Saturday, June 30, 2018

Public ICS Disclosures – Week of 06-23-18


This week we have a vendor advisory and two updates of previously issued advisories from Siemens. Additionally, OSIsoft released a new version of their PI SDK 2018 that, according to the release notes, addresses (among other issues) “potential security issues in PI SDK code as identified by Synopsis Static Analysis (Coverity)”.

Siemens Advisory


This advisory describes “service of the affected products listening on all of the host’s network interfaces on either port 4884/TCP, 5885/TCP, or port 5886/TCP could allow an attacker to either exfiltrate limited data from the system or to execute code with Microsoft Windows user permissions”. The vulnerability was reported by Chris Bellows and HD Moore from Atredis Partners and Austin Scott from San Diego Gas and Electric. Siemens has provided new versions for some of the affected products to mitigate the vulnerability and identified work arounds for others. There is no indication that any of the researchers have been provided an opportunity to verify the efficacy of the fix.

RAPIDLab Update


This update provides new information on two vulnerabilities that was previously reported by Siemens on June 12th, 2018. The new information is an acknowledgement that the vulnerabilities were reported by Oran Avraham from MEDIGATE. This advisory has not been reported by ICS-CERT.

Spectre and Meltdown Update


This update provides new information on the Spectre and Meltdown vulnerabilities in Industrial Products that was last updated on May 29th,  2018. The new information provides new version and mitigation information for HMI Panels with SIMATIC WinCC V14.

Commentary


You have to give OSIsoft credit for turning to an outside agency (Coverity) to have static code analysis done on their product. This independent evaluation is an example of going the extra mile in secure code development. What is not clear, however, from the release notes on this product is whether or not the code issues being corrected existed in the earlier versions of the development kit.

If the corrected vulnerabilities were in earlier versions, I would have preferred to see an enumeration of those vulnerabilities in a security advisory so that users could conduct a proper risk assessment to see if their situation necessitated an immediate upgrade to this newer version. OSIsoft has a strong history of identifying and correcting security issues, so I suspect that they felt that either the vulnerabilities were related just to new code or that they vulnerabilities in the previous code were so minor as to not require specific notification.

Friday, June 29, 2018

Bills Introduced – 06-28-18

With both the House and Senate preparing to leave Washington for the very-long 4th of July weekend there were 91 bills introduced yesterday. Of those, four may be of specific interest to readers of this blog:

S 3153 An original bill to authorize appropriations for fiscal years 2018 and 2019 for intelligence and intelligence-related activities of the United States Government, the Community Management Account, and the Central Intelligence Agency Retirement and Disability System, and for other purposes. Sen. Burr, Richard [R-NC]

S 3158 An original bill making appropriations for the Departments of Labor, Health and Human Services, and Education, and related agencies for the fiscal year ending September 30, 2019, and for other purposes. Sen. Blunt, Roy [R-MO]

S 3159 An original bill making appropriations for the Department of Defense for the fiscal year ending September 30, 2019, and for other purposes. Sen. Shelby, Richard C. [R-AL]

S 3182 A bill to amend the Homeland Security Act of 2002 to provide for the responsibility of the National Cybersecurity and Communications Integration Center to maintain capabilities to identify threats to industrial control systems, and for other purposes. Sen. Sasse, Ben [R-NE]

It will be interesting to see if S 3182 is a companion bill to HR 5733 (which passed in the House earlier this week), or if this is a version that addresses some of the definition problems that plague the House bill.

Thursday, June 28, 2018

ICS-CERT Publishes 1 Advisory and 1 Update for Medtronic Products


Today the DHS ICS-CERT published a medical device security advisory for products from Medtronic. They also updated a previously published medical device security advisory for products from the same company.

Medtronic Advisory


This advisory describes two vulnerabilities in the Medtronic MyCareLink Patient Monitor. The vulnerabilities were reported by Peter Morgan of Clever Security. Medtonic will be installing an automatic update to mitigate the vulnerabilities. There is no indication that Morgan has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Use of hard-coded password - CVE-2018-8870; and
Exposed dangerous method or function - CVE-2018-8868

The Medtronic advisory makes a very important point about these vulnerabilities in particular that may include an important lesson to learn for all medical devices:

“Medtronic encourages patients to only use home monitors obtained directly from Medtronic or their clinician. Patients should not use a pre-owned MyCareLink Patient Monitor or one that is purchased secondhand or online. Monitors obtained through unofficial means are at an increased risk for exploitation associated with the vulnerabilities identified.”

ICS-CERT reports that an uncharacterized attacker with physical access to the monitor can exploit these vulnerabilities to allow privileged access to the monitor’s operating system.

Medtronic Update


This update provides new information on an advisory that was originally published on February 27th, 2018. The update includes:

• A change in format of the advisory;
• New information in the ‘Risk Evaluation’ section (formerly the ‘Impact’ section);
• Removal of the second and third paragraphs from the old ‘Impact’ section;
• Addition of a new vulnerability (Improper restriction of communication channel to intended endpoints - CVE-2018-10596); and
• Addition of a new work around (disconnecting the programmer from the network).

The revised Medtronic advisory contains some information that does not entirely match up with the new information in ICS-CERT update. They note, for instance that: “After issuing this advisory on Feb. 27, 2018, Medtronic was made aware of additional vulnerabilities [emphasis added] in the CareLink 2090 Programmer and its accompanying software deployment network.” Since Medtronic does not name the ‘vulnerabilities’ it is possible that they have been lumped into the single vulnerability listed in the ICS-CERT report.

S 3109 Introduced – FY 2019 DHS Spending


Last week Sen. Moore (R,WV) introduced S 3109, the Department of Homeland Security Appropriations Act, 2019. This bill does not contain language for a one-year extension of the Chemical Facility Anti-Terrorism Standards (CFATS) program, but it does continue to provide funding at FY 2018 levels for that program. There are numerous cybersecurity mentions and one unmanned aircraft system (UAS) provision that may be of interest to readers of this blog.

Cybersecurity


The Committee provided funding for the National Computer Forensics Institute to continue training “to bolstering State and local cyber capabilities and supports USSS Electronic Crimes Task Forces” (pg 75). Funding was provided at $25 million; an increase of $6.2 million over FY 2018 and $21 million more than the Trump Administration requested.


Funding for the National Cybersecurity and Communications Integration Center (NCCIC) was set at $279 million with $186 million of that going to “Computer Emergency Response Teams”; presumably ICS-CERT and US-CERT. They also allocated $29.4 million of the NCCIC funds for “for election security through NCCIC activities, including vulnerability scans and incident detection and response” (pg 82).

DHS Science and Technology (S&T) received $6.5 million for ‘cyber physical systems’ research. This includes $1.5 million “to continue collaborating with the Department of Energy on Cybersecurity of Energy Delivery Systems, which utilizes critical large scale electric power transmission test facilities and relies on active cooperation and integration with operational utility providers” (pg 111).

