Tuesday, January 31, 2017

Electric Sector Cybersecurity Hearing Update

The House Energy and Commerce Committee updated their web site with additional information about tomorrow’s hearing on “The Electricity Sector's Efforts to Respond to Cybersecurity Threats”. The web site now lists the witnesses and provides a link to the testimony that they will give.

• Gerry W. Cauley (statement), North American Reliability Corporation (NERC);
• Scott L. Aaronson (statement), Edison Electric Institute (EEI);
• Barbara Sugg (statement), Southwest Power Pool (SPP); and

• Chris Beck (statement), The Electric Infrastructure Security Council (EIS Council)

ICS-CERT Publishes Two Advisories and Updates Another

Today the DHS ICS-CERT published two control system security advisories for products from Ecava and BINOM3. They also updated a previously published advisory for products from Moxa; that advisory was originally published on October 13th, 2016.

Ecava Advisory


This advisory describes an SQL injection vulnerability in the Ecava IntegraXor. The vulnerability was reported by Brian Gorenc and Juan Pablo Lopez via the Zero Day Initiative. Ecava has produced a software update to mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability. That exploit could lead to arbitrary data leakage, data manipulation, and remote code execution.

BINOM3 Advisory


This advisory describes multiple vulnerabilities in the BINOM3 Electric Power Quality Meter. The vulnerability was reported by Karn Ganeshen. ICS-CERT reports that BINOM3 has not provided any mitigation measures for these vulnerabilities.

The reported vulnerabilities are:

• Cross-site scripting - CVE-2017-5164;
• Improper access control - CVE-2017-5162;
• Cross-site request forgery - CVE-2017-5165;
• Information exposure - CVE-2017-516; and
• Hard-coded password - CVE-2017-5167.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities. Such an exploit could cause the device to inaccurately report a range of electrical quality measurements.

Format Update


Just a quick note that ICS-CERT has made another modification to their new advisory format. They have added a new section; Background. It provides information about the vulnerable device/application including affected sectors, where the device/application is used, and where the vendor is located.

Moxa Update


This update provides new information, including:

• Notification that the vulnerabilities also affect the ioLogik E2200 series devices;
• Provides affected version information for the ioLogik E2200 series devices; and
• Links for downloads of the firmware updates for the ioLogik E2200 series devices.


S Res 23 Introduced – Select Committee on Cybersecurity

Last week Sen. Gardner (R,CO) introduced S Res 23, Establishing the Select Committee on Cybersecurity. The resolution would establish a new committee in the Senate tasked with the oversight of cybersecurity matters in the Federal government.

Membership


The Committee would consist of the Chair and the Ranking Member (or their designees) from the {§1(c)}:

• Committee on Appropriations;
• Committee on Armed Services;
• Committee on Banking, Housing, and Urban Affairs;
• Committee on Commerce, Science, and Transportation;
• Committee on Foreign Relations;
• Committee on Homeland Security and Governmental Affairs;
• Committee on Intelligence; and
• Committee on the Judiciary.

Five additional members from the Senate would be appointed; three by the Majority Leader and two by the Minority Leader.

Jurisdiction


The resolution would authorize the Select Committee to{§1(b)}:

• To oversee and make continuing studies of and recommendations regarding cybersecurity threats to the United States; and
• Report by bill or otherwise on matters within its jurisdiction.

The resolution would require bills to be referred to the Select Committee for consideration if they relate to {§1(e)}:

• Domestic and foreign cybersecurity risks (including state-sponsored threats) to the United States;
• The activities of any department or agency relating to preventing, protecting against, or responding to cybersecurity threats to the United States, and relevant incidents or actions;
• The organization or reorganization of any department or agency to the extent that the organization or reorganization relates to a function or activity involving preventing, protecting against, or responding to cybersecurity threats to the United States, and relevant incidents or actions; and
• Authorizations for appropriations, both direct and indirect, for preventing, protecting against, or responding to cybersecurity threats to the United States, and relevant incidents or actions.

Moving Forward


Neither Gardner nor his sole cosponsor {Sen. Coons (D,DE)} are members of the Committee on Rules and Administration (the committee to which the resolution was referred for consideration), so it is extremely unlikely that that Committee will take action on the bill. While some of the most affected committees in the Senate would be represented on the Select Committee, the formation of this Committee would serve to dilute (at least to some extent) the power of all of the existing committee chairs and ranking members. That will probably provide for sufficient opposition to the bill to prevent it from being considered by the whole Senate even if the bill did make it out of committee.

Commentary


Industrial control systems are not specifically mentioned in the resolution. The key definition in this resolution is a ‘new’ term; ‘cyberspace’. That term is defined as “the global domain within the information environment consisting of the interdependent network of information systems infrastructures (including the Internet, telecommunications networks, computer systems, and embedded processors and controllers)” {§1(a)(3)}.

While that definition would seem to exclude industrial control systems, that is probably not as important as it would be in legislation pertaining to the Executive branch operation or the regulation of the private sector. What bills are referred to a committee is not exactly a legal matter, it is more of a political decision. Matters related to industrial control system security would almost certainly come under the actual purview of the Select Committee.

The important thing to remember here is that the Select Committee would not have exclusive jurisdiction over matters relating to cybersecurity. Where existing committees already have jurisdiction (for example the Homeland Security and Governmental Affairs Committee) over related matters, that jurisdiction would now be shared. For example, a cybersecurity bill giving DHS regulatory authority would be referred to both the HSGA Committee and the Select Committee for consideration and either could effectively kill the bill by failing to consider it.

The one upside to this resolution would be that the professional staff (and the political staff probably) would almost certainly contain a much higher concentration of cybersecurity professionals than any other committee in the Senate. This could allow for a much better technical analysis of (and hopefully influence on) cybersecurity issues. Where that underpaid staff would come from is an interesting question; most would probably come directly out of graduate schools.


Weighing the pros and cons of this bill, I would support the establishment of the Select Committee. I think that the existence of a professional staff with a strong cybersecurity background could end up being enough of a benefit to outweigh the formation of a new political silo in the Senate.

Monday, January 30, 2017

Committee Hearings – Week of 01-29-17

With both the House and Senate back in town this week the number of committee hearings scheduled begins to approach normal. Of the hearings scheduled this week there is one that may be of specific interest to readers of this blog; electric sector cybersecurity.

