Monday, February 29, 2016

FRA Publishes PTC Direct Final Rule

Today the DOT’s Federal Railroad Administration (FRA) published a final rule in the Federal Register (81 FR 10126-10131) implementing changes in compliance dates for the implementation of Positive Train Control (PTC) technology in accordance with the requirements of §1302 of the Surface Transportation Extension Act of 2015 (PL 114-73).

The changes being made in this new final rule include:

• Striking the deadline referenced in 49 CFR §236.1005(b)(1) and adding a paragraph (b)(7) to address the new deadlines the recent legislation mandates;
• Amending paragraph §236.1005(b)(6) by striking “2015” and replacing it with “2020”;
• Striking the deadlines in §236.1006(b)(1) and (b)(3), replacing the latter with a cross-reference to new paragraph §236.1005(b)(7);
• Removing paragraph §236.1006(b)(2);
• Striking the introductory phrase in §236.1006(b)(3);
• Adding three years to each date referenced in paragraph §236.1006(b)(4)(iii)(B);
• Amending paragraph §236.1009(a)(5) to reference that new progress report deadline and to avoid confusion and potential redundant submissions;
• Amending the deadline in §236.1011 to cross-reference the applicable deadline determined under §236.1005(b)(7); and
• Amending the deadline dates referenced in Appendix A.

This is a direct final rule implementing changes required by Congress, so FRA is not soliciting the usual public comments. The FRA does note that petitions for reconsideration may be filed via the Federal eRulemaking Portal (Docket #FRA-2016-0012). Petitions should be filed before April 19th, 2016. The effective date of this final rule is April 29th, 2016.

Congressional Hearings – Week of 2-28-16

With both the House and Senate in session this week there will be a large number of budget related hearings in both bodies. Additionally, readers of this blog may be interested in one other hearing this week; this one on the re-authorization of pipeline safety.


The budget hearings that may be of specific interest to readers of this blog include:

• TSA Budget Hearing – Transportation Security Subcommittee (House);
• FRA Budget Hearing – Transportation, Housing and Urban Development, and Related Agencies Subcommittee (House);
• TSA Budget Hearing – Homeland Security Subcommittee (House);
• Coast Guard Budget Hearing – Homeland Security Subcommittee (House); and
• TSA Budget Hearing – Homeland Security Subcommittee (Senate).

Pipeline Safety Re-Authorization

On Tuesday the Energy and Power Subcommittee of the House Energy and Commerce Committee will hold a hearing on “Pipeline Safety Reauthorization”. Unlike last week’s Transportation and Infrastructure hearing on the same topic, a committee draft of the potential bill is available as is a background memo from the Committee staff.

The witness list for the hearing includes:

• Andrew Black, Association of Oil Pipe Lines;
• Ron Bradley, PECO Energy;
• Marie Therese Dominguez, PHMSA;
• Norman J. Saari, Michigan Public Service Commission;
• Donald Santa, Interstate Natural Gas Association of America; and
• Carl Weimer, Pipeline Safety Trust.

On The Floor

There is nothing of specific interest in the way of legislation on the floor of the House this week. In the Senate we again have a possibility that S 2012, the energy authorization bill, may actually get final consideration, but the Flint water mess may still hold up consideration of that bill.

Sunday, February 28, 2016

HR 4624 Introduced – Abandoned Pipelines

Earlier this week Rep. Hahn (D,CA) introduced HR 4624, the Pipeline Inspection Enforcement Act of 2016. The bill would require the inspection of abandoned and transferred pipelines.

Bill Provisions

The bill would amend 49 USC 60108 by adding two new paragraphs to the section. The new paragraph (e) would require an organization acquiring a pipeline to conduct an inspection of the pipeline within 180 days of the acquisition. The new paragraph (f) would require State or Federal pipeline safety authorities to conduct inspections of newly reported abandoned pipelines to ensure that they are abandoned and presumably drained.

Moving Forward

Hahn is a mid-ranking member of the Railroad, Pipelines and Hazardous Materials Subcommittee of the House Transportation and Infrastructure Committee to which the bill was referred for consideration. It is likely that she has the political pull necessary to get the bill considered in Committee. According to her press release on this bill, she has requested that the language from this bill be included in the PHMSA re-authorization bill currently being drafted.

The language in this bill (either as this bill or as part of the PHMSA re-authorization) would likely be adopted in Committee. As part of the re-authorization bill it would certainly be considered and adopted by the full House. As a stand-alone bill, it is not clear that Hahn has the necessary clout to get the bill to the floor.


As I briefly mentioned in an earlier post, Hahn’s bill was written in response to a 2014 oil spill in her district from an abandoned crude oil pipeline. A similar pipeline leak was reported in October of last year. The Wilmington leak was from an abandoned pipeline that had been assumed to be empty.

One would like to assume that a pipeline owner would ensure that their pipeline was empty before officially abandoning it. After all, there would be some value of the material in the line that the owner should be interested in recovering. Obviously, this is not always the case and I suspect that there will be additional crude oil pipelines being abandoned or transferred as the oil industry continues to retrench due to the decline in crude oil prices. Because of the economic situations of the owners, I further suspect that, without legislation like this, there would be a number of these pipelines where all the i’s were not dotted nor all the t’s crossed.

Saturday, February 27, 2016

TSA Reports on 2015 Enforcement Actions

Yesterday the DHS Transportation Security Administration (TSA) published a notice in the Federal Register (81 FR 9857-9877) outlining the enforcement actions that it took in 2015 under the authority of 49 USC 114(v). That authorizes the TSA to levy civil penalties for violations of surface transportation security regulations under 49 USC (not including airport security) and Chapter 701 of 46 USC (Port Security). Annual reports on enforcement actions are required by §114(v)(7)(A).

Table 1 below summarizes the action taken in 2015.

Table 1 – 2015 TSA Surface Enforcement Actions (columns: # of Incidents, Maximum Penalty; rows: Rail Car Chain of Custody; Reporting Security Concern; Use of another's TWIC; Allow another to use TWIC; Direct another to use TWIC; Fraudulent Manufacture of TWIC)

Table 2 shows a summary of the number of enforcement actions taken by TSA each year under §114(v) from 2011 thru 2015.

Table 2 – TSA Enforcement Actions 2011 thru 2015 (rows: Did not allow TSA Inspection; Rail Car Chain of Custody; Rail Car Security; Rail Car Location; Reporting Security Concern; Use of another's TWIC; Allow another to use TWIC; Direct the use of another's TWIC; Fraudulent Manufacture of TWIC; Use of an altered TWIC)

The rail security enforcement actions have been dramatically reduced. Whether this is a result of actual improved security or of changes in enforcement (a reduction in the number of inspections, for instance) is not possible to tell from this report. Similarly, the report does not really allow the outsider to draw any conclusions about the dramatic increase in TWIC related enforcement actions.

Responses to Latest CSF RFI – 02-27-16

This is part of an on-going look at the responses to the National Institute of Standards and Technology (NIST) latest request for information (RFI) on potential updates to the Cybersecurity Framework (CSF). A reminder, the comment period was extended until February 23rd, 2016. The previous posts in this series include:

This week there were 47 new responses to the RFI (almost as many as had been posted in total by last week). All but one of them were dated after February 9th, the original comment cut-off date, and one was dated after the new cut-off date. Obviously it was a smart move on the part of NIST to extend the comment period. As I noted last week, I expect that there will probably be one more of these posts to catch any additional late adds to the response list.

The comments posted this week come from:

Prevent Duplication of Regulatory Processes

NIST question 9 asks:

“What steps should be taken to “prevent duplication of regulatory processes and prevent conflict with or superseding of regulatory requirements, mandatory standards, and related processes” as required by the Cybersecurity Enhancement Act of 2014?”

One commenter suggested that federal regulators map their cybersecurity regulations to the CSF as the CSF is mapped to various standards. Another commenter suggested instead that NIST conduct such regulatory mapping. Regulatory mapping was addressed by a number (6) of additional commenters.

One commenter noted that the effect of IoT on the CSF should be looked at. Another commenter suggested that there should be more emphasis on acquisition and supply chain issues.

One commenter suggested that regulators use CSF reporting as their regulatory methodology.

Should CSF be Updated?

NIST question 10 asks:

“Should the Framework be updated?”

A number of commenters (1) recommended that the CSF should continue to be updated as existing standards are updated and new standards are published.

One commenter noted that the CSF should be expanded to include cyber threats, insider threats and physical threats. Another commenter suggested that the CSF should include more detail about technological concepts that affect implementation. Yet another suggested that the CSF should include more detail on creating a target profile. Another suggested more emphasis on state-of-the-art risk management practices, and another requested that the CSF be expanded to include product integrity and supply chain security. Another commenter suggested that medical device and industrial control systems need coverage in the CSF. Big-data and cloud privacy issues were suggested by another commenter as areas that need to be addressed.

One commenter suggested that CSF stability should be a primary concern. Another commented that reducing the frequency of updates would be helpful.

Private Sector Involvement

NIST question 20 asks:

“What should be the private sector’s involvement in the future governance of the Framework?”

A number of commenters (7) noted that the private sector should continue to provide input on CSF improvements. One commenter specifically recommended continued use of RFIs and regional workshops.

One commenter argued that the users of the framework should provide the governance. Another commenter suggested that the private sector should provide feed-back on implementation issues.

One commenter suggested that NIST should hold semi-annual workshops to address potential changes to the CSF.


A total of 100 responses have been posted to the NIST site as of today. Fewer than half of the commenters used either the spreadsheet format requested by NIST or keyed their responses to the specific questions posed in the RFI. I really wish that the commenters who did not have the common decency to take the effort to consider how NIST was hoping to use their responses would sit down and read the 100 responses submitted to date and try to make sense of the data presented.

I am sure that a great deal of effort went into developing these 10 and 20 page responses that went into great detail about how the organization was diligently working on cybersecurity. Unfortunately, those comments were better suited to a press release than being helpful to NIST in charting the future of the CSF.

Over the last two weekends I have spent four hours reviewing responses to look for and analyze information on just three of the twenty questions. And I did not even attempt to read the responses that were not prominently keyed to the specific questions I was looking at. NIST on the other hand is going to have to peruse each of the missives to try to extract the requested information. I do not envy the NIST reviewers who will be required to review each and every submission, no matter how verbose and self-advertising.

It was interesting that out of 47 submissions posted this week, only one mentioned the fact that the CSF needs to be periodically updated to reflect revisions to the various standards referenced in the document. In the long run, I think that it was probably more important that a number of commenters noted that there should be a mapping of CSF and cybersecurity regulations. Comments went both ways; suggesting that regulations reference CSF and vice versa.

Nobody has suggested that new cybersecurity regulations have to be applied; instead they are recommending that regulated industries that are already facing security regulations have the cybersecurity provisions tied into the CSF. That way, commenters suggest, there would not be competing requirements, especially for those organizations facing multiple regulatory schemes.

I was happy to see a number of cybersecurity research organizations included in the responders this week. They had some different insights from those provided by industry organizations.

NIST Announces New CSF Workshop

Earlier this week the National Institute of Standards and Technology (NIST) announced that they would be holding a 2-day Cybersecurity Framework (CSF) workshop starting on April 6th, 2016 at their facility in Gaithersburg, Maryland. This will be a public workshop and advance registration is required.

While a draft agenda is available (.docx download) it is currently only vaguely general in nature. The CSF web site provides a little more detail on what the workshop will cover:

• Ways in which the Framework is being used to improve cybersecurity risk management;
• How best practices for using the Framework are being shared;
• The relative value of different parts of the Framework;
• The possible need for an update of the Framework; and
• Options for long-term governance of the Framework.

In short, it looks like the workshop will address many of the same issues that have been addressed in the latest request for information, but that should not be unexpected to anyone who followed the CSF development process. I expect that more information will be made available in the coming weeks.

Friday, February 26, 2016

OMB Approves Revised FRA Accident Report ICR

On Wednesday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved “with change” the information collection request (ICR) from the DOT’s Federal Railroad Administration for changes to their Accident/Incident Reporting and Recordkeeping ICR. The revision requested by FRA would add 30 hours to the annual reporting burden due to the collection of some additional information on accidents including crude oil railcars.

Response to Public Comments

The FRA only received comments from one person (yours truly) on their 60-day ICR notice (see my blog post). They correctly pointed out in the supporting document (para 8; .doc download link) that they submitted to OIRA that the addition of a more detailed reporting form for crude oil related accidents, as I suggested, would require a separate rulemaking and would thus be outside of the scope of this ICR. They did note that they would “continue to evaluate whether it needs more data as part of a comprehensive, long-term improvement in its information collection activities for the rail transportation of crude oil and the rail transportation of hazardous materials in general”.

This could be included in the High-Hazard Flammable Train (HHFT) oil spill response NPRM submitted earlier this week to OIRA.

OIRA Limits Approval

OIRA took an unusual step with their approval of this change. The previous version of this ICR was due to expire in May of next year. The revised ICR is now set to expire before that date on February 28th, 2017. OIRA has also set additional requirements on DOT before they request a normal extension of this ICR before that date. These include a requirement for a DOT report on a “joint PHMSA-FRA plan, coordinated with OST, to create a single system for electronically reporting accident information involving trains, pipelines, and hazardous materials and eliminates duplicative reporting requirements”.

There is a possibility (probably remote) that such a plan could be included in the same NPRM mentioned above.

Bills Introduced – 02-25-16

With both the House and Senate in session yesterday there were 54 bills introduced. Of those two may be of specific interest to readers of this blog:

HR 4624 To amend title 49, United States Code, to provide for the inspection of pipeline facilities that are transferred by sale and pipeline facilities that are abandoned, and for other purposes. Rep. Hahn, Janice [D-CA-44]

HR 4628 To require reporting of terrorist activities and the unlawful distribution of information relating to explosives, and for other purposes. Rep. Lowey, Nita M. [D-NY-17]

Hahn’s bill addresses concern about recent leaks from abandoned pipelines.

Lowey’s bill would appear to address concern about the availability of information on the manufacture of improvised explosives and explosive devices on the internet.

In both bills the inclusion of the phrase “and for other purposes” in the descriptive title of the bill opens up the possibility of coverage of only vaguely related matters. This is sometimes used to add controversial legislative proposals to a relatively innocuous bill.

Thursday, February 25, 2016

ICS-CERT Reports on December Ukraine Power Outage

This afternoon the DHS ICS-CERT published an incident response alert for the power outages in the Ukraine that occurred on December 23rd, 2015. ICS-CERT reports “that power outages were caused by remote cyber intrusions at three regional electric power distribution companies”.

The Report

ICS-CERT reports that the attacks on multiple facilities occurred within 30 minutes of each other. The actual power outage was caused by attackers remotely shutting off breakers either thru “existing remote administration tools at the operating system level or remote industrial control system (ICS) client software via virtual private network (VPN) connections”. To hamper recovery efforts, the attackers:

• Used KillDisk malware to over-write HMI interfaces embedded on remote terminal units (RTU);
• Corrupted firmware on Serial-to-Ethernet communications devices at substations; and
• Scheduled disconnects of UPS devices via their remote management interfaces.

The Alert also reported the previously identified fact that BlackEnergy malware had been detected on systems of the affected utilities, but ICS-CERT noted that they “do not know whether the malware played a role in the cyber-attacks”.

The report contains a relatively lengthy section on mitigation measures for industrial control systems. In addition to the measures reported in the ICS-CERT defense-in-depth strategies publication, the report recommends:

• Implementation of information resources management best practices;
• Develop and exercise contingency plans that allow for the safe operation or shutdown of operational processes in the event that their ICS is breached;
• Use Application Whitelisting (AWL) to detect and prevent attempted execution of malware uploaded by malicious actors;
• Isolate ICS networks from any untrusted networks, especially the Internet; and
• Limit Remote Access functionality wherever possible.

The report concludes by reporting that in addition to the previously identified YARA rules for the identification of BlackEnergy infections additional indicators of compromise developed for this incident can be found in a restricted distribution (TLP Green) publication (IR-ALERT-H-16-043-01P) on the US-CERT Secure Portal.

The Response

The response on TWITTER® was fairly quick this afternoon and was generally less than positive. Most of the negatives were about the lack of detailed data and the references in the report to the lack of technical information available to investigators. A good summary of these concerns about the report deficiencies has been provided in a SANS blog post by Robert M. Lee.

A major concern seems to be that this is more of a political document than a technical report. It has been suggested that the information in this alert should have been released weeks ago by a political appointee and that this report should have provided more technical analysis that would aid system owners in the United States in detecting, delaying and stopping this type of attack.


While certainly overdue (the facts in this report were publicly reported by a number of cybersecurity organizations weeks ago), this report is important because it is an official statement by the US Government that a successful cyber-physical attack did take place against electrical utilities in the Ukraine. What is missing from that declaration, however, is an equally clear statement that a similar successful attack could occur in the United States.

The mitigation measures suggested by this report are important tools in preventing a malware based cyber-attack. What is missing is an admission that even if these measures (with one exception) had been in place in the affected utilities, the attack would still have been successful. None of the security measures address the fact (not reported here) that the BlackEnergy malware that was put into place by a phishing attack allowed the attackers to gain authorized access to the control systems to execute the attacks that shut down the breakers.

The only mitigation measure mentioned that might have addressed this attack avenue is found in one sentence: “Remote access should be operator controlled, time limited, and procedurally similar to ‘lock out, tag out’.” Even this may not have been adequate since the attackers were using operator level access. A more expansive discussion of what the terms ‘operator controlled’ and ‘time limited’ actually mean may have shown how they could have been used to prevent this attack.

The main point of that mitigation measure should have been that remote access should be viewed as a non-standard condition that requires formal management risk assessment and approval; the well-established ‘lock out, tag out’ process. Systems legitimately requiring remote access should have to be taken off-line, physically isolated from the controlled process and then verified operational before they are placed back in-line. This would have stopped the actual attack that shut down power distribution in the Ukraine in December.
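The ‘operator controlled, time limited’ remote access described above can be checked mechanically. The following is an added example (mine, not ICS-CERT’s or the author’s): it models operator-approved, time-limited access permits and flags remote sessions in constructed VPN-style log lines that are not covered by any permit; the account names, asset names, addresses and timestamps are all invented.

```python
"""
Added example: a 'lock out, tag out' style check for remote access to
control system assets. Remote access is treated as a non-standard
condition that needs an operator-approved permit with a fixed time
window; any remote session not covered by such a permit is flagged.
All permits and log lines below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple


@dataclass(frozen=True)
class AccessPermit:
    """Operator-approved, time-limited authorisation for one account on one asset."""
    account: str
    asset: str
    approved_by: str      # on-shift operator who approved the access
    start: datetime
    end: datetime

    def covers(self, account: str, asset: str, at: datetime) -> bool:
        return (self.account == account and self.asset == asset
                and self.start <= at <= self.end)


@dataclass(frozen=True)
class RemoteSession:
    """One remote-access event as it might appear in VPN or jump-host logs."""
    when: datetime
    account: str
    asset: str
    source: str


def parse_session_log(lines: List[str]) -> List[RemoteSession]:
    """Parse constructed lines '<ISO timestamp> account=<u> asset=<a> src=<ip>'."""
    sessions = []
    for line in lines:
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        sessions.append(RemoteSession(datetime.fromisoformat(ts),
                                      kv["account"], kv["asset"], kv["src"]))
    return sessions


def find_unpermitted_sessions(sessions: List[RemoteSession],
                              permits: List[AccessPermit]) -> List[Tuple[RemoteSession, str]]:
    """Return (session, reason) for every session no approved permit covers.
    'outside approved window' is separated from 'no permit' because the former
    is what an open-ended or overly long approval looks like in practice."""
    findings = []
    for s in sessions:
        if any(p.covers(s.account, s.asset, s.when) for p in permits):
            continue
        related = [p for p in permits if p.account == s.account and p.asset == s.asset]
        reason = "outside approved window" if related else "no operator-approved permit"
        findings.append((s, reason))
    return findings


# Constructed permit: a vendor account may reach one RTU for a two-hour window.
PERMITS = [
    AccessPermit("vendor_svc", "rtu-sub-07", "op.jones",
                 datetime(2016, 1, 10, 9, 0), datetime(2016, 1, 10, 11, 0)),
]

# Constructed log lines: one covered session, one after the window closed,
# and two late-night sessions to HMI hosts with no permit at all.
LOG_LINES = [
    "2016-01-10T09:15:00 account=vendor_svc asset=rtu-sub-07 src=10.20.0.5",
    "2016-01-10T12:40:00 account=vendor_svc asset=rtu-sub-07 src=10.20.0.5",
    "2016-01-10T23:05:00 account=ops_admin asset=hmi-dist-02 src=192.0.2.77",
    "2016-01-10T23:06:00 account=ops_admin asset=hmi-dist-03 src=192.0.2.77",
]


def audit() -> List[Tuple[RemoteSession, str]]:
    """Run the check over the constructed data and return the findings."""
    return find_unpermitted_sessions(parse_session_log(LOG_LINES), PERMITS)


if __name__ == "__main__":
    for session, reason in audit():
        print(f"{session.when.isoformat()} {session.account}@{session.asset} "
              f"from {session.source}: {reason}")
```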

If the ICS-CERT restricted distribution report does have more complete (and effective) indicators of compromise (IOC) than just the BlackEnergy YARA rules, it is disappointing that those indicators were not released in today’s report. Certainly, the initial distribution of IOC should be limited to critical infrastructure facilities that are likely to be affected by a similar attack. This allows those facilities to take effective measures to search their systems for such indicators and take appropriate mitigation measures.

At some point, however, the remainder of the control system community (owners, vendors, researchers and commentators) needs to be made aware of those IOC. This would allow owners of non-critical infrastructure to take measures (as appropriate) to prevent such attacks on their systems. More importantly it would allow for a more general discussion of the associated vulnerabilities that could lead to prevention of related attacks or development of more effective or cheaper mitigation measures.

We all have to remember, however, that this is the first time that ICS-CERT was allowed to report on an actual successful control system attack resulting in a cyber-physical effect. For what appears to be obvious reasons in hind-sight, ICS-CERT effectively ignored Stuxnet. So, ICS-CERT (and the politicians that control it) are still trying to figure out what they are going to do with actual, clearly identified attack information.

If, as it appears, ICS-CERT is withholding information at this late date (two months since the attack) about details of indicators of compromise, it bodes ill for the DHS mandate to establish a cybersecurity information sharing process. Information about IOC is the main thing that the private sector wants from DHS. If they are not willing to share that information, there is no need for the private sector to share information about attacks with DHS.


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved the EPA’s notice of proposed rulemaking (NPRM) on Modernization of the Accidental Release Prevention Regulations Under Clean Air Act. The NPRM was submitted to OMB in December of last year and is related to the chemical safety and security executive order (EO 13650) issued in 2013.

The Unified Agenda (UA) abstract for this rulemaking explains that:

“In response to Executive Order 13650, the EPA is considering potential revisions to its Risk Management Program regulations and related programs. The Agency may consider the addition of new accident prevention or emergency response program elements, and/or changes to existing elements, and/or other changes to the existing regulatory provisions.”

The UA entry claims the Clean Air Act Section 112(r)(7) {42 USC 7412(r)(7)} as the legal basis for this rulemaking which forms the basis for the EPA’s risk management program (RMP). Limiting the legal basis for the rulemaking to sub-paragraph (7) suggests that the following areas for changes suggested in EO 13650 will not be included in this rulemaking:

• General duty clause {§7412(r)(1)};
• List of substances upon which RMP is based {§7412(r)(3)};
• RMP fuel exemption {§7412(r)(4)(b)}; or
• Chemical Safety Board {§7412(r)(6)}.

As would be expected, industry has taken a great deal of interest in this rulemaking, going all the way back to their participation in EO 13650 listening sessions and responding to the EPA’s EO 13650 request for information. In just the last couple of weeks there have been a number of meetings at OIRA between a wide variety of groups and the EPA. The OIRA web site provides a listing of those meetings (NOTE: the names listed below are the meeting requestor names; the links provide more details about who participated in the meetings):


I expect that we will see this NPRM published in the Federal Register later this week.

3 DHS Acquisition Cybersecurity Rules to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received three notices of proposed rulemaking (NPRM) from the DHS Office of the Secretary relating to cybersecurity requirements in the DHS acquisition process. Those rulemakings were:

Only the first rulemaking has been published in the Unified Agenda so we can only make assumptions as to the content of the other two. It is very possible that the second does not really address cybersecurity issues at all.

The unified agenda listing for the Safeguarding of Sensitive Information rule only specifically mentions personally identifiable information, but the way that it is worded could certainly include controlled but unclassified (CBU) information that will be regulated by rules being established by the National Archives and Records Administration (final rule under review at OIRA). It will be interesting to see if this DHS rule includes the same NIST computer standards that are expected to be included in the NARA rule.

OIRA typically approves acquisition rulemakings faster than wider regulatory issues so we might see an approval here in the next month or so.


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking (NPRM) from the Pipeline and Hazardous Material Safety Administration (PHMSA) for its rulemaking: Hazardous Materials: Oil Spill Response Plans and Information Sharing for High-Hazard Flammable Trains.

The advance notice of proposed rulemaking (ANPRM) was published in August of 2014. There were over 200 public responses to that ANPRM. Most of those came from individuals, not organizations or companies, though there are indications that at least one letter writing campaign was involved.

OIRA could take months to clear this controversial NPRM for publication.

Wednesday, February 24, 2016

NIST Announces ISPAB Meeting

Today the National Institute of Standards and Technology published a meeting notice in the Federal Register (81 FR 9169-9170) for a 3-day public meeting of the Information Security and Privacy Advisory Board (ISPAB) starting on March 23rd, 2016 in Washington, DC. There is no indication that there will be a web cast of the sessions.

The agenda for the meeting includes:

• Presentation from DHS, National Protection and Programs Directorate,
• Updates on OMB Circular No. A-130 Revised, Management of Federal Information Resources,
• Legislative updates relating to security and privacy,
• Overview on Information Sharing and Analysis Organization (ISAO), information sharing in the communications sector, and the Communications Security, Reliability and Interoperability Council (CSRIC),
• Briefing from the DOC, Office of Chief Data Officer,
• DHS, National Cybersecurity Assessment and Technical Services briefing on penetration testing,
• Discussion on password storage with Federal Chief Information Officers,
• Presentation from American Council for Technology and Industrial Advisory Council (ACT-IAC) on Cybersecurity Ideation Initiative Report,
• FedRAMP Updates on “High” baseline security controls,
• Briefing on security and privacy relating to autonomous vehicles,
• Presentation on the United States Cybersecurity Research and Development Plan, and
• Updates on NIST Computer Security Division.

Registration will not be required to attend this meeting. There will be a short public comment period on March 25th. Advance registration for the limited public speaking times is suggested. Written comments may be submitted by snail mail to:

ISPAB Secretariat
Information Technology Laboratory
100 Bureau Drive, Stop 8930
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930


There are lots of interesting things that are going to be discussed here over a three-day period. It seems a shame that NIST cannot provide a web cast of the meetings. What seems ludicrous, however, is that written comments have to be submitted on paper via snail mail. I know that NIST does not like using the Federal eRulemaking Portal, but there should at least be an email address for submitting such comments.