Thursday, April 30, 2015

ICS-CERT Publishes OPTO 22 Advisory

This afternoon the DHS ICS-CERT published an advisory for twin buffer overflow vulnerabilities in OPTO 22 products. The vulnerabilities were reported by Ivan Sanchez from Nullcode Team. OPTO has released new versions that mitigate the vulnerabilities and Sanchez has been able to verify the efficacy of the fix.

The twin vulnerabilities are:

∙ Heap-based buffer overflow, CVE-2015-1006; and
∙ Stack-based buffer overflow, CVE-2015-1007.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the heap-based overflow vulnerability. The stack-based overflow would require a social engineering attack before the vulnerability could be remotely exploited.

OPTO reports that the stack-based overflow vulnerability actually resides in a Rockwell OPC Test Client application (no version number is provided). The newer, unaffected OPTO 22 products use a ProSys Test Client application instead. Owners can obtain a copy of the ProSys Test Client from the OPTO 22 FTP site if they do not want to install the updated version of the PAC Project applications.

This is apparently just another case of a vendor using another vendor’s files without understanding the included vulnerabilities. It would be interesting if someone (ICS-CERT maybe) would look to see how many other systems were using the vulnerable Rockwell OPC Test Client.

Automotive Consortium for Embedded Security

Today the DOJ’s Antitrust Division published a notice in the Federal Register (80 FR 24279) that the Southwest Research Institute—Cooperative Research Group on Automotive Consortium for Embedded Security (ACES) has filed paperwork seeking limited protection from federal antitrust regulations under provisions of the National Cooperative Research and Production Act of 1993 (15 USC Chapter 69).

∙ Delphi Automotive Systems, LLC, Kokomo, IN;
∙ Denso International America, Inc., Southfield, MI;
∙ Ford Motor Company, Dearborn, MI;
∙ GM Global Technology Operations LLC, Detroit, MI;
∙ Honda R&D Americas, Inc., Raymond, OH; and
∙ Robert Bosch LLC, Farmington Hills, MI

The listed objectives of the ACES include:

∙ Perform high-risk/high-reward pre-competitive and non-competitive research and development;
∙ Serve as an independent verification and validation entity;
∙ Develop understanding of industry problems and associated risk;
∙ Monitor and share threats and industry research;
∙ Keep abreast of and provide input for emerging safety and security regulations and standards; and
∙ Provide members with relevant solutions and actionable results.


With recent revelations of systemic security vulnerabilities in a number of automotive systems, it is encouraging to see the industry take proactive measures to address these issues. While individual automotive companies could probably come up with adequate solutions to these cybersecurity problems, it makes much more sense for industry-wide solutions to be developed and deployed. This is particularly true given the relatively small number of cybersecurity experts available to work on control system issues in general.

Wednesday, April 29, 2015

PHMSA Publishes Gas Cylinder Safety Advisory

Today the DOT’s Pipeline and Hazardous Material Safety Administration published a safety advisory in the Federal Register (80 FR 23851-23852) concerning unauthorized certification of compressed gas cylinders.

PHMSA reports that between April 1986 and October 2014 Liberty Industrial Gases and Welding Supplies Inc did not properly test ICC, DOT-Specification, or DOT-Special Permit cylinders that were presented for re-certification. Lacking proper testing, PHMSA considers that these cylinders are not safe for the transportation of hazardous materials. Cylinders marked by Liberty should be immediately taken out of service and emptied in an appropriate manner. Cylinders should be re-certified by a DOT-authorized cylinder requalifier to ensure their suitability for continued service.

To make matters more complicated, PHMSA reports that Liberty marked the cylinders with the Requalifier Identification Number (RIN) of an approved requalifier. While the safety advisory only applies to cylinders marked by Liberty, unless the owner of the cylinder can specifically trace the requalification back to the approved requalifier, the cylinder probably should be assumed to have been marked by Liberty and appropriate action taken.

Anyone with a cylinder marked with the RIN of A890 with a date prior to October 2014 should contact the owner to determine the requalification status of the cylinder.

FMCSA Updates Hazmat Route Registry

Today the DOT’s Federal Motor Carrier Safety Administration (FMCSA) published a notice in the Federal Register (80 FR 23859-24009) that it has updated the National Hazardous Material Route Registry. The new NHMRR includes current route limitations and allowances, and information on State and Tribal Government routing agency contacts reported to FMCSA as of March 30, 2015.

As of 7:45 am CDT the NHMRR web site is still showing the 2009 version of the NHMRR.

Bills Introduced – 04-28-15

Seventy-four bills were introduced in the House and Senate yesterday. Three of those may be of specific interest to readers of this blog:

HR 2074 To enhance rail safety and provide for the safe transport of hazardous materials, and for other purposes. Rep. Norcross, Donald [D-NJ-1] 

S 1114 A bill to enhance rail safety and provide for the safe transport of hazardous materials, and for other purposes. Sen. Menendez, Robert [D-NJ]

S 1118 A bill to authorize appropriations for fiscal year 2016 for military activities of the Department of Defense and for military construction, to prescribe military personnel strengths for such fiscal... Sen. McCain, John [R-AZ]

It looks like the first two bills are companion measures that may specifically address crude oil train issues. It may be a wider hazmat transportation emergency response bill based upon the vinyl chloride derailment a couple of years ago in New Jersey.

S 1118 is the Senate version of the annual DOD authorization bill. The House version (HR 1735) did not contain any cybersecurity provisions. We will have to wait and see if the Senate version does.

Tuesday, April 28, 2015

Chemical Incidents Come in All Sizes

Chemical-related incidents come in all sizes and locations. It is not just accidents at chemical manufacturing facilities or transportation centers that can result in emergency services responding to chemical incidents. This was seen last week in a chemical response incident in a small town in Pennsylvania. See the news story here, here, and here.

The Incident

Residents in a residential area complained about the smell of chlorine (most familiar to people as the smell of bleach). Emergency responders located the source of the leaking chlorine gas, a cylinder inspecting and refurbishing shop located in an older residential area. The tank was sealed and the building ventilated. Local residents were told to shelter in place until the chlorine gas dissipated.

Four people were taken to the hospital ‘for observation’ according to news reports. It is not clear if they were employees at the company (most likely to have significant exposure) or nearby residents. There are no follow-up news reports so they were probably released after their observation period was completed with minimal complications.


