Showing posts with label Information Sharing. Show all posts

Monday, May 12, 2025

Review – Committee Hearings – Week of 5-11-25

This week with the House and Senate in session, we have a fairly busy hearing schedule with reconciliation markups and budget hearings dominating in the House. There will also be a hearing on DOD space operations and another on reauthorizing CISA information sharing programs. In the Senate we have two hearings on program reauthorization for pipeline safety and the FAA.

Budget Hearings

| Budget Hearings | House | Senate |
|---|---|---|
| DHS | Homeland Security | |
| DOT | Appropriations | Appropriations |
| EPA | Appropriations | Appropriations |
| DOL | Appropriations | |

Space Geek

On Wednesday the Subcommittee on Strategic Forces of the House Armed Services Committee will hold a hearing on “National Security Space Programs”.

FAA Reauthorization

On Wednesday the Senate Commerce, Science, and Transportation Committee will hold a hearing on “FAA Reauthorization One Year Later: Aviation Safety, Air Traffic, and Next Generation Technology”.

Information Sharing

On Thursday the Subcommittee on Cybersecurity and Infrastructure Protection of the House Homeland Security Committee will hold a hearing on “In Defense of Defensive Measures: Reauthorizing Cybersecurity Information Sharing Activities that Underpin U.S. National Cyber Defense”.

Pipeline Safety

On Thursday the Senate Commerce, Science, and Transportation Committee will hold a hearing on “Pipeline Safety Reauthorization: Ensuring the Safe and Efficient Movement of American Energy”.

 

For more information on these hearings, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/committee-hearings-week-of-5-11-25 - subscription required.

Monday, February 10, 2025

Review - ChemLock and Information Sharing

This is part of a series of blog posts looking at the potential for the authorization of CISA’s existing ChemLock program and using it as a voluntary replacement for the now defunct Chemical Facility Anti-Terrorism Standards (CFATS) program. Other posts in this series include:

CFATS is Dead,

Making ChemLock Safety Act Compliant – ChemLock Program Background,

ChemLock and Tiering,

Reader Comment – TSDB Screening for ChemLock,

ChemLock and TSDB Screening,

ChemLock and Risk Based Performance Standards,

ChemLock and Chemical-Terrorism Vulnerability Information.

NOTE: Previous articles in this series have been removed from the CFSN Detailed Analysis paywall.

The CFATS program handled a lot of sensitive information that was categorized as Chemical-Terrorism Vulnerability Information (CVI). In order to limit the exposure of that information, DHS established the Chemical Security Assessment Tool (CSAT) as a secure, on-line portal for facilities to share sensitive information with the regulators and provided a secure method for facilities to receive CVI information from DHS. If the ChemLock program is going to be upgraded to serve as a voluntary replacement for the CFATS program, a similar secure information sharing system will have to be employed to protect the information sharing required to implement that expanded program.

An authorized ChemLock program could use the security information sharing tool developed for the CFATS program as the backbone for the upgraded voluntary ChemLock program and provide a means for facilities and CISA to share chemical security intelligence information. While the Safety Act certification process would be a primary incentive for facilities to formally involve themselves in the ChemLock program, a secure source of chemical security information would also provide an additional incentive for facilities to join ChemLock, expanding the reach of the voluntary program.

 

For more information about using the CSAT backbone to provide an information sharing environment, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/chemlock-and-information-sharing - subscription required.

Sunday, August 14, 2022

Review - Problems with Vulnerability Information Sharing – 8-14-22

For a couple of years now, I have been doing a weekly blog post (more frequently lately, a multi-part blog post) looking briefly at industrial control (and medical device) security vulnerability disclosures by vendors and researchers. Generally, I try to keep this separate from my highlighting of vulnerability disclosures by CISA’s NCCIC-ICS, if for no other reason than to keep down the amount of time I spend on the post. Recently, however, I have been seeing an increasing problem with the information sharing that goes into keeping the NCCIC-ICS advisories up to date. Today the problem became egregious enough that I need to look at it in some detail to show the depth of the problem.

 

This discussion is better done on my CFSN Detailed Analysis site, but it is so important that I do not think that it belongs behind a paywall. So, I will publish this article there - https://patrickcoyle.substack.com/p/problems-with-vulnerability-information - with free public access.

Friday, April 29, 2022

S 4000 Introduced – DHS and Congress Info Sharing

Earlier this month, Sen Portman (R,OH) introduced S 4000, the Intragovernmental Cybersecurity Information Sharing Act. The bill would require DHS to enter into information sharing agreements with the House and Senate on cybersecurity issues. No funding authorization is included in this bill.

The Agreements

The agreements would be made with the Senate Sergeant at Arms and the House Chief Administrative Officer. The agreements could include processes for:

• Direct and timely sharing of technical indicators and contextual information on cyber threats and vulnerabilities,

• Direct and timely sharing of classified and unclassified reports on cyber threats and activities, and

• Seating of cybersecurity personnel of the Senate or the House of Representatives at cybersecurity operations centers.

Periodic reports to Congress would be required by DHS on the status of the implementation of the agreements.

Moving Forward

Portman and one of his three cosponsors {Sen Peters (D,MI)} are members of the Senate Homeland Security and Governmental Affairs Committee (Peters is the Chair), so there should be sufficient influence to see this bill considered in Committee. There is nothing in the bill that would engender any organized opposition to the legislation. I expect that the bill would receive strong bipartisan support and the bill would be a strong candidate for consideration on the floor of the Senate under the unanimous consent process.

The mere introduction of this bill could be sufficient impetus to see such agreements formalized.


Thursday, November 25, 2021

CG Publishes NMSAC Meeting Notice – 12-15-21

The Coast Guard has posted a meeting notice in tomorrow’s (on line today) Federal Register (86 FR 67482-67483) for a teleconference for their National Maritime Security Advisory Committee (NMSAC) on December 15th, 2015. The Coast Guard intends to present a new tasking to the NMSAC: “Recommendations on Cybersecurity Information Sharing”. A copy of the tasking document should be on the NMSAC web site by December 13th.

Personnel who wish to join the teleconference should contact Ryan Owens (ryan.f.owens@uscg.mil) by December 7th, 2021. Those wishing to submit comments for the Committee’s consideration focused on improving and enhancing the sharing of information related to cybersecurity risks that may cause a transportation security incident may submit them through the Federal eRulemaking Portal (www.Regulations.gov; Docket # USCG-2021-0824).

