Saturday, May 31, 2014


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received the proposed language for an advance notice of proposed rulemaking (ANPRM) for revisions to the Chemical Facility Anti-Terrorism Standards (CFATS). This is the rulemaking that I discussed earlier this week.

There is no telling how long this ANPRM will take to clear OIRA and be published in the Federal Register. I really doubt that this will proceed anywhere near as quickly as did the original CFATS rulemaking effort.

Ammonium Nitrate - West vs Athens

NOTE: I received this really detailed analysis of at least one potential explanation of why the Athens, TX ammonium nitrate facility did not explode Thursday like the one did in West, TX a year ago. It came to me in an email from Jim Overman who has graciously allowed me to post it here.


I really think there needs to be a lot of technical work done on the response of AN to fire.  I have gotten a lot of questions from friends about one had a devastating explosion and the other just burned.  You can include the incident in Bryan, TX a few years ago as well.  I'm sure that research would reveal countless others.  

Certainly, there are many factors involved in what happened in each of these circumstances.  I still think a significant factor is the volume to surface area ratio.  As I have stated several times, the rate of reaction is dependent on concentration of the reactants (which in the case of the gas phase of any reaction is definitely related to pressure) and the temperature.  

As you know, the rate of reaction doubles with every 10 degree (K) increase in temperature.  (I recognize this is only a rough guideline).  Also, the rate of energy production of a reaction is directly related to the rate of the reaction (we are discussing exothermic reactions).  This is one reason we have runaway reactions.  We utilize this intentionally with commercial explosives.  

If the rate is very slow, we can use such common terms as corrosion in reference to the reaction.  If the reaction is more vigorous, we use terms like "fire".  It really gets exciting when the rate is high enough to use terms like deflagration and if the reaction moves fast enough through the medium to exceed the speed of sound, when refer to it as a detonation.  

Essentially, in oxidation reactions like those between iron and oxygen, the only difference between rusting and burning is the rate of reaction.  We all know that steel wool will burn in pure oxygen.  This is an example of concentration of the reactants influencing the rate.  

In general, we use water effectively on Class A fires because the evaporation of the water removes heat from the reactants (e.g., wood and oxygen) faster than it is being produced.  (It is also pertinent to this discussion that the water vapor produced reduces the concentration of the other reactants.)  Now, consider fires in bulk materials.  If we can't get water to the hot reactants fast enough, the reaction continues to produce heat faster than the evaporating water removes it and the fire will continue to burn until there are not enough reactants (concentration).

Now, look closely at pictures of the AN storage in Athens [PJC – For example here and here].  The piles are not especially deep and the bins are are more like rooms an not very high.  That means that the ration of volume to surface area is low.  In other words, the total surface area of a given bulk is higher in a shallow pile with higher length and width.  This is the relevant heat transfer equation:

Fourier's Law express conductive heat transfer as  

q = heat transfer (W, J/s, Btu/s)
A = heat transfer area (m2, ft2)
k = thermal conductivity of the material (W/m.K or W/m oC, Btu/(hr oF ft2/ft))
dT = temperature difference across the material (K or oC, oF)
s = material thickness (m, ft)

Note that the only variables that really count are A and s.  As A gets smaller and s gets larger, q gets smaller.  In other words, physics works and less heat gets removed from the bulk and the reaction rate goes up.  As the temperature of the burning material goes up, dT actually increases so sometimes the change in dT will balance the other factors and we will have steady state burning.  This explains why "cooling the pile with hose streams sometimes works.  However, if the increase in dT does not balance things out, we have a recipe for disaster.

There are many other variables involved, but unless contamination is a factor, I suspect this may be the most significant.  After all is said and done, standards that do not address this issue will fall short when fires actually occur.

Jim Overman


Jim makes some very important points about the heat transfer effect in an ammonium nitrate fire. As he mentions in his closing paragraph contamination of the ammonium nitrate may also play an important role. This was noted in the Chemical Safety Board’s interim report on the West explosion. Another factor that could come into play is building collapse as that can have a direct pressure effect, reduce heat transfer and impede the flow of water to the ammonium nitrate stack.