Chlorine is typically shipped as a liquid in pressurized cylinders. When that pressure is released the liquid evaporates into a gas that forms a heavy, yellow-green vapor cloud. Chlorine is a toxic inhalation hazard (TIH) chemical that has been successfully used as a chemical weapon in WW I. The allowable exposure limit (OSHA PEL) is 1 ppm. It is detectable by its characteristic odor by most people at 0.32 ppm. The concentration of most concern is the immediately dangerous to life and health (IDLH) which is 1000 ppm. According to NIOSH, exposure between the PEL and IDLH may lead to the following symptoms:

Burning of eyes, nose, mouth; lacrimation (discharge of tears), rhinorrhea (discharge of thin nasal mucus); cough, choking, substernal (occurring beneath the sternum) pain; nausea, vomiting; headache, dizziness; syncope; pulmonary edema; pneumonitis; hypoxemia (reduced O2 in the blood); and dermatitis.

People with other existing respiratory problems will exhibit symptoms at lower exposure levels than more healthy people.

The Business

The company has been in operation since 1946 (probably in the same location). They take DOT rated cylinders used for the transport of hazardous gasses and liquids and conduct the periodic safety inspections that PHMSA requires for such cylinders. The testing requires that the tanks be emptied, visually inspected and then filled with water. The tanks are then pressurized and observed for signs of leaks and the expansion of the tank is measured. The tanks that pass are then marked and recertified for hazmat service in accordance with PHMSA regulations.

The company’s web site would seem to indicate that the majority of the tanks tested at the site were propane tanks. The web site does indicate that other types of tanks are also tested, including ‘low pressure’ (<900 psi) chlorine tanks. These are usually tanks that are used at water treatment plants, parks and other types of areas that typically use relatively small amounts of chlorine for disinfection.

The web site indicates that there is a service fee for emptying propane tanks. There is no such fee listed for emptying chlorine cylinders so it would appear that the company required those tanks to be delivered empty. This would not be unusual for a small shop that did not handle chlorine for other reasons.

What May Have Happened

Unless the investigation by various government agencies (principally state EPA and OSHA) reveals unsafe practices that result in fines, the public will probably never hear the details of what happened at this facility. Based upon news reports, I can come up with a reasonable scenario for what might have happened.

The operator opening the cylinder would have been wearing minimal personal protective equipment (hopefully a half-face cartridge respirator, chemical goggles, a chemical jacket and industrial rubber gloves), expecting the cylinder to be empty. When the tank began to off-gas a significant amount of chlorine the operator would have been instructed to sound the local alarm and evacuate the immediate area.

Since the facility did not apparently expect to actually handle chlorine gas on site, there would probably not be ventilation systems in place to scrub the chlorine from the local atmosphere. Ideally the facility employees would move to an assembly area upwind of the facility and the local fire department would be notified. A properly equipped Hazmat Team would respond, seal the tank, ventilate the area, and conduct atmospheric testing until the area was cleared.

From the news reports it does not seem that the notification of the local emergency responders was made by the facility. This may have been due to confusion on the site, or it may indicate that smaller chlorine releases were normal enough that there was not an apparent need to report this incident.

If the facility were routinely handling cylinders with significant residues of liquid chlorine in the cylinders, I would expect the facility to have a lot more complex system in place for opening those cylinders including a local ventilation system equipped to scrub the chlorine gas from the atmosphere in the event of a release. I would define ‘significant residues’ as any visible liquid, but the EPA only requires reporting of spills over 10 lbs, so arguments could be made for any quantity between those limits.

Emergency Services

Chlorine is a widely used hazardous chemical. As such, urban and suburban fire departments should have at least minimal training in handling chlorine related incidents. While the incidents of most concern will normally be found at manufacturing facilities and along transportation (chlorine is routinely shipped by rail and truck) routes, smaller incidents are not unusual.

It certainly appears from the news reports that the responders in this case knew what they were doing and responded effectively.

CSB Announces Board Meeting – 05-06-15

Today the Chemical Safety and Hazard Investigation Board (CSB) published a meeting notice in the Federal Register (80 FR 23498) for a public business meeting on May 6th, 2015. The meeting will be held at the CSB offices in Washington, DC.

The agenda includes:

∙ Proposed amendments to 40 CFR Part 1600 to provide for regular Sunshine Act meetings and to address timely voting on calendared notation item votes;
∙ Proposed schedule for regular CSB public business meetings;
∙ The issuance of two Board Orders on Scoping and Investigations, respectively;
∙ The administrative closure of three investigations (calendared on March 10, 2015); and
∙ The 2015 CSB Action Plan;

It looks like some of the administrative items on the agenda are designed to address recent congressional concerns about the operation of the CSB. It is extremely unlikely that the new Chair will be approved by the Senate in time for this meeting, though I would not be surprised to hear that she was in attendance.

PHMSA Sends Gas Pipeline Safety NPRM to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs announced that it had received from the Pipeline and Hazardous Material Safety Administration (PHMSA) a copy of the notice of proposed rulemaking (NPRM) for proposed revisions to the pipeline safety regulations (PSR) concerning gas transmission pipelines. The ANPRM for this rulemaking was published on August 25th, 2011.

It is interesting to note that the Unified Agenda entry for this rulemaking indicates that it is being driven by congressional requirements included in the 2011 Pipeline Reauthorization Act. Since this act was passed in December of 2011, after the ANPRM comment period was closed, there is no telling what changes have been made to this proposed rule. I expect that they are extensive.

Topics that are supposed to be addressed in the rulemaking include:

∙ The definition of an HCA (including the concept of a potential impact radius);
∙ The repair criteria for both HCA and non-HCA areas;
∙ Requiring the use of automatic and remote-controlled shut off valves;
∙ Valve spacing; and
∙ Whether applying the integrity management program requirements to additional areas would mitigate the need for class location requirements.

Monday, April 27, 2015

DOT Takes Additional Actions on Crude Oil Trains – Inspection Recommendations

This is part of a detailed look at several actions that the Department of Transportation (DOT) took a week ago Friday to reduce the hazards associated with the transport of crude oil and other flammable liquids by train. Earlier posts in this discussion include:

This post will look at the FRA safety advisory about inspection requirements that was also published in today’s Federal Register (80 FR 23318-23321). This SA outlines additional inspections of trains and tracks that the FRA considers necessary to increase the safety of the transportation of flammable liquids by rail.

