Friday, January 30, 2015

ICS-CERT Publishes Alert for Maritime Communication System

Today the DHS ICS-CERT published an alert for a public report of a vulnerability in the Cobham Sailor 900 VSAT. The vulnerability was publicly disclosed without coordination with either the vendor or ICS-CERT. ICS-CERT is trying to coordinate with vendor to determine if the vulnerability actually exists and, if it does, what the vendor will be doing about mitigating the vulnerability.

ICS-CERT reports that the vulnerability is a buffer overflow vulnerability that would allow an attacker to remotely exploit the vulnerability to execute arbitrary code. ICS-CERT notes that the vulnerability does not appear to affect navigation.

It has been a while since we have seen an alert from ICS-CERT, more researchers who publicly report vulnerabilities are now coordinating their disclosures through one agency or another. ICS-CERT does not typically identify the researcher or the location of the publication of the uncoordinated disclosure.

This vulnerability is not in a system that most people associate with ‘industrial control systems’ but it does show how wide spread cyber vulnerabilities have become. It will be interesting to see what downstream control systems could be affected by an exploit of this vulnerability. There are lots of control systems on modern ships.

Is ICS-CERT the most logical agency to handle this disclosure? Maybe not, but they would have more experience coordinating disclosures than either the Coast Guard (maritime) or the FCC (sat com).

PHMSA Publishes Special Permit Incorporation NPRM

Today the DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) published a notice of proposed rulemaking (NPRM) in the Federal Register (80 FR 5339-5449). This rulemaking addresses the MAP 21 (PL 112-141; §33012) requirement to review current Special Permits (SP) issued by PHMSA that are more than 10 years old to determine if they should be incorporated into the current hazardous materials regulations (HMR).

This proposed rule:

● Sets forth the methodology developed to conduct the required review (and the annual reviews to be conducted in the future);
● Identifies those SPs that can be incorporated and the proposed language for that incorporation;
● Identifies those SPs that cannot be reasonably incorporated and explains why the incorporation is not feasible; and
● Responds to rule making petitions related to existing SPs.

SPs Evaluated

PHMSA evaluated 1,168 SPs that were active and over 10 years old on January 1, 2013. Of those only 98 were deemed to be appropriate for adoption into the HRM. There is a lengthy table that lists those permits. It shows the permit number, the general category (six categories were established for the purpose of this review), a summary of the permit and the number of permit holders affected.

If only 98 permits were adopted for incorporation, it only stands to reason that there would be 1,070 permits that were not considered suitable for incorporation. As required by MAP-21 the preamble to this rule also lists each of those SPs. That table lists the same information described above along with a code that describes the general reason that the SP was not considered suitable. Those codes are:

2 – These SPs were not considered suitable for adoption because of their application; i.e., they were not widely-used, were too technical in nature, or were too specific to a SP holder; 
3 – These SPs were not considered suitable for adoption because of the specificity of the SP;
4 – These SPs were being addressed in other rulemakings; and
5 – These SPs were already adopted or authorizations were already specified in the current HMR.

Response to Petitions

Four petitions were considered during this rulemaking development:
P-1607 – To adopt the provisions of DOT SP-11458 that authorizes display packs of consumer commodity packages that exceed the 30 kg gross weight limitation;
P-1608 – To adopt standards for the construction and use of Fiber Reinforced Plastic (FRP) Cargo Tanks under DOT-SP 11903 and used under party status in DOT SP-9166;
P-1610 – To adopt the provisions of DOT-SP 11110 into the HMR that authorizes cargo aircraft operators to load division 1.4S and Class 8, PG III materials in inaccessible cargo locations in excess of the limitations specified in § 175.75(c); and
P-1611 – To adopt the provisions of DOT-SP 11470 into the HMR that authorizes the transportation in commerce of shrink-wrapped pallets containing boxes of waste ORM-D materials with the word “WASTE” marked on the outside of the pallet instead of the individual box.

Petitions P1607 and P1611 were accepted and incorporated into this rulemaking.

Summary of Incorporations

The preamble to the rule provides a brief overview of the changes that were made to the HMR by providing a brief description of the SPs that were accepted for incorporation. To make it easier to follow those changes there is a separate discussion of each of the six categories of SPs identified by PHMSA. Those discussion categories are:

Public Comments

PHMSA is soliciting public comments on this NPRM. Comments may be submitted via the Federal eRulemaking Portal {; Docket: PHMSA-2013-0042 (HM-233F)}. Comments should be submitted by March 31st, 2015.

Bills Introduced – 1-30-15

The House was not in session yesterday and there were 31 bills introduced in the Senate. There was only one that may be of specific interest to readers of this blog:

S 304 - A bill to improve motor vehicle safety by encouraging the sharing of certain information. Sen. Thune, John [R-SD]

I suspect that this might be a bill requiring automated information sharing between motor vehicles and/or between motor vehicles and roadway control devices. If this is the case I will treat this as a control system and watch for security requirements.

Thursday, January 29, 2015

ICS-CERT Publishes Another HART DTM Advisory

This afternoon the DHS ICS-CERT published another HART DTM advisory, this time for systems from Honeywell. This new advisory lists the affected Honeywell systems and reports that Honeywell has validated the CodeWrights fix in their equipment. Honeywell has made a patch available.

