Thursday, December 18, 2014

ICS-CERT Publishes 2 Advisories and 2 Updates

Today the DHS ICS-CERT published advisories for vulnerabilities in Honeywell’s Experion Process Knowledge System and Innominate mGuard and updated previously issued advisories for Siemens and Emerson control systems.

Emmerson Update

This update clarifies information that was published in an update two weeks ago. The earlier update added a new vulnerability to the advisory and the wording implied that the previously issued update mitigated that vulnerability as well. There was an interesting twitversation about this wording and it appears that someone may have been listening (a good thing).

ICS-CERT now clarifies that the patch mitigates all but the recently added authentication bypass vulnerability. That vulnerability is what requires the use of the third-party secure router for mitigation. There is also some interesting changes in the wording about the use of that router. Originally ICS-CERT reported that:

“Emerson asserts that by adding the EDR810 between the host and the field device it is virtually impossible for an attacker to eavesdrop on communications or falsify commands.”

The new wording is a bit less bombastic and limited in the claims:

“At this time, Emerson recommends that concerned asset owners install the EDR 810 between the host and the field device to mitigate this vulnerability.”

I suspect that someone’s lawyer got involved.

Siemens Update

This is the update that I described on Tuesday.

Innominate Advisory

This advisory describes a self-reported privilege escalation vulnerability in the Innominate mGuard devices. They have produced a firmware patch that reportedly mitigates the vulnerability.

ICS-CERT reports that a moderately skilled attacker who has admin privileges on the system could remotely exploit this vulnerability to increase those to root privileges to execute arbitrary commands. Innominate reports that in most installations the personnel with admin and root privileges are the same so that this vulnerability would have no effect in those cases.

BTW: Innominate also reported that there is a denial of service vulnerability found in a slightly different set of mGuard devices because of the way they use OpenVPN connection to
tunnel IPSec packets. I wonder why ICS-CERT didn’t publish an advisory for this vulnerability since it was also published yesterday by Innominate.

Honeywell Advisory

This advisory describes five vulnerabilities in the Honeywell  Experion Process Knowledge System (EPKS) application. The vulnerabilities were reported by  Alexander Tlyapov, Gleb Gritsai, Kirill Nesterov, Artem Chaykin and Ilya Karpov of the Positive Technologies Research Team and Security Lab. ICS-CERT reports that Honeywell have developed patch updates for the affected products, but does not say that the researchers have validated the efficacy of the patches.

The five vulnerabilities include:

• Heap-based buffer overflow - CVE-2014-9187;
• Stack-based buffer overflow - CVE-2014-9189;
• Arbitrary memory write - CVE-2014-5435;
• Directory transversal - CVE-2014-5436; and
• File inclusion - CVE-2014-9186


ICS-CERT reports that a moderately skilled attacker could remotely exploit these vulnerabilities to effect remote code execution or potential information disclosure. I can find no information on the public Honeywell web site about these vulnerabilities.

HR 4007 – Expedited Approval Facility

This is part of a continuing discussion of the recently passed HR 4007, Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014. In this post I will be looking at new expedited approval facility provisions of HR 4007. The previous postings in this series were:


One of the suggested methods for reducing the backlog of site security plan approvals has been that there ought to be a simpler method for smaller, lower threat facilities to get their site security plan (SSP) approved. One suggested method has been to use a system similar to what the EPA uses for water treatment facility security; the facility would certify that it meets the security requirements specified in the Risk Based Performance Standards guidance document. Congress took this basic idea and made it a little bit more complicated when they created the expedited approval facility (EAF) program in §2102(c)(4).

DHS Requirements

To start this program off, the bill requires the Secretary to accomplish two tasks within 180 days of the bill being signed into law. They are:

● Issue guidance for expedited approval facilities that identifies specific security measures that are sufficient to meet the risk-based performance standards {§2102(c)(4)(B)(i)}; and

● Develop prescriptive site security plan templates with specific security measures to meet the risk-based performance standards under subsection (a)(2)(C) for adoption and certification by a covered chemical facility assigned to tier 3 or 4 in lieu of developing and certifying its own plan.

