Wednesday, September 28, 2016

ICS-CERT Publishes Siemens Advisory

Yesterday the DHS ICS-CERT published a new control system security advisory for products from Siemens. Two recently published Siemens updates have yet to be reported by ICS-CERT

Siemens SCALANCE Advisory

This advisory describes a web security vulnerability in the Siemens SCALANCE M-800 and S615 modules. The vulnerability was reported by Alexander Van Maele and Tijl Deneut from HOWEST (University College West Flanders). Siemens has produced a new firmware version, but there is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that the vulnerability is remotely exploitable, but that it would be difficult to develop an exploit that could allow an attacker in a privileged network position to obtain web session cookies under certain circumstances. The Siemens Security Advisory explains that an attacker would have to be in a privileged network position to obtain web session cookies under certain circumstances.

This vulnerability was publicly reported by Siemens last Thursday.

Recent Siemens Updates

Last week on the same day that Siemens announced their update for the vulnerabilities described above they also announced an update for their glibc vulnerability that ICS-CERT reported on in July. I had expected to see the ICS-CERT update their advisory yesterday.

Yesterday Siemens announced an additional update on multiple vulnerabilities in their SIMATIC WinCC, PCS 7 and WinCC Runtime Professional products. ICS-CERT initially reported on these vulnerabilities in April and updated the report in June and again in July. With this only being publicly reported by Siemens yesterday, it was probably too much to expect that ICS-CERT would also be updating their advisory on the same day.

Hopefully we will be seeing ICS-CERT updating these two advisories in the coming days.

Tuesday, September 27, 2016

ISCD Updates FAQ #1627 Again

Today the DHS Infrastructure Security Compliance Division (ISCD) published a new frequently asked question (FAQ) on their CFATS Knowledge Center. Actually, FAQ #1627 was first published in May 2009 and then it was updated in August of this year. So what’s going on?

I noticed a week ago Saturday that the reference to the most recent update to FAQ #1627 was missing from the CFATS Knowledge Center (I check for the most recent updates every day). A more detailed follow-up check showed that FAQ #1627 was completely missing from the database.

It seems that ISCD has been doing a detailed review of their FAQs to determine which FAQ responses will be affected by the implementation of CSAT 2.0 (a lot, I suspect). Some of those FAQs will have to be rewritten (oh boy, I’m not looking forward to that blog post), but some will no longer be relevant and those will be discarded.

Until a week ago last Saturday I was not aware of ISCD removing any FAQs from their lengthy list. If some have been deleted, they have not mentioned it. If some have been deleted there would not be a simple way of checking using the search function on CFATS Knowledge Center. Of course, the question is whether or not there is a reason to keep track of deleted FAQs?

On one hand, FAQs are not really official policy, they just reflect official policy. That’s one of the reasons that so many FAQs provide references back to official manuals and the CFATS regulations. That could easily mean that as policy changed (as reflected by official changes in manuals) that some FAQs became obsolete to the degree that it made no sense to update the response and those FAQs could/should be deleted.

On the other hand, some people are reading FAQs and, inevitably, some are making decisions about their CFATS implementation based upon those FAQ responses. They deserve to be notified when FAQs they may have relied upon have been deleted. I know the changes in the manuals should be enough notification (legally) but with the reputation that ISCD has worked so hard to build that they work closely with the regulated community argues that they should take the extra step and make specific notification of any deletions.

Oh, and some may have been deleted by mistake. You know, like FAQ #1627.

S 3379 Introduced – Transportation Security

Last week Sen. Thune (R,SD) introduced S 3379, the Surface Transportation and Maritime Security Act. The bill includes requirements for a number of GAO studies and TSA management reviews with the intent of increasing the TSA’s focus on surface transportation security issues. Only three of the provisions of the bill are likely to be of specific interest to readers of this blog:

TWIC Background Checks

Section 17(a) of the bill would require the DHS Secretary to “establish a process to improve background checks and terrorism vetting processes” {§17(a)(1)}. Those improvements are to include:

• Establishing an entity within the Office of Intelligence and Analysis to provide guidance on security threat assessment processes;
• Conducting a comprehensive risk analysis of the security threat assessment processes to identify areas needing additional internal controls and quality assurance procedures and implementing those procedures;
• Improving fraud detection techniques;
• Updating guidance and finalizing a manual for Trusted Agents and adjudicators to ensure clear guidance on processes and regulations; and
• Establishing quality controls to ensure consistent procedures to review adjudication decisions and terrorism vetting decisions.

The remainder of the section deals with requiring a comprehensive review of the Transportation Security Card Program by DHS. Once the review is conducted the bill would require DHS to provide a corrective action plan to Congress to correct any identified deficiencies. Then the Department Inspector General would be required to report to Congress on the implementation of that action plan.