I guess that ICS-CERT has decided against listing all of the vulnerable systems in the CodeWrights advisory as they had originally reported. I can see pros and cons for either method of reporting.

I won’t describe these vulnerabilities in detail when I report them; no sense in just repeating the same words each time. Instead, I’ll just refer back to the original Emerson advisory since that is the only one so far to specifically mention physical security of the communications loop.

Bills Introduced – 1-28-15

Yesterday there were 87 bills introduced in the House and Senate. Only one may be of specific interest to readers of this blog:

HR 580 - To protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach. Rep. Rush, Bobby L. [D-IL-1]

If this is just an IT breach notification law as it appears to be then this will be the last mention of the bill in this blog.

Wednesday, January 28, 2015

Apology to ICS-CERT

It has been called to my attention that I made a serious error in yesterday's blog post about ICS-CERT advisories. In a note at the end I claimed that ICS-CERT had not reported a Siemens advisory on problems with the HART DTM. I was very badly mistaken. The referenced Siemens advisory dealt with NTP issues not the HART DTM.

I apologize for my error.

Bills Introduced – 1-27-15

Yesterday 65 bills were introduced in the House and Senate. Only one would be of specific interest to readers of this blog:

S 272 A bill making appropriations for the Department of Homeland Security for the fiscal year ending September 30, 2015, and for other purposes. Sen. Shaheen, Jeanne [D-NH]

This is almost certainly a ‘clean’ spending bill designed to be considered instead of the House passed version of HR 240. It is unlikely that this bill will go anywhere.

Tuesday, January 27, 2015

ICS-CERT Publishes Two Advisories and an Update

Today the DHS ICS-CERT published two new advisories and updated a two week old advisory. The new advisories addressed vulnerabilities in control system applications from Schnedier and Magnetrol. The update was for the CodeWrights advisory.

CodeWrights Update

This update provides a slight expansion of the scope of the vulnerability. It explains that “the exploit is possible from any adjacent network between the FDT/DTM frame application and the HART transmitter on the 4 mA to 20 mA current loop”. The previous version noted only that access “to the 4 mA to 20 mA HART current loop is required to exploit this vulnerability”.

This slightly weakens the claim that crafting “a working exploit for this vulnerability would be difficult”.

Schneider Advisory

This advisory describes a stack-based buffer overflow vulnerability in a number of Schneider products. The original discover by Ariele Caltabiano (kimiya) with HP’s Zero Day Initiative (ZDI) dealt with the vulnerability in the SoMove Lite software package. Schneider subsequently discovered the same vulnerability in a number of device type managers (DTM) containing the same DLL. Schneider has produced a patch that mitigates the vulnerability, but there is no mention if kimiya has been given the opportunity to validate the effectiveness of the patch.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability to execute arbitrary code on the affected systems. Schneider reports that the patch will replace the vulnerable FTD1 DLL.

Magnetrol Advisory

This advisory is kind of a waste of time. It describes the same CodeWrights vulnerability described in the advisory that was updated today. In fact, Magnetrol is one of the companies listed in the CodeWrights advisory as potentially having vulnerable HART DTM library is some of their products. The whole point of the CodeWrights advisory was that ICS-CERT could update that advisory when some vendor announced their implementation of a fix for the vulnerability in their equipment.

Oh well, Magnetrol has integrated the CodeWrights update and issued revised HART DTM library extensions.

BTW: ICS-CERT still has not mentioned the Siemens report of this vulnerability in some of their systems. I had expected them in the next (read this one) CodeWrights update to add Siemens to the list of affected vendors. I guess that I am just expecting too much from ICS-CERT.

I owe ICS-CERT a major public apology. The ‘missing’ Siemens vulnerability report deals with the NTP issue not the CodeWrights Vulnerability.

1,4-Butanediol Now a Drug?

Today the Food and Drug Administration (FDA) published a notice in the Federal Register (80 FR 4283-4288) that the World Health Organization was considering placing 1,4-Butanediol (BDO) on the Schedule 1 list of the Convention on Psychotropic Substances of 1971. If this proposal were adopted it could lead to the regulation of this industrial chemical under the Controlled Substances Act (21 USC Chapter 13).

The basis for this recommendation is the fact that the human body metabolizes BDO into gamma-hydroxybutyric acid (GHB) a well-known drug of abuse frequently known on the streets as ruffies or the ‘date-rape drug’.

In a previous place of employment I was responsible for the manufacture of an industrial coating product that used BDO as one of the primary ingredients. During our safety assessment of this raw material we became aware of this potential use of the chemical. Since voluntary ingestion of industrial chemicals is not a common mode of exposure we decided not to take any specific measures to protect employees from this possible exposure risk. Management did make the decision not to communicate this specific hazard to employees to reduce the risk that employees might start considering this industrial chemical as a potential recreational drug.

I am not currently up to speed on the provisions of the CSA, so I cannot discuss in any detail the requirements that a company would have to go through to register with the Federal Government and to track and protect its inventory of BDO if this proposed listing were to become law. I suspect that they would be onerous and unusual for most industrial chemical manufacturers.

The FDA is seeking public comment on this matter. Comments may be submitted via the Federal eRulemaking Portal (; Docket # FDA-2015-N-0045). Comments must be submitted by February 26th, 2015 so that the FDA can formulate their response to the WHO. Interestingly the WHO has asked for a response by January 30th, 2015; Friday. WHO communicated their request on December 14, 2014.