Actually the second item is permissive not required and there is no actual time limit associated with the Department’s publication of templates. I’ve included it here for two reasons; it is specifically mentioned in the EAF program {§2102(c)(4)(A)(ii)}and Congress gave the same exemption from the regulatory approval process that it gave the Secretary for development of the EAF guidance (see the previous post in this series for more details on this exemption).

After a facility makes its site security plan submission (as described below) DHS has 100 days {§2102(c)(4)(G)(i)(II)}to make a determination that the submitted plan if ‘facially deficient’, otherwise the plan is considered approved. The term ‘facially deficient’ means that the {§2101(7)}:

(S)ite security plan that does not support a certification that the security measures in the plan address the security vulnerability assessment and the risk-based performance standards for security for the facility, based on a review of—

(A) the facility’s site security plan;
(B) the facility’s Top-Screen;
(C) the facility’s security vulnerability assessment; or
(D) any other information that—
(i) the facility submits to the Department; or
(ii) the Department obtains from a public source or other source

I’m not sure how the good folks at ISCD are going to get this review system set up, but they have been specifically authorized by this bill to employ contractors for conducting this sort of review (not making the final go/no go decision – that’s a purely governmental responsibility). Whether they can get it set up in time is a question for a future date. From the facility point of view, if they can’t get the review done in 100 days, it doesn’t matter; the plan is automatically approved.

Owner Requirements

Things get a little more complicated from the owner’s point of view. Let’s talk timelines first. The starting point for timelines for existing CFATS facilities that have had their security vulnerability assessments accepted by ISCD and have been assigned to Tiers 3 or 4 is 210 days after the bill becomes law (which is 30 days after ISCD is supposed to have their guidance document published). Facilities notified of their tier ranking after the bill is signed start on the date of their tier notification.

Facilities have 120 days to submit their site security plan and certification that the plan conforms to the guidance provided by ISCD. At least 30 days before the certification is sent, the facility must notify ISCD that they intend to certify as an expedited approval facility {§2102(c)(4)(D)(iii)}. Actually the certification is just a tad bit more complicated than that; the owner/operator certifies that {§2102(c)(4)(C)}:

(i) the owner or operator is familiar with the requirements of this title and part 27 of title 6, Code of Federal Regulations, or any successor thereto, and the site security plan being submitted;

(ii) the site security plan includes the security measures required by subsection (b);

(iii)
(I) the security measures in the site security plan do not materially deviate from the guidance for expedited approval facilities except where indicated in the site security plan;
(II) any deviations from the guidance for expedited approval facilities in the site security plan meet the risk-based performance standards for the tier to which the facility is assigned; and
(III) the owner or operator has provided an explanation of how the site security plan meets the risk based performance standards for any material deviation;

(iv) the owner or operator has visited, examined, documented, and verified that the expedited approval facility meets the criteria set forth in the site security plan;

(v) the expedited approval facility has implemented all of the required performance measures outlined in the site security plan or set out planned measures that will be implemented within a reasonable time period stated in the site security plan;

(vi) each individual responsible for implementing the site security plan has been made aware of the requirements relevant to the individual’s responsibility contained in the site security plan and has demonstrated competency to carry out those requirements;

(vii) the owner or operator has committed, or, in the case of planned measures will commit, the necessary resources to fully implement the site security plan; and

(viii) the planned measures include an adequate procedure for addressing events beyond the control of the owner or operator in implementing any planned measures.

I expect that we will see the certification as a form in CSAT with check marks in the appropriate places. Oops, maybe not as the bill clearly states that the certification must be “signed under penalty of perjury”. So I guess this will probably be another sign and send to ISCD form.

Compliance


This post is starting to get more than a little long, so I’ll look at the compliance issues in another post.

