Tuesday, April 25, 2017

DHS Publishes Three Advisories

Today the DHS ICS-CERT published three control system security advisories for products from Hyundai Motor, Sierra Wireless and BLF-Tech.

Hyundai Motor Advisory

This advisory describes two vulnerabilities in the Hyundai Motor Blue Link. The vulnerabilities were reported by Will Hatzer and Arjun Kumar working with Rapid7. Hyundai produced a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided the opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Man-in-the-Middle – CVE-2017-6052; and
• Use of Hard-Coded Cryptographic Key – CVE-2017-6054

ICS-CERT reports that an attacker (no characterization of the skill level is provided) could remotely exploit this vulnerability to gain access to insecurely transmitted sensitive information, which could allow the attacker to locate, unlock, and start a vehicle associated with the affected application.

NOTE: A Rapid7 blog post provides more details about the vulnerability.

Sierra Wireless Advisory

NOTE: This advisory provides additional information on vulnerabilities that were initially reported by ICS-CERT in an Alert last June.

This advisory describes three vulnerabilities in the Sierra Wireless AirLink Raven XE and XT. The vulnerabilities were reported by Karn Ganeshen. Sierra Wireless has produced new firmware that mitigates two of the three reported vulnerabilities. There is no indication that Ganeshen was provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities were:

• Improper Authorization – CVE-2017-6044;
• Cross-Site Request Forgery – CVE-2017-6042; and
• Insufficiently Protected Credentials (Not mitigated) – CVE-2017-6046

Neither this advisory nor the Sierra Wireless Technical Bulletin [.DOC download] from last summer addresses the fourth vulnerability reported by Ganeshen in his disclosure: unauthenticated access to directories and arbitrary file upload.

ICS-CERT reports that a relatively unskilled attacker could use the publicly available exploits for these vulnerabilities to remotely attack these devices to perform unauthorized sensitive functions compromising the confidentiality, integrity, and availability of the affected system.

BLF-Tech Advisory

This advisory describes an uncontrolled search path element vulnerability in the BLF-Tech VisualView HMI. The vulnerability was reported by Karn Ganeshen. BLF-Tech has produced a new version to mitigate the vulnerability. There is no indication that Ganeshen was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker (access requirements not characterized) could exploit the vulnerability to execute arbitrary code within the system.

FDA Announces Medical Device Cybersecurity Workshop

Today the Food and Drug Administration published a meeting notice in the Federal Register (82 FR 19059-19060) for a public workshop on “Cybersecurity of Medical Devices: A Regulatory Science Gap Analysis”. The two-day workshop will be held on May 18th, 2017 in Silver Spring, MD. The objective of the workshop is to facilitate a discussion on the current state of regulatory science in the field of cybersecurity of medical devices, with a focus on patient safety.

Cybersecurity Regulatory Science

The FDA notes that their Center for Devices and Radiological Health (CDRH) identified medical device cybersecurity as one of their top 10 regulatory science gaps. In the CDRH publication “Regulatory Science Priorities (FY2016)” it was noted that (page 8):

“Digital Health and cybersecurity are some of the fastest growing areas impacting medical devices. Devices are being increasingly used in networked environments and are expected to communicate with one another securely and accurately. To ensure these technologies and technological environments achieve the desired public health impact, research is needed to enhance performance and security of medical devices and interoperability, and to understand the impact of software modifications on device performance.”

With that in mind the FDA, in conjunction with the National Science Foundation and the DHS Science and Technology Directorate, is attempting to establish a cybersecurity regulatory science research framework to foster collaborative research between federal agencies such as NSF and DHS S&T, academia, the medical device industry, third party experts and other organizations, with input from FDA.

Workshop Agenda

This scheduled workshop is designed to support that effort by conducting a number of simultaneous working sessions discussing the following topics:

• Relationship between medical device cybersecurity and patient safety;
• Unique cybersecurity and regulatory challenges for medical devices;
• Differences in cybersecurity between home care, large health care providers, and acute care settings (e.g., ambulance, emergency room);
• The roles and intersection of information technology professionals and biomedical engineering staff;
• Potential metrics, evaluation tools to test and quantify the cybersecurity of medical devices and systems;
• Automated and manual tools for communicating cybersecurity information about medical device design and function;
• Best practices for cybersecurity of medical devices at deployment and how to apply updates throughout the medical device lifecycle;
• Human factor issues in cybersecurity of medical device development, deployment, and use of devices; and
• Best practices in cybersecurity design, deployment, and post-deployment activities and procedures.

Each of the sessions will attempt to address the:

• Immediate cybersecurity challenges and potential solutions to facilitate entry of innovative medical devices into the marketplace;
• Cybersecurity regulatory science gaps to which solutions can be developed through additional scientific research; and
• Long-term cybersecurity research challenges which may need significant additional basic research.

Public Participation

Personnel wishing to participate in the workshop need to register in advance via the FDA’s workshop registration page. Unfortunately, as of 8:20 am EDT today that page does not show this planned workshop even though the notice states that early registration is recommended due to limited seating.