Respond to Cybersecurity Threats


On Wednesday the Energy Subcommittee of the House Energy and Commerce Committee will hold a hearing on “The Electricity Sector's Efforts to Respond to Cybersecurity Threats”. No witness list has yet been made available.

On the Floor


As I have mentioned in a couple of posts, the House will take up a number of homeland security related bills on Tuesday under their suspension of rules procedures. These procedures allow for limited debate (typically 40 minutes of mostly praise for the bill), no amendments, and a super majority required for passage. Bills considered under these procedures typically have significant bipartisan support.

Bills of interest in Tuesdays list include:

HR 437 – Medical Preparedness Allowable Use Act (Sponsored by Rep. Gus Bilirakis (R,FL) / Homeland Security Committee)
HR 612 – United States-Israel Cybersecurity Cooperation Enhancement Act of 2017 (Sponsored by Rep. James Langevin (D,RI) / Homeland Security Committee)

HR 677 – CBRN Intelligence and Information Sharing Act of 2017 (Sponsored by Rep. Martha McSally (R,AZ) / Homeland Security Committee)

HR 677 Introduced – CBRN Intelligence

Last week Rep. McSally (R,AZ) introduced HR 677, the CBRN Intelligence and Information Sharing Act of 2017. The bill would require DHS to establish chemical, biological,
radiological, and nuclear intelligence and information sharing functions of the Office of
Intelligence and Analysis. The bill is nearly identical to HR 2200 that was passed in the House in the 114th Congress.

This bill continues to maintain an almost unreasonable emphasis on the biological aspect of the CBRN threat. Again, the only mention of the private sector in the information sharing portion of the bill remains the reference to “relevant national biosecurity and biodefense stakeholders” {§210G(a)(5)}.


This bill is moving to the floor of the House this week. It will be considered on Tuesday as part of a number of homeland security related bills to be considered under suspension of the rules. It will almost certainly pass with substantial bipartisan support. It will be interesting to see if this bill continues to be ignored in the Senate.

Sunday, January 29, 2017

HR 612 Introduced – Cybersecurity Research

Earlier this week Rep. Langevin (D,RI) introduced HR 612, the United States-Israel Cybersecurity Cooperation Enhancement Act of 2017. The bill would establish a grant program to support joint cybersecurity research by US and Israeli organizations. The bill is essentially the same as HR 5843 that was passed in the House in the 114th Congress (not covered in this blog).

The bill provides no new funding to support the grants.

The bill could cover industrial control system cybersecurity research projects. This is based upon the definition of ‘cybersecurity threat’ used in the bill {§2(d)(3)}. It uses the definition from Cybersecurity Information Sharing Act of 2015 {Title I of Division N, PL 114-113; 6 USC 1501(5)} which in-turn relies on the broader definition of ‘information system’ from the same source.

Moving Forward


This bill is currently scheduled for a vote on Tuesday under the House suspension of the rules procedure. This provides for limited debate, no floor amendments and a super majority for passage. Consideration under this process signifies that the House leadership expects broad, bipartisan support for the bill.


If the bill makes it to the floor in the Senate (an open question as it is too early in the new Congress to tell how well the Senate is going to work), the bill would almost certainly be considered under the unanimous consent process.

Saturday, January 28, 2017

S 79 Introduced – Energy Sector Security

Earlier this month Sen. King (I,ME) introduced S 79, the Securing Energy Infrastructure Act. It would require the Secretary of Energy to establish a 2-year pilot program to study control system security in the energy sector. The pilot program would be funded at $10 Million for the 2-year study. This bill is essentially the same as S 3018 introduced late in the 114th Congress; that bill saw no action in committee. Attentive readers might recall that I suggested a letter writing campaign to support that bill.

I am not going to repeat the detailed explanation of the bill since I covered that in my post on the introduction of S 3018. I would like to address two items that I did not mention in that earlier post; the definition of ‘industrial control system’ and the use of the term ‘cyber-informed engineering'.

Industrial Control System


The bill defines ‘industrial control system’ as “an operational technology used to measure, control, or manage industrial functions” {§(2)(3)(A)}. That definition is expanded in sub-paragraph (B) to specifically include “supervisory control and data acquisition systems, distributed control systems, and programmable logic or embedded controllers”.

The initial definition could clearly be interpreted to include manual control systems with no electronic component. This is important because later in the bill ‘physical controls’ (as opposed to digital or analog) are one concept that is suggested as a way to avoid the security vulnerabilities in existing systems.

Cyber-Informed Engineering


This term was first used in S 2943, the FY 2017 National Defense Authorization Act. There it was used to describe a pilot program the DOD would run “to increase the resilience of military installations against cybersecurity threats and prevent or mitigate the potential for high-consequence cyberattacks” {§1634(a)}. The Armed Services Committee report (S Rept 114-255) provides a more detailed explanation:

“A consequence-driven, cyber-informed engineering approach is based on an evaluation of the operating environment that discriminates between targeted and indiscriminate attacks, analyzes vulnerabilities beyond traditional Information Technology security, and addresses systems created to control critical infrastructure that were designed primarily to meet engineering requirements with little or sometimes no consideration of security requirements.”

In S 79 the term shows up in the §4 description of the working group. In the second portion of the description of the working group purpose the bill it states that the working group will “develop a national cyber-informed engineering strategy to isolate and defend covered entities from security vulnerabilities and exploits in the most critical systems [emphasis added] of the covered entities” {§4(a)(2)}.

This sounds very much like how safety systems are configured in chemical operations. The sensors and actuators of safety systems are isolated from the active control system so that a failure (or compromise) of components of the control system cannot affect the proper operation of the safety system. And those safety systems are only designed to protect against catastrophic failure of the chemical manufacturing system, not general failures of the control scheme to maintain product quality or process efficiency.

As I mentioned in my post about S 2943, there is an interesting paper from 2015 published by the Idaho National Laboratory (INL) about the concept of ‘cyber-informed engineering’ (Note: the link in the original post is no longer good, it has been corrected.)

Moving Forward


In the last session, this bill had bipartisan support in the Senate Energy and Natural Resources Committee and it does again this session. I suspect that the reason that the bill did not move forward in the last session was due to its late introduction and short amount of time available.