Galena, IL Derailment Information

The preamble to this safety advisory provides some preliminary accident investigation information on the recent derailment outside of Galena, IL. Some interesting highlights include:

∙ Train was traveling at 23 mph;
∙ Twenty-one of the 103 tank cars derailed;
∙ Three cars released crude oil from damaged bottom valves;
∙ Three cars released crude oil from damaged top valves; and
∙ Seven cars experienced catastrophic thermal tears;

‘Thermal tears’ result when a fire with flames directly impinging on the railcar walls both raises the internal temperature and pressure in the rail car and weakens the mechanical strength of the walls sufficiently for the rail car to burst. The resulting huge gush of flames produced as the escaping vapors ignite is what the press usually describes as explosions in these types of accidents.

Finally the SA notes that the FRA’s “preliminary investigation indicates that a broken wheel on one of the loaded tank cars in the train may have caused the derailment”. This early finding is the reason that this safety advisory is being issued.

New Inspection Recommendations

This Advisory addresses the following inspections that should be conducted by railroads:

Continue the use of Wheel Impact Load Detectors (WILD) along their rights of way, but reduce the measurement action requirements so that a measurement of 120 kips would require an immediate stoppage of the train to remove the affected railcar from service until repairs were made. (NOTE: the suspect wheel in the Galena derailment had a recent WILD measurement of 83.87 kips);

The FRA encourages railroads to only use designated inspectors to conduct mechanical inspections of HHFT railcars instead of allowing train crew members to conduct those inspections (currently allowed under FRA rules in the absence of a designated inspector); and

The FRA recommends that long-haul HHFT trains undergo pre-departure mechanical and brake inspections done by a qualified maintenance inspector (QMI) as required for extended haul trains under 49 CFR 232.213.

Actionable Information

Technically, the recommendations in a safety advisory are simply recommendations. They do not, for instance, carry the same weight as the requirements of an emergency order or regulations. However, the failure to follow these safety recommendations would certainly be used by opposing lawyers in a civil suit to show that the railroad did not take reasonable measures to prevent an accident involving HHFT.

Again, a safety advisory published in the Federal Register does not typically (and specifically does not in this case) include a solicitation for public comments.

Because of the relatively recent development of the information that caused this Advisory to be published, it is unlikely that the recommendations would be included in the HHFT rulemaking that is expected to see a final rule being published next month.

Sunday, April 26, 2015

FRA Publishes Emergency Order

The DOT’s Federal Railroad Administration is publishing a copy of Emergency Order #30 in Monday’s Federal Register (84 FR 23321-23326; available on-line Saturday) more than a week after it was published on the DOT web site. This causes an interesting issue with effective dates; the document says that it takes effect immediately and must be implemented by April 24th, 2015, three days before its publication in the Federal Register. The FRA obviously provided the railroads directly with a copy of the EO when it was originally published so this isn’t a real problem; it just looks like one.

I have discussed the provisions of this emergency order and the Canadian counterpart that was issued this week. The Canadian directive extends the lower speed limit to much smaller cities than does this emergency order. While that difference may just reflect differences in population density, in the United States this means that there are many more ‘large’ urban areas that are not protected by this order than are.

Again, the FRA is not soliciting public comments on this Emergency Order, not unexpected since they have already made their safety determinations on this matter. It will, however, be interesting to see how much of this shows up in the HHFT final rule expected out in just a little over two weeks now.

Friday, April 24, 2015

HR 1770 Introduced – Breach Notification

Rep. Blackburn (R,TN) introduced HR 1770, the Data Security and Breach Notification Act of 2015. This is a bill addressing requirements for the breach of personally identifiable information stored in electronic systems.

As such I normally would not cover the bill in this blog. But, the bill was marked up in the House Energy and Commerce Committee the day after it was introduced and there was an amendment made to the bill that might get interpreted as applying to industrial control system breaches.

Notification Requirements

The bill requires that a covered entity notify an individual of any breach that results in a release of personally identifiable information “not later than 30 days after completing” {§3(c)(1)} the necessary investigations outlined in the bill.

Originally the bill used a fairly standard definition of personally identifiable information used in the trigger of the notification requirements. An amendment offered by Rep. Kinzinger (R,IL), however, added to that definition:

“A user name or email address, in combination with a password or security question and answer that would permit access to an online account.” {§5(10)(B)(vi)}

Control Systems Covered?

Since the term ‘online account’ is not defined in the bill, it could be argued (nobody could say how successfully until a judge would rule on the argument) that a control system could be considered an ‘on-line account’. There are other requirements in the bill that might mitigate that requirement, but they could also be argued around.

As a general rule, I don’t think that it would occur to most cyber security officers to specifically notify an operator if there were a breach in the control system that would result in the operator’s log-on information being compromised, and I certainly don’t think that it was Blackburn’s intent that this specific situation would be included in the actions required by her bill.

Off the top of my head, I can only think of one circumstance where this might make it to a judge for a decision on the merits of the argument. That would be in a wrongful termination lawsuit where a control system operator was dismissed for doing something wrong based upon something that was done on the control system. If during discovery the lawyer found out that there had been a security breach where log-on information may have been compromised, he might be able to use the failure to make the notifications required under this act as a bargaining tool to get the company to agree to a deal on the wrongful termination suit.

I would certainly agree that that would be a circumstance not considered by the crafters of this bill, but it is an example (and probably not the only possible one) of how the use of loosely defined or undefined terms in legislation can have unintended consequences.

Moving Forward

The fact that this bill was considered, amended and ordered reported favorably the day after it was introduced indicates that there is some political pull (Blackburn is Vice Chair of the Committee after all) that may be able to move this bill to the floor of the House. I don’t see anything that would argue against its passage. The 29 to 20 vote in committee indicates that there isn’t a lot of bipartisan support for the bill. This would mean that the bill would have to be considered under regular order to pass.

Without at least some measure of bipartisan support (probably due to floor amendments) this bill will not get considered in the Senate.

Unless something more substantially control system security related is added to this bill, I doubt that it will be mentioned again in this blog.

HR 1804 Introduced – Crude by Rail Safety Act

As I mentioned earlier, Rep McDermott (D,WA) introduced HR 1804, the Crude-By-Rail Safety Act. This is a companion bill to S 859. This means that the two bills are very nearly identical and were introduced at about the same time so that they could begin the committee process in both houses of Congress at the same time.

