Saturday, September 23, 2017

PHMSA Publishes Hurricane Recovery Waivers

The DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) published three Hazardous Materials Regulations (HMR) waivers in Monday’s Federal Register (82 FR 44696-44697, 82 FR 44699-44700, and 82 FR 44697-44698; available on-line today). These waivers are in support of the Environmental Protection Agency’s clean-up efforts for Hurricane Harvey and Hurricane Irma.

The Waivers

Each waiver identifies the areas affected based upon President Trump’s emergency declarations for Texas and Louisiana (Waiver #1); Florida, Puerto Rico, South Carolina and the Virgin Islands (Waiver #2); and Georgia (Waiver #3). The waiver only applies to the specific areas identified in those declarations and their subsequent amendments.

Each waiver provides that: “non-radioactive hazardous materials may be transported to staging areas within 50 miles of the point of origin. Further transportation of the hazardous materials from staging areas must be in full compliance with the HMR.” Each waiver remains effective for 30 days from September 1st (Waiver #1), September 8th (Waiver #2), or September 10th, 2017 (Waiver #3).


I do not recall seeing these types of waivers after previous hurricanes. They certainly seem like a good idea. They provide the EPA with some amount of flexibility in how they structure their recovery efforts to isolate and remediate unsafe hazardous materials that are found during their cleanup efforts.

Unfortunately, I can find nothing on the EPA’s web sites about the establishment of the collection points mentioned in these waivers. Neither the latest news release for Maria and Irma recovery, nor the hurricane specific web sites for Maria and Irma (NOTE: There is apparently no similar site for Harvey) contain any mention of the PHMSA waivers or collection points. This is particularly unhelpful as the PHMSA waivers quickly approach their expiration.

It seems that the Federal government still has some lessons to learn in handling the coordination of their response activities (and the publication of those activities) within the government.

Friday, September 22, 2017

ICS-CERT Publishes 5 Advisories

Yesterday the DHS ICS-CERT published five control system security advisories for products from Schneider, Ctek, Digium, iniNet Solutions, and Saia Burgess Controls. The advisory for the products from Saia Burgess Controls was originally posted to the NCCIC Portal on August 22, 2017.

Saia Burgess Controls Advisory

This advisory describes an information exposure vulnerability in the Saia Burgess Controls PCD Controllers. The vulnerability was reported by Davide Fauri of Eindhoven University of Technology. The latest version of the firmware mitigates the vulnerability. There is no indication that Fauri has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to obtain information in memory.

The SBC upgrade notes also report that the current version makes the following security changes:

• Protective functions are activated by default;
• Improved password protection associated with the role-based user management;
• Access filter using "white" and "black" lists;
• Removed hardcoded password [NOT mentioned in ICS-CERT advisory].

Similar changes were also apparently made to the SBC PG5 Controls Suite.

iniNet Solutions Advisory

This advisory describes an improper authentication vulnerability in the iniNet Solutions SCADA Webserver. The vulnerability was reported by Matthias Niedermaier and Florian Fischer, both of Augsburg University of Applied Sciences. iniNet has released a new version that allows users to implement basic authentication. There is no indication that the researchers were afforded an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to access human-machine interface (HMI) pages or to modify programmable logic controller (PLC) variables without authentication.

Digium Advisory

This advisory describes an OS command injection vulnerability in the Digium Asterisk GUI. The vulnerability was reported by Davy Douhine of RandoriSec. Asterisk GUI is no longer maintained and should not be used. Digium recommends that affected users migrate to Digium’s SwitchVox product.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to execute arbitrary code on the device.

Interesting Questions: Would owners of a control system that uses an HMI configured with Digium’s Asterisk GUI even know that it had been used, particularly if the system had been designed by a contractor or vendor? Would it take a complete system redesign to change out the GUI for an HMI?

Ctek Advisory

This advisory describes an improper authentication vulnerability in the Ctek SkyRouter. The vulnerability was reported by Maxim Rupp. The latest firmware version mitigates this and “additional security requirements”. NOTE: “Ctek, Inc., reports that due to industry demand, wireless carriers are rapidly eliminating 2G and 3G CDMA service and they will not be creating any additional update releases for those products.” There is no indication that Rupp was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to view and edit settings without authenticating.

Schneider Advisory

This advisory describes a missing authentication for critical function vulnerability in the Schneider InduSoft Web Studio products. The vulnerability was reported by Aaron Portnoy, formerly of Exodus Intelligence. Schneider has created a patch to mitigate the vulnerability. There is no indication that Portnoy was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to remotely execute arbitrary commands with high privileges.

NOTE: The Schneider security bulletin was published last Friday. Maybe Dale Peterson was right, it looks like ICS-CERT is doing ‘ICS-vuln Thursday’.

Thursday, September 21, 2017

S 1800 Introduced – DOD Electric Grid Security

Last week Sen. Warren (D,MA) introduced S 1800, the Securing the Electric Grid to Protect Military Readiness Act of 2017. The bill is nearly identical to SA 867, Warren’s proposed amendment to HR 2810 on the same topic. It addresses efforts to protect the electrical distribution systems on military installations.

Moving Forward

Warren is a member of the Senate Armed Services Committee to which this bill was referred for consideration. This means that she may have enough influence to have the Committee consider the bill.

I do not see anything in this bill that would engender any significant opposition. If the bill were to be considered it would be likely to pass with at least some bipartisan support.


There is nothing in this bill that directly addresses cybersecurity concerns for the industrial control system associated with military power distribution systems. A lot of the language seems to be IT-centric (for example: “to deny access to or degrade, disrupt, or destroy an information and communications technology system or network” {§2(c)(4)(A)} in the definition of ‘significant malicious cyber-enabled activities’).

I doubt that DOD would fail to address ICS security issues in the required studies and reports, but it would certainly be helpful if the bill specifically addressed requirements for ICS security considerations. I suspect that the failure to do so reflects a continued failure on the part of Congress to recognize the different issues involved with ICS security.

Wednesday, September 20, 2017

Senate Passes HR 2810 – FY 2018 NDAA

On Monday the Senate passed HR 2810, the FY 2018 National Defense Authorization Act (NDAA) by a strongly bipartisan vote of 89 to 8; even the opposition was bipartisan with three Republicans, four Democrats and one Independent voting Nay.

Of all of the amendments that I discussed in my series of blog posts over the last two weeks, only three were adopted:

• Reed (for Kaine) Amendment No. 1089, to establish opportunities for scholarships related to cybersecurity.
• McCain (for Portman) Amendment No. 712, to require a plan to meet the demand for cyberspace career fields in the reserve components of the Armed Forces.
• McCain (for Portman) Amendment No. 1055, to require a report on cyber applications of blockchain technology.

