Sunday, May 31, 2015

S 1208 Introduced – Pipeline Replacement

Earlier this month Sen Markey (D,MA) introduced S 1208, the Pipeline Modernization and Consumer Protection Act. The bill would add a new section to 49 USC Chapter 601 that would attempt to encourage the replacement of aging gas pipelines.

Section 2 of this bill starts out by explicating a list of ‘congressional findings’ outlining the risks of an aging gas pipeline distribution system. Section 2(b) then goes on to add §60112A to the gas pipeline safety section of 49 USC outlining actions to be taken by gas pipeline operators and State regulators to correct the problem.

New USC Section

First, it requires each gas utility or gas distribution facility, in accordance with its pipeline integrity management program under 49 USC 60109, to accelerate the replacement of leaking pipelines or pipelines that are at high risk of leaking due to {new §60112A(b)(2)}:

∙ Inferior materials;
∙ Poor construction practices;
∙ Lack of maintenance; or
∙ Age.

Then the bill addresses a requirement for State regulatory authorities and unregulated gas utilities to “consider [emphasis added] developing prioritized timelines to repair all leaks based on the severity of the leak, including non-hazardous leaks, or replace identified leaking or high-risk piping or equipment, including leaks identified as part of an integrity management plan” {new §60112A(c)(1)(A)}. It goes on to again require those agencies to ‘consider’ adopting a cost-recovery program that includes {new §60112A(c)(1)(B)}:

∙ Replacement plans with targets and benchmarks for leaking or high-risk infrastructure replacement;
∙ Consideration of the economic, safety, and environmental benefits of reduced gas leakage, including consideration of reduced operation and maintenance costs and reduced costs attributable to lost or unaccounted-for natural gas; and
∙ Reporting on the reductions in lost or unaccounted-for gas as a result of pipeline replacements.

To better track the ‘unaccounted-for gas’ that is apparently (according to the findings) the result of minor ‘less hazardous leaks’ the bill again requires State regulators and unregulated gas utilities to ‘consider’ {new §60112A(c)(1)(C)}:

∙ Adopting a standard definition and methodology for calculating and reporting unaccounted-for gas;
∙ Adopting limits on cost recovery for lost and unaccounted-for gas; and
∙ Requiring use of best available technology to detect gas leaks.

Unaccounted-for Gas Guidelines

Section 2(c) of the bill would then require the PHMSA Administrator, within 1 year, to publish a set of non-binding guidelines for implementing the pipeline identification, replacement and cost recovery program described above. The Administrator would consult with State regulators, the Department of Energy, the EPA, FERC and other ‘appropriate Federal agencies’ in developing the guidelines. It also requires the guidelines to be updated every seven years.

Moving Forward

Since this bill does not actually require anyone to do anything (other than PHMSA developing non-binding guidelines), there will probably not be any major opposition to it. The question then becomes whether or not Markey and his two cosponsors have the pull to get the bill considered in the Senate Commerce, Science and Transportation Committee. Markey is a relatively high-ranking Democrat on the Committee and one of the cosponsors {Sen. Schatz (D,HI)} is also a member of the Committee. There is an outside chance that that might be enough to get the bill considered.

Saturday, May 30, 2015

Bills Introduced – 05-27-15

With both the House and Senate out of town this week on their extended Memorial Day weekend, two spending bills were still introduced in the House on Wednesday. Both may be of specific interest to readers of this blog:

HR 2577 Transportation, Housing and Urban Development, and Related Agencies Appropriations Act, 2016 Rep. Diaz-Balart, Mario [R-FL-25]

HR 2578 Commerce, Justice, Science, and Related Agencies Appropriations Act, 2016 Rep. Culberson, John Abney [R-TX-7]

The text of both bills is already available and I will be reviewing them later today. I’ll report details of HR 2577 that include any specific mention of new transportation safety requirements. On HR 2578 I’ll be looking for cybersecurity requirements in the NIST portion of the bill.

What effective legislation would you write for CI ICS

Yesterday evening in an interesting Twitversation @digitalbond (Dale Peterson) asked a very important question in response to an article, “We need strong cybersecurity legislation NOW!” Dale asked:

“If it were only that easy. Imagine you were all powerful. What effective legislation would you write for CI ICS?”

Since I recently looked at a DHS effort to do just this for an important subsector of critical infrastructure (high-risk chemical facilities), I have seriously been thinking about this for a little over a week now. The more I think about it, the more I think that the folks at the Infrastructure Security Compliance Division (ISCD) have done a pretty good first pass at establishing a good, general purpose regulatory scheme for critical infrastructure control system security. With that as a starting point, here is the legislation (in plain English, not legalese) I would craft to regulate the security of critical infrastructure industrial control systems.

Covered Control Systems

The first thing that we have to establish is which industrial control systems would be covered by the regulations. We could just regulate all control systems, but then we would have a problem with having any sort of practical compliance process with any reasonably sized inspection force. And without an inspection force there is no effective regulation. So we need to come up with some reasonable sub-set of industrial control systems to regulate.

We’ll start by scrapping the term ‘critical infrastructure’ since, in common usage, this includes too many entities that have no real industrial control systems to regulate. Instead we will concentrate on critical industrial control systems (CICS). We will define a CICS as any control system that operates a process that, if completely owned by an attacker, could be used to have a serious direct kinetic, chemical or energy impact on more than 100 people off of the site where the process is located; such an attack will be known as a potential critical attack (PCA).

We would also establish within the Office of Cybersecurity and Communications in DHS an organization called the Critical Control System Compliance Division (CCSCD), which would include ICS-CERT. It would have primary responsibility for writing control system regulations and enforcing those regulations at facilities not regulated by other Federal agencies. Those Federal agencies with primary regulatory responsibility for CICS facilities would be responsible for enforcing CICS regulations at the facilities they regulate, with the assistance of CCSCD as necessary.

Facility Control System Security Program

Each facility that has an industrial control system control room would be required to have a written facility control system security plan (FCSSP) that covers all systems controlled or monitored out of that control room. Where multiple control rooms monitor or control a system, a master control room will be designated to provide FCSSP coverage for that system with priority given to the control room with primary control responsibility.

The FCSSP will:

∙ Define the responsibilities of the Cyber Security Officer (CSO) with primary responsibility for maintaining and implementing the FCSSP;
∙ Define the elements of the CICS that, if owned by an attacker, could be used to conduct a PCA. These elements will be known as critical cyber systems (CCS);
∙ Identify safety systems that mitigate the potential effects of a PCA, including safety instrumented systems and automatic mechanical shutdown systems;
∙ Document the business need and network/system architecture for all cyber assets (systems, applications, services, and external connections) connected to CCS;
∙ Integrate cyber security into the system lifecycle for all CCS;
∙ Identify and document CCS boundaries and implement security controls to limit access across those boundaries;
∙ Define responsibilities for identifying critical CCS patches and updates and providing for timely testing, application and documentation of those critical patches and updates;
∙ Define the incident response system, including reporting requirements, for cyber incidents involving CCS;
∙ Include continuity of operations plans, IT contingency plans, and/or disaster recovery plans; and
∙ Include a personnel surety program (PSP) for all personnel with physical or virtual access to CCS elements. The PSP will include periodic vetting against the Terrorist Screening Database through the CCSCD or other Federal agency.