Section 19 of the bill adds a new paragraph (c) to 6 USC 469. That section of the US Code deals with establishing fees for credentialing and background investigations. This amendment would establish that the phrase ‘individuals engaged in the field of transportation’ in §469 will include:

• Individuals required to obtain a transportation worker identification credential under section 101.514 of title 33, Code of Federal Regulations;
• Individuals required to obtain a hazardous materials endorsement on a commercial driver’s license issued by a State under section 5103a of title 49, United States Code; and
• Personnel at a facility that engages in loading, unloading, handling, or storage incidental to transportation who are subject to background checks under section 27.230(a)(12) of title 6, Code of Federal Regulations [Chemical Facility Anti-Terrorism Standards (CFATS) program].”.


Section 21 of the bill amends 49 USC 5103a adding a new subparagraph (d)(3) specifying that an individual in possession of a Transportation Workers Identification Credential (TWIC) has met the “met the background records check required” for the hazardous materials indorsement (HMI) for a commercial driver’s license.

Moving Forward

Thune is the Chair of the Senate Commerce, Science and Transportation Committee, the Committee to which this bill was referred for consideration. He has bipartisan support in the leadership of that Committee from his four cosponsors {Sen. Nelson(D-FL), Sen. Fischer (R-NE), Sen. Booker (D-NJ), and Sen. Blumenthal (D-CT)}. This bill will almost certainly move forward in the lame duck session. If it gets to the floor of the Senate (problematic depending on how much push Thune puts behind the bill) it would probably pass under the Senate unanimous consent process.


I noted in my earlier post on this bill that it was unusual that the bill was not also referred to the Senate Homeland Security and Governmental Affairs Committee. I’m pretty sure that this was done to avoid any delays in getting the bill considered on the Senate floor and not for petty inter-committee politics.

That is probably the reason that the CFATS and TWIC section of this bill was so ineffectually done. In amending 6 USC 469 this bill almost certainly would have no actual effect on the TWIC process. The bill should have amended 49 USC 70105(b)(2); that paragraph deals with who should be issued a TWIC. The current amendment would not change that.

This is an issue since Congress passed the Protecting and Securing Chemical Facilities from Terrorist Attacks Act (PL 113-254) specifically authorizing the use of the TWIC as a part of the personnel surety program. With the TWIC only authorized for transportation personnel working in and around US ports, this only solved part of the problem. If chemical facility workers (not working at a facility covered under the Maritime Transportation Security Act) were authorized to apply for a TWIC, the CFATS covered facilities could require their employees to get TWICs and ease a bunch of the paperwork burden of the CFATS Personnel Surety Program (PSP).

The fact that requiring employees to pay the TWIC registration fee passes the cost of personnel surety to the employees is frequently overlooked in Congressional conversations about TWIC and CFATS. I suppose that companies could be expected to reimburse employees for the expense (and some certainly would), but that has not come up in any of the talks that I have heard about TWIC and CFATS.

It is disappointing that this bill was introduced so late in the session. Many of the issues addressed (ineffectually to be sure) in this bill have been on the Congressional radar for a number of years. There have been a number of transportation related bills that could have included these inoffensive, bipartisan-supported measures. Instead they were cobbled into a bill that really has little chance to reach the President’s desk because of the politics of the end-of-session in a Presidential election year.

Monday, September 26, 2016

House Passes HR 5459 - Cyber Preparedness Act of 2015

This afternoon the House passed HR 5459, the Cyber Preparedness Act of 2015 by a voice vote after only ten minutes of debate under the House suspension of the rules process. The bill makes minor revisions to the Homeland Security Act of 2002 to enhance cybersecurity information sharing and makes enhancing cybersecurity an allowable use of DHS grants under the Urban Area Security Initiative and State Homeland Security Grant Program.

As I have noted in earlier blog posts, this bill continues to use an IT-limited definition of ‘cybersecurity risk’ that does not include industrial control systems. That does not mean that DHS cannot share ICS cybersecurity risk information with fusion centers, it is just not required to share that information.

If this bill is taken up by the Senate (not guaranteed by any stretch of the imagination this late in the session in an election year) it will probably be considered (and passed) under their ‘unanimous consent’ process that does not provide any opportunity for amendments on the floor.

Saturday, September 24, 2016

NHTSA Publishes Automated Safety Technologies Guidance

Yesterday the DOT’s National Highway and Transportation Safety Administration (NHTSA) published an enforcement guidance document in the Federal Register (81 FR 65706-65709) concerning Safety-Related Defects and Automated Safety Technologies. This is in addition to the recently published Federal Automated Vehicles Policy document published earlier this week.

Legal and Policy Background

The new enforcement guidance document outlines the legal and policy background that provides the authority of NHTSA to regulate safety in current and emerging automated motor vehicle safety technologies. An important component of the NHTSA policy is the statement that:

“For software or other electronic systems, for example, when the engineering or root cause of the hazard is known, a defect exists regardless of whether there have been any actual performance failures.”

