Monday, March 27, 2017

Committee Hearings – Week of 3-26-17

This week both the House and Senate will be in session. There are a number of committee hearings that will be held on both sides of the Capitol, but there is only one, a cybersecurity hearing, that may be of specific interest to readers of this blog.

On Tuesday the Energy Subcommittee of the Senate Energy and Natural Resources Committee will be holding a hearing to look at cybersecurity threats to the US electric grid. The hearing will also receive testimony on S 79, the Securing Energy Infrastructure Act. The witness list includes:

• Michael Bardee, Federal Energy Regulatory Commission;
• John DiStasio, Large Public Power Council;
• Thomas Zacharia, Oak Ridge National Laboratory; and

• Ben Fowke III, Xcel Energy

Saturday, March 25, 2017

HR 1571 Introduced – Oil Train Fire Training Grants

Last week Rep Herrera-Beutler (R,WA) introduced HR 1571, the Fire Department Proper Response and Equipment Prioritization Act. The bill would require FEMA to give high priority to grants for incident response training for crude oil and ethanol train accidents.

The bill is essentially the same as HR 4765 that was introduced in the 114th Congress. That bill saw no action, mainly because Herrera-Beutler was not in a position to influence the House Science, Space, and Technology Committee to take up the bill. Since she is still not a member of that Committee (to which the bill was assigned for consideration) it is very unlikely that the Committee will take up the bill in this session.

The only way that this bill has a chance of making it into law during this session is for its provisions to be added to either the DHS spending or authorization (if that bill actually happens) bill. Herrera-Beutler is a member of the Appropriations Committee, so that it is possible that this could be included in the DHS spending bill. She is not a member of the House Homeland Security Committee so adding it to an authorization bill would have to come in the form of an amendment if/when the bill is considered in the House.

Friday, March 24, 2017

Bills Introduced – 03-23-17

Yesterday with both the House and Senate in session there were 59 bills introduced. Of those only one may be of specific interest to readers of this blog:

S 719 A bill to establish a grant program at the Department of Homeland Security to promote cooperative research and development between the United States and Israel on cybersecurity. Sen. Whitehouse, Sheldon [D-RI]

This bill will only receive further mention here if it includes specific language concerning control system security issues.

Thursday, March 23, 2017

ICS-CERT Publishes 2 Advisories

Today the DHS ICS-CERT published two control system security advisories for products from Becton, Dickinson and Company (BD) and Leão Consultoria e Desenvolvimento de Sistemas LTDA ME (LCDS).

BD Advisory

This advisory describes a hard-coded password vulnerability in the BD Kiestra PerformA and KLA Journal Service (laboratory information management systems) applications. The vulnerability is apparently self-reported. BD has will be providing updates to the two applications and the Kiestra Database to “reduce the risk [emphasis added] of exploitation of the hard-coded passwords vulnerability”.

ICS-CERT reported that a relatively low skilled attacker could remotely exploit this vulnerability to access the BD Kiestra Database, which could be leveraged to compromise the confidentiality of limited patient health information and personally identifiable information stored in the BD Kiestra Database.

The BD Security Advisory paints a more complicated picture of the vulnerability situation, but it also provides work arounds to be used pending the updates that will be provided later this year. It describes three vulnerabilities instead of one:

• A legacy application (SMB1 protcol);
• Hard-coded password in the two applications;
• Third-party default password in the Database.

LCDS Advisory

This advisory describes a path traversal vulnerability in the LCDS LAquis SCADA software. The vulnerability was reported by Karn Ganeshen via the Zero Day Initiative. LCDS has produced a new firmware version to mitigate the vulnerability. There is no indication that Ganeshen has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to allow an unprivileged, malicious attacker to access files remotely.

Wednesday, March 22, 2017

ICS-CERT Updates Two Advisories

Yesterday the DHS ICS-CERT updated two control system security advisories for products from Moxa and Siemens.

Moxa Update  

This update provides information on an advisory that was originally issued on December 1st, 2016. The new information includes:

• New affected version information for all affected products;
• Adds two new devices (NPort 6000, and NPort 6110);
• Removes one previous listed device series (NPort 6x50 series); and
• Adds mitigation measure for newly listed device series (NPort 6000 series).

Siemens Update  

This update provides information on an advisory that was originally issued November 22nd, 2016. The new information includes:

• Updates affected version information for CP 443-1;
• Added link to update for CP 443-1; and
• Removed work around information for CP 443-1

The same information was changed on the Siemens Security Advisory. Siemens announced their update in a TWEET® on March 16th, 2017.

H Res 200 Introduced – Cybersecurity Policy

Last week Rep. Taylor (R,VA) introduced H Res 200. This resolution calls for the establishment of a comprehensive cybersecurity policy.

The Resolution

The preamble to this resolution establishes the reasons that a cybersecurity policy is needed. It specifically mentions the large number of mega-data breaches that have recently occurred, including specifically the OMB breach. While no specific mention of control system security is made it does note that “malicious cyber activity has the potential to cause great harm to the national security, economy, and infrastructure of the United States and the health, well-being, and safety of United States citizens”. The inclusion of ‘infrastructure’ as one of the areas that could potentially be harmed certainly seems to indicate that cyber-physical vulnerabilities are considered to be a potential threat.

It concludes by resolving that:

“That it is the sense of the House of Representatives that the United States should develop and adopt a comprehensive cybersecurity policy that clearly defines acts of aggression, acts of war, and other related events in cyberspace, including any commensurate responses to any such act or event in cyberspace.”

Moving Forward

Taylor is not a member (nor is his cosponsor Rep. Ruppersberger (D,MD) of the House Foreign Affairs Committee to which this resolution was referred for consideration. This means that it is unlikely that the Committee will take up the resolution.

There is nothing in the resolution that would engender any significant opposition to the bill if it were considered in Committee or brought to the floor of the House.


The failure to specifically mention cyber-physical vulnerabilities in the preamble to the resolution weakens the argument to support the call for a policy that addresses cyber activities that might constitute an act of war. Mention should have been made specifically to the 2015 attack on Georgian electrical utilities as an example of the types of cyber-physical attacks that have been seen in the real world.

Bills Introduced – 03-21-17

Yesterday with both the House and Senate in session there were 54 bills introduced. Of these four may be of specific interest to readers of this blog:

HR 1647 To establish a Water Infrastructure Trust Fund, and for other purposes. Rep. Blumenauer, Earl [D-OR-3]

HR 1653 To amend certain provisions of the Safe Drinking Water Act, and for other purposes. Rep. Latta, Robert E. [R-OH-5]

S 679 A bill to require the disclosure of information relating to cyberattacks on aircraft systems and maintenance and ground support systems for aircraft, to identify and address cybersecurity vulnerabilities to the United States commercial aviation system, and for other purposes. Sen. Markey, Edward J. [D-MA]

S 680 A bill to protect consumers from security and privacy threats to their motor vehicles, and for other purposes. Sen. Markey, Edward J. [D-MA]

The two water system bills will only receive further mention in this blog if they specifically address facility security or cybersecurity issues.

These two bills from Markey are almost certainly based upon bills that he introduced in the 114th Congress (S 2764 and S 1806 respectively). Neither bill saw any action in the previous session; perhaps it will be different this time.
/* Use this with templates/template-twocol.html */