Counter UAS


The Report allocates $13 million for “supports continued investments in research, development, testing, and evaluation of Counter-Unmanned Aerial Systems” (pg 109) but notes that: “Committee is extremely disappointed that the Department is unable to carry out many such activities because it does not currently have the necessary legal authorities to do so.”

Moving Forward


The Senate Appropriations Committee adopted the bill by a vote of 26 to 5 (pg 122). This level of bipartisan support is necessary to bring the House bill (which is being marked up this week) to the for a vote. This cooperative work in the Senate on spending bills this year provides the best chance we have seen in quite some time for actually getting individual spending bills to the President instead of having to wait for a series of continuing resolutions and a massive spending bill at the last (or beyond the last) minute.

Commentary


I really expected to see language providing a one-year extension of the CFATS program in this bill. Either the Committee was sure that the normal order would prevail and an as-of-yet unwritten authorization bill will pass before the end of the year (and that possibility does exist), or they are relying on the fact that this DHS spending bill continuing the funding for the CFATS program (listed as ‘Infrastructure Security Compliance’ on page 81 of the report) will be sufficient to carry the program through what ever legislative delay occurs between January 18th, 2019 and a final bill being signed by the President.

An argument can be made that funding the program past the ‘expiration date’ is a defacto continuing authorization. In fact, DHS has not seen authorization language since it was formed in 2002. The difference, though, is that the Homeland Security Act did not include an expiration date for DHS.

I have heard a number of legally knowledgeable individuals say that continued funding is all the program really needs to keep going. I am not enough of a legal scholar to really comment on that. I do know, however, that industry is going to look askance at any program directives that come out of the DHS Infrastructure Security Compliance Division (ISCD) after January 18th lacking a reauthorization bill, especially if complying with those directives costs any money. And there would be a natural tendency of corporate lawyers to argue against any enforcement actions on the basis of ISCD lacking reauthorization. Such arguments could take years to resolve in the courts.

We could still see a short-term extension of the CFATS program in the House bill, or one could be added in the floor amendment process in either house. I would expect, however, for such an amendment to carry the day that it would have to be authored by the Chair and Ranking Member of the respective homeland security committee. Such an amendment would signal the end of the prospects for a CFATS authorization bill in this session.

House Continues Debate on Amendments to HR 6157 – FY 2019 DOD Spending


Yesterday the House continued debate on HR 6157, the Department of Defense Appropriations Act, 2019. Both cyber workforce amendments that I discussed earlier were passed by voice votes. Debate was closed on all 29 additional amendments, but votes remain on five of those amendments and a debate on the final bill. Those votes are expected today.

Bills Introduced – 06-27-18


Yesterday with both the House and Senate in session there were 35 bills introduced. Of these, one may be of specific interest to readers of this blog:

HR 6237 To authorize appropriations for fiscal years 2018 and 2019 for intelligence and intelligence-related activities of the United States Government, the Community Management Account, and the Central Intelligence Agency Retirement and Disability System, and for other purposes. Rep. Nunes, Devin [R-CA-22]

Of course, the good stuff will be in the classified annex to the bill, but I will be watching the public version of the bill for cybersecurity language. The text of the bill is already available, and it is rather unusual in that it has two titles, the first is the authorization act for FY 2018 and the second for FY 2019. A quick look at the table of contents for each title shows some potentially interesting sections in each. More later.

Wednesday, June 27, 2018

Rules Committee Okays Additional Amendments for HR 6157, FY 2019 DOD Spending


Yesterday the House Rules Committee set the rule for today’s consideration of additional amendments to HR 6157, Department of Defense Appropriations Act, 2019. Two cyber related amendments from the list I described last week were added to the total of 29 amendments to be considered today.

The two amendments were:

• #4 from Rep. Hastings (D,FL); it would add $5 million dollars for training and retention of cybersecurity personnel DOD wide (it was #31 on the original list); and
#21 from Rep. Langevin (D,RI); it would add $10 million to the existing Cyber Scholarship program (it was #57 on the original list)

Both amendments are likely to be approved by voice votes.

Bills Introduced – 06-26-18


Yesterday with both the House and Senate in session there were 36 bills introduced. Of those three may be of specific interest to readers of this blog:

HR 6229 To authorize the programs of the National Institute of Standards and Technology, and for other purposes. Rep. Comstock, Barbara [R-VA-10]

HR 6235 To amend title 18, United States Code, to prohibit the use of unauthorized unmanned aircrafts over wildfires. Rep. Tipton, Scott R. [R-CO-3]

S 3132 A bill to amend title 18, United States Code, to prohibit the use of unauthorized unmanned aircrafts over wildfires. Sen. Gardner, Cory [R-CO]

HR 6229 is the official version of the bill that I discussed on Monday. It is being marked up in the House Science, Space, and Technology Committee today.

The two other bills are almost certainly companion measures written in response to a recent incident where a television news drone caused a grounding of firefighting aircraft during a wildfire in Colorado. There was a temporary flight restriction in place which made the flight illegal in the first place. One media report also noted that 43 CFR 9212.1(f) (interfering with firefighting efforts) could also be stretched to cover this issue. In any case, I will be watching these bills for any language that authorizes interception action in response to the violation.

Tuesday, June 26, 2018

House Passes STSAC Authorization and ICS Security Bills


Yesterday the House passed two bills that have been covered in this blog; HR 5081, the Surface Transportation Security and Technology Accountability Act of 2018, and HR 5733, the DHS Industrial Control Systems Capabilities Enhancement Act of 2018. Both bills were considered under the suspension of the rules process and were approved by voice votes.

I do not often mention the ‘floor debate’ about bills considered under the suspension of the rule process because that debate is normally congratulations about the bipartisan effort to develop the bill in committee. While we certainly saw a good measure of this in the debate on ICS cybersecurity bill, we also saw a potentially important mention of the DHS ICS-CERT.

In his brief speech supporting the bill, Rep. Langevin (D,RI) talked at some length about the important work being done by ICS-CERT. He started by explaining his amendment adopted by the House Homeland Security Committee on vulnerability disclosures (pg H5631):

“During the committee consideration, I was also proud to offer an amendment to codify ICS-CERT’s coordinated vulnerability disclosure program [emphasis added] that ensures ICS vulnerabilities can be reported securely, promptly, and responsibly.”

He goes on to note (pg H5632):

“The coordinated vulnerability [disclosure] program does just that by helping critical infrastructure owners and operators who receive notices from ICS-CERT about discovered vulnerabilities and effective patches before malicious actors have a chance to exploit any flaws. Mr. Speaker, this bill would empower ICS-CERT to carry out this mission fully and effectively [emphasis added].”

