Friday, May 22, 2015

ICS-CERT Publishes Update and Two Advisories

Yesterday the DHS ICS-CERT published an update for a year-old OleumTech advisory and two new advisories for systems from Emerson and Schneider.

OleumTech Update

This update effectively closes out the mitigation side of a very peculiar advisory issued last year. In that original advisory ICS-CERT published their document without any apparent agreement from OleumTech that vulnerabilities actually existed. This update takes out two very interesting sentences from the original now that OleumTech has published updates that resolve the vulnerabilities. Those sentences stated:

“The researchers have coordinated the vulnerability details with NCCIC/ICS-CERT and OleumTech in hopes the vendor would develop security patches to resolve these vulnerabilities. While ICS-CERT has had many discussions with both OleumTech and IOActive this past year, there has not been consensus on vulnerability details and positive product developments to resolve identified vulnerabilities.”

In discussing the now-available updates for the systems, ICS-CERT also removed the following description of the original OleumTech response:

“The vendor and IOActive researcher team do not completely agree with ICS-CERT about the severity and validity of these vulnerabilities. The vendor has stated they do not plan to resolve vulnerabilities they consider not valid.”

I suspect that OleumTech made some changes in their system unrelated to the reported vulnerabilities and realized that they could be considered to be mitigation measures and reported that to ICS-CERT. There is no indication that the original researchers have been given the chance to verify the efficacy of the fixes. In any case it looks like it took two years to fix the vulnerabilities.

Emerson Advisory

This advisory describes an SQL injection vulnerability in the Emerson AMS Device Manager Application. This vulnerability was apparently self-reported and Emerson has developed a patch for newer versions of the system and a configuration fix for older versions.

ICS-CERT reports that a moderately skilled attacker could exploit this vulnerability to gain privilege escalation on the device manager, but not to the underlying computer system.

This advisory was originally released on the US CERT Secure Portal on April 21st. It seems odd to me that a vulnerability that requires local access to exploit would get released on the Secure Portal for a month before public release when many more serious and remotely exploitable vulnerabilities get public release immediately.

Schneider Advisory

This advisory describes a DLL hijacking vulnerability in the Schneider OPC Factory Server (OFS) application. The vulnerability was originally reported by Ivan Sanchez from Nullcode Team. Schneider has produced a patch that mitigates the vulnerability and Sanchez has been given the opportunity to verify the efficacy of the fix.

ICS-CERT reports that a social engineering attack is required to exploit this vulnerability. A successful exploit could cause a server crash or allow execution of arbitrary code. The Schneider advisory (.PDF Download) does not mention the possibility of code execution.

Wednesday, May 20, 2015

Bills Introduced – 05-19-15

Yesterday there were 89 bills introduced in the House and Senate. Only two of those may be of specific interest to readers of this blog:

HR 2410 To authorize highway infrastructure and safety, transit, motor carrier, rail, and other surface transportation programs, and for other purposes Rep. DeFazio, Peter A. [D-OR-4]

S 1376 An original bill to authorize appropriations for fiscal year 2016 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of... Sen. McCain, John [R-AZ]

HR 2410 may contain references to new hazardous material transportation requirements, particularly for crude oil trains. We will just have to wait and see.

S 1376 has already been ‘ordered reported’ so we are now waiting on both the publication of the language of the bill as well as the accompanying report. This will be the version of the 2016 NDA that will be considered in the Senate. A conference committee will sort out the differences between this version and the one passed by the House last week.

Tuesday, May 19, 2015

HR 2353 Passed in House

As expected HR 2353, the two-month extension of Highway Fund spending until July 31st, passed by a largely bipartisan vote of 387 to 35. Earlier in the day a procedural move was made by Rep. Esty (D,CT) to try to add an amendment requiring funding for positive train control for passenger rail. It was subsequently defeated on a straight party line vote of 182 to 241.

The bill will go to the Senate where it will very likely pass under the standard ‘without objection’ process. News reports have noted that the President has agreed to sign the bill when it gets to his desk. If the bill does not get passed in the Senate this week the State transportation projects funded by the Highway Fund will stop receiving funds on June 1st.

EAP Guidance – Cyber Security

This is part of a continuing series of blog posts on the newly released Expedited Approval Program (EAP) guidance document for Tier 3 and Tier 4 facilities under the Chemical Facility Anti-Terrorism Standards (CFATS) program. Other posts in the series are:

In the next couple of posts I’ll be looking at some of the actual security requirements outlined in the new EAP. As a reminder, all of these requirements are based upon the standards set forth in the Risk-Based Performance Standards (RBPS) guidance manual issued six years ago. That document describes considerations to be used in selecting appropriate security measures to fulfill each of the 18 standards outlined in 6 CFR 27.230.