Since neither McDermott, nor any of his four co-sponsors are members of the House Transportation and Infrastructure Committee, it is unlikely that this bill will be considered in the House any more than S 859 will be considered in the Senate.

FRA Publishes Incident ICR Revision

Today the DOT’s Federal Railroad Administration (FRA) published a 60-day information collection request (ICR) revision notice in the Federal Register (80 FR 23069-23071). This is the same incident report ICR notice that I discussed earlier in conjunction with the documents released last week by DOT concerning the additional actions that DOT is taking to reduce the risk from crude oil trains.

The FRA is soliciting public comments on this ICR notice. Comments may be submitted via the Federal eRulemaking Portal (Docket # FRA-2015-0007). Comments should be submitted by June 23, 2015. My comment was submitted today.

Canada Issues New Hazmat Train Emergency Directive

Yesterday the Canadian Minister of Transport issued a new emergency directive on hazardous material transport by rail. In many ways it reflects and extends the recent DOT emergency order on flammable liquid transport.

This directive also requires the railroads to restrict hazmat trains to a maximum speed of 40 miles per hour in major urban areas. There are two significant differences between the Canadian Directive and the American EO:

The Canadian directive covers any train that contains a total of 20 hazardous material containing cars (or just one toxic inhalation hazard rail car); not the 20 car block of flammable liquid cars described in the American order.

The Canadian directive applies to any of the 33 Census Metropolitan Areas (CMAs) in Canada. A table of Canadian CMAs shows a minimum population size of 123,300 for the listed CMAs; the HTUAs in the DOT order are much larger and populations in the 100,000 range are essentially ignored.

The Directive also includes requirements for track inspections as well as route security and safety assessments. Since Canadian rules require termination dates on emergency directives this directive expires on August 17th.

A press release accompanying the publication of the Directive notes that the two largest Canadian railroads, CN and CP, “have already restricted their train speeds to a maximum of 35 mph in highly urbanized areas”.

HR 1731 Amended and Passed in House

Yesterday the House passed HR 1731, the National Cybersecurity Protection Advancement Act of 2015, in a bipartisan vote of 355 to 63. Earlier the House approved all eleven amendments (including the Port cybersecurity report amendment) included in the rule for consideration of the bill. Ten of the amendments were adopted by voice votes and the one roll call vote was a near unanimous 405 to 8.

As specified in the rule for consideration of the bill, HR 1731 will be appended to the end of HR 1560 and no further action will be taken on HR 1731. The revised version of HR 1560 will be published by the GPO in the near future.

Bills Introduced – 04-23-15

Yesterday a total of 79 bills were introduced in the House and Senate. Of those, only two were of potential specific interest to readers of this blog:

HR 1987 To authorize appropriations for the Coast Guard for fiscal years 2016 and 2017, and for other purposes Rep. Hunter, Duncan D. [R-CA-50]

S 1068 A bill to amend the Federal Power Act to protect the bulk-power system from cyber security threats. Sen. Risch, James E. [R-ID] 

As in recent years, I don’t really expect to see much about chemical facility security or maritime chemical transportation in HR 1987. But you never can tell….

Since NERC has already promulgated cybersecurity requirements it will be interesting to see what ‘new’ requirements S 1068 will add.

Thursday, April 23, 2015

ICS-CERT Updates Three Siemens Advisories

Today the DHS ICS-CERT published updates for three previously published advisories. One of the three updates reports additional systems that have had the problem associated with the advisory. Another limits some of the systems affected by the problem. The third announces the availability of another system update.

HMI Devices Update

This updates the Siemens advisory from earlier this month for vulnerabilities in various SIMATIC HMI devices. This update actually extends the advisory to PCS 7 devices and notes that an update is available for those systems. Siemens has published a new advisory for the PCS 7 vulnerability since it has only one (CVE-2015-2823) of the three vulnerabilities noted in the original advisory.

Prosave Update

This updates an advisory issued last month for an insufficiently qualified paths vulnerability for a variety of Siemens products. The advisory limits some of the versions of previously identified systems that are susceptible to this vulnerability. Those systems are STEP 7 V5.5 SP3, and PCS 7 V8.0 SP2: all versions. The Siemens update for this vulnerability lists each of the versions that have had updates published.

GHOST Update

This updates the GHOST vulnerability advisory for various Siemens products. The ICS-CERT update reports that Siemens has now provided an update for the SIMATIC HMI Basic Panels.

PHMSA-FRA Publish HHFT Information Requirements

Today the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) published in the Federal Register two of the documents posted to DOT web sites last Friday that I have been discussing. The first is the joint PHMSA/FRA safety advisory on information needed in accident investigations (80 FR 22778-22779). The second is the PHMSA notice on emergency response information requirement (80 FR 22781-22782).

PHMSA is not soliciting public input on either document. In fact, the comment period on the first document is listed as closed on the Federal eRulemaking Portal (Docket # PHMSA-2015-0118).

Wednesday, April 22, 2015

HR 1560 Amended and Passed in House

This afternoon the House passed HR 1560, the Protecting Cyber Networks Act, by a bipartisan vote of 307 to 116. Even the no votes were largely bipartisan: 37 Republicans and 79 Democrats.
Earlier in the day the House adopted all five of the amendments included in the debate by the House Rules Committee. Only one of those required a voice vote and that was strongly bipartisan as well; 313 to 110.

As I noted yesterday, the House will take up HR 1731, the National Cybersecurity Protection Advancement Act of 2015. That bill is also expected to pass, though I don’t expect all eleven amendments to be adopted before the final vote. That bill does contain language providing for a specific role for the DHS ICS-CERT in the National Cybersecurity and Communications Integration Center. To that extent, it does obliquely address industrial control system security.

DOT Takes Additional Actions on Crude Oil Trains – Accident Information

This is part of a detailed look at several actions that the Department of Transportation (DOT) took last Friday to reduce the hazards associated with the transport of crude oil and other flammable liquids by train. Earlier posts in this discussion include:

This post looks at a joint Safety Advisory published by the Pipeline and Hazardous Material Safety Administration (PHMSA) and the Federal Railroad Administration last Friday (and it is scheduled to be published in the Federal Register tomorrow).