Sunday, January 25, 2015

Committee Hearings – Week of 1-25-14

Here we are in the fourth week of the 114th Congress and the hearing schedule is starting to pick up. There are only two hearings this week, both on the Senate side, that may be of specific interest to readers of this blog; one on cybersecurity and one on rail transportation safety.


On Wednesday the Senate Homeland Security and Governmental Affairs Committee will be holding a hearing on Protecting America from Cyber Attacks: The Importance of Information Sharing. The witness list makes it clear that the focus of this hearing will be on the IT side of cybersecurity.

Freight Rail Safety

The Senate Commerce, Science and Transportation Committee will be holding a hearing on Wednesday on Freight Rail Transportation: Enhancing Safety, Efficiency, and Commerce. The current witness list includes:

● Mr. Frank Lonegro – CSX Transportation;
● Mr. Dave Brown – Genesee & Wyoming Railroad Services;
● Mr. Bill Johnson – Former Director of Port Miami and Former Chair of the Florida Ports Council;
● Ms. Michelle Teel – Missouri Department of Transportation; and
● Mr. Chris Jahn – The Fertilizer Institute

It is clear from this list that hazardous material transportation will be one of the topics discussed. Given that fact it is slightly disappointing that no one from the emergency response community is included on the witness list.

Byproducts and Unintended Consequences

There is an interesting discussion going on over on the Hazardous Materials Emergency Response (group membership required) group on LinkedIn about one of the byproducts of the current crude oil glut. As more expensive crude oil production sites are closed off due to the low market price of crude oil, there will be a reduction in the amount of crude oil transported in the US and Canada by railroad. One would like to think that this will lead to an increasing number of the most hazardous DOT 111 railcars being taken out of crude oil service.

Bill Barnholt, Cobra Hazmat/Safety Consulting & Training, writes in his discussion that:

“This means that there's going to be hundreds of (hopefully residue not loaded) tank cars being stored in areas that aren't used to having them around. This also increases the possibility of sabotage of the tank cars being stored. This will make the need for Emergency Responders even greater.”

Now this is not really an unusual occurrence. There are certain types of railcars that are periodically idled. The use of grain transport hopper cars, for instance, drops off dramatically after the harvest has been transported to market. The cars that are not actively in use are parked on some sort of non-active track until they are needed again.

The problem with these crude oil railcars, however, is that they may contain significant amounts of crude oil residue. While there certainly isn’t enough in a rail car to cause the sorts of fires that we have seen in the last year or so, there certainly is enough flammable vapors in these cars to cause a sizeable explosion if enough oxygen is present and there were some sort of ignition source.

I know that sounds dangers but there are two important ‘ifs’ in that statement. First enough oxygen must be present. We would expect these cars to be closed and, unless someone deliberately introduced oxygen into them, it is highly unlikely that there would be enough oxygen to support combustion inside the car. Second you would need a heat source (fire, electrical spark, etc) inside the car to provide an ignition source.

The very low probability problem could be eliminated by washing out the crude oil residues out of the railcars. Anyone that has ever cleaned a greasy auto part will have some inkling of the problems that are involved in this process. Needless to say this is not something that can be done safely or environmentally soundly just anywhere. Special facilities are required, the wash residue is typically a hazardous waste, and everything about this is quite expensive.

To the best of my knowledge there is no regulatory program that would require the owners of these cars to have them cleaned prior to parking them on a siding somewhere. Even more scary is the fact that there are no regulations that govern the security of these railcars that contain only residues. And there are certainly no rules governing where they can be parked.

Theoretically it would be fairly simple to turn these residue containing tank cars into rather impressive bombs. Some of the equipment would be a tad bit heavy for transporting by hand and it would take a little bit of knowledge about rail car fittings, but with the proper equipment and about 30 minutes access to the railcar a vapor phase explosion could be produced.

The effects of the explosion would be dependent on a number of factors, most of which would not be readily discernable before the attacker opened the railcar. I would expect, however, that if enough crude oil residues were present, it would be possible to produce a large enough explosion to damage nearby structures, kill people, and attract national news attention. In other words, it would be a successful terrorist attack if it took place near inhabited areas.

It is certainly too late to start any legislative or regulatory action to address the immediate issue. Local police departments should probably plan on actively patrolling these parking areas and all first responders should have a good idea where these railcars are parked in and near communities.

Other than that the best we can do is to continue to hope that the various wackos that wish to create death and destruction in support of whatever cause ignites their anger continue to lack the creativity and knowledge necessary to execute these types of attacks.

Saturday, January 24, 2015

OMB Approves FRA Risk Reduction Rule

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved the FRA’s notice of proposed rulemaking (NPRM) for the Railroad Risk Reduction Program.

As I noted in my post about the advance notice of proposed rulemaking (ANPRM) published in December of 2010 the amount of hazardous materials that a railroad carries (and particularly carries through major urban areas) will have a significant impact on the requirements of this risk reduction program. When I wrote that post I was mainly concerned with the transit of toxic inhalation hazard (TIH) chemicals and the emergency response requirements for those chemicals that should be included in this rule.

