Monday, April 30, 2012

Duties and Tariffs


This post is a little off topic from my normal posts about chemical security, chemical safety or cybersecurity, but I think that death and taxes are always fair game for discussion. But let me segue into this by explaining a part of my daily information search routine.

Checking Legislation


Knowing that every day that one or more houses of Congress are in session legislation is introduced I try to check the Daily Digest of the Congressional Record for the bill numbers introduced the previous day. Then I check the Library of Congress’ Thomas (named after Thomas Jefferson) web site to review the titles of each of those bills. Bills that look like they may contain subject matter of interest to me get downloaded from the GPO web site when they become available for detailed reading.

Typically this doesn’t take up too much time as there are not that many bills introduced on most days. One of the exceptions to that rule is the start of each new Congress when the docket is cleared and the legislative process begins anew; then it’s not unusual to see a hundred or more bills introduced for each of the first few days of the session. Another period of heavy bill introduction is the last week of April, apparently there is a deadline for the submission of bills that have to do with duties and tariffs; taxes paid on goods that come into the United States.

Last week we saw a total 776 bills introduced in the House and Senate to ‘extend or modify’ existing suspensions or reductions in duties on goods imported into the United States. Now bills are assigned numbers based upon the order in which they are given to the clerk so any other legislation introduced last week was intermingled in the stack of ‘duty’ bills. I may have missed some interesting bills for this stack of tax related stuff.

The bills cover a wide range of materials from basic chemicals to completed kitchen appliances. Almost every industry is represented on both the manufacturing and user sides. The biggest single category of materials is chemicals, ranging from basic chemical raw materials to pharmaceuticals, both intermediates and finished products.

Purpose of Duties and Tariffs


Duties and tariffs are typically used to protect domestic producers of products from competition from abroad. Since the United States is a ‘free trade’ country, we like to think that our use of these tax tools is designed to protect domestic manufacturers from ‘unfair competition’.

Countries that allow their manufacturers to use cost-cutting practices that would be illegal here, for example, would have a duty placed on their goods coming into the United States. There is a complex legal process that is used to determine which goods and countries fall into this category.

There are a number of legitimate political reasons that duties are placed upon in coming goods. This is one of the types of low level sanctions that can be placed upon countries that we are having serious disagreements with about various types of policies. It makes it more costly for them to sell their goods in this country, hitting them in the pocketbooks of producers of goods who then, in theory, will encourage their government to be more responsive to our way of thinking.

There have also been periods in our not too distant past where congresscritters routinely used the power to levy duties to please manufacturers in their district or State. Those manufacturers would then in turn support the re-election efforts or post-retirement employment efforts of those congresscritters.

Tariffs and Duties Can Hurt


As more and more basic manufacturing moves out of the United States it becomes necessary for domestic manufacturers to buy raw materials from overseas sources; either because there are no longer domestic suppliers or there are not enough domestic suppliers to provide the necessary volume. When there is a tariff or duty on these raw materials then the domestic manufacturer in effect pays the tax on the incoming goods and in turn passes those costs on to their customers.

Additionally, if that manufacturer has competitors in friendly countries, they may be able to buy the raw material without paying a duty and be able to sell the manufactured product at a lower price because of that.

Finally, when finished goods come into the United States with a tariff or duty applied, the end user, the consumer, pays that tax in the higher price they pay for the merchandise.

Politics


Now manufacturers who are forced by the market to buy foreign produced goods that have tariffs or duties laid upon them have a legitimate gripe; they are being forced to pay for a political or economic penalty that they have nothing to do with. They have every right and even a responsibility to petition their representatives to reduce or modify a duty or tariff to reduce the burden that the manufacture is being forced to pay.

On the other hand if a company moves their manufacturing facility overseas to take advantage of local conditions that allow for lower manufacturing costs they should be unsurprised when a competitor that keeps manufacturing in this country cries foul when some of those cost savings strategies are less than legal in this country. When a tariff or duty is subsequently laid upon those goods the manufacturer with overseas products has less of an expectation that their congresscritter has a responsibility or obligation to reduce or suspend such a tax.

Now the 776 bills submitted last week almost certainly contain proposals that are based on both of the situations described above. One would like to think that our legislators have adequately investigated the individual situations to ensure that they are due to the former rather than the later. One would like to think so, but I would very rather suspect that no such investigation took place in most instances and, for the most part, the ones that were done were questionable in their professionalism and diligence; congressional staffs aren’t that big, nor are they paid that much.

Now I have no way of knowing which of these are legitimate exercises of political power, but there is at least one that I would suspect based upon the politics and economics of the area where I lived most of my adult life. But, I have no staff and few resources to conduct an appropriate investigation, nor really the inclination to do so. As a result I won’t point a specific finger at a particular target.

There must be some percentage of these bills that are morally or politically suspect, hopefully it is rather small. With so many bills being considered in a relatively short period of time by one committee in the House and another in the Senate, I doubt that any but the most egregious bills will be removed from consideration. Since they will be rolled into a single bill for floor consideration (neither body could afford the time needed to consider 776 bills in even the most abbreviated legislative process) there is little likelihood that there will be any significant opposition to these bills being passed.

I don’t know of a better way to do this, but the light of public scrutiny should be shown on the process.

Saturday, April 28, 2012

Cybersecurity Week Votes – Friday


The House closed out their Cybersecurity Week Friday by passing two more cybersecurity bills. Both dealt with research issues and one may actually have a minimal impact on control system security issues. HR 2096, the Cybersecurity Enhancement Act of 2011, passed by a vote of 395-10; certainly a bipartisan vote, especially since all of the ‘Nays’ were Republican. HR 3834, the Advancing America’s Networking and Information Technology Research and Development Act of 2012, passed by a voice vote.

Cyber-Physical Systems


HR 3834 introduces the term ‘cyber-physical systems’ to describe a wide range of control and monitoring systems. These systems are added to the list of research topics addressed in amends the High-Performance Computing Act of 1991. Unfortunately this act does not provide any specific funding for these research priorities so the money has to come out of existing priorities.

Oh well, control systems are now at least considered in a piece of cybersecurity legislation.

Moving Forward


As I mentioned yesterday, neither of these bills is in any way controversial, they don’t cost any real money, so they can be expected to be passed relatively easily in the Senate. They will also allow everyone to point to them as proof that the Congress takes cybersecurity seriously and has actually done something about it.
Having accomplished so much this week both the House and Senate will take a previously scheduled two-week recess.

Friday, April 27, 2012

Quick Response from RuggedCom


This afternoon the folks at DHS ICS-CERT published an updated version of the RuggedCom alert that they published earlier this week. They added the following paragraph to the ‘mitigation’ section of the alert;

“ICS-CERT is coordinating with RuggedCom who has indicated that they intend to release a patch that removes the backdoor access to address this reported vulnerability. They plan to release this patch within the next month. In addition, RuggedCom has released a notification regarding this issue that can be accessed at http://www.ruggedcom.com/productbulletin/ros-security-page/.”