The FCSSP will also document the security procedures, techniques and equipment used to protect CCS from unauthorized access. These will include:

∙ Physical security measures to limit access to CCS components including systems to monitor physical access to those components;
∙ Intrusion detection systems to detect electronic access to CCS components;
∙ Logs of all communications to and from CCS components with an active program to monitor those logs for indications of unauthorized communications inbound or outbound; and
∙ Periodic checks of device programming (PLCs, RTUs and communications modules, for example) to ensure that unauthorized changes have not been made to that programming.

The Regulatory Program

Each industrial control system owner/operator would be required to determine if there is a potential off-site consequence associated with their control systems. Any owner of a control system with a potential off-site consequence would be required to electronically file a control system screening report (CSSR) with CCSCD. This report would be patterned on the CFATS Top Screen process. The CSSR would be a simplified online report describing the potential off-site consequences of a successful attack on the control system in question as well as the current safety systems in place to mitigate those consequences.

All information reported to CCSCD or to a Federal agency with primary regulatory authority under this program would automatically be considered protected critical infrastructure information (PCII) without the need for making the standard PCII declaration.

CCSCD would evaluate each CSSR to determine the number of off-site people that would potentially be affected by a successful attack on the control system, taking into account the mitigation measures in place. If the analysis indicates that a PCA would affect fewer than 100 people, the facility would be notified that it is not a covered facility. Facilities with control systems having a PCA potentially affecting more than 100 people would be notified that they were covered facilities and would be tiered according to the following standards:

Tier 1 – Facilities having a single PCA that could affect more than 5,000 people;
Tier 2 – Facilities having a single PCA that could affect between 2,000 and 5,000 people;
Tier 3 – Facilities having a single PCA that could affect between 500 and 2,000 people; and
Tier 4 – Facilities having a single PCA that could affect between 100 and 500 people.

Tier 4 facilities would have to certify on-line that they had an FCSSP that met the standards described above with a check off for each of the requirements listed. Tier 3 facilities would have to complete an on-line form explaining how they met each of the requirements listed above and certify on-line annually that those were actually in place. Tier 2 facilities would be required to complete an on-line form explaining how they met each of those requirements and would be required to conduct an annual self-audit using an updated CSET tool designed by ICS-CERT. Tier 1 facilities would be required to complete a more detailed form outlining how they met the above requirements and would be required to undergo an on-line annual audit with ICS-CERT conducting the audit every other year using an updated CSET tool designed by ICS-CERT. The ICS-CERT audit would also include a Design Architecture Review.

Audit findings would be reported to CCSCD or the primary Federal regulatory agency via an on-line tool. Facilities would be given 90 days to report corrective actions (including on-going corrective actions) on all audit findings. Repeat audit findings on two consecutive audits would require a compliance inspection by CCSCD or the primary Federal regulatory agency.

Random compliance inspections would be conducted by CCSCD or the primary Federal regulatory agency per the following schedule:

Tier 1 facilities – 30% each year;
Tier 2 facilities – 10% each year;
Tier 3 facilities – 5% each year;
Tier 4 facilities – 1% each year.

Any covered facility that had a cyber-related incident with an off-site consequence would receive a compliance inspection within 30 days of the incident being reported. Violations found during any compliance inspections would be subject to civil penalties.

Incident Reporting

Covered facilities (including those regulated by another Federal agency with primary regulatory responsibility) would be required to report cyber incidents to CCSCD. Reports would be submitted via an on-line form according to the following schedule:

∙ Any cyber related incident with an off-site consequence would be reported within 1 hour;
∙ Any cyber related incident that resulted in the unscheduled shutdown of a CCS without an off-site consequence would be reported within 6 hours;
∙ Any scan or intrusion detected within the CCS boundary that affected CCS operations but did not result in a CCS shutdown or off-site consequence would be reported within 24 hours;
∙ Any scan or intrusion detected within the CCS boundary that did not affect CCS operations would be reported weekly; and
∙ Any scan or intrusion detected at the CCS boundary that did not penetrate the boundary would be reported monthly.

Scans or intrusions that did not affect CCS operations would be reported in a summary report that would include source IP addresses where available.

All reports received of cyber related incidents that affected CCS operations would be immediately reviewed by a CCSCD action officer. In the event the cause was unknown (for incidents with off-site consequences) or the information reported seemed to indicate a deliberate attack, ICS-CERT would be notified and further actions or investigations would be initiated as necessary. Any time that an attack clearly seemed to be indicated, the FBI would be notified.

Information Sharing

By the 10th of each month CCSCD would compile an unclassified summary report of all cyber related incidents from the previous month. Copies would be distributed to the CSO of each covered facility, the FBI and the head of each Federal agency with primary regulatory authority over any covered facility.

A formal incident report would be completed by CCSCD on each cyber related incident that resulted in an effect on a CCS. Unclassified versions of those reports would be made available to CSOs of covered facilities. Classified (when required) versions of reports of those incidents would be made available to the FBI and the head of each Federal agency with primary regulatory authority over any covered facility. Copies of reports would also be made available to appropriate fusion centers, ISACs and ISAOs. All unclassified reports would be considered to be PCII.


Readers of this blog will immediately recognize that I stole large portions of this proposed program from the CFATS program model. I have long been a fan of the on-line reporting tools and the automated evaluation possibilities associated with those tools. I would certainly hope, however, that more work would be put into making the completion of the data as simple as possible and organized in a way that could be easily followed by mere humans; the CFATS SSP tool is way too convoluted, repetitive and unusable. We need to avoid replicating that.

I do not expect that Congress will make any effort to regulate the security of industrial control systems to anywhere near this extent any time in the near future. Industry resistance will be just too high. As we start to see attacks with off-site consequences, however, there will be increasing calls for even more regulation than this.

Hopefully, industry can get behind some sort of meaningful control system security legislation before we end up with a catastrophic attack on a control system. Congress tends to get knee-jerk over-reactions to situations of that sort and it can take a very long time to back off from those over-reactions.

Friday, May 29, 2015

HR 2402 Introduced – Protected Electric Security Information

Earlier this month Rep. Lofgren (D,CA) introduced HR 2402, the Protecting Critical Infrastructure Act. The bill would create a new class of controlled unclassified information (CUI) to protect information sharing within the bulk power distribution system and with Federal, State and local government agencies.

In many ways the bill shares elements in common with HR 2271 and S 1068, but there are two major differences. First, there is no authorization for the Secretary of Energy to take any actions to protect cybersecurity. Second, instead of recognizing the current Critical Energy Infrastructure Information (CEII) category of CUI, it constructs a new category out of whole cloth.

Protected Electric Security Information

As I have mentioned in other blog posts, the current CEII would be classified as CUI Basic under the rulemaking on CUI currently being undertaken by the National Archives and Records Administration (NARA) of the OMB. This means that the NARA regulations would govern markings, protective measures, classification authority and declassification authority for CEII.

This bill, on the other hand, would establish a new category of CUI, Protected Electric Security Information (PESI), as a matter of law. That would place PESI in the CUI Specified category. This means that the NARA CUI regulations (when finalized, maybe next year) would only govern those aspects of security not specifically covered in this bill or in subsequent regulations issued in accordance with this bill.

