Friday, August 22, 2014

ICS-CERT Releases ICS Advisory to US-CERT Secure Portal

Rumor has it that the DHS ICS-CERT has issued a control system advisory for multiple vulnerabilities in a well-known SCADA system. The advisory has apparently been issued via the US-CERT Secure Portal to allow system owners a chance to evaluate their risk and mitigate it as appropriate before the vulnerability is released to the public. I’m hearing that the public release will be sometime next month.

Once again, if you are a control system owner, a system integrator, or a control system security researcher, you would be able to access this reported advisory if you were registered for access to the US-CERT Secure Portal.

Thursday, August 21, 2014

ICS-CERT Updates Siemens HeartBleed Advisory Again

Today the DHS ICS-CERT published another update to the Siemens HeartBleed advisory that was updated just a week ago. The latest update provides a link to the patch for the CP 1543-1 Ethernet interface for the S 1500 system. This leaves just the RuggedCom ROX I and ROX II operating systems to be patched for this vulnerability.

Wednesday, August 20, 2014


Today the DOT’s National Highway Transportation Safety Administration (NHTSA) published an advance notice of proposed rulemaking (ANPRM) in the Federal Register (79 FR 49270-49278) concerning potential creation of a Federal Motor Vehicle Safety Standard (FMVSS) for vehicle-to-vehicle (V2V) communications. NHTSA believes that requiring V2V communication capability in new light vehicles would facilitate the development and introduction of a number of advanced vehicle safety applications.

Along with the publication of this ANPRM, NHTSA is publishing “Vehicle-to-Vehicle Communications: Readiness of V2V Technology for Application” (.PDF download link). According to the report abstract (pg i), the “report explores technical, legal, and policy issues relevant to V2V, analyzing the research conducted thus far, the technological solutions available for addressing the safety problems identified by the agency, the policy implications of those technological solutions, legal authority and legal issues such as liability and privacy”.

This ANPRM is not an actual proposal for any specific regulatory language; rather it asks a series of questions that NHTSA needs to have answered before it can proceed with the rulemaking process. The extensive list of questions covers ten general topics:

Of particular interest to readers of this blog will be the cybersecurity questions asked in the communications security section of the ANPRM. These questions include:

• Do commenters believe that using machine-to-machine PKI for V2V is feasible, and that a security system based on PKI provides the level of security needed to support wide-scale V2V deployment?
• Do commenters believe that the current security system design (as shown in Figure IX-3 of the research report) is a reasonable and sufficient approach for implementing a secure and trusted operating environment?
• Do commenters believe the Certificate Revocation List is necessary? 
• Do commenters believe a V2V system would create new potential “threat vectors” (i.e., “ways into” a vehicle's electronic control unit) that could somehow control a vehicle or manipulate its responses beyond those existing in today's vehicles?
• Do commenters believe that V2V could introduce the threat of remote code execution, i.e., that, among possible threat vectors, malicious code could be introduced remotely into a vehicle through the DSRC [dedicated short-range communications] device and could create a threat to affected vehicles?
• Do commenters have suggestions on how NHTSA could mitigate these potential threats with standardized security practices and how NHTSA could implement a self-certification or third-party audit or testing program to guard against such threats? 
• Does the absence of encryption of the Basic Safety Message itself create any security threat, e.g., reverse engineering of a V2V system?
• If OEM DSRC devices were kept up-to-date through the current methods of upgrading that existing consumer electronics use today, would the use of this updating process introduce a new attack vector?
• Is there a possibility of cyber-attacks across the entire vehicle fleet and, if so, how should they be analyzed and addressed?
• Are there any other specific security issues that have not been mentioned here, but that should be addressed in the V2V security review?

NHTSA is soliciting public responses to the questions listed in the ANPRM. Comments may be submitted via the Federal eRulemaking Portal (Docket # NHTSA-2014-0022). Comments should be submitted by October 20th, 2014.

Saturday, August 16, 2014

Public Comments on PHMSA HHFT NPRM – 08-16-14

This is the first in a series of blog posts that will look at the public comments on the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) notice of proposed rulemaking (NPRM) on high-hazard flammable trains (HHFT).

As is typical for the early comments received on a rulemaking, the six comments in the first two weeks of the comment period come from private individuals. Organizations usually take longer to develop, coordinate and publish their comments. Individuals have a shorter response time, but their comments are frequently less technically developed and focus on limited solution sets.

Less than Helpful Comments

One commenter provides an up-to-date list of ‘Reference National Standards for a 21st Century HMR’. Few of the standards on the list have anything to do with this NPRM. Yet another commenter provides a lengthy diatribe against the Surface Transportation Board and railroads in general and proposes a complete reworking of the rail transportation system.

