Wednesday, May 24, 2017

Frank R. Lautenberg Chemical Safety for the 21st Century Act

Yesterday the Environmental Protection Agency (EPA) sent a notice of proposed rulemaking (NPRM) to the OMB’s Office of Information and Regulatory Affairs (OIRA) for review. The NPRM implements the requirements of §6(b)(1) of the Frank R. Lautenberg Chemical Safety for the 21st Century Act (PL 114-182; 130 Stat 461) for the establishment of a process for the prioritization of risk evaluations.

The TSCA revisions outlined in that Act were generally supported by both the chemical industry and the environmental activism community. This will be the first major set of implementing regulations and it will be interesting to see how far the support for those continues. There have already been a number of official meetings between the EPA staff and organizations representing the regulated community concerning this rulemaking. Interestingly, all of those meetings occurred during the Obama Administration.


It will be interesting to see how long it takes OIRA to approve this rulemaking. Their workload has been generally light since Trump took office (42 rulemakings submitted/13 approved), but this will certainly be a controversial rulemaking that could take some time to wade through, particularly given Trump’s attitude about regulations.

Tuesday, May 23, 2017

ICS-CERT Publishes 3 Advisories

Today the DHS ICS-CERT published two industrial control system advisories for products from Rockwell and Moxa. They also published a medical control system advisory for products from B Braun Medical. The Rockwell advisory was previously published on the NCCIC Portal on April 25th, 2017. The Braun Medical advisory was previously published on the NCCIC Portal on March 23rd, 2017.

B Braun Medical Advisory


This advisory describes an open redirect vulnerability on the B Braun Medical SpaceCom module. The vulnerability was reported by Marc Ruef and Rocco Gagliardi of scip AG. Braun has produced a software update that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to allow URL redirection to untrusted web sites.

Rockwell Advisory


This advisory describes multiple vulnerabilities in the Allen-Bradley MicroLogix 1100 and 1400 PLCs. Three of the vulnerabilities were reported by David Formby and Raheem Beyah of Georgia Tech and Fortiphyd Logic, Inc, with the last one being reported by Ilya Karpov of Positive Technologies. Rockwell has provided a firmware update for one of the affected products and recommends disabling the web server as an alternative and/or additional mitigation measure. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The reported vulnerabilities are:

• Predictable value range from previous values - CVE-2017-7901;
• Reusing a nonce, key pair in encryption - CVE-2017-7902;
• Information exposure - CVE-2017-7899;
• Improper restriction of excessive authentication attempts - CVE-2017-7898; and
• Weak password requirements - CVE-2017-7903

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerabilities to gain unauthorized access to the affected programmable logic controllers and to spoof or disrupt TCP connections.

Moxa Advisory


This advisory describes three vulnerabilities in the Moxa OnCell IP gateways. The vulnerabilities were reported by Maxim Rupp. Moxa reports that the latest versions of two of the products mitigate the vulnerabilities and provides a workaround for the remainder. There is no indication that Rupp was provided an opportunity to verify the efficacy of the fix.

The reported vulnerabilities are:

• Improper restriction of excessive authentication attempts - CVE-2017-7915;
• Plain text storage of a password - CVE-2017-7913; and
• Cross-site request forgery - CVE-2017-7917


ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities, using brute force to determine the parameters needed to access the application. An attacker may also obtain credentials by obtaining files that store passwords in clear text.

PHMSA Publishes GPAC Meeting Notice

Today the DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) published a meeting notice in the Federal Register (82 FR 23714-23715) for a meeting of the Gas Pipeline Advisory Committee (GPAC). The meeting will be held in Arlington, VA on June 6th and 7th, 2017. The meeting is open to the public.

The meeting will provide the advisory committee a chance to review the PHMSA rulemaking on the safe operation of gas transmission and gathering pipelines. The notice of proposed rulemaking (NPRM) was published on April 8th, 2016.

PHMSA is suggesting that people who wish to attend the meeting (no web cast is planned) should register no later than June 2nd. People wishing to submit written comments may do so through the Federal eRulemaking Portal (www.Regulations.gov; Docket # PHMSA-2016-0136). This is the same docket used to receive comments on the NPRM.

Commentary


While President Trump has been vociferously anti-regulation in general, there were a number of provisions in the NPRM that were specifically required by Congress, so in some form this rulemaking will proceed. It will be interesting to see if the GPAC is asked to provide suggestions for the two regulations that will presumably be revoked to allow this rulemaking to proceed.


Monday, May 22, 2017

HR 2518 – CG Authorization – Markup Hearing

Today the House Transportation and Infrastructure Committee announced that there would be a markup hearing on Wednesday. Among the bills to be marked up will be HR 2518, the Coast Guard Authorization Act of 2017.


I have not reviewed HR 2518 here because there is nothing of specific interest to readers of this blog. I will continue to watch HR 2518 (and S 1119, its Senate counterpart) for any amendments that might address cybersecurity, the MTSA program, or chemical transportation safety or security.

ICS-CERT Updates WannaCry Alert Again (#5)

For the fifth consecutive business day ICS-CERT has updated its WannaCry Alert that was originally published on May 15th, 2017. Today’s update includes:

• Updates of two previously issued Siemens Security Advisories (Imaging and Diagnostics Products; and Laboratory Diagnostics Products);
• Adds a new Siemens Security Advisory (Ultrasound Products); and
• A link to a Honeywell Security Update.

I have not mentioned it to date because I have been expecting ICS-CERT or US-CERT to mention this in their alerts (they have not done so as of yet), but Siemens has been reporting since their first advisory publication that there are actually six vulnerabilities involved in the WannaCry malware. Those are:

• CVE-2017-0143 - Windows SMB Remote Code Execution Vulnerability (Input Validation);
• CVE-2017-0144 - Windows SMB Remote Code Execution Vulnerability (Input Validation);
• CVE-2017-0145 - Windows SMB Remote Code Execution Vulnerability (Input Validation);
• CVE-2017-0146 - Windows SMB Remote Code Execution Vulnerability (Input Validation);
• CVE-2017-0147 - Windows SMB Information Disclosure Vulnerability (Information Leak / Disclosure); and
• CVE-2017-0148 - Windows SMB Remote Code Execution Vulnerability (Input Validation)


I’m not sure that this really provides much in the way of actionable information. Both the Mitre CVE and NIST CVE listings for these CVEs are dated from before the WannaCry outbreak. The Microsoft TechCenter reports for these CVEs are also dated; still reporting that there have been no exploits of the vulnerabilities.

Committee Hearings – Week of 05-21-17

With both the House and Senate in Washington this week the focus will start to be on the FY 2018 budget. Other topics will also be addressed in Congressional hearings including one cybersecurity hearing.

Potentially Interesting Budget Hearings


With the President’s FY 2018 budget heading to the Hill this week we will be starting to see a series of hearings on that budget request. Some of the hearings that may be of particular interest to readers of this blog include:

• US Cyber Command (House) – Tuesday;
• DOT (House) – Wednesday;
• DHS (House) – Wednesday; and
• DOD (Senate) – Wednesday.

Cybersecurity


Okay, ‘cybersecurity’ will really be one of the (major) sub-texts of this hearing. On Tuesday the Cybersecurity Subcommittee of the Senate Armed Services Committee will be holding a hearing on ‘Cyber Posture of the Services’. The witness list includes:

• Vice Admiral Marshall B. Lytle III, USCG
• Vice Admiral Michael M. Gilday, USN
• Lieutenant General Paul M. Nakasone, USA
• Major General Christopher P. Weggeman, USAF
• Major General Loretta E. Reynolds, USMC


I expect that there will be passing references to WannaCry and perhaps some obscure references to industrial control system security issues.

Friday, May 19, 2017

ICS-CERT Updates WannaCry Alert Again (#4)

For the fourth day in a row the DHS ICS-CERT updated their alert for the WannaCry ransomware. It was originally published on Monday and the latest update was yesterday. Today’s update adds links to WannaCry notifications from the following vendors:

Tridium; and


The update also provides a link to a general WannaCry support document from Siemens Healthineers. This document and a further linked Siemens blog post provide a good technical discussion of the WannaCry problem and solutions, including links to Microsoft updates for ‘unsupported’ (outdated?) Windows operating systems still in use by Siemens Healthineers (and too many other industrial control) products.

Bills Introduced – 05-18-17

Yesterday with both the House and Senate in session there were 75 bills introduced. One of those may be of specific interest to readers of this blog:

HR 2518 To authorize appropriations for the Coast Guard for fiscal years 2018 and 2019, and for other purposes. Rep. Hunter, Duncan D. [R-CA-50]

The Senate version of this bill was introduced on Tuesday and marked up yesterday (more on both later):


I will be watching both bills for cybersecurity as well as chemical transportation safety and security provisions.

ICS-CERT Updates WannaCry Alert, Updates 2 Advisories and Publishes 2

Yesterday the DHS ICS-CERT published another update of their WannaCry ransomware alert, updates for two advisories, and published new advisories for products from Schneider Electric and Miele Professional. They also published a notice about the date of the Fall 2017 ICSJWG meeting in Pittsburgh, PA on September 12-14, 2017.

WannaCry Update


This update provides new information on the alert published on May 15th and updated on May 16th and again on May 17th. Unfortunately, I missed yesterday’s update so I will list both sets of changes at one time. The new information includes WannaCry advisories from the following vendors:

Philips (general security web page, scroll down to WannaCry article);
Johnson & Johnson (general security web page, scroll down to WannaCry article); and

GE Proficy Update


This update provides new information on the advisory originally published on January 17th, 2017 and updated on January 24th. The update provides links to updates for the following products:

• GE has released new versions of the Historian software, Version 6.0 SIM 9 (Standard and Enterprise);
• GE has released a new version of the Historian software, Version 5.5 SIM 37;
• GE has released a new version of the CIMPLICITY software, Version 8.2 SIM 49; and
• GE has released a new version of the CIMPLICITY software, Version 9.0 SIM 22

NOTE: The contact information for receiving CIMPLICITY v9.5 and Historian v7.0 has inexplicably been removed from this update. GE still recommends updating to these versions.

GE Multilin Update


This update provides new information on the advisory originally published on April 27th, 2017. The update adds two new affected product lines to the advisory:

• Universal Relay, firmware Version 6.0 and prior versions, and
• URplus (D90, C90, B95), all versions.

Update information is provided for the Universal Relay products. GE expects to release the URplus firmware updates in July. The 369 Motor Protection Relay firmware update is still expected to be released next month.

Schneider Advisory


This advisory describes an incorrect default permissions vulnerability in the Schneider Wonderware InduSoft Web Studio. The vulnerability was reported by Karn Ganeshen. Schneider has released a new service pack to address the vulnerability. There is no indication that Ganeshen has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker with authorized access could exploit this vulnerability to escalate his or her privileges. The Schneider Security Notification expands that to state:

“The directory and files are added to system's PATH. Therefore, they can be manipulated by non-administrator users to write malicious files/DLLs and escalate privileges once these are executed.”
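The weakness Schneider describes is a general one: any directory on the machine-wide PATH that non-administrators can write to lets them plant a file or DLL that a higher-privileged process may later load. The following PowerShell audit is an added example, not code from ICS-CERT, Schneider, or the researcher; it enumerates the machine PATH and flags entries that are missing or that grant write access to broad non-admin principals. The function name and the `$RiskyPrincipals` list are assumptions of this example.

```powershell
# Added example (not from the advisory or from Schneider): audit every directory on the
# machine-wide PATH for write access granted to non-administrative principals, which is
# the precondition for the privilege escalation Schneider describes.
# Function and parameter names are hypothetical.

function Get-WritablePathEntries {
    [CmdletBinding()]
    param(
        # Principals that should never be able to create or modify files in a PATH directory.
        [string[]] $RiskyPrincipals = @('BUILTIN\Users',
                                        'NT AUTHORITY\Authenticated Users',
                                        'Everyone',
                                        'NT AUTHORITY\INTERACTIVE')
    )

    # Rights that let a principal drop or replace a file/DLL in the directory.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                 [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    # Some ACEs carry generic rights (GENERIC_ALL = 0x10000000, GENERIC_WRITE = 0x40000000)
    # that do not map onto the FileSystemRights enum; check those bits separately.
    $genericMask = 0x10000000 -bor 0x40000000

    # The machine PATH is what services and every user's processes inherit.
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')

    foreach ($dir in ($machinePath -split ';' | Where-Object { $_.Trim() -ne '' })) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            # A PATH entry that does not exist is also a finding: whoever can create
            # it inherits that position in the search order.
            [pscustomobject]@{ Directory = $dir; Finding = 'missing'; Principal = $null }
            continue
        }

        $acl = Get-Acl -LiteralPath $dir
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            if ($RiskyPrincipals -notcontains $ace.IdentityReference.Value) { continue }

            $rights = [int]$ace.FileSystemRights
            if ((($rights -band [int]$writeMask) -ne 0) -or (($rights -band $genericMask) -ne 0)) {
                [pscustomobject]@{ Directory = $dir; Finding = 'writable'; Principal = $ace.IdentityReference.Value }
            }
        }
    }
}

# Usage: an empty result means none of the flagged principals can write to any PATH directory.
Get-WritablePathEntries | Format-Table -AutoSize
```

Run it in a normal (non-elevated) session on the host where the affected software is installed; the ACL on the product directory added to PATH is what the service pack is expected to change, so the same query before and after the update shows whether the fix took effect.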

Miele Advisory


This advisory describes a path traversal vulnerability in the Miele Professional PG 8528, a large capacity cleaner and disinfector used in hospitals and laboratory settings. This advisory provides updated information on the ICS-CERT alert on this vulnerability reported on March 30th, 2017. ICS-CERT still does not provide a link to the public disclosure by Jens Regel. Miele has provided software updates to mitigate the vulnerability. There is no indication that Regel has been provided an opportunity to verify the efficacy of the fix.


ICS-CERT reports that a relatively unskilled attacker could remotely use the publicly available exploits to read or modify sensitive data or files, execute unauthorized code or commands, and possibly cause a system crash.

Thursday, May 18, 2017

ISCD Updates NTAS FAQ

Yesterday the DHS Infrastructure Security Compliance Division (ISCD) updated one of the responses to a frequently asked question (FAQ) on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. The change in the FAQ referring to the National Terrorism Advisory System (NTAS) is significant enough that it was specifically mentioned in the ‘Latest News’ section of the Knowledge Center.

The response to FAQ #1724 (How do National Terrorism Advisory System (NTAS) Alerts and Bulletins affect a CFATS Facilities’ RBPS 13 compliance responsibilities?) is a complete re-write and should be read by anyone responsible for security at a CFATS covered facility. The change basically delineates the differences in facility response requirements for an NTAS Alert versus an NTAS Bulletin.


Coincidentally, DHS published a new NTAS Bulletin earlier this week. As with the previous update there is nothing new here. It looks like we probably should have stuck with the earlier, color-coded version of the NTAS; at least you did not need to read anything to know that the situation was still the same.

Wednesday, May 17, 2017

Bills Introduced - 05-16-17

With both the House and Senate in session yesterday there were 78 bills introduced. One of those bills may be of specific interest to readers of this blog:

S 1129 A bill to authorize appropriations for the Coast Guard, and for other purposes. Sen. Sullivan, Dan [R-AK]


This is the bill that I mentioned earlier this week. A copy of the text (official or otherwise) is still not available. I will be watching for cybersecurity issues as well as chemical transportation safety and security requirements. A reminder: the Senate Commerce, Science, and Transportation Committee will mark up this bill tomorrow.

ICS-CERT Updates WannaCry Alert and Publishes 4 Advisories

Yesterday the DHS ICS-CERT updated their earlier alert on the WannaCry ransomware. They also published four control system security advisories for products from Schneider Electric (2), Hanwha Techwin, and Detcon.

WannaCry Update


This update provides additional information on the alert that was issued yesterday. The new information includes:

• Links to two new vendor advisories from ABB and Siemens; and
• Links to some generic information (here and here) from the FDA on medical device security.

Siemens makes an important point about medical device cybersecurity:

“We would like to point out that neither the use of an email client nor browsing the internet is part of the intended use of most of the product types covered by this Siemens Security Bulletin.”

The ABB document does mention restricting SMB protocol use but stops short of recommending disabling the protocol as suggested by Microsoft. They do note:

“This will help to prevent spreading of the WannaCry malware from individual compromised computers. For specific guidance please see additional communication for specific ABB solutions and contact your local ABB service organization.”

NOTE: The US-CERT also updated their alert for this malware.

Schneider VAMPSET Advisory


This advisory describes an improper input validation vulnerability in the Schneider VAMPSET tool. The vulnerability was reported by Kushal Arvind Shah from Fortinet's Fortiguard Labs. Schneider has produced a new firmware version to mitigate the vulnerability. There is no indication that Shah has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker with local access could exploit the vulnerability to cause the software to enter a denial-of-service condition. The Schneider Security Notification reports that the vulnerability has no effect on the operation of the protection relay to which VAMPSET is connected.

Techwin Advisory


This advisory describes an improper access control vulnerability in the Hanwha Techwin SRN-4000 network video management platform. The vulnerability was reported by Can Demirel and Faruk Unal of Biznet Bilisim. Techwin reports that a newer version mitigates the vulnerability. ICS-CERT reports that the researchers have verified the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to allow the attacker remote access to the web management portal with admin privileges without authentication.

Schneider SoMachine Advisory

This advisory describes two vulnerabilities in the Schneider SoMachine HVAC software. The vulnerabilities were separately reported by Zhou YU and Himanshu Mehta. Schneider reports that a newer version mitigates the vulnerabilities. There is no indication that either researcher has been provided the opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2017-7965; and
• Uncontrolled search path element - CVE-2017-7966

ICS-CERT reports that a relatively unskilled attacker (no access characterization) could exploit the vulnerability to allow arbitrary code execution and could cause the device that the attacker is accessing to crash due to a buffer overflow condition.

NOTE: The Schneider Security Notification only addresses the buffer overflow vulnerability.

Detcon Advisory


This advisory describes two vulnerabilities in the Detcon SiteWatch Gateway. The vulnerabilities were reported by Maxim Rupp. ICS-CERT reports that Detcon no longer owns or services the SiteWatch Gateway product, but is attempting to notify customers of the vulnerabilities.

The two reported vulnerabilities are:

• Improper authentication - CVE-2017-6049; and
• Plaintext storage of passwords - CVE-2017-6047


ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to allow remote code execution. An attacker who exploits these vulnerabilities may be able to change settings on the affected product or obtain user passwords.

Tuesday, May 16, 2017

Committee Hearings – Week of 05-14-17

With both the House and Senate in Washington this week there are a number of hearings scheduled. Three of those hearings may be of specific interest to readers of this blog. They relate to updating the Emergency Alert System (EAS), a hearing on emerging transportation technologies, and markup of a Coast Guard authorization bill.

EAS


On Wednesday the Communications and Technology Subcommittee of the House Energy and Commerce Committee will hold a hearing to look at the “Future of Emergency Alerting”. A witness list is not currently available. The staff memo on the topic does not mention potential cybersecurity concerns; a surprising omission given the recent EAS fiasco in Dallas, TX.

Transportation Technologies


The Transportation, Housing and Urban Development, and Related Agencies Subcommittee of the House Appropriations Committee will be holding a hearing on “Emerging Transportation Technologies”. The witness list includes:

• Nidhi Kalra, RAND Corporation;
• Mykel Kochenderfer, Stanford University Department of Aeronautics and Astronautics;
• David Strickland, Self-Driving Coalition for Safer Streets; and
• Brian Wynne, Association of Unmanned Vehicle Systems International

There is a distinct possibility that cybersecurity issues may be briefly and lightly discussed.

CG Authorization


The Senate Commerce, Science, and Transportation Committee will hold a markup hearing on Thursday. A number of bills are on the agenda including an as of yet unintroduced bill for the FY 2018 authorization for the Coast Guard. No copies of the bill are currently available on the Committee web site. It will be interesting to see if chemical transportation safety or security, or cybersecurity receive a mention in this bill.

On the Floor


The only thing of potential interest on the floor of the House this week is the consideration of HR 1616, Strengthening State and Local Cyber Crime Fighting Act of 2017. I have not covered this bill because it includes no mention or coverage of control system security issues. It is being considered under the suspension of rules process, so there will be limited debate and no amendments. The leadership expects this bill to pass with substantial bipartisan support.


I will be very surprised if we do not hear at least some mention of WannaCry in the debate on this bill.

ICS-CERT Publishes WannaCry Alert

Yesterday the DHS ICS-CERT published a control system security alert for the WannaCry ransomware. This alert is a follow-up to the US-CERT alert on the same attack vector. The alert provides links to three vendor sites providing information about indicators of attacks on their Microsoft Windows® based control system products. Those vendors (and their WannaCry links) are:

Rockwell Automation (log on required);

Both the Schneider and BD advisories emphasize that while medical and industrial control systems have been affected, this is a Microsoft Windows based ransomware attack. They both recommend ensuring that the Microsoft patch for the MS17-010 SMB vulnerability be applied to all Windows based machines (including Windows XP and Windows 8). Interesting that neither the vendor alerts nor the ICS-CERT alert discuss the Microsoft suggestion to turn off the SMB file sharing tool.


ICS-CERT expects to update this alert with additional vendor information when it becomes available.
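The two mitigations the vendor alerts discuss, the MS17-010 patch and (per Microsoft) turning off SMBv1, are both things a control system administrator can check from the host itself. The PowerShell below is an added example written for this post, not code from ICS-CERT, Schneider, BD, or Microsoft. It reports patch state, SMBv1 server state, and SMBv1 client-driver state, and offers a function to disable the SMBv1 server. The function names are hypothetical, and the `$Ms17010KBs` default is a placeholder: the KB numbers for MS17-010 differ by Windows version and must be taken from the bulletin for the OS being checked.

```powershell
# Added example (not from ICS-CERT or any vendor alert): report MS17-010 exposure
# indicators on the local Windows host and optionally disable the SMBv1 server.
# Function names are hypothetical; the KB placeholder must be replaced with the
# MS17-010 KB number(s) for this Windows version.

function Get-WannaCryExposure {
    param(
        # Placeholder: supply the MS17-010 KB identifier(s) listed for your OS.
        [string[]] $Ms17010KBs = @('KB-PLACEHOLDER-FOR-YOUR-OS')
    )
    $report = [ordered]@{
        Host = $env:COMPUTERNAME
        OS   = (Get-CimInstance Win32_OperatingSystem).Caption
    }

    # 1. Patch state: any one of the bulletin's KB numbers for this OS is sufficient.
    $installed = foreach ($kb in $Ms17010KBs) { Get-HotFix -Id $kb -ErrorAction SilentlyContinue }
    $report.Ms17010Installed = [bool]$installed

    # 2. SMBv1 server state. Windows 8 / Server 2012 and later expose it through the
    #    SMB cmdlets; older systems use the LanmanServer registry value Microsoft
    #    documents (a missing value means SMBv1 is still enabled by default).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $report.Smb1ServerEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $value  = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $report.Smb1ServerEnabled = ($null -eq $value) -or ($value -ne 0)
    }

    # 3. SMBv1 client driver (mrxsmb10): a Start value of 4 means disabled.
    $driver = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
    $start  = (Get-ItemProperty -Path $driver -Name Start -ErrorAction SilentlyContinue).Start
    $report.Smb1ClientEnabled = ($null -ne $start) -and ($start -ne 4)

    [pscustomobject]$report
}

function Disable-Smb1Server {
    # Requires an elevated session; a reboot is needed before the change fully takes effect.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                         -Name SMB1 -Type DWORD -Value 0 -Force
    }
}

# Usage: review the report first; only disable SMBv1 where the product vendor does
# not require it (several of the vendor alerts tie their guidance to specific products).
Get-WannaCryExposure | Format-List
```

A host that shows `Ms17010Installed` false with `Smb1ServerEnabled` true is exposed to the worm's lateral movement; a patched host with SMBv1 still on is protected against this particular exploit but keeps the legacy protocol surface that Microsoft's guidance is aimed at.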

Thursday, May 11, 2017

ICS-CERT Publishes Two Advisories

Today the DHS ICS-CERT published two control system security advisories for products from Satel Iberia and Phoenix Contact.

Satel Iberia Advisory


This advisory describes a command injection vulnerability in the Satel Iberia SenNet Data Logger and Electricity Meters. The vulnerability was reported by Karn Ganeshen. A new version is available that mitigates the vulnerability. There is no indication that Ganeshen was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to gain root privilege to run arbitrary commands and change system data.

Phoenix Contact Advisory


This advisory describes two vulnerabilities in the Phoenix Contact mGuard. The vulnerabilities were self-reported. A new firmware version is available that mitigates the vulnerabilities.

The two reported vulnerabilities are:

• Resource exhaustion - CVE-2017-7935; and
• Improper authentication - CVE-2017-7937


ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerabilities to disrupt the availability of the device and gain unauthorized access to the device.

Reader Comment – NIST Working Group

An informative comment from RCandell on this morning’s blog post about the Wireless Systems for Industrial Environments (WSIE) program. I had sent Richard Candell, the lead for the working group, an email asking about cybersecurity concerns in the working group. Read his comment, but the short answer is that ICS cybersecurity is being handled elsewhere within NIST. His group will rely on NIST SP 800-82 and the Cybersecurity Framework for the cybersecurity information that they will include in their guidelines product.


Nice to have a prompt response from Richard. Not what you always get from the guvmint (Grin).

NIST Announces Wireless Control System Network Study

Today the National Institute of Standards and Technology (NIST) published a notice in the Federal Register (82 FR 21980) that it was establishing a technical working group (TWG) to develop best practices guidelines in selecting and deploying industrial wireless solutions within industrial environments such as process control and manufacturing.

The TWG would be established under the Networked Control System Group (NCSG). NIST is asking for organizations that wish to participate in the TWG to notify them within the next 180 days. No further details are provided in the notice.


The NCSG does have a web page established for their Wireless Systems for Industrial Environments (WSIE) program. That page does briefly acknowledge that one of the problems facing the adoption of wireless control systems technology is cybersecurity. A separate web page for the new TWG does not mention cybersecurity at all. It is not clear at this point whether or not cybersecurity concerns will be addressed in the best practice guidelines being developed.

Wednesday, May 10, 2017

ISCD Publishes CFATS Quarterly

I missed this last night because of problems with accessing the CFATS Knowledge Center, but on Monday the DHS Infrastructure Security Compliance Division published the latest version of their Chemical Facility Anti-Terrorism Standards (CFATS) Quarterly. The latest version provides information on the CSAT 2.0 tiering results, an overview of facility response requirements for a new tiering letter, and a brief reminder about annual CFATS audits.

Tiering Results


Not much new information is provided in what is really just a summary of the recent webinars that ISCD held concerning the tiering results. The number of new Top Screens received has been raised to 12,000. ISCD reports that they will be continuing to send out Top Screen notification letters for 18 months for the remaining 15,000 facilities on the list of facilities that have previously submitted Top Screens showing the presence of DHS chemicals of interest (COI) at or above the screening threshold quantity.

Tiering Letter Response Requirements


While ISCD did briefly discuss what a facility needs to do to respond to a new Tiering Letter during their webinar, the Quarterly provides a discussion that is a bit more detailed. It is still not a definitive discussion, but ‘definitive’ is not really possible given the wide variety of facilities and circumstances involved. The final paragraph provides the solution to the lack of a definitive answer:

“DHS will assess facilities on a case-by-case basis to ensure security measures are appropriate to their level of risk. You may reach out to your Chemical Security Inspector or Compliance Case Manager if you are unsure what specific steps to take.”

CFATS Audits


There is a brief sidebar at the bottom of the second page of the Quarterly that reminds facility security managers that every CFATS covered facility with an approved site security plan (SSP) is required {6 CFR 27.225(e)} to conduct an annual audit of their compliance with that SSP. The CFATS rule does not provide detailed guidance on what such an audit will include. This brief piece in the Quarterly provides the following suggestions:

• Verification of Top-Screen and SVA data, including ensuring COI information is current;
• Confirmation of all CSAT user roles;
• Confirmation of all existing and planned measures from the SSP/ASP; and
• Review of current policies, procedures, training, etc.


I briefly addressed this issue back in December 2014 and I still think that post provides a useful look at audit requirements. A formal audit summary document certainly needs to be prepared and it needs to be made available during any compliance inspection.

Tuesday, May 9, 2017

Committee Hearings – Week of 5-7-17

With just the Senate in Washington this week (the House is taking a District Work Week) there are a relatively limited number of hearings scheduled. There is only one hearing currently scheduled this week that may be of specific interest to readers of this blog; a cybersecurity hearing.

The Senate Homeland Security and Governmental Affairs Committee will hold a hearing on Wednesday on “Cyber Threats Facing America: An Overview of the Cybersecurity Threat Landscape”. The witness list includes:

• Jeffrey E. Greene, Symantec Corporation;
• Steven Chabinsky, White & Case LLP;
• Brandon Valeriano, Marine Corps University; and
• Kevin Keeney, Monsanto Company


There is no indication that there will be any significant discussion of industrial control system security issues.

ICS-CERT Publishes 4 Advisories and Updates 2

Today the DHS ICS-CERT published four control system security advisories for three products from Siemens and one from Rockwell. The Rockwell advisory was originally posted to the NCCIC Portal on April 4, 2017. They also updated two previously issued advisories for products from Siemens.

Rockwell Advisory


This advisory describes multiple vulnerabilities in the Rockwell Automation Stratix 5900 services router. The vulnerabilities were reported by Cisco in Cisco software products used in the Rockwell Stratix 5900; some of these vulnerabilities have been previously reported. Rockwell has produced a new firmware version to mitigate these vulnerabilities.

The reported vulnerabilities include (take a deep breath):

• Improper input validation - CVE-2016-6380, CVE-2016-1409, CVE-2015-0642, CVE-2015-0643, CVE-2014-3361, CVE-2014-2113, and CVE-2014-2106;
• Resource management errors - CVE-2016-6393, CVE-2016-6384, CVE-2016-6381, CVE-2016-6382, CVE-2016-1350, CVE-2016-1344, CVE-2015-0646, CVE-2014-3359, CVE-2014-3355, CVE-2014-3356, CVE-2014-3354, CVE-2014-3299, CVE-2014-2108, and CVE-2014-2112;
• Information exposure - CVE-2016-6415;
• Multiple network time protocol daemon vulnerabilities (October 2015) - CVE-2015-7691, CVE-2015-7692, CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, CVE-2015-7704, CVE-2015-7705, CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851, CVE-2015-7852, CVE-2015-7853, CVE-2015-7854, CVE-2015-7855, and CVE-2015-7871;
• Improper authentication - CVE-2015-1798, and CVE-2015-1799;
• Multiple OpenSSL vulnerabilities (March 2015) - CVE-2015-0207, CVE-2015-0209, CVE-2015-0285, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0290, CVE-2015-0291, CVE-2015-0292, CVE-2015-0293, and CVE-2015-1787;
• Cryptographic issues - CVE-2014-3566;
• Numeric issues - CVE-2014-3360;
• Multiple OpenSSL vulnerabilities - CVE-2010-5298, CVE-2014-0076, CVE-2014-0195, CVE-2014-0198, CVE-2014-0221, CVE-2014-0224, and CVE-2014-3470; and
• Network Address Translation Vulnerabilities - CVE-2014-2109 and CVE-2014-2111.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to perform man-in-the-middle attacks, create denial of service conditions, or remotely execute arbitrary code. With some of these previously identified vulnerabilities up to 7 years old, I would bet that there are some publicly available exploits, but that was not mentioned in this advisory.

(SARCASM WARNING) I am glad that no other vendor uses any of these Cisco products.

Siemens SIMATIC Advisory


This advisory describes a denial of service vulnerability in the Siemens SIMATIC WinCC and SIMATIC WinCC Runtime Professional products. The vulnerability was reported by Sergey Temnikov and Vladimir Dashchenko of the Kaspersky Lab Critical Infrastructure Defense Team. Siemens has developed updates for the affected products to mitigate the vulnerability. There is no indication that the researchers have been afforded an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to cause the affected service to crash, resulting in a denial-of-service condition. The Siemens Security Advisory reports that the attacker must be a member of the administrators group and have network access to an affected system.

Siemens PROFINET Advisory 1


This advisory describes two input validation vulnerabilities in Siemens devices using the PROFINET Discovery and Configuration Protocol (DCP). The vulnerabilities were reported by Duan JinTong, Ma ShaoShuai, and Cheng Lei from the NSFOCUS Security Team. Siemens has produced firmware updates to mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker with network access to the local Ethernet segment (Layer 2) could exploit the vulnerabilities to cause the targeted device to enter a denial-of-service condition, which may require human interaction to recover the system.

The Siemens Security Advisory reports that CNCERT/CC coordinated the disclosure of this vulnerability.

Siemens PROFINET Advisory 2


This advisory describes an improper input validation vulnerability in Siemens devices using the PROFINET Discovery and Configuration Protocol (DCP). The vulnerability was reported by Duan JinTong, Ma ShaoShuai, and Cheng Lei from the NSFOCUS Security Team. Siemens has produced updates that mitigate the vulnerability. There is no indication that the researchers have been afforded an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker with access to an adjacent network could exploit the vulnerability to cause a denial-of-service condition requiring a manual restart.

The Siemens Security Advisory reports that:

“On a single host the affected component is shared among the affected products. Installing one fixed version will mitigate the vulnerability for all Siemens applications installed on the single host.”
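Neither of the two PROFINET advisories says which DCP field the affected handlers fail to validate, so the following is a generic added example (mine, not Siemens code) of the checks such a handler needs: a bounds-checked parser for the DCP frame format. The header and block layout, the FrameID and ServiceID values, and the Option/Suboption numbers used here are my reading of the public PROFINET DCP specification, and the sample frames are constructed, not captured from any device.

```python
"""Bounds-checked parser for PROFINET DCP frames.

Added example, not Siemens code. The layout (FrameID, ServiceID, ServiceType,
Xid, ResponseDelay, DCPDataLength, then Option/Suboption/DCPBlockLength blocks)
and the constants follow the public PROFINET DCP frame format as I read it;
the sample frames are constructed here, not captured from a device.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Sequence, Tuple

# FrameIDs carried in the first two bytes after the Ethernet header (EtherType 0x8892).
DCP_FRAME_IDS = {0xFEFC: "Hello", 0xFEFD: "Get/Set", 0xFEFE: "Identify request", 0xFEFF: "Identify response"}
DCP_SERVICE_IDS = {3: "Get", 4: "Set", 5: "Identify", 6: "Hello"}
DCP_HEADER = struct.Struct("!HBBIHH")  # FrameID, ServiceID, ServiceType, Xid, ResponseDelay, DCPDataLength
BLOCK_HEADER = struct.Struct("!BBH")   # Option, Suboption, DCPBlockLength


class DcpFormatError(ValueError):
    """A length field does not agree with the bytes actually present."""


@dataclass
class DcpBlock:
    option: int
    suboption: int
    data: bytes


@dataclass
class DcpFrame:
    frame_id: int
    service_id: int
    service_type: int
    xid: int
    response_delay: int
    blocks: List[DcpBlock] = field(default_factory=list)


def parse_dcp(payload: bytes) -> DcpFrame:
    """Parse the DCP PDU that follows the Ethernet header.

    Every length field is compared with the bytes present before any slice is
    taken, so a frame that advertises more data than it carries is rejected
    instead of being read past its end or handed to a handler with a bogus size.
    """
    if len(payload) < DCP_HEADER.size:
        raise DcpFormatError("frame shorter than the DCP header")
    frame_id, service_id, service_type, xid, delay, data_len = DCP_HEADER.unpack_from(payload)
    if frame_id not in DCP_FRAME_IDS:
        raise DcpFormatError(f"not a DCP FrameID: 0x{frame_id:04X}")
    if service_id not in DCP_SERVICE_IDS:
        raise DcpFormatError(f"unknown ServiceID {service_id}")
    body = payload[DCP_HEADER.size:]
    if data_len > len(body):                       # check 1: DCPDataLength fits the frame
        raise DcpFormatError(f"DCPDataLength {data_len} > {len(body)} bytes present")
    body = body[:data_len]                         # anything beyond it is Ethernet padding
    frame = DcpFrame(frame_id, service_id, service_type, xid, delay)
    pos = 0
    while pos < len(body):
        if len(body) - pos < BLOCK_HEADER.size:    # check 2: a whole block header is present
            raise DcpFormatError(f"truncated block header at offset {pos}")
        option, suboption, block_len = BLOCK_HEADER.unpack_from(body, pos)
        pos += BLOCK_HEADER.size
        if block_len > len(body) - pos:            # check 3: DCPBlockLength fits what remains
            raise DcpFormatError(f"DCPBlockLength {block_len} > {len(body) - pos} remaining")
        frame.blocks.append(DcpBlock(option, suboption, body[pos:pos + block_len]))
        pos += block_len
        if block_len % 2 and pos < len(body):      # blocks are padded to an even length
            pos += 1
    return frame


def build_dcp(frame_id: int, service_id: int, service_type: int, xid: int,
              response_delay: int, blocks: Sequence[Tuple[int, int, bytes]]) -> bytes:
    """Encode a DCP PDU; used here only to construct the sample frames."""
    body = b""
    for option, suboption, data in blocks:
        body += BLOCK_HEADER.pack(option, suboption, len(data)) + data
        if len(data) % 2:
            body += b"\x00"
    return DCP_HEADER.pack(frame_id, service_id, service_type, xid, response_delay, len(body)) + body


def is_well_formed(payload: bytes) -> bool:
    """True if the frame's length fields are consistent with its size."""
    try:
        parse_dcp(payload)
        return True
    except DcpFormatError:
        return False


# Constructed frames. Identify-all: Option 0xFF / Suboption 0xFF with no data.
IDENTIFY_ALL_REQUEST = build_dcp(0xFEFE, 5, 0, 0x00000001, 1, [(0xFF, 0xFF, b"")])
# Set NameOfStation (Option 2, Suboption 2): two-byte BlockQualifier, then the name.
SET_NAME_REQUEST = build_dcp(0xFEFD, 4, 0, 0x00000002, 0, [(0x02, 0x02, b"\x00\x00plc-1")])
# Malformed: the header claims 256 bytes of blocks but only one 4-byte block follows.
OVERSIZED_DATA_LENGTH = DCP_HEADER.pack(0xFEFE, 5, 0, 3, 1, 256) + BLOCK_HEADER.pack(0xFF, 0xFF, 0)
# Malformed: the only block claims 255 bytes of data inside a 4-byte body.
OVERSIZED_BLOCK_LENGTH = DCP_HEADER.pack(0xFEFE, 5, 0, 4, 1, 4) + BLOCK_HEADER.pack(0xFF, 0xFF, 255)

if __name__ == "__main__":
    for name, frame in [("identify", IDENTIFY_ALL_REQUEST), ("set name", SET_NAME_REQUEST),
                        ("bad data length", OVERSIZED_DATA_LENGTH), ("bad block length", OVERSIZED_BLOCK_LENGTH)]:
        print(f"{name}: {'ok' if is_well_formed(frame) else 'rejected'}")
```

The point of the three checks is that each length field is trusted only after it has been compared with the bytes that actually arrived; a handler that takes DCPDataLength or DCPBlockLength at face value is exactly the kind of code a crafted frame on the local segment can drive into a crash that needs a manual restart.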

Siemens Industrial Products Update


This update provides new information on an advisory that was originally issued on November 8, 2016 and then updated November 22nd, 2016; December 23rd, 2016; February 14th, 2017; and March 2nd, 2017. The new information includes:

• Updates version information for SIMATIC WinCC V7.4, SIMATIC WinCC Runtime Professional, SIMATIC WinCC (TIA Portal) Professional, and SIMATIC STEP 7 (TIA Portal) V13;
• Adds mitigation information for the above products; and
• Removes the above products from the ‘temporary fix’ list.

The Siemens Security Advisory was also updated.

Siemens S7-300/400 PLC Update


This update provides new information on an advisory that was originally issued on December 13, 2016. The new information includes:

• Adds PROFIBUS as an access route for the inadequate encryption strength vulnerability; and
• Adds links to the firmware updates for S7-300 CPUs.


The Siemens Security Advisory was also updated.

ISCD Resumes Publishing Monthly Updates

Yesterday the DHS Infrastructure Security Compliance Division (ISCD) resumed the publication of their monthly updates on the implementation of the Chemical Facility Anti-Terrorism Standards (CFATS) program. The previous series of updates stopped in October of last year when ISCD started the implementation of the new Chemical Security Assessment Tool (CSAT) 2.0.

New Format


As expected with the change in both the CSAT tools and the new risk assessment methodology, ISCD has changed both the formatting and information provided in the new Monthly Update. The table below shows the data being presented:


                             Total Facilities   Current Facilities
Covered Facilities             (not reported)        2,570
Authorization Inspections           2,914             2,386
Approved Security Plans             2,719             2,281
Compliance Inspections              2,053             1,921
Table 1: Reported Data

Commentary


A couple of notes here. First, I changed the wording of the headings for the two data columns; the information is the same, but I think my wording is clearer. The Update does note that some previously tiered facilities have been dropped from the CFATS program, for a variety of reasons, after they had their site security plan (SSP) authorized, approved, and/or inspected. An overview of the possible reasons is provided, but no numbers for each category.

I added the ‘Covered Facilities’ line to the table above; it is not in the Update table. The number for current facilities is provided in the text of the Update. What would have been interesting to see here is a listing of the total number of facilities that had, at one time or another, been covered facilities. The last number we had before CSAT 2.0 was 2,948, but the first Fact Sheet (April 2013) showed 4,382 facilities, and the number has certainly been higher than that.

ISCD does report in the body of the new Update that they will probably see a continuing increase in the number of covered facilities, at least in the near term. This is due to their continuing to send out Top Screen notification letters to facilities that are currently not covered, as I explained late last month.

Given the 2015 GAO report on the CFATS program and its reporting of problems with compliance inspections it still disappoints me to see ISCD publish numbers of compliance inspections conducted without reporting on the pass/fail numbers on those inspections. I really do expect that ISCD can now report much better than the nearly 50% failure rate that GAO reported in 2015.


I am glad to see that ISCD has resumed publishing this update. The congressional pressure that was the impetus for providing this data back in 2013 is no longer present. That makes it that much more impressive that ISCD is sharing this information.

Friday, May 5, 2017

HR 2223 Introduced – Rail Spill Fund

Last month Rep. DeFazio (D,OR) introduced HR 2223, the Community Protection and Preparedness Act of 2017. The bill would establish a Rail Account within the Oil Spill Liability Trust Fund (OSLTF). The bill is similar to HR 5786 that was introduced in the 114th Congress, but significant changes were made to increase the chances of this bill being considered.

Changes


Section 3 of the earlier bill that added new requirements for rail track inspections has been removed from this version. In its place, DeFazio added §5 that would require DOT to report to Congress on rail track inspections. That report would include an assessment of current {§5(1)}:

• Railroad track inspections, including the frequency of inspections;
• Training provided to railroad track inspectors and related railroad personnel;
• Railroad compliance with Federal track safety regulations; and
• Federal oversight of railroads with respect to track safety.

Another change is the addition of a new §3 that would require the DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) to complete their rulemaking on “Oil Spill Response Plans and Information Sharing for High-Hazard Flammable Trains”.

Moving Forward


DeFazio is the Ranking Member of the House Transportation and Infrastructure Committee and thus should be in a position to move this bill forward to consideration by that Committee. The earlier bill drew too much opposition from the railroads, because of its costly track inspection requirements, for the Committee to approve it. This was almost certainly the reason that the bill was not considered in the last session.

The removal of those track inspection requirements should remove the opposition of the railroads. In fact, there could be a quiet endorsement of this bill by the railroads as it would increase the costs to shippers of flammable liquids thus potentially reducing some of those shipments. This would help reduce railroad liability for accidents involving these hazardous materials. The presence of the Rail Fund in the OSLTF to help fund response training would also reduce calls for additional railroad funding of such training.

The main thing holding up consideration of this bill remains the opposition of the flammable liquid shippers to having to pay into the Rail Fund. That opposition is not as organized as the railroads were in their earlier opposition. That, combined with the general Republican opposition to federal regulations, may be enough to derail this bill. If the bill is considered by the Committee, the chances of it passing in the House would be much higher than I currently expect them to be.

Commentary


From a hazmat transportation safety perspective, the main problem with the OSLTF remains the limitation of consideration of spill response as a water contamination issue. Continuing to ignore the fire and explosion hazard related to these spills means that this fund will have little or no effect on the planning for, and spending on, responding to the biggest hazard for flammable liquid accidents in or near urban areas.

From a legal point of view, the easiest way to do this would be to create a new hazardous chemical spill liability fund that would be completely separate from the current OSLTF. That way the new fund could be more appropriately targeted in the scope of emergency response planning and support. From a political point of view that is not going to happen absent a really huge hazmat transportation incident.

This bill tries to take the more politically expedient approach of adding a more generalized hazmat response under authority of 49 USC 5116 for a subset of the OSLTF established as the Rail Fund. The problem with this is that the folks currently administering the OSLTF are experienced and focused on the issues of protecting water from oil spills, not responding to fires and explosions. This involves two completely different sets of planning and response activities.


Having said that, I think that this is probably the most expedient method of dealing with an expensive and complex issue. It is not going to be really effective, but it will be more effective than what we currently have. We have to remember that politics is, at its heart, the art of the possible.

Thursday, May 4, 2017

ICS-CERT Publishes 4 Advisories

Today the DHS ICS-CERT published 4 control system security advisories for products from Rockwell, Advantech, Dahua Technology and Hikvision. The Rockwell advisory was previously published on the NCCIC Portal on April 4, 2017.

ICS-CERT also published the latest version of their ICS-CERT Monitor. Not worth reviewing, but it is out there.

Rockwell Advisory


This advisory describes a resource exhaustion vulnerability in Rockwell ControlLogix and CompactLogix controllers. The vulnerability was apparently self-reported. Rockwell has provided updated versions to mitigate the vulnerability.

ICS-CERT reports that an uncharacterized attacker could remotely exploit the vulnerability to cause the device that the attacker is accessing to become unavailable.

Advantech Advisory


This advisory describes an absolute path traversal vulnerability in Advantech WebAccess. The vulnerability was reported by Zhou Yu via ZDI. Advantech has produced a new version to mitigate the vulnerability. ICS-CERT reports that Yu has verified the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to traverse the file system and gain access to files or directories, which could result in the device becoming unavailable.

Dahua Technology Advisory


This advisory describes two password vulnerabilities in Dahua digital video recorders and IP cameras. Bashis disclosed these vulnerabilities without coordinating with ICS-CERT (see the Brian Krebs and ThreatPost articles for more information).

The two reported vulnerabilities are:

• Use of password hash instead of password for authentication - CVE-2017-7927; and
• Password in configuration file - CVE-2017-7925.

ICS-CERT reports that a relatively low skilled attacker could use publicly available exploit code to remotely obtain user credentials, including password hashes, and use those credentials to bypass authentication.

Hikvision Advisory


This advisory describes two password vulnerabilities in Hikvision cameras. The vulnerabilities were reported by IPcamtalk user “Montecrypto”. Hikvision has published a new version that mitigates one of the two vulnerabilities. There is no indication that Montecrypto was provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Improper authentication - CVE-2017-7921; and
• Password in configuration file - CVE-2017-7923.
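The two Dahua findings compound each other, and the Hikvision pair (improper authentication plus a password in a configuration file) has the same shape: once the configuration can be read, whatever it holds becomes the credential. The following added example is mine, not Dahua or Hikvision code; the advisories give no implementation detail, and the configuration, user name and password are constructed. It shows why a scheme that compares a client-supplied hash against a stored hash is broken as soon as the stored hash leaks, next to a verifier that cannot be replayed.

```python
"""Accepting a stored password hash as the login credential ("pass the hash") next to a
verifier that cannot be replayed.

Added example, not Dahua or Hikvision code; the advisories give no implementation
detail. The device configuration, user name and password are constructed.
"""
import hashlib
import hmac
import os

# Constructed configuration, standing in for a config file that an unauthenticated
# request can download. Everything in it must be assumed attacker-readable.
DEVICE_CONFIG = {"users": {"admin": {"password_md5": hashlib.md5(b"admin123").hexdigest()}}}


def login_vulnerable(config: dict, user: str, presented_hash: str) -> bool:
    """Flawed scheme: the client hashes the password and sends the hash, and the
    device compares that with the stored hash. The hash therefore *is* the
    credential: whoever read the configuration can log in without the password."""
    record = config["users"].get(user)
    return record is not None and presented_hash == record["password_md5"]


def client_login_vulnerable(config: dict, user: str, password: str) -> bool:
    """What the legitimate client does in the flawed scheme."""
    return login_vulnerable(config, user, hashlib.md5(password.encode()).hexdigest())


PBKDF2_ITERATIONS = 100_000


def make_verifier(password: str) -> dict:
    """Salted, iterated verifier. Derived from the password, useless as a credential."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "pbkdf2_sha256": digest.hex()}


_UNKNOWN_USER = make_verifier("placeholder")   # unknown names cost the same time as known ones


def login_fixed(verifiers: dict, user: str, password: str) -> bool:
    """The client sends the password itself (over TLS, which this toy omits); the
    device re-derives the verifier and compares in constant time. Submitting the
    stored verifier string as the 'password' simply derives a different value."""
    record = verifiers.get(user, _UNKNOWN_USER)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return user in verifiers and hmac.compare_digest(digest.hex(), record["pbkdf2_sha256"])


def demo() -> dict:
    """Legitimate login and replay of the leaked secret under both schemes."""
    leaked_hash = DEVICE_CONFIG["users"]["admin"]["password_md5"]
    verifiers = {"admin": make_verifier("admin123")}
    leaked_verifier = verifiers["admin"]["pbkdf2_sha256"]
    return {
        "vulnerable_real_password": client_login_vulnerable(DEVICE_CONFIG, "admin", "admin123"),
        "vulnerable_replayed_hash": login_vulnerable(DEVICE_CONFIG, "admin", leaked_hash),
        "fixed_real_password": login_fixed(verifiers, "admin", "admin123"),
        "fixed_replayed_verifier": login_fixed(verifiers, "admin", leaked_verifier),
        "fixed_wrong_password": login_fixed(verifiers, "admin", "admin124"),
        "fixed_unknown_user": login_fixed(verifiers, "operator", "admin123"),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'login accepted' if accepted else 'login rejected'}")
```

The salted verifier is still worth protecting, since a leaked copy can be cracked offline, which is why the configuration file itself must not be readable without authentication (the second finding in each advisory). What the change buys is that reading the configuration no longer equals logging in.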

In Passing



Please remember that when ICS-CERT publishes their 2017 stats that they will almost certainly include the Dahua and Hikvision vulnerabilities in their count of control system advisories for the year.

House Passes HR 244 – FY 2017 Spending

After a nearly party-line vote on the resolution adopting the rule for consideration of  HR 244, the House passed the Consolidated Appropriations Act, 2017 by a bipartisan vote of 309 to 118 (with 103 Republicans voting Nay). The Democratic opposition to the rule vote was an attempt to open consideration of HR 244 to the amendment process on the floor of the House.

Cybersecurity


The rule for consideration of HR 244 also added a new division to HR 244. The new Division N is the Intelligence Authorization Act for Fiscal Year 2017. As I have mentioned on a couple of occasions the House has passed various versions of this bill in both the 114th and 115th Congress, but the Senate has not taken up any version of this bill.

The version now included in HR 244 does not include any specific cybersecurity provisions beyond a reporting requirement; Sec. 614. Report on cybersecurity threats to seaports of the United States and maritime shipping. I have previously discussed this provision on a couple of occasions, the most recently here.

Moving Forward



The Senate is scheduled to debate HR 244 today and vote on cloture on Friday morning. The current plan for consideration in the Senate does not include a floor amendment process.

Tuesday, May 2, 2017

ICS-CERT Publishes 3 Advisories

Today the DHS ICS-CERT published three control system security advisories for products from Advantech, CyberVision and Schneider.

Advantech Advisory


This advisory describes a client-side authentication vulnerability in the Advantech B+B SmartWorx MESR901. The vulnerability was originally reported by Maxim Rupp. ICS-CERT reports that Advantech is unable to provide mitigations for this product and is working to replace the product with a new model.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to bypass authentication and access restricted pages.

CyberVision Advisory


This advisory describes a code injection vulnerability in the CyberVision Kaa IoT Platform. The vulnerability was reported by Jacob Baines from Tenable Network Security. ICS-CERT reports that CyberVision has been unresponsive to multiple contact requests and has produced no mitigations for this vulnerability.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability to allow for the creation of files with custom content, movement of files, and execution of arbitrary OS commands.

Schneider Advisory


This advisory describes an improper XML parser configuration vulnerability in the Schneider Wonderware Historian Client. The vulnerability was reported by Andrey Zhukov from USSC. Schneider has produced an update that mitigates the vulnerability. ICS-CERT reports that Zhukov has verified the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker (there is no discussion of access requirements) could exploit the vulnerability to cause a denial of service of the trend display or to disclose arbitrary files from the local file system to a malicious web site. The Wonderware Security Bulletin reports that a social engineering attack would be required to get an authorized user to load a malicious XML settings file.
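The vulnerability class the advisory names, a parser that resolves external entities while loading a user-supplied settings file, is easy to reproduce with the Python standard library. The following is an added example, not Schneider's code and not a reproduction of the Wonderware flaw, whose details the advisory does not give; the settings document, the element names and the secret file are all constructed here. It runs the same malicious document through the parser with external general entities enabled and then disabled.

```python
"""XML external entity (XXE) file disclosure from an over-permissive parser, and
the fix. Added example, not Schneider or Wonderware code; the 'settings file'
and the secret file are constructed here so the script runs offline."""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler
from xml.sax.handler import ContentHandler

SECRET = "SECRET-TOKEN-42"   # constructed stand-in for the contents of a sensitive local file


class TextCollector(ContentHandler):
    """Collects all character data the parser reports."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self) -> str:
        return "".join(self.parts)


def parse_settings(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse an untrusted settings document and return its text content.

    feature_external_ges decides whether external general entities (SYSTEM "...")
    are fetched and inlined. With it enabled, whoever authors the document can
    make the parser read any file the user running it can read.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def malicious_settings(target_path: str) -> bytes:
    """An attacker-supplied 'settings file': the entity is resolved on the victim's host."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE settings [<!ENTITY xxe SYSTEM "{target_path}">]>\n'
        '<settings><trend name="temp"><source>&xxe;</source></trend></settings>'
    ).encode()


def demo() -> dict:
    """Run the same document through the weak and the hardened configuration."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write(SECRET + "\n")
    try:
        doc = malicious_settings(path)
        weak = parse_settings(doc, resolve_external_entities=True)
        hardened = parse_settings(doc, resolve_external_entities=False)
    finally:
        os.remove(path)
    return {"weak_leaks_file": SECRET in weak, "hardened_leaks_file": SECRET in hardened}


if __name__ == "__main__":
    print(demo())
```

The demonstration stops at the file contents being pulled into the parsed document; getting them to a remote site is a further step that depends on what the application does with the parsed values. The fix is the same regardless of parser: turn off external entity resolution (and, where possible, DTD processing altogether) in whatever XML library the client uses before it touches a file a user brought in.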

Commentary


At this late date it is very disconcerting to see two ICS-CERT advisories reporting that vendors are not fixing reported vulnerabilities. I am disappointed in not seeing ICS-CERT report why Advantech is choosing to not fix their SmartWorx MESR901. I suspect that this is an end-of-life issue, but the product is still being actively advertised on the Advantech web site.


More disturbing is the failure of CyberVision to even respond to ICS-CERT about the reported vulnerability. The Kaa project is advertised as an open-source IoT platform. We have enough problems with IoT security as it is without vendors failing to acknowledge, let alone fix, specifically identified security issues in their products.

ISCD Updates Another FAQ

Today the DHS Infrastructure Security Compliance Division (ISCD) updated the response to one of the frequently asked questions (FAQ) on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. The FAQ in question was:


This is a complete re-write of the FAQ response, but very little information was actually changed. The two most important changes were the addition of links to three different sections of the CFATS regulations and a change to the name of the person to whom letters requesting determinations should be sent. The original FAQ response showed Amy Graydon as the acting Director of ISCD; that has long since changed to David Wulf as the Director.


This points out a common problem that is seen frequently in the FAQ responses. The addresses given in the various FAQs should only include position titles, not the name of the person currently holding that position. That way the FAQ’s do not need to be updated when personnel change.

HR 244 – DHS Spending

This is the second in a short series of blog posts about HR 244, the Consolidated Appropriations Act, 2017. The initial post in the series was:


This post deals with Division F of the bill, the Department of Homeland Security Appropriations Act, 2017. This Division is generally based upon the earlier appropriations bills from the 114th Congress (HR 5634 and S 3001). As is typical with DHS appropriations bills, the programs of specific interest to readers of this blog do not draw much in the way of specific mention in the actual spending bill (or Division F in this instance). To gather much in the way of information we have to look at the Explanatory Statement for Division F, which effectively updates the Committee reports on the earlier bills.

Cybersecurity


Cybersecurity is now a major reporting category under Title III, Protection, Preparedness, Response, and Recovery, under the National Protection and Programs Directorate. Table 1 below lays out the cybersecurity operations and support funding outlined on pages 40-41. The CERT figures probably include ICS-CERT and are part of the NCCIC funding.


                                         Budget Estimate     Final Bill
Cyber Readiness
  NCCIC Operations                          $116,168,000   $108,402,000
    (CERT)                                   (94,134,000)   (86,368,000)
  NCCIC Planning                              92,683,000     88,502,000
    (CERT)                                   (65,788,000)   (61,607,000)
Cyber Infrastructure
  Cybersecurity Advisors                      13,535,000     12,970,000
  Enhanced Cybersecurity Services             16,830,000     16,950,000
  Cybersecurity Education and Awareness        7,886,000     14,133,000
Federal Cybersecurity                        435,235,000    428,457,000
Total                                       $682,340,000   $669,414,000
Table 1: Cybersecurity Spending (figures in parentheses are the CERT portion of the line above)

The budget numbers are from the Trump budget. The breakout from the last Obama budget does not track well with these categories so it is not reasonable to try to compare the two sets of numbers. Even where there are similar category titles (CERT Operations for example) it is not necessarily the same set of budget numbers.

There are no specific control system security related comments in the Explanatory Statement. This is somewhat disappointing since the Senate Report on S 3001 noted (pg 98) increased spending (+$5 million) on the ICS-CERT ‘Training and Assessment’ account. I suspect that there will still be an increase, but how much of that earlier amount remains is yet to be seen.

Chemical Security


Again, the Chemical Facility Anti-Terrorism Standards (CFATS) program is not large enough to be mentioned in HR 244. It does get a line item in the Explanatory Statement and the numbers do mesh from the previous bills; see Table 2.


                                    Obama Budget   Trump Budget        Final
Infrastructure Security Compliance   $78,667,000    $76,876,000  $69,557,000
Table 2: Chemical Security

There is no explanation why the negotiators reduced the CFATS program spending to a level below the $72 million found in both of the earlier House and Senate Reports. Congress has had problems recently with ISCD being able to fill the authorized Chemical Security Inspector slots, but that may not explain this decrease; it may simply be a matter of cutting minor programs to provide money for increasing other programs.

Surface Transportation


Surface transportation security falls under two different agencies in DHS. The Coast Guard deals with the security of water transportation and its related land based facilities under the Maritime Transportation Security Act (MTSA). There is no mention of that program in either HR 244 or the Explanatory Statement. On the government side this is a very inexpensive program (relatively speaking).

The TSA is responsible for all of the other very limited DHS surface transportation security programs. For purposes of this blog, this includes pipeline, rail and truck transportation security. There is just a single line item to cover all of the TSA surface transportation security spending:


                                  Obama Budget   Trump Budget          Final
Surface Transportation Security   $122,716,000   $122,716,000   $122,716,000
Table 3: Surface Transportation Security


It really looks like everyone is just marking time on TSA surface transportation operations. Kind of scary looking at the history of attacks on surface transportation across the world.
 