Saturday, November 28, 2015

Supervisory Chemical Security Inspector Openings

Yesterday the DHS National Protection and Programs Directorate (NPPD) published a job listing for seven Supervisory Chemical Security Inspectors. The job listing closes next Thursday, December 13th, 2015.

Multiple Locations

Interestingly, there are twenty potential locations listed for the seven job openings. The locations listed can be found in the following states:

• Arkansas;
• California;
• Florida;
• Louisiana;
• Minnesota;
• North Carolina;
• Ohio;
• Oklahoma;
• Pennsylvania;
• South Carolina; and
• Texas.

Ammonium Nitrate Security Program?

The most interesting part of the announcement can be found in the Job Summary portion near the top of the page:

“Are you interested in a job where your primary purpose will be to plan, organize, schedule and conduct on-site inspections of ammonium nitrate facilities? Then consider joining the Field Operations Branch, Inspections and Enforcement Branch (I&EB), Infrastructure Security Compliance Division (ISCD), Office of Infrastructure Protection (IP), National Protection and Programs Directorate (NPPD), Department of Homeland Security (DHS).”

I reported earlier that the Ammonium Nitrate Security Program rulemaking had been moved to the ‘Long Term Action’ section of the Unified Agenda. That would seem to indicate that there would be no near term (next year at least) action on publishing a final rule. The reason, of course, is that DHS is having a hard time figuring out a cost effective method of meeting the Congressional mandate (see 6 USC Subchapter VII, Part J) to “regulate the sale and transfer of ammonium nitrate by an ammonium nitrate prevent the misappropriation or use of ammonium nitrate in an act of terrorism”. In fact, the Appropriations Committees of both the House and Senate have suggested that the folks at ISCD should craft a new NPRM instead of trying to twist the previous NPRM into a workable final rule.


While the first two duties listed in the job listing deal directly with security of ammonium nitrate facilities, the CFATS program is mentioned in one of the five job duties listed:

“Providing policy analysis, oversight, and technical expertise on legislation and regulations to the national Chemical Facility Anti-Terrorism Standards program by assessing, interpreting and implementing regulatory requirements.”

Then when we look at the qualifications requirements for being considered for this position we see the requirement for at least one year’s experience in:

• Evaluating subordinate chemical inspector preparation, performance, and reporting on chemical facility inspections;
• Reporting on chemical facilities by utilizing the Chemical Facility Anti-Terrorism Standards (CFATS);
• Collaborating and maintaining working relationships with business and industry representatives, Federal, State and local government agencies, and internal and external stakeholders to resolve problematic issues and ensure legal compliance; and
• Supervising the work performance of other chemical facility inspectors.

Moving Forward

It looks like DHS is looking to establish the initial cadre of folks that will be starting up the Ammonium Nitrate Security Program. Since it looks like these folks will probably be hired from the existing pool of GS 13 Chemical Security Inspectors, I doubt that it will take the normal six to nine months to fill these positions. So it looks like we may see some movement (at long last) on establishing the ANSP.

BTW: The ANSP final rule was supposed to be finished in 2008, according to the authorizing legislation. DHS only managed to get the comment period on the ANPRM completed by December 29th, 2008. This has been much more difficult than Congress ever imagined.

Tuesday, November 24, 2015

ICS-CERT Publishes Two Advisories

This afternoon the DHS ICS-CERT published two control system advisories for systems from Eaton’s Cooper and Moxa.

Eaton’s Cooper Advisory

This advisory describes an IEEE conformance issue involving improper frame padding in Eaton’s Cooper Power Systems Form 6 controls and Idea/IdeaPLUS relays equipped with Ethernet. The vulnerability was reported by David Formby and Raheem Beyah of Georgia Tech. An updated version of the systems (associated with another recent ICS-CERT Advisory) has been confirmed by the researchers to be free of the vulnerability.

ICS-CERT reports that a relatively unskilled attacker with network access to unencrypted packets would be able to read the leaked data.
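A padding check an asset owner could run over captured frames, added here as an illustration (it is not code from the advisory, the vendor or the researchers). It assumes the issue shows up as non-zero bytes after the end of the IPv4 datagram in short frames; the sample frames and the `LEFTOVER` marker are constructed.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100          # 802.1Q tag, skipped if present

def frame_padding(frame: bytes) -> bytes:
    """Return the bytes that follow the IPv4 datagram in an Ethernet II frame (FCS stripped)."""
    if len(frame) < 18:
        raise ValueError("frame too short for an Ethernet header")
    offset = 14
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype == ETHERTYPE_VLAN:                  # inner EtherType follows the 2-byte TCI
        (ethertype,) = struct.unpack_from("!H", frame, 16)
        offset = 18
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 frames are handled")
    if len(frame) < offset + 20:
        raise ValueError("frame too short for an IPv4 header")
    (total_len,) = struct.unpack_from("!H", frame, offset + 2)   # IPv4 total length
    end = offset + total_len
    if total_len < 20 or end > len(frame):
        raise ValueError("IPv4 total length inconsistent with captured frame")
    return frame[end:]

def audit_padding(frames):
    """List (index, pad length, pad hex) for every frame whose padding is not all zero."""
    findings = []
    for i, frame in enumerate(frames):
        pad = frame_padding(frame)
        if any(pad):
            findings.append((i, len(pad), pad.hex()))
    return findings

def build_frame(pad: bytes, vlan: bool = False) -> bytes:
    """Constructed test frame: zero MACs, 20-byte IPv4 header, 8-byte payload, then pad."""
    tag = struct.pack("!HH", ETHERTYPE_VLAN, 1) if vlan else b""
    eth = bytes(12) + tag + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + ip + bytes(8) + pad

# Constructed samples: 42 bytes of headers and payload need 18 pad bytes to reach 60.
CLEAN = build_frame(bytes(18))
LEAKY = build_frame(bytes(10) + b"LEFTOVER")
LEAKY_VLAN = build_frame(bytes(6) + b"LEFTOVER", vlan=True)

if __name__ == "__main__":
    for finding in audit_padding([CLEAN, LEAKY, LEAKY_VLAN]):
        print(finding)
```

Run it against frames captured on the wire from the device under test; frames captured on the sending host itself are often recorded before the network interface adds padding.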

This advisory was published on the US CERT Secure Portal on October 22nd, 2015. Again, the early notification is available to all critical infrastructure owners and legitimate researchers granted access by ICS-CERT. See bottom of the ICS-CERT landing page for information on how to apply for this access.

This is the second advisory for this sort of issue. Both were based upon reports by Formby and Beyah. How many more systems will they find with this vulnerability? Who knows, perhaps vendors should start looking themselves? Or not. Maybe Formby and Beyah can build a startup business on their technique for finding this vulnerability and then expand it into other areas of vulnerability research. I seem to recall another team that started out in a similar manner.

BTW: Eaton’s Cooper calls this a TCP/IP protocol stack vulnerability. It sounds a little bit more impressive, but perhaps not quite as descriptive.

Moxa Advisory

This advisory describes two vulnerabilities in the Moxa OnCell Central Manager Software. The vulnerabilities were reported through the Zero Day Initiative by Andrea Micalizzi. Moxa has produced a new version but there is no indication that Micalizzi has been provided an opportunity to verify the efficacy of the fix.

The two vulnerabilities are:

• Use of hard-coded credentials - CVE-2015-6481; and
• Authentication by-pass issues - CVE-2015-6480.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to gain full system access.

BTW: The Moxa release notes on the new version do list the authentication by-pass issue, but do not mention the hard-coded credentials.

Saturday, November 21, 2015

S 2276 Introduced – Safe Pipes Act

Earlier this month Sen Fischer (R,NE) introduced S 2276, the Securing America’s Future Energy: Protecting our Infrastructure of Pipelines and Enhancing Safety (SAFE PIPES) Act. The bill authorizes expenditures for the DOT’s Pipeline and Hazardous Material Safety Administration’s (PHMSA) pipeline safety programs. It also requires a number of pipeline related studies and reports to Congress and some relatively minor rulemakings.

Reports to Congress

Section 3 of the bill requires the Secretary of Transportation to report to Congress on the status of a number of rulemaking activities required by Congress. Specifically mentioned are final rules required by Pipeline Safety Regulatory Certainty and Job Creation Act of 2011 (PL 112–90). Those include:

• Integrity management {§5(f)};
• Leak detection {§8(b)}; and
• Accident and incident notification {§9(a)}.

Other reports required in the bill include:

• Natural gas integrity management review {§5};
• Hazardous liquid integrity management review {§6};
• Study on improving location mapping technology {§9};
• Workforce of pipeline and hazardous materials safety administration {§10}; and
• Nationwide integrated pipeline safety regulatory database {§13}.

New Regulation Requirements

This bill would require the Secretary to initiate a number of new rulemaking requirements, including:

• Underground natural gas storage facilities safety standard {§14}; and
• Defining the Great Lakes as an ecological resource under 49 CFR 195.6(b) {§16}.

Pipeline Security

There is one minor reference to pipeline security issues in the bill. Section 17 of the bill requires the GAO to conduct a surface transportation security review that specifically addresses “the staffing, resource allocation, oversight strategy, and management of the Transportation Security Administration’s pipeline security program and other surface transportation programs”.

Moving Forward

Fischer is the Chair of the Surface Transportation and Merchant Marine Infrastructure, Safety and Security Subcommittee of the Senate Commerce Science and Transportation Committee, so this bill will certainly be considered in Committee.

The bill does not contain any obviously controversial political riders that doom so many authorization bills, so it is likely that this bill (after being amended on the floor of the Senate) would be able to pass with substantial bipartisan support. It is possible that this bill will be considered in the Senate before the end of the year.

Friday, November 20, 2015

Fall 2015 Unified Agenda – DHS

Today the OMB’s Office of Information and Regulatory Affairs published the Fall 2015 Unified Agenda. This is the current listing of the status of significant rulemakings planned or underway. The Long-Term Actions portion of the Unified Agenda was also updated.

Active DHS Rulemaking

Of the DHS rulemakings only ten may be of specific interest to readers of this blog. They include:

• Protected Critical Infrastructure Information
• Petitions for Rulemaking, Amendment, or Repeal
• Chemical Facility Anti-Terrorism Standards (CFATS)
• Homeland Security Acquisition Regulation: Safeguarding of Sensitive Information; Information Technology Security and Privacy Training
• Updates to Maritime Security
• 2013 Liquid Chemical Categorization Updates
• Transportation Worker Identification Credential (TWIC); Card Reader Requirements
• Revision to Transportation Worker Identification Credential (TWIC) Requirements for Mariners
• Security Training for Surface Mode Employees
• Surface Mode Vulnerability Assessment and Security Plans

DHS Rulemakings in Fall 2015 Unified Agenda


Of those ten rulemakings under way only one is new to this issue of the Unified Agenda; Protected Critical Infrastructure Information (1601-AA77); an already existing program under the DHS National Protection and Programs Directorate (NPPD). The abstract for this rulemaking states:

“The Department of Homeland Security (DHS or the Department) invites public comment on the Advance Notice of Proposed Rulemaking (ANPRM) for potential revisions to the Protected Critical Infrastructure Information (PCII) regulations that provide the Department with the authority to establish uniform procedures for the receipt, care, and storage of Critical Infrastructure Information voluntarily submitted to the Department. For the purpose of maturing the program, DHS is initiating this rulemaking process to help it identify how to enhance the PCII regulation more effectively in achieving its regulatory objectives. DHS believes that after nine years of experience implementing the PCII program, DHS has gained first-hand insight on lessons learned, and that the ANPRM process provides expanded opportunities for the Department to hear and consider the views of interested members of the public on their recommendations for program modifications.”

What is not mentioned in the abstract is that this rulemaking for a long standing program is almost certainly driven by the rulemaking process under way from the National Archives and Records Administration (NARA) for Controlled Unclassified Information (CUI). The final rule for that has been submitted to OIRA and should be published this year. That rulemaking distinguishes between document control programs that are established by legislation or regulation and others that are just routine agency programs. Establishing a PCII rule allows DHS more control of marking, classification, destruction and distribution of the information. Without this rulemaking NPPD will have to loosen up many of their existing ‘rules’ about PCII.

Projected Dates

Each of the rulemaking listings in the Unified Agenda has a projected date for the Federal Register publication of the next step in the rulemaking process. Do not pay much attention to these; in fact, I would go so far as to say don’t pay any attention to these. They mean less than a politician’s election promises.

Some of these rulemaking activities date back to before 2007 (Security Training for Surface Mode Employees). Every six months a new Unified Agenda is published and a new set of dates is inked in. And the new dates continue to get missed; even if Congressional mandates are missed in the process.

Long Term Actions

There is a separate section of the Unified Agenda for ‘Long Term Action’. The rulemakings listed here were at one time or another listed on the main agenda, but even DHS bureaucrats could not stomach pretending that they were going to be allowed to do anything about these rulemakings. There are currently four rulemakings on the Long Term Action list that may be of specific interest to readers of this blog:

• Ammonium Nitrate Security Program
• Amendments to Chemical Testing Requirements
• Protection of Sensitive Security Information
• Drivers Licensed by Canada or Mexico Transporting Hazardous Materials to and Within the United States

DHS Long Term Actions

Rulemaking activities flip back and forth between this list and the main Unified Agenda. For example, the Ammonium Nitrate Security Program and the Protection of Sensitive Security Information rulemakings were on the 2015 Spring Unified Agenda. The CFATS and the Updates to Maritime Security Rulemaking were on the 2015 Spring Long Term Actions list.

The one thing that you can probably safely expect (no guarantees here) is that a rulemaking on the Long Term Actions list will not be acted upon until at least after the next Unified Agenda is published in the Spring. But, don’t bet your rent money on that; this is all subject to changing political conditions.

Thursday, November 19, 2015

ICS-CERT Publishes Tibbo Advisory

This afternoon the DHS ICS-CERT published a control system advisory for the Tibbo AggreGate SCADA/HMI package. The twin unrestricted upload of file with dangerous type vulnerabilities were reported through the Zero Day Initiative by Andrea Micalizzi (rgod). Tibbo has produced a new version to mitigate the vulnerability, but there is no indication that Micalizzi has been provided the opportunity to verify the efficacy of the fix.

ICS-CERT reports that at least one of the vulnerabilities can be remotely exploited by a relatively unskilled attacker. A successful exploit of either vulnerability could allow the attacker to execute arbitrary code and commands.

There seems to be an irregularity between the version number of the updated version reported in the advisory and the updates available on the Tibbo web site. ICS-CERT reports that owners should upgrade to 5.30.06. The Tibbo web site indicates that 5.30.06 is a pre-release version of the program. I suspect that that is because Tibbo has not updated their web site to account for people needing to upgrade due to the vulnerabilities reported in this advisory. Certainly there is nothing on their web site about the problem.

Bills Introduced – 11-18-15

There were 42 bills introduced in the House and Senate yesterday. Along with a proposed declaration of war against the Islamic State, and a number of Syrian refugee bills there was one bill that may be of specific interest to readers of this blog:

HR 4057 To amend title 18, United States Code, to establish a criminal violation for using false communications with the intent to create an emergency response, and for other purposes. Rep. Clark, Katherine M. [D-MA-5]

HR 4057 would seem to address a local problem that is typically addressed by State and local laws. Unless, of course, it dealt specifically with Federal emergency response organizations. This is not likely to see further coverage in the blog unless something interesting is being included in that “and for other purposes” tacked on at the end.

Tuesday, November 17, 2015

ICS-CERT Published Exemys Advisory

This afternoon the DHS ICS-CERT published a control system advisory for the Exemys Telemetry Web Server. The login bypass vulnerability described in the advisory was reported by Maxim Rupp. ICS-CERT reports that Exemys “has not produced a patch to mitigate this vulnerability”.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to access information on the server.

The only unique mitigation measure for this vulnerability comes from ICS-CERT with no clear instructions on how to effect the proposed measure. The measure that ICS-CERT recommends is:

“ICS-CERT recommends implementing a single point login that cannot be bypassed.”

It is unusual for ICS-CERT not to be at least a little more forthcoming about why there is not now (and presumably won’t be in the near future) a vendor provided patch or upgrade. While Exemys is headquartered in Argentina, there is no mention of difficulties contacting the organization or that they disagree with the reported vulnerability. A dispassionate observer would probably be excused for assuming that Exemys is not concerned about the existence of this vulnerability.