While I have been critical of the bill’s failure to mention both ICS-CERT and US-CERT as the organizations that carry out the specified work of the National Cybersecurity and Communications Integration Center (NCCIC), the specific mention of the role of ICS-CERT in the congressional debate on this bill will go a long way is preserving the existence of, and defining the role of, that organization.

Bills Introduced – 06-25-18


Yesterday with both the House and Senate in session there were 29 bills introduced. Of these, one may be of specific interest to readers of this blog;

S 3122 A bill to support coding education. Sen. Cantwell, Maria [D-WA]

This bill is a long shot for additional coverage here, but I will watch it for inclusion of language about secure coding practices.

Monday, June 25, 2018

Rules Committee Approves Structured Rule for HR 6157, FY 2019 DOD Spending


This evening the House Rules Committee adopted a structured rule for the consideration of HR 6157, the Department of Defense Appropriations Act, 2019. The rule provides for floor action on a short-list of 24 of the 139 amendments submitted to the Committee last week. Additional amendments will be considered in an additional rule to be developed by the Committee tomorrow.

None of the nine amendments that I discussed briefly on Saturday were included in the initial 24 amendments included in this rule.

The House will probably start debate on this bill tomorrow afternoon.

CFATS Outreach Goes Bilingual


Today the DHS Infrastructure Security Compliance Division (ISCD) published a news item on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center announcing that they were publishing some of the CFATS outreach documents in a Spanish language version. The four documents published today were:

CFATS Tiering Methodology/Metodología para asignar niveles
RBPS 9 Response/RBPS 9 Respuesta
CFATS Overview/Resumen
CFATS First Steps/Primero Pasos
Report a CFATS Violation/ Denuncie Una Infraccion

This is an interesting move from the Trump Administration. I do not know how large a business audience there is for Spanish language CFATS information, but three of the first four documents listed above would be appropriate for the initial outreach to potentially affected facilities where the management is more comfortable working in Spanish rather than English. The one outlier is the RBPS 9 fact sheet; I am not sure why it was included in this translation effort unless the intention is to provide all CFATS fact sheets in a Spanish language version.

The last document frankly makes the most sense to translate into Spanish. With the increasing size of the bilingual work force, it is certainly appropriate to ensure that those workers have full access to the whistleblower information provided in this flyer. An interesting counterpoint question to this announcement is whether there are bilingual personnel manning the CFATS Tipline? Failure to appropriately provide that type of support will nullify the effort being made today.

Committee Hearings – Week of 06-24-18


With both the House and Senate in session this week it looks to be a busy week for Committee work. We are still seeing spending bills being marked-up and we have three cybersecurity related authorization bills. There will also be a Senate mark-up of the TWIC Reader Delay bill in that body.

Spending Bills

Monday – House Rules Committee – HR 6157 DOD;
Tuesday – House Rules Committee – HR 6157 DOD;
Tuesday – House Committee – LHHS;
Tuesday – Senate Sub-Committee – DOD;
Tuesday – Senate Sub-Committee – LHHS;
Thursday – Senate Committee – DOD;
Thursday – Senate Committee – LHHS

The Senate will finish work on HR 5895, the FY 2019 EWR spending bill Monday evening. The House will take up HR 6157, the FY 2019 DOD spending bill, either late Tuesday or on Wednesday.

Cybersecurity Authorization Bills


The three authorization bills with a cybersecurity nexus are for the National Telecommunications and Information Administration (NTIA), the National Institute of Science and Technology (NIST) and the intelligence community.

On Tuesday the Communications and Technology Subcommittee of the House Energy and Commerce Committee will hold a hearing on their draft of an authorization bill for NTIA. The witness list includes:

• Michael D. Gallagher, Entertainment Software Association;
• John Kneuer, JKC Consulting; and
Joanne S. Hovis, CTC Technology and Energy

The draft bill includes two ‘Sense of Congress’ sections on cybersecurity threats and supply chain vulnerabilities, and on preservation of domain name system and WHOIS service.
On Wednesday the House Science, Space, and Technology Committee will hold a mark-up hearing for three as of yet unintroduced bills. One of those is the draft of the NIST authorization bill. The draft includes a section on general cybersecurity and a separate section on IoT with cybersecurity language included.

On Thursday the House Intelligence Committee will hold the inevitably closed-hearing on their mark-up of the as of yet unpublished FY 2019 Intelligence Authorization Act. The draft is not publicly available and, of course, the good stuff will be in the classified annex to the bill.

TWIC Reader Rule


On Wednesday the Senate Commerce, Science, and Transportation Committee will hold a mark-up hearing on eight bills, including S 3094. The text of that bill has not yet been published by the GAO, but it sounds like it should be a companion bill to HR 5729, the Transportation Worker Identification Credential Accountability Act of 2018. After having reviewed the Coast Guard NPRM on their proposed selective delay of the implementation of the TWIC Reader Rule, it seems unlikely that the two legislative delay attempts and the CG delay are very closely related to the same issues.

On the Floor


In addition to the two spending bills on the floor this week, we will also see the House take up two bills of potential interest to readers of this blog. Later today the House will consider HR 5081, the Surface Transportation Security and Technology Accountability Act of 2018, and HR 5733, the DHS Industrial Control Systems Capabilities Enhancement Act of 2018. Both bills will be taken up under the suspension of the rules provisions. This means limited debate and no floor amendments. It also means that the leadership expects serious bipartisan support for both bills since a super-majority is required for passage.

The House is also scheduled to take up a motion to go to conference on HR 5515, the FY 2019 DOD authorization bill, that passed in the Senate last week.

NHTSA Sends Automated Driving ANPRM to OMB


On Saturday the DOT’s National Highway Traffic Safety Administration (NHTSA) sent an advance notice of proposed rulemaking (ANPRM) to the OMB’s Office of Information and Regulatory Affairs (OIRA) for review. According to the Spring 2018 Unified Agenda entry for this rulemaking NHTSA is looking for “public comments on NHTSA's progress in developing proposals for the establishment of a pilot research program for the safe on-road testing and development of the emerging advanced vehicle safety technologies, especially automated driving systems”.

With the number of publicly reported incidents involving accidents with automated driving vehicles on public streets, it would seem that NHTSA is more than a little late with this proposed rulemaking.

Saturday, June 23, 2018

Senate Consideration of HR 5895 – FY 2019 EWR Spending


The Senate took up debate on HR 5895, the Energy and Water Development and Related Agencies (EWR) Appropriations Act earlier this week. The bill, as passed in the House, also included language from the Legislative Branch, and Military Construction and Veterans Affairs spending bills.