The information protection items specifically addressed in the bill include:

∙ Protection from disclosure under Federal, State and local freedom of information rules {new §215A(a)(1)};
∙ Duration of protection, maximum 5 years {new §215A(a)(6)};
∙ Early declassification authority, resides in FERC {new §215A(a)(7)}; and
∙ Judicial review process {new §215A(a)(8)}.

Additionally, FERC is given authority to draft regulations governing the sharing of CEII information between and amongst government agencies (at all levels in the US) and private entities, as well as with Mexican and Canadian authorities as necessary.

Moving Forward

Neither Lofgren nor her cosponsor {Rep. Gowdy (R,SC)} is a member of the House Energy and Commerce Committee, so it is unlikely that this bill will make it to committee consideration, especially considering that sponsors of HR 2271 are on that Committee.

EAP Guidance – Personnel Surety

This is part of a continuing series of blog posts on the newly released Expedited Approval Program (EAP) guidance document for Tier 3 and Tier 4 facilities under the Chemical Facility Anti-Terrorism Standards (CFATS) program. Other posts in the series are:

In this post I will look at the personnel surety requirements of the EAP. These are covered in section F (pg 50 and pg 86) of the EAP guidance document along with a number of other security management measures. The personnel surety program is covered under the Risk-Based Performance Standard #12 in the RBPS guidance document. In the CFATS regulations there are four personnel surety requirements at 6 CFR 27.230(12). They are:

∙ Measures designed to verify and validate identity;
∙ Measures designed to check criminal history;
∙ Measures designed to verify and validate legal authorization to work; and
∙ Measures designed to identify people with terrorist ties.

The EAP guidance document only specifically addresses the first three requirements because ISCD has yet to complete the Personnel Surety Program (PSP) that would address the method of identifying people with terrorist ties. I’ll discuss this further at the end of this post.

EAP Checklist

The EAP checklist lists eight personnel surety requirements:

∙ The facility has identified all affected individuals;
∙ The facility verifies and validates the identity of all affected individuals by a government issued ID or identification document as listed on the I-9 form;
∙ The facility conducts a criminal history check on all affected individuals through a third party background investigation company, national program, or local law enforcement agency. This background check includes national, state, and local resources for a timeframe of no fewer than five years and the report identifies all felonies, at a minimum;
∙ The facility has a process for adjudicating the results of background checks and determining access restrictions in a reasonable manner;
∙ Upon notification from DHS, the facility will implement a process to identify all affected individuals with terrorist ties;
∙ The facility escorts all visitors who do not have background investigations via an approved and trained escort; and
∙ The facility maintains documentation (at a minimum: employee name, how the required checks were conducted, and the results of the checks) of background checks for all current affected individuals in order to demonstrate compliance with personnel surety requirements.

The term ‘all affected individuals’ is specifically defined as:

∙ Facility personnel who have or are seeking access, either unescorted or otherwise [emphasis added], to restricted areas or critical assets; and
∙ Unescorted visitors who have or are seeking access to restricted areas or critical assets.

There are two items from the RBPS Metrics (pgs 99-100) that are not addressed in the EAP guidance. First, Metric 12.2 for Tier 3 facilities requires that investigations “are repeated for all individuals at regular intervals”. And Metric 12.5 for all facilities requires that the background check program be audited annually.

Additional EAP Information

The discussion of the personnel surety program in the EAP guidance (pgs 50-52) provides only limited amounts of additional information. Most importantly, the guidance does make it clear that owners have some leeway in determining whether or not contractors are included in the term ‘facility personnel’.

There is surprisingly detailed guidance as to what constitutes ‘verifying ID’. It includes:

∙ Comparing the picture on the card with the owner;
∙ Comparing the physical characteristics against the person’s physical appearance;
∙ Checking for tampering;
∙ Reviewing both sides of the card; and
∙ Checking the expiration date.

Terrorist Ties Checking

There is currently no approved method for facilities to check for personnel with terrorist ties. ISCD is responsible for setting up this program and has had problems getting the PSP program approved by the Office of Management and Budget due to industry opposition to many of the program elements. The most current proposal has been under review since March of 2014.

The most vociferous critics, and certainly the most influential, have been in Congress. The CFATS statute passed last session (HR 4007) specifically addressed those congressional concerns with the PSP program {6 USC 622(d)(2)}. While that statute requires DHS to establish a CFATS program to identify personnel with terrorist ties, it also allows facility owners to use another “Federal screening program that periodically vets individuals against the terrorist screening database” {§622(d)(2)(B)(i)(I)}. Additionally, it requires that a facility accept any credential from such a ‘Federal screening program’ if offered by an individual as proof that a covered individual has been screened for terrorist ties.

These new requirements for the PSP program will require a substantial re-write of the program that was submitted to OMB last year. It appears that ISCD is still going to rely on the Information Collection Request (ICR) route for obtaining approval of the PSP program. A footnote on page 6 of the EAP guidance notes that:

“Compliance with RBPS 12(iv) will be required for Tiers 1 and 2 upon approval of an Information Collection Request under the Paperwork Reduction Act, and upon notification to facilities by DHS that the CFATS Personnel Surety Program (i.e., the program enabling compliance with RBPS 12(iv)) has been implemented.”

This is the same two-stage implementation plan that ISCD had proposed in its last PSP proposal. This would allow it to implement the program at the highest risk facilities (and a smaller number of facilities) first. As the bugs were worked out and ISCD had a better idea of the number of individuals that would be affected at the Tier 3 and Tier 4 facilities, ISCD would then go back with a revision to the ICR to allow application of the PSP to Tier 3 and 4 facilities. This means that it could be quite some time before Tier 3 and Tier 4 facilities have to worry about the terrorist ties vetting of their covered personnel.


Like the cybersecurity requirements, the personnel surety requirements of the EAP are rather vague and potentially allow facilities a great deal of latitude in how those requirements are met. It also means that facilities might face the very real prospect of having DHS specify particular vetting steps that must be taken when the compliance inspection is completed. This potentially could substantially increase the cost of the personnel surety program, and those new costs could come with a very short implementation period.

There is also an interesting new requirement for the Tier 3 and Tier 4 programs that was not included in the original personnel surety requirements outlined in the RBPS guidance document. It is the fifth point in the personnel surety checklist:

∙ The facility has a process for adjudicating the results of background checks and determining access restrictions in a reasonable manner;

This was undoubtedly added due to the new requirement in the CFATS statute {6 USC 622(d)(2)(A)(iii)(II)} for establishing a redress process. That requirement, however, was specifically targeted at individuals who had been vetted against the terrorist screening database via the ISCD PSP. The way it is implemented in the EAP expands that requirement (legitimately so in my opinion) to include all of the background checks in that redress program.

What is not clear is if ISCD has been ‘requiring’ such a redress program in all of the site security plans that it has been authorizing and/or approving to date. There certainly has not been anything publicly discussed about such a requirement. If not, it will be interesting to see if and how ISCD goes back to the non-EAP facilities with approved SSPs to get such a program put in place for non-PSP background checks.

