Monday, May 30, 2016

HR 5312 Introduced – Cyber Research

Last week Rep. LaHood (R,IL) introduced HR 5312, the Networking and Information Technology Research and Development Modernization Act of 2016. The bill would make a number of amendments to the High-Performance Computing Act of 1991 (15 USC Chapter 81); mostly replacing the words ‘high-performance computing’ with ‘networking and information technology’ which changes the focus of this federal research and development program. There are some changes, however, that may be of specific interest to readers of this blog.

Cyber-Physical Systems and Security


The bill would add two new definitions to §5503:

‘Cyber-physical systems’ means physical or engineered systems whose networking and information technology functions and physical elements are deeply integrated and are actively connected to the physical world through sensors, actuators, or other means to perform monitoring and control functions;

‘Networking and information technology’ means high-end computing, communications, and information technologies, high-capacity and high-speed networks, special purpose and experimental systems, high-end computing systems software and applications software, and the management of large data sets;

The failure to include ‘cyber-physical systems’ in the definition of ‘networking and information technology’ means that most of the remainder of this bill remains focused on IT systems not control systems. There are, however, two places in the newly renamed ‘Networking and Information Technology section (§5511) where cyber-physical systems are specifically addressed in the outline of an on-going federal research program.

First it calls for research on increasing the “understanding of the scientific principles of cyber-physical systems and improve the methods available for the design, development, and operation of cyber-physical systems that are characterized by high reliability, safety, and security” {new §5511(a)(1)(J)}. This would be basic research on cyber-physical systems.

Next, the bill would expand that level of research into applications by calling for “a research framework to leverage cyber-physical systems, high capacity and high speed communication networks, and large-scale data analytics to integrate city-scale information technology and physical infrastructures” {new §5511(a)(1)(M)}.

Moving Forward


While LaHood is not a member of the House Science, Space, and Technology Committee, most of his seven co-sponsors are (including both the Chair and Ranking Member) so this bill will have no problem moving forward in Committee. In fact, the first markup of the bill was held before it was introduced.

Similar versions of this bill (HR 967 and HR 3834) were introduced in the last two Congresses and were passed out of Committee. Neither ever made it to the floor of the House for consideration. I do not see anything that would indicate that this bill has any better chance, particularly since it was introduced so late in the Session.

Commentary


There are two interesting things in this bill. The first is that the definition of ‘cyber-physical systems’ is written so that it is specifically not the same as the definition of an industrial control system. This definition encompasses a small subset of ICS that incorporate such a large number of sensors and actuators that a large-scale data processing operation is required for successful operation. I do not think that any system in use today qualifies. Rather we are looking at the type system that would be employed for autonomous transportation systems or true smart-grid operations.


The second item of interest here is that the bill would remove §5543 that authorizes separate spending for the program. That section has not been updated since 2004 and thus no spending authorized since 2007, but it at least provided some sort of basis for funding the program. Without that provision we are left with the §5511(c) requirement that the individual agencies in the federal government that have responsibilities under the program provide for their funding out of otherwise appropriated monies. So much for this being an important program.

Friday, May 27, 2016

Amendments to S 2943, FY 2017 NDAA – 5-26-16

Yesterday the Senate continued consideration of S 2943, the FY 2017 National Defense Authorization Act. An agreement was reached to continue consideration on June 6th when the Senate returns from their Memorial Day weekend. During the day yesterday a total of 134 amendments were offered for consideration. Two of those amendments may be of specific interest to readers of this blog:

The Amendments


The two amendments of potential interest were

SA 4244 (pg S3302) – Sen. Reed (D,RI) - SEC. 1097. Cybersecurity transparency.
SA 4303 (pg S3322) – Sen. Portman (R,OH) - SEC. 526. Plan to meet the demand for cyberspace career fields in the reserve components of the air force.

The Reed amendment is essentially identical to S 2410 introduced by Reed in December, 2015 establishing cybersecurity expertise requirements for corporate boards. The language does specifically include “industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers” {new §1097(a)(3)(B)} in the definition of ‘information system’.

The Portman amendment would require the Air Force to report to Congress on their plan “for meeting the increased demand for cyberspace career fields in the reserve components of the Air Force, in accordance with the recommendations of the National Commission on the Structure of the Air Force” {new §526(a)}.

Moving Forward


The Senate has only reached agreement on the consideration of one amendment so far (and it is not one of the amendments of concern here), but I expect that we will see a lot more movement when the Senate returns. Either of these two amendments could easily be adopted if they were to be considered in the floor debate.


The Reed amendment is not really a DOD related topic, but the Senate rules are quite generous about the topics that can be added in the amendment process. It all depends on how much political will Reed and any other amendment supporters can bring to bear on the Senate leadership.

