CERT-VDE published an advisory describing
an authentication issues vulnerability in the Phoenix Contact Classic Line
industrial controllers. The vulnerability was reported by Sergiu Sechel.
Phoenix Contact has provided generic workarounds to mitigate the vulnerability.
Saturday, June 29, 2019
Friday, June 28, 2019
Bills Introduced – 06-27-19
Yesterday, with the House and Senate preparing to leave for a
long 4th of July weekend, there were 132 bills introduced. One of
those bills may receive additional coverage in this blog:
S 2034 A bill to authorize small business development centers to provide cybersecurity assistance to small business concerns, and for other purposes. Sen. Peters, Gary C. [D-MI]
I will be watching this bill for language supporting control
system security issues.
Senate Passes S 1790 – FY 2020 NDAA
Yesterday the Senate amended and passed S 1790, the National Defense Authorization Act (NDAA) for Fiscal Year 2020,
by a strongly bipartisan vote of 86 to 8. Only two amendments were adopted, the most important being SA 764
[pgs S3856-4093], substitute language for the bill. That amendment
did not make any changes to the cybersecurity portions of the bill that I
previously discussed.
The House has not yet taken up HR 2500, the House version of
the NDAA. That will probably happen after the extended 4th of July
weekend. I will have more on that bill next week.
Ultimately, the House will take up the language of HR 2500
(either directly as that bill or as substitute language for S 1790). A conference
committee will then iron out the differences before the bill is again voted upon
in the House and Senate. As has become the new normal, we will have to watch
out for last minute presidential tweets to see if the final bill will be able
to be passed.
6 Advisories Published – 06-27-19
Yesterday the DHS NCCIC-ICS published five control system
security advisories for products from Advantech, SICK AG, and ABB (3). They
also published a medical device security advisory for products from Medtronic.
Advantech Advisory
This advisory
describes six vulnerabilities in the Advantech WebAccess/SCADA software
platform. The vulnerabilities were reported by Mat Powell, Natnael Samson
(@NattiSamson) and EljahLG via the Zero Day Initiative. Advantech has a new
version that mitigates the vulnerabilities. There is no indication that the researchers
have been provided an opportunity to verify the efficacy of the fix.
The six reported vulnerabilities are:
• Path traversal - CVE-2019-10985;
• Stack-based buffer overflow - CVE-2019-10991;
• Heap-based buffer overflow - CVE-2019-10989;
• Out-of-bounds read - CVE-2019-10983;
• Out-of-bounds write - CVE-2019-10987; and
• Untrusted pointer dereference - CVE-2019-10993
NCCIC-ICS reports that a relatively low-skilled attacker could
remotely exploit these vulnerabilities to allow information disclosure,
deletion of files, and remote code execution.
SICK Advisory
This advisory
describes a use of hard-coded credentials vulnerability in the SICK MSC800 PLC.
The vulnerability was reported by Tri Quach of Amazon’s Customer Fulfillment Technology
Security (CFTS) group. SICK has new firmware that mitigates the vulnerability.
There is no indication that Quach has been provided an opportunity to verify
the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker could
remotely exploit this vulnerability to reconfigure settings and/or disrupt
the functionality of the device.
CP 635 Advisory
This advisory
describes a use of hard-coded credentials vulnerability in the ABB CP620 and CP635
HMI products. The vulnerability is self-reported. ABB has an update available
that mitigates the vulnerability.
The ABB
advisory describes two other vulnerabilities with these products and
reports that the vulnerabilities were reported by Xen1thLabs. The individual
vulnerability reports from Xen1thLabs (see links below) include proof of
concept exploits.
The three reported vulnerabilities are:
NCCIC-ICS reports that a relatively low-skilled attacker on
an adjacent network could exploit the (single reported?) vulnerability to allow
an attacker to prevent legitimate access to an affected system node, remotely
cause an affected system node to stop, take control of an affected system node,
or insert and run arbitrary code in an affected system node.
CP 651 Advisory
This advisory
describes a use of hard-coded credentials vulnerability in the ABB CP651, CP665
and CP676 HMI products. The vulnerability is self-reported. ABB has an update
available that mitigates the vulnerability.
The ABB
advisory describes the same two other vulnerabilities with these products
and reports that the vulnerabilities were discovered based upon the work of Xen1thLabs
on the CP 635 vulnerabilities reported above.
NCCIC-ICS reports that a relatively low-skilled attacker on
an adjacent network could exploit the (single reported?) vulnerability to allow
an attacker to prevent legitimate access to an affected system node, remotely
cause an affected system node to stop, take control of an affected system node,
or insert and run arbitrary code in an affected system node.
Panel Builder Advisory
This advisory
describes seven vulnerabilities in the ABB PB610 Panel Builder 600 engineering
tool. The vulnerabilities were reported by Xen1thLabs. ABB has new versions
available that mitigate the vulnerabilities. There is no indication that Xen1thLabs
has been provided an opportunity to verify the efficacy of the fix.
The six reported vulnerabilities (with links to the Xen1thLabs
reports; reports which contain proof of concept exploit code) are:
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit these vulnerabilities to prevent
legitimate access to an affected system node, remotely cause an affected system
node to stop, take control of an affected system node, or insert and run
arbitrary code in an affected system node.
Medtronic Advisory
This advisory
describes an improper access control vulnerability in the Medtronic MiniMed 508
and Paradigm Series Insulin Pumps. The vulnerability is self-reported, but
NCCIC-ICS notes that the internal investigation by Medtronic was guided by
previous work from outside researchers on other Medtronic products. Medtronic
suggests upgrading to a newer product. The FDA
advisory on this product notes that Medtronic is recalling the affected
insulin pumps.
NCCIC-ICS reports that an uncharacterized attacker with
adjacent access (radio frequency access according to the Medtronic
advisory) could exploit this vulnerability to intercept, modify, or
interfere with the wireless RF (radio frequency) communications to or from the
product. This may allow attackers to read sensitive data, change pump settings,
or control insulin delivery.
Thursday, June 27, 2019
Bills Introduced – 06-26-19
Yesterday, with both the House and Senate in session, there
were 63 bills introduced. Of these, one will probably see additional coverage
in this blog:
HR 3494 To authorize appropriations for fiscal year 2020 for intelligence and intelligence-related activities of the United States Government, the Community Management Account, and the Central Intelligence Agency Retirement and Disability System, and for other purposes. Rep. Schiff, Adam B. [D-CA-28]
I will be watching this bill for cybersecurity language. The
House Permanent Select Committee on Intelligence will be meeting
today to markup this bill.
Wednesday, June 26, 2019
House Amends and Passes HR 3055 – 2nd FY 2020 Minibus
Yesterday, after dealing with well over 200 amendments, the
House passed HR 3055, the second FY2020 spending minibus, by a near perfect
(one Democrat voted Nay) party line vote of 227 to 194. Both of the
proposed amendments that I discussed earlier were adopted earlier this week.
Amendment Actions
The Maloney amendment (#264) was passed on Monday afternoon
as part of amendment en bloc #7 by a voice vote. The amendment would encourage
DOT to conduct research implementing connected vehicle and autonomous vehicle
technologies at Highway-Rail Grade Crossings. There was no debate on this
amendment.
The DeFazio amendment (#233) was passed later Monday
afternoon after almost 10 minutes of debate. A recorded vote was requested and
the amendment subsequently passed by a near party line vote (ten Democrats
voted Nay and four Republicans voted Aye) of 221 to 195.
The debate was contentious, and more than a little hyperbole was used in attempts to sway
the vote. At one point, Rep. DeFazio (D,OR) described the potential results of
a terrorist attack on a unit train of 100 LNG railcars, saying “It is likely it
will cause a chain reaction and explosion. It is going to be about as powerful
as Hiroshima if it goes off.” (pg H5053).
Rep. Price (D,NC) noted (pg H5054) that: “I want to note that the
underlying bill provides $1 million for the natural gas in rail tank cars, and it requires
the Department to incorporate findings and recommendations from this study into
any rulemaking on the transportation of LNG in rail tank cars before issuing a
final rule authorizing such shipments.”
This requirement is outlined on page 75 of the
Appropriations Committee Report (H Rept 116-106) on HR 3163, the original DOT spending bill that was incorporated
into HR 3055 as Division E. That section in the Report on “LNG by Rail”
concludes by stating:
“The Committee provides up to
$1,000,000 for PHMSA to initiate this study within 30 days of enactment of this
Act, and to complete this study no later than 18 months after enactment of this
Act. Further, the Committee directs PHMSA to incorporate the findings and
recommendations from this study into any potential rulemaking on the
transportation of LNG in rail tank cars and prior to issuing a final
rule authorizing such shipments [emphasis added].”
The DeFazio amendment would have no effect on the LNG by
rail rulemaking; it specifically addresses the issuance of a Special Permit by
PHMSA. That ‘special permit’ would be an interim authorization to ship
liquified natural gas by rail pending the completion of the rulemaking. The inclusion of the DeFazio amendment in the bill could be a moot point; there is a chance that the special permit could be approved in this fiscal year.
Moving Forward
It still is not clear if the Senate will be taking up
spending bills under regular order this year. If they take up HR 3055, they
will certainly substitute language from the Senate versions of the underlying
spending bills. It is very unlikely that a Senate version of this bill would
include the DeFazio LNG by rail language. If/when the Senate passes their
version of HR 3055, a conference committee will have to work out the
differences between the two versions of the bill. There is a remote possibility
that the DeFazio language could make it into an agreed upon conference version
of this bill because it would only affect the approval of a Special Permit, and
would not have a direct effect on the rulemaking on the matter.
PHMSA Pipeline Safety Rule to OMB
Yesterday the OMB’s Office of Information and Regulatory
Affairs (OIRA) announced that it had received a notice of proposed rulemaking (NPRM) from DOT’s Pipeline
and Hazardous Material Safety Administration (PHMSA) on “Amendments to Parts
192 and 195 to Require Valve Installation and Minimum Rupture Detection
Standards” (RIN 2137-AF06). This rulemaking first
appeared on the Unified Agenda in Spring 2014.
According to the current entry in the Unified Agenda:
“PHMSA is proposing to revise the
Pipeline Safety Regulations applicable to newly constructed or entirely
replaced natural gas transmission and hazardous liquid pipelines to improve
rupture mitigation and shorten pipeline segment isolation times in high consequence
and select non-high consequence areas. The proposed rule defines certain
pipeline events as "ruptures" and outlines certain performance
standards related to rupture identification and pipeline segment isolation.
PHMSA also proposes specific valve maintenance and inspection requirements, and
9-1-1 notification requirements to help operators achieve better rupture
response and mitigation. The rule addresses congressional mandates, incorporate
recommendations from the National Transportation Safety Board, and are
necessary to reduce the serious consequences of large-volume, uncontrolled
releases of natural gas and hazardous liquids.”
Bills Introduced – 06-25-19
Yesterday, with both the House and Senate in session, there
were 66 bills introduced. Two of these may receive further attention in this
blog:
HR 3462 To amend the Internal Revenue Code of 1986 to provide a credit against tax for disaster mitigation expenditures. Rep. Bilirakis, Gus M. [R-FL-12]
HR 3484 To amend the Homeland Security Act of 2002 to authorize the Secretary of Homeland Security to establish a rotational cybersecurity research program, and for other purposes. Rep. Richmond, Cedric L. [D-LA-2]
I will watch HR 3462 for language that includes emergency
response planning and/or exercises in the costs that could be covered by the
tax credit.
Hopefully, HR 3484 will include language that includes
control system security issues in the research program.
NCCIC Revamps ICS Web Site
Yesterday the DHS NCCIC redid their US-CERT and ICS-CERT web
sites. According to a blurb on the site: “On June 25, us-cert.gov and
ics-cert.us-cert.gov were consolidated into a single us-cert.gov site—a
comprehensive, easy-to-navigate website with an updated look and feel.”
Actually, there are still two separate pages for IT and ICS
activities. The main page for cybersecurity activity is https://www.us-cert.gov/. This page
includes current US-CERT alerts, advisories and reports. It also contains links
to a set of ICS pages on the site header, including the new ICS landing page: https://www.us-cert.gov/ics. That
landing page looks to contain all of the information and services found on the
old ICS-CERT site.
I liked the old format better, but then again, I have been
using it for the last ten+ years. Nothing is constant except change.
Maybe more to come as I dig into this over the weekend.
Tuesday, June 25, 2019
Subcommittee Markup of HR 3432 – Pipeline Safety
The Energy Subcommittee of the House Energy and Commerce
Committee will hold a markup hearing on HR 3432, the Safer Pipelines Act of 2019, tomorrow. The bill was
introduced earlier this week and an official copy of the bill has not yet been published.
A Committee print of the bill is available.
A quick review of that print indicates that this is an
authorization bill for the pipeline safety activities of DOT’s Pipeline and Hazardous
Material Safety Administration (PHMSA). I have not yet had a chance to do an in-depth
review of the bill, but it does include provisions making modifications to
current requirements for:
• Integrity management programs;
• Pipeline hazard communication requirements;
• Emergency preparedness planning; and
• The adjustment of civil and criminal penalties for
violations of pipeline safety rules and regulations.
The markup notice indicates that at least one amendment will
be considered to HR 3432. That amendment, proposed by Rep. Kennedy (D,MA), would add six new sections to the
bill. Again, I have not yet had a chance to do an in-depth review of the
amendment, but it looks very similar to HR 2139, which was cosponsored by Kennedy. HR 2139 has not yet been referred to
the Energy Subcommittee and no action has been taken on that bill.
President Nominates Lemos to CSB
Yesterday the Senate received the nomination of Katherine Andrea Lemos of California to be a Member of
the Chemical Safety and Hazard Investigation Board for a five-year term. Lemos
would serve to replace Mark Griffon, who resigned from the CSB.
According to the White House:
“Katherine A. Lemos, Ph.D., has
previously served in the Federal Aviation Administration and on the National
Transportation Safety Board. Dr. Lemos is currently the Director of
Programs for Northrop Grumman Corporation’s Aerospace Sector. Dr. Lemos
has a distinguished background in system safety, accident investigation, human
factors, and advanced technology research and integration. Dr. Lemos has
broad experience across the product lifecycle in analyzing and promoting
product, process, and operational performance.”
President Trump has twice proposed defunding the CSB in EPA
budget documents. This appointment may signal an end to his attempt to kill the
Board.
If Lemos is confirmed by the Senate, there will still be one
vacancy remaining on the Board. The 5-year term of two of the three existing Board
Members (Manny Ehrlich and Richard Engler) will expire in December.
HR 3261 Introduced – Smart Signals Grants
Earlier this month Rep. Cardenas (D,CA) introduced HR 3261,
the Less Traffic with Smart Stop Lights Act of 2019. The bill would require DOT
to establish the Smart Technology Traffic Signals Grant Program. Funding would
come from existing DOT grant programs.
Grant Program
The new grant program would provide monies to State, local and
Tribal governments to improve the functioning of traffic signals in a way that
would {§2(a)}:
• Reduce traffic congestion;
• Improve the safety and effectiveness of roadways;
• Reduce fuel costs for drivers; and
• Reduce air pollution.
The monies would be used to improve traffic signals through
the implementation of innovative technology, including {§2(c)}:
• Adaptive signal control technology; and
• Real-time data measurement technology
Funding would come from two existing DOT grant programs: the
surface transportation block grant program (23 USC 133) and the congestion mitigation and air quality improvement program
(23 USC 149).
Moving Forward
Cardenas is a member of the House Energy and Commerce
Committee, one of the two committees to which this bill was assigned for consideration.
Rep. Espaillat (D,CA), a cosponsor of the bill is a member of the House
Transportation and Infrastructure Committee, the other committee to which the
bill was assigned. This means that the bill could be considered by both
relevant committees.
There is nothing in the bill that would drive any
ideological opposition to its passage. The funding provisions help to overcome
the added spending issue, but it will effectively reduce the funding available
for grants in the other programs by some undetermined amount.
Commentary
The biggest shortfall in the language in the bill is that it
contains no provisions for requiring grantees to address cybersecurity issues
with these innovative technology solutions. With that lack of cybersecurity language
in mind, I would like to suggest the following two modifications to the
language in the bill.
First, I would add a new clause to §2(c) that would specifically allow grants to be used
for improving cybersecurity of existing traffic control systems:
(3) defensive measures (as defined in 6 USC 1501) to protect new or existing traffic control systems from
cybersecurity threats (as defined in 6 USC 1501).
Second, I would rewrite §2(f) to read:
(f) APPLICATIONS.—To be eligible
for a grant under the Program, a State, local, or Tribal government entity
shall submit to the Secretary an application at such time, in such form, and
containing:
(1) An analysis of the
cybersecurity threats (as defined in 6 USC 1501) that would affect the traffic
control systems to be funded by the grant being requested;
(2) A description of the
defensive measures that would be used to address the potential threats
described in (1); and
(3) Any other information as
the Secretary determines appropriate.
NOTE: The definitions in §1501 use the control system inclusive definition of ‘information
system’.
Bills Introduced – 06-24-19
Yesterday, with both the House and Senate back in Washington
from the weekend, there were 43 bills introduced. One of those bills will
probably receive additional coverage in this blog:
HR 3432 To amend title 49, United States Code, to improve the safety of the Nation's natural gas and hazardous liquid pipeline systems, and for other purposes. Rep. Rush, Bobby L. [D-IL-1]
Monday, June 24, 2019
HR 3290 Introduced – Pipeline Mandamus
Earlier this month Rep. Speier (D,CA) introduced HR 3290,
the PHMSA Accountability Act. The bill would allow civil suits against DOT to compel
performance of a non-discretionary duty under pipeline safety laws. The bill is
identical to HR 5443 that Speier introduced in the 114th Congress; no
congressional action was taken on that bill.
Application
In my blog post I generically addressed how this change
could affect the rulemaking process at DOT’s Pipeline and Hazardous Material
Safety Administration. Today, I will look at one of the 12 rulemakings
currently listed in the DOT’s
Spring 2019 Unified Agenda that are listed as being pipeline safety related.
This rulemaking could be considered for mandamus law suits if this bill was
current law.
RIN: 2137-AF31 – Pipeline Safety: Coastal Ecological Unusually Sensitive Areas.
Section 19(b) of the PIPES Act of 2016 (PL 114-183) required DOT to “revise section
195.6(b) of title 49, Code of
Federal Regulations, to explicitly state that the Great Lakes, coastal beaches,
and marine coastal waters are USA ecological resources for purposes of
determining whether a pipeline is in a high consequence area (as defined in
section 195.450 of such title).”
Instead of reading this requirement
as a directed rulemaking to add a sub-paragraph (6) to §195.6(b) that reads “An area on or adjacent to the
Great Lakes, coastal beaches, and marine coastal waters,” the current Unified
Agenda indicates that the Administration intends to offer an Advanced Notice of
Proposed Rulemaking (ANPRM) later this year. The rulemaking abstract
mentions that “PHMSA must change the definition of USA and further define what
is included in "coastal beaches" and "marine coastal
waters." In this rulemaking, PHMSA will solicit broad input from the
pipeline industry and other stakeholders, propose definitions and geographic
extents for the new terms to be included in the revised USA definition, and
understand industry implications and concerns with the proposed revisions.”
A mandamus suit by an environmental
activist organization might be expected to try to compel DOT to issue a directed
final rule on the more limited reading of the intent of §19(b).
Moving Forward
While Speier is not a member of any of the three committees
to which this bill was assigned for consideration, one of her cosponsors {Rep.
Eshoo (D,CA)} is a member of the House Energy and Commerce Committee. Her
influence on that Committee would be enough for Committee consideration of the
bill, but the bill would not move to the floor without the active support of
the Chair of the House Transportation and Infrastructure Committee.
This bill would draw significant opposition from the
Republicans in the House, preventing the bill from being passed under the House
suspension of the rules process which requires a super-majority for bill passage.
Consideration of the bill under a rule is unlikely. The only other hope for passage
of this bill would be to include it as language in an authorization bill.
S 1867 Introduced – UAS Coordinator
Earlier this month Sen. Johnson (R,WI) introduced S 1867,
the DHS Countering Unmanned Aircraft Systems Coordinator Act. The bill would
require DHS to establish within the Office of Strategy, Policy, and Plans the
position of Countering Unmanned Aircraft Systems (UAS) Coordinator. The provisions
of the bill are similar to HR 6438 that was introduced, and subsequently passed,
in the House in the 115th Congress.
Coordinator
The bill would add a new section 321 to the Homeland Security
Act of 2002. It would establish the position of Coordinator, who would be responsible
for overseeing and coordinating with relevant Department offices and
components, including the Office of Civil Rights and Civil Liberties and the
Privacy Office, on the development of guidance and regulations to counter
threats associated with unmanned aircraft systems as described in 6 USC 124n.
In addition to promoting research and development in
coordination with the Office of Science and Technology, the Coordinator would
be required to work “with the relevant components and offices of the
Department, including the Office of Intelligence and Analysis, to ensure the
sharing of information, guidance, and intelligence relating to countering UAS
threats, counter UAS threat assessments, and counter UAS technology” {new §321(a)(2)(C)}.
The Coordinator would also “serve as the principal
Department official responsible for sharing to the private sector information
regarding counter UAS technology, particularly information regarding instances
in which counter UAS technology may impact lawful private sector services or
systems” {new §321(c)}.
The position of Coordinator would terminate at the same time
as the provisions of §124(n).
Moving Forward
Johnson is the Chair of the Senate Homeland Security and
Governmental Affairs Committee so it is very likely that this bill would move
forward in Committee. If the bill were to make it to the floor of the Senate,
it would likely be considered under the Senate’s unanimous consent process.
If this bill passes in the Senate, it is close enough to the
HR 6438 language that it would likely pass in the House with bipartisan support.
Commentary
This bill, like the provisions of §124(n), still fails to resolve the problems that
critical infrastructure facilities have with protecting themselves from attack
by UAS. The most important of those problems are the legal prohibitions against
attacking aircraft in US airspace. Until that problem is adequately resolved,
facilities are going to be extremely limited in actions that they can take.
Sunday, June 23, 2019
LNG By Rail Special Permit Comments – 6-23-19
Over the last week there have been eight new comments posted
to the docket for the liquified natural gas by rail special permit being
proposed by DOT’s Pipeline and Hazardous Material Safety Administration
(PHMSA). This week’s comments were all provided by private citizens and all
opposed the issuance of the special permit based upon their expressed concerns
about the safety of shipping LNG by rail.
When we see early multiple comments from private citizens on
a rulemaking docket, it is easy to suggest that there is an organized letter
writing campaign involved. Many environmental or chemical safety advocacy
groups have employed these types of campaigns in the past. It does not appear
that this is a typical organized campaign; there is no commonality of language
or phrases and there is no reference to a prepared statement or counter proposal.
Saturday, June 22, 2019
OMB Approval of CFATS PSM to Tier III and IV
Earlier this week I ran into a blog post at Aradc.org (Agriculture Retailers Organization) by Andrea Mowers
about the OMB’s approval of the information collection request to add Tier III and IV facilities in the Chemical Facilities
Anti-Terrorism Standards (CFATS) program to the Personnel Surety Program (PSP)
vetting of employees against the Terrorist Screening Data Base (TSDB). I missed
the May 23rd announcement by OMB’s Office of Information and Regulatory Affairs (OIRA), but the ICR certainly
was approved.
We can expect to see the DHS Infrastructure Security Compliance
Division (ISCD) publish a notice in the Federal Register about the
implementation of the expansion of the PSP submission requirements. I will
review the details of that process when the document is issued, but we can look
at the Tier I and Tier II implementation and the documentation ISCD submitted
to OIRA to get a general idea of what those requirements will be.
First off, ISCD will establish some sort of internal process
to spread out the requirement to first modify approved site security plans
(SSP) to explain how the facility will implement the process. That implementation
plan would include which of the four options (or combination of options) that
the facility plans to use to screen employees, contractors and visitors (the
last two with unaccompanied access to critical areas of the facility) for
potential terrorist ties. Finally, once that SSP revision is approved, ISCD
will provide a deadline for the implementation of the plan. Facilities can probably
expect that assistance will be available from Chemical Security Inspectors
(CSI) during the process.
The general plan for the phased implementation of the Tier
III and IV implementation of the PSP requirements was outlined in a
response (.DOCX download) to industry comments submitted to OIRA. Response 4.1.1 notes:
“The Department agrees that a
flexible approach is appropriate for the rollout of the Personnel Surety
Program to Tier 3 and Tier 4 covered chemical facilities. If approved, the
Department plans to implement the CFATS Personnel Surety Program in a phased
manner to Tier 3 and Tier 4 covered chemical facilities over a three year
period. Similar to the successful and
recent retiering effort, the Department plans to consider the number of
facilities assigned to a single Authorizer when notifying facilities to
implement the Personnel Surety Program, as not to overwhelm a single
Authorizer. The Department will also allow the flexibility for Authorizers, if
desired, to complete the process for their facilities before notification by
the Department.”
While ISCD will certainly be providing individual facilities
with notification of the deadline by which they will have to revise their SSP,
I expect that ISCD will allow facilities to begin the process before that
notification is given. I do suspect, however, that they would prefer that facilities
not try to begin the process before the Federal Register Notice is published.
Facilities could contact their CSI or the regional office to confirm this.
One final point: questions have been raised throughout the
PSP development and implementation process about DHS’s reluctance to guarantee
that facilities would receive timely notification if a person is identified in
the TSDB vetting process as having potential terrorist ties. If this were
totally up to ISCD, I am sure that timely notifications would be made.
Unfortunately, intelligence and law enforcement entities outside of the
Cybersecurity and Infrastructure Security Agency (CISA), the controlling agency
under which ISCD resides, will be involved in making that decision. The comment
response document again addresses this issue in response 5.62:
“The Department’s design of the
CFATS Program is intended to promote and enhance the security of high-risk
chemical facilities; the Personnel Surety Program is one element of the larger
CFATS Program. To prevent a significant threat to a facility or loss of life, a
high-risk chemical facility will be contacted where appropriate and in
accordance with federal law and policy, and per law enforcement and
intelligence requirements.”
Friday, June 21, 2019
HR 2740 Passes in House – First FY 2020 Minibus
On Wednesday the House passed HR 2740, the first FY 2020 minibus spending bill, by a vote of 226 to 203, a
near party-line vote with seven Democrats voting Nay. A large number of amendments
were adopted in two en bloc votes, including the Walberg amendment that I discussed
earlier. That amendment would add $7 million to the Cybersecurity, Energy
Security, And Emergency Response (CESER) spending account in the Department of
Energy.
When (if?) the Senate takes up HR 2740, it will substitute language
from the appropriate Senate spending bills for the language in the House bill.
To move the bill to the President a conference committee would have to work out
compromise language that would subsequently be passed by both the House and
Senate. The ‘(if?)’ is because the Republicans in the Senate are still trying
to work out a budget deal with the House and President that would set the
spending caps for FY 2020. The Senate might not take up spending bills until that deal is
reached.
Thursday, June 20, 2019
1 Advisory Published – 06-20-19
Today the DHS NCCIC-ICS published a control system security
advisory for products from Phoenix Contact.
This advisory describes three vulnerabilities in the Phoenix Contact Automation Worx Software Suite. The vulnerabilities were reported by 9sg Security Team via the Zero Day Initiative. Phoenix Contact is working on an update to mitigate the vulnerabilities.
The three reported vulnerabilities are:
• Access of an uninitialized pointer - CVE-2019-12870;
• Out-of-bounds read - CVE-2019-12869; and
• Use after free - CVE-2019-12871
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to allow an attacker, with access
to an original PC Worx or Config+ project file, to perform remote code
execution.
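All three reported classes are memory-safety defects in code that parses an attacker-supplied file, and the mitigation on the parser side is the same in each case: trust nothing in the file, check every length against the bytes actually present before reading, and never leave a result pointer uninitialized. The C sketch below is an added illustration, not code from the advisory, from Phoenix Contact or from this blog; it parses a constructed record layout (hypothetical, not the PC Worx/Config+ project-file format) with those checks in place, and the sample inputs are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical record layout, constructed for this example; it is not the
 * PC Worx / Config+ project-file format:
 *   [u8 type][u16 length, little-endian][length payload bytes] ... repeated */

enum { PARSE_TRUNCATED = -1, PARSE_TOO_MANY = -2 };
#define MAX_RECORDS 16

typedef struct {
    uint8_t type;
    uint16_t len;
    const uint8_t *data;  /* borrowed view into the caller's buffer, never owned */
} record_t;

/* Parse untrusted bytes into records. Each header and payload is checked
 * against the remaining buffer before any pointer is advanced, so a forged
 * length field is rejected instead of producing an out-of-bounds read.
 * Returns the number of records, or a negative PARSE_* error. */
int parse_records(const uint8_t *buf, size_t buflen, record_t *out, size_t max_out)
{
    size_t pos = 0, n = 0;
    while (pos < buflen) {
        if (buflen - pos < 3)              /* not enough bytes for a header */
            return PARSE_TRUNCATED;
        uint8_t type = buf[pos];
        uint16_t len = (uint16_t)(buf[pos + 1] | ((uint16_t)buf[pos + 2] << 8));
        pos += 3;
        if (len > buflen - pos)            /* payload would run past the end */
            return PARSE_TRUNCATED;
        if (n >= max_out)                  /* caller's array is full */
            return PARSE_TOO_MANY;
        out[n].type = type;
        out[n].len = len;
        out[n].data = buf + pos;
        n++;
        pos += len;
    }
    return (int)n;
}

/* Look up a record by type. The result starts out NULL and is only set on a
 * match, so a caller never receives an uninitialized pointer. */
const record_t *find_record(const record_t *recs, int count, uint8_t type)
{
    const record_t *found = NULL;
    for (int i = 0; i < count; i++) {
        if (recs[i].type == type) { found = &recs[i]; break; }
    }
    return found;
}

/* Constructed sample inputs (not captured from any real product). */
static const uint8_t WELL_FORMED[] = {
    0x01, 0x02, 0x00, 'A', 'B',   /* type 1, length 2 */
    0x02, 0x00, 0x00              /* type 2, length 0 */
};
static const uint8_t FORGED_LENGTH[] = {
    0x01, 0xFF, 0x7F, 'A', 'B'    /* claims 32767 bytes, only 2 present */
};
static const uint8_t SHORT_HEADER[] = { 0x01, 0x02 };

int demo_well_formed(void)
{
    record_t recs[MAX_RECORDS];
    return parse_records(WELL_FORMED, sizeof WELL_FORMED, recs, MAX_RECORDS);
}

int demo_forged_length(void)
{
    record_t recs[MAX_RECORDS];
    return parse_records(FORGED_LENGTH, sizeof FORGED_LENGTH, recs, MAX_RECORDS);
}

int demo_short_header(void)
{
    record_t recs[MAX_RECORDS];
    return parse_records(SHORT_HEADER, sizeof SHORT_HEADER, recs, MAX_RECORDS);
}

/* Payload length of the type-1 record, or -1 if it is absent. */
int demo_lookup_len(void)
{
    record_t recs[MAX_RECORDS];
    int n = parse_records(WELL_FORMED, sizeof WELL_FORMED, recs, MAX_RECORDS);
    const record_t *r = find_record(recs, n, 0x01);
    return r ? (int)r->len : -1;
}

int main(void)
{
    printf("well-formed: %d records\n", demo_well_formed());
    printf("forged length: %d\n", demo_forged_length());
    printf("short header: %d\n", demo_short_header());
    printf("type-1 payload length: %d\n", demo_lookup_len());
    return 0;
}
```

Records borrow from the caller's buffer rather than owning heap memory, so the parser itself has nothing to free and no opportunity for a use-after-free; whoever owns the buffer must keep it alive for as long as the records are used.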
HR 3256 Amended and Adopted in Homeland Security Committee
Yesterday the House Homeland Security Committee amended
and subsequently adopted HR 3256, Protecting and Securing Chemical
Facilities from Terrorist Attacks Act of 2019. The alternate
language was adopted by a voice vote (pretty much along party lines by the
sound of it) and the final action was taken by a recorded
vote of 14 to 12; strictly along party lines.
The Republican opposition to the bill was voiced by Ranking
Member Rogers (R,AL) and addressed predictable issues. One notable portion of
that opposition narrative was voiced at 17:25 into the video when Rogers stated: “The bill
enlarges the whistleblower protection program in an agency that does not have
the capacity or skills to administer such a program.” Comment: This is
perhaps why the Democrats felt that changes in the current whistleblower provisions
were needed.
All three statements on the bill {Chairman Thompson (D,MS),
Rogers, and Subcommittee Chair (and author of the bill) Richmond (D,LA)} emphasized
how important reauthorization of the CFATS program was and how hard everyone
was working together to get this done. They all agreed that additional work needs
to be done on the bill to get it to the point where there can be strong bipartisan
support for the bill when it gets to the floor of the House.
The next venue for consideration of the bill will be the
House Energy and Commerce Committee. Further amendments of the bill are sure to
be seen there.
Wednesday, June 19, 2019
Bills Introduced – 06-18-19
Yesterday with both the House and Senate in session, there
were 54 bills introduced. Three of the bills will likely see future coverage in
this blog:
HR 3310 To direct the Secretary of Homeland Security to conduct a study on how
to improve training and support for local emergency response providers in areas
with high concentrations of covered chemical facilities in how to respond to a
terrorist attack on a chemical facility. Rep. Jackson Lee, Sheila [D-TX-18]
HR 3318 To require the Transportation Security Administration to establish a
task force to conduct an analysis of emerging and potential future threats to
transportation security, and for other purposes. Rep. Joyce, John [R-PA-13]
HR 3320 To amend the Homeland Security Act of 2002 to authorize the Secretary
of Homeland Security to implement certain requirements for information relating
to supply chain risk, and for other purposes. Rep. King, Peter T. [R-NY-2]
HR 3310 looks like an interesting approach to figuring out
how to deal with outside response to a terrorist attack on a chemical facility.
Limiting the area of coverage to ‘areas with high concentrations of covered
[CFATS?] chemical facilities’ could be a way out of federal funding (local
funding would be more likely to be available). This bill will definitely
require some study.
HR 3318 will only be of interest here if it specifically
addresses surface transportation security issues.
‘Supply chain risk’ covers a wide variety of problems; if
cyber issues are addressed, HR 3320 should get coverage here.
Rules Committee Approves Rule for Consideration of HR 3055 – 2nd FY2020 Minibus
Yesterday the House Rules Committee approved the rule for the
consideration of HR 3055, the 2nd FY2020 minibus. The rule provides for the initial
debate and offering of 290 amendments. The House is scheduled to start
consideration of the bill today after completion of its work on HR 2740, the 1st FY2020 minibus.
Amendments
Of the four amendments that I mentioned in my earlier post,
only two were included in the list of amendments allowed to be offered on the
floor during the consideration of this bill. Those were:
233
DeFazio (D,OR) Prohibits authorizing the transportation of liquefied natural
gas by rail tank car and prohibits the Secretary of Transportation from using
funds to authorize transportation of liquefied natural gas by rail tank car by
issuance of a special permit or approval.
264
Maloney (D,NY) Decreases and then increases funding for Transportation
Planning, Research, and Development by $1 million for the purposes of
encouraging the Department of Transportation to research implementing connected
vehicle and autonomous vehicle technologies at Highway-Rail Grade Crossings.
Comment: Both amendments will probably be adopted.
The DeFazio amendment vote will most likely be a party-line vote; the Maloney
amendment may receive some Republican support.
Other Provisions
There is a provision in this rule that addresses the
remaining consideration of HR 2740. Section 7(b) of H.
Res. 445 provides that during the further consideration of HR 2740 [starting
this morning] “the question of the adoption of further sundry amendments
reported from the Committee of the Whole shall be put to the House en gros and
without division of the question.” At this point, I am not sure exactly what
amendments that includes. It would probably not include amendments that were
debated yesterday, but scheduled for votes today, but that is not certain.
Comment: I suspect that this is the Democrats
retaliating for the Republicans forcing votes on each amendment proposed for HR
2740. More importantly, it is a warning that the same measure may be applied to
this bill’s consideration if the Republicans continue the tactic to slow down
consideration of HR 3055. The Democrats apparently intend to complete
consideration of the bill this week.
OMB Approves NIST SP 800-171 Update
On Monday the OMB’s Office of Information and Regulatory
Affairs (OIRA) announced
the approval of the National Institute of Standards and Technology’s (NIST)
Special Publication 800-171, Protecting Controlled Unclassified Information in
Nonfederal Systems and Organizations. This update was sent
to OMB for approval back in February. Guidance documents are not typically
listed in the Unified Agenda and there is nothing on the SP800-171
web site that indicates what types of changes are being made.
This document could be published this week, but the Trump Administration
is notoriously slow to publish regulatory documents so there is no telling when
this will be published.
This document establishes cybersecurity requirements for
electronic systems that store, receive or send Controlled Unclassified
Information (CUI). It mainly covers contractors, but facilities covered under
the Chemical Facility Anti-Terrorism Standards (CFATS) program would be
required to comply with these standards on systems containing Chemical-Terrorism
Vulnerability Information (CVI).
Tuesday, June 18, 2019
HR 3256 Introduced – CFATS Reauthorization – Part 2
This is the second installment of a look at HR 3256
(note: an official copy of the bill is now available), the Protecting and
Securing Chemical Facilities from Terrorist Attacks Act of 2019. The initial
post was made on Sunday. The House Homeland Security Committee will
markup this bill tomorrow and substitute
language for the bill will be considered. Things are moving fast here.
New Sections Added
The substitute language is adding the following new
sections:
§11. Review of tiering methodology.
§15. Voluntary program.
§16. Study on local emergency response capacity to
respond to chemical security incidents.
§17. Previously approved facilities.
Changes to Previously Reported Provisions
The substitute language does change some of the provisions
that I reported upon in my last post.
Section 4 of the bill is substantially changed. The new
version removes the rewrite of paragraph (a) that I previously described. It
also rewrites paragraph (b), but the new version (along with a small format
change) revises the language on State and local government officials by
clarifying that the information sharing will take place only “with respect to
information on any chemical facility of interest within the jurisdiction of the
official, but only if such information may not be disclosed pursuant to any
State or local law” {new §623(b)(1)}.
It also clarifies the information sharing with the new Chemical Security
Advisory Committee will only be for the purposes of “conducting official duties
and responsibilities as described in such section” {§623(b)(3)}.
Comment: These changes clearly protect the current
Chemical-Terrorism Vulnerability Information (CVI) program.
No significant changes were made to the other two sections
which I discussed. The remainder of this post will only deal with the
provisions found in the substitute language that the Committee will markup
tomorrow.
Chemical Security Advisory Committee
Section 7 of the bill would add a new section (§2110) to the Homeland
Security Act of 2002 which would become (probably) 6 USC 630. The new section
would require DHS to form the Chemical Security Advisory Committee. The new CSAC
would consist of 12 members representing {new §630(b)(1)}:
• Industry;
• Academia;
• Labor;
• Emergency response providers;
• Local emergency planners;
• Environmental, community, or public health
advocates, particularly for communities with high concentrations of covered
chemical facilities; and
• Cybersecurity and information policy.
The purpose of the CSAC is broadly written; to “advise the
Secretary on the implementation of this title” {§630(a)}. The only other operational guidance
provided is the recommendation that the Committee “may establish subcommittees
to assesses and recommend improvements to the risk tiering methodology for
chemical facilities, the risk-based performance standards for chemical
facilities, risk reduction strategies, and other aspects of the program under
this title as the Secretary determines appropriate” {§630(c)}.
Comment: Other advisory committees have been very
helpful to their Federal Agency in providing insight and technical support for
policy development. One provision that is sometimes seen (particularly for DOT
advisory committees) is a requirement for the Secretary to seek advice from the
committee on all proposed rulemakings under the committee’s charter. That might
be a useful addendum to this section.
Review of Tiering Methodology
I generally do not worry too much about mandated studies and
reports to Congress in authorization bills, but I do want to briefly mention
the provisions of §11 of this bill because of one of its requirements. This section would require the
DHS Cybersecurity and Infrastructure Security Agency (CISA) to conduct a review
of the current tiering methodology used by the Infrastructure Security
Compliance Division (ISCD) to assess the relative risk of terrorist attack at a
facility covered by the CFATS program. One of the items that the review is
supposed to take into account is {§11(a)(1)(c)}:
The vulnerabilities of chemical
facilities to cybersecurity threats, including the vulnerabilities of
facilities’ information technology and operational technology and the implications
on the potential for penetration of both the physical security and
cybersecurity of facilities.
Comment: I generally applaud this idea, but it would
pose some significant challenges to expand the Top Screen submission to provide
adequate information for ISCD to properly assess this risk. What might be needed
to implement this would be to go back to the requirement to submit a security
vulnerability assessment report to DHS prior to ISCD making a tiering decision.
That is not, however, something that the lawmakers would necessarily want to
consider in requiring this review and report.
COI Mixture Appeals
Section 14 of the revised bill would require DHS to
establish “a process through which the Secretary can be petitioned to exclude a
product or mixture” from consideration in the risk assessment process used to establish
that a facility is a covered facility or to tier the facility. The only
guidance provided on this process is that the information collected will not be
subject to the requirements of 44 USC Chapter 35 (presumably the information collection
requirements of §3507)
or the Freedom of Information Act requirements.
This requirement supports a change made to §622 {a new paragraph
(f)} by §3 of the
bill. That new paragraph would authorize DHS to exclude a product or mixture
from the Top Screen reporting requirements if DHS “determines that
the product or mixture does not present a terrorism risk for which the chemical
of interest contained within the product or mixture was included on Appendix A
[COI list for 6 CFR 27]”.
Comment: The current mixture rules used by ISCD are
very broadly written and almost certainly cause reporting of mixtures that do
not pose the hazards associated with the underlying DHS Chemical of Interest. I
am thinking primarily of flammable liquids; a mixture containing 2% of a
flammable COI may not itself be flammable. The problem is that the way (f) is
written this would affect Top Screen submissions. This would require additional
access to the Chemical Security Assessment Tool prior to CVI training.
Moving Forward
This bill will probably be amended further tomorrow, but it
will certainly be adopted by the Committee. The only question is how much
support it will receive from the Republicans. It looks to me like the Democrats
have moderated their changes enough that there could be some support, or at least
acquiescence, on the part of the business community. This would allow some of
the Republicans to vote in favor of the bill.
The main problem will be in the Senate. This bill will
almost certainly not be considered in the Senate Homeland Security and
Governmental Affairs Committee. Sen. Johnson (R,WI) will almost certainly
introduce his own legislation and the Committee will consider that instead of
this bill. The question will then be how the Senate leadership decides (if it
decides) to proceed; it could bring Johnson’s bill to the floor and send it to
the House for consideration, consider the House bill as passed, or (more likely)
consider the House bill by substituting Johnson’s language.
I do not expect the Senate to take any action on CFATS
authorization until just before the current expiration next year. And that may
just take the form of another extension.
Monday, June 17, 2019
Rules Committee to Meet on HR 3055 – The Second FY 2020 Minibus
Tomorrow the House Rules Committee will meet to formulate
the rule for the consideration of HR 3055, the Second FY 2020 Minibus. The new
version of HR 3055 will include language from HR 3055 (CSJ), HR 3164 (ARD), HR 3052 (IER), HR 2745 (MCVA), and HR 3163 (THUD). The meeting Tuesday and a second meeting on Wednesday will set
the list of amendments that will be allowed to be considered on the floor. The HR 3055 web page currently lists 553 separate (and often duplicative) amendments
that have been proposed.
The following amendments have caught my interest:
• Division A (CSJ), #108,
Rep. Langevin (D,RI), Increases funding for CyberCorps: Scholarship for
Service, the nation’s premier cybersecurity workforce recruitment and
curriculum development initiative by $7.35 million; the money coming from the
NSF account for reimbursing DHS for security guard services.
• Division B (ARD), #55,
Rep. Langevin, Increases funding for the FDA's Transform Medical Device Safety,
Cybersecurity, Review, and Innovation initiative by $5 million in order to increase
the FDA's capacity to protect consumers from cyber threats both pre- and
post-market; the money coming from the account of the Office of the Chief
Information Security Officer, US Department of Agriculture.
• Division E (THUD), #9,
Rep. DeFazio (D,OR), Prohibits authorizing the transportation of liquefied
natural gas by rail tank car and prohibits the Secretary of Transportation from
using funds to authorize transportation of liquefied natural gas by rail tank
car by issuance of a special permit or approval.
• Division E (THUD), #107, Rep. Maloney (D,NY), Decreases
and then increases funding for Transportation Planning, Research, and
Development by $1 million for the purposes of encouraging the Department of
Transportation to research implementing connected vehicle and autonomous
vehicle technologies at Highway-Rail Grade Crossings.
ISCD Publishes New FAQ and Updates a FAQ Response
Today the folks at the DHS Infrastructure Security
Compliance Division (ISCD) updated a response to a frequently asked question
(FAQ) and published a new FAQ on their Chemical Facility Anti-Terrorism Standards
(CFATS) Knowledge Center. Both FAQs
deal with the submission of Top Screen reports.
Actually, what ISCD did was to separate the response to the
original FAQ #641 into two cases. The first case deals with initial Top Screen
submissions; that remained in #641. The requirements for facilities already in
the CFATS program to resubmit a Top Screen were put into the new FAQ #1793.
Interestingly, there is one Top Screen submission situation
that has not been addressed in any of the FAQs to date. If a facility submits
a Top Screen and is notified by DHS that it is not a covered facility, does the
facility have to submit another Top Screen when it acquires a new DHS chemical
of interest (COI) in quantities above the Screening Threshold Quantity, or the
originally reported COI at a higher inventory level?
S 1589 Report Printed in Senate – Intel Authorization Act
Last week the Senate Select Committee on Intelligence printed
their Report to accompany S 1589, the Damon Paul Nelson and Matthew Young
Pollard Intelligence Authorization Act for Fiscal Years 2018, 2019, and 2020.
As I
reported earlier, the Committee favorably reported the bill last month
without a report.
There was one interesting bit on control system security in
the report on page 31:
National Security Threats to
Critical Infrastructure
The Committees are aware of
significant threats to our critical infrastructure and industrial control
systems posed by foreign adversaries. The sensitive nature of the information
related to these threats make the role of the IC of vital importance to United
States defensive efforts. The Committees have grave concerns that current IC
resources dedicated to analyzing and countering these threats are neither
sufficient nor closely coordinated. The Committees include provisions within
this legislation to address these concerns.
Unfortunately, I could find nothing in the bill that covered
this topic. If it is in there, and congresscritters would never fib, it is
buried in a section titled with something that does not deal with
cybersecurity.
S 1790 Introduced – FY 2020 NDAA
Last week Sen. Inhofe (R,OK) introduced S 1790,
the National Defense Authorization Act (NDAA) for Fiscal Year 2020. The bill
was reported
favorably by the Senate Armed Services Committee which Inhofe chairs. The
Senate is scheduled to take up the bill this week. The bill includes an entire
sub-title that addresses cyber operations; including one section that addresses
the development of a set of cybersecurity standards for the defense industrial
base.
Defense Industrial Base Cybersecurity
Section 1634 requires DOD to “develop a consistent,
comprehensive framework to enhance cybersecurity for the United States defense
industrial base” {§1634(a)}.
The framework would be developed by February 1st, 2020. The framework
would include {§1634(b)}:
• Identification of unified cybersecurity standards,
regulations, metrics, ratings, third-party certifications, or requirements to
be imposed on the defense industrial base for the purpose of assessing the cybersecurity
of individual contractors.
• The roles and responsibilities of various activities
within the Department of Defense, across the entire acquisition process,
beginning with market research, including responsibility determination, solicitation,
and award, and continuing with contractor management and oversight on matters
relating to cybersecurity.
• The responsibilities of the prime contractors, and
all subcontractors in the supply chain, for implementing the required
cybersecurity standards, regulations, metrics, ratings, third-party certifications,
and requirements identified under paragraph (1).
• A plan to provide implementation guidance, education,
manuals, and, as necessary, direct technical support or assistance to such
contractors on matters relating to cybersecurity.
• Methods and programs for defining and managing
controlled unclassified information, and for limiting the presence of
unnecessary sensitive information on contractor networks.
• Quantitative metrics for assessing the effectiveness
of the overall framework over time, with respect to the exfiltration of
controlled unclassified information from the defense industrial base.
While the language in the bill does not specify whether the cybersecurity
concerns cover both the information technology and control system technology
used in the industrial base, the Committee Report does address the matter. It
notes (pg 306):
“The committee is concerned that
contractors within the defense industrial base are an inviting target for our
adversaries, who have been conducting cyberattacks to steal critical military
technologies.”
Control System Cybersecurity
The Report does address control system cybersecurity
research being conducted by DOD. On pages 325-6 the Committee “commends the
Department of Defense for its efforts to address the cybersecurity of
installation industrial control systems (ICSs).” It goes on to discuss a
National Security Agency research program, Integrated Adaptive Cyber Defense (IACD).
It notes that “IACD technologies include
sensing and automated orchestration and interoperability among cybersecurity
tools and systems to defend both operational technology (such as ICSs) and
information technology”. There is additional discussion of this technology
under the “Software defined networking and network and cybersecurity orchestration”
heading on pages 333-4.
Cybersecurity Research
The Report notes (pgs 97-8) that the Committee is recommending
funding Defense-wide cybersecurity research (line item # PE 62668D8Z) at $25.1
million, an increase of $10.0 million above the Administration’s request.
Moving Forward
This bill will start to be considered on the floor of the
Senate sometime this week (a number of nominations have to be completed first).
Amendments have already started to be proposed to this bill, over 200 were
submitted on Thursday alone. How many of those (and yet to be submitted)
amendments will make it to the floor of the Senate remains to be seen.
Sunday, June 16, 2019
HR 3256 Introduced – CFATS Reauthorization - Part I
Earlier this week Rep. Richmond (D,LA) introduced HR 3256,
the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of
2019. Normally, I wait for the official print of the bill before I review it,
but the House Homeland Security Committee has a committee
print available and has scheduled a mark-up
hearing of the bill on Wednesday, so I will be reviewing the committee print
today.
HR 3256 would reauthorize the Chemical Facility
Anti-Terrorism Standards (CFATS) program for an additional five plus years
(until May 1st, 2025; §16).
The bill also provides a number of amendments to the current authorization language
(6 USC Subchapter XVI).
Major Additions
The following sections of the bill show the areas where significant
changes would be made to the existing program:
§4. Protection and sharing of
information.
§5. Civil enforcement.
§6. Whistleblower protection.
§7. Chemical Security Advisory
Committee.
§12. Voluntary mechanism for
reporting drones and other emerging threats.
§13. Regulations regarding specific
products and mixtures containing chemicals of interest.
The following sections provide information on the studies
and reports required by the bill:
§8. Implementation plan and report to Congress.
§9. Study on risks posed by excluded facilities.
§10. Study on feasibility of waiver program.
§11. Comptroller General reports.
Information Protection and Sharing
Section 4 of the bill would make a number of changes to 6
USC 623, Protection and Sharing of Information. The first change would be
to rewrite paragraph (a) to read:
(a) In general - Notwithstanding
any other provision of law, with
respect to information in the possession of the Department, the Secretary shall
protect information developed under this subchapter, including vulnerability
assessments, site security plans, and other security related information,
records, and documents shall be given protections from public
disclosure consistent with the protection of similar information under section 70103(d)
of title 46 [link added].
Additionally, a complete rewrite of paragraph (b) includes:
(2) NONDEPARTMENTAL INFORMATION.
— Information is not protected pursuant to subsection (a) if it is—
(A) not in the possession of
the Department;
(B) developed under this title
but has been previously produced or developed for other purposes; and
(C) is already publicly
available, readily discoverable, or otherwise lawfully disclosed.
Comment: It looks like this is intended to change the
Chemical-Terrorism Vulnerability Information (CVI) program to make it more like
other sensitive but unclassified (SBU) information protection programs.
Currently the CVI program has strict information protection rules for
information held at each covered facility. Other SBU programs only protect information
in the hands of the Federal government, its contractors, and such information
shared with State, Tribal, and local governments. If that was the intent, it
looks to me like the terminal ‘and’ in (2)(B) nullifies that attempt as it does
not remove protections already provided in the program. DHS would not be
required to change the CVI rules under these changes. If the terminal ‘and’
were changed to ‘or’ then (2)(A) would be the controlling factor for removing
CVI protections for information held at facilities.
As noted above §4
also rewrites (b), changing the information sharing requirements of §623(b) to require DHS to
provide information (upon request) to {new §623(b)(1)}:
State, local, and regional fusion
centers (as that term is defined in section 210A(j)(i) of this Act) and State
and local government officials, including law enforcement and emergency
response providers;
Members of Congress;
Members of the Chemical Security Advisory
Committee under [new] section 2010 of this Act; and
The Comptroller General of the United
States.
The addition of fusion centers and members of Congress in
this paragraph allows the bill to delete the current paragraphs (c) and (f)
from §623.
Comment: This is a pro forma change to appease
supporters who want ‘better’ information sharing about the hazards associated
with covered facilities. This really provides no new requirements for the CFATS
program beyond the addition of the new Advisory Committee which will be covered
in more detail later in the bill.
Civil Enforcement
Section 5 of the bill would amend §624,
Civil Enforcement. The first set of amendments deals with changes to paragraph
(a), Notice of noncompliance. The first changes the time limit for DHS to
provide a written notice of non-compliance from 14 days to 3 days. And the
second changes the time limit a facility would have to comply with a DHS order
to comply, from 180 days to 30 days.
The next set of changes address paragraph (b)(2) civil penalties
for non-reporting chemical facilities of interest. The change clarifies that
the subparagraph applies to Top Screen submission requirements or supplemental
information thereto.
The third set of changes amends paragraph (c)(1), expanding the DHS
authority for issuing emergency orders due to violations of CFATS program
requirements or the risk of terrorist incidents. It now adds a vague “or other
malicious act” that may affect a chemical facility of interest to the list of potential
causes of “an imminent threat of death, serious illness or severe personal injury
that the Secretary could attempt to prevent by requiring facility action.”
Comment: This ‘other malicious act’ language is vague
enough to provide authority to order cybersecurity measures or even the development
of active shooter programs. The current management would be unlikely to use
this authority; their emphasis is on cooperative enforcement. Who knows what
could happen in the future?
Whistleblower Protections
Section 6 of the bill modifies the existing whistleblower
protections found in §625.
The bill expands on the existing requirements for:
• Confidentiality;
• Response to reports; and
• Opportunity for review
The bill also adds a new paragraph (c) to the section; Procedure
and Remedy. It provides requirements for DHS to “establish a procedure for the
review and investigation of complaints of reprisals” {new §625(c)(i)} as well as
establishing remedies for violations of the same.
NOTE: I am about half-way through the major CFATS changes
proposed by this new bill and we are already at about 1000 words. It is getting
a bit long for a blog post; even by me. I will try to finish up by tomorrow.