The biggest thing stopping this bill from moving forward is the spending authorization for the pilot program ($10 million) and the inclusion of spending authorization for the working group activities ($1.5 million). While that is not a great deal of money (at Federal spending levels), it is money that will have to come from somewhere. Figuring out the spending offsets for that §11.5 million will take some doing. Once that is accomplished, this bill should be able to move forward pretty easily if it makes it to the floor.

Friday, January 27, 2017

S 88 Introduced – IOT Support

Earlier this month Sen. Fischer (R,NE) introduced S 88, the Developing Innovation and Growing the Internet of Things Act or “DIGIT Act”. The bill would establish a working group within the Executive Branch to provide recommendations to Congress on how to plan and encourage the growth of IoT. The bill was adopted without amendment in a markup hearing before the Senate Commerce, Science and Transportation Committee this week.

This bill is very similar to S 2607 introduced in the 114th Congress and adopted by the same Committee. That bill never made it to the floor of the Senate.

Working Group


The bill would establish working group of Federal stakeholders to advise Congress on the internet of things (IOT). The working group would {§4(b)}:

• Identify any Federal regulations, statutes, grant practices, budgetary or jurisdictional challenges, and other sector-specific policies that are inhibiting or could inhibit the development of the Internet of Things;
• Consider policies or programs that encourage and improve coordination among Federal agencies with jurisdiction over the Internet of Things; and
• Consider any findings or recommendations made by the steering committee and, where appropriate, act to implement those recommendations.

The working group would also specifically look at how the Federal agencies will be affected by IOT. Included in that review is a requirement to look at security measures those agencies may need to take to {§4(b)(4)(D)}:

• Safely and securely use the Internet of Things; and
• Enhance the resiliency of Federal systems against cyber threats to the internet of things.

The working group would be advised by a steering committee established within the Department of Commerce. The steering committee would consist of personnel from outside of the government including experts from both the tech sector and other industrial sectors that could benefit from the use of IOT. The steering committee is tasked in looking at (among other things) three security related issues relating to IOT {§4(e)(2)(C)}:

• Promote or are related to the privacy of individuals who use or are affected by IOT;
• May enhance the security of IOT; and
• May protect users of IOT.

Moving Forward


Early action on S 88 in committee would seem to indicate that Fischer has the support of the Chair in proceeding with moving S 88 to the floor of the Senate. Whether or not that support will be enough to actually get the bill to the floor remains to be seen. With no funding or new regulations being authorized by the bill, there should be no impediment to this bill being passed in either house if it is actually considered. In the Senate, this bill would probably be considered under the unanimous consent provisions.

Commentary


There have been subtle changes in the wording of this bill with respect to the cybersecurity challenges associated with IOT. Whether or not those changes have any real effect on the recommendations that are made to congress as a result of the studies required in this bill remain to be seen.

I am still concerned that the relatively minor mentions of IOT security in this bill reflect a gross misapprehension of the problems that we have already seen with IOT security issues. There is no mention, for example, in the rather extensive findings section of the bill about how some recent denial of service attacks have utilized bot nets that consist mainly of inadequately secured IOT devices.

I am also concerned that ICS-CERT is not specifically mentioned in the list of agencies to be represented in the working group. While DHS is listed, ICS-CERT (the only agency specifically working on security issues for IOT type devices) is not listed. The Department of Commerce listing, on the other hand, specifically includes three technical agencies (NTIA, NIST, and NOAA) from the Department.


The lack of funding also concerns me. The committee eport on S 2607 (S Rept 114-364) last session contained the mandatory report from the Congressional Budget Office on the cost of the legislation. The CBO estimated that the working group and steering group would incur administrative costs of about $3 million (pg 5). That money would come from the budgets of the agencies involved in the activity. While $3 million is chump change in the federal government, it does have to come from somewhere and failing to account for that spending in bills like this is political slight-of-hand at best and dishonest accounting in practice.

Thursday, January 26, 2017

ICS-CERT Publishes Two Advisories

Today the DHS ICS-CERT published two control system security advisories for products from Belden and Eaton.

Belden Advisory


This advisory describes a path traversal vulnerability in the Belden Hirschmann GECKO. The vulnerability was reported by Davy Douhine of RandoriSec. Belden produced a new version to mitigate the vulnerability. There is no indication that Douhine was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a highly skilled attacker could remotely exploit this vulnerability to access a copy of the configuration file of an affected device without authenticating, exposing sensitive information. The Belden Security Bulletin notes that only administrators that are using the configuration download feature are affected.

Eaton Advisory


This advisory describes path traversal vulnerability in legacy Eaton ePDUs. The vulnerability was reported by Maxim Rupp. The affected products are no longer supported; Eaton suggests using defense in depth mitigation measures if the devices are not replaced.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to access configuration files.


NOTE: For some reason this vulnerability was presented in last year’s format. I’ve already gotten so used to the new format that this reversion feels odd. Oh well….

Wednesday, January 25, 2017

Bills Introduced – 01-24-17

With both the House and Senate leaving for an extended weekend (a proforma session for both houses on Friday) there were 152 bills introduced. Of those 9 bills may be of specific interest to readers of this blog:

HR 625 To provide for joint reports by relevant Federal agencies to Congress regarding incidents of terrorism, and for other purposes. Rep. Aguilar, Pete [D-CA-31]

HR 642 To amend the Homeland Security Act of 2002 to enhance the partnership between the Department of Homeland Security and the National Network of Fusion Centers, and for other purposes. Rep. Barletta, Lou [R-PA-11]

HR 666 To amend the Homeland Security Act of 2002 to establish the Insider Threat Program, and for other purposes. Rep. King, Peter T. [R-NY-2]

HR 677 To amend the Homeland Security Act of 2002 to establish chemical, biological, radiological, and nuclear intelligence and information sharing functions of the Office of Intelligence and Analysis of the Department of Homeland Security and to require dissemination of information analyzed by the Department to entities with responsibilities relating to homeland security, and for other purposes. Rep. McSally, Martha [R-AZ-2]

HR 678 To require an assessment of fusion center personnel needs, and for other purposes. Rep. McSally, Martha [R-AZ-2]

HR 686 To ensure appropriate spectrum planning and interagency coordination to support the Internet of Things. Rep. Paulsen, Erik [R-MN-3]

HR 697 To amend the Homeland Security Act of 2002 to improve the management and administration of the security clearance processes throughout the Department of Homeland Security, and for other purposes. Rep. Thompson, Bennie G. [D-MS-2]

HR 701 To direct the Administrator of the National Highway Traffic Safety Administration to conduct a study to determine appropriate cybersecurity standards for motor vehicles, and for other purposes. Rep. Wilson, Joe [R-SC-2] 

S Res 23 A resolution establishing the Select Committee on Cybersecurity. Sen. Gardner, Cory [R-CO]

HR 625 will only be of interest here if it includes specific language addressing cybersecurity, chemical security, or chemical transportation security issues.