Thursday, May 28, 2015

ICS-CERT Publishes IDS RTU Advisory

Today the DHS ICS-CERT published an advisory for a directory traversal vulnerability in IDS RTU 850 devices. The vulnerability was reported by Benjamin Kahler and Sebastian Kraemer of HSASec. ICS-CERT reports that the vulnerable models are well past their end-of-support date (2009), so no effort will be made to produce an update. IDS has provided specific mitigation suggestions nonetheless.

ICS-CERT reports that a highly skilled attacker could remotely exploit this vulnerability to obtain credentials for access to the internal service interface via telnet.

HR 2396 Introduced – Medical Software

Earlier this month Rep. Blackburn (R,TN) introduced HR 2396, the Sensible Oversight for Technology which Advances Regulatory Efficiency (SOFTWARE) Act, that addresses the regulation of medical software. In many ways it is similar to her HR 3303 of last session, but there are some subtle differences.


The bill starts off by adding a new definition to the Federal Food, Drug and Cosmetic Act (at 21 USC 321) that defines ‘health software’. It defines the term in the negative sense, explaining what it is not. In short, it defines ‘health software’ as medically related software that would have no direct effect on patient health or safety.

Under the same paragraph it also defines another, somewhat odder term: ‘accessories’. This is not specifically software; it is defined as a product that {new §321ss(2)}:

∙ Is intended for use with one or more parent devices; and
∙ Is intended to support, supplement, or augment the performance of one or more parent devices.

Software Regulation

Section 3 of the bill would add a new section to the Drugs and Devices chapter of the Federal Food, Drug, and Cosmetic Act. This section provides authority for the Secretary of Health and Human Services to regulate software. First, though, it begins with a negative, prohibiting the Secretary from regulating health software.

But this prohibition does have an exception for health software that “provide patient-specific recommended options to consider in the prevention, diagnosis, treatment, cure, or mitigation of a particular disease or condition” {new §321ss(1)(F)} where the Secretary determines that the software “poses a significant risk to patient safety” {new 21 USC 361o(b)(1)(B)}.

The real difference between this bill and the one from last session lies in paragraph (c) of the new §361o, which specifically provides authority for the Secretary to regulate software (other than ‘health software’). It also provides authority for the Secretary to regulate software via ‘administrative order’ as long as proposed orders are first published in the Federal Register.

It also requires the Secretary to review existing regulations and guidance regarding the regulation of software and to update those regulations and guidance as necessary. In conducting the review the following areas will be reviewed {new §361o(c)(3)}:

∙ Classification of software;
∙ Standards for development of software;
∙ Standards for validation and verification of software;
∙ Review of software;
∙ Modifications to software;
∙ Manufacturing of software;
∙ Quality systems for software;
∙ Labeling requirements for software; and
∙ Post-marketing requirements for reporting of adverse events.

Moving Forward

Blackburn is a mid-ranking member of the Health Subcommittee of the House Energy and Commerce Committee. That, combined with the fact that her co-sponsor {Rep. Green (D,TX)} is the Ranking Member of the Subcommittee, means there is a pretty good chance that this bill will be considered by the Committee.

There does not appear to be anything in the bill that would cause any serious opposition if it does make its way to the floor of the House. The only question is whether Blackburn and Green can convince the leadership to move the bill forward.


In light of the recent controversy surrounding the security vulnerabilities reported in the Hospira Infusion Pump software, I am surprised and disappointed at not seeing security specifically mentioned as one of the areas for review of software regulations. With patient safety also not being specifically identified, I am concerned that the FDA may not feel justified in taking actions to regulate the security of medical device software.

There are, of course, a number of places still in the legislative process where an amendment could add language addressing these two issues. Some specific changes (in italics) to §361o(c)(3) that I would like to see would include:

(B) Standards for development of software including secure development practices;
(C) Standards for validation and verification of software including security testing;
(E) Modifications to software including security patching;
(I) Postmarketing requirements for reporting of adverse events and security vulnerabilities, including coordination with ICS-CERT for security vulnerabilities.

It would also be helpful if there were specific language requiring the Secretary to coordinate with NIST and DHS during the required software regulation review process. And finally, there should be a specific requirement for users of regulated software to report any suspected cyberattacks on that software to the FBI and ICS-CERT.

HR 2379 Introduced – Volatile Crude

Earlier this month Rep. Lowey (D,NY) introduced HR 2379, a bill that would prohibit the transportation of certain volatile crude oil by rail. The bill would establish an interim standard of 8.5 psi as the maximum Reid vapor pressure allowed for crude oil transported by rail.

This bill is somewhat similar to HR 1679 that was introduced last month; though the maximum Reid vapor pressure is significantly lower. In fact, this is the average vapor pressure for Bakken crude oil reported by American Fuel & Petrochemical Manufacturers in a study they conducted for PHMSA.

As I mentioned in my blog post on HR 1679, Reid vapor pressure is a totally inadequate measure of the volatility of crude oil. To make matters worse the test results for crude oil are so dependent on the sampling techniques that it is unlikely that two samples obtained by different people of the same material would be statistically similar.

Ms. Lowey is not a member of the House Transportation and Infrastructure Committee {though one of her co-sponsors, Rep. Garamendi (D,CA) is, but he is not on the appropriate sub-committee} so it is unlikely that she would have the political pull to get this bill considered in Committee. This is another crude oil transportation bill that is more about political grandstanding than transportation safety.

Wednesday, May 27, 2015

DHS Requests Comments on ISAOs

The DHS Office of Cybersecurity and Communications (OCC) published a request for comments in today’s Federal Register (80 FR 30258-30259) on the formation of Information Sharing and Analysis Organizations (ISAOs) for cybersecurity information sharing, as directed by Executive Order 13691. This request for comments is roughly associated with the ISAO workshop being conducted by DHS on June 9th.

The request for comments is looking generally for comments on the ISAO program outlined in EO 13691 and specifically for answers to 8 questions (the verbiage says five questions but lists 8; either a typo or poor editing):

1. Describe the overarching goal and value proposition of Information Sharing and Analysis Organizations (ISAOs) for your organization.
2. Identify and describe any information protection policies that should be implemented by ISAOs to ensure that they maintain the trust of participating organizations.
3. Describe any capabilities that should be demonstrated by ISAOs, including capabilities related to receiving, analyzing, storing, and sharing information.
4. Describe any potential attributes of ISAOs that will constrain their capability to best serve the information sharing requirements of member organizations.
5. Identify and comment on proven methods and models that can be emulated to assist in promoting formation of ISAOs and how the ISAO “standards” body called for by E.O. 13691 can leverage such methods and models in developing its guidance.
6. How can the U.S. government best foster and encourage the organic development of ISAOs, and what should the U.S. government avoid when interacting with or supporting ISAOs?
7. Identify potential conflicts with existing laws and authorities that may inhibit organizations from participating in ISAOs and describe potential remedies to these conflicts.
8. Please identify other potential challenges and issues that you believe may affect the development and maturation of effective ISAOs.

While DHS is soliciting public feedback, there is nothing in the notice that specifically tells people how to provide that feedback. There is, however, a docket (DHS-2015-0017) set up on the Federal eRulemaking Portal for submitting these comments. Comments should be submitted by June 10th, 2015.