Saturday, May 29, 2021

CRS Report on Information Sharing and Disclosure Requirements

This week the Congressional Research Service (CRS) prepared a report for Congress on “Critical Infrastructure Policy: Information Sharing and Disclosure Requirements After the Colonial Pipeline Attack”. The Report looks at the apparent change in information sharing philosophy embodied by the attempt by the Biden Administration to require cybersecurity incident reporting under EO 14028.

The short report (2 pages) does not draw any conclusions, but it does outline the history of voluntary information sharing between privately owned critical infrastructure and the federal government. Anyone that wants to understand the impending debate in Congress on authorizing cybersecurity information reporting mandates needs to understand this history.

Interestingly, this report was prepared before TSA published their Security Directive 01-21 mandating that pipeline operators report cyberattacks on their operations and information systems.

Wednesday, March 25, 2020

S 3416 – Emergency Response Information Sharing


This is part of a series of blog posts on the recently introduced S 3416, the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2020, which would modify and reauthorize the Chemical Facility Anti-Terrorism Standards (CFATS) program for five years. Other posts in this series include:


Information Sharing Strategy


The strategy that I discussed in yesterday’s post is also intended to address “the sharing of information with the local emergency manager, the local emergency response provider, and any on site emergency response provider for a covered chemical facility” {§6(a)}. That strategy would include “guidance on further improving outreach to the local emergency manager, the local emergency response provider, and any on site emergency response provider for a covered chemical facility” {§6(b)(3)}. That guidance would include requirements for:

• A statement of the name or title, organizational affiliation, and phone number of a local emergency manager or local emergency response provider, and any on site emergency response provider, for the covered chemical facility;
• The documented policy of the covered chemical facility to coordinate access to the facility with the local emergency manager, local emergency response provider, and any on site emergency response provider described in sub-paragraph (A), for purposes of training and pre-incident planning; and
• Written documentation by the covered chemical facility that the owner or operator has provided the local emergency manager or local emergency response provider with need to know (within the meaning of 6 CFR 27.400(e), or any successor thereto) and appropriate chemical-terrorism vulnerability information credentials the name and amount of each chemical of interest held, stored, or manufactured at the covered chemical facility.

Information Sharing Requirements


Section 15(a) amends 6 USC 622(e) by adding a paragraph (6), Sharing Information with Emergency Response Providers. This new paragraph would require DHS to “make available to State, local, and regional fusion centers and State and local government officials, including officials of State or local law enforcement agencies and emergency response providers” {new §622(e)(6)(B)} information that DHS determines is necessary “to ensure that emergency response providers are capable to effectively prepare for, respond to, and mitigate chemical security incidents at covered chemical facilities”. That information will include:

• The name of the covered chemical facility;
• The address of the covered chemical facility;
• The phone number of the covered chemical facility;
• The name and Chemical Abstract Service number of each chemical of interest used, stored, or manufactured as specified in the Top-Screen submitted by the covered chemical facility;
• The quantity and concentration of each chemical of interest specified in the Top-Screen submitted by the covered chemical facility; and
• The name or title, organizational affiliation, and phone number of a local emergency manager or local emergency response provider for the covered chemical facility specified in the site security plan of the covered chemical facility.

The bill would require DHS to use an existing “single information technology infrastructure, information technology platform, online platform, or website” {new §622(e)(C)(i)} for this required information sharing. Presumably this means the Infrastructure Protection Gateway that ISCD established in 2015.

DHS would be required to update this information every 90 days.

Emergency Responder Outreach


The new §622(e)(6) above would also require the Infrastructure Security Compliance Division (ISCD) to conduct outreach to local officials during compliance inspections or audits. Inspectors would be required to {new §622(e)(6)(E)}:

• Contact and notify the local emergency manager or local emergency response provider, and any on-site emergency response provider, identified by the covered chemical facility that there is a covered chemical facility in their response area; and
• Inform the response officials identified by the covered chemical facility of the available secure communications and information technology infrastructure platforms or other mechanisms to obtain additional information.

Commentary


I have two major concerns about the emergency response language in this bill; the lack of definition of key terms and the ‘need to know’ language used.

There are three new terms used in this bill about emergency responders that are unique to the bill and require definitions:

• Local emergency manager;
• Local emergency response provider; and
• On-site emergency response provider.

First-off, I think that the third term ‘on-site emergency response provider’ should be eliminated. If the facility management has not provided an on-site responder with necessary information about all of the chemicals on the site (not just those covered by the CFATS program), the facility has problems that need to be addressed by OSHA, not DHS.

Next, instead of the term ‘local emergency manager’ I would suggest that the terminology that should be used is “the head of the Local Emergency Planning Committee established under 42 USC 11001”. Then, instead of ‘local emergency response provider’ the bill should use ‘the head of the fire department that provides coverage for the facility’. Actually, the second term is operationally redundant for most facilities as local fire departments are supposed to be represented on the local LEPC. But that is only true for ‘most’ facilities since there are a number of areas that have no LEPC or the LEPC is not really active.

The bill uses the phrase “with a need to know (within the meaning of section 27.400(e) of title 6, Code of Federal Regulations” to modify the term ‘emergency responders’ wherever there is a requirement to share information with those responders. Now, I understand the need to protect Chemical-terrorism Vulnerability Information (CVI) which is what §27.400 refers to, and ‘need-to-know’ is a key part of that protection.

The CVI information that DHS is required to share under the proposed §622(e)(6) is limited to:

• The name and Chemical Abstract Service number of each chemical of interest used, stored, or manufactured as specified in the Top-Screen submitted by the covered chemical facility; and
• The quantity and concentration of each chemical of interest specified in the Top-Screen submitted by the covered chemical facility

Both of these items of information should be available to the listed agencies via the Environmental Protection Agency. With that in mind, I would like to propose striking the phrase “with a need to know (within the meaning of section 27.400(e) of title 6, Code of Federal Regulations” wherever it is used in §622(e)(6) and adding the following at the end of the paragraph:

(f) The information provided in (b) is presumed to be Chemical-Terrorism Vulnerability Information in accordance with 6 CFR 27.400. The individuals listed in (b) with whom that information is to be shared are deemed to have ‘need-to-know’ under §27.400(e)(i).

One final niggly bit; the inclusion of the requirements for the outreach to local emergency responders in §6 of the bill is more than a little confusing since the other part of that section deals with cybersecurity. The emergency response information sharing provision of § should have been included as part of §15 that proposes the addition of §622(e)(6), probably as part of §15(b).