Less than a week to get this response from is fairly impressive, even if they have had the vulnerability information for just about a year now. Sometimes you just have to get someone’s attention.

Actually I would assume that they had been doing at least some work on the patch done since they were notified of the vulnerability. I would guess that it was a low priority project since it wasn’t going to be making the company any money. As long as the researchers wasn’t going public there wouldn’t be any real need to get the patch developed in a timely manner.

There is another potential explanation. The alert notes that RuggedCom was acquired by Siemens ‘earlier this year’. Given Siemens problems with vulnerabilities in their control systems it might seem that a company that was looking to be bought by Siemens might have a reason to ensure that a recently identified vulnerability didn’t make the news. It might even be a good idea to insure that the team doing a due-diligence inspection didn’t find out about the problems.

We won’t ever know which of the two possibilities (or maybe some other that I haven’t thought of) was really responsible for the delay in getting the development under way. In the long run, I guess it doesn’t really matter; a vulnerability has been identified and is being patched. Hopefully the bad guys won’t use it in the meantime.

Fortunately, the only people slower to exploit cybersecurity vulnerabilities than Congress are the terrorists. Hopefully it remains that way.

Cybersecurity Week Votes – Thursday


Yesterday the House took final action on two cybersecurity bills HR 3523, the Cyber Intelligence Sharing and Protection Act (CISPA) and HR 4257, the Federal Information Security Amendments Act of 2012. HR 4257, which amends the Federal Information Security Management Act (FISMA) of 2002, was passed by a voice vote and HR 3523 passed on a nearly party-line recorded vote.

Since HR 4257 is solely an information system security bill essentially affecting only federal agencies and their contractors, I’ll leave further discussion of that bill to others.

CISPA Amendments


As I noted in my earlier blog, most of the amendments considered yesterday by the House dealt with privacy issues. All of those (with one exception) passed either by voice vote or a unanimous recorded vote (okay 410-3, 414-1, and 413-3 are not technically unanimous). The one exception to that easy passage rule was the Conyers amendment that was not brought to the floor for consideration by its author. The one amendment that dealt with federal agency cybersecurity, the Jackson-Lee amendment, was withdrawn.

The three amendments that I discussed in that blog yesterday that might have a peripheral control system affect were not so cleanly dealt with. Two passed by a voice votes and one failed on a recorded vote; one of only two amendments to actually fail along party-line recorded votes.

The Turner amendment that added language that might allow regulators to consider adding coverage of control systems to regulations developed to implement this bill (don’t hold your breath, any regulations based upon this bill would be almost useless) passed on a voice vote. In an interesting parliamentary move, that amendment was actually extended after the bill was passed to add the phrase “deny access to or” before the word “degrade” wherever it is found in the bill instead of just in the four definitions listed in the amendment.

The Richardson amendment that would added wording that would make clear (in a weasel worded manner) that federal agencies could possibly share threat information with private sector entities failed on a near party-line vote. So there is still nothing in this bill that would actually allow that sort of information sharing; kind of defeats the whole purpose of the bill in my mind.

The Woodall amendment that explicitly stated that there was no requirement for private entities to share information with the federal government passed on a voice vote. I think that this amendment also weakens the bills intent. I understand the privacy implication reasons for this amendment, but it still leaves this ‘information sharing’ bill without any requirements for sharing even the most limited information about actual attacks or imminent threats.

Moving Forward


As most pundits have noted the Senate leadership is pushing a more activist security bill that would have actual requirements for security measures included in the language. Of course, Sen. Reid (D,NV) has been promising to bring such a bill to the floor of the Senate for over two years now. The same sort of political infighting (a lot of it intra-party on both sides of the aisle) that has prevented him from keeping multiple promises for action will almost certainly prevent this bill from being considered.

The House has two more cybersecurity bills, HR 2906 and HR 3834 (both bills authorize cybersecurity research), scheduled for floor action today. They are both rather innocuous and will certainly pass today. They have a relatively good chance of passing in the Senate so people can say that they have passed cybersecurity legislation.

The House has one more gutted cybersecurity bill that it is prepared to bring to the floor; HR 3674, the PRECISE Act. It will be interesting to see if that measure actually makes it to consideration in its present form.

Thursday, April 26, 2012

HR 3523 Rule


NOTE: Links added in first paragraph 4-26-12 05:51 EDT.
Last night (Wednesday) the House Rules Committee adopted therule for the consideration of HR 3523, the Cyber Intelligence Sharing and Protection Act (CISPA) on Thursday and Friday of this week. This will be a structured rule providing for limited debate (one hour on the bill and 10 minutes for each amendment) and allows for consideration of 16 specificamendments.

The vast majority of the amendments that will be considered on the floor of the House will deal with privacy issues; nothing surprising there.

Still No Mention of Control System Security


None of the amendments addresses control system security. There is one amendment that could be construed (with some imagination) to kind of possibly extend some of the definitions of covered ‘systems or networks’ so that an aggressive regulation writer might be able to use to justify trying to expand this bill to include control systems (did I get enough waffle words in there?). Rep. Turner’s (R,NY) amendment (#14) would add ‘deny access to’ in various definition phrases {§1104(h)}; “efforts to degrade, disrupt, or destroy such system or network”.  A denial of service attack on a control system might then be covered. The other components of that definition would not really apply to a control system attack since that attack only uses a control system network to attack the controlled physical system.

No Requirement for Feds to Share


As I noted in an earlier blog posting about this bill, there are not any provisions in the current version of the bill that would direct or require DHS or the intelligence community to share threat information with the private sector. Rep. Richardson (D,CA) has offered an amendment that almost comes close to allowing federal agencies to share information with the private sector. Her amendment (#10) would make clear that nothing in the bill would “prohibit a department or agency of the Federal Government from providing cyber threat information to owners and operators of critical infrastructure” {§1104(g)(3)}. That’s a long way from requiring such sharing.

No Requirement for Private Sector to Participate


There was never a requirement for any private entity to participate in any sharing activity under this bill. Just in case this wasn’t clearly understood, Rep. Woodal (R,GA) has proposed an amendment (#12) that specifically states that there is no liability “for choosing not to engage in the voluntary activities authorized under this section” {§1104(g)(3)}. Some people just need to ensure that voluntary means uh voluntary.

Wednesday, April 25, 2012

Another Widespread ICS Vulnerability


Today the DHS ICS-CERT published a more than slightly delayed alert about a serious vulnerability in various network devices from RuggedCom. The vulnerability was reported (in an attempted coordinated disclosure) by Justin W. Clarke.

Justin reported that:

“An undocumented backdoor account exists within all released versions of RuggedCom's Rugged Operating System (ROS®).  The username for the account, which cannot be disabled, is ‘factory’ and its password is dynamically generated based on the device's MAC address.”