Coast Guard Cybersecurity Standards RFI

Today the Coast Guard published a notice in the Federal Register (79 FR 75574-75575) requesting comments on the development of guidance for maritime cybersecurity standards. This RFI is closely associated with last Friday’s meeting notice (79 FR 73896-73897) about a January 15th public meeting in Washington, DC on the same topic.

The summary for the RFI notes that:

The Coast Guard is developing policy to help vessel and facility operators identify and address cyber-related vulnerabilities that could contribute to a Transportation Security Incident. Coast Guard regulations require certain vessel and facility operators to conduct security assessments, and to develop security plans that address vulnerabilities identified by the security assessment. The Coast Guard is seeking public input from the maritime industry and other interested parties on how to identify and mitigate potential vulnerabilities to cyber-dependent systems. The Coast Guard will consider these public comments in developing relevant guidance, which may include standards, guidelines, and best practices to protect maritime critical infrastructure.

The Coast Guard is focusing their cybersecurity concerns on the prevention of Transportation Security Incidents (TSI). A TSI is defined in 33 CFR 101.105 to be “a security incident resulting in a significant loss of life, environmental damage, transportation system disruption, or economic disruption in a particular area”. This would probably indicate a more specific focus on cyber-physical systems rather than the mainly informational system focus of the NIST Cybersecurity Framework.

In requesting this information the Coast Guard is looking for answers to some specific questions. They include:

• What cyber-dependent systems, commonly used in the maritime industry, could lead or contribute to a TSI if they failed, or were exploited by an adversary?
• What procedures or standards do vessel and facility operators now employ to identify potential cybersecurity vulnerabilities to their operations?
• Are there existing cybersecurity assurance programs in use by industry that the Coast Guard could recognize? If so, to what extent do these programs address vessel or facility systems that could lead to a TSI?
• To what extent do current security training programs for vessel and facility personnel address cybersecurity risks and best practices?
• What factors should determine when manual backups or other non-technical approaches are sufficient to address cybersecurity vulnerabilities?
• How can the Coast Guard leverage Alternative Security Programs to help vessel and facility operators address cybersecurity risks?
• How can vessel and facility operators reliably demonstrate to the Coast Guard that critical cyber-systems meet appropriate technical or procedural standards?
• Do classification societies, protection and indemnity clubs, or insurers recognize cybersecurity best practices that could help the maritime industry and the Coast Guard address cybersecurity risks? 


Public comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # USCG-2014-1020). Comments should be submitted by February 17th, 2015. Reservations will be required for the January 15th public meeting. Reservations can be made via email (Josephine.A.Long@uscg.mil) and should be submitted by January 5th. There will be a live video feed available; access may be requested via the same email address.

Wednesday, December 17, 2014

HR 4007 – Current Site Security Plans

This is part of a continuing discussion of the recently passed HR 4007, Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014. In this post I will be looking at the effect that the passage of HR 4007 has on current site security plans. The previous postings in this series was:


Congress clearly intended that all of the 1370+ facilities with currently approved site security plans would not have to go back and redo those plans because of the passage of HR 4007:

“In the case of a covered chemical facility for which the Secretary approved a site security plan before the date of enactment of the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014, the Secretary may not require the facility to resubmit the site security plan solely by reason of the enactment of this title.” {§2102(c)(3)(B)}

What is not clear, however, is what the status of site security plans approved between the date the President signs the bill into law (“the enactment of this title”) and the time that the regulations are finally updated to take into account the changes required by HR 4007. Actually it may be slightly more complicated than that as there is still the date that the current authority for CFATS runs out and the new Title XXI takes effect 30 days after the enactment of the bill.

First 30 Days

Since the bill does not spell out what happens in this period, the Secretary has the discretionary authority to either continue current operations as is or suspend operations pending the effective date of Title XXI. I suspect that current operations will continue as before with the current approval process. It would be helpful if there were a statement to that effect from DHS.