Sunday, June 16, 2019

HR 3256 Introduced – CFATS Reauthorization - Part I


Earlier this week Rep. Richmond (D,LA) introduced HR 3256, the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2019. Normally, I wait for the official print of the bill before I review it, but the House Homeland Security Committee has a committee print available and has scheduled a mark-up hearing of the bill on Wednesday, so I will be reviewing the committee print today.

HR 3256 would reauthorize the Chemical Facility Anti-Terrorism Standards (CFATS) program for an additional five plus years (until May 1st, 2025; §16). The bill also provides a number of amendments to the current authorization language (6 USC Subchapter XVI).

Major Additions


The following sections of the bill show the areas where significant changes would be made to the existing program:

§4. Protection and sharing of information.
§5. Civil enforcement.
§6. Whistleblower protection.
§7. Chemical Security Advisory Committee.
§12. Voluntary mechanism for reporting drones and other emerging threats.
§13. Regulations regarding specific products and mixtures containing chemicals of interest.

The following sections provide information on the studies and reports required by the bill:

§8. Implementation plan and report to Congress.
§9. Study on risks posed by excluded facilities.
§10. Study on feasibility of waiver program.
§11. Comptroller General reports.

Information Protection and Sharing


Section 4 of the bill would make a number of changes to 6 USC 623, Protection and Sharing of Information. The first change would be to rewrite paragraph (a) to read:

(a) In general - Notwithstanding any other provision of law, with respect to information in the possession of the Department, the Secretary shall protect information developed under this subchapter, including vulnerability assessments, site security plans, and other security related information, records, and documents shall be given protections from public disclosure consistent with the protection of similar information under section 70103(d) of title 46 [link added].

Additionally, a complete rewrite of paragraph (b) includes:

(2) NONDEPARTMENTAL INFORMATION. — Information is not protected pursuant to subsection (a) if it is—
(A) not in the possession of the Department;
(B) developed under this title but has been previously produced or developed for other purposes; and
(C) is already publicly available, readily discoverable, or otherwise lawfully disclosed.

Comment: It looks like this is intended to change the Chemical-Terrorism Vulnerability Information (CVI) program to make it more like other sensitive but unclassified (SBU) information protection programs. Currently the CVI program has strict information protection rules for information held at each covered facility. Other SBU programs only protect information in the hands of the Federal government, its contractors, and such information shared with State, Tribal, and local governments. If that was the intent, it looks to me like the terminal ‘and’ in (2)(B) nullifies that attempt as it does not remove protections already provided in the program. DHS would not be required to change the CVI rules under these changes. If the terminal ‘and’ were changed to ‘or’ then (2)(A) would be the controlling factor for removing CVI protections for information held at facilities.

As noted above §4 also rewrites (b), changing the information sharing requirements of §623(b) to require DHS to provide information (upon request) to {new §623(b)(1)}:

• State, local, and regional fusion centers (as that term is defined in section 210A(j)(i) of this Act) and State and local government officials, including law enforcement and emergency response providers;
• Members of Congress;
• Members of the Chemical Security Advisory Committee under [new] section 2010 of this Act; and
• The Comptroller General of the United States.

The addition of fusion centers and members of Congress in this paragraph allows the bill to delete the current paragraphs (c) and (f) from §623.

Comment: This is a pro forma change to appease supporters who want ‘better’ information sharing about the hazards associated with covered facilities. This really provides no new requirements for the CFATS program beyond the addition of the new Advisory Committee which will be covered in more detail later in the bill.

Civil Enforcement


Section 5 of the bill would amend §624, Civil Enforcement. The first set of amendments deals with changes to paragraph (a), Notice of noncompliance. The first changes the time limit for DHS to provide a written notice of non-compliance from 14 days to 3 days. The second changes the time limit a facility would have to comply with a DHS order to comply from 180 days to 30 days.

The next set of changes address paragraph (b)(2) civil penalties for non-reporting chemical facilities of interest. The change clarifies that the subparagraph applies to Top Screen submission requirements or supplemental information thereto.

The third set of changes amends paragraph (c)(1), expanding the DHS authority for issuing emergency orders due to violations of CFATS program requirements or the risk of terrorist incidents. It now adds a vague “or other malicious act” that may affect a chemical facility of interest to the list of potential causes of “an imminent threat of death, serious illness or severe personal injury” that the Secretary could attempt to prevent by requiring facility action.

Comment: This ‘other malicious act’ language is vague enough to provide authority to order cybersecurity measures or even the development of active shooter programs. The current management would be unlikely to use this authority; their emphasis is on cooperative enforcement. Who knows what could happen in the future?

Whistleblower Protections


Section 6 of the bill modifies the existing whistleblower protections found in §625. The bill expands on the existing requirements for:

• Confidentiality;
• Response to reports; and
• Opportunity for review

The bill also adds a new paragraph (c) to the section; Procedure and Remedy. It provides requirements for DHS to “establish a procedure for the review and investigation of complaints of reprisals” {new §625(c)(i)} as well as establishing remedies for violations of the same.

NOTE: I am about half-way through the major CFATS changes proposed by this new bill and we are already at about 1000 words. It is getting a bit long for a blog post; even by me. I will try to finish up by tomorrow.

Sunday, April 21, 2019

HR 1648 Introduced – SBA Security Assistance


Last month Rep. Chabot (R,OH) introduced HR 1648, the Small Business Advanced Cybersecurity Enhancements Act of 2019. The bill would require the Small Business Administration to establish a Central Small Business Cybersecurity Assistance Unit as well as regional cybersecurity assistance units.

Cybersecurity Assistance Units


The CSBCAU would be collocated with the DHS National Cybersecurity and Communications Integration Center (NCCIC) and would serve as a conduit for sharing cybersecurity threat information between small businesses and the federal government. All of the information sharing protections provided under the CISA legislation {6 USC 1503(c)} would apply to information sharing via the CSBCAU {new 15 USC 648(a)(9)(B)(iii)}. Information on cyberthreat indicators or defensive measures shared through the CSBCAU will not be subject to the narrow regulatory exemption found in 6 USC 1504(d)(5)(D)(ii)(I).

The regional small business cybersecurity assistance units will be part of each Small Business Administration (SBA) small business development center. The bill would require the SBA to set aside $1 million from the monies authorized for small business development centers for the operation of regional SBCAUs.

Moving Forward


Chabot and both of his cosponsors {Rep. Balderson (R,OH) and Rep. Velasquez (D,NY)} are members of the House Small Business Committee, the Committee to which this bill was assigned for consideration. This means that there is a good chance that this bill will be considered in Committee.

