Thursday, March 26, 2015

ICS-CERT Published Schneider Advisory

Today the DHS ICS-CERT published an advisory for multiple vulnerabilities in two Schneider Electric products, InduSoft WebStudio and InTouch Machine. The vulnerabilities were reported by Gleb Gritsai, Ilya Karpov, and Kirill Nesterov of Positive Technologies Security Lab and independent researcher Alisa Esage Shevchenko. Schneider has produced patches for the products, but there is no indication that the researchers were given the opportunity to verify the efficacy of the fix.

The vulnerabilities include:

∙ Hard-coded credentials - CVE-2015-0996;
∙ Authentication - CVE-2015-0997; and
∙ Clear-text transmission of sensitive information - CVE-2015-0998 and CVE-2015-0999.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to execute arbitrary code. They also mention that there may be exploits for these vulnerabilities publicly available.

Schneider published separate advisories for the two product lines (here and here). The two advisories are nearly identical and neither mentions publicly available exploits. They were also both published over a month ago. There is no indication of why ICS-CERT only recently got the information.

Bills Introduced – 03-25-15

The House and Senate introduced 65 bills yesterday. Only one of those will be of specific interest to readers of this blog:

S 859 - A bill to protect the public, communities across America, and the environment by increasing the safety of crude oil transportation by railroad, and for other purposes. Sen. Cantwell, Maria [D-WA]

While the official GPO copy of this bill is not yet available, the press release from Cantwell’s office makes it clear that this is one of the most comprehensive bills yet introduced addressing the safety of crude oil trains. The lack of bipartisan sponsorship of this bill almost ensures that it will not be taken up during the current session; unless, of course, there is a deadly crude oil train wreck in this country.

Wednesday, March 25, 2015

Bills Introduced – 03-24-15

Yesterday the House and Senate introduced 65 bills. Only two of those may be of specific interest to readers of this blog:

HR 1560 - To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes. Rep. Nunes, Devin [R-CA-22]

S Res 110 - A resolution expressing the sense of the Senate about a strategy for the Internet of Things to promote economic growth and consumer empowerment. Sen. Fischer, Deb [R-NE]

While the official copy of HR 1560 has not yet been published by the GPO, the House Intelligence Committee does have a copy of the bill, a summary, and a section-by-section review of the bill available on their web site. I have not yet had a chance to do a complete review of the bill, but it does specifically include industrial control systems in its definition of information systems {§11(8)(b)}.

This will be the last mention of S Res 110. The bill was introduced and passed yesterday in the Senate. It was passed by unanimous consent in the closing minutes of yesterday’s session. No vote was taken and there were probably few members even present. Again the official copy of the resolution has not been printed by the GPO, but Sen. Fischer has a copy on her web site.

The bill was a feel-good statement of the ‘sense of the Senate’ that the Internet of Things is a good thing to be encouraged in a way that “maximizes the promise connected technologies hold to empower consumers, foster future economic growth, and improve our collective social well-being”. The closest thing to a statement about the concerns relating to security of the IoT is found in the closing statement exhorting innovators to “commit to improving the quality of life for future generations by developing safe [emphasis added], new technologies aimed at tackling the most challenging societal issues facing the world”. Please save us from well-meaning but technologically inept politicians.

DHS Sends UAV Best Practices Notice to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a best practices notice from DHS for review. This was not listed in the latest Unified Agenda (notices typically are not) so there is no specific information about this proposed publication.

I would suspect that this is part of a DHS effort to establish internal controls about the appropriate use of unmanned aerial vehicles. It will be interesting to see how long it takes OIRA to approve the publication of this notice.

Tuesday, March 24, 2015

ICS-CERT Updates GE HART Device DTM Advisory

Today ICS-CERT published an update of the GE and MACTek version of the HART Device DTM advisory. No changes have yet been published for the similar advisories for systems from Emerson, Honeywell, Magnetrol, and Pepperl+Fuchs or for the latest update of the CodeWrights advisory. The update provides new information in three separate areas of the advisory.