The SA reminds railroads that the FRA and PHMSA have authority to investigate railroad accidents, particularly those involving hazardous material. As part of that investigation process they have the legal authority to demand information from the railroad and affected shippers of hazardous materials. As a matter of advance notice, the SA provides a list of the type of information that they routinely expect to request for accidents involving crude oil train cars or other flammable liquid accidents. Those include:

∙ Information on train consist;
∙ Waybill;
∙ Safety Data Sheet;
∙ Results of product testing used to categorize flammable material;
∙ Results of product testing of railcar samples;
∙ Date of Acceptance;
∙ Company extracting crude oil;
∙ Company doing initial categorization testing;
∙ Company hauling crude oil or other flammable liquid to loading facility; and
∙ All railroads handling affected railcars.

The ‘train consist’ information would include:

∙ Train number;
∙ Locomotives;
∙ Locomotives as distributed power;
∙ End-of-train device information;
∙ Number and position of tank cars in the train;
∙ Tank car reporting marks;
∙ Tank car specification and ‘relevant attributes’.


A lot of the product related information included in the above list is going to be unique to crude oil shipments because of the increased testing in the latest version of EO 28 issued last year. Manufacturers of flammable liquids do not have to test every load to confirm the classification and packing group of the material. They can use standard information on the product. The oil industry used to be able to do this, but spot checks by PHMSA indicated that there were a number of cases where those assumptions were wrong.

At this time this information is only needed on an ‘on demand’ basis in the event of a rail accident involving crude oil or other flammable liquids (mainly targeting ethanol, but that distinction is not made in this SA). It seems likely that at some point FRA will consider a formal documentation requirement for all crude oil railcars from point of extraction to delivery to the refiner.

Bills Introduced – 04-21-15

Yesterday there were 59 bills introduced in the House and Senate. It was a big day for cybersecurity legislation with four bills introduced:

HR 1918 To amend title 18, United States Code, to provide for clarification as to the meaning of access without authorization, and for other purposes. Rep. Lofgren, Zoe [D-CA-19]

S 1023 A bill to amend the Internal Revenue Code to provide a refundable credit for costs associated with Information Sharing and Analysis Organizations. Sen. Moran, Jerry [R-KS]

S 1027 A bill to require notification of information security breaches and to enhance penalties for cyber criminals, and for other purposes. Sen. Kirk, Mark Steven [R-IL]

S 1030 A bill to amend title 18, United States Code, to provide for clarification as to the meaning of access without authorization, and for other purposes. Sen. Wyden, Ron [D-OR]

HR 1918 and S 1030 are the latest iterations of Aaron’s Law in memory of Aaron Swartz. They would decriminalize some grey area hacking.

S 1023 would probably have some fairly limited application, but it should encourage cybersecurity information sharing every bit as much as current legislation specifically targeting that sharing. This is likely the last mention of this bill in this blog.

S 1027 is another breach notification bill that probably only affects IT system breaches. Unless there is specific mention of control systems in this bill this is the last time that I will mention this bill.

Tuesday, April 21, 2015

Rules Committee Adopts Rule for Cyber Sharing Bills

This evening the House Rules Committee held a hearing to craft the rule for the consideration of HR 1560 and HR 1731 (Wednesday and Thursday respectively) later this week on the floor of the House. These two bills are the latest cybersecurity bills attempting to encourage and control the sharing of cybersecurity threat information between government agencies and the private sector.

Each bill will be considered separately under a structured rule with limited debate and a pre-selected set of amendments to be considered. If each bill is adopted (a pretty good certainty) the Clerk of the House is directed to mash the two bills together by adding the provisions of HR 1731 to the end of HR 1560. The revised HR 1560 will then be sent to the Senate for consideration.

General Bill Provisions

I have started to review these bills on a number of occasions both before and after their amendments in committee (HR 1560, intel; HR 1731, homeland security), but both bills have become even more convoluted than normal in the frequent (and apparently poorly coordinated) attempts to placate the concerns of the privacy advocates that have been the main opponents of previous attempts at crafting information sharing bills.

Both bills strive to allow and encourage the private sector to share cyber threat information with each other and federal agencies. In numerous places and manners there have been attempts made to make it clear that personally identifiable information is not included in the sharing process.

The difference between the two bills is more a matter of focus and procedure than any real difference in intent. HR 1560 establishes a stand-alone process for information sharing while HR 1731 amends two sections of the United States Code (6 USC 148 and 6 USC 131) to provide statutory law to support that information sharing.

ICS Security Issues

Both of these bills were generally crafted to address information sharing about threats to IT systems. HR 1560 made a brief concession to the idea of industrial control systems also being vulnerable to cyber-attack by specifically including “industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controller” {§11(8)(B)} in the definition of ‘information system’. Otherwise there is no specific mention of measures to address the unique security threats to industrial control systems.

HR 1731 does go a bit further. In the amendment to 6 USC 148 (included in PL 113-282 passed last December) that modifies the mandatory composition of the National Cybersecurity and Communications Integration Center the DHS ICS-CERT is added as a represented organization with the following specific responsibilities {§148(d)(1)(G)}:

∙ Coordinate with industrial control systems owners and operators;
∙ Provide training, upon request, to Federal entities and non-Federal entities on industrial control systems cybersecurity;
∙ Collaboratively address cybersecurity risks and incidents to industrial control systems;
∙ Provide technical assistance, upon request, to Federal entities and non-Federal entities relating to industrial control systems cybersecurity; and
∙ Share cyber threat indicators, defensive measures, or information related to cybersecurity risks and incidents of industrial control systems in a timely fashion.

Floor Amendments

Before today’s hearing there were a number of amendments submitted to the Rules Committee for possible inclusion in the floor action on these bills; 25 for HR 1560 and 38 for HR 1731. The final rule selected 5 of those for HR 1560 and 11 for HR 1731.

There was one amendment that added an additional responsibility to those discussed for ICS-CERT above. That amendment (#15) would have added the responsibility to evaluate and make recommendations to the Under Secretary on industrial control systems that are essential for food, medicine, and medical device production or processing and wholesale delivery. This amendment will not be considered on the floor of the House.

There were two amendments {both submitted by Rep. Hahn (D,CA)} to HR 1560 that addressed port cybersecurity issues; one requiring a report to Congress (#1) and the second prohibiting giving additional Port Security Grants to ports that had not conducted “a cybersecurity vulnerability assessment, as defined by the Secretary of Homeland Security” (#2). The first was one of the amendments that will be considered on the floor of the House.

Moving Forward

Both of these bills will probably pass this week in the House. There will be significant opposition to the bill because of perceived privacy issues, but I don’t think that it will be enough to derail either bill.