Senate Amendments


Senators proposed about 240 amendments to the bill over a period of four days. Only two of those amendments will be of specific interest to readers of this blog; SA 2910 (pg S3985) from Sen. Shelby (R,AL) and SA 2983 (pg S4053) from Sen. Bennet (D,CO)

Shelby’s amendment is this substitute language for the Senate version of the bill. The EWR language in the amendment comes from S 2975. Senate language from the Legislative Branch, and Military Construction and Veterans Affairs spending bills was also included.

Bennet’s amendment would require the DOE and DOD to conduct an evaluation of military facilities to determine “at which it would be cost-effective to establish a partnership with community colleges, institutions of higher education, and the private sector to train veterans and members of the Armed Forces transitioning to civilian life to enter the cybersecurity, energy, and artificial intelligence workforces”. A report to Congress would be required and no funding is provided.

Moving Forward


After considering (and mostly adopting) a large number of amendments, the Senate finally adopted the Shelby substitute language on Thursday. The Bennet amendment was not considered.

The Senate is scheduled to conduct their final vote on the bill Monday evening.

HR 6157 Introduced – FY 2019 DOD Spending


Last week Rep. Granger (R,TX) introduced HR 6157, the Department of Defense Appropriations Act, 2019. As expected there is no specific cybersecurity language in the bill, even though Congress continues to require DOD to provide specific cybersecurity spending documentation in the President’s budget request.

There are a number of cyber mentions in the Committee Report that deserve at least passing mention. They include:

• Cloud Computing (pg 9);
• Quarterly Cyber Operations Briefing (pg 10);
• Cybersecurity and Supply Chain Risk Management (pg 233);
• Cyber and Electronic Warfare for the Dismounted Soldier (pg 237); and
Unmanned Aircraft Systems (pg 287)

Moving Forward


The House Rules Committee accepted proposed amendments through last Thursday to possibly be included in the floor debate of this bill. As of today, there have been 131 amendments proposed. Nine of those amendments maybe of specific interest to readers of this blog:

• Rep. Garamendi (D,CA) #24 Provides $5 million for the purposes of carrying out a GPS backup technology demonstration;
• Rep. Hasting (D,FL) (5; #s 29, 30, 31, 32, and 33) adding $10 million to each of five separate accounts for “funding for the training and retention of cybersecurity professionals.
• Rep. Langevin (D,RI) #57 Provides $10 million to be used for the DOD Cyber Scholarship Program within the Information Systems Security Program;
• Rep. Castro (D,TX) #69 Increases funding by $3m to the RDT&E account to develop and evaluate unique combined sensor for detection and suppression of altered GPS signals in adversarial environments;
Rep. DeSantis (R,FL) #78 Ensures none of the funds made available by this Act may be used for international cooperation in cybersecurity with the Russian Federation or the People’s Republic of China

The Rules Committee will meet on Monday and Tuesday to formulate the rule for the consideration of HR 6157 and determine which amendments will be authorized to be proposed on the floor of the House during the debate (probably Tuesday and Wednesday).

The Appropriations Committee adopted HR 6157 by a strongly bipartisan vote of 48 to 4. This will probably be reflected in strong bipartisan support for the bill on the floor of the House. The Senate Appropriations Committee is scheduled to complete their work on their version of the bill next week. That language will be substituted for the House language in HR 6157. Passage of the Senate version will necessitate a conference committee to work out the differences between the two bills.

Public ICS Disclosures – Week of 06-16-18


This week we have a vendor disclosed vulnerability from ABB, a third-party vulnerability disclosed by Rockwell and an update on a WannaCry advisory from Siemens.

ABB Vulnerability


ABB published an advisory for a DLL hijacking vulnerability in their  Pluto Manager. The vulnerability was reported by Herman Groeneveld. ABB has a new version that mitigates the vulnerability. There is no indication that Groeneveld has been provided an opportunity to verify the efficacy of the fix.

ABB reports that a social engineering attack would be required to get an authorized user to load a malicious DLL. A successful exploit would allow the attacker to run malicious code.

Rockwell 3rd Party Vulnerabilities


Rockwell published an advisory for vulnerabilities in their Allen-Bradley® Stratix® 5950 Security Appliance due to five reported vulnerabilities in the Cisco Adaptive Security Appliance (ASA) Software. Rockwell has provided a set of work arounds for one of the vulnerabilities and a link to the Cisco SNORT for another. No mitigations are currently available for the other three. Future software updates are planned.

The five reported vulnerabilities are:

• Flow Creation Denial of Service Vulnerability - CVE-2018-0228;
• Virtual Private Network SSL Client Certificate Bypass Vulnerability - CVE-2018-0227;
• Transport Layer Security Denial of Service Vulnerability - CVE-2018-0231;
• Application Layer Protocol Inspection Denial of Service Vulnerabilities - CVE-2018-0240; and
Web Services Denial of Service - CVE-2018-0296

As will all 3rd party vulnerability reports, the open question is how many other ICS vendors are using the Cisco ASA software?

Siemens WannaCry Update


Siemens updated their advisory for the WannaCry vulnerability in their Molecular Diagnostics
Products from Siemens Healthineers. The original advisory was linked to in the 3rd update to the ICS-CERT WannaCry Alert in May of last year. The update notes that “Healthineers customer service engineers have been deploying fixes to affected systems”.

Depressing News


Any time that I start to feel hopeful about issues related to control system cybersecurity (I am an optimist by nature) I go to the Zero Day Initiative web site and look at the list of ‘Upcoming Advisories’ curated by that organization. The number of control system names in the vendor column is daunting to say the least.

Bills Introduced – 06-22-18


With only the House in session yesterday, there were 17 bills introduced. Of these one may be of specific interest to readers of this blog:

HR 6198 To amend the Homeland Security Act of 2002 to establish the Countering Weapons of Mass Destruction Office, and for other purposes. Rep. Donovan, Daniel M., Jr. [R-NY-11]

I will be watching this bill for chemical security language.

Bills Introduced – 06-21-18


A day late and a dollar short. On Thursday with both the House and Senate in session, there were 40 bills introduced. Of those three may be of specific interest to readers of this blog:

HR 6175 To enhance maritime safety, and for other purposes. Rep. Hunter, Duncan D. [R-CA-50]

HR 6188 To direct the Secretary of Homeland Security to establish a program to improve election system cybersecurity by facilitating and encouraging assessments by independent technical experts to identify and report election cybersecurity vulnerabilities, and for other purposes. Rep. Quigley, Mike [D-IL-5]

S 3109 Department of Homeland Security Appropriations Act, 2019. Sen. Capito, Shelley Moore [R-WV]

The title of HR 6175 is vague to say the least. I will be watching for potential cybersecurity or chemical transportation issues.

I do not plan to expand this blog into the arena or election cybersecurity, but HR 6188’s potentially ground breaking (sorry, overstated deliberately) concept of outsourcing cybersecurity execution to the private sector is something worth looking into.