They were all considered as part of an en bloc amendment [pgs S5787-8] offered by Sen. McCain (R,AZ) at the end of the final debate on HR 2810. The en bloc amendment was adopted by unanimous consent [pg S5796].

Since there are significant differences between the versions of this bill passed in the House and Senate, it is very likely that there will be a conference committee appointed. There is, however, a very slight chance that the House will agree to the Senate amendment to the bill when it returns from their week working in their districts.

Tuesday, September 19, 2017


Today the DHS ICS-CERT published a control system security advisory for products from PHOENIX CONTACT. They also provided a link to a British publication: “Code of Practice CyberSecurity for Ships”.


This advisory describes ten improper access control vulnerabilities in the PHOENIX CONTACT mGuard Device Manager. The vulnerabilities are related to the Oracle Java SE implementation in the product. These vulnerabilities were self-reported by PHOENIX CONTACT. They have a new version that mitigates the vulnerabilities.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to allow unauthorized remote access, modification of data, and may allow remote and local users to gain elevated privileges.

Once again, we see a vulnerability caused by third party software and there is an open question about what other software systems have the same vulnerabilities. Interesting though that these 10 Oracle vulnerabilities are all dated in 2017. Makes it even more likely that other vendors using the same Oracle software will not have discovered/mitigated the vulnerabilities in their products.

Cyber Security for Ships

The code of practice document was produced for the British Government by the Institution of Engineering and Technology. It provides a high-level overview of the topic including an interesting overview of the threat environment for the shipping industry. Appendix D provides a non-technical description of how mitigation measures can be developed and Appendix H provides a lengthy bibliography of cybersecurity standards for both IT and operational systems.

HR 3712 Introduced – Reserve Cybersecurity Units

Earlier this month Rep. Kilmer (D,WA) introduced HR 3712, the Major General Tim Lowenberg National Guard Cyber Defenders Act. The bill would provide specific authorization for military reserve component cyber civil support teams. NOTE: For more on Gen. Lowenberg see here and here.

Emergency Preparedness Programs

Section 2 of the bill amends 10 USC 12310(c) which provides for military reservists to be used in an active duty role in support of emergency preparedness programs. It would add a new subparagraph (1)(E) to add “An attack or natural disaster impacting a computer, electronic, or cyber network” to the list of covered emergencies for which the emergency preparedness programs would be appropriate.

The bill then goes on to add a new subparagraph (3)(B) that would specifically allow an individual reservist or “a reserve component cyber civil support team” to provide emergency preparedness support for the newly added cyber-attacks or disasters.

Cyber Civil Support Team Authorization

Section 3 of the bill requires that each state will have (within 5 years) “an operational reserve component cyber civil support team composed of reserve component members of the Armed Forces” {§3(a)}. To be considered operational each Cyber Civil Support Team would be required to be able to {§3(c)}:

• Perform duties relating to analysis and protection in support of responding to emergencies involving an attack or natural disaster impacting a computer, electronic, or cyber network;
• Advise and coordinate on any incident deemed critical for the protection of life, property, and maintenance of good order for the Governor;
• Cooperate with and assist private sector owners and operators of critical infrastructure and key resources;
• Collaborate and participate in information sharing with Federal, State, and local Fusion Centers, emergency management authorities, and emergency management divisions; and
• Coordinate with elements of the Department of Homeland Security.

Section 4 of the bill ensures that these Cyber Civil Support Teams are specifically covered by the provisions of the Freedom of Information Act under 5 USC 552.

Section 5 of the bill provides for a spending authorization of $50 million for support of the requirements of this bill.

Moving Forward

Neither Kilmer nor his two cosponsors {Rep. Palazzo (R,MS) and Rep. Heck (D,WA)} are members of the House Armed Services Committee to which this bill was assigned for consideration. This means that the bill is very unlikely to be considered in that Committee; pretty much ensuring that the bill will not get to the floor of the House for a vote.

There is nothing in this bill which would engender any serious opposition to its passage. The one major drawback to the bill is the spending authorization, but that is one area where Kilmer and Palazzo have some influence, since they are both on the House Appropriations Committee. If the bill were to be considered it is quite likely that it would receive substantial bipartisan support.


While there is a great deal of talk in Congress about protecting critical infrastructure from cyber-attacks, there does not seem to be too much that the military can do to protect the vast majority of critical infrastructure cyber-systems that are owned by the private sector. In fact, there is a very real argument that the private sector is responsible for that and should pay for that protection via activities either in-house or through a wide variety of organizations in the ever-expanding cybersecurity market place.

However, where cyber breaches have a physical impact on the community beyond the boundaries of critical infrastructure, there is certainly a need for the kind of support outlined in this bill. What concerns me about the approach taken in the bill is the focus on post-incident response instead of emergency preparedness planning.

Planning for the potential consequences of broadly effective cybersecurity incidents is a pre-requisite for effective responses to such wide scale incidents. In fact, the §12310(c) program was founded on the idea that providing one or two professional planners (military folks are, after all, as much planners as they are fighters) to local government emergency-response planning agencies was a cost-effective way of helping to mitigate the consequences of terrorist attacks and natural disasters.

All but the largest local government agencies are ill prepared to plan for or respond to cyber-attacks on critical infrastructure. Most have problems enough providing for their own cybersecurity prevention efforts, much less have time or resources to plan for attacks on privately owned critical infrastructure affecting their area. Cyber Civil Support Teams under State control could provide another (though still limited) resource for local governments involved in the planning process.

Friday, September 15, 2017

Senate Amendments to HR 2810 (FY 2018 NDAA) – 9-14-17

On Thursday, after voting to close debate on the McCain substitute language amendment (SA 1003), the Senate agreed to a final vote on HR 2810, the FY 2018 National Defense Authorization Act (NDAA), at 5:30 pm EDT on Monday, September 18th, 2017. Meanwhile, more amendments continue to be proposed. In addition to the previously proposed amendments (see here, here, here, here and here) a large number of possible amendments to HR 2810 were proposed in the Senate on Thursday; only one of which may be of specific interest to readers of this blog:

SA 1089. Mr. KAINE - SEC. 1661. Cyber Scholarship Opportunities Act of 2017 (pgs S5768-9);

Cyber Scholarships

Amendment SA 1089 is pretty nearly the same as SA 849 that Sen. Kaine (D,VA) proposed on September 7th, 2017. The only difference is that the latest version removes the section on ‘Findings’ that explains why Kaine thinks that cyber scholarships are necessary.

This amendment would require that the current Federal Cyber Scholarship-for-Service program (15 USC 7442) be expanded to include a pilot program of scholarships at at least five community colleges for students who are pursuing associate degrees or specialized program certifications in the field of cybersecurity and either “have bachelor’s degrees; or are veterans of the armed forces” {§1662(a)(2)}. No additional funding is provided for the new scholarship requirements.