I am going to start with the requirements in the EAP for RBPS #8, Cybersecurity. The main reason that I am starting here, rather than at the more conventional starting point, is that I am also interested in how ISCD is dealing with some of the complicated issues of cybersecurity, and the EAP provides a unique opportunity to look at how ISCD would like to see cybersecurity implemented in high-risk chemical facilities.

RBPS #8 Requirements

The regulatory requirements for cybersecurity are spelled out in §27.230(8); Deter cyber sabotage, including by preventing unauthorized onsite or remote access to critical process controls, critical business system, and other sensitive computerized systems. The generic discussion of how this can be done starts on page 71 of the RBPS guidance and the metrics for evaluating security measures can be found starting on page 78. In the EAP guidance document the discussion of cybersecurity measures starts on page 40 and the cybersecurity portion of the site security plan (SSP) template starts on page 82.

The first requirement is to establish what computer systems are covered by the SSP. It must always be remembered that the SSP is focused on protecting the DHS chemicals-of-interest (COI) found on the site. This means that the facility is required to list all of the cyber assets that:

∙ Monitor and/or control physical processes that contain a COI;
∙ Are connected to other systems that manage physical processes that contain a COI; or
∙ Contain business or personal information that, if exploited, could result in the theft, diversion, or sabotage of a COI

Computer systems that deal with security functions like access control, surveillance and alarms are not considered under this RBPS unless they are connected to a computer system described above. They are considered during the discussion of their related security measures.

Cybersecurity Policies

The next area of the cybersecurity portion of the SSP deals with the establishment of cybersecurity policies. These policies must:

∙ Be documented, distributed and maintained with a management of change policy;
∙ Include the designation of a trained and qualified individual(s) to manage cyber security for the facility;
∙ Require account access control to critical cyber systems utilizing the least privilege concept;
∙ Maintain access control lists, and ensure that accounts with access to critical/sensitive information or processes are modified, deleted, or de-activated in a timely manner;
∙ Establish password management protocols to ensure all default passwords have been changed (where possible), enforce password structures, and implement physical controls for cyber systems where changing default passwords is not technically feasible;
∙ Require physical access to critical cyber assets and media;
∙ Provide for cyber security training to all employees that work with critical cyber assets; and
∙ Require that the facility will report significant cyber incidents to senior management and DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

Each of the bullet points listed above has its own check-off box on the EAP SSP template. There are no requirements to provide any additional information to ISCD for this area of the SSP. In general this will be true for almost all of the EAP SSP documentation. This will be the last time that I mention this check-off technique, but I will mention where the EAP requires additional information be provided to ISCD beyond the simple check the box.

There is a little more detail in the discussion portion of the EAP guidance on the topics listed above. There are only two that have any additional information of significance: the training requirements for the cybersecurity officer (pg 42) and a discussion about the documentation supporting the requirement to report significant cybersecurity incidents to ICS-CERT (pg 43).

Remote Access

Next there is a very short section on remote access to the cybersecurity assets. It requires that:

∙ The facility defines allowable remote access and rules of behavior.

In the detailed discussion there is also a requirement to capture all remote access activities on system logs.

Control Systems

The next section of the cybersecurity portion of the EAP SSP deals with control systems. For facilities that do not have control systems that impact the security of the COI there is a single box to check-off explaining that fact. The Control System section of the SSP reports that the facility:

∙ Conducts audits that measure compliance with the cyber security policies, plans, and procedures and results are reported to senior management;
∙ Documents the business need and network/system architecture for all cyber assets (systems, applications, services, and external connections);
∙ Disables all unnecessary system elements;
∙ Integrates cyber security into the system lifecycle for all critical cyber assets;
∙ Ensures that service providers and other third parties with responsibilities for cyber systems have appropriate personnel security procedures/practices in place;
∙ Identifies and documents systems boundaries and implements security controls to limit access across those boundaries;
∙ Monitors the critical networks in real-time for unauthorized or malicious access and alerts, recognizes and logs events and incidents;
∙ Has a defined incident response system for cyber incidents;
∙ Has backup power for all critical cyber systems; and
∙ Has continuity of operations plans, IT contingency plans, and/or disaster recovery plans.