CSB Meeting Announced – 6-10-15

The Chemical Safety and Hazard Investigation Board (CSB) published a meeting notice in today’s Federal Register (80 FR 30207) for a public meeting in Washington, DC on June 6th, 2015.

The morning portion of the meeting will focus on emerging safety issues and the CSB’s safety investigations and recommendations program. There may be a discussion of Board rules concerning periods when the Board’s chair position is vacant.

The afternoon portion of the meeting will address the Board’s investigation of the 2009 incident at the CAPECO petroleum tank farm in Puerto Rico.

The Board will be soliciting public comments during both portions of the meeting. Written comments may be submitted at the meeting or emailed to Hillary J. Cohen, Communications Manager,

Bills Introduced – 05-26-15

Both the House and Senate met in pro forma sessions yesterday while the vast majority of congresscritters were in their home states on a very extended Memorial Day weekend. Even so there were four bills introduced in the House (the Senate does not allow bill introductions during pro forma sessions). One of those bills may be of specific interest to readers of this blog:

HR 2576 To modernize the Toxic Substances Control Act, and for other purposes. Rep. Shimkus, John [R-IL-15]

This is supposed to be the House version of bipartisan TSCA reform. It will probably not get much mention in this blog. The bill is too complex and only tangentially touches on the aspects of chemical safety that I typically cover in this blog.

Tuesday, May 26, 2015

Bills Introduced – 05-22-15

There were 22 bills introduced in the House and the Senate on Friday, May 22nd. Only one of those may be of specific interest to readers of this blog:

S 1462 A bill to improve the safety of oil shipments by rail and for other purposes. Sen. Schumer, Charles E. [D-NY]

This bill is being introduced by five influential liberal Senators. It will be interesting to see what made it into this bill.

ICS-CERT Publishes Rockwell Advisory

Today the DHS ICS-CERT published an advisory for a password encryption vulnerability in the Rockwell Automation RSView32 application. The vulnerability was reported by Vladimir Dashchenko and Dmitry Dementjev of the Ural Security System Center. Rockwell has produced a software patch to mitigate the vulnerability, but there is no indication that the researchers have been given the opportunity to verify the efficacy of the fix. This advisory was originally released on the US CERT Secure Server on May 12th.

ICS-CERT reports that this vulnerability would be difficult to exploit as it would require access to the file in which the user names and passwords were stored, reverse engineering the encryption, and then using a social engineering attack for the exploit.

Once again we have ICS-CERT taking a vulnerability with a reported low exploitability to the Secure Server while they publicly release vulnerabilities that can be exploited by attackers with relatively low skills. Something is amiss here.

Friday, May 22, 2015

ICS-CERT Publishes Update and Two Advisories

Yesterday the DHS ICS-CERT published an update for a year-old OleumTech advisory and two new advisories for systems from Emerson and Schneider.

OleumTech Update

This update effectively closes out the mitigation side of a very peculiar advisory issued last year. In that original advisory ICS-CERT published their document without any apparent agreement from OleumTech that vulnerabilities actually existed. This update takes out two very interesting sentences from the original now that OleumTech has published updates that resolve the vulnerabilities. Those sentences stated:

“The researchers have coordinated the vulnerability details with NCCIC/ICS-CERT and OleumTech in hopes the vendor would develop security patches to resolve these vulnerabilities. While ICS-CERT has had many discussions with both OleumTech and IOActive this past year, there has not been consensus on vulnerability details and positive product developments to resolve identified vulnerabilities.”

In discussing the now available updates for the systems ICS-CERT also removes the following description of the original OleumTech response:

“The vendor and IOActive researcher team do not completely agree with ICS-CERT about the severity and validity of these vulnerabilities. The vendor has stated they do not plan to resolve vulnerabilities they consider not valid.”

I suspect that OleumTech made some changes in their system unrelated to the reported vulnerabilities and realized that they could be considered to be mitigation measures and reported that to ICS-CERT. There is no indication that the original researchers have been given the chance to verify the efficacy of the fixes. In any case it looks like it took two years to fix the vulnerabilities.

Emerson Advisory

This advisory describes an SQL injection vulnerability in the Emerson AMS Device Manager Application. This vulnerability was apparently self-reported and Emerson has developed a patch for newer versions of the system and a configuration fix for older versions.

ICS-CERT reports that a moderately skilled attacker could exploit this vulnerability to gain privilege escalation on the device manager, but not to the underlying computer system.

This advisory was originally released on the US CERT Secure Portal on April 21st. It seems odd to me that a vulnerability that requires local access to exploit would get released on the Secure Portal for a month before public release when many more serious and remotely exploitable vulnerabilities get public release immediately.

Schneider Advisory

This advisory describes a DLL hijacking vulnerability in the Schneider OPC Factory Server (OFS) application. The vulnerability was originally reported by Ivan Sanchez from Nullcode Team. Schneider has produced a patch that mitigates the vulnerability and Sanchez has been given the opportunity to verify the efficacy of the fix.

ICS-CERT reports that a social engineering attack is required to exploit this vulnerability. A successful exploit could cause a server crash or allow execution of arbitrary code. The Schneider advisory (.PDF Download) does not mention the possibility of code execution.

Wednesday, May 20, 2015

Bills Introduced – 05-19-15

Yesterday there were 89 bills introduced in the House and Senate. Only two of those may be of specific interest to readers of this blog:

HR 2410 To authorize highway infrastructure and safety, transit, motor carrier, rail, and other surface transportation programs, and for other purposes Rep. DeFazio, Peter A. [D-OR-4]

S 1376 An original bill to authorize appropriations for fiscal year 2016 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of... Sen. McCain, John [R-AZ]

HR 2410 may contain references to new hazardous material transportation requirements, particularly for crude oil trains. We will just have to wait and see.

S 1376 has already been ‘ordered reported’ so we are now waiting on both the publication of the language of the bill as well as the accompanying report. This will be the version of the 2016 NDAA that will be considered in the Senate. A conference committee will sort out the differences between this version and the one passed by the House last week.

Tuesday, May 19, 2015

HR 2353 Passed in House

As expected HR 2353, the two-month extension of Highway Fund spending until July 31st, passed by a largely bipartisan vote of 387 to 35. Earlier in the day a procedural move was made by Rep. Esty (D,CT) to try to add an amendment requiring funding for positive train control for passenger rail. It was subsequently defeated on a straight party line vote of 182 to 241.

The bill will go to the Senate where it will very likely pass under the standard ‘without objection’ process. News reports have noted that the President has agreed to sign the bill when it gets to his desk. If the bill does not get passed in the Senate this week the State transportation projects funded by the Highway Fund will stop receiving funds on June 1st.

EAP Guidance – Cyber Security

This is part of a continuing series of blog posts on the newly released Expedited Approval Program (EAP) guidance document for Tier 3 and Tier 4 facilities under the Chemical Facility Anti-Terrorism Standards (CFATS) program. Other posts in the series are:

In the next couple of posts I’ll be looking at some of the actual security requirements outlined in the new EAP. As a reminder, all of these requirements are based upon the standards set forth in the Risk-Based Performance Standards (RBPS) guidance manual issued six years ago. That document describes considerations to be used in selecting appropriate security measures to fulfill each of the 18 standards outlined in 6 CFR 27.230.

