Wednesday, May 11, 2011

NTAS Changes for MTSA Facilities

Last month when DHS changed over from their old color-coded terrorist alert system to the new National Terrorism Alert System (NTAS) I did a blog about how that change would affect CFATS facilities and their preparation of site security plans. CFATS isn’t the only security program affected by this change. A couple of readers have noted that the Coast Guard’s MTSA security program also required the planning for enhanced security as the old Homeland Security Advisory System (HSAS) raised the threat level which, in turn, affected the Maritime Security (MARSEC) level.

Coast Guard Response to NTAS

One reader sent me a copy of a Marine Safety Information Bulletin (MSIB) (I'm sorry I don't have a link for the document) published by the Captain of the Port for New Orleans on April 29th describing how MTSA covered facilities and vessels should adapt their approved security plans to the new NTAS pending specific changes to 33 CFR 101.

That MSIB provided the following policy guidance:

“1. MARSEC levels will continue to have the meaning defined by 33CFR101.105

“2. All references to the HSAS in 33CFR101 are obsolete and will no longer be used.

“3. The three MARSEC levels will continue to be used as before, except as follows. If the Secretary of Homeland Security issues an NTAS alert, the Commandant will adjust the MARSEC level if appropriate based on commensurate risk, any maritime nexus, and/or CCG consultation with the Secretary of Homeland Security.”

It also provides an abbreviated change procedure for approved security plans to reflect the change from the HSAS to NTAS system:

“Pending future regulatory changes to 33CFR101, pen and ink changes in place of submission of a formal amendment per 33CFR104.415, 105.415, and 10.415 (sic) are authorized until the plan is next revised and submitted for review.”

Flexible Response

It is nice to see a regulatory agency exercising this type of flexibility in response to changes in the regulatory environment. Of course, the Coast Guard is also a military organization and the military has always favored this kind of response to changing conditions, allowing local commanders to respond to changing situations while the bureaucratic processes catch up. This is why the MSIB comes from the Captain of the Port rather than the Commandant.

It is extremely unlikely that ISCD, under any Director, would ever provide that sort of command flexibility to their Regional commanders of the CFATS inspection force. ISCD doesn’t have the long history, tradition and training that give the Coast Guard the institutional ability to allow such responsiveness.

In the meantime, CFATS facilities are going to have to try to figure out what to do with their site security plans. Do they address the current RBPS 13 guidance on enhanced security with an adaptation for the NTAS similar to what I wrote in my RBPS 13 revision blog? Or do they take the risk that DHS and their chemical security inspectors will not accept references to the NTAS because it isn’t mentioned in the Guidance document?

I think that CFATS facilities can count on the intelligence of the inspectors to understand that security requires some measure of flexibility. If they can’t, we have bigger problems than can be solved by a document revision. Besides, DHS is required by Congress to allow individual facilities a certain measure of flexibility in determining what security measures are used to secure the facilities.

Tuesday, May 10, 2011

DHS ICS-CERT Alert for Samsung Data Management Server

Last night the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) issued a new alert for an unconfirmed vulnerability in the Samsung Data Management Server. According to the summary:


“ICS-CERT was made aware of a published report by an independent researcher specifying a hard-coded credential vulnerability in the Samsung Data Management Server. This vulnerability allows an attacker to remotely log in with administrative privileges via telnet or FTP. ICS-CERT has not validated this vulnerability.”

ICS-CERT is working with the vendor to confirm and mitigate this reported vulnerability.

Railroad Replies to STB Complaint

Late last month I wrote about a complaint filed with the Surface Transportation Board (STB) about proposed railroad rules for the handling of railcars of toxic inhalation hazard (TIH) chemicals. As of yesterday there have now been three reply documents filed with the STB: a motion to dismiss, an answer to the complaint, and a reply.

Okay, you probably have to be a lawyer (I’m not) to understand the differences between, and the significance of, each of these documents, but the long and short of it is that these are the legal responses telling the STB that, in the point of view of the respondents, nothing has been done that deserves a response by the STB.

Motion to Dismiss

Last week RailAmerica and Alabama Gulf Coast Railway (AGR) filed a motion to dismiss the complaint. They noted that the tariff named in the industry complaint had been canceled/replaced on April 29th and that the SOP mentioned in the complaint was a presentation document for discussion with their customers, not a document subject to STB review.

Additionally, RailAmerica asked to be removed from the complaint since they were not a railroad and thus not subject to action by the STB.

Explanation of AGR TIH Procedures

Yesterday AGR and RailAmerica filed their Response to a Motion for Injunctive Relief. Again, I’ll leave the legal arguments for the STB to resolve and other lawyers to discuss. The interesting part of this filing for me is the description of the TIH railcar handling procedures outlined in the attached copy of the new tariff (AGR Tariff 0900-1) that replaced the one specified in the industry complaint.

There is a nice summary of the AGR handling process on page 25 of the reply document filed with the STB which I’ll reproduce below. If this is the actual process used by AGR, this looks like a reasonable way to handle the FRA rules put into place to ensure the safety and security of TIH shipments.

