Tuesday, December 6, 2016

ICS-CERT Publishes Two Advisories

Today the DHS ICS-CERT published two control system security advisories for products from Locus Energy and Tesla Motors.

Locus Energy Advisory

This advisory describes a command injection vulnerability in the Locus Energy LGate application. The vulnerability was reported by Daniel Reich. Locus Energy has produced a firmware update to mitigate the vulnerability. The update will be remotely installed by Locus Energy upon request. There is no indication that Reich has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to take control of an LGate device that has its web server port publicly exposed.

This advisory was originally posted to the US-CERT secure Portal library on September 29, 2016.

Tesla Motors Advisory

This advisory describes a gateway ECU vulnerability in the Tesla Motors (Tesla) Model S automobile. The vulnerability was reported by Tencent’s Keen Security Lab. Tesla has produced an over-the-air firmware update to mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix. ICS-CERT reports that the update has been available since September 18th.

ICS-CERT reports that it would be difficult to craft an exploit for this vulnerability as it would require a complex chain of exploits, “including a web browser compromise, local privilege escalation, and custom-built firmware”. A successful exploit would allow an attacker to remotely control the vehicle’s software and driving functions.

Monday, December 5, 2016

Committee Hearings – Week of 12-04-16

The House and the Senate are both in Washington for what could be the last week of the 114th Congress. As you would suspect, the hearing schedule is light, but there is one hearing on transportation security that might be of interest to readers of this blog.

Transportation Security

The Surface Transportation and Merchant Marine Infrastructure, Safety, and Security Subcommittee of the Senate Commerce, Science and Transportation Committee will be holding a hearing on Wednesday on “Assessing the Security of Our Critical Transportation Infrastructure”. This hearing will focus on surface transportation. The witness list includes:

• John Roth, Inspector General, DHS;
• Chief Neil Trugman, Interim Chief of Police, Amtrak;
• Mr. Chris Spear, President and CEO, American Trucking Association;
• Mr. Tony Straquadine, Manager of Commercial and Government Affairs, Alliance Pipeline; and
• Mr. Tom Belfiore, Chief Security Officer, Port Authority of New York and New Jersey.

Obviously, nothing will come of this hearing this session, but the information will carry over to help shape how the staff deals with transportation security issues in the next session. As is usual, watching the questions is more important than listening to the testimony.

On the Floor

The only item scheduled for a vote in the House or Senate this week that is of specific interest to readers of this blog is the Continuing Resolution to continue funding the government past the current FY 2017 funding that expires on December 9th. The current ‘plan’ is to pass a short-term measure that carries the current funding rate some time past the Trump inauguration, to allow the new President to have input on the final FY 2017 spending bill.

The House Majority Leader does note that the current schedule of items to be considered under suspension of the rules may not be complete. We will have to watch for changes on a daily basis. I half expect HR 6381, the DHS ‘improvement’ bill, to be added to the list.

Friday, December 2, 2016

House Adopts S 2943 Conference Report – 2017 NDAA

Today the House accepted the Conference Report on S 2943, the FY 2017 National Defense Authorization Act (NDAA), by a strongly bipartisan vote of 375 – 34. The cybersecurity provisions of both HR 4909 and the Senate version of S 2943 were included in the final version with some modifications.

Cybersecurity Provisions

The cybersecurity provisions in the bill included (the page numbers refer to the explanation of the provision in the Conference Report):

Sec. 1641 [HR 4909, §1631] Special emergency procurement authority to facilitate the defense against or recovery from a cyber attack (pg 2717);
Sec. 1642 [S 2943, §1633] Limitation on termination of dual-hat arrangement for Command of the United States Cyber Command (pg 2717);
Sec. 1643 [S 2943, §1632] Cyber mission forces matters (pgs 2717-8);
Sec. 1644 [HR 4909, §1633] Requirement to enter into agreements relating to use of cyber opposition Forces (pg 2718);
Sec. 1645 [S 2943, §1631] Cyber protection support for Department of Defense personnel in positions highly vulnerable to cyber attack (pg 2718);
Sec. 1646 [HR 4909, §1634] Limitation on full deployment of joint regional security stacks (pg 2719);
Sec. 1647 [HR 4909, §1637] Advisory committee on industrial security and industrial base policy (pgs 2719-20);
Sec. 1648 [HR 4909, §1632] Change in name of National Defense University’s Information Resources Management College to College of Information and Cyberspace (pg 2720);
Sec. 1649 [S 2943, §1635] Evaluation of cyber vulnerabilities of F–35 aircraft and support systems (pg 2720);
Sec. 1650 [S 2943, §1637 and §1634] Evaluation of cyber vulnerabilities of Department of Defense critical infrastructure (pg 2721);
Sec. 1651 [HR 4909, §1639] Strategy to incorporate Army reserve component cyber protection teams into Department of Defense cyber mission force (pg 2721);
Sec. 1652 [S 2943, §1636] Strategic plan for the Defense Information Systems Agency (pgs 2721-2);
Sec. 1653 [S 2943, §1638] Plan for information security continuous monitoring capability and comply-to-connect policy; limitation on software licensing (pg 2722);
Sec. 1654 [S 2943, §1639 and §1640] Reports on deterrence of adversaries in cyberspace (pgs 2722-3); and
Sec. 1655 [HR 4909, §1638] Sense of Congress on cyber resiliency of the networks and communications systems of the National Guard (pg 2723).