There is nothing in this bill that would incur any significant opposition. I suspect that if it is considered in committee that it would pass with significant bipartisan support. If considered by the full House it would likely be considered under the suspension of the rules process with limited debate and no floor amendments. Again, it would probably pass with substantial bipartisan support.

Commentary


This bill is an attempt to encourage small business owners to participate in the existing cybersecurity information sharing program with CISA by using familiar SBA channels of communication. Unfortunately, it does not address the underlying issues that appear to be hindering businesses in general from participating in the information sharing process. That is the appearance that the information sharing process is a one-way street with little useable information flowing back to the private sector.

The one small sop thrown to the small business community, the §1504 exception, will do little to add encouragement for small businesses to participate in the CISA information sharing process. Section 1504 allows units of the federal government to use information shared with NCCIC to fine tune existing cybersecurity regulations. Since there are few areas of the federal regulatory system that are specifically allowed to regulate cybersecurity, this is a fairly unimportant exception.

There is no mention in this bill of industrial control system security issues. The findings section of the bill only mentions information technology security concerns. Fortunately, since this bill attempts to supplement the CISA information sharing process, it uses control system friendly definitions from 6 USC 1501 that are based on the definition of ‘information system’ that specifically includes control systems. Unfortunately, this is as unlikely to encourage small businesses to share control system security threat information with CISA as it is purely IT threat information. Congress needs to clearly identify the existing impediments to information sharing and rectify those before they can expect small businesses to become part of the process.

Friday, March 15, 2019

More on CFATS Hearing and Emergency Response


It is becoming increasingly obvious that the Democrats on both the House and Senate Homeland Security Committees are concerned about the role of emergency response in the Chemical Facility Anti-Terrorism Standards (CFATS) program. This means that it is becoming increasingly likely that some sort of emergency response provision will find its way into whatever final bill comes out of the 116th Congress reauthorizing the CFATS program. Thus, the topic bears more discussion.

EPCRA


The CFATS regulations are not the base law in the United States for emergency response information sharing and planning for most chemical facilities. The base law for that requirement is found in the Emergency Planning and Community Right-to-Know Act (EPCRA) codified at 42 USC Chapter 116 with the regulations established at 40 CFR 355. Among other things that Chapter establishes the Local Emergency Planning Committees, provides for the preparation of comprehensive emergency response plans, and details what facilities are covered under the provisions of EPCRA.

Under the EPCRA regulations a facility is subject to the emergency planning requirements of the regulation if it has any chemicals on either of the extremely hazardous substance lists {Appendixes A (alphabetical order) & B (CAS # order) to §355} in excess of the threshold planning quantity (TPQ) listed in those appendixes. The chemicals on those lists that were included in the DHS list of chemicals of interest (COI), a large portion of the toxic-release hazard chemicals on the COI list, were taken with the same TPQ (called screening threshold quantity in the CFATS program).

Most of the chemicals on the EPCRA lists were not included in the CFATS COI list. Only the most toxic chemicals from the list were included as DHS concluded that only the most toxic would form the basis for a credible terrorist attack on a facility holding those chemicals.

Interestingly, two other categories of chemicals that are included in the DHS COI as release hazard chemicals are not addressed in the EPCRA emergency planning regulations or statutes; flammable and explosive chemicals. Congress intended for the EPCRA requirements only to apply to toxic-release hazard chemicals.

Actually, the EPCRA regulations do not require companies or facilities holding extremely hazardous chemicals to do any sort of emergency planning. Those facilities are simply required to report the following types of applicable information to their Local Emergency Planning Committee (LEPC) {§355.21 table}:

• Provide notice that the facility is subject to the emergency planning requirements of EPCRA;
• Designate (and provide notice to the LEPC of) a facility representative who will participate in the local emergency planning process as a facility emergency response coordinator;
• Provide notice of any changes occurring at the facility that may be relevant to emergency planning; and
• Provide any information necessary for developing or implementing the local emergency plan if requested by the LEPC.

All of the responsibility for planning, training, coordinating and exercising the emergency plan falls to the LEPC {42 USC 11003(c)}. Unfortunately, Congress has provided no funding to, or even provided provisions for funding, the LEPCs. With the Federal government providing no funding for these organizations, there is no effective way for the EPA to regulate the operation of LEPCs or their emergency planning function. Congress has essentially left that responsibility to the States.

CFATS


The CFATS regulations (6 CFR part 27) were originally authorized as part of a DHS spending bill over 10 years ago, but have more recently been authorized by 6 USC Part XVI. Nothing in the current authorizing statute specifically mentions ‘emergency response planning’ at CFATS covered facilities. That is addressed, very briefly, in the CFATS regulations at §27.230(a)(9) as part of the risk-based performance standards used to develop and evaluate site security plans. That sub-paragraph states:

“Response. Develop and exercise an emergency plan to respond to security incidents internally and with assistance of local law enforcement and first responders”

The CFATS Risk-Based Performance Standards Guidance manual emphasizes that RBPS #9, Response, is targeted at the response to a security situation and that ‘emergency response’ is only a relatively small part of the response obligation of the facility under the CFATS program. The manual explains the difference this way (pg 84):

“It is important not to confuse a “security response” intended to engage and hopefully neutralize the adversaries with the broader “emergency response” that follows an attack and attempts to reduce the severity of the event and lessen the consequences in terms of loss of life and destruction of property or production capability. The initial “security response” has tactical considerations addressed in RBPS 4 – Deter, Detect, and Delay, whereas the “emergency response” relates to the more traditional efforts to contain the damage and lessen the consequences after a security event. These planning considerations overlap to some degree, and both involve establishing strong, functional, relationships with the various response organizations and personnel that may be needed to support this performance standard. It should be noted that individuals involved in security response activities also often have an integral role in emergency response, and this dual role should be taken into consideration when developing comprehensive crisis management plans.”

In the metrics included at the end of the RBPS 9 that facilities and DHS use to evaluate a CFATS site security plan (SSP), there are only mentions of ‘emergency response’ (Metric 9.1; pg 85):

“Documented agreements and/or written procedures for emergency response, including off-site responder services, such as ambulance support, explosive device disposal support, firefighting support, hazardous material spill/recovery support, and medical support.”

There are other requirements within the RBPS 9 metrics for outreach to ‘local law enforcement and emergency responders’ (including LEPCs), but these are not planning requirements; though the metric does note that facilities can fulfill this measure by participation “in incident response drills and exercises in conjunction with off-site responder organizations” (Metric 9.4; pg 86).

