Tuesday, April 25, 2017

DHS Publishes Three Advisories

Today the DHS ICS-CERT published three control system security advisories for products from Hyundai Motor, Sierra Wireless and BLF-Tech.

Hyundai Motor Advisory


This advisory describes two vulnerabilities in the Hyundai Motor Blue Link. The vulnerabilities were reported by Will Hatzer and Arjun Kumar working with Rapid7. Hyundai produced a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided the opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Man-in-the-Middle – CVE-2017-6052; and
• Use of Hard-Coded Cryptographic Key – CVE-2017-6054

ICS-CERT reports that an attacker (no characterization of the skill level is provided) could remotely exploit these vulnerabilities to gain access to insecurely transmitted sensitive information, which could allow the attacker to locate, unlock, and start a vehicle associated with the affected application.

NOTE: A Rapid7 blog post provides more details about the vulnerability.

Sierra Wireless Advisory


NOTE: This advisory provides additional information on vulnerabilities that were initially reported by ICS-CERT in an Alert last June.

This advisory describes three vulnerabilities in the Sierra Wireless AirLink Raven XE and XT. The vulnerabilities were reported by Karn Ganeshen. Sierra Wireless has produced new firmware that mitigates two of the three reported vulnerabilities. There is no indication that Ganeshen was provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities were:

• Improper Authorization – CVE-2017-6044;
• Cross-Site Request Forgery – CVE-2017-6042; and
• Insufficiently Protected Credentials (Not mitigated) – CVE-2017-6046

Neither this advisory nor the Sierra Wireless Technical Bulletin [.DOC download] from last summer addresses the fourth vulnerability reported by Ganeshen in his disclosure: unauthenticated access to directories and arbitrary file upload.

ICS-CERT reports that a relatively unskilled attacker could use the publicly available exploits for these vulnerabilities to remotely attack these devices to perform unauthorized sensitive functions compromising the confidentiality, integrity, and availability of the affected system.

BLF-Tech Advisory


This advisory describes an uncontrolled search path element vulnerability in the BLF-Tech VisualView HMI. The vulnerability was reported by Karn Ganeshen. BLF-Tech has produced a new version to mitigate the vulnerability. There is no indication that Ganeshen was provided an opportunity to verify the efficacy of the fix.


ICS-CERT reports that a relatively unskilled attacker (access requirements not characterized) could exploit the vulnerability to execute arbitrary code within the system.

FDA Announces Medical Device Cybersecurity Workshop

Today the Food and Drug Administration published a meeting notice in the Federal Register (82 FR 19059-19060) for a public workshop on “Cybersecurity of Medical Devices: A Regulatory Science Gap Analysis”. The two-day workshop will be held on May 18th, 2017 in Silver Spring, MD. The objective of the workshop is to facilitate a discussion on the current state of regulatory science in the field of cybersecurity of medical devices, with a focus on patient safety.

Cybersecurity Regulatory Science


The FDA notes that its Center for Devices and Radiological Health (CDRH) identified medical device cybersecurity as one of its top 10 regulatory science gaps. In the CDRH publication “Regulatory Science Priorities (FY2016)” it was noted that (page 8):

“Digital Health and cybersecurity are some of the fastest growing areas impacting medical devices. Devices are being increasingly used in networked environments and are expected to communicate with one another securely and accurately. To ensure these technologies and technological environments achieve the desired public health impact, research is needed to enhance performance and security of medical devices and interoperability, and to understand the impact of software modifications on device performance.”

With that in mind the FDA, in conjunction with the National Science Foundation and the DHS Science and Technology Directorate, is attempting to establish a cybersecurity regulatory science research framework to foster collaborative research among federal agencies such as NSF and DHS S&T, academia, the medical device industry, third-party experts, and other organizations, with input from FDA.

Workshop Agenda


This scheduled workshop is designed to support that effort by conducting a number of simultaneous working sessions discussing the following topics:

• Relationship between medical device cybersecurity and patient safety;
• Unique cybersecurity and regulatory challenges for medical devices;
• Differences in cybersecurity between home care, large health care providers, and acute care settings (e.g., ambulance, emergency room);
• The roles and intersection of information technology professionals and biomedical engineering staff;
• Potential metrics, evaluation tools to test and quantify the cybersecurity of medical devices and systems;
• Automated and manual tools for communicating cybersecurity information about medical device design and function;
• Best practices for cybersecurity of medical devices at deployment and how to apply updates throughout the medical device lifecycle;
• Human factor issues in cybersecurity of medical device development, deployment, and use of devices; and
• Best practices in cybersecurity design, deployment, and post-deployment activities and procedures.

Each of the sessions will attempt to address the:

• Immediate cybersecurity challenges and potential solutions to facilitate entry of innovative medical devices into the marketplace;
• Cybersecurity regulatory science gaps to which solutions can be developed through additional scientific research; and
• Long-term cybersecurity research challenges which may need significant additional basic research.

Public Participation


Personnel wishing to participate in the workshop need to register in advance via the FDA’s workshop registration page. Unfortunately, as of 8:20 am EDT today that page does not show this planned workshop even though the notice states that early registration is recommended due to limited seating.

The FDA is also soliciting written comments on the above topics. Written comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # FDA-2017-N-1572). Those comments should be submitted by June 23rd, 2017.

Please note that the Federal Register notice specifically states that the workshop is not designed to discuss FDA policy regarding cybersecurity of medical devices.


Monday, April 24, 2017

CFATS 2.0 Results Webinar

I just completed watching the DHS “CFATS Tiering Update - April 2017” webinar. This webinar provided information on the preliminary outcomes of the DHS Infrastructure Security Compliance Division’s (ISCD) review of CSAT 2.0 Top Screen submissions that were started last fall. I say ‘preliminary’ because ISCD is still reviewing a number of the submitted Top Screens and is presumably still sending out Top Screen submission letters.

It was an interesting presentation and I recommend that interested parties that missed this webinar sign up for the next session that will be held early next month.

There have been a number of questions about the potential effects of the new risk-assessment methodology that is part of CSAT 2.0. The main question that folks have been asking is how that new methodology would end up affecting the Risk Tiering within the Chemical Facility Anti-Terrorism Standards (CFATS) program. The presentation today provides at least a partial answer.

Changed Risk Assessment Methodology


ISCD took a sample of 8,000 new Top Screen submissions and specifically looked at the new tiering results. Here are the results that ISCD reported today (Note: there was no mention of the missing 4% of the facilities):

• 5% moved from untiered to tiered;
• 5% moved from tiered to untiered;
• 51% moved between the four tier rankings; and
• 35% remained within their existing tier rankings

Remember, untiered facilities are not covered facilities under the CFATS program, and thus do not have to submit an SVA/SSP or have an approved site security plan (SSP) or alternative security plan (ASP).

The presenters also described two specific trends that they saw in tier changes. First, facilities that had only weapon of mass effect (WME) security issues tended to see a decrease in tier ranking because the new ‘physics-based modeling’ tended to see a lower risk for the same situation for these chemicals as compared to the old risk modeling process. Second, a counter-trend was seen with two specific chemicals (triethanolamine and methyldiethanolamine); the same ‘physics-based modeling’ tended to see an increased risk for these chemicals as compared to the previous methodology.

The presenters also noted that there were 235 facilities (not clear if they were part of the 8,000 used for the above analysis) that were facilities with only theft/diversion security issues that now had added release security issues. The presenters did not make it clear whether this was due to the risk modeling or if it was due to changes in the reported DHS chemicals of interest on site.

Commentary


I missed the early portion of the webinar, so I almost missed the information that ISCD probably presented on the number of letters sent out and the number of Top Screens that have been submitted. I should have more information on that in the near future.

I have some serious questions about the reported analysis of the risk assessment results presented in the webinar. Now this is probably due to my nitpicking of statistical analysis in general. I have a little more training (not that much though) in statistical analysis than most people, so I generally cringe whenever I see the word ‘analysis’ used in a presentation.

First, let’s look at that missing 4% I mentioned earlier. There is one category that is specifically missing from those reported, the untiered facilities that remained untiered facilities. For the sake of discussion, let us assume that those unreported 4% were those untiered facilities that did not change. That would mean that only 9% of the facilities in the 8,000-facility sample were untiered or facilities that were not covered by the CFATS program.

That is a problem because that would mean that 81% of the 8,000 facilities in the sample were currently covered facilities. That would be 6,480 facilities. But, as of the last reporting by ISCD, there were fewer than 3,000 covered facilities in the program. That means that the reported percentages cannot be of the whole 8,000-facility sample.

Let’s assume for the sake of argument that all 2,948 facilities reported in the last CFATS Fact Sheet from October 1st of last year were included in the 8,000-facility sample. That would mean that there were 5,052 initially untiered facilities in the sample. Plugging these numbers into the previously reported percentages we get:

• 252 moved from untiered to tiered;
• 147 moved from tiered to untiered;
• 1503 moved between the four tier rankings; and
• 1031 remained within their existing tier rankings


This still leaves 716 facilities for which no data was provided, or 24% of the covered facilities. So, any way we look at it we have internally inconsistent information provided. I will try to get clarification from ISCD.

Committee Hearings – Week of 04-23-17

With both the House and Senate back in Washington after their two-week recess, the main focus this week will be on getting a spending bill passed for the remainder of FY 2017. The deadline for that is Saturday, else the dreaded government shutdown will occur (unlikely). With that on the congressional platter the hearing schedule is relatively light this week; there is just one hearing that may be of specific interest to readers of this blog. It will address hazmat transportation issues.

HAZMAT Transportation


On Wednesday the Railroads, Pipelines, and Hazardous Materials Subcommittee of the House Transportation and Infrastructure Committee will be holding a hearing looking at “Building a 21st Century Infrastructure for America: The State of Railroad, Pipeline, and Hazardous Materials Safety Regulations and Opportunities for Reform”. The witness list includes:

• Linda B. Darr, American Short Line and Regional Railroad Association;
• Roger Nober, BNSF Railway;
• Paul Rankin, Reusable Industrial Packaging Association;
• Robin Rorick, American Petroleum Institute;
• Donald J. Santa, Jr., Interstate Natural Gas Association of America; and
• John Tolman, Brotherhood of Locomotive Engineers and Trainmen

I expect that we will hear very little about new regulations that the industries need to protect the public and more about what current and proposed rules need to be reviewed, revamped, or removed.

On the Floor


Nothing of specific interest is expected to come to the floor of either the House or Senate this week beyond the FY 2017 Continuing Resolution. That bill has not yet been made public; there is still too much horse trading going on for that. It is interesting that we are seeing news this week about what bill components (or lack thereof) might result in a Trump veto of the spending bill coming out of a Republican-controlled Congress.


As always, I will leave the gross reporting on the bill to the national press. I will focus on the specifics of what the bill might mean to the chemical safety, security and transportation communities and the control system cybersecurity community.

Saturday, April 22, 2017

DHS Announces Date and New Location for 2017 CSSS

Yesterday the DHS Office of Infrastructure Protection (IP) and the Chemical Sector Coordinating Council announced via the Chemical Sector Security Summit (CSSS) web page that the 2017 CSSS will be held in Houston, TX on July 19-21, 2017. Those of us who signed up for future information about the 2017 CSSS (see the bottom of the web page) received an email from DHS providing the same information yesterday.


Information concerning registration and the agenda will be published on the web page (and certainly here) later this spring.

NIST Announces CSF 1.1 Workshop – May 16th, 2017

NIST has announced another in a series of workshops concerning the proposed new version of their Cybersecurity Framework (CSF 1.1). The 2-day workshop will be held in Gaithersburg, Maryland on May 16th, 2017. The draft agenda for the workshop was made available this week on their CSF website.

I have not covered CSF 1.1 because the CSF is not operationally an industrial control system (ICS) security program. There are ICS components, but this is a cybersecurity management tool, not actually a cybersecurity tool. I have not seen anything in CSF 1.1 that would change that assessment.

Having said that, I am mentioning this workshop because it contains an internet of things (IoT) breakout session on the second day of the CSF 1.1 workshop. The agenda describes it this way:

“Cyber Meets the Physical World: The diverse use and rapid proliferation of connected devices – typically captured by the “Internet of Things (IoT)” – creates enormous value for industry, consumers, and broader society. At the same time, emerging threats, such as last year’s Mirai DDoS attacks, highlight the critical need to develop and apply guidance to maintain the cybersecurity of devices and the ecosystems into which they are deployed. NIST is seeking feedback on how the Framework may be applied to the IoT, both in terms of the devices themselves, as well as their integration into broader enterprise and network environments. Topics in this breakout may include: existing IoT definitions and taxonomies and their consistency with the Framework; IoT specific threats and constraints; sector-specific considerations for IoT security; and the integration of IoT-specific threats into the Framework model.”

Even this description of ‘Cyber Meets the Physical World’ contains no specific reference to industrial control systems, or even really hints at their existence. This is the thing that continues to concern me about the CSF. I hope that I am reading too much into this brief description, and I hope that we hear from some attendees with an ICS cybersecurity background that there was some specific and realistic discussion of ICS-specific security concerns with IoT and how that might be dealt with in the CSF environment.


Early registration is recommended by NIST due to the limited seating available. Registration closes on May 9th, 2017.

Friday, April 21, 2017

PHMSA Publishes 11 60-Day ICR Renewals

Today the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) published a 60-day information collection request (ICR) renewal notice in the Federal Register (82 FR 18828-18831) for eleven separate existing ICRs. While the limited information provided in this notice would seem to indicate that there are no changes from the currently approved versions of these ICRs, there is something odd going on with one of the ICRs.

The eleven ICRs are listed in the table below. The link in the title of the ICR is to its appearance in this notice and the link in the RIN is to the currently approved ICR.



The odd thing about the Approval for Hazardous Material ICR is that earlier this month PHMSA submitted an ICR revision request to OIRA for the ICR. That ICR revision was to support a final rule published by PHMSA on March 30th, 2017. That rulemaking simply reports that there are expected to be an additional 3,600 responses and an increase of 1,800 hours in the burden required by this new rule. A more detailed accounting of that change can be found in the supporting document [.DOC download] that was sent to OIRA earlier this month.

What seems likely is that whoever was responsible for crafting this ICR notice for PHMSA just copied the previous 60-day ICR notice submitted three years ago, made some cosmetic changes for dates and then submitted the revised document to OIRA. And I suspect that too many ICR renewals suffer the same problem; someone just going through the motions. It makes a mockery of the requirement for agencies to submit, and OMB to approve, these ICRs to ensure that the regulated public is not unnecessarily burdened by the data collection demands of the Federal government.

At the very least, PHMSA needs to stop this ICR renewal and publish a new 60-day ICR notice without including the Approval for Hazardous Material ICR.


PHMSA is soliciting public comments on this ICR notice. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; PHMSA-2017-0018). I will be submitting a copy of this post as a comment.

Bills Introduced – 04-21-17

Yesterday both the House and Senate met in pro forma session. There were twelve bills introduced in the House while the vast majority of members (probably only three in attendance) remained in their home districts campaigning, raising money and meeting with constituents (Senate rules do not allow introduction of bills during pro forma sessions). Of these, only two may be of specific interest to readers of this blog:

HR 2105 To require the Director of the National Institute of Standards and Technology to disseminate guidance to help reduce small business cybersecurity risks, and for other purposes. Rep. Webster, Daniel [R-FL-11]

HR 2114 To require the Secretary of the Treasury to implement security measures in the electronic tax return filing process to prevent tax refund fraud from being perpetrated with electronic identity theft. Rep. Yoho, Ted S. [R-FL-3] 

It will be interesting to see what form the ‘disseminate guidance’ will take and what additional guidance (over and above the already existing guidance documents) will be required. I really do not expect that the guidance will include industrial control system guidance though it almost certainly should (IMHO).

I will only be mentioning HR 2114 in this blog post. I mention it to remind readers how long it takes Congress to react to real problems. Brian Krebs first wrote about this problem in 2015, so the problem has been around for a while now. To be fair Yoho introduced an earlier version of this bill in the 114th Congress (HR 1595) but there was no action taken on that bill even though it ultimately had 33 bipartisan cosponsors. I expect a similar fate this session.

Thursday, April 20, 2017

DHS Publishes 60-Day ICR Revision Notice for CVI Program

Yesterday the DHS National Protection and Programs Directorate (NPPD) published a 60-day information collection request (ICR) notice in the Federal Register (82 FR 18466-18468) for revisions being made to support the Chemical-Terrorism Vulnerability Information (CVI) program within the Chemical Facility Anti-Terrorism Standards (CFATS). The proposed changes reduce the number of information collections and the DHS burden estimate for that program.

Changes


Based upon the experience of the last three years, the Infrastructure Security Compliance Division (ISCD) of the NPPD is removing five information collection instruments from this ICR. They are:

• “Determination of CVI”;
• “Determination of a ‘Need to Know’ by a Public Official”;
• “Disclosure of CVI Information”;
• “Notification of Emergency or Exigent Circumstances”; and
• “Tracking Log for CVI Received”

This leaves just one ICR instrument covered by this collection, the information collected by the CVI Training web site and the subsequent CVI user application. ISCD reports that it expects the number of respondents for this remaining instrument to decrease from 30,000 to 20,000.

Commentary


Once again it is nice to see a detailed accounting of the changes being proposed by a federal agency in the ICR process. Such details provide the data necessary to make informed comments for ultimate consideration by the OMB’s Office of Information and Regulatory Affairs.

I also commend DHS for this review of the collection instruments covered by the ICR and its intent to remove little-used or unnecessary instruments. Having said that, I have concerns about the removal of three of the identified instruments:

• “Disclosure of CVI Information”;
• “Notification of Emergency or Exigent Circumstances”; and
• “Tracking Log for CVI Received”

All three of these instruments are still required by the DHS CVI Procedural Manual; the first with mandatory language (“must promptly report”) and the other two with permissive language (“should be kept and submitted” and “DHS encourages”). In fact, the first is required by the CFATS regulations {6 CFR 27.400(d)(7)}.

The notice would appear to attempt to address these three instruments by stating that:

“The Department expects that in many instances when the Department may need or want to collect information regarding emergency and/or unauthorized disclosure of CVI, the collection would not be covered by the Paperwork Reduction Act because the information would be collected during the conduct of an investigation involving specific individuals or entities. See 44 U.S.C. 3518(c)”

That would certainly be true of the subsequent investigation of the reports in the first two instances, but not the initial reports themselves.

I would like to suggest that DHS continue to retain these three instruments in this ICR with an appropriately low number of respondents and the current estimate of burden hours and cost rates.

Public Comments


DHS is soliciting public comments about this ICR. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; DHS-2017-0015). Comments should be submitted by June 19th, 2017.

A copy of this blog post is being submitted as a comment to this ICR notice.

Wednesday, April 19, 2017

ICS-CERT Updates an Advisory and an Alert

Yesterday the DHS ICS-CERT updated two control system security notices; one an alert for BrickerBot and the other an advisory affecting products from Belden Hirschmann.

BrickerBot Update


This update provides new information on the alert that was originally published on April 12th, 2017. The update more specifically acknowledges the Radware contribution to the state of current knowledge about BrickerBot. It also provides:

• A slightly more detailed and updated description of the operation of both BrickerBot.1 and BrickerBot.2; and
• A new mitigation measure: updating Ubiquiti device firmware.

Belden Hirschmann Update


This update provides new information on the advisory that was originally published on January 26th, 2017. The update expands the scope of the advisory, adding three new vulnerabilities that were apparently fixed with the originally reported new software version. The newly reported vulnerabilities are:

• Server-side request forgery - CVE-2017-6036;
• Cross-site request forgery - CVE-2017-6038; and
• Information exposure - CVE-2017-6040

Belden did not change their original Security Bulletin. Instead, they issued an additional Security Bulletin to describe the ‘new’ request forgery vulnerabilities. Belden actually describes the cross-site request forgery as a subset of the server-side request forgery, rather than specifically listing it as a separate vulnerability. Belden never does specifically acknowledge the ‘information exposure’ vulnerability reported by ICS-CERT.


Interestingly, the only change that ICS-CERT makes to their ‘impact’ statement designed to reflect the additional vulnerabilities is to change the words ‘of this vulnerability’ to ‘of these vulnerabilities’. It does not acknowledge the Belden report that the ‘new’ vulnerabilities may allow an attacker to “trick administrators into changing the configuration of the device”.

Tuesday, April 18, 2017

ISCD Updates Two FAQ Responses and Adds a New Article

Today the DHS Infrastructure Security Compliance Division (ISCD) updated two frequently asked question (FAQ) responses and added a new article on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. There is no specific notice on that site concerning the presence of the new article.

FAQ Updates


The two changed FAQ responses were significant rewrites of the verbiage but no real new information was provided. The updated FAQ responses were for the following existing FAQ:


The new response to FAQ #1489 is significantly shorter than the previous response. ISCD has removed verbiage about the need for facility knowledge on the part of the Preparer and the unrelated information that the Submitter should be an officer or employee of the company who is domiciled in the US. That was perfectly good information, but it was not really pertinent to the FAQ.

For FAQ #1579 there was actually a significant change to the wording of the FAQ as well as a nearly complete rewrite of the response. The original FAQ started off with “How does a college define itself….” The new FAQ substitutes ‘facility’ for ‘college’, expanding the coverage of the response to include a more diverse set of facilities. That expansion did not have any real effect on the new response.

The new response would seem to imply that ISCD is taking a different sort of look at facilities that choose to only include isolated parts of their overall facility in their definition of the facility for the purpose of Top Screen submissions. The original FAQ response included this:

“As such, an institution of higher learning can, if appropriate, submit a Top-Screen on a facility-by-facility basis or on a campus-wide basis. However, the Department will evaluate whether or not the facility or facilities, if determined to be high-risk, have complied with CFATS and, specifically, the Risk-Based Performance Standards (RBPS).”

The new response substitutes the following language:

Individual buildings within a facility site can be registered as separate facilities if they possess COI at or above the screening threshold quantity (STQ). For example, a college or university can, if appropriate, submit a Top-Screen on a building-by-building basis or on a campus-wide basis and need not necessarily count the total of all COI in separate buildings to ascertain whether it meets or exceeds the applicable STQ for each COI. However, the Department will evaluate whether or not the definition of the parameters of the facility or facilities to determine whether such definition appears intended to thwart or evade regulation under CFATS.

It is clear to see that the original response had more of a focus on how the identification of multiple facilities impacted the site security plan for the sites. The new response would seem to indicate that ISCD has new concerns about people attempting to evade coverage under the CFATS program by filing multiple sites that might not be considered at high risk of terrorist attack when the combination of the facilities might be considered to be at high risk.

Both the original response and the new response provide a link to the final rule on Appendix A to the CFATS regulations (6 CFR Part 27) and a description of the area within that final rule where the discussion that affects the response to this FAQ takes place. If ISCD had used a link to the Federal Register web site instead of its own listing of the publication, it would have been able to provide a more direct link to the discussion (here).

New Article



The new article (Article #1780) provides a fairly detailed discussion of the categories of facilities that are exempt from the requirement to submit a Top Screen and are thus exempt from coverage under the CFATS program. The information provided in this article has, for the most part, been provided in individual FAQ responses to questions about the specific programs that form the basis for the exemption from CFATS program coverage. This is the first time, however, that it has been included in a single place on the CFATS Knowledge Center.

HR 1891 Introduced – Methyl Bromide

Earlier this month Rep. LaMalfa (R,CA) introduced HR 1891, the Safe Agriculture Production Act of 2017. The bill would authorize the continued use of methyl bromide as a pesticide and/or fungicide for certain emergency uses. The bill is essentially identical to HR 3710 from the 114th Congress. That earlier bill saw no action.

LaMalfa and his 10 cosponsors (9 Republicans and 1 Democrat) are all from agricultural districts that were presumably affected by the phase-out of methyl bromide under the Montreal Protocol to Protect the Ozone Layer as enforced by 40 CFR Part 82. 2017 is the first year that there are no authorized essential uses for methyl bromide, and its manufacture, importation or use in the United States is generally outlawed.

As I outlined in my blog post about HR 3710, the bill would amend 7 USC 7719 concerning the agricultural uses of methyl bromide. The amendment is in effect a complete re-write of §7719. Something that I failed to mention in that earlier post is an important provision of §7719 that was not included in the new rewrite in this (or the earlier) bill. That provision was found at §7719(d)(2):

“Nothing in this section shall be construed to alter or modify the authority of the Administrator of the Environmental Protection Agency or to provide any authority to the Secretary of Agriculture under the Clean Air Act (42 U.S.C. 7401 et seq.) [link added] or regulations promulgated under the Clean Air Act.”

This type of verbiage is typically added when there is a conflict between the authorities and responsibilities of two different sections of the Executive Branch. The removal of this language in the rewrite of §7719 and the inclusion of the “Notwithstanding any other provision of law…” verbiage in the new §7719(f) is effectively intended to remove the EPA from any regulation of methyl bromide in the ‘emergency’ situations broadly outlined in the bill.

The lack of any action in the last session on the previous version of this bill is a pretty good indicator that the bill is unlikely to be considered in this session. There is, however, more incentive for the sponsors of this bill to push for action, since methyl bromide use is completely disallowed for the first time this year. The replacement chemicals are not as effective as methyl bromide, and many farmers and agricultural importers are going to be bothering these representatives for some sort of relief.

Even given that, I see little chance that this bill will make it through the legislative process. Passage may be possible in the House, but the bill would never make it to the floor in the Senate. The only chance that I see this making it into law is if it was included in the agriculture authorization bill, and that chance is fairly remote seeing that Rep. Conaway (R,TX; the Chair of the House Agriculture Committee) did not allow any action on the previous version of the bill in his Committee in the 114th Congress.


As always, my concern with this bill lies in the failure of DHS to include methyl bromide (a toxic inhalation hazard chemical) in its list of chemicals that would trigger a Top Screen reporting requirement under the Chemical Facility Anti-Terrorism Standards (CFATS) program. This is the only TIH chemical not on that list, and it was specifically removed because it was being phased out under the Montreal Protocol.

Saturday, April 15, 2017

Public ICS Vulnerability Disclosure – Week of 04-09-17

This week John Page (HYP3RLINX) published three control system security vulnerability reports on the Full Disclosure mailing list; all three reports include proof of concept exploit code. All three of the vulnerabilities were for products from Moxa; two for Moxa MXView (here and here) and one for MX-AOPC UA SERVER (here). Page reports that these were coordinated disclosures and that Moxa has updated firmware to mitigate all three vulnerabilities.

MXView


The two reported vulnerabilities are:

• Remote private key disclosure - CVE-2017-7455; and
• Denial of service - CVE-2017-7456

MX-AOPC UA SERVER



The sole reported vulnerability for this product is an XML external entity injection (CVE-2017-7457) vulnerability.
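To show what the vulnerability class named here actually does, the following is an added example and not code from Moxa or from Page's report; it says nothing about how MX-AOPC UA Server itself parses XML. It uses Python's stdlib expat binding to parse a constructed document whose DOCTYPE declares an external entity pointing at a local file (the path and the "secret=hunter2" file contents are constructed for the demo). The vulnerable configuration opens whatever SYSTEM identifier the document names and inlines the bytes; the hardened configuration makes any external entity reference abort the parse.

```python
import os
import tempfile
import xml.parsers.expat as expat


def xxe_document(path: str) -> bytes:
    """Constructed attacker-supplied document: declares an external
    general entity pointing at a local file and references it in content."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE cfg [<!ENTITY xxe SYSTEM "{path}">]>\n'
        "<cfg><name>&xxe;</name></cfg>"
    ).encode()


def parse_vulnerable(doc: bytes) -> str:
    """Return the text content, resolving external entities the way a
    naive parser configuration does: the SYSTEM identifier is opened
    and its bytes are inlined wherever the entity is referenced."""
    parser = expat.ParserCreate()
    text = []
    parser.CharacterDataHandler = text.append

    def resolve(context, base, system_id, public_id):
        # The sub-parser inherits CharacterDataHandler, so the file's
        # bytes land in `text` as if they were part of the document.
        sub = parser.ExternalEntityParserCreate(context)
        with open(system_id, "rb") as fh:  # system_id assumed to be a plain path
            sub.Parse(fh.read(), True)
        return 1

    parser.ExternalEntityRefHandler = resolve
    parser.Parse(doc, True)
    return "".join(text)


def parse_hardened(doc: bytes) -> str:
    """Same extraction, but any external entity reference aborts the parse:
    returning 0 from the handler makes expat stop with an ExpatError."""
    parser = expat.ParserCreate()
    text = []
    parser.CharacterDataHandler = text.append

    def refuse(context, base, system_id, public_id):
        return 0

    parser.ExternalEntityRefHandler = refuse
    parser.Parse(doc, True)
    return "".join(text)


def demo():
    """Run both parsers over the constructed document; returns the text the
    vulnerable parser leaked and whether the hardened one refused."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("secret=hunter2")  # constructed stand-in for a readable server file
        doc = xxe_document(secret)
        leaked = parse_vulnerable(doc)
        try:
            parse_hardened(doc)
            blocked = False
        except expat.ExpatError:
            blocked = True
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser refused external entity:", blocked)
```

For a format that never legitimately needs a DOCTYPE, the stronger fix is to reject the document as soon as a doctype declaration is seen (a StartDoctypeDeclHandler that raises), which also removes the entity-expansion denial-of-service cases; the refusal handler above is the minimum that stops file disclosure.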

Friday, April 14, 2017

NTIA Announces IOT Cybersecurity Meeting

Today the Department of Commerce’s National Telecommunications and Information Administration published a meeting notice in the Federal Register (82 FR 17977-17978) concerning their Multistakeholder Process on Internet of Things (IOT) Security Upgradability and Patching. The public meeting will be held on April 26th, 2017 in Washington, DC.

The earlier meetings on this topic were held by NTIA on October 19th, 2016 and January 31st, 2017.

An agenda for the meeting is not yet available, but according to the meeting notice:

“Stakeholders have identified four distinct work streams that could help foster better security across the ecosystem. The main objectives of the April 26, 2017 meeting are to share progress from the working groups and hear feedback from the broader stakeholder community. Stakeholders will also discuss their vision of the timing and outputs of this initiative, and how the different work streams can complement each other.”

The meeting will be webcast. See the Multistakeholder web site for more information. 

ICS-CERT Publishes Two Advisories

Yesterday the DHS ICS-CERT published two control system security advisories for products from Schneider Electric and Wecon Technologies.

Schneider Advisory


This advisory describes two vulnerabilities in the Schneider Modicon M221 PLCs and SoMachine Basic. The vulnerabilities were reported by Simon Heming, Maik Brüggemann, Hendrik Schwartke, and Ralf Spenneberg of Open Source Security. Schneider has announced an encryption workaround and that they will introduce a new version of SoMachine Basic in June.

The two reported vulnerabilities are:

• Use of Hard-Coded Cryptographic Key – CVE-2017-7574; and
• Protection Mechanism Failure – CVE-2017-7575

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities using a publicly available exploit to extract a protected project file from the controller to obtain sensitive project information, or allow a user with access to a protected project file to decrypt it in order to obtain sensitive information without authorization.

Interestingly, the Schneider security notification only addresses the vulnerability in their SoMachine Basic; ignoring the vulnerability in their Modicon M221 PLCs. Could that vulnerability be a ‘design feature’?

NOTE: These are the vulnerabilities that I reported on last weekend. Open Source Security published the vulnerabilities on their web site (here and here) a week ago last Tuesday.

Wecon Advisory


This advisory describes two buffer overflow vulnerabilities in the Wecon LEVI Studio HMI Editor. The vulnerabilities were reported by Andrea (rgod) Micalizzi, working with iDefense Labs. Wecon has developed a new version that mitigates the vulnerabilities. There is no indication that rgod has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Heap-based buffer overflow – CVE-2017-6037; and
• Stack-based buffer overflow – CVE-2017-6035


ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to cause the device to become unresponsive; a buffer overflow condition may allow remote code execution.

Thursday, April 13, 2017

ISCD Publishes Three FAQ Updates

Today the DHS Infrastructure Security Compliance Division (ISCD) published three revised frequently asked question (FAQ) responses on its Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. While many recent changes have been made to add regulatory links, the three FAQ responses published today had some significant word changes.

The three FAQ responses that were updated today were:


FAQ #1291


The basic change to this FAQ response was the addition of links to the CFATS regulation and to the CFATS Advisory Opinion web site, where there is a link to Opinion 2016-02 that addresses the ‘A Commercial Grade’ (ACG) issue in some detail. The greater detail found in that opinion apparently provides a reasonable justification for removing some of the explanatory wording in the original FAQ response.

FAQ #1383


The new FAQ #1383 response is very much shorter than the original response. It removes the explanation of why ANFO is not treated as an explosive by the CFATS program. While the new answer does specifically answer the question posed, I think that the information provided in the earlier version should have been retained for clarity's sake. For the record, here is the old response with the deleted language highlighted:

No. As stated in the preamble to the final Appendix A to the Chemical Facility Anti-terrorism Standards (CFATS), the only explosive Chemicals of Interest (COI) listed in Appendix A (i.e., release explosives and theft/diversion explosives) are those listed by the Department of Transportation (DOT) as Class 1, Division 1 explosives. See 72 Fed. Reg. 65402-65403, [Link Added] 65405 & n. 37 (Nov. 20, 2007). Although ANFO is an explosive, it is not listed by DOT as a Division 1.1 explosive, and thus it is not covered by Appendix A. However, a facility that manufactures ANFO and possesses any chemical of interest (e.g. ammonium nitrate) in a quantity at or above the applicable STQ would be required to submit a Top-Screen.

FAQ #1437


The response to FAQ 1437 is a complete re-write of the original FAQ response; removing any mention of ACG which was never really pertinent to the question. Unfortunately, the new language is a little bit confusing until one actually looks at the Appendix A table.

The new response states:

“As provided in 6 CFR §27.203(d), https://www.gpo.gov/fdsys/pkg/CFR-2016-title6-vol1/pdf/CFR-2016-title6-vol1-sec27-203.pdf, a facility shall count toward the STQ the total quantity of any placarded amount of a sabotage/contamination chemical that the facility ships.”

The actual wording of §27.203(d) reads:

“A facility meets the STQ for a sabotage/contamination chemical of interest if it ships the chemical and is required to placard the shipment of that chemical pursuant to the provisions of subpart F of 49 CFR part 172 [Link Added].”

The way the regulation reads, if a facility ships one shipment of a sabotage/contamination chemical of interest that DOT requires to be placarded (either on the container or the vehicle carrying the material), then the facility has met the STQ for that COI, regardless of the size of the shipment. The FAQ response would seem to indicate that you could have some number of placarded shipments of a sabotage/contamination COI and still not reach the STQ.


Looking at the COI table in Appendix A, however, quickly clears up the matter. The STQ for all sabotage/contamination COI is listed as ‘APC’ or ‘a placarded amount’; confirming that a single placarded shipment of the COI would meet the STQ for that sabotage/contamination COI.

S 768 Introduced – Smart Manufacturing

Last month Sen. Shaheen (D,NH) introduced S 768, the Smart Manufacturing Leadership Act. The bill would require the Secretary of Energy to develop a smart manufacturing plan and to provide assistance to small- and medium-sized manufacturers in implementing smart manufacturing programs.

Definition of Smart Manufacturing


The basic definition of smart manufacturing in this bill encompasses the technologies that digitally {§3(9)(A)}:

• Simulate manufacturing production lines;
• Operate computer-controlled manufacturing equipment;
• Monitor and communicate production line status; and
• Manage and optimize energy productivity and cost throughout production


The bill goes on to further expand the definition to include technologies that {§3(9)}:

• Model, simulate, and optimize the energy efficiency of a factory building;
• Monitor and optimize building energy performance;
• Model, simulate, and optimize the design of energy efficient and sustainable products, including the use of digital prototyping and additive manufacturing to enhance product design;
• Connect manufactured products in networks to monitor and optimize the performance of the networks, including automated network operations; and
• Digitally connect the supply chain network.

Smart Manufacturing Plan


Section 4 of the bill would require DOE to develop and implement a smart manufacturing plan within 3 years to improve the productivity and energy efficiency of the manufacturing sector of the United States. The plan would identify actions that the Federal government would take to {§4(b)(1)}:

• Facilitate quicker development, deployment, and adoption of smart manufacturing technologies and processes;
• Result in greater energy efficiency and lower environmental impacts for all American manufacturers; and
• Enhance competitiveness and strengthen the manufacturing sectors of the United States.

Moving Forward


Shaheen is not a member of the Senate Energy and Natural Resources Committee to which this bill was assigned for consideration. This means that there is little chance that she has the influence necessary to have that Committee take up the bill.

The only thing in this bill that would cause any significant opposition to its consideration (in committee or on the floor) is the inclusion of a relatively modest new grant program. The $10 million authorized for the grant program would have to come out of an already limited budget environment. That would probably be sufficient to ensure that the bill will not receive consideration.

Commentary


Sharp-eyed readers will see little above that indicates why I would spend any time evaluating this bill on this blog; there are no chemical safety or cybersecurity provisions in the bill. The lack of cybersecurity provisions in the bill is what concerns me here.

Shaheen does mention cybersecurity in a couple of places in Section 2 of the bill, the congressional findings section. These findings spell out the reasons that the programs outlined in the bill are necessary. And she lays out a pretty good set of reasons to include cybersecurity.

First, she establishes that “the interconnection of the many components of manufacturing within a manufacturing plant with other business functions within a company and across companies within a supply chain will enable new production efficiencies” {§2(4)}. Those of us who follow control system security recognize (and object to) these ‘interconnections’ as a great source of the vulnerability of control systems that until recently were considered to have isolation as their greatest security measure.

Second, in laying out the barriers to adoption of smart manufacturing technologies, she specifically identifies the lack of “common cybersecurity protocols and standards” {§2(7)(D)}.

Finally, she establishes that the Department of Energy is (and should be) specifically working “with the private sector to reduce the market barriers through the development of voluntary protocols and standards” {§2(9)} to overcome these barriers to smart manufacturing technology adoption in the US.

So why is there no mention of cybersecurity in the discussion of the smart manufacturing plan the DOE is supposed to develop and implement? It is almost certainly not because Shaheen and her staff (who really write these bills) do not see the need; they specifically mentioned the need. It is probably not because they are technologically ill equipped to set cybersecurity standards; there is no specificity in the other requirements for the smart manufacturing plan. I do not even believe it is because of the current resistance in the business community to establishing cybersecurity regulations; the bill could have easily called for the establishment of ‘voluntary standards or protocols’ for cybersecurity.

No, I think that the problem here is committee politics. If Shaheen had added the word ‘cybersecurity’ to section 4 of the bill, it would have forced the bill to be referred to at least one more committee (the Commerce, Science, and Transportation Committee) for consideration. This would have destroyed any minor hope that Shaheen might have had of being able to horse trade with a Committee Chair to get the bill considered by a committee of which she is not a member.

Further, I suspect that she was hoping that the bill would be assigned to the Senate Committee on Small Business and Entrepreneurship (of which she is the Ranking Member) rather than the Energy and Natural Resources Committee. That is the reason that she makes a major point of addressing small business concerns in the bill. Unfortunately, the inclusion of the DOE really put the kibosh on that hope.

I really think that we might see this bill again later this year when the DOE authorization bill makes it to the floor of the Senate as an amendment to that bill. If it does, I would hope to see some added cybersecurity language. To that end, I would suggest the following specific language:

Add a new §3(10): “VOLUNTARY CYBERSECURITY STANDARDS AND PROTOCOLS -The term “voluntary cybersecurity standards and protocols” means a standard and/or protocol developed by the National Institute of Standards and Technology (NIST) or recognized independent standards setting organizations that an electronic equipment manufacturer, system integrator or system owner may voluntarily apply in the manufacture, integration or operation of an industrial control system, energy management system or information and communication technology system, that would protect such systems from a cyber threat as that term is defined in 6 USC 1501.”

Add a new §4(b)(1)(C): “encourage the development, promulgation and implementation of voluntary cybersecurity standards and protocols in smart manufacturing operations; and”


This simple, generic language could add a significant measure of cybersecurity support to this bill without drawing any significant opposition from manufacturers fearing new government regulations.

Wednesday, April 12, 2017

ICS-CERT Publishes BrickerBot Alert

Today the DHS ICS-CERT published a control system security alert about a new botnet attack that affects IOT devices. The attack bricks the affected devices, hence the name BrickerBot. ICS-CERT identifies Radware as the initial source of the report on BrickerBot and provides a link to their BrickerBot report (originally published a week ago).

ICS-CERT provides the following summary of the two BrickerBot versions (BrickerBot.1 mostly affects Ubiquiti devices and BrickerBot.2 affects other Linux-based devices):

• BrickerBot.1 targets devices running BusyBox with an exposed SSH command window and an older version of Dropbear SSH server. Most of these devices were also identified as Ubiquiti network devices, some of which are access points or bridges with beam directivity.
• BrickerBot.2 targets Linux-based devices which may or may not run BusyBox or use Dropbear SSH server. However, Brickerbot.2 can only access devices which expose a Telnet service protected by default or hard-coded passwords.


ICS-CERT is working to identify affected devices and will work with vendors to see what equipment specific mitigation measures (if any) will be used to mitigate this vulnerability.

Tuesday, April 11, 2017

ICS-CERT Publishes Schneider Advisory

Today the DHS ICS-CERT published a control system security advisory for Schneider Modicon PLCs. The advisory describes two vulnerabilities that were reported by Eran Goldstein of CRITIFENCE. These are not the vulnerabilities that I briefly described on Saturday. Schneider has developed compensating controls to mitigate these vulnerabilities. There is no indication that Goldstein was provided the opportunity to verify the efficacy of the fix. There are no indications that Schneider intends to produce a more permanent fix for these vulnerabilities.

The two reported vulnerabilities are:

• Authentication Bypass by Capture-Replay - CVE-2017-6034; and
• Violation of Secure Design Principles - CVE-2017-6032

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to capture and replay sensitive commands to PLCs on a network using the Modicon Modbus protocol.


The Schneider security notification also mentions that SCADA/ICS Cyber Threats Research Group contributed to the identification of these vulnerabilities.
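To make the capture-replay point concrete, here is an added example that is not taken from the advisory, from CRITIFENCE's report or from Schneider, and does not describe the specific Modicon firmware behaviour. It parses Modbus/TCP frames (MBAP header plus PDU, as the protocol defines them) and runs a simple network-side heuristic over a constructed capture: a write PDU that was first sent by one host and later arrives byte-for-byte from another host is flagged as a replay. The transaction id is deliberately left out of the comparison, because the sender chooses it and an attacker can set it to anything; that is exactly why a protocol with no session binding or message authentication cannot tell a replay from a fresh command. The IP addresses, register values and the "first source wins" heuristic are assumptions of this example.

```python
import struct
from collections import namedtuple

# Modbus function codes that change controller state; a replayed one is
# what matters for the capture-replay weakness discussed above.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

ModbusFrame = namedtuple("ModbusFrame", "transaction_id unit_id function data")


def parse_modbus_tcp(adu: bytes) -> ModbusFrame:
    """Split a Modbus/TCP ADU into its MBAP header fields and PDU.

    MBAP header: transaction id (2 bytes), protocol id (2, always 0),
    length (2, counts unit id + PDU), unit id (1); then the PDU
    (function code + data), all big-endian.
    """
    if len(adu) < 8:
        raise ValueError("ADU too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", adu[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(adu) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    return ModbusFrame(tid, uid, adu[7], adu[8:])


def build_write_single_register(tid: int, unit: int, address: int, value: int) -> bytes:
    """Encode function 0x06 so the sample capture can be constructed offline."""
    pdu = struct.pack(">BHH", 0x06, address, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def build_read_holding_registers(tid: int, unit: int, address: int, count: int) -> bytes:
    """Encode function 0x03 (a read; never flagged by the detector)."""
    pdu = struct.pack(">BHH", 0x03, address, count)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


class ReplayDetector:
    """Flag a write PDU first seen from one source that later arrives
    verbatim from another source (heuristic assumed for this example).
    The transaction id is not part of the key: the sender picks it, so
    an attacker replaying a captured write can use any value."""

    def __init__(self):
        self._first_source = {}  # (unit id, function, data) -> source address

    def observe(self, src: str, adu: bytes):
        frame = parse_modbus_tcp(adu)
        if frame.function not in WRITE_FUNCTIONS:
            return None
        key = (frame.unit_id, frame.function, frame.data)
        first = self._first_source.setdefault(key, src)
        if first == src:
            return None
        return {
            "function": WRITE_FUNCTIONS[frame.function],
            "unit_id": frame.unit_id,
            "replayed_from": src,
            "first_seen_from": first,
        }


if __name__ == "__main__":
    # Constructed capture: the engineering workstation writes a register,
    # then a second host sends the same PDU with a fresh transaction id.
    det = ReplayDetector()
    for src, adu in [
        ("10.0.0.5", build_write_single_register(1, 1, 0x0010, 0x0001)),
        ("10.0.0.5", build_read_holding_registers(2, 1, 0x0000, 4)),
        ("10.0.0.99", build_write_single_register(4711, 1, 0x0010, 0x0001)),
    ]:
        print(src, "->", det.observe(src, adu) or "ok")
```

A detector like this is only a compensating control, which is all the advisory says Schneider has offered; it cannot see a replay sent from the original workstation's address after it has been compromised or spoofed, and the real fix is authenticated, session-bound commands on the wire.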

Reader Question - Material Modifications

I had an interesting question sent to me by a long time reader of this blog concerning the term ‘material modifications’ as it is used in 6 CFR 27.210(d). That Chemical Facility Anti-Terrorism Standards (CFATS) requirement states that: “If a covered facility makes material modifications to its operations or site, the covered facility must complete and submit a revised Top-Screen to the Department within 60 days of the material modification.” The reader asks if the term ‘material modifications’ is defined in the CFR.

No Definition


The short answer is no. This is one of many definitions missing from the CFATS rule. In this case, I suspect that the reason is that there is no specific definition that would fit the situation. The issue was discussed, however, in the preamble to the interim final rule that established the CFATS program. We can see that discussion in response to a specific public request for a definition of the term:

“Material modifications can include a whole host of changes, and for that reason, the Department cannot provide an exhaustive list of material modifications. In general, though, DHS expects that material modifications would likely include changes at a facility to chemical holdings (including the presence of a new chemical, increased amount of an existing chemical, or the modified use of a given chemical) or to site physical configuration, which may (1) substantially increase the level of consequence should a terrorist attack or incident occur; (2) substantially increase a facility’s vulnerabilities from those identified in the facility’s Security Vulnerability Assessment; (3) substantially effect the information already provided in the facility’s Top-Screen submission; or (4) substantially effect the measures contained in the facility’s Site Security Plan.”

Change in Chemical Holdings


The most obvious change in chemical holdings that would be considered a material modification would be the introduction of a new DHS chemical of interest (COI) found in Appendix A to 6 CFR 27. Even if the new COI were not held at a screening threshold quantity (STQ) the addition could still qualify as a material modification if the addition met one of the four standards listed in the preamble discussion.

An inventory increase in one or more of the existing COI reported on the most recent Top Screen could also be considered a material modification that triggers a new Top Screen submission requirement. How much of an increase would trigger the requirement would depend on the chemical in question. A one pound increase in propane (Release – Flammable) would almost certainly not be a trigger, while a one pound increase in Chlorosarin (Theft – CW) would almost certainly trigger the requirement. Again, the four standards would provide guidance on how much is significant.

The addition of non-COI chemicals to facility chemical holdings is even more complicated. The addition of a new flammable liquid in sizeable quantities could increase the size of a potential conflagration at a facility holding flammable-release COI. The addition of another potential (but unlisted) precursor to a chemical weapon could make it easier for a terrorist to manufacture that chemical weapon as a result of a successful attack on the facility. Once again, the four standards are what establishes the existence of a material modification.

Facility Configuration


Changes to the physical structure or operation of a CFATS covered facility could certainly be considered a material modification. Which changes would trigger the new Top Screen reporting requirements would depend on the facility and the COI holdings at that facility.

At a facility with holdings of theft-diversion COI anything that increases the traffic through the facility would almost certainly be considered a material modification. This could include construction activities, changes in the number of contractors on site, or even changes in the number of pick-ups and deliveries at the site. Again, the four standards listed in the preamble will determine which changes trigger the reporting requirement.

Decreased Risk


Facilities also need to remember that the material modification requirement is not limited to changes that increase the risk of terrorist attack at the facility. Changes that decrease risk can also trigger the reporting requirement. The folks at the Infrastructure Security Compliance Division (ISCD) are certainly not going to fine a facility for failing to report changes that reduce risk, but ISCD could lower the facility Tier ranking or even remove a facility from CFATS coverage when material modifications produce significant reductions in the risk of terrorist attack.

Always Consider Material Modification


Just about any change at a facility could have an effect on the security of the facility. CFATS covered facilities have a legal obligation to take a specific look at any changes in facility structure, operation or chemical holdings. This should be a part of the standard management of change process at the facility. Facility management needs to consider the chance that any changes made to the facility may trigger additional security requirements (and the associated costs) if the changes:

• Substantially increase the level of consequence should a terrorist attack or incident occur;
• Substantially increase a facility’s vulnerabilities from those identified in the facility’s Security Vulnerability Assessment;
• Substantially effect the information already provided in the facility’s Top-Screen submission; or
• Substantially effect the measures contained in the facility’s Site Security Plan.


If there are questions about a pending change the simplest thing to do is to ask DHS if they think that a change would be considered a material modification at the facility. For major (read costly) changes at a facility, the earlier the question is asked the better. Remember, the cost of any necessary security changes should be included in estimating costs for any facility modification.

Monday, April 10, 2017

ICS-CERT Updated MEMS Accelerometer Alert

Today the DHS ICS-CERT updated their control system security alert for physical vulnerabilities in a wide variety of MEMS accelerometers. The original alert was published on March 14th, 2017.

Today’s update provides a link to another manufacturer’s (Analog Devices) alert about the problem with a slightly different look at the vulnerability.


Interestingly, ICS-CERT still does not provide acknowledgement of researchers who discovered the vulnerability nor does it provide a link to their academic paper that describes the vulnerability. Nor does it mention the cute vulnerability name that has been attached to the problem by the researchers; ‘Walnut’. I guess that ICS-CERT is the tough nut to crack.

Bills Introduced – 04-07-17

With just the Senate in session there were 37 bills introduced on Friday. Of those only one may be of specific interest to readers of this blog:

S 904 A bill to amend the Homeland Security Act of 2002 to authorize the National Computer Forensics Institute, and for other purposes. Sen. Grassley, Chuck [R-IA]


This bill is probably a companion bill to HR 1616 which I have not covered since it does not include industrial control system inclusive language. That will probably be the fate of this bill as well.

Sunday, April 9, 2017

DHS Publishes Another CFATS ICR Revision

The DHS National Protection and Programs Directorate (NPPD) published another information collection request (ICR) revision notice in Monday’s (available on-line yesterday) Federal Register (82 FR 17270-17273) supporting the Chemical Facility Anti-Terrorism Standards (CFATS) program. The requested revisions are due, in part, to the recent changes made to the Chemical Security Assessment Tool (CSAT), now known as CSAT 2.0.

The ICR (1670-0014) covers information collected via the following CFATS activities:


The changes reported here are all relatively innocuous and reflect bureaucratic i-dotting and t-crossing more than any shift in policy or procedures. Normally, I would not have mentioned this ICR notice at all (hardly newsworthy), but given the problems that I have identified with another ICR revision notice (from the TSA) I thought that I would mention this ICR notice and hold it out as an example of an agency providing detailed enough information for members of the public and affected community to be able to formulate an effective comment on the substance of the burden estimate provided by the agency.

The earlier TSA pro forma ICR notice provided less than the minimum necessary information and left me with a better understanding of the agency’s reputation for blatant disregard of public opinion. That TSA notice, and their reply to my comment, clearly explicated to anyone that cared to listen that the TSA does not care how their activities affect those that they are supposed to be supporting.


DHS, and yes even the OMB’s Office of Information and Regulatory Affairs, could be well served by using this NPPD ICR notice as a teaching guide as to how a public ICR notice should be prepared and the earlier TSA notice as a counter-example.
 