Monday, November 30, 2015

HR 3490 Passes in House

This afternoon the House passed HR 3490, the Strengthening State and Local Cyber Crime Fighting Act, by a voice vote after only 14 minutes of debate. The bill will proceed to the Senate where, if it is considered, it will likely be under their unanimous consent process with even less debate.

The bill and the National Computer Forensics Institute both continue to ignore potential issues with forensics investigations of attacks on industrial control systems. If the Senate Homeland Security and Governmental Affairs Committee does take up consideration of this bill (probably unlikely) it would be nice to see some sort of language encouraging the development of forensics capability for ICS attacks before they become necessary.

HR 8 Rule Approved by Rules Committee

This evening the House Rules Committee met to craft the rule for the Consideration of HR 8, the North American Energy Security and Infrastructure Act of 2015. The version of the bill being considered includes the original bill, amendments adopted by the House Energy and Commerce Committee, modified versions of HR 2295 (as a new §1111) and HR 2358 (as a new §1112), along with some technical amendments proposed by Rep. Upton (R,MI). The rule for HR 8 adopted this evening only covers the initial 1 hour of general discussion of the bill, not any amendment process on the House Floor.

Possible Amendments

A total of 94 proposed amendments to HR 8 were submitted to the Rules Committee. If a restrictive rule for the amendment process is adopted, it is likely that only selected amendments from this list would be considered on the House floor. It is not clear from tonight’s Committee actions that a restricted rule will be adopted at a future hearing.

Of those amendments there are only six that may be of specific interest to readers of this blog. They are:

#19 Norcross (D,NJ) – Directs the Secretary of Energy to study weaknesses in the security architecture of certain smart meters currently available, and promulgate regulations to mitigate those weaknesses.

#21 Norcross – Allows the Secretary of Energy to address prospective grid security emergencies proactively.

#34 DeSaulnier (D,CA), Lowey (D,NY) – Requires the Department of Energy to study the maximum level of volatility that is consistent with the safest practicable shipment of crude oil.

#84 Jackson-Lee (D,TX) – Directs the Secretary of Energy to submit to the Committees on Energy and Commerce and Natural Resources of the House of Representatives and the Committee on Energy and Natural Resources of the Senate a report on methods to increase electric grid resilience with respect to all threats, including cyber attacks, vandalism, terrorism, and severe weather, no later than 120 days after the date of enactment of the Act.

#92 Garamendi (D,CA) – Sets the maximum volatility threshold for crude oil transported by rail at 8.5 psi until a national standard is established.

#93 Franks (R,AZ) – Secures the most critical components of America's electrical infrastructure against the threat posed by a potentially catastrophic electromagnetic pulse.

Moving Forward

The initial consideration of HR 8 under the rule approved this evening will probably start tomorrow. Based upon the way the House dealt with HR 22 earlier this month it is very possible that there will not be any more work by the Rules Committee on HR 8 and that all 94 amendments submitted to date will be allowed to be introduced on the House floor. There is a minor chance that there will be an open amendment process on this bill that would consider any offered amendments.

The two crude oil volatility amendments (#34 and #92) of those listed above are the only ones that have any significant controversy associated with them. I would expect that all of the others could pass in floor votes. Since #34 would effectively only require a study and report to Congress, I think that it could pass. The Garamendi amendment will certainly be opposed vigorously by the oil industry and that limits its chance of passing.


The Garamendi amendment is very similar in intent to HR 2379.

I did a somewhat detailed explanation of the shortcomings of the use of Reid Vapor Pressure measurement in my discussion of HR 1679. Garamendi continues to try to use this method even though it is ill suited to the differentiation of crude oil flammability or explosiveness. This is a fairly typical case of a politician not understanding the technical details of what he is attempting to legislate. The DeSaulnier amendment, on the other hand, requires the Secretary of Transportation to study and set a volatility standard for crude oil, leaving the technical details to the professionals.

Saturday, November 28, 2015

Supervisory Chemical Security Inspector Openings

Yesterday the DHS National Protection and Programs Directorate (NPPD) published a job listing for seven Supervisory Chemical Security Inspectors. The job listing closes next Thursday, December 13th, 2015.

Multiple Locations

Interestingly, there are twenty potential locations listed for the seven job openings. The locations listed can be found in the following states:

• Arkansas;
• California;
• Florida;
• Louisiana;
• Minnesota;
• North Carolina;
• Ohio;
• Oklahoma;
• Pennsylvania;
• South Carolina; and
• Texas.

Ammonium Nitrate Security Program?

The most interesting part of the announcement can be found in the Job Summary portion near the top of the page:

“Are you interested in a job where your primary purpose will be to plan, organize, schedule and conduct on-site inspections of ammonium nitrate facilities? Then consider joining the Field Operations Branch, Inspections and Enforcement Branch (I&EB), Infrastructure Security Compliance Division (ISCD), Office of Infrastructure Protection (IP), National Protection and Programs Directorate (NPPD), Department of Homeland Security (DHS).”

I reported earlier that the Ammonium Nitrate Security Program rulemaking had been moved to the ‘Long Term Action’ section of the Unified Agenda. That would seem to indicate that there would be no near term (next year at least) action on publishing a final rule. The reason, of course, is that DHS is having a hard time figuring out a cost effective method of meeting the Congressional mandate (see 6 USC Subchapter VII, Part J) to “regulate the sale and transfer of ammonium nitrate by an ammonium nitrate prevent the misappropriation or use of ammonium nitrate in an act of terrorism”. In fact, the Appropriations Committees of both the House and Senate have suggested that the folks at ISCD should craft a new NPRM instead of trying to twist the previous NPRM into a workable final rule.


While the first two duties listed in the job listing deal directly with security of ammonium nitrate facilities, the CFATS program is mentioned in one of the five job duties listed:

“Providing policy analysis, oversight, and technical expertise on legislation and regulations to the national Chemical Facility Anti-Terrorism Standards program by assessing, interpreting and implementing regulatory requirements.”

Then when we look at the qualifications requirements for being considered for this position we see the requirement for at least one year’s experience in:

• Evaluating subordinate chemical inspector preparation, performance, and reporting on chemical facility inspections;
• Reporting on chemical facilities by utilizing the Chemical Facility Anti-Terrorism Standards (CFATS);
• Collaborating and maintaining working relationships with business and industry representatives, Federal, State and local government agencies, and internal and external stakeholders to resolve problematic issues and ensure legal compliance; and
• Supervising the work performance of other chemical facility inspectors.

Moving Forward

It looks like DHS is looking to establish the initial cadre of folks that will be starting up the Ammonium Nitrate Security Program. Since it looks like these folks will probably be hired from the existing pool of GS 13 Chemical Security Inspectors, I doubt that it will take the normal six to nine months to fill these positions. So it looks like we may see some movement (at long last) on establishing the ANSP.

BTW: The ANSP final rule was supposed to be finished in 2008, according to the authorizing legislation. DHS only managed to get the comment period on the ANPRM completed by December 29th, 2008. This has been much more difficult than Congress ever imagined.

Tuesday, November 24, 2015

ICS-CERT Publishes Two Advisories

This afternoon the DHS ICS-CERT published two control system advisories for systems from Eaton’s Cooper and Moxa.

Eaton’s Cooper Advisory

This advisory describes an IEEE conformance issue involving improper frame padding in Eaton’s Cooper Power Systems Form 6 controls and Idea/IdeaPLUS relays equipped with Ethernet. The vulnerability was reported by David Formby and Raheem Beyah of Georgia Tech. An updated version of the systems (associated with another recent ICS-CERT Advisory) has been confirmed by the researchers to be free of the vulnerability.

ICS-CERT reports that a relatively unskilled attacker with network access to unencrypted packets would be able to read the leaked data.
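As an added illustration of the class of issue behind this advisory (example code written for this post, not from ICS-CERT, Eaton or the researchers): in a short IPv4 frame the bytes between the end of the IP packet and the 60-byte Ethernet minimum are padding, which RFC 1042 says should be zero; a stack that pads from a stale buffer leaks whatever was in it, and a capture can be checked for exactly that. The frames and the leaked string below are constructed for the demo.

```python
import struct

ETH_HDR_LEN = 14          # dst MAC (6) + src MAC (6) + EtherType (2)
ETH_MIN_LEN = 60          # minimum Ethernet frame length, excluding the 4-byte FCS
ETHERTYPE_IPV4 = 0x0800
IPV4_HDR_LEN = 20         # fixed IPv4 header without options (used by the constructed frames)


def padding_region(frame: bytes):
    """Locate the Ethernet padding in an IPv4 frame.

    Returns (start, end) offsets of the bytes that sit after the IP packet but
    inside the 60-byte minimum frame, or None when the frame is not IPv4, is too
    short to parse, or needed no padding at all.
    """
    if len(frame) < ETH_HDR_LEN + IPV4_HDR_LEN:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    # IPv4 "total length" (bytes 2-3 of the IP header) covers IP header + payload
    (ip_total_len,) = struct.unpack("!H", frame[16:18])
    ip_end = ETH_HDR_LEN + ip_total_len
    if ip_end >= ETH_MIN_LEN or ip_end >= len(frame):
        return None
    return ip_end, min(len(frame), ETH_MIN_LEN)


def leaked_padding(frame: bytes) -> bytes:
    """Return the padding bytes if any of them is non-zero, otherwise b"".

    RFC 1042 requires IP-over-Ethernet padding to be zero octets, so non-zero
    padding is the signature of a stack that pads from an uninitialised or
    reused buffer, i.e. the kind of leak the advisory describes.
    """
    region = padding_region(frame)
    if region is None:
        return b""
    start, end = region
    pad = frame[start:end]
    return pad if any(pad) else b""


def scan_frames(frames):
    """Return [(frame_index, leaked_bytes)] for every frame with suspicious padding."""
    hits = []
    for i, frame in enumerate(frames):
        leak = leaked_padding(frame)
        if leak:
            hits.append((i, leak))
    return hits


def build_frame(payload: bytes, padding: bytes) -> bytes:
    """Construct a minimal Ethernet/IPv4/UDP frame for the demo (constructed data)."""
    eth_hdr = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
               + struct.pack("!H", ETHERTYPE_IPV4))
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, IPV4_HDR_LEN + len(payload),   # version/IHL, DSCP, total length
        0x1234, 0, 64, 17, 0,                   # id, flags/frag, TTL, proto=UDP, checksum (unused)
        bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]),  # documentation-range addresses
    )
    return eth_hdr + ip_hdr + payload + padding


# An 8-byte UDP header with no data: the IP packet is 28 bytes and the frame is
# 42 bytes before padding, so 18 padding bytes are needed to reach the minimum.
UDP_HDR = struct.pack("!HHHH", 20000, 20000, 8, 0)
GOOD_FRAME = build_frame(UDP_HDR, b"\x00" * 18)                      # conformant: zero padding
BAD_FRAME = build_frame(UDP_HDR, b"\x00\x00" + b"admin:secret1234")  # leaks stale buffer bytes
LONG_FRAME = build_frame(b"\x01" * 60, b"")                          # long frame: nothing to inspect

if __name__ == "__main__":
    for idx, leak in scan_frames([GOOD_FRAME, BAD_FRAME, LONG_FRAME]):
        print(f"frame {idx}: {len(leak)} padding bytes, non-zero content {leak!r}")
```

Run over real captures, the same check would need the frame-capture length and any VLAN tag taken into account before the offsets above apply.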

This advisory was published on the US CERT Secure Portal on October 22nd, 2015. Again, the early notification is available to all critical infrastructure owners and legitimate researchers granted access by ICS-CERT. See bottom of the ICS-CERT landing page for information on how to apply for this access.

This is the second advisory for this sort of issue. Both were based upon reports by Formby and Beyah. How many more systems will they find with this vulnerability? Who knows, perhaps vendors should start looking themselves? Or not. Maybe Formby and Beyah can build a startup business on their technique for finding this vulnerability and then expand it into other areas of vulnerability research. I seem to recall another team that started out in a similar manner.

BTW: Eaton’s Cooper calls this a TCP/IP protocol stack vulnerability. It sounds a little bit more impressive, but perhaps not quite as descriptive.

Moxa Advisory

This advisory describes two vulnerabilities in the Moxa OnCell Central Manager Software. The vulnerabilities were reported through the Zero Day Initiative by Andrea Micalizzi. Moxa has produced a new version but there is no indication that Micalizzi has been provided an opportunity to verify the efficacy of the fix.

The two vulnerabilities are:

• Use of hard-coded credentials - CVE-2015-6481; and
• Authentication by-pass issues - CVE-2015-6480.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to gain full system access.

BTW: The Moxa release notes on the new version do list the authentication by-pass issue, but do not mention the hard-coded credentials.

Saturday, November 21, 2015

S 2276 Introduced – Safe Pipes Act

Earlier this month Sen Fischer (R,NE) introduced S 2276, the Securing America’s Future Energy: Protecting our Infrastructure of Pipelines and Enhancing Safety (SAFE PIPES) Act. The bill authorizes expenditures for the DOT’s Pipeline and Hazardous Material Safety Administration’s (PHMSA) pipeline safety programs. It also requires a number of pipeline related studies and reports to Congress and some relatively minor rulemakings.

Reports to Congress

Section 3 of the bill requires the Secretary of Transportation to report to Congress on the status of a number of rulemaking activities required by Congress. Specifically mentioned are final rules required by the Pipeline Safety Regulatory Certainty and Job Creation Act of 2011 (PL 112–90). Those include:

• Integrity management {§5(f)};
• Leak detection {§8(b)}; and
• Accident and incident notification {§9(a)}.

Other reports required in the bill include:

• Natural gas integrity management review {§5};
• Hazardous liquid integrity management review {§6};
• Study on improving location mapping technology {§9};
• Workforce of pipeline and hazardous materials safety administration {§10};
• Nationwide integrated pipeline safety regulatory database {§13};

New Regulation Requirements

This bill would require the Secretary to initiate a number of new rulemakings, including:

• Underground natural gas storage facilities safety standard {§14}; and
• Defining the Great Lakes as an ecological resource under 49 CFR 195.6(b) {§16};

Pipeline Security

There is one minor reference to pipeline security issues in the bill. Section 17 of the bill requires the GAO to conduct a surface transportation security review that specifically addresses “the staffing, resource allocation, oversight strategy, and management of the Transportation Security Administration’s pipeline security program and other surface transportation programs”.

Moving Forward

Fischer is the Chair of the Surface Transportation and Merchant Marine Infrastructure, Safety and Security Subcommittee of the Senate Commerce, Science, and Transportation Committee, so this bill will certainly be considered in Committee.

The bill does not contain any obviously controversial political riders that doom so many authorization bills, so it is likely that this bill (after being amended on the floor of the Senate) would be able to pass with substantial bipartisan support. It is possible that this bill will be considered in the Senate before the end of the year.

Friday, November 20, 2015

Fall 2015 Unified Agenda – DHS

Today the OMB’s Office of Information and Regulatory Affairs published the Fall 2015 Unified Agenda. This is the current listing of the status of significant rulemakings planned or underway. The Long-Term Actions portion of the Unified Agenda was also updated.

Active DHS Rulemaking

Of the DHS rulemakings only ten may be of specific interest to readers of this blog. The DHS rulemakings in the Fall 2015 Unified Agenda that I am following are:

• Protected Critical Infrastructure Information;
• Petitions for Rulemaking, Amendment, or Repeal;
• Chemical Facility Anti-Terrorism Standards (CFATS);
• Homeland Security Acquisition Regulation: Safeguarding of Sensitive Information; Information Technology Security and Privacy Training;
• Updates to Maritime Security;
• 2013 Liquid Chemical Categorization Updates;
• Transportation Worker Identification Credential (TWIC); Card Reader Requirements;
• Revision to Transportation Worker Identification Credential (TWIC) Requirements for Mariners;
• Security Training for Surface Mode Employees; and
• Surface Mode Vulnerability Assessment and Security Plans.

Of those ten rulemakings under way only one is new to this issue of the Unified Agenda; Protected Critical Infrastructure Information (1601-AA77); an already existing program under the DHS National Protection and Programs Directorate (NPPD). The abstract for this rulemaking states:

“The Department of Homeland Security (DHS or the Department) invites public comment on the Advance Notice of Proposed Rulemaking (ANPRM) for potential revisions to the Protected Critical Infrastructure Information (PCII) regulations that provide the Department with the authority to establish uniform procedures for the receipt, care, and storage of Critical Infrastructure Information voluntarily submitted to the Department. For the purpose of maturing the program, DHS is initiating this rulemaking process to help it identify how to enhance the PCII regulation more effectively in achieving its regulatory objectives. DHS believes that after nine years of experience implementing the PCII program, DHS has gained first-hand insight on lessons learned, and that the ANPRM process provides expanded opportunities for the Department to hear and consider the views of interested members of the public on their recommendations for program modifications.”

What is not mentioned in the abstract is that this rulemaking for a long standing program is almost certainly driven by the rulemaking process under way from the National Archives and Records Administration (NARA) for Controlled Unclassified Information (CUI). The final rule for that has been submitted to OIRA and should be published this year. That rulemaking distinguishes between document control programs that are established by legislation or regulation and others that are just routine agency programs. Establishing a PCII rule allows DHS more control of marking, classification, destruction and distribution of the information. Without this rulemaking NPPD will have to loosen up many of their existing ‘rules’ about PCII.

Projected Dates

Each of the rulemaking listings in the Unified Agenda has a projected date for the Federal Register publication of the next step in the rulemaking process. Do not pay much attention to these; in fact, I would go so far as to say don’t pay any attention to these. They mean less than a politician’s election promises.

Some of these rulemaking activities date back to before 2007 (Security Training for Surface Mode Employees). Every six months a new Unified Agenda is published and a new set of dates is inked in. And the new dates continue to get missed, even when Congressional mandates are missed in the process.

Long Term Actions

There is a separate section of the Unified Agenda for ‘Long Term Action’. The rulemakings listed here were at one time or another listed on the main agenda, but even DHS bureaucrats could not stomach pretending that they were going to be allowed to do anything about these rulemakings. There are currently four rulemakings on the DHS Long Term Actions list that may be of specific interest to readers of this blog:

• Ammonium Nitrate Security Program;
• Amendments to Chemical Testing Requirements;
• Protection of Sensitive Security Information; and
• Drivers Licensed by Canada or Mexico Transporting Hazardous Materials to and Within the United States.

Rulemaking activities flip back and forth between this list and the main Unified Agenda. For example the Ammonium Nitrate Security Program and the Protection of Sensitive Security Information rulemakings were on the 2015 Spring Unified Agenda. The CFATS and the Updates to Maritime Security Rulemaking were on the 2015 Spring Long Term Actions list.

The one thing that you can probably safely expect (no guarantees here) is that a rulemaking on the Long Term Actions list will not be acted upon until at least after the next Unified Agenda is published in the Spring. But, don’t bet your rent money on that; this is all subject to changing political conditions.

Thursday, November 19, 2015

ICS-CERT Publishes Tibbo Advisory

This afternoon the DHS ICS-CERT published a control system advisory for the Tibbo AggreGate SCADA/HMI package. The two unrestricted upload of file with dangerous type vulnerabilities were reported through the Zero Day Initiative by Andrea Micalizzi (rgod). Tibbo has produced a new version to mitigate the vulnerabilities, but there is no indication that Micalizzi has been provided the opportunity to verify the efficacy of the fix.

ICS-CERT reports that at least one of the vulnerabilities can be remotely exploited by a relatively unskilled attacker. A successful exploit of either vulnerability could allow the attacker to execute arbitrary code and commands.

There seems to be an irregularity between the version number of the updated version reported in the advisory and the updates available on the Tibbo web site. ICS-CERT reports that owners should upgrade to 5.30.06. The Tibbo web site indicates that 5.30.06 is a pre-release version of the program. I suspect that that is because Tibbo has not updated their web site to account for people needing to upgrade due to the vulnerabilities reported in this advisory. Certainly there is nothing on their web site about the problem.

Bills Introduced – 11-18-15

There were 42 bills introduced in the House and Senate yesterday. Along with a proposed declaration of war against the Islamic State, and a number of Syrian refugee bills there was one bill that may be of specific interest to readers of this blog:

HR 4057 To amend title 18, United States Code, to establish a criminal violation for using false communications with the intent to create an emergency response, and for other purposes. Rep. Clark, Katherine M. [D-MA-5]

HR 4057 would seem to address a local problem that is typically addressed by State and local laws. Unless, of course, it dealt specifically with Federal emergency response organizations. This is not likely to see further coverage in the blog unless something interesting is being included in that “and for other purposes” tacked on at the end.

Tuesday, November 17, 2015

ICS-CERT Published Exemys Advisory

This afternoon the DHS ICS-CERT published a control system advisory for the Exemys Telemetry Web Server. The login bypass vulnerability described in the advisory was reported by Maxim Rupp. ICS-CERT reports that Exemys “has not produced a patch to mitigate this vulnerability”.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to access information on the server.

The only unique mitigation measure for this vulnerability comes from ICS-CERT with no clear instructions on how to effect the proposed measure. The measure that ICS-CERT recommends is:

“ICS-CERT recommends implementing a single point login that cannot be bypassed.”

It is unusual for ICS-CERT not to be at least a little more forthcoming about why there is not now (and presumably won’t be in the near future) a vendor provided patch or upgrade. While Exemys is headquartered in Argentina, there is no mention of difficulties contacting the organization or that they disagree with the reported vulnerability. A dispassionate observer would probably be excused for assuming that Exemys is not concerned about the existence of this vulnerability.

Bills Introduced – 11-16-15

With both the House and Senate in Washington this week there were 36 bills introduced yesterday. Of those three may be of specific interest to readers of this blog:

HR 3996 To provide an extension of Federal-aid highway, highway safety, motor carrier safety, transit, and other programs funded out of the Highway Trust Fund, and for other purposes. Rep. Shuster, Bill [R-PA-9]

HR 4002 To amend title 18, United States Code, to make various improvements in Federal criminal law, and for other purposes. Rep. Sensenbrenner, F. James, Jr. [R-WI-5]

HR 4009 To amend chapter 44 of title 18, United States Code, to treat flamethrowers the same as machineguns. Rep. Engel, Eliot L. [D-NY-16]

As I mentioned yesterday HR 3996 is a two-week extension of the surface transportation funding to allow the Conference Committee to work out the differences on HR 22. It was passed yesterday, as expected, on a voice vote after only 7 minutes of ‘debate’.

This will probably be the last mention of HR 4002 as this is probably just a housekeeping bill, updating and correcting 18 USC. There is a chance however that it will include revisions to the computer fraud language. If it does, you will see it here again.

HR 4009 is not one of the normal topics of this blog, but I just could not resist mentioning it. I will be very interested how they define ‘flame thrower’ in a way that does not include welding equipment or weed burners. If the news is slow and the definition interesting enough it may make it into the blog; probably not.

Monday, November 16, 2015

ICS-CERT Publishes Sept-Oct 2015 Monitor

This afternoon the DHS ICS-CERT published the latest version of the ICS-CERT Monitor. I have been a pretty harsh critic of recent issues of this publication, but, with this issue, I am returning to recommending that ICS owners read and circulate the document.

I was disappointed with the initial article on information sharing, particularly since it was started with a report of a potential control system compromise on a system that wasn’t compromised. I understand that this is probably a not-unusual occurrence, but it would have made a stronger case for incident reporting if the lead-in story was about a compromised system that was caught before the compromise was exploited. Having said that, a very good point was made in the article about the importance of system logging.

The two lengthy articles in this issue were both well done. The discussion about trends in malware will probably be a little basic for security savvy IT or operations administrators, but it would be a good article to share with plant management. It is a nice overview of malware history leading into potential problems with IIOT.

The second article should, on the other hand, be required reading for everyone in the cyber enterprise, not just industrial control systems. The problem of the disposal of inadequately scrubbed computers spans IT, ICS and personal computing. And it gives nice props to Wightman, Sistrunk and Toecker who worked on the problem with ICS-CERT.

There are a number of short articles that may be of interest to those of us keeping up with things going on in the ICS world. They include:

• ICS-CERT at DEF CON and Black Hat;
• Section 508 and Accessibility;
• ICS-CERT Virtual Learning Portal Upgrade;
• Industrial Control Systems Joint Working Group Meetings;

Again, this issue is much improved over those that were produced recently. I really want to encourage ICS-CERT to keep up the quality and applicability of the information presented in the Monitor. If they do, this will be another valuable tool for that organization to share information with the control system security community.

Congressional Hearings – Week of 11-15-15

This week the House and Senate return to Washington after their extended Veterans Day holiday. Currently there is only one hearing scheduled this week that may be of specific interest to readers of this blog; looking at automotive cybersecurity.

Auto Cybersecurity

The Transportation and Public Assets Subcommittee of the House Oversight and Government Committee will hold a hearing on Wednesday on “The Internet of Cars”. There is no witness list currently available.

On the Floor

There are two bills that will be considered under suspension of the rules in the House this week that may be of specific interest to readers of this blog:

HR 1073 - Critical Infrastructure Protection Act; and
HR 3996 – The Surface Transportation Extension Act of 2015, part II (introduced today)

HR 1073 is an electromagnetic pulse protection bill with no funding or regulatory authority. HR 3996 is another short term extension of the Surface Transportation Extension Act while the House and Senate Conferees work out the differences in the two versions of HR 22. The draft of the bill from the House Transportation Committee looks to be a relatively clean bill this time. Both bills will pass without significant opposition.

Sunday, November 15, 2015

More Secure Portal Rumors

This has been an interesting weekend for rumors about ICS-CERT releases on the US-CERT Secure Portal. First I have heard from multiple sources that there may be two or more control system advisories from ICS-CERT currently listed on the Secure Portal. With this you get the normal reminder that critical infrastructure owners and legitimate security researchers may request access to the Secure Portal; see instructions on the bottom of the ICS-CERT landing page.

I have had a single source tell me that the Unitronics advisory I described earlier this week was, in fact, originally released to the Secure Portal on October 1st as I surmised, but that an updated version was released on that portal on November 3rd as described in the publicly released version of the advisory. That reasonably explains the discrepancy that I noted in that earlier post.

Finally I am hearing a disturbing rumor (admittedly from a different single source) that there is a control system vulnerability that has been released to a government-only limited distribution section of the Secure Portal. I can certainly see a need for a really limited initial disclosure of an advisory if it was dealing with military hardware for instance. What is disturbing to me is that there is reportedly (again single source without verifiable details) not going to be a public disclosure of the vulnerability. Again, if this would only affect military hardware, that is perfectly legitimate. I just don’t have enough details to make the call.

Saturday, November 14, 2015

HR 3994 Introduced – SPY Car Study Act of 2015

Earlier this month, Rep. Wilson (R,SC) introduced HR 3994, the Security and Privacy in Your (SPY) Car Study Act of 2015. The bill would require the Administrator of the National Highway Traffic Safety Administration (NHTSA) to report to Congress on potential cybersecurity standards for automobiles made and/or sold in the United States.

A Study and Report to Congress

Section 2(a) of the bill would require the NHTSA Administrator to conduct a study “to determine appropriate standards for the regulation of the cybersecurity of motor vehicles manufactured or imported for sale in the United States that should be adopted by the Administration and any other appropriate Federal agencies”. The study would be conducted in consultation with:

• The Federal Trade Commission;
• The Director of the National Institute of Standards and Technology;
• The Secretary of Defense;
• The Automotive Information Sharing and Analysis Center;
• SAE International;
• Manufacturers of motor vehicles and original motor vehicle equipment; and
• Relevant academic institutions.

The study would be designed to identify:

• The isolation measures that are necessary to separate critical software systems from other software systems;
• The measures that are necessary to detect and prevent or minimize the effects of anomalous code associated with malicious behavior;
• The techniques that are necessary to detect and prevent, discourage, or mitigate intrusions into the software systems of motor vehicles and other cybersecurity risks in motor vehicles; and
• Best practices to secure driving data collected by the electronic systems of motor vehicles while such data are stored onboard the vehicle, in transit from the vehicle to another location, and in off-vehicle storage.

Interestingly the term ‘critical software system’ is specifically defined in the bill. It describes “a software system of a motor vehicle that can affect the driver’s control of the movement of the vehicle” {§2(c)(2)}. Driving data is also defined to include vehicle status information and personal information about the owner, driver or passengers.

NHTSA would have one year to complete the study and then six months more to present a report to Congress about the results of the study. The report to Congress would be unclassified and would include recommendations for “any legislation that may be necessary to authorize the adoption of such standards [recommended in the study]” {§2(b)(2)}.

Moving Forward

Neither Wilson nor his cosponsor {Rep. Lieu (D,CA)} is a member of the House Energy and Commerce Committee to which this bill was referred. Thus it is unlikely that there is the political pull to get this bill considered by the Committee. If the bill were to make it to the floor it would likely pass since it just requires a study and report. The automotive industry would almost certainly object to any regulation of automotive cybersecurity, but would probably hold off opposing the bill since they would be able to influence the results of the study.


I certainly can’t fault Wilson for trying to get a group of experts to determine what cybersecurity regulations might be necessary to ensure that automotive control systems are reasonably safe from cyber-attacks. And I agree that NHTSA, the government agency responsible for automotive safety, should probably be the agency to regulate that security; the Transportation Security Administration certainly is not a viable alternative. Having said that, I do think that there is a DHS agency that should be included in the study effort and that is ICS-CERT. They have the most knowledge of control systems within the government.

There are two agencies that I’m not sure that I agree should have anything to do with this study: the FTC and the DOD. The FTC’s cybersecurity knowledge is pretty limited and certainly does not include control systems. While they do have some regulatory experience, NHTSA already has a great deal of experience in dealing with automotive safety regulations. DOD certainly is developing cybersecurity expertise, but little of it has to do with protecting control systems. They certainly do not have the level of expertise in that arena that the ICS-CERT would have.

I’ll give Wilson’s staff credit for addressing the main areas of interest with automotive control systems, but some of their attempts at ‘technical language’ should not have been attempted. In §2(a)(2) for instance they attempt to describe preventing hacking as “prevent or minimize in the software systems of motor vehicles anomalous codes associated with malicious behavior”; close but not quite there. Then in §2(a)(2) in describing potential security techniques they suggest “continuous penetration testing and on-demand risk assessments”. Congress should leave as much of the technical language as possible to the folks in the Executive Branch that actually work with the technology.

Two things are missing from the study and report requirements. First is a failure to address how cybersecurity deficiencies interface with the current recall process, including a definition of how software updates fit into that process. And second is the failure to establish software/firmware vulnerability disclosures, including allowing legitimate security researchers to legally test automotive cybersecurity systems without falling afoul of the Digital Millennium Copyright Act (DMCA). Both of these will have to be addressed in any legislation authorizing regulation of automotive cybersecurity.

Intelligent Technologies Initiative Act of 2015

Last month Rep. Takano (D,CA) introduced HR 3852, the Intelligent Technologies Initiative Act of 2015. The bill would require the DOT to establish a grant program to fund intelligent transportation system (ITS) projects.

Grant Program

Section 3 of the bill would require the Secretary to establish an Intelligent Technology Initiative to provide “grants to eligible entities to establish deployment sites for large scale installation and operation of ITS to improve safety, efficiency, system performance, and return on investment” {§3(a)}. The program would provide grants to 6 entities for projects of up to five years. The bill would authorize $200 million per year through 2020.

Moving Forward

Takano is not a member of the House Transportation and Infrastructure Committee, so it seems unlikely that he has the pull to move this bill through the Committee process. While $200 million is a relatively small amount of money in surface transportation programs, the money would still have to come out of some other program, so it is likely that there would be some significant opposition to this bill if it came to the House floor.


There are a number of ITS projects that seem almost inevitable, if program bugs can be worked out. In my opinion one of the biggest obstacles to effective ITS deployment is that the various systems that are being talked about have some serious potential cybersecurity problems that must be solved before the systems can be safely deployed.

Unfortunately, this bill is completely devoid of any mention of cybersecurity issues. There is no requirement for a cybersecurity component in any of the systems to be considered for the grant program. Nor is there any requirement in any of the required reports to Congress to include any information about cybersecurity issues.

I would like to see in any grant program for ITS deployment a clear requirement to address cybersecurity issues in any deployment scheme. Further, it would seem to me that a portion of the grant program should be set aside for specific studies on ITS cybersecurity issues. Failure to include these two requirements in an ITS implementation grant program clearly marks the program as being short sighted and not worthy of limited transportation funding.

Friday, November 13, 2015

OMB Approves FMCSA Prohibition of Coercion Final Rule

The OMB’s Office of Information and Regulatory Affairs (OIRA) announced yesterday that it had approved the final rule for DOT’s FMCSA regulation prohibiting coercion of truck drivers to violate federal trucking safety standards. The NPRM for this rule was published in May of 2014 and drew 95 comments, many from active and former truckers.

The Unified Agenda notes that Congress required the publication of new “regulations governing commercial motor vehicle safety [to] ‘ensure ... an operator of a commercial motor vehicle is not coerced by a motor carrier, shipper, receiver, or transportation intermediary to operate a commercial vehicle in violation of a regulation promulgated under 49 U.S.C. section 31136 or chapters 51 or 313 of title 49, U.S.C.’”

This rule will probably be published next week.

Building Control Systems Conference

Thanks to the folks at the SCADASEC listshare I heard about an interesting 3-day cybersecurity conference being put on by the Department of Commerce of all folks. The “Cyber Resilience of Building Control Systems” workshop is being sponsored by the Federal Facilities Council on November 17th, 2015 in Washington, DC and it is being webcast (something I would like to see more conferences doing, at least with select, high-profile presentations).

Some presentations of potential interest to readers of this blog include:

• Federal Perspective Keynote – Global/National Landscape: Former Congressman Steve Stockman – Overarching commentary on cyber legislation and challenges (privacy, encryption, information sharing);
• DHS - NPPD/Office of Cyber and Infrastructure Analysis - Susan Stevens – National Protection and Programs Directorate (NPPD) efforts to address the needs of all 16 Sectors to understand and manage cybersecurity risks for the multitude of facility and building types;
• DHS - NPPD/Office of Cybersecurity and Communications/ICS-CERT - Marty Edwards – Building Control System cyber threats and vulnerabilities; role of ICS-CERT;
• USCYBERCOM – Bob Leverton – Overview of Joint Base Architecture for Secure ICS (J-BASICS) Tactics, Techniques & Procedures (TTPs);
• Whole Building Design Initiative: Rick Tyler, US Navy – Overview of draft Unified Facility Criteria 4-010-06 CYBERSECURITY OF FACILITY-RELATED CONTROL SYSTEMS;
• Cyber Ranges - DoD National Cyber Range – Dr. Robert Tamburello – Overview of Control System Test and Evaluation Events at the DoD National Cyber Range;
• Billy Rios – WhiteScope – Overview of Building Automation Systems continuous monitoring solutions, enumeration of internet-facing BAS using Shodan;
• Jason McHuen – Parsons – Hands-on demonstration of Kali Linux, Metasploit targeting and attacking Building Control Systems; and
• Alex Tarter – Ultra Electronics, 3eti – Cybersecuring Control System End-Point devices.

There will also be presentations and then separate hands-on workshops by ICS-CERT (CSET) and NSA (GrassMarlin) on the optional 3rd day of the workshop. It is not clear if the hands-on workshops will be webcast (my guess – not).

You can register on-line (also required for web cast) here. I’ll be there via the webcast; no travel budget, you know.

BTW: The agenda for this workshop indicates that there is a GrassMarlin module that can be downloaded with the ICS-CERT CSET. Nothing about that on the ICS-CERT pages. Again, ICS-CERT does a poor job in talking about the capabilities of their tools.

Interesting Rumor

I heard an interesting rumor today and I am very reluctant to share it on a couple of different levels. First I don’t want the people who sent it my way to face any repercussions and secondly it is usually not a good idea to destroy someone’s preconceived notions. But, since the rumor concerns me and this blog, I have to set the record straight.

Apparently there is a rumor going around that I am some sort of muckty-muck in DHS that is using this blog to get inside information about the Department out into public light. There are a couple of things wrong with that. First, I am not now, never have been, and almost certainly never will be a member of DHS. Hell, I haven’t even been in the city of Washington in over 30 years.

I am not exactly the sort of person that someone would hire for the Department nor would I really be happy being an employee of that organization. I spent a number of years trying to be a somewhat compliant member of the US Army and it used up all of my getting along with the bureaucracy; as anyone that knew me in that period of my life can attest. And I am certainly not someone who would be able to climb the internal ladder to reach a level of bureaucratic power and there is no politician in their right political mind that would appoint me to anything approaching a position of authority.

In many ways I should be (and really am) proud that the knowledge that I do have about the CFATS program is thought well enough of in the community that people assume that I have to be in a special position of influence to be able to share that knowledge. But a close observer would probably note that I don’t have an infallible insider’s insight into the goings on in ISCD or anywhere else in the Department (or on the Hill or in the Transportation Department, or anywhere else that I write about).

What I do have is a basic knowledge of how agencies and bureaucracies work, particularly in the political aspects of those operations. I was raised in a household where politics and engineering were the things that adults discussed and children were encouraged to listen and ask questions. I studied history, political science and even some law from a variety of people that had insider’s experience, and I cultivated those connections whenever I could.

And just as important as all of that, I have cultivated connections over the last eight years with a number of people in and around the chemical safety and security (and lately in the cybersecurity) realms that are willing to tell me things about the goings on in these areas that are an important part of my life. I seldom get the whole story or both sides of the story, but I am experienced enough in the ways of the world to be able to piece together what the other side or missing pieces probably look like. Finally, I am not really trying to be a news person here, but rather an influencer of how things are proceeding in the world.

Ten or twenty years ago I would not have been able to pull off this blog without living in or near the seats of power. Without the internet I would not have access to half of the information available to me and the other half would be so out of date by the time that I got it that it would be just about worthless. But I do exist here and now and the internet and modern communications all make this possible.

So, sorry to destroy the mini-myth that is growing up around PJ Coyle (Please not - Pat or Patrick Coyle; PJCoyle was my AOL handle and it got stuck to the blog when AOL was hosting it). I am just an able muckraker who is an evangelical about chemical safety and security with a bit of knowledge about the political process with access to modern research tools and a niddly need to explain things. Please keep that in mind as you read this blog and perhaps send me interesting bits of information, or questions to be answered.

Oh and please remember that muckrakers are cheap but we still do have to feed the family and the dogs. A periodic small financial contribution to the cause is always appreciated.

Thursday, November 12, 2015

Non-Toxic Gases Kill

There was a short news item on this afternoon about an industrial accident that killed one employee. The report notes that a CO2 gas leak at the facility was responsible, explaining:

“Alarms immediately sounded when the leak happened, and employees responded properly, but a man who was closest to the leak was affected, HFD [Houston Fire Department] said.”

While there is a great deal in the news about the release of CO2 to the atmosphere as a probable (or not depending on your political suasion) cause of global climate change, there is very little talk about this being an industrial chemical that is used in a number of different commercial applications, from industrial cooling, to atmospheric deoxygenation, to caffeine removal from coffee.

CO2 at room temperature is a non-toxic gas that is a routine part of the air that we breathe every day and an important part of the respiratory cycle for the exchange of oxygen between plants and animals.

So, if CO2 is non-toxic and necessary for life, how did a person die from a CO2 leak? The answer is fairly simple: asphyxiation. The atmosphere contains a number of chemicals, but the most important one from an animalistic point of view (and please remember that humans are animals) is oxygen. Oxygen is typically found in the air at about 21%. Anything below about 19% starts to become too little to support life. As other gases are added to the atmosphere the amount of oxygen (as O2) starts to decline. If too much is added to the local area, then there is not enough oxygen present to support life and animals die.

Apparently what happened here is that there was a leak, probably in a CO2 transfer line. The facility had some sort of alarms in place (probably based upon O2 sensors), but the person closest to the leak did not apparently have time to evacuate to a place of high-enough oxygen concentration and died.

Short of requiring employees to carry O2 cylinders all of the time (expensive and not without their own level of hazard) there is not much that can be done to prevent this sort of accident, except ensuring high levels of ventilation. If you move high amounts of fresh air through areas of the facility where leaks can be expected to occur (and CO2 leaks should not happen often; it is a relatively inert gas) you greatly reduce the probability that unsafe concentrations of CO2 can occur or last long enough to kill employees.

One relatively simple way to do this is to keep all CO2 transfer lines on the outside of the building; normal air movements should serve to keep ambient O2 levels high enough in the event of a leak. In areas where transfer lines must traverse enclosed areas of the facility, emergency ventilation fans (tied to O2 sensors) may be necessary to flood the area with outside air to displace the leaking CO2. In areas where such ventilation is not necessary, emergency O2 bottles can be placed to allow anyone in such areas to get oxygen before they pass out (2 to 3 minutes after being in a depleted O2 environment).

It is way too early in this incident to tell what precautions had been taken by the facility owner to prevent this type of incident. The presence of alarms would seem to indicate that the employer was aware of the hazards, and it is possible that even if all reasonable precautions had been put into place that unusual circumstances were in play in this case.

A detailed investigation is going to be necessary to determine what happened and what could have been done to prevent it. Since a death from chemical exposure was involved, we might normally expect that the Chemical Safety Board (CSB) would investigate this accident. Recent news stories, however, have reported that the CSB does not intend to initiate any new investigations until their current investigation backlog is erased. We will probably hear more about this at the public CSB meeting later this month in Washington.

ICS-CERT Publishes Unitronics Advisory

This afternoon DHS ICS-CERT published a control system advisory for two vulnerabilities reported in the Unitronics VisiLogic OPLC IDE. The vulnerabilities were reported (through ZDI) by Steven Seeley of Source Incite, Fritz Sands of ZDI, and Andrea Micalizzi. Unitronics has produced an update package but there is no indication that any of the researchers were provided the opportunity to verify the efficacy of the fix.

The two vulnerabilities were:

• Unsafe ActiveX control marked safe for scripting – CVE-2015-6478; and
• Code injection – CVE-2015-7905.

ICS-CERT reports that a moderately skilled attacker could remotely exploit these vulnerabilities to execute arbitrary code.

There is nothing on the Unitronics web site or in the version documentation that describes the security vulnerabilities. There is the possibility that Unitronics directly contacted their customers during the period that this vulnerability was listed on the US CERT Secure Portal (posted November 3rd, 2015).

Actually, looking at the vulnerability ID number assigned by ICS-CERT (ICSA-15-274-02) it would seem that the advisory was probably placed on the Secure Portal on October 1st when the Omron advisory (ICSA-15-274-01) was published. Either that, or something happened at the last minute to cause ICS-CERT to hold the advisory for more than a month.

BTW: If you had been following the ICS-CERT notices on the Secure Portal, you would have already known about this vulnerability. If you are a critical infrastructure owner or cybersecurity officer see the bottom of the ICS-CERT landing page for instructions on how to apply for access.

Wednesday, November 11, 2015

ISCD Publishes CFATS Newsletter

Today the DHS Infrastructure Security Compliance Division (ISCD, the CFATS folks) posted a link to their latest CFATS Quarterly newsletter on the CFATS Knowledge Center. The newsletter is designed to provide a high-level overview of what is happening in the Chemical Facility Anti-Terrorism Standards (CFATS) program.

According to Annie Hunziker, Program Analyst with ISCD, the newsletter has been sent to “authorizers and submitters from all regulated facilities” in addition to being posted on the CFATS Knowledge Center.

This issue highlights the recent progress of the CFATS program, including approval of the CFATS Personnel Surety Program (PSP) Information Collection Request, information about the 2015 Chemical Sector Security Summit and the compliance inspection process.

Personnel Surety Program

Readers will remember that I last discussed the CFATS PSP in early October when ISCD published their Fact Sheet on the CFATS Personnel Surety Program. I told you at that time that we would be seeing a notice in the Federal Register in the ‘near future’. The latest word that I have from ISCD is that the notice is still making its way through the Department’s approval process. I suspect that there is still some political pressure being exerted by industry to get some additional changes or clarifications made to the PSP process.

Compliance Inspections

The compliance inspection process is actually mentioned in a couple of the articles in the newsletter. The one of most direct interest, however, is found on the second page. Announcing that the “Compliance Inspection are in full swing” the brief article provides three suggestions for preparing for the inspection:

• Review the SSP/ASP in its entirety and ensure that there is visual evidence of each measure to demonstrate to the inspection team;
• Review the planned measures and ensure there is documentation showing the successful completion of each planned measure; and
• Ensure all personnel with CFATS duties have been trained and are fully aware of their responsibilities within the SSP/ASP.

With the GAO reporting earlier this year that there were a large number of the facilities that had undergone compliance inspections that had not completed their planned security measures, this is an area that will undoubtedly get special attention from the Chemical Security Inspectors (CSI) conducting these compliance inspections. They will expect to see extensive documentation for the reason that any planned measures are not fully in place.

S 1356 Passed in Senate – 2016 NDAA

Yesterday the Senate adopted the House amendment to S 1356, the National Defense Authorization Act 2016 by a decidedly bipartisan vote of 91 to 3. This bill was passed last Thursday in the House by a similar vote of 370 to 58. The funding provisions of this bill were in accordance with the recent budget agreement, so there has been no threat of veto of this bill.

As best as I can tell the non-funding provisions of this bill are the same as HR 1735 that was vetoed by the President. It certainly has the same cybersecurity related provisions.

BTW: There is not yet an official copy of the House version of this bill. The only thing currently available is the final draft version that had been circulated in the House prior to the vote last week.

Bills Introduced – 11-10-15

Yesterday there were 21 bills introduced in the Senate (the House is back in their districts for Veterans Day and the Senate left last night). Of those two may be of specific interest to readers of this blog:

S 2270 A bill to address voluntary location tracking of electronic communications devices, and for other purposes. Sen. Franken, Al [D-MN]

S 2276 A bill to amend title 49, United States Code, to provide enhanced safety in pipeline transportation, and for other purposes. Sen. Fischer, Deb [R-NE]

S 2270 is more than a bit of a reach for possible coverage on this blog but that ‘for other purposes’ bothers me.

S 2276 is almost certainly going to be followed in this blog; just have to wait and see what the details are in the bill.

Tuesday, November 10, 2015

The Chemical Gloves Controversy – A Manifesto

I had an interesting (and prolonged) Twitversation with @SellaTheChemist (a well known British chemist and popularizer of all things Chemistry in Britain) yesterday about laboratory gloves. It all started with my comment about a photo accompanying a @ChemistryWorld post. The folks in the picture were using the old style bulb pipettes. They were wearing safety glasses and lab coats, but not gloves, and I complained about the lack of gloves in the stock photo.

Little did I know that in Britain, at least (but I suspect that might extend further in the EU), there is a ‘controversy’ over requirements to routinely wear lab gloves in the laboratory. I had never heard of a controversy about this very common personal protective equipment, so the conversation was a bit eye opening for me.

It became clear pretty quickly that Andrea Sella and I were talking past each other because of some basic disagreements on lab safety. And, to be sure, the 140 character limit of a Twitversation is more than a little limiting. So I thought I would take to my bully pulpit and issue a manifesto on lab gloves.

The Legal Standard

Here in the United States the basic legal requirement for the use of hand protection in the workplace is derived from the basic PPE Standard found in 29 CFR 1910.132. Paragraph (a) sums up the basic requirement nicely:

“Protective equipment, including personal protective equipment for eyes, face, head, and extremities, protective clothing, respiratory devices, and protective shields and barriers, shall be provided, used, and maintained in a sanitary and reliable condition wherever it is necessary by reason of hazards of processes or environment, chemical hazards, radiological hazards, or mechanical irritants encountered in a manner capable of causing injury or impairment in the function of any part of the body through absorption, inhalation or physical contact.” [emphasis added]

The specific standard (§1910.138) for gloves is actually quite short. It describes the selection process for gloves in paragraph (b):

“Employers shall base the selection of the appropriate hand protection on an evaluation of the performance characteristics of the hand protection relative to the task(s) to be performed, conditions present, duration of use, and the hazards and potential hazards identified.”

To get a better understanding of how the glove requirements are enforced in a lab environment you have to turn to the standard for “Occupational exposure to hazardous chemicals in laboratories.” (§1910.1450). Each lab is required to develop and maintain (annual updates) a Chemical Hygiene Plan. Part of that plan is the requirement to outline the criteria that “the employer will use to determine and implement control measures to reduce employee exposure to hazardous chemicals including engineering controls, the use of personal protective equipment and hygiene practices” {§1910.1450(e)(3)(ii)}.

That clearly does not require the use of lab gloves. OSHA inspectors expect to see the routine use of lab gloves because of a couple of statements seen in Appendix A to §1910.1450. This appendix is technically ‘non-mandatory’, but deviations from what is recommended typically draw official comments from inspectors that require justification of the deviations. The guidelines in the appendix address the development of the required Chemical Hygiene Plan and are based upon the National Research Council’s (NRC) 2011 edition of “Prudent Practices in the Laboratory: Handling and Management of Chemical Hazards.”

The first principle is to minimize all chemical exposures and risks. A key component of that principle is explained this way:

“Because few laboratory chemicals are without hazards, general precautions for handling all laboratory chemicals should be adopted [emphasis added]. In addition to these general guidelines, specific guidelines for chemicals that are used frequently or are particularly hazardous should be adopted.”

This is further expanded upon in the discussion of Hierarchy of Controls to avoid chemical exposures. There is the specific admonition to “not allow laboratory chemicals [emphasis added] to come in contact with skin” that precedes the discussion of glove selection. Both of these comments in Appendix A are used to explain an inspector’s expectation that laboratory gloves will be worn whenever chemicals are handled in the lab. Failure of a lab to meet that expectation would need to be justified to an inspector during an inspection or investigation.

Selection of Gloves

As a lab manager the proper selection of gloves for use in the lab is a very challenging topic if there are a variety of chemicals in use, since there is no single glove that is appropriate for handling all chemicals. Since lab gloves are high-turnover PPE, cost is certainly an issue. But other factors that must be taken into account include:

• Ease of wear or dexterity issues;
• Chemical permeability;
• Chemical reactions; and
• Temperature resistance.

For most labs this is going to mean that there is a general use lab glove that is used for most operations in the lab and then there will be gloves that will be used for specific chemicals or lab operations. It is not unusual to find the typical medical vinyl or latex ‘exam’ gloves to be used for general lab work; they are readily available from most supply houses and are relatively inexpensive when bought in case lots.

There are a number of glove compatibility guides available on-line. I have used both the Cole-Parmer and the Ansell guides, but there are a number of others available. A quick test of chemical compatibility (but not permeability) is to place 10 mL of the chemical in question in a finger of the glove and see if the chemical leaks through the glove. The longer it takes to break through the better, but I would never use a glove with a chemical if it did not take at least five minutes to break through (more on that later).

Wearing of Gloves

The first thing that you have to remember about gloves is that they are, by definition, not permeable. This means that liquids outside of the glove do not get inside (the purpose of wearing the gloves). But it also means that liquids inside the glove (think sweat) will stay inside the gloves. For people whose hands sweat prolifically this can lead to medical problems with the skin if gloves are not changed frequently. Some people use powdered (typically baby powder) gloves to mitigate this issue, but I have found that this can create contamination issues. I prefer to use cotton inspection gloves inside of my lab gloves.

Gloves have to fit properly so that the wearer can still accurately operate lab equipment. Nothing will stop people from wearing gloves faster than not being able to do their job with the gloves on. Unless you are able to hire a staff with all the same sized hands (good luck) this means that you are going to have to have multiple sizes of each type of glove on hand. As a lab manager one of the first things that I do with new personnel is to determine which size gloves they need and update my stocking as necessary.

Generally speaking, gloves should be worn whenever open containers of chemicals are being handled. This includes shipping and storage containers, but also lab containers like beakers, flasks and the like. Once a container is closed and checked to ensure that there is no chemical on the outside of the container, then gloves are typically no longer required. Chemicals that have a low quantity/concentration chemical hazard may require gloves when handling closed containers that have been previously opened, because of the possibility of small quantity spills/contamination on the outside of the bottle. This needs to be addressed in the chemical hygiene plan.

Finally there have to be clear limits on where gloves cannot be worn. Part of a chemical hygiene plan is taking a detailed look at lab operations to see where gloves must be worn and areas where they may not be worn. Doors are a common problem; you don’t want people to manipulate door handles with gloves on and then have someone without gloves manipulate the same handle. If people routinely carry chemicals into or out of the lab and that requires wearing gloves (product samples coming into a QA lab are a good case in point) then an automatic opener or levered door handles should be considered.

Computer keyboards are another concern. Gloves should never be worn when using a strictly admin computer. Keyboards (or other controls) for lab instruments make for more difficult rules. A detailed analysis of how the equipment is used will determine if the controls are always or never operated with gloves. Signage and training are keys to making this work.

Chemical Hygiene

The whole purpose of wearing gloves is not to wear gloves but to stop skin contact with chemicals. They are not to be used in place of good laboratory techniques that strive to keep chemicals IN their appropriate containers and not on the outside of the containers. This means that anytime chemicals get on the gloves they either need to be cleaned or disposed of. This is an absolute necessity to prevent cross contamination, particularly of closed containers that most people feel comfortable not wearing gloves to carry from one location to another.

Making the decision between the two is primarily a chemical hygiene decision, but any lab manager who has had to live within a budget knows that there are also financial considerations. For any chemical, however, that comes with a medical hazard at low concentrations (for bio-accumulators for instance) disposal is probably going to be the first choice.

To make this work, lab personnel are going to have to be trained to look at their gloves after each time that they handle a chemical container. That way they will have the best chance of properly identifying the contaminating chemical and taking the appropriate action to decontaminate.

Remember the five-minute break-through standard that I described earlier? This is where that comes into play. You can get away with using a glove that will break through after five minutes if you have properly trained your personnel to check their gloves after each time they handle a chemical. It is important, however, to let your people know which chemicals do have break-through times with specific gloves so that they can be extra careful with the handling of those chemicals.

Staging Gloves

If you are going to require employees to wear and change gloves, you are going to have to ensure that gloves are readily available. If people have to walk very far, they are probably going to ‘forget’ to wear them. This is especially true for gloves that are for limited use with specific high-hazard chemicals. Those chemicals and their required gloves need to be co-located in the lab.

Training is the key to any successful Chemical Hygiene Plan, and that is especially critical for the proper use of gloves. Employees need initial and periodic refresher training on the Chemical Hygiene Plan, but I have found that additional training on the proper use of gloves is usually required. Job aids are especially helpful in areas where specific glove types are to be used. Just as important, however, is a clear marking of areas where gloves are not to be worn.

Formal, documented training is important, but day-to-day training and evaluation need to be included in the training program. Every time the lab manager enters the lab, a short pause should be taken for a general safety observation. Specific checks for cleanliness, orderliness and PPE should be made on each visit, with other observation objectives covered on a routine (scheduled) basis. Shortcomings need to be quickly addressed as both a matter of training (ensuring that people know what safety requirements are in place and why) and discipline (ensuring that people do what they know is required).

One technique that can help people consider PPE requirements in labs where non-routine chemicals and processes are used is to require a listing of the PPE as part of the heading in the lab notebook, completed before the experiment is run. With this in place, lab notebook reviews become another technique for reinforcing the PPE requirements, with attention paid to both the ‘what’ and the ‘why’ of the requirements.

Moving Forward

A Chemical Hygiene Plan is required for all chemical labs in the United States. A key component of that Plan is delineation of the use of chemical gloves to protect lab employees from physical exposure to chemicals in the lab. Consideration of the chemicals handled, the mode of handling and the quantities handled must all be included in determining the requirements for selecting and using gloves as personal protective equipment.