Problems With Current Models


The two regulatory models described above take two different approaches to the emergency response planning problem. The EPA model calls for unfunded agencies, the LEPCs, to conduct the emergency response planning for all facilities in their operations area. The CFATS model places the planning responsibility with the covered facility. Both models contain serious disconnects from reality.

The first problem common to both models is the funding issue. Emergency response planning takes time and expertise to accomplish the frontend work; develop the plan. That requires money to pay for the expert’s time. Even if the expert is volunteering their time there is the cost of the time lost to that expert’s normal job. Next, in order to be an effective plan, the plan must be reviewed, revised, exercised, reviewed and revised on a periodic basis. Again, the time involved in the process is costly and limited. LEPCs in large urban areas may be able to absorb this cost by having a full-time professional planner on staff with a local agency, but that is not going to be an option for most communities.

For large CFATS facilities, it may be possible to have a full-time emergency response planner on staff or finances may be available to pay for an emergency response contractor to undertake the planning necessary. At some point, however, as facilities decrease in size that professional capability is going to be impossible to afford. But even where the facility has the financial resources to fund a planner, the community is still going to have to fund the review and exercise portion of the emergency planning process. Again, smaller communities are going to find this extremely difficult or impossible to afford.

The second problem is the information sharing issue. At first glance, in the EPA model this does not seem to be much of a problem. Facilities are required to provide LEPCs with the required information, either directly by law or by response to requests from the LEPC. Unfortunately, the amount required directly by statute is relatively limited and the LEPC can only request the information that it knows that it needs. There is no incentive for facilities to share additional information such as the presence of other chemicals on site that may complicate the emergency response process.

For CFATS covered facilities this problem is aggravated by the statutory restrictions on the sharing of Chemical-Terrorism Vulnerability Information (CVI). Now the information about CFATS facility holdings of the toxic-release hazard chemicals covered under the EPCRA rules is not generally going to be classified as CVI, at least as that information relates to the type, amount and location of the Highly Hazardous Chemicals listed in the EPCRA regulations. As noted earlier, however, flammable and explosive release hazard chemicals covered under CFATS are not addressed in EPCRA and the sharing of information about those chemicals (which also need emergency response planning under CFATS) is limited to only those individuals that have been trained in handling of CVI materials and have the appropriate means to protect that information. Again, there is a time cost associated with receiving the CVI training (the training is free) and the cost of the physical security and cybersecurity for protecting that information is not negligible.

And the final problem with the current models is that both EPA and DHS have made it difficult to share information with the potentially affected neighbors about the emergency response planning. Both agencies have done this with the intent to deny information to potential attackers. The EPA restricts access to the facility data to people who physically access an EPA reading room (limited locations), and DHS prohibits sharing of CVI information with the public. While done with the best of motives, both agencies have ensured that in most cases the public does not have access to the necessary information to promptly respond to an emergency response situation.

Fixing the Problem


Because of the size of the universe of EPCRA covered facilities, I do not foresee Congress attempting to provide enough funding to allow LEPCs to fix the emergency response planning problems identified above. If they are fixed it will be on a case by case basis where either the local community or large chemical facility is able to provide the necessary funding.

Because the CFATS covered facility universe is much smaller (3,330 as of March 1st) some of these issues may be more tractable. I have addressed in some detail how I would modify the current authorization in a blog post from last year. The money issue still remains; my suggestion to allow (gently require) FEMA to use grant funds for emergency response planning for CFATS covered facilities only partially addresses the issue due to the limited nature of those funds, and I did not propose increasing them because that would increase the problems with getting the reauthorization bill passed. Realistically, FEMA needs a specific emergency response planning grant authority and is probably going to have to be required (and funded) to provide professionals to help LEPCs conduct both the planning and exercises of those plans. That will almost certainly have to be addressed in separate legislation.

Finally, none of my suggestions in the earlier post address the issue of information sharing with the local, potentially directly affected population. It is easy to say that information must be shared but legislating that in an effective manner is going to be difficult. Defining who the potentially affected population is will be hard enough. Crafting language describing an effective outreach program that will overcome what is unfortunately in many cases a mistrust of the chemical industry based upon decades of poor, incomplete and often misleading information is going to be difficult.

The best I can suggest at this point is adding an additional sub-paragraph to the end of §636(b) proposed in that earlier blog post:

(6) Conduct an annual outreach class for the immediate neighbors potentially affected by a full release of any toxic-release COI on the facility describing:

(A) What such a release might look and/or sound like;
(B) What measures the facility has in place to warn neighbors of such a release;
(C) What immediate actions neighbors should take to best protect themselves in the event of such a warning;
(D) How neighbors will be made aware of an all-clear status after an incident;
(E) What medical treatment should be sought after such a release.
(F) A point of contact for reporting suspicious activities in the neighborhood that may be directed at the facility.

Thursday, February 28, 2019

PHMSA Publishes Train OSPR Final Rule


Today the DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) published a final rule in the Federal Register (84 FR 6910-6952) on “Oil Spill Response Plans and Information Sharing for High-Hazard Flammable Trains”. The notice of proposed rulemaking (NPRM) was published in July 2016. The rulemaking modifies existing requirements for comprehensive oil spill response plans (COSRPs), establishing petroleum oil thresholds that apply to an entire train consist. The rule also requires railroads to share information about high-hazard flammable train (HHFT) operations with State and tribal emergency response commissions to improve community preparedness. It also incorporates a new voluntary standard for testing initial boiling point of crude oil; ASTM D7900.

The preamble to the rule makes it clear that the final rule implements the provisions of the NPRM “with minor changes for plain language or clarification in consideration of the comments received to the NPRM”. The preamble provides tables with the summary of the differences between the NPRM and the final rule:


No changes were made to the portion of the rule incorporating the new initial boiling point test method.

The effective date for this rule is April 1st, 2019.

Commentary


As I have stated before, while I think that the change in threshold requirements for COSRPs is appropriate, it continues to fail to address the planning requirements for addressing the fire and explosion response planning necessary for Highly Hazardous Flammable Trains (HHFT). Unfortunately, neither PHMSA nor the Federal Railroad Administration have been provided authority to require such emergency response planning. This is going to require congressional action.

Friday, August 10, 2018

CFATS Reauthorization – Emergency Response


This is part of a continuing series of blog posts on my proposed changes to the CFATS authorization. The current authorization for the program ends on December 18th, 2018. These posts address some of the language that I would like to see in any re-authorization bill. Earlier posts in the series include:


In light of the recent GAO report on the Chemical Facility Anti-Terrorism Standards (CFATS) program and its findings on problems with information sharing between DHS and local first responders, I would like to suggest the following language on information sharing:

Section 636 – Information Sharing

(a) IP Gateway - The Secretary will establish an on-line portal for sharing information about covered facilities with the local first responder community and local emergency response planners.