Simple Answers

A commenter from Washington State points out that there will be an increase in oil train traffic in that state in the coming years because of planned port and refinery expansions. This writer wants the DOT-111 cars immediately banned and briefly outlines additional safety measures that should be taken, including:

• Sensible speed limits;
• Rescheduling trains to avoid peak times;
• Notifying affected communities of increasing rail traffic;
• Requiring two operators for each train;
• Requiring that at least one of these operators be alert at all times; and
• Automatic brakes (dead-man switches).

Another commenter wants to stop any more increases in crude oil shipments until the railcar fleet is replaced with safer models.

More Detailed Suggestions

Another writer acknowledges the problems with railcar safety and poor system maintenance, but attributes the current problem of “explosions; the 300 foot fireballs, walls of fire, incinerated buildings, vaporized humans, fouled water, and poisoned soil” to the lack of stabilization of the crude oil by removing the most volatile “NGLs” (natural gas liquids). He wants the government of North Dakota to require the removal of NGLs prior to their being loaded for transport.

Another writer, with an obvious technical background, wants to ensure that the hazard classification of crude oil is correct by requiring a detailed certificate of analysis (that would “include dissolved organic and inorganic gasses, % composition of aromatic and aliphatic compounds and their identity and quantification of inorganic substances including radioisotope identification”) to accompany each shipment. He would also require an independent lab corroboration of the analysis at the 95% confidence level.

More Comments to Come

We should start to see comments coming in from some of the industries involved and the various advocacy groups interested in this issue. Interestingly there have not been any requests yet for either public meetings or a delay in the relatively short response window (60 days) provided for this NPRM. That will almost certainly change.


The DHS National Protection and Programs Directorate (NPPD) is publishing in Monday’s Federal Register (79 FR 48693-48696; available on-line today) an advance notice of proposed rulemaking (ANPRM) concerning possible changes to the Chemical Facility Anti-Terrorism Standards (CFATS) program. This is the third rulemaking that was directed by the President’s Executive Order on Increasing Chemical Safety and Security (EO 13650) and the only one to start as an ANPRM rather than a request for information (RFI).

Actually, the EO gave only a very limited requirement for the CFATS program: to look at the list of DHS chemicals of interest (COI) that triggers the initial facility reporting requirement that may lead a facility to be covered by the CFATS program. This ANPRM addresses that issue and takes a broader look at the potential for changes to the CFATS program. No specific changes are proposed in this ANPRM; rather, this is functionally similar to the RFIs for the EPA Risk Management Program (RMP) and the OSHA Process Safety Management (PSM) program.

NPPD’s Infrastructure Security Compliance Division (ISCD) proposes a number of questions that it would like answers to from the regulated and affected communities that would allow ISCD to formulate a proposed rule. Those questions are grouped into seven functional areas:

Appendix A (COI list);

In soliciting responses to these questions, ISCD requests that the responses be as detailed as possible and include analysis of the potential cost and benefits of the proposals. Comments may be filed using the Federal eRulemaking Portal (Docket # DHS-2014-0016). Comments should be filed by October 17th, 2014.

ICS-CERT Publishes Two Siemens Advisories

Earlier this week (still getting caught up) the DHS ICS-CERT published two advisories for control system vulnerabilities in Siemens products. One was for a new denial of service attack vulnerability in the Simatic S7-1500 CPU and the other was an update of an earlier HeartBleed advisory.

S-1500 Advisory

This advisory addresses a vulnerability in the handling of specially crafted TCP packets that could result in a CPU restart and hold in the STOP mode which would require manual reset. It was originally reported by Arnaud Ebalard from Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) in a coordinated disclosure.

Siemens has produced a firmware update that mitigates the vulnerability. There is no indication that Ebalard has been given the opportunity to verify the efficacy of the fix.

ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability. The Siemens Product-CERT advisory clarifies that network access is required to exploit the vulnerability.

OpenSSL Update

This advisory updates the Siemens HeartBleed Advisory originally issued on July 17th and previously updated on July 23rd. The new update:

• Provides affected version information not previously provided for the S7-1500 product;
• Provides a link to the newly available S7-1500; and
• Removes the alternative mitigation measures previously provided for the S7-1500.

The Siemens ProductCert advisory was also updated.

NOTE: Siemens reports that they are continuing to work on HeartBleed fixes for their ROX 1, ROX 2, and CP1543-1 products.

Friday, August 15, 2014

FRA Submits Securement NPRM to OMB

On Thursday (I’ve been on the road so I’m catching up on stuff) the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking (NPRM) from the DOT’s Federal Railroad Administration (FRA) concerning the securement of unattended equipment. This rulemaking was not covered in the Spring 2014 Unified Agenda, but it does not take any great imagination or regulatory insight to guess that this will address the train securement problems identified in the Canadian crude oil train catastrophe last year.

At the very least we can expect that the proposed rule will codify the requirements set out in Emergency Order #28. It remains to be seen if the rulemaking will go beyond those requirements. Back in April the Railroad Safety Advisory Committee approved draft language (.PDF File) for a rulemaking on this subject, but there is no requirement for DOT to use that consensus language.