Updated Impact Information

The first area changed deals with the ‘Impact Information’ section of the advisory. A new paragraph has been inserted in between the two paragraphs found on the original:

“The buffer overflow exploited could be used to execute arbitrary code on the system running the Frame Application. The researcher has provided proof of concept to ICS-CERT and the vendor. The updated HART Device DTM provided by the GE and MACTek will resolve this issue. Successful exploitation requires that the Frame Application is running and connected to a DTM‑configured HART‑based device at the time of the exploit.”

Since no change was made to the initial paragraph of the advisory, this vulnerability still does not appear to affect the “information, control, or view by the control system of the HART devices on the 4-20 mA HART Loop”.

Vulnerability Overview

The second section to be changed is the ‘Vulnerability Overview’ section of the ‘Vulnerability Characterization’ portion of the advisory. One sentence has been added to the existing initial paragraph:

“Overflow involved could be used to execute arbitrary code on the system running the Frame Application.”

Probably more importantly, the CVSS base score was changed from 1.8 to 6.8 and the vector string has been changed from (AV:A/AC:H/Au:N/C:N/I:N/A:P) to (AV:A/AC:H/Au:N/C:C/I:C/A:C). None of the above data is reflected in the current version of CVE-2014-9203, which was last updated on February 9th, 2015, four days after the original GE advisory was published.


The final area changed is the addition of two paragraphs to the ‘Mitigation’ section of the advisory. They were added after the listing of available updates:

Device DTM software with the identified vulnerable versions listed as impacted should be used only within an offline secure network until patched. ICS-CERT strongly recommends performing configuration changes in a nonproduction environment where proper testing and risk evaluation can be performed. ICS-CERT also recommends that asset owners employ a least privilege practice and avoid unnecessary services within their production environment.
Some processes may require continual configuration changes. ICS-CERT recommends asset owners maintain all software with the latest security releases, limit connections outside the control process, and monitor approved connections for suspicious traffic.

The second paragraph sounds like generic advice. Much of the first paragraph is also generic, but it is a tad more strongly worded than we normally see in an ICS-CERT advisory. The strengthened verbiage seems appropriate based upon the additional scope of the vulnerability described earlier in the revised advisory.

GE Advisory

I went back to see if the changes found in this revision were also reflected in the advisory published by GE. Unfortunately there is a security certificate problem with the GE Advisory. Microsoft provides a warning that there is a mismatch between the address on the site (Https:// ) and the address on the certificate (Https:// ).

If you ignore the warning and open the file anyway you find that GE has not updated their advisory since the original ICS-CERT advisory was published last month. (Note: the link from the earlier version of this advisory now takes one to the same certificate-conflicted site.)


There have been a number of odd things about the way that ICS-CERT has handled this vulnerability, almost from the get-go. We now have six separate advisories for a vulnerability in a DLL library common to all of the affected systems, and there are at least three separate versions of the advisory found in the six current versions.

I have never used a HART-based system and I am certainly not a control systems engineer, but it really looks like ICS-CERT is having problems coordinating the facts about this issue with the various vendors involved. It could be, of course, that the conflicts are due to different implementations of the library. If that is the case, it would be helpful if ICS-CERT would make that matter public.

As it stands now it looks like this is an ICS-CERT issue, not a vendor issue.

Monday, March 23, 2015

HR 1290 Introduced – Rail Hazmat Rerouting

As I mentioned in an earlier post, Rep. Ellison (D,MN) recently introduced HR 1290. The bill (which lacks a catchy title) would require a study of the “impact of diverting certain freight rail traffic to avoid urban areas”.

The bill starts {§1} out with 3+ pages of ‘Congressional Findings’ about the hazards associated with moving crude oil trains (particularly those originating in the Bakken region). Nothing new or noteworthy here.