(A) The portal will provide information in two tiers of accessibility:

(I) The Tier One will allow open access to information that will include the following information about all covered facilities:

(i)  Name;
(ii) Location;
(iii) Geospatial information; and
(iv) Inventory and location information for all COI reported on the current Top Screen that are subject to the reporting requirements of §§ 311 and 312 of the Emergency Planning and Community Right-to-Know Act (EPCRA) regardless of the threshold quantities of that Act.

(II) The Tier Two will include additional information that is protected by the Chemical-Terrorism Vulnerability Information (CVI) program described in 6 CFR 27.400, including:

(i) Complete list of COIs, to include amounts and locations;
(ii) Facility tiering information; and
(iii) Facility security information.

(B) The Secretary will establish procedures to register and authorize access to the portal for all members of a recognized Local Emergency Planning Committee (LEPC) established under EPCRA, and at least one designated representative from each local law enforcement agency (LLEA), fire department and hospital operating within 10 miles of each covered facility. Access will be provided on the following basis:

(I) Registered LEPC members will be provided access to both tiers of information described in (A) for all facilities in their county or within 10 miles of their county;
(II) Registered LLEA representatives will be provided access to both tiers of information described in (A) for all facilities in their jurisdiction or within 10 miles of their jurisdiction;
(III) Registered fire department representatives will be provided access to all Tier One information and Tier Two information specifically related to COI for all facilities in their jurisdiction or within 10 miles of their jurisdiction; and
(IV) Registered hospital representatives will be provided access to all Tier One information and Tier Two information specifically related to the types of COI (excluding amounts and locations) for all facilities in their jurisdiction or within 10 miles of their jurisdiction.

(C) The LEPC members and designated representatives from LLEA, fire departments, and hospitals listed above will be considered to be a covered person under §27.400 and deemed to have a need-to-know under the CVI rules for information about covered facilities.

(D) The Secretary will contact each LEPC, LLEA, fire department and hospital within 10 miles of each covered facility explaining the existence of the portal described in (a), the procedures for registering for the portal, and the requirements for protecting CVI provided in the portal.

(b) Facility information sharing requirements. Each CFATS covered facility is required to:

(1) Contact in writing their local LEPC, LLEA, fire department and nearby hospital and inform them about the existence of the portal described in (a).

(2) Designate a security representative to the local LEPC in addition to any other facility representation to the LEPC. If a local LEPC does not exist, that fact will be reported in writing to the Director, Infrastructure Security Compliance Division.

(3) Invite a representative of the local LEPC, LLEA, local fire station and nearby hospital to participate in or observe each security exercise conducted by the facility.

(4) Conduct an annual training class for representatives from each local LEPC, LLEA, fire station and nearby hospital about the chemical hazards associated with each release security issue COI reported on the most recent facility Top Screen.

(5) Conduct an annual training class for representatives from each local LEPC and LLEA with the potential chemical weapon or improvised explosive device hazard associated with each theft/diversion security issue COI reported on the most recent facility Top Screen.

(c) Joint Exercises

(1) The Secretary will encourage each LEPC, LLEA, fire department and nearby hospital to participate in annual security exercises conducted by each CFATS covered facility. This encouragement may include providing access to FEMA grants for such exercises.

(2) 15 USC 2229(c) is amended by adding:

“(4) FEMA is directed to give priority consideration to grants providing for planning, training, and the conduct of exercises involving facilities covered under 6 USC Part 27.”

(3) 6 USC 609 is amended by inserting a new:

“(14) Planning for emergency response to attacks on chemical facilities covered under 6 USC Part 27, to include the conduct of exercises under the resulting plans; and”

Thursday, August 9, 2018

GAO Publishes CFATS Report – 08-08-18


Yesterday the Government Accountability Office (GAO) published their latest report on the Chemical Facility Anti-Terrorism Standards (CFATS) program. This report was requested by Congress as part of the efforts leading up to the re-authorization of the CFATS program. Generally, the GAO was satisfied with the progress that the DHS Infrastructure Security Compliance Division (ISCD) has made with improvements to the CFATS program and issued two Recommendations. GAO provides both a copy of the report and one-page summary on their web site.

Measuring Program Performance


While the GAO report is generally positive in its reporting on improvements made to the CFATS program (and specifically to responses to previous GAO recommendations) they do note one on-going problem that ISCD has only partially addressed. That reflects on the ability of ISCD and DHS to measure the success of the CFATS program in reducing the risk of terrorist attack on high-risk chemical facilities.

Specifically, they recommend that ISCD “should incorporate vulnerability into the CFATS site security scoring methodology to help measure the reduction in the vulnerability of high-risk facilities to a terrorist attack, and use that data in assessing the CFATS program's performance in lowering risk and enhancing national security.” (pg 33)

DHS has concurred with this recommendation (pg 39) and notes on-going activities to improve the calculation of the change in ‘security score’ that the Department uses to measure and report the program performance in ‘lowering risk and improving national security’. To more fully comply with the recommendation DHS reports that (pgs 39-40):

“To develop a system that could numerically evaluate vulnerabilities likely would require revising the regulatory language describing CFATS vulnerability assessments, modifying CFATS processes, and updating tools used to gather vulnerability assessments. This would be a significant burden on both industry and government and NPPD does not believe this would result in a better measure for evaluating the security enhancing effectiveness of the CFATS program, compared to the new performance measure the Department intends to implement.”

Information Sharing


While the GAO report recognizes that ISCD has taken positive steps to share information about CFATS covered facilities with first responders and emergency planners through the establishment of their IP Gateway, their investigation showed that the information available is not effectively reaching the targeted audience (see the lengthy discussion on pages 29-32).

The GAO recommends that DHS “should take actions to encourage access to and wider use of the IP Gateway and explore other opportunities to improve information-sharing with first responders and emergency planners.” (pg 33-4).

The DHS response to this recommendation includes a discussion (pgs 40-1) of efforts that it has taken to date (mostly identified in the GAO report) including a program requirement (Risk Based Performance Standard 9) that requires facilities to “have regular and recurring contact with their local first responders” (pg 41). DHS then goes on to explain that this last “is the most effective way to get information to first responders as it involves direct communication between the high-risk chemical facilities and their local responders”. DHS then notes that they “cannot require first responders to access the IP Gateway or respond to facility requests for visits”. They do report that they “will ensure contact is made with LEPCs representing the top 25 percent of the CFATS high-risk chemical facilities no later than the end of the second quarter FY 2019” (pg 41).

