Monday, February 20, 2017

HR 923 Introduced – Repeal of Cybersecurity Act

Earlier this month Rep. Amash (R,MI) introduced HR 923 which would repeal the Cybersecurity Act (Division N, PL 114-113). Amash and his bipartisan cosponsors are concerned about the way the Cybersecurity Act was slipped into the 2016 Consolidated Appropriations Act at the last minute.

Amash introduced a similar bill (HR 4350) last year in the 114th Congress. That bill was also assigned to eight committees for consideration. No action was taken in four of those committees and the remaining four only further assigned it to subcommittees for consideration. No hearings were held and no further action was taken.

Since the Cybersecurity Act was only added to the appropriations bill with the full consent of the House Republican leadership, I do not suspect that there will be any actions taken on this bill.

Sunday, February 19, 2017

HR 905 Introduced – Computer Code Copyright Transfer

Earlier this month Rep. Farenthold (R,TX) introduced HR 905, the You Own Devices Act. This bill addresses some of the copyright issues related to software used to operate equipment.

Software Copyright Issues

The bill amends 17 USC 109, “Limitations on exclusive rights: Effect of transfer of particular copy or phonorecord”. It adds a new paragraph (f) to the section. That paragraph addresses the transfer of certain computer programs.

The first provision codifies the legal transfer of the software that “enables any part of a machine or other product to operate” {§109(f)(1)} when that machine or product is legally sold or otherwise transferred.

The second provision addresses software updates. It specifies that the right to receive any software changes related “in whole or in part to security or error correction” {§109(f)(2)} is transferred along with any transfer of the equipment that the software operates.

The third provision prohibits the retention of a copy of the software when a party transfers the equipment and/or software to another party.

Moving Forward

Farenthold is a member of the House Judiciary Committee (the committee to which this bill was assigned for consideration) so there is a decent possibility that this bill could be considered in committee. There may be some opposition to the update provisions of this bill from some software vendors, so it is unclear at this point if there would be enough support in the House for the bill to allow it to be considered under suspension of the rules. It is unlikely that this bill would make it to the floor of the House under a rule.

If the bill were considered in the House, I suspect that it would pass.


I think that this bill could end up being important for security researchers. The first provision, under which legally buying software-operated equipment automatically includes the legal transfer of the copy of the operating software, precludes a vendor from threatening to prosecute researchers for illegally accessing the software.

The second provision means that when a researcher finds a vulnerability in a piece of control system software and the vendor issues an update or patch, the researcher is entitled to obtain a copy of that patch or update as long as he owns a piece of equipment that uses that software to operate. This would make it easier for the researcher to determine the efficacy of the fix.

One software-related copyright issue that is not addressed in this bill is the legal right to modify software used to operate a piece of equipment.

Saturday, February 18, 2017

Reader Comment – Moxa NPort Advisory

Today Reid Wightman posted a comment to a December blogpost that mentioned a control system security advisory published by ICS-CERT for Moxa NPort products. Reid was identified as one of the researchers that identified one or more of the vulnerabilities covered in that advisory. Reid comments that the reported fix for CVE-2016-9361 does not work. Please read his comment for more details.

Alert readers might remember that Digital Bond (with whom Reid was associated at the time) publicly disclosed the vulnerability in April of last year, resulting in an ICS-CERT control system security alert. Given the total elapsed time between the initial notification by Digital Bond and the published “fix”, it is especially disconcerting that Reid has to report that the fix does not work.

Assuming that there was no deliberate malfeasance involved on the part of Moxa, I can only conclude that Moxa did not really understand the cause of the vulnerability discovered by Reid. This is one of the reasons that it is important to have someone not employed by the vendor verify the efficacy of the fix. I think it would be best if the discovering researcher were the one to do the verification testing. That way there can be no doubt about how well the fix mitigates the discovered vulnerability.

Reid does not mention in his comment whether or not he had coordinated the report of the failure of the vendor’s fix with ICS-CERT. In some ways, I am hoping that he did not. If he had, it would seem to indicate that ICS-CERT (or perhaps Moxa) did not accept Reid’s judgement about the efficacy of the fix. Given the seriousness of the vulnerability (CVSS v3 base score of 9.8) I would have hoped that ICS-CERT would have tried to corroborate Reid’s report.