Just a reminder, as of this writing, none of the amendments that I have addressed in this series of blog posts (with the obvious exception of SA 1003) have even been considered on the floor of the House, much less adopted. There is a remote chance that some may be considered on Monday, but I do not really expect it.

This large number of amendments proposed for a ‘must pass’ bill like the NDAA is not unusual. With the political horse trading involved in getting enough votes to pass a bill like this, there is always the possibility that some pet bit of legislative language can be inserted via the Senate amendment process. It takes relatively little effort by a Senator’s staff to craft most of these amendments (frequently just cut and paste from a previously submitted bill), so it is kind of like buying a $1 lottery ticket when the pot is really high. A piece of legislation that might never see the light of day in the normal legislative process can become law because it was attached to an important bill.

A less well-known fact is that one of these little suspected gems may have already been added to the substitute language that was offered on this bill. I certainly did not do a full detailed analysis of every portion of the bill. Getting a new section added or a current section slightly revised can be the price of support for a bill like this. Depending on how much McCain trusts his committee staff and how significant the change was, he may not even know the details about those types of changes to the substitute language before it was proposed.

This is one of the reasons that I do not try to cover each of the potentially interesting amendments with the same level of detail as I use to cover interesting legislation. There is a very small chance of the amendments being considered or passed. The effort that I do make reflects on bits of legislative language that I find illustrative of either poorly or well written legislative language, unique ideas, or really slick pieces of legislative legerdemain.

Bills Introduced – 09-14-17

With both the House and Senate preparing to leave for their weekend recess, there were 64 bills introduced yesterday. Of those, two may be of specific interest to readers of this blog:

HR 3776 To support United States international cyber diplomacy, and for other purposes. Rep. Royce, Edward R. [R-CA-39]

S 1821 A bill to establish the National Commission on the Cybersecurity of United States Election Systems, and for other purposes. Sen. Gillibrand, Kirsten E. [D-NY]

I am not sure what ‘cyber diplomacy’ is, but if it concerns control system security issues I will be covering HR 3776 here.

I do not really plan to expand the focus of this blog to include detailed coverage of election cybersecurity issues, but I will be watching S 1821 for the definitions it uses and the scope of coverage of the Commission.

Thursday, September 14, 2017

Senate Amendments to HR 2810 (FY 2018 NDAA) – 9-13-17

Yesterday the Senate actually began consideration of HR 2810, the FY 2018 National Defense Authorization Act (NDAA). Meanwhile, more amendments continue to be proposed. In addition to the previously proposed amendments (see here, here, here and here) a large number of possible amendments to HR 2810 were proposed in the Senate yesterday; including five that may be of specific interest to readers of this blog:

• SA 1003. Mr. MCCAIN - National Defense Authorization Act for Fiscal Year 2018 substitute language (pgs S5487-671);
• SA 1009. Mr. SASSE - cyberspace solarium commission (pgs S5674-6);
• SA 1019. Ms. HARRIS - pilot program on integrating into the department of defense workforce individuals with cybersecurity skills and technical expertise whose services are supported by private persons (pg S5678);
• SA 1025. Mr. WHITEHOUSE - botnet prevention (pgs S5680-1); and
• SA 1055. Mr. PORTMAN - report on cyber applications of blockchain technology (pg S5701-2)

Substitute Language

The substitute language (SA 1003) from Sen. McCain (R,AZ), and the staff of the Senate Armed Services Committee, is arguably the most important amendment to be offered to date, as it will form the working basis for the language that will be considered on the floor of the Senate. This language is based (as expected) on S 1519, the original Senate NDAA bill and it includes each of the cybersecurity related sections that I identified in S 1519.

Cyberspace Solarium Commission

SA 1009 would require DOD to establish the Cyberspace Solarium Commission with a mandate to “develop a consensus on a strategic approach to protecting the crucial advantages of the United States in cyberspace against the attempts of adversaries to erode such advantages” {SA 1009(a)}. The name harkens back to Eisenhower’s 1953 National Security Council’s Solarium Special Committee that was used to help formulate Eisenhower’s containment strategy vis-à-vis the Soviet Union.

The Commission would be tasked with {SA 1009(f)}:

• Weighing the costs and benefits of various strategic options to reach the goal of protecting the US cyberspace advantage;
• Reviewing adversarial strategies and intentions, current programs for the protection of the US cyberspace advantage, and the capabilities of the Federal Government to understand if and how adversaries are currently being deterred or thwarted in their aims and ambitions; and
• Evaluating the current allocation of resources for understanding adversarial strategies and intentions and protecting the US cyberspace advantage.

Botnet Prevention

This proposed amendment from Sen. Whitehouse (D,RI) and Sen. Graham (R,SC) is very similar to S 2931 that was introduced in the 114th Congress by Graham and Whitehouse. This amendment does not deal with DOD issues, but the Senate rules do allow for the consideration of extraneous amendments.

Moving Forward

The Senate held a cloture vote today on the McCain substitute language amendment and it passed with a bipartisan vote of 84 to 9. When the Congressional Record for today is published tomorrow I expect that we will see that some amendments were dealt with today, but at this point I have no idea which ones.

House Passes HR 3354 – FY 2018 Spending

This afternoon the House passed a much-amended HR 3354 by a very partisan 211 to 198 vote. The vote was closer than the party membership numbers would indicate in part because of the 14 Republicans that voted Nay, but also because of the 25 members (16 Republicans and 9 Democrats) that did not vote (probably due to early flight times for their weekends at home).

The large ‘Nay’ vote just about guarantees that the Senate will not take up this version of the bill. I expect that we will see a Senate omnibus bill introduced (or possibly a substitute language amendment to this bill) that will then be amended in a lengthy floor process. The resulting bill will be harder to reconcile with this House passed measure in a form that both houses will be able to pass. Fortunately, we have until December 8th.

NOTE: Just a reminder, the three amendments that I had identified as being of potential specific interest to readers of this blog were all approved early in the amendment process.

ICS-CERT Updates an Advisory and Publishes Another

Today the DHS ICS-CERT updated a previously published advisory for a product from Siemens. They also published a new advisory for a product from LOYTEC.

Siemens Update

This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15, 2017, on July 25th, 2017, and then again on August 18th, 2017. The update provides new affected version information and mitigation links for:

• SCALANCE M-800,S615: All versions prior to V04.03,

LOYTEC Advisory

The advisory describes four vulnerabilities in the LOYTEC LVIS-3ME HMI touch panel. The vulnerabilities were reported by Davy Douhine of RandoriSec. LOYTEC has released a firmware update to mitigate the vulnerabilities. There is no indication that Douhine was provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Relative path traversal - CVE-2017-13996;
• Insufficient entropy - CVE-2017-13992;
• Improper neutralization of input during web page generation - CVE-2017-13994; and
• Insufficiently protected credentials - CVE-2017-13998

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to cause information exposure or allow arbitrary code execution.

