Wednesday, May 24, 2017

Frank R. Lautenberg Chemical Safety for the 21st Century Act

Yesterday the Environmental Protection Agency (EPA) sent a notice of proposed rulemaking (NPRM) to the OMB’s Office of Information and Regulatory Affairs (OIRA) for review. The NPRM implements the requirements of §6(b)(1) of the Frank R. Lautenberg Chemical Safety for the 21st Century Act (PL 114-182; 130 Stat 461) for the establishment of a process for the prioritization of risk evaluations.

The TSCA revisions outlined in that Act were generally supported by both the chemical industry and the environmental activism community. This will be the first major set of implementing regulations and it will be interesting to see how far the support for those continues. There have already been a number of official meetings between the EPA staff and organizations representing the regulated community concerning this rulemaking. Interestingly, all of those meetings occurred during the Obama Administration.


It will be interesting to see how long it takes OIRA to approve this rulemaking. Their workload has been generally light since Trump took office (42 rulemakings submitted/13 approved), but this will certainly be a controversial rulemaking that could take some time to wade through, particularly given Trump’s attitude about regulations.

Tuesday, May 23, 2017

ICS-CERT Publishes 3 Advisories

Today the DHS ICS-CERT published two industrial control system advisories for products from Rockwell and Moxa. They also published a medical control system advisory for products from B Braun Medical. The Rockwell advisory was previously published on the NCCIC Portal on April 25th, 2017. The Braun Medical advisory was previously published on the NCCIC Portal on March 23rd, 2017.

B Braun Medical Advisory


This advisory describes an open redirect vulnerability on the B Braun Medical SpaceCom module. The vulnerability was reported by Marc Ruef and Rocco Gagliardi of scip AG. Braun has produced a software update that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to allow URL redirection to untrusted web sites.

Rockwell Advisory


This advisory describes multiple vulnerabilities in the Allen-Bradley MicroLogix 1100 and 1400 PLCs. Three of the vulnerabilities were reported by David Formby and Raheem Beyah of Georgia Tech and Fortiphyd Logic, Inc with the last one being reported by Ilya Karpov of Positive Technologies. Rockwell has provided a firmware update for one of the affected products and recommends disabling the web server as an alternative and/or additional mitigation measure. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The reported vulnerabilities are:

• Predictable value range from previous values - CVE-2017-7901;
• Reusing a nonce, key pair in encryption - CVE-2017-7902;
• Information exposure - CVE-2017-7899;
• Improper restriction of excessive authentication attempts - CVE-2017-7898; and
• Weak password requirements - CVE-2017-7903

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerabilities to gain unauthorized access to the affected programmable logic controllers and to spoof or disrupt TCP connections.

Moxa Advisory


This advisory describes three vulnerabilities in the Moxa OnCell IP gateways. The vulnerabilities were reported by Maxim Rupp. Moxa reports that the latest version of two of the products mitigates the vulnerabilities and provides a workaround for the remainder. There is no indication that Rupp was provided an opportunity to verify the efficacy of the fix.

The reported vulnerabilities are:

• Improper restriction of excessive authentication attempts - CVE-2017-7915;
• Plain text storage of a password - CVE-2017-7913; and
• Cross-site request forgery - CVE-2017-7917


ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities, using brute force to determine the parameters needed to access the application. An attacker may also obtain credentials from files that store passwords in clear text.
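Both the Rockwell and the Moxa advisories above list "improper restriction of excessive authentication attempts", and ICS-CERT's Moxa summary spells out the consequence: brute forcing the parameters needed to reach the application. The following is an added example, not code from the advisories or from either vendor, showing the two defender-side pieces that weakness class implies: a sliding-window detector run over constructed gateway authentication log lines (the log format is an assumption, not Moxa's or Rockwell's), and a lockout policy a login handler would consult so that a source cannot keep guessing. The thresholds and window are illustrative assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (assumed generic format, not real vendor output).
# A single source makes five failures in four seconds, then succeeds; a second
# source fails twice more than five minutes apart, which is normal user behaviour.
SAMPLE_LOG = """\
2017-05-23T10:00:01 gateway auth failed user=admin src=10.0.0.7
2017-05-23T10:00:02 gateway auth failed user=admin src=10.0.0.7
2017-05-23T10:00:02 gateway auth failed user=root src=10.0.0.7
2017-05-23T10:00:03 gateway auth failed user=admin src=10.0.0.7
2017-05-23T10:00:04 gateway auth failed user=admin src=10.0.0.7
2017-05-23T10:00:05 gateway auth ok user=admin src=10.0.0.7
2017-05-23T10:00:09 gateway auth failed user=operator src=10.0.0.20
2017-05-23T10:07:30 gateway auth failed user=operator src=10.0.0.20
"""

WINDOW = timedelta(minutes=5)   # assumed detection / lockout window
THRESHOLD = 5                   # assumed number of failures that trips the rule


def parse_line(line):
    """Return (timestamp, outcome, user, src) for an auth line, else None."""
    parts = line.split()
    if len(parts) < 6 or parts[2] != "auth":
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    fields = dict(p.split("=", 1) for p in parts[4:] if "=" in p)
    return ts, parts[3], fields.get("user"), fields.get("src")


def detect_bruteforce(log_text, window=WINDOW, threshold=THRESHOLD):
    """Detection side: count failures per source over a sliding window.

    Returns {src: timestamp of the failure that first reached the threshold}.
    Failures older than `window` fall out of the count, so slow, spread-out
    mistakes by a real operator do not alert.
    """
    recent = defaultdict(deque)
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, outcome, _user, src = rec
        if outcome != "failed":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


class LockoutPolicy:
    """Mitigation side: what a login handler consults before checking a password.

    Lockout is keyed on the source address rather than the account so an
    attacker cannot lock legitimate operators out of a shared account simply
    by failing on purpose.
    """

    def __init__(self, window=WINDOW, threshold=THRESHOLD,
                 lockout=timedelta(minutes=15)):   # lockout length is assumed
        self.window, self.threshold, self.lockout = window, threshold, lockout
        self.failures = defaultdict(deque)
        self.locked_until = {}

    def attempt(self, src, ts, credentials_ok):
        """Record one login attempt; return 'locked', 'ok' or 'failed'."""
        until = self.locked_until.get(src)
        if until is not None and ts < until:
            return "locked"            # refuse without even evaluating credentials
        if credentials_ok:
            self.failures[src].clear()
            return "ok"
        q = self.failures[src]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            self.locked_until[src] = ts + self.lockout
            q.clear()
        return "failed"


if __name__ == "__main__":
    for src, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"brute-force pattern from {src}, threshold reached at {when}")
```

Run as a script, the detector reports only 10.0.0.7; the operator at 10.0.0.20 never crosses the threshold inside one window. The same window and threshold feed `LockoutPolicy`, so what the detector flags after the fact is exactly what the login handler would have refused in real time.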

PHMSA Publishes GPAC Meeting Notice

Today the DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) published a meeting notice in the Federal Register (82 FR 23714-23715) for a meeting of the Gas Pipeline Advisory Committee (GPAC). The meeting will be held in Arlington, VA on June 6th and 7th, 2017. The meeting is open to the public.

The meeting will provide the advisory committee a chance to review the PHMSA rulemaking on the safe operation of gas transmission and gathering pipelines. The notice of proposed rulemaking (NPRM) was published on April 8th, 2016.

PHMSA is suggesting that people who wish to attend the meeting (no web cast is planned) should register no later than June 2nd. People wishing to submit written comments may do so through the Federal eRulemaking Portal (www.Regulations.gov; Docket # PHMSA-2016-0136). This is the same docket used to receive comments on the NPRM.

Commentary


While President Trump has been vociferously anti-regulation in general, there were a number of provisions in the NPRM that were specifically required by Congress, so in some form this rulemaking will proceed. It will be interesting to see if the GPAC is asked to provide suggestions for the two regulations that will presumably be revoked to allow this rulemaking to proceed.


Monday, May 22, 2017

HR 2518 – CG Authorization – Markup Hearing

Today the House Transportation and Infrastructure Committee announced that there would be a markup hearing on Wednesday. Among the bills to be marked up will be HR 2518, the Coast Guard Authorization Act of 2017.


I have not reviewed HR 2518 here because there is nothing of specific interest to readers of this blog. I will continue to watch HR 2518 (and S 1119, its Senate counterpart) for any amendments that might address cybersecurity, the MTSA program, or chemical transportation safety or security.

ICS-CERT Updates WannaCry Alert Again (#5)

For the fifth consecutive business day ICS-CERT has updated its WannaCry Alert that was originally published on May 15th, 2017. Today’s update includes:

• Updates of two previously issued Siemens Security Advisories (Imaging and Diagnostics Products; and Laboratory Diagnostics Products);
• Adds a new Siemens Security Advisory (Ultrasound Products); and
• A link to a Honeywell Security Update.

I have not mentioned it to date because I have been expecting ICS-CERT or US-CERT to mention this in their alerts (they have not done so as of yet), but Siemens has been reporting since their first advisory publication that there are actually six vulnerabilities involved in the WannaCry malware. Those are:

• CVE-2017-0143 - Windows SMB Remote Code Execution Vulnerability (Input Validation);
• CVE-2017-0144 - Windows SMB Remote Code Execution Vulnerability (Input Validation);
• CVE-2017-0145 - Windows SMB Remote Code Execution Vulnerability (Input Validation);
• CVE-2017-0146 - Windows SMB Remote Code Execution Vulnerability (Input Validation);
• CVE-2017-0147 - Windows SMB Information Disclosure Vulnerability (Information Leak / Disclosure); and
• CVE-2017-0148 - Windows SMB Remote Code Execution Vulnerability (Input Validation)


I’m not sure that this really provides much in the way of actionable information. Both the Mitre CVE and NIST CVE listings for these CVEs are dated from before the WannaCry outbreak. The Microsoft TechCenter reports for these CVEs are also dated, still reporting that there have been no exploits of the vulnerabilities.

Committee Hearings – Week of 05-21-17

With both the House and Senate in Washington this week the focus will start to be on the FY 2018 budget. Other topics will also be addressed in Congressional hearings including one cybersecurity hearing.

Potentially Interesting Budget Hearings


With the President’s FY 2018 budget heading to the Hill this week we will be starting to see a series of hearings on that budget request. Some of the hearings that may be of particular interest to readers of this blog include:

• US Cyber Command (House) – Tuesday;
• DOT (House) – Wednesday;
• DHS (House) – Wednesday; and
• DOD (Senate) – Wednesday.

Cybersecurity


Okay, ‘cybersecurity’ will really be one of the (major) sub-texts of this hearing. On Tuesday the Cybersecurity Subcommittee of the Senate Armed Services Committee will be holding a hearing on ‘Cyber Posture of the Services’. The witness list includes:

• Vice Admiral Marshall B. Lytle III, USCG
• Vice Admiral Michael M. Gilday, USN
• Lieutenant General Paul M. Nakasone, USA
• Major General Christopher P. Weggeman, USAF
• Major General Loretta E. Reynolds, USMC


I expect that there will be passing references to WannaCry and perhaps some obscure references to industrial control system security issues.

Friday, May 19, 2017

ICS-CERT Updates WannaCry Alert Again (#4)

For the fourth day in a row the DHS ICS-CERT updated their alert for the WannaCry ransomware. It was originally published on Monday and the latest update was yesterday. Today’s update adds links to WannaCry notifications from the following vendors:

Tridium; and


The update also provides a link to a general WannaCry support document from Siemens Healthineers. This document and a further linked Siemens blog post provide a good technical discussion of the WannaCry problem and solutions, including links to Microsoft updates for ‘unsupported’ (outdated?) Windows operating systems still in use by Siemens Healthineers (and too many other industrial control) products.