Since that time we have had a number of accidents with crude oil unit trains that have resulted in very large fires with multiple explosions. I would suspect that the FRA has included specific requirements for those trains in this NPRM.

We should see this NPRM published in the Federal Register in the coming week.

Friday, January 23, 2015

PHMSA Publishes HMR Update NPRM

Today the DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) published a notice of proposed rulemaking (NPRM) in the Federal Register (80 FR 3787-3838). The proposed rule would make a number of changes to the US hazardous material regulations (HRM); some based upon responses to public petitions, others on responses to NTSB accident investigation recommendations and some were initiated by internal agency actions.

Petition Responses

The changes proposed in this rulemaking include responses to the following public petitions:

P-1590 – Dangerous Goods Advisory Council (DGAC) - Remove the PG II designation for certain organic peroxides, self-reactive substances and explosives in the § 172.101 Hazardous Materials Table (HMT);
P-1591 – Air Products and Chemicals, Inc - Amend the marking requirements for poisonous by inhalation shipments transported in accordance with the International Maritime Dangerous Goods (IMDG) Code or Transport Canada's Transport of Dangerous Goods (TDG) Regulations (§ 171.23);
P-1597 – DGAC- Require that emergency response telephone numbers be displayed on shipping papers numerically (§ 172.604);
P-1601 – United Parcel Service (UPS) - Amend the packaging instructions for certain shipments of nitric acid by requiring intermediate packaging for glass inner packagings (§ 173.158);
P-1604 – National Propane Gas Association (NPGA) - Extend the pressure test and internal visual inspection test period to ten years for certain MC 331 cargo tanks in dedicated propane delivery service (§ 180.407);
P-1605 – Compressed Gas Association (CGA) - Incorporate by reference in § 171.7 CGA Pamphlet G-1.6, Standard for Mobile Acetylene Trailer Systems, Seventh Edition(§§ 171.7 and 173.301); and
P-1609 – Truck Trailer Manufactures Association - Clarify the requirements applicable to the testing of pressure relief devices for cargo tank motor vehicles (§ 180.407).

NTSB Recommendations

Some of the changes are based upon two recent NTSB recommendations dealing with the shipment of acetylene cylinders mounted on mobile acetylene trailers. The specific NTSB recommendations were:

H-09-01 - Modify 49 CFR § 173.301 to clearly require (1) that cylinders be securely mounted on mobile acetylene trailers and other trailers with manifolded cylinders to reduce the likelihood of cylinders being ejected during an accident and (2) that the cylinder valves, piping, and fittings be protected from multidirectional impact forces that are likely to occur during highway accidents, including rollovers; and
H-09-02 - Require fail-safe equipment that ensures that operators of mobile acetylene trailers can perform unloading procedures only correctly and in sequence.

PHMSA Initiated Changes

There is a rather extensive list of PHMSA initiated changes include in this NPRM. That list includes:

● Revise § 107.402(d)(2) to replace the term “citizen” with the term “resident.”
● Revise § 107.402(e) to require that a lighter certification agency submits a statement that the agency is independent of and not owned by a lighter manufacturer, distributor, import or export company, or proprietorship.
● Revise § 107.402(f) to require portable tank and multi-element gas container (MEGC) certification agencies to submit a statement indicating that the agency is independent of and not owned by a portable tank or MEGC manufacturer, owner, or distributor.
● Revise § 107.807 to require a cylinder inspection agency to be independent of and not owned by a cylinder manufacturer, owner, or distributor.
● Remove the entry for CGA Pamphlet C-1.1 in Table 1 to § 171.7.
● Incorporate by reference updated versions of the American Association of Railroads (AAR) Manual of Standards and Recommended Practices, Section C-III, Specifications for Tank Cars, Specification M-1002 in § 171.7.
● Revise the § 172.101 table to add Special Provision B120 to Column (7) for the entry “Calcium nitrate, UN1454.”
● Revise the entry for “Propellant, solid, UN0501” to remove vessel stowage provision 24E from Column (10B) of the HMT.
● Revise the PG II HMT entry for “UN2920, Corrosive liquids, flammable, n.o.s.,” to for consistency with the UN Model Regulations, IMDG Code, and the ICAO TI such that this entry is eligible for the limited quantity exceptions.
● Revise the PG II HMT entry for “UN3085, Oxidizing solid, corrosive, n.o.s.” for consistency with the UN Model Regulations, IMDG Code and the ICAO TI such that this entry is eligible for the limited quantity exceptions.
● Revise the HMT entries for “Trinitrophenol (picric acid), wetted,with not less than 10 percent water by mass, UN3364” and “Trinitrophenol, wetted with not less than 30 percent water, by mass, UN1344” to harmonize the HMR with the UN Model Regulations, IMDG Code, and the ICAO TI to clarify that the 500 gram limit per package does not apply to UN1344 but does apply to UN3364.
● Revise Special Provision 136, assigned to the proper shipping name “UN3363, Dangerous goods in machinery or apparatus,” in § 172.102 to include reference to Subpart G of Part 173.
● Remove reference to obsolete Special Provision 18 for the HMT entry “UN1044, Fire extinguishers” and in § 180.209(j) and provide correct cross reference to § 173.309.
● Correct a reference in § 172.201 to exceptions for the requirement to provide an emergency response telephone number on a shipping paper.
● Revise §§ 172.301(f), 172.326(d) and 172.328(e) to include the clarification that the NOT-ODORIZED or NON-ODORIZED marking may appear on packagings used for both unodorized and odorized liquefied petroleum gas (LPG), and remove the effective date of October 1, 2006 or “after September 30, 2006,” if it appears in these paragraphs, as the effective date has passed.
● Amend § 172.406(d) by clearly authorizing the use of labels described in Subpart E with a dotted or solid line outer border on a surface background of contrasting color.
● Update a mailing address in § 172.407(d)(4)(ii).
● Clarify the marking size requirements for an intermediate bulk container (IBC) that is labeled instead of placarded by replacing the bulk package marking reference in § 172.514(c) with the non-bulk marking reference, specifically, § 172.301(a)(1).
● Revise § 173.4a(a) to clarify that articles (including aerosols) are not eligible for excepted quantity reclassification under § 173.4a, although some are eligible to be shipped as small quantities by highway and rail in § 173.4.
● Revise § 173.21(e) to prohibit transportation or offering for transportation materials in the same transport vehicle (e.g., a trailer, a rail car) with another material, that could cause a dangerous evolution of heat, flammable or poisonous gases or vapors, or produce corrosive materials if mixed.
● Clarify that the requirements provided in paragraph § 173.24a(c)(1)(iv) do not apply to limited quantities packaged in accordance with § 173.27(f)(2).
● Clarify the quantity limits for mixed contents packages prepared in accordance with § 173.27(f)(2).
● Clarify the requirements applicable to bulk transportation of combustible liquids by adding new subparagraph § 173.150(f)(3)(xi) stating that the registration requirements in Subpart G of Part 107 are applicable and revising §§ 173.150(f)(3)(ix) and 173.150(f)(3)(x) for punctuation applicable to a listing of requirements.
● Add a new paragraph (j) in § 173.159 to allow shippers to prepare for transport and offer into transportation damaged wet electric storage batteries.
● Revise § 173.166(e)(6) to add the words “or cargo vessel.”
● Revise §§ 173.170 and 173.171 by changing the term motor vehicle to transport vehicle to allow for motor vehicles comprised of more than one cargo-carrying body to carry 100 pounds of black or smokeless powder reclassed as Division 4.1 in each cargo-carrying body instead of 100 pounds total in the motor vehicle.
● Revise § 173.199(a)(4) by removing the reference to the steel rod impact test in § 178.609(h).
● Clarify the Packing Method table for organic peroxide materials in § 173.225.
● Amend the bulk packaging section reference in Column (8C) of the HMT from § 173.240 to § 173.216 for the entries “Asbestos, NA2212,” “Blue asbestos (Crocidolite) or Brown asbestos (amosite, mysorite) UN2212,” and “White asbestos (chrysotile, actinolite, anthophyllite, tremolite), UN2590.” In addition, we are proposing to revise paragraph (c)(1) in § 173.216 by authorizing the use of bulk packages prescribed in § 173.240.
● Add a new paragraph (d)(5) to § 173.304a, a new paragraph (h) to § 173.314 and revise § 173.315(b)(1) to require odorization of liquefied petroleum gas when contained in cylinders and rail cars.
● Amend § 173.306(k) to clarify that aerosols shipped for recycling or disposal by motor vehicle containing a limited quantity are afforded the applicable exceptions provided for ORM-D materials granted under §§ 173.306(i) and 173.156(b).
● Create a new paragraph (d) in § 175.1 stating that the HMR do not apply to dedicated air ambulance, firefighting, or search and rescue operations.
● Correct § 175.8 by adding the appropriate 14 CFR, Part 125 citations.
● Clarify exceptions for passengers, crewmembers, and air operators in paragraphs (a)(18), (a)(22), and (a)(24) of § 175.10 for the carriage of hazardous materials aboard a passenger aircraft.
● Clarify § 175.75(e)(2) by replacing the word “located” with “certificated.”
● Clarify § 176.30(a)(4) by replacing the word “packaging” with “package.”
● Clarify that the loading restrictions in § 177.835(c)(1) through (4) are applicable to § 177.848(e).
● Revise § 178.65(i)(1) to correctly reference the manufacturer's report requirements in § 178.35(g).
● Clarify § 178.337-17(a) to eliminate confusion of the name plate and specification plate requirements.
● Correct an editorial error in the formula in § 178.345-3(c)(1).
● Include provisions consistent with the non-bulk packaging and IBC approval provisions for Large Packagings in § 178.955.
● Clarify the requirements for Federal Railroad Administration (FRA) approval of tank car designs in § 179.13.
● Revise § 180.401 to replace the term “person” with “hazmat employee or hazmat employer” to clarify that Subpart E of Part 180 does not only apply to persons offering or transporting hazardous materials.

Public Comments

PHMSA is soliciting public comments on this NPRM. Comments may be submitted via the Federal eRulemaking Portal {; Docket # PHMSA-2013-0225 (HM-218H)}. Comments should be submitted by March 24th, 2015.