S 1761 Introduced – FY 2018 Intel Authorization

Last month Sen. Burr (R,NC) introduced S 1761, the Intelligence Authorization Act for Fiscal Year 2018. This bill is the Senate counterpart of HR 3180 that was passed in the House on 7-28-17.

While a good portion of the bill is not publicly available (classified) there are a number of provisions that may be of specific interest to readers of this blog. In addition to Title V (Securing Energy Infrastructure), those sections include:

Sec. 604. Reports on the vulnerabilities equities policy and process of the Federal Government.
Sec. 605. Bug bounty programs.
Sec. 606. Report on cyber-attacks by foreign governments against United States election infrastructure.
Sec. 610. Limitation relating to establishment or support of cyber security unit with the Government of Russia.
Sec. 613. Notification of an active measures campaign.

Securing Energy Infrastructure

Title V is very closely patterned on S 79 of the same title. There are only three significant additions to the language of S 79 found in Title V:

• Adding a definition of the term ‘Director’ as the Director of Intelligence and Counterintelligence of the Department of Energy {§502(2)};
• Adding an interim 180-day report to Congress {§505(a)}; and
• Adding a definition of the term ‘appropriate committees of Congress’ as the intel committees, the Senate Committee on Energy and Natural Resources, and the House Energy and Commerce Committee {§505(c)}.

Joint Cybersecurity Unit

Section 610 is similar in intent to the three bills introduced to date (S 1544, HR 3191 and HR 3259) that would prohibit funding for the establishment of a joint cybersecurity unit with elements of the Russian government. There is, however, a significant difference in the implementation of the restriction.

Section 610(a) would require the Director of National Intelligence to submit a report to Congress before any such unit is established. The report would include:

• The purpose of the agreement;
• The nature of any intelligence to be shared pursuant to the agreement;
• The expected value to national security resulting from the implementation of the agreement; and
• Such counterintelligence concerns associated with the agreement as the Director may have and such measures as the Director expects to be taken to mitigate such concerns.

Moving Forward

The Senate Intelligence Committee held a mark-up hearing on July 27th, 2017 and they approved the current version of the bill. A committee report was published on September 7th, 2017. The bill will be considered by the Senate at some point in the not too distant future as this is one of the ‘must pass bills’ that each house must consider. A bill will eventually pass, though not necessarily this bill, and it would then be reconciled with the House bill in a conference committee.

Wednesday, September 13, 2017

Senate Amendments to HR 2810 (FY 2018 NDAA) – 9-12-17

Yesterday the Senate leadership continued to work out a deal for determining which proposed amendments would be considered on the floor for HR 2810, the FY 2018 National Defense Authorization Act (NDAA). Meanwhile, more amendments continue to be proposed. In addition to the previously proposed amendments (see here, here and here) a large number of possible amendments to HR 2810 were proposed in the Senate yesterday; including three that may be of specific interest to readers of this blog:

• SA 948. Mr. MORAN - national guard bureau public-private cyber-security coalition (pg S5222)
• SA 989. Mr. ROUNDS - cybersecurity of industrial control systems. (a) designation of integrating official (pg S5234)
• SA 1001. Mr. ROUNDS - designation of official for matters relating to integrating cybersecurity and industrial control systems within the department of defense (pg S5240)

ICS Cybersecurity

Both of the proposed amendments from Sen. Rounds (R,SD) would require DOD to designate a single individual to be responsible “for all matters relating to integrating cybersecurity and industrial control systems within the Department of Defense” {§1630C(a)(1)}. The difference between the two amendments is that SA 989 identifies broader responsibilities for that designated individual. Those responsibilities would include {§1630C(a)(2)}:

• Developing, implementing, and being accountable for plans, programs, and policies to improve the cybersecurity of industrial control systems [only in SA 989]; and
• Developing Department-wide certification standards for integration of industrial control systems and taking into consideration frameworks set forth by the National Institute of Standards and Technology for the cybersecurity of such systems [in both amendments].

SA 989 would also require DOD to consider conducting pilot programs designed “to assess the feasibility and advisability of implementing various solutions for protecting industrial control systems against cyber-attacks and discerning the specific criteria that a solution should demonstrate in order to be certified for military use” {§1630C(b)(1)}. Priority would be given to “the determination of certification criteria for military energy industrial control systems” {§1630C(b)(2)}.

Moving Forward

More political wrangling on what amendments to include in the debate on HR 2810 is expected overnight. There was one amendment voted upon today (in a round-about manner) and we could see additional votes tomorrow.

ICS-CERT Publishes Two Advisories

Yesterday the DHS ICS-CERT published two advisories. One was a medical device security advisory for products from Philips. The other was a control system advisory for products from mySCADA.

Philips Advisory

This advisory describes two vulnerabilities in the Philips IntelliVue MX40 Patient Worn Monitor. The vulnerabilities are self-reported. There are no FDA Safety Communications about these vulnerabilities. Philips has issued an update that mitigates one of the vulnerabilities; another update is due later this year.

The two reported vulnerabilities are:

• Improper cleanup on thrown exception - CVE-2017-9657; and
• Improper handling of exceptional conditions - CVE-2017-9658

ICS-CERT reports that a relatively low skilled attacker with access to an adjacent network could exploit these vulnerabilities to issue 802.11 Wi-Fi management commands that can impact reporting availability of MX40 device local monitoring to a central monitoring station.

mySCADA Advisory

This advisory describes an unquoted search path or element vulnerability in the mySCADA myPRO HMI/SCADA management platform. The vulnerability was reported by Karn Ganeshen, who publicly disclosed the vulnerability on 7-28-17. mySCADA has produced a new version that mitigates the vulnerability. There is no indication that Ganeshen was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled but authenticated attacker could exploit this vulnerability to execute arbitrary code with elevated privileges.

NOTE: Karn is pretty well known for his coordinated disclosure, so this public disclosure is unusual. There are no explanations on either the ICS-CERT or the iPositiveSecurity web site explaining why the early disclosure was made. It would be interesting to know ‘the rest of the story’.

ISCD Publishes CFATS Quarterly

Yesterday the DHS Infrastructure Security Compliance Division (ISCD) published the latest version of their Chemical Facility Anti-Terrorism Standards (CFATS) Quarterly. According to the ‘Latest News’ entry on the CFATS Knowledge Center: “This issue highlights the CSAT 2.0 SVA/SSP surveys, cybersecurity, an update on new Chiefs of Regulatory Compliance, new resources and materials, as well as the 2017 Chemical Sector Security Summit.”

