Thursday, August 17, 2017

NHTSA Sends Automated Vehicle Guidance to OMB

Yesterday the DOT’s National Highway Transportation Safety Administration (NHTSA) sent their Voluntary Guidance on Automated Driving Systems document to the OMB’s Office of Information and Regulatory Affairs (OIRA) for review. Guidance documents are not normally described in the Unified Agenda, so there is no public indication about what DOT will be including in this guidance document.


NHTSA hosted a series of public discussions on the topic last year. They also published an automated vehicles technology guidance document and a vehicle-to-vehicle notice of proposed rulemaking (NPRM) last year. The latter document did include cybersecurity requirements.

Wednesday, August 16, 2017

Make America Secure and Prosperous Appropriations Act, 2018

The House Rules Committee announced today that it is working on a massive, multi-department spending bill to be considered when the House returns from summer recess. It is a move to cut short the spending process so that there may be a chance to pass a government spending bill before the September 30th deadline. The Rules Committee is calling for submission of amendments by 10:00 am on August 25th.

The combined bill is a complete re-write of HR 3354, the Department of the Interior, Environment, and Related Agencies Appropriations Act, 2018. The draft language incorporates most of the language from that bill and:

• HR 3268 – Agriculture, Rural Development, Food and Drug Administration, and Related Agencies Appropriations Act, 2018;
• HR 3267 – Commerce, Justice, Science, and Related Agencies Appropriations Act, 2018;
• HR 3280 – Financial Services and General Government Appropriations Act, 2018;
• HR 3355 – Department of Homeland Security Appropriations Act, 2018;
• HR 3358 – Departments of Labor, Health and Human Services, and Education, and Related Agencies Appropriations Act, 2018;
• HR 3362 – Department of State, Foreign Operations, and Related Programs Appropriations Act, 2018; and
• HR 3353 – Transportation, Housing and Urban Development, and Related Agencies Appropriations Act, 2018.

The House has already passed a combined spending bill for the other four spending bills not covered above. That bill, HR 3219, included the following spending bills:

• The Department of Defense Appropriations Act, 2018;
• The Legislative Branch Appropriations Act, 2018;
• The Military Construction, Veterans Affairs, and Related Agencies Appropriations Act, 2018; and
• The Energy and Water Development and Related Agencies Appropriations Act, 2018.


Combining eight spending bills into one big package could greatly reduce the amount of time required on the floor of the House for debate. I expect the Rules Committee would come up with a structured rule, with a few hundred floor amendments. The bill would almost certainly be passed in the House in a single week. The big question is whether or not the Senate would be allowed to take up the giant bill. Depending on what riders make it into the House passed version, I could almost expect to see an unusual amalgam of liberals and conservatives combining to block the moderate majority from considering and passing the bill.

ICS-CERT Publishes Two Advisories

Yesterday the DHS ICS-CERT published a medical device security advisory for products from BMC Medical and 3B Medical (one advisory). They also published a control system security advisory for products from Advantech.

BMC Medical Advisory


This advisory describes an improper input validation vulnerability in the Luna continuous positive airway pressure (CPAP) therapy machine produced jointly by BMC Medical and 3B Medical. The vulnerability was reported by MedSec. Newer versions (after July 2017) have had the problem corrected; ICS-CERT reports that the companies do not plan on providing mitigation measures for ‘older’ (before July 2017) machines.

ICS-CERT reports that a relatively low skilled attacker with adjacent network access could exploit the vulnerability to cause a crash of the device’s Wi-Fi module resulting in a denial-of-service condition affecting the Wi-Fi module chipset. This does not affect the device’s ability to deliver therapy.

NOTE: Buyers of CPAP devices should take careful note of the lack of post-production cybersecurity support demonstrated for this brand of devices.

Advantech Advisory


This advisory describes a heap-based buffer overflow vulnerability in the Advantech WebOP operator panels. The vulnerability was reported by Ariele Caltabiano (kimiya) via the Zero Day Initiative. ICS-CERT reports that Advantech was unable to verify the validity of this vulnerability. (NOTE: this obviously means that no mitigation measures appear to be forthcoming.)

ICS-CERT reports that a relatively low skilled attacker with uncharacterized access could use publicly available exploits to exploit this vulnerability to cause the target device to crash and may allow arbitrary code execution.


NOTE: There are a large number of ‘pending’ vulnerability reports on Advantech products currently listed on the ZDI web site.

Tuesday, August 15, 2017

ISCD Updates CFATS Knowledge Center

Today the DHS Infrastructure Security Compliance Division (ISCD) updated the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center by adding a link to a new CFATS fact sheet for colleges and universities and revising four frequently asked questions (FAQ) (according to the ‘Latest News’ blurb posted today on the Knowledge Center).

Colleges and Universities


The Colleges and Universities brochure is an update of a tri-fold brochure that was originally published in December 2010. The new brochure provides a brief overview of the CFATS program including a very brief description of the Top Screen reporting requirements. The new version contains more detail and provides a number of important links to CFATS documents.

The one major shortcoming of the brochure is that, while it briefly describes chemicals of interest (COI) categories and explains that the list can be found in ‘Appendix A of the CFATS regulation’, there is no link to the list of COI that is provided on the CFATS landing page, nor are the CFATS regulations actually cited (6 CFR 27).

New FAQs


The four ‘revised’ FAQs are:

The revised #1274 removes the mailing address [Infrastructure Security Compliance Division, Office of Infrastructure Protection, ATTN: CSAT, Department of Homeland Security, Building 5300, MS 6282, PO Box 2008, Oak Ridge, TN 37831-6282] and the messenger service delivery address [Infrastructure Security Compliance Division, Office of Infrastructure Protection, ATTN: CSAT, Department of Homeland Security, Building 5300, MS 6282, 1 Bethel Valley Road, Oak Ridge, TN 37831-6282] from the modes of contact for the CFATS Help Desk. I have no idea whether or not those old addresses are still good; but if they are, ISCD does not apparently want them used.

The revised #1288 adds regulatory references [§27.203(b) and §27.204(a)(2)] for the answer and a link to just the first reference. I have provided the link to the second.

FAQ #1606 is actually a new FAQ number, but the question and answer are very similar to an older FAQ (#1662) which is no longer on the current FAQ list (.PDF download). The new FAQ does not include any information (which was included in #1662) about a requirement to be CVI (Chemical-terrorism Vulnerability Information – the protocol for protecting the sensitive but unclassified information associated with the CFATS program) trained to be able to view/download the letter. Nor does the new FAQ mention that Adobe Reader will be necessary to open the letter. NOTE: #1662 was still on the current FAQ list as of 8-4-17, the last time changes were made to the FAQ list.


FAQ #1785 is also a new FAQ number. There was an earlier article on the CFATS Knowledge Center (#1610) that addressed some of this information, but that article was prepared in 2010 and included copious descriptions of the old tiering process that was supplanted by CSAT 2.0 and the new Risk Assessment process. That article was removed sometime in early April of this year. The new FAQ very briefly mentions the tiering process and notes that facilities will be notified via the Chemical Security Assessment Tool (CSAT) that a tiering notification letter is available. It then briefly describes how to access that notification letter; and this time that discussion does include a mention of the CVI training requirements.

HR 3401 Introduced – Automated vehicles

Last month Rep. Schakowsky (D,IL) introduced HR 3401, a bill that would require the DOT’s National Highway Transportation Safety Administration (NHTSA) to establish new automotive safety standards for highly automated vehicles. This bill was introduced the same day that the House Energy and Commerce Committee amended HR 3388 to do the same thing.

This bill is nearly identical to Section 4 of the revised HR 3388 adopted by the Committee. There is one area where the paragraph numbering is slightly different, but there are no substantive differences between the requirements. It would amend 49 USC by adding a new §30129, Updated or new motor vehicle safety standards for highly automated vehicles.

It would require DOT to “issue a final rule requiring the submission of safety assessment certifications regarding how safety is being addressed by each entity developing a highly automated vehicle or an automated driving system” {new §30129(a)(1)}.

It would also require DOT to submit to Congress a regulatory and safety priority plan designed to accommodate the development and deployment of highly automated vehicles while ensuring “the safety and security of highly automated vehicles and motor vehicles and others that will share the roads with highly automated vehicles” {new §30129(c)(1)}. That plan would include a requirement for NHTSA to “identify elements that may require performance standards including human machine interface and sensors and actuators, and consider process and procedure standards for software and cybersecurity as necessary” {new §30129(c)(2)(B)}.

Moving Forward


Ms. Schakowsky is the ranking member of the Digital Commerce and Consumer Protection Subcommittee of the House Energy and Commerce Committee. Normally this would probably allow her to have this bill considered in Committee. In this case, however, because this bill was introduced the same day that HR 3388 was, it seems as if the bill was introduced as a backup measure to ensure that the safety standards provisions of this bill could end up being considered separately from the remainder of the provisions of the larger bill if that bill was determined to be too controversial to be considered on the floor of the House.

I suspect that this bill will not see any further action until the House Leadership determines whether or not HR 3388 will make it to the floor. If it does not, this bill will likely be moved to the floor for a vote without going through a separate review by the Committee.

Commentary


I did not mention the cybersecurity requirements described above in my discussion of HR 3388 because they were duplicative of the requirements that I described but were not as expansive as the cybersecurity requirements in §5 of HR 3388.


What is important (and unusual from a cybersecurity perspective) here is that both bills would require the establishment of safety standards for HMI, sensors and actuators. Neither bill includes any guidance on what those standards would include, but that would normally be expected to be developed by the technical experts at NHTSA. This would end up being where the Federal government took its first crack at developing safety (and perhaps specific cybersecurity) standards for key components that are (almost by definition) the critical components of control systems. Those standards could end up being ground-breaking regulatory standards for the ICS industry.

Monday, August 14, 2017

OMB Approves PHMSA Shipping Papers ICR Revision

Last Friday the OMB’s Office of Information and Regulatory Affairs approved the Pipeline and Hazardous Materials Safety Administration’s (PHMSA) information collection request (ICR) revision supporting requirements for hazardous material shipping papers and emergency response information. This ICR was filed in support of the most recent international harmonization of PHMSA hazardous material shipping regulations.

According to the abstract included in the recent notice, the ICR made the following changes to the ICR burden:

“This rulemaking reduced the burden to shippers by removing the requirement to provide a lithium battery handling document when shipping smaller lithium cells and batteries. While the rulemaking decreased the burden overall, the requirement that shippers communicate prototype or low production run battery shipments on a shipping paper resulted in an increase. The rulemaking also added new marine pollutant entries in Appendix B of § 172.101.”

While OIRA did not require any changes to the approved ICR, they did put PHMSA on notice about additional requirements that would be necessary for the next renewal of this ICR next spring. They noted that:

If PHMSA has not published a regulatory notice in the Federal Register seeking public comment on paperless hazard communication by the time PHMSA must publish a 60 day notice to extend OMB approval of this collection, PHMSA should include at least the following information in the 60 and 30 day notices for extending approval of this collection, in addition to the standard information required by the PRA:

• Identification and explanation of any technical and other barriers to paperless hazard communication by mode and environment (e.g., rural, urban) if applicable, and requests for public comment on ways to address those barriers;
• Identification and explanation of any safety problems associated with paperless hazard communication that are not present with paper-based hazard communication;
• Identification of safety, business and any other benefits associated with paperless hazard communication, by mode if possible; and
• At least rough estimates of the potential burden and cost reduction from fully allowing paperless hazard communication, by mode if possible, the methodology/inputs for the estimates, and request public comment on those estimates.

PHMSA will probably have to publish the 60-day ICR notice in the next couple of months to be able to get the comment period and time to review the responses before it becomes necessary to publish the 30-day notice before April 30th, 2018.

Commentary


This is not the first time that the Trump Administration’s OIRA has provided instructions to regulators to proactively move to electronic submission of information. This continues a regulatory theme that we have been seeing for the last couple of administrations. Not only will the electronic data collection reduce the data handling costs for the government, but it should provide at least some time burden reduction for industry.

As with my earlier post this morning, I do have some concerns about the cybersecurity protections for the data exchange process. If the data is submitted via email (a not very effective form of electronic data submission), this would provide a large number of emails (with attachments) from probably unauthenticated and unknown senders; a very sure method of increasing the general attack surface at PHMSA.

If, on the other hand, the data is directly provided to the database via a public web page, the security of that data can be subverted if the cybersecurity of the database (and the submission page) has not been properly implemented. More importantly, the cybersecurity protections need to be included in the design of the application and periodically reviewed and updated. This is an additional cost associated with electronic data submission that appears to be at least somewhat overlooked in the discussion of paperless government innovations.

EPA Sends Hazwaste Electronic Manifest Final Rule to OMB

On Saturday, the Environmental Protection Agency sent the final rule for the implementation of the Hazardous Waste Electronic Manifest rule to the OMB’s Office of Information and Regulatory Affairs (OIRA) for approval. This rule implements the fee setting and implementation date requirements of the Hazardous Waste Electronic Manifest Establishment Act (PL 112-195).

Commentary


With the Trump Administration’s concern about the ‘cost of regulation’ and how it affects business, it will be interesting to see how this final rule is being implemented. The congressional requirements for establishing the fund {42 USC 6939g(c)} are fairly comprehensive, leaving little room for fee reductions. There were no small business exceptions provided for in the authorizing legislation.


Since the authorizing legislation was written in 2012, there are no specific provisions requiring any cybersecurity protections of the E-Manifest system. Cybersecurity just was not on the Congressional radar at that point. It will be interesting to see if there are any attempts by the EPA to address such issues in this regulation.

Saturday, August 12, 2017

CG Publishes CSF Profile Document for Passenger Operations

Earlier this week the Coast Guard published on their Home Port web page (https://homeport.uscg.mil > Cybersecurity > Cyber News > Passenger Operations Cybersecurity Framework Profile Review; sorry the CG does not use links on its HomePort) a new cybersecurity guidance document and requested public comments on the document. The new document is the “Content Preview of the Passenger Operations Cybersecurity Framework Profile”. The Coast Guard’s blog did provide a real link to the document.

The Profile


This document is an attempt by the CG to help affected organizations (US passenger vessel operations) implement the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF). According to the CG’s blog:

“A profile implements the NIST Cybersecurity Framework, which was developed in 2014 to address and manage cybersecurity risk in a cost-effective way based on business needs and without placing additional regulatory requirements on businesses. The profile is how organizations align the Framework’s cybersecurity activities, outcomes, and informative references to organizational business requirements, risk tolerances, and resource allocations.”

The Profile is a .PDF document that first provides a list of 13 passenger vessel mission objectives with a brief description of each. These objectives include:

• Maintain human safety;
• Maintain marine safety and resilience;
• Maintain environmental safety;
• Maintain guest support and basic hotel services;
• Maintain regulatory compliance;
• Assure secure communications by function and mode;
• Optimize guest experience and value;
• Maintain supply chain and turnaround;
• Disembarking, embarking, and turnaround;
• Coordinate port operations;
• Assure (optimize) lifecycle asset management;
• Maintain passenger information and accounting systems; and
• Manage, monitor and maintain non-guest-facing office technology

The Profile then provides a CSF matrix showing each of the functions, categories and subcategories listed in the CSF with a listing for each of the 13 mission objectives listed above; categorizing them as either ‘High Priority’, ‘Moderate Priority’ or ‘Other Implemented Categories’. It is interesting that they do not use the pejorative term ‘Low Priority’ in the categorization.

Public Comments


The Coast Guard is asking for public comments on the Profile. They have provided a comment submission form (download .XLS) very similar to the format used by NIST to request comments during the development of the CSF. Comments can be emailed to HQS-SMB-CG-FAC-CYBER@uscg.mil. Comments should be submitted by September 7th, 2017.

Commentary


I really do like the general format of this Profile document. The mission statement provides a general overview of what the affected organizations are supposed to be attempting to accomplish in the operations. Tying that back into the CSF matrix with a prioritization scheme provides a workable management tool for implementation of the CSF.

There are two specific areas where ‘process control systems’ (a very interesting substitute for the term ‘industrial control systems’ that I would typically use) are prominently discussed in the Mission Objective portion of the Profile. First in the description of ‘Maintaining Human Safety’ it starts: “Recognizing cybersecurity-effects on process control systems that impact personnel safety.” Similarly, in ‘Maintain environmental safety’ it addresses cybersecurity effects “on process control systems that impact environmental safety”. Additionally, there are at least two other mission objectives that include mention of “manage support systems security”, a clear reference to various process control systems.

I am more than a little surprised at the prioritization of these ‘process control systems’ in many areas of the CSF implementation matrix, but that may be more of a reflection on my lack of familiarity with passenger vessel operations than anything else. I was pleased, however, to see both the human safety and environmental safety objectives receive ‘high profile’ rankings under two of the Risk Assessment subcategories:

• ID.RA-3: Threats, both internal and external, are identified and documented; and
• ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.

Unfortunately, that pleasure was more than offset by the ‘other’ ranking across the board for “ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources” in the same Risk Assessment Category. That hardly supports the ‘high profile’ rankings noted above.


I really do recommend that everyone with an interest in maritime safety (not just passenger vessels) take a good look at this 16-page document. It provides an interesting perspective on CSF implementation in an often-overlooked area of operations. Likewise, the control system security community (particularly those with maritime experience) should also give the document a good review. The Coast Guard deserves a wide variety in the thoughtful comments it receives on this Profile.

NIST Cybersecurity Workforce RFI Comments – 08-05-17

This is part of a continuing series of blog posts looking at the comments that NIST has received on their request for information (RFI) on cyber workforce development. The comments are posted to the NIST National Initiative for Cybersecurity Education (NICE) web site. The earlier posts in the series were:


This week there were only four new submissions posted to the NIST web site. Those were from:


AT&T pointed at a report that it had helped prepare for the Federal Communications Commission on cybersecurity workforce development in the communications sector.

The comments from Southern Utah University pointed at the course outline for their Masters program in Cybersecurity & Information Assurance. They also emphasized the need for academia and industry to cooperate in providing internship/apprenticeship opportunities for students or early career professionals.

The UI LABS – DMDII comments outline work that organization has done looking at the DFARS cybersecurity requirements for DOD contractors. They note that their research points to the problems that many of those contractors are having complying with the 109 cybersecurity requirements outlined in NIST 800-171.


UMass Lowell describes the certification program they have developed for implementation of the NIST Cybersecurity Framework.

Bills Introduced – 08-11-17

Both the House and Senate met in pro forma session yesterday and there were 5 bills introduced. None of those bills were of specific interest to readers of this blog.

The reason that I am making this post today is to bring attention to a little known process in the House; during these pro forma sessions, it is possible to pass legislation. Yesterday two bills were passed, HR 2288 and HR 339. Both of these bills had previously passed in the House, but were amended in the Senate. For whatever reason, the House Leadership determined that it was necessary to pass the bills now while the vast majority of House members were back in their district.

Rep. Comstock (R,VA) asked for unanimous consent for both bills to be considered under the unanimous consent process (a single Nay sounded in the chamber would have killed either bill). The amended versions of both bills were adopted without any objection from the unnamed Democrat that was probably the only other elected representative {besides the presiding acting Speaker Pro Tempore, Rep. Perry (R,PA)} on the floor of the House chamber.


Now there is nothing untoward or sneaky about Friday’s proceeding. Both bills originally passed with overwhelming support (unanimous vote for HR 2288 and a voice vote for HR 339) in the House and by unanimous consent in the Senate. But it does remind us that even in the dead days of summer in the Capitol, legislative action is possible.

Friday, August 11, 2017

ICS-CERT Publishes 5 Advisories

Yesterday the DHS ICS-CERT published five control system security advisories for products from ABB, Fuji Electric, Solar Controls (2), and SIMPlight.

ABB Advisory


This advisory describes a relative path traversal vulnerability in the ABB SREA-01 and SREA-50 remote monitoring tools. The vulnerability was reported by Bertin Jose and Fernandez Ezequiel. HMS Industrial Networks Ab provided a patch to correct the issue, but ABB has only tested it on the SREA-01. These are unsupported legacy products. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could use publicly available exploits to remotely exploit the vulnerability to access files on the affected products’ file systems, view data, change configuration, retrieve password hash codes, and potentially insert and send commands to connected devices without authorization.

NOTE: ABB reports that exploit code was published on github by the researchers.

Fuji Advisory


This advisory describes multiple vulnerabilities in the Fuji Monitouch V-SFT screen configuration software. The vulnerabilities were reported by Fritz Sands and kimiya via the Zero Day Initiative. Fuji has released a new version to mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2017-9659;
• Heap-based buffer overflow - CVE-2017-9660; and
• Improper privilege management - CVE-2017-9662

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerabilities to allow remote code execution or cause the software that the attacker is accessing to crash. The improper privilege management vulnerability could allow an attacker with local access to escalate privileges.

WATTConfig Advisory


This advisory describes an uncontrolled search path element vulnerability in the Solar Controls WATTConfig M Software. The vulnerability was reported by Karn Ganeshen. ICS-CERT reports that Solar Controls has not responded to requests to coordinate with NCCIC/ICS-CERT.

ICS-CERT reports that a relatively low skilled attacker with uncharacterized access could exploit the vulnerability to allow arbitrary code execution.

HCDownloader Advisory


This advisory describes an uncontrolled search path element vulnerability in the Solar Controls Heating Control Downloader (HCDownloader). The vulnerability was reported by Karn Ganeshen. ICS-CERT reports that Solar Controls has not responded to requests to coordinate with NCCIC/ICS-CERT.

ICS-CERT reports that a relatively low skilled attacker with uncharacterized access could exploit the vulnerability to allow arbitrary code execution.

SIMPlight Advisory


This advisory describes an uncontrolled search path element vulnerability in the SIMPlight SCADA Software. The vulnerability was reported by Karn Ganeshen. ICS-CERT reports that Solar Controls has not responded to requests to coordinate with NCCIC/ICS-CERT.


ICS-CERT reports that a relatively low skilled attacker with uncharacterized access could exploit the vulnerability to allow arbitrary code execution.

Thursday, August 10, 2017

Linking Safety and Security

Joe Weiss has an interesting blog post, Why SOCs are not comprehensive enough for ICS cyber security, over on ControlGlobal.com. At first glance, it is a re-working of a common complaint of Joe’s, the inability to initially differentiate between control system errors and cyber-attacks; a very important problem in process industries. But Joe points out a very real need to coordinate safety, physical security and cybersecurity activities in the process environment. And that is worth serious discussion.

Joe and I have talked about this on more than a couple of occasions. We both got into the cybersecurity world via the process side of operations; Joe in nuclear power plant engineering and me as a manufacturing process chemist. For both of us, process safety was an important consideration in everything we did.

Safety Reviews


A key tool that we both have used (with a variety of names) is the process hazard analysis, or PHA. In the chemical industry, this is a step-by-step analysis of the chemical manufacturing process, conducted one manufacturing step at a time, to identify all of the things that can go wrong.

While techniques vary, each step of the process is looked at. A team of individuals (representing the various areas of expertise involved in a modern manufacturing environment) looks at each process variable (temperature, mixing, pressure, ingredient addition, etc.) to determine what would happen if the variable were changed. If the consequence raises a safety issue, the potential causes of the non-standard situation are identified and compensating controls are identified to prevent the non-standard occurrence. As the potential consequences get worse, the team is required to identify more mitigation measures.

One of the variables that is always included in these reviews is operator error. When there is an extensive process history available (these PHAs are periodically re-done, even if no changes are made to the process), then each of the operator errors that have occurred in the past is specifically included when the appropriate portion of the process is reviewed. Otherwise, the team (which always includes at least one operator and an operations supervisor) looks at what types of operator errors might be expected to be made.

The one operator error that is almost never included is a deliberate attempt by the operator to sabotage the process. This is because it is almost impossible to mitigate this type of ‘operator error’. The only effective mitigation is the implementation of a two-man rule where an operation can only be triggered by operating two physically separated controls nearly simultaneously. This is very expensive (both in engineering and manpower) and is used in only the most extreme situations.

An item that is always included in the list of things that can go wrong is the failure of a piece of process equipment. Pumps, valves, sensors and actuators can all fail, and Father Murphy is well known by all process professionals. Common mitigation measures include routine calibration, inspection and scheduled preventative maintenance of process equipment. In situations where equipment failure has the most extreme consequences, a common technique is to have parallel processing capability installed so that the failed piece of equipment can be bypassed automatically or by simple operator action. Where critical sensors are a concern, multiple independent sensors are installed and allowable output variations are established.

Security Reviews


Industry has been slower to conduct formal physical security reviews of their facilities. Until 9-11, most such reviews (nuclear power generation facilities excepted) were primarily directed at inventory shrink more than preventing attacks on the facility. Since 9-11 that has changed and there has been more attention paid to preventing terrorist attacks and stopping active shooter situations.

Most physical security reviews (there has not been the level of standardization of security reviews that we have seen with safety reviews) focus on identifying critical portions of the facility, positing what standard attack scenarios are expected, and then putting controls in place to deter, delay and detect such events. As in safety reviews, a physical security review increases the mitigation measures employed as the potential consequences (or the probability) of attack increase.

Formal cybersecurity reviews for the process industries are much less common and seem (from the limited data that I have seen) to focus on vulnerability management (patching) and access controls. We are just starting to see implementation of tools to actively monitor process controls to detect intrusions.

Linking Safety and Security


Safety and security have very similar purposes in the process industry, prevention of unintended consequences, particularly hurtful consequences. In very many ways they are two sides of the same coin. Safety protects against random system failures and security prevents system failures caused by deliberate actions. Understanding the potential consequences of any given system failure allows for prioritization of costs and efforts.

Security folks need to have representation on the PHA teams. Not so much for their contributions to safety (though that is an obvious benefit), but so that they can truly understand the critical portions of the process environment. If they understand what the key safety components of the control system are, they may be able to plan a more effective defense-in-depth that provides additional security against intrusion (or more quickly identifies intrusion) into those critical parts of the control system.

Likewise, safety people and process people need to be represented on the security reviews, both physical and cyber (if those are done separately). Their input will be necessary to understand how security measures will impact operations and safety. Planning for a police response to an active shooter incident at a facility handling flammable materials will require careful consideration of safety issues. Allowing for multiple (and contemporaneous) operator logon to controls systems may be necessary. These are just two of the possible operations and safety considerations that need to be accounted for in a security review.


Protecting facilities from incidents that impact operations or the local community is the goal of both safety and security managers. Close cooperation between the two and with the operations team is something that has to take place for all three teams to succeed in supporting a successful business.

Wednesday, August 9, 2017

HR 3435 Introduced – Crude Oil Vapor Pressure

Last month Rep. Lowey (D,NY) introduced HR 3435, a bill that would establish crude oil Reid Vapor pressure standards for the shipment of crude oil by rail. The bill is virtually identical to HR 2379 that was introduced in the 114th Congress. No action was taken on that earlier bill.

The bill would immediately establish a maximum Reid Vapor Pressure limit of 8.5 psi for all crude oil shipped by rail. The DOT would then be required to “establish an appropriate national standard for the maximum volatility of crude oil to be permitted to be shipped by rail” {new 49 USC 20169(b)}. No guidance is provided on what would constitute ‘an appropriate national standard’.

Moving Forward


Lowey is not a member of the House Transportation and Infrastructure Committee to which this bill was assigned for consideration, but her co-sponsor {Rep. Garamendi (D,CA)} is. This means that there is a remote chance that the bill could be brought up in Committee. It is highly unlikely that the bill will receive consideration due to oil industry opposition. Since the initial RVP standard set in this bill is the average value reported out of the Bakken oil fields, it would severely reduce oil shipments from those fields (the bill’s intention).

Commentary


The fact that this bill would rely on the Trump Administration to establish an ‘appropriate national standard’ without providing legislative guidance on that standard provides a clear indication that this is a pro forma introduction with no expectation that the bill will pass into law. Further, the introduction of the bill just before the summer recess (particularly when it is nothing more than a copy of a previously ignored bill) is a clear indication that Lowey and Garamendi produced the bill to ‘show’ their supporters that they are doing something about crude oil shipments.

As I have mentioned in an earlier post, the Reid Vapor Pressure test required by this bill has a number of technical problems associated with it. There is a good technical article that describes those problems and a more effective test for predicting the rapid rise in pressure due to fire impingement that has led to some of the overpressure situations seen in some Bakken crude oil train wrecks.


I would think that most transportation safety people would agree that some sort of reasonable limit on the vapor pressure of crude oil, particularly a standard related to the rate of pressure rise in a fire impingement situation, would help to reduce some of the incidents of explosive fires that we have seen in some crude oil train incidents. Having said that, the Reid Vapor Pressure testing required by this bill is totally inadequate to that task.

Tuesday, August 8, 2017

ICS-CERT Publishes Two Advisories

Today the DHS ICS-CERT published two control system security advisories for products from Moxa and OSIsoft. I mentioned the OSIsoft vulnerabilities in a blog post last month.

Moxa Advisory


This advisory describes an uncontrolled search path element vulnerability in the Moxa SoftNVR-IA Live Viewer. The vulnerability was reported by Karn Ganeshen. Moxa has developed an update to mitigate the vulnerability. There is no indication that Ganeshen was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerability to execute code from a malicious DLL on the affected system with the same privileges as the application that loaded the malicious DLL.

OSIsoft Advisory


This advisory describes two vulnerabilities in the OSIsoft PI Integrator. The vulnerabilities are self-reported. OSIsoft developed new versions of the software to mitigate the vulnerabilities.

The two reported vulnerabilities are:

• Cross-site scripting - CVE-2017-9655; and
• Improper authorization - CVE-2017-9653

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerabilities to gain privileged access to the system. An attacker may also be able to store a malicious script in the application database.

BTW: Siemens published a new advisory and updated two advisories yesterday (notification on TWITTER® here, here, and here). I had kind of expected ICS-CERT to report on these today. Maybe tomorrow….

Monday, August 7, 2017

S 1662 Introduced – FY 2018 CJS Spending

Last month, Sen. Shelby (R,AL) introduced S 1662, the Commerce, Justice, Science, and Related Agencies (CJS) Appropriations Act, 2018. The bill does not specifically mention cybersecurity, but there are a number of places in the Committee Report on the bill that address cybersecurity issues.

DOC Cybersecurity


Most of the Department of Commerce (DOC) cybersecurity funding is made through the National Institute of Standards and Technology (NIST). Thus, it is not surprising that all of the Committee cybersecurity comments are related to NIST. The Committee comments that:

• NIST cybersecurity spending remains constant and “NIST is encouraged to update and enhance the NIST Cybersecurity Framework” (pg 21);
• No less than $33,000,000 is provided for the expanded National Cybersecurity Center of Excellence (NCCoE); (pgs 21-2);
• NIST shall provide a detailed accounting for the NCCoE’s budget and activities in its fiscal year 2018 spend plan (pg 22); and
• The Committee provides up to $2,000,000 to develop an IoT cybersecurity research initiative; the initiative shall seek to improve security of IoT devices in consumer and industrial settings (pg 22).

DOJ Cybersecurity


The situation in the Department of Justice is quite a bit different, with a number of agencies having cybersecurity responsibilities. In general, “the Committee directs the Department to maintain its cybersecurity posture at no less than the fiscal year 2017 level to defend and respond to current and emerging attacks that threaten its own infrastructure and activities” (pg 60). Additionally, the Committee provided specific guidance:

• The Committee increased the spending for the United States Attorney’s Office (USAO) by $4.9 million above the requested amount;
• The increased spending will allow the USAO to “provide the high-caliber level of training on cybercrime and digital evidence needed for Assistant U.S. Attorneys to be able to analyze and present digital evidence across all types of criminal cases” (pg 69);
• After noting that the “FBI remains the only agency with the statutory authority, expertise, and ability to combine counterterrorism, counterintelligence, and criminal investigatory resources to neutralize, mitigate, and disrupt illegal domestic computer-supported operations” (pg 74), the Committee provided programmatic increases for cybersecurity activities throughout the FBI;
• The Committee provided $1 million “for the continuation of a Cybercrime and Digital Evidence Resource Prosecutor Pilot Program to provide State and local prosecutors with training and trial experience in cybercrimes and digital evidence” (pg 92); and
• The Committee provided $1 million “to establish a partnership with an institution for higher learning for the purposes of furthering educational opportunities for students training in computer forensics and digital investigation” (pg 92).

NSF Cybersecurity


The Committee continued funding for cybersecurity research at current levels. Additionally, they provided “no less than $55,000,000 for the CyberCorps: Scholarships for Service program” (pg 118). Of that money, $7.5 million was allotted for continued support of “community colleges that have been designated as a Center of Academic Excellence in Information Assurance 2–Year Education [CAE2Y]” (pg 119).

Moving Forward



As with the other spending bills, it is unlikely in the extreme that this bill will be specifically considered in the Senate. It looks like the two Appropriations Committees will be spending their time working out a continuing resolution and a subsequent combined spending bill. As a result, the money amounts mentioned above are very likely to change before the final spending bill is passed.

Energy and Commerce Amends and Passes HR 3388 – DECAL Act

Last month the House Energy and Commerce Committee amended and passed HR 3388, the Designating Each Car’s Automation Level (DECAL) Act, by a strongly bipartisan 54 to 0 vote. The adopted bill was a complete re-write of the original that had been little more than a truth in labeling bill that did not even mention cybersecurity. The new version of the bill establishes cybersecurity requirements for highly-automated vehicles as well as requiring DOT’s National Highway and Traffic Safety Administration to establish new safety standards for the same.

Cybersecurity Requirements


Section 5 of the bill would amend 49 USC by adding a new section, §30130; Cybersecurity of automated driving systems. The new section would require manufacturers to establish a cybersecurity plan for ‘highly automated vehicles’ [which “means a motor vehicle equipped with an automated driving system” {revised 49 USC 30102(a)(7)}, see §13(a) of the revised bill]. That plan would include {new §30130(a)}:

• A written cybersecurity policy with respect to the practices of the manufacturer for detecting and responding to cyber-attacks, unauthorized intrusions, and false and spurious messages or vehicle control commands;
• The identification of an officer or other individual of the manufacturer as the point of contact with responsibility for the management of cybersecurity;
• A process for limiting access to automated driving systems; and
• A process for employee training and supervision for implementation and maintenance of the policies and procedures required by this section, including controls on employee access to automated driving systems.

That ‘written cybersecurity policy’ would include {new §30130(a)(1)}:

• A process for identifying, assessing, and mitigating reasonably foreseeable vulnerabilities from cyber-attacks or unauthorized intrusions, including false and spurious messages and malicious vehicle control commands; and
• A process for taking preventive and corrective action to mitigate against vulnerabilities in a highly automated vehicle or a vehicle that performs partial driving automation, including incident response plans, intrusion detection and prevention systems that safeguard key controls, systems, and procedures through testing or monitoring, and updates to such process based on changed circumstances.

Moving Forward


The fact that this bill passed out of committee with unanimous support clearly indicates that the bill is prepared to move forward to the floor of the House for consideration. Typically, I would suggest that it would be considered under the suspension of the rules provision, allowing limited debate and no amendments. In this case, however, Committee members also submitted at least nine other bills on the same day that potentially (I have only seen the language on one of those) address additional cybersecurity requirements, so there may be some resistance to the bill being considered in such a cavalier fashion.

I suspect that the House leadership will come up with one of two solutions to this potential problem. The easiest (politically) would be for the Rules Committee to draft a structured rule that would allow the consideration of amendments based mainly on these other bills to be offered in a limited floor debate. This process, however, would take up substantial floor time, making it unlikely that the bill would be considered before October 1st. It also might result in some amendments being approved that are not supported by the leadership.

If there is substantial political support for moving this forward quickly (and that is unclear at this time), then an alternative scenario would be to include a carefully (read politically) selected number of the additional bills to also be considered under the suspension of the rules process and let their sponsors worry about whether there are enough votes to meet the supermajority requirements of that process.

Commentary


First, I would like to note that the bill completely separates the cybersecurity provisions of §5 from the privacy protection provisions of §12. This is very unusual in that Congress has a long history of equating cybersecurity and privacy protection. What is more interesting is that the privacy protection provisions do not include any mention of using the cybersecurity protections of vehicle systems to protect the privacy of information stored on or developed by those automated driving systems.

To my mind, there are two major cybersecurity shortcomings in this bill; the lack of information sharing provisions and the failure to address vulnerability reporting and coordination.

Given the automotive industry’s history of sharing components between vehicle lines of multiple manufacturers (most recently see the Takata air bag controversy) it would seem very likely that there will be instances where a cybersecurity vulnerability will occur in a device which is found in multiple vehicle lines. Failing to share that information between manufacturers will leave a large number of vehicles exposed to known vulnerabilities. While I would prefer to see NHTSA as the designated information sharing agency, there should be at least a requirement to share information with the Automotive ISAC.

Similarly, given the reality that most cybersecurity vulnerabilities seem to be found by independent security researchers or outside cybersecurity firms, there should be language in this bill providing for an agency to act as a receiver and coordinator of cybersecurity vulnerability information. Again, I would prefer to see NHTSA be given this role, but ICS-CERT would be an acceptable alternative (with information coordination requirements with NHTSA being specified). Using the Automotive ISAC would be a poor choice, since they are likely to take the manufacturers’ side in any dispute between researchers and vendors.

There is another cybersecurity related provision that I am surprised to see missing from this revised bill, a measure to address recall authority and recall mitigation measures for cybersecurity related problems with the highly automated vehicles. While the requirement for establishing a new safety standard for highly automated vehicles in §4 of the bill would provide general recall authority for cybersecurity related vulnerabilities under existing rules, it would not specifically authorize NHTSA to address cybersecurity vulnerabilities that have not actually resulted in problems in vehicle operations. It also would not provide NHTSA authority to require recalls for purely privacy related cybersecurity issues. To ease industry concerns about cybersecurity recalls, a specific provision allowing for remote updates of cyber systems as a cyber recall measure would need to be included in the bill.

Finally, the bill specifically excludes commercial vehicles from the requirements of the bill. There are significant and very advanced programs to automate commercial trucks. I understand that safety standards for those vehicles are separate from standard automotive safety standards. That means that coverage of those vehicles in this bill would probably be inappropriate from a regulatory standpoint, but I have seen no other attempt to regulate the cybersecurity of those heavier vehicles.

It will be interesting to see if any of these issues are addressed in the nine other bills pending publication by the GPO.


BTW: The revised language approved by the Committee will change the name of the bill from the DECAL Act to the Safely Ensuring Lives Future Deployment and Research in Vehicle Evolution (SELF DRIVE) Act. That will take effect when the Committee Report on the bill is published.

Saturday, August 5, 2017

NIST Cybersecurity Workforce RFI Comments – 08-05-17

This is part of a continuing series of blog posts looking at the comments that NIST has received on their request for information (RFI) on cyber workforce development. The comments are posted to the NIST National Initiative for Cybersecurity Education (NICE) web site. The earlier posts in the series were:


There were comments received from 76 different organizations this week, some with multiple submissions. There is no way that I am going to do even a cursory review of that many submissions; I will leave that to the professionals at NIST. Instead I’ll select some of the submissions and hit some high points; all perfectly arbitrary and non-random.

One very important point was made by Anna Johnston from the Information Systems Security Association (ISSA) in Colorado Springs, CO. She noted that: “Too many businesses are seeking to hire senior cyber personnel to do basic diagnostics, patching, etc., when those tasks can be done by more junior cyber-skilled people.” Everyone wants rock stars to be backup singers. Great if you can afford it, but expect high turnover.

The Automation Federation asks an interesting question; why isn’t cybersecurity included as a base fundamental skill in every part of our education system? They note: “Little attention is paid to the millions of workers in the middle, who are most likely the ones who need the most knowledge on how to perform their day to day tasks in a cyber secure manner.”

The California Governor’s Office of Emergency Services response addresses an often overlooked aspect of cybersecurity; emergency response. They note that California is attempting to develop a strategy “intended to strengthen cyber emergency preparedness and response, standardize implementation of data protection measures, enhance digital forensics and cyber investigative capabilities, deepen expertise among California's workforce of cybersecurity professionals, and expand cybersecurity awareness and public education”.

The Center for Long-Term Cybersecurity (CLTC) points out a long standing problem with government hiring of cybersecurity professionals; the “cumbersome security clearance processes that often cause applicants to lose interest in government jobs before their application process is completed, and security policies that can unnecessarily isolate employees from their social and professional networks”.

The Energy Sector Security Consortium, Inc. (EnergySec) makes two important points. First, the continuing disconnect between IT and OT cybersecurity, noting that:

“Although NICE has a workforce framework, it is not widely used in our industry to identify the security roles or job descriptions. The roles identified in the framework are mostly applicable to traditional Information Technology aspects of business vs. the Operational Technology (e.g. industrial control systems).”

Second, they note the very real need for entry-level jobs “to provide a bridge from the emerging academic programs to mid and senior levels positions”.

While the Security University’s response has a very odd organization, it does make a series of interesting points. Very importantly, they note:

“95% of cyber security professionals do not require a cybersecurity degree for a high wage in demand cyber job. They need qualified and validated skills learned from seasoned, skilled cybersecurity professionals with a practicum that demonstrates the student has learned a process and methodology that uses cybersecurity tools and understands enough of the risk policy to determine how to defend based on known threats in order to defend against unknown threats.”

Tenable makes an interesting observation in their response:

“However, our efforts to expand the human workforce will inevitably fall short of the insatiable demand for cyber talent, and we have to prepare for that. We need to have a complementary focus on technology and automation, enabling us to make the most of the human experts we have. Asymmetrically leveraging our cyber talent through the use of technology is the only path to success.”

The Coast Guard response also makes a very important point:


“Cybersecurity training and education must be agile in its planning, assessment, development and delivery cycle to adapt to the speed at which technology drives change and the need to adapt.”

ICS-CERT Publishes Eaton Alert

Yesterday the DHS ICS-CERT published a control system security alert for products from Eaton. The alert describes two buffer overflow vulnerabilities in Eaton ELCSoft, PLC programming software for Eaton Logic Control (ELC) controllers. The vulnerabilities were reported by Ariele Caltabiano (kimiya) via the Zero Day Initiative. ZDI has published advisories on these vulnerabilities (here and here) due to the lack of mitigation response from Eaton.

Friday, August 4, 2017

ISCD Publishes New CFATS FAQ

Today the DHS Infrastructure Security Compliance Division (ISCD) added a new frequently asked question (FAQ) to their Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. The new FAQ (#1784) and its associated response deal with whether or not amounts of a DHS chemical of interest (COI) in transportation packaging need to be included in the screening threshold quantity (STQ) calculations for a COI if that packaging is on or attached to motive power.

The simple answer is; it depends on the security issue associated with the particular COI. For release COI the answer is clearly, no. This is covered in 6 CFR 27.203(b)(1)(ii). But, §27.203(b) only applies to release COI. For theft/diversion COI, however, the answer is yes since §27.203(c) does not include provisions exempting COI in transportation packaging ‘on or attached to motive power’.


The FAQ response does include a reference to the preamble to the November 20, 2007 publication of the final rule establishing the CFATS program and Appendix A to 6 CFR Part 27. That reference refers back to the discussion of the calculation of the STQ for release chemicals. It is easy, however, to take that discussion out of context if one just looks at the paragraph at the bottom of page 65398, since that paragraph does not itself contain a specific reference to §27.203(b); that reference was included in the previous paragraph.

Senate Passes S 88 – DIGIT Act

Yesterday the Senate amended S 88, the Developing Innovation and Growing the Internet of Things (DIGIT) Act, and passed the bill under the unanimous consent process. There was no debate and only the one amendment (S 769, pgs S4889-90), substitute language offered by Sen. Wicker (R,MS). That amendment was also adopted under the unanimous consent process.

Changes in the Bill


The substitute language made three changes to the bill:

• In §3, removed the definition of ‘appropriate committees of Congress’ as the term was not used in the bill;
• In §4(c), added the Federal Energy Regulatory Commission to the list of federal agencies to be represented on the Federal Working Group; and
• In §4(f)(2), added a specific list of congressional committees to which the final report by the working group would be submitted.

Moving Forward


The bill now moves to the House for consideration. There is a companion bill in the House, HR 686. No action has been taken on that bill beyond referral to the House Energy and Commerce Committee for consideration. Unless someone with more influence in that Committee than Rep. Welch (D,VT) becomes a sponsor of the bill, it is very likely that both bills will languish in Committee in the House.

Commentary


There is another problem with this bill that I had not mentioned in my post about the introduction of the bill or in the post on HR 686. There is no definition of ‘Internet of Things’ in the bill. The problem here is that a working definition is going to have a major impact on the scope of the report required in this bill.

On one hand if we use the IoT definition found in HR 3010 [“the set of physical objects embedded with sensors or actuators and connected to a network” {§2(h)(1)}], we would almost certainly have to include most of the realm of industrial control system components in the Working Group’s study.


A more limited definition, “the interconnection via the Internet of computing devices embedded in everyday objects, enabling them to send and receive data”, would still have a rather broad impact, but would rule out control system components and medical devices, for instance. That would make this a much more manageable study.

Bills Introduced – 08-03-17

With just the Senate in session there were 34 bills introduced yesterday. Of those only one may be of specific interest to readers of this blog:

S 1755 A bill to amend title 18, United States Code, to prohibit unsafe operation of unmanned aircraft, and for other purposes. Sen. Whitehouse, Sheldon [D-RI]


It will be interesting to see if this legislation includes enhanced enforcement for unsafe operations over critical infrastructure.

Thursday, August 3, 2017

S 1655 Introduced – FY 2018 THUD Spending

Last month, Sen. Collins (R,ME) introduced S 1655, the Transportation, Housing and Urban Development, and Related Agencies (THUD) Appropriations Act, 2018. The bill does not include cybersecurity or chemical transportation safety language, but the Senate Appropriations Committee Report on the bill does include some language of potential interest to readers of this blog concerning UAS, autonomous vehicles and oil spill response plans.

UAS


The Committee briefly mentioned the electronic registration system that the FAA had established for registration of unmanned aircraft systems (UAS) in December of 2015. The comment explicitly ignores the recent court case which invalidated the portion of that registration that applied to recreational users of UAS. The report states (pgs 32-3):

“The Committee believes that online, interactive education program links on the electronic registration process would provide the education necessary to reduce the risk of unknowing or negligent mistakes by recreational operators of small unmanned aircraft thus promoting aviation safety. Therefore, the Committee directs the FAA to include in its electronic registration system for recreational operators a link for registrants to undergo a suitable and interactive online education and training program.”

The report comment goes on to provide additional direction to the FAA on executing that directive and requirements for reporting back to the Committee on the results. This is definitely in keeping with other legislative efforts (See S 1405 for example) that mandate the use of the current registration system for model aircraft operators. I expect that the FAA will be holding off on the de-registration of recreational UAS operators until it sees if/how Congress legislates on the matter during this session.

Autonomous Vehicles


The Committee reiterates its support for the Automated Vehicle program at the National Highway Traffic Safety Administration (NHTSA) to the tune of $10.1 million. It does express some concern about cybersecurity issues; stating (pg 63):

“The Committee remains concerned with cybersecurity in autonomous vehicles and urges the Department to continue to address this risk in the next update of the Federal Automated Vehicles Policy.”

Oil Spill Response Plans


The Committee takes the DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) to task for failing to issue a final rule modifying the current Oil Spill Response Plan (OSRP) requirements so that the threshold for requiring an OSRP would take into account the amount of oil in every car in a train consist instead of just the amount in any given car. This is an ongoing issue between the Committee and PHMSA. This year the report gets very specific, stating (pg 88):

“The Committee directs PHMSA to issue a final rule to expand the applicability of comprehensive oil spill response plans to rail carriers no later than 5 days after enactment of this act.”

The recently published Trump Administration update to the Unified Agenda reports that DOT expects to issue the final rule in December (and those UA expectations are almost always missed). It will be interesting to see how the anti-regulation Trump administration responds.

Moving Forward


It is increasingly looking like there will have to be a continuing resolution before October 1st as Congress is unlikely (VERY UNLIKELY) to pass the spending bills in regular order by that date. That means that we will almost certainly not see a standalone THUD spending bill make it to the President’s desk and certainly not this bill. Spending bills have to ‘originate’ in the House so the best this bill could have done is be passed in the Senate and then substituted for the language of the House bill when it reached the Senate. In a good year (and we have not seen one of those in a good while) the differences in the two bills would have been worked out in a conference committee before being approved by both houses and then sent to the President.

Commentary



Interestingly, the Appropriations Committee directives found in the Committee Report (which do not have the force of law, just the force of the purse) will essentially continue ‘in force’ when a spending bill covering THUD (and likely everything else) is signed by the President. DOT may ignore those directives and no court will say anything about it. However, at some point the Committee could get so upset at the Department that they specifically withhold funds in a spending bill until such time as the Department complies with the directives. We may be approaching that point with the OSRP directive, that is what the unrealistic ‘5 day’ response time was all about.

ICS-CERT Publishes 3 Advisories

Today the DHS ICS-CERT published two medical system advisories for products from Siemens and one control system advisory for products from Schneider Electric.

Molecular Imaging Advisory 1


This advisory describes two vulnerabilities in Siemens’ Molecular Imaging products running on Windows XP (an operating system Microsoft stopped supporting in April 2014). These vulnerabilities are apparently self-reported. Siemens is working on updates for these vulnerabilities and recommends disconnecting the devices from networks pending receipt of those updates.

The two reported vulnerabilities:

• Improper control of generation of code - CVE-2008-4250 (the MS08-067 Server service RPC vulnerability); and
• Improper restriction of operations within the bounds of a memory buffer - CVE-2017-7269 (the IIS 6.0 WebDAV buffer overflow)

ICS-CERT reports that an uncharacterized attacker could remotely exploit the vulnerabilities to execute arbitrary code.

Note: Neither the ICS-CERT advisory nor the Siemens security advisory reports that there are a number of publicly available exploits for the 2008 Windows RPC vulnerability (MS08-067), which was also the vulnerability exploited by the Conficker worm.

Molecular Imaging Advisory 2

This advisory describes multiple vulnerabilities in Siemens’ Molecular Imaging products running on Windows 7. These vulnerabilities were apparently self-reported. Siemens is working on updates for these vulnerabilities and recommends disconnecting the devices from networks pending receipt of those updates.

The reported vulnerabilities are:

• Improper control of generation of code (2) - CVE-2015-1635 (the MS15-034 HTTP.sys vulnerability) and CVE-2015-1497;
• Improper restriction of operations within the bounds of a memory buffer - CVE-2015-7860; and
• Permissions, privileges and access controls - CVE-2015-7861

ICS-CERT reports that an uncharacterized attacker could use publicly available exploits to remotely exploit the vulnerabilities and execute arbitrary code.

NOTE: Both of these advisories note that while disconnecting the devices from networks is a useful mitigation technique, the devices should be reconnected so that the updates can be remotely applied by Siemens. This is one important difference between medical device and control system advisories: an update affects only the device being updated, so remote updating is an effective option for most medical devices.

Schneider Advisory


This advisory describes an uncontrolled search path element vulnerability (on Windows, typically a DLL search-order hijacking issue) in the Schneider Pro-face GP-Pro EX. The vulnerability was reported by Karn Ganeshen. Schneider has developed an update that mitigates the vulnerability. There is no indication that Ganeshen was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that an uncharacterized attacker with uncharacterized access could use publicly available exploits to achieve arbitrary code execution. The Schneider security bulletin notes that physical access to the computer is required.
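The Python script below is an added illustration of the uncontrolled search path element class in general; it is not code from the Schneider bulletin, the ICS-CERT advisory or the researcher, and the page says nothing about which directories GP-Pro EX actually searches. It simulates the Windows DLL search order and reports which of a program's imported DLLs a local user could plant in a writable directory that the loader consults before the trusted copy. All paths, DLL names, ACL flags and the import list are constructed test data; the "hardened" order models a loader restricted with LoadLibraryEx flags LOAD_LIBRARY_SEARCH_APPLICATION_DIR | LOAD_LIBRARY_SEARCH_SYSTEM32 (or SetDefaultDllDirectories with LOAD_LIBRARY_SEARCH_DEFAULT_DIRS). It goes beyond this advisory in also covering the SafeDllSearchMode-off order and "phantom" DLLs that are imported but never shipped.

```python
"""Simulated Windows DLL search order, used to flag CWE-427
(uncontrolled search path element) exposure for a given executable.

Added example for this post; it is not code from ICS-CERT, Schneider
Electric or the researcher.  Directory contents, ACL flags and the
import list are constructed test data.  In a real audit `DIRS` would be
built from the file system, with `writable` derived from the directory
DACL (can a standard user create or replace files there?).
"""
from dataclasses import dataclass

SYSTEM32 = r"C:\Windows\System32"
SYSTEM_DIRS = [SYSTEM32, r"C:\Windows\System", r"C:\Windows"]


@dataclass
class Dir:
    dlls: frozenset = frozenset()   # lower-case DLL base names present
    writable: bool = False          # standard user can create/replace files


def default_search_order(app_dir, cwd, path_dirs, safe_search=True):
    """Directories LoadLibrary("name.dll") consults, in order.

    SafeDllSearchMode (on by default since XP SP2) places the current
    directory behind the system directories; with it off, the current
    directory is searched right after the application directory.
    """
    if safe_search:
        order = [app_dir, *SYSTEM_DIRS, cwd]
    else:
        order = [app_dir, cwd, *SYSTEM_DIRS]
    return order + list(path_dirs)


def hardened_search_order(app_dir):
    """Order after SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS)
    or LoadLibraryEx(..., LOAD_LIBRARY_SEARCH_APPLICATION_DIR |
    LOAD_LIBRARY_SEARCH_SYSTEM32): the CWD and PATH are never consulted."""
    return [app_dir, SYSTEM32]


def hijack_location(dll, order, dirs, known_dlls=frozenset()):
    """First directory an attacker could plant `dll` in that the loader
    reaches before a trusted copy, or None if the load is not exposed.
    Covers both planting ahead of a real DLL and "phantom" DLLs that are
    imported but never found anywhere."""
    dll = dll.lower()
    if dll in known_dlls:
        return None   # KnownDLLs are mapped from System32 regardless of search order
    for d in order:
        entry = dirs.get(d)
        if entry is None:
            continue      # directory does not exist; nothing to consult
        if entry.writable:
            return d      # attacker-controlled location reached first
        if dll in entry.dlls:
            return None   # trusted copy found before any writable location
    return None           # never found, but no writable directory was consulted


def audit(imports, order, dirs, known_dlls=frozenset()):
    """Map each imported DLL to its hijack location (None = not exposed)."""
    return {dll: hijack_location(dll, order, dirs, known_dlls) for dll in imports}


# ---- constructed test data (hypothetical paths and DLL names) -------------
APP_DIR = r"C:\Program Files\Vendor\HMI"
CWD = r"C:\Users\operator\Downloads"   # where the operator opened a project file
PATH_DIRS = [r"C:\Tools", SYSTEM32]    # C:\Tools was created with a permissive ACL

DIRS = {
    APP_DIR: Dir(dlls=frozenset({"vendor.dll"})),
    SYSTEM32: Dir(dlls=frozenset({"kernel32.dll", "version.dll"})),
    r"C:\Windows\System": Dir(),
    r"C:\Windows": Dir(),
    CWD: Dir(writable=True),
    r"C:\Tools": Dir(writable=True),
}
KNOWN_DLLS = frozenset({"kernel32.dll"})
IMPORTS = ["vendor.dll", "kernel32.dll", "version.dll", "missing.dll"]


if __name__ == "__main__":
    scenarios = [
        ("default (SafeDllSearchMode on)", default_search_order(APP_DIR, CWD, PATH_DIRS)),
        ("SafeDllSearchMode off", default_search_order(APP_DIR, CWD, PATH_DIRS, safe_search=False)),
        ("hardened loader flags", hardened_search_order(APP_DIR)),
    ]
    for label, order in scenarios:
        print(label)
        for dll, where in audit(IMPORTS, order, DIRS, KNOWN_DLLS).items():
            print(f"  {dll:14} -> {where or 'not exposed'}")
```

With the default order only the phantom import (missing.dll) is exposed, and only through the writable current directory; with SafeDllSearchMode off, version.dll becomes hijackable as well because the current directory is consulted before System32. With the hardened order nothing is exposed: the missing import simply fails to load, which is the behaviour a vendor fix for this class should produce.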

Commentary


I continue to be concerned with some delays in ICS-CERT’s publication of advisories. The Siemens advisories were both published a while back (July 17th and July 26th). While these are both medical devices (and really outside of the ICS-CERT mandate) and Siemens does a good job of publicly communicating its vulnerabilities, these vulnerabilities both had publicly available exploits. This makes prompt mitigation especially important, even when it is nothing more than disconnecting the device from networks pending updates.

I suppose that it really comes down to what the role of ICS-CERT is in communicating control system (and now medical device) vulnerabilities. If their role is simply reporting vulnerabilities reported to it by researchers and vendors, then delays such as these are vendor issues, not ICS-CERT issues.

Of course, if ICS-CERT is intended to be more of a cybersecurity resource for system owners than an information sharing tool for vendors, then ICS-CERT is going to have to be more proactive in monitoring major vendor public communications and the cybersecurity press for researcher reports of ICS vulnerabilities and mitigations.


To be fair, that will probably require more resources than are currently allocated for information sharing. And that resource allocation issue is not one that should (or probably can) be resolved at their level; it is something that Congress is probably going to have to address. As control system security continues to become a more important societal issue, Congress is going to have to address the issue of the existence and role of ICS-CERT. In other words, Congress should specifically authorize ICS-CERT and establish its actual role in the industrial cybersecurity realm.