The Advisory briefly notes that there was an “an attempted but unsuccessful coordination with the vendor” but there is a more detailed description of the apparent failure of RuggedCom to adequately respond to the disclosure.

Unusual for an alert, ICS-CERT is reporting that RuggedCom has recommended that “customers to disable the rsh (remote shell) service and set the number of Telnet connections allowed to 0”, but ICS-CERT also notes that they have not verified that this resolves the vulnerability issue.

Cybersecurity Week Update II


The witness list for today’s Iranian Cybersecurity Threat hearing is not available as is a list of proposed amendments to HR 3523.

Iranian Cybersecurity Threat


Today’s hearing about the ‘growing’ Iranian cybersecurity threat has some distinguished witnesses, but as with yesterday’s hearing, none are currently in the intelligence community. We should get some interesting theoretical and political insights into the potential for Iranian attacks on critical infrastructure cyber-systems (maybe even control systems, ala retaliation for Stuxnet), but there will be no hard information about specific or credible threats that anyone will be willing or able to act upon.

The witness include:

• Mr. Frank J. Cilluffo; Associate Vice President and Director; Homeland Security Policy Institute; The George Washington University

• Mr. Ilan Berman; Vice President; American Foreign Policy Council; and

• Mr. Roger Caslow; Executive Cyberconsultant; Suss Consulting

HR 3523 Amendments


Last night was the close of acceptance of amendments that might be considered later this week during the floor action on HR 3523, CISPA. The Rules Committee web page for the bill contains a brief summary of over 40 amendments that they will review in this afternoons hearing. Depending on the type of rule they decide upon, all or some (more likely about 10) of these amendments could come to the floor for their 10 minutes of debate.

Without being able to read the actual amendments (and those are not currently available) we only have the summaries to divine what will be included, but it doesn’t look like anyone is concerned with control system security. There is a nice spread of practical to ideological amendments for the Committee to consider.

Rep. Thompson (D,MS; Ranking Member of the Homeland Security Committee) has three amendments offered; including the expected privacy issue amendment that will probably be included in the short list going to the floor. Another of his amendments  may be of more practical effect:

“Would authorize existing activities of the Department of Homeland Security for securing Federal networks and supporting private sector cybersecurity efforts. Would also put in place a framework by which the Secretary would determine which infrastructure sectors are critical to our Nation, conduct risk assessments of those sectors, develop and disseminate best practices for mitigating cybersecurity risks, and work with existing regulatory agencies of critical infrastructure to incorporate best practices into existing regulations, where necessary.”

Depending on the wording of the actual amendment this could result in some interesting regulatory changes, particularly in MTSA and CFATS regulations where DHS would have the most control.

Tuesday, April 24, 2012

Cybersecurity Week Update


In my blog post on Sunday night I noted that this was going to be Cybersecurity Week in the House, but there were some holes in the details. I’d like to fill in some of those now. The witness list is now available for today’s ‘America is Under Cyber Attack’ hearing and the date has now been set for the Rules Committee hearing for HR 3523, CISPA.

Witness List


The witnesses scheduled to appear before the Subcommittee on Oversight, Investigations, and Management hearing today are:

• Mr. Shawn Henry; Former Executive Assistant Director; Criminal, Cyber, Response, and Services Branch; Federal Bureau of Investigation;

• Mr. James Lewis; Director and Senior Fellow; Technology and Public Policy Program; Center for Strategic and International Studies;

• Mr. Gregory C. Wilshusen; Director; Information Security Issues; Government Accountability Office;

• Mr. Stuart McClure; Chief Technology Officer: McAfee; and

• Dr. Stephen E. Flynn; Founding Co-Director; George J. Kostas Research Institute for Homeland Security; Northeastern University.

You’ll note that none of these witnesses are active members of the intelligence community so there is almost no chance that we are going to hear any information about any actual recent attacks on critical infrastructure. To be fair even if there were cybersecurity analysts from NSA, CIA and the FBI testifying such information would not be disclosed in an open hearing; that information is all classified.

No, this will be a ‘the house is on fire we have to do something’ hearing filled with anecdotal evidence or vague descriptions of not so recent attacks. I do suspect that we will hear at least one report about attacks on the electrical grid, which will be kind of silly because none of the bills to be considered this week address any control system security issues.

A real hearing on this issue; one attempting to understand the real nature of the threat; would have to be conducted behind closed doors. It certainly would not provide any real publicity for the passage the cybersecurity bills to be voted upon later this week. While legally unlikely, it would be nice, just once, to hear a witness, a CIO or cybersecurity officer from a private company, testify about a recent actual attack on their system and what it actually cost them in terms of time, money and reputation.

HR 3523 Rule Hearing


The House Rules Committee has set Wednesday afternoon at 3:00 pm EDT as the time for their hearing to approve the rule for the consideration of HR 3523, Cyber Intelligence Sharing and Protection Act. As I mentioned in Sunday’s blog post, amendments to be considered at the hearing will need to be submitted by this afternoon.

Two proposed amendments are already listed on the Committee web site. They are:

• Rep. Paulsen (R,MN), Would encourage international cooperation on cyber security where feasible; and

• Rep. Sanchez (D,CA), Would provide guidelines for any department or agency in the Federal government who are charged with border search and seizure of electronic devices.

I expect that we will see at least one amendment proposed by Rep. Thompson (D,MS) regarding protections of civil liberties. A large number of other amendments to this controversial yet popular bill are inevitable.

Sunday, April 22, 2012

Congressional Hearings – Week of 4-23-12


This is going to be an interesting week with Cybersecurity Week finally coming to the House, unfortunately ICS security is not on the agenda. The Lungren bill (HR 3674) is not currently scheduled to be considered, but if the report is filed in time, it may still make it to the floor this week. Two budget hearings round out the offerings that might be of interest to the chemical-security and cyber-security communities.

Cybersecurity Week


The first day of the House week (Tuesday) cyber-week will start off with a hearing before the House Homeland Security Committee’s Subcommittee on Oversight, Investigations and Management entitled; “America is Under Cyber Attack: Why Urgent Action is Needed”. It certainly sounds appropriate if just a tad bit ironic as we have been waiting for congressional action for some time.

Interestingly, this hearing is just two days away and there are still not any witnesses listed on the Committee web site. Dale Peterson took advantage of that fact last week to do an interesting piece on DigitalBond about the types of witnesses he would like to see appear before this panel. I added my two cents worth, but both Dale and I know (and so do most other observers) that we will just see the typical witnesses that we always see and that doesn’t include anyone from the industrial control system trenches.

While the House gets ready on Thursday to start actual consideration of cybersecurity legislation there is one last cyber-threat hearing with an interesting twist. The the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies of the House Homeland Security Committee will be holding a hearing on the Iranian Cyber Threat to the U.S. Homeland. I must have missed the one about the Russian mafia cyber-threat and the Chinese cyber-threat.