Bills Introduced – 05-26-16

Yesterday with the House and Senate preparing to leave Washington for an extended Memorial Day Weekend there were 72 bills introduced. Three of those may be of specific interest to readers of this blog:

HR 5368 To direct the Department of Transportation to issue regulations to require enhanced security measures for shipments of security sensitive material, and for other purposes. Rep. Norton, Eleanor Holmes [D-DC-At Large]

S 3000 An original bill making appropriations for the Department of Defense for the fiscal year ending September 30, 2017, and for other purposes. Sen. Cochran, Thad [R-MS]

S 3001 An original bill making appropriations for the Department of Homeland Security for the fiscal year ending September 30, 2017, and for other purposes. Sen. Hoeven, John [R-ND]

Norton’s bill would seem to be bypassing the surface transportation folks at TSA to put the onus for security regulations back on DOT. One can sympathize, for while DOT is slow in the rule making game, the surface transportation folks at TSA move slower than a weekend security line at the Chicago airport.


These two spending bills will probably be considered in the Senate next month. After seeing the games played in the House with the THUD spending bill, I will be surprised to see either of these bills considered in the House. We are almost certainly looking at a continuing resolution and a post-election omnibus again this year, despite the best efforts of the Senate.

Thursday, May 26, 2016

Amendments to S 2943, FY 2017 NDAA – 04-25-16

On Wednesday the Senate voted 98 – 0 on a cloture vote to proceed with consideration of S 2943, National Defense Authorization Act for Fiscal Year 2017. Additionally, 93 new amendments were proposed to be considered for that bill. Two of those amendments may be of specific interest to readers of this blog:

SA 4205 (pg S3212) – Sen. Rounds (R,SC) - SEC. 1227. Imposition of sanctions with respect to significant activities undermining cybersecurity conducted on behalf of or at the direction of the government of Iran; and

SA 4226 (pg S3221) – Sen. Cantwell (D,WA) - SEC. 1641. Pilot program on training for national guard personnel on cyber skills for the protection of industrial control systems associated with critical infrastructure.

The Amendments


SA 4205 is almost identical to S 2756 that had been introduced by Rounds last month.

SA 4226 would require the Chief of the National Guard Bureau to establish a pilot program “to provide National Guard personnel with training on cyber skills for the protection of industrial control systems associated with critical infrastructure” {new §1641(a)}. The three year pilot program would be designed to “permit personnel who receive such training to assist National Guard Cyber Protection Teams in carrying out activities to protect systems and infrastructure” {new §1641(c)}. A report to Congress would be required after the pilot program was completed.

Moving Forward



It is still too early to see which amendments will actually reach the floor for consideration. The publication of the Congressional Record for Thursdays session later today may include a partial listing of the amendments that will be considered, but we will probably not know until the Senate returns from their Memorial Day weekend on June 6th exactly what all of those favored amendments will be.

ICS-CERT Publishes Three Advisories

This morning the DHS ICS-CERT published three control system security advisories for products from Black Box, Sixnet and Environmental Systems Corporation.

Black Box Advisory


This advisory describes a credential management vulnerability in the Black Box AlertWerks ServSensor devices. The vulnerability was reported by Lee Ryman. Black Box has produced a new firmware version to mitigate the vulnerability and Ryman has verified the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to gain access system passwords.

Sixnet Advisory


This advisory describes a hard-coded credential vulnerability in the Sixnet BT series routers. The vulnerability was reported by Neil Smith. Sixnet has produced a new firmware version and updates to mitigate the vulnerability. There is no indication that Smith has been provided the opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could use publicly available exploits to remotely exploit the vulnerability to gain full access to the affected device.

The Sixnet web site does not yet (as of 22:00 EDT, 5-26-16) have the new version of the BT firmware listed.

Environmental Systems Corporation Advisory


This advisory describes twin vulnerabilities in the ESC 8832 Data Controller. The vulnerabilities were independently reported by Maxim Rupp and Balazs Makany. ESC reports that there is no code space for a firmware update so it has designed compensating controls to mitigate the vulnerabilities. There is no indication that either Rupp or Makany have been provided an opportunity to verify the efficacy of the fix.

The two vulnerabilities are:

• Authentication bypass - CVE-2016-4501; and
• Privilege management - CVE-2016-4502

ICS-CERT reports that a relatively unskilled attacker could use publicly available information to remotely exploit the vulnerability to perform administrative operations over the network without authentication.


ESC recommends replacing the device or blocking Port 80 with a firewall.

House Amends and Passes S 2012 – Energy Policy

Last night the House passed an amended version of S 2012, the Energy Policy Modernization Act of 2016 by a nearly party-line vote of 241 – 178. Later the House voted to insist on its amendment and called for a conference committee.

Bill Provisions of Interest


The bill includes the following cybersecurity provisions from HR 8:

Sec. 1104. Critical electric infrastructure security.
Sec. 1106. Cyber Sense.
Sec. 2008. Report on smart meter security concerns.
Sec. 3126. Internet of Things report.

The bill includes the following chemical transportation safety provision from HR 8:

Sec. 5009. Study of volatility of crude oil.