“TIH-PIH are inherently dangerous commodities and require special handling. AGR must provide safe transportation for TIH-PIH in accord with existing rules. To that end, AGR has developed a program imposing minimal additional burdens on the shippers. AGR’s program starts with notification from a shipper that a car is being forwarded for delivery to AGR. AGR is requiring the pre-notification so that it can verify that the recipient will be able to receive the car or cars when it is delivered, arrange to have an inspector available when the car or cars are received by AGR, arrange to have locomotives and crews available when the TIH-PIH car or cars arrive for interchange to AGR. Before accepting a TIH-PIH car or cars, AGR will inspect that car or cars to make sure of compliance with the requirements of 49 CFR 174.3. Once AGR accepts a car or cars it will put the car or cars into a priority train to immediately deliver the car or cars to the receiver. This train will depart within the 48 hour period required by 49 CFR 174.14, usually much sooner. The priority train will also provide more expeditious service and safer transit to receiver than handling the car or cars in the normal course of business that would require moving through yards, switching onto a regular train, and starting and stopping at different shippers along the route to the receiver. The train will travel at the appropriate speed for safe operation based on the conditions of the rail line, time of year, weather and any other relevant factors deemed relevant by AGR operating and/or safety personnel. It is AGR’s belief that the transfer of TIH-PIH cars to a priority train will enhance the efficiency of the use of the TIH-PIH equipment fleet by expediting delivery to the destination.”

Of course, the devil is always in the details. For example, if a receiver is not prepared to receive a TIH railcar when delivered, they’ll be charged $1,000 per day until they are prepared to receive it. If an unsafe TIH railcar is delivered to AGR, they reserve the right to charge the shipper a penalty of $10,000. The amounts seem high to me, but I suppose they are intended to ‘encourage’ proper behavior by shippers and receivers so they probably need to be high.

In any case, this is not the tariff that was referenced in the industry complaint to the STB. It would be interesting to see the difference between the two documents to see if substantial changes were made.

Waiting for Industry Response

There will be an inevitable reply by one or more of the signers of the original complaint and maybe even a counter reply or two before the STB actually starts to consider the merits of the complaint; don’t expect anything quickly in this ‘action’.

Monday, May 9, 2011

HR 1690 Introduced, Security Credentials

Last week Rep. Rogers (R, AL) introduced HR 1690, the Modernizing of Documentation and Elimination of Redundant Identification and (MODERN) Security Credentials Act. The bill would require the DHS Secretary to “consolidate and harmonize the Department of Homeland Security’s security threat assessment process for transportation workers” {§2(a)} and to reduce redundant background checks.


To allow the same background checks to be used for multiple security credentials the bill modifies the lists of permanently disqualifying {§4(a)} offenses and interim disqualifying offenses {§4(b)} that prohibit DHS from approving the issuance of the security credentials found in 46 USC §70105. The bill would make these applicable to airport security credentials {§3(4)(B)} and State Hazardous Materials Endorsements for CDLs {§2101(b)}.

The bill would not limit the authority of airport operators to deny security credentials to potential employees or the States to deny HAZMAT Endorsements to applicants based upon their internal security rules; the bill would prohibit States from requiring additional background checks though.

No specific mention is made of the CFATS program, but the way the bill is written it would certainly allow the Secretary the authority to write personnel surety regulations for high-risk chemical facilities that would give background check credit to holders of the various identification credentials based upon the 46 USC §70105 background checks.

An initial hearing on this bill was held before the Transportation Security Subcommittee (chaired by Rep. Rogers) of the House Homeland Security Committee on May 4th. None of the witnesses heard expressed any major concerns with the legislation. Airport operators were satisfied with its protection of their authority to issue/deny access credentials. Trucking company owners were satisfied with the consolidation of the background check requirements for HAZMAT Endorsements and TWICs. The labor representative was mainly satisfied with the redress process included for the DHS background checks.

It would be interesting to hear from ISCD how this legislation might affect their on-going attempts to craft personnel surety rules for the CFATS process. The CFATS program is probably not large enough to rate a seat at the witness table when the full Homeland Security Committee holds their hearing on this bill. Hopefully they will at least request written testimony from ISCD on the matter.

Sunday, May 8, 2011

Reader Comment – ISCD Problems

This week an anonymous reader left a comment on an older post about the reorganization of ISCD. Since few readers are likely to see this comment, I’ll reproduce it here:


“As bleak as the above narrative is, it's only a small part of the story. Would that Congress (and the IG) would be sufficiently interested and willing to dig deeper into this travesty, the country might well become safer and more secure as to attacks on chemical facilities.”

As a blogger I generally appreciate responses that are supportive of positions that I have taken on just about any topic. Unfortunately, generic comments such as this one, particularly from anonymous sources, do little to advance the cause.

I understand why DHS employees and contractors would not want their names associated with this issue. It is a fact, however, that most people discount generic anonymous comments since there is no information included that can be independently verified. To extend the discussion of the issue an anonymous writer must provide new information.

