Wednesday, December 13, 2017

Bills Introduced – 12-12-17

Yesterday with both the House and Senate in session there were 33 bills introduced. Of these, two may be of specific interest to readers of this blog:

HR 4629 To direct the Department of Transportation to issue regulations to require enhanced security measures for shipments of security sensitive material, and for other purposes. Rep. Norton, Eleanor Holmes [D-DC-At Large]

S 2220 A bill to provide for the development, construction and operation of a backup to the Global Positioning System, and for other purposes. Sen. Cruz, Ted [R-TX]

Something odd is going on with HR 4629: the current security regulations for ‘security sensitive materials’ are not DOT regulations but TSA regulations (49 CFR 1580.101). Having said that, Norton is well known for her concern about the security of rail transportation of hazardous materials because there is a major rail transshipment point in Washington, DC (very close to the Capitol) that handles large volumes of hazardous materials.

S 2220 will be followed here if it specifically includes a backup to the GPS timing system used by many industrial control systems. BTW: The cosponsor for this bill is Sen. Markey (D,MA); talk about a political odd couple, firebrands from both the Right and the Left.

Tuesday, December 12, 2017

ICS-CERT Updates Smiths Medical Advisory

Today the DHS ICS-CERT updated a medical control system security advisory for products from Smiths Medical. The advisory was originally published on September 7th, 2017. The update provides information on a patch that is available to mitigate the vulnerabilities as well as additional point of contact information for the company.

House Passes HR 3359 CISA Authorization

Yesterday the House passed HR 3359, the Cybersecurity and Infrastructure Security Agency Act of 2017 by a voice vote. The bill is Rep. McCaul’s (R,TX) long awaited reorganization of the DHS National Protection and Programs Division (NPPD).


This bill is really nothing more than an exercise in bureaucratic shuffling. The existing NPPD is now called CISA; the Under Secretary will be known as the Director, and a number of sections in 6 USC are being renumbered. The most important part of the bill is found in section 4: nothing in the bill confers new authorities or reduces authorities existing the day before this bill is enacted.

There is one subtle change made by this bill in the new definitions section 2201. There are two cybersecurity related definitions in this new section; both taken from existing statutes. The bill uses the IT-limited definition of ‘cybersecurity risk’ from the current 6 USC 148 (moving to §2209) and the ICS-inclusive definition of ‘cybersecurity threat’ from 6 USC 1501. The definitional disconnect between these two very similar (and closely intertwined) terms could cause some interesting confusion about the authority of this ‘new’ agency to address control system security issues.

Moving Forward

The bill moves forward to the Senate where it will pass with similar bipartisan support if it reaches the floor for consideration. The big question is whether or not the bill will have the leadership support necessary to bring it to the floor for consideration. At this point, I am not sure that it does.

Monday, December 11, 2017

ISCD Changes Monthly Status Reporting

Today (okay, yesterday now on the East Coast) the DHS Infrastructure Security Compliance Division (ISCD) changed the way they are reporting progress on the implementation of the Chemical Facility Anti-Terrorism Standards (CFATS) program. They scrapped the monthly .PDF CFATS Fact Sheet format and added a new web-page to the CFATS web-site that provides a slightly different look at the progress being made.

Inspection Reporting

Long-time readers of this blog will no doubt recall the monthly parsing of data that I have been doing since the CSAT 2.0 reporting began back in May of this year. With ISCD reporting inspection data both on inspections ‘since the inception of the program’ and on ‘at currently covered facilities’ I had fun trying to figure out how many inspections had actually been completed that month and how many facilities were undergoing multiple inspections due to failure to achieve compliance.

The new web page changes that reporting. It still carries on with reporting the number ‘since the inception of the program’, but it now simply reports a single number for the number of inspections (Authorization, Compliance, and Compliance Assistance) conducted during the month. The table from the November 2017 reporting is shown below.

                                      Since Inception    November 2017
Authorization Inspections (AIs)
Compliance Inspections (CIs)
Compliance Assistance Visits (CAVs)

If we try to compare the ‘since inception’ numbers from this newest report with those from the old-style November report (ISCD used to name their reports for the date of reporting, not the month in which the inspections were done), it would appear that there were 87 AIs completed and 111 CIs done in November. This discrepancy may be due to reporting format changes or a couple of other possible program issues. It is hard to tell from a single data point.

Facility Status Reporting

A new set of data being reported on the web page is CFATS Facility Statuses. Kind of an ugly title, but it is an interesting new set of information. Previously, ISCD only published monthly numbers on the number of facilities covered under the CFATS program and the number of currently approved site security plans (SSPs). The new web page provides a table showing a snapshot of the current status of facilities in the program.

Currently Covered

This new table provides us with data on the number of facilities that have received Tiering Letters (Tiered) but have not yet had their site security plan authorized. It also tells us how many are pending approval of their SSPs, how many have approved SSPs and the sum of the above tells us how many facilities are currently covered by the CFATS program.

Interestingly, since the resumption of program status in May, there has been a net gain of 978 facilities in the program. Most of these, presumably, were added due to the revised risk assessment process and CSAT 2.0 resubmission of Top Screens, though ISCD has continued to vigorously reach out to the chemical community to identify facilities that should have been submitting Top Screens but, for one reason or another, have failed to do so. This is a far smaller number than the 1272 facilities that have not yet had their SSPs approved. It is highly unlikely that a significant number of the new facilities have had their SSPs approved since May. Thus, it looks like we may have had about 300 facilities fall out of the CFATS program since reporting resumed in May. That would not be out of line with what ISCD reported as being the drop-out rate for the new risk assessment process.

Missing Data

I continue to have problems with the ISCD compliance inspection data. The data being reported today for ‘compliance inspections since inception’ and the numbers reported in the last monthly report show that there should have been 111 compliance inspections completed in November, not the 87 being reported here. Again, there could be a number of different explanations, but I continue to suspect that the 87 inspections being reported in November only reflects one-inspection (the latest) per facility.

In the past couple of months, I have been focusing on the potential for re-inspections being required because facilities failed their compliance inspection. ISCD broadly points out another category of facilities being re-inspected:

“It is also important to note that this regulatory program is cyclical in nature, meaning activities such as Compliance Inspections are recurring. ISCD began conducting recurring Compliance Inspections in March 2017.”

It would be helpful if ISCD were a little more specific about what the 87 number being reported actually means. Was that the total number of compliance inspections done in November, or the increase in the number of facilities with a current compliance inspection? And just to make things perfectly clear, it would be helpful to have the number of compliance inspections passed/failed as well.

Actually though, I really am impressed with the effort that ISCD takes to keep the chemical security community up-to-date on the progress that is being made in the program. And the progress really is an important reflection on the daily efforts by the 150 or so Chemical Security Inspectors working with the employees and contractors at the 3,548 CFATS sites on an on-going basis to reduce the risk of a terrorist attack on these facilities. Everyone involved is to be commended on the time and effort being put into this program.

Saturday, December 9, 2017

NIST Publishes 2nd Draft for CSF 1.1 for Comment

This week the National Institute of Standards and Technology (NIST) published their second draft of version 1.1 of the Cybersecurity Framework (CSF) and a fact sheet that broadly outlines the changes made to the CSF.

The fact sheet makes the point that the revised CSF is applicable to information technology, operational technology, cyber-physical systems, and the internet of things. Since the original CSF core already provided the references to ISA 62443-2-1:2009 and ISA 62443-3-3:2013 that are found in this revision, it does not seem that the new version changes much with respect to OT/IoT security.

OT/IOT Changes

In fact, if you look at the list of changes made to the CSF (starting at page 50) there are only four references to OT/IOT changes:

• Section 1.0 (pg 7): ‘Framework Introduction’ was updated to reflect security implications of a broadening use of technology (e.g. ICS/CPS/IoT) and to more clearly define Framework uses;
• Appendix C (pg 53): ‘Acronyms’ was modified to include CPS - Cyber-Physical Systems;
• Appendix C (pg 53): ‘Acronyms’ was modified to include IoT - Internet of Things;
• Appendix C (pg 53): ‘Acronyms’ was modified to include OT - Operational Technology.

The introduction section discussion referenced above addresses OT/IOT security issues this way:

“The critical infrastructure community includes public and private owners and operators, and other entities with a role in securing the Nation’s infrastructure. Members of each critical infrastructure sector perform functions that are supported by the broad category of technology, including information technology (IT), industrial control systems (ICS), cyber-physical systems (CPS), and connected devices more generally, including the Internet of Things (IoT). This reliance on technology, communication, and interconnectivity has changed and expanded the potential vulnerabilities and increased potential risk to operations. For example, as technology and the data it produces and processes is increasingly used to deliver critical services and support business decisions, the potential impacts of a cybersecurity incident on an organization, the health and safety of individuals, the environment, communities, and the broader economy and society should be considered.”

Unfortunately, the terms ‘CPS’ and ‘IoT’ are not used in the revised CSF Core. In short, the CSF does not specifically address the cyber-physical consequences of security breaches in OT/IoT systems.

Suggested OT/IOT Changes

Unfortunately, this revision to the CSF still does not adequately address the potential cyber-physical consequences of a cybersecurity incident. At a minimum, the core should have an additional subcategory under Risk Assessment:

ID.RA-X: Worst-case cyber-physical events need to be identified that affect either on-site operations and/or the off-site community.

This would then lead to requiring an additional Risk Management Strategy subcategory:

ID.RM-X: Appropriate emergency response agencies are notified of potential off-site community effects of cyber-physical incidents.

The on-site effects on operations would be addressed by the current IR.RM-4. To clarify that addition, I would reword the subcategory title to read: “Potential business impacts (including on-site and off-site effects of cyber-physical incidents) and likelihoods are identified.”

Broadening Information Security Focus

While the verbiage in the introduction to the CSF would indicate that NIST intends to broaden the focus of the CSF to include OT/IoT security, there are still a number of references to ‘information security’ in the CSF core that really should be revised to indicate that broadened focus. For example, ID.GV-1 still refers to ‘information security’ when the intent should reflect the broader ‘cybersecurity’; the words should be changed to reflect this. Similar wording changes need to be made to ID.GV-2, ID.SC-3, PR.AT, and PR.AT-5.

Public Input

NIST is asking for public input on this second draft for CSF 1.1. Comments need to be submitted by January 19th, 2018. Comments can be submitted by email to

NOTE: A copy of this blog post was submitted as a comment to NIST on 12-9-17 14:50 EST.

Public ICS Vulnerability Disclosures – Week of 12-03-17

Yesterday Joel Langill pointed out a vulnerability report from ABB that was published over two weeks ago. The report addresses an authentication vulnerability in the ABB Ellipse 8 products. The ABB report notes that the vulnerability exists in the implementation of the Lightweight Directory Access Protocol (LDAP) that would allow an attacker with local network access to sniff the unsecured authentication credentials sent between the Ellipse device and the LDAP/AD server.
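As an added illustration of the exposure described in that report (this is not ABB's code or the researcher's), here is a small Python check a defender could run over LDAP payloads taken from a span port or packet capture: it decodes a BindRequest per RFC 4511 and flags a simple bind that travels without TLS, without retaining the credential itself. The bind DN and password in the sample are constructed, and the `tls` flag is assumed to come from whatever captured the connection (port 636 or a completed StartTLS).

```python
from dataclasses import dataclass
from typing import Optional, Tuple
# BER tags of an LDAP BindRequest (RFC 4511, encoded per ITU-T X.690)
TAG_SEQUENCE, TAG_INTEGER, TAG_OCTET_STRING = 0x30, 0x02, 0x04
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0] constructed
TAG_AUTH_SIMPLE = 0x80    # [0] primitive: password sent as-is ([3] 0xA3 would be SASL)

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one BER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

@dataclass
class BindFinding:
    message_id: int
    bind_dn: str
    auth: str                     # "simple" or "sasl"
    cleartext_credential: bool    # simple bind on a connection without TLS

def inspect_bind(payload: bytes, tls: bool) -> Optional[BindFinding]:
    """Return a finding if payload is an LDAP BindRequest, else None. A simple bind
    without TLS is the exposure in the ABB report: the password is readable on the wire."""
    tag, msg, _ = read_tlv(payload, 0)
    if tag != TAG_SEQUENCE:
        return None
    tag, mid, pos = read_tlv(msg, 0)
    if tag != TAG_INTEGER:
        return None
    tag, op, _ = read_tlv(msg, pos)
    if tag != TAG_BIND_REQUEST:
        return None
    _, _version, pos = read_tlv(op, 0)
    _, dn, pos = read_tlv(op, pos)
    auth_tag, _cred, _ = read_tlv(op, pos)   # credential bytes are neither kept nor logged
    auth = "simple" if auth_tag == TAG_AUTH_SIMPLE else "sasl"
    return BindFinding(int.from_bytes(mid, "big"), dn.decode(), auth,
                       cleartext_credential=(auth == "simple" and not tls))

def tlv(tag: int, value: bytes) -> bytes:
    """Encode a short-form BER TLV (value under 128 bytes; enough for the sample)."""
    return bytes([tag, len(value)]) + value

# Constructed sample, not captured traffic: a simple bind as a client sends to AD on tcp/389
SAMPLE_BIND = tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, b"\x01") + tlv(TAG_BIND_REQUEST,
    tlv(TAG_INTEGER, b"\x03")
    + tlv(TAG_OCTET_STRING, b"cn=svc-app,ou=svc,dc=example,dc=com")
    + tlv(TAG_AUTH_SIMPLE, b"constructed-password")))
```

The fix on the server side is the usual one: require signing or TLS for binds so the same request is either rejected or never leaves the client in the clear.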

As with any vulnerability that is found to exist in an implementation of an industry-wide standard, the question arises: what other vendors are using this vulnerable implementation?

NOTE: The ABB report states that the vulnerability was reported in a “responsible disclosure”, but does not name the researcher making the disclosure.

Friday, December 8, 2017

Senate Sends CR to President

Yesterday, shortly after action was complete in the House, the Senate passed HJ Res 123, Further Continuing Appropriations Act, 2018, by a largely bipartisan vote of 82 to 14. The 14 Nays included 6 Republicans and 7 Democrats (and 1 Independent). The CR would extend the current spending (at FY 2017 rates) until December 22nd, 2017.

No procedural votes preceded the consideration of the bill, indicating that a strong deal had been achieved to ensure passage of the bill. The 30 minutes of debate allocated for the bill only drew two speakers, one of whom spent the time praising his home State of Alaska; 8 minutes of the ‘debate’ went unused.

The Congress now has an additional two weeks to try to come up with a final spending deal for FY 2018. There has been some discussion in the press of potentially seeing an additional CR carrying the current spending over until January.