Thursday, July 24, 2014

NSTAC Meeting to Look at National Cyber Response

Today DHS published a meeting notice in the Federal Register (79 FR 43058-43059) concerning a public teleconference of the President’s National Security Telecommunications Advisory Committee (NSTAC) on August 13th, 2014. Briefing materials for the meeting will be available on the NSTAC web site on August 1st.

The current agenda includes reviews of the status of two on-going NSTAC studies:

• The needs, benefits, and operational efficacy of a national Information and Communications Technology mobilization capability in the face of a cyber-related event of national significance.
• The cybersecurity implications of the Internet of Things as it relates to national security and emergency preparedness.

Interestingly there is nothing in the mobilization capability scoping document that would seem to indicate that NSTAC is considering anything beyond IT type cyber incidents. While this is a telecommunications advisory committee, this still seems to be extremely short sighted.

Public comments on the above topics are being solicited by NSTAC. People wishing to make live comments on the teleconference need to register in advance. Written comments may be submitted via the Federal eRulemaking Portal (; Docket # DHS-2014-0032).

OMB Approves PHMSA Tank Car NPRM

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that they had approved the DOT’s Pipeline and Hazardous Material Safety Administration’s (PHMSA’s) notice of proposed rulemaking (NPRM) for Enhanced Tank Car Standards and Operational Controls for High-Hazard Flammable Trains (RIN: 2137-AE91).

It appears that the focus of this rulemaking has tightened significantly since the ANPRM was published last September. That is not unexpected given the number of high-profile crude oil train accidents in the last year.

Given the rapid review afforded this NPRM in OIRA, I would not be surprised to see this NPRM published in tomorrow’s Federal Register. Interestingly, a Hazardous Material Safety Action Plan on this topic published yesterday by DOT indicated that an advance notice of proposed rulemaking is due to be published as well. The only one that I have seen being submitted to OIRA on related topics is the one submitted last week on oil spill response plans. As of yesterday, OIRA had not taken any action on that ANPRM, though I expect that we will see that sooner rather than later.

Wednesday, July 23, 2014

TSA Abusing SSI Markings?

A hearing that I had ignored as being of no specific interest to readers of this blog became more interesting this afternoon. Tomorrow the House Committee on Oversight and Government Reform will hold a hearing to mark-up a lot of inconsequential (from a chemical security perspective) bills; mainly renaming bills. This afternoon the Committee added a completely unrelated matter to the hearing agenda; a review of a Committee Staff report on “Pseudo-Classification of Executive Branch Documents”.

This report provides a look at a variety of reports about TSA inappropriately using the Sensitive Security Information markings on various documents and videos for purposes unrelated to actual security issues. Glancing through the document I did not see anything that looked to me to be a particularly heinous abuse of power, but there did seem to be instances of improper use of the SSI markings.

If information sharing is to be anywhere near meaningful there will have to be a relatively free flow of information from the government to the governed. While there are legitimate instances where the government can and certainly should withhold sensitive or classified information from public disclosure, the authority to do so should be carefully constrained.

It will be interesting to see how far Chairman Issa (R,CA) pushes this particular investigation.

ICS-CERT Updates Two Advisories

This afternoon the DHS ICS-CERT published two updated advisories for control system vulnerabilities in Sierra Wireless AirLink products and various Siemens products. Both updates seem to be relatively minor changes to the ICS-CERT document. ICS-CERT does not report on the new information from Sierra Wireless, it just provides a link to the information.

Sierra Wireless Update

This advisory was originally published on January 8th, 2014 and has already been updated once. The purpose of today’s update was to include a link (.PDF download link) to an updated security advisory from Sierra Wireless. The earlier Sierra Wireless publication noted that they would investigate “methods to perform secure firmware updates remotely, and will provide information on this method when available”. The latest update (from May 28th; I wonder why it took ICS-CERT so long to update their advisory? I suspect that they were not informed by Sierra Wireless of the new information) provides those “details”:

• “Directly attaching a PC running the firmware update tool to the device via an Ethernet cable; or
• “Connecting to the device via VPN and performing the update over the VPN tunnel.”

I can see why it would take five months to come up with those useful techniques (SARCASM).

There is something even more interesting in the newest version of the Sierra Wireless documents that ICS-CERT missed in their update. To be fair, I also missed it in looking at the January Sierra Wireless document. The ICS-CERT advisory is specifically targeted at the ‘AirLink Raven X EV-DO product’. Sierra Wireless reports that the same vulnerability exists on the ‘Raven X, Raven XE, Raven XT, PinPoint X, PinPoint XT and MP Products’.

The ‘PinPoint’ products are all listed as “Discontinued, Not Supported” fortunately, the new mitigation measures will work just as well on the older models so perhaps that is why their vulnerability was not reported by ICS-CERT.

Siemens Vulnerability Update

The new data in this update was not provided by Siemens, but was more likely a response to a Siemens complaint about the wording in the initial advisory that made it seem that there were specific exploits directed at the Siemens products. ICS-CERT wrote in the original advisory (no longer available on-line) that:

“Exploits that target these vulnerabilities are known to be publicly available.”