Oh, yes. No witness list for this hearing either.

The main point of Cybersecurity Week is, of course, to pass cybersecurity legislation. Starting on Thursday this week the full House will consider:

H.R. 2096 - Cybersecurity Enhancement Act of 2011, as amended
H.R. 3834
- Advancing America's Networking and Information Technology Research and Development Act of 2012
H.R. 4257
- Federal Information Security Amendments Act of 2012

H.R. 3523 - Cyber Intelligence Sharing and Protection Act, Rules Committee Print

The first three will be considered ‘under suspension of the rules’. This is an abbreviated debate process to be used on bills that the leadership is sure will pass. It takes a 60% vote to pass a bill under this procedure so it isn’t a process taken lightly by the leadership.

The controversial cybersecurity bill, HR 3523, is planned to come to the floor starting Thursday with a probable vote on Friday. This bill will be considered under a rule that will allow for at least some floor amendments. The Rules Committee has not yet set the date and time for the hearing where the rule will be developed but they have set the deadline for submitting amendments for Tuesday afternoon.

Budget Hearings


Two different hearings this week will look at different versions of the FY13 Energy and Water Development Appropriations Bill.  On Tuesday the Senate Appropriations Committee’s Labor, Health and Human Services, and Education, and Related Agencies Subcommittee will be doing their markup of the as of yet unnumbered Senate bill. The House Appropriations Committee is a little further along in the process with their bill; they will be holding a full Committee markup on Wednesday.

Changes to HR 3523 - CISPA


Earlier this week I noted that the Intelligence Committee report on HR 3523 had been filed and that it was available for action before the full House. On Friday both the House Rules Committee and the Majority Leader’s web sites noted that HR 3523 will probably be considered by the House starting on Thursday under a rule. The rule hearing has yet to be scheduled, but will probably be held on Tuesday night.

The House Rules Committee site provides a link to a House Rules Committee Print of HR 3523. The site notes that:

“Rules Committee Print 112-20, showing the text of the bill as reported with additional changes recommended by the Chair and Ranking Minority Member of the Permanent Select Committee on Intelligence”

Since the markup hearing for the bill was not webcast and the Intelligence Committee did not provide any details on the web site about the amendments that were adopted in the hearing we had been waiting on the Committee report to see what language would be considered by the House. Now we need to look at the version further amended by the two leaders of the Committee (more appropriately by the Committee Staff with the approval of the two leaders). I’ll try to do both here.

Committee Intent


One of the important purposes of committee reports is that it provides Congress with a chance to provide written evidence of their intent in writing the laws. Appellate Courts frequently use Congressional intent in deciding what laws actually mean or were intended to mean.

In this case the Intelligence Committee report provides a pretty succinct summary of why this bill was developed:

“The Committee determined that these issues are best resolved in the first instance by providing clear, positive authority to permit the monitoring—by the private sector—of privately-owned and operated networks and systems for the purpose of detecting cybersecurity threats and to permit the voluntary sharing of information about those threats and vulnerabilities with others, including entities within the private sector and with the federal government.”

Now there are certainly those who object to the phrase ‘positive authority to permit monitoring’, even if it is being given to the private sector rather than the government. That sums up the opposition that this bill faces and may end up killing the bill when it gets to the Senate. But that has little to do control system security.

This is another bill that never specifically mentions control systems. The closest that the committee report comes to addressing control systems issues (and it’s not very close at all) is when it talks about protecting R&D:

“The Committee believes that immediate and serious action is necessary to staunch the bleeding of American corporate research and development information and to better protect our national security.”

Not much to pin our hopes on for sharing information about control system threats, but it’s the best we have.

Changes to the Bill


Looking at the original bill, the revised text in the Committee Report, and the House Rules Committee Print there have been a number of changes made to this bill. Interestingly most of them have been made in the latest version as Rogers (R,MI) and Ruppersberger (D,MD) try to craft a version of HR 3523 that will mitigate the privacy and access controversy that could kill the bill.

One small, but important, change is the addition of two words early in the bill. In §1104(a) that is being added to the National Security Act of 1947 the words “and utilities” in the general heading section, leaving it to read:

“The Director of National Intelligence shall establish procedures to allow elements of the intelligence community to share cyber threat intelligence with private-sector entities and utilities [emphasis added] and to encourage the sharing of such intelligence.” {§1104(a)(1)}

Similar supporting changes are made throughout the newest version of the bill. All of these changes were made in the Rules Committee version. It allows the bill’s provisions to cover some utilities that are neither truly private sector or purely government agencies.

Most of the changes made to the bill are designed to restrict sharing of information to some extent. They were obviously added to respond to a number of criticisms that have been making the rounds of the social networking sites. The changes include the addition of:

§1104(a)(5) – Restriction on Disclosure of Cyber Threat Intelligence.

§1104(b)(2) – Sharing with the Federal Government.

§1104(c) – Federal Government Use of Information.

§1104(d) – Federal Government Liability for Violations of Restrictions on the Disclosure, Use, and Protection of Voluntarily Shared Information.

§1104(g)(2) - Limitation on Military and Intelligence Community Involvement in Private and Public Sector Cybersecurity Efforts.

§1104(g)(3) - Information Sharing Relationships.

NOTE: All of the above changes only showed up in the Rules Committee Print.

Unfortunately for the audience of this blog none of the changes is worded in a manner that would ensure that the information sharing requirements (and that is a loosely used word with respect to this bill) would apply to control system threat information. Of course, neither is there any indication that the US intelligence apparatus has the knowledge base to develop control system threat intelligence.

Saturday, April 21, 2012

Markup Results for HR 3674


Earlier this week the House Homeland Security Committee completed their markup of HR 3674, the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act of 2011 (The PRECISE Act) and reported the amended bill favorably by a party-line vote of 16-13. The Lungren amendment in the nature of a substitute (ANS) that I reported on earlier this week was agreed to on a voice vote as were five amendments to that language.

The Missing Amendments


If one were to just look at the mark-up hearing page for this bill on the Homeland Security Committee web site one could be forgiven for thinking that there had been no disagreements in this markup. The only amendments that are listed on that page are those amendments that were adopted. Three of the approved amendments had Republican authors.

There were 15 other amendments that were dealt with at the hearing; one was withdrawn, one was ruled out of order and the other 13 were voted down along party lines. The sad part is that only one of those amendments, authored by Rep Jackson-Lee (D,TX) has been made publicly available on the Committee web site. For all of the remaining disapproved amendments we have only a brief, teasing summary of the purpose in the Summary of Committee Action.

