Friday, December 15, 2017

Bills Introduced – 12-14-17

Yesterday with both the House and Senate in session, there were 33 bills introduced. Of those, one may be of specific interest to readers of this blog:

HR 4650 To amend the Homeland Security Act of 2002 to develop and make available guidance relating to domestic preparedness for and collective response to terrorism regarding active shooter and mass casualty incident response assistance, and for other purposes. Rep. Aguilar, Pete [D-CA-31]

I will only be following this bill if it includes language requiring the guidance to include specific information for facilities that store, produce or ship hazardous chemicals relating to the special chemical hazards associated with the use of firearms at such facilities.

ISCD Publishes CFATS Quarterly – 12-15-17

Today the DHS Infrastructure Security Compliance Division (ISCD) published the latest issue of the Chemical Facility Anti-Terrorism Standards (CFATS) Quarterly on the CFATS Knowledge Center. This two-page newsletter provides an update on what has been going on in the CFATS program over the last quarter.

Actually, as befits a year-end issue, a goodly portion of the Quarterly provides a brief review of what has been going on in the Program over the last year. Most of the stuff included has been talked about here (and in other ISCD forums) in more detail, but there were two paragraphs that deserve special mention; a short recognition of the lessons learned during the 2017 Hurricane Season and a terse forward look at the upcoming (?) reauthorization of the CFATS program.

Other items included in this issue include:

• A very brief CFATS numbers update;
• An inspection best practices article;
• A brief (and far from comprehensive) list of CFATS program resources;
• A brief blurb on the NAS Improvised Explosives Study; and
• A list of recently published CFATS fact sheets and notices

So far, ISCD seems to be doing a good job avoiding turning this publication into a three-colored, glossy corporate report. I hope they can keep it up.

Thursday, December 14, 2017

Another ICS Attack in the Wild

It has not made the mainstream news yet, but today FireEye and Dragos are both reporting an attack on an industrial control system in an unnamed facility in Saudi Arabia. While the details being released are sketchy (paying customers are presumably getting more details), the important take-away from these two reports is that both organizations confirm that a successful attack (plant shutdown) was made on the safety-instrumented-system (SIS) at the facility.

For those readers with a good technical background, read the two reports noted above; these two organizations have a much better grasp of the technical details than I. For those with a less technical background, read on (and note: the mistakes of interpretation are mine).

Safety Instrumented Systems

For most automated manufacturing systems, if something really goes wrong with the system, then some product is ruined, maybe some workers get injured, or maybe someone gets killed; but the results are local. For some manufacturing systems, however, the consequences can be much larger and harder to control. Some chemical plants and nuclear power generation facilities come readily to mind.

For these types of automated facilities there is an additional type of control system that stands between normal operations and catastrophe: the Safety Instrumented System. These generally separate control systems rely on the fact that, at some intermediate point between normal operations and catastrophe, the process can still be safely shut down if the proper steps are taken in a timely manner, before catastrophe becomes inevitable and everyone has to run for the hills.

We used to rely on human operators to perform these emergency shutdowns. But, as processes became more complex and the paths to catastrophe became more numerous, it quickly became apparent that only automated control systems could be relied upon to recognize the burgeoning problem and take the appropriate timely actions necessary, each and every time. And safety instrumented systems were born.

At its most basic, a SIS consists of a computer, a limited number of sensors, and a limited number of process actuators (valves and such). The computer is programmed to watch the sensors; if they reach certain values, the actuators are operated and the process is safely terminated. The product is almost certainly lost, local equipment may be damaged, and some cleanup and downtime will be required, but catastrophe will have been averted.

If the SIS fails, there is one final layer of protection that helps mitigate the resulting catastrophe: things like pressure relief valves, rupture disks, sprinkler systems, and spill control systems. Unfortunately, if these were truly effective responses to the catastrophic failure, a SIS probably would not be employed. A SIS is a pain to design (each is a custom design), expensive to install, and a maintenance problem. They are typically not employed if the worst-case scenario for a facility will be contained within the facility.

SIS Security

While industrial control system security has been problematic at best, SIS security is a slightly different story; not because anyone was really concerned about hackers, but because no one wanted human error to get in the way of proper system operation. So, SISs were generally the last systems to be connected to any outside networks, and most require the operation of an actual, true-to-life physical key before the computer can be programmed.

With the key, the SIS is placed in program mode, where it is programmed and tested, and then placed in stop mode with the key removed from the system. Before the hazardous process is started, the key is re-inserted, the SIS is placed in run mode, and the key is again removed. The process is reversed when the hazardous process is over. This should be just about as good as it gets.
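The key-switch procedure just described, together with the basic sensor-watching trip logic from the previous section, as a simplified model added here as an example; it is not code from the FireEye or Dragos reports, nor from any vendor's safety controller. The transmitter tags (PT-101A/B/C), the high limit of 150 engineering units, the 2-out-of-3 vote, the valve tag XV-101 and the PROGRAM/STOP/RUN switch are all illustrative assumptions.

```python
"""Simplified Safety Instrumented System (SIS) model with a keyed mode switch.
Added example for this post, not code from the FireEye/Dragos reports or any
vendor controller; tags, limits and the 2oo3 vote are illustrative assumptions."""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    PROGRAM = "program"   # logic may be loaded and tested
    STOP = "stop"         # logic loaded but not executing
    RUN = "run"           # logic executing; no changes accepted


@dataclass(frozen=True)
class TripRule:
    """Trip when at least `votes_needed` of `sensors` read above `limit`."""
    sensors: tuple        # sensor tags that vote on this hazard
    limit: float          # engineering-unit high limit
    votes_needed: int     # 2 with three sensors gives 2-out-of-3 voting
    actuators: tuple      # actuators driven to their safe state on a trip


@dataclass
class SIS:
    mode: Mode = Mode.STOP
    key_inserted: bool = False
    logic: list = field(default_factory=list)
    tripped: bool = False
    audit: list = field(default_factory=list)

    def insert_key(self) -> None:
        self.key_inserted = True

    def remove_key(self) -> None:
        self.key_inserted = False

    def set_mode(self, mode: Mode) -> bool:
        """Mode changes require the physical key; refused (and logged) without it."""
        if not self.key_inserted:
            self.audit.append(f"REJECT mode->{mode.value}: key not inserted")
            return False
        self.mode = mode
        self.audit.append(f"mode->{mode.value}")
        return True

    def load_logic(self, rules) -> bool:
        """Accept a logic download only in PROGRAM mode with the key present.
        This is the gate an attacker must defeat to change what the SIS calls safe."""
        if self.mode is not Mode.PROGRAM or not self.key_inserted:
            self.audit.append("REJECT logic download: not PROGRAM mode with key")
            return False
        self.logic = list(rules)
        self.audit.append(f"logic loaded ({len(self.logic)} rules)")
        return True

    def scan(self, readings: dict) -> dict:
        """One scan cycle: returns {actuator_tag: True} for every actuator to drive
        to its safe state. A sensor absent from `readings` votes to trip (fail-safe),
        so under 2oo3 voting one failed transmitter alone does not shut the plant down."""
        commands = {}
        if self.mode is not Mode.RUN:
            return commands   # not protecting the process; nothing is commanded
        for rule in self.logic:
            votes = sum(1 for tag in rule.sensors
                        if readings.get(tag, float("inf")) > rule.limit)
            if votes >= rule.votes_needed:
                self.tripped = True
                for act in rule.actuators:
                    commands[act] = True
        return commands


def walkthrough() -> dict:
    """Commissioning and start-up with the key procedure, then two scan cycles."""
    sis = SIS()
    rules = [TripRule(("PT-101A", "PT-101B", "PT-101C"), 150.0, 2, ("XV-101",))]
    out = {"download_without_key": sis.load_logic(rules)}       # refused
    sis.insert_key()                                            # commissioning
    sis.set_mode(Mode.PROGRAM)
    out["download_in_program"] = sis.load_logic(rules)          # accepted
    sis.set_mode(Mode.STOP)
    sis.remove_key()
    sis.insert_key()                                            # before start-up
    sis.set_mode(Mode.RUN)
    sis.remove_key()
    # One transmitter high on its own does not trip under 2oo3 voting.
    out["one_high"] = sis.scan({"PT-101A": 160.0, "PT-101B": 120.0, "PT-101C": 118.0})
    # Two transmitters high drive the shutdown valve to its safe state.
    out["two_high"] = sis.scan({"PT-101A": 160.0, "PT-101B": 158.0, "PT-101C": 118.0})
    out["download_while_running"] = sis.load_logic([])          # refused, key out
    out["tripped"] = sis.tripped
    return out
```

The point of the model is the load_logic gate: with the key removed and the controller in run mode, a download is refused no matter where on the network it comes from, which is the protection this section describes and which, according to the two reports, was not enough at this facility. The audit list records every refused mode change or download; a rejection showing up there during normal operation is exactly the kind of anomaly that operations personnel should be reporting.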

Unfortunately, someone again has proved that what man can secure, some other man can hack. Again, for details, read the two reports.

Take Away

DO NOT PANIC. This is not the end of industrial control system safety. Whoever attacked this facility went to an awful lot of work: first to reverse engineer the SIS involved, second to understand the process at the facility where this attack was initiated, and third to compromise the security at the facility to get the hack initiated. A lot of time, engineering and money (sounds like a nation-state to me) went into this attack, and it failed. It screwed up and apparently unintentionally shut down the process (safely), which ended up alerting the system owners to the apparent hack.

If you want to know how to protect your SIS, read either (better, both) reports, but there is really nothing new there. Isolate your SIS from the internet and other networks, secure access (physical and virtual) to the SIS equipment and follow SIS operations guidelines. And from me, train your operations personnel so that they fully understand the processes they control and listen to them when they report anomalous system behaviors.

Wednesday, December 13, 2017

Bills Introduced – 12-12-17

Yesterday with both the House and Senate in session there were 33 bills introduced. Of these, two may be of specific interest to readers of this blog:

HR 4629 To direct the Department of Transportation to issue regulations to require enhanced security measures for shipments of security sensitive material, and for other purposes. Rep. Norton, Eleanor Holmes [D-DC-At Large]

S 2220 A bill to provide for the development, construction and operation of a backup to the Global Positioning System, and for other purposes. Sen. Cruz, Ted [R-TX]

Something odd is going on with HR 4629: the current security regulations for ‘security sensitive materials’ are not DOT regulations but rather TSA regulations (49 CFR 1580.101). Having said that, Norton is well known for her concern about the security of rail transportation of hazardous materials because there is a major rail transshipment point in Washington, DC (very close to the Capitol) that handles large volumes of hazardous materials.

S 2220 will be followed here if it specifically includes a backup to the GPS timing signal used by many industrial control systems. BTW: the cosponsor of this bill is Sen. Markey (D,MA); talk about a political odd couple, firebrands from both the Right and the Left.

Tuesday, December 12, 2017

ICS-CERT Updates Smiths Medical Advisory

Today the DHS ICS-CERT updated a medical control system security advisory for products from Smiths Medical. The advisory was originally published on September 7th, 2017. The update provides information on a patch that is available to mitigate the vulnerabilities as well as additional point of contact information for the company.

House Passes HR 3359 CISA Authorization

Yesterday the House passed HR 3359, the Cybersecurity and Infrastructure Security Agency Act of 2017 by a voice vote. The bill is Rep. McCaul’s (R,TX) long awaited reorganization of the DHS National Protection and Programs Division (NPPD).

This bill is really nothing more than an exercise in bureaucratic shuffling. The existing NPPD is now called CISA; an Under Secretary will be known as the Director, and a number of sections in 6 USC are being renumbered. The most important part of the bill is found in section 4: nothing in the bill confers new authorities or reduces authorities existing the day before this bill is enacted.

There is one subtle change made by this bill in the new definitions section 2201. There are two cybersecurity related definitions in this new section; both taken from existing statutes. The bill uses the IT-limited definition of ‘cybersecurity risk’ from the current 6 USC 148 (moving to §2209) and the ICS-inclusive definition of ‘cybersecurity threat’ from 6 USC 1501. The definitional disconnect between these two very similar (and closely intertwined) terms could cause some interesting confusion about the authority of this ‘new’ agency to address control system security issues.

Moving Forward

The bill moves forward to the Senate where it will pass with similar bipartisan support if it reaches the floor for consideration. The big question is whether or not the bill will have the leadership support necessary to bring it to the floor for consideration. At this point, I am not sure that it does.

Monday, December 11, 2017

ISCD Changes Monthly Status Reporting

Today (okay, yesterday now on the East Coast) the DHS Infrastructure Security Compliance Division (ISCD) changed the way they are reporting progress on the implementation of the Chemical Facility Anti-Terrorism Standards (CFATS) program. They scrapped the monthly .PDF CFATS Fact Sheet format and added a new web-page to the CFATS web-site that provides a slightly different look at the progress being made.

Inspection Reporting

Long-time readers of this blog will no doubt recall the monthly parsing of data that I have been doing since the CSAT 2.0 reporting began back in May of this year. With ISCD reporting inspection data both on inspections ‘since the inception of the program’ and on ‘at currently covered facilities’ I had fun trying to figure out how many inspections had actually been completed that month and how many facilities were undergoing multiple inspections due to failure to achieve compliance.

The new web page changes that reporting. It still carries on with reporting the number ‘since the inception of the program’, but it now simply reports a single number for the number of inspections (Authorization, Compliance, and Compliance Assistance) conducted during the month. The table from the November 2017 reporting is shown below.

                                      Since Inception    November 2017
Authorization Inspections (AIs)
Compliance Inspections (CIs)
Compliance Assistance Visits (CAVs)

If we compare the ‘since inception’ numbers from this newest report with those from the old-style November report (ISCD used to name their reports for the date of reporting, not the month the inspections were done), it would appear that there were 87 AIs completed and 111 CIs done in November. This discrepancy may be due to reporting format changes or a couple of other possible program issues. It is hard to tell from a single data point.

Facility Status Reporting

A new set of data being reported on the web page is CFATS Facility Statuses. Kind of an ugly title, but it is an interesting new set of information. Previously, ISCD only published monthly numbers on the number of facilities covered under the CFATS program and the number of currently approved site security plans (SSPs). The new web page provides a table showing a snapshot of the current status of facilities in the program.

Currently Covered

This new table provides us with data on the number of facilities that have received Tiering Letters (Tiered) but have not yet had their site security plan authorized. It also tells us how many are pending approval of their SSPs, how many have approved SSPs and the sum of the above tells us how many facilities are currently covered by the CFATS program.

Interestingly, since the resumption of program status reporting in May, there has been a net gain of 978 facilities in the program. Most of these, presumably, were added due to the revised risk assessment process and CSAT 2.0 resubmission of Top Screens, though ISCD has continued to vigorously reach out to the chemical community to identify facilities that should have been submitting Top Screens but, for one reason or another, have failed to do so. This is a far smaller number than the 1272 facilities that have not yet had their SSPs approved. It is highly unlikely that a significant number of the new facilities have had their SSPs approved since May. Thus, it looks like we may have had about 300 facilities fall out of the CFATS program since reporting resumed in May. That would not be out of line with what ISCD reported as being the drop-out rate for the new risk assessment process.

Missing Data

I continue to have problems with the ISCD compliance inspection data. The data being reported today for ‘compliance inspections since inception’ and the numbers reported in the last monthly report show that there should have been 111 compliance inspections completed in November, not the 87 being reported here. Again, there could be a number of different explanations, but I continue to suspect that the 87 inspections being reported in November only reflect one inspection (the latest) per facility.

In the past couple of months, I have been focusing on the potential for these re-inspections being required because of facilities failing their compliance inspection and thus requiring a re-inspection. ISCD broadly points out another category of facilities being re-inspected:

“It is also important to note that this regulatory program is cyclical in nature, meaning activities such as Compliance Inspections are recurring. ISCD began conducting recurring Compliance Inspections in March 2017.”

It would be helpful if ISCD were a little more specific about what the 87 number being reported actually means. Was that the total number of compliance inspections done in November, or the increase in the number of facilities with a current compliance inspection? And just to make things perfectly clear, it would be helpful to have the number of compliance inspections passed/failed as well.

Actually though, I really am impressed with the effort that ISCD takes to keep the chemical security community up-to-date on the progress that is being made in the program. And the progress really is an important reflection on the daily efforts by the 150 or so Chemical Security Inspectors working with the employees and contractors at the 3,548 CFATS sites on an on-going basis to reduce the risk of a terrorist attack on these facilities. Everyone involved is to be commended on the time and effort being put into this program.