Thursday, June 22, 2017

OMB Approves EPA TSCA Guidance Document

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced the approval of the publication of a new EPA guidance document supporting the implementation of some of the requirements of the Frank R. Lautenberg Chemical Safety for the 21st Century Act (PL 114-182). Specifically, this document, “Guidance to Assist Interested Persons in Developing and Submitting Draft Risk Evaluations Under the Toxic Substances Control Act (TSCA)”, should help industry determine what information to include when requesting EPA risk evaluations under 15 USC 2605 as modified by §6 of the Act (130 Stat 460).

OIRA was pretty quick in approving this publication (submitted on June 13th), especially considering that it was substantially written under the Obama Administration. It is unclear how soon this will be published by the EPA since two of the regulations that this supports are still under review by OIRA (here and here) at the notice of proposed rulemaking (NPRM) stage. Technically this could move forward without those rules being approved, since those regulations probably have more effect on EPA actions taken on the submitted data than on industry submitting the data.


Obviously, the Trump Administration will not meet the June 22nd (today) deadline for implementing the requirements of §6. To be fair, neither would the Obama Administration have. That deadline was totally unrealistic given the rulemaking process and the complexity of the issues involved. I do suspect that we will see the two TSCA NPRMs published this summer.

Wednesday, June 21, 2017

ICS-CERT Publishes New Advisory and Updates 2 Siemens Advisories

Yesterday the DHS ICS-CERT published a new control system security advisory for a product from Ecava. They also updated two previously published advisories for products from Siemens.

Ecava Advisory


This advisory describes an SQL injection vulnerability in the Ecava IntegraXor. The vulnerability was reported by Tenable Security. Ecava has produced a new version that mitigates the vulnerability. ICS-CERT reports that Tenable has verified the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to effect unauthenticated remote code execution.

PROFINET Update


This update provides additional information on an advisory originally published on May 9th, 2017 and updated on June 15th, 2017. This update provides new affected version data and links to updates for Primary Setup Tool (PST): All versions prior to V4.2 HF1.

Interestingly, this information on the PST was made available in the same updated version of the Siemens Advisory published on June 13th that was used for the previous ICS-CERT update. A close comparison of the original Siemens Advisory and the June 13th version shows that there was an additional product that was updated, which is also not mentioned in the earlier ICS-CERT update or in this update: the Security Configuration Tool (SCT): All versions < V5.0.

Industrial Products Update


This update provides additional information on an advisory originally issued on November 8, 2016 and then updated November 22nd, 2016; December 23rd, 2016; February 14th, 2017; March 2nd, 2017 and May 9th, 2017. This update provides the same new information as the ICS-CERT update described above. Interestingly (and kudos to ICS-CERT for really prompt reporting), Siemens published their updated Security Advisory just yesterday morning (ICS-CERT time).


NOTE: Siemens also announced (via Twitter®, @ProductCERT) yesterday that they had published a new security advisory (SSA-126840) and updated another advisory (SSA-275839) with the same SCT information noted above. I expect that we will see those reflected on the ICS-CERT site today or tomorrow.

Monday, June 19, 2017

Committee Hearings – Week of 6-18-17

With both the House and Senate in session the focus this week remains budget hearings. There are no budget hearings of specific interest this week, but the budget process is still taking up a large portion of congressional focus. There is only one cybersecurity hearing currently scheduled for this week, though there may be cybersecurity amendments offered in the NDAA markup process that also begins this week.

NDAA


The FY 2018 National Defense Authorization Act (NDAA) is another priority moving forward. HR 2810 currently has no cybersecurity provisions, but there are gaping holes in the bill that will be filled-in during the markup process. That process starts this week in subcommittees of the House Armed Services Committee:


Cybersecurity


On Wednesday, the Senate Homeland Security and Governmental Affairs Committee will be holding a hearing on “Cybersecurity Regulation Harmonization”. The witness list includes:

• Christopher F. Feeney, BITS/Financial Services Roundtable
• Dean C. Garfield, Information Technology Industry Council
• Daniel Nutkis, Health Information Trust Alliance
• James "Bo" Reese, National Association of State Chief Information Officers


This will certainly focus on IT cybersecurity, but there may be some minor attention paid to control system security.

Sunday, June 18, 2017

HR 2825 Amended and Approved in Committee

Last week the House Homeland Security Committee held a markup hearing on HR 2825, the DHS Authorization Act of 2018 [corrected date 6-19-17 0710 EDT]. The Committee adopted a large number of amendments, including substitute language.

Substitute Language


The original bill was extremely light in its coverage and was obviously missing some titles. The substitute language offered by Rep. McCaul (R,TX) substantially enlarged and expanded the coverage of the bill. New sections in the substitute language that may be of specific interest to readers of this blog include:

§403. Cyber at ports.
§409. Repeal of interagency operational centers for port security and secure systems of transportation.
§572. Surface transportation security assessment and implementation of risk-based strategy.
§577. Surface transportation security advisory committee.
§583. Study on surface transportation inspectors.
§584. Security awareness program.
§585. Voluntary use of credentialing.
§586. Background records checks for issuance of hazmat licenses.
§587. Recurrent vetting for surface transportation credential-holders.
§588. Pipeline security study.
§589. Repeal of limitation relating to motor carrier security-sensitive material tracking technology.
§620. Cyber preparedness.
§642. Medical Countermeasures Program.

The provisions I discussed in my post about the original bill remain essentially unchanged.

Maritime Security


Title IV of the substitute language addresses maritime security issues. Most of the provisions found in this title were included in HR 2831, the Maritime Security Coordination Improvement Act that I reviewed yesterday. That bill includes provisions not seen in this bill, so it is likely to continue forward. I suspect that the duplicate provisions in this bill are those that McCaul considers the most important.

The cybersecurity provisions that I discussed in HR 2831 are included in this bill (§403) essentially unchanged.

Surface Transportation Security Studies


The substitute language contains a new Title V, Subtitle G (sections 571 through 589) that addresses a number of surface transportation security issues. Many of them deal with various study and report requirements. There are two studies outlined in this subtitle that may be of specific interest to owners and operators of surface transportation organizations and activities.

Section 583 would require the Government Accountability Office (GAO) to conduct a study looking at potential duplications or redundancies between TSA and DOT “relating to surface transportation security inspections or oversight” {§583(1)}. While TSA has been given the responsibility for overseeing all transportation security issues, its main (some would say almost exclusive) focus has been on passenger air transportation security. As a result, the DOT modal agencies have continued to oversee the pre-TSA security requirements that were initiated by the modal agencies. There exists a very real potential that this study could lead to the disbanding of the TSA surface transportation security program as duplicative and ineffective.

Section 588 requires a separate GAO study of the TSA/DOT oversight conflict in the pipeline security arena. Of particular interest to readers of this blog is the specific inclusion of cybersecurity issues in the study parameters. The GAO is tasked with looking at whether the current memorandum of understanding between DHS and DOT adequately delineates the responsibility for {§588(a)(1)}:

• Protecting against intentional pipeline breaches and cyber-attacks;
• Responding to intentional pipeline breaches and cyber-attacks; and
• Planning to recover from the impact of intentional pipeline breaches and cyber-attacks.

The big problem here is that most of the activities that are used to respond to a pipeline breach are the same for both intentional and accidental breaches. Given the fact that accidental breaches are much more common than intentional breaches, the DOT pipeline safety folks will have much more practical experience in this field.

The one area that is not specifically identified in the §588 requirements is having the GAO study identify whether either PHMSA or TSA has enough people with the requisite skill and background in control system security to deal with cyber-attacks.

Other Amendments


An amendment offered by Rep. Thompson (D,MS) amended the new requirement for surface security awareness training outlined in §584. The Thompson amendment would reiterate that this new requirement would not “replace or affect in any way the security training program requirements” specified in 6 USC sections 1137, 1167, and 1184. Readers of this blog will remember that TSA finally published a notice of proposed rulemaking (NPRM) on those requirements last December. This amendment was adopted by voice vote.

An amendment offered by Rep. Langevin (D,RI) would add a new section to the bill that would require the FEMA Administrator to conduct a study on the use of grant funds awarded pursuant to 6 USC §604 (Urban Area Security Initiative) and §605 (State Homeland Security Grant Program) to support efforts to prepare for and respond to cybersecurity risks and incidents (as such terms are defined in 6 USC 148). Readers should see my discussion on HR 2831 on why the reference to 6 USC 148 ignores control system security issues. This amendment was adopted by voice vote.

Moving Forward



The amended substitute language on this bill passed by a voice vote. Even with the Democrats losing party line votes on six amendments, there is still substantial bipartisan support within the Committee for the amended bill. If McCaul can get buy in from the House leadership (including the chairs of a number of other potentially interested committees) to bring this bill to the floor, it is almost certain to pass. Convincing the Senate leadership to bring the bill to the floor in that body will be another intra-party, political issue.

Saturday, June 17, 2017

HR 2831 Introduced – Port Security Corrections

Last week Rep. Rutherford (R,FL) introduced HR 2831, the Maritime Security Coordination Improvement Act. The bill makes a number of changes to laws pertaining to port security operations conducted by the Coast Guard. Changes of specific interest to readers of this blog would be increased emphasis on cybersecurity and changes to Maritime Transportation Security Act (MTSA) inspection requirements.

Cybersecurity


Section 4 of the bill addresses three separate port cybersecurity issues, each at a different level of interest: DHS/CG, Captain of the Port (COTP), and MTSA covered facility owner.

Section 4(b) of the bill specifically adds cybersecurity to the areas of potential weakness that DHS/CG is required to look at when they are assessing the “detailed vulnerability assessment of the facilities and vessels that may be involved in a transportation security incident” 46 USC 70102(b)(1)(C).

Section 4(a) addresses cybersecurity at the COTP level by adding a new requirement for Area Maritime Security Advisory Committees (AMSAC) under 46 USC 70112(a)(2)(A). The AMSACs “shall facilitate the sharing of information relating to cybersecurity risks and incidents (as such terms are defined in section 227 of the Homeland Security Act of 2002 (6 U.S.C. 148)) to address port-specific cybersecurity risks and incidents, which may include the establishment of a working group of members of such committees to address such port-specific cybersecurity risks and incidents” {§70112(a)(2)(A)(i)}.

At the facility owner level the bill would require vessel and facility security plans under 46 USC 70103(c) to specifically address “prevention, management, and response to cybersecurity risks and incidents (as such terms are defined in section 227 of the Homeland Security Act of 2002 (6 U.S.C. 148) [link added])” {new §70103(c)(3)(C)(v)}.

Facility Inspections

Section 5 of the bill makes a change to the requirements for the Coast Guard to inspect MTSA covered facilities under 46 USC 70103(c)(4)(D). Instead of inspecting at least twice a year (one inspection conducted without advance notice), the new requirement would reduce that to at least once a year without notice.

Moving Forward


Rutherford and all three of his cosponsors {including Chairman McCaul (R,TX)} are members of the House Homeland Security Committee, one of the two committees to which the bill was assigned for consideration. This bill will almost certainly be considered (and approved) in the Homeland Security Committee; consideration by the Transportation and Infrastructure Committee is much less assured.

There does not appear to be anything in the bill that would raise any significant opposition in the House. If McCaul can get the bill to the floor of the House, it is likely to eventually reach the President’s desk.

Discussion


There are no cybersecurity definitions in the bill beyond reference to the terms ‘cybersecurity risks’ and ‘incident’ from §148(a). Those definitions both rely on the definition of ‘information system’ which §148 takes from 44 USC 3502(8). That definition is very IT-centric; “the term ‘information system’ means a discrete set of information resources [emphasis added] organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information”. Thus, it could be argued that these cybersecurity requirements do not address control system, security system, or building maintenance system security issues.

In many industries (finance, commercial sales, and healthcare for example) protecting information is the paramount concern when we talk about cybersecurity. In port operations, however, the operational side of the house is probably more significant than is the need to protect just information. Thus, it would behoove Congress to ensure that the language in this bill reflects the importance of operational cybersecurity.

The only place that currently expands the IT-centric definitions of cybersecurity to include operational technology is 6 USC 1501(9). There the definition of ‘information system’ is still based on a reference to §3502, but it was specifically expanded by adding subparagraph (B) “includes industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers”.

The problem is, however, that §1501 does not also include the terms ‘cybersecurity risks’ or ‘incident’. One could use the current reference to §148 for those terms but specify that the term ‘information system’ is based upon §1501. Doing that in both instances where the first two terms are currently used would be very wordy and potentially confusing.

It would probably be better to add a new paragraph to §4 of the bill that provides definitions that would be used in the Port Security chapter of the US Code (46 USC 70101). If I were doing this, I would add the following definitions:

(1) The term ‘information system’ has the meaning given the term in section 3502 of title 44;

(2) The term ‘control system’ means a discrete set of information resources, sensors, communications interfaces and physical devices organized to monitor, control and/or report on physical processes, including manufacturing, transportation, access control, and facility environmental controls;

(3) The term ‘cybersecurity risk’ means:

(A) threats to and vulnerabilities of information, information systems, or control systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information, information systems, or control systems, including such related consequences caused by an act of terrorism; and

(B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;

(4) The term ‘incident’ means an occurrence that actually, or imminently jeopardizes, without lawful authority:

(A) the integrity, confidentiality, or availability of information on an information system,

(B) the timely availability of accurate process information, the predictable control of the designed process or the confidentiality of process information, or

(C) an information system or a control system;


With these definitions in place the references to §148 are superfluous and should be removed. Then the intent would be clear that the bill would be addressing both the information and control system cybersecurity of port operations. And that is almost certainly the intent of the crafters of this bill.

Bills Introduced – 06-16-17

With both the House and Senate gone for the weekend there were 8 bills introduced in a pro forma session in the House. Of those, one may be of specific interest to readers of this blog:

HR 2930 To develop a civil unmanned aircraft policy framework, a pilot program, and for other purposes. Rep. Lewis, Jason [R-MN-2]


I will be watching this bill to see if it addresses issues related to UAS and critical infrastructure security.

Public ICS Disclosure – Week of 6-10-17

This week Richard Young described a privilege escalation vulnerability in the APC UPS Daemon (APCUPSD). The SecLists Full Disclosure report notes that Young attempted a coordinated disclosure, but received an inadequate response from the vendor. He reports that:

“The default installation of APCUPSD allows a local unprivileged user to run arbitrary code with elevated privileges by replacing the service executable apcupsd.exe with a malicious executable, which will run with SYSTEM privileges at startup.”


The APCUPSD web site reports that the program supports Modbus (via both serial and USB connections), so this vulnerability in a UPS support program is potentially a control system security issue. Note that the reported weakness is a local one: an attacker needs an unprivileged account on the Windows host running the service, and the payoff is SYSTEM-level code execution on that host when the service next starts.
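The weakness Young describes is a general pattern, a service binary that a low-privileged user can overwrite, and it is worth checking every Windows host in a control network for it rather than just the one product. The following PowerShell audit is an added example written for this post; it is not code from Young’s report or from the APCUPSD project. It assumes the pattern of interest is a service running as LocalSystem whose executable, or the directory holding it, grants write, modify, delete or full-control rights to one of a hand-picked list of low-privilege principals (that list is an assumption; extend it for your domain), and it must be run from an elevated prompt so that every service’s image path and ACL can be read.

```powershell
# Added example (not from the original post or the APCUPSD project): audit
# Windows services for a binary that low-privileged principals can replace.
# Run from an elevated PowerShell prompt.

# Principals that should never hold write rights on a service binary.
# This list is an assumption; add domain groups as appropriate.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a caller overwrite or replace the file.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::Delete

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName may be quoted ("C:\Program Files\x\svc.exe" /service) or
    # unquoted with arguments; reduce it to the executable itself.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(\S+\.exe)')  { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Test-WeakAcl {
    param([string]$Path)
    # Returns the first Allow ACE that gives a low-privilege principal
    # write-class rights on $Path, or $null if none is found.
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $null }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) { return $ace }
    }
    return $null
}

Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' } |
    ForEach-Object {
        $exe = Get-ServiceBinaryPath $_.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return }
        # Check both the file and its directory: being able to delete and
        # recreate the file is as good as being able to write to it.
        $weakFile = Test-WeakAcl $exe
        $weakDir  = Test-WeakAcl (Split-Path -Parent $exe)
        if ($weakFile -or $weakDir) {
            $ace = if ($weakFile) { $weakFile } else { $weakDir }
            [pscustomobject]@{
                Service   = $_.Name
                StartMode = $_.StartMode
                Binary    = $exe
                WeakOn    = if ($weakFile) { 'file' } else { 'directory' }
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    } | Format-Table -AutoSize
```

Any row this prints is a local privilege escalation waiting to happen, and an Auto start mode means it triggers on the next reboot without further attacker action. The fix for a finding is to restrict the ACL on the binary and its directory to SYSTEM and Administrators, not to rely on the service account; the check deliberately looks at the directory as well because a per-file ACL can be bypassed by deleting and recreating the file when the directory allows it.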

Friday, June 16, 2017

Bills Introduced – 06-15-17

Yesterday with both the House and Senate in session there were 54 bills introduced. Of those, one may be of specific interest to readers of this blog:

HR 2922 To reform and improve the Federal Emergency Management Agency, the Office of Emergency Communications, and the Office of Health Affairs of the Department of Homeland Security, and for other purposes. Rep. Donovan, Daniel M., Jr. [R-NY-11]


The Office of Health Affairs currently has two chemical safety/security programs that have received mention in this blog: the medical countermeasures program for DHS employees, and the chemical defense program. I will be watching to see if HR 2922 addresses either program.

Thursday, June 15, 2017

ICS-CERT Publishes Advisory and Updates 5 Siemens Advisories

Today the DHS ICS-CERT published one new control system security advisory for a product from Cambium Networks and updated five previously published advisories for products from Siemens.

Cambium Advisory


This advisory describes two vulnerabilities in the Cambium ePMP Network Access Control products. The vulnerabilities were reported by Karn Ganeshen. According to Cambium, newer versions of the firmware are not affected. There is no indication that Ganeshen was provided an opportunity to verify that.

The two reported vulnerabilities are:

• Improper access control - CVE-2017-7918; and
• Improper privilege management - CVE-2017-7922

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to access device configuration as well as make unauthorized changes to the product’s configuration.

ICS-CERT also notes that Cambium recommends that users change the default SNMP configuration.

PROFINET Update 1


This update provides additional information on the advisory that was originally published on May 9th, 2017. The update provides new affected version information and links to the updates for:

• SIMATIC STEP 7 V5.X: All versions prior to V5.6;
• SIMATIC WinCC: All versions prior to V7.4 SP1 Upd1; and
• Security Configuration Tool (SCT): All versions prior to V5.0

PROFINET Update 2


This update provides additional information on the advisory that was originally published on May 9th, 2017. The update provides new affected version information and links to the updates for:

• SCALANCE X300, X408: All versions prior to V4.1.0;
• X414 (not previously listed): All versions prior to V3.10.2;
• SITOP PSU8600 PROFINET: All versions prior to V1.2.0;
• SITOP UPS1600 PROFINET (not previously listed): All versions prior to V2.2; and
• SIMATIC S7-400 including F and H: All versions prior to V8.2.

SIMATIC Update


This update provides additional information on the advisory that was originally published on February 14th, 2017. The update provides new information on the affected version:

• SIMATIC WinCC: All versions prior to V7.4 SP1; and
• SIMATIC WinCC Runtime Professional: All versions prior to V14 SP1.

The previously published mitigation measure (SIMATIC Logon V1.5 SP3 Update 2) will work on these products as well.

SICAM PAS Update

This update provides additional information on the advisory that was originally published on December 1st, 2016. The update provides updated version information and the announcement that the newest version of the software fixes all of the reported vulnerabilities. There is no indication that the researchers have verified the efficacy of the fix.

DROWN Update


This update provides additional information on the advisory that was originally published on April 12th, 2016 and subsequently updated on February 28th, 2017. The new update provides updated affected version information for:

• SCALANCE X300 family: All versions prior to V4.1.0,
• SCALANCE X414: All versions prior to V3.10.2,
• SCALANCE X200 RNA family: All versions prior to V3.2.5, and
• ROX I: All versions not using the mitigations listed in SSA-327980 (Siemens link).

Additionally, the update also provides new mitigation information for:

• SCALANCE X300 family;
• SCALANCE X414; and
• ROX I

Missing Siemens Advisories and Updates



The updates published today address five of the six ‘missing updates’ that I discussed on Tuesday. The still missing update is for the Siemens SIPROTEC products; SSA-732541, originally ICSA-15-202-01. I still have not seen the Siemens WannaCry updates that I mentioned on Monday being reported by ICS-CERT. Of course, ICS-CERT could have been waiting for the two new WannaCry updates Siemens announced today (here and here).

Wednesday, June 14, 2017

EPA Submits TSCA Submission Guidance to OMB

Yesterday the OMB announced that the EPA had submitted a new guidance document supporting the requirements for submitting draft risk evaluations to the EPA under the new TSCA provisions of the Frank R. Lautenberg Chemical Safety for the 21st Century Act (PL 114-182). This document was not included in the Obama Administration’s last Unified Agenda and the Trump Administration has not yet published a Unified Agenda.


This is the third OMB submission from the Trump Administration supporting the new TSCA requirements (see here and here).

Tuesday, June 13, 2017

ICS-CERT Publishes 3 Advisories

Today the DHS ICS-CERT published three control system security advisories for products from Trihedral and OSIsoft. ICS-CERT continues to have problems with Siemens security advisories and updates.

PI Web API Advisory


This advisory describes a cross-site request forgery vulnerability in the OSIsoft PI Web API. The vulnerability is self-reported. OSIsoft has produced an upgraded version and provides additional mitigation measures.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability to access the PI System with the privileges of a legitimate client user (write data).

PI Server Advisory


This advisory describes two improper authentication vulnerabilities in the OSIsoft PI Server. The vulnerabilities are self-reported. A new version (not currently available) has been developed that mitigates the vulnerabilities.

ICS-CERT reports that an (uncharacterized skill level) attacker could remotely exploit the vulnerability to spoof a PI Server or cause undefined behavior within the PI Network Manager.

Trihedral Advisory


This advisory describes three vulnerabilities in the Trihedral VTScada product. Karn Ganeshen reported the vulnerabilities. Trihedral has developed a patch to mitigate them. ICS-CERT reports that Ganeshen has verified the efficacy of the fix.

The three reported vulnerabilities are:

• Uncontrolled resource consumption - CVE-2017-6043;
• Cross-site scripting - CVE-2017-6053; and
• Information exposure - CVE-2017-6045

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities, causing uncontrolled resource consumption, arbitrary code execution, or information exposure.

NOTE: the VTScada upgrade notes report that “VTScada logo images are now protected by a checksum. VTScada will not start if these files have been removed or modified. If you wish to create a custom-branded application, contact Trihedral Engineering for licensing.” So a facility running a custom-branded version of the product could be using a vulnerable system without knowing it.

Missing Siemens Advisories and Updates


In addition to the five Siemens WannaCry updates I mentioned yesterday, there are six recently published Siemens advisories and updates that have not been reported by ICS-CERT. They are:

SSA-275839: Denial-of-Service Vulnerability in Industrial Products, June 7th;
SSA-946325: Vulnerabilities in SICAM PAS, June 9th;
SSA-732541: Denial-of-Service Vulnerability in SIPROTEC 4, June 12th;
SSA-293562: Vulnerabilities in Industrial Products, June 13th;
SSA-623229: DROWN Vulnerability in Industrial Products, June 13th; and
SSA-931064: Authentication Bypass in SIMATIC Logon, June 13th

To be fair, it is probably too soon to be concerned about the last four, but the other 7 missing Siemens reports are definitely of concern.


As always thanks to the Siemens @ProductCERT for their tweets about security updates on their products.

CFATS Civil Penalties

Yesterday DHS published a new web page outlining the policy and processes for assessing civil penalties and cease operations orders for the Chemical Facility Anti-Terrorism Standards (CFATS) program. The short web page provides links to two documents; the policy document and a fact sheet. The Infrastructure Security Compliance Division (ISCD) has had (and periodically has used) the authority to issue administrative orders and assess civil penalties. This is the first time that a policy document has been provided outlining the process to be used.

The ten-page policy document should be read carefully by all CFATS covered (and potentially covered) facilities. It outlines the shortcomings that can draw an administrative order, civil penalty assessment, and/or cease operations order (in accordance with 6 CFR 27.300), the method by which ISCD assesses the amount of the penalty, and the subsequent negotiations to reduce assessed penalties.

The policy addresses three separate types of situations where the policy may apply:

• Failure to file violations (Top Screen and SVA/SSP);
• SSP/ASP deficiencies and infractions;
• Chemical-terrorism Vulnerability Information (CVI) infractions.

Unlike some other regulatory agencies of the Federal government (e.g., EPA and OSHA), ISCD has not, does not, and apparently does not plan to publish individual notices of penalty assessments and/or orders issued. This is understandable as it would provide public notice of individual high-risk chemical facilities with less than adequate security measures; surely that would be at the top of any serious terrorist’s wish list.


BTW: There is not currently any mention of this new web page on the CFATS landing page. I expect that we will see that in the next couple of days.

NTIA Attempting to Address Botnet Issues

Today the Department of Commerce’s National Telecommunications and Information Administration (NTIA) published a request for public comment (RFC) in the Federal Register (82 FR 27042-27044) requesting comments on actions that can be taken to address automated and distributed threats to the digital ecosystem. This request is part of the activity directed by the President in Executive Order 13800 (EO 13800).

NTIA is looking for comments on attack mitigation and endpoint prevention strategies to address distributed denial of service (DDoS) attacks that use botnets. NTIA is looking for specific comments on the topics below and any additional insights that might be available. The specific topics include:

• Gaps in existing approaches;
• Potential methods of addressing the problem;
• Role of the Federal government;
• International nature of the problem; and
• User prevention activities.


NTIA is soliciting public comments. Comments may be sent by email (counter_botnet_RFC@ntia.doc.gov). Comments should be submitted by July 13th, 2017.

HR 2774 Introduced – DHS Bug Bounty Program

Last week Rep. Lieu (D,CA) introduced HR 2774, the Hack the Department of Homeland Security (Hack DHS) Act of 2017. This bill is very nearly identical {some minor formatting changes in §2(c)} to S 1281 that was introduced last month.


Unlike in the Senate, neither Lieu nor any of his three cosponsors is a member of the House Homeland Security Committee to which this bill was referred for consideration. This means that it is extremely unlikely that this bill will be considered in the House.

Monday, June 12, 2017

ICS-CERT Publishes WannaCry Update (#9)

Today the DHS ICS-CERT published their first WannaCry update in almost two weeks. The last update was published on May 31st for the alert that was originally published on May 15th, 2017. The update includes a link to new vendor information and a link to the update in the STIX format, a machine readable format for sharing cyber threat information.

The new vendor information comes from Johnson & Johnson. The Update provides a link to a new ‘Security Advisories’ page which contains links to two product advisories; Certus®140 System, and Carto®3 System. No really new information is available in either document.

ICS-CERT kept the original Johnson & Johnson link in the Update. Unfortunately, that link now has nothing to do with WannaCry. All mention was removed leaving it just a generic cybersecurity disclosure reporting page. That link probably should have been removed from the Update.

ICS-CERT did miss reporting on Siemens WannaCry updates for a number of their products, including (thanks to the Siemens ProductCERT for their tweets):

• Ultrasound products, published June 1st;
• Mammography products, published June 1st;
• Multimodality Workplace products, published June 1st;
• Siemens Healthineers products, published June 1st; and
• Advanced Therapy products, published June 9th.

These were mainly just product-update reports.


BTW: I half expected to see an ICS-CERT alert on CrashOverride today since US-CERT came out with their alert today. I’m still reading the Dragos paper but it sounds interesting. More to come, I’m sure.

Committee Hearings – Week of 06-11-17

This week, with both the House and Senate in session, the FY 2018 budget is still the big deal in congressional hearings. There are also three other hearings that may be of specific interest to readers of this blog: the DHS authorization markup and two cybersecurity hearings.

Budget


Because of having to deal with the FY 2017 spending bill earlier this year, Congress is behind in the budgeting/spending process. Hearings this week will be looking at the department budgets. These are high-level discussions of the President’s spending plan; don’t expect much in the way of details.

Hearings of potential interest to readers of this blog include:

• Monday, House, DOD, Armed Services Committee;
• Tuesday, Senate, DOD, Armed Services Committee;
• Wednesday, House, DOT, Appropriations Committee – Subcommittee;
• Wednesday, Senate, DOD, Appropriations Committee – Subcommittee;
• Thursday, House, DOD, Appropriations Committee – Subcommittee;
• Thursday, House, DOT, Appropriations Committee – Subcommittee;
• Thursday, House, EPA, Appropriations Committee – Subcommittee.

DHS Authorization


As I mentioned earlier today, the House Homeland Security Committee will be holding a markup hearing Wednesday on HR 2825, the FY 2018 DHS Authorization Act. There is already a link to the substitute language that the Committee will markup. I expect that we will see additional amendments posted to the site tomorrow afternoon.

Cybersecurity


There will be two cybersecurity related hearings this week. One will look at IOT opportunities and challenges and the other will look at WannaCry.

Tuesday the Digital Commerce and Consumer Protection Subcommittee of the House Energy and Commerce Committee will hold a hearing looking at “Disrupter Series: Update on IOT Opportunities and Challenges”. The witness list includes:

• Mark Bachman, Integra Devices
• Gary D. Butler, Camgian Microsystems Corporation
• Cameron Javdani, Louroe Electronics
• Peter B. Kosak, General Motors North America
• Bill Kuhns, Vermont Energy Control Systems LLC
• William S. Marras, the Spine Research Institute

On Thursday the Oversight Subcommittee and the Research and Technology Subcommittee of the House Science, Space, and Technology Committee will hold a joint hearing on “Bolstering the Government’s Cybersecurity: Lessons Learned from WannaCry”. The witness list includes:

• Salim Neino, Kryptos Logic
• Charles H. Romine, National Institute of Standards and Technology
• Hugh Thompson, Symantec
• Gregory J. Touhill, Carnegie Mellon University

HR 2825 Introduced – FY 2018 DHS Authorization

Last week Rep. McCaul (R,TX) introduced HR 2825, the Department of Homeland Security (DHS) Authorization Act of 2017. While the original title of the bill seemed to imply that it was a technical corrections act, this would actually be (if it is passed) the first authorization bill for DHS since the Department was established in 2002.

As introduced this bill would have minimal effect on the chemical security, transportation security or cybersecurity functions of the department. There are only three provisions of the bill that may be of specific interest to readers of this blog:

• Sec 3 – Definition of congressional homeland security committees;
• Sec 117 – Research and development and CBRNE organizational review; and
• Sec 108 – Office of Strategy, Policy, And Plans.

Congressional Oversight


It looks like §3 is an attempt to consolidate the congressional oversight of DHS to four committees by specifically identifying only those committees in the definition of the term “congressional homeland security committees”. Those four committees are:

• House Homeland Security Committee;
• House Appropriations Committee;
• Senate Homeland Security and Governmental Affairs Committee; and
• Senate Appropriations Committee.

This will almost certainly not directly affect the rules of the House that provide for congressional oversight activities, but it does serve to restrict reporting requirements outlined in this bill.

Interestingly, this bill was assigned only to the House Homeland Security Committee for review instead of the nine committees (for instance) to which HR 6381 (last session’s late-entry attempt at a DHS authorization bill) was assigned. It will be interesting to see if this bill gets to the floor without being considered by any other House Committee.

Chemical Security


Section 117 provides for a formal review of the research activities of the Department, mainly those being conducted by the Science and Technology (S&T) Directorate. The Department would be required to report to the four committees on that review.

Additionally, paragraph (b) of that section would require DHS to undertake a review of the Department’s “chemical, biological, radiological, nuclear, and explosives activities” {§117(b)(1)} with the intent to develop an “organizational structure to ensure enhanced coordination and provide strengthened chemical, biological, radiological, nuclear, and explosives capabilities in support of homeland security” {§117(b)(1)}.

This could potentially affect to whom the Department’s Infrastructure Security Compliance Division (ISCD) (the CFATS people) reports. It would probably not have much actual effect on the operation of that organization.

DHS Organization


Section 108 addresses some of the high-level organizational changes to the Department that McCaul has been calling for for a couple of years. However, instead of specifically calling for a separate cybersecurity element, it outlines the apportionment of the political appointees within the Department. The positions of particular interest to readers of this blog would include:

• Administrator, Transportation Security Administration;
• Assistant Secretary, Infrastructure Protection;
• Assistant Secretary, Office of Cybersecurity and Communications;
• Assistant Secretary for Threat Protection and Security Policy;
• Assistant Secretary for Cyber, Infrastructure, and Resilience Policy.

The TSA Administrator would be appointed by the President with the ‘advice and consent’ of the Senate. The IP Assistant Secretary would not require Senate approval and the remainder would be appointed by the DHS Secretary.

No details are given in the bill for their duties or the organizations which they would oversee.

Moving Forward


McCaul is Chair of the House Homeland Security Committee so this bill will obviously move forward there. In fact, it is slated to be considered in a full committee markup on Wednesday. Interestingly, the Ranking Member is not a cosponsor of this bill, an unusual move on McCaul’s part. It will be interesting to see how much bipartisan support this bill receives in Committee.

The only problem that I see with this bill moving forward is that it would seem to trample on the political prerogatives of a number of Committee Chairs. That would normally doom this bill to languish after the Homeland Security Committee favorably reported it. This problem will become even worse when the House Homeland Security Committee takes up the bill on Wednesday. The Committee will consider substitute language that specifically addresses a number of areas dealing with both TSA and the Coast Guard which would normally have to be considered by the Transportation and Infrastructure Committee.


McCaul has either worked out this change in Congressional Oversight with the House Leadership (a major undertaking that he and his predecessor have been trying to achieve for well over ten years now), or he is trying to pull a fast one. Hopefully it is the former. If it is the latter, this bill will never make it to the floor and he will have poisoned the well of cooperation for any future projects.

Saturday, June 10, 2017

S 1272 Introduced – UAS Rights

Last month Sen. Feinstein (D,CA) introduced S 1272, the Drone Federalism Act of 2017. The bill would outline the limits of the Federal Aviation Administration’s (FAA) authority to preempt State and local regulation of civil unmanned aircraft.

Local Regulations


Section 2 of the bill requires the FAA to specifically define the scope of the preemptive effects of any regulations concerning the operations of civil unmanned aircraft systems (UAS). It then goes on to outline areas where the FAA must preserve the legitimate interests of State, local and tribal governments to {§2(a)(2)}:

• Protect public safety;
• Protect personal privacy;
• Protect property rights;
• Manage land use; and
• Restrict nuisances and noise pollution.

That preserved area of authority is limited to civil unmanned aircraft operated:

• Below 200 feet above ground level; or
• Within 200 feet of a structure.

Further, the bill provides examples of what types of restrictions by State, local and tribal governments the bill envisions. They include {§2(b)(2)}:

• Limitations on speed;
• Prohibitions or limitations on operations in the vicinity of schools, parks, roadways, bridges, or other public or private property;
• Restrictions on operations at certain times of the day or week or on specific occasions such as during parades or sporting events;
• Prohibitions on operations while the operator is under the influence of drugs or alcohol;
• Prohibitions on careless or reckless operations; and
• Other prohibitions that protect public safety, personal privacy, or property rights, or that manage land use or restrict noise pollution.

Personal Property Rights


Section 3 of the bill prohibits the FAA from establishing regulations that “authorize the operation of a civil unmanned aircraft in the immediate reaches of the airspace above property without permission of the property owner” {§3(a)}. The term “immediate reaches of the airspace above property” includes {§3(c)}:

• Any area within 200 feet above the ground level (AGL) of the property;
• Any area within 200 feet above any structure on the property; and
• Any area where operation of the aircraft system could interfere with the enjoyment or use of the property.

In the same section, and also labeled as a measure for the “Affirmation of Applicability of Constitutional Takings Clause Absent Federal Aviation Administration Regulations”, the bill also prohibits the FAA from establishing regulations prohibiting the operation of a civil unmanned aircraft “when flown in the immediate reaches of the airspace above property” {new §336(a)(6) of PL 112-95, Page 126 STAT. 77} when the operator has permission of the property owner.

Moving Forward


While Feinstein is not a member of the Senate Commerce, Science, and Transportation Committee to which this bill was assigned for consideration, two of her co-sponsors {Sen. Lee (R,UT) and Sen. Blumenthal (D,CT)} are. This means that there is a possibility that this bill could be considered in Committee.

The same forces that were responsible for including §336 in the FAA Modernization and Reform Act of 2012 (PL 112-95) will certainly oppose the passage of this bill because it would almost certainly result in a hodgepodge of drone regulations across the country that would affect operators of model aircraft. It is doubtful that this bill, even if it were adopted in Committee (unlikely), could make it to the floor of the Senate for consideration because of that opposition.

Commentary


This bill was substantially written to get around the Congressional limitations on drone regulations included in §336 of the FAA Modernization and Reform Act of 2012. Attempts to nullify those limitations on the FAA’s ability to regulate ‘model aircraft’ have been unsuccessful in Congress. Section 2 of this bill would instead allow State, local and tribal governments to undertake those regulations.

Having said that, §3 of this bill would further limit the ability of the FAA to regulate unmanned aircraft. Specifically, the provisions of §3(2)(b) have apparently been designed to neutralize the FAA’s ability to prohibit the flying of UAS over private property in restricted flight zones like Washington, DC.

What is interesting in that attempt is that it creates an inevitable situation where there is a conflict between the current §336(a)(5) (which allows the FAA to restrict UAS operations within five miles of an airport unless the operator has permission from the control tower) and the new §336(a)(6) (which prohibits the FAA from restricting the operation of UAS within 200 feet AGL above private property when the operator has permission of the property owner). Thus, it would seem that the FAA could not prevent someone from flying a UAS at the boundary fence in the landing pattern of an airport if the operator had permission from the property owner.


An additional point to be made here is that while this bill might allow State, local and tribal governments to establish some regulations for the control of UAS it does nothing to address the very real problems in enforcing those regulations. Since drone registration is still not authorized under §336 (and recently confirmed in federal court) and it is still against the law to interfere in the operation of any aircraft (including UAS) in the National Airspace (18 USC 32), State and local officials are going to have a hard time enforcing any regulations.

Friday, June 9, 2017

S 1281 Introduced – DHS Bug Bounty

Last month Sen. Hassan (D,NH) introduced S 1281, the Hack the Department of Homeland Security (Hack DHS) Act of 2017. The bill would require DHS to set up a pilot program to establish a bug bounty program to minimize vulnerabilities in the information systems of the Department.

Pilot Program


The bill would require that the pilot program include registration and background checks for the security researchers participating in the program. It would provide for bounties to be paid “for reports of previously unidentified security vulnerabilities within the websites, applications, and other information systems of the Department that are accessible to the public” {§2(b)(2)(A)}. The program would be patterned on the DOD’s “Hack the Pentagon” program.

The bill authorizes $250,000 for the pilot program. Since the bill calls for letting competitive contracts for both running the program and remediating the vulnerabilities reported, it is not clear if these funds are for the administrative costs or the bounties. In either case, the amount seems low.

This bill is definitely IT centric as it uses the limited definition of ‘information systems’ found at 44 USC 3502(8). Thus, it would seem to exclude building control systems and security systems used by the Department. Additionally, DHS is required to designate ‘mission critical’ operations within the Department that would be exempt from the program.

Moving Forward


Hassan is not on the Homeland Security and Governmental Affairs Committee to which this bill has been assigned for consideration. All three of her cosponsors are (with two being fairly high-ranking Democrats) so there is a distinct possibility that the bill could be considered in Committee.

I do not see anything within the bill that would engender any significant opposition to the bill, either in committee or on the floor of the Senate.

Commentary


The one thing missing from this bill is any discussion about the publication of the vulnerabilities reported in the program. Presumably, most of the software involved will be commercial software, so there would be a public interest in having coordinated disclosures of the vulnerabilities in publicly available software. Disclosures in DHS custom or proprietary software could certainly be argued against.

An interesting point is raised in this bill. Section 2(b)(2)(B) specifically requires the Department to “consult with the Attorney General on how to ensure that computer security specialists and security researchers who participate in the pilot program are protected from prosecution under section 1030 of title 18, United States Code, and similar provisions of law for specific activities authorized under the pilot program”.


This strikes me as a tad bit paranoid since the researchers are having to register with DHS to participate in the program. This means that they would be accessing the systems with permission which would preclude prosecution under §1030. That some researchers would request specific written permission with §1030 in mind would be understandable (security researchers should be paranoid), but for this verbiage to be included in the bill would seem to indicate an unusual level of paranoia in a Senate staffer (they write the bills in most cases) or someone is trying to make points with the cybersecurity community.

Bills Introduced – 06-08-17

Yesterday as the House and Senate adjourned for the weekend, there were 68 bills introduced. Two of those bills may be of specific interest to readers of this blog:

HR 2825 To amend the Homeland Security Act of 2002 to make certain improvements in the laws administered by the Secretary of Homeland Security, and for other purposes. Rep. McCaul, Michael T. [R-TX-10]

HR 2831 To improve the port and maritime security functions of the Department of Homeland Security, and for other purposes. Rep. Rutherford, John H. [R-FL-4]

HR 2825 is probably a series of technical corrections to current laws. I will only cover it here if there are interesting or significant changes to chemical security, surface transportation security or cybersecurity provisions.

I suspect that HR 2831 will also be a series of technical corrections, but this is more likely to receive detailed coverage in this blog.

Thursday, June 8, 2017

Two Transportation Reg Rollback Initiatives Published Today

Today DHS and DOT published separate notices in the Federal Register (82 FR 26632-26634 and 82 FR 26734-26735) requesting public feedback on potential rules and regulations that should be reviewed for potential elimination under President Trump’s regulatory rollback initiative (EO 13777). The DHS initiative addresses Coast Guard regulations, guidance documents, and interpretative documents that could be repealed, replaced, or modified. The DOT effort is a Department-wide look at existing policy statements, guidance documents, and regulations to identify unnecessary obstacles to transportation infrastructure projects.

Coast Guard


DHS is looking for input on Coast Guard regulations that:

• Eliminate jobs, or inhibit job creation;
• Are outdated, unnecessary, or ineffective;
• Impose costs that exceed benefits;
• Create a serious inconsistency or otherwise interfere with regulatory reform initiatives and policies;
• Are inconsistent with the requirements of section 515 of the Treasury and General Government Appropriations Act, 2001 (44 U.S.C. 3516 note), or the guidance issued pursuant to that provision, in particular those regulations that rely in whole or in part on data, information, or methods that are not publicly available or that are insufficiently transparent to meet the standard of reproducibility; or
• Derive from or implement Executive Orders or other Presidential directives that have been subsequently rescinded or substantially modified.

Specifically, DHS is looking to review regulations found in:


They are also planning on looking at guidance documents and information collection requests.

DHS is soliciting public comments. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # USCG-2017-0480). Comments should be submitted by July 10th, 2017.

DOT


The DOT initiative published today takes a slightly different tack. They are specifically trying to identify regulations, guidance documents and policies that unjustifiably delay or prevent completion of surface, maritime, and aviation transportation infrastructure projects. They want information that identifies:


DOT is soliciting public comments. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # OST-2017-0057). Comments should be submitted by July 24th, 2017.

Commentary


Regardless of how you might feel about the current administration, it is almost certainly a good idea to periodically review the current regulatory environment to ensure that outdated, outmoded or even ineffective regulations are modified or removed. There are statutory processes in place for internal departmental reviews, but no government employee is going to be able to identify or even understand all of those regulations that cause unnecessary pain and economic hardships in the regulated community.


Having said that, it should be remembered that no executive branch department can change regulatory requirements specifically mandated by Congress. Those will require legislative changes, something that can only be suggested by the Administration. This is briefly addressed in the DOT project.

Bills Introduced – 06-07-17

Yesterday, with both the House and Senate in session, there were 49 bills introduced. Of those, three may be of specific interest to readers of this blog:

HR 2807 To amend title 10, United States Code, to require congressional notification concerning sensitive military cyber operations and cyber weapons, and for other purposes. Rep. Thornberry, Mac [R-TX-13]

HR 2810 To authorize appropriations for fiscal year 2018 for military activities of the Department of Defense and for military construction, to prescribe military personnel strengths for such fiscal year, and for other purposes. Rep. Thornberry, Mac [R-TX-13]

HR 2812 To direct the President to develop a strategy for the offensive use of cyber capabilities, and for other purposes. Rep. Correa, J. Luis [D-CA-46] 

I promise that this is not being turned into a military blog (GRIN), but military cyber weapons and strategy will probably have a serious impact on cybersecurity for control systems in critical infrastructure. We should certainly, for example, be prepared to defend critical infrastructure facilities from those types of control system attacks that our military contemplates executing against such facilities in enemy countries.

I will be watching HR 2807 for the critical definitions involved in outlining ‘sensitive military cyber operations and cyber weapons’ to see if Congress is intending to keep an eye on counter control system operations.

As always, I watch the military authorization and spending bills for cybersecurity provisions.


Last session there were a number of efforts (see HR 2708, HR 3039, and HR 5220 for example) related to requiring the President to establish norms for deciding what types of cyber-attacks would be considered ‘acts of war’. It will be interesting to see how HR 2812 differs from these earlier unsuccessful attempts.

Wednesday, June 7, 2017

Bills Introduced – 06-06-17

With both the House and Senate in session there were 35 bills introduced yesterday. Of those, two may be of specific interest to readers of this blog:

HR 2774 To establish a bug bounty pilot program within the Department of Homeland Security, and for other purposes. Rep. Lieu, Ted [D-CA-33]

HR 2778 To direct the Secretary of Transportation to establish a Smart Technology Traffic Signals Grant Program, and for other purposes. Rep. Cardenas, Tony [D-CA-29]

HR 2774 is probably a companion bill to S 1281 which I have not yet seen.


I will only report on HR 2778 if it includes cybersecurity provisions.

Tuesday, June 6, 2017

ICS-CERT Publishes Two Advisories

Today the DHS ICS-CERT published two control system security advisories for products from Digital Canal Structural and Rockwell.

Digital Canal Advisory


This advisory describes a stack-based buffer overflow vulnerability in the Digital Canal Wind Analysis structural engineering analysis software. The vulnerability was reported by Peter Cheng. Digital Canal reports that the current version mitigates the vulnerability. There is no indication that Cheng has verified the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to cause the device that the attacker is accessing to become unavailable, resulting in a denial of service.

Rockwell Advisory


This advisory describes a missing authorization vulnerability in the Rockwell PanelView Plus 6 700-1500. The vulnerability was self-reported by Rockwell. Rockwell has identified firmware versions that mitigate the vulnerability. Rockwell also reports that graphic terminals running OS 2.31 or greater are not affected by this vulnerability.


ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to remotely access the device to potentially retrieve data or disrupt the availability of the device.