SVA/SSP Surveys

This brief article lists some new questions that facilities will have to answer when they first complete the CSAT 2.0 SVA/SSP. This list is a little different from the one that initially appeared on the SVA/SSP web site right after the CSAT 2.0 tool was introduced. The new list includes:

• Q3.10.050 Personnel Presence
• Q3.10.400 through Q3.10.420 Inventory Controls
• Q3.40.400 through Q3.40.430 Cyber Control and Business Systems (new)
• Q3.50.320 Personnel Surety, Types of Affected Individuals (new)
• Q3.50.710 Recordkeeping Affirmation (new)

Regulatory Compliance Managers

ISCD now has Regulatory Compliance Managers serving in each of its regional offices. The brief article notes that: “In addition to managing CFATS regional operations, CRCs will lead our regional efforts to coordinate with other federal, state, and local representatives and spearhead regional CFATS-related outreach and engagement.” The list of Compliance Managers includes contact information.


It is interesting to compare this CFATS Quarterly to the recently published ICS-CERT Monitor. While both documents are used by the parent organization to share information about their programs with the affected public, the two publications are significantly different. The Monitor has the look and feel of a corporate annual report with a similar lack of useful information. The Quarterly is not nearly as sophisticated in its presentation, but it provides more useful information. That is especially important in a regulatory organization.

Bills Introduced – 09-12-17

With both the House and Senate in session there were 31 bills introduced yesterday. Of those, one may be of specific interest to readers of this blog:

S 1800 A bill to require a report on significant security risks of the national electric grid and the potential effect of any such security risks on the readiness of the Armed Forces. Sen. Warren, Elizabeth [D-MA]

I suspect that this bill will be very similar (if not identical) to the amendment Warren proposed for HR 2810 earlier this week.

S 1656 Introduced – Medical Device Cybersecurity

Last month Sen. Blumenthal (D,CT) introduced S 1656, the Medical Device Cybersecurity Act of 2017. The bill would provide enforceable cybersecurity standards for medical devices.

The bill would amend the Food, Drug, and Cosmetics Act by adding a new §502A, Cybersecurity for Devices. The new section would address the following:

• Definitions;
• Transparency of risk prior to marketing;
• Protecting remote access to managed solutions;
• Cybersecurity fixes or updates; and
• End-of-life devices.

Additionally, the bill would give the DHS ICS-CERT specific responsibilities with respect to the cybersecurity of medical devices.


Section 520A(a) provides definitions for two new terms: ‘cyber device’ and ‘cybersecurity fix or update’. Both definitions rely on the existing definition of ‘device’ in 21 USC 321(h), which is broadly “an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article” with established and recognized medical applications.

With that starting point a ‘cyber device’ is any device that has network or Internet connectivity, connects to an external storage device or external media, or has any other cyber capability. The term ‘cyber capability’ or even just ‘cyber’ is not defined. Similarly, a ‘cybersecurity fix or update’ is “any modification to a cyber device that addresses a software, firmware, or hardware error or known vulnerability, or a security update, and does not change the therapeutic or diagnostic function of the device” {§520A(a)(2)}.

Transparency of Risk Prior to Marketing

Section 520A(b) would require the FDA to develop a ‘report card’ that describes the cybersecurity functions of cyber devices. That report card would include {§520A(b)(2)}:

• Information pertaining to all essential elements described in the most recent version of the Manufacturer Disclosure Statement for Medical Device Security;
• A traceability matrix, accepted by the Secretary, that establishes design components and traces such components to design compensating controls;
• A description of any manufacturer compensating controls that effectively address known common vulnerabilities and exposures;
• A description of any cybersecurity evaluation conducted on the device, including any testing, validation, or verification of the device;
• A cybersecurity risk assessment conducted by the manufacturer, or a third party, explaining the risk of the device to patient safety and clinical hazards; and
• An indication of whether the device is capable of being remotely accessed along with an indication of any security measures and access protocols the device has in place to secure any such access if so capable.

The Department of Health and Human Services would be required to make a copy of the report card available to “any health care industry entity, consisting of any provider, device manufacturer, the Federal Government, health care information security researchers, and health care academia” {§520A(b)(3)(B)(ii)(I)}.

Protecting Remote Access to Managed Solutions

Section 520A(c) establishes standards for remote access to cyber devices. First, it requires that manufacturers “obtain consent for such access from the provider owning or operating the device and from any patient on which the device is used” {§520A(c)(1)(A)}. That consent may be documented in the sales agreement between the manufacturer and the provider. Second, the manufacturer is required to provide notification to the provider when such access is made. This notification can be made via provider-accessible access logs.

Finally, the paragraph would establish cybersecurity standards for devices capable of remote access. Those standards would include requirements to {§520A(c)(1)(C)}:

• Implement multi-factor authentication for accessing any cyber capability of the device;
• Secure data in motion and data at rest with data encryption, and other best practices, approved by the National Institute of Standards and Technology;
• Install automated tools to track access, or identify attempts at unauthorized access, to any cyber capability of the device;
• Adopt whitelisting approaches and changeable passwords for accessing any cyber capability of the device; and
• Comply with the remote access provisions recommended by the National Institute of Standards and Technology, in the document entitled ‘Security for Telecommuting and Broadband Communications (NIST Special Publication 800–46)’, published in August 2002 [emphasis added].

Cybersecurity fixes or updates

Section 520A(d) provides guidance on the usage of ‘cybersecurity fixes or updates’. First it provides that generally “any cybersecurity fix or update shall not require a new notification under section 510(k) or application for premarket approval under section 515(c)” {§520A(d)(1)}. Finally, it provides that such fixes or updates will be provided free of charge until a date specifically agreed upon between the manufacturer and the provider, or 10 years after “the manufacturer discontinues marketing the device” {§520A(d)(2)(B)} if no such agreement is documented.

End-of-Life Devices

Section 520A(e) sets forth the requirements that manufacturers must conform to when they stop marketing a cyber device. This includes requirements to:

• Provide any provider owning or operating the device with the report card, as most recently updated;
• To the extent practicable, inform any provider owning or operating the device that the manufacturer will no longer be manufacturing such device;
• Provide notice to any provider owning or operating the device of the date on which the last cybersecurity fix or update will be provided by the manufacturer; and
• Notify the Secretary of such declaration.

Additionally, the manufacturer is required to provide the following information to the provider owning or operating the device {§520A(e)(5)}:

• Compensating controls on how to securely configure the cyber device if the device stays in operation past the date on which the manufacturer stops providing cybersecurity fixes or updates;
• Documentation on secure preparation for recycling and disposal of the device;
• Specific guidance regarding supporting infrastructure architecture, including network segmentation and device isolation requirements; and
• Instructions on how to delete any personally identifiable information, protected health information, or other site-specific sensitive data such as configuration files.