At this point it does not look like the Chemical Safety Board will be doing an investigation of this accident. There was no loss of life and there was only limited (on a grand scale) property damage involved. As a single incident goes this just isn’t important enough to tie up the CSB’s limited resources. As we are finding more and more of these under-regulated ammonium nitrate storage facilities across the country, perhaps it would be important for the CSB to get involved in the investigation to help prevent another West Fertilizer type explosion. That would almost certainly take a congressional request, something unlikely to come from the Texas congressional delegation.

Friday, May 30, 2014

Ammonium Nitrate - Picture Worth a Thousand Words

There is a very scary article at about a fire yesterday at an ammonium nitrate storage facility in Athens, TX. This case did not end with a catastrophic explosion, but it is obvious that it could have.

WFAA has been very active in covering the ammonium nitrate storage problem in Texas. They have been discussing the problems at various storage facilities and specifically this facility. The article has a good gallery of still photos about the fire. One in particular (#10) is particularly concerning. The photo shows the wooden partitions in the ammonium nitrate storage area; these are specifically recommended against by recent a EPA-OSHA ammonium nitrate storage guidance document.

The same picture also shows how easy it would have been to break into the facility to steal ammonium nitrate. According to the WFAA news video report this facility was just registered last year after the West incident. It is not clear what agency that registration was with. If it was DHS and the CFATS program it is unlikely that this facility had yet been visited by DHS chemical security inspectors. That wouldn’t yet be due to the back log of site security inspections; it just takes some time to go through the Top Screen and Security Vulnerability Assessment (SVA) process.

It will be interesting to hear if this facility was actually covered under the CFATS program. It certainly would be covered (due to the ammonium nitrate storage in the middle of town like this) if it had self-reported the presence of the ammonium nitrate. If this facility is not on the DHS Infrastructure Security Compliance Division’s (ISCD) list of covered facilities there will be hell to pay with Congress.

Thursday, May 29, 2014

ICS-CERT Publishes to New Advisories

Today the DHS ICS-CERT published new advisories for products from Cogent and Triangle MicroWorks (TMW). Both advisories are based upon coordinated disclosures.

Cogent Advisory

This advisory addresses multiple vulnerabilities in the Cogent DataHub. The vulnerabilities were reported by Alain Homewood. Cogent has produced a new version of the application that addresses three of the four identified vulnerabilities and ICS-CERT reports that Homewood has verified the efficacy of the mitigation measures for those vulnerabilities.

The vulnerabilities are:

• Reflected cross-site scripting, CVE-2014-72038;
• Directory traversal, CVE-2014-59156;
• Password hash with insufficient computational effort, CVE-2014-32537; and
• Many known vulnerabilities in OpenSSL version 1.0.0D.

ICS-CERT reports that a low to moderately skilled attacker could exploit these vulnerabilities (three of them remotely) with a variety of potential effects. The new version does not address the third vulnerability listed above; Cogent advises that they do not plan to address this vulnerability due to “compatibility issues with existing systems”. They explain (and Homewood agrees according to the advisory) that an adequately strong password will be an effective mitigation of this vulnerability.

Triangle MicroWorks Advisory

This advisory addresses Crain-Sistrunk DNP3 vulnerabilities in TMW SCADA Data Gateway. It addresses the two standard vulnerabilities in serial and IP communications. In fact the wording of this advisory is nearly identical with an ICS-CERT advisory published last fall that covered both the devices included in this advisory as well as TMW’s DNP3 Source Code libraries.

Interestingly this advisory points us at a TMW document that documents the changes that are referenced in this advisory. Unfortunately, that document only reports the changes that were made last fall in response to the earlier advisory. Something odd is going on here and what it is isn’t clear from the ICS-CERT advisory. 

BTW: The Project Robus web page does not yet list this second TMW advisory. Looking at their tally it would seem that we still have seven more Crain-Sistrunk advisories to be published by ICS-CERT.

Wednesday, May 28, 2014

More CFATS Knowledge Center Updates 5-28-14

Apparently I was too quick to post earlier today when I described and update to the CFATS Knowledge Center. Since that post was written DHS Infrastructure Security Compliance Division has updated the responses to six frequently asked questions (FAQ) with minor corrections. The FAQ’s involved and the fixes are listed below.

