Saturday, August 30, 2014


I have been seeing a new cybersecurity ‘organization’ mentioned frequently on Twitter here recently. Today I found their blog ‘Firing for Effect’ and it looks like an interesting concept. I’ve added their blog to the list on this page. I don’t know how much they will concentrate on ICS security issues, but I certainly applaud their disclosure policies.

Reconfigurable Industrial Control Systems Cybersecurity Testbed RFQ

A couple of weeks back I did a post on a solicitation from the National Institute of Standards and Technology (NIST) for information about establishing a reconfigurable ICS testbed. Well this week NIST published a request for a quote for such a system. The response time for the RFQ is even shorter than the request for information was; it has to be submitted by September 8th.

The RFQ includes a 17 page description (Word® download link) of the system to be supplied and the actual solicitation notice (.PDF download link). NIST is describing the system this way:

“The National Institute of Standards and Technology (NIST) is in the process of developing a cybersecurity test bed for industrial control systems. The goal of this system is to measure the performance of industrial control systems when instrumented with cyber-security protections in accordance with best practices prescribed by national and international standards and guidelines. Examples of such standards and guidelines include IEC-62443 and NIST-800-82. The testbed will include a variety of industrial control simulation scenarios. The first of the scenarios will entail the simulation of a well-known chemical process called the Tennessee Eastman (TE) problem. The TE problem is an ideal candidate for cyber-security investigation because it is an open-loop unstable process that requires closed-loop supervision to maintain process stability and optimize operating costs.”

This is a small business set aside project. Only organizations with fewer than 500 employees should submit quotes. NIST is only accepting quotes via email.

If you did not take a close look at the project when it was announced earlier you might have a hard time getting a quote together in time. On the other hand this would probably be a great project to be involved in.

Thursday, August 28, 2014

No Wonder the Public is Ill-informed

The discussion about the location of chemical plants and emergency responder knowledge of what is stored at chemical plants is a complicated enough problem that it does not need to be complicated by unnecessary public hysteria. It is no wonder, however, that the public gets concerned when inaccurate news stories like this piece at about the closing of an ammonium nitrate distribution facility ‘contribute to the discussion’.

The article is actually an extraction of information from a well written local Texas newspaper article about the apparent closing of an El Dorado Chemical company distribution facility in Pittsburg, TX (NOT Pennsylvania as HSNW reports). The newspaper story is part of the on-going discussion in Texas about ammonium nitrate distribution facilities in small towns across the State; a discussion started by the West Fertilizer plant explosion in April of last year.

The HSNW digested story reports that “the Pittsburgh facility, which was reported to have stored around thirty tons of ammonium nitrate — the combustible matter responsible for the West disaster — at the time of the 17 April incident”. What the newspaper story actually said was that the “West plant [not the Pittsburg facility] was reported to be storing about 30 tons of ammonium nitrate, investigators say exploded after a fire broke out in the West plant on April 17, 2013”.

The HSNW story goes on about how officials were concerned about the movement of the ‘30 tons of ammonium nitrate’, saying: “While some — including Superintendent Judy Pollan — were relieved that the company was now gone, others questioned the danger of moving the thirty tons of chemicals around within the city.” Not only was this ‘questioned the danger’ statement never mentioned in the newspaper article, but the topic of the transportation of ammonium nitrate was never mentioned and has generally been absent from the discussion of the West, TX incident.

Another silly statement was made up whole in the opening paragraph of the HSNW story: “The city emergency management department was aware that the plant was to be closed, but they were not informed of the date – or the fact that the company chose to move the volatile and toxic material [emphasis added].” Forget, for the moment, that ammonium nitrate is not ‘volatile’ or ‘toxic’; everyone would hope that the company would move the ammonium nitrate out of a facility that was being closed. Not doing so would pose a larger danger to the community.

The HSNW story makes the closing of the Pittsburg, TX facility sound like some diabolical plot by a nefarious chemical company. The newspaper story paints a much better picture of a complicated issue that faces many rural towns; agricultural chemical storage facilities that have been a fixture of the town for a long time, but are now a potential danger as the town has grown up around them. The HSNW story does nothing to help understand the problem.

Wednesday, August 27, 2014

DHS Updated Chemical Security Landing Page

This morning the folks at DHS updated their Critical Infrastructure: Chemical Security web page. The update is fairly minor; the reference to the CFATS update link has been changed to read “August 2014” instead of “July 2014”.