Hopefully HR 642 will also address the types of expertise needed at fusion centers.

HR 666 will probably be reintroduced to avoid the religious connotations of the bill number.

HR 677 is probably very similar to HR 2200 introduced in the last session and passed in the House by a nearly unanimous vote. Another bill that was not taken up by the Senate.

HR 678 is probably similar to HR 3503 introduced in the last session and passed by a voice vote. And yet another one.

I suspect that HR 686 is a companion bill to S 88 introduced earlier this month in the Senate.

HR 697 may be similar to HR 3505 introduced in the last session. I did not cover that bill because it did not really address the security clearance process for the private sector organizations to aid information sharing.

Hopefully HR 701 will specifically address the relationship between independent security researchers, NHTSA and auto companies.


Establishing a Select Committee on Cybersecurity sounds like a way to raise the profile of cybersecurity issues. Unfortunately, it will also make law making on the topic more difficult as it will add another committee silo through which cybersecurity related bills will have to pass. Inter-committee politics does almost as much to slow down the legislative process as does partisan politics.

Tuesday, January 24, 2017

ICS-CERT Publishes Advisory and Updates Another

Today the DHS ICS-CERT published a control system security advisory for a product from Schneider Electric and updated another for a product from GE.

Schneider Advisory


This advisory describes a credentials management vulnerability in the Schneider Electric Wonderware Historian. The vulnerability was reported by Ruslan Habalov and Jan Bee of the Google ISA Assessments Team. Schneider has provided work around instructions to mitigate the vulnerability. There is no indication that the researchers have been provided the opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to compromise Historian databases.

GE Update



This update provides additional information on the security advisory covering the GE GE Proficy Human-Machine Interface/Supervisory Control and Data Acquisition (HMI/SCADA) iFIX, Proficy HMI/SCADA CIMPLICITY, and Proficy Historian software. That advisory was originally published on January 17th, 2017. The update provides a link to the GE Product Security Advisory for the vulnerability. That GE document provides workaround data that can be used if upgrading is not a timely or workable alternative.

Bills Introduced – 01-23-17

With both the House and Senate in session yesterday there were 34 bills introduced. Of those, only one may be of specific interest to readers of this blog:

HR 612 To establish a grant program at the Department of Homeland Security to promote cooperative research and development between the United States and Israel on cybersecurity. Rep. Langevin, James R. [D-RI-2] 


As with a similar bill last session (HR 5843) I will only be following this bill if it includes specific control system security provisions.

S 133 Introduced – FY 2017 Intelligence Authorization

Earlier this month Sen. Burr (R,NC) introduced S 133, the Intelligence Authorization Act for Fiscal Year 2017. Last Friday the Senate Select Committee on Intelligence reported the bill favorably without amendment. There are two cybersecurity provisions that may be of interest to readers of this blog:

Sec. 312. Assistance for nationally significant critical infrastructure.
Sec. 614. Report on cybersecurity threats to seaports of the United States and maritime shipping.

CI Assistance


Section 312 would authorize elements of the intelligence community, through the Under Secretary for Intelligence and Analysis of the Department of Homeland Security, to provide assistance to covered critical infrastructure facilities “to reduce the risk of regional or national catastrophic harm caused by a cyber attack (sic) against covered critical infrastructure” {§312(c)}.

A key term used in §312 is ‘covered cybersecurity asset’ which is defined as “an information system or industrial control system [emphasis added] that is essential to the operation of covered critical infrastructure” {§312(a)(2)}.

The bill describes the type of assistance to be provided by the intelligence community. It includes {§312(e)(2)}:

• Activities to develop a national strategy to effectively leverage intelligence community resources made available to support the program;
• Activities to consult with the Director of National Intelligence and other appropriate intelligence and law enforcement agencies to identify within the existing framework governing intelligence prioritization, intelligence gaps and foreign intelligence collection requirements relevant to the security of covered cyber assets and covered critical infrastructure;
• Activities to improve the detection, prevention, and mitigation of espionage conducted by foreign actors against or concerning covered critical infrastructure;
• Activities to identify or provide assistance related to the research, design, and development of protective and mitigation measures for covered cyber assets and the components of covered cyber assets; and
• Activities to provide technical assistance and input for testing and exercises related to covered cyber assets.

Cybersecurity Threats to Seaports


Section 614 would require the Under Secretary of Homeland Security for Intelligence and Analysis to submit a report to Congress on cybersecurity threats to seaports and maritime shipping. The report would address “the cybersecurity threats to, and the cyber vulnerabilities within, the software, communications networks, computer networks, or other systems” {§614(a)}. While it does not specifically address control systems, the ‘other systems’ mention probably provides for coverage of that topic.

In addition to a report on any recent cyberattacks or cybersecurity threats, the bill would require an assessment of{§614(b)}:

• Any planned cyberattacks directed against such software, networks, and systems;
• Any significant vulnerabilities to such software, networks, and systems; and
• How such entities and concerns are mitigating such vulnerabilities.

While not specifically stated, the report will almost certainly be classified because of the requirement to be “consistent with the protection of sources and methods” {§614(a)}.

Moving Forward



This bill was supposed to have been a ‘must pass’ bill in the last session. The House passed three slightly different versions of an intel authorization bill and the Senate Select Committee on Intelligence marked up their own version of such a bill, but nothing made its way to the Senate floor. With most of the players remaining the same in the Senate, it will be interesting to see if the change in administration has any potential effect on the consideration of this bill.

Monday, January 23, 2017

Committee Hearings – Week of 1-22-17

This will be a very short (two-day) week for both the House and Senate and there will be relatively few congressional hearings as a result. Most of the scheduled hearings in the House will be organizational in nature and will include the Appropriations Committee and the Energy and Commerce Committee. Most of the scheduled hearings in the Senate will be confirmation hearings. There is one markup hearing scheduled in the Senate that may be of specific interest to readers of this blog.