Some of these amendments looked interesting. Ranking Member Thompson (D,MS) proposed to add a section requiring the identification of sector specific cybersecurity risks. After this was voted down by a party-line vote twice (I’m assuming that there was a minor variation in the language between the two versions) other Democrats on the Committee offered six similar amendments (oaky still an assumption on my part since I haven’t seen any of the actual proposed language) for identifying cybersecurity risks for six different critical infrastructure sectors; including:

• Transportation Systems Sector;
• Chemical Sector;
• Emergency Services Sector;
Nuclear Reactors, Materials, and Waste Sector;
Energy Sector; and
• Dams Sector

I suppose that it kind of made sense that these amendments were voted down. It would be hard to justify not requiring some sort of risk mitigation for the identified risks once they were identified. That just doesn’t fit with the requirement that any DHS directed efforts to actually prevent cybersecurity attacks can only be made at the request of the private sector entity who is then free to ignore any costly defense against the identified risk/attacks.

The failure to publish the defeated amendments is a very odd step for this Committee. They have had one of the better records for providing information to the public. It would be interesting to hear Chairman King explain why an exception to that policy was made for this bill.

Lungren Slips in a Ringer


I ran into an interesting thing when I was reviewing the details of the amendments that were offered to the Lungren ANS; the page and line numbers in the amendments did not match up with the page and line numbers in the copy of the ANS that I had downloaded from the  Homeland Security Committee web site on April 16th; the version that I reported on in my earlier blog post.

There was one major change in the new version of the bill it removed §243, Cyber threat information sharing with the Federal Government. One other significant change was related to that deletion, the removal of the definition of ‘cybersecurity purpose’ from §249; a term used only in §243. The remaining changes were miscellaneous references to §243.

The removal of §243 guts the information sharing provisions of this bill. It removes the only mandate for the government to provide cyber-threat information to private sector owners of critical infrastructure in any of the bills currently under consideration in Congress. It also removes all protections of information that the private sector might provide to the DHS National Cybersecurity and Communications Integration Center (NCCIC).

With this change in place Subtitle E of this bill becomes a simple reauthorization of the NCCIC with the addition of a new Board of Advisors. It also removes any possibility of the bill being attacked by privacy and internet access activists. The bill gets much easier to pass in both the House and Senate, but doesn’t allow it to accomplish much.

The Approved Amendments


The first of two amendments by Rep. McCaul (R,TX) provides a more detailed description of the ‘cybersecurity operational activity’ authorized to be conducted by DHS. It also provides a definition for ‘countermeasure’ and outlines the Federal preemption status of this bill. All important details, but nothing of specific interest for the control system security community.

The second McCaul amendment does two interesting things at the same time. First it removes §6 which required the Secretary to prepare a report on cybersecurity training for fusion centers. Second it establishes the Cybersecurity Domestic Preparedness Consortium to develop and provide cybersecurity training for State and local first responders. Again a valuable idea, but it will have little or no effect on control system security.

Chairman King submitted an amendment that takes care of a simple housekeeping function, providing references to Title XI of National Security Act of 1947, as amended. This is one of those necessary functions that sometimes get lost in the legislation drafting process. Nothing to see here, keep moving.

Rep. Richmond (D,LA) proposed a very simple amendment it added a single word to the bill (one of my favorite words) ‘Chemical’. Passing this amendment will give the chemical sector a seat on the Board of Advisors of the NCCIC. Since I have been advocating this since the idea of the Board of Advisors was first introduced, I heartily endorse this amendment. Too bad the NCCIC can’t do anything.

Rep. Hahn (D,CA) managed to get a privacy related amendment added to the bill. It would require the DHS Privacy Officer to review the ‘cybersecurity policies, programs, and activities’ of the Department. It really isn’t that big a thing since that is already the job of the PO so this is a symbolic amendment; which is probably why it passed.

Thursday, April 19, 2012

ICS-CERT Publishes Monthly Monitor and Updates Siemens Advisory

Late yesterday afternoon the folks at DHS ICS-CERT published their March 2012 ICS-CERT Monthly Monitor and an update to a previously issued Siemens system Advisory. The Monthly Monitor provides some information on an interesting phishing attack on an electric utility and the Siemens update addresses some mitigation issues.

Monthly Monitor


ICS-CERT is apparently going to be making it a common feature on their Monthly Monitor to describe an interesting new type of attack that their team has responded to in the previous month. This month it deals with a telephone phishing attack. The two attacks reported to ICS-CERT were unsuccessful due to an alert individual on the receiving end. Reporting (and publicizing) unsuccessful attacks is important because it helps other organizations learn how to avoid the attack.

The other thing about this type of attack is that it would be unusual for it to be directed at just one or two organizations. It will be interesting to see if other electrical distribution organizations were affect by a similar attack. It would also be nice to know if ICS-CERT pushed this information directly to other organizations in the industry.

The ‘Situational Focus’ section of the Monitor has a good discussion of system auditing and logging and another on the role of fusion centers. There is also a helpful description of their ICS Advanced Training course.

As is usual this is an issue well worth reading and circulating.

Siemens Update


The Siemens advisory update is more than a little confusing. This update references a ‘previous’ advisory from back in December. But that advisory has a different number than the current advisory and the vulnerability that is specifically addressed with new information is not found in that original advisory. What happened is that ICS-CERT updated that December advisory in January with new vulnerabilities. Readers might remember that the second advisory provided information on eleven separate vulnerabilities with mitigation measures for some but not all of the vulnerabilities.

This version provides a minor change to the mitigation measures for the telnet daemon. Where the second advisory noted that: “Users have the option of disabling the telnet function on SIMATIC panels when telnet is not actively being used.” The new version is a tad bit more active in its recommendation: “Siemens recommends disabling the telnet function on SIMATIC panels when telnet is not actively being used.”

I pointed out in my posting on the second advisory that ICS-CERT specifically noted that no one had verified the Siemens mitigation measures. This version reports that ICS-CERT has tested two of the service packs identified in the Siemens information and that they resolve the five of the eleven reported vulnerabilities that were actually patched. To address the remaining vulnerabilities the Advisory notes:

“The remaining vulnerabilities are addressed in documentation and a new FAQ entry on Siemens website. If unable to implement these changes, product users should contact their integrator or Siemens product support for assistance.”

I just hope that Siemens is pushing this information to their customers. I would bet that the vast majority of owners never see the ICS-CERT web site or blogs like this one.


Wednesday, April 18, 2012

HR 3523 Reported in House

Yesterday the House Committee on Intelligence submitted their report on HR 3523, the Cyber Intelligence Sharing and Protection Act (CISPA) of 2011. The publication of HRept 112-445 cleared the bill for action on the floor of the House. It is not clear that the Republican leadership intends to bring this bill to the floor in its current form, particularly since it has attracted so much adverse attention from privacy and internet access activists. And President Obama’s recent concerns about the bill mark a move away from the bipartisan support that had been expressed earlier.