I am going to start with the requirements in the EAP for RBPS #8, Cybersecurity. The main reason that I am starting here, rather than at the more conventional starting point, is that I am also interested in how ISCD is dealing with some of the complicated issues of cybersecurity, and the EAP provides a unique opportunity to look at how ISCD would like to see cybersecurity implemented in high-risk chemical facilities.

RBPS #8 Requirements

The regulatory requirements for cybersecurity are spelled out in §27.230(8): “Deter cyber sabotage, including by preventing unauthorized onsite or remote access to critical process controls, critical business system, and other sensitive computerized systems.” The generic discussion of how this can be done starts on page 71 of the RBPS guidance and the metrics for evaluating security measures can be found starting on page 78. In the EAP guidance document the discussion of cybersecurity measures starts on page 40 and the cybersecurity portion of the site security plan (SSP) template starts on page 82.

The first requirement is to establish what computer systems are covered by the SSP. It must always be remembered that the SSP is focused on protecting the DHS chemicals-of-interest (COI) found on the site. This means that the facility is required to list all of the cyber assets that:

∙ Monitor and/or control physical processes that contain a COI;
∙ Are connected to other systems that manage physical processes that contain a COI; or
∙ Contain business or personal information that, if exploited, could result in the theft, diversion, or sabotage of a COI

Computer systems that deal with security functions like access control, surveillance and alarms are not considered under this RBPS unless they are connected to a computer system described above. They are considered during the discussion of their related security measures.

Cybersecurity Policies

The next area of the cybersecurity portion of the SSP deals with the establishment of cybersecurity policies. These policies must:

∙ Be documented, distributed and maintained with a management of change policy;
∙ Include the designation of a trained and qualified individual(s) to manage cyber security for the facility;
∙ Require account access control to critical cyber systems utilizing the least privilege concept;
∙ Maintain access control lists, and ensure that accounts with access to critical/sensitive information or processes are modified, deleted, or de-activated in a timely manner;
∙ Establish password management protocols to ensure all default passwords have been changed (where possible), enforce password structures, and implement physical controls for cyber systems where changing default passwords is not technically feasible;
∙ Require physical access to critical cyber assets and media;
∙ Provide for cyber security training to all employees that work with critical cyber assets; and
∙ Require that the facility will report significant cyber incidents to senior management and the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

Each of the bullet points listed above has its own check-off box on the EAP SSP template. There are no requirements to provide any additional information to ISCD for this area of the SSP. In general this will be true for almost all of the EAP SSP documentation. This will be the last time that I mention this check-off technique, but I will mention where the EAP requires additional information be provided to ISCD beyond the simple check the box.

There is a little more detail in the discussion portion of the EAP guidance on the topics listed above. There are only two that have any additional information of significance; the training requirements for the cybersecurity officer (pg 42) and a discussion about the documentation supporting the requirement to report significant cybersecurity incidents to ICS-CERT (pg 43).

Remote Access

Next there is a very short section on remote access to the cybersecurity assets. It requires that:

∙ The facility defines allowable remote access and rules of behavior.

In the detailed discussion there is also a requirement to capture all remote access activities on system logs.

Control Systems

The next section of the cybersecurity portion of the EAP SSP deals with control systems. For facilities that do not have control systems that impact the security of the COI there is a single box to check-off explaining that fact. The Control System section of the SSP reports that the facility:

∙ Conducts audits that measure compliance with the cyber security policies, plans, and procedures and results are reported to senior management;
∙ Documents the business need and network/system architecture for all cyber assets (systems, applications, services, and external connections);
∙ Disables all unnecessary system elements;
∙ Integrates cyber security into the system lifecycle for all critical cyber assets;
∙ Ensures that service providers and other third parties with responsibilities for cyber systems have appropriate personnel security procedures/practices in place;
∙ Identifies and documents systems boundaries and implements security controls to limit access across those boundaries;
∙ Monitors the critical networks in real-time for unauthorized or malicious access and alerts, recognizes and logs events and incidents;
∙ Has a defined incident response system for cyber incidents;
∙ Has backup power for all critical cyber systems; and
∙ Has continuity of operations plans, IT contingency plans, and/or disaster recovery plans.

Additional requirements documented in the discussion section include:

∙ Audits must be conducted at least every two years;
∙ Additions to cyber systems must be pre-approved by management;
∙ An intrusion detection system must be used; and
∙ Cyber incident response must include a requirement to contact a person or agency that “is trained to identify, contain, and resolve a cyber intrusion, denial-of-service attack, virus, worm attack, or other cyber incident” (pg 46).


It is clear that the EAP guidance for cyber security is pretty much taken directly from the metrics portion of the RBPS guidance manual. As such the EAP does not provide any more specificity than does the RBPS; it does not tell facilities what cybersecurity measures must be put into place.

There are a couple of metrics from the RBPS guidance that are missing from the EAP program. They include:

8.2.1 The facility has identified and documented systems boundaries (i.e., the electronic perimeter) and has implemented security controls to limit access across those boundaries;
8.3.3 IT management, systems administration, and IT security duties are not performed by the same individual. In instances where this is not feasible, appropriate compensating security controls (e.g., administrative controls, such as review and oversight) have been implemented;
8.5.1 The facility has implemented cyber security controls to prevent malicious code from exploiting critical cyber systems, and it applies appropriate software security patches and updates to systems as soon as possible given critical operational and testing requirements;
8.5.5 Facilities with control systems that have SISs have configured the SIS so that they have no unsecured remote access and cannot be compromised through direct connections to the systems managing the processes they monitor. (For Control Systems Only)

There is no explanation given as to why these metrics do not apply to facilities submitting EAP site security plans.

For cybersecurity at least, what the EAP does is to allow a facility to take its best guess at what security measures must be put into place to meet these rather vague requirements and then certify that it has done so. As long as all of the check boxes are marked, DHS will approve the SSP. The process that now takes place during the SSP authorization and approval process will simply be transferred to compliance inspection. The difference will be that DHS will then have the authority to tell the facility what security measures must be put into place to correct any ‘facial deficiencies’ in the implementation of the site security plan {6 USC 622(c)(4)(G)(ii)(I)(aa)}.

A quick look at the other RBPS sections of the EAP suggests that they provide a great deal more detail about what is required of a facility site security plan (I’ll go into some of the details in later posts). What is different about cybersecurity is that there are fewer established standards that security professionals generally agree are effective at deterring, detecting and delaying a terrorist attack.

I was hoping that ISCD was going to take a better shot at establishing such standards, but it was patently unfair to put that load on this particular organization. While there are some people with computer and even control systems backgrounds within the ranks of the chemical security inspectors, this is patently not a cybersecurity standards setting organization and certainly not one with the control system security expertise to establish ICS standards.

Given the 180 day standard establishment deadline set by Congress, it was foolish to think that ISCD could accomplish more in the cybersecurity realm. They will have to continue on making the system-by-system judgement to determine if the security measures in place meet the vague guidelines. Hopefully, that will be the only part of the EAP guidelines that leaves so much open to interpretation.