S 307 Introduced – DOD Cyber Capability Database

Earlier this month Sen. Ernst (R,IA) introduced S 307, the Department of Defense Emergency Response Capabilities Database Enhancement Act of 2017. The bill would require DOD to specifically include cybersecurity capabilities in an existing DOD emergency response capabilities database.

Database Expansion

The bill would amend §1406 of the John Warner National Defense Authorization Act for Fiscal Year 2007 {PL 109-364 §1406 (120 STAT. 2436)} which required DOD to establish a database that recorded the “emergency response capabilities that each State’s National Guard, as reported by the States, may be able to provide in response to a domestic natural or manmade disaster, both to their home States and under State-to-State mutual assistance agreements” {§1406(1)}.

The bill would add two specific cybersecurity related requirements to that database {§2(b)(2)}:

• Cyber capabilities of the National Guard that are identified by the Department as important to national security and for response to domestic natural or manmade disasters.
• Cyber capabilities of the other reserve components of the Armed Forces that are identified by the Department as important to national security.

Moving Forward

Ernst is a member of the Senate Armed Services Committee (the committee to which the bill was assigned for consideration) and two of her co-sponsors {Sen. Gillibrand (D,NY) and Sen. Fischer (R,NE)} are members of the Cybersecurity Subcommittee of that Committee. This means that there is a good chance that there will be sufficient political influence to have that Committee take up this bill.

There is nothing in this bill that would cause any substantial opposition to its consideration. If this bill were taken up on its own, it would likely be considered under the Senate’s unanimous consent procedure. This bill is also a good candidate for inclusion in the 2018 DOD authorization bill, either in the initial draft or as a floor amendment.


There is nothing in the bill that would specifically require the inclusion of industrial control system security experience/expertise in the database listing. It is likely that DOD would take that step on their own initiative.

What is not clear with respect to either the original database requirement, or this modification, is to what use DOD is expected to put this database; whether it is only for internal DOD use or whether other government organizations (FEMA for example) would have access to the database. This bill would be a good place to clarify which agencies are expected to have access to the database.

Friday, February 17, 2017

Bills Introduced – 02-16-17

Yesterday, with the House and Senate getting ready to depart for their Presidential Day recess next week, there were 154 bills introduced. Many of these bills were introduced to provide fundraising talking points next week, but one of the bills may be of specific interest to readers of this blog:

S 412 A bill to amend the Homeland Security Act of 2002 to require State and local coordination on cybersecurity with the national cybersecurity and communications integration center, and for other purposes. Sen. Peters, Gary C. [D-MI]

It will be interesting to see how this bill avoids the ‘unfunded federal mandate’ label. I’ll only be covering this bill if it specifically includes control system security issues.

ICS Hacker Convicted

Yesterday the US Attorney’s Office for the Middle District of Louisiana announced that an individual had been sentenced to serve 34 months and pay $1.1 million as a result of his conviction “for hacking into the computer system of an industrial facility to disrupt and damage its operations”. This appears to be the first conviction for an attack on an industrial control system in the United States.

The Attack

There is very limited information available on the attack. What is publicly available is that a fired IT worker at the Georgia Pacific Port Hudson Mill (Port Hudson, LA, just north of Baton Rouge) accessed “the control and quality control systems for making paper towels” according to one news report. The attack was conducted via a virtual private network (VPN) connection to the plant computer network.

A plant spokesman was quoted as saying: “Things that were automatic were completely shut down.”

Another news report notes that there were multiple attacks on the facility computers between February 14th and 27th in 2014.

On the face of it, this does not appear to have been a sophisticated attack involving unknown or ineffectually mitigated control system vulnerabilities. Rather it looks like a fairly standard case of a system-knowledgeable person who did not have his system access adequately revoked when he was terminated.

The Law

The individual was convicted for violations of 18 USC 1030(a)(5)(A). Section 1030 is known as the “Fraud and related activity in connection with computers” section of the US Code and was designed to deal with financial crimes dealing with computers. The specific sub-paragraph charged explains the offense as whoever “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer”.