ICS-CERT and Cyber Devices

Separate from the §520A language, the bill also addresses the role of the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) in medical device cybersecurity. Section 2c of the bill would require DHS to expand the role of ICS-CERT to include {§520A(c)(2)}:

• Investigating cybersecurity vulnerabilities of cyber devices that may cause harm to human life or significant misuse of personal health information; and
• Coordinating device-specific responses to cybersecurity incidents and vulnerabilities with respect to cyber devices

The bill would also require DHS to establish rules concerning coordinated disclosure of cybersecurity vulnerabilities in cyber devices. Those regulations would {2(c)(4)}:

• Outline the roles and responsibilities of ICS–CERT and manufacturers and providers of cyber devices;
• Provide timelines for all required actions; and
• Provide for the enforcement of cooperation between ICS–CERT and manufacturers and providers of cyber devices

Moving Forward

Blumenthal is not a member of the Senate Health, Education, Labor, and Pensions Committee to which this bill was assigned for consideration. This means that the Committee is not likely to act on this bill, effectively killing it as a stand-alone measure. We could potentially see a version of this bill offered as an amendment to a Senate FDA authorization bill when that reaches the floor.


While there is much to like in this bill, there are too many problems that would make the resulting regulations unworkable. I’ll mention just a few.

First and foremost, the bill completely dodges the issue of ownership of implantable cyber devices. Throughout the bill there is reference to ‘the provider owning or operating the device’ as if this person (or organization) is the only entity that has an interest in the cybersecurity of the device. The only mention of the patient is where the provider informs the patient of the agreement between the provider and the manufacturer providing the manufacturer with permission to remotely access the device. Ignoring the rights of wearers of implantable devices has got to stop.

Next, while the bill attempts to specify a fairly comprehensive set of guidelines for remote access, it completely ignores the issue of who has responsibility for periodically checking the device logs to determine if/when unauthorized attempts were made to access the device or what actions should be taken when such access attempts are noted.

That same section of the bill makes a very rookie mistake when it specifies the date of a NIST publication that will be used as a standard for remote access requirements. This case is particularly egregious since there have been two updates to that specific standard since the date specified.

In §520A(e)(5) we see three specific actions that manufacturers are supposed to take at device end-of-life that really should have been required when devices are first authorized to be sold. These are the requirements to provide information on:

• Documentation on secure preparation for recycling and disposal of the device;
• Specific guidance regarding supporting infrastructure architecture, including network segmentation and device isolation requirements; and
• Instructions on how to delete any personally identifiable information, protected health information, or other site-specific sensitive data such as configuration files.

Not requiring that this information be provided until the end-of-life point of the cyber device is one of the most ludicrous problems with this bill.

Finally, the provisions regarding the role of ICS-CERT in the cyber device vulnerability disclosure process completely ignore the role of the security researchers that find most of the vulnerabilities in these devices. The way the paragraph reads it almost seems as if Blumenthal expects ICS-CERT to undertake the research necessary to find the vulnerabilities. If that is the case, the bill would certainly need to provide authorization for the funding and manpower needed to realistically undertake that mission.

Tuesday, September 12, 2017

Senate Amendments to HR 2810 (FY 2018 NDAA) – 9-11-17

Yesterday the Senate voted to close debate on the motion to close further debate on the motion to proceed to consideration of HR 2810, the FY 2018 National Defense Authorization Act (NDAA) by a vote of 89 to 3. This is the first step in the process to begin consideration of HR 2810. In addition to the previously proposed amendments (see here and here) a large number of possible amendments to HR 2810 were proposed in the Senate yesterday, including five that may be of specific interest to readers of this blog:

• SA 856. Mr. BROWN - Collaboration between federal aviation administration and department of defense on unmanned aircraft systems (pg S5118);
• SA 867. Ms. WARREN - Report on significant security risks of defense critical electric infrastructure (pgs S5121-2);
• SA 868. Mr. VAN HOLLEN - Strengthening allied cybersecurity (pgs S5122-3);
• SA 919. Mr. MCCAIN - Report on training infrastructure for cyber forces (pg S5146);
• SA 922. Mr. MCCAIN - Unmanned aircraft systems that pose a threat to the safety or security of certain department of defense facilities and assets (pg S5147)

Electric Infrastructure Security Risks

Yesterday’s amendment by Sen. Warren (D,MA) is nearly identical to the one she proposed last week (SA 794). The only change that I could see is that her staff added a definition of ‘security risk’:

“The term ‘security risk’ shall have such meaning as the Secretary of Defense shall determine, in coordination with the Director of National Intelligence and the Secretary of Energy….”

Not much of a definition, but it does lay the onus for coming up with a useful definition with the people technically qualified to make the assessment.


SA 922 takes an interesting approach to the problem of shooting down unmanned aircraft systems (UAS) in United States airspace. Currently, damaging or shooting down an aircraft in US airspace is a criminal act under 18 USC 32 and there is no exemption in that section for actions by military personnel. This amendment would tangentially approach that problem for UAS by allowing the military to ‘seize’ UAS irrespective of the restrictions in 18 USC. Interestingly, there is no indication in the amendment on how DOD would be expected to seize those UAS or in what condition they would be when seized.

That authority would only be available at some very limited ‘covered facilities or assets’. Those would be defined as facilities relating to:

• The nuclear deterrence mission of the Department of Defense, including with respect to nuclear command and control, integrated tactical warning and attack assessment, and continuity of government;
• The missile defense mission of the Department; or
• The national security space mission of the Department.

Moving Forward

Yesterday’s vote is a pretty good indication that the Senate leadership has worked out an agreement on how to proceed with the consideration of HR 2810. There are still some procedural measures where that consideration could be derailed by a sizeable minority of the Senators, but at this point it looks like a much-amended HR 2810 will eventually get a floor vote in the Senate, maybe even this month.

When it eventually passes it will almost certainly be referred to a conference committee to work out the differences between the House and Senate versions of the bill. Still, we are likely to see a final version of the bill on the President’s desk well before the December deadline on other measures clogs up the legislative process.

Monday, September 11, 2017

Committee Hearings – Week of 09-10-17

Both the House and Senate are in town this week with most focus being on floor activities in both houses. There will be two hearings this week that may be of particular interest to readers of this blog; one on energy reliability and one on self-driving trucks.

