Last week Rep. Jackson-Lee (D,TX) introduced HR 59, the Frank
Lautenberg Memorial Secure Chemical Facilities Act. This bill is nearly
identical to HR 54 introduced last session and very similar to bills introduced by
Ms. Jackson-Lee and Rep. Thompson (D,MS) over the last eight years. It provides
a complete rewrite of the current chemical facility security rules passed in
the 113th Congress.
The bill includes all of the button-pushing issues that the
Democrats love and the Republicans hate, so there is little chance (actually no
chance) that this bill will be considered at any time during this session of
Congress. In fact, the last time that the Democrats controlled both the House
and Senate a similar bill was passed in the House but could not make its way to
the floor of the Senate for consideration.
There are, however, some cyber security provisions in this
bill that readers of this blog might find of interest.
First, the bill would take the current cybersecurity
requirements found in 6 CFR 27.230(8) and include them in the language of the
newly proposed 6 USC 2203(d)(8). The only changes made to the language are
physical formatting changes intended to make the requirements more readable.
Both sets of language require covered chemical facilities to have
measures in place for “deterring cyber sabotage, including by preventing
unauthorized onsite or remote access to critical process controls” and then
list the general types of systems to be protected, including:
• Supervisory control and data acquisition systems;
• Distributed control systems;
• Process control systems;
• Industrial control systems;
• Critical business systems; and
• Other sensitive computerized systems
Moving the existing risk-based performance standards from the CFR into
the USC serves a single purpose: it makes it harder for DHS to change these
standards by regulatory means, since a change would then require an act of Congress.
Secondly, under a new §2206, Timely Sharing of Threat Information, the
owner/operator is required to notify DHS of “any intentional or unauthorized
penetration of the physical security or cyber security of the covered chemical
facility, whether successful or unsuccessful” {new §2206(b)(1)(B)}. While the lack of a definition of the
key term ‘penetration’ is not unusual in bills of this type, it makes the cybersecurity
reporting requirement particularly unclear: read literally, every blocked port scan,
failed login attempt or phishing email arriving at a covered facility could be an
“unsuccessful penetration” that must be reported to DHS.
Finally, we see
again the requirement for hackers (specifically including “blue hat, red
hat, and white hat hackers” {§2111(b)(6)})
to “validate the security measures instituted to address cyber based threats”.
Ignoring for the moment the lack of definition of key terms, including the
different colored hats, the requirement is misplaced. Penetration
testing, properly done, can certainly be a good thing for evaluating security
controls, but this requirement is placed in the section dealing with conducting
assessments of “methods to reduce the consequences of a terrorist attack”, not in the
section dealing with security protocols.
A similar problem is seen in the previous subparagraph in
the same section. It refers to:
“The design of computing systems and
development of plans, exercises, and drills to re-engage computing systems used
in the processing, transport, storage of chemicals that are designed as a
‘risk’ by the Secretary using protocols for trusted recovery under the worse
case conditions;”
Again, this sounds like good cybersecurity planning and both
of these requirements (with adequate definitions of key terms) should be
included in the performance standards portion of the bill, not the inherently
safer technology portion. I am not sure if it was added here as a mistake or a
serious misunderstanding of the role of cyber security.