The key definition here is that for a ‘protected computer’. The first part of that definition applies specifically to computers at financial institutions or the US government, which obviously does not apply in this case. Instead the second part of the definition (which I’ll call the ‘interstate commerce clause’) applies; it covers:

A computer “which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States” {§1030(e)(2)(B)}.

Since Georgia Pacific is a multi-national company that certainly sells materials from this facility across state lines, it would be easy to see how the US Attorney could argue that this attack had a significant effect on either interstate or foreign commerce if the damage caused by the attack interfered with timely product shipments.

In establishing the ability for the court to punish a violation of §1030(a)(5)(A) the prosecution would have to prove that the attack resulted in one of six specific types of harm outlined in §1030(b)(4)(A)(i). Only four of those are of potential interest in this case:

• Loss to 1 or more persons during any 1-year period aggregating at least $5,000 in value;
• Physical injury to any person;
• A threat to public health or safety;
• Damage affecting 10 or more protected computers during any 1-year period.

Given the $1.1 million restitution ordered by the court, I would assume that the US Attorney used the first harm category.


There is nothing in readily available information on this case that explains how the damage of $1.1 million occurred. Having worked in a company that sold into the paper industry for years I have learned a little about the paper making process. As each large paper roll is made any interruption of the machinery making that roll significantly damages that roll and requires a restart of a fresh roll of paper. If stoppages occurred on multiple occasions that week, I suspect that an accounting of damaged rolls and lost production could total $1.1 million without having to have included any physical damage to the equipment at the facility.

These attacks happened in 2014 and the Federal Grand Jury indicted the individual in 2015. There is no indication that the DHS ICS-CERT was involved in the investigation of the incident (and given the rapidity with which the FBI responded to the issue, it does not appear that it would have been necessary).

It would have been nice, however, if ICS-CERT had been brought into the case early on, not so much to help in the arrest and prosecution of the perpetrator, but so that ICS-CERT could publicize the attack to the ICS community. This could have been used to reinforce the need for some basic security procedures (revocation of access) and to point out (again) the vulnerability of ICS to easy attacks by anyone with control system network access.

It is not too late, however, for ICS-CERT to prepare a public report on this attack. While there was no trial for this case (the perpetrator pleaded guilty) there was a grand jury indictment in which the process of the attack had to be presented in some detail. That should provide enough detail for ICS-CERT to prepare a relatively detailed report on the attacks.

This case also raises some interesting legal questions (DISCLAIMER: I AM NOT A LAWYER) about the adequacy of §1030 for the prosecution of attacks on industrial control systems. There have been a couple of attempts to amend §1030 (for example S 2931 in the 114th Congress) to specifically address industrial control system attacks, but none of them have proceeded past the introduction phase.

The big problem is that §1030 is a fraud-related section of the US Code and attacks against control systems (other than perhaps ransomware attacks) are not really related to fraud. The problem is further aggravated by the fact that the definition of computer used in that section is really designed to identify IT or communications systems, not industrial control systems. Since this case never came to trial, the use of this section to prosecute ICS-related attacks has not really been legally tested.

I am sure that the US Attorney was prepared to argue that the definition could be interpreted (very broadly) to have included control system computers. A defense lawyer, on the other hand, could argue that the failed congressional attempts to specifically include ICS computers in the definition reflect a congressional intent not to allow that inclusion.

Unfortunately, it is impossible to determine in advance how a specific court would deal with such arguments. Appellate court acceptance of any outcome of that decision would be even harder to predict. The fact that this individual’s legal team did not (apparently) recommend such a fight of the prosecution might simply reflect the legal cost of such a fight rather than having reached a conclusion on the merits of the use of §1030 to prosecute an ICS attack.

That fight is almost certain to occur in some future case.

NOTE: Thanks to Chris Sistrunk for sharing the press release on this case on the ICS-ISAC Open Community on Facebook.

Thursday, February 16, 2017

ICS-CERT Published Rockwell Update

Today the DHS ICS-CERT published an update to their control system security advisory for products from Rockwell Automation that was originally published on September 15th, 2016. The update provides information on:

• A new software version to replace the original patch mitigation;
• More detailed information on the affected versions; and
• Notification that the previous patch is only to be used on version 8.40.00.