Bills Introduced – 1-22-15

There were 130 bills introduced in the House and Senate yesterday. Of those only two might be of specific interest to readers of this blog:

HR 490 - To provide for a strategic plan to reform and improve the security clearance and background investigation processes of the Federal Government, and for other purposes. Rep. Lynch, Stephen F. [D-MA-8]

HR 505 - To establish a Hazardous Materials Information Advisory Committee to develop standards for the use of electronic shipping papers for the transportation of hazardous materials, and for other purposes. Rep. Lipinski, Daniel [D-IL-3]

HR 490 will only be of specific interest if it includes requirements for non-governmental security clearances. The rules governing the issuance of security clearances for government employees and contractors are slightly different from those issued for the purely private sector.

ICS-CERT Publishes Advisory and TIP

Yesterday the DHS ICS-CERT published an advisory for a vulnerability in a Siemens system and a tip about best practices for continuity of operations.

Siemens Advisory

This advisory describes an open redirect vulnerability in the Siemens SIMATIC S7-1200 CPU family. The vulnerability was reported to Siemens by Ralf Spenneberg, Hendrik Schwartke, and Maik Brüggemann from OpenSource Training. Siemens has provided an update that mitigates this vulnerability, but there is no indication that the researchers have verified the efficacy of the fix.

ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to redirect users to a malicious web site. The exploit would require a social engineering attack.

BTW: Still no mention of the Siemens NTP vulnerability.

Continuity TIP

This document provides a rather extensive list of things to ensure the survivability of a network from a malicious intrusion. This looks to be more targeted at IT and network systems than specifically directed at control system security.

I did not see anything new or earth shattering, nor is anything described in the detail necessary for someone that doesn’t already understand this stuff to implement. This may, however, provide a basic check list for managers to use to question their cybersecurity folks on the status of their security processes.

Tuesday, January 20, 2015

ICS-CERT Publishes Two New Advisories

This afternoon the DHS ICS-CERT published two new advisories reporting multiple vulnerabilities in systems from Schneider Electric and Siemens.

Schneider Advisory

This advisory reports on two vulnerabilities reported in in Schneider Electric’s ETG3000 FactoryCast HMI Gateway by Narendra Shinde of Qualys Security. Schneider has produced a firmware update that mitigates the vulnerabilities. There is no indication in the advisory that Shinde was allowed to validate the efficacy of the update.

The two reported vulnerabilities were:

● Unauthenticated access - CVE-2014-9197; and
● FTP hardcoded credentials - CVE-2014-9198

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to access to the HMI Gateway. ISC-CERT also reports that Shinde reported that default credentials also allow access to configuration files, but this is not counted as a ‘vulnerability’.

The advisory also reports that the firmware update does not actually change the FTP credentials; it merely disables the FTP. The Schneider ‘readme’ document accompanying the firmware updated download explains what functions are lost when the FTP is disabled. Schneider also notes that upon an ETG reboot the FTP is automatically re-enabled.

Siemens Advisory

This advisory reports twin denial of service vulnerabilities in the SCALANCE X-300/X408 switch family. The vulnerabilities were reported by Déjà vu Security. Siemens has produced a firmware update that mitigates the vulnerabilities but there is no indication that Déjà vu Security has had the opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to execute a denial of service attack. Siemens reports that both vulnerabilities require network access and one of the vulnerabilities requires the attacker be able to sign in to the FTP server.

Missed Siemens Advisory

Readers who follow me on TWITTER® (@pjcoyle) know that yesterday when Siemens reported their SCALANCE vulnerability they also reported on their NTP vulnerability in their RuggedCom devices. This is the set of vulnerabilities reported by ICS-CERT back in December. Siemens reports that their ROX based devices may be affected by those vulnerabilities.

They report that they are working on updates for the affected products. Their current advisory does provide some interim mitigation measures that system owners can take while waiting for the updates to be made available.

I suspect that the reason that ICS-CERT did not report this particular Siemens vulnerability is that the original NTP Advisory ‘addressed the problem’. Unfortunately it looks like Siemens (and perhaps other vendors) may have to take additional actions to protect their systems beyond that recommended in the NTP Advisory.

ISCD Updates CFATS Knowledge Center

Today the folks at DHS Infrastructure Security Compliance Division (ISCD) published a new frequently asked quest (FAQ) on the CFATS Knowledge Center. The new FAQ (# 1735) asks (and, of course, answers):

“How may a corporation with multiple facilities regulated under CFATS request the corporate approach and what benefits does this provide the corporation?”

The response (sorry no permanent links to FAQs or responses) explains that for many organizations with multiple CFATS facilities at least some portion of the chemical security plans are operated out of the corporate office not the local facility. Where the corporate portion of the plan is the same (or substantially similar) across multiple facilities it makes eminent sense for ISCD to inspect that portion one time and share the results with the various facility chemical security inspectors.

The FAQ response does not go into  a great deal of detail about how this program works but it does provide suggested methods of connecting with ISCD to get involved in the program:

● Contact an Inspector or Regional Director in the area where the facility’s corporate headquarters is located;
● Contact the Compliance Case Manager responsible for the region where the majority of your facilities are located; or
● Contact the CFATS help desk at 866-323-2957 or to request information on your local contacts.

HR 53 Introduced – Cybersecurity Education

As I reported in an earlier post Rep. Jackson-Lee (D,TX) introduced HR 53, the Cyber Security Education and Federal Workforce Enhancement Act. This bill would formally establish the current the Cybersecurity Education and Awareness Branch (CEA) within the Department of Homeland Security’s (DHS) Office of Cybersecurity and Communications (CS&C). The CEA manages the National Initiative for Cybersecurity Careers and Studies (NICCS).