While there are certainly HeartBleed exploits in play, we haven’t heard anything that would specifically point to their use against the Siemens products listed in this advisory (nor any ‘proof’ that they haven’t).

In any case ICS-CERT revised the wording to read:

“Exploits that target OpenSSL vulnerabilities are publicly available. ICS-CERT is unaware of any OpenSSL exploits that target Siemens’ products specifically.”

They are, of course, not saying that no one (sorry about the double negative but it is important and an appropriate use in this context) has specifically targeted these vulnerabilities in the Siemens products. That would be impossible to prove. We can probably take small comfort in the assumption that they probably would not have made this change if they had any reliable information indicating a possible HeartBleed related compromise of  a Siemens system.

BTW: Yesterday’s advisories are now listed on the ICS-CERT landing page.

Tuesday, July 22, 2014

ICS-CERT Obscures Publication of Two Advisories

This afternoon the DHS ICS-CERT published two control system advisories on their web site. For some reason, probably an oversight, they did not list the two advisories on the landing page of their web site. They were reported on TWITTER® (here and here) and are listed on the Advisories page of their web site. The advisories report multiple vulnerabilities in systems from Omron and Honeywell.

Omron Advisory

This advisory describes vulnerabilities reported by Joel Sevilleja Febrer of S2 Grupo with Omron’s NS series HMI terminals. ICS-CERT reports that Omron has produced an update that mitigates the vulnerabilities, but there are no indications that Sevilleja has had the opportunity to verify the efficacy of the effort.

The twin vulnerabilities are:

• Cross-site request forgery - CVE-2014-2369; and
• Cross-site scripting - CVE-2014-2370.

ICS-CERT reports that it would take a moderately to highly skilled attacker to remotely exploit these vulnerabilities. The advisory provides separate links to the new versions of each affected system. Interestingly, I can find no mention of the updated versions or the security issues requiring the update at the links provided.

Honeywell Advisory

This advisory describes vulnerabilities reported by Martin Jartelius of Outpost24 and Juan Francisco Bolivar in the Honeywell Falcon XLWeb controller. ICS-CERT reports that Honeywell has produced an update that deals with both vulnerabilities, but there is no indication that the researchers have been given the opportunity to verify the efficacy of the fix.

The twin vulnerabilities are:

• File accessible to external parties - CVE-2014-2717; and
• Cross-site scripting - CVE-2014-3110.

ICS-CERT reports that a moderately skilled attacker could remotely exploit these vulnerabilities. Honeywell’s report on these vulnerabilities is only available to registered owners.

NOTE: This advisory was previously posted to the US-CERT Secure Portal. Once again, I urge all control system owner, integrators and security researchers to register for access to this portal for valuable advance notice of advisories like this.

Monday, July 21, 2014

ICS-CERT Issues Reluctant Advisory for OleumTech Vulnerabilities

Today the DHS ICS-CERT took the unusual step of publishing an advisory for multiple vulnerabilities that are not acknowledged by the vendor; OleumTech. As a result no patches or updates appear to be forth coming as a result of this coordinated disclosure. The disclosures were made by Lucas Apa and Carlos Mario Penagos Hollman of IOActiv.

ICS-CERT reports that the vulnerabilities include:

• Improper input validation vulnerability - CVE-2014-2360 – could lead to a DOS attack and arbitrary code execution;
• Key management errors - CVE-2014-2361 – local access could lead to intercepting site security key;
• Use of cryptographically weak pseudo-random number generator - CVE-2014-2362 – 4-byte key could be guessed relatively easily.

ICS-CERT notes that an additional vulnerability reported by IOActive, unencrypted data messages, may be considered a user configuration issue since encryption options are available at setup. ICS-CERT reports that OleumTech does not accept the encryption issues as problems since they intended the functions to address authentication issues not encryption. OleumTech does not address the issues on their web site so ICS-CERT feels justified in publishing this advisory to alert owners to the vulnerabilities.

Congressional Hearings – Week of 7-20-14

There are just two weeks now before Congress starts their extended summer vacation. There are a number of hearings being held this week, but only one that may be remotely of specific interest to readers of this blog; and intel hearing of sorts.

On Wednesday the House Homeland Security Committee will be holding a hearing on "The Rising Terrorist Threat and the Unfulfilled 9/11 Recommendation." The witness list includes two former commissioners from the National Commission on Terrorist Attacks Upon the United States; Jamie S. Gorelick and Thomas H. Kean Jr.. Perhaps one of them will remind the Committee that one of the unaddressed recommendations of the Commission was the reform of Congressional oversight of the Homeland Security Department; political power is still more important than counter terrorism.

The House is going to take another pass (according to the Majority Leader’s web site) at trying to pass HR 5035, the NIST Reauthorization Act of 2014, under suspension of the rules on Tuesday. This had been listed for last week, but was not offered for consideration on the floor. Apparently the leadership thinks that they have the concerns about NIST cooperation with NSA worked out.
/* Use this with templates/template-twocol.html */