Bills Introduced – 05-18-15

There were 26 bills introduced in the House and Senate yesterday. Of those two may be of specific interest to readers of this blog:

HR 2396 To amend the Federal Food, Drug, and Cosmetic Act with respect to the regulation of health software, and for other purposes Rep. Blackburn, Marsha [R-TN-7]

HR 2402 To amend the Federal Power Act to prohibit the public disclosure of protected information, and for other purposes Rep. Lofgren, Zoe [D-CA-19]

Blackburn has tried to limit the FDA’s authority to regulate non-patient-contact software in the past, but it is too early to tell what regulation or lack thereof is being covered here.

HR 2402 is probably another effort to codify critical electrical infrastructure information in light of the current NARA rulemaking that is underway.

Monday, May 18, 2015

HR 1987 Passes in House

As expected HR 1987, the 2016 Coast Guard Authorization Act, passed today in the House. There were only 14 minutes of debate and the bill passed on a voice vote.

As I mentioned earlier, there was no specific mention of chemical safety or security programs in this year’s bill, as there hasn’t been in recent years.

Rules Committee Crafts Closed Rule on HR 2353

This evening, as part of a three bill rulemaking process the House Rules Committee established a closed rule for the consideration of HR 2353, the short term extension of Highway Fund based spending through July 31st, 2015. The bill also extends the Hazardous Materials Emergency Preparedness Fund and the Hazardous Materials Training Grants at the current rate through the same date.

There will be one hour of debate on the bill and no amendments. There is every chance that the bill will be passed tomorrow.

HR 2271 – Electric Grid Security

Last week Rep. Latta (R,OH) introduced HR 2271, the Critical Electric Infrastructure Protection Act. In many ways this bill takes the ideas introduced in S 1068 and expands them to cover threats other than just cybersecurity threats. In fact, this new bill does not specifically mention the term ‘cybersecurity threats’.


This bill would also amend Part II of the Federal Power Act (16 USC Chapter 12 Subchapter II), adding a new section. Where the earlier bill defined ‘cyber security threats’, this new bill provides predictable definitions for the following terms {new §215A(a)}:

∙ Critical electric infrastructure;
∙ Critical electric infrastructure information;
∙ Defense critical electric infrastructure;
∙ Electromagnetic pulse;
∙ Geomagnetic storm; and
∙ Grid security emergency.

The critical definition for this bill is ‘grid security emergency’. This is defined as either:

A “malicious act using electronic communication or an electromagnetic pulse, or a geomagnetic storm event, that could disrupt the operation of those electronic devices or communications networks, including hardware, software, and data, that are essential to the reliability of the bulk-power system or of defense critical electric infrastructure” {new §215A(a)(7)(A)(1)}; or

A “direct physical attack on the bulk-power system or on defense critical electric infrastructure” {new §215A(a)(7)(B)(1)}.

The definition also specifically includes the results of such acts or attacks.

Authority to Act

The new §215A(b) then goes on to provide the Secretary of Energy the authority to take emergency actions “as are necessary in the judgment of the Secretary” {new §215A(b)(1)} to protect the reliability of the bulk power system or defense critical electric infrastructure when the President identifies a grid security emergency in writing. Emergency orders under this provision may apply to {new §215A(b)(4)}:

∙ The Electric Reliability Organization;
∙ A regional entity; or
∙ Any owner, user, or operator of the bulk-power system or of defense critical electric infrastructure within the United States.

Such emergency authority and resulting orders will expire after 30 days. The Secretary, upon notification by the President that the grid security emergency continues, may extend the emergency actions for 30 days at a time. Unlike S 2068, there is no 90 day limit on those extensions.

As part of this emergency authority, the Secretary (and other ‘appropriate Federal agencies’) are required to provide temporary access to classified information related to the grid security emergency to any “key personnel of any entity subject to such emergency measures to enable optimum communication between the entity and the Secretary and other appropriate Federal agencies regarding the grid security emergency” {new §215A(b)(7)}.

Critical Electric Infrastructure Information

Section 215A(d) officially establishes Critical Electric Infrastructure Information (CEII) as controlled unclassified information (CUI, though the term is not actually used in the legislation) that is exempt from disclosure under Federal and State freedom of information laws. It requires the Secretary to establish regulations to provide for the appropriate protection of such information. Under the new rules being developed by the National Archives and Records Administration (NARA) this would move CEII out of the ‘Basic’ CUI classification and into the ‘Specified’ CUI category allowing the Secretary to establish the rules for protecting and sharing the information.

Moving Forward

Rep. Latta is a relatively senior member of the Energy and Power Subcommittee of the House Energy and Commerce Committee. Rep. McNerney (D,CA) is a co-sponsor and the second highest ranking Democrat on the same subcommittee. Between the two of them they probably have enough pull to get this bill considered in the Subcommittee. Whether or not it will move forward from there depends on who else they can get on the bandwagon.

This bill would probably pass in both the House and Senate if it ever got to the floor. There is really nothing new here, it just legalizes and requires the establishment of a regulatory structure to allow the emergency actions that would take place in any case under the President’s executive powers under the Constitution.

It does look like this bill is being considered for inclusion in a larger bill. This would be the bill that I briefly discussed this morning as being the topic for tomorrow’s Energy and Power Subcommittee hearing. If that does happen this bill would be left hanging unless something happened to stop that new bill from proceeding.

Committee Hearings – Week of 5-17-15

Both the House and Senate will be in town this week before taking off next week for their Memorial Day break. Not much in the way of hearings this week of specific interest to readers of this blog; a couple of markups, an energy security hearing and the highway bill rule.

Energy Security

The Energy and Power Subcommittee of the House Energy and Commerce Committee will be holding a hearing on a new bill addressing energy reliability and security on Tuesday. Among other things the bill includes EMP provisions, cybersecurity order provisions, and a new ‘Cyber Sense’ program.

The witness discussion will be wide ranging and probably superficial. It is still early in the game on this bill.

Legislation Markups

The House Homeland Security Committee will markup 11 bills on Wednesday. This will include HR 1646 and HR 2200. I covered the subcommittee markup of both of those bills last week. Both are apparently on the fast track to the House floor. The Homeland Security Committee version (HR 1738) of the Integrated Public Alert and Warning System Modernization bill will also be considered. The fate of this bill has yet to be determined by the House leadership.

The Senate Commerce, Science and Transportation Committee will also meet on Wednesday to consider 13 bills. The one of note for readers of this blog is HR 710. Chances are looking good that Rep. Jackson-Lee (D,TX) may finally see her TWIC bill making it to the floor of the Senate.

Highway Bill

As I noted on Saturday the short term extension of the highway bill, HR 2353, has been introduced and the House Rules Committee will be meeting today to formulate the rule for its consideration. This bill is obviously being fast tracked so it will be on the President’s desk by Friday.

Floor of the House

In addition to HR 2353 the House will take up the 2016 Coast Guard authorization bill (HR 1987) this week under suspension of the rules. With no amendments being allowed under that process, this bill will go to the Senate without any new hazmat security or safety measures.