Commentary


The first issue is a program measurement issue that needs to be resolved between DHS and Congress. Congress rightly wants to know that the programs that it authorizes and funds are having a beneficial effect. How to measure that performance in a meaningful way in this particular instance, is going to be difficult to establish. DHS has an important point in that the measures of program performance should not unduly increase the burden on the regulated community.

The second issue is much more problematic and important to the ultimate success of the CFATS program. All CFATS covered facilities have to rely to some extent on the resources of the local community to respond to a successful attack on the facility. Even facilities with dedicated on-site emergency response personnel are going to have to rely on off-site responders to deal with effects of an attack on the local community. Sharing information with local response agencies (including police, ambulance and hospitals serving the area around CFATS facilities) is an important pre-requisite to having an effective response to a successful terrorist attack.

I was disappointed in this portion of the GAO report in that the investigators did not apparently dig deeper into why “officials representing 13 of the 15 LEPCs stated that they do not have access to CFATS information within the IP Gateway” (pg 31). While seven of those officials reportedly were not aware of the IP Gateway, it is disconcerting that GAO did not attempt to ascertain why the other 8 could not access the available information.

I suspect that the reason has to do with the provisions that require that before an individual can access the most detailed (and important) information they have to be cleared for access to Chemical-Terrorism Vulnerability Information (CVI). This clearance requires completing an on-line training program, establishing a need-to-know (should be a priori established for LEPC members), and maintaining the information security requirements (a post access requirement) of the CVI program {which have yet to be upgraded to comply with Federal controlled unclassified information (CUI) standards}. Gaining the CVI access is not terribly difficult, but it does require some investigation and action by the LEPC officials desiring access to the information.

Much of the information currently protected by the CVI designation in the IP Gateway probably should not be protected as it should be available to LEPCs under the EPA reporting requirements of the Emergency Planning and Community Right-to-Know Act of 1986 (EPCRA). Interestingly, the GAO report notes that 200 of the 300+ chemicals covered under the CFATS program {DHS chemicals of interest (COI)} are not covered under the reporting requirements of EPCRA. Not mentioned in the report is the fact that (presumably most of) these 200 chemicals are covered under the CFATS program because of their potential use in manufacturing improvised chemical munitions or improvised chemical weapons, not because they are an air-pollution release-risk covered under the EPCRA requirements.

Adequately addressing this information sharing problem is not one that ISCD is going to be able to resolve on its own. It will require congressional action as part of the CFATS reauthorization process. I will address this issue more completely in a future blog post.

Sunday, July 22, 2018

FERC to Expand Cybersecurity Reporting Requirements


Earlier this week the DOE’s Federal Energy Regulatory Commission published an order (final rule) on their web site (it will become official when published, probably next week, in the Federal Register) directing the North American Electric Reliability Corporation (NERC) “to develop and submit modifications to the NERC Reliability Standards to augment the mandatory reporting of Cyber Security Incidents, including incidents that might facilitate subsequent efforts to harm the reliable operation of the bulk electric system (BES).” The notice of proposed rulemaking for this order was published in December of last year.

I am not going to go into a great deal of detail about this rule here; the complex relationships between FERC, NERC and the electric grid are just a little too byzantine for my simple mind to understand. The interesting take away here for the rest of the control system security community is that the new rules to be written by NERC will expand ‘Cyber Security Incidents’ (capitalized and not hyphenated in FERC SPEAK) to include some sort of measure of near misses and they will include a requirement to notify ICS-CERT of those incidents in addition to the current requirement to notify the Electricity Information Sharing and Analysis Center (E-ISAC).

Expanded Definition


Currently the NERC Reliability Standard CIP-008-05 requires the reporting of Cyber Security Incidents only if they have “compromised or disrupted one or more reliability tasks.” While such incidents are certainly worth reporting, they leave a whole slew of potential preparatory ‘attacks’ and compromises outside of the mandatory reporting structure and completely ignore the salutary effects of sharing information about ‘near misses’ or almost successful attacks.

With this order NERC will be required to recraft CIP-008 to include “Cyber Security Incidents that compromise, or attempt to compromise, a responsible entity’s [Electronic Security Perimeter] ESP or associated [Electronic Access Control or Monitoring Systems] EACMS” in the reporting requirements.

ICS-CERT


In the NPRM it was noted that the DOE noted only two Cybersecurity Incident Reports in 2015/2016 while in the same time frame the DHS ICS-CERT responded to 125 cybersecurity incidents in 2014/2015. Ignoring the whole apples and rocks comparisons here, it becomes apparent that some sort of reporting is already underway to ICS-CERT. The FERC order would formalize that and make it a reporting requirement.

Commentary


The expansion of the reporting requirements for Cyber Security Incidents (and I AM NOT going to do another ‘CSI’ acronym; can’t do it, sorry) cannot help but be a good thing; except….

Okay, we have no idea how many new reports this requirement will generate. IF the industry complies with the intent of the rule (an open question) the number of reports could be quite large. Does NERC (who owns E-ISAC) have the number of analysts necessary to review, catalogue, cross-reference, and then deduce attack information from such submissions and then produce properly anonymized information to share with the remainder of the community in a timely manner? Because of the lack of a reasonable estimate of the potential number of reports, and the apparently expanding interest in probing/compromising the grid, I suspect not.

Then there is the whole issue of the quality of information that will be submitted to E-ISAC. Obviously, the more complete the information, particularly on attempted attacks, the easier it will be for E-ISAC to establish actionable information to share with the other E-ISAC members; poor quality or inaccurate information means the information ultimately shared is less useful and potentially even counter-productive.

That leads to the question of who will train facility control system engineers to recognize, isolate and document cyber-attacks. Oh, sorry, control system engineers will not be doing that, it will be the Security Operations Center with its staff of forensically trained experts. I forgot that those existed at each facility in the Bulk Electric System (SIGH).

Actually, I suspect that this is the reason that the Order includes a requirement to report to ICS-CERT. I do not expect (that is my guess, I certainly do not know) that E-ISAC has fly-away teams of control system experts to investigate these incidents. That is not a complaint, it is just not what one should probably expect from any ISAC.

The problem that arises from this is whether anyone has looked at the capability of ICS-CERT to expand the operations of its fly-away teams to respond to an increasing number of incidents. Who is going to pay for the additional costs of the investigations of the new reports? FERC has no control of ICS-CERT either directly or through the DOE, so is there a memorandum of understanding between the two organizations about how ICS-CERT is supposed to respond to these newly required reports?