It is unlikely that the final version of HR 1560 will be considered by the Senate. The Senate will consider their own version of an information sharing bill next week. The language for that bill will then likely be transferred to HR 1560 setting up the need for a conference committee to work out the differences in the bill. It is very likely that a final version will be passed by both houses before the summer recess.

Monday, April 20, 2015

DOT Takes Additional Actions on Crude Oil Trains – Incident Report ICR

This is part of a detailed look at several actions that the Department of Transportation (DOT) took last Friday to reduce the hazards associated with the transport of crude oil and other flammable liquids by train. Earlier posts in this discussion include:

In this post I will look at the draft information collection request (ICR) revision that the FRA included in the set of documents released by DOT. This is the draft of a 60-day ICR notice that will be published in the Federal Register; probably later this week.


This ICR notice is for a revision of the FRA Accident/Incident Reporting and Recordkeeping ICR (OMB # 2130-0500). This ICR was last renewed in July of last year without any significant change noted by the FRA. The previous ICR renewal in May of last year saw a decline in the number of responses projected based on the previous three years’ worth of accident reporting data. The hours per response remained the same, so there was also a proportional decrease in the estimated hourly burden.

Changes in Response Requirements

This ICR revision will require additional information be provided in each railroad accident involving any number of rail cars carrying crude oil or residual crude oil. The additional information will be a reporting of:

∙ The number of tank cars on the train that contained crude oil or residual crude oil;
∙ The number of such cars that were damaged in the accident; and
∙ The number of crude oil or residual crude oil cars that leaked during the accident and response.

This new requirement for providing this data (on Form FRA F 6180.54 in Special Study Block 49b) will be in addition to any other data on the crude oil cars that would have normally been included in the incident report. FRA estimates that this will add 3 minutes to the reporting burden for this form for an estimated annual increase of 30 hours.


This reporting will allow FRA to track the number of crude oil rail cars involved in train accidents; their damage and release rates. This is data that is apparently not currently available to the FRA.

The FRA picked a very simple way to collect this information. There was no change made to the form involved and the data will be pretty painless to submit. Unfortunately, as is the case in most instances where the easy way to accomplish a task is selected, the data provided will provide almost nothing in the way of information that can be used for analytical purposes.

For example, lumping crude oil railcars and crude oil residue cars in the data collection will be expected to about double the number of cars involved in accidents and damaged in accidents since most railcars in crude oil service are not cleaned before being returned for refilling. The number of tank cars that leak will almost certainly not double because of the greatly reduced volume of crude oil available to make it to any holes in the tank car. Additionally, due to the lower mass of the tank car because of the missing crude oil, any damage to the car due to its motion or its resistance to change in motion when struck will be significantly reduced. This will make the tank cars seem less susceptible to damage than they really are in a full state.

Additionally, since there is no effort being made to determine what types of tank cars are actually in use and the rate of failure (measured by leaks) for each type of tank car, the FRA will not be able to adequately describe how the continuing change of the makeup of the crude oil tank car fleet will affect the failure rate of the fleet.

The FRA took the easy way out. They made a show of collecting additional data without significantly increasing the burden on the railroads and shippers making the reports. What they should have done was to design a new report specifically for rail accidents involving damaged and leaking rail cars containing crude oil. That form should have been designed to collect a meaningful data set that could inform additional regulatory actions or non-actions as the data dictated.

As it is, the FRA and PHMSA will still not be able to access meaningful accident information to be able to intelligently discuss the relative damage and failure rates and types of failures of the various types of railcars involved in the shipment of crude oil, or on how the variations in crude oil types affect those failure rates.

NOTE: I will submit a copy of this posting as a comment to the ICR notice when it is published.

Committee Hearings – Week of 04-19-15

Both the Senate and House will be in session this week, though the House is only working three days. A lot of hearings on spending matters, but the big news is cybersecurity information sharing. There is one other cybersecurity hearing and the CSB chair nominee hearing will be held.

Information Sharing

The two competing House bills on cybersecurity information sharing will hit the floor this week; HR 1560 on Wednesday and HR 1731 on Thursday. Before that can happen the Rules Committee will have to meet to set up the rule for the consideration of the two bills; HR 1731 today and HR 1560 tomorrow.

Other Cybersecurity

The House Committee on Small Business will hold a hearing on Wednesday on “Small Business, Big Threat: Protecting Small Businesses from Cyber Attacks”. Looking at the witness list and the meeting notice it certainly looks like this will focus on IT and breach issues instead of control system security, but you never can tell.


The Homeland Security Subcommittee in both the House and Senate will hold hearings on FEMA spending this week. The Senate on Wednesday and the House on Thursday. Also on Wednesday the THUD subcommittee in the Senate will hold a hearing on the FY 2016 DOT spending.

CSB Chair

The Senate Environment and Public Works Committee will be holding a nomination hearing on Wednesday for Vanessa Sutherland to be a Member and Chairperson of the Chemical Safety and Hazard Investigation Board. Ms. Sutherland is currently the Chief Counsel at PHMSA. Management and leadership questions will probably dominate this hearing given the current problems at CSB.

Sunday, April 19, 2015

HR 1789 Introduced – DOT 111 Railcars

Last week Rep. Payne (D,NJ) introduced HR 1789, the Tank Car Safety and Security Act of 2015. The bill would require the publication of new regulations concerning the use of DOT-111 tank cars in flammable service.

Tank Car Design

New regulations on the DOT 111 railcars would be required to be published by the Secretary of Transportation within 1 year of adoption of this bill. Those regulations would need to:

∙ Revise the DOT 111 tank car design for new railcars to include “outer steel jacket around the tank car and thermal protection, full-height head shields and high-flow capacity pressure relief valves” {§2(a)(1)}; and
∙ Require DOT 111 tank cars constructed before October 2011 to be upgraded, including “installation of high-flow-capacity relief valves and design modifications to prevent bottom outlets from opening in the case of an accident” {§2(a)(2)}.

The DOT Secretary would also be required, within 1 year of the adoption of this bill, to report to Congress on an ‘aggressive’ phase out plan for the older, un-modified DOT 111 tank cars used in flammable service.

Crude Oil Security

In a requirement that does not have anything to do specifically with DOT 111 railcars, the bill would require the Administrator of the TSA to publish new railroad security regulations that would deal with the in-transit storage of crude oil railcars. It would prohibit crude oil containing railcars from being “unattended during any period of time that such tank car is being transferred between railroad carriers or between a railroad carrier and a shipper” {§2(a)(3)}. There is no distinction made in the bill between cars containing crude oil and crude oil residue.