Energy Reliability

On Tuesday the Energy Subcommittee of the House Energy and Commerce Committee will be holding a hearing on “Powering America: Defining Reliability in a Transforming Electricity Industry”. The witness list includes:

• Paul Bailey, American Coalition for Clean Coal Electricity;
• Gerry Cauley, North American Electric Reliability Corporation;
• Neil Chatterjee, Federal Energy Regulatory Commission;
• Kyle Davis, Enel Green Power North America, Inc;
• Marty Durbin, American Petroleum Institute;
• Patricia Hoffman, U.S. Department of Energy;
• Tom Kiernan, American Wind Energy Association;
• Maria G. Korsnick, Nuclear Energy Institute;
• Kelly Speakes-Backman, Energy Storage Association;
• Susan F. Tierney, Analysis Group, Inc.; and
• Steve Wright, Chelan Public Utility District

This hearing is on system reliability and ensuring the flow of electricity to customers. Interestingly, there is no mention in the background memo on this hearing on how this reliability may be affected by cybersecurity concerns. Admittedly, the reliability topic is complicated enough without considering cybersecurity, but it will be interesting to see if it is mentioned in the testimony and questioning.

Self-Driving Trucks

On Wednesday the Senate Commerce, Science, and Transportation Committee will be holding a hearing to look at “Transportation Innovation: Automated Trucks and Our Nation's Highways”. The witness list includes:

• Scott G. Hernandez, Colorado State Patrol
• Troy Clarke, Navistar
• Ken Hall, International Brotherhood of Teamsters
• Deborah Hersman, National Safety Council
• Chris Spear, the American Trucking Associations

While I have focused on cybersecurity issues associated with automated driving systems, this hearing reminds us that there are other concerns that are also going to have to be faced with this next stage of industrial automation: jobs.

On the Floor

I have already mentioned the two big bills seeing floor action this week, HR 3354 in the House and HR 2810 in the Senate.

There really is not much else happening on the floor of either house this week of specific interest, but you always have to be careful saying that. The Senate calendar is always up in the air with all sorts of jockeying for position and both intra-party and inter-party wrangling keeping the schedule very flexible. The House is usually much easier to predict since the Majority Leader actually publishes a weekly schedule.

But even the staid House throws up the occasional odd-ball scheduling change now and again. Today was a good case in point. This was supposed to be a speechifying day with no votes scheduled; at least that is what the Majority Leader’s schedules said. This is typical on Mondays as it allows for some travel flexibility for members coming back to Washington from their districts. But then, at 4:23 pm EDT, Rep. Reichert (R,MN) asked unanimous consent that HR 3732 be discharged from committee and be considered on the floor of the House. With no debate and no vote, the bill was passed.

Interestingly this bill was introduced today (probably by Reichert, but I cannot tell for sure until tomorrow, when the Library of Congress prints the list of bills introduced today) with the broad title of “To amend section 1113 of the Social Security Act [42 USC 1313] to provide authority for increased fiscal year 2017 and 2018 payments for temporary assistance to United States citizens returned from foreign countries”. I suspect that a connected constituent was getting a runaround from the Social Security Administration and this bill was designed to remove a funding excuse for that runaround.

There were probably very few people on the floor of the House when this matter came up. The consideration of this bill was a mere formality (and it may die a slow death waiting in the Senate for action), but there was almost certainly no legislative trickery involved. Both parties keep at least one ‘responsible’ (to the leadership) member on the floor to object to any skullduggery being played under the guise of ‘unanimous consent’; a single voice crying from the back of the chamber would have killed the consideration of this bill. So, the leadership of both parties consented to this bill being passed, and no one has raised a stink about it. That means that the bill would almost certainly have passed if it had been considered under regular order.

But, it does just go to show that the politicos in Congress can get things done when they really want to, so we must keep a close eye on them.

Senate Amendments to HR 2810 (FY 2018 NDAA) – 9-7-17

This week the Senate is scheduled to take up HR 2810, the FY 2018 National Defense Authorization Act (NDAA). In addition to the amendments introduced before the summer recess, Senators began proposing new amendments to HR 2810 last week. Those amendments included three that may be of interest to readers of this blog:

• SA 794. Ms. WARREN - report on significant security risks of the national electric grid (pg S5008);
• SA 824. Mr. THUNE - cybersecurity training program in the army senior reserve officers’ training corps (pg S5006); and
• SA 849. Mr. KAINE - Cyber Scholarship Opportunities (pgs S 5072-3)

Electric Grid Study

The electric grid security study would be conducted by DOD (in coordination with the Director of National Intelligence and the Secretary of Energy) and would specifically look at:

• Identification of significant security risks to defense critical electric infrastructure posed by significant malicious cyber-enabled activities;
• An assessment of the potential effect of the security risks identified pursuant to paragraph (1) on the readiness of the Armed Forces; and
• An assessment of the strategic benefits derived from, and the challenges associated with, isolating military infrastructure from the national electric grid and the use of microgrids by the Armed Forces.

DOD is also expected to include in the report recommendations to:

• Eliminate or mitigate the security risks identified above; and
• Address the effect of those security risks on the readiness of the Armed Forces identified above.

One of the key terms in this amendment that is specifically defined is ‘significant malicious cyber-enabled activities’. In addition to the expected malware attacks and service disruption attacks it specifically includes more purely IT-centric attacks to:

• Deny access to or degrade, disrupt, or destroy an information and communications technology system or network; or
• Exfiltrate, degrade, corrupt, destroy, or release information from such a system or network without authorization.

Including these IT type attacks greatly expands the potential scope of this study. To somewhat limit that, the second IT-centric attack is restricted to those attacks that are conducted for the purposes of:

• Conducting influence operations; or
• Causing a significant misappropriation of funds, economic resources, trade secrets, personal identifications, or financial information for commercial or competitive advantage or private financial gain

Moving Forward

The cloture motion for HR 2810 was filed on Thursday and the vote on cloture is scheduled for 5:30 pm (EDT) today. If the leadership has worked out a deal on the amendment process (and it looks like it may have) then the 60 votes will be available to start that process. I expect that we will see some additional amendments offered this week before a potential final vote on Thursday.

Since the bill will be amended in the Senate (the only question is when) a conference committee will be necessary to work out the differences in the bill. The passage of the continuing resolution in HR 601 last week will make it easier for that conference to meet and work out the differences in the two versions of the bill. We might actually see a final vote on the bill before the end of the fiscal year (but do not hold your breath).

House Continues Consideration of HR 3354 – FY 2018 Spending

This week the House will continue with its consideration of HR 3354, the FY 2018 spending bill. Friday the House continued their work on the bill under a second structured rule that added an additional 225 amendments to be considered during the floor debate.

None of the new amendments look to be of specific interest to readers of this blog. The three amendments that I mentioned last week passed by voice votes last week. Two of those (#21 and #37) were considered on their own and #67 was considered as part of en bloc amendment #3.

With the continuing resolution in place extending current spending until December 8th, this bill, if it is considered in the Senate, will certainly be amended. As a result, a conference committee will almost certainly be required to craft a final version of the bill. The CR provides some time for that process to work out the details.