DHS may give Tier 3 and Tier 4 facilities a choice as to whether or not they would prefer to wait and see what the expedited security plan process looks like. This is not required by the legislation, but it would certainly fit with the intent of the legislation. If I were a Tier 3 or Tier 4 facility manager early on in the SSP approval process, I think that I would ask my Chemical Security Inspector if that option was available.

Site security plans approved during this interregnum fall into somewhat of a grey area. They do not have the legal protection of §2102(c)(3)(B) so this falls back to the Secretary’s discretionary authority and that can be changed by a Secretarial whim, particularly if no guidance is published. I do not see any advantage to ISCD to change this at some future date, but I surely think that a successful terrorist attack on a facility with an SSP approved during this period would result in a quick change in policy.

Title XXI and Expedited Approvals

The other time period that is going to be fraught with some potential for conflicts is the time between the effective date of Title XXI and the issuance of the guidance for Expedited Approval Facilities document. Tier 3 and Tier 4 facilities with site security plans approved during that 180 day period will certainly be reviewing that guidance document and will be second guessing the cost of their security plans.

It is almost a certainty that some facilities will find that the EAF plan will be less expensive than the one approved by ISCD. There will be requests from facilities with approved plans to be able to opt out of those plans in favor of the EAF plan. It would be helpful if ISCD had a policy in place (publicly in place) on how they planned to deal with such requests.

Policy Decision

ISCD needs to make up its mind on how it intends to deal with these issues. No one expects that they will stop doing site security plan approvals while this is transition is underway; there has been just to much pressure to complete the SSP approval process. But they do owe it to the regulated community (and their physical and corporate neighbors) to be clear about how they will deal with the situations described above.

Many facilities awaiting SSP approvals have already spent the bulk of the money that their plans require so they have little incentive to wait out the publication of the EAF document. Facilities that are facing large future expenditures for their SSP will almost certainly want to take a wait and see attitude in the hope of lower cost compliance options. Making that decision effectively can only be done if all of the facts (in this case policy facts) are known.


Tuesday, December 16, 2014

ICS-CERT Publishes Schneider Advisory – Misses (again) Siemens Update

This afternoon the DHS ICS-CERT published a new advisory for five command injection vulnerabilities reported by Schneider last week and missed the latest BlackEnergy Siemens update for PCS 7.

Schneider Advisory

This advisory describes the five vulnerabilities reported by researchers Ariele Caltabiano, Andrea Micalizzi, and Brian Gorenc via ZDI in Schneider Electric’s ProClima software package. The ActiveX vulnerabilities are:

• MDraw30.ocx control, 3 vulnerabilities: CVE-2014-8513, CVE-2014-8514, and CVE-2014-9188;
• Atx45.ocx control , 2 vulnerabilities: CVE-2014-8511 and CVE-2014-8512.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to induce a buffer overflow situation that could allow for remote code execution. The link to Schneider advisory is currently reporting ‘http status 404’.

ICS-CERT reports that Schneider has produced an update that mitigates the vulnerabilities. The do not say that the researchers have verified the efficacy of the fix.

Siemens Update


This morning Siemens ProductCert tweeted that they had just updated their WinCC/PCS 7 advisory that ICS-CERT had previously linked with some of the BlackEnergy attacks.  Siemens reported that they had produced an update for PCS 7 V7.1 SP4. This only leaves WinCC V7.0 SP3 without a fix in place. Siemens is working on that and will further update their advisory when that becomes available. ICS-CERT will presumably get around to updating their advisory.

HR 4007 – Implementation Deadlines

This is part of a continuing discussion of the recently passed HR 4007, Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014. In this post I will be looking at the various implementation deadlines set by Congress. The previous postings in this series was:


Congress has been fairly vocal about the delays in getting site security plans approved, so it is not unexpected that there were a number of very specific implementation deadlines put into this legislation. Some of them are very tight deadlines that don’t take into consideration review requirements outside of DHS.