There are a couple of other problems with the page that I have not gotten around to pointing out and this seems like as good a time as any. First, the link for the “Risk Based Performance Guidelines” no longer goes to the RBPS Guidance document, but rather to the fact sheet published for the latest iteration of the Personnel Surety Program ICR. Second, the link to the “Cyber Executive Order 13636 Section 10(b) Report” returns an “Access Denied” error message. Both of these problems pre-date today’s page revision.

CG Announces NMSAC Meeting in September

Today the Coast Guard published a meeting notice in the Federal Register (79 FR 51186-51187) for a two-day meeting of the National Maritime Security Advisory Committee starting September 16th in Baltimore, MD. Cybersecurity will be one of the topics discussed at the public meeting. The meeting will be available on-line and via teleconference.

The agenda for the meeting includes:

Notification of Maritime Security Level changes to international partners; and

The Coast Guard is planning on conducting a one-day cybersecurity symposium. The agenda item for this meeting is the review of a draft agenda for that symposium.

Public input may be sought during each of the agenda items and there will be a period of time put aside at the end of each day’s meeting for public comments. Registration is required for 5 minute presentations made during those comment periods. Written comments may be submitted via the Federal eRulemaking Portal (Docket # USCG-2014-0790).

Tuesday, August 26, 2014

ICS-CERT Publishes Two New Advisories

Today the DHS ICS-CERT published two control system cybersecurity advisories for multiple vulnerabilities in the CG Automation Substation Gateway and the Schneider Electric Wonderware Information Server.

Wonderware Advisory

This advisory reports on five vulnerabilities reported by Timur Yunusov, Ilya Karpov, Sergey Gordeychik, Alexey Osipov, and Dmitry Serebryannikov of the Positive Technologies Research Team in a coordinated disclosure. ICS-CERT reports that Schneider has produced an update that mitigates these vulnerabilities but there is no indication that Positive Technologies Research has validated that update.

The five reported vulnerabilities are:

• Account encryption and storage - CVE-2014-2381 and CVE-2014-2380;
• Cross site scripting - CVE-2014-5397;
• Improper input validation - CVE-2014-5398; and
• SQL Injections - CVE-2014-5399

ICS-CERT reports that crafting an exploit of these vulnerabilities ‘would be difficult’.

Looking at the CVE numbers it looks like there may have been two different vulnerability reports by Positive Technologies Research separated by a significant amount of time.

CG Automation Advisory

This advisory is the latest Crain-Sistrunk disclosed DNP3 improper input validation vulnerability. This should be the 22nd system report published by ICS-CERT of the reported 30 Crain-Sistrunk DNP3 reports submitted to date, according to the Automatak Robus web site. CG Automation has provided an update. ICS-CERT specifically reports that CG Automation has self-validated the efficacy of the fix, not Crain-Sistrunk; something smells there.

Follow-up NOTE (08-27-14 07:46 CDT): Adam reports that he and Chris no longer have access to CG Automation hardware to do the validation testing. So nothing nefarious, but it would have been appropriate (IMHO) for CG Automation to offer access for validation testing.

NIST Publishes Framework Follow-up RFI

Today the National Institute of Standards and Technology published a request for information in the Federal Register (79 FR 50891-50894) concerning information about organizational experiences with the implementation of the Framework for Improving Critical Infrastructure Cybersecurity that was published in February.

Responses to this RFI will help NIST develop tools and resources to help organizations to use the Framework more effectively and efficiently. The information will also be shared with DHS to aid in the implementation of the Critical Infrastructure Cyber Community (C3) Voluntary Program that the Administration developed to encourage organizations to implement the Framework. Finally, the information will help NIST to establish the agenda details of the upcoming Framework review workshop in October 2014.

The RFI is looking for specific information in three broad categories. Within each of those areas NIST proposes a series of questions that it would like to have answered by critical infrastructure organizations, standards setting organizations, and governmental agencies at all levels concerned with cybersecurity issues. Those three categories are:

As we came to expect during the development of the Framework, NIST is not using the Federal eRulemaking Portal for their information collection process. Responses will be sent directly to NIST and may be submitted by email. Responses should be sent by October 10th, 2014. Responses will be published on the NIST Framework web site.