• FAQ 1194 Corrected link to 6 CFR 27 (from 5-2-14);
• FAQ 1196 Corrected link to 6 CFR 27 (from 5-2-14);
• FAQ 1606 Changed name of link in the CSAT Portal to “View My CSAT Documents”;
• FAQ 1618 Changed name of link in the CSAT Portal to “View My CSAT Documents”;
• FAQ 1662 Changed name of link in the CSAT Portal to “View My CSAT Documents”; and
• FAQ 1666 Corrected links to 6 CFR 27 (from 5-2-14).

The changes marked as (from 5-2-14) are likely from comments I left on those FAQ’s about errors in the links provided. This just goes to show that ICSD is paying attention to the comments section responses it receives on the CFATS Knowledge Center.

Subcommittee Draft DHS Appropriations Bill Published

Last night the Homeland Security Subcommittee of the House Appropriations Committee published the draft of the FY 2015 DHS spending bill that will be marked up this evening. As expected that draft includes language that would re-authorize the CFATS program for an additional year {§530}. It also includes, for the first time language that is clearly (but not specifically) targeted at the CFATS Personnel Surety Program. That new language {§556} would limit the Departments ability to require chemical facilities to submit names of individuals for clearance against the Terrorist Screening Database if they had already be vetted against that list by another DHS program. This provision would only apply in FY 2015.

DHS Updates CFATS Knowledge Center – 5-28-14

This morning the folks at DHS Infrastructure Security Compliance Division (ISCD) updated one of the articles on the CFATS Knowledge Center. This update made a minor change to the response for Article 1670, How DHS Notifies a Facility of Its Preliminary or Final Tiering. The change is similar to those made last week; it corrected the link to the CSAT Portal.

Bills Introduced – 05-27-14

Yesterday the House met in a pro forma session but a bill was introduced in any case. And, as fate would have it, it would be one of probable interest to readers of this blog.

HR 4745 Latest Title: Making appropriations for the Departments of Transportation, and Housing and Urban Development, and related agencies for the fiscal year ending September 30, 2015, and for other purposes. Sponsor: Rep Latham, Tom (R,IA)

The bill was introduced along with the Appropriations Committee report on the bill (a standard procedure for appropriations bills). A copy of the bill is available on the GPO web site but the Committee Report is not (though a marked up draft is available on the House Rules Committee web site).

The Rules Committee hearing for this bill has already been announced for Thursday afternoon along with the intel authorization bill I mentioned earlier.

Tuesday, May 27, 2014

ICS-CERT Updates Two Siemens Advisories

Today the DHS ICS-CERT published updates for advisories for two separate vulnerabilities reported in the Siemens RuggedCom ROS devices. The original versions of these advisories were published in February and March of this year. Both of these updates (Improper input validation; and Uncontrolled resource consumption) now report that updates are available for all of the affected products and it seems that updating for either one will take care of the problem for both advisories. German efficiency in action.

OMB Publishes Spring 2014 Unified Agenda

Last week the OMB’s Office of Information and Regulatory Affairs (OIRA) published the latest version of the Unified Agenda. This is supposed to be a list of all of the Administration’s currently planned rulemaking activities. This is supposed to be done twice a year and has traditionally been done in the ‘Spring’ and ‘Fall’, though those terms bear only passing resemblance to calendar terminology. The last update was published in November of last year.

The table below provides a listing of the DHS rulemakings listed in the Spring Unified Agenda that will be of specific interest to readers of this blog:

Chemical Facility Anti-Terrorism Standards (CFATS)
Petitions for Rulemaking, Amendment, or Repeal
Proposed Rule
Updates to Maritime Security
Proposed Rule
General Aviation Security and Other Aircraft Operator Security
Proposed Rule
Security Training for Surface Mode Employees
Proposed Rule
Freight Railroads and Passenger Railroads--Vulnerability Assessment and Security Plan
Proposed Rule
Standardized Vetting, Adjudication, and Redress Services
Proposed Rule
Ammonium Nitrate Security Program
Final Rule
Classified National Security Information
Final Rule
Transportation Worker Identification Credential (TWIC); Card Reader Requirements
Final Rule
Revision to Transportation Worker Identification Credential (TWIC) Requirements for Mariners
Final Rule

CFATS Rulemaking

There is only one new item on the list; the CFATS rulemaking update. According to the abstract published by OIRA:

“The Department of Homeland Security (DHS) invites public comment on the Advance Notice of Proposed Rulemaking (ANPRM) for potential revisions to the Chemical Facility Anti-Terrorism Standards (CFATS) regulations. DHS believes this ANPRM will provide expanded opportunities for DHS to hear and consider the views of interested members of the public on their recommendations for possible program changes.”