CFATS Repeal

The bill is very clear that, in general, the current CFATS regulations will continue in force with some changes. Section 2107(b)(1) states that “each existing CFATS regulation shall remain in
effect unless the Secretary amends, consolidates, or repeals the regulation”. And it is important to note that the term ‘existing CFATS regulation’ is specifically defined {§2101(5)} to include any guidance documents published in the Federal Register. This would include the Risk Based Performance Standards guidance document and the Clarification to Chemical Facility Anti-Terrorism Standards; Propane and presumably the current Agricultural Facilities Time Extension Notification.

Having given with the one hand, however, Congress required the Secretary of DHS to take away with another. In §2107(b) the bill would require that:

“Not later than 30 days after the date of enactment of the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014, the Secretary shall repeal any existing CFATS regulation that the Secretary determines is duplicative of, or conflicts with, this title.”

Now I have not had the time to go through the current regulations and see what if any of the current provisions of 6 CFR Part 27 may be “duplicative of, or conflicts with, this title”. Even though the bill has not yet been signed into law, I’m sure that the Secretary has at least a couple of lawyers looking at this requirement.

Unfortunately, even with the best of intentions and unlimited lawyer power, I am afraid that the Secretary is going to have a hard time meeting this deadline. Forgetting for the moment the amount of time lost to holidays and the resultant short staffing in any agency at this time of year, even if the Secretary meets the 30 day deadline to produce such a regulation change, it will probably take another 30 to 60 days for it to be processed through OMB.

Also, I’m not sure that this requirement is specific enough to allow the Secretary to avoid the publish and public comment process required by 5 USC 553.


Facility Outreach Program

Section 2109 give DHS just 90 days to establish an outreach program to help identify potential chemical facilities of interest (think back to the West Fertilizer incident) and to make “make available compliance assistance materials and information on education and training” {§2109(2)}. Since the Department has done a great deal of work on this topic since the publication of Executive Order 13650 (see requirement here) this requirement should be fairly simple to complete.

Expedited Approval Facilities

As I mentioned in my last post the Secretary is required to come up with a program to help Tier 3 and Tier 4 facilities expedite the site security plan approval process. This is essentially a program where the facility can self-certify that their plan meets the minimum risk based performance standards associated with a facility at their level of risk.

There are actually two prongs to this program, both of which DHS is required to have up and running within 180 days of the bill being signed. Both are set forth in §2102(c)(4). First it requires that the “Secretary shall issue guidance for expedited approval facilities that identifies specific security measures that are sufficient to meet the risk-based performance standards”{§2102(c)(4)(B)(i)}.

Then it allows the Secretary to “develop prescriptive site security plan templates with specific security measures to meet the risk-based performance standards under subsection (a)(2)(C) for adoption and certification” {§2102(c)(4)(H)(i)}.

To aid in DHS being able to meet this deadline Congress has allowed that the Department should not be subject to the administrative rulemaking provisions of 5 USC 553 (publish and comment requirements) or 44 USC Chapter 35, Subchapter I (clearance through OMB’s Office of Information and Regulatory Affairs). These exceptions to the regulatory process will certainly make things easier for ISCD to publish a final guidance document as they essentially have carte blanch to do things their way.

Congress could justify moving this outside of the normal rulemaking process because any Tier 3 or Tier 4 facility has the full option to use this expedited approval method in full or in part or not at all. This means that the guidance cannot ‘really’ be a burden on anyone.

Whistleblower Protections

One of the provisions that was added to this bill to make it easier to obtain bipartisan support was the whistleblower protections set forth in §2105. This requires the Secretary, within 180 days, to “establish, and provide information to the public regarding, a procedure under which any employee or contractor of a chemical facility of interest may submit a report to the Secretary regarding a violation of a requirement under this title” {§2105(a)(1)}.