Sunday, May 17, 2015

S 1209 Introduced – Pipeline Replacement Fund

Last week Sen. Markey (D,MA) introduced S 1209, the Pipeline Revolving Fund and Job Creation Act. The bill would authorize PHMSA to make grants to State revolving loan funds established for repairing or replacing natural gas distribution lines. This bill is very similar to two bills introduced in the 113th Congress; S 1768 and HR 4339. I have discussed the details in the post on S 1768. Neither bill was considered in committee in the last session.

Funds like this, where the repayment of principal and interest on loans provides funds for subsequent loans, are a means of taking a relatively small amount of current capital and leveraging it over a period of time. While the bill does authorize funding through 2026 it does not do so at any specific level. Without knowing how much funding will be available, it is hard to argue about the potential efficacy of the program.

Sen. Markey is a mid-ranking Democrat on the Senate Commerce, Science and Transportation Committee. That is the committee to which this bill was forwarded for consideration, but it is unlikely that he has enough influence to bring the Committee to consider this bill. This is particularly true since he was not able to have the bill considered in the last session when the Democrats were in charge of the Committee.

S 1175 Introduced – Rail Hazmat Safety

Just about three weeks ago Sen. Wyden (D,OR) introduced S 1175, the Hazardous Materials Rail Transportation Safety Improvement Act of 2015. The bill takes a somewhat unusual approach to improving the safety of hazardous material rail transportation.

Rail Spill Liability Account

Title I of the bill adds a new section to 26 USC 9509, the Oil Spill Liability Trust Fund, establishing the Hazardous Liquids Rail Spill Liability Account within that Trust Fund. The Secretary of the Treasury would put into that account any new monies deposited into the OSLTF resulting from rail transportation of oil, including:

∙ Amounts recovered under §1006(f) or §1015 of the Oil Pollution Act of 1990 for damages to natural resources;
∙ Any penalty paid pursuant to §309(c) of the Federal Water Pollution Control Act;
∙ The Deepwater Port Act of 1974; or
∙ Section 207 of the Trans-Alaska Pipeline Authorization Act.

Additionally, §103 of the bill would add a new Subchapter E to 26 USC Chapter 38 levying a new fee on shippers of ‘hazardous flammable liquids’ that load such materials into a DOT 111 railcar. The sliding-scale fee would be $175 per car loading for cars loaded before January 1st, 2017; $350 between that date and January 1st, 2018; $700 until January 1st, 2019; and $1,400 thereafter. The monies from this fee would be deposited in the Oil Spill Liability Trust Fund established in this bill.

Monies from the HLRSL account may be appropriated for purposes outlined later in this proposed bill, in addition to monies for DHS hazmat response planning and training under 49 USC 5116.

To ensure that railroad-related discharges of flammable liquids are covered by the Oil Pollution Act of 1990 for the financial purposes of this act, the bill first amends 33 USC 2702 by specifically adding dangerous flammable liquid spills “resulting from rail transportation of such oil” {§102(a)} to the elements necessary for liability under the Oil Pollution Act, without respect to the location of the spill “into or upon the navigable waters or adjoining shorelines or the exclusive economic zone”.

Next, the legislation would require the PHMSA Administrator to designate as a hazardous substance any Class 3 hazardous material that is “discharged due to rail transportation” {new 33 USC 1321(b)(2)(A)(ii)}.

Finally, §104 would add a new section 45S to Chapter A of 26 USC that would provide a limited tax credit for converting CPC-1232 tank cars into the new type designated for flammable liquid service. The bill was written before the publication of the DOT HHFT final rule, but the wording makes it clear that the conversion would be to the DOT 117R standards. The Treasury would be compensated for the monies lost to the tax credit from the Oil Spill Liability Trust Fund.

Section 201 would add a new requirement to the public sector hazmat response training standards of 49 USC 5115. It would mandate that the training curriculum also recommend a “course of study to train public sector employees to respond to an accident or incident involving trains transporting at least 20 tank cars of flammable liquids or gases” {new §5115(b)(1)(B)}.

Section 202 would amend 49 USC 5116 to add as an allowable use of the §5116(a) planning grants to “develop, improve, and carry out emergency plans for communities through which railroads transport a train or trains transporting at least 20 tank cars of flammable liquids or gases” {new §5116(a)(1)(C)}. A similar change would be made to the §5116(b) training grants by §203 of the bill.

Section 204 would require the DOT Secretary to establish a grant program to “provide financial assistance for local projects, activities, and personnel that mitigate the impacts of, and public health or environmental risks associated with, the transport of flammable liquids or gases by rail” {§204(b)}.

Section 205 would require the Secretary of Transportation to implement the following recommendations from the NTSB within 1 year of the enactment of this act:

∙ R-14-019; and

Data Collection

Title III of the bill requires the conduct of a number of studies and submission of reports to Congress. They include reports on:

∙ The availability of equipment and firefighting materials appropriate for a large-scale release of flammable liquids or gases along HHFT routes;
∙ A census of the number and types of rail tank cars used to carry Class 3 hazardous materials;
∙ A quarterly survey of the volume of flammable energy products transported by rail; and
∙ An analysis of the risks to public health, public safety, the environment, and property that are associated with transporting large volumes of hazardous materials in unit trains.

The bill would add authorizations for many of the programs required in this bill. The new rail hazardous response planning and training grants would be authorized $15 Million in spending for each of the next three years. The new rail hazmat mitigation project grants would be authorized at $25 Million. And $5 Million would be authorized for each of the first three studies listed above.

Finally, there would be $100 Million authorized for spending on CERCLA responses to hazardous substance releases resulting from rail transportation. The CERCLA funds would remain available until expended.

Moving Forward

This bill was referred to the Senate Finance Committee because of the tax code measures included in the bill. Wyden is the Ranking Member of that Committee, and one of the eight cosponsors, Sen. Schumer (D,NY), is an influential member of that Committee. There is a slight chance that this bill may make it to the Committee for consideration. I doubt, however, that this bill will make it to the floor of the Senate.

This is a rather unusual take on the problem of flammable train safety, addressing the financial side of the issue. The idea of setting up a trust fund to handle the cleanup costs associated with crude oil spills (and make no mistake, that is the major target of this bill) certainly has a long precedent. Adding this to the current oil spill trust fund (which was really intended to deal with spills into waterways) seems like a bit of a stretch, but it would save the administrative costs of setting up a completely new administrative agency.

We have not been hearing much about the cost of cleaning up after these crude train derailments. I’m sure that there are significant costs involved, but I think that they are mainly being dealt with by the railroads. Communities will still have costs associated with these incidents, but it doesn’t really seem that those are being addressed in this legislation.

There is really only one very controversial component of this bill, and that is the tax (I’m sorry, ‘fee’) on loading flammable liquids into DOT 111 railcars. This is certainly a different way to go about forcing the industry to change out the use of DOT 111 railcars. There will certainly be opposition to these provisions from the owners/leasers of these cars. They are already suing DOT about the phase-out schedule in the HHFT rule, and the tax schedule in this bill is much steeper. Vocal and effective political opposition to this new fee must be expected.

Even if this bill does manage to move forward (and a major HHFT accident in a town or urban area would drastically change the political considerations moving this bill forward), there will have to be a number of modifications made to better align it with the HHFT final rule. The frequent reference to the ’20 flammable railcars’ language comes quickly to mind.