Tuesday, September 30, 2014

ICS-CERT Publishes Two PLC Advisories

This afternoon the DHS ICS-CERT published advisories for vulnerabilities in two well-known control systems: Rockwell MicroLogix 1400 PLCs and the SchneiderWEB Server. Both advisories are for coordinated disclosures by outside researchers.

Rockwell Advisory

This advisory is for a denial of service vulnerability in the DNP3 implementation of the Allen-Bradley MicroLogix 1400 controller platform. The vulnerability was discovered by Matthew Luallen of CYBATI. Rockwell has produced a firmware revision to mitigate the vulnerability and the efficacy of that fix has been verified by Luallen according to the advisory. The advisory was originally released to the US-CERT Secure Portal on September 11th.

ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to conduct a denial of service attack.

Interestingly, Matthew is associated with Crain-Sistrunk via Project Robus. Apparently this vulnerability was discovered using the Robus fuzzer. That would mean that the fuzzer does more than ‘just’ detect the classic Crain-Sistrunk DNP3 vulnerabilities.

Schneider Advisory

This advisory reports a directory traversal vulnerability in the SchneiderWEB server identified by Billy Rios. According to the advisory this affects 22 different products in 66 Part Numbers. Schneider has released firmware updates for some versions of the 22 products. The advisory reports that “Rios has tested the update [emphasis added] to validate that it resolves the vulnerability”. There may be some confusion about how Schneider uses the terms “part number” and “product” in their advisory. Billy Rios says that 22 different PLCs are affected.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to affect “unauthenticated administrative access and control over the device”.

Rios reports that there may be 800 of these devices visible on the internet.
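The advisory does not describe the traversal mechanics, but the general defensive check is the same for any embedded web server that maps a URL path onto a document root: decode the request, normalize it, and refuse anything that does not land under the root. The following is an added illustration, not code from Schneider, ICS-CERT or the advisory; the document root and the request lines are constructed for the example. The same containment function doubles as a detector when run over request log lines, which is how an owner/operator would look for probing against a device that cannot yet be patched.

```python
import posixpath
from typing import List, Optional
from urllib.parse import unquote

# Hypothetical document root for the example; a real device uses its own.
WEB_ROOT = "/var/www/htdocs"


def resolve_request_path(web_root: str, request_path: str) -> Optional[str]:
    """Map a URL path to a filesystem path under web_root.

    Returns the normalized path when it stays inside the root and None when
    the request would escape it (the directory traversal case).
    """
    decoded = request_path
    # Decode repeatedly so double-encoded sequences such as %252e%252e
    # cannot slip past a single unquote() call.
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # Embedded NUL bytes truncate C strings; reject them outright.
    if "\x00" in decoded:
        return None
    # Treat backslashes as separators so ..\ behaves like ../ on every platform.
    decoded = decoded.replace("\\", "/")
    # Drop leading slashes so posixpath.join() does not reset to an absolute path.
    relative = decoded.lstrip("/")
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, relative))
    # Containment check: the candidate must be the root itself or a child of it.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed sample request lines, not taken from any real device log.
SAMPLE_REQUESTS = [
    "GET /index.html",
    "GET /../../etc/passwd",
    "GET /%2e%2e/%2e%2e/etc/passwd",
    "GET /images/..%5c..%5cboot.ini",
    "GET /docs/%252e%252e/%252e%252e/secret.cfg",
    "GET /docs/../index.html",
]


def flag_traversal(lines: List[str]) -> List[str]:
    """Return the request lines whose path would escape WEB_ROOT."""
    flagged = []
    for line in lines:
        path = line.split(" ", 1)[1] if " " in line else line
        if resolve_request_path(WEB_ROOT, path) is None:
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for line in flag_traversal(SAMPLE_REQUESTS):
        print("traversal attempt:", line)
```

`posixpath.normpath()` is purely lexical; a server that follows symlinks under the document root should apply the same containment test to `os.path.realpath()` of the candidate as well, since a link inside the root can point outside it. Note that `/docs/../index.html` is accepted: the check is about where the path ends up, not whether it contains `..`.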

Wednesday, September 24, 2014

ISCD Updates CFATS Knowledge Center – 9-24-14

Today the folks at ISCD added a short news item to their CFATS Knowledge Center web page announcing that they had made some administrative changes to the Chemical Security Assessment Tool (CSAT) application used by facilities covered under the Chemical Facility Anti-Terrorism Standards (CFATS) program to submit required information to DHS about their facilities.

That news item said:

“The Chemical Security Assessment Tool (CSAT) is a web based application that supports the Chemical Facility Anti-Terrorism Standards (CFATS) program. Over the last year, the Department of Homeland Security focused on revising and improving the usability and effectiveness of CSAT. Learn about the various updates to CSAT highlighted in the “2014 Updates to the Chemical Security Assessment Tool” Fact Sheet.”

Further down the page there is a link to that document under the documentation heading. That one-page handout briefly outlines some of the administrative changes that were made. There is nothing earth-shattering listed; just the kind of changes that make people's jobs just a little bit easier. These are the kind of changes that bureaucracies generally overlook. They include:

1. Adding page numbers to summary reports
2. Pre-populating SSP survey questions on resubmissions rather than making facilities re-enter previously collected
3. Allowing all CSAT user roles for a facility the ability to view and print surveys in the CSAT document folder
4. Eliminating the need for a facility to revalidate all RBPS after a SSP unlock is conducted
5. Adding commas to all numeric fields in surveys to reduce errors in quantities reported
6. Creating a Top-Screen Update function that generates a new Top-Screen survey pre-populated with all information from a previous submission
7. Adding the Facility Authorizer to the CC line of CSAT email notifications

Tuesday, September 23, 2014

FDA Cybersecurity Workshop Scheduled

Today the Food and Drug Administration published a notice in the Federal Register (79 FR 56814-56816) announcing a public workshop on “Collaborative Approaches for Medical Device and Healthcare Cybersecurity”. The notice also serves as a request for comments on the same topic. The two-day workshop will be held on October 21st in Arlington, VA.

Recognizing the increasing interconnectedness of medical devices, diagnostic tools, individual medical records and health care administrative functions, the FDA is holding this workshop to look at how the health care community and the Healthcare and Public Health (HPH) Sector can collaboratively increase cybersecurity and implement the Cybersecurity Framework (CSF) developed by NIST.

The two-day workshop will address the following themes:

● Envisioning a collaborative environment for information sharing;
● Overcoming barriers to create a community of ‘shared ownership and shared responsibility’ within the HPH Sector;
● Gaining situational awareness of the current cyber threats to the HPH Sector, especially to medical devices;
● Identifying cybersecurity gaps and challenges;
● Adapting and implementing the Framework to support management of cybersecurity risks involving medical devices;
● Developing tools and standards to build a comprehensive cybersecurity;
● Leveraging the technical subject matter expertise of the cybersecurity researcher community; and
● Building potential solutions.

Additionally, the FDA is looking for input on five specific cybersecurity related questions:

● Are stakeholders aware of the “Framework for Improving Critical Infrastructure Cybersecurity”?
● How can we establish partnerships within the HPH Sector to quickly identify, analyze, communicate, and mitigate cyber threats and medical device security vulnerabilities?
● How might the stakeholder community create incentives to encourage sharing information about medical device cyber threats and vulnerabilities?
● What lessons learned, case studies, and best practices (from within and external to the sector) might incentivize innovation in medical device cybersecurity for the HPH Sector?
● How do HPH stakeholders strike the balance between the need to share health information and the need to restrict access to it?

In addition to responses from workshop participants about these themes and questions, the FDA is soliciting written comments on these topics. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # FDA-2014-N-1286). Comments need to be submitted by October 7th. That is a very short deadline, but the FDA is going to attempt to use these comments to guide their presentations at the workshop.

Because of limited seating availability the FDA is requiring advance registration to attend the workshop. You are supposed to be able to register for this on-line via the FDA Workshop and Conferences (Medical Devices) web page, but as of 05:00 am CDT this workshop was not listed on that page. This workshop will also be webcast. Registration for the webcast is also supposed to be via the same web site. The registration deadline for both is October 14th.

Saturday, September 20, 2014

Bills Introduced – 09-18-14

This is a day late because it took the folks at Thomas.LOC.gov some extra time to list the 242 bills that were introduced on Thursday. This was the last day that both the House and Senate were scheduled to be in Washington until November 12th so the number of political posturing bills was huge. Of all of those bills it looks like there are five that may be of specific interest to readers of this blog:

HR 5532 Latest Title: To improve the Compliance, Safety, Accountability initiative of the Federal Motor Carrier Safety Administration, and for other purposes. Sponsor: Rep Barletta, Lou (R,PA)

HR 5534 Latest Title: To amend the Safe Drinking Water Act to increase assistance for States, water systems, and disadvantaged communities; to encourage good financial and environmental management of water systems; to strengthen the Environmental Protection Agency's ability to enforce the requirements of the Act; and for other purposes. Sponsor: Rep Tonko, Paul (D,NY)

HR 5593 Latest Title: To amend the Intelligence Reform and Terrorism Prevention Act of 2004 to enhance security clearance investigation procedures, and for other purposes. Sponsor: Rep Gabbard, Tulsi (D,HI)

S 2858 Latest Title: A bill to enhance rail safety and provide for the safe transport of hazardous materials, and for other purposes. Sponsor: Sen Menendez, Robert (D,NJ)

S 2869 Latest Title: A bill to enhance the homeland security of the United States, and for other purposes. Sponsor: Sen Coats, Daniel (R,IN)

The chances are slim that any of these bills will do anything more than take up space in the Library of Congress. I don’t expect that any of them will make it to committee consideration in the lame duck session.

Thursday, September 18, 2014

ICS-CERT Publishes Advantech Advisory

Earlier this evening the DHS ICS-CERT published a new advisory for multiple buffer overflow vulnerabilities in the Advantech WebAccess application. The vulnerabilities were identified by Ricardo Narvaja of Core Security Technologies in a coordinated disclosure. Advantech has provided a patch to resolve the vulnerabilities and Narvaja has verified the efficacy of the fix.

The eight stack buffer overflow vulnerabilities affect the following parameters:

● NodeName, CVE-2014-0985;
● GotoCmd, CVE-2014-0986;
● NodeName2, CVE-2014-0987;
● AccessCode, CVE-2014-0988;
● AccessCode2, CVE-2014-0989;
● UserName, CVE-2014-0990;
● ProjectName, CVE-2014-0991;
● Password, CVE-2014-0992.

Because exploiting these vulnerabilities would require a social engineering attack, ICS-CERT reports that while one of these vulnerabilities could be exploited remotely, the likelihood of a successful attack is reduced.

Senate Passes HJ Res 124

Earlier this evening the Senate took up the FY 2015 Continuing Resolution, HJ Res 124, and passed it with a bipartisan vote of 78 to 22. Eight Republicans joined 14 Democrats in voting against the bill. Once the President signs the bill the government will remain funded through December 11th.

As passed the bill has some relatively vague provisions supporting select anti-Assad rebels. It also includes an extension of the CFATS program to that same December date.

There is still a chance that some of the individual spending bills might be taken up after the election, but most will probably be lumped together in an omnibus spending bill.

Wednesday, September 17, 2014

House Amends and Passes HJ Res 124

Earlier this evening the House passed the FY 2015 Continuing Resolution, HJ Res 124, after adopting the only amendment available for consideration. The Syrian rebel aid amendment passed in a bipartisan vote of 273 to 156; more Democrats supported it than there were Republicans who opposed the bill. The final vote was much more bipartisan, at 319 to 108.

This bill will extend government spending through December 11th. It also extends the CFATS regulations through that date.

The Senate has until September 30th to pass the bill.

ICS-CERT Publishes Yokogawa Advisory

This afternoon the DHS ICS-CERT published an advisory for an authentication vulnerability in the Yokogawa Centum 3000 series. The vulnerability was initially reported by Tod Beardsley of Rapid7 in a semi-coordinated disclosure. It was initially disclosed to Yokogawa (May 1st according to Rapid7) and to CERTs (June 25th; presumably Japan-CERT and ICS-CERT?). The “semi” comes from the publication of a Metasploit module on August 9th and a Defcon presentation at about the same time. No word why ICS-CERT did not produce an alert at that point, particularly since it appears that Yokogawa probably had interim mitigation measures available at that time. It could be that Yokogawa, not ICS-CERT, was responsible for that decision.

NOTE: The ICS-CERT advisory gives co-discovery credit to Jim Denaro of CipherLaw. According to the Rapid7 post about this vulnerability it sounds like Denaro was providing legal advice, not technical involvement in discovering the vulnerability.

ICS-CERT reports that a relatively unskilled attacker could use the publicly available exploit to remotely leak the CENTUM project database location, read and write arbitrary files,

Yokogawa expects to publish patches for the affected projects by the end of this month. The Advisory provides information on interim mitigation strategies.

There is an interesting comment in the Yokogawa report on this vulnerability (pg 2) that did not make it into the ICS-CERT advisory:

“When Yokogawa service personnel perform updating the revision and application the software patch, those charges are borne by the customer.”

I’m hoping that it lost something in translation, but it sure sounds like if Yokogawa has to send out a rep to install their patches, the system owner is going to pay for that service.

S 2784 Introduced – Rail Safety

As I noted last week, Sen. Blumenthal (D,CT) introduced S 2784, the Rail Safety Improvement Act of 2014. The bill would provide authorization for funding various DOT rail safety programs under 49 USC 20117 and adds some new safety requirements, including specific requirements for highly hazardous flammable trains (HHFT).

HHFT Rulemakings

In many ways Section 6 of this bill is a specific authorization for the current HHFT, HHFT emergency response and train securement rulemakings that are being undertaken by the Pipeline and Hazardous Material Safety Administration (PHMSA) and the Federal Railroad Administration (FRA). There are some significant differences that could affect those rulemaking processes.

One significant effect could be on the timing of those rules. This bill would set very short deadlines (180 days for the emergency response {§6(e)(1)} and train securement {§13} rulemakings) for DOT to put these rules into place. There is no specific deadline for the HHFT regulation process, but the HHFT requirements would become law upon this bill being signed by the President.

DOT could, of course, ignore these time limits as they have done for so many other congressional requirements or they could short-cut the publication and comment provisions of the rulemaking process and institute the provisions as a directed rulemaking. That response would almost certainly be challenged in court.

HHFT Requirements

This bill has some differences from the current PHMSA proposed rule. First, it would codify the requirements in 49 USC 5111. It would expand the route notification requirements to include county officials {§5111(b)(1)}, require submission of copies of those notifications to DOT {§5111(b)(2)}, and specifically place those submissions to DOT under the public disclosure requirements of the Freedom of Information Act (5 USC 552). Interestingly, the DOT notification requirements do not apply to the requirement to provide route update information to State and County emergency response officials. It also provides for civil fines of up to $175,000 per day for failure to comply with these requirements {§5111(b)(5)}.

PTC for Crude Trains

Section 6(d) would amend 49 USC 20157(a)(1) by adding the requirement that any mainline over which “20 or more tank cars loaded with petroleum crude oil” are transported would have to be covered by a positive train control (PTC) system. There is no provision changing the time by which the PTC system for these lines would have to be operational, so presumably the December 21st, 2015 deadline would still apply. The wording does not seem to require that the 20 cars be in a single train, which further complicates the interpretation of this provision.

Moving Forward

This bill was introduced way too late in this session to be actually considered and passed. While there is a certain amount of political pressure on this issue, I do not believe that it is enough to overcome the political inertia of an election season and a busy lame duck session. This bill or another version of it will almost certainly be re-introduced in the next session.

DHS ‘Access Denied’

Okay DHS web site people, this has gone too far. What is going on with the new standard error message: “Access Denied. You are not authorized to view the web page you are attempting to load.”

I am seeing this crop up on too many public DHS web pages that I routinely check. I know that it is not a mistyping issue; I use a standard list of sites that I prepared and now just click on the links; those links have worked fine in the past.

Now all muckrakers are a tad bit paranoid, so my heart skips a beat when I see this on a new web site. My first thought is always “Have I finally pushed DHS too far?” After I take a quick breath I realize that this is probably just a new default that web site scripters are using for some inexplicable reason. Unfortunately, it seems that once this affliction hits a web site it becomes permanent.

This is currently in use for the following pages:

http://www.dhs.gov/2014-chemical-security-summit (the one that set me off today);

Let’s get this fixed. Paranoia already afflicts too many people when it comes to DHS operations. We don’t need to expand that list.

Bills Introduced – 09-16-14

As the first part of the pre-election recess nears the number of political posturing bills being introduced increases. Yesterday there were 55 bills introduced in the House and Senate. Amongst the posturing were two bills that may be of specific interest to readers of this blog:

HR 5482 Latest Title: To enhance the Office of Personnel Management background check system for the granting, denial, or revocation of security clearances or access to classified information of employees and contractors of the Federal Government. Sponsor: Rep Kelly, Mike (R,PA)

HR 5488 Latest Title: To require a review of the completeness of the Terrorist Screening Database (TSDB) maintained by the Federal Bureau of Investigation and the derivative terrorist watchlist utilized by the Transportation Security Administration, and for other purposes. Sponsor: Rep Jackson Lee, Sheila (D,TX)

The first may contain provisions that will affect the approval of security clearances for critical infrastructure personnel that would be necessary for obtaining intelligence information about potential threats. The second may contain provisions that would affect the security threat assessments conducted by TSA for TWIC, HME and CFATS programs.

Tuesday, September 16, 2014

ICS-CERT Publishes ClearSCADA Advisory

Today the DHS ICS-CERT published an advisory for three vulnerabilities reported in the Schneider Electric ClearSCADA system. Two of the vulnerabilities were reported by Aditya Sood and Schneider self-reported the third. Schneider continues to work on producing a patch to mitigate these vulnerabilities, but the advisory does provide some specific interim mitigation measures that owner/users can take. The patches are scheduled to be released later this month.

The three vulnerabilities are:

● Cross-site scripting, CVE-2014-5411;
● Authentication bypass, CVE-2014-5412;
● Weak hashing algorithm, CVE-2014-5413.

ICS-CERT reports that a low to moderately skilled attacker could remotely exploit two of these vulnerabilities, while the cross-site scripting vulnerability would require social engineering to get a local user with administrative access to trigger it.

Interestingly the ClearSCADA support page linked to in the advisory contains a link to their system security page which in turn provides a link to a page entitled “List of ClearSCADA Vulnerabilities”. The three vulnerabilities listed in this advisory are not listed on that page.

Neither are the vulnerabilities reported in two other ICS-CERT advisories (here and here) from earlier this year.

Bills Introduced – 09-15-14

Both the House and Senate were on the Hill yesterday, but apparently only the House introduced any new bills (as of 5 am CDT according to Thomas.loc.gov). They did introduce 20 bills, but only one of them might be of specific interest to readers of this blog:

HR 5469 Latest Title: To prevent future propane shortages, and for other purposes. Sponsor: Rep Latta, Robert E. (R,OH)

According to a press release from Latta’s office there is only a relatively minor chemical transportation safety provision in this bill, but I will have to see the actual bill to determine how minor it actually is.

Monday, September 15, 2014

Rules Committee Adopts Structure Rule for HJ Res 124

As I suggested Saturday, the House Rules Committee met this evening to develop the rule for the consideration of HJ Res 124, the FY 2015 Continuing Resolution. The meeting had originally been scheduled for last week but was postponed at the request of President Obama so that the language supporting the training of Syrian rebel forces that also oppose the Islamic State of Iraq and the Levant (ISIL) could be added to the CR.

The Committee adopted a structure rule for the consideration of the bill as introduced (with a minor correcting amendment added to the existing language). The rule provides for a six hour debate of an amendment proposed by Rep. McKeon (R,CA), the Chair of the House Armed Services Committee. That amendment would provide the assistance to “appropriately vetted Syrian groups and individuals”.

This will be the only amendment that the structured rule would allow to be offered. The rule (H Res 722) will probably be debated tomorrow afternoon with the debate on the amendment and the two votes coming on Wednesday. Both the amendment and the bill will almost certainly pass in the House on Wednesday and in the Senate on Thursday.

Sunday, September 14, 2014

Public Comments on PHMSA HHFT NPRM – 09-14-14

This is part of a continuing series of blog posts that will look at the public comments on the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) notice of proposed rulemaking (NPRM) on high-hazard flammable trains (HHFT). Earlier posts include:

There are 33 new posts this week including 22 that are part of the RiverKeeper.org letter writing campaign that I mentioned yesterday. There is also an interesting new letter writing campaign that appears to be family based with 7 nearly identical comments about the risk posed by railroad tracks near a family member’s house.

There is an interesting comment on rights-of-way (ROW) that are shared between freight and passenger lines. The commenter recommends that lines sharing ROW should be constructed in accordance with the American Railway Engineering and Maintenance-of-Way Association (AREMA) suggested standards of 25 ft separation of such lines.

I have noticed an interesting thread running through many of the negative comments against the transportation of crude oil. Most commenters mention both Bakken crude and tar sands oil as if they showed the same hazards. I think that this traces back to the fact that many environmentalists object to the tar sands oil extraction techniques and also object to the fracking techniques that are used in the Bakken fields. The two sets of objections are substantially different (as are the extraction techniques), but it is easier to lump the two together than keep the public's attention through explanations of the problems of each.

We have just two weeks left in the comment period for this rulemaking. I expect that we will start to see a trickle of comments from industry in the coming week, but I expect that the railroads and oil industry associations will be starting to file their requests for an extension of the comment period. A sixty day comment period for a rulemaking as complex as this is certainly shorter than normal; especially since there were new items added since the original ANPRM was published.

The Administration is under pressure, however, to ‘get something done’ quicker rather than better. I expect that they will deny those petitions. This will probably serve to delay the completion of this rule even more, as the organizations principally affected will be requesting multiple meetings with the OMB’s Office of Information and Regulatory Affairs once the final rule is submitted to that office for approval. Adding 30 days to the comment period now could eliminate the need for multiple rounds of OIRA-Industry-PHMSA back and forth later. It could also help reduce the number of post-final-rule lawsuits that would delay implementation.

Public Comments on EPA RMP RFI – 09-14-14

This is the first in a series of blog posts about the public comments provided to the EPA about their request for information (RFI) about potential changes to their Risk Management Program. This RFI was mandated by the President’s Executive Order on Increasing Chemical Safety and Security (EO 13650). To date there have been 340 comments submitted with only 16 of those being posted to the comment docket.

Most of these early comments have come from members of the public. For the most part these are comments from people that feel that they are affected by potential chemical releases of various sorts in their communities. They range from strong proponents of requiring inherently safer technology (IST) implementation to banning of mercury containing light bulbs to people who are fed up with Federal regulations in general. Surprisingly there is no evidence of any organized letter writing campaign to date.

There are a disturbing number of ‘anonymous’ submissions. None of them seem to target specific companies or espouse any real extremist views, so it does not seem that they are anonymous because of fear of retaliation. There is one anonymous comment that is quite detailed and deserves much more consideration than most such comments. This may be an individual that works in the chemical industry and fears that his pro-regulatory comments might not be appreciated by his employer.

There is an interesting, if very brief, submission by Prof. Nicholas Ashford of MIT. He had earlier submitted two documents related to the topic and was apparently concerned that they had not been received because they did not show up on the docket. The EPA acknowledges the receipt of these two documents but notes that due to copyright restrictions they are only available at the EPA Reading Room in Washington. This may be an explanation of why some of the other 340 comments do not show up in the docket.

There are two comments posted by industry consultants. The first (in order of submission) was from Terry Hardy and it points out the failure of the current (and proposed) RMP program to specifically address the safety issues related to the use of industrial control systems. The second was from Robin Pitblado that provided a brief discussion supporting the use of the safety case regime in regulating chemical safety.

The most interesting (from my point of view working in the chemical industry) was a submission from Capt. Pete Brummel, an Eastside, WA-based firefighter, concerning drills conducted with the Tolt Water Treatment Facility. It is a very simple testament to cooperation between facilities and their supporting first responders. There isn’t much in the way of suggestions for the RMP regulations, but it is something that should be taken into account by the writers of any new regulations.

Saturday, September 13, 2014

PHMSA Oil Spill Response Plan ANPRM Comments – 09-13-14

This is the first post in a series that looks at the public comments provided to DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) on their advance notice of proposed rulemaking (ANPRM) for possible regulations governing oil spill response planning for High-Hazard Flammable Trains. Fifty comments have been received as of last Friday and 20 comments are posted to the current docket.

Most of the comments (18 of the 20 posted) received to date are from private individuals that feel that they might be impacted by a spill from one of these crude oil trains. Thirteen of those are part of an organized letter writing campaign organized by RiverKeeper.org. I have never understood why environmental organizations think that an organized letter writing campaign will sway regulators in their decisions about how or if regulations should be written. I suspect that these campaigns are more about keeping their members feeling like they are involved and having an effect rather than a real effort to affect the rulemaking process.

There is a very interesting ‘Anonymous’ comment that was obviously written by someone familiar with oil spill response planning. That comment coupled with one from a business group and another from a spill response consultant organization provide the most useful information in the comments to date. All three of these comments look at the rulemaking as an extension of current oil spill response regulations; they have various ideas about how the railroad situation parallels or differs from fixed installation, pipeline or maritime spill response situations. All are worth reading.

The first comment posted to this docket makes a point that PHMSA has yet to address and none of the commenters mentioned above look at: flaming oil. The comment, from an individual, starts with a very succinct statement of the problem: “Develop a plan for flaming oil running downhill or under other tank cars.” If the PHMSA regulations don’t at least make an effort to deal with that problem they will be incapable of preventing disasters like we saw in Canada last year.

DOE Publishes DRAFT CSF Implementation Guidance

Yesterday the Department of Energy (DOE) published a notice in the Federal Register (79 FR 54695-54696) announcing that it had published a draft guidance document for the energy sector that describes how organizations in that sector could be expected to implement the NIST Cybersecurity Framework (CSF) that was published last February.

DOE had earlier developed a Cybersecurity Capability Maturity Model (C2M2) for the energy sector. According to the introduction to that document the C2M2 was designed to focus on “the implementation and management of cybersecurity practices associated with the information technology (IT) and operations technology (OT) assets and the environments in which they operate” (pg 1). Like the CSF, this is a high-level document that allows for the development and documentation of a cybersecurity risk management program. One major difference between the C2M2 and the CSF is that the C2M2 does not specifically tie Maturity Indicator Levels (MILs) back to established standards and practices.

DOE made an earlier attempt at tying the CSF to the C2M2. It published a two page document that highlighted the similarities between the CSF and the C2M2, but it lacked any specific guidance on how the two programs could be used to support each other.

The new guidance document is a much more detailed look at the alignment of the two cybersecurity management programs. For example, Appendix A shows each of the CSF’s Functions, Categories and Subcategories and then lists each of the C2M2 practices that support that effort at each of the MILs.

DOE is requesting detailed public feedback on the draft Guidance document. DOE is not using the Federal eRulemaking portal; responses will be emailed directly to DOE (Cyber.Framework@hq.doe.gov). To make handling of the comments easier to manage, DOE is requesting that commenters use a specific Word® format form that requires the provision of the Section, Page and Line number for each comment. This should expedite the handling of comments and ensure that each commenter’s input is considered in the appropriate review area of the Guidance.

DOE has set an unrealistically short comment period for the review of this document. They are asking for comments to be submitted by October 14th. Most large organizations will not be able to get internal reviews conducted in that short a time frame, much less prepare detailed responses. Maybe that is what DOE is trying to accomplish here; fewer comments means less rewriting of the Guidance.

Congressional Hearings – Week of 9-14-14

Currently this coming week is the last scheduled full week for both houses of Congress to be in Washington before the November elections (that may change), but there is currently only one hearing scheduled that might be of interest to readers of this blog; a markup hearing in the Senate.

Mark-up Hearing

The Senate Commerce, Science and Transportation Committee will hold an executive session on Wednesday where they will amend and/or vote on a number of bills. Two of those may be of specific interest to readers of this blog:

S 2444, the Coast Guard Authorization Act for Fiscal Years 2015 and 2016 
S 2777, Surface Transportation Board Reauthorization Act of 2014

NOTE: The STB bill does not currently contain any provisions specifically targeted at chemical transportation matters or that would be expected to affect consideration of chemical transportation matters.

Continuing CR

The House Majority Leader’s web site does say that HJ Res 124 will be considered on the floor this week under a rule. There is not currently a Rules Committee hearing set for that rule. I expect that we will see such a meeting on Monday or Tuesday.

Friday, September 12, 2014

FAA Expanding Aircraft Cybersecurity Coverage

Today the FAA published two notices in the Federal Register (79 FR 54572-54574 and 79 FR 54574-54575) establishing Special Conditions for cybersecurity requirements for Bombardier BD-500-1A10 and BD-500-1A11 series airplanes. Separate requirements were established to protect aircraft control systems from unauthorized external access and internal access. The requirements are identical to those I reported on for Airbus Model A350-900 airplanes.

It appears that the FAA will continue to treat cybersecurity on a Special Conditions basis rather than to amend their airworthiness regulations {14 CFR Part 25}. Perhaps congressional action is necessary.

Thursday, September 11, 2014

ICS-CERT Publishes Two Advisories; Ecava and Schneider

Today the DHS ICS-CERT published two control system security advisories for systems from Ecava and Schneider. Both advisories are based upon coordinated disclosures.

Ecava Advisory

This advisory addresses multiple vulnerabilities in the IntegraXor SCADA Server. An Improper Privilege Management vulnerability was reported by Andrea Micalizzi and three other vulnerabilities were identified by Alain Homewood. Alain has verified the efficacy of the patch produced by Ecava to resolve the vulnerabilities that he identified. No information was provided on the efficacy of the fix for resolving the vulnerability identified by Andrea.

The four vulnerabilities identified in this system are:

● External control of file name or path, CVE-2014-2375;
● SQL injection, CVE-2014-2376;
● Sensitive information disclosure, CVE-2014-2377; and
● Improper privilege management, CVE-2014-2386.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities.

NOTE: This advisory was originally released to the US-CERT secure portal on August 12th. This was the advisory that I had referred to earlier. Readers that had access to the secure portal would have already known about this vulnerability.

Schneider Advisory

This advisory addresses a buffer overflow vulnerability (been a while since we’ve seen one of those) in the VAMPSET software reported by Aivar Liimets of Martem AS. Schneider has produced an update that according to Aivar mitigates the vulnerability.

ICS-CERT reports that direct access to the relay is required for a successful attack. Schneider provides a more detailed description of the way the vulnerability works in their report on the vulnerability. That report also describes additional mitigation measures that can be taken by the system owner/operator.

FRA Publishes CP Safety Plan Notice

The DOT’s Federal Railroad Administration (FRA) published a notice in today’s Federal Register (79 FR 54343) that it had received a petition from the Canadian Pacific Railroad Company for the approval of their Railroad Safety Program Plan (RSPP) as required by 49 CFR 236.905. The actual copy of the RSPP is available on the Federal eRulemaking Portal (www.Regulations.gov; Docket # FRA-2014-0078).

The FRA is apparently not sure if it wants public comments on the RSPP or not. The notice initially states that: “FRA is not accepting comments on this RSPP.” But later in the notice it states that: “Interested parties are invited to participate in these proceedings by submitting written views, data, or comments.” The docket is certainly open for comments though, so feel free to add your two cents worth.

NOTE: The RSPP is the implementation plan for the railroad’s positive train control (PTC) system.

Bills Introduced – 09-10-14

Twenty-nine bills were introduced yesterday, but only one that will be of specific interest to readers of this blog:

S 2784 Latest Title: A bill to direct the Secretary of Transportation to carry out activities to improve rail safety, and for other purposes. Sponsor: Sen Blumenthal, Richard (D,CT)

Billed as a comprehensive railroad safety bill this bill would be considered political grandstanding this late in the session if it were not for the fact that Blumenthal is the Chair of the Subcommittee on Surface Transportation and Merchant Marine Infrastructure, Safety, and Security of the Senate Commerce, Science and Transportation Committee.

The bill is supposed to address (among a host of other rail safety issues) positive train control (PTC) system implementation and highly hazardous flammable trains.

There is a distinct possibility that this bill will be covered in next week’s markup hearing of the Senate Commerce, Science and Transportation Committee. If it doesn’t make it to that hearing, this bill will almost certainly not make it to the floor of the Senate this session. Even if it does get cleared by that Committee it won’t make it to the floor before the election.

Wednesday, September 10, 2014

Rule Committee Hearing on HJ Res 124 Postponed

Just a brief note published on the House Rules Committee website, the hearing that had been scheduled for today for HJ Res 124, the FY 2015 CR, has been postponed ‘subject to the call of the chair’. This almost certainly means that a vote will not happen on this continuing resolution this week. There is still plenty of time before October 1st, but the House was not scheduled to be here for most of that time.

I haven’t seen any explanation of why the delay, but I suspect that it is because some Republicans have wanted to have various parts of their agenda tacked on to this ‘must pass’ bill. Or it could be too many objections to the short term extension of the Export-Import Bank authorization included in the bill.

Bills Introduced – 09-09-14

The second day back in Washington for pre-election posturing and there were 22 bills introduced in Congress. Only one of those will be of specific interest to readers of this blog:

HJ RES 124 Latest Title: Making continuing appropriations for fiscal year 2015, and for other purposes. Sponsor: Rep Rogers, Harold (R,KY)

As I noted last night, this is a pretty clean CR with no significant political posturing. If the congressional crazies can keep their hands off of this bill then it has a good chance of passing and keeping the Federal Government running through the election. With spending provided through December 11th this should allow for a reasonable post-election funding process.

Tuesday, September 9, 2014

Community is Ignoring CFATS Listening Sessions

I’m in Houston on business this week so I thought that I would show up at the CFATS ANPRM listening session that was held today. I had not registered as wishing to make a comment; rather I was attending for a chance to talk to people with an interest in the ANPRM. I mean, Houston has a huge number of chemical facilities that would certainly have an interest in potential changes to the CFATS regulations.

Boy was I disappointed. No one was there except for the DHS folks that were waiting around to listen. When I got there at 3:30 pm (the session was supposed to run from 9:00 am to 4:00 pm) I was the 12th (that’s right # 12!!!!!) person to show up today. Talking to the DHS people there it seems that their first session in Washington, DC was little better attended.

Both of these listening sessions were scheduled for a full day because DHS was just certain that these two locations would have a large turnout of people wishing to share their ideas about what the new CFATS rules should look like. Apparently they were wrong. Apparently the chemical community in Houston does not care about what changes might be made to the program.

Now I understand that the corporate folks probably want to go through a more formal internal review process before they put forth their views. Those comments will almost certainly be in written form with a full review by legal departments. That is not who DHS was targeting with these listening sessions, it was looking for the views of the people down in the trenches; operators, truck drivers, security guards and security system vendors. And they just did not show up.

Now part of the reason may be that DHS reached out to the wrong folks. I’ve already taken them to task for not publishing this information on the CFATS web site. Instead they concentrated on sending out information to facilities already under the CFATS program and business organizations that support those facilities. That is certainly a legitimate outreach effort. But I have got to wonder if they bothered notifying the local press. There is certainly nothing listed in the Houston Chronicle about today’s meeting.

Hopefully, DHS will reach out to the Atlanta papers before the next physical listening session in that fair city next week. And since DHS passed over Charleston, WV (figuring no doubt that interested parties could have come to Washington, just down the road), maybe Ken Ward would like to invite them to hold a session in that fair city. They certainly have concerns about chemical issues of all sorts there.

Come on people. Let’s get some interested folks to turn out for these events. Take the opportunity to see the regulators face-to-face. Make your opinions known. Register to attend one of the upcoming listening sessions.

House Rules Committee Announces Meeting on CR

Today the House Rules Committee published a notice that they would be holding a hearing on a short term continuing resolution (HJ Res 124) tomorrow at 2:00 pm. If a rule is, as expected, adopted at that hearing, then the full House could vote on the bill Thursday afternoon and the Senate could potentially vote on it Friday. The CR would continue funding the Federal Government at essentially current levels through December 11th {§106(3)}.

The Committee Draft of the bill available on the Rules Committee web site looks like a fairly clean continuing resolution devoid of any provisions that could hold-up its passage this week. It does contain CDC funding for Ebola support operations by that organization. It also includes a specific extension of the CFATS program authorization through December 11th {§127}; there are a number of other Federal programs which receive similar mention.

FRA Publishes Securement NPRM

Today DOT’s Federal Railroad Administration (FRA) published a notice of proposed rulemaking (NPRM) in the Federal Register (79 FR 53356-53383) concerning the securement of unattended trains. This rule, which would update current regulations in place since 2001, is part of their on-going efforts to upgrade the safety and security of trains in response to a series of crude oil train derailments.

In general this rule would:

• Ensure that each locomotive left unattended outside of a yard be equipped with an operative exterior locking mechanism and that such locks be applied on the controlling locomotive cab door when a train is transporting tank cars loaded with certain hazardous materials;
• Provide that certain hazardous materials trains may only be left unattended on a main track or siding if justified in a plan adopted by the railroad, accompanied by an appropriate job briefing, and proper securement is made and verified; and
• Require additional verification of securement in the event that a non-railroad emergency responder may have been in a position to have affected the equipment.

The requirements in this NPRM would apply to:

• Any loaded freight car containing PIH material, including anhydrous ammonia and ammonia solutions; or
• Twenty (20) or more loaded cars or loaded intermodal portable tanks of any one or any combination of PIH materials (including anhydrous ammonia and ammonia solutions), or any flammable gas, flammable or combustible liquid, explosives, or a hazardous substance listed at § 173.31(f)(2) of this title.

The location specific securement plans are not required to be submitted to, or approved by, FRA. They are, however, required to be made available to the FRA upon request; and the FRA may require changes to the plan {§232.103(n)(7)(i)}. The FRA must be notified when such plans are adopted or changed.

While not explicitly stated in the revised CFR language provided in the rule, the preamble makes it clear that the second employee’s verification of proper securement may be done without physical attendance at the site of the securement:

“This may be done by relaying pertinent securement information (i.e., the number of hand brakes applied, the tonnage and length of the train or vehicle, the grade and terrain features of the track, any relevant weather conditions, and the type of equipment being secured) to the qualified railroad employee. The qualified railroad employee must then verify and confirm with the train crew that the securement meets the railroad's requirements.”

Interestingly the preamble specifically states that “proposed paragraph (n)(8)(i) does not contain a requirement that the railroad maintain a record of the verification of proper securement.” This will make enforcement of this provision very iffy.

FRA is soliciting public comments on this NPRM. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # FRA-2014-0032). Comments should be submitted by November 10th, 2014.

Monday, September 8, 2014

Congressional Hearings – Week of 9-7-14

Congress is back in session after a long month back in their districts. With just this week and next (and maybe a half-week at the end of the month) they have just a limited amount of time to get their Washington grandstanding done before elections. Some of that grandstanding will be in committee hearings. Only two hearings this week, though, that will be of specific interest to readers of this blog; both in the Senate.

Cyber Terrorism

On Wednesday the Senate Homeland Security Committee will be holding a hearing on “Cybersecurity, Terrorism, and Beyond: Addressing Evolving Threats to the Homeland”. The witness list is a who’s who of upper level cybersecurity policy wonks:

• Francis X. Taylor, Under Secretary for Intelligence and Analysis, DHS;
• Suzanne E. Spaulding, Under Secretary, National Protection and Programs Directorate, DHS;
• Nicholas J. Rasmussen, Deputy Director, National Counterterrorism Center, ODNI; and
• Robert Anderson, Jr., Executive Assistant Director, Criminal, Cyber, Response, and Services Branch, FBI

It’s a war out there. Grand strategy will be discussed; known enemies will be named; and nothing new will be heard.

Freight Rail Service

Also on Wednesday the Senate Commerce, Science and Transportation Committee will hold a hearing on “Freight Rail Service: Improving the Performance of America’s Rail System”. Three shipper organizations and a Department of Agriculture guy all take on a single railroad executive. So we’ll hear about captive shippers, lack of grain cars, and freight rates. The 800 lb gorilla will have to sit in the back of the room since it doesn’t look like anyone wants to talk about crude oil trains.

On the Floor

Nothing to see here folks, move on to next week. There are no spending bills on the list of items to do before the election, so we can expect to see a rather blasé continuing resolution being published tomorrow so that the House and Senate can both vote on it before they head home for the weekend. Of course they could hold off until the end of the month just to see if the Republican leadership in the House can hold things together for one important vote while the clock is ticking.

FAA to Set Aircraft Network Security Specifications

Today the FAA published a final special condition standard for Airbus Model A350-900 airplanes in the Federal Register (79 FR 53128-53129) concerned with electronic system-security protection from unauthorized external access. The effective date for this action is today.

The FAA notes in their background discussion to this action that “electronic system-network-security considerations and functions have played a relatively minor role in the certification of such systems because of the isolation, protection mechanisms, and limited connectivity between the different network”. On this aircraft type, however, the Administrator found that:

“The airplane-control domain and operator-information-services domain perform functions required for the safe operation and maintenance of the airplane. Previously, these domains had very limited connectivity with external network sources. The network architecture and configuration may allow the exploitation of network-security vulnerabilities resulting in intentional or unintentional destruction, disruption, degradation, or exploitation of data, systems, and networks critical to the safety and maintenance of the airplane.”

Furthermore, the preamble acknowledges that:

“The existing regulations and guidance material did not anticipate these types of airplane system architectures. Furthermore, 14 CFR regulations and current system-safety assessment policy and techniques do not address potential security vulnerabilities, which could be exploited by unauthorized access to airplane networks, data buses, and servers.”

The Special Conditions outline the following three control system security requirements:

1. The applicant must ensure airplane electronic system-security protection from access by unauthorized sources external to the airplane, including those possibly caused by maintenance activity.
2. The applicant must ensure that electronic system-security threats are identified and assessed, and that effective electronic system-security protection strategies are implemented to protect the airplane from all adverse impacts on safety, functionality, and continued airworthiness.
3. The applicant must establish appropriate procedures to allow the operator to ensure that continued airworthiness of the airplane is maintained, including all post-type-certification modifications that may have an impact on the approved electronic system-security safeguards.

At this time these requirements are only required for Airbus Model A350-900 airplanes.

Sunday, September 7, 2014

Public Comments on PHMSA HHFT NPRM – 09-06-14

This is part of a continuing series of blog posts that will look at the public comments on the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) notice of proposed rulemaking (NPRM) on high-hazard flammable trains (HHFT). Earlier posts include:

There were 21 comments submitted in the last three weeks. There are more than that listed in the docket, but a number of commenters submitted multiple copies because they did not realize that their posts were not going to appear in real time. Even the 21 comment number is a little misleading since there are a couple of repeats of comments from multiple people, but it is too early to tell if this is an organized comment campaign (like I have seen from various environmental groups) at this point.

Most of the comments come from individuals with no direct connection to the hazmat shipping industry. They are mainly from people that feel that they are being put at risk from the shipment of crude oil through their communities. Their comments are generally simplistic, but represent a very real political reality that this is a problem that has significant potential impacts beyond the regulated community. Unfortunately, for these folks the comments are typically their only potential contribution to improving the safety of the rail lines that pass through their communities. While simplistic and perhaps poorly informed the comments need to be taken into account.

There are comments from two people directly connected to the problem; a railroad consultant and a freight locomotive engineer. The engineer calls out three factors that are not addressed in the NPRM:

• A two person crew should be mandatory on all trains, especially key trains;
• The engineer's workload should not increase for safety reasons; and
• A rational amount of buffer cars on the head end should be mandatory

The consultant identifies a number of interesting points that have generally been missing from much of the discussion to date. First off, he reminds us that the DOT 111 cars are not all constructed the same. Newer models (since the late 1980’s?) are constructed with normalized steel and are much more resistant to rupture. Second, his list of necessary retrofits for those normalized steel cars consists of just three improvements:

• Head shields;
• Safety valves; and
• Removable valve handles.

The detailed discussion of the other NPRM safety measures contained in the consultant’s comments is well worth reading.

In the next week or two we should start to see more in the way of corporate comments on the rule.