After a quick review of the S 3109 text and Committee Report I find no specific language for a short-term CFATS extension, but the funding tables do show funding for the program. More on this later.

Coast Guard Publishes TWIC Reader Delay NPRM


Yesterday the Coast Guard published a notice of proposed rulemaking (NPRM) in the Federal Register (83 FR 29067-29081) proposing to delay for a set of specific facilities and vessels the implementation date of the TWIC Reader Rule. The reason for this rule is an industry petition [.PDF download] that questions the inclusion of these facilities and vessels in Risk Group A. The three-year delay in the implementation date for just these facilities and vessels will allow the Coast Guard to review the Risk Group A assessment standards and initiate a new rulemaking if required.

The Petition


The industry petition stated (pg 2):

“Specifically, the petition requests the Coast Guard to promptly initiate a rulemaking that would amend the final rule to conform its coverage of “facilities that handle Certain Dangerous Cargoes (CDC) [Definition link added] in bulk” to those portions of facilities where the transfer to or from a vessel of CDCs in bulk occurs or is capable of occurring. This revised scope would be consistent with long-standing Coast Guard policy regarding CDC facilities and the requirement of a maritime nexus.”

The concern is that there are some facilities that have handle CDC in bulk (via truck or railroad) but those handling facilities have nothing to do with the maritime activities at the facility. Since the risk that the Coast Guard is responsible for mitigating is the risk of a maritime transportation security incident and these CDC activities have no maritime nexus, the TWIC Reader Rule should not apply to these facilities.

The Response


The Coast Guard is not currently judging the merits of the petition. It does acknowledge, however, that additional study is needed. The Coast Guard needs to determine if a more limited definition of CDC handling facilities needs to be included in the regulations or if specific guidance needs to be established to allow for a consistent waiver process to identify facilities without a maritime nexus for a transportation security incident that could be exempted from the TWIC Reader Rule requirement.

The three-year extension of the TWIC Reader Rule for CDC handling facilities that do not transfer CDC cargos to or from a vessel will allow the Coast Guard to further study the matter and initiate a new rulemaking if required.

The NPRM would modify the sub-paragraphs of 33 CFR 105.253(a) to change the description of the affected parties to the TWIC Reader Rule by adding verbiage to identify the status of a facility with respect to its transfer of CDC to or from a vessel. It would be changed to read:

“(1) Beginning August 23, 2018: Facilities that receive vessels certificated to carry more than 1,000 passengers.
“(2) Beginning August 23, 2018: Facilities that handle Certain Dangerous Cargoes (CDC) in bulk and transfer such cargoes from or to a vessel.
“(3) Beginning August 23, 2021: Facilities that handle CDC in bulk, but do not transfer it from or to a vessel.
“(4) Beginning August 23, 2021: Facilities that receive vessels carrying CDC in bulk but, during the vessel-to-facility interface, do not transfer it from or to the vessel.”

Public Comments


The Coast Guard is soliciting public comments on this proposed rulemaking. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # USCG-2017-0711). Because of the short time frame until the TWIC Reader Rule goes into effect on August 23rd, 2018, comments must be submitted by July 23rd, 2018.

Commentary


The petition that prompted this NPRM inadvertently raises again the issue of the exemption from the Chemical Facility Anti-Terrorism Standards (CFATS) program for facilities covered by the Maritime Transportation Security Act (MTSA). The crafters of the CFATS authority (both the initial authorization in the 2006 DHS spending bill and the subsequent re-authorization in 2014) recognized that there was no need for the CFATS program to regulate facilities that were already covered under the MTSA.

The Coast Guard has long allowed facilities a certain amount of leeway to define the perimeter of the MTSA covered facility. While the waterfront facing portion of the facility is certainly covered by the MTSA rules, facilities have been encouraged to include the remaining portions of the facility in their security plans as part of an unofficial defense-in-depth approach to preventing attacks on the clearly maritime portion of the facility.

It would appear from this petition and the Coast Guard’s response in the form of this NPRM that there has been an expectation in the industry that the Coast Guard would be more lenient in their security requirements for portions of the facility more removed from the maritime transportation nexus of the facility. Never having worked at an MTSA covered facility I cannot personally testify to the accuracy of this expectation, but it would appear to me to be a reasonable approach by the Coast Guard.

Unfortunately, this would mean that significant portions of many larger MTSA facilities would not be under the same sort of security regime that either the maritime facing portion of the facility or facilities regulated under the CFATS program. This would be especially true for portions of the facility that did not contain CDC but did store, produce, or handle chemicals that are identified as theft/diversion chemicals of interest under the CFATS program.

During the reauthorization of the CFATS program that needs to take place this year, Congress needs to specifically re-look at the blanket exemption MTSA covered facilities are give to the CFATS program. I certainly do not advocate a wholesale voiding of that exception. The Coast Guard is the obvious agency to regulate security at the strictly maritime facing portions of the facility and has a legitimate interest in the security at the remaining portions of connected facilities since that has a direct impact on the security of the waterfront.

What the Congress needs to do is to craft a closer working relationship between the Coast Guard and the CFATS’ Infrastructure Security Compliance Division to ensure that there are adequate security measures at these MTSA facilities for theft/diversion security threat chemicals that are precursors for improvised chemical munitions and/or explosives.

A relatively simple way to do that would be to require MTSA covered facilities to submit Top Screen’s to ISCD to allow ISCD to do a full chemical-terrorist threat assessment for the facility. Then instead of notifying the facility that it was a covered facility under CFATS where it would normally be appropriate to do so, it would notify both the MTSA covered facility and the local Captain of the Port that the facility’s security plan should address the security measures necessary to protect the identified DHS chemicals of interest at the facility. The Coast Guard would then be responsible for regulating the security for those chemicals as part of its oversight of the existing MTSA mandate.

Thursday, June 21, 2018

ICS-CERT Publishes 2 Advisories and Updates Siemens Advisory


Today the DHS ICS-CERT published two new control system security advisories for products from Rockwell Automation and Delta Electronics. They also updated a previously published control system security advisory for products from Siemens.

Rockwell Advisory


This advisory describes an improper input validation vulnerability in the Rockwell Allen-Bradley CompactLogix and Compact GuardLogix controllers. The vulnerability was reported by Alexey Perepechko of Applied Risk. Newer firmware versions mitigate the vulnerability. There is no indication that Perepechko was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to effect in a denial-of-service condition. As a result, the controller goes into a Major Non-Recoverable Fault (MNRF) state, which is considered safe. However, recovery requires the user to download the application program again.

The Rockwell advisory notes that the vulnerability was publicly disclosed by ‘researchers’ at the ICS Cyber Security Conference in Singapore on April 25, 2018.