Additional requirements documented in the discussion section include:

∙ Audits must be conducted at least every two years;
∙ Additions to cyber systems must be pre-approved by management;
∙ An intrusion detection system must be used; and
∙ Cyber incident response must include requirement to contact a person or agency that “is trained to identify, contain, and resolve a cyber intrusion, denial-of-service attack, virus, worm attack, or other cyber incident” (pg 46).
It is clear that the EAP guidance for cyber security is pretty much taken directly from the metrics portion of the RBPS guidance manual. As such the EAP does not provide any more specificity than does the RBPS; it does not tell facilities what cybersecurity measures must be put into place.

There are a couple of metrics from the RBPS guidance that are missing from the EAP program. They include:

8.2.1 The facility has identified and documented systems boundaries (i.e., the electronic perimeter) and has implemented security controls to limit access across those boundaries;
8.3.3 IT management, systems administration, and IT security duties are not performed by the same individual. In instances where this is not feasible, appropriate compensating security controls (e.g., administrative controls, such as review and oversight) have been implemented;
8.5.1 The facility has implemented cyber security controls to prevent malicious code from exploiting critical cyber systems, and it applies appropriate software security patches and updates to systems as soon as possible given critical operational and testing requirements;
8.5.5 Facilities with control systems that have SISs have configured the SIS so that they have no unsecured remote access and cannot be compromised through direct connections to the systems managing the processes they monitor. (For Control Systems Only)

There is no explanation given as to why these metrics do not apply to facilities submitting EAP site security plans.

For cybersecurity at least, what the EAP does is to allow a facility to take its best guess at what security measures must be put into place to meet these rather vague requirements and then certify that it has done so. As long as all of the check boxes are marked, DHS will approve the SSP. The process that now takes place during the SSP authorization and approval process will simply be transferred to compliance inspection. The difference will be that DHS will then have the authority to tell the facility what security measures must be put into place to correct any ‘facial deficiencies’ in the implementation of the site security plan {6 USC 622(c)(4)(G)(ii)(I)(aa)}.

A quick look at the other RBPS sections of the EAP suggests that they provide a great deal more detail about what is required of a facility site security plan (I’ll go into some of the details in later posts). What is different about cybersecurity is that there are fewer established standards that security professionals generally agree are effective at deterring, detecting and delaying a terrorist attack.

I was hoping that ISCD was going to take a better shot at establishing such standards, but it was patently unfair to put that load on this particular organization. While there are some people with computer and even control systems backgrounds within the ranks of the chemical security inspectors, this is patently not a cybersecurity standards setting organization and certainly not one with the control system security expertise to establish ICS standards.

Given the 180-day standard establishment deadline set by Congress, it was foolish to think that ISCD could accomplish more in the cybersecurity realm. They will have to continue making the system-by-system judgement to determine if the security measures in place meet the vague guidelines. Hopefully, that will be the only part of the EAP guidelines that leaves so much open to interpretation.

Bills Introduced – 05-18-15

There were 26 bills introduced in the House and Senate yesterday. Of those, two may be of specific interest to readers of this blog:

HR 2396 To amend the Federal Food, Drug, and Cosmetic Act with respect to the regulation of health software, and for other purposes Rep. Blackburn, Marsha [R-TN-7]

HR 2402 To amend the Federal Power Act to prohibit the public disclosure of protected information, and for other purposes Rep. Lofgren, Zoe [D-CA-19]

Blackburn has tried to limit the FDA’s authority to regulate non-patient-contact software in the past, but it is too early to tell what regulation or lack thereof is being covered here.

HR 2402 is probably another effort to codify critical electrical infrastructure information in light of the current NARA rulemaking that is underway.

Monday, May 18, 2015

HR 1987 Passes in House

As expected HR 1987, the 2016 Coast Guard Authorization Act, passed today in the House. There was only 14 minutes of debate and the bill passed on a voice vote.

As I mentioned earlier, there was no specific mention of chemical safety or security programs in this year’s bill, as there hasn’t been in recent years.

Rules Committee Crafts Closed Rule on HR 2353

This evening, as part of a three-bill rulemaking process, the House Rules Committee established a closed rule for the consideration of HR 2353, the short-term extension of Highway Fund based spending through July 31st, 2015. The bill also extends the Hazardous Materials Emergency Preparedness Fund and the Hazardous Materials Training Grants at the current rate through the same date.

There will be one hour of debate on the bill and no amendments. There is every chance that the bill will be passed tomorrow.