I haven’t had a chance to read the report yet. I’ll get to it tonight and see if there is anything interesting or unusual that isn’t covered in the actual language of the bill.

OMB Approves EPA Final Rule on 2012 Methyl Bromide Exceptions

Yesterday the web site of the Office of Management and Budget (OMB) published a notice that it had approved, ‘consistent with change’, the final rule for the EPA’s 2012 Critical Use Exemption from the Phaseout of Methyl Bromide. As has been routine for this program at EPA, this rule is way too late to be effective in controlling the amount of methyl bromide produced in or imported into the United States. I would assume that, as was done for the 2011 rule,  EPA sent out a letter authorizing producers of methyl bromide to make/import a pre-determined amount of methyl bromide to meet the critical use needs of agricultural producers in the lead up to this year’s planting season.

I think that I’ll skip my normal screed about methyl bromide and the DHS list of chemicals of interest for this blog post. I’ll get a better chance in a week or so when this actual final rule is published in the Federal Register.

Tuesday, April 17, 2012

New Language for HR 3674

As I noted in yesterday’s blog post Rep. Lungren (R,CA), the chair of the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies of the House Homeland Security Committee is planning on introducing substitute language for HR 3674, Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act of 2011 (The PrECISE Act), during the full Committee markup of that bill. My earlier post provided just a general idea of the scale of changes included in the bill. I’ve now had a chance to do a more detailed review and this post looks at those areas that might be of interest to the control system security community.

Control System Security Ignored


HR 3674 has always been an information security bill, but earlier versions did include some brief mentions of control system security issues. This version of the bill removes all of those mentions. For example the wording in §226(a)(7), added in the substitute language submitted in the Subcommittee markup hearing that required the development of “guidelines for making critical infrastructure information systems and industrial control systems [emphasis added]  more secure at a fundamental level” has been removed in this latest version.

Even the wording in the original bill that addressed cybersecurity R&D efforts, requiring the “development and support of technologies to reduce vulnerabilities in process control systems” {§229(b)(5)} has been removed.

No Standards to be Set


It is apparent that the reason for the removal of any reference to control systems in this revised language is because of the full scale revision of the authority to be given to DHS to regulate cybersecurity in the private sector. Actually, ‘revision’ is hardly adequate; the regulatory scheme for this new bill is summed up nicely in §226 that is being added to the Homeland Security Act of 2002 in §2 of this bill. It requires the DHS Secretary to “perform necessary activities to help facilitate the protection of Federal systems and, solely upon the request of critical infrastructure owners and operators [emphasis added], assist such critical infrastructure owners and operators in protecting their critical infrastructure information systems” {§226(a)}.

The phrase ‘solely upon the request’ occurs in a number of places in the discussion in §226 of how the Secretary will go about ‘assisting in protecting’. It is specifically used to describe the conduct of risk assessments for critical infrastructure information systems and the providing of technical assistance to critical infrastructure owners and operators.

Careful reading of this section of the revised language for the bill allows one to understand why this bill does not intend to establish a regulatory regime for protecting cybersecurity in the private sector; there will not be enough resources made available to DHS to allow them to prepare rules and establish an enforcement capability to support such regulations. This is clearly seen in §226(e):

“The provision of assistance or information to critical infrastructure owners and operators, upon request of such critical infrastructure owners and operators, under this section shall be at the discretion of the Secretary and subject to the availability of resources. The provision of certain assistance or information to one critical infrastructure owner or and operator pursuant to this section shall not create a right or benefit, substantive or procedural, to similar assistance or information for any other critical infrastructure owner or and operator.”

Information Sharing


Lungren (and presumably the Committee Staff) is obviously trying to avoid the ire of various internet activists the way that the Roger’s information sharing bill (HR 3523) has increasingly done. Subtitle E of the bill would add a series of sections to the Homeland Security Act to address cybersecurity information sharing by DHS.

The first section of this subtitle clearly requires DHS to supply cyber-threat information to the private sector; something that has not been explicitly spelled out in any cybersecurity legislation to date. Section 241 requires the Secretary to make “information appropriately in the possession of the Department available to appropriate owners and operators of critical infrastructure on a timely basis”. Caveats are provided for details of protected information and classified information.

The bill establishes the National Cybersecurity and Communications Integration Center (NCCIC) as the agency within the Department responsible for carrying out the information sharing requirements of the Department. The sharing requirements for the NCCIC include cyber threat information and “exchanging technical assistance, advice, and support with appropriate entities” {§242(b)}. Unfortunately, the section that outlines the methodology and requirements for information sharing and protection is poorly written.

Section 243(a)(1) starts out explaining that that Federal agencies are required to provide cybersecurity threat information in their possession to the NCCIC; allowing them to place restrictions on what and how that information could be shared to protect the sources of that information. There is nothing really controversial here.

Section 243(a)(2) places additional and more specific restrictions on how information provided to the NCCIC can be shared. The wording implies, but never specifically states, that much of the information covered under this subparagraph would be information provided to DHS by the private sector. This can be seen in the use of the phrases “protected entity” and “self-protected entity” that have been proposed in other cybersecurity bills. Unfortunately they are not defined anywhere in this bill.

Information sharing protections listed in §243(a)(2)(C) and §243(a)(2)(D) include:

• Shall be exempt from disclosure under section 552 of title 5, United States Code;

• Shall be considered proprietary information and shall not be disclosed to an entity outside of the Federal Government except as authorized by the entity sharing such information;

• Shall not be used by the Federal Government for regulatory purposes;

• Shall be handled by the Federal Government consistent with the need to protect sources and methods and the national security of the United States; and

• Shall be exempt from disclosure under a State, local, or tribal law or regulation that requires public disclosure of information by a public or quasi-public entity.

Information Sharing Restrictions


Responding to specific privacy and domestic spying charges levied against HR 3523, Lungren has provided three separate restrictions on the use information shared with the Federal government (presumably, but not specified, by private sector entities). Actually this is another poorly written area as there is a repeated reference to ‘subsection (b)’ but there is no such subsection in §243.

The revised language provides the ‘limitation on use’ provisions that only allow Federal agencies to share the information only if “at least one significant purpose of the use” {§243(a)(3)(A)(ii)} is for cybersecurity purposes or protection of national security. Similar language is found in HR 3523.

Lungren has added language {§243(a)(3)(B)} that specifically prohibits searching such information provided to the Federal Government (again presumably by the private sector) except for national security or cybersecurity purposes. It also specifically prohibits {§243(a)(3)(C)} the Federal Government from requiring “a private sector entity to share information with the Federal Government”.

It is not clear that these efforts will mollify privacy and internet freedom advocates concerns about the effects of these security provisions on their privacy and freedom of expression rights. But an effort has been made.

The Markup Hearing


The full Homeland Security Committee will meet in a markup hearing on Wednesday, April 17th, 2012. It is likely that there will be a number of additional amendments made to this language. I’ll cover those results later this week.