The only regulations that currently address preventing railcars from being unattended are the regulations for security sensitive hazardous materials at 49 CFR 1580.107. This bill does not suggest that the other requirements of those regulations, including the use of ‘rail secure areas’ and the documented inspections and transfer of railcars, would apply to crude oil railcars.

I am not sure where this concern with the security of crude oil railcars is coming from. I have heard nothing in the discussions of this issue that would indicate that there is any significant concern with security issues. I will admit that I have some minor concerns that these trains may become the target of the wacko fringe side of the environmentalist cause, but not enough to think that security regulations would be required.

Besides, providing security for a 100 car crude oil train, or even just a block of twenty such rail cars, is an entirely different proposition than the securing of a couple of chlorine railcars. The requirement for them not to be left unattended does not provide much of a security increase; a single person is not going to be able to adequately observe all of those railcars, much less react to a suspected incident in any reasonable fashion.

Moving Forward

This is the least aggressive bill introduced to date concerning the safety of crude oil transport and it is the most limited in scope. This may mean that given a serious push to have Congress legislate on the issue during this term, this bill might receive the qualified support of railroads and crude oil shippers.

On the other hand, this bill will be hampered by the fact that it will have to be considered by two committees (the Transportation and Infrastructure Committee and the Homeland Security Committee) before it comes to the floor of the House. Normally I would expect the problem to be in the Homeland Security Committee as they are not directly affected by the crude oil train situation, but Rep. Payne is a member of the Transportation Subcommittee there and may have enough pull to get at least subcommittee consideration of this bill.

Overall, I don’t think that this bill will move forward unless there is a crude oil train accident that really captures the attention of the public by either killing people or destroying something politically significant.

Saturday, April 18, 2015

DOT Takes Additional Actions on Crude Oil Trains – FRA EO 30

This is part of a detailed look at several actions that the Department of Transportation (DOT) took on Friday to reduce the hazards associated with the transport of crude oil and other flammable liquids by train. Earlier posts in this discussion include:

This post will look at the Federal Railroad Administration’s (FRA) emergency order concerning the maximum speed in selected urban areas for certain trains transporting large quantities of Class 3 flammable liquids.

Affected Trains

EO 30 will specifically apply to trains containing a continuous block of 20 tank cars or a total of 35 tank cars carrying Class 3 flammable liquids. At least one of the tank cars must be DOT 111 (including those built to the CPC 1232 standards).

This definition of affected trains was apparently designed to address criticism that the 20 tank car standard included in the HHFT NPRM could apply to trains carrying single cars of flammable liquids from 20 different shippers, hardly the intent. The hazard for flammable liquids in rail car derailments is that the failure of containment from a single car could result in a pool fire that would cause the catastrophic failure of adjacent cars, compounding the disaster.

One could certainly make an argument for a smaller block of cars. Even a block of two cars raises the potential hazard for secondary involvement. But given the fact that very few derailments involve even the majority of cars in an affected train, some number of train cars above two in a block would provide adequate protection against secondary involvement. It would be nice, however, for PHMSA to outline in detail how the number 20 was arrived at.

High-Threat Urban Areas

This Emergency Order would only affect the speed limit for trains transiting high-threat urban areas (HTUA) as defined in 49 CFR 1580.3. That definition from the rail transportation security regulations describes an HTUA as “an area comprising one or more cities and surrounding areas including a 10-mile buffer zone, as listed in appendix A [link added] to this part.” Maps of each of the current 46 HTUAs are currently available on the Transportation Security Administration web site.

A quick look at the Los Angeles, CA HTUA, for instance, shows that there are large urban populations and highly concentrated suburban populations outside of the designated HTUA. Given that there are only 46 designated HTUAs in the United States, it is easy to see that there are a significant number of large urban areas that are not covered by this EO.

Speed Limit

The EO sets a maximum speed limit of 40 mph for affected trains in HTUAs. This is the same speed limit for HTUAs that was included as one of the three options for specific reduced speed limits in the HHFT NPRM. The other two options provided in the NPRM also set a 40 mph speed limit, but provided a different standard for the application of that limit. The first was to apply the limit to all HHFT trains carrying DOT 111 rail cars in flammable liquid service and the other was to define the area for the speed limit so as to include all areas with a census population greater than 100,000.

Effective Date

The effective date for this emergency order was listed as immediately (presumably yesterday’s date; 4-17-15) and the compliance date for the speed limits is April 24th, 2015. I expect that we will see this EO published in the Federal Register next week, but that should not affect the effective date nor the compliance date.

HHFT Final Rule Insight

I would assume that the differences between this Emergency Order and the earlier HHFT NPRM reflect responses to comments to that NPRM. That should mean that the definition of HHFT in the final rule will probably be the same as outlined in this Order. Similarly, I would expect that the speed limits area definition here will be reflected in the final HHFT rule.

Friday, April 17, 2015

S 902 Introduced – CI Trespassing

Last month Sen. Schumer (D,NY) introduced S 902, a bill that would make it a federal offense to trespass on critical infrastructure. This bill is identical to S 2934 that was introduced near the end of the last session without any action. In a press release last November Schumer made it clear that it was targeting people who trespassed on New York bridges as publicity stunts or climbed the World Trade Center.

The bill would amend 18 USC Chapter 65, Malicious Mischief, by adding §1370. It uses a fairly conventional definition of ‘critical infrastructure’ and specifically adds ‘landmarks, structures and other objects’ declared to be a national monument {§1370(a)(2)}.

The bill would then make it a federal offense to “knowingly go on any critical infrastructure used in or affecting interstate commerce, with intent to commit a criminal offense” {§1370(b)}. Violation of this new section would be punishable by fines (limit not specifically set) and/or imprisonment for not more than five years.

Senator Schumer is a mover and shaker in the Senate and may have the pull to try to get this considered. I would not expect much opposition from many Republicans, who tend to be law and order types. Most of the opposition would be from Democrats concerned about stifling free speech.


The simple act of trespass has a long history in the United States as being a component of free speech and political expression. A group of like-minded activists would move from a public space into a fringe area of a private space, or interfere with movement in a public space to attract the attention of the news media. Speeches would be made and the police would move in to break up the demonstration by arresting the participants for trespass. Since this is normally a misdemeanor, the protestors would be back on the street shortly and would return to their day jobs.