I have heard that my blog posts have caught the attention of upper management in the Department, with appropriate officials asking some questions about the situation. I am, properly, not privy to those inquiries. I also accept that Mr. Driggers’ replies to those inquiries carry more weight with management than do my opinions; if that wasn’t the case he wouldn’t have been placed in that position.

ISCD has a difficult enough job without having internal management problems. Random sniping on my part is not going to make either of those situations any easier. So, unless someone provides information worth discussing, this will be the last reader response of this sort that I will actively respond to on this blog. Reader comments will still be posted when submitted, but I will not comment on them unless they provide new information.

PHMSA HAZMAT Security Plan ICR Renewal to OMB

On Friday the Office of Management and Budget (OMB) announced that the Pipeline and Hazardous Materials Safety Administration had submitted a renewal request, without change, for the current information collection request (ICR, OMB # 2137-0612) for Security Plans for shipping Hazardous Materials. This is a routine request to extend the current program.

An interesting entry in the OMB file is that PHMSA estimates the cost of this program to the Federal Government to be $0. As a taxpayer I am usually happy to see the government controlling costs, but I do remember the old adage, something that is ‘free’ is worth what you pay for it.

The reason that this program has no cost to the PHMSA is that organizations are not required to submit their plans for approval or even review. An inspector making a site visit might ask to see the security plan, but, even then, there is no authority for PHMSA to require changes as long as the plan is in existence. On the other hand, PHMSA doesn’t have much in the way of security experts on staff (that would be a TSA responsibility) so even if they had the authority they wouldn’t have the expertise to effectively review the security plans.

I would bet that there are trucking companies and shippers out there who take their hazmat shipping security responsibility seriously and attempt to really do effective security plans; I salute them. For the vast majority of organizations, however, I would bet that if the plans are prepared, they are treated like just another compliance issue. This would result in an EH&S officer (who in many cases will handle all government paperwork) crafting a simple document that is titled ‘Security Plan’ but does not really address security any more effectively than does their chain link fence.

Oh well, no terrorist has yet hijacked a hazmat truck in the United States and turned it into a chemical weapon. Of course, that means that it will never happen.

Saturday, May 7, 2011

Congressional Hearings Week of 05-09-11

This week will be an interesting one for congressional hearings for the chemical security community. It will see the first full committee vote of the Session on CFATS legislation, another TWIC hearing, and a look at the potential financial consequences of cyber attacks.

HR 908 Vote

The House Energy and Commerce Committee will be holding an odd two-day mark-up hearing on Tuesday and Wednesday that will address two separate bills, including HR 908, one of three CFATS extension bills under consideration in the House. Multiple-day markup hearings on controversial legislation are not that unusual, but conducting a combined markup of a health care bill (HR 5) and a CFATS extension bill is odd. Furthermore, the announced format (opening statements on the first day followed by the actual markup work on the second day) is peculiar.

I was surprised this week that there were no amendments offered by the Democrats in the Subcommittee markup of this bill and I don’t believe that that will be repeated this week. While IST provisions and employee involvement requirements have little to no chance of passing in the Republican controlled committee, the Democrats’ base supporters will demand at least a pro forma attempt at including these provisions.

One other potential amendment might come to a vote, a removal of the water facility exemption. There is a chance that this amendment might pass in this Committee. The inclusion of water treatment facilities in the CFATS program would ensure that the Energy and Commerce Committee would have a voice in any future CFATS program changes. With no IST provisions in the bill and EPA control of the security program at water facilities, this provision might even be able to pass in the full House.

TWIC

The Transportation Workers Identification Credential is certainly coming in for a lot of Congressional scrutiny during the opening months of this session. The Senate Commerce Science and Transportation Committee will be holding a hearing to review the program on Tuesday. The following witnesses are currently scheduled to testify at the hearing:

• Mr. John S. Pistole, Administrator, Transportation Security Administration;

• Rear Admiral Kevin Cook, Director, Prevention Policy, U.S. Coast Guard; and

• Mr. Steve Lord, Director, Homeland Security and Justice, Government Accountability Office

Questions will certainly be asked about the pace of implementation of the TWIC Reader program. Additional topics of concern could include the upcoming renewal of existing cards and potential expansion of the program into other transportation sectors.

Cyber Security

On Thursday the Senate Commerce Science and Transportation Committee will be holding a previously postponed hearing on the economic ramifications of cyber attacks. There is only a slight possibility that this will include mention of attacks on industrial control systems. Witnesses scheduled include:

• Mr. Gordon Snow, Assistant Director, Federal Bureau of Investigation Cyber Division

• Ms. Harriet Pearson, Vice President Security Counsel, Chief Privacy Officer, IBM

• Ms. Sara Santarelli, Chief Network Security Officer, Verizon

• Mr. Thomas Kellermann, Chief Technology Officer, AirPatrol Corp.

Even without coverage of ICS issues, this hearing could be of interest to the chemical security community. We frequently overlook the fact that chemical companies do have IT systems that need protecting as much as (some people say more than) their control systems.