From various public pronouncements in the last month or so it would seem that the whole of the CFATS program would be subject to this ANPRM. According to the various comments this would include an update of the basic regulations, the list of DHS chemicals of interest (COI), and the Risk-Based Performance Standards Guidance (RBPS Guidance) document.

While there is a certain operational elegance to addressing the whole program in a single rulemaking, this will be certain to bog down the entire process in a political rehash of sensitive topics such as the personnel surety program and the concept of inherently safer technology. Separating out the least controversial portions of the program (the list of COI and the RBPS Guidance for example) would allow those to proceed while the main rulemaking would certainly flounder.

Of course, this will all be a moot point if Congress actually gets around to passing HR 4007 this summer. The rulemaking mandated by that legislation would take precedence and would likely avoid the ANPRM process; going directly to a notice of proposed rulemaking.

Other Rulemakings

There are no significant changes to the other rulemakings on my list. Long time readers will note that I have stopped publishing the political fiction of the ‘expected dates’ for the next step in the rulemaking process. Of the eleven rulemakings listed in the table only one has even a snowballs chance in hell of meeting the published expected date. That would be the May 2014 date for the Classified National Security Information rulemaking, since OMB has already approved the language for this final rule. I am actually surprised that it hasn’t already been published.

Monday, May 26, 2014

Committee Hearings – Week of 5-25-14

The House is coming back from a lengthy Memorial Day Weekend later this week, but the Senate won’t be back until next week. The short week makes for few hearings and only two of them will be of interest to readers of this blog; a spending bill markup and an oversight hearing.

DHS Spending Bill

The Homeland Security Subcommittee of the House Appropriations Committee will be holding a markup hearing on Thursday of the FY 2015 spending bill for DHS. A committee print of that may be available later this week.

DHS Oversight Hearing

The House Judiciary Committee will hold an oversight hearing on the Department of Homeland Security on Thursday. These are typically pretty high-level policy type discussions so I really don’t expect much in the way of chemical security or chemical transportation security to come up in this hearing.

On the Floor

One spending bill will come to the House floor this week; HR 4660, Commerce, Justice, Science, and Related Agencies Appropriations Act this will come to the floor under an open rule so there may be some interesting amendments including some in the cybersecurity area. The Rules Committee hearing on this bill has not been set, but it would almost have to be on Wednesday evening.

A controversial authorization bill will come to the floor on Friday; HR 4681, Intelligence Authorization Act for Fiscal Years 2014 and 2015. This will be a less open rule, but the Rules Committee hearing on this bill has not yet been set either. Amendments have to be submitted by Wednesday afternoon, so I expect that the hearing will be Thursday evening.

Sunday, May 25, 2014

EPA Submits RMP RFI Notice to OMB

On Thursday the Environmental Protection Agency submitted a notice to the OMB’s Office of Information and Regulatory Affairs (OIRA) for approval concerning a Risk Management Program request for information. I would assume that this is related to the requirements of §6(a)(iii) of the President’s Executive order on Increasing Chemical Safety and Security (EO 13650). That sub-paragraph requires that the Chemical Safety and Security Working Group to “develop a plan for implementing practical and effective improvements to chemical risk management identified pursuant to subsections (a)(i) and (ii) of this section.”

It will be interesting to see how long this takes to get out of the OMB. Depending on how politically sensitive the recommendations made in the notice actually are this may happen after Election Day in November.

Saturday, May 24, 2014

DHS Updates CFATS Knowledge Center – 05-22-14

Last Thursday the folks at DHS Infrastructure Security Compliance Division (ISCD) updated the CFATS Knowledge Center. They made some corrections and updates to links provided in nine responses to frequently asked questions (FAQ). Well actually the changes were made to 7 of the 9 FAQ responses that were marked as having been updated; I cannot see any changes to the other two.