All sorts of interesting questions being raised by this relatively simple final rule, but I will ask but one more (really); how are the Critical Electrical Infrastructure Information (CEII) regulations going to affect the information submitted by owners to ICS-CERT? Owners can request that sensitive security information submitted to FERC or NERC be protected by CEII disclosure rules, but not information directly submitted to ICS-CERT. Information submitted to ICS-CERT by NERC or FERC could be so protected, but there are no provisions for information submitted directly from the private sector to ICS-CERT. Another important quandary to be considered stumbling down the road to information sharing.

Classified ICS Security Information – An Example


Earlier this week I wrote a post on the sharing of classified industrial control system (ICS) information. As one of the ways to avoid the many complications of sharing classified information I mentioned preparing unclassified derivative works. This week the DHS US-CERT announced a series of web awareness briefings on one such derivative work; US-CERT Alert TA 18-074A, Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors.

The alert was issued in March of this year and includes a wealth of technical data including indicators of compromise that could be used to search systems to see if similar attempts had been made to compromise those systems. But, being a technically oriented document, it does little to convince non-cybersecurity personnel about the existence and scope of the potential threat and who should be concerned about it. Hopefully, that is what these four web briefings (actually 1 briefing x 4) will address. The briefings will take place on:

• July 23rd, 2018, at 1:00 to 2:30 pm EDT;
• July 25th, 2018, at 1:00 to 2:30 pm EDT;
• July 30th, 2018, at 1:00 to 2:30 pm EDT; and
• August 1st, 2018, at 1:00 to 2:30 pm EDT.

The webinar will be available via the Homeland Security Information Network (HSIN). An HSIN login is not required, but the Adobe Connect® application is being used so you need to allow time to download and install that before accessing one of the briefings. A dial-in audio link (1-888-221-6227) is also provided. Hopefully, this briefing will remain available after these dates for those of us who already have obligations at these dates and times.

Thursday, July 19, 2018

Classified ICS Security Information


There is an interesting discussion that has been taking place for a couple of days now over on LinkedIn. It was initiated by Isiah Jones from LEO Cyber Security. A lot of the response has been targeted at Isiah’s confrontational language, but the really important take away is that Isiah thinks/knows(?) that there is classified information available about threats to industrial control systems in critical infrastructure in the United States. Now Isiah is being necessarily vague about the information, but the discussion is important none the less.

Now I have not had access to classified information of any sort since I left the military a goodly number of years ago. My TS clearance is certainly not in force after this time and I have not had the necessary ‘need to know’ for access in any case. Having said that, I am absolutely certain that such classified information exists and that it is unlikely to get into the hands of many of the people who could actively use that information to protect their facilities against serious nation-state level threats.

All is not lost, however. More about that later in the post.

The Need for Secrecy


Contrary to the beliefs of my friends in the black helicopter set, there are many legitimate reasons for the intelligence community (IC) to keep threat information classified. In most cases, the need to protect future access to critical information is more important than the need to share the current information; this is best exemplified by the Coventry-Ultra controversy from WWII. In other cases, the ‘knowledge’ is either so incomplete as to be useless (the Russians want to be able to attack the power grid) or the level of confidence in the information is so low that the intelligence community does not want to be accused of crying wolf.

Information Sharing Problems


Even when the IC is willing to share information, it is not easy to get the information to the correct people. First off, the information is going to be classified so the person receiving the information needs to be properly vetted to receive classified information. Anyone familiar with this process knows that it is tedious and time consuming.

If IC waits until they know who will need a specific piece of information before the vetting process begins, the information will probably be worthless once the process is complete; the whole closing the barn door after the animals have gotten out thing. If you vet everyone that might need access to some specific piece of classified information at some unknown future time you end up clogging the vetting system even further with probably unnecessary vetting requests.

Even if the appropriate people have the necessary security clearances, getting them the appropriate information in a secure manner is also a problem. Even if secure messaging apps are used to protect the information in transit, the receiving device has to have minimum levels of security to prevent the information from getting into the wrong hands. Those security measures are expensive; too expensive to set up and maintain on the off chance of needing to receive classified information at some unknown point in the future.

This whole thing is further complicated by the fact that within the receiving organization, the information still needs to be protected during the internal sharing process. Everyone that needs access to the information to put proper protections in place needs to be vetted, their communications need to be protected, and many of their working files will be derivatively classified and need similar protections. This stuff gets very complicated; just ask anyone that has done operation planning in the military.

An alternative that many people have advocated (and I am certainly one) is for the IC to produce unclassified versions of their intelligence information to make the sharing process easier. I did this at the tactical intelligence level in one of my military jobs. It is time consuming to try to extract useable information from an intelligence report and then get that unclassified version vetted to ensure that means and methods are not inadvertently disclosed. Usually, the resulting product is useful for background purposes only, providing little or no information that provides for direct reaction by the recipient.

So, What to Do?


So, all is not lost. The IC can tell (and has told) us that adversaries are targeting control systems in critical infrastructure and have sophisticated techniques for doing so. The specific attack vectors are not necessarily important (as other attack vectors will certainly be used in future attacks). What is important to know is that nation-state level actors are involved and thus will ultimately get through defenses that they are really interested in attacking; THERE IS NO SUCH THING AS A SECURE SYSTEM.

First off, facilities need to determine what they really need to protect to survive and thrive. Information that would significantly hurt the company if it found its way into the hands of competitors or other adversaries needs to be encrypted at rest and in transit. Portions of control systems that are necessary for safety and quality control need to be isolated to the greatest extent possible. Where complete isolation is not possible for whatever reason, communications between the critical portions and other networks need to be closely monitored for anomalies. Where safety effects could be felt outside the facility, additional controls need to be implemented that are physically separated from the control network and analog safety measures should be established whenever possible.

Finally, a reaction plan needs to be firmly in place for all worst-case scenarios. The plan needs to assign specific responsibilities and identify any outside resources that need to be contacted, how that contact is to be made (with at least one alternative communications method identified), and who will make the contact. And, most importantly, those outside resources need to know in advance their roles in responding to an emergency event at the facility. That reaction plan needs to be trained and tested on a recurring basis.

Folks, none of this is new. We have been doing fire drills since we were little kids. We take precautions to prevent fires but recognize that fires can happen nonetheless. We install sprinkler systems and place fire extinguishers at key locations. At facilities where we have an unusually high threat for fires because of combustible materials we take additional precautions and put additional reactive measures in place. We need to extend that same mindset to control system security.

 