Setting up the reporting and investigation mechanisms may be possible within the 180 day time frame, but this will also require the publication of a regulation (actually just an addition to 6 CFR 27) and Congress did not try to exempt DHS from the normal regulatory process for this requirement. Since this will place a potential ‘burden’ on every ‘chemical facility of interest’ (NOT just CFATS facilities) the normal process will have to be followed.

Various Reports


All of the remaining time deadlines for implementation processes deal with reports to Congress. And no one (besides some beleaguered staffers at ISCD and various congressional committees) cares about those. 

Sunday, December 14, 2014

HR 4007 – An Overview

While we are still waiting on the President to sign this bill into law (which he is fully expected to do considering the Administration’s vocal support of the measure) it would seem that this on-going discussion about HR 4007 should start with an overview of the provisions of the bill. The previous posting in this series was:


Table of Contents

The general layout of the bill includes five sections:

SEC 1. Short Title – Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014;
SEC 2. Chemical Facility Anti-Terrorism Standards Program – Codifies the CFATS program in 6 USC Title XXI;
SEC 3. Assessment; Reports – Provides for a series of reports to Congress about the performance of the program;
SEC 4. Effective Date; Conforming Repeal – Changes the authority for the CFATS program effective 30 days after this bill is signed into law; and
SEC 5. Termination – Provides for the termination (barring future Congressional action) of the CFATS program 4 years from the date the bill is signed.

The meat of the program is laid out in §2 with 9 new sections added to the US Code:

Sec. 2101. Definitions.
Sec. 2102. Chemical Facility Anti-Terrorism Standards Program.
Sec. 2103. Protection and sharing of information.–
Sec. 2104. Civil enforcement.
Sec. 2105. Whistleblower protections.
Sec. 2106. Relationship to other laws.
Sec. 2107. CFATS regulations.
Sec. 2108. Small covered chemical facilities.
Sec. 2109. Outreach to chemical facilities of interest.

What the Bill Does

First and foremost this bill codifies the CFATS program and takes it out of the annual renewal in the DHS spending bill process. It establishes a 4 year term for the program, subject to future renewals of this authorization by the Congress. In many ways it also makes it easier for Congress to make incremental changes to the program.

The legislation does add some new components to the current CFATS program, including (a more detailed discussion of these additions will be seen in future posts):

• An expedited approval process for site security plans at Tier 3 and Tier 4 facilities;
• The establishment of a whistleblower protection program;
• A requirement to include employee participation in the development of site security plans; and
• Special assistance programs for small chemical facilities.

Interestingly, for the two complicated new processes included in the expedited approval program the bill specifically exempts the Secretary from having to go through the ‘publish and public comment’ regulatory approval process. This is the only way that the tight timeline (180 days) for these two programs could be accomplished.

There is nothing in the bill that specifically repeals anything in the current program. It does, however, provide some more in depth guidance to clear up what has been seen as ‘problems’ within the program. These include (again more details in later posts):

• Additional guidance on the personnel surety program;
• Provision of specific authority to provide guidance on what security measures to include in a site security plan;
• Authority to use inspectors from other government agencies and contractors;
• Risk assessment methodology;
• Changes in Tiering;
• Clarification of enforcement authority; and
• Outreach to chemical facilities of interest.

What is Missing

If I had been writing this legislation there are some additional areas that I would have included to make this a truly comprehensive chemical facility security bill. These could have included:

• Guidance on updating the list of DHS Chemicals of Interest (COI; Appendix A to 6 CFR Part 27);
• Inclusion of the ammonium nitrate security program;
• Guidance on coordination with the Coast Guard on chemical security at MTSA facilities and the NRC on chemical security at nuclear power generation facilities;
• A clear definition of what railroad related facilities could be included in the facilities of interest definition;
• Some sort of discussion about cyber-security requirements; and
• Clear guidance on the status of agricultural facilities as potential facilities of interest.


What is good about the passage of HR 4007, however, is that the heavy lifting on chemical security has now been done and the details (like those mentioned above) can be dealt with on a piecemeal basis.
 
/* Use this with templates/template-twocol.html */