This program in DHS is not specifically mentioned in the Explanatory Statement that accompanied HR 240 (the current DHS funding bill). Presumably the funding for this program comes out of the $15 million for education listed under ‘Global Security Management’. This bill would do nothing to increase that funding, but might raise the level of visibility to the point where it might get mentioned in the future.

The programs identified in the bill would help foster federal cybersecurity workforce development. There would certainly be some spillover effect into the private sector as personnel moved out of the government and the education programs produced cybersecurity trained personnel excess to the government needs.

If Ms. Jackson-Lee can convince the Republican leadership in three committees (Homeland Security, Science and Technology, and Education and Workforce) to consider this bill then the bill might make it to the floor in the House. There is nothing in the bill that would seem to inspire specific opposition, so it would probably pass if considered.

Monday, January 19, 2015

First HR 4007 Deadline Passes

Saturday the first deadline for HR 4007 came and went. This marked 30 days since the President signed the bill into law. This means that 6 USC 21 is now the governing law for the Chemical Facility Anti-Terrorism Standards (CFATS) and the old §550 authorization no longer applies.

Revocation Rule Deadline

As I predicted last month the Secretary missed the deadline to publish a rule revoking those provisions of 6 CFR 27 that are “duplicative of, or conflicts with” {§2107(b)} 6 USC 21. To be fair, I still have not found any specific provisions of the CFATS regulations that fall under this requirement. So it may not have been necessary to issue any revoking language. If that had been the case, it might have been nice for ISCD to issue a statement to that effect.

Grandfathered SSPs

We still have not heard any official (or unofficial for that matter) word from DHS about the status of the Site Security Plans that have been authorized or approved since the President signed HR 4007 into law. You might recall that §2102(c)(3)(B) provides that any facilities with approved site security plans (SSPs) as of the date of the President’s signature on HR 4007 (12-18-14) cannot be required to submit new SSPs just because Title XXI has become law. Plans approved since that date do not have that legal protection.

I don’t expect that the management at ISCD will want to increase the workload of their chemical security inspectors by going back and revisiting the site security plans approved in the last month (not that that will have been a very large number because of the holidays), but legally these site security plans have not been approved under the standards set by the current law. It would be helpful (if not actually legally binding) for the Secretary to publish a notice in the Federal Register laying out the status of SSPs being approved while the new CFATS regulations are being written.

Friday, January 16, 2015

ICS-CERT Publishes 2 Advisories

Yesterday the DHS ICS-CERT published two ‘new’ advisories that had been previously published on the US-CERT Secure Portal; one for a GE application and one for an application from Arbiter Systems.

GE Advisory

This advisory describes a memory access violation vulnerability in the GE CIMPLICITY CimView application. The vulnerability was reported by Said Arfi. GE has produced an update that mitigates the vulnerability but there is no report of Arfi verifying the efficacy of the update.

ICS-CERT reports that a moderately skilled attacker could exploit this vulnerability to execute arbitrary code. While the advisory states that this vulnerability could not be remotely exploited, it does note that user interaction is required to exploit. That would seem to mean that a specially crafted social engineering attack could cause a local user to upload the .CIM file needed  to exploit this vulnerability.

This is the second GE advisory this week that has been withheld from public view for almost 90 days after it was released on the US-CERT Secure Portal. It is hard to understand why it would take that length of time for GE systems owners to mitigate this vulnerability, especially since the vulnerability is not supposed to be remotely exploitable.

Arbiter Systems Advisory

This advisory describes a GPS clock spoofing vulnerability. This vulnerability was apparently self-reported. Arbiter Systems has developed a new product that does not have the reported vulnerability.

ICS-CERT reports that while the vulnerability is remotely exploitable the vendor believes that it would be difficult to craft a workable exploit. They are so sure of this, in fact, that Arbiter Systems still intends to sell the vulnerable system. ICS-CERT does explain that a successful exploit could disrupt the clock.

What is not explained in the advisory is that disrupting a clock in a SCADA system will interfere with the coordination of the actions of physically separated components of that system. The potential effects would be determined by what controls were mis-coordinated.

Thursday, January 15, 2015

HR 60 – Cyber Defense National Guard

As I mentioned in an earlier post Rep. Jackson-Lee (D,TX) introduced HR 60, the Cyber Defense National Guard Act. The bill would require the Director of National Intelligence to prepare a report for Congress on the feasibility of establishing a Cyber Defense National Guard (CDNG).

The bill does not establish any requirements for this CDNG beyond the most basic. The purpose provided in the bill would be to “to defend the critical infrastructure of the United States from a cyber attack [sic] or manmade intentional or unintentional catastrophic incident” {§2(b)(2)}. The wording is a little bit awkward and it does not specifically cover potential natural cyber catastrophes such as solar storms, or even hurricanes destroying cyber infrastructure.  

Beyond that basic mission description it is pretty much up to the DNI (in consultation with DOD and DHS) how the CDNG would be constituted, supported, trained and deployed. At this point it is not even clear that the CDNG would be a State supported/commanded force like the current National Guard.