Addressing the need for recalls to address software related safety issues, the new guidance document provides the following discussion:

“Software installed in or on a motor vehicle—which is motor vehicle equipment—presents its own unique safety risks. Because software often interacts with a motor vehicle's critical systems (i.e., systems encompassing critical control functions such as braking, steering, or acceleration), the operation of those systems can be substantially altered by after-market software updates. Software located outside the motor vehicle could also be used to affect and control a motor vehicle's critical systems.[4Under either circumstance, if software (whether or not it purports to have a safety-related purpose) creates or introduces an unreasonable safety risk to motor vehicle systems, then that safety risk constitutes a defect compelling a recall.”

Policy Guidance

The only specific guidance provided in the document is found in the next to last paragraph:

“Motor vehicle and motor vehicle equipment manufacturers have a continuing obligation to proactively identify safety concerns and mitigate the risks of harm. If a manufacturer discovers or is otherwise made aware of any safety-related defects, noncompliances, or other safety risks after the vehicle and/or equipment (including automated safety technology) has been in safe operation, then it should promptly contact the appropriate NHTSA personnel to determine the necessary next steps. Where a manufacturer fails to adequately address a safety concern, NHTSA, when appropriate, will address that failure through its enforcement authority.”


Anyone that is looking for specific guidance from NHTSA on how manufacturers (both vehicle and equipment) are going to be expected to ensure that their vehicle control systems are protected from cyber-attack are going to be sorely disappointed in this document. In fact, the guidance does not specifically address security issues related to software or control systems.

Having said that, it is clear from the portions of the document quoted above that NHTSA is planning on taking a broad approach as to what constitutes a ‘safety defect’ when it comes to vehicle automation systems. It would be hard to argue that security defects that would allow an attacker to affect, or even access, control systems that affect the safe operation of the vehicle would not be addressed by this approach.

The real defect in this guidance is the failure to address how NHTSA could expect to receive vehicle automation defect information other than from the manufacturer. The failure to establish a system for independent security researchers to report security defects in the software, hardware or firmware of vehicle automation systems directly to NHTSA (or another government agency like ICS-CERT) is understandable only in that this guidance document is directed at vehicle and equipment manufacturers. Not mentioning that receiving such information, however, would be an important part of the analysis and enforcement process is unforgivable.

Hopefully, this guidance document will not be the last word from NHTSA on the issue of vehicle control system safety. The failure to specifically address automation system security in this guidance document or the earlier performance guidance document could mean that NHTSA is intending to specifically address that area in a separate document. Or, more likely in my opinion, NHTSA continues to skirt the security issue because of a lack of specific congressional authority to address the matter.

Friday, September 23, 2016

Bills Introduced – 09-22-16

Yesterday with both the House and Senate in session there were 73 bills introduced reflecting the impending (if currently unknown date) shutdown of Congress for the remainder of the election season. Most of the bills introduced yesterday (and for the remainder of the month) are re-election tools not real attempts to enact legislation. Of those bills three may be of specific interest to readers of this blog:

HR 6116 To enable needed drinking water standards, reduce lead in drinking water, plan for and address threats from climate change, terrorism, and source water contamination, invest in drinking water infrastructure, increase compliance with drinking water standards, foster greater community right to know about drinking water quality, and promote technological solutions for drinking water challenges. Rep. Pallone, Frank, Jr. [D-NJ-6]

HR 6121 To amend the Safe Drinking Water Act with respect to climate resiliency, security, and source water protection planning, and for other purposes. Rep. Capps, Lois [D-CA-24]

HR 6134 To establish a National TechCorps program, and for other purposes. Rep. Bera, Ami [D-CA-7]

HR 6116 and HR 6121 are only two of a number of bills about public water systems, but they are the only two to specifically mention ‘security’ in their description blurb. I will specifically be watching these two for chemical security or cybersecurity measures, but I’m not holding my breath.

The National TechCorps will only be of interest hear if it specifically deals with cybersecurity matters.

DHS Announces PNT Study

Yesterday the DHS Science and Technology Directorate (S&T) and DHS National Protection and Programs Directorate (NPPD published a brief notice in the Federal Register (81 FR 65390) announcing a study to define and validate current and future positioning, navigation, and timing (PNT) requirements for critical infrastructure. The requirements defined and validated by the study will support key decisions in the development of complementary PNT solutions.

The announcement notes that:

“Accurate PNT is essential for critical infrastructures across the country. Currently, the Global Positioning System (GPS) is the primary source of PNT information. However, GPS signals are susceptible to both unintentional and intentional disruption leaving critical infrastructure vulnerable to operational impacts from disruptions. Due to the essential need for precise timing within many of the critical infrastructure sectors, DHS will initially focus the study on timing requirements within the electricity and wireless communications sectors. Subsequently, DHS will engage additional sectors and expand the study to include positioning and navigation requirements.”

DHS is currently soliciting participants in the electricity and wireless communications sector. Interested parties should contact John Dragseth, NPPD, DHS,, 703-235-9467; or Sarah Mahmood, S&T, DHS,, 202-254-6721.
/* Use this with templates/template-twocol.html */