Markup of HR 3674 – Cybersecurity

The House Homeland Security Committee web page today announced that the full Committee would be conducting a markup hearing for HR 3674, Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act of 2011 (The PrECISE Act). As with the subcommittee markup hearing in February, the sponsor of the bill (and Sub-Committee Chair), Rep. Lungren (R,CA), will be offering an amendment in the form of a substitute.

The copy of the potential amendment provided on the hearing notice web page shows an extensive re-write of the legislation. A quick review of the changes show no real changes as far as control system security goes, but there is a complete change of focus of Subtitle E being added to the Homeland Security Act of 2002. The change in the title of Subtitle E provides a preview of the changes to the information sharing provisions of the bill:

• Original Version - National Information Sharing Organization

• New Version - Department of Homeland Security Cybersecurity Information Sharing

I’ll be taking a closer look at the specific provisions before the hearing on Wednesday.

Monday, April 16, 2012

Updated Legislation Page

Just want to let readers know that I finally got around to updating the page on this blog related to legislation in the 112th Congress. Here is a listing of what was updated:

• Added HR 3834, HR 4263, S 2102, S 2105 and S 2151 under Cybersecurity;

• Added HR 4005, and HR 4251 under Homeland;

• Updated HR 901 under CFATS;

• Updated HR 2356 and HR 2764 under Homeland

I’ll be trying to make these updates in a more timely fashion in the future.

OMB Approves PHMSA Control Room Management ICR

Last Friday the Office of Management and Budget (OMB) approved the information collection request (ICR) supporting the PHMSA final rule on pipeline control room management and human factors, a draft of which is currently under review by OMB. The OMB ICR page describes the final rule:

“The proposed rule would require operators of hazardous liquid pipelines, gas pipelines, and liquefied natural gas (LNG) to assure controllers and control room management practices and procedures maintain pipeline safety and integrity.”

The ICR supporting this final rule would address the record keeping requirements for:

Control room management procedures;
Roles and responsibilities of pipeline controllers;
Information on SCADAs;
Fatigue mitigation;
Alarm management;
Change management;
Operating experience;
Training;
Compliance validation; and
Deviations.

Sunday, April 15, 2012

Congressional Hearings – Week of 04-16-12

Congress is coming back to work from their two week Easter Recess. There are lots of hearings taking place, but only a couple that might be of interest to the chemical and cyber security communities; both dealing with appropriations bills. Media reports of this week being ‘cybersecurity week’ in the House were optimistic at best.

Transportation


The Senate Appropriation Committee’s Subcommittee on Transportation, Housing and Urban Development and Related Agencies will hold a markup hearing on Tuesday for the FY 2013 appropriations bill for Transportation, Housing and Urban Development and Related Agencies.

Energy and Water


Wednesday the House Energy and Water Development and Related Agencies Subcommittee of the Appropriations Committee will conduct a markup hearing on their FY 2013 Energy and Water Appropriations Bill. This hearing will not be webcast.

Cybersecurity


Early last week there had been some news reports that this week would be ‘cybersecurity week’ in the House with a number of related bills coming to floor votes. Unfortunately there is nothing on the Majority Leader’s website or the Rules Committee website that indicates that any cybersecurity legislation will be considered this week. It is remotely possible that we could see some additions to the list of bills intended to be considered, but it’s unlikely that the whole host of bills could be added.

In fact, there is a good indication that there is some committee infighting holding up any real floor consideration of cybersecurity legislation. The House Homeland Security Committee has a hearing already scheduled for April 24th (a full week ahead) entitled:  America is Under Cyber Attack: Why Urgent Action is Needed.

Here is a quick status update on the cybersecurity legislation that has been introduced in the House:

HR 76 (Jackson-Lee, D) – No hearings held

HR 174 (Thompson, D) – No hearings held

HR 1136 (Langevin, D) – No hearings held

HR 1261 (Connolly, D) – No hearings held

HR 2096 (McCaul, R) – Reported, ready for floor action

HR 3523 (Rogers, R) – Ordered reported

HR 3674 (Lungren, R) – Reported out of subcommittee, pending hearings in 4 other committees

HR 3834 (Hall, R) – Reported, ready for floor action

The Roger’s bill is the bill currently under wide spread attack by cyber-activists as being a ‘threat to the freedom of the internet’.

The Lungren bill is the most comprehensive which is why it must also be considered by the additional committees including those chaired by Rogers and Hall. It is unlikely to be considered by those two committees as there are some conflicts with the bills sponsored by their chairs. Oh, yes, Lungren is a Subcommittee Chair on the Homeland Security Committee, that’s why they have the hearing scheduled for next week to put pressure on the leadership to break his bill out of the other committees.

Saturday, April 14, 2012

Chemical Sector Security Summit Bids

Did you ever wonder what goes into setting up a 2 day meeting for 600 people? Well thanks to a recent tweet I just had a chance to review the official Request for Proposal (RFP) for this summer’s Chemical Sector Security Summit. It’s almost too late to get a bid together (closing date is April 16th), but I really doubt that I have too many readers in a position to submit that kind of bid in any case. I’m including this as just a preview of that upcoming meeting for chemical facility security personnel.

Friday, April 13, 2012

PHMSA Pipeline Safety ICR Revisions

Today the Pipeline and Hazardous Material Safety Administration published a 60-day information collection request (ICR) revision notice in the Federal Register (77 FR 22387-22389) for a number of pipeline reporting ICRs. The notice explains a number of revisions that PHMSA is planning on making on these forms.

The reporting forms include:

• Gas transmission incident report (PHMSA F 7100.2; OMB control number 2137-0522)

• Hazardous liquid accident report (PHMSA F 7100-1; OMB control number 2137-0047)

• Gas transmission annual report (PHMSA F 7100.2-1; OMB control number 2137-0522)

Incident and Accident Reports


These two revised forms will ask for additional pipeline physical details for pipeline incidents involving girth welds. Minor changes will also be made to the form to reflect the format of the on-line reporting system. PHMSA does not expect that these revisions will change the annual burden for either of these reports.

Annual Reports


PHMSA is planning on making revisions to annual report form based upon some of the NTSB recommendations from the San Bruno, CA pipeline explosion and requirements from the Pipeline Safety, Regulatory Certainty, and Job Creation Act of 2011. These include:

• Providing a mechanism for identifying segments of pipelines that the owner is unable to verify the maximum allowable operating pressure (MOAP);

• Reporting the methodology used to determine the MOAP;

• Reporting the miles of pipeline that have not been subjected to hydrostatic pressure testing to 125% of MOAP; and

• Reporting the number of miles of pipeline which cannot be checked by the passage of an instrumented internal inspection device.