The Senate Commerce, Science and Technology Committee will hold a markup hearing tomorrow. In addition to voting on the nomination of Elaine Cho to be the Secretary for the Department of Transportation the Committee will markup a number of bills; including S 88, the Developing Innovation and Growing the Internet of Things Act or “DIGIT Act”.

The GPO has not yet published an official copy of this bill yet (probably today or tomorrow) so I have not yet posted my review of the bill. The Committee web site does include a link to the Committee draft of the bill. As expected is quite similar to the version of S 2607 that was reported out of the same Committee last session. That bill never made it to the floor for a vote.

A quick review of the Committee draft does show that there has been a minor cybersecurity provision added to the bill, but it is only found in the portion of the bill that deals with Federal agency use of IOT devices. More on that when I see the official version of the bill.

Sunday, January 22, 2017

TSA Security Training NPRM – Training Program Requirements

This is part of a continuing series of blog posts about the recent TSA NPRM on security training for surface transportation organizations. Earlier posts in the series included:


In this blog post I will look at the requirements laid out in the NPRM for the training programs mandated by Congress.

General Requirements


The training program general requirements are included in three separate modal sections of the proposed rule; §1580.113 (FR), §1582.113 (PT), and §1584.113 (OTRB). The requirements under each of these sections is essentially the same and include information on:


TSA is being very careful to be as non-prescriptive as possible in each of these requirements. For the most part they are simply outlining what information that will be submitted to TSA as part of the training plan approval process. For example, in the preamble discussion about methods for determining effectiveness of training, TSA explains:

“TSA would afford flexibility to each individual owner/operator to measure effectiveness of their security training program using methods and criteria appropriate for their operations. TSA does not prescribe the method in the proposed rule, but does propose that every training program specify the manner and method by which the effectiveness of the training program would be evaluated by the owner/operator.”

Even where there is specific requirements for actions on the part of owner operators, for example when changes in security plans or operations are made, the rule calls for the owner/operator to provide information about how those changes to previously received training would be communicated to employees. It does not prescribe how those changes would be communicated.

Security Training and Knowledge


Again, the specific training requirements are spelled out in the three separate modal sections; §1580.113 (FR), §1582.113 (PT), and §1584.115 (OTRB). Most of the wording in the three separate sections is the same except where the freight railroad requirements include specific information supporting current security requirements of the existing §1580 and §174.9.

In addressing the knowledge requirements to be covered in the security training, TSA breaks those elements into four broad categories: prepare, observe, assess, and respond. Interestingly, the preamble discussions of these requirements frequently refer to ‘security plans or measures’. This rulemaking does not mandate the preparation of security plans; that is being addressed in a separate rulemaking.

Other Training Programs


Congress mandated for the freight railroad and OTRB training programs that TSA should “take into consideration any current security training requirements or best practices” {6 USC §1167(a) and §1184(a)} in establishing this training regulation. The preamble to the NPRM addresses this issue while noting that they expect that “additional training would be needed for some of the knowledge required by the ‘prepare’ category of training in proposed §§ 1580.115(c), 1582.115(c), and 1584.115(c)”. The other training programs discussed include those addressed in:


Additionally, the TSA recognizes that there are existing security training programs that are voluntarily in use by many organizations that could be used to fulfill portions of the training requirements outlined in this NPRM. They include:

First Observer™; and

Saturday, January 21, 2017

PSM Covered Chemical Facilities National Emphasis Program

Earlier this week the Occupational Health and Safety Administration (OSHA) published guidelines for the implementation of a new chemical facilities national emphasis program (NEP). The guidelines replace those issued in 2011 for a similar NEP.

There are two interesting programmatic changes in the new NEP. First, OSHA is expanding the list of eligible EPA’s Risk Management Program facilities that will be included in the Process Safety Management (PSM) NEP inspection list from just Program 3 facilities to facilities from Programs 1, 2 and 3. Finally, the NEP encourages OSHA inspectors to review reports submitted for the RMP to familiarize themselves with facility processes before the inspection. Both of these changes are almost certainly an outgrowth of chemical safety program coordination requirements from Obama’s Chemical Safety and Security Executive Order (EO 13650).


PHMSA Publishes Train Consist ANPRM

Earlier this week the DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) published an advance notice of proposed regulation (ANPRM) in the Federal Register (82 FR 6451-6456) concerning electronic train consists for Class 1 railroads that transport hazardous materials. This rulemaking supports a congressional mandate from the Fixing America's Surface Transportation (FAST) Act of 2015 (§7302, PL 114-94).

Section 7302 required the DOT Secretary to issue these regulations within one year of the passage of HR 22 which occurred on December 4th, 2015. This would authorize DOT to go directly to a final rule. Instead DOT is publishing this ANPRM to gather data to support the Regulatory Impact Analysis (RIA) of this rulemaking.

PHMSA is asking four categories of questions to provide the requisite information. The categories are:

Affected entities questions, 3 questions;
Baseline questions, 11 questions;
Implementation questions, 8 questions;
Costs questions, 8 questions; and
Benefits questions, 3 questions.

 PHMSA is requesting public comment on this ANPRM. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # PHMSA-2016-0015). Comments should be submitted by April 19th, 2017.


Political Note: While President Trump has issued a directive to all Federal agencies to suspend rulemaking activities pending approval of his appointees, that should not be expected to stop this rulemaking. The FAST Act was passed by a Republican-controlled Congress that mandated that this rulemaking should proceed. The Trump administration is unlikely to stop this rulemaking and is legally obligated to proceed with this action.

HR 437 Introduced – Medical Preparedness Grants

Last week Rep. Bilirakus (R,FL) introduced HR 437, the Medical Preparedness Allowable Use Act. The bill would allow medical preparedness programs to be funded under two separate homeland security grant programs. The bill is virtually identical to HR 361 from the 114th Congress. That bill passed in the House but was never taken up in the Senate.

The medical preparedness grants would be authorized for programs to “to protect first responders, their families, immediate victims, and vulnerable populations from a chemical or biological event”. Because the word ‘event’ is not defined, the bill would only authorize grants for programs related to “preventing, preparing for, protecting against, and responding to acts of terrorism” {existing 6 USC 609(a)}, not accidental or weather related chemical releases.