The FDA is also soliciting written comments on the above topics. Written comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # FDA-2017-N-1572). Those comments should be submitted by June 23rd, 2017.

Please note that the Federal Register notice specifically states that the workshop is not designed to discuss FDA policy regarding cybersecurity of medical devices.

Monday, April 24, 2017

CFATS 2.0 Results Webinar

I just completed watching the DHS “CFATS Tiering Update - April 2017” webinar. This webinar provided information on the preliminary outcomes of the DHS Infrastructure Security Compliance Division’s (ISCD) review of CSAT 2.0 Top Screen submissions that were started last fall. I say ‘preliminary’ because ISCD is still reviewing a number of the submitted Top Screens and is presumably still sending out Top Screen submission letters.

It was an interesting presentation and I recommend that interested parties that missed this webinar sign up for the next session that will be held early next month.

There have been a number of questions about the potential effects of the new risk-assessment methodology that is part of CSAT 2.0. The main question that folks have been asking is how that new methodology would end up affecting the Risk Tiering within the Chemical Facility Anti-Terrorism Standards (CFATS) program. The presentation today provides at least a partial answer.

Changed Risk Assessment Methodology

ISCD took a sample of 8,000 new Top Screen submissions and specifically looked at the new tiering results. Here are the results that ISCD reported today (Note: there was no mention of the missing 4% of the facilities):

• 5% moved from untiered to tiered;
• 5% moved from tiered to untiered;
• 51% moved between the four tier rankings; and
• 35% remained within their existing tier rankings

Remember, untiered facilities are not covered facilities under the CFATS program, and thus do not have to submit an SVA/SSP or have an approved site security plan (SSP) or alternative security plan (ASP).

The presenters also described two specific trends that they saw in tier changes. First, facilities that had just weapon of mass effect (WME) security issues tended to see a decrease in tier ranking because the new ‘physics-based modeling’ tended to see a lower risk for the same situation for these chemicals as compared to the old risk modeling process. Second, a counter-trend was seen with two specific chemicals (triethanolamine and methyldiethanolamine); the same ‘physics-based modeling’ tended to see an increased risk for these chemicals as compared to the previous methodology.

The presenters also noted that there were 235 facilities (not clear if they were part of the 8,000 used for the above analysis) that were facilities with only theft/diversion security issues that now had added release security issues. The presenters did not make it clear whether this was due to the risk modeling or if it was due to changes in the reported DHS chemicals of interest on site.
I missed the early portion of the webinar, so I almost missed the information that ISCD probably presented on the number of letters sent out and the number of Top Screens that have been submitted. I should have more information on that in the near future.

I have some serious questions about the reported analysis of the risk assessment results presented in the webinar. Now this is probably due to my nitpicking of statistical analysis in general. I have a little more training (not that much though) in statistical analysis than most people, so I generally cringe whenever I see the word ‘analysis’ used in a presentation.

First, let’s look at that missing 4% I mentioned earlier. There is one category that is specifically missing from those reported, the untiered facilities that remained untiered facilities. For the sake of discussion, let us assume that those unreported 4% were those untiered facilities that did not change. That would mean that only 9% of the facilities in the 8,000-facility sample were untiered or facilities that were not covered by the CFATS program.

That is a problem because that would mean that 81% of the 8,000 facilities in the sample were currently covered facilities. That would be 6,480 facilities. But, as of the last reporting by ISCD, there were less than 3,000 covered facilities in the program. That means that the reported percentages cannot be of the whole 8,000 facility sample.

Let’s assume for the sake of argument that all 2,948 facilities reported in the last CFATS Fact Sheet from October 1st of last year were included in the 8,000-facility sample. That would mean that there were 5,052 initially untiered facilities in the sample. Plugging these numbers into the previously reported percentages we get:

• 252 moved from untiered to tiered;
• 147 moved from tiered to untiered;
• 1503 moved between the four tier rankings; and
• 1031 remained within their existing tier rankings

This still leaves 716 facilities for which no data was provided, or 24% of the covered facilities. So, any way we look at it we have internally inconsistent information provided. I will try to get clarification from ISCD.

Committee Hearings – Week of 04-23-17

With both the House and Senate back in Washington after their two-week recess, the main focus this week will be on getting a spending bill passed for the remainder of FY 2017. The deadline for that is Saturday, else the dreaded government shutdown will occur (unlikely). With that on the congressional platter the hearing schedule is relatively light this week; there is just one hearing that may be of specific interest to readers of this blog. It will address hazmat transportation issues.

HAZMAT Transportation

On Wednesday the Railroads, Pipelines, and Hazardous Materials Subcommittee of the House Transportation and Infrastructure Committee will be holding a hearing looking at “Building a 21st Century Infrastructure for America: The State of Railroad, Pipeline, and Hazardous Materials Safety Regulations and Opportunities for Reform”. The witness list includes:

• Linda B. Darr, American Short Line and Regional Railroad Association;
• Roger Nober, BNSF Railway
• Paul Rankin, Reusable Industrial Packaging Association;
• Robin Rorick, American Petroleum Institute;
• Donald J. Santa, Jr., Interstate Natural Gas Association of America; and
• John Tolman, Brotherhood of Locomotive Engineers and Trainmen

I expect that we will hear very little about new regulations that the industries need to protect the public and more about what current and proposed rules need to be reviewed, revamped, or removed.

