Friday, December 30, 2016

President Amends EO 13694 and Sanctions Russians

Yesterday the President signed a new executive order (number to be published) that amends the existing EO 13694, Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities, which was originally published in April, 2015. This action was taken in response to actions taken by Russian intelligence agencies during the 2016 presidential election cycle.

Amended EO 13694


The amendment of the so-called cyber response executive order does three things. First, it adds an annex {Annex A} to the Executive Order providing a list of specific people to whom the sanctions provided for in the order will apply. Second, it provides a new ‘offense’ for which sanction activities may be applied in the future {1(a)(ii)(E)}. Finally, it provides the Secretary of the Treasury with the authority to remove names from Annex A when “circumstances no longer warrant the blocking of the property and interests in property of a person listed in the Annex to this order” {new Section 10}.

The new annex includes four ranking members of the Russian Main Intelligence Department [GRU], the GRU and the Russian Federal Security Service, as well as two affiliated civilian organizations. Coincidentally, the Treasury Department also named two Russian individuals to the Specially Designated Nationals List (SDN) (the same list to which the persons and organizations in the Annex were added; see pages 356 through 360 for all of the additions made yesterday) for cyber fraud-related issues not related to the election.

The new offense was added as paragraph 1(a)(ii)(E):

Tampering with, altering, or causing a misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions;

Other Russian Sanctions


The White House also announced two other sets of sanctions against the Russian Government yesterday. First it is expelling 35 Russian diplomats (intelligence officers), giving them and their families 72 hours to leave the country. It is also denying remaining Russian diplomatic personnel access to two Russian owned properties in Maryland and New York.

Officially this action is not related to the reported Russian ‘interference’ in the 2016 election, but it is rather being taken because over the last two years “harassment of our diplomatic personnel in Russia by security personnel and police has increased significantly and gone far beyond international diplomatic norms of behavior”.

Russian reaction to these ‘other sanctions’ is already being reported. CNN reports that the Russians have “ordered the closure of the Anglo-American School of Moscow” (school for the children of English speaking diplomats) and closed “access to the US embassy vacation house in Serebryany Bor, near Moscow”.

Joint Analysis Report


Also yesterday the FBI and US-CERT issued a joint analysis report (JAR-16-20296A) on the election security compromises, code-named GRIZZLY STEPPE. This report is supposed to provide the technical support for the claim of Russian intelligence involvement in the hacks of the email systems of the Clinton Campaign and the Democratic National Committee.

While it does not provide any direct evidence of Russian involvement (that information almost certainly remains classified), the report does provide the indicators of compromise that are associated with those hacks. Those indicators include the YARA signature (in the report) and CSV and STIX format files of the indicators available on the GRIZZLY STEPPE web page.

The bulk of the JAR is a listing of mitigation measures that individuals and organizations can take to prevent similar attacks in the future. Unfortunately, there is nothing new here. All of the mitigation techniques should have been well known by the IT people responsible for the systems involved.

Commentary


The other sanctions being directed at diplomats here in the United States are a fairly common game played in the diplomatic community. The people being expelled are known intelligence personnel, almost certainly responsible for classic spying type operations here in the United States. Their expulsion will have some delaying effects on those spying efforts, but no effects of any long-term consequence. The US personnel that will be expelled from Moscow in retaliation will be responsible for similar efforts against the Russians.

It is very likely that the expulsions have nothing to do specifically with the election fiasco. Announcing them on the same day as the EO 13694 actions allows the press to conflate the two separate sanctions, making the EO 13694 sanctions seem more effective. The freezing of assets under EO 13694 may have some effect on the individuals and organizations listed, but only if they have clearly identified assets in the United States. Even that effect will be minimized if/when the individuals are ultimately removed from the Annex A list.

Congressional leaders on both sides of the fence are saying essentially: about time, but too little, too late. I’m not sure what the politicians want (other than blood?). I guess the CIA and NSA could hack the political emails of Putin cronies and leak them to the Russian press. I don’t suspect, however, that they would get the same play in Russia as we saw in the US press during the election.

That is the big point that is being lost here. There is nothing really new here in the hacks of the political emails; that is espionage, pure and simple. Intelligence agencies sharing that information with the press is unusual, but not unprecedented. Of course, if it had been ‘Deep Throat’ sharing the emails it would not have caused nearly the stir.

What was unprecedented was the huge amount of play that the American press gave the leaked emails, even when it was patently clear that it was a foreign intelligence agency responsible for the leak. If the press had not spent so much time talking about the petty squabbles and indiscretions of the party and campaign officials (and there was nothing new there in the level of squabbles or seriousness of indiscretions) then this whole thing would have been a non-issue that these sanctions would have been more than appropriate to deal with.


Unfortunately, we have not heard the last of this.

Monday, December 26, 2016

Treasury Publishes Cyber Insurance TRIA Guidance

The Treasury Department published a guidance notice in tomorrow’s Federal Register (81 FR 95312-95313) concerning the application of the Terrorism Risk Insurance Program (TRIP) to certain forms of stand-alone cyber liability insurance policies under provisions of the Terrorism Risk Insurance Act (TRIA) of 2002, as amended.

There have been concerns about whether or not cyber liability insurance policies are covered under the TRIP. In general, as of January 1st, 2017 “policies reported for state regulatory purposes under the Cyber Liability sub-line on Line 17—Other Liability of the NAIC's Exhibit of Premiums and Losses (commonly known as Statutory Page 14) are considered “property and casualty insurance” under TRIA.”

As expected with anything dealing with insurance, there are some caveats to that general guidance. For existing policies, those cyber liability policies are covered so long as:

• The insurer offered coverage for insured losses subject to the required disclosures under 31 CFR 50 Subpart B; or
• The insurer demonstrates that the appropriate disclosures were provided to the policyholder before the date of any certification of an act of terrorism.

As of April 1st, 2017, any new cyber liability policies will have to include those required disclosures when issued for the insurance to be covered under TRIP.

Commentary



Having sold insurance for a short while a large number of years ago (which makes me as qualified to advise about insurance as I am about legal matters – NOT), I know that details make a great deal of difference. If you want to ensure that your cyber liability insurance is covered under TRIP, get something in writing from the insurance company stating that your policy conforms to the guidance provided in tomorrow’s Federal Register. And then, get it reviewed by an insurance lawyer.

Sunday, December 25, 2016

DHS Publishes 2016 CSSS Presentations

This week the DHS Chemical Sector-Specific Agency (CSSA) finally got around to updating the Chemical Sector Security Summit (CSSS) web site to provide links to a number of the presentations for the 2016 CSSS that was held last July.

CSSS Presentations


As with all ten of the CSSS to date, the CSSA has not provided links to all of the presentations that were made at the CSSS, but the list of presentations included is informative and useful. This year’s list includes:

• Keynote Address (webcast) https://share.dhs.gov/p5wokztr7et/
• CFATS Update (webcast) https://share.dhs.gov/p5wokztr7et/
• Unmanned aerial systems https://share.dhs.gov/p1q16s5zpla/
• First Responder – Chemical Facility Response Planning https://share.dhs.gov/p9n0za7br14/
• What to Expect During a CFATS Inspection (webcast) https://share.dhs.gov/p8qeyz3qduq/
• Personnel Surety Program Overview https://share.dhs.gov/p13chl6f7m0/
• Compliance Inspections Lessons Learned (webcast) https://share.dhs.gov/p2o28kncglg/
• Chemical Security on a Global Front https://share.dhs.gov/p4qi18pazca/
• Chemical Facilities and Regional Resiliency Assessment Program – Lessons Learned https://share.dhs.gov/p1eou6o7gmw/
• DHS Voluntary Programs Update (webcast) https://share.dhs.gov/p3uyb44cbzy/ (slides - https://share.dhs.gov/p21djdnrym6/)

This is the first year that the CSSS included webcasts from the meeting. There were more webcasts available in real time, but the list above does include some interesting presentations. I really, again, want to congratulate DHS for including these webcasts in both the meeting and presentation list. I would also note David Wulf’s efforts (and those of the folks that work for him) in getting this done.

Sorry about showing the URLs, but I wanted to point out that at least someone at DHS is doing something to shorten the length of their links. Now, whether this particular method is a good thing or not is open to discussion because you cannot tell by looking at the URL what the link is to, nor if it is up to date. I also suspect that it might make spoofing a DHS site easier with a URL shortener site.

CSSA Web-Site


I do not follow the CSSA web site nearly as closely as I probably should. In fact, I only routinely (weekly) look at the CSSS web site for changes. In any case the CSSA updated their web site last month and it provides some links to some useful information, some of it even new.

I am disappointed, however, in the “Safety and Security for Small and Midsize Chemical Facilities” page. They definitely should take the word “chemical” off of the title since the page just provides links to probably valuable information for generic small and midsize businesses. Just sayin’.


On the much better side of the information available, if you click through a number of links, is a page from the Office of Bombing Prevention on a wide variety of courses on dealing with improvised explosive devices (IEDs), including planning, identification and response. I have not had a chance to check out any of the individual on-line courses, but this looks like a wealth of good information that security managers at any type of facility should have.

Saturday, December 24, 2016

Future ICS Security News

Those readers who follow me on Twitter®, LinkedIn® or FaceBook® may have noticed last night that I have started a new writing project, Future ICS Security News. I am using this new platform to look at control system security from a slightly different perspective: what could happen with existing control system vulnerabilities.

I have been thinking about how to approach this project for about a year now. I had first thought of self-publishing a series of short-stories about control system security issues where the protagonists were involved with or affected by system hacks. I tried my hand at a couple, but they were a lot more work than I was willing to put into this project.

Because of the recent spate of news stories about ‘fake news’ in social media during the recent election cycle, I started thinking about doing this as a series of news stories about as-of-yet non-existent cyber-attacks on control systems. I tried my first one last night and was happy enough with the results to start a new ‘blog’ post on Google®, Future ICS Security News.

The first post, Local Student Arrested for Airline Incident, did not take much more time to write than a standard blog post. It was very loosely based upon an article I read about continuing work Ruben Santamarta has been doing with airline entertainment system vulnerabilities. Now my story has no technical details in it (because I don’t know any), so it takes a ‘what if?’ approach to looking at the problem. My answer to that question is my fault, not Ruben’s.

I really do like the fake news story approach. It lets me do a story with minimal character development or conversations (both story writing techniques that I find time consuming to do right) yet still look at potential control system security consequences. It also allows me to have a little fun with puns (watch names) and insider jokes.

I am not yet sure how often I will be doing new ‘news stories’. I’ll have to see what kind of reader response that I get and how often the story ideas strike me.


This will probably be the last time that I mention one of these stories here. I will be announcing the publication of each new story on Twitter, LinkedIn and Facebook. Feel free (PLEASE) to pass the links around; I would love for these stories to reach an audience outside of the control system security community. Maybe even have a congresscritter cite one during a debate in committee or even on the floor. Onion has managed that, why can’t I? (GRIN)

TSA Security Training NPRM - §1570 Rewrite

This is the second in a continuing series of blog posts about the recent TSA NPRM on security training for surface transportation organizations. Earlier posts in the series included:


The current 49 CFR 1570 addresses the General Rules of Subchapter D, Maritime and Land Transportation. The primary focus has been on the Transportation Workers Identification Credential (TWIC) enforcement process by TSA. This NPRM proposes a complete re-write of the section to more broadly provide the general rules for enforcement of all surface transportation requirements, current and those proposed in this rule. The only sections that have not been rewritten are §1570.1, outlining the scope of the section’s requirements, and §1570.5, prohibiting fraud in record keeping under the subchapter.

Definitions


As I mentioned in the earlier post, TSA is making a number of changes to §1570.3, Definitions. A large number of the changes are simply moving definitions from other sections of 49 CFR Chapter XII or referencing other definitions in other portions of the Code of Federal Regulations. TSA is, however, adding five new definitions to help provide clarity to other specific definitions used in the modal portions of this rule. Those new definitions are:

Employee;

The last two are not really defined in §1570.3; they simply refer to the actual definitions in the modal sections of the proposed rule.

Provisions Moved


The rewrite of §1570 includes moving three of the current provisions of the section to new subparts of the section. The two TWIC specific sections (§1570.7, Fraudulent use or manufacture; responsibilities of persons; and §1570.9, Inspection of credential) have been moved to the new Subpart D, Security Threat Assessments (to Sections 1570.301 and 1570.303 respectively). Also moved to this subpart is §1570.13, False statements [by employers] regarding security background checks. This was moved to §1570.305.

Security Responsibilities


While most of the rule applies to owner/operators, §1570.7 specifically clarifies that all individuals are required to comply with the security requirements established under this rule. Every attempt was made to make the wording as inclusive as possible in describing the ways that security measures could be contravened. For example, the proposed §1570.7(a)(1) states that no person may: “Tamper or interfere with, compromise, modify, attempt to circumvent, or cause another person to tamper or interfere with, compromise, modify, or attempt to circumvent any security measure implemented under this subchapter.”

The problem with such attempts at making all-inclusive language is that someone slightly more creative can come up with something not covered. For instance, the paragraph does not prevent someone from knowingly allowing someone else ‘to tamper or interfere with…’

After developing the detailed inclusive language described above, someone realized that the regulation would effectively prohibit TSA, DHS and corporate inspectors from trying to test security measures. Thus, paragraph (b) was added to exempt inspectors from the prohibitions listed in paragraph (a).

Security Programs


Subpart B of §1570 is completely new in the proposed rule. It establishes the general security program requirements for surface transportation. The requirements in this section are fairly generic with the details being provided in the new modal sections being proposed in the NPRM. The three most important parts of this subpart are found in §1570.105, §1570.109 and §1570.111.

Section 1570.105 establishes the methodology for determining if an organization is covered by the new rules in the NPRM. First TSA has established the criteria for determining if an organization would be covered. The detailed requirements are found in the modal sections {§1580.101 – FR; §1582.101 – PT; and §1584.101 – OTRB}. Then organizations are required to review those requirements and notify the TSA if they are a covered organization. Organizations would have 90 days to make that notification.

This self-identification of coverage is almost certainly going to result in the lack of 100% coverage of the organizations that should report their coverage. The major players will all self-report within the specified time (30 days after the final rule effective date), but there will be some number of smaller players (probably highest in the OTRB category) that, through either negligence or malfeasance, will fail to self-identify.

To overcome this problem, TSA is going to have to have an effective outreach program to ensure that all of the potentially affected organizations know about the reporting requirements. As we know from the CFATS program and the West Fertilizer incident, the agency will be criticized when an incident happens involving an organization that did not appropriately self-identify and complete the subsequent regulatory requirements.

Section 1570.109 provides the regulatory time-table for completing the remaining regulatory requirements of this surface-transportation training program:

• 90-days from the effective date of the regulation to submit initial training plan for approval for affected organizations in existence when the final rule becomes effective;
• 90-days from the start of operations or modification of operations to submit initial or revised training plan after the effective date of the regulations; and
• 30-days to submit a petition for reconsideration after receiving from the TSA a notice to modify the training plan.

Similarly, §1570.111 provides the time-table for the implementation of the training program. Time limits have been set for initial training under a new/revised training program (1-year), training of new employees under an existing training program (60-days), and recurrent training (every year ± one month).

Operations


Subpart C addresses two requirements, both of which were previously seen in the existing §1580 requirements for freight railroad carriers and passenger railroad carriers. The proposed rule would make those requirements apply to public transportation systems and Those requirements are

§1570.201 – Security Coordinator; and

§1570.203 – Reporting significant security concerns

Friday, December 23, 2016

OMB Approves National Industrial Security Program NPRM

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a notice of proposed rulemaking (NPRM) from the National Archives and Records Administration’s (NARA) Information Security Oversight Office (ISOO) proposing changes to the National Industrial Security Program (NISP – 32 CFR 2004). This rule implements provisions of Executive Order 12829 and the insider threat provisions of Executive Order 13587.


This rulemaking may have effects on organizations receiving, storing, or producing classified threat intelligence information including cybersecurity threat information.

ICS-CERT Publishes Two Advisories and Updates Five

Yesterday the DHS ICS-CERT published two control system security advisories for products from Wago and Fidelix. It also published updates for previously issued advisories for products from Moxa (2), iRZ, Resource Data Management, Environmental Systems and Siemens.

Wago Advisory


This advisory describes an authentication bypass vulnerability in the WAGO Ethernet Web-based Management products. The vulnerability was reported by Maxim Rupp. WAGO has produced a firmware update and workarounds to mitigate the vulnerability. There is no indication that Rupp has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled hacker could remotely exploit this vulnerability to view and edit settings without authenticating.

Fidelix Advisory


This advisory describes a path traversal vulnerability in the Fidelix FX-20 series controllers. The vulnerability was reported by Semen Rozhkov of Kaspersky Lab. Fidelix has produced a new software version that mitigates the vulnerability. There is no indication that Rozhkov has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to read data from the device.

Moxa EDR-G903 Update


This update provides additional information on an advisory that was originally published on May 17th, 2016. It changes the name of one of the vulnerabilities from ‘memory leak’ to ‘information exposure’. On the unauthenticated download vulnerability, the CVSS vector string has a change in the ‘A’ component at the end from ‘H’ to ‘N’.

iRZ Update


This update provides additional information on an advisory that was originally published on May 17th, 2016. It changes the CVSS v3 base score from 6.1 to 7.2 and changes two components of the CVSS vector string: ‘UI’ from ‘R’ to ‘N’ and ‘C’ from ‘N’ to ‘H’.

Resource Data Management Update


This update provides additional information on an advisory that was originally published on May 19th, 2016. It changes the CVSS v3 base score on the cross-site request forgery vulnerability from 6.5 to 8.0 and changes three components of the CVSS vector string for the same vulnerability: ‘UI’ from ‘N’ to ‘R’, ‘C’ from ‘N’ to ‘H’, and ‘I’ from ‘N’ to ‘H’.

Moxa MiiNePort Update


This update provides additional information on an advisory that was originally published on May 24th, 2016. It changes the CVSS v3 base score on the cross-site request forgery vulnerability from 6.1 to 9.6 and changes three components of the CVSS vector string for the same vulnerability: ‘UI’ from ‘R’ to ‘N’, ‘C’ from ‘L’ to ‘H’, and ‘I’ from ‘N’ to ‘H’.
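The iRZ, Resource Data Management and MiiNePort updates above report only which vector components moved and the resulting base score. The following CVSS v3.0 base-score calculator is an added example (not code from ICS-CERT, Moxa or any of the vendors) that applies the MiiNePort-style edits (UI R→N, C L→H, I N→H) to a constructed baseline vector and returns both scores; the baseline vector is an assumption, since the advisories' full vector strings are not given here.

```python
"""CVSS v3.0 base-score calculator for checking advisory score changes.

Added example, not code from ICS-CERT or any vendor. The updates above list
only the vector components that changed, so the baseline vector used in the
demo is constructed (an assumption), not the advisory's actual vector.
"""
import math
import re

# Metric weights from the CVSS v3.0 specification.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
PR_SCOPE_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
PR_SCOPE_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.50}  # PR weighs more when S:C
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}

METRIC_ORDER = ["AV", "AC", "PR", "UI", "S", "C", "I", "A"]
VECTOR_RE = re.compile(
    r"^CVSS:3\.0/AV:([NALP])/AC:([LH])/PR:([NLH])/UI:([NR])/S:([UC])"
    r"/C:([HLN])/I:([HLN])/A:([HLN])$"
)


def parse_vector(vector):
    """Split a v3.0 base vector string into a {metric: value} dict."""
    m = VECTOR_RE.match(vector)
    if m is None:
        raise ValueError("not a CVSS v3.0 base vector: %r" % vector)
    return dict(zip(METRIC_ORDER, m.groups()))


def format_vector(metrics):
    """Rebuild the canonical vector string from a metrics dict."""
    return "CVSS:3.0/" + "/".join("%s:%s" % (k, metrics[k]) for k in METRIC_ORDER)


def roundup(value):
    """Round up to one decimal place.

    Uses the integer form introduced in the v3.1 specification so that a
    value such as 6.0000001 (pure float error) does not become 6.1.
    """
    scaled = int(round(value * 100000))
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (math.floor(scaled / 10000) + 1) / 10.0


def base_score(metrics):
    """Compute the v3.0 base score from parsed metrics."""
    scope_changed = metrics["S"] == "C"
    iss = 1.0 - ((1.0 - CIA[metrics["C"]])
                 * (1.0 - CIA[metrics["I"]])
                 * (1.0 - CIA[metrics["A"]]))
    if scope_changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    pr_table = PR_SCOPE_CHANGED if scope_changed else PR_SCOPE_UNCHANGED
    exploitability = (8.22 * AV[metrics["AV"]] * AC[metrics["AC"]]
                      * pr_table[metrics["PR"]] * UI[metrics["UI"]])
    if impact <= 0:
        return 0.0
    if scope_changed:
        return roundup(min(1.08 * (impact + exploitability), 10.0))
    return roundup(min(impact + exploitability, 10.0))


def score_vector(vector):
    """Parse a vector string and return its base score."""
    return base_score(parse_vector(vector))


def rescore(vector, changes):
    """Apply {metric: new_value} edits; return (old_score, new_vector, new_score).

    The edited vector is re-parsed, so an illegal value (e.g. UI:X) raises
    ValueError instead of silently producing a score.
    """
    metrics = parse_vector(vector)
    for metric, new_value in changes.items():
        if metric not in metrics:
            raise KeyError("unknown metric %r" % metric)
        metrics[metric] = new_value
    new_vector = format_vector(metrics)
    return score_vector(vector), new_vector, score_vector(new_vector)


# Constructed baseline for a CSRF-style finding (assumption, not the advisory's vector).
BASELINE = "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"
# The component changes the MiiNePort update describes.
MIINEPORT_CHANGES = {"UI": "N", "C": "H", "I": "H"}

if __name__ == "__main__":
    old, new_vector, new = rescore(BASELINE, MIINEPORT_CHANGES)
    print("%s -> %.1f" % (BASELINE, old))
    print("%s -> %.1f" % (new_vector, new))
```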

Environmental Systems Update


This update provides additional information on an advisory that was originally published on May 26th, 2016, and then updated on June 2nd, 2016. It changes the CVSS v3 base score on the authentication bypass vulnerability from 7.5 to 9.1.

Siemens Update


This update provides additional information on an advisory that was originally published on November 8th, 2016 and then updated on November 22nd, 2016. It updates both the affected version and mitigation information for SIMIT V9.0 SP1 and Security Configuration Tool (SCT) V4.3 HF1. Siemens has updated their security advisory and reported this update via a tweet on Wednesday.

Commentary


This cluster of incorrect CVSS v3 base scores and vector strings from May of this year is interesting. As of this date it does not apparently affect all the advisories produced during that period and only affects one of the reported vulnerabilities in multiple vulnerability advisories. This would seem to indicate that it was not a systemic problem, but rather human error. While we would like to think that the folks at ICS-CERT were perfect, alas they are only human.


I am impressed with the four updates addressing these CVSS related errors. I’m not sure what instigated the review of these advisories, but their publication does demonstrate a high level of integrity and attention to detail. ICS-CERT is to be commended on publishing them.

Wednesday, December 21, 2016

114th Congress Cybersecurity Legislation

With less than two weeks left until the 114th Congress ends on January 3rd, 2017 it is a good time to look at the record of this session of Congress to see how much work was accomplished in the legislative arena on cybersecurity issues. While I would like to be able to focus just on control system security issues, there were very few bills that focused on, or even mentioned, that topic. So for this post I will focus on general cybersecurity issues while ignoring strictly breach notification bills and cybersecurity bills that focused on government IT issues.

House


Members of the House introduced 38 bills that addressed cybersecurity issues and passed 17 of those bills. Sixteen of those bills did not make it to consideration in the Senate. Those sixteen bills were:

HR 3586 - Border and Maritime Coordination Improvement Act – Includes cybersecurity;
HR 4909 - National Defense Authorization Act for Fiscal Year 2017 – Includes cybersecurity;
HR 5293 - Department of Defense Appropriations Act, 2017 – Includes cybersecurity;
HR 5388 - Support for Rapid Innovation Act of 2016 – Includes cybersecurity;
HR 5389 - Leveraging Emerging Technologies Act of 2016 – Includes cybersecurity;
HR 6393 - Intelligence Authorization Act for Fiscal Year 2017 – Includes cybersecurity;

Note that six of those sixteen bills were not principally cybersecurity bills, but did include significant cybersecurity provisions. This was the first session of congress to include cybersecurity measures in other bills (excluding authorization and appropriations bills).

The one House bill with cybersecurity provisions that did make it to the President’s desk was HR 2029. That was the Consolidated Appropriations Act of 2016 (PL 114-113) and it included the Cybersecurity Act of 2015. This was the long awaited information sharing bill that Congress had been trying to pass for the last six years in one form or another.

Senate


With less than a quarter of the members of the House the Senate still introduced 22 cybersecurity related bills in the 114th Congress. Only two of those bills passed and one (FY 2016 NDAA – PL 114-92) made it to the President’s desk for signature.

S 1356 - National Defense Authorization Act for Fiscal Year 2016 – Includes cybersecurity;

It should be noted that portions of S 754 made it into the Cybersecurity Act of 2015 as did portions of HR 234, the Cyber Intelligence Sharing and Protection Act, which saw no formal action in the House.

115th Congress


With the amount of press coverage of cybersecurity issues in the recent presidential election (not so much in the realm of policy discussions from the campaigns) it is easy to guess that cybersecurity will remain a topic of concern in the 115th Congress. It is hard to imagine that the Republican controlled Congress will do much to require the regulation of cybersecurity in the private sector, but I do suspect that we will see continued interest in information sharing from federal agencies to the private sector.

There will be continued discussion in the military and intelligence appropriations and authorization bills about the role of cyber retaliation for attacks on Federal agencies and major societal institutions.

The big unknown for those of us that watch the Congress is trying to predict what type of cyber incident will produce a knee-jerk reaction from the politicians on the order of a cyber patriot act. A control system incident that results in death or major infrastructure damage is very likely to inspire that type of political over-reaction, especially if it is linked to a foreign government or terrorist organization. Whether or not a lesser incident will produce a similar response remains to be seen.

FERC Publishes CEII Revision Final Rule

Today the DOE’s Federal Energy Regulatory Commission (FERC) published a final rule implementing changes to the Critical Energy Infrastructure Information (CEII) program mandated by §61003 (16 USC 824o–1) of the Fixing America's Surface Transportation (FAST) Act (PL 114-94). The notice of proposed rulemaking (NPRM; FERC uses a different acronym – NOPR) was published in June of this year. This rule is unlikely to be overturned by the 115th Congress.

Congressional Mandate


The FAST Act required FERC to:

• Establish criteria and procedures to designate information as critical electric infrastructure information;
• Prohibit the unauthorized disclosure of critical electric infrastructure information;
• Ensure there are appropriate sanctions in place for Commissioners, officers, employees, or agents of the Commission or the Department of Energy [DOE] who knowingly and willfully disclose critical electric infrastructure information in a manner that is not authorized by the statute; and
• Facilitate voluntary sharing of critical electric infrastructure information between, and by Federal, State, political subdivision, and tribal authorities; the Electric Reliability Organization; regional entities; information sharing and analysis centers; owners, operators, and users of critical electric infrastructure in the United States; and other entities determined appropriate by the Commission.

CEII


A number of commenters on the NPRM requested that the Commission provide more details on what constitutes CEII. The preamble to this rule notes that §824o-1(a)(2) provides a definition of CEII. As a result FERC does not see any need to provide additional guidance on what constitutes CEII. FERC reminds commenters that CEII protections only apply to information submitted to FERC and DOE so no other agencies (including the NRC) may designate information CEII. That does not, however, prohibit other agencies from providing protections to electric grid related information submitted to non-DOE agencies.

Protection of CEII and CUI


FERC declined to provide clarification of what constitutes ‘a secure place’ for storing CEII. The preamble to this rule failed to note that, by not specifying regulatory requirements for storing CEII, the controlled unclassified information (CUI) regulations of the National Archives and Records Administration provide the controlling authority to define those requirements (including NIST SP 800-171 for electronic storage and transmission), since CEII is a covered CUI listed in the CUI registry.

Effective Date


This rule will become effective on February 21st, 2017. As I noted earlier, this rule is unlikely to be considered for review by the 115th Congress. The rule implements requirements set by the Republican 114th Congress so there will be little impetus for essentially the same Congress to negate this rulemaking even though it fulfills many of the definitional requirements of a ‘midnight rule’.

Commentary


The CEII program only protects information submitted to FERC and the DOE from disclosure by those agencies or personnel with whom those agencies share the information. It does not establish any requirements for protection of that information by submitting organizations. The only drawback that I see is that FERC/DOE are not required to make a determination that the information actually qualifies for CEII protections until the CEII Coordinator at FERC makes that determination in response to a request for the information.


FERC maintains in this rulemaking that they protect submitted information as if it were CEII until such determinations are made. I think that a good lawyer for a whistleblower could maintain that any disclosures of information by a FERC/DOE employee prior to a determination being made by the CEII Coordinator. To my mind it would make more sense to declare all submitted material CEII upon receipt and then to remove that declaration when appropriate when the CEII Coordinator is asked to review the information for possible release.

OMB Approves EPA Chemical Safety Final Rule

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that they had approved a final rule from the EPA implementing changes to the Clean Air Act regulations; the “Modernization of the Accidental Release Prevention Regulations under Clean Air Act”. This rule addresses changes to the Risk Management Program identified as a result of the President’s EO 13650 review of chemical safety and security programs. The notice of proposed rulemaking was published in March of this year. I did a series of blog posts about that NPRM.

This rule will certainly be included in any list of accomplishments of the Obama Administration; whether or not it withstands congressional review in the 115th Congress. For better or worse this will be a signature piece of chemical safety regulation.


It will be interesting to see if the EPA tried to craft a rule that would withstand that review or whether they went with a straight implementation of the NPRM. I suspect the latter, given the surprising (in most quarters) election of Donald Trump instead of Hillary Clinton to head the next administration. Clinton would have been expected to veto any congressional review negating this rule.

Siemens Desigo PX Web modules

Yesterday the DHS ICS-CERT published a control system security advisory for an insufficient entropy vulnerability in the Siemens Desigo PX Web modules. The vulnerability was reported by Marcella Hastings, Joshua Fried, and Nadia Heninger from the University of Pennsylvania. Siemens has produced a firmware update to mitigate the vulnerability. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that while the vulnerability is remotely exploitable, an exploit would be difficult to craft. A successful exploit could allow an attacker to recover private keys used for HTTPS in the integrated web server.

Siemens reported this vulnerability in a tweet last Friday. The Siemens security advisory notes that the Desigo PX Web modules are used in building automation systems.


NOTE: Over the last year there has been an increasing number of exploit reports from university programs. It would seem that there is an increase in the number of academic programs looking at control system security issues. This is certainly a plus for the community, both in terms of vulnerability reports and in the number of people explicitly being trained in control system security issues.

Sunday, December 18, 2016

TSA Publishes Surface Transportation Security Plan ANPRM

On Friday the DHS Transportation Security Administration (TSA) published an advance notice of proposed rulemaking (ANPRM) in the Federal Register (81 FR 91401-91416) concerning surface transportation vulnerability assessments and security plans (VASP). This is another longstanding requirement from Congress dating back to 2007. Those requirements are outlined in 6 USC 1162 (railroads, both freight and passenger) and 6 USC 1172 (over-the-road bus – OTRB – companies).

Congressional Mandate


The congressional mandate prescribed that TSA tier rank railroads and OTRBs based upon risk of terrorist attack. Additionally, Congress required that TSA establish regulations to prescribe that identified high-risk railroads and OTRBs:

• Conduct a vulnerability assessment;
• Identify a security coordinator; and
• Prepare and submit security plans to TSA for approval.

These requirements were supposed to have been in place in 2008.

Cybersecurity Requirements


Interestingly the congressional mandate specifically identified two separate cybersecurity requirements in the vulnerability assessment obligations. First was the specific inclusion of ‘information systems’ in the list of potential critical assets and infrastructure to be evaluated {§1162(d)(1)(A) and §1172(d)(1)(A)}. Second, in the list of areas in which companies were to be required to identify weaknesses, Congress specifically included “the security of programmable electronic devices (emphasis added), computers, or other automated systems” {§1162(d)(1)(C)(iii) and §1172(d)(1)(C)(iii)}.

TSA Questions


TSA starts this ANPRM with the assumption that “many higher-risk railroads (freight and passenger), public transportation agencies, and over-the-road buses (OTRBs) have implemented security programs with security measures similar to those identified by the 9/11 Act's regulatory requirements.” With that in mind TSA is looking for information on three topics:

• Existing practices, standards, tools, or other resources used or available for conducting vulnerability assessments and developing security plans;
• Existing security measures, including whether implemented voluntarily or in response to other regulatory requirements, and the potential impact of additional requirements on operations; and
• The scope/cost of current security systems and other measures used to provide security and mitigate vulnerabilities.

Additionally, TSA has included in the ANPRM a list of thirteen specific questions that it would like to see answered by surface owner/operators that have conducted vulnerability assessments of security systems/operations. TSA also provides lists of questions about:


Public Feedback


TSA is soliciting public feedback on this ANPRM. Written comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov, Docket # TSA-2016-0002). Comments should be submitted by February 14th, 2017.

Commentary


This is very early in the rulemaking process and this ANPRM (as is usual) does not provide a lot of indication about how TSA currently envisions the regulatory process. The only real insight provided is the list of entities that TSA expects might be affected by this rulemaking. It should not be a surprise that Class 1 railroads and any railroad transporting rail security-sensitive materials (RSSM) in a high-threat urban area (HTUA) are specifically included.

Throughout the ANPRM TSA makes the point that many of the potentially regulated entities already have vulnerability assessments and security plans in place. This is based upon a number of voluntary ‘inspections’ TSA surface inspectors have done over the years. In order to show a cost-effective regulation, TSA is going to have to make every effort to allow existing effective processes to be used to meet any regulatory requirements.


Interestingly though, TSA is careful to mention ‘many existing’ not ‘most existing’ to describe current effective programs in this ANPRM. This does not provide a great deal of confidence in the current security situation almost ten years after these requirements were established by Congress.

Saturday, December 17, 2016

TSA Publishes Security Training NPRM

Yesterday the DHS Transportation Security Administration (TSA) published in the Federal Register (81 FR 91336-91401) their long-awaited rule on security training for surface transportation employees. Not only does this rule provide proposed requirements for training employees of railroads (both passenger and freight) and over-the-road bus (OTRB) companies, but it also makes supporting revisions to several other surface transportation security regulations.

According to the summary in the preamble to this NPRM the proposed rule would:

• Require security training for employees of higher-risk freight railroad carriers, public transportation agencies (including rail mass transit and bus systems), passenger railroad carriers, and over-the-road bus (OTRB) companies;
• Owner/operators of these higher-risk railroads, systems, and companies would be required to train employees performing security-sensitive functions, using a curriculum addressing preparedness and how to observe, assess, and respond to terrorist-related threats and/or incidents;
• Expand current requirements for rail security coordinators and reporting of significant security concerns (currently limited to freight railroads, passenger railroads, and the rail operations of public transportation systems) to include the bus components of higher-risk public transportation systems and higher-risk OTRB companies;
• Make the maritime and land transportation provisions of TSA's regulations consistent with other TSA regulations by codifying general responsibility to comply with security requirements; compliance, inspection, and enforcement; and procedures to request alternate measures for compliance; and
• Add a definition for Transportation Security-Sensitive Materials (TSSM). Other provisions are being amended or added, as necessary, to implement these additional requirements.

Definitions


In this rulemaking TSA is proposing to add a large number of definitions to 49 CFR 1500. Many of these definitions are being adopted from other places in the CFR. New and revised definitions being added include:


Training Requirements


The general security training requirements are outlined in the new Subpart B of 49 CFR 1570. Modal specific requirements will be found at §1580.115 (freight rail - FR), §1582.115 (public transportation and passenger rail - PT), and §1584.115 (OTRB). The modal specific requirements are all essentially the same with some minor wording variations reflecting some basic differences in the type of transportation provided.

Owner/operators would be given 90 days from the adoption of the final rule to complete their development of a security training program and to submit that program to TSA for review and approval. TSA would be given 60 days to approve the program or require changes to be made. Existing employees would then have to be trained in accordance with the submitted training program within one year. New employees in security-sensitive positions could work up to 60 days under ‘direct supervision’ (not specifically defined) before receiving the required training.

There would be four required components to be covered in the training:

• Prepare;
• Observe;
• Assess; and
• Respond.

Public Comments


The TSA is soliciting public comments on this NPRM. Written comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # TSA-2015-0001). Comments should be submitted by March 16, 2017.

In addition to comments about the actual proposed rulemaking (much of which is mandated by law), the TSA is also seeking specific feedback on five questions concerning implementation of the rule:

• The preferred avenue to submit security training programs to TSA, such as through email, secure Web site, or mailing address;
• TSA is proposing to use accumulated days of employment as one of the factors triggering whether an employee must be trained and requests comment specifically on how to calculate accumulated days and to ensure contractors are not used to avoid the requirements of this proposed rule;
• The use of previous training to satisfy requirements in the proposed rule;
• Options for harmonizing the proposed training schedule with existing training schedules and for adding efficiencies with other relevant regulatory requirements, including identification of any laws, regulations, or orders not identified by TSA that commenters believe would conflict with the provisions of the proposed rule; and
• Options for ensuring training is effective in the absence of proficiency standards.

Commentary


TSA is going to be between a rock and a legal hard place when it comes to the bulk of the legitimate (more on ‘legitimate’ below) comments that it receives. Industry is going to complain large and loud about how comprehensive (and over-reaching) the training requirements are in this NPRM and how short the time frame is for them to submit training programs to TSA for approval. Unfortunately for TSA both of these issues are spelled out in detail in the Congressional mandate for this training requirement (6 USC 1137 – PT; 6 USC 1167 – FR; and 6 USC 1184 – OTRB).

Two of the Congressional training requirements are going to be particularly difficult to implement:

• Appropriate responses to defend oneself, including using nonlethal defense devices; and
• Training related to behavioral and psychological understanding of, and responses to, terrorist incidents, including the ability to cope with hijacker behavior, and passenger responses.

If the first presupposes that employees have an obligation to defend themselves (as opposed to providing legal cover for their doing so) then there are going to be some legal objections from employers and compensation issues (medical and legal counsel) raised by employees and their representatives.

The second could be a master’s level course in applied psychology and hardly appropriate for first line employees; the vast majority of whom will never see a terrorist attack.

Neither of these requirements is adequately addressed in the proposed language. For example the self-defense language is limited to: “Use any applicable self-defense devices or other protective equipment provided to employees by the owner/operator.” {proposed §1582.115(f)(3)} The second is simply not addressed in the requirement to interact “with the public and first responders at the scene of the threat or incident, including communication with passengers on evacuation and any specific procedures for individuals with disabilities and the elderly” {proposed §1582.115(f)(2)}. There is nothing about understanding and responding to the terrorists involved in the incident.

Legitimate responses – The earlier ANPRM also requested public feedback and it did receive lots of feedback; much of it vitriolic. Reading most of the comments from individuals you can clearly see that many people object to anything that the TSA tries to do based solely on their interactions with TSA screeners at the airports. The ANPRM was issued during the height of the complaints about new TSA pat-downs and the improved screening devices and many of the comments reflected that.

There is nothing in this NPRM (nor was there in the ANPRM) about the use of TSA screeners for surface security applications. While there may have been an increase in concerns about protecting public transportation against the increased number of personal (as opposed to wholesale) terrorist attacks on European public transit, nobody is proposing (for economic reasons if nothing else) to extend airport type passenger screening to public transportation or OTRB operations. Hopefully, commenters on this rule will realize that and limit their comments appropriately.

One last point. In a response to my earlier post about this NPRM being approved by OMB I was told by a colleague in the training community that they had been told by a transportation company that this rulemaking would not go forward under the Trump Administration. I think that it is way too early to tell what the new administration will or will not do with regards to regulatory reform, but I am certain that there will be new regulations promulgated by the Federal government over the next four (eight?) years.

Whether or not this specific rule will move forward remains to be seen. There has been a strong push by congressional committees (all Republican controlled) for TSA to complete this rulemaking. Anyone that declines to raise legitimate issues in the rulemaking process based upon their belief in future inaction upon the part of the TSA is making a potentially big mistake. The only thing that is certain to kill this rulemaking is a general showing that the cost of implementation is too high relative to the potential benefits. That would require that industry provide detailed feedback on the cost of implementation. And, potential providers of the required training owe it to their future business in this area to provide some realistic cost estimates about the development of training packages.


One more last point (really last this time). There is no mention of any cybersecurity aspect in these training requirements. Given the increased and mandated use of positive train control technology, the security of the control systems involved should have been addressed in this rulemaking. But, of course, Congress did not consider it when they established the mandate back in 2007 (nobody did then) so the TSA ignored the issue.

Friday, December 16, 2016

PHMSA Submits Crude Oil Volatility ANPRM to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received an advance notice of proposed rulemaking (ANPRM) from DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) concerning a potential rulemaking setting volatility standards for the safe shipment of crude oil. This rulemaking first appeared in the Fall 2016 Unified Agenda.

According to the abstract in the Unified Agenda this rulemaking is being considered because of a petition for rulemaking submitted by the Attorney General of the State of New York regarding vapor pressure standards for the transportation of crude oil. PHMSA could potentially apply vapor pressure standards to crude oil shipments and other class 3 materials.

Even if this ANPRM is published before January 20th (not very probable given the holidays and other time constraints), it is unlikely that this rulemaking would proceed under the Trump Administration because of the opposition of crude oil and other flammable liquid shippers.


Note: I have discussed some of the issues related to measuring crude oil volatility in my blog post about the introduction of HR 1679. The failure of that bill to even be considered in Committee is probably indicative of the lack of interest in Congress and the Republican leadership in general in considering this type of regulation.

Thursday, December 15, 2016

ICS-CERT Publishes Two Advisories

Today the DHS ICS-CERT published two control system security advisories for products from OmniMetrix and Fatek Automation.

OmniMetrix Advisory


This advisory describes two vulnerabilities in the OmniMetrix OmniView web application. The vulnerabilities were reported by Bill Voltmer of Elation Technologies LLC. OmniMetrix has produced a new version that mitigates the vulnerabilities. There is no indication that Voltmer was provided an opportunity to verify the efficacy of the fix.

The reported vulnerabilities are:

• Cleartext transmission of sensitive information - CVE-2016-5786; and
• Weak password requirements - CVE-2016-5801

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to control the operation of backup generators connected to the compromised account.

Fatek Automation Advisory


This advisory describes a stack-based buffer overflow vulnerability in the Fatek Automation PLC WinProladder application. The vulnerability was reported by an unidentified researcher through the Zero Day Initiative. ICS-CERT reports that Fatek Automation will not produce a new version to mitigate this vulnerability. ZDI, on the other hand, reports that Fatek Automation will be producing a new version. There is no mention of the vulnerability on the Fatek Automation web site.


ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to perform a number of malicious actions including arbitrary code execution.

Wednesday, December 14, 2016

OMB Approves NHTSA V2V NPRM

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a notice of proposed rulemaking (NPRM) from the National Highway Transportation Safety Administration (NHTSA) on vehicle-to-vehicle (V2V) communications. The advance notice of proposed rulemaking (ANPRM) for this was published in August 2014.

The abstract for this rulemaking in the Fall 2016 Unified Agenda only provides a generic description of what V2V is, not how the agency plans to regulate those communications. It does note that V2V will form the backbone for future vehicle automation processes.

The ANPRM for this rulemaking was more about asking questions about V2V potential problems and solutions than proposing any actual regulatory language. We will have to wait and see the NPRM when it is published to find out what sort of requirements will be outlined in the new regulations. Hopefully, communications security and vulnerability reporting will be included in the NPRM.


There has been a long delay in the last six months between the OIRA approval of a rulemaking and publication of that rule in the Federal Register. This is undoubtedly due to Administration concerns with perceptions of midnight rulemaking, even with a rulemaking that has been in the works for as long as this one has.

House Accepts Senate Amendment to HR 710 – TWIC Assessment Act

Yesterday during a proforma session, the House accepted the Senate’s amendment to HR 710, the Essential Transportation Worker Identification Credential (TWIC) Assessment Act. There was no debate and no vote (not that there were more than about 4 members present), the amendment being adopted under the unanimous consent process. Five other bills (HR 1150, HR 4939, S 8, HR 3842, and HR 6302) were also passed in the same manner. None of those bills will be of specific interest to readers of this blog.

The new version of HR 710 includes provisions concerning:

• Credential improvements;
• Comprehensive security assessment of the transportation security card program;
• Corrective action plan development; and
• Inspector General review.


This bill remains a study and report bill with no new funding and no new specific requirements for the TWIC program. Earlier versions of this bill included a variety of requirements for restricting implementation of rulemakings pending reports to Congress, but there are no such provisions in this version being sent to the President.

ICS-CERT Publishes 5 Advisories and Strategy Document

Yesterday the DHS ICS-CERT published five control system security advisories for products from Siemens (2), Delta Electronics, Moxa, and Visonic. Additionally, it published information about a new US – Canada agreement on a strategy for protecting the electric grid from both man-made and natural events.

Siemens S7 Advisory


This advisory describes two vulnerabilities in the Siemens S7-300 and S7-400 programmable logic controllers. The vulnerabilities were reported by Zhu WenZhe from Beijing Acorn Network Technology. Siemens has published interim mitigation guidance pending the production of an actual fix for the vulnerabilities.

The reported vulnerabilities are:

• Inadequate encryption strength - CVE-2016-9159; and
• Protection mechanism failure - CVE-2016-9158

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to effect a denial-of-service condition or credential disclosure. Siemens notes that an attacker would have to have network access to the device.

NOTE: Siemens announced this vulnerability in a tweet last Friday.

Siemens SIMATIC Advisory


This advisory describes an ActiveX vulnerability in the Siemens SIMATIC WinCC and SIMATIC PCS 7. The vulnerability was reported by Mingzheng Li from Acorn Network Security Lab. Siemens has produced a new version to mitigate the vulnerability. There is no indication that Li has been provided an opportunity to verify the fix.

ICS-CERT reports that this vulnerability requires a social engineering attack and is thus not remotely exploitable. The Siemens security advisory simply notes that an attacker must have control of a web site “that is allowed to execute ActiveX components”. A successful attack could allow an attacker to crash the component or leak application memory content.

NOTE: Siemens announced this vulnerability in a tweet last Friday.

Delta Electronics Advisory


This advisory describes two vulnerabilities in the Delta Electronics WPLSoft, ISPSoft, and PMSoft software applications. The vulnerabilities were separately reported by axt and Ariele Caltabiano via the Zero Day Initiative. Delta Electronics has produced new software versions to mitigate these vulnerabilities. There is no indication that either researcher was provided an opportunity to verify the efficacy of the fix.

The reported vulnerabilities are:

• Heap-based buffer overflow - CVE-2016-5805; and
• Out-of-bounds write - CVE-2016-5802

ICS-CERT reports that a social engineering attack is required to exploit these vulnerabilities. A successful exploit could allow an attacker to execute arbitrary code.

Moxa Advisory


This advisory describes two vulnerabilities in the Moxa DACenter application. The vulnerabilities were reported by Zhou Yu. Moxa has produced a patch to mitigate the vulnerabilities. ICS-CERT reports that Yu has verified the efficacy of the fix.

The reported vulnerabilities are:

• Resource exhaustion - CVE-2016-9354; and
• Unquoted search path - CVE-2016-9356

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to effect a denial of service attack or allow an authorized but nonprivileged local user to execute arbitrary code with privileges on the system.

Visonic Advisory


This advisory describes two vulnerabilities in the Visonic PowerLink2 module. The vulnerabilities were reported by Aditya K. Sood. Visonic has produced an updated version to mitigate the vulnerabilities. There is no indication that Sood has been provided an opportunity to verify the efficacy of the fix.

The reported vulnerabilities are:

• Information exposure - CVE-2016-5813; and
• Cross-site scripting - CVE-2016-5811

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerabilities to download images from the server.

Electric Grid Security Strategy

ICS-CERT published a fact sheet about and a link to a new US-Canada electric grid security strategy document. The strategy focuses on three goals:

• Protect today’s electric grid and enhance preparedness;
• Manage contingencies and enhance response and recovery efforts; and
• Build a more secure and resilient future electric grid.

As one would expect, the actual strategy document is a high-level political document with very little technical information. It is important, however, in that it reflects the reality of the fact that the electric grid of these two countries is interconnected and that adequate protection of that interconnected grid is going to take coordinated efforts from both parties.


As in any strategy, the tactics used to implement that strategy may be as important as the strategy itself. It will be interesting to see if any similar tactical documents are publicly released.

Monday, December 12, 2016

Senate Completes Final Formal Session of 114th Congress

On Friday, the Senate conducted their final formal session of the 114th Congress. There will be a number of proforma sessions conducted between today and January 3rd, but no business will be conducted during those sessions. In Friday’s session the Senate passed a number of bills in addition to the continuing resolution that I briefly reported upon Saturday. Of those bills two may be of specific interest to readers of this blog:


S 546 was sent to the President for signature as the Senate accepted the House amendment to the bill. As predicted the bill was considered under the Senate’s unanimous consent process with no debate or vote.

The future of HR 710 is less clear as the Senate amended HR 710 (also under the unanimous consent process). This was not the amendment that was included in the report from the Senate Commerce, Science and Transportation Committee that I described in May, but new substitute language (pg S7078) introduced on Friday. The general intent and process outlined in the House version of the bill was essentially included in the new language, but numerous details were changed.


The House is scheduled to meet in proforma session today. Unlike the Senate, the House rules do allow for the House to complete actual business in a proforma session, but it does require some serious coordination between the Republican and Democratic leadership. The House originally passed the bill under suspension of the rules by a voice vote, so there was no substantial objection to the bill. That makes this bill one that could potentially be considered in a proforma session, especially since the bill only requires a study and some reports to Congress and spends no new monies.