The 9 FAQs are:

• FAQ 1221 – No detectable difference;
• FAQ 1363 – Updated link to CSAT Tool;
• FAQ 1490 – Updated links to CVI Procedures Manual;
• FAQ 1513 – Provides link to SVA Instruction Manual;
• FAQ 1514 – Provides link to SVA Instruction Manual;
• FAQ 1606 – Updated link to CSAT Tool;
• FAQ 1618 – Corrected link to CSAT Tool;
• FAQ 1662 – Corrected link to CSAT Tool;
• FAQ 1733 – No detectable difference.

The links that were updated had to be taken care of because of the changes that ISCD has made over the years in the way they handle links to their various manuals. The current system keeps the same link when they update manuals so FAQ responses (and other documents and sites with links to these manuals) do not have to be changed when manuals are upgraded. Any links to manuals that predate that procedure change will have to be identified and adjusted.

The two ‘corrected links’ changes both dealt with responses that had links to a document and the CSAT site. Unfortunately both links ended up being to the document.

In some ways it is surprising that these changes take so long to make. One would like to think that there is a continuous improvement effort that goes back and reviews these things to catch errors like this. In a perfect world with unlimited funding that would probably happen. I am certain, however, that ISCD does not have a professional proofreader on staff and it really does take a special type person to do this type of document checking.

CFATS Knowledge Center users can help. Any time they see an obvious error or see something that is less than clear people should use the ‘User Feedback’ section of each FAQ to call the matter to the attention of ISCD. And don’t forget, positive feedback is always welcome.

ICS-CERT Publishes Emersion Advisory

Note: It’s been a busy week at my real job, so some stuff is being posted much later than normal.

On Thursday DHS ICS-CERT published an advisory for two vulnerabilities in the DeltaV product from Emerson. The vulnerabilities were reported to Emerson in a coordinated disclosure by a team (Kirill Nesterov, Alexander Tlyapov, Dmitry Nagibin, Alexey Osipov, and Timur Yunusov) from Positive Technologies. Emerson has produced a patch to mitigate the vulnerabilities, but there is no indication in the advisory if Positive Technologies has had a chance to validate the efficacy of the patch.

The two vulnerabilities are:

• Improper authorization - CVE-2014-2349;
• Hard-coded credentials - CVE-2014-2350.

ICS-CERT reports that a relatively unskilled attacker with local access and a successful social engineering attack could exploit these vulnerabilities to conduct a denial of service attack or read/replace configuration files, or log into accounts.

Emerson only releases their advisories to customers so no other information on this vulnerability is publicly available.

Friday, May 23, 2014

Bills Introduced – 5-22-14

With the House and Senate leaving town for a LONG Memorial Day Weekend there were 76 bills introduced yesterday. Only three of them may be of specific interest to readers of this blog:

HR 4726 Latest Title: To amend title 23, United States Code, to direct the Secretary of Transportation to establish an innovation in surface transportation program, and for other purposes. Sponsor: Rep Davis, Rodney (R,IL)

HR 4738 Latest Title: To ensure the safety of DOT-111 tank cars by improving standards for new tank cars and upgrading existing tank cars, and for other purposes. Sponsor: Rep Payne, Donald M., Jr. (D,NJ)

S 2384 Latest Title: A bill to require the President to develop a watch list and a priority watch list of foreign countries that engage in economic or industrial espionage in cyberspace with respect to United States trade secrets or proprietary information, to provide for the imposition of sanctions with respect to foreign persons that knowingly benefit from such espionage, and for other purposes. Sponsor: Sen Levin, Carl (D,MI)

The first and last bills in the list may contain specific language of interest, I’ll wait and see when they are published. Chemical transportation folks and emergency responders will certainly be interested in the actual wording of the provisions in HR 4738.

Bills Introduced – 5-21-14

I’m a little bit late getting this out but here are the bills that were introduced on Wednesday that might be of interest to readers of this blog:

S 2372 Latest Title: A bill to provide additional oversight and guidance to the Department of Homeland Security. Sponsor: Sen Bennet, Michael F. (D,CO)

S 2380 Latest Title: A bill to amend title 49, United States Code, to improve the national freight policy of the United States, and for other purposes. Sponsor: Sen Booker, Cory A. (D,NJ)

Both of these bills are kind of iffy about containing specific language that pertains to chemical safety and security, but we will just have to wait and see what they contain.