Delta Advisory


This advisory describes a stack-based buffer overflow vulnerability in the Delta Industrial Automation COMMGR software. The vulnerability was reported by an anonymous researcher via ZDI. Delta has a new version that mitigates the vulnerability. There is no indication that the researcher was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow remote code execution, cause the application to crash, or cause a denial-of-service condition in the application server.

Siemens Update


This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15, 2017,on July 25th, 2017, on August 17th, 2017, on October 10th, 2017, November 14th, 2017, January 23rd, 2018, and most recently on February 27th, 2018. The update provides updated affected version information and mitigation links for:

• Affected version for PCS 7; and
Added update information for PCS V8.2

NOTE: I reported on the Siemens update last weekend.

HR 6147 Introduced – FY 2019 IER Spending


Earlier this week Rep. Calvert (R,CA) introduced HR 6147, the Department of the Interior, Environment, and Related Agencies Appropriations Act, 2019. The only thing of note for the purposes of this blog is that the bill continues funding for the Chemical Safety Board (CSB) and that would not be news except for continued budget suggestions from the Administration that the CSB be disbanded. Water treatment facility security is briefly addressed in the Committee Report.

CSB Funding


The bill funds the CSB at $12 million dollars. This is $1 million above last year’s spending and $3.5 million above the amount recommended in the President’s budget to close out the agency. The Committee Report notes that (pg 84):

“The Board has the responsibility of independently investigating industrial chemical accidents and collaborating with industry and professional organizations to share safety lessons that can prevent catastrophic incidents and the Committee expects this work to continue.”

Water Treatment Facility Security


There is a brief note in the Report on funding for a Water Security Test Bed. No specific funding is allocated, just the note that:

“For both fiscal year 2019 and future budget requests, the Committee recommends that EPA include adequate funding for advancing full scale applied research and testing capabilities to address threats to drinking water and drinking water infrastructure.”

Moving Forward


The Report does not include any record of the votes in Committee on this bill, but the Dissenting Views portion of the Report (pgs 217-20) makes it clear that there are serious concerns about many items included in the bill. There will not be any significant bipartisan support for this bill when it makes it to the floor of the House. With the Republicans firmly in control in the House, this will not stop the bill from moving forward.

Again, as with all spending bills this may not be an impediment to the bill’s consideration in the Senate. We have yet to see the Senate version of the bill, but if we continue to have the strong bipartisan activity that we have seen to date in the Senate Appropriations Committee, the bill coming out of that Committee (which will form the basis for substitute language for this bill) will allow the Senate to take up this bill without regard to the Democrats documented objections to this bill.

Commentary


I am certainly glad to see the Committee’s continued strong support for the CSB. The on-going effective activity of this organization is still, however, in the President’s hands. With the resignation of the CSB Chair Sutherland, the President can slow kill the agency by failing to appoint a new chair. While Dr. Kulinowski, the Interim Executive Authority, is fully capable of overseeing the day-to-day operations of the Board, the solving of endemic morale issues and the long-term growth of the Board will have to await the next Chair.

While I was encouraged to see the Committee support a Water Treatment Facility Test Bed, I was disappointed to see the lack of specific funding being earmarked for such a facility or any guidance on what type of activities the facility should target. The EPA has a history of providing support for physical security protections of water treatment facilities to protect the safety of the water quality. The history on providing support for hazardous chemical security or cybersecurity is not quite as strong. This would have been a good place for the Committee to expand the scope of water treatment facility security oversight. At the very least, I would have expected to see a requirement to report to the Committee on the progress being made on the Test Bed.

Bills Introduced – 06-20-18


Yesterday with both the House and Senate in session there were 36 bills introduced. Of these, two may be of specific interest to readers of this blog:

HR 6157 Making appropriations for the Department of Defense for the fiscal year ending September 30, 2019, and for other purposes. Rep. Granger, Kay [R-TX-12]

S 3094 A bill to restrict the department in which the Coast Guard is operating from implementing any rule requiring the use of biometric readers for biometric transportation security cards until after submission to Congress of the results of an assessment of the effectiveness of the transportation security card program. Sen. Sullivan, Dan [R-AK]

I suspect that S 3094 is a companion bill to HR 5729. The OMB has approved the Coast Guard’s rule (but the CG has not yet published the rule) for a limited delay of the TWIC Reader Rule, but it does not appear that that delay is related to what these two bills are attempting to accomplish.

Wednesday, June 20, 2018

Bills Introduced – 06-19-18


Yesterday with both the House and Senate in session there were 36 bills introduced. Of those there are three that may be of specific interest to readers of this blog:

HR 6147 Making appropriations for the Department of the Interior, environment, and related agencies for the fiscal year ending September 30, 2019, and for other purposes. Rep. Calvert, Ken [R-CA-42] 

S 3085 A bill to establish a Federal Acquisition Security Council and to provide executive agencies with authorities relating to mitigating supply chain risks in the procurement of information technology, and for other purposes. Sen. McCaskill, Claire [D-MO]

S 3088 A bill to amend the Energy Policy Act of 2005 to require the Secretary of Energy to establish a program to prepare veterans for careers in the energy industry, including the solar, wind, cybersecurity, and other low-carbon emissions sectors or zero-emissions sectors of the energy industry, and for other purposes. Sen. Duckworth, Tammy [D-IL]

HR 6147 is one of those spending bills that I expect will not receive any additional coverage here, but you never can tell what may be slipped into the Committee Report.

I will be watching S 3085 for the definitions it uses. Hopefully, someone on the staff realizes that the Federal government is a consumer of control systems in various guises.

Depending on the definitions used here for ‘cybersecurity’ I may be watching S 3088 for its effects on cybersecurity manpower development.

Tuesday, June 19, 2018

Senate Passes HR 5515 – FY 2019 NDAA


Yesterday the Senate passed HR 5515, the FY 2019 National Defense Authorization Act (NDAA) by a bipartisan vote of 85 to 10. An earlier attempt (pg S3972) to adopt 47 additional amendments en bloc was blocked by Sen. Paul (R,KY) because the Senate would not consider his amendment on indefinite detention of American citizens (SA 2574, pg S3389). Presumably this list of amendments contained most of the block that was offered last week.

There is an outside chance that the House will accept the revised language that the Senate just passed. Much more likely is that the House will demand that its language stand and the bill will be sent to a conference committee to work out the differences.

S 3072 Introduced – FY 2019 CJS Spending


Last week Sen. Moran (R,KS) introduced S 3072, the Commerce, Justice, Science, and Related Agencies (CJS) Appropriations Act, 2019. As expected there is no mention in the actual bill of any cybersecurity requirements beyond the financing of each department and agencies internal IT cybersecurity program. The Committee Report for the bill, however, does mention three cybersecurity topics; workforce development, medical device cybersecurity research and research into the industrial internet of things (IIoT). All of those mentions are found under the section of the report dealing with the National Institute of Standards and Technology (NIST) on page 21.