Allowing this type of simple political expression to be turned into a federal offense would severely inhibit this form of protest.

Having said that, there are certainly other forms of trespass on critical infrastructure facilities that are not mere political statements, but precursors for taking more violent action against those facilities. Most terrorist attacks are preceded by some form of physical surveillance. When that surveillance takes the form of trespass on the facility it would certainly be nice to have some federal statute to prosecute that form of trespass under instead of a typical misdemeanor trespass charge.

But then again, I don’t know how you would word the statute so as to allow non-violent political statements to be excluded and still deal with those suspected of planning some sort of violent attack. Unfortunately, this bill does not even attempt to make the distinction since it is specifically targeting protestors that would hang a Palestinian flag from the Brooklyn Bridge, not violent terrorists.

HR 1646 Introduced – Drone Security Research

Last month Rep. Watson Coleman (D,NJ) introduced HR 1646, the Homeland Security Drone Assessment and Analysis Act. The bill would require DHS to conduct an assessment of the risk of drone attacks and how to mitigate those attacks. In her press release about the bill and in comments on the floor of the House, Ms. Watson Coleman has stated that the bill arose out of concerns that she heard in testimony before the Management and Oversight Subcommittee of the House Homeland Security Committee.

This is a short bill with very simple requirements. First the DHS Secretary is required to conduct research into “how commercially available small and medium sized unmanned aerial systems could be used to perpetuate an attack” {§2(a)}. There is no funding for the study, no guidance on how it is to be conducted and there is no definition of the key terms ‘small’ and ‘medium sized unmanned aerial systems’.

Once the study is completed the Secretary is required to coordinate with DOD, DOT and DOE to “develop Federal policies, guidance, and protocols to prevent such an attack or mitigate the effects of such an attack” {§2(a)}. Additionally, the Secretary is required to disseminate the information to “State, local, and tribal law enforcement officials regarding how such officials may bolster preparedness for and responses to attacks perpetrated by commercially available small and medium sized unmanned aerial systems” {§2(b)}. There is no mention of sharing the information with critical infrastructure owners who might be considered to be the targets of most of the homeland security related attacks.

And finally, of course, is the standard requirement to report on the security assessment to Congress.

Since this bill does not require anyone to really do anything besides conduct a study, and no funds are included in the bill, this bill would almost certainly face no organized opposition if it made it to the floor. Since Rep. Watson Coleman is the ranking member of the Homeland Security subcommittee looking at the bill, there is a very good chance that this bill could get considered in committee and successfully move to the floor of the House.

DOT Takes Additional Actions on Crude Oil Trains

Today the Department of Transportation published six new documents outlining new actions that PHMSA and FRA were taking to reduce the risks associated with the transportation of crude oil and other flammable liquids in unit trains or blocks of cars. The new documents are:

A DOT blog post by Secretary Foxx outlines the new requirements and actions being published today. These actions are being taken while the highly-hazardous flammable train (HHFT) rulemaking is still under review at the Office of Management and Budget. Congressional sources have said that the rulemaking is expected to be published on May 12th, 2015.

PHMSA also has a new web page providing a history of actions that the Department has taken to date to increase the safe transportation of energy products.

There is also a note that FEMA is addressing the emergency response information issue in a separate blog post.

I’ll have further information after I have had a chance to conduct a review of the documents.

HR 1738 Introduced – Public Alert System Modernization

As I mentioned in an earlier post, Rep. Bilirakis (R,FL) introduced HR 1738, the Integrated Public Alert and Warning System Modernization Act of 2015. The bill is virtually identical to HR 3283 from last session, which cleared the House Homeland Security Committee but was never considered on the floor. It is also very similar to HR 1472 which was approved by the House Transportation and Infrastructure Committee earlier this week.

The Two Bills

Both HR 1738 and HR 1472 attempt to do pretty much the same thing; modernize the national public alert system. Both would establish an inter-agency Advisory Committee to figure out the best way to accomplish this objective. They would also add upgrading State and local alert systems to the allowable uses of Homeland Security Grants without increasing the funding for that program.

There are two major differences in these bills. First, HR 1738 would go about implementing this program by amending the Homeland Security Act of 2002; a more formalized approach than HR 1472. Second, HR 1738 would authorize spending $13.4 million per year on the program where HR 1472 would only authorize $12.8 million.

On a minor note, HR 1738 does include a cybersecurity provision not seen in HR 1472. It would require that one of the design parameters for the modernized system is that it should be “to the greatest extent practicable, hardened against cyber attacks” {§526(c)(4)}.

Committee Politics

There is one other important difference between these two bills. HR 1738 has been assigned to two committees (Homeland Security and Transportation and Infrastructure) for consideration before it can get to the floor of the House. HR 1472 only has to clear (and already has cleared) the Transportation and Infrastructure Committee. The reason is that since HR 1738 amends the Homeland Security Act of 2002, the Homeland Security Committee has jurisdiction. Public alert systems fall under the purview of the Transportation and Infrastructure Committee. Apparently though, the House leadership failed to realize (or ignored) the fact that HR 1472 also amends the Homeland Security Act in changing the grant use wording.

For HR 1738 to make it to the floor it would have to be considered by the Transportation and Infrastructure Committee, which fast tracked consideration of HR 1472, the competing bill. Either that or the Chair of the Transportation and Infrastructure Committee would have to waive his right to consider the bill. Again, that is unlikely to happen given the approval of HR 1472.

Unless, of course, there is some horse trading going on between the two Chairmen on consideration of some other bill that is important to the Transportation and Infrastructure Committee. This may be why Rep. Barletta (R,PA and Chair of the Economic Development, Public Buildings and Emergency Management Subcommittee) introduced HR 1472 in the first place.

Bills Introduced – 04-16-15

There were 111 bills introduced yesterday in the House and Senate; an unusual number of bills for the end of the week when they are coming back to work Monday. Of those, only one might be of potential interest to readers of this blog:

S 1006 A bill to incentivize early adoption of positive train control, and for other purposes. Sen. Feinstein, Dianne [D-CA]

With the current deadline for implementing PTC being the end of this year, there is hardly time to get the technology adopted ‘early’. This may be related to (or even include) an extension of the PTC deadline that has been proposed in S 650. It will be interesting to see how this is worded.