Wednesday, May 21, 2014

Bills Introduced – 05-20-14

Both the Senate and House were in session yesterday and a total of 31 bills were introduced. Four of those bills may be of specific interest to readers of this blog:

HR 4687 Latest Title: To amend title 49, United States Code, to provide for the inspection of pipeline facilities that are transferred by sale and pipeline facilities that are abandoned, and for other purposes. Sponsor: Rep Hahn, Janice (D,CA)

HR 4689 Latest Title: To require a plan approved by the Surface Transportation Board for the long-term storage of rail cars on certain railroad tracks. Sponsor: Rep Kline, John (R,MN)

S 2354 Latest Title: A bill to improve cybersecurity recruitment and retention. Sponsor: Sen Carper, Thomas R. (D,DE)

S 2365 Latest Title: A bill to prohibit the long-term storage of rail cars on certain railroad tracks unless the Surface Transportation Board has approved the rail carrier's rail car storage plan. Sponsor: Sen Klobuchar, Amy (D,MN)

The two railcar storage bills are probably identical companion measures. I’ll report on them if they contain specific language referring to railcars containing hazardous chemicals.

I suspect that the cybersecurity bill refers to ‘recruitment and retention’ in the Federal sector, so it may not get any additional coverage unless the language will have specific impact on the private sector.

Tuesday, May 20, 2014

ICS-CERT Publishes Siemens HeartBleed Update

Today the DHS ICS-CERT published an updated version of the HeartBleed advisory for a number of Siemens products. This is the second update for this advisory. The first was published on April 29th, 2014 and the original advisory was published on April 15th, 2014.

Siemens now reports that they have released product updates for all systems identified as vulnerable to the HeartBleed vulnerability.

ICS-CERT did not publish an updated version of their HeartBleed advisory nor have they updated their downloadable spreadsheet listing the HeartBleed status of a wide variety of control system products.

FAA Interprets Model Aircraft Rule

Yesterday the OMB’s Office of Information and Regulatory Affairs announced that it had received a draft of a notice from the Federal Avaiation Administration interpreting its rules on Model Aircraft.

The FAA set forth its current guidance on the operation of model aircraft back in 1981 in FAA Circular AC 91-57. It published a notice in the Federal Register (72 FR 6689-6690) updating that guidance with respect to commercial operations of unmanned aircraft systems.

Notices such as this are not listed in the Unified Agenda so we have no publicly available information about what this notice might address. I would suppose, however, that with the rise of ever more sophisticated small, unmanned aerial vehicles (UAV) that there will be additional restrictions placed upon their operations. This may include discussion about the operation of such vehicles over and around critical infrastructure facilities.

There is no telling how long this will take to clear OIRA since we have no idea how politically sensitive the notice will be.


Yesterday the OMB’s Office of Information and Regulatory Affairs announced that the National Archives and Records Administration (NARA) had submitted a draft of its notice of proposed rulemaking for the establishment of its Controlled Unclassified Information program. The requirements for this long overdue rulemaking were set forth in EO 13556, Controlled Unclassified Information.

According to the latest Unified Agenda entry for this rulemaking (RIN: 3095-AB80) that EO established “an open and uniform program for managing information requiring safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, excluding information that is classified under Executive Order 13526, or the Atomic Energy Act, as amended”.

The only details we have available about this proposed rulemaking at this date also come from that entry in the Unified Agenda. It notes that the NPRM would provide “guidance to agencies on safeguarding, disseminating, marking, and decontrolling CUI, self-inspection and oversight requirements, and other facets of the program”.

As I have noted in earlier posts on this EO this NPRM could potentially affect a number of chemical security related programs including CFATS (CVI), transportation security (SSI), and voluntary security information submissions to the government (PCII).

There is no telling how long it will take this rulemaking to percolate through OIRA. It is supposed to take just a couple of months, but in practice it can take years depending on the perceived political consequences of the rulemaking. Given the length of time that it has taken NARA to craft the NPRM, I expect this will be a lengthy process.