As with last session’s bill, no additional funding would be authorized for the medical preparedness grants. This means that funds for medical preparedness would effectively be taken away from existing grant monies under the Urban Area Security Initiative and the State Homeland Security Grant Program.

Friday, January 20, 2017

HR 54 Introduced – Cyber Defense

Earlier this month Rep. Jackson-Lee (D,TX) introduced HR 54, the Department of Homeland Security’s Cybersecurity Asset Protection of Infrastructure under Terrorist Attack Logistical Structure or CAPITALS Act. The bill would require DHS to conduct a study on the feasibility of establishing a Department of Homeland Security Civilian Cyber Defense National Resource.

Cyber Defense National Resource


There are no details in the bill about how such a resource would be organized or funded. The only thing that is clear is that this resource would be separate from any military organization (including the National Guard). There is nothing in the bill that would address whether or not the force would be able to address control system security issues.

The study required in this bill is very similar to the Cyber National Guard study required in HR 60 introduced last session by Jackson-Lee. The only substantial differences are the change in the agency responsible for the study (the HR 60 study was to be conducted by the Director of National Intelligence) and the name of the organization (HR 60 called it the Cyber Defense National Guard).

Section 2(b)(8) of the bill specifically directs the study to include a look at the impact of having substantial numbers of the ‘resource’ not having “military, intelligence, law enforcement, or government work experience”. This does raise questions about the source of personnel for such an organization and how much training in cybersecurity would be a pre-requisite for membership in the organization.

Moving Forward


The changes in the bill did have a practical political effect on the bill. HR 60 had been referred to the House Intelligence Committee for consideration. Since the new study and organization would be a DHS action, HR 54 has been referred to the House Homeland Security Committee and it’s Cybersecurity, Infrastructure Protection, and Security Technologies Subcommittee. Ms. Jackson-Lee is an influential Democrat on both the Committee and Subcommittee. Since the bill only requires the conduct of a study and authorizes no funds for that study and subsequent report, there appears to be no substantial impediment to this bill being considered.


I suspect that the changes made to this bill indicate that Jackson-Lee is seriously interested in seeing the bill passed. I suspect that we will see this bill considered by the Committee in the coming months. I would not be surprised to see the bill make it to the floor under the suspension of rules process where it would probably pass with substantial bipartisan support.

Thursday, January 19, 2017

ICS-CERT Publishes Schneider Advisory

Today the DHS ICS-CERT published a control system security advisory for a product from Schneider Electric. This advisory describes a cross-site scripting vulnerability in the Schneider homeLYnk Controller. The vulnerability was reported by Mohammed Shameem ("@_M_Shahnawaz). Schneider has produced a firmware upgrade to mitigate the vulnerability. There is no indication that Shameem has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to cause execution of java script code.


NOTE: ICS-CERT has corrected their problem with naming these advisories. All advisories published since the first of the year are now named with a recognizable vendor/product name. It did not require a new formatting change.

NHTSA Publishes V2V Communications NPRM

Last week the DOT’s National Highway Transportation Safety Administration (NHTSA) published a notice of proposed rulemaking (NPRM) in the Federal Register (82 FR 3854-4019) to establish a new Federal Motor Vehicle Safety Standard (FMVSS), No. 150, to mandate vehicle-to-vehicle (V2V) communications for new light vehicles and to standardize the message and format of V2V transmissions.

The new FMVSS would establish a requirement for all new light vehicles (< 10,000 lbs gross vehicle weight) would include include vehicle-to-vehicle communication technology able to transmit standardized Basic Safety Messages (BSMs) over dedicated short-range radio communication (DSRC) devices. The requirement would be phased in over a three year period starting two years after the issuance of the final rule.

The lengthy NPRM (434 pages) breaks the NTSA proposal into seven sections:

• The actual communications technology itself;
• Proposed messaging format and content requirements;
Authenticating V2V messages;
Malfunction indication requirements;
Software and certificate updating requirements; and
• Proposed cybersecurity related requirements.

The discussion of cybersecurity requirements is rather extensive in the preamble to the proposed rule. The actual specific cybersecurity requirements in the proposed FMVSS, however, are currently space holding messages where the cybersecurity requirements will be listed (see for example here). This is because NHTSA still has a lot of questions for which it is seeking responses on cybersecurity issues. NHTSA is addressing the cybersecurity concerns with the following general comment (and then a number of questions about specific issues):

“NHTSA seeks comments regarding the cybersecurity needs and requirements and how regulatory language could be crafted to appropriately express the requirements in terms that industry can implement and in terms by which performance can be objectively evaluated.”


NHTSA is seeking public comments on this NPRM. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # NHTSA-2016-0126). Comments need to be submitted by April 12th, 2017.

Wednesday, January 18, 2017

PHMSA Publishes Crude Oil Volatility ANPRM

Today the DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) published an advance notice of proposed rulemaking (ANPRM) in the Federal Register (82 FR 5499-5508) concerning a possible rulemaking addressing volatility of unrefined petroleum products
and Class 3 materials.

As mentioned in an earlier post, this ANPRM is based upon a rulemaking petition filed by the Attorney General for the State of New York. According to the summary of the ANPRM that petition asks PHMSA to revise the hazardous materials regulations (HMR) to “implement a Reid Vapor Pressure (RVP) limit less than 9.0 pounds per square inch (psi) for crude oil transported by rail”. In that same summary PHMSA notes that it will use public comments on this ANPRM to “help assess and respond to the petition and to evaluate any other potential regulatory actions related to sampling and testing of crude oil and other Class 3 hazardous materials. PHMSA will also evaluate the potential safety benefits and costs of utilizing vapor pressure thresholds within the hazardous materials classification process for unrefined petroleum-based products and Class 3 hazardous materials”.

Review of Existing Data


The body of the ANPRM provides a discussion of how PHMSA currently regulates how the transportation hazards of crude oil and other flammable (Class 3) liquids are categorized. It then goes on to provide a brief discussion of how PHMSA dealt with the possible issue of adding vapor pressure to the regulatory scheme in the recent highly-hazardous flammable train rulemaking. PHMSA requested input on the potential use vapor pressure, but did not end up including it in that rulemaking.

In 2014 DOE and DOT commissioned the Sandia National Laboratory to conduct a review “of available crude oil chemical and physical property data literature to characterize and define tight crude oils based on their chemical and physical properties, and identify properties that could contribute to increased potential for accidental combustion”. The initial stages of that study concluded that “the wide-ranging variability in crude oil sample type, sampling method, and analytical method, as well as the acknowledgement that this variability limits the adequacy of the available crude oil property data set as the basis for establishing effective and affordable safe transport guidelines.”