Workforce Development


The Report notes that the Committee expects funding for to continue at 2018 levels for workforce development activities and specifically recommends that:

“Within the funds provided, the Committee encourages NIST to fund additional university system-led State and regional alliances and partnerships to focus on meeting the demand for a trained cybersecurity workforce, with a priority being placed on areas with a high concentration of Department of Defense, automotive, and health care related industries.”

Medical Technology Cybersecurity


While no specific funding is mentioned, the Report specifically “directs NIST to partner and work directly with academic institutions focused on computer security and privacy, with expertise in research to develop secure medical technologies, including secure medical devices, secure and privacy preserving medical software systems, and in training future scientists and practitioners in state-of-the-art techniques for supporting secure medical technologies.”

IIoT


The Committee directed NIST to spend “no less than $2,000,000 for the continued development of an IIoT cybersecurity research initiative”. That research effort would be designed to help “industry to improve the sustainable security of IIoT devices in industrial settings, including new designs, protocols, algorithms, system architectures, identity and lifecycle strategies, and system hardware features, as well as proposed security standards. This proposed research will account for human, technical, and economic dimensions.”

Moving Forward


As with the other Senate spending bills that I have looked at so far this year. There was strong bipartisan support for this bill in the Senate Appropriations Committee. The final vote on the bill (pg 150 of the report) was 30 to 1 in support of the bill, with only Sen. Lankford (R,OK) voting against the bill. This would indicate that there should be no problem overcoming the initial cloture requirement to have debate begin on the floor of the Senate on HR 5952 for which this bill will form the substitute language that will be debated in the Senate.


Monday, June 18, 2018

Committee Hearings – Week of 6-17-18


With both the House and Senate in session this week we continue to see movement on spending bills. Additionally we have a pipeline safety oversight hearing in the House.

Spending Bills

• Tuesday, Senate, Subcommittee, DHS spending;
• Wednesday, House, Committee, Labor, Health and Human Services, and Education;
• Thursday, Senate, Committee, DHS spending; and
• Thursday, House, Rules Committee, Amendment Deadline DOD spending

The Senate intends to begin thinking about consideration of HR 5895, the FY 2019 EWR spending bill which passed in the House earlier this month. The Senate will substitute language from S 2975 when it actually begins consideration.

Pipeline Safety


The Railroads, Pipelines, and Hazardous Materials Subcommittee of the House Transportation and Infrastructure Committee will hold a hearing on Thursday on “PIPES Act of 2016 Implementation: Oversight of Pipeline Safety Programs”. The witness list includes:

• Howard “Skip” Elliot, PHMSA;
• Andrew Black, Association of Oil Pipe Lines;
• Robin Rorick, American Petroleum Institute;
• Chad Zamarin, Interstate Natural Gas Association;
• Carl Weimer, Pipeline Safety Trust;

DHS Publishes PSP 30-day ICR Notice


Today the DHS National Protection and Programs Directorate (NPPD) published a 30-day ICR notice in the Federal Register (83 FR 28244-28251) for a proposed expansion of the current personnel surety program process for vetting personnel at facilities covered under the Chemical Facility Anti-Terrorism Standards (CFATS) program against the Terrorist Screening Database (TSDB). The 60-day notice was published in December of 2017 and comments were covered here.

This notice specifically addresses the comments submitted during the 60-day notice comment period. Those comments included:

Suggestions to delay the expansion of the PSP to Tier III and Tier IV pending further review of the efficacy of the Tier I and Tier II program;
Objections to railroad employees being subject to PSP screening;
Questions about the assumptions used in calculating the burden;
Calls for a phased implementation of the PSP implementation;
Lower risk at Tier III and Tier IV facilities obviates need for TSDB screening;
Concerns about the lack of facility notification in case of a positive TSDB screening result;

Almost all of the comments have been previously dealt with by DHS in the original CFATS rulemaking and the earlier PSP ICR process. Obviously, the commenters were not satisfied with the earlier response to those comments and are unlikely to be satisfied with the responses included in this new rebuttal.

The one relatively new objection is the one dealing with the reduced risk at Tier III and Tier IV facilities. The Department’s response is essentially that the PSP vetting against the TSDB is a requirement of  6 CFR 27.230(a)(12)(iv) for all covered facilities and thus must go forward.

DHS is soliciting public comments on this ICR. Comments should be sent electronically to dhsdeskofficer@omb.eop.gov. Comments should be submitted by July 18th, 2018.

Commentary


First, I would again like to congratulate NPPD on the amount of detail they include in their ICR notices. While people can certainly disagree with the decisions made in responding to comments, all of the ICRs in support of the CFATS program have include much more information than other agencies provide in their ICR notices. These ICR notices should be the gold-standard by which OMB measures acceptable ICR notices.

I was more than a little disappointed in the response to the issues raised about extending the PSP to Tier III and Tier IV facilities. Last week’s congressional hearings on the CFATS programs showed that there is much wider industry concern about this issue than was reflected in the comments submitted to DHS in response to the 60-day notice.

I firmly support the expansion of the TSDB screening to Tier III and Tier IV facilities, but I think that the argument that this is required by the regulation, while legally sufficient, is really rather weak. I think that the Department should have taken the opportunity presented by this ICR notice to more completely address industry concerns. While I think that most of the industry objection to this expansion is really based upon concerns about costs and manpower needs, their specific objections about the lower security risk need to be addressed.

DHS should have addressed the fact that the large bulk of facilities in Tier III and Tier IV are facilities that face a theft and/or diversion threat because of the presence of precursor chemicals that can be used to make improvised explosive or improvised chemical munitions. An insider threat at this class of facilities may actually pose a higher risk of terrorist attack because subsequently produced improvised weapons provide the terrorist organization with more flexibility in carrying out a subsequent attack on specific high-profile targets. Additionally, a terrorist participating in this type of insider attack is more likely to be able to walk away from the attack without personal harm than if attacking a facility with a release security hazard. This would expand the type of individual that would be willing to conduct an attack.

There is an unfortunate tendency in this country to conflate ‘terrorist attack’ with a jihadist suicide-bomber. At Tier I and Tier II facilities with release security issue chemicals of interest (COI) this may be a high-threat attack. At facilities with theft/diversion security issue COI this is legitimately a much lower probability attack. Almost by definition those facilities are much more susceptible to an insider attack attempting to acquire raw materials for attacks on higher profile targets. This is why the PSP terrorist screening database requirement really needs to be expanded to Tier III and Tier IV facilities, not the weak argument that regulation requires the expansion.

Sunday, June 17, 2018

The Other CFATS Hearing


On Thursday the Environment Subcommittee of the House Energy and Commerce Committee held a status hearing on the Chemical Facility Anti-Terrorism Standards (CFATS) program. Readers who watch the video of the hearing will notice a marked difference between this hearing and the Senate hearing from earlier in the week. This hearing included lots of testimony and Committee questions about chemical worker safety (OSHA) and environmental safety (EPA). Like in Tuesday’s hearing, the industry witnesses were looking for a long-term extension of the CFATS authority and the two government witnesses (David Wulf, DHS; and Chris P. Currie, GAO) provided nearly identical testimony to what they provided on Tuesday.

Cybersecurity


There was no direct testimony about cybersecurity in the CFATS environment in this hearing. Two of the Congressmen, however, did have some questions about the topic.

Rep. McNerney (D,CA) had questions about cybersecurity and information sharing (1:05:52 thru 1:08:53). Because of his past work in the energy sector, he focused on the time it took to get a security clearance approved so that facilities could get access to classified cybersecurity intelligence. Wulf was not able to provide detailed information about the time involved; just a generic description of the private sector security clearance process at DHS. Both agreed that this was an impediment to information sharing.

Rep. Olson (R,TX) had a question about cybersecurity risk, pointing out that the Arkema incident after Hurricane Harvey could have similarly been caused by a cyberattack. Wulf agreed to the importance of protecting cyber controls at CFATS facilities and outlined the company line on the training that Chemical Security Inspectors (CSI) received on cyber inspection techniques. There was no mention of (or questions about) the problems about which CSI LeGros testified on Tuesday.

Emergency Response Planning


There were lots of talk about the need for communications between CFATS facilities and local first responders. The testimony of two of the witnesses (Yvette Arellano, Texas Environmental Justice Advocacy Services; and Mike Wilson, BlueGreen Alliance) focused heavily on this topic and general safety communications with the local community.

Rep. Flores (R,TX) had questions about communicating Chemical-Terrorism Vulnerability (CVI) information with Local Emergency Planning Committees (LEPCs). Wulf explained that only LEPC members such as emergency response planners and first responders would have the ‘need-to-know’ to gain access to CVI information. Lack of time stopped a more complete explanation.

Towards the end of the hearing (when similar questions were raised with the second panel) James Conrad {representing Society of Chemical Manufacturers and Affiliates (SOCMA)} reminded everyone that the information that LEPC’s (hazardous material Safety Data Sheets and inventory information) require are not CVI, they are required to be supplied to SERCs, LEPCs and local fire departments by EPA regulations (see for example 40 CFR 370.30). Conrad then went on to explain that the CVI procedures manual clearly states that (pg 8) “Thus, information that a facility develops in accordance with other statutory or regulatory obligations, or information that pre-dates DHS regulation under Section 550, is not CVI.”

Enforcement Activity


Long time readers of this blog are probably familiar with my calls for additional information about the results of Compliance Inspections; wanting to know how many facilities have failed the initial inspection and the actions that the Infrastructure Security Compliance Division (ISCD) to get facilities into compliance.

Wulf provided some of that information under questioning on Thursday. He was broadly uncommunicative about the results of inspections. He did note, however, that ISCD has had to resort to issuing 70 compliance letters giving facilities dates certain to come into compliance. Of those all but three met the final deadline. Those remaining three had to have civil penalties assed before they came into compliance. That is a pretty good compliance record with 3,553 compliance inspections having been conducted to date.

Commentary


This hearing was disappointing on so many levels. First and foremost was the decided lack of knowledge about the CFATS program amongst the questioning Representative. Too many congresscritters expected CFATS to protect the community from chemical releases due to hurricanes, earthquakes or corporate ineptitude. More than one congresscritter suggested that the CFATS program ought to be expanded to include such problems.

On one hand, I can sympathize. The CFATS program has a good relationship with the regulated community, including (in many cases) personal relationships between facility personnel and CSI. Facility management and ISCD has a solid record of working with facilities and industry in general to cooperatively work towards increasing the chemical security at covered facilities.

There are two reasons for this successful relationship. First ISCD is forbidden from issuing regulations requiring specific security measures rather they are required to issue risk-based security guidance that tells facilities what they must accomplish. Facilities then prepare draft site security plans and negotiate with ISCD to achieve a plan that meets the appropriate standards. This process insures that the facility has a solid understanding of what the regulatory requirements for their facility are. Also, the CSI for a facility have a greater, in-depth understanding of what the facility does and how it intends to accomplish its security goals than a one-time inspector from OSHA or EPA can ever achieve.

Now, I am a long-time advocate for effective emergency planning and that planning can only be effective if all of the potentially affected parties (okay ‘all’ is never really achievable, but I still want to attempt to include ‘all’) know the potential hazards involved and what actions they can reasonably be asked to take in the event of an incident.

None of that information should fall under CVI protections. SDS provide open source information on the hazards involved and the local LEPC should be determining what actions would take place in the event of incidents at different levels of severity. Unfortunately, neither the facility nor ISCD have any way of compelling an LEPC to do its emergency planning job. Nor does the agency responsible for oversight of LEPCs. Congress never provided EPA with that authority nor LEPCs with funding to under take the emergency planning necessary to protect the community from unintended (accidental or as a result of an attack) chemical releases.

If Congress really wants to do something to improve the CFATS program’s handling of emergency response planning, they should remove that planning from LEPCs and delegate responsibility to FEMA with a concurrent increase in funding and manning for FEMA to accomplish the task. I would suggest that FEMA be specifically authorized to work through LEPC’s where the local agency is up to the task.

On a separate matter: I was a little confused listening to everyone at this hearing referring to the expiration of the current CFATS authorization coming in January 2019. I have been reporting that date as December 18th, 2018 because of the 4-year expiration term set in §5 of the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 (PL 113-254). I have been remiss in not closely examining the wording of that section. It states:

“The authority provided under title XXI of the Homeland Security Act of 2002, as added by section 2(a), shall terminate on the date that is 4 years after the effective date [emphasis added] of this Act.”

The effective date was set in §4(a) as “30 days after the date of enactment of this Act”. The enactment date was December 18th, 2014, which would make the effective date January 17th, 2015 and the expiration date January 17th, 2019.

Finally, this hearing points out another problem with the congressional hearing process. The exchange of information in the Senate hearing earlier this week was fairly effective. This was due in large part to only four Senator’s taking part in the questioning and a very loose hand on the clock by the Chair. This allowed for information exchanges and actual dialogs to occur. The large venue on Thursday meant that the Chair had to keep a tight hand on the stop-watch to keep the hearing under three hours. Combine that with congresscritters popping in and out of the hearing resulting in duplicative questions and the natural tendency of any politician to speechify instead of asking a simple question and you have a very limited exchange of information. Congress needs to come up with a solution to this problem if they want hearings to be an actual method of acquiring information on complex topics.

 
/* Use this with templates/template-twocol.html */