NPPD Announces Openings for 5 CSI

The DHS National Protection and Programs Directorate (NPPD) recently posted job openings via for Chemical Security Inspectors (CSI) at five locations. The open period for applying for these positions is Friday, May 16, 2014 to Thursday, May 29, 2014. Position openings are available in the following locations: Brea, Ca; Hammond, IN; Baton Rouge, LA; St.Louis, MO; Memphis, TN.

The job description includes:

• Plan, coordinate, assist with and conduct on-site physical inspections/audits, documentary and data reviews, personnel interviews, incident investigations and site vulnerability analysis of chemical facilities as a member of a regional field operations team.
• Assist and/or lead in the production of field reports and briefings following inspections, compliance assistance visits, incident investigations and other events as requested or deemed necessary by senior DHS officials. 
• Provide support for and maintain cognizance of the enforcement of administrative sanctions, including the termination of chemical facility operations, as prescribed by law, through participation in enforcement action planning and post-execution operational phases and reports.
• Provide specific, clear, concise, accurate and detailed chemical facility inspection data for inclusion into reports and briefings to aid in supporting possible preventative, corrective, and/or administrative action.
• Participate with Federal, State, local and tribal officials as well as chemical industry private sector officials in emergency preparedness activities (i.e., conferences, exercises, workshops, seminars etc.) and serve on collaborative tasks forces and committees relevant to developing further chemical security awareness.

There are essentially two tracks for job qualifications. You can either have experience conducting chemical facility security inspections or you can have an advanced degree in Safety Engineering, Industrial Hygiene Inspection, Chemical Engineering, and Process Safety Engineering. Interestingly a degree in Chemistry is specifically inadequate unless it includes course work in the fields listed above. (On a personal note: that means that I would not be qualified to apply for this position.)

The application process for these positions can only be started via

Monday, May 19, 2014

OMB Receives EPA’s Proposed CCL 4

On Saturday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a copy of the Environmental Protection Agency’s  (EPA) new proposed Drinking Water Contaminant Candidate List (CCL 4). According to the EPA’s CCL web page:

“EPA must periodically publish this list of contaminants (called the Contaminant Candidate List or CCL) and decide whether to regulate at least five or more contaminants on the list (called Regulatory Determinations).”

It will be interesting to see if the EPA takes the politically expedient course and adds crude 4-methylcyclohexanemethanol (MCHM, the Freedom Spill chemical) to the list. Not that MCHM is a wide spread drinking water threat, but it certainly is a visible one.

Friday, May 16, 2014

NIST Announces SGAC Meeting – 06-03-14

Today the DOC’s National Institute of Standards and Technology (NIST) published a meeting notice in the Federal Register (79 FR 28484-28485) concerning a meeting of the Smart Grid Advisory Committee (SGAC) in Washington, DC on June 3rd, 2014. The meeting is open to the public.

According to the notice the preliminary agenda includes:

• The updated NIST Framework and Roadmap for Smart Grid Interoperability Standards;
• The updated Guidelines for Smart Grid Cyber Security (NISTIR 7628)
• The NIST Smart Grid Testbed activities; and
• The interaction between Cyber-Physical System and Smart Grid.

The final agenda will be published on the NIST Smart Grid web site.

Entrance into the NIST facility requires pre-registration. The required pre-registration information may be submitted via email ( Up to 30 minutes has been set aside for public comments. Personnel wishing to make oral presentations can register their intent via the same email address. Written comments may be submitted in the same way.

Bills Introduced – 5-16-14

The Senate has been in town all week and the House ‘met’ yesterday in a pro forma session (probably 3 members present for 5 minutes), but of the 29 bills introduced, a third came from the House. The one bill of potential specific interest to readers of this blog was a House bill:

HR 4660 Latest Title: Making appropriations for the Departments of Commerce and Justice, Science, and Related Agencies for the fiscal year ending September 30, 2015, and for other purposes. Sponsor: Rep Wolf, Frank R. (R,VA)

I’ll be watching this bill for cybersecurity provisions.

Thursday, May 15, 2014

ICS-CERT Publishes 3 HeartBleed, 1 SQL Injection and 1 Certificate Advisories

Today the DHS ICS-CERT published five advisories; one an update of the generic OpenSSL Alert and two new control system HeartBleed advisories, a security certificate advisory and a good ‘old-fashioned’ SQL Injection advisory.

