Thursday, February 2, 2012

Results of Subcommittee Markup of HR 3674

Yesterday the Committee on Homeland Security’s Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies met to mark up HR 3674, the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness (PRECISE) Act of 2011, as I reported they would last weekend. Several amendments were adopted and the Subcommittee adopted the revised bill by a voice vote, a certain mark of the bipartisan support for the bill. HR 3674 could move to a full Committee markup as early as next week.

As was expected none of the amendments to Chairman Lungren’s (R,CA) substitute language made any specific mention of industrial control systems, but there were two amendments that might impact security programs for those systems. These amendments affect the sharing of cybersecurity information and providing for civil actions against anyone inappropriately disclosing cybersecurity information provided by the private sector.

Information Sharing


Rep. Long (R,MO) introduced an amendment (which was adopted by unanimous consent) that would extend the information sharing requirements for the Secretary of Homeland Security of §228(b) by adding, among others, “appropriate private sector entities that provide cybersecurity or information security products”. The wording ‘cybersecurity or [emphasis added] information security’ could certainly include control system security products. Of course, the weasel wording of ‘appropriate [emphasis added] private sector entities’ greatly weakens this requirement.

Civil Actions


Rep. Keating (D,MA) introduced an amendment (which was adopted by voice vote) that enhanced the §250 penalties for disclosure of information by government employees, contractors or members of the National Information Sharing Organization (NISO). The §250 language provided criminal penalties (fines, up to one year in jail, and removal from office). The new §251 makes such disclosure actionable in civil court, allowing for recovery of actual costs, profits of the discloser, punitive damages, and legal fees. The inclusion of profits of the discloser {§251(a)(1)} and punitive damages {§251(a)(2)} makes this a potentially very serious sanction against would-be disclosers.

More Reports


A couple of the other amendments will increase the report workload on DHS without significant benefit to the cybersecurity community. A McCaul (R,TX) amendment requires a report on foreign entities that pose “the greatest cybersecurity threats to the critical infrastructure of the United States”. Another Long amendment would require an annual status report from the Board of NISO.

More Info on ISCD Hearing

The House Energy and Commerce web site now has some additional information available on their hearing about the problems at ISCD. The information includes a witness list and a Committee Staff memo on the situation.

Witness List


The witness list is predictable and yet disappointing if it is the complete list. As I predicted in my earlier blog Under Secretary Beers and Director Anderson will be the (first?) panel of witnesses. This may be predictable, but it is certainly necessary. These are the two individuals with the responsibility for overseeing the operations of the Infrastructure Security Compliance Division of the Office of Infrastructure Protection. Additionally, Beers was the one to direct Anderson to conduct the project review that came to our attention via the FoxNews.com report in December.

I have received a number of personal (and mainly anonymous) contacts from personnel working in the Directorate over the last year or so. There has been a lot of dissatisfaction with the way the CFATS program has been administered. To be fair most of that pre-dates Anderson’s appointment as Director. In fact I have had at least one communication from a Chemical Facility Security Inspector that praises Director Anderson’s efforts to address the issues.

Still, I think that the workforce in the Department also deserves a voice in these proceedings. As one former employee noted to me, it would be difficult for Anderson to have a complete understanding of the problems of the program since she is so new to the office.

Staff Memo


I had really hoped to see a copy of Anderson’s report to Beers. Instead we have a memo from the Committee Staff outlining the current situation at ISCD. There are a couple of interesting points made in this memo. First and foremost (to my mind) is the fact that the Committee was given a copy of the report on January 30, 2012, over a month after it was shown to Fox News reporter Mike Levine; so much for Congressional oversight.

Another interesting point in the memo is their reporting about the ‘mis-tiering’ letters that were sent out last summer. The Staff Memo reports that problems in data entry and modeling resulted “in improper tiering of 600 facilities”; a few more than the 400 letters I had heard about. More importantly, it seems that the problem was uncovered in 2010 and covered up until Anderson took over the Directorate.

The memo notes that the ISCD report is marked FOUO (For Official Use Only) and is only being made available to members (and probably their staffs). It does summarize the main points (a high-level summary to be sure) of the report, noting that there are 5 ‘major programmatic’ challenges and 9 ‘staffing challenges’ outlined in the report.

The programmatic challenges include:

• Inadequate training capability;

• An overreliance on hired consultants for expertise;

• Inappropriate transitions for new hires;

• Uncertainty from extremely short program authorizations; and

• Issues regarding job descriptions and the presence of an employee union.

While that is a common belief among managers, inside and outside of government, the inclusion of ‘an employee union’ as a challenge will probably not endear Ms. Anderson to the current liberal administration. I do suspect that some members of this Subcommittee will jump on that ‘challenge’ in this week’s hearing.

The memo only lists four of the 9 personnel challenges:

• Inexperienced managers;

• Personnel placed in jobs for which they are not qualified;

• Inadequate internal staff control; and

• Lack of regulatory compliance expertise.

It would be interesting to know what the other five personnel challenges were. Did one include Levine’s comments about carrying weapons?

Watch this space for continued coverage of these issues.

Wednesday, February 1, 2012

ICS-CERT Publishes January Monthly Monitor

FULL DISCLOSURE: There were some very kind comments about this blog in the January ICS-CERT Monthly Monitor (see the last page article on CFATS). Even though, for a blogger, that mention is better than money, this shouldn’t affect my review, as I have generally had good things to say about the Monthly Monitor since it began publishing.

Today the DHS ICS-CERT people published their January edition of their Monthly Monitor, a brief look at industrial control system news over the previous month. This issue highlights two ICS-CERT incident responses in December (one that you may have heard about in the news), industrial cellular security, a short 2011 cybersecurity review and the standard sections that have been a major part of the Monthly Monitor’s outreach efforts on behalf of ICS-CERT.

Two Incident Responses


As you would expect, ICS-CERT can’t go into a lot of details in publicly describing any of the incidents that they have been involved in investigating or evaluating; but these two short reports provide some invaluable information about the responses from ICS-CERT and the types of problems that face the community. One dealt with a chemical facility and the other dealt with a railroad.

The chemical facility incident did not apparently involve an actual control system. Rather, an advanced persistent threat intrusion had been discovered on the corporate network and the company was concerned that it might have involved data exfiltration. Because the control systems at the company connect to that network, they might thus have been compromised as well.

The result was that “ICS-CERT assisted the company with identifying the scope of the infection and by providing analysis and mitigations for eradicating the threat actor from their network” (page 1). Hopefully it also provided some educational assistance at avoiding similar troubles in the future.

The second response story apparently relates to an incident that made the news earlier this month where one DHS organization announced that there had been a foreign based cyber-attack on a railroad control system. Apparently this was more of an attack than we had seen in the water system story, but it wasn’t an attack specifically directed at the railroad. The article reminds security managers that (page 1):

“This incident underscores that Critical Infrastructure Key Resource (CIKR) owners and operators should evaluate existing cybersecurity countermeasures they have in place against broader cybersecurity risks. Any number of non-targeted cybersecurity events can impact operations when systems are Internet accessible.”

As is usual with this newsletter, the publishing team includes links to ICS-CERT or US-CERT documents that provide additional information regarding the topic. In this case they link to a short handout about ICS-CERT incident handling procedures with emphasis on how to get ready for a fly-away team investigation.

Industrial Cellular Security


There is a full page article about security issues associated with the wide variety of cellular devices that are available for industrial control system applications. It’s a very interesting primer; well worth the read. There are two interesting outside-of-DHS documents listed in the article, unfortunately the links were corrupted in the printing process; cut-and-paste them though and they work fine.

Coordinated Disclosure Researchers


At the end of every issue, ICS-CERT makes a plug for its coordinated disclosure program. Knowing that many researchers can use the free publicity, they include a listing of researchers that are currently working with ICS-CERT to help resolve vulnerabilities that they have discovered. Their efforts are apparently succeeding as the list of names continues to grow each issue. In fact, they have expanded the effort by adding a listing of ‘Notable’ researchers, listing the specific projects that they have worked on.

An interesting note about these two lists of researchers is the inclusion of one specific name that is well known to readers of this blog; Luigi Auriemma. Readers will certainly remember that Luigi sprang full blown on the ICS scene with a large number of uncoordinated disclosures on a single day; he took a lot of heat for that from a number of people. Apparently ICS-CERT has forgiven Luigi his trespasses and brought him at least partially into the fold; welcome Luigi.

Tuesday, January 31, 2012

More Waxahachie Emergency Response Notes

Last October I looked at the fire at the Magnablend chemical facility in Waxahachie, TX as a learning tool for emergency response planners. Recently the facility was once again in the news for emergency response activities related to the aftermath of that fire. According to a news article on WFAA.com recent rains in the area caused containment ponds that collected fire-fighting water (and subsequent rain fall that helped ‘clean’ the facility) to overflow; ponds that “were presumed to still be polluted with chemical residue” according to the article’s author Brett Shipp.

Typically these run-off collection ponds are initially put into place by emergency responders and later improved somewhat by whatever clean-up company comes in to remediate the site. The initial runoff from the firefighting effort would probably have the highest concentration of dangerous chemicals. That is presuming, of course, that teams are able to quickly get into the facility and stop whatever leaks remain.

The initial fill of these ponds is usually emptied quickly in an effort to limit any additional environmental exposure to the chemical mixture involved. Most professional site restoration companies are well experienced in the physical and legal requirements of this process. These operations should be coordinated with local emergency response personnel so that they can respond appropriately to any incidents that occur in the process.

The containment structures are typically left in place until final site clearance is received, to collect any subsequent runoff from facility clean-up operations or rainfall. The water collected is usually less contaminated than the initial collection in these ponds, but, depending on the chemicals involved at the site, may still harbor dangerous levels of hazardous chemicals. Remember that what constitutes ‘dangerous levels’ is dependent on the chemicals involved; some chemicals are still dangerous down to the part-per-million or even part-per-billion level in the environment.

Local emergency response planners need to ensure that these collection ponds are monitored for contaminant levels and liquid level in the ponds. When heavy rains are forecast for the area consideration of draining the current contents before the rain event may prove to be beneficial. Areas of the country that experience frequent short-notice periods of heavy rainfall may want to consider requiring secondary containment facilities to catch any pond overflows.

Provisions need to be put into place to keep these ponds isolated from the community, including restricting access to the ponds. They certainly meet the definition of ‘attractive nuisance’ and may actually be potential targets for fringe elements of the radical environmental movement, particularly if the company involved is already on the hit list for whatever real or imagined environmental slights. Less radical elements may also attempt to include such sites in ‘environmental actions’ designed to call attention to the hazards.

As with all emergency response plans a formal process needs to be put into place to review these situations on an on-going basis. Initial emergency plans for all facilities housing dangerous chemicals need to include run-off management plans. Those plans need to be reviewed and modified as necessary before the incident commander turns the scene back over to the owner or the environmental remediation company designated for site clean-up.

Monday, January 30, 2012

Siemens – The Big ICS-CERT Advisory

Today the DHS ICS-CERT folks published an unusual advisory. They took reports of vulnerabilities from four separate researchers (Billy Rios, Terry McCorkle, Shawn Merdinger, and Luigi Auriemma) and combined them into one big (eleven separate vulnerabilities) advisory on the Siemens WinCC application. Not only is it big in the number of vulnerabilities, but the potential consequences of the exploitation of these vulnerabilities are really big. ICS-CERT notes that:

“Successful exploitation of these vulnerabilities could allow an attacker to log on to a vulnerable system as a user or administrator with the ability to execute arbitrary code or obtain full access to files on the system.”

Given the wide range of facilities in which this Siemens application is used, an attacker would have a wide range of potential targets that could essentially be exploited at will, shutting down electrical transmission facilities, water treatment facilities, chemical plants, even automotive manufacturing facilities. Simultaneous attacks on a number of targets across a number of manufacturing and utility sectors could have a catastrophic impact on local, state, national, or even world economies.

The catalogue of vulnerabilities includes:

• Insecure authentications;
• Weak default passwords;
• Cross-site scripting;
• Header injection;
• Client-side attack;
• Lack of telnet daemon authentication;
• String stack overflow;
• Directory traversal (two separate vulnerabilities);
• Denials of Service; and
• Arbitrary memory read access.
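Two of the classes in that list, directory traversal and header injection, are common enough in web-facing HMI components that it is worth seeing what they look like in code. The following is a constructed Python illustration added here; it is not code from the advisory, from Siemens, or from the researchers named above, and the document root, file names and request values in it are made up. Each weakness is shown in its naive form beside a hardened form.

```python
"""Constructed example: directory traversal and header (CRLF) injection,
each in a naive form beside a hardened form.  Generic illustration only;
not Siemens WinCC code.  Paths, file contents and requests are made up."""
import os
import tempfile

# Constructed layout: a document root the web interface is meant to serve
# from, plus a sibling directory that should never be reachable through it.
ROOT = tempfile.mkdtemp(prefix="hmi_www_")
SECRET_DIR = tempfile.mkdtemp(prefix="hmi_private_")
with open(os.path.join(ROOT, "index.html"), "w") as fh:
    fh.write("<html>public</html>")
with open(os.path.join(SECRET_DIR, "users.txt"), "w") as fh:
    fh.write("operator:hunter2")  # made-up credential file

# A traversal request that walks from ROOT up into SECRET_DIR,
# e.g. "../hmi_private_abc123/users.txt"
TRAVERSAL = os.path.join(os.path.relpath(SECRET_DIR, ROOT), "users.txt")


def vulnerable_read(requested: str) -> str:
    """Naive handler: appends the client-supplied path to the root.  '..'
    segments walk above ROOT, and an absolute segment makes os.path.join
    discard ROOT entirely, so any file readable by the server process can
    be fetched."""
    with open(os.path.join(ROOT, requested)) as fh:
        return fh.read()


def resolve_under_root(requested: str):
    """Resolve the request (symlinks and '..' included) and return the real
    path if it stays under ROOT, otherwise None."""
    root = os.path.realpath(ROOT)
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/\\")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def safe_read(requested: str) -> str:
    """Hardened handler: refuse anything that does not resolve under ROOT."""
    path = resolve_under_root(requested)
    if path is None:
        raise PermissionError("path escapes document root: %r" % requested)
    with open(path) as fh:
        return fh.read()


def vulnerable_header_line(name: str, value: str) -> bytes:
    """Naive: copies a client-controlled value straight into a response
    header line.  A CR LF inside the value ends the header early and lets
    the client append headers (or a whole second response) of its choosing."""
    return ("%s: %s\r\n" % (name, value)).encode("latin-1")


def header_value_is_clean(value: str) -> bool:
    """True if the value contains no CR, LF or NUL."""
    return not any(ch in "\r\n\x00" for ch in value)


def safe_header_line(name: str, value: str) -> bytes:
    """Hardened: reject control characters instead of emitting them."""
    if not header_value_is_clean(value):
        raise ValueError("control character in header value")
    return vulnerable_header_line(name, value)
```

The traversal check works on the resolved path rather than on the request string, so encodings and symlink tricks that produce a path outside the root are caught the same way as a literal `../`; the header check rejects the bytes that split a header line rather than trying to escape them.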

The good news (and I’m really having to stretch here to call this ‘good news’) is that ONE of the vulnerabilities requires user interaction to exploit. Fortunately for Siemens’ customers there have been so few successful social engineering attacks over the last year or so (pardon the gross sarcasm). The bad news (and it doesn’t come much worse than this) is that there are publicly available exploits for 7 of the 11 (Oh Craps, I know, pardon the pun) vulnerabilities.

The good news (another stretch) is that Siemens has dealt with each of these vulnerabilities. They have

• Patched 5;

• Changed product documentation to explain how to correct one during set up;

• Recommended deactivation of transport mode for four others; and

• Explained that users have the option of disabling the final vulnerability.

The bad news is that no one outside of Siemens has verified if any of the above actions prevent the exploit of any of the eleven vulnerabilities included in this report.

The final good thing is that ICS-CERT put all of these vulnerabilities into a single advisory, making it easier to keep track of what has been fixed or not. It might be a good idea to do the same sort of thing for Siemens’ PLCs.

New Version of HR 3674, ‘the’ House Cybersecurity Bill

As I noted in my blog post Saturday, there will be a subcommittee markup hearing for HR 3674, the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness (PRECISE) Act of 2011. As is usual with markups of bills like this, the hearing will start off with the Chairman, Rep Lungren (R,CA), introducing his revised language for the bill, and the subsequent proposed amendments will be made to that new language. So let’s take a look at the new version of his bill.

Overview


First off nothing has been removed from the bill at this point (that could change later this week); so everything I wrote about this bill (then a draft of this bill) still pertains to this revised language.

Most of the changes have been technical wording changes that will be mainly of interest to lawyers and judges if this bill ends up being signed by the President. There were, however, a couple of new sections that were added at the end of the bill. They include:

§ 4. Report on Support for Regional Cybersecurity Cooperatives;
§ 5. Pilot Program on Cybersecurity Training for Fusion Centers; and
§ 6. Assessment of Sector by Sector Cybersecurity Preparedness.

Please note that §5 provides for training fusion center personnel in IT security practices to protect their information systems, not about cyber security threat assessment. It would have been nice to see a training requirement here for instance that would direct fusion center analysts to ICS-CERT for assistance in evaluating potential control system threats or attacks.

The bulk of the remaining changes can be found in Subtitle E, National Information Sharing Organization (NISO). Most of these changes have apparently been made to ensure that the NISO is not a ‘threat’ to civil liberties or legitimate information sharing activities.

ICS Coverage?


This bill remains at heart an information system protection bill not an ICS protection bill. The new version does include an additional mention of ‘industrial control systems’. In §226(a)(7) the bill would require the Secretary of DHS to:

“establish, in coordination with the Director of the National Institute of Standards and Technology, the heads of other appropriate agencies, and appropriate elements of the private sector, guidelines for making critical infrastructure information systems and industrial control systems [emphasis added]  more secure at a fundamental level, including through automation, interoperability, and privacy-enhancing authentication”.

There continue to be a number of sections of the bill that do not contain the explicit language “critical infrastructure information systems” and these may imply coverage of control systems. These are generally reporting requirements or information sharing requirements and they do not provide any regulatory authority.

For example the new §4 of the bill requires the Secretary to report on:

“the Secretary’s plan to provide support to regional, State, and local grassroots cyber cooperatives designed to decrease cyber disruptions to critical infrastructure, increase cyber workforce training efforts, increase community awareness of cybersecurity, organize community cyber-emergency preparedness efforts, build resiliency of regional, State, and local critical services, and coordinate academic technical and policy research effort”.

There is mention of a potential grant program supporting these ‘cyber cooperatives’ (and that term is never defined), but there is no spending authority for such grants. This means that the grant money would have to come out of some existing grant program.

National Information Sharing Organization


The most controversial area of this bill continues to be the establishment of the National Information Sharing Organization which is also the section of the bill that sets up the conflict between this bill and HR 3523 (the bill sponsored by the House Intelligence Committee). Most changes to the NISO sections of this bill address privacy concerns.

For example §244(9) sets forth the requirements for the protection of ‘privacy and civil liberties’. The new version of this bill adds subparagraphs (B) and (C) that specify that only ‘cyber threat information’ may be shared within NISO and that all “personally identifiable information not necessary to describe a cyber threat” be removed from information shared by and through NISO.

I noted in my earlier blog on this bill that the private sector board members of NISO did not include anyone from the water, chemical or transportation critical infrastructure key resources (CIKR) sectors. The revised version changes that somewhat in that it adds the water sector to those represented on the Board. The continued lack of chemical or transportation sector representation effectively shuts those sectors out of NISO participation.

The new version of this bill also financially guts NISO after FY 2015. Federal funding up until then consists of $20 million each fiscal year (and that comes out of the existing DHS S&T budget, no new money). After FY 2015 the only federal money going to NISO will be the Federal membership fee for NISO. Even that will be limited by §253(b) to no more than “the fee collected from the largest private sector member of the National Information Sharing Organization”.

Since §253(a) prohibits Federal appropriations supporting NISO, that fee will have to come out of the budget of DHS or three other “Federal agencies with significant responsibility for cybersecurity” {§243(b)}. Since none of the four is required to pay the Federal government’s ‘fair share’ fee, I bet this gets lost in the annual budget shuffle.

There are two new terms specifically defined in the NISO sections of this bill that might increase the applicability of NISO to control system security information sharing (but don’t hold your breath); ‘cyber attack’ and ‘cyber security criminal act’. The inclusive language for ‘cyber attack’ includes the phrase “causes or attempts to cause damage and loss” {§248(f)(1)(B)}. For ‘cyber security criminal act’ the phrase is “efforts to degrade, disrupt or destroy a cybersecurity system or network” {§248(f)(2)(A)}. Neither constitutes a resounding commitment to ICS security information sharing.

Further Amendments


The subcommittee markup hearing that starts on Wednesday (and may become a multi-day hearing) will undoubtedly include many changes to the wording of this bill. Watching the hearing itself will be little help in identifying those changes as the exact wording of the changes is rarely included in the live proceedings. Usually we just get the interpretations of what the various congress critters think the language means.

We will have to wait until the actual amendment language is posted to the House Homeland Security Committee web site. The staff of that Committee usually does a pretty good job of getting that information up quickly. After that we will have the full committee markup (maybe as early as next week). Then we will have to wait for four other committees to act (or more likely fail to act) on the bill.

Saturday, January 28, 2012

Congressional Hearings – Week of 01-30-12

Congress has a full week (for Congress 4 days is a full week) of work ahead of them including two hearings that will certainly be of interest to readers of this blog; ISCD Problems, and Cybersecurity Legislation.

ISCD Problems


The Environment and Economy Subcommittee of the House Energy and Commerce Committee will be holding hearings on the current problems at ISCD on Friday. Actually the title of the hearing is “Evaluating Internal Operation and Implementation of the Chemical Facility Anti-Terrorism Standards program (CFATS) by the Department of Homeland Security”; and I thought that I had a tendency to get wordy.

No witness list is currently available, but I would bet that it includes on the first panel Under Secretary Beers and Director Anderson. If that is the only panel of witnesses, the hearing will be a typical Congressional waste of time. If the second panel is industry reps, it will be almost as much of a waste of time. The only way that this hearing will be meaningful is if it includes sworn testimony from people within ISCD including the facility inspection force; I’m not holding my breath.

What is disappointing is that the first hearing on this topic is by a subcommittee of the Energy and Commerce Committee. First we are certainly past the point where we should be wasting time with Subcommittee hearings since they will certainly have to be duplicated by the full committee before anything can be accomplished. Secondly it is a sign of the utterly stupid organization of oversight of DHS components in Congress that this hearing is not being held by the Homeland Security Committee. Of course Rep King (R,NY) and Thompson (D,MS) have been absolutely silent on the ISCD issue so maybe it is better that someone else does the hearings.

One last rant point here; if the hearing record does not include a public copy (redacted if absolutely necessary) of the internal NPPD report on the problems, the Subcommittee needs to be swept from office in November and the Committee Staff fired on the spot. I know, it won’t happen, but I just had to vent.

Cybersecurity


The Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies of the House Homeland Security Committee will be holding a potentially multiple day mark-up hearing on HR 3674 starting on Wednesday. I did a blog post on this bill before it was actually introduced and most of that discussion remains applicable to the bill going into this hearing.

Chairman Lungren (R, CA) will be submitting substitute language for this bill at this hearing. There are some interesting changes being proposed (including some minor but specific control system language), but that is a subject for a separate blog post.

This bill has the hallmarks of being the potential cyber-security bill for this session. The only drawback is that it was also referred to the following committees for consideration:

• House Oversight and Government Reform
• House Science, Space, and Technology
• House Judiciary
• House Intelligence (Permanent Select)

I know the Intelligence Committee has their own bill (HR 3523) that has some conflicting provisions with the current and proposed versions of HR 3674, so we can bet that they won’t hold any hearings on this bill. Similar issues may arise with the other committees as well. The House and Senate leadership are committed to passing cybersecurity legislation this session, but that doesn’t necessarily trump committee politics.