Tuesday, September 1, 2015

ICS-CERT Publishes Siemens Advisory

Today the DHS ICS-CERT published an advisory for an IP forwarding vulnerability in older versions of the Siemens RUGGEDCOM switches. ICS-CERT reports that Stephen Craven of the Tennessee Valley Authority reported this vulnerability. Siemens reports that newer versions of the operating system for those switches allow the IP forwarding function to be disabled.

ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability if more than one VLAN were configured on the system.

It appears from the ICS-CERT advisory and the Siemens Advisory that this IP forwarding is not actually a vulnerability, but a designed-in feature that could be a problem under some circumstances. The wording of both documents implies that IP forwarding is enabled by default on the newer systems. That would mean that segmenting control system access with multiple virtual local area networks (VLANs) could be bypassed: an attacker who compromised a device on one VLAN could use the switch itself to route into the other VLANs if IP forwarding were enabled on the system. Seems like something that should be disabled by default and enabled only if needed.
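As an added illustration (this is not code from either advisory, and the RUGGEDCOM configuration syntax is not on the page), here is the same failure mode audited on a Linux host that has one 802.1Q sub-interface per VLAN, which is what a multi-VLAN switch with IP forwarding turned on amounts to. The routing table is constructed for the example, and the `ip_forward` flag stands in for the switch setting (on Linux it is `sysctl net.ipv4.ip_forward`).

```python
"""Audit whether a device that sits on several VLANs would route between them.

Added example, not the advisory's code. A Linux host with 802.1Q sub-interfaces
(eth0.10, eth0.20, ...) stands in for the switch; the routing table below is
constructed. On Linux the forwarding flag is `sysctl net.ipv4.ip_forward`.
"""
import ipaddress
import re
from itertools import combinations

# Constructed `ip -4 route` output: one sub-interface per VLAN, two subnets on VLAN 10.
SAMPLE_ROUTES = """\
default via 10.1.0.254 dev eth0.10
10.1.0.0/24 dev eth0.10 proto kernel scope link src 10.1.0.1
10.1.1.0/24 dev eth0.10 proto kernel scope link src 10.1.1.1
10.2.0.0/24 dev eth0.20 proto kernel scope link src 10.2.0.1
192.168.100.0/24 dev eth0.100 proto kernel scope link src 192.168.100.1
"""

# Only on-link (directly connected) routes count; the default route is not a VLAN.
_CONNECTED = re.compile(r"^(?P<net>\d+(?:\.\d+){3}/\d+) dev (?P<dev>\S+).*\bscope link\b")


def connected_networks(route_dump):
    """Map each interface to the IPv4 networks directly attached to it."""
    nets = {}
    for line in route_dump.splitlines():
        m = _CONNECTED.match(line)
        if m:
            nets.setdefault(m.group("dev"), []).append(ipaddress.ip_network(m.group("net")))
    return nets


def cross_vlan_paths(route_dump, ip_forward):
    """Return the (src_net, dst_net) pairs the device would forward between.

    Forwarding off: the device only answers for its own addresses, so no paths.
    Forwarding on: every subnet on one interface can reach every subnet on any
    other interface through the device, which is the bypass of VLAN segmentation
    described in the post. Subnets sharing an interface are skipped; they are
    already one broadcast domain and the device adds no reachability there.
    """
    if not ip_forward:
        return []
    nets = connected_networks(route_dump)
    paths = []
    for dev_a, dev_b in combinations(sorted(nets), 2):
        for net_a in nets[dev_a]:
            for net_b in nets[dev_b]:
                paths.append((net_a, net_b))
                paths.append((net_b, net_a))
    return paths


def crosses_vlan_boundary(route_dump, ip_forward, src_ip, dst_ip):
    """True if the device would route a packet from src_ip into a different VLAN holding dst_ip."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in a and dst in b for a, b in cross_vlan_paths(route_dump, ip_forward))


if __name__ == "__main__":
    for flag in (1, 0):
        paths = cross_vlan_paths(SAMPLE_ROUTES, flag)
        print(f"ip_forward={flag}: {len(paths)} cross-VLAN paths")
        for a, b in paths:
            print(f"  {a} -> {b}")
```

With the flag set, the script lists every pair of subnets on different sub-interfaces that the box will route between; those are the segmentation boundaries a compromised host on one VLAN would cross. The corrected state is simply the flag cleared, which empties the list. On a device where routing between some VLANs is genuinely required, the same list is the starting point for the access control rules that have to stand in for the isolation the VLANs no longer provide.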

BTW: Siemens does not credit Craven for the discovery of the vulnerability; rather it simply acknowledges “the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) for their support and coordination efforts”.

FAA Advisory Meeting Will Include Aircraft Cybersecurity

The FAA published a meeting announcement in today’s Federal Register (80 FR 52839) for a public meeting of their Aviation Rulemaking Advisory Committee (ARAC) on September 17th, 2015 in Washington, DC. At this meeting the ARAC will receive status updates from a number of working groups, including the Aircraft Systems Information Security/Protection (ASISP) Working Group.

The ASISP was formed in February of this year and tasked with providing “recommendations regarding Aircraft Systems Information Security/Protection (ASISP) rulemaking, policy, and guidance on best practices for airplanes and rotorcraft, including both certification and continued airworthiness.”

This meeting is open to the public, but there is limited seating so you should confirm your attendance with Renee Pocius (email Renee.Pocius@faa.gov). There have been provisions made for attending the meeting by telephone and Ms. Pocius should be contacted to make the arrangements for that as well. There will be a public comment period at the meeting. Coordination with Ms. Pocius for presenting an oral statement should be made by September 10th. Physical copies (25 each) of written statements may be provided to Ms. Pocius prior to the meeting or brought to the meeting.


It is not clear at this time whether the ASISP update will include any actual recommendations for regulatory actions. Given the short amount of time that the Working Group has been in operation, I would be surprised if this was anything more than a list of areas of potential concern and an idea of how much longer it might be before a recommendation was provided to the full Committee.

It is a shame to see that the FAA is still stuck in the 1960’s. The requirement to deliver 25 physical copies of written statements is archaic in the extreme. Most Federal Agencies use the Federal eRulemaking Portal (www.Regulations.gov) for the purpose of submitting written statements for meetings of this sort. This ensures that not only can the Committee members and staff have ready access to the documents, but the public has such access as well. And don’t even get me started about the failure to provide even a toll free line for the telephone bridge access to this meeting, much less an electronic connection. No wonder the Agency is having problems trying to modernize its traffic control systems; it has not bothered to modernize its administrative procedures.

Saturday, August 29, 2015

SSI Program Information and Accessibility

Part of the work that I do to keep up to date on programs that I write about here on this blog is to periodically check a number of web sites to see what changes have been made. One of the web sites that I check every Saturday is the web site for the TSA’s Sensitive Security Information (SSI) program. I’m not providing the link (okay I will) to that site since it no longer exists and hasn’t for three weeks now.

It was an information packed site. It provided links to program documents, explanations of terms, training requirements; all sorts of good information that anyone dealing with SSI would like to have handy to make sure that they were compliant with the regulations.

The first weekend that it was down (and I’m not talking about a standard 404 error message, but a nice pretty TSA ‘Page Not Found’ message) I wrote it off as one of those glitches that periodically happens on the internet. The second week I fired off a request to TSA asking about what was going on with their SSI web site. This week I got a very nice email from the SSI folks. It explained that:

“TSA recently deployed a new website which could only contain 508-compliant material. The SSI Program is currently working with Public Affairs to convert our programmatic content so that it is 508-compliant and may be loaded to the site.”

For those of you who do not readily understand government speak, the term ‘508-compliant material’ refers to the requirements of §508 of the Rehabilitation Act of 1973 (29 USC 794d) as amended in 1992 by §509 of the Rehabilitation Act Amendments of 1992 (PL 102-569). In short, the Federal government is required to provide equal access to information to people with disabilities. In this particular instance I would presume that means people who cannot see the information on the web pages.

Now TSA information on the internet is hard enough to access for people with perfect vision; I can only imagine how hard it would be to find anything TSA related if I were visually impaired. So I wholeheartedly endorse anything that makes access to this information easier for anyone, particularly those with physical disabilities.

What I find hard to understand, however, is how TSA could have deployed a new disability friendly web site without ensuring that all of the content was §508 compliant first. That does not make any sense to me.

Because of that inexcusable oversight we have gone at least three weeks now without information being available on this critical security program. The average small to medium business does not have professionals on staff who are fully up to speed on each and every Federal security program, and it is sites like the one now missing that made it possible for such enterprises to have some hope of complying with Federal mandates.

The SSI program is especially important when it comes to companies sharing security information with the Federal government. It is only possible for companies to protect security information that they share from public disclosure under the Freedom of Information Act if they properly request that the information be considered SSI. If an organization does not properly request SSI information protection of data shared with the government then it is not protected.

Without this site being available, the average small to medium company is not going to have a reasonable way of knowing how to protect their transportation security related information from public disclosure when it is shared with a Federal government agency.

There is currently no information available on how long it is going to take the TSA to convert their SSI program information to a §508 compliant format. In the meantime, the friendly email I received did provide an email point of contact (SSI@tsa.dhs.gov) for anyone needing information on SSI program needs. Of course, that isn’t a very large office and too many information requests will prevent them from doing their other SSI related work. It sure would be nicer if the web site had not been taken down.

Thursday, August 27, 2015

ICS-CERT Updates 2 Siemens Advisories and Publishes 3 New Advisories

Today the DHS ICS-CERT updated two advisories for Siemens products from earlier this year and then published three new advisories for products from Siemens, Innominate mGuard and Moxa.


This update is for an advisory originally published in April and updated in April and July. It adds clarification as to which versions of the previously listed products are affected. Similarly, the update provisions have been updated. It also adds update instructions for TIA V12 SP1 devices and WinCC V7.2.

SIMATIC STEP 7 TIA Portal Update

This update is for an advisory originally published in February. It adds clarification as to which versions of the previously listed products are affected. An update has been added for SIMATIC STEP 7 (TIA Portal) V12 SP1.

Innominate mGuard Advisory

This advisory describes a denial-of-service (DoS) vulnerability in the Innominate mGuard device. This vulnerability has been self-reported. Innominate has produced a firmware patch to mitigate this vulnerability.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to cause a temporary DoS condition in the VPN daemon on the device. Innominate reports that a successful authentication via X.509 certificate or pre-shared secret key is required to exploit the vulnerability, so the attacker must already hold valid VPN credentials.

Siemens SIMATIC S7-1200 Advisory

This advisory describes a cross-site request forgery vulnerability on the Siemens SIMATIC S7-1200. This vulnerability was reported by Ralf Spenneberg, Hendrik Schwartke, and Maik Brüggemann from OpenSource Training. Siemens has produced a firmware update to mitigate the vulnerability. There is no indication that the researchers have been afforded the opportunity to verify the efficacy of the fix.

ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to perform actions at the level of the victim user.

Siemens reports that there are different firmware updates for Standard CPUs and Fail-safe CPUs.

Moxa Softcms Advisory

This advisory describes nine separate buffer overflow vulnerabilities, of two different types, in the Moxa Softcms software package. The vulnerabilities were reported by Carsten Eiram of Risk Based Security and Fritz Sands. The HP Zero Day Initiative coordinated the disclosures of these vulnerabilities. Moxa has released a new version of the software to mitigate them. There is no indication that the researchers have been given the opportunity to verify the efficacy of the fix.

ICS-CERT reports that a moderately skilled attacker could remotely exploit these vulnerabilities to allow remote code execution.

BTW – ICS-CERT has included a formal note on their landing page that they have updated their PGP public key and they have corrected the bad link that I identified in my blog post Tuesday.

Tuesday, August 25, 2015

ICS-CERT Publishes Repetitive Hart DTM Advisory

Today the DHS ICS-CERT published another advisory for the CodeWrights HART DTM vulnerability that was originally reported in January. This time it was for a large number of devices from Endress+Hauser. Interestingly, Endress+Hauser had already been added to the latest version (C) of the CodeWrights advisory published in February.

The only new information in this new advisory is the extensive list of E+H affected products and the fact that E+H had finally gotten around to updating the version of the CodeWrights library that they were using.

Nothing to see here, move along.

Oh wait. There was an interesting tweet from ICS-CERT this afternoon before they announced the new advisory. It seems that they have recently updated/revised/whatever their public PGP key for secure submission to ICS-CERT. This is certainly important news. Fortunately they tweeted it because there is nothing on their web page that indicates that the key had been changed.

Instead of providing a direct link to the PGP key they send you to the main landing page. To find the link to the key you have to scroll all the way to the bottom of the page and click on “Download PGP/GPG keys”. This is NOT a download link but a link to the page where you can copy the PGP key.

I got there by a slightly more circuitous route starting with clicking on the “Report an Incident” button near the top of the same page. That page provides some interesting information on reporting stuff to ICS-CERT and is good to know. Near the bottom of the page it says:

“Organizations can download our PGP key at https://ics-cert.us-cert.gov/sites/default/files/documents/ICS-CERT.asc

Don’t waste your time clicking on that link unless you want to see the ICS-CERT 404 page; nothing special there. Fortunately there is the same “Download PGP/GPG keys” link on the bottom of this page to take you to the real PGP key.

At least I think this is the new key. Nothing on the web site mentions that the key has been changed. This is getting to be a real problem on the ICS-CERT web site. There is no way to tell if something is new or old.
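Since the key has to be copied off a web page rather than downloaded, a practitioner's first check is whether what landed in the clipboard is even intact. The following is an added example (not ICS-CERT's code): it recomputes the 24-bit CRC that every RFC 4880 armored block carries on its trailing "=xxxx" line, using a constructed byte string in place of the real key. A passing CRC only says the text survived the copy (no dropped or wrapped lines, no smart-quoted characters); it says nothing about whether this is ICS-CERT's key, and for that the fingerprint still has to be confirmed through a channel other than the same web page.

```python
"""Sanity-check an ASCII-armored OpenPGP block copied from a web page.

Added example, not ICS-CERT's code. The 24-bit CRC (RFC 4880 section 6.1)
is recomputed over the decoded key bytes and compared with the "=xxxx" line.
The sample key bytes below are constructed, not a real key.
"""
import base64
import re

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data):
    """CRC-24 as specified for OpenPGP armor (check value for b'123456789' is 0x21CF02)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data, kind="PUBLIC KEY BLOCK"):
    """Wrap binary data in an armored block, 64 base64 characters per line."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc_line = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN PGP {kind}-----", ""] + lines
                     + [crc_line, f"-----END PGP {kind}-----", ""])


def dearmor(text):
    """Decode an armored block; raise ValueError if framing, base64 or CRC is wrong."""
    lines = [ln.rstrip() for ln in text.strip().splitlines()]
    m = re.fullmatch(r"-----BEGIN PGP ([A-Z ]+)-----", lines[0]) if lines else None
    if not m or lines[-1] != f"-----END PGP {m.group(1)}-----":
        raise ValueError("missing or mismatched armor header/tail")
    body = lines[1:-1]
    # Optional "Key: value" armor headers end at the first blank line.
    while body and body[0] and ":" in body[0]:
        body.pop(0)
    if body and body[0] == "":
        body.pop(0)
    if not body or not body[-1].startswith("="):
        raise ValueError("missing CRC line")
    crc_line = body.pop()
    # validate=True rejects stray characters; a dropped line usually breaks the padding.
    data = base64.b64decode("".join(body), validate=True)
    expected = int.from_bytes(base64.b64decode(crc_line[1:], validate=True), "big")
    actual = crc24(data)
    if actual != expected:
        raise ValueError(f"CRC mismatch: computed {actual:06X}, armor says {expected:06X}")
    return data


def armor_is_intact(text):
    """True if the block decodes and its CRC line matches the decoded bytes."""
    try:
        dearmor(text)
    except (ValueError, IndexError):  # binascii.Error is a ValueError
        return False
    return True


if __name__ == "__main__":
    sample_key = bytes(range(200))            # constructed stand-in for key packets
    text = armor(sample_key)
    print("clean copy:", armor_is_intact(text))
    damaged = text.splitlines()
    del damaged[3]                            # a line lost while copying from the page
    print("dropped line:", armor_is_intact("\n".join(damaged)))
```

The block treats a missing CRC line as an error, which is the right call for a key published in 2015; the CRC is a transcription check only, so the fingerprint comparison still has to happen after import.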

Homeland Security Committee Reports HR 1073

Before leaving Washington for the summer recess, the House Homeland Security Committee filed their report on HR 1073, the Critical Infrastructure Protection Act (CIPA). There are no changes to the bill beyond what I already reported, but there is some discussion about the one controversy surrounding the bill.

EMP vs Geomagnetic Storm

Section 2(a) of the revised bill amends 6 USC 101 by adding the definition of ‘EMP’. That definition includes both intentional man made electromagnetic pulse events and geomagnetic disturbances caused by solar storms.

On page 7 of the Committee Report there is a discussion about the difference between the two types of events. It clearly states that:

“The committee is aware of the concerns of industry in the possible confusion between pulses caused by intentional means, such as a high altitude nuclear weapon detonation, and those caused by natural phenomena such as solar storms. The magnitude and the temporal duration of the energy released are very different.”

Ranking Member Thompson (D,MS), in his ‘additional view’ response to the report on page 19, further explains the distinction between the two types of events this way:

“An EMP event is manmade and expected to impact all microprocessors. A GMD is naturally-occurring and expected to impact primarily bulk power and communication systems.”

This, of course means that the mitigation measures undertaken to lessen the effects of the two types of events will be different. They will both need to provide similar protections of the electric grid, but an EMP event would also have to protect a much wider variety (and much larger number) of electronic devices throughout the country to be effective.

Moving Forward

Because the bill allows no regulatory action or the spending of any new money, this bill passed in Committee by a voice vote, even considering Thompson’s concerns. I would expect this bill to see the same bipartisan support on the floor of the House, where it will almost certainly be considered under the ‘suspension of the rules’ process with limited debate and no amendments. There is a very good chance that this bill will reach the floor before the end of the fiscal year even with everything else that will be going on in the House.


While the Committee noted that the intent of their EMP definition was to “keep these electromagnetic pulse initiating events distinct and separate, as well as the resulting impact on critical infrastructure such as the electric power grid” (pg 7) it would seem to me that defining the two terms separately and requiring planning and research activities to address both types of events would have made that distinction clearer.

This is not just a semantic distinction. It may be possible to protect the electric grid from a geomagnetic storm (GMS) event, or at least provide adequate spare parts to get substantial parts of the grid back into operation in a reasonable time after such an event. All it would take is large sums of money. The problem with a large scale EMP event is that while many of those same grid protection measures may be usable to mitigate an EMP event’s effect on the grid, the larger problem of the destruction of nearly all electronic devices within line of sight of the nuclear device initiating the EMP event cannot practically be mitigated.

Smaller scale, non-nuclear EMP attacks (like that shown in the movie Ocean’s Eleven) are of course a different matter. Their small scale and relatively limited impact would still be much more difficult to mitigate than a similar scale GMS event, again because of the simultaneous destruction of microprocessor based devices. But, depending on the size of the device used, it may be possible to throw enough money at the problem after the attack to allow for a reasonable recovery.

This bill will move to the Senate in its current form. There is a remote chance that it will be revised by the Senate Homeland Security and Governmental Affairs Committee before it comes to a floor vote, but I suspect that it will move straight to consideration on the floor of the Senate by unanimous consent.

This means that we will have to rely on DHS to make a reasonable distinction between these two types of events. Hopefully they would use their limited resources (again no new resources are being authorized in this bill) to concentrate on the GMS threat and pretty much ignore the EMP event. Spending any time or money on the EMP threat will achieve nothing but detracting from other work on more likely threats.

Thursday, August 20, 2015

ICS-CERT Updates Two Rockwell Alerts

This afternoon the DHS ICS-CERT updated two alerts that it issued for Rockwell PLCs last week. The updated alerts (here and here) have the same single-sentence addition:

“This vulnerability was discovered by Aditya K. Sood and presented by him at DefCon 2015 in Las Vegas, Nevada, on August 8, 2015.”

This means that all six of the DefCon related alerts that ICS-CERT published last week come from the same talk. Strange that none of the other talks about ICS security matters merited an alert, advisory or update of a previously issued advisory.