Public Comments


In this ICR revision notice PHMSA is requesting comments about the specific changes reported in the notice. The revision request will not change the current expiration of the ICRs so general comments on the complete ICRs should be reserved for when they are renewed sometime next year. Public comments may be submitted via the Federal eRulemaking Portal (www.regulations.gov; Docket # PHMSA-2012-0024). Such comments should be submitted by June 12, 2012.

Thursday, April 12, 2012

DHS Private Sector Clearance Program 60-day ICR Notice

Today the DHS National Protection and Programs Directorate (NPPD) published a 60-day ICR reinstatement notice in the Federal Register (77 FR 21989) for their Critical Infrastructure Private Sector [Security] Clearance Program (PSCP). OMB approval of this ICR would allow NPPD to collect information necessary to initiate the security clearance investigation process for selected critical infrastructure civilian personnel who would not otherwise be eligible for a clearance under Executive Order 12829.

There is something odd going on with this ICR and it doesn’t look like the problem is in DHS. The original ICR was submitted in July 2008 and approved in November of that year. It was set to expire on November 30th, 2011. DHS submitted a request to re-approve the ICR in July of last year with a change in the number of potentially covered individuals from 250 to 450 with an equivalent change in the time burden (42 to 75). That was approved ‘without change’ by OMB on September 14th, 2011 with an expiration of November 30th, 2011; the same date upon which it was already set to expire.

Apparently no one at DHS noted the error in the OMB approval; they expected the normal three year ICR expiration which would have put it either in September or November of 2014. The ICR approval paperwork was probably put in an action item folder dated for some time in the early summer of 2014 and promptly forgotten.

Somehow someone noted that the ICR had expired prematurely. It would be nice to think that a simple phone call to the action officer at OMB would have cleared up the matter, but that is not the way that a bloated bureaucracy operates. Alternatively we could have expected to see NPPD submit an expedited or ‘emergency’ ICR approval request to get the program on a technically firm footing, but that probably would have required publicly pointing out OMB’s error and that doesn’t win much in the way of friendly bureaucratic cooperation. OMB already sits on NPPD requests for lengthy periods of time, no sense in antagonizing them.

It really doesn’t make much difference in any case. This is a voluntary program and people requesting security clearances under this program are certainly not going to object to providing this information on a form without an up-to-date OMB approval number in the corner. While the public can’t be required to provide the information on an unapproved collection, neither can NPPD be required to process a security clearance request.

Comments on this ICR are being solicited by NPPD. Comments may be submitted via the Federal eRulemaking Portal (www.regulations.gov; Docket # DHS-2012-0001). Comments should be submitted by June 11, 2012.

Wednesday, April 11, 2012

ICS-CERT Publishes 5 Advisories by the Numbers

Five separate advisories were published by the DHS ICS-CERT folks today and there are a lot of other interesting numbers involved. First there are two new sets of vulnerabilities from coordinated disclosures and three sets following up alerts for uncoordinated disclosures. Next there are two advisories from Luigi and one from Basecamp. Then there are two Siemens advisories for different devices by different researchers. Finally we have a real first; a vulnerability reported in a cybersecurity device.

Siemens


Siemens has two new devices now listed on the ICS-CERT list of vulnerable control systems applications; Scalance S and Scalance X. The similarities in names is apparently due to both being communications devices; Scalance X is an ‘Industrial Ethernet Switch’ and Scalance S is a security module that includes a ‘Stateful Inspection Firewall’. Vulnerabilities in either could open an otherwise secure network to attack.

The two vulnerabilities reported in Scalance S were disclosed to Siemens by Adam Hahn and Manimaran Govindarasu. The vulnerabilities are a brute-force authentication vulnerability and a stack-based overflow vulnerability. Both are remotely exploitable by a moderately skilled attacker and could result in a DOS or possibly arbitrary code execution. Siemens has a firmware update and a security advisory to ‘resolve’ these vulnerabilities. Interestingly ICS-CERT does not say that the researchers have verified the resolution of these vulnerabilities.

There is just a single buffer overflow vulnerability reported in the Scalance X by J├╝rgen Bilberger from Daimler TSS GmbH directly to Siemens.  This is a remotely exploitable vulnerability that could be exploited by a moderately skilled attacker. A successful exploit could result in a DOS or execution of arbitrary code. Siemens has a firmware update for this vulnerability that, again, the advisory says ‘addresses the vulnerability’ without saying that the researcher has verified that claim.

I’m not sure how ICS-CERT was notified about these vulnerabilities since both advisories clearly state that the disclosures were directly to Siemens. I would probably assume that the notification was made by Siemens and that would certainly be a positive move from a company that a large number of people associate with their insecure-by-design PLCs.

Luigi Uncoordinated Disclosures


Two of today’s advisories were follow-ups to alerts due to uncoordinated disclosures last year by Luigi. One of the advisories references the earlier alert, but the other does not. What’s really unusual about that is that another advisory for the same product, the MICROSYS Promotic HMI, where ICS-CERT did not reference the original Luigi related alert. To the best of my knowledge these are the only two instances where an earlier alert was not referenced in the advisory; strange coincidence that they both are about the same product reported by the same researcher.

The Promotic vulnerability is for a ‘use after free’ condition that would allow an attacker to corrupt data or possibly execute arbitrary code. Remote execution is not possible as the exploit requires a local user to run a vulnerable project file. MICROSYS notes that the latest version of Promotic does not contain this vulnerability so users can just download the latest version to correct the problem.

The second advisory is for the Certec webMI2ADS HMI application, or maybe it is the atvise webMI that they referenced in the original alert. There has been more than a little confusion in naming protocols in systems upon which Luigi has reported. This is probably due to the fact that Luigi is operating out of Italy and names do change in different countries.

The Certec advisory addresses four separate vulnerabilities;

• Directory traversal;
• Null pointer;
• Termination of software; and
• Resources consumption

These vulnerabilities are remotely executable that a relatively low skilled attacker could exploit to cause a DOS or perhaps access ‘sensitive data’. Registered users can download a new version of the application that does not contain these vulnerabilities. The Advisory reports that Luigi has confirmed that the update ‘resolves these vulnerabilities’.

Basecamp


The Basecamp related advisory concerns the vulnerabilities identified in the Koyo ECOM1000 Ethernet Module. Reid Whitman was responsible for the original disclosure as part of the Basecamp presentations at the S4 Conference in January. There were five vulnerabilities identified in this product;

• Buffer overflow;

• Weak password requirements;

• Web server cross-site scripting;

• Web server requires no authentication; and

• Uncontrolled resource consumption.

All of the vulnerabilities are remotely exploitable allowing a moderately skilled attacker to exploit these vulnerabilities. Koyo has a produced a patch that addresses each of these vulnerabilities with varying degrees of effectiveness. The web server, for example, is now disabled by default but the module can reconfigured by the user to enable the web server and apparently re-opening the vulnerability.
 
/* Use this with templates/template-twocol.html */