The next phase of that Sandia study is specifically designed to determine what methods of sampling and analysis are suitable for characterizing the physical and chemical properties of different crude oils.

Questions to be Answered


While the Sandia study is on-going, PHMSA is looking for input on a wide variety of issues that would have to be considered in any proposed rulemaking on crude oil and flammable liquid vapor pressure regulation in the transportation realm. In asking for that input PHMSA is asking for answers to a specific set of questions that it breaks down into four broad categories; 24 general questions, six safety questions, eight vapor pressure questions; and a single packaging question.

The general questions covers many of the issues that any new regulatory scheme has to address to justify the cost of the regulation. It includes questions about

• How a 9.0 psi Reid Vapor Pressure limit on crude oil would affect the outcome of accidents involving crude oil transportation;
• How to measure the health and environmental effects of the proposed regulations;
• What methods could be used to reduce the vapor pressure of crude oils above the proposed limit;
• Whether the vapor pressure standard should be applied to all modes of transportation;
• Whether other risk factors that should also be addressed;
• The fixed and variable costs of establishing the vapor pressure limit; and
• The transportation of the flammable gasses removed from the crude oil;

The safety questions address the potential implications that the adoption of the vapor pressure limit have on other portions of the HMR. It includes questions about:

• The possible adoption of a new crude oil listing in the hazardous materials table (HMT) for high vapor pressure crudes; and
• The effect of flammable liquids with high concentrations of dissolved flammable gasses on the response community.

Public Responses


PHMSA is soliciting public comments on this ANPRM. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # PHMSA-2016-0077. Comments should be submitted by March 20th, 2017.


There will almost certainly be a large letter writing campaign (or even possibly multiple campaigns) orchestrated by environmental activist organizations. Federal agencies do not take any special cognizance of the number of comments submitted for or against a rulemaking. They are required, however, to address specific issues raised in comments. When cut-and-paste comments are received, the agency only has to deal with a single response to each of the issues raised in the response. All of the activist organizations clearly understand this, thus it would seem that these campaigns are designed more for internal reasons (most likely fund raising) than to affect the outcome of the regulatory process.

Bills Introduced – 01-18-17

Yesterday with the Senate in a short session and the House in a proforma session, there were a total of 39 bills introduced. Of those, one may be of specific interest to readers of this blog:

HR 584 To amend the Homeland Security Act of 2002 to enhance preparedness and response capabilities for cyber attacks, bolster the dissemination of homeland security information related to cyber threats, and for other purposes. Rep. Donovan, Daniel M., Jr. [R-NY-11]

The description of the bill could cover lots of cybersecurity requirements of varying effectiveness. This is one bill that I will be watching for.


There will not be any other sessions of either the House or Senate until Friday and both of those will be short sessions leading to the inauguration.

Tuesday, January 17, 2017

ICS-CERT Publishes Two Advisories

Today the DHS ICS-CERT published two control system security advisories for products from GE and Phoenix Contact. The GE advisory was previously published on the NCCIC Portal on December 1st, 2016.

GE Advisory


This advisory describes an insufficiently protected credentials vulnerability in the GE Proficy Human-Machine Interface/Supervisory Control and Data Acquisition (HMI/SCADA) iFIX, Proficy HMI/SCADA CIMPLICITY, and Proficy Historian software. The vulnerability was reported by Ilya Karpov of Positive Technologies. GE has produced new versions that mitigate the vulnerability. There is no indication that Karpov has been provided the opportunity to verify the efficacy of the fix.

ICS-CERT reports that a highly skilled attacker could exploit the vulnerability with local access and user interaction. This, however, was the vulnerability that ICS-CERT thought posed enough of a threat to critical infrastructure that it required advance notice to critical infrastructure facilities.

Phoenix Contact Advisory


This advisory describes a default password vulnerability in the Phoenix Contact mGuard product that was induced in the system by updating with version 8.4.1. Phoenix Contact self-reported this vulnerability.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability.

Saturday, January 14, 2017

OMB Approves FHWA V2I Guidance Document

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an interim guidance document from the DOT’s Federal Highway Administration concerning vehicle to infrastructure (V2I) communications. This was not listed in the Fall 2016 Unified Agenda, but this is certainly part of the DOT’s ongoing intelligent transportation system program.

The FHWA published a draft of this document in 2014. That draft promised the development of a guide to V2I cybersecurity that would include:

“Provides deployers with: (1) an analysis of extensibility of security and trust systems to additional points of connection, including V2I, devices, backhaul, and others; (2) an analysis of additional risks from extensibility and cybersecurity; (3) an analysis of potential impacts to the existing transportation system/networks. It will also provide definitions of the organizational functions and processes for operating the security function, along with cost models for operations and maintenance.”


It will be interesting to see if that management speak is better presented in this new interim guidance document. More importantly, it would be helpful if the cybersecurity guidance was actually included in the upcoming document and not just mentioned as a future project.

Bills Introduced – 01-13-17

With only the House meeting in Washington yesterday there were 76 bills introduced. Of those, only one may be of specific interest to readers of this blog:

HR 526 To amend the Homeland Security Act of 2002 to establish in the Department of Homeland Security a board to coordinate and integrate departmental intelligence, activities, and policy related to counterterrorism, and for other purposes. Rep. Katko, John [R-NY-24]

This bill will only be of interest here if it specifically addresses cybersecurity matters.


There is one other bill that I would like to mention in passing, HR 571, to permit members of the House of Representatives to donate used computer equipment to public elementary and secondary schools designated by the members. I am torn between hoping that the bill sets standards for removing sensitive information from those computers prior to their donation or hoping that computer education programs at those institutions teach the students to look for sensitive information on those computers as a cybersecurity learning aid. I will not be mentioning this bill again on this blog….

Friday, January 13, 2017

HR 59 Introduced – Chemical Facility Security

Last week Rep. Jackson-Lee (D,TX) introduced HR 59, the Frank Lautenberg Memorial Secure Chemical Facilities Act. This bill is nearly identical to HR 54 introduced last session and very similar to bills introduced by Ms Jackson-Lee and Rep. Thompson (D,MS) over the last eight years. It provides a complete re-write of the current chemical facility security rules passed in the 113th Congress.

