Tuesday, June 27, 2017

ICS-CERT Published Newport Advisory

Today the DHS ICS-CERT published a control system security advisory for an improper authentication vulnerability in the Newport XPS-Cx and XPS-Qx controllers. The vulnerability was reported by Maxim Rupp. Newport will reportedly address this vulnerability in the next generation XPS-Dx controller.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to view and edit settings without authenticating by accessing a specific uniform resource locator (URL).

Commentary


It never ceases to amaze me when a company refuses to fix security issues in a current product, but expects customers to buy the next product that ‘will fix’ this problem. Why would anyone expect them to support that next product when a new vulnerability is found?

Of course, that assumes that their current (or future) customers will hear about this vulnerability. It was published in this advisory, but how many owners, ICS security managers, control system engineers, or integrators actually read these advisories (or are even aware that they exist)? Unless the company proactively forces notification to all of its current (and past) customers, there are going to be some number (high, medium or low %, who knows) that never get the word and remain vulnerable by default.

This is a problem that critical infrastructure security regulators are going to have to address. Cybersecurity plans must address the measures that covered facilities are going to take to identify known vulnerabilities in their systems so that they can do a proper risk assessment to identify the mitigation measures (if any) that the facility will take to address the known vulnerabilities.


This topic is not addressed in the Chemical Facility Anti-Terrorism Standards (CFATS) Risk-Based Performance Standards (RBPS) guidance document. We are still waiting on the Coast Guard cybersecurity guidance document. I am not sure if it is adequately addressed in the NERC regulations.

HR 2922 Introduced – PREPARE Act

Earlier this month Rep. Donovan (R,NY) introduced HR 2922, the Promoting Resilience and Efficiency in Preparing for Attacks and Responding to Emergencies (PREPARE) Act. The bill authorizes and modifies a number of DHS emergency planning, preparation and training programs.

Readers of this blog will probably be most interested in the following sections of the bill:

• §106. Allowable uses.
• §114. Port security grant program.
• §120. Cyber preparedness.
• §302. Medical Countermeasures Program.

Allowable Uses


Section 106 amends 6 USC 609, adding two new allowable uses of funds to a number of grant programs for States and high-risk urban areas. The two new uses are {new §609(a)(6) and (7)}:

Enhancing medical preparedness, medical surge capacity, and mass prophylaxis capabilities, including the development and maintenance of an initial pharmaceutical stockpile, including medical kits and diagnostics sufficient to protect first responders, their families, immediate victims, and vulnerable populations from a chemical or biological event;

Enhancing cybersecurity, including preparing for and responding to cybersecurity risks and incidents (as such terms are defined in section 227 [6 USC 148(1) and (3)]) and developing statewide cyber threat information analysis and dissemination activities;

Port Security Program


Section 114 authorizes the port security grant program under 46 USC 70107. The section would authorize $200 million per year for the grants through 2022.

Cyber preparedness


Section 120 amends 6 USC 124h, adding cybersecurity items to the support that DHS is required to provide to State, local and regional fusion centers. It requires DHS to provide fusion centers {new §124h(b)(10)}:

“…with expertise on Department resources and operations, including, in coordination with the national cybersecurity and communications integration center [(NCCIC)] under section 227 [6 USC 148], access to timely technical assistance, risk management support, and incident response capabilities with respect to cyber threat indicators, defensive measures, cybersecurity risks, and incidents (as such terms are defined in such section), which may include attribution, mitigation, and remediation, and the provision of information and recommendations on security and resilience, including implications of cybersecurity risks to equipment and technology related to the electoral process;”

It would also require the DHS NCCIC to review cybersecurity information developed by fusion centers and to incorporate that information (where appropriate) into NCCIC information shared with fusion centers and other government agencies. It also adds the NCCIC as a potential personnel resource for fusion centers.

Medical Countermeasures Program


Section 302 adds a new §528 to the Homeland Security Act of 2002 that would add a requirement for DHS to {new §528(a)}:

“… establish a medical countermeasures program to facilitate personnel readiness, and protection for the Department’s employees and working animals and individuals in the Department’s care and custody, in the event of a chemical, biological, radiological, nuclear, or explosives attack, naturally occurring disease outbreak, or pandemic, and to support Department mission continuity.”

Moving Forward


Donovan is the Chair of the Emergency Preparedness, Response, and Communications Subcommittee of the House Homeland Security Committee; one of the three committees to which this bill was referred for consideration. Neither Donovan nor his three cosponsors are members of the other two committees (Transportation and Infrastructure Committee and Energy and Commerce Committee). This bill will certainly be considered in the Homeland Security Committee in the near future.

The bill does not currently have any Democratic cosponsors. This would seem to indicate that there is some opposition to at least some of the current provisions (or missing provisions) of the bill. We will have to watch the markup of this bill to see how much bipartisan support there is for the bill. Bipartisan support is not really necessary in the House, but for the bill to make it to the floor of the Senate there cannot be serious Democratic opposition to the bill.

Commentary


The cybersecurity provisions of this bill all refer to 6 USC 148 with its IT-centric definitions of cybersecurity. Again, this would limit the grant programs and fusion center support provisions to information system security, ignoring potential risks to critical infrastructure from attacks on industrial control systems (ICS) or the energy systems in this country.

Fortunately, the bill does include some modifications to definitions in §148, so it could be possible to clear up the multiple areas where we see similar problems with ignoring the ICS cybersecurity threat. The definition of ‘information system’ could be changed from its current reference to 44 USC 3502(8) to 6 USC 1501(9).


The medical countermeasures program is certainly important to providing support to DHS. I am glad to see that it specifically includes language about chemical incidents instead of just biological and radiological incidents; just see my post about the use of Cyanokits in response to an acrylonitrile spill. It would be nice to see some language in this authorization bill requiring the managers of the program to coordinate with local agencies when such countermeasures are not required by the Department, but could provide support to communities.

Monday, June 26, 2017

Committee Hearings – Week of 6-25-17

This week with both the House and Senate in session, we are starting to see movement on spending bills, continued work on the National Defense Authorization Act (NDAA) and a couple of interesting markup hearings this week.

NDAA


As I mentioned last week the House Armed Services Committee started their work on HR 2810 in subcommittee markups. This week they will move to a full committee markup on Wednesday. The Senate bill has not been made public at this point.

Senate Armed Services Committee, 6-28-17 and 6-29-17 (maybe 6-30-17)

The HASC web site has a link to a brief (16 page) description of HR 2810. There is an interesting one paragraph blurb on cyber issues on page 11.

Spending Bills


The House Appropriations Committee starts public work on the FY 2018 spending bills this week, starting with markups of the individual spending bills by the appropriate subcommittee. We will be starting with the DOD spending bill (actually the Defense Construction and Veterans Affairs bill was marked up last week) and the Commerce, Justice and Science (CJS) bill this week. A committee draft of the DOD bill is available, but I have not had a chance to look at it.

DOD, House, subcommittee markup, 6-26-17
CJS, House, subcommittee markup, 6-29-17

Other Mark-up Hearings


On Wednesday the House Energy and Commerce Committee will be holding a mark-up hearing looking at a number of bills including HR 3050, the Enhancing State Energy Security Planning and Emergency Preparedness Act of 2017. I did not catch this bill when it was introduced on Friday because of the way it was described at Congress.gov. Seeing the title of the bill today got me to take a quick look at the available committee draft (the GPO version is not yet available) and it does have cybersecurity provisions (more later). I will be watching this bill.

On Thursday the Senate Commerce, Science, and Transportation Committee will be holding an executive session that will include the markup of S 1405, the FY 2018 FAA authorization bill. The GPO version is not yet available but the committee draft shows that a number of sections of the bill deal with unmanned aircraft systems (UAS) including a re-write of the model aircraft restrictions on the FAA regulatory authority. There is currently no mention of cybersecurity in the bill.

Saturday, June 24, 2017

Bills Introduced – 06-23-17

Yesterday with just the House still in Washington, there were 25 bills introduced. Of those, one may be of specific interest to readers of this blog:

HR 3033 To secure the technological edge of the United States in civil and military aviation. Rep. Knight, Stephen [R-CA-25]


This bill will only receive future mention here if it includes cybersecurity language.

HR 2810, NDAA – Cyber Subcommittee Markups

As I mentioned earlier this week the subcommittees of the House Armed Services Committee held a series of markup hearings looking at HR 2810, the FY 2018 National Defense Authorization Act (NDAA). The hearing of the Emerging Threats and Capabilities Subcommittee added Title XVI, Subtitle D – Cyber Related Matters, to the language of HR 2810.

Items in that subtitle include:

§1641—Notification Requirements for Sensitive Military Cyber Operations and Cyber Weapons
§1642—Modification to Quarterly Cyber Operations Briefings
§1643—Cyber Scholarship Program
§1644—Plan to Increase Cyber and Information Operations, Deterrence, and Defense

None of the above sections contains any language that specifically identifies or includes industrial control systems (ICS). There are, however, a series of definition changes identified in §1643 that eliminate ‘information technology’, ‘information security’ or ‘IT’ references by substituting ‘cyber’. No definition of the term ‘cyber’ is provided.

Those definitions would be found in 10 USC Chapter 112, Information Security Scholarship Program. There is nothing in the Subcommittee report that would specifically indicate that this was done to add ICS programs to the scholarship program, but that would seem to be the major practical consequence of this change.


The full Committee is scheduled to markup HR 2810 on Wednesday.

OMB Approves Two Final Rules for TSCA Update

Over the last two days the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved two final rules (here and here) submitted by the EPA supporting changes required by §6(b) and §8(a) of the Frank R. Lautenberg Chemical Safety for the 21st Century Act (PL 114-182). The EPA has sent copies of those two final rules (here and here) to the Office of the Federal Register for publication. Those rules are not scheduled for Monday publication, but they will almost certainly be published next week.

It is unclear how much of a re-write these rules are from the notices of proposed rulemaking (NPRMs) written by the Obama Administration (here and here) shortly before Trump’s inauguration. I did not review those NPRMs at the time because I was sure that there would either be new NPRMs published by the incoming administration or complete rewrites in the final rulemaking. Whether or not the rewrites here are legally justifiable will inevitably be determined by the courts.

I will not start commenting on these rules until they are published in the Federal Register. Other organizations have already started their commenting process (see for example here), but I prefer to wait because the formal publication allows me to link to specific paragraphs in the rule and preamble. This allows people to better understand what I am saying and check on my interpretations.


One point I will comment upon now: both rules will become effective upon publication. This is unusual, but it is a result of congressionally mandated reporting requirements that become effective upon publication. The EPA determined (rightly so in my opinion) that there was no regulatory purpose to be served by adding a 60-day or 90-day effective date when that would just cut into the 180-day reporting requirements in the bill. There is, of course, the possibility that there could be a court stay of the effective date, but that cannot change the mandated reporting schedule.

Friday, June 23, 2017

Bills Introduced – 6-22-17

Yesterday, with both the House and Senate in session there were 67 bills introduced. Of those, two may be of specific interest to readers of this blog:

HR 3010 To provide for the identification and documentation of best practices for cyber hygiene by the National Institute of Standards and Technology, and for other purposes. Rep. Eshoo, Anna G. [D-CA-18]

S 1405 A bill to amend title 49, United States Code, to authorize appropriations for the Federal Aviation Administration, and for other purposes. Sen. Thune, John [R-SD]

As readers of this blog would expect, HR 3010 will only receive further coverage here if it contains specific control system security language.

The FAA authorization act will be watched for cybersecurity provisions.

ICS-CERT Publishes Two Siemens Advisories

Yesterday the DHS ICS-CERT published two control system security advisories for two products from Siemens.

XHQ Advisory


This advisory describes an improper access control vulnerability in the Siemens XHQ operations intelligence product. The vulnerability was self-reported by Siemens. Siemens has developed a new version that mitigates the vulnerability.

ICS-CERT reports that a relatively low skilled attacker (who is an authorized user) could remotely exploit the vulnerability to gain read access to data in the XHQ solution exceeding his configured permission level.

SIMATIC CP 44x-1 Advisory


This advisory describes an improper authentication vulnerability in the Siemens SIMATIC CP 44x-1 Redundant Network Access (RNA) modules. The vulnerability was self-reported by Siemens. Siemens has released a firmware update to mitigate the vulnerability.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to perform administrative actions under certain conditions. The Siemens Security Advisory reports that the attacker must have network access to port 102/TCP of the affected device and the configuration data of the CP must be stored on the CPU.

Bills Introduced – 06-21-17

On Wednesday, with both the House and Senate in session, there were 47 bills introduced. Of those only one may be of specific interest:

HR 2975 To make certain improvements in the laws administered by the Secretary of Homeland Security relating to public transportation security, and for other purposes. Rep. Lipinski, Daniel [D-IL-3]


This bill will probably address chemical transportation issues (if at all) peripherally. It will only be covered in this blog if chemical transportation issues or cybersecurity issues are addressed.

ISCD Publishes Records Maintenance Guidance – RBPS 18

Yesterday the DHS Infrastructure Security Compliance Division (ISCD) added links to two documents on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center web site. The documents provide information to help CFATS covered facilities comply with Risk Based Performance Standard (RBPS) 18, Records. The documents are a records reporting template and a fact sheet providing information on the RBPS 18 requirements.

The fact sheet expands on the information provided in the RBPS Guidance Document, providing additional information about what types of documents CFATS facilities need to retain to comply with RBPS 18. The template provides a voluntary tool that facilities can use to document some of the records retention requirements covered in RBPS 18. In particular it provides specific examples of reporting formats (with fictitious data samples) for:

• Sample Record of Breaches of Security
• Sample Record of Drills and Exercises
• Sample Record of Maintenance
• Sample Record of Security Threats
• Sample Record of Site Security Plan (SSP) Audit
• Sample Record of Training Delivered

The use of this particular tool is not required for compliance. ISCD is providing the tool as an example of a ‘best practice’. Facilities are free to use their own formats and reporting documents. Based upon my personal experience in the military, however, as both a unit security ‘manager’ and as a security inspector, using a common reporting format makes for easier inspections. Inspectors can spend less time looking for details and are more likely to overlook minor lapses.


NOTE: The example data provided in the template gives some interesting insight into what types of information ISCD is really looking for.

Thursday, June 22, 2017

OMB Approves EPA TSCA Guidance Document

Yesterday the OMB’s Office of Information and Regulatory Affairs announced the approval of the publication of a new EPA guidance document supporting the implementation of some of the requirements of the Frank R. Lautenberg Chemical Safety for the 21st Century Act (PL 114-182). Specifically, this document, “Guidance to Assist Interested Persons in Developing and Submitting Draft Risk Evaluations Under the Toxic Substances Control Act (TSCA)”, should provide information to industry in determining what information should be included in requesting EPA risk evaluations under 15 USC 2605 as modified by §6 of the Act (130 Stat 460).

OIRA was pretty quick in approving this publication (submitted on June 13th), especially considering that it was substantially written under the Obama Administration. It is unclear how soon this will be published by the EPA since two of the regulations that this supports are still under review by OIRA (here and here) at the notice of proposed rulemaking (NPRM) stage. Technically this could move forward without those rules being approved since those regulations probably have more effect on EPA actions taken on the submitted data than upon industry submitting the data.


Obviously, the Trump Administration will not meet the June 22nd (today) deadline for implementing the requirements of §6. To be fair, neither would the Obama Administration have. That deadline was totally unrealistic given the rulemaking process and the complexity of the issues involved. I do suspect that we will see the two TSCA NPRMs published this summer.

Wednesday, June 21, 2017

ICS-CERT Publishes New Advisory and Updates 2 Siemens Advisories

Yesterday the DHS ICS-CERT published a new control system security advisory for a product from Ecava. They also updated two previously published advisories for products from Siemens.

Ecava Advisory


This advisory describes an SQL injection vulnerability in the Ecava IntegraXor. The vulnerability was reported by Tenable Security. Ecava has produced a new version that mitigates the vulnerability. ICS-CERT reports that Tenable has verified the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to achieve unauthenticated remote code execution.

PROFINET Update


This update provides additional information on an advisory originally published on May 9th, 2017 and updated on June 15th, 2017. This update provides new affected version data and links to updates for Primary Setup Tool (PST): All versions prior to V4.2 HF1.

Interestingly, this information on the PST was made available in the same updated version of the Siemens Advisory published on June 13th that was used for the previous ICS-CERT update. A close comparison of the original Siemens Advisory and the June 13th version shows that there was an additional product that was updated, but not mentioned in the earlier ICS-CERT update or in this update; the Security Configuration Tool (SCT): All versions < V5.0.

Industrial Products Update


This update provides additional information on an advisory originally issued on November 8, 2016 and then updated November 22nd, 2016; December 23rd, 2016; February 14th, 2017; March 2nd, 2017 and May 9th, 2017. This update provides the same new information as the ICS-CERT update described above. Interestingly (and kudos to ICS-CERT for really prompt reporting), Siemens published their updated Security Advisory just yesterday morning (ICS-CERT time).


NOTE: Siemens also announced (via Twitter; @ProductCERT) yesterday that they had published a new security advisory (SSA-126840) and updated another advisory (SSA-275839) with the same SCT information noted above. I expect that we will see those reflected on the ICS-CERT site today or tomorrow.

Monday, June 19, 2017

Committee Hearings – Week of 6-18-17

With both the House and Senate in session the focus this week remains budget hearings. There are no budget hearings of specific interest this week, but the budget process is still taking up a large portion of congressional focus. There is only one cybersecurity hearing currently scheduled for this week though there may be cybersecurity amendments offered in the NDAA markup process that also begins this week.

NDAA Act


The FY 2018 National Defense Authorization Act (NDAA) is another priority moving forward. HR 2810 currently has no cybersecurity provisions, but there are gaping holes in the bill that will be filled-in during the markup process. That process starts this week in subcommittees of the House Armed Services Committee:


Cybersecurity


On Wednesday, the Senate Homeland Security and Governmental Affairs Committee will be holding a hearing on “Cybersecurity Regulation Harmonization”. The witness list includes:

• Christopher F. Feeney, BITS/Financial Services Roundtable
• Dean C. Garfield, Information Technology Industry Council
• Daniel Nutkis, Health Information Trust Alliance
• James "Bo" Reese, National Association of State Chief Information Officers


This will certainly focus on IT cybersecurity, but there may be some minor attention paid to control system security.

Sunday, June 18, 2017

HR 2825 Amended and Approved in Committee

Last week the House Homeland Security Committee held a markup hearing on HR 2825, the DHS Authorization Act of 2018 [corrected date 6-19-17 0710 EDT]. The Committee adopted a large number of amendments, including substitute language.

Substitute Language


The original bill was extremely light in its coverage and was obviously missing some titles. The substitute language offered by Rep. McCaul (R,TX) substantially enlarged and expanded the coverage of the bill. New sections in the substitute language that may be of specific interest to readers of this blog include:

§403. Cyber at ports.
§409. Repeal of interagency operational centers for port security and secure systems of transportation.
§572. Surface transportation security assessment and implementation of risk-based strategy.
§577. Surface transportation security advisory committee.
§583. Study on surface transportation inspectors.
§584. Security awareness program.
§585. Voluntary use of credentialing.
§586. Background records checks for issuance of hazmat licenses.
§587. Recurrent vetting for surface transportation credential-holders.
§588. Pipeline security study.
§589. Repeal of limitation relating to motor carrier security-sensitive material tracking technology.
§620. Cyber preparedness.
§642. Medical Countermeasures Program.

The provisions I discussed in my post about the original bill remain essentially unchanged.

Maritime Security


Title IV of the substitute language addresses maritime security issues. Most of the provisions found in this title were included in HR 2831, the Maritime Security Coordination Improvement Act that I reviewed yesterday. That bill includes provisions not seen in this bill, so it is likely to continue forward. I suspect that the duplicate provisions in this bill are those that McCaul considers the most important.

The cybersecurity provisions that I discussed in HR 2831 are included in this bill (§403) essentially unchanged.

Surface Transportation Security Studies


The substitute language contains a new Title V, Subtitle G (sections 571 through 589) that addresses a number of surface transportation security issues. Many of them deal with various study and report requirements. There are two studies outlined in this subtitle that may be of specific interest to owners and operators of surface transportation organizations and activities.

Section 583 would require the Government Accountability Office (GAO) to conduct a study looking at potential duplications or redundancies between TSA and DOT “relating to surface transportation security inspections or oversight” {§583(1)}. While TSA has been given the responsibility for overseeing all transportation security issues, its main (some would say almost exclusive) focus has been on passenger air transportation security. As a result, the DOT modal agencies have continued to oversee the pre-TSA security requirements that were initiated by the modal agencies. There exists a very real potential that this study could lead to the disbanding of the TSA surface transportation security program as duplicative and ineffective.

Section 588 requires a separate GAO study of the TSA/DOT oversight conflict in the pipeline security arena. Of particular interest to readers of this blog is the specific inclusion of cybersecurity issues in the study parameters. The GAO is tasked with looking at whether the current memorandum of understanding between DHS and DOT adequately delineates the responsibility for {§588(a)(1)}:

• Protecting against intentional pipeline breaches and cyber-attacks;
• Responding to intentional pipeline breaches and cyber-attacks; and
• Planning to recover from the impact of intentional pipeline breaches and cyber-attacks.

The big problem here is that most of the activities that are used to respond to a pipeline breach are the same for both intentional and accidental breaches. Given the fact that accidental breaches are much more common than intentional breaches, the DOT pipeline safety folks will have much more practical experience in this field.

The one area that is not specifically identified in the §588 requirements is having the GAO study identify whether either PHMSA or TSA has enough people with the requisite skill and background in control system security to deal with cyber-attacks.

Other Amendments


An amendment offered by Rep. Thompson (D,MS) amended the new requirement for surface security awareness training outlined in §584. The Thompson amendment would reiterate that this new requirement would not “replace or affect in any way the security training program requirements” specified in 6 USC sections 1137, 1167, and 1184. Readers of this blog will remember that TSA finally published a notice of proposed rulemaking (NPRM) on those requirements last December. This amendment was adopted by voice vote.

An amendment offered by Rep. Langevin (D,RI) would add a new section to the bill that would require the FEMA Administrator to conduct a study on the use of grant funds awarded pursuant to 6 USC §604 (Urban Area Security Initiative) and §605 (State Homeland Security Grant Program) to support efforts to prepare for and respond to cybersecurity risks and incidents (as such terms are defined in 6 USC 148). Readers should see my discussion on HR 2831 on why the reference to 6 USC 148 ignores control system security issues. This amendment was adopted by voice vote.

Moving Forward



The amended substitute language on this bill passed by a voice vote. Even with the Democrats losing party line votes on six amendments, there is still substantial bipartisan support within the Committee for the amended bill. If McCaul can get buy in from the House leadership (including the chairs of a number of other potentially interested committees) to bring this bill to the floor, it is almost certain to pass. Convincing the Senate leadership to bring the bill to the floor in that body will be another intra-party, political issue.

Saturday, June 17, 2017

HR 2831 Introduced – Port Security Corrections

Last week Rep. Rutherford (R,FL) introduced HR 2831, the Maritime Security Coordination Improvement Act. The bill makes a number of changes to laws pertaining to port security operations conducted by the Coast Guard. Changes of specific interest to readers of this blog would be increased emphasis on cybersecurity and changes to Maritime Transportation Security Act (MTSA) inspection requirements.

Cybersecurity


Section 4 of the bill addresses three separate port cybersecurity issues, one at each of three levels of cybersecurity interest: DHS/CG, Captain of the Port (COTP), and MTSA covered facility owner.

Section 4(b) of the bill specifically adds cybersecurity to the areas of potential weakness that DHS/CG is required to look at when conducting the “detailed vulnerability assessment of the facilities and vessels that may be involved in a transportation security incident” required by 46 USC 70102(b)(1)(C).

Section 4(a) addresses cybersecurity at the COTP level by adding a new requirement for Area Maritime Security Advisory Committees (AMSAC) under 46 USC 70112(a)(2)(A). Under the new language, the AMSACs “shall facilitate the sharing of information relating to cybersecurity risks and incidents (as such terms are defined in section 227 of the Homeland Security Act of 2002 (6 U.S.C. 148)) to address port-specific cybersecurity risks and incidents, which may include the establishment of a working group of members of such committees to address such port-specific cybersecurity risks and incidents” {§70112(a)(2)(A)(i)}.

At the facility owner level the bill would require vessel and facility security plans under 46 USC 70103(c) to specifically address “prevention, management, and response to cybersecurity risks and incidents (as such terms are defined in section 227 of the Homeland Security Act of 2002 (6 U.S.C. 148) [link added])” {new §70103(c)(3)(C)(v)}.

Facility Inspections

Section 5 of the bill makes a change to the requirements for the Coast Guard to inspect MTSA covered facilities under 46 USC 70103(c)(4)(D). Instead of inspecting at least twice a year (one inspection conducted without advance notice), the new requirement would reduce that to at least once a year without notice.

Moving Forward


Rutherford and all three of his cosponsors {including Chairman McCaul (R,TX)} are members of the House Homeland Security Committee, one of the two committees to which the bill was assigned for consideration. This bill will almost certainly be considered (and approved) in the Homeland Security Committee; consideration by the Transportation and Infrastructure Committee is much less assured.

There does not appear to be anything in the bill that would raise any significant opposition in the House. If McCaul can get the bill to the floor of the House, it is likely to eventually reach the President’s desk.

Discussion


There are no cybersecurity definitions in the bill beyond reference to the terms ‘cybersecurity risks’ and ‘incident’ from §148(a). Those definitions both rely on the definition of ‘information system’ which §148 takes from 44 USC 3502(8). That definition is very IT-centric; “the term ‘information system’ means a discrete set of information resources [emphasis added] organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information”. Thus, it could be argued that these cybersecurity requirements do not address control system, security system, or building maintenance system security issues.

In many industries (finance, commercial sales, and healthcare for example) protecting information is the paramount concern when we talk about cybersecurity. In port operations, however, the operational side of the house is probably more significant than is the need to protect just information. Thus, it would behoove Congress to ensure that the language in this bill reflects the importance of operational cybersecurity.

The only place that currently expands the IT-centric definitions of cybersecurity to include operations technology is 6 USC 1501(9). There the definition of ‘information system’ is still based on a reference to §3502, but it was specifically expanded by adding subparagraph (B) “includes industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers”.

The problem is, however, that §1501 does not also include the terms ‘cybersecurity risks’ or ‘incident’. One could use the current reference to §148 for those terms but specify that the term ‘information system’ is based upon §1501. Doing that in both instances where the first two terms are currently used would be very wordy and potentially confusing.

It would probably be better to add a new paragraph to §4 of the bill that provides definitions that would be used in the Port Security chapter of the US Code (46 USC 70101). If I were doing this, I would add the following definitions:

(1) The term ‘information system’ has the meaning given the term in section 3502 of title 44;

(2) The term ‘control system’ means a discrete set of information resources, sensors, communications interfaces and physical devices organized to monitor, control and/or report on physical processes, including manufacturing, transportation, access control, and facility environmental controls;

(3) The term ‘cybersecurity risk’ means:

(A) threats to and vulnerabilities of information, information systems, or control systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information, information systems, or control systems, including such related consequences caused by an act of terrorism; and

(B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;

(4) The term ‘incident’ means an occurrence that actually, or imminently jeopardizes, without lawful authority:

(A) the integrity, confidentiality, or availability of information on an information system,

(B) the timely availability of accurate process information, the predictable control of the designed process or the confidentiality of process information, or

(C) an information system or a control system;


With these definitions in place the references to §148 are superfluous and should be removed. Then the intent would be clear that the bill would be addressing both the information and control system cybersecurity of port operations. And that is almost certainly the intent of the crafters of this bill.

Bills Introduced – 06-16-17

With both the House and Senate gone for the weekend there were 8 bills introduced in a pro forma session in the House. Of those one may be of specific interest to readers of this blog:

HR 2930 To develop a civil unmanned aircraft policy framework, a pilot program, and for other purposes. Rep. Lewis, Jason [R-MN-2]


I will be watching this bill to see if it addresses issues related to UAS and critical infrastructure security.

Public ICS Disclosure – Week of 6-10-17

This week Richard Young described a privilege escalation vulnerability on the APC UPS Daemon. The Seclist – Full Disclosure report notes that Young has attempted a coordinated disclosure, but received an inadequate response from the vendor. He reports that:

“The default installation of APCUPSD allows a local unprivileged user to run arbitrary code with elevated privileges by replacing the service executable apcupsd.exe with a malicious executable, which will run with SYSTEM privileges at startup.”


The APCUPSD web site reports that the program supports Modbus (via both serial and USB connections) making this UPS support program vulnerability potentially a control system security issue.
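The weakness described in the quoted report is a general one: any Windows service whose executable (or the directory holding it) can be written by an unprivileged account will run whatever that account puts there, with the service account's privileges, at the next start. The script below is an added example, not code from the disclosure or from the apcupsd project; it audits every installed service for that condition so an administrator can find and tighten the offending ACLs. It assumes Windows PowerShell 5.1 or later and an account that can read service configuration and file ACLs; the list of low-privilege principals it checks is my own choice and can be extended for a given environment.

```powershell
# Added example (not from the advisory or the apcupsd project): list services whose
# binary or containing folder grants write-class rights to low-privilege principals.
# Assumes Windows PowerShell 5.1+; run from an elevated prompt for complete results.

# Principals that a local unprivileged user is a member of (assumed list; extend as needed).
$lowPrivIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets the holder replace or alter the file or its permissions.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions

function Get-WritableServiceBinary {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_
        if (-not $svc.PathName) { return }

        # PathName may be quoted and may carry arguments; keep only the executable path.
        if ($svc.PathName -match '^"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($svc.PathName -split '\s+')[0] }
        if (-not (Test-Path -LiteralPath $exe)) { return }

        # Check both the executable itself and its parent directory: write access to the
        # directory is enough to rename the binary and drop a replacement with the same name.
        foreach ($target in @($exe, (Split-Path -Parent $exe))) {
            $acl = Get-Acl -LiteralPath $target
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($lowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
                if (([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0) {
                    [pscustomobject]@{
                        Service   = $svc.Name
                        RunsAs    = $svc.StartName     # e.g. LocalSystem
                        Target    = $target
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                    }
                }
            }
        }
    }
}

# Usage: each row is a service binary an unprivileged user could swap out.
Get-WritableServiceBinary | Sort-Object Service, Target | Format-Table -AutoSize
```

A hit for a service whose RunsAs is LocalSystem is the pattern the report describes. The fix is to restrict the ACL on the binary and its folder so that only Administrators and SYSTEM hold write rights (the default for Program Files), and to confirm after vendor updates that the installer has not loosened them again.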

Friday, June 16, 2017

Bills Introduced – 06-15-17

Yesterday with both the House and Senate in session there were 54 bills introduced. Of those, one may be of specific interest to readers of this blog:

HR 2922 To reform and improve the Federal Emergency Management Agency, the Office of Emergency Communications, and the Office of Health Affairs of the Department of Homeland Security, and for other purposes. Rep. Donovan, Daniel M., Jr. [R-NY-11]


The Office of Health Affairs currently has two chemical safety/security programs that have received mention in this blog: the medical countermeasures program for DHS employees, and the chemical defense program. I will be watching to see if HR 2922 addresses either program.

Thursday, June 15, 2017

ICS-CERT Publishes Advisory and Updates 5 Siemens Advisories

Today the DHS ICS-CERT published one new control system security advisory for a product from Cambium Networks and updated five previously published advisories for products from Siemens.

Cambium Advisory


This advisory describes two vulnerabilities in the Cambium ePMP Network Access Control products. The vulnerabilities were reported by Karn Ganeshen. According to Cambium, newer versions of the firmware are not affected. There is no indication that Ganeshen was provided an opportunity to verify that.

The two reported vulnerabilities are:

• Improper access control - CVE-2017-7918; and
• Improper privilege management - CVE-2017-7922

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to access device configuration as well as make unauthorized changes to the product’s configuration.

ICS-CERT also notes that Cambium recommends that users edit the default SNMP configuration.

PROFINET Update 1


This update provides additional information on the advisory that was originally published on May 9th, 2017. The update provides new information on the affected versions of, and links to the updates for:

• SIMATIC STEP 7 V5.X: All versions prior to V5.6;
• SIMATIC WinCC: All versions prior to V7.4 SP1 Upd1; and
• Security Configuration Tool (SCT): All versions prior to V5.0

PROFINET Update 2


This update provides additional information on the advisory that was originally published on May 9th, 2017. The update provides new information on the affected versions of, and links to the updates for:

• SCALANCE X300, X408: All versions prior to V4.1.0;
• X414 (not previously listed): All versions prior to V3.10.2;
• SITOP PSU8600 PROFINET: All versions prior to V1.2.0;
• SITOP UPS1600 PROFINET (not previously listed): All versions prior to V2.2; and
• SIMATIC S7-400 including F and H: All versions prior to V8.2.

SIMATIC Update


This update provides additional information on the advisory that was originally published on February 14th, 2017. The update provides new information on the affected versions:

• SIMATIC WinCC: All versions prior to V7.4 SP1; and
• SIMATIC WinCC Runtime Professional: All versions prior to V14 SP1.

The previously published mitigation measure (SIMATIC Logon V1.5 SP3 Update 2) will work on these products as well.

SICAM PAS Update

This update provides additional information on the advisory that was originally published on December 1st, 2016. The update provides updated version information and the announcement that the newest version of the software fixes all of the reported vulnerabilities. There is no indication that the researchers have verified the efficacy of the fix.

DROWN Update


This update provides additional information on the advisory that was originally published on April 12th, 2016 and subsequently updated on February 28th, 2017. The new update provides updated affected version information for:

• SCALANCE X300 family: All versions prior to V4.1.0,
• SCALANCE X414: All versions prior to V3.10.2,
• SCALANCE X200 RNA family: All versions prior to V3.2.5, and
• ROX I: All versions not using the mitigations listed in SSA-327980 (Siemens link).

Additionally, the update also provides new mitigation information for:

• SCALANCE X300 family;
• SCALANCE X414; and
• ROX I

Missing Siemens Advisories and Updates



The updates published today address five of the six ‘missing updates’ that I discussed on Tuesday. The still missing update is for the Siemens SIPROTEC products; SSA-732541, originally ICSA-15-202-01. I still have not seen the Siemens WannaCry updates that I mentioned on Monday being reported by ICS-CERT. Of course, ICS-CERT could have been waiting for the two new WannaCry updates Siemens announced today (here and here).

Wednesday, June 14, 2017

EPA Submits TSCA Submission Guidance to OMB

Yesterday the OMB announced that the EPA had submitted a new guidance document supporting the requirements for submitting draft risk evaluations to the EPA as part of the new TSCA requirements under the Frank R. Lautenberg Chemical Safety for the 21st Century Act (PL 114-182). This document was not included in the Obama Administration’s last Unified Agenda and the Trump Administration has not yet published a Unified Agenda.


This is the third OMB submission from the Trump Administration supporting the new TSCA requirements (see here and here).

Tuesday, June 13, 2017

ICS-CERT Publishes 3 Advisories

Today the DHS ICS-CERT published three control system security advisories for products from Trihedral and OSIsoft. ICS-CERT continues to have problems with Siemens security advisories and updates.

PI Web API Advisory


This advisory describes a cross-site request forgery vulnerability in the OSIsoft PI Web API. The vulnerability is self-reported. OSIsoft has produced an upgraded version and provides additional mitigation measures.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability to access the PI System with the privileges of a legitimate client user (write data).

PI Server Advisory


This advisory describes two improper authentication vulnerabilities in the OSIsoft PI Server. The vulnerabilities are self-reported. A new version (not currently available) has been developed that mitigates the vulnerabilities.

ICS-CERT reports that an (uncharacterized skill level) attacker could remotely exploit the vulnerability to spoof a PI Server or cause undefined behavior within the PI Network Manager.

Trihedral Advisory


This advisory describes three vulnerabilities in the Trihedral VTScada product. Karn Ganeshen reported the vulnerabilities. Trihedral has developed a patch to mitigate them. ICS-CERT reports that Ganeshen has verified the efficacy of the fix.

The three reported vulnerabilities are:

• Uncontrolled resource consumption - CVE-2017-6043;
• Cross-site scripting - CVE-2017-6053; and
• Information exposure - CVE-2017-6045

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to cause uncontrolled resource consumption, arbitrary code execution, or information exposure.

NOTE: the VTScada upgrade notes report that “VTScada logo images are now protected by a checksum. VTScada will not start if these files have been removed or modified. If you wish to create a custom-branded application, contact Trihedral Engineering for licensing.” So it is possible that a facility is using a vulnerable system without knowing it.

Missing Siemens Advisories and Updates


In addition to the five Siemens WannaCry updates I mentioned yesterday, there are six recently published Siemens advisories and updates that have not been reported by ICS-CERT. They are:

• SSA-275839: Denial-of-Service Vulnerability in Industrial Products, June 7th;
• SSA-946325: Vulnerabilities in SICAM PAS, June 9th;
• SSA-732541: Denial-of-Service Vulnerability in SIPROTEC 4, June 12th;
• SSA-293562: Vulnerabilities in Industrial Products, June 13th;
• SSA-623229: DROWN Vulnerability in Industrial Products, June 13th; and
• SSA-931064: Authentication Bypass in SIMATIC Logon, June 13th.

To be fair, it is probably too soon to be concerned about the last four, but the other 7 missing Siemens reportings are definitely of concern.


As always thanks to the Siemens @ProductCERT for their tweets about security updates on their products.

CFATS Civil Penalties

Yesterday DHS published a new web page outlining the policy and processes for assessing civil penalties and cease operations orders for the Chemical Facility Anti-Terrorism Standards (CFATS) program. The short web page provides links to two documents; the policy document and a fact sheet. The Infrastructure Security Compliance Division (ISCD) has had (and periodically has used) the authority to issue administrative orders and assess civil penalties. This is the first time that a policy document has been provided outlining the process to be used.

The ten-page policy document should be read carefully by all CFATS covered (and potentially covered) facilities. It outlines the shortcomings that can draw an administrative order, civil penalty assessment, and/or cease and desist order (in accordance with 6 CFR 27.300), the method by which ISCD assesses the amount of the penalty, and the subsequent negotiations to reduce assessed penalties.

The policy addresses three separate types of situations where the policy may apply:

• Failure to file violations (Top Screen and SVA/SSP);
• SSP/ASP deficiencies and infractions;
• Chemical-Terrorism Vulnerability Information (CVI) infractions.

Unlike some other regulatory agencies of the Federal government (e.g., EPA and OSHA), ISCD has not, does not, and apparently does not plan to publish individual notices of penalty assessments and/or orders issued. This is understandable as it would provide public notice of individual high-risk chemical facilities with less than adequate security measures; surely that would be at the top of any serious terrorist’s wish list.


BTW: There is not currently any mention of this new web site on the CFATS landing page. I expect that we will see that in the next couple of days.

NTIA Attempting to Address Botnet Issues

Today the Department of Commerce’s National Telecommunications and Information Administration (NTIA) published a request for public comment (RFC) in the Federal Register (82 FR 27042-27044) requesting comments on actions that can be taken to address automated and distributed threats to the digital ecosystem. This request is part of the activity directed by the President in Executive Order 13800 (EO 13800).

NTIA is looking for comments on attack mitigation and endpoint prevention strategies to address distributed denial of service (DDoS) attacks that use botnets. NTIA is looking for specific comments on the topics below and any additional insights that might be available. The specific topics include:

• Gaps in existing approaches;
• Potential methods of addressing the problem;
• Role of the Federal government;
• International nature of the problem; and
• User prevention activities.


NTIA is soliciting public comments. Comments may be sent by email (counter_botnet_RFC@ntia.doc.gov). Comments should be submitted by July 13th, 2017.

HR 2774 Introduced – DHS Bug Bounty Program

Last week Rep. Lieu (D,CA) introduced HR 2774, the Hack the Department of Homeland Security (Hack DHS) Act of 2017. This bill is very nearly identical {some minor formatting changes in §2(c)} to S 1281 that was introduced last month.


Unlike in the Senate, neither Lieu nor his three cosponsors are members of the House Homeland Security Committee to which this bill was referred for consideration. This means that it is extremely unlikely that this bill will be considered in the House.

Monday, June 12, 2017

ICS-CERT Publishes WannaCry Update (#9)

Today the DHS ICS-CERT published their first WannaCry update in almost two weeks. The last update was published on May 31st for the alert that was originally published on May 15th, 2017. The update includes a link to new vendor information and a link to the update in the STIX format, a machine readable format for sharing cyber threat information.

The new vendor information comes from Johnson & Johnson. The Update provides a link to a new ‘Security Advisories’ page which contains links to two product advisories; Certus®140 System, and Carto®3 System. Nothing really new is available in either document.

ICS-CERT kept the original Johnson & Johnson link in the Update. Unfortunately, that link now has nothing to do with WannaCry. All mention of WannaCry has been removed, leaving it just a generic cybersecurity disclosure reporting page. That link probably should have been removed from the Update.

ICS-CERT did miss reporting on Siemens WannaCry updates for a number of their products, including (thanks to the Siemens ProductCERT for their tweets):

• Ultrasound products, published June 1st;
• Mammography products, published June 1st;
• Multimodality Workplace products, published June 1st;
• Siemens Healthineer products, published June 1st; and
• Advanced Therapy products, published June 9th.

These were mainly just product update reports.


BTW: I half expected to see an ICS-CERT alert on CrashOverride today since US-CERT came out with their alert today. I’m still reading the Dragos paper but it sounds interesting. More to come, I’m sure.

Committee Hearings – Week of 06-11-17

This week with both the House and Senate in session the FY 2018 budget is still the big deal in congressional hearings. There are also three other hearings that may be of specific interest to readers of this blog: DHS authorization and cybersecurity.

Budget


Because of having to deal with the FY 2017 spending bill earlier this year, Congress is behind in the budgeting/spending process. Hearings this week will be looking at the department budgets. These are high-level discussions of the President’s spending plan; don’t expect much in the way of details.

Hearings of potential interest to readers of this blog include:

• Monday, House, DOD, Armed Services Committee;
• Tuesday, Senate, DOD, Armed Services Committee;
• Wednesday, House, DOT, Appropriations Committee – Subcommittee;
• Wednesday, Senate, DOD, Appropriations Committee – Subcommittee;
• Thursday, House, DOD, Appropriations Committee – Subcommittee;
• Thursday, House, DOT, Appropriations Committee – Subcommittee;
• Thursday, House, EPA, Appropriations Committee – Subcommittee;

DHS Authorization


As I mentioned earlier today, the House Homeland Security Committee will be holding a markup hearing Wednesday on HR 2825, the FY 2018 DHS Authorization Act. There is already a link to the substitute language that the Committee will markup. I expect that we will see additional amendments posted to the site tomorrow afternoon.

Cybersecurity


There will be two cybersecurity related hearings this week. One will look at IOT opportunities and challenges and the other will look at WannaCry.

Tuesday the Digital Commerce and Consumer Protection Subcommittee of the House Energy and Commerce Committee will hold a hearing looking at “Disrupter Series: Update on IOT Opportunities and Challenges”. The witness list includes:

• Mark Bachman, Integra Devices
• Gary D. Butler, Camgian Microsystems Corporation
• Cameron Javdani, Louroe Electronics
• Peter B. Kosak, General Motors North America
• Bill Kuhns, Vermont Energy Control Systems LLC
• William S. Marras, the Spine Research Institute

On Thursday the Oversight Subcommittee and the Research and Technology Subcommittee of the House Science, Space, and Technology Committee will hold a joint hearing on “Bolstering the Government’s Cybersecurity: Lessons Learned from WannaCry”. The witness list includes:

• Salim Neino, Kryptos Logic
• Charles H. Romine, National Institute of Standards and Technology
• Hugh Thompson, Symantec
• Gregory J. Touhill, Carnegie Mellon University

HR 2825 Introduced – FY 2018 DHS Authorization

Last week Rep. McCaul (R,TX) introduced HR 2825, the Department of Homeland Security (DHS) Authorization Act of 2017. While the original title of the bill seemed to imply that it was a technical corrections act, this would actually be (if it is passed) the first authorization bill for DHS since the Department was established in 2002.

As introduced this bill would have minimal effect on the chemical security, transportation security or cybersecurity functions of the department. There are only three provisions of the bill that may be of specific interest to readers of this blog:

• Sec 3 – Definition of congressional homeland security committees;
• Sec 117 – Research and development and CBRNE organizational review; and
• Sec 108 – Office of Strategy, Policy, And Plans.

Congressional Oversight


It looks like §3 is an attempt to consolidate the congressional oversight of DHS to four committees by specifically identifying only those committees in the definition of the term “congressional homeland security committees”. Those four committees are:

• House Homeland Security Committee;
• House Appropriations Committee;
• Senate Homeland Security and Governmental Affairs Committee; and
• Senate Appropriations Committee.

This will almost certainly not directly affect the rules of the House that provide for congressional oversight activities, but it does serve to restrict reporting requirements outlined in this bill.

Interestingly, this bill was only assigned to the House Homeland Security Committee for review instead of the nine committees (for instance) to which HR 6381 (last session’s late-entry attempt at a DHS authorization bill) was assigned. It will be interesting to see if this bill gets to the floor without being considered by any other House Committee.

Chemical Security


Section 117 provides for a formal review of research activities of the Department, mainly those being conducted by the Science and Technology (S&T) Directorate. The Department would be required to report to the four committees on that review.

Additionally, paragraph (b) of that section would require DHS to undertake a review of the Department’s “chemical, biological, radiological, nuclear, and explosives activities” {§117(b)(1)} with the intent to develop an “organizational structure to ensure enhanced coordination and provide strengthened chemical, biological, radiological, nuclear, and explosives capabilities in support of homeland security” {§117(b)(1)}.

This could potentially affect to whom the Department’s Infrastructure Security Compliance Division (ISCD) (the CFATS people) reports. It probably would not have much actual effect on the operation of that organization.

DHS Organization


Section 108 addresses some of the high-level organization changes of the Department that McCaul has been calling for for a couple of years. However, instead of specifically calling for a separate cybersecurity element, it outlines the apportionment of the political appointees within the Department. The positions of particular interest to readers of this blog would include:

• Administrator, Transportation Security Administration;
• Assistant Secretary, Infrastructure Protection;
• Assistant Secretary, Office of Cybersecurity and Communications;
• Assistant Secretary for Threat Protection and Security Policy;
• Assistant Secretary for Cyber, Infrastructure, and Resilience Policy;

The TSA Administrator would be appointed by the President with the ‘advice and consent’ of the Senate. The IP Assistant Secretary would not require Senate approval and the remainder would be appointed by the DHS Secretary.

No details are given in the bill for their duties or the organizations which they would oversee.

Moving Forward


McCaul is Chair of the House Homeland Security Committee so this bill will obviously move forward there. In fact, it is slated to be considered in a full committee markup on Wednesday. Interestingly, the Ranking Member is not a cosponsor of this bill, an unusual move on McCaul’s part. It will be interesting to see how much bipartisan support this bill receives in Committee.

The only problem that I see with this bill moving forward is that it would seem to trample on the political prerogatives of a number of Committee Chairs. That would normally doom this bill to languish after the Homeland Security Committee favorably reported it. This problem will become even worse when the House Homeland Security Committee takes up the bill on Wednesday. The Committee will consider substitute language that will specifically address a number of areas dealing with both TSA and the Coast Guard which would normally have to be considered by the Transportation and Infrastructure Committee.


McCaul has either worked out this change in Congressional Oversight with the House Leadership (a major undertaking that he and his predecessor have been trying to achieve for well over ten years now), or he is trying to pull a fast one. Hopefully it is the former. If it is the latter, this bill will never make it to the floor and he will have poisoned the well of cooperation for any future projects.