It is interesting that the DNI has been designated as the point person for conducting this study. If this were intended to be just a new type of National Guard unit, the point would have been someone from DOD. If the idea were for this to be some sort of new cyber-emergency response agency it probably would have been a DHS study; probably under the auspices of FEMA.

Keeping with the old saw that if the tool you have is a hammer, all problems look like nails, giving this study tasking to the DNI will almost insure that at least one of the prime missions of the CDNG will be to detect and deter cyberattacks before they become reality. It can certainly be argued that this is the current mission of NSA, but given the bad press that NSA has suffered during the last couple of years, providing a separate agency to look at cybersecurity intelligence activities for critical infrastructure may make such activities more palatable to people outside of the defense community.

Ms Jackson-Lee has a reasonably good working relation with the Chairman of the Homeland Security Committee and if that Committee had been given responsibility for the review of this bill I would expect that it would be considered by that committee sometime this year. But since the DNI was given reporting responsibility the bill was assigned to the Permanent Select Committee on Intelligence. Ms Jackson-Lee is not a member of that committee so I suspect that this bill will die unexamined.

HR 54 Requires Hacker Support

When I reviewed HR 54, the Frank Lautenberg Memorial Secure Chemical Facilities Act, I did not go into any great detail because the bill is dead in the water. I saw a TWEET yesterday from @5ean5ullivan that made me go back and look at one section much more closely. It seems that Rep. Jackson-Lee (D,TX) wants covered chemical facilities to employ hackers to checkout their cybersecurity.

Cybersecurity Requirements

Section 2111(b)(6) requires: “the conduct of tests of facilities should include blue hat, red hat, and white hat hackers to validate the security measures instituted to address cyber based threats”.

Interestingly this requirement does not come in the portion of the legislation that discusses site security plans or risk-based performance standards for security measures. Instead it is found in the section of the bill that deals with Methods to Reduce the Consequences of a Terrorist Attack, commonly referred to inherently safer technology (IST).

In the discussion of the required assessment of IST measures the §2111(b) describes the various things that a facility must look at in conducting their assessment. In an apparent after thought (and certainly never included in earlier versions of Democrat bills on chemical security) are two sub-paragraphs dealing with cybersecurity issues.

The first requires: the design of computing systems and development of plans, exercises, and drills to re-engage computing systems used in the processing, transport, storage of chemicals that are designed [should be ‘designated’] as a ‘‘risk’’ by the Secretary using protocols for trusted recovery under the worse case [worst case?] conditions” {§2111(b)(5)}.

This certainly sounds like a reasonable requirement, but it probably should have been included in §2103(d)(8) the discussion of deterring cyber sabotage in the risk based performance criteria that would be required by this bill.

The requirements to use hackers described above is also out of place in the discussion of IST requirements. I am not so sure, however, that this was intended to be part of the planning requirements for facility security plans. It actually looks like it should have been included in §2104, Site Inspections. If that were the case it would call for DHS to use hackers to evaluate the cybersecurity protections that are part of the site security plan. That would be a radically new type of cybersecurity requirement that I have not seen suggested in any other regulatory program.

Problems with Hacker Requirement

Now I understand how this might sound like a good idea to some congress critter. This would seem to be the only way to verify that proper protective actions have been taken. But as a practical matter, this will cause more problems than it could possible solve. Before we get into any of the technical reasons why this is not a good idea we only need to look at the lack of personnel available to be able to do this type of hack. There are probably not 100 people world-wide familiar enough with control systems to conduct such an evaluation and I would venture to guess that none of them are familiar enough with all of the different types of control systems and components to be able to do a complete evaluation.

Secondly, as many recent presentations have pointed out (see my post here and upcoming posts on from S4x15) have pointed out, it will take a team of people, various control systems experts and chemical engineers, to cause catastrophic damage at a chemical facility. This is, in many ways good news as it is unlikely that the average terrorist group (particularly home-grown terrorists) will have that level of expertise available to conduct such an attack.

Finally, no chemical facility owner/operator is going to allow any outsider to hack into a live control system involved with the handling, storage or manufacture of hazardous chemicals. The potential for problems is just too high. And taking a system down to allow for such an evaluation off-line is just too costly for most chemical facilities.

Congress and Cybersecurity

It is good to see that Congress is starting to seriously think about cyber security. But provisions like this hacker requirement shows just how far removed from reality too many of these congress critters really are. It will be interesting to see how many problems congress tries to institute as they address the complicated problem of cybersecurity.

Wednesday, January 14, 2015

Bills Introduced – 01-13-15

Some congressional staffers were busy over the weekend as 87 bills were introduced in the House and Senate yesterday. Only one of those bills may be of specific interest to readers of this blog:

HR 291 - To establish a WaterSense program, and for other purposes. Rep. Napolitano, Grace F. [D-CA-32]

This bill may only deal with California drought response so I may not mention it again, but you never can tell.

DHS Updates Chemical Sector Training Page

Yesterday the DHS Chemical Sector-Specific Agency (SSA) updated their training page. They now list a number of on-line training courses available from DHS on subjects related to security awareness. The topics include:

These are not chemical facility specific training, but the folks at the Chemical SSA apparently feel that they would be appropriate for chemical facility awareness training.

Unfortunately the link to the previously listed web-based Chemical Security Awareness Training program is no longer provided on this web site. As of 9:30 EST today this link to that training is still good.
/* Use this with templates/template-twocol.html */