Friday, May 24, 2013

Bills Introduced – 05-23-13


With the Memorial Day Recess coming up there was a typical surge in the number of bills introduced yesterday. Of that large number of bills two will probably be of interest to the chemical security and cybersecurity communities. They are:

S 1034 Latest Title: A bill to authorize appropriations for fiscal year 2014 for military activities of the Department of Defense and for military construction, to prescribe military personnel strengths for such fiscal year, and for other purposes. Sponsor: Sen Levin, Carl (D,MI)

HR 2146 Latest Title: To extend the Terrorism Risk Insurance Program of the Department of the Treasury for 10 years. Sponsor: Rep Capuano, Michael E. (D,MA)

The military spending bill may provide cybersecurity language. It will be interesting to see if the latest terrorism insurance extension bill (this one with a large number of bipartisan co-sponsors) corrects the deficiencies I’ve noted in the two earlier bills.

DHS ITF IdeaScale Cybersecurity Project – System Registration


This is part of a continuing series of blog posts about the latest DHS-IdeaScale project to open a public dialog about homeland security topics. This dialog addresses the DHS Integrated Task Force project to help advance the DHS implementation of the President’s Cybersecurity Framework outlined in EO 13636. The earlier post in this series was:


Yesterday I posted a new ‘idea’ for discussion on the DHS/IdeaScale Integrated Task Force Collaboration Community (ITFCC). This idea is actually a two parter:

• Identifying high-risk control systems; and
• Registering high-risk control systems with ICS-CERT to get earlier warnings of zero-day vulnerabilities.

High-Risk Cyber Systems

I’m going to ignore information systems here; those can be dealt with by different controls and procedures. I’m going to concentrate on control systems because it is only through their unauthorized manipulation that a cyber-attacker can cause widespread physical damage to society. This high-consequence risk provides a legitimate societal concern with the security of such systems.

Even at a high-risk, high-consequence facility, not all control systems or even their components have an equal potential to cause catastrophic off-site consequences. Society has a legitimate interest in seeing adequately secured only those portions of the cyber-systems controlling physical processes that could cause off-site catastrophic consequences. Identifying and perhaps isolating those high-consequence components will help to prioritize where to spend the time, money and manpower to ensure that the systems are adequately secured against attack or unintentional failure. Of course, any other components of the overall cyber-system that allow for access to those critical components become critical in their own right.

A prime prerequisite of any serious cybersecurity program must be to identify those components that provide a determined attacker the capability to cause widespread physical harm via a computer-controlled system.

Zero-Day Vulnerability Warnings

If society has a strong interest in the prevention of attacks on high-consequence control systems, they also have a concomitant obligation to provide assistance to the owners of such systems in the protection of those systems. One such critical form of assistance is the notification of system owners when a zero-day vulnerability (ZDV) is discovered in their protected system.

There is a legitimate argument to be made that the widespread dissemination of information about ZDVs increases the risk to cyber-systems because it is generally easier to exploit a ZDV than to mitigate one, particularly since the skill sets necessary to develop a mitigation strategy are frequently not found in-house at critical infrastructure facilities.

A targeted distribution of ZDV knowledge to high-consequence installations using the vulnerable systems avoids a certain amount of the danger associated with providing ZDV information to various adversaries. But to accomplish this the ZDV information distribution agency must know what facilities have what control system components deployed in critical installations. This requires the registration (voluntary or otherwise) of those components with an organization like ICS-CERT.

If ICS-CERT were to have this information, when they were contacted with information about an ICS ZDV they could (immediately after notifying the vendor of the vulnerability, if the information comes from a researcher) notify those facilities deploying the vulnerable system in a high-consequence application. For those facilities without in-house or contract control system security capabilities, ICS-CERT could provide assistance in setting up interim security processes while waiting for the vendor to rectify the vulnerability.

Public Participation

A quick reminder here that the whole ITFCC program requires public participation in the suggestion, discussion, selection and implementation process. The ITFCC web site is a forum for suggesting and discussing ideas that could become parts of the process for the security of critical infrastructure cyber-systems. Failing to participate in that process makes it less likely that you will be satisfied with the products of that process; products that you may be compelled to employ.

Take a couple of minutes and look at my latest idea and the other ideas currently under discussion at the site. Provide comments where you feel appropriate; become part of the discussion. Vote up or down on all of the ideas that you feel you can or cannot live with. And more importantly, provide your own ideas on how we as a society can increase the security of the cyber-systems that are an integral part of our everyday lives.

Thursday, May 23, 2013

PHMSA Pipeline Public Awareness Workshop


The Pipeline and Hazardous Material Safety Administration published a notice in today’s Federal Register (78 FR 30964-30965) concerning an upcoming public workshop “to bring pipeline safety stakeholders together to discuss ways to improve public awareness outreach” on pipeline safety. The two day meeting will start on June 19th and will be held in Richardson (Dallas), TX.

This workshop is part of the PHMSA outreach on its incorporation by reference of the American Petroleum Institute’s (API) Recommended Practice (RP) 1162, "Public Awareness Programs for Pipeline Operators (1st edition)." The goals of the workshop, according to the PHMSA web site, include:

• Provide an overview of the public awareness program and discuss recent inspection findings;
• Understand what's working and not working with RP 1162 (1st edition) from various stakeholder perspectives (industry, pipeline operators, public, emergency response officials, local public officials, and excavators);
• Share ways to improve public awareness outreach efforts; and
• Discuss the path forward for improving public awareness.

The public is invited to attend this workshop or view the webcast (Again, I heartily endorse any effort by agencies of the Federal government to utilize webcasts to extend the range of participation in any public meeting; NPPD PLEASE NOTE). The registration form for the workshop provides for both public and virtual attendance, or even follow-up information if not able to attend.

Bills Introduced – 05-22-13


Congress was busy yesterday with a fairly large number of bills introduced. One in particular will probably be of interest to the chemical security/safety community:

S 1009 Latest Title: A bill to reauthorize and modernize the Toxic Substances Control Act, and for other purposes. Sponsor: Sen Lautenberg, Frank R. (D,NJ)

This bill has been widely mentioned in the press because of the wide political range of its co-sponsors and at least initial support by the chemical industry.

There is one other bill that I just have to mention in passing because of its obvious internal contradictions. I won’t be mentioning this bill again.

HR 2113 Latest Title: To end the practice of including more than one subject in a single bill by requiring that each bill enacted by Congress be limited to only one subject, and for other purposes [emphasis added]. Sponsor: Rep Marino, Tom (R-PA) (introduced 5/22/2013)

You just can’t make stuff up like this.

ICS-CERT Publishes CODESYS Gateway Advisory


Yesterday afternoon DHS ICS-CERT published an advisory about a ‘use after free’ vulnerability in the CODESYS Gateway application. The vulnerability was reported by Nicholas Miles in a coordinated disclosure.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability to conduct a DOS or execute arbitrary code. CODESYS has developed an update to mitigate this vulnerability and Miles has verified its efficacy.

The Advisory notes that the Gateway application is used by multiple vendors in other products and that many integrators use the application in developing integrated automation systems. The Advisory includes the following recommendation:

“Control systems vendors should review their products, identify those that incorporate the affected software, and take appropriate steps to update their products and notify customers.”

Readers might recognize that this is exactly the type of situation that I had referred to in my recommendation on the Integrated Task Force Collaboration Community site. While CODESYS has probably notified the system vendors to whom they have sold this system, it is not clear that all of the system owners of integrator-built systems would get notified of their exposure to this vulnerability.
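One way to model the registration-and-targeted-notification scheme proposed in the ITFCC idea above, including the case this advisory illustrates where the vulnerable component ships inside other vendors’ and integrators’ products, as an added Python example that is not part of the original post and not ICS-CERT’s own process; every product name, version and facility in it is a constructed placeholder:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Deployed:  # one registered component at a facility (constructed data)
    facility: str
    product: str
    version: tuple                    # e.g. (2, 3, 9)
    high_consequence: bool            # drives a process with off-site consequences
    reaches: frozenset = frozenset()  # products at the same site it can access

# Constructed supply-chain map: product -> products that embed it, the situation
# the advisory describes for a gateway component reused in other vendors' products.
EMBEDDED_IN = {"ExampleGateway": {"IntegratorHMI", "VendorB-SCADA"}}

def affected_products(product):
    """The product itself plus everything that (transitively) embeds it."""
    seen, todo = set(), [product]
    while todo:
        p = todo.pop()
        if p not in seen:
            seen.add(p)
            todo.extend(EMBEDDED_IN.get(p, ()))
    return seen

def notify_list(registry, product, fixed_version):
    """Facilities to warn about a flaw in `product` fixed in `fixed_version`,
    most urgent first. Tier 0: vulnerable component in a high-consequence role.
    Tier 1: it can reach one (critical in its own right). Tier 2: other exposure."""
    exposed = affected_products(product)
    # facility -> high-consequence products registered there
    critical = {f: {d.product for d in registry if d.facility == f and d.high_consequence}
                for f in {d.facility for d in registry}}
    hits = []
    for d in registry:
        if d.product not in exposed:
            continue
        # Direct deployments at or above the fixed version are cleared; products that
        # merely embed the component stay listed until their own vendor confirms a fix.
        if d.product == product and d.version >= fixed_version:
            continue
        tier = 0 if d.high_consequence else (
            1 if d.reaches & critical[d.facility] else 2)
        hits.append((tier, d.facility, d.product))
    return sorted(hits)
REGISTRY = [  # constructed sample registrations
    Deployed("Plant A", "ExampleGateway", (2, 3, 9), True),
    Deployed("Plant B", "ExampleGateway", (2, 3, 9), False, frozenset({"SafetyPLC"})),
    Deployed("Plant B", "SafetyPLC", (1, 0), True),
    Deployed("Plant C", "ExampleGateway", (2, 4, 0), True),   # already upgraded
    Deployed("Plant D", "IntegratorHMI", (3, 1), False),      # embeds the gateway
]
```

Calling `notify_list(REGISTRY, "ExampleGateway", (2, 4, 0))` lists Plant A first, then Plant B (whose gateway is not itself critical but can reach a safety controller that is), then Plant D, which never bought the gateway directly and would otherwise be missed.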

Wednesday, May 22, 2013

PHMSA Resumption of Transportation NPRM


The Pipeline and Hazardous Material Safety Administration (PHMSA) published a notice of proposed rulemaking (NPRM) in today’s Federal Register (78 FR 30258-30266) implementing Congressional requirements for the agency’s enhanced enforcement procedures resumption of transportation rules. These requirements were set forth in §33009 of MAP 21 (PL 112-141).
The NPRM would:

• Clarify the Department's position with respect to perishable hazardous material, by amending the opening of packages provision of the Department's hazardous materials procedural regulations for the opening of packages, emergency orders, and emergency recalls;
• Recognize the special characteristics and handling requirements of perishable hazardous material by clarifying that an agent will stop or open a package containing a perishable hazardous material only after the agent has utilized appropriate alternatives;
• Codify the statutory notification requirement in HMTSIA by incorporating into the regulations the Department's current notification procedures from the operations manual that was developed in conjunction with the PHM-7 final rule; and
• Add a new provision to address appropriate equipment for inspectors.

Public comments on this NPRM are being solicited by PHMSA. Public comments may be filed via the Federal eRulemaking Portal {www.Regulations.gov; Docket #PHMSA-2012-0259 (HM-258B)}. Comments must be received by July 22nd, 2013.

BTW: The MAP-21 requirements include a mandate for the Secretary to have these regulations finalized by July 6th, 2013; an unrealistic requirement if there ever was one and one that will obviously not be met.

ICS-CERT Closes Mitsubishi Alert


Late Monday afternoon the DHS ICS-CERT published a new advisory for the Mitsubishi MX Component that closed the book on the alert for that equipment that was issued last month. Both documents address an ActiveX buffer overflow vulnerability that was discovered by Derek Betker and Dr Ide, who published exploit code for the vulnerability on the OSVDB.org web site.

ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to execute a DOS attack or arbitrary code. Mitsubishi recommends upgrading the equipment to MX Component version 4.3, which is not affected by this vulnerability.