The bill includes all of the button pushing issues that the Democrats love and the Republicans hate, so there is little chance (actually no chance) that this bill will be considered at any time during this session of congress. In fact, the last time that the Democrats controlled both the House and Senate a similar bill was passed in the House but could not make its way to the floor of the Senate for consideration.

There are, however, some cyber security provisions in this bill that readers of this blog might find of interest.

First the bill would take the current cybersecurity requirements found in 6 CFR 27.230(8) and include them in the language of the newly proposed 6 USC 2203(d)(8). The only changes being made to the language are solely intended to make the requirements more readable (physical formatting changes). Both sets of language require covered chemical facilities to have measures in place to “deterring cyber sabotage, including by preventing unauthorized onsite or remote access to critical process controls” and then lists the general types of systems to be protected, including:

• Supervisory control and data acquisition systems;
• Distributed control systems;
• Process control systems;
• Industrial control systems;
• Critical business systems; and
• Other sensitive computerized systems

The sole purpose of moving the existing risk-based performance standards from the CFR to the USC is to make it harder for DHS to make changes to these standards by regulatory means.

Secondly, under a new §2206, Timely Sharing of Threat Information, the owner/operator is required to notify DHS of “any intentional or unauthorized penetration of the physical security or cyber security of the covered chemical facility, whether successful or unsuccessful” {new §2206(b)(1)(B)}. While the lack of definition of the key term ‘penetration’ is not unusual, it does provide an added measure of lack of clarity when it comes to cybersecurity.

Finally, we see again the requirement for hackers (specifically including “blue hat, red hat, and white hat hackers {§2111(b)(6)}) to “validate the security measures instituted to address cyber based threats”. Ignoring for the moment the lack of definition of key terms including the different colored hats, the requirement does not make any sense. Penetration testing, properly done, can certainly be a good thing for evaluating security controls, but this requirement is placed in the section dealing with conducting assessments of “methods to reduce the consequences of a terrorist attack” not security protocols.

A similar problem is seen in the previous subparagraph in the same section. It refers to:

The design of computing systems and development of plans, exercises, and drills to re-engage computing systems used in the processing, transport, storage of chemicals that are designed as a ‘‘risk’’ by the Secretary using protocols for trusted recovery under the worse case conditions;”


Again, this sounds like good cybersecurity planning and both of these requirements (with adequate definitions of key terms) should be included in the performance standards portion of the bill, not the inherently safer technology portion. I am not sure if it was added here as a mistake or a serious misunderstanding of the role of cyber security.

OMB Approves EPA TSCA NPRM

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a notice of proposed rulemaking (NPRM) from the EPA; Procedures for Evaluating Existing Chemical Risks Under the Toxic Substances Control Act. This rulemaking is implementing congressional requirements under the Frank R. Lautenberg Chemical Safety for the 21st Century Act (PL 114-182).

While many of the details associated with this NPRM may end up being controversial, this rulemaking was mandated by a Republican controlled congress with much support from industry. This rulemaking is almost certainly to be expected to proceed under the Trump administration.


We can expect to see this NPRM published in the Federal Register next week.

Bills Introduced – 01-12-17

Yesterday with both the House and Senate in session there were 104 bills introduced. Of those, one might be of specific interest to readers of this blog:

S 133 A bill to authorize appropriations for fiscal year 2017 for intelligence and intelligence-related activities of the United States Government, the Community Management Account, and the Central Intelligence Agency Retirement and Disability System, and for other purposes. Sen. Burr, Richard [R-NC]


S 133 is the Intel Authorization bill (one of the so called ‘must pass’ bills) that never got passed last session. The House passed three different versions of the bill, but the Senate never could get a bill to the floor. Maybe it will be different this session. As usual, I will be watching for cybersecurity measures in this bill.

Thursday, January 12, 2017

ICS-CERT Publishes Three Advisories

Today the DHS ICS-CERT published three control system security advisories for products from Carlo Gavazzi, VideoInsight, and Advantech. ICS-CERT also published their latest ICS-CERT Monitor for November and December 2016. I am not going to review this publication any longer.

Carlo Gavazzi Advisory


This advisory describes three vulnerabilities in the Carlo Gavazzi VMU-C EM, VMU-C PV web servers. The vulnerabilities were reported by Karn Ganeshen. Carlo Gavazzi has produced a new firmware version that mitigates the vulnerability. ICS-CERT reports that Ganeshen has verified the efficacy of the fix.

The reported vulnerabilities are:

• Access control flaws - CVE-2017-5144;
• Cross-site request forgery - CVE-2017-5145; and
• Sensitive information stored in clear text - CVE-2017-5146

ICS-CERT is confused on the exploitability of these vulnerabilities. At the start of the advisory they report that the vulnerabilities are: “Remotely exploitable/low skill level to exploit.” But later in the body of the advisory it reports: “Not remotely exploitable. High skill level is needed to exploit.” I suspect that the first is correct and the second may be an artifact of the new format ICS-CERT is using to report advisories; more on that later.

VideoInsight Advisory


This advisory describes an SQL injection vulnerability in the VideoInsight Web Client. The vulnerability was reported by Juan Pablo Lopez Yacubian. VideoInsight has produced a new version to mitigate the vulnerability. ICS-CERT reports that Yacubian has verified the efficacy of the fix.
ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to execute arbitrary commands on the target system.

Advantech Advisory


This advisory describes two vulnerabilities in the Advantech WebAccess application. The vulnerabilities were reported by Tenable Network Security via the Zero Day Initiative. Advantech has produced a new version to mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Authentication bypass - CVE-2017-5152; and
• SQL injection - CVE-2017-5154

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerabilities to access pages unrestricted; the SQL injection condition may allow remote code execution.

New Advisory Format


ICS-CERT has started 2017 with a new format for their advisories. Any change is going to have plusses and minuses and it is easy to pick out the problems with the new format. Fortunately, there are more good things in this change, so I would like to highlight those.

First, ICS-CERT has obviously taken a hard look at what they think is the important information in the advisory and has moved that information to the top of the advisory. The first five items on the advisory are short listings of:

• CVSS v3 Score;
• Exploitability;
• Vendor;
• Affected equipment; and
• Vulnerability listing

These are certainly very important pieces of information. Their placement at the top of the