Generic OpenSSL Advisory

Instead of continuing to provide ‘letter’ updates to the original OpenSSL Alert (last updated 4-29-14), ICS-CERT upgraded the document to an Advisory. There is a lot of new information in the new Advisory, including discussions of:

• Impact;
• Background;
• The vulnerability;
• Mitigation overview;
• OpenSSL scanning;
• Detection signatures;
• Specialized search engines;

At first glance it is disappointing that there is not a list of affected and unaffected systems included in the Advisory the way there was in the earlier Alert. On closer inspection there is a download link to a spread sheet that provides that information in much more detail. I would have preferred something that would have let you know the latest date that the list had been updated (today’s was last updated 5-15-14).

Two Product Specific HeartBleed Advisories

The two product specific Advisories are for products from Unified Automation and Schneider. The UA advisory contains a link to their description of the HeartBleed vulnerability. The Schneider advisory notes that the problem is not actually theirs; it exists in a third party component (from Tableau Software). As always this raises the question of what other vendors may be using the offending application in their products and thus have the same vulnerability.

SQL Injection

This advisory is for an SQL injection advisory for CSWorks software. The vulnerability was reported by John Leitch in a coordinated disclosure via the Zero Day Initiative. CSWorks has produced an updated version that mitigates the vulnerability, though there is no mention if Leitch has verified the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability to possibly execute arbitrary code.

The CSWorks security release for this vulnerability reminds system administrators that under “no circumstances should administrators give root access to CSWorks”.

Certificate Vulnerability

This advisory is for a certificate verification vulnerability in the Siemens RuggedCom Rox devices. This is apparently a self-identified vulnerability and Siemens is still working on firmware updates for the affected systems.

ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to execute a man-in-the-middle attack.

Pending the production of firmware updates Siemensrecommends the following interim mitigation measures:

• Secure Syslog: Siemens recommends placing the syslog server inside the trusted
network boundary until a corrected update is made available.
• Software upgrade: When updating devices running the affected ROX versions, the
identity of the update server cannot be ensured. Siemens recommends placing the
upgrade server inside the trusted network boundary.

• FTPS: Siemens recommends using SFTP for data transfer until a corrected update is available.

Wednesday, May 14, 2014

TSA Publishes Pipeline Security 60-Day ICR Notice

Today the DHS Transportation Security Administration (TSA) published a 60-day information collection request (ICR) renewal notice in the Federal Register (79 FR 27631-27632) for their Critical Facility Information of the Top 100 Most Critical Pipelines program. This ICR (1652-0050) was last renewed in February 2012 and expires February 2015.

TSA is making a revision to the number of expected responses from industry covered by this ICR and reduces the estimate time burden associated with collection of information. A summary of that change is provided in the Table below.

Time Burden (hours)
Cost Burden ($)
Table: Change in Burden Estimate

Part of the change in burden estimate is apparently driven by the fact that TSA is no longer collecting information used to establish the Pipeline System Critical Facility List. There is no indication in the ICR as to why TSA believes that this information will not require some sort of periodic updating to reflect changes in the pipeline infrastructure in this country.

Another change is that TSA is reducing the number of Critical Facility Security Reviews conducted each year from 120 to 90. These CFSRs are conducted via on-site visits and use a check list; the Pipeline Security Critical Facility Review (WORD® Download) form. According to the supporting document (WORD® Download) submitted with the last ICR renewal only 24 of the 120 visits would be conducted by TSA personnel (Q-14, pg 5) with the remainder being conducted by contractors. There was no explanation given in the earlier ICR documents why there were 120 annual visits to the ‘Top 100 100 Most Critical Pipelines’ nor is there an explanation in this ICR renewal notice as to why this is being reduced to 90.

The final change is that TSA is reducing the number of expected follow-up email questionnaires to check up on the implementation of recommended practices. The earlier ICR documentation indicates 197 annual follow up emails (for 120 visits) while this notice indicates that only 90 such email follow-ups will be conducted going forward. This may reflect TSA experience that only one follow-up is necessary as this follow-up procedure was just established as part of the last revision of this ICR.

NOTE: TSA reports that they do not estimate a cost to industry beyond their hour burden estimate. Unfortunately, this is not uncommon.
/* Use this with templates/template-twocol.html */