Moving Forward


The Senate version of the bill passed by a vote of 85 – 12 with only Republicans voting No. The House version passed on a mainly partisan vote with 172 Democrats voting no. It will take the conference committee a while to work out a version of the bill that will be able to come to a vote in the Senate and still be acceptable to the leadership in the House. The bill that passed yesterday would not make it to the Senate floor.

A final version of the bill will probably include the provisions listed above; there is nothing there that is objectionable. The Senate bill had a slightly different version of §1104. It will be interesting to see how the differences are worked out.

The Senate bill has one additional cybersecurity provision that should also make it into the final bill:


Sec. 2002. Enhanced grid security.

S 2931 Introduced – Cyber Crime

Earlier this month Sen. Graham (R,SC) introduced S 2923, the Botnet Prevention Act of 2016. The bill would make amendments to two sections of the criminal code (18 USC) dealing with botnets and add another section addressing attacks against critical infrastructure computers.

Botnets

Section 2 of the bill amends 18 USC 1345 dealing with the administration of injunctions against acts of fraud. It would change the title of §1345 to ‘Injunctions against fraud and abuse’. It would add a new sub-paragraph to that section that would allow the Attorney General to commence a civil action in any Federal court to enjoin a violation of 18 USC 1030(a)(5) instead of just the bank fraud or healthcare fraud covered in the current section.

Section 4 of the bill amends 18 USC 1030 dealing with computer fraud. It adds a new sub-paragraph that adds trafficking in access to computers to the list of computer fraud offenses covered in this section.

Critical Infrastructure Computers


Section 3 of the bill would add §1030A to 18 USC. It would make it a felony to “to knowingly cause or attempt to cause damage to a critical infrastructure computer, if such damage results in (or, in the case of an attempted offense, would, if completed, have resulted in) the substantial impairment” {new §1030A(a)} of the operation of a critical infrastructure computer or the associated critical infrastructure.

The bill would punish violations of the new §1030A by up to 20 years in prison and would prohibit judges from making prison sentences under this section run concurrently “with any term of imprisonment imposed on the person under any other provision of law” {new §1030A(c)(2)}.

Moving Forward


Graham is a senior member of the Senate Judiciary Committee and his two Democrat co-sponsors are also members of that Committee. It is very likely that between the three of them that they could get the Committee to consider this bill.

The wording of this bill is almost identical with the wording of an amendment (SA 2713) that Sen. Whitehouse (D,RI) proposed during the consideration of S 754, but it was never brought up for a vote during those proceedings. Getting Graham to sponsor this bill makes it much more likely that the bill will be considered.

Commentary

The critical infrastructure provisions of the bill look, at first glance, like they should apply to industrial control systems at critical infrastructure facilities. Unfortunately, the definitions used in the proposed language means that control systems are specifically not covered. The new §1030A specifically uses the definitions of ‘computer’ and ‘damage’ that come from §1030. Those definitions are:

The term ‘computer’ “means an electronic, magnetic, optical, electrochemical, or other high speed data processing device [emphasis added] performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device” {§1030(e)(1)}.

The term ‘damage’ “means any impairment to the integrity or availability of data, a program, a system, or information” {§1030(e)(8)}.

In addition, the felony activity under §1030A is only covered if it is only felonious when conducted “during and in relation to a felony violation of section 1030” {new §1030A(a)}. In essence, what this bill does is to make an otherwise covered violation of 1030 a more heinous act when it is conducted against a covered IT computer at a critical infrastructure facility. An attack against an industrial control system (even at a major power distribution facility) would not be covered unless it also affected billing or record keeping computers at the facility.

To make this effective in prosecuting attacks on control systems at critical infrastructure facilities an amendment would have to be made to §1030. First there would have to be a paragraph added that would make it a crime to attack a control system. For example add:

§1030(a)(8) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to an industrial control system.

Additionally, we would have to add a definition of ‘an industrial control system’. To write that most broadly we would add:

§1030(e)(13) the term “industrial control system” means any network of computers, communications devices or networks, sensors, or actuators that is designed to detect and effect operations of physical devices. The term includes systems that are used to control the operation of manufacturing facilities, energy production and distribution facilities, building controls, vehicles, and medical devices.

Then the new §1030A(a) would have to be amended to read:

(a) OFFENSE.—It shall be unlawful, during and in relation to a felony violation of section 1030, to knowingly cause or attempt to cause damage to a critical infrastructure computer or industrial control system, if such damage results in (or, in the case of an attempted offense, would, if completed, have resulted in) the substantial impairment—

(1) of the operation of the critical infrastructure computer or industrial control system; or

(2) of the critical infrastructure associated with such computer or industrial control system.

And finally the new §1030A(d)(1) would have to be amended to read:

(d) DEFINITIONS.—In this section—

(1) the terms ‘computer’, ‘damage’ and ‘industrial control system’ have the meanings given the terms in section 1030; and


I think that these changes (or something similar, I am not particularly attached to my words) would make the legislation achieve its intended action of making cyber-attacks on critical infrastructure a felony under federal law. And that is certainly needed before such an attack actually takes place on US soil.
 
/* Use this with templates/template-twocol.html */