Control System Security

Control system security is now addressed in two of those sections: §1644 and §1650.

Section 1644 addresses the use and training of cyber opposition forces in military exercises. The Conference Committee added a new subsection (c) that calls for the development of a joint training program and certification “for the protection of control systems”. The development is to be completed by June 30th, 2017.

Section 1650 addresses the evaluation of cyber vulnerabilities within DOD critical infrastructure. It incorporates the ‘cyber informed methodologies’ that I discussed earlier. That terminology is not actually used, but the pilot program required in subsection (b) and the tools for that pilot described in subsection (e) clearly apply to those types of methodologies.

Moving Forward

The Senate is likely to take up the Conference Report next week. They are very likely to accept the report under their unanimous consent procedures.

Bills Introduced – 12-01-16

Yesterday, with both the House and Senate in lame duck session, there were 23 bills introduced. Of those only one may be of specific interest to readers of this blog:

HR 6418 To amend certain provisions of the Safe Drinking Water Act, and for other purposes. Rep. Latta, Robert E. [R-OH-5]

This will be covered only if it addresses the facility security requirements for water treatment facilities.

ICS-CERT Publishes 5 Advisories

Yesterday ICS-CERT published five new control system security advisories for products from Siemens, Moxa, Advantech, Mitsubishi Electric, and Smiths-Medical. They also published an update for an earlier Siemens product advisory.

Smiths-Medical Advisory

This advisory describes two vulnerabilities in the Smiths-Medical CADD-Solis Medication Safety Software. The vulnerabilities were reported by Andrew Gothard of Newcastle upon Tyne Hospitals NHS Foundation Trust. Smiths-Medical has produced new versions of the software and ICS-CERT reports that an independent investigator has verified the efficacy of the fix.

The reported vulnerabilities are:

• Incorrect permission assignment for critical resource - CVE-2016-8355; and
• Man-in-the-middle - CVE-2016-8358

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to add users, delete users, and modify permissions, as well as modify drug libraries.

Advantech Advisory

This advisory describes multiple vulnerabilities in the Advantech SUSIAccess Server. The vulnerabilities were reported by rgod via the Zero Day Initiative. Advantech no longer supports SUSIAccess and recommends the purchase of new software to mitigate these vulnerabilities. There is no indication that rgod has been provided an opportunity to verify the efficacy of the fix.

The reported vulnerabilities are:

• Information exposure - CVE-2016-9349;
• Path traversal - CVE-2016-9351; and
• Permission, privileges and access control - CVE-2016-9353

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to manipulate files or execute arbitrary code.

Mitsubishi Electric Advisory

This advisory describes two vulnerabilities in the Mitsubishi Electric MELSEC-Q series Ethernet interface modules. The vulnerabilities were reported by Vladimir Dashchenko of Critical Infrastructure Defense Team, Kaspersky Lab. Mitsubishi Electric has produced a new version that provides a mitigating control (IP filtering) for one of the vulnerabilities (the cryptographic vulnerability will not be addressed). ICS-CERT reports that there are publicly available exploits for these vulnerabilities.

The reported vulnerabilities are:

• Use of a broken or risky cryptographic algorithm - CVE-2016-8370; and
• Unrestricted externally available lock - CVE-2016-8368

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to intercept weakly encrypted passwords and conduct a denial-of-service attack.

ICS-CERT has added two new recommended practices to this advisory that I do not recall having seen before:

• Implementing IPsec can be used to encrypt communication pathways.
• Asset owners may wish to consider implementing a Bump-in-the-Wire (BitW) solution to improve security.

