WESA Announces Restrictions on Electronic Lockout-Tagout Systems

The Work Environment Safety Administration (WESA) today announced an emergency order placing restrictions on currently approved electronic lockout-tagout (eLOTO) systems. It also noted that it was temporarily suspending the approval process from such systems pending further investigations of the Bleichen Chemical Company chlorine release. Industry observers expect further delays in the release of the expected eLOTO rulemaking.

The WESA emergency order give facilities utilizing the Robotron SicherheitsKontrolle system for their approved eLOTO processes 10 days to certify that they have put into place software updates to fix the Wi-Fi vulnerability identified as being involved in the Bleichen incident. Facilities that are not able to meet the 10-day certification requirement will be immediately required to implement physical LOTO processes that comply with current WESA regulations. WESA inspectors will be sent to all facilities with approved eLOTO systems utilizing Robotron systems in two weeks to verify that these actions have been accomplished.

Immanuel C. Securitage of the ECS-CERT confirms that they are continuing to work with Robotron and the German government to ensure that such an update is made available as soon as possible.

The emergency order also requires all facilities using eLOTO systems to provide WESA with a full description of their cybersecurity processes protecting such systems. At a minimum, WESA expects the description to include:

• A listing of all electronic components associated with the system to include Human Machine Interfaces (HMI), programmable logic controllers, sensors, and communications modules;

• A listing of all connections to networks not directly associated with the eLOTO system;

• A listing of processes and equipment used to limit communications between those networks ant the eLOTO system;

• A description of the software/firmware update processes used to ensure that the most recent versions are applied to the eLOTO equipment; and

• A description of the physical and cyber security processes in place to ensure that only authorized personnel have access to the eLOTO processes.

Facilities with approved eLOTO systems have 30-days to provide this information to WESA or certify to WESA that they have replaced their eLOTO system with a physical LOTO process that conforms to WESA regulations.

The WESA announcement also indicated that it expects to have a formal eLOTO team in place before the end of the month. The team will include ten new eLOTO inspectors with cybersecurity experience. WESA and ECS-CERT have signed a memorandum of understanding that ECS-CERT will provide cybersecurity training for ten existing WESA inspectors to provide initial staffing for the eLOTO Office. A hiring announcement for ten cybersecurity experts is pending congressional approval.

The Senate and House Homeland Security Committees have announced a rare joint hearing into the Bleichen chemical incident on Friday. After hearing testimony, the two Committees are expected to discuss draft legislation for cybersecurity requirements for eLOTO systems. Copies of that draft are not yet available.

William Henry Lee III, the Mayor of Delano, GA, announced today that two additional people have died as a result of chlorine exposures from the Bleichen incident. Sixty people are still in hospitals in and around Delano, recovering from exposure related issues. The Georgia legislature is expected to meet in emergency session later this month to look into the response to the incident and consider long-term health issues in those people exposed during the incident. Members of the Georgia congressional delegation have jointly announced that they will have staffers available at the session to discuss coordination of State and federal activities.

Lawyers representing Delano, GA and a number of the dead and injured have announced a class action lawsuit against Bleichen Chemical Company and Robotron for cybersecurity negligence. Junior Butts, a well-known environmental lawyer, is expected to be the lead attorney in the case. The level of damages being sought has not yet been announced, but it is expected to include both actual and punitive damages.