Saturday, September 9, 2017

Bills Introduced – 09-08-17

With just the House in session yesterday there were 17 bills introduced. Of those, only one may be of specific interest to readers of this blog:

HR 3712 To amend title 10, United States Code, to provide for the establishment and operation of reserve component cyber civil support teams, and for other purposes. Rep. Kilmer, Derek [D-WA-6]

It will be interesting to see what sorts of definitions and limitations are applied to the use of these teams to ensure that they do not compete with private cybersecurity firms.

Friday, September 8, 2017

House Passes FY 2018 Continuing Resolution

This morning the House agreed to the Senate amendment to HR 601 after adding an additional amendment that provided for continued funding for the federal government through December 8th, 2017. Yesterday’s amendment to HR 601 in the Senate had added a similar short-term extension of the debt limit as well as funding for the response to Hurricane Harvey. The Senate is expected to take up the much-amended bill early next week. This removes the near-term deadline of September 30th for all three of these potential problems.

The vote in the House was a significantly bipartisan vote of 316 to 90. In line with the agreement reached earlier this week between President Trump and the Democratic leaders in the House and Senate, all 183 Democrats in the House voted for the bill, more than offsetting the 90 Republicans that voted against the measure.

After the morning vote, the House continued to work on the floor action to amend and pass HR 3354, the omnibus spending bill that it has been working on since Wednesday. With the end-of-month deadline erased, the House did not find it necessary to stay late today to finish work on the measure. A final vote is expected Wednesday.

While the expected passage of HR 601 in the Senate next week is expected to obviate the short term need to pass HR 3354, a spending bill does need to be crafted to be signed by the President by December 8th. Passage of this bill would allow for consideration and amendment in the Senate and allow a conference committee time to work out the differences between the two houses of Congress in something approaching regular order.

ISCD Updates Two CSAT Manuals

Yesterday the DHS Infrastructure Security Compliance Division updated its Chemical Facility Anti-Terrorism Standards (CFATS) program web site to provide links to new versions of two of its CFATS Chemical Security Assessment Tool (CSAT) 2.0 manuals. These two new manuals are not the simple tweaks and clarifications that we have been seeing in CSAT 2.0 manuals since the program was changed last October. They are significant re-writes.

The two new versions of the manual are:

Interestingly the new manuals are dated today, not yesterday.

The Site Updates

The most obvious web site update is found on the CFATS Knowledge Center page. This page provides a notice in the ‘Latest News’ section about the two new manuals with links to the manuals found in the ‘Documentation’ section of the page. Listings for the older versions of the manuals were removed from that section.

The main landing page does not contain any mention of the new documents, but it was updated with a link to a new version of the CFATS Personnel Surety Program page. That new page does not mention any program changes and still provides a link to the old PSP Manual. The CSAT page was not changed (still dated June 21st, 2017), but the link to the CSAT Portal Users Manual now takes you to the new manual through an updated intermediate page.

PSP Manual

The new PSP manual is a complete re-write of the manual with a completely new format. This means that it will be time consuming to determine what program changes (if any) have actually been made that were reflected in the new manual. At first glance, I do not see any major changes, nor do I expect there to be any since there was no update provided on the PSP web page. There may, however, have been some changes to the way the web site is used. More on that in a future post.

CSAT Portal Manual

The changes to the Portal Manual do not involve a complete rewrite so I can take a quick look at the table of contents to initially look for changes to this manual; and there are some interesting ones. It does not look like any real policy change, but there appear to have been some additions made to the CSAT Portal tool.

I do not see any changes in the table of contents until we get to Section 9, User Management Tab. First the manual completely changes Section 9.4, Users. That section now provides the following information:

9.4.1 Export User List
9.4.2 View User Information
9.4.3 Reset Password
9.4.4 Delete User Account
9.4.5 Administrator
9.4.6 Personnel Surety Program

A completely new subsection is then added; 9.5, Groups. That subsection includes:

9.5.1 Corporation Group
9.5.2 Create Group
9.5.3 Edit Group
9.5.4 Delete Group
9.5.5 Merge Group

So far, no new policy; just some added functionality and/or better listing of capabilities already existing within the system.

Next, we find that ISCD has flipped Sections 10 and 11. The new Section 10 addresses Personnel Surety Program issues. This is a complete re-write and probably is related to the changes in the PSP manual that I mentioned in passing earlier. I’ll probably address this new section in detail when I cover the new PSP manual. In the meantime, the following new subsections were added to Section 10:

10.1 Search Affected Individuals
10.2 Affected Individuals
10.2.1 Add Individual
10.2.2 View an Affected Individual
10.2.3 Edit an Affected Individual
10.2.4 Remove Affected Individual(s)
10.2.5 Bulk Upload
10.2.6 Export to PDF
10.3 User Defined Fields
10.3.1 Create User Defined Fields
10.3.2 User Defined Field List

The new Section 11 is just the old Section 10, Manage My Account. No other changes appear to have been made.

I have not yet gone completely through the manual to see if any significant changes have been made to any of the other portions of the manual. That is fodder for a potential future blog post, if there are any changes.


It is not unexpected to see a major rewrite of the PSP manual. ISCD has been implementing the PSP program in the hand-holding mode since its inception last year. I am sure that there have been a large number of lessons learned and hopefully this new manual accurately reflects those changes. I am more than slightly disappointed that there was not more of a formal rollout of this new manual. As controversial as the PSP program has been since it was first mentioned, I would have thought that ISCD would have announced a webinar to explain what had been learned in the first year of the operation of this program.

At first glance it looks like the CSAT Portal Manual is just a routine update of both the CSAT site and the Users Manual. The only problem is that you cannot be sure about that without doing an almost line-by-line examination of the manual.

One of the things that ISCD changed when they started CSAT 2.0 was the removal of version numbers and change logs from their new publications. I suspect that this may have been a DHS-wide requirement because most other DHS agencies have not been that user friendly in their publications. It does make it difficult for users of these manuals to keep up with what is going on in the program.

Most facility or corporate security managers do not hold just that job. It is an additional duty placed on top of their normal corporate responsibilities. This means that they do not have the time to do the type of page-by-page analysis of new program manuals (and there are a bunch of manuals supporting the CFATS program) to ensure that they understand the changes that are being made in the program. Failure to understand those changes, however, could result in their organizations falling out of compliance with program requirements.

I hate to say this about anything involved with the government, but failure to properly document changes in program manuals is not fair. It puts an improper burden on the regulated facilities, a burden that most cannot bear, particularly the smaller facilities. DHS really needs to play fair with the CFATS community if it wants to continue to operate the program as a partnership with the chemical community rather than as an adversarial regulatory relationship.