Moxa Advisory

This advisory describes multiple vulnerabilities in the Moxa NPort serial device servers. The vulnerabilities were reported by Reid Wightman of RevICS Security, Mikael Vingaard, and Maxim Rupp. At least some of the vulnerabilities were reported in an earlier ICS-CERT alert based upon a Digital Bond Labs report. Moxa has produced new firmware versions to mitigate the vulnerabilities in all but one of the devices (no longer supported). There is no indication that any of the researchers have been provided an opportunity to verify the efficacy of the fix.

The reported vulnerabilities are:

• Credential management - CVE-2016-9361;
• Permissions, privileges and access control - CVE-2016-9369;
• Classic buffer overflow - CVE-2016-9363;
• Cross-site scripting - CVE-2016-9371;
• Cross-site request forgery - CVE-2016-9365;
• Improper restriction of excessive authentication attempts - CVE-2016-9366;
• Plain text storage of a password - CVE-2016-9348; and
• Resource exhaustion - CVE-2016-9367

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to allow “the complete compromise of an affected system”.

Siemens Advisory

This advisory describes multiple vulnerabilities in the Siemens SICAM PAS. The vulnerabilities were reported by Ilya Karpov and Dmitry Sklyarov of Positive Technologies and Sergey Temnikov and Vladimir Dashchenko of Kaspersky Lab. Siemens has produced an update to mitigate some of the vulnerabilities; additional future patches are expected. There is no indication that any of the researchers have been provided an opportunity to verify the efficacy of the fix.

The reported vulnerabilities are:

• Use of hard-coded credentials - CVE-2016-8567;
• Storing passwords in a recoverable format - CVE-2016-8566;
• Files or directories accessible to external parties - CVE-2016-9156; and
• Weaknesses that affect memory - CVE-2016-9157

Siemens reports in their security advisory that the first two vulnerabilities do not exist in the latest version of SICAM PAS. They also provide mitigating controls for the other two vulnerabilities pending development of further updates.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to cause a denial-of-service condition or to execute arbitrary code.

BTW: This is the advisory that I briefly mentioned on Tuesday.

Siemens Update

This update provides updated affected version information and information on a new version that reportedly mitigates the vulnerability. The original version of this advisory was published last June.

This is the update that I mentioned briefly on Tuesday. It appears that ICS-CERT did provide an earlier version of this update on Tuesday, but it is not clear what that update may have addressed since it is no longer available on the ICS-CERT website and I missed its publication. There was not an intermediate update from Siemens between their original version and the latest one that provides the information in this update.

Wednesday, November 30, 2016

House Passes S 546, the RESPONSE Act

Yesterday the House passed S 546, the RESPONSE Act, by a voice vote. There was less than five minutes of debate on the bill; mainly praise for the leadership of the House Transportation and Infrastructure Committee’s efforts to refine the provisions of the bill.

The bill now goes back to the Senate for action on the amended language. The Senate will probably accept the House changes and send the bill to the President. This will most likely be accomplished under the Senate’s unanimous consent process. If the Senate does insist on their language, there is little chance that a conference committee could complete action before the 114th Congress’ final session sometime towards the middle of December.

HR 6393 Introduced – FY 2017 Intel Authorization

Last week Rep. Nunes (R,CA) introduced HR 6393, the Intelligence Authorization Act for Fiscal Year 2017. This bill is apparently a replacement for both HR 5077 (which passed in the House in a strongly bipartisan vote) and S 3017. Both of those bills have stalled in the Senate. I suspect that Nunes and his Committee staff have coordinated with their Senate counterparts to remove/revise any provisions from the earlier bill that have held up consideration.

The cybersecurity intelligence report on US port operations requirement from HR 5077 remains in the new bill. Interestingly Dr. Andy Ozment, the Assistant Secretary for Cybersecurity and Communications at the Department of Homeland Security (DHS), published an opinion piece on CSOOnline.com Monday that describes the ICS-CERT response to a cyberattack on a US port control system earlier this year. Other than failing to note that there are only 13 of the vulnerable systems in use worldwide, the article does describe the ICS-CERT process fairly concisely.

HR 6393 is scheduled to be considered on the floor of the House today under the suspension of rules provisions. This provides for limited debate and no amendments from the floor. This bill should pass with strong bipartisan support. I suspect that the Senate will take up the bill under their unanimous consent procedures before the end of the lame duck session.