Saturday, July 30, 2016

PHMSA Looking at Rail Hazmat Insurance

Earlier this week DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) published a request for comments in the Federal Register (81 FR 48885-48886) seeking public comments on its on-going study addressing liability issues with rail transportation of hazardous materials. This study was required by §7310 of the Fixing America's Surface Transportation (FAST) Act of 2015 (PL 114-94).

Study Requirements


The FAST Act required PHMSA to prepare a report on the current state “of insurance for railroad carriers transporting hazardous materials” {§7310(a)} as well as addressing what level and type of insurance would be necessary to both “allocate risk and financial responsibility for claims” {§7310(b)(2)(A)} and “ensure that a railroad carrier transporting hazardous materials can continue to operate despite the risk of an accident or incident” {§7310(b)(2)(B)}.

Public Input


In support of this study and report requirement PHMSA is soliciting public input on nine specific topics. They include:

• The current level, structure, and type of liability insurance coverage (including self-insurance and retentions) available for hazardous materials transportation by rail;
• The appropriateness of the current levels of liability insurance coverage for hazardous materials transportation by rail;
• The drivers of the current coverage limits for hazardous materials transportation liability insurance;
• The impact of foreign requirements related to insurance and liability coverage;
• Data relating to any previous or current initiatives for sharing the cost of insurance and/or legal liability for hazardous material by rail incidents between shipper and carrier;
• Alternative approaches from other industries that may be applicable to liability and insurance related to hazardous materials transportation by rail;
• Alternative programs that impose fees to fund secondary liability coverage and/or create liability caps;

Written comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # PHMSA-2016-0074). Comments should be submitted by September 9th, 2016.

Commentary


Railroads have long maintained that they bear the bulk of the potential liability for accidents involving the transportation of hazardous material by rail. While their safety record for hazmat transportation is pretty impressive, the possible consequences of a major hazmat release in a rail accident can be quite large. This was more than adequately demonstrated a few years back during the derailment of a crude oil train in Quebec, Canada, where large portions of the center of a town were incinerated.

There have been a number of attempts by the railroads to get the Surface Transportation Board to allow railroads to charge hazmat shippers a liability premium for shipments of hazardous material.

Hazmat shippers, on the other hand, note that the majority of railroad accidents are the result of deficiencies in railroad operations, either errors committed by railroad employees, or failure to adequately maintain railroad equipment (most often the actual rail lines). Shippers do not feel any obligation to assume any measure of liability for accidents caused by railroad errors.

Hopefully, the PHMSA report will include a look at the three different types of liabilities related to hazmat shipments: shipped-product safety liability, railcar maintenance liability and operational liability.

Shippers are responsible for the proper classification, packaging and marking of hazmat shipments. They generally argue that their liability should be limited to the results of errors associated with those responsibilities. Railroads argue that the inherent characteristics of hazardous materials increase the potential consequences and costs associated with railroad accidents. Since they are required by law to accept any properly classified, packaged and marked hazardous material shipment, railroads argue that the liability for the increased cost of the consequences of a hazmat release should be borne, at least in part, by the shipper.

The PHMSA report to Congress needs to clearly identify the issues of joint and several liability for the consequences of hazardous material releases during railroad accidents. PHMSA is clearly not going to be able to resolve the issue; that is going to be an issue for either Congress or the Courts.


To ensure that PHMSA has all of the information necessary to adequately inform Congress about this hazmat shipping liability issue, the chemical industry will need to ensure that it is fully involved in the comment process. Shippers need to fully document what they see as the limits of their liability in a hazmat release and what steps they take to protect themselves against the costs associated with that liability.

Friday, July 29, 2016

ICS-CERT Publishes Four Advisories

Earlier this week the DHS ICS-CERT published four advisories for industrial control system vulnerabilities in products from Rockwell and Siemens.

Rockwell Advisory


This advisory describes two authentication vulnerabilities in the Rockwell Automation FactoryTalk EnergyMetrix application. These vulnerabilities were self-reported. This advisory was originally released on the US CERT Secure Portal on June 21, 2016.

The two vulnerabilities are:

• Insufficient session expiration - CVE-2016-4531; and
• SQL injection - CVE-2016-4522

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to gain unauthenticated access to the affected system.

Siemens SINEMA Advisory


This advisory describes a cross-site scripting vulnerability in the Siemens SINEMA Remote Connect Server (VPN) application. The vulnerability was reported by Antonio Morales Maldonado of INNOTEC SYSTEM, and Alexander Van Maele and Tijl Deneut of Howest. Siemens has produced an update to mitigate the vulnerability but there is no indication that any of the researchers have been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to gain ongoing access to these devices, but a social engineering attack would be required.

Siemens SIMATIC Net PC Advisory


This advisory describes a denial-of-service vulnerability in the Siemens SIMATIC NET PC-Software. The vulnerability was reported by Vladimir Dashchenko and Sergey Temnikov from Kaspersky Labs. Siemens has produced a new version to mitigate the vulnerability but there is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to cause a denial-of-service of the OPC-Unified Architecture (UA) service. Siemens reports that the attacker would require network access to exploit this vulnerability.

Siemens SIMATIC WinCC Advisory


This advisory describes two separate input validation vulnerabilities in the Siemens SIMATIC WinCC, PCS 7, and WinCC Runtime Professional applications. The vulnerabilities were reported by Sergey Temnikov and Vladimir Dashchenko from Kaspersky Lab. Siemens has produced updates to mitigate these vulnerabilities, but there is no indication that the researchers have been provided an opportunity to verify the efficacy of the fixes.


ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to extract arbitrary files or remotely execute arbitrary code. Siemens reports that the attacker would require network access to exploit this vulnerability.

Thursday, July 21, 2016

S 3186 Introduced – Active Shooter Support

Last week Sen. Carper (D,DE) introduced S 3186, the Active Shooter Preparedness Enhancement Act of 2016. This is a companion bill to HR 5643, introduced earlier this month by Rep. Duckworth (D,IL).

Moving Forward


Carper is the ranking member of the Senate Homeland Security and Governmental Affairs Committee, the committee to which this bill was assigned for consideration. Thus, unlike HR 5643, this bill has the potential for being considered in Committee.

There is nothing in the bill that would draw any significant opposition, so there is a good chance that if the bill were considered in committee or on the Senate floor that it would pass with at least some bipartisan support. The problem is, this late into the final month of the 114th Congress few bills will make it to the floor for consideration.

Commentary
I would urge anyone interested in this type of legislation to read my post on HR 5643. In short, any active shooter incident at an industrial facility needs to take into account the types, quantities and locations of any hazardous chemicals stored, produced or used at the site. I have seen little or no discussion of this inherent problem in any of the publications I have seen about active shooter events.

ISCD Updates CFATS Website for CSAT 2.0

Yesterday the DHS Infrastructure Security Compliance Division (ISCD), in conjunction with their Federal Register announcement about the implementation of CSAT 2.0, updated a number of their Chemical Facility Anti-Terrorism Standards (CFATS) program web sites. They also added a new page briefly outlining the new tiering methodology implementation.

Revised Pages


The following web sites were modified:


For the most part each page was modified by adding minor variations of the following note:

“Per the notice published in the Federal Register on July 20, 2016, DHS has temporarily suspended the requirement to submit a Chemical Security Assessment Tool (CSAT) Top-Screen and Security Vulnerability Assessment as the Department improves the tiering methodology process.”

Tiering Methodology Page


The new Chemical Facility Anti-Terrorism Standards Tiering Methodology page provides a brief overview of most of the information that was presented in yesterday’s Federal Register notice. Other than mentioning that the Site Security Plan (SSP) CSAT tool will also be ‘revised and streamlined’ there is no mention of the new relationship between the SSP and SVA tools.

The page also notes that ISCD is intending to add new (and presumably revise some existing) frequently asked questions on the CFATS Knowledge Center to address the changes being wrought in the CFATS program. As of the time of the writing of this blog post (06:00 am EDT), no such changes have been made to the FAQs.

Commentary


These pages were modified/added overnight. This is a fairly comprehensive and timely update of a Federal web site to reflect an important new change in a regulatory program. While ISCD is to be commended on its prompt attention to the program web site, I do have a couple of complaints.

First, and foremost, is the lack of any real mention of the changes being made to the SSP portion of the CSAT tool. I am severely disappointed that the SSP page was not updated to include a mention of the fact that any un-submitted SSP data in a facility's SSP tool will be erased when the SSP tool is updated sometime next month. Particularly considering the unwieldy nature of the current SSP tool (which hopefully is being substantially reformatted in CSAT 2.0), the amount of work that could potentially be lost could be very disheartening for many CSAT Preparers.

Second, it is almost as disturbing to see no mention of the change in the relationship between the SVA and SSP. In the old CSAT these two reports were submitted sequentially, and submission of the SSP did not begin until the SVA was ‘approved’ by ISCD. The move to developing the tiering notification based upon the Top Screen makes infinitely more sense, but it will make for a major shift in how a facility implements its CFATS process. This surely should have received at least some mention in yesterday’s website update.

Finally, when I saw the new tiering methodology page I expected to see at least some information about the actual methodology. I know that ISCD has committed to providing some level of detail about that new risk assessment process and this would have been an appropriate time and place to do so.


This is certainly not going to be the last change to the CFATS website reflecting changes being brought about by the implementation of the new risk assessment process or CSAT 2.0. In the next month or so we can expect to see a number of new and/or revised CSAT publications being published. I hope that ISCD intends to publish those in a phased manner so that we have a chance to review and digest the changes in each CSAT 2.0 tool before we consider the next tool revision.

Wednesday, July 20, 2016

DHS Publishes CSAT 2.0 Notice

Today the DHS Infrastructure Security Compliance Division (ISCD) published a notice in the Federal Register (81 FR 47001-47004) outlining the plan for the implementation of their new risk assessment protocol and the revisions to the Chemical Security Assessment Tool that are being called CSAT 2.0. This includes the temporary suspension of requirements to submit Top Screens (TS) and Security Vulnerability Assessments (SVA) effective today.

Three-Step Process


Today’s notice outlines a three-step process that ISCD will be undertaking to implement the new risk assessment protocol and CSAT 2.0. Those steps are:

• Temporarily suspend, effective July 20, 2016, the requirement for CFATS chemical facilities of interest to submit a Top-Screen and SVA;
• Replace the current CSAT Top-Screen, SVA, and SSP applications with CSAT 2.0 (i.e., the revised CSAT Top-Screen, SVA, and SSP applications) in September 2016; and
• Reinstate the Top-Screen and SVA submission requirements in 6 CFR 27.210(a) on October 1, 2016.

The Top Screen and SVA submission suspension affects all chemical facilities that may be required to submit either initial or resubmission Top Screens and SVAs.

Presumably the implementation of CSAT 2.0 will include the publication of new CSAT manuals during the month of September.

Facilities Not Affected


The notice makes clear that four specific classes of facilities will not be affected by the changes included in the implementation of CSAT 2.0. They include:

• Agricultural production facilities and miscellaneous extensions;
• Chemical facilities of interest with reportable COI that are only present in a gasoline mixture;
• Statutorily excluded facilities; and
• Untiered facilities that previously notified the department they had no reportable COI.

TS Submission Notifications


Once CSAT 2.0 is up and running ISCD will begin notifying ‘chemical facilities of interest’ of their need to submit a Top Screen. The notice makes it clear that the term ‘chemical facilities of interest’ was used deliberately instead of ‘covered facilities’ because it includes facilities that may have already submitted a Top Screen that indicated that they possessed DHS chemicals of interest (COI) inventories at or above the Screening Threshold Quantity (STQ).

The notification letters will be sent out in a phased manner over a number of months, presumably in a manner reflecting ISCD’s potential risk assessment of the previous information provided. There is no specific language in the notice that would indicate that all facilities that have provided Top Screens to ISCD will be notified to re-submit Top Screens at this time.

Facilities that do not have current COI inventories at or above the STQ will not be required to submit Top Screens to ISCD, even if they are notified by letter to submit a Top Screen. Those facilities may either submit a zero COI Top Screen or otherwise notify ISCD that they have no COI at or above the STQ and will not be submitting a Top Screen.

The notice does state that currently covered facilities that believe that the new risk assessment methodology will result in a lower tiering may submit a Top Screen before being notified by ISCD to do so. This certainly implies that ISCD will be sharing more information about the new risk assessment methodology and that tracks with what I have heard from ISCD privately. I do not expect that they will be sharing their actual model publicly, but they will be sharing more information about how the risk assessment methodology works.

Existing SVAs and SSPs


The notice makes it clear that only completed and submitted SVAs and Site Security Plans (SSPs) will be retained in CSAT 2.0. Partially completed SVAs and SSPs will be lost when CSAT 2.0 is implemented. This is particularly important to remember because ISCD will continue to accept new or revised SSP/ASP submissions up until the date of the CSAT 2.0 switch over.

New SVA/SSP Timetable


For the most part, since ISCD expects to make a tiering decision based upon the new Top Screen, there will be no need to delay the SSP submission until after the receipt of the SVA. According to this notice, therefore, the new SVA and SSP tools in CSAT 2.0 have been designed to have facilities submit both documents concurrently. While more details are expected when the new manuals are published in September, it would seem that there will be more direct sharing of information between the two tools that should make the submission of both documents easier.

This means that ISCD is changing the submission deadline for the SVA from the current 90 days in §27.210(a)(2) to 120 days. It is interesting to note that the current regulation specifically allows ISCD to change that deadline with a Federal Register notice rather than requiring a rulemaking. The notice also makes it clear that the same notification of high-risk and tiering that now initiates the SVA submission requirement also is being used to initiate the SSP requirement. That certainly means that ISCD will be modifying the current notification letters.

Since the SVA and SSP tools will be so closely linked, facilities that revise their SSP will now also be required to revise their SVA at the same time.

Regular Top Screen Submissions


The notice indicates that regular Top Screen submissions for facilities reporting new inventories of COI at or above the STQ will resume on October 1st, 2016. Facilities that acquire such inventories between now and then will have 60 days from October 1st to submit their Top Screen.

CSSS Update
I am sure that there will be more information available at today’s session at the Chemical Sector Security Summit presentation on “Infrastructure Security Compliance Division (ISCD) Regulatory Update”. That session will be web cast at 10:00 am EDT.

Tuesday, July 19, 2016

NIST Looking at CSF and Manufacturing Operations

Thanks to Joel Langill for his TWEET® pointing at a new pre-publication draft of a National Institute of Standards and Technology (NIST) document entitled “Manufacturing Profile Cybersecurity Framework”. The Executive Summary of the document describes its purpose this way:

“This document provides the Cybersecurity Framework implementation details developed for the manufacturing environment. The “Manufacturing Profile” of the Cybersecurity Framework can be used as a roadmap for reducing cybersecurity risk for manufacturers that is aligned with manufacturing sector goals and industry best practices.”

It is not clear when/if NIST intends to publish this document, but it looks like it will be a valuable addition to the documents used to help organizations implement the Cybersecurity Framework (CSF).

Manufacturing Overview


There is a brief, if somewhat simplistic, overview of manufacturing systems. It breaks manufacturing down into two broad categories: process-based and discrete-based. It then breaks process-based manufacturing into two separate processes: continuous and batch. I call this ‘somewhat simplistic’ because many manufacturing organizations use a combination of both systems and processes.

The important missing element in the manufacturing overview is any mention of the different types of cyber-systems used in the manufacturing environment. A wide variety of industrial control systems are used in the control of manufacturing processes, inventory control, safety systems, security systems and environmental controls.

Manufacturing and Business Objectives


The section on manufacturing and business objectives lays out five main areas where cybersecurity affects the manufacturing environment:

• Maintain personnel safety;
• Maintain environmental safety;
• Maintain quality of product;
• Maintain production goals; and
• Maintain trade secrets

The document then ties these categories of cybersecurity concern back into the categories and subcategories of the CSF Core. It highlights each of the subcategories in the Core that apply to each of the manufacturing objectives listed above.

The NIST document then goes on to undertake a lengthy discussion about how risks can be categorized for each of the subcategories in the CSF Core. Then, in Section 7 (Manufacturing Profile Subcategory Guidance) of the document NIST provides detailed proposed language for evaluating the cybersecurity risk profile for the manufacturing segment of an organization. Again this is based upon the categories and subcategories of the CSF Core.

Moving Forward


This document currently stands alone on the NIST web site without any indication of how NIST intends to move forward with this draft document. I would hope that NIST will continue their proactive efforts to bring industry into the development of the various documents that support the CSF. The 28 pages of the Manufacturing Profile Subcategory Guidance are too much for a single person (even me – GRIN) to effectively review and provide suggestions for improvement.


I do think that NIST has done another remarkable job of producing a draft document for public review and comments.

Friday, July 15, 2016

ICS-CERT Updates Advantech Advisory

Yesterday, in addition to the two updates I have already reported on, the DHS ICS-CERT updated a control system security advisory for Advantech WebAccess that was originally published on June 21st, 2016.

The update adds ZDI to the vulnerability reporting process. It also adds an information exposure vulnerability (CVE-2016-5810) to the previously reported vulnerabilities.

I became aware of this vulnerability earlier today when I received an email from ICS-CERT (part of the notification program for which you can sign up) notifying me that the advisory had been updated. There was also a TWEET from ICS-CERT today making the same notification.

My followers on TWITTER would normally have seen a Re-TWEET from me, but for some reason ICS-CERT has been blocking Re-TWEETS of a number of their advisory and update TWEETs. Not all of them have been treated that way, but an interesting number of them have.


Bills Introduced – 07-14-16

On their last day in Washington for the next seven weeks the House and Senate introduced 236 bills. Of those, five may be of specific interest to readers of this blog:

HR 5786 To amend title 49, United States Code, to provide for a rail spill preparedness fund, and for other purposes. Rep. DeFazio, Peter A. [D-OR-4]

HR 5843 To establish a grant program at the Department of Homeland Security to promote cooperative research and development between the United States and Israel on cybersecurity. Rep. Langevin, James R. [D-RI-2]

HR 5859 To amend the Homeland Security Act of 2002 to establish the major metropolitan area counterterrorism training and exercise grant program, and for other purposes. Rep. McCaul, Michael T. [R-TX-10]

HR 5877 To amend the Homeland Security Act of 2002 and the United States-Israel Strategic Partnership Act of 2014 to promote cooperative homeland security research and antiterrorism programs relating to cybersecurity, and for other purposes. Rep. Ratcliffe, John [R-TX-4]

HR 5900 To require compliant flame mitigation devices to be used on portable fuel containers for flammable liquids, and for other purposes. Rep. Thompson, Mike [D-CA-5]


Generally speaking these bills have little chance of being considered before this Congress disbands at the end of the year. For the most part these bills were introduced to provide the various congresscritters with bragging points in their campaigns. Still, I’ll be looking at each of these bills when they become available for review; there may be some interesting provisions.

CSB Business Meeting – 07-27-16

Today the Chemical Safety Board published a meeting notice in the Federal Register (81 FR 46045) for a business meeting to be held in Washington, DC on July 27th, 2016. The Board will provide an update on the 2016-2020 strategic plan, the status of Office of the Inspector General audits, open investigations, and the agency's action plan, as well as discuss financial and organizational updates. Conference call access is being made available.


There will be a brief public comment period at the meeting. Written comments may also be submitted via email (public@csb.gov).

Thursday, July 14, 2016

OMB Approves CSAT 2.0 ICR

Today the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that they had approved the DHS Infrastructure Security Compliance Division’s (ISCD) information collection request (ICR) revision for the Chemical Security Assessment Tool (CSAT). ISCD has been calling the revised CSAT tools ‘CSAT 2.0’, reflecting the underlying change in the risk assessment process.

As I understand things the approval of this ICR does not mean that ISCD will immediately change over to CSAT 2.0. Part of the reason is that they still have to get the risk assessment process up and running along with getting the other tools upgraded to the 2.0 version. The plan remains that CSAT 2.0 and the new risk analysis process will be made active sometime this Fall.

As I mentioned in an earlier post, ISCD will be publishing a notice in the Federal Register outlining the process involved in the change-over, including describing which types of facilities will be required to submit a new Top Screen to re-start the screening process. There is currently no indication that there will be a wholesale requirement for all CFATS facilities to re-do their Top Screens ahead of when the regulations currently require them to.


I had been hoping that ISCD would be web casting their CSAT 2.0 demonstrations at the Chemical Sector Security Summit, but that is not going to happen. I have been hearing, however, that there will be some sort of future web casts of the various tools like the Top Screen web cast earlier this year.

ICS-CERT Updates Two Advisories and Three New Advisories

Today the DHS ICS-CERT published updates for control system advisories from Honeywell and Siemens. They also published two new control system advisories and a medical control system advisory.


Honeywell Update


This update explains that additional Honeywell processes in the same applications are affected by the same vulnerability and mentions the researchers that reported the vulnerability in those processes. It also provides version numbers for the affected applications. The update also identifies the .DLL file that contains the source of the vulnerability and reports that a replacement .DLL file has been made available for all affected devices.

The original vulnerability was reported in April. This update was actually published on July 12th, but there was no public announcement of the advisory until it was announced today on TWITTER®.

Siemens Update

This update provides version information for the latest device to have an update available to resolve the vulnerability. A link has also been made available for that device. Only one device remains without an update.

The original vulnerability was reported in April and updated once in June. As with the June update, there has been no public announcement of this update. Fortunately, Siemens CERT published a TWEET when they updated their advisory earlier this week.

Philips Medical Advisory


This advisory describes a large number of vulnerabilities in the Philips Xper-IM Connect system. The vulnerabilities were reported by Mike Ahmadi of Synopsys and Billy Rios of Whitescope LLC. A new software version is available and ICS-CERT reports that an independent third-party organization has verified the efficacy of the fixes.

ICS-CERT reports that the vulnerabilities were identified on a system running on Windows XP, Version 1.3.0.065. They identified 272 vulnerabilities associated with the Philips software and an additional 188 vulnerabilities from the unsupported Windows system.

ICS-CERT reported that a relatively low skilled attacker could remotely exploit these vulnerabilities with publicly available exploits to compromise the Xper-IM Connect system.

ICS-CERT has added a new recommendation to their standard list of recommendations to protect medical control systems (and it would apply to all control systems):

“Ensure that nonproduct-related software packages, such as email and web browser software, are not installed on medical devices, as they could contain vulnerabilities, malware, and broaden the attack surface, which could impact the intended function of the device.”

Schneider SoMachine Advisory


This advisory describes an ActiveX control vulnerability in the Schneider SoMachine software. The vulnerability was reported by Andrea Micalizzi via ZDI. Schneider has provided an update to mitigate the vulnerability. There is no indication that Micalizzi was provided the opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to remotely execute arbitrary code.

The Schneider security notification was originally published on June 10th, 2016.

Moxa Advisory


This advisory describes an authentication bypass vulnerability in the Moxa MGate products. The vulnerability was reported by Maxim Rupp. Moxa has produced a new software version that mitigates the vulnerability. There is no indication that Rupp has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to log in as a valid user.

Schneider Pelco Advisory


This advisory describes a hard-coded credential vulnerability in the Schneider Pelco Digital Sentry Video Management System. The vulnerability was self-identified by Schneider.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to gain access to confidential information or execute code on the affected system.


The Schneider security notification was originally published on June 1st, 2016.

OMB Receives TSA Surface Transportation Security Training Rule

On Tuesday the OMB’s Office of Information and Regulatory Affairs (OIRA) received a notice of proposed rulemaking (NPRM) from the TSA covering security training requirements for surface transportation. This rule was mandated by the Implementing Recommendations of the 9/11 Commission Act of 2007 (§1408 of PL 110-53) and was supposed to have been published in 2008.

According to the latest Unified Agenda abstract:

“This rule would require security awareness training for front-line employees for potential terrorism-related security threats and conditions pursuant to the 9/11 Act. This rule would apply to higher-risk public transportation, freight rail, and over-the-road bus owner/operators and take into consideration the many actions higher-risk owner/operators have already taken since 9/11 to enhance the baseline of security through training of their employees. The rulemaking will also propose extending security coordinator and reporting security incident requirements applicable to rail operators under current 49 CFR part 1580 to the non-rail transportation components of covered public transportation agencies and over-the-road buses.”


It will be interesting to see how long it takes OIRA to approve this NPRM. They have a number of rulemakings to review in order to avoid the midnight rule restrictions imposed by President Obama. This rulemaking hardly fits in the category of a last minute partisan rule.

Bills Introduced – 07-13-16

With just one day left before the House and Senate start their 7-week summer recess we are starting to see a sharp increase in the number of bills introduced, with 89 bills introduced yesterday. Of those bills only three may be of specific interest to readers of this blog:

HR 5762 To improve the safety of hazardous materials rail transportation, and for other purposes. Rep. Bonamici, Suzanne [D-OR-1]

S 3186 A bill to amend the Homeland Security Act of 2002 to provide for active shooter and mass casualty incident response assistance, and for other purposes. Sen. Carper, Thomas R. [D-DE]

S 3187 A bill to increase the authorization of the National Transportation Safety Board through fiscal year 2020, to require the NTSB to investigate major oil and other hazardous materials derailments, to expand the Secretary of Transportation's emergency order authority, and to require the Secretary of Transportation to establish a volatility standard for crude oil transported by rail. Sen. Merkley, Jeff [D-OR]

It is tempting to call the two railroad hazmat bills election year posturing, but that would not be the case for Merkley, who is not facing re-election for another four years. It will be interesting to see if these are actually companion bills (identical bills introduced in both houses of Congress).


It will be interesting to see if Carper’s bill addresses the unique issues of response to active shooter incidents at facilities where hazardous chemicals are stored.

Wednesday, July 13, 2016

House and Senate Pass HR 636 - FAA Authorization Bill

On Monday the House adopted, by a voice vote, a version of HR 636 that substituted new language for that adopted by the Senate in April. The cybersecurity provisions in the Senate language were removed and a new cybersecurity section was added. One of the two unmanned aircraft provisions associated with critical infrastructure facilities was completely re-written and the other remained mainly intact.

Cybersecurity


Section 2111 of the bill would require the FAA to develop “a comprehensive and strategic framework of principles and policies to reduce cybersecurity risks to the national airspace system, civil aviation, and agency information systems”. It would require the FAA’s Aircraft Systems Information Security Protection Working Group (ASISPWG) to identify and address cybersecurity risks associated with aircraft systems {§2111(a)(2)(1)(A)} including:

• To assess cybersecurity risks to aircraft systems;
• To review the extent to which existing rulemaking, policy, and guidance to promote safety also promote aircraft systems information security protection;
• Cybersecurity risks associated with in-flight entertainment systems;
• Whether in-flight entertainment systems can and should be isolated and separate, such as through an air gap, under existing rulemaking, policy, and guidance; and
• To provide appropriate recommendations to the Administrator if separate or additional rulemaking, policy, or guidance is needed to address cybersecurity risks to aircraft systems;

Critical Infrastructure Overflight


Section 2209 is a rewrite of §2154 that was adopted from S 2658. It requires the FAA to establish procedures for critical infrastructure facilities to apply to the FAA “to prohibit or restrict the operation of an unmanned aircraft in close proximity to a fixed site facility” {§2209(a)}. The bill would limit such restrictions to the following types of facilities:

• Critical infrastructure, such as energy production, transmission, and distribution facilities and equipment;
• Oil refineries and chemical facilities;
• Amusement parks; and
• Other locations that warrant such restrictions.

Section 2210 is essentially the same language that was found in the Senate bill. It would allow critical infrastructure owners more latitude in their use of drones in inspection and monitoring activities.

Moving Forward



With the July 15th authorization deadline fast approaching, it appears that the Senate has accepted the House language on HR 636 by a vote of 89 to 4. The bill will go to the President who will certainly sign the bill.

S 2012 Goes to Conference – Energy Authorization

It took a month and a half for the Senate to accomplish what everyone knew it would; yesterday the Senate rejected the House amendments to S 2012 and established a conference committee to deal with the differences between the two versions of the bill.

The cybersecurity provisions of the House and Senate versions should make it into the final bill. The most interesting thing to see will be which version of the ‘Critical electric infrastructure security’ {§1104 in the House passed version; §2001 in the Senate version} section of the bill will make it into the final bill. Likewise the House provision on the volatility of crude oil (§5009) should also make it into the final bill.

It is not clear how much work the Conference Committee will get done during the summer recess. For the most part the principals (the actual congresscritters) will be back in their districts raising money and glad-handing the electorate. Some staff work will get done, but a conference is all about horse trading and deal making; that requires the active personal participation of the elected representatives.


If an appropriate compromise can be worked out that can allow the bill to be considered in the Senate, there is a chance that the bill could pass in the brief session between Labor Day and the election recess.

Tuesday, July 12, 2016

ICS-CERT Publishes Two Advisories

Today the DHS ICS-CERT published two control system security advisories for products from GE and Tollgrade.

GE Proficy Advisory


This advisory describes an improper privilege management vulnerability in earlier versions of the GE Proficy HMI/SCADA CIMPLICITY application. The vulnerability was reported by Zhou Yu of Acorn Network Security. GE notes that subsequent versions of the application do not contain the vulnerability, having been corrected by August 2014.

ICS-CERT reports that local access is required or that a remote exploit would require a social engineering attack. Exploit code is publicly available (link not provided in ICS-CERT Advisory).

The GE Product Security Advisory for this vulnerability recommends upgrading to a newer version of the application, but it also provides commands that serve to mitigate the vulnerability in the affected versions.

Tollgrade Advisory


This advisory describes three vulnerabilities in the Tollgrade Communications, Inc. Smart Grid LightHouse Sensor Management System (SMS) Software EMS. The vulnerabilities were reported by Ashish Kamble of Qualys, Inc. Tollgrade has produced a new version that mitigates the vulnerabilities. ICS-CERT reports that Kamble has tested the new version to verify the efficacy of the fix.

The vulnerabilities are:

• Missing authentication for critical application - CVE-2016-5790;
• Information exposure through an error message - CVE-2016-5797; and
• Forced browsing - CVE-2016-5807

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerabilities to restart the system, brute force a login, or change privileged parameters.

House Passes HR 5639, NIST Improvement

Yesterday, as expected, the House passed HR 5639, the National Institute of Standards and Technology Improvement Act of 2016, by a voice vote. There were only eleven minutes of ‘debate’ on the bill before the vote was taken, but there were no words spoken in opposition to the bill.

As I mentioned in my earlier post there is only one cybersecurity provision in the bill, but it is more of a face-saving slap at the NSA than an effective legislative provision.


The bill, if it reaches the floor of the Senate before the end of the session, will almost certainly be considered under their unanimous consent provisions where it will be passed with no debate and no vote.

OMB Approves CG TWIC Reader Final Rule

On Saturday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced their approval of the final rule for the Coast Guard’s Transportation Workers Identification Credential (TWIC) Card Reader Requirements. The final rule had been submitted to OIRA back in April. The notice of proposed rulemaking (NPRM) for this rule was published in June of 2013 and I did a series of blog posts on the public comments the CG received about the NPRM.

As I have mentioned earlier this final rule will have no effect on facilities covered by the Chemical Facility Anti-Terrorism Standards (CFATS) program as it only applies to Maritime Transportation Security Act (MTSA) covered facilities which are exempt from CFATS coverage. There is, however, an outside chance that some provisions from this rule could be included in the CFATS revisions that we are expecting to see in the not too distant (hopefully) future.


I expect that the final rule will be published in the Federal Register later this week.

Monday, July 11, 2016

Committee Hearings – Week of 7-10-16

Both the House and Senate are in Washington this week, but it is scheduled to be their last week until early September. The hearing schedule is fairly light this week with only three hearings of interest to readers of this blog; two cybersecurity and one PHMSA oversight hearing.

Cybersecurity


On Wednesday the Cybersecurity, Infrastructure Protection, and Security Technologies Subcommittee of the House Homeland Security Committee will be holding a hearing on “Value of DHS’ Vulnerability Assessments in Protecting Our Nation’s Critical Infrastructure”. This will deal with cybersecurity assessments conducted by the DHS Office of Cybersecurity and Communications (CS&C) and Office of Infrastructure Protection (presumably including assessments conducted by ICS-CERT). The witness list includes:

• Matthew J. Eggers, US Chamber of Commerce;
• Robert H. Mayer, United States Telecom Association;
• Mark Clancy, Soltra;
• Mordecai Rosen, CA Technologies; and
• Ola Sage, e-Management

On Tuesday the Energy Subcommittee of the Senate Energy and Natural Resources Committee will be holding a hearing on S 3018. The witness list includes:

• Patricia Hoffman, US Department of Energy;
• Duane D. Highley, Arkansas Electric Cooperative Corporation;
• Rob Manning, Electric Power Research Institute; and
• Brent Stacey, Idaho National Laboratory

Readers will recall that this is the bill that I called for support via a letter writing campaign.

PHMSA


On Tuesday the Surface Transportation and Merchant Marine Infrastructure, Safety, and Security Subcommittee of the Senate Commerce, Science and Transportation Committee will be holding a hearing looking at “The FAST Act, the Economy, and Our Nation’s Transportation System”. It is not clear what portions of the FAST Act will actually be covered in this hearing. The witness list includes:

• Patrick J. Ottensmeyer, Kansas City Southern Railway Company;
• Jay Thompson, Commercial Vehicle Safety Alliance;
• David Eggermann, BASF; and
• Stephen J. Gardner, Amtrak

On the Floor

There will be a large number of bills considered in the House this week under suspension of the rules with limited debate, no amendments, and requiring a super majority to pass the bill. Of those being considered only one is of specific (if very minor) interest to readers of this blog; HR 5639, the National Institute of Standards and Technology Improvement Act.


The Senate will take another try at starting debate on HR 5293, the FY 2017 DOD spending bill. Amendments (including one to substitute language from S 3000) will not be filed until the first cloture vote is agreed to. I’m not holding my breath, but this could possibly pass and go to conference before the summer recess.

HR 5639 Introduced – NIST Update

Last week Rep. Moolenaar (R,MI) introduced HR 5639, the National Institute of Standards and Technology Improvement Act of 2016. The bill updates the National Institute of Standards and Technology Act (15 USC 272). There is only one minor cybersecurity provision in the bill.

Cybersecurity Provision


Section 11 of the bill makes one small change to 15 USC 278g–3, the computer standards program. It removes the words ‘National Security Agency’ from paragraph (c)(1). That paragraph lists the agencies that NIST must consult with in establishing standards for information systems and cybersecurity standards for federal information systems.

Moving Forward


Moolenaar is a member of the House Science, Space and Technology Committee, the committee to which the bill was assigned for consideration. More importantly many of the ten cosponsors are influential members of the Committee and the Congressional leadership. This is clearly reflected by the fact that the bill will be considered this week under suspension of the rules. The bill will almost certainly pass with substantial bipartisan support.

Commentary



This change was almost certainly included in response to news that the NSA influenced NIST to include backdoors in encryption standards. The change does not prevent NIST from consulting with NSA, or limit what influence NSA has on NIST operations. The change is simply a face-saving move by Congress so that it appears that Congress has limited the influence of NSA.

OMB Approves PHMSA HHFT Oil Spill Response Plan NPRM

On Friday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved the DOT’s Pipeline and Hazardous Material Safety Administration’s (PHMSA) notice of proposed rulemaking on “Oil Spill Response Plans and Information Sharing for High-Hazard Flammable Trains”. The advanced notice of proposed rulemaking (ANPRM) for this rulemaking was published in August of 2014. The NPRM was sent to OIRA back in February.

It is interesting to note that there was a significant change in the title of this rulemaking after the ANPRM was published. Originally titled: “Oil Spill Response Plans for High-Hazard Flammable Trains”, the new title (which added the words ‘and Information Sharing’) was first used in the Fall 2015 Unified Agenda. It was not until the Spring 2016 agenda was published that we were able to see how that might affect the scope of the rulemaking. The abstract for the rulemaking now states:

“This rulemaking, developed in consultation with the Federal Railroad Administration, would revise PHMSA's regulations to expand the applicability of comprehensive oil spill response plans (OSRPs) based on thresholds of liquid petroleum oil that apply to an entire train. We are also proposing to revise the format and clarify requirements of a comprehensive OSRP and to require railroads to share information [emphasis added] about high-hazard flammable train operations with state and tribal emergency response organizations (i.e., State Emergency Response Commissions and Tribal Emergency Response Commissions) to improve community preparedness. Lastly, PHMSA is proposing an update to boiling point testing [emphasis added] procedures to provide regulatory flexibility and promotes enhanced safety in transport through accurate packing group assignment.”


The information sharing provisions should be fairly straightforward, but it will be interesting to see how PHMSA deals with the terrorism fears on subsequent information sharing by State agencies. What will be very interesting to see is how PHMSA plans to deal with the crude oil volatility issue being addressed by the changes to boiling point testing (see my post about their earlier Safety Advisory on the topic). The wording in the Unified Agenda does not seem to indicate that PHMSA will be using the controversial vapor pressure testing that many environmental and safety advocates have been calling for. I have addressed some of the problems with vapor pressure testing in an earlier blog post.

Saturday, July 9, 2016

HR 5643 Introduced – Active Shooter

Earlier this week Rep. Duckworth (D,IL) introduced HR 5643, the Active Shooter Preparedness Enhancement Act of 2016. The bill outlines DHS responsibilities for assisting State and local governments and the private sector in developing active shooter preparedness plans.

Preparedness Response


Section 2 of the bill would add a new section to the Homeland Security Act of 2002; Sec. 890B. Active shooter and mass casualty incident response assistance. It would require DHS to develop guidance “to assist in the development of emergency action and response plans for active shooter and mass casualty incidents in public and private locations, including facilities that have been identified by the Department as potentially vulnerable targets” {new §809B(a)}. The guidance would include {new §809B(a)}:

• A strategy for properly responding to an active shooter or mass casualty incident in a public or private location;
• A plan for establishing a unified command;
• A schedule for regular testing of equipment used to receive communications during such an incident;
• A practiced method and plan to communicate with occupants of such location during such an incident;
• A practiced method and plan to communicate with the surrounding community regarding such an incident;
• A plan for coordinating with volunteer organizations to expedite assistance for victims;
• A schedule for joint exercises and training;
• A plan for outreach to facilities that have been identified by the Department as potentially vulnerable targets; and
• Other planning documents, as determined by the Secretary.

Grants


Section 3 of the bill amends 6 USC 607(a)(2) to add “training exercises to enhance preparedness for and response to mass casualty and active shooter incidents and security events at public and private locations” {new §607(a)(2)(E)} to the list of law enforcement terrorism prevention activities for which grants are authorized under the Urban Area Security Initiative and State Homeland Security grant programs.

Section 4 of the bill amends 6 USC 608(b) by adding “Active shooters” {new §608(b)(9)} to the list of threats that DHS takes into account in prioritizing Urban Area Security Initiative and State Homeland Security grant allocations.

No new funding is provided in the bill.

Moving Forward


Duckworth is not a member of any of the three committees (Homeland Security, Judiciary, and Transportation and Infrastructure) to which this bill was assigned for consideration. This means that, especially this late in the session, it is unlikely that the bill will receive consideration in any of these committees unless she convinces people in the committee leaderships to co-sponsor the bill.

There is nothing in the language of this bill that would raise any organized opposition to the bill. If it were to make it to the floor for a vote, it would likely do so under the suspension of the rules provisions and pass with solid bipartisan support.

Commentary


I will start out with a by now familiar comment about the grant portions of the bill. The bill would expand the number of potential grants without expanding the amount of money available to share with State and local authorities. This means that either the number of other grants available would have to be reduced or the amounts of money in the other grants would be reduced. This type of legislative grant dilution is political grandstanding.

The other thing wrong with this bill is not unique to Duckworth’s approach. I have yet to see any serious discussion of the unique problems that chemical storage brings to the active shooter situation. I have talked to a senior police officer with a major municipal police force who had responsibilities for responding to active shooter and terrorist incidents at a major refinery. No one had explained to him the potentially catastrophic problems that could arise if his police started shooting on the refinery grounds.

Given the fact that various hazardous chemicals are found in a wide variety of industrial facilities (NOT just chemical plants) any requirement for a strategy for active shooter incidents at industrial facilities is going to have to start with an assessment of the potential chemical hazards that could be encountered at the facility.

It is just as important that emergency response personnel (police, fire and emergency medical technicians) who could respond to an active shooter event at a facility that stores hazardous chemicals be informed of the hazards associated with the chemicals and their locations in the facility. Additionally, medical facilities that could be accepting and treating casualties from such events need to be informed of the potentially hazardous chemicals with which casualties could be contaminated, both for the safety of the medical facility and staff and so that they are prepared to treat the chemical injuries that could result from chemical releases during active shooter events.

With that in mind, I would insert a new paragraph (b) to the section being added by §2 of the bill {and change the current paragraph (b) to paragraph (c)}:

(b) Strategy guidelines for facilities that store industrial chemicals:

(1) In developing an active shooter strategy, all industrial facilities will first develop an assessment of the hazardous chemicals stored at the facility. That assessment will include a listing of:
A. Each hazardous chemical stored at the facility;
B. The quantity of each hazardous chemical identified in (A) above; and
C. The location of each place in the facility where the chemicals identified in (A) above are produced, used, or stored.
(2) The facility will determine the potential hazards associated with each of the chemicals identified in (1) above. At a minimum the facility will determine the potential consequences of multiple punctures of storage containers of each of the chemicals listed in (1) above, including:
A. The potential for fires and explosions,
B. The potential for, and extent of, a toxic atmosphere,
C. The potential for the formation of an oxygen deficient atmosphere, and
D. The potential for the mixing of incompatible chemicals and the hazards associated with such mixing;
(3) The facility will also determine the areas of a facility where the potential for a flammable atmosphere might be expected to exist during normal operations; and
(4) The facility will also determine the areas of a facility where the potential for an oxygen deficient atmosphere might normally be expected to exist.
(5) The information developed in (1) thru (4) above will be listed as annexes to the facility strategy for properly responding to an active shooter or mass casualty incident.

(6) Definition: In this section the term ‘hazardous chemical’ will include, at a minimum, all of the chemicals listed in §112(r) of the Clean Air Act {42 USC 7412(b)}. This definition does not prohibit a facility owner/operator from adding chemicals to the hazardous chemical list when, in the opinion of the owner/operator, the added chemical presents a potential hazard to employees or the environment if released during an active shooter event.

Uncontrolled Polymerization Hazards - Acrylates

There is a brief article at NJ.com about a recent incident at a warehouse where six firefighters were hospitalized for chemical-exposure-related symptoms after responding to a reported fire at the warehouse. It appears that some chemicals in drums began to self-react, causing a chemical vapor release that affected the firemen approaching the warehouse doors. The chemical involved was an unspecified acrylate.

Acrylates


Acrylates are a family of vinyl monomers that are based upon chemical modifications of acrylic acid. The modifications are made by adding carbon chains of varying lengths to either (or both) of the two carbons separated by the characteristic double bond that makes these chemicals important components of a wide variety of commercial polymers. While acrylate monomers are frequently used to make homopolymers (polymers containing just a single type of monomer) they are more frequently used to make copolymers where relatively small amounts of acrylates are added to other monomers to modify or tailor the characteristics of the resulting polymer.

All acrylate monomers have some level of toxicity associated with them. Generally speaking, the longer the side chains added to the monomer, the lower the level of toxicity. See the manufacturer’s Safety Data Sheet (SDS) for toxicity information. They also have a characteristic odor that becomes less offensive and harder to detect as the side chains get larger.

For ease of handling, higher molecular weight (longer side chains) acrylates have organic solvents added; this increases the volatility and may increase the flammability of the products. The lower molecular weight acrylates are very volatile and flammable in their own right.

Autopolymerization


All vinyl monomers have the capability to auto-polymerize, that is, to begin to react to form polymers without the addition of reaction initiating chemicals. A variety of inhibitors are added to these monomers to prevent that auto-polymerization process, but none of them are completely successful and a very low rate of autopolymerization is almost always in progress in stored monomers.

Polymerization of vinyl monomers always results in the production of heat. In the polymer production process a great deal of energy is consumed in controlling the heat of reaction because the higher the temperature of the reactants the faster the polymerization process proceeds. It is important to control the rate of the reaction for both quality and safety purposes.

Each acrylate monomer has its own characteristic autopolymerization temperature. Generally speaking, the smaller the length of the side chains, the lower that temperature is. The autopolymerization temperature is important because when the monomer reaches that temperature it is not possible to control the autopolymerization process by applying external cooling.

Safety Concerns


If the heat of reaction is not removed by external cooling, the heat produced by the autopolymerization process raises the temperature of the acrylate/solvent mixture, which increases the rate of reaction. At lower product temperatures air cooling of the containers is sufficient to remove the heat of reaction of properly inhibited acrylate mixtures.

As the inhibitor is consumed over time, the rate of the autopolymerization reaction increases and at some point air cooling is no longer adequate to control the temperature of the container. If additional inhibitor is not added, or more efficient cooling provided, you can reach the point where a significantly self-accelerating polymerization reaction is taking place, with an accelerating increase in the acrylate temperature.

At some point, if not controlled, the autopolymerization reaction will increase the temperature of the acrylate mixture to the point that the vapor pressure of the acrylate or solvent will exceed the pressure rating of the sealed container causing a failure of the container (potentially a catastrophic failure) and a release of the acrylate and/or solvent vapors to the atmosphere. This could result in an explosive flammable-air mixture.

Response


The autopolymerization reaction becomes a safety concern when there is a noticeable rise in the temperature of the storage container. Material stored in drums or other portable containers should have the temperature checked periodically (see the manufacturer’s safe handling guidance for monitoring frequency) and the drum temperature recorded so that trends can be tracked.

When a significant temperature rise is noted (see the manufacturer’s safe storage guidance for what is considered ‘significant’ for the particular acrylate), check the drum for any signs of bulging or other indicators of pressure, then carefully open the container {wearing ALL appropriate personal protective equipment (PPE) – see the SDS} and add the re-stabilization chemical (also known as a ‘backstop’) recommended by the manufacturer (typically a phenothiazine solution).

If the temperature continues to rise after the backstop solution is added, or there are signs of container pressurization (bulging top or leaking), you have a hazardous material response situation that requires specially trained personnel. Typically, this is going to include isolation of the material and the application of cooling water to the outside of the container to reduce the possibility of catastrophic loss of containment. Atmospheric and run-off water monitoring should also be conducted.

If you have loss of containment during the incident the liquid will be some combination of the base acrylate and any solvent used in the solution. In either case they are hazardous materials and should be treated appropriately. Both toxicity and flammability will be issues of concern. Because of the heat of the liquids escaping the containers, there will be a significant vapor cloud (again flammable and toxic) associated with any release.
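As an added example (not code from the original post, and not from any manufacturer's guidance), the monitoring and escalation steps above as a small drum temperature log analyzer: it tracks the trend, flags a self-accelerating rise before the total rise looks alarming, and escalates when a logged backstop dose fails to arrest the rise or pressurization is noted. The thresholds, window, timestamps and state names are constructed placeholders; the real thresholds come from the manufacturer's safe storage guidance for the specific acrylate.

```python
"""Drum temperature trend monitor for stored acrylate monomer (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed placeholder thresholds: the manufacturer's guidance supplies the real ones.
SIGNIFICANT_RISE_C = 5.0        # rise over the trailing window that calls for a backstop dose
POST_BACKSTOP_RISE_C = 2.0      # continued rise after a backstop dose that escalates to hazmat
WINDOW = timedelta(hours=24)    # trailing window over which the rise is measured


@dataclass
class Reading:
    when: datetime
    temp_c: float
    backstop_added: bool = False   # operator logged a re-stabilizer (backstop) dose at this check
    pressurized: bool = False      # bulging top, leaking or other sign of container pressure


def make_log(temps, hours_between=8.0, backstop_at=None, pressurized_at=None):
    """Build a constructed reading log from temperatures taken at a fixed interval."""
    start = datetime(2016, 7, 9, 6, 0)  # constructed start time
    return [
        Reading(start + timedelta(hours=i * hours_between), t,
                backstop_added=(i == backstop_at), pressurized=(i == pressurized_at))
        for i, t in enumerate(temps)
    ]


def rates_of_rise(readings):
    """Temperature change in degrees C per hour between consecutive readings."""
    rates = []
    for prev, cur in zip(readings, readings[1:]):
        hours = (cur.when - prev.when).total_seconds() / 3600.0
        rates.append((cur.temp_c - prev.temp_c) / hours)
    return rates


def is_accelerating(rates, n=3):
    """True when the last n rates are all positive and each exceeds the one before.

    A rising rate of rise is the signature of a self-accelerating polymerization,
    so it is flagged even while the total rise is still below the threshold.
    """
    tail = rates[-n:]
    return (len(tail) == n and all(r > 0 for r in tail)
            and all(b > a for a, b in zip(tail, tail[1:])))


def assess_drum(readings):
    """Classify a drum's temperature log as STABLE, ADD_BACKSTOP or HAZMAT_RESPONSE."""
    if not readings:
        raise ValueError("at least one reading is required")
    readings = sorted(readings, key=lambda r: r.when)
    latest = readings[-1]

    # Any sign of pressurization is a hazmat response situation regardless of the trend.
    if any(r.pressurized for r in readings):
        return "HAZMAT_RESPONSE"

    # A backstop dose was logged: the only remaining question is whether the rise continued.
    dosed = [i for i, r in enumerate(readings) if r.backstop_added]
    if dosed:
        since_dose = readings[dosed[-1]:]
        if since_dose[-1].temp_c - since_dose[0].temp_c >= POST_BACKSTOP_RISE_C:
            return "HAZMAT_RESPONSE"
        return "STABLE"  # holding or falling after the dose: keep monitoring

    # No dose yet: look at the rise over the trailing window and the shape of the trend.
    in_window = [r for r in readings if r.when >= latest.when - WINDOW]
    rise = latest.temp_c - in_window[0].temp_c
    if rise >= SIGNIFICANT_RISE_C or is_accelerating(rates_of_rise(readings)):
        return "ADD_BACKSTOP"
    return "STABLE"


if __name__ == "__main__":
    # Constructed 8-hourly checks on one drum: a runaway that a backstop dose did not arrest.
    log = make_log([22.0, 23.0, 25.0, 28.0, 32.0, 34.0, 36.0], backstop_at=4)
    print(assess_drum(log))  # HAZMAT_RESPONSE
```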

Summary


Acrylates are valuable industrial chemicals used in the making of many specialty polymers and plastics. They are, however, hazardous materials and must be treated with care and respect. Facilities that store these materials need to understand the autopolymerization hazards and have a plan in place to deal with them. An essential part of that plan must be a close working relationship with the local first responder community, ensuring that the first responders are aware of the potential hazards and how to deal with them.

Thursday, July 7, 2016

ICS-CERT Publishes Two Advisories and the Monitor

Today the DHS ICS-CERT published two control system security advisories for products from Moxa and WECON. They also published the latest edition of the ICS-CERT Monitor.

Moxa Advisory


This advisory describes an authorization bypass vulnerability in the Moxa Device Server Web Console. The vulnerability was reported by Maxim Rupp. Support for the device ended in 2012, but Moxa has provided recommendations to mitigate this vulnerability. There is no indication that Rupp has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to gain access to change settings and data on the target device.

Moxa suggests disabling two ports and restricting access to three others. They note that such restrictions could impact remote systems administration.

WECON Advisory


This advisory describes two buffer overflow vulnerabilities in the WECON LeviStudio software. The vulnerabilities were reported by Rocco Calvi and Brian Gorenc via the Zero Day Initiative. WECON has not released (and apparently does not plan to release) a product fix to address these vulnerabilities; CAVEAT EMPTOR.

The two vulnerabilities are:

• Heap-based buffer overflow - CVE-2016-4533; and
• Stack-based buffer overflow - CVE-2016-5781

ICS-CERT has a new take on social engineering attacks, and I quote:

“An attacker with low skill would be able to exploit these vulnerabilities. Crafting a working exploit for these vulnerabilities would not be difficult; however, social engineering is required to convince the user to accept the malformed file or visit a malicious web site. This decreases the likelihood of a successful exploit.”

May-June 2016 Monitor


The Monitor covers ICS-CERT operations during May and June of this year. The lead-off article on a specific incident takes an oblique look at the use of SHODAN for identifying control system components facing the internet. Beyond pointing out that some sort of internet facing device (presumably a control system component?) was identified by ICS-CERT via SHODAN, the only information of note is that devices identified with an ISP IP address cannot be directly identified by ICS-CERT. They have to forward notification to the owner via the ISP. Good to know that ISPs are protecting our privacy (at least in this instance).

We also see four pieces about ICSJWG meetings. The first is a recap of an ICS-CERT presentation at the Spring meeting about “Viewing Your Network through the Eyes of an Attacker”. There is also a listing of the other ICS-CERT presentations at that meeting. Then there is a brief preview of the Fall Meeting. The final item is a lengthy item about the Advanced Analytical Lab’s presentation at the Spring Meeting.

This issue contains a little bit more information about the system assessments that ICS-CERT does. It contains a brief article outlining the top six weaknesses that ICS-CERT identified in their assessments in 2015. Those weaknesses are:

(1) Boundary protection;
(2) Least functionality;
(3) Authenticator management;
(4) Identification and authentication;
(5) Least privilege; and
(6) Allocation of resources

There are also two brief pieces on Protected Critical Infrastructure Information (PCII). The first is a short article on what facilities need to do to claim PCII protections for information that they submit to ICS-CERT. While the overview is pretty good, there is a lack of detail on what exactly must be in the Express Statement and in the Certification Statement. Those details are available on the PCII web site.


On the whole, this issue of the Monitor is well worth reading.