On the Floor

Nothing of specific interest is expected to come to the floor of either the House or Senate this week beyond the FY 2017 Continuing Resolution. That bill has not yet been made public; still too much horse trading going on for that. It is interesting that we are seeing news this week about what bill components (or lack thereof) might result in a Trump veto of the spending bill coming out of a Republican controlled Congress.

As always, I will leave the gross reporting on the bill to the national press. I will focus on the specifics of what the bill might mean to the chemical safety, security and transportation communities and the control system cybersecurity community.

Saturday, April 22, 2017

DHS Announces Date and New Location for 2017 CSSS

Yesterday the DHS Office of Infrastructure Protection (IP) and the Chemical Sector Coordinating Council announced via the Chemical Sector Security Summit (CSSS) web page that the 2017 CSSS will be held in Houston, TX on July 19-21, 2017. Those of us who signed up for future information about the 2017 CSSS (see the bottom of the web page) received an email from DHS providing the same information yesterday.

Information concerning registration and the agenda will be published on the web page (and certainly here) later this spring.

NIST Announces CSF 1.1 Workshop – May 16th, 2017

NIST has announced another in a series of workshops concerning the proposed new version of their Cybersecurity Framework (CSF 1.1). The 2-day workshop will be held in Gaithersburg, Maryland on May 16th, 2017. The draft agenda for the workshop was made available this week on their CSF website.

I have not covered CSF 1.1 because the CSF is not operationally an industrial control system (ICS) security program. There are ICS components, but this is a cybersecurity management tool, not actually a cybersecurity tool. I have not seen anything in CSF 1.1 that would change that assessment.

Having said that, I am mentioning this workshop because it contains an internet of things (IOT) breakout session on the second day of the CSF 1.1 workshop. The agenda describes it this way:

“Cyber Meets the Physical World: The diverse use and rapid proliferation of connected devices – typically captured by the “Internet of Things (IoT)” – creates enormous value for industry, consumers, and broader society. At the same time, emerging threats, such as last year’s Mirai DDoS attacks, highlight the critical need to develop and apply guidance to maintain the cybersecurity of devices and the ecosystems into which they are deployed. NIST is seeking feedback on how the Framework may be applied to the IoT, both in terms of the devices themselves, as well as their integration into broader enterprise and network environments. Topics in this breakout may include: existing IoT definitions and taxonomies and their consistency with the Framework; IoT specific threats and constraints; sector-specific considerations for IoT security; and the integration of IoT-specific threats into the Framework model.”

Even this description of ‘Cyber Meets the Physical World’ contains no specific reference to industrial control systems, or even really hints at their existence. This is the thing that continues to concern me about the CSF. I hope that I am reading too much into this brief description and I hope that we hear from some attendees with an ICS cybersecurity background that there was some specific and realistic discussion of ICS specific security concerns with IOT and how that might be dealt with in the CSF environment.

Early registration is recommended by NIST due to the limited seating available. Registration closes on May 9th, 2017.

Friday, April 21, 2017

PHMSA Publishes 11 60-Day ICR Renewals

Today the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) published a 60-day information collection request (ICR) renewal notice in the Federal Register (82 FR 18828-18831) for eleven separate existing ICRs. While the limited information provided in this notice would seem to indicate that there are no changes from the currently approved versions of these ICRs, there is something odd going on with one of the ICRs.

The eleven ICRs are listed in the table below. The link in the title of the ICR is to its appearance in this notice and the link in the RIN is to the currently approved ICR.

The odd thing about the Approval for Hazardous Material ICR is that earlier this month PHMSA submitted an ICR revision request to OIRA for the ICR. That ICR revision was to support a final rule published by PHMSA on March 30th, 2017. That rulemaking simply reports that there are expected to be an additional 3,600 responses and an increase of 1,800 hours in the burden required by this new rule. A more detailed accounting of that change can be found in the supporting document [.DOC download] that was sent to OIRA earlier this month.

What seems likely is that whoever was responsible for crafting this ICR notice for PHMSA just copied the previous 60-day ICR notice submitted three years ago, made some cosmetic changes for dates and then submitted the revised document to OIRA. And I suspect that too many ICR renewals suffer the same problem; someone just going through the motions. It makes a mockery of the requirement for agencies to submit, and OMB to approve, these ICRs to ensure that the regulated public is not unnecessarily burdened by the data collection demands of the Federal government.

At the very least, PHMSA needs to stop this ICR renewal and publish a new 60-day ICR notice without including the Approval for Hazardous Material ICR.

PHMSA is soliciting public comments on this ICR notice. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; PHMSA-2017-0018). I will be submitting a copy of this post as a comment.