Section 2 of the bill provides the meat of the matter. It requires {§2(a)} the DOT Secretary to “make appropriate arrangements with the Transportation Research Board of the National Academies" to conduct a study “on the cost and impact of rerouting freight rail traffic containing hazardous material to avoid transportation of such hazardous material through urban areas”. Unlike most proposed legislation that requires the conduct of a study, this bill specifically {§2(e)} authorizes $850,000 for the conduct of the study.

With all of the ‘findings’ set up in section one, it is interesting to note that there is no mention of crude oil in the study requirements. It specifically refers to “hazardous material” and, to ensure the broadest possible scope for the study, the bill uses the definition of that term from 49 USC 5102, which in turn refers to 49 USC 5103(a). That paragraph states:

“The Secretary shall designate material (including an explosive, radioactive material, infectious substance, flammable or combustible liquid, solid, or gas, toxic, oxidizing, or corrosive material, and compressed gas) or a group or class of material as hazardous when the Secretary determines that transporting the material in commerce in a particular amount and form may pose an unreasonable risk to health and safety or property.”

Incidentally, this study would go well beyond the hazmat route planning requirements of 49 CFR 820(c). The routing requirements in that section apply to a small subset of the urban areas described in this bill (“urban area, as designated by the Bureau of the Census, with a population of greater than 30,000”) {§2(d)(2)} and to an even smaller subset of the hazardous materials described in that section. Even then, routes through High Threat Urban Areas may be considered acceptable as presenting the ‘least overall safety and security risk’.

Since this is a study bill that pushes off any report to the next Congress (21 months from the date of passage), it is unlikely that there will be any major objections to this bill. As I have mentioned so many times, however, lack of objections does not guarantee consideration of the bill, much less passage. Ellison is a Democrat and not a member of the House Transportation and Infrastructure Committee, so it is unlikely that that committee will take up the bill.

Committee Hearings – Week of 3-22-15

With both the House and Senate in Washington this week, the budget remains a big topic, both in Committee and on the Floor of the House. In addition there will be hearings on cybersecurity, UAVs and railroad safety.

Budget Hearings

Of specific interest to readers of this blog will be hearings on the budgets for


The House Rules Committee will also be holding a hearing this evening on the consideration of the Budget Resolution later this week by the Whole House.

It has been a while since there has actually been a budget resolution signed by the President. It will be interesting to see if the House can put together a bill that the Republican almost-controlled Senate can bring to a vote under regular order.


The Commerce, Manufacturing and Trade Subcommittee of the House Energy and Commerce Committee will hold a hearing on Tuesday and Wednesday on "H.R.__, Data Security and Breach Notification Act of 2015". A committee draft is available, but I have not yet had a chance to review it.

Unmanned Aerial Vehicles

The Aviation Operations, Safety, and Security Subcommittee of the Senate Commerce, Science and Transportation Committee will be holding a hearing on Tuesday on “Unmanned Aircraft Systems: Key Considerations Regarding Safety, Innovation, Economic Impact, and Privacy”. The witness list includes:

• Margaret Gilligan, Federal Aviation Administration;
• John B. Morris, Jr., National Telecommunications and Information Administration;
• Gerald Dillingham, Government Accountability Office;
• John Villasenor, The Brookings Institution;
• Paul Misener, Amazon, Inc.; and
• Jeff VanderWerff, the American Farm Bureau Federation

Looking at the witness list it would not seem that UAV operations over critical infrastructure will get much in the way of mention at this hearing.

Railroad Safety

The Senate Commerce Science and Transportation Committee will hold a business meeting on Wednesday that will include a markup of S.650, the Railroad Safety and Positive Train Control Extension Act.

I have just briefly reviewed this bill and, as expected, it would extend the current positive train control (PTC) installation deadline from December of this year until 2020 and provide authority to the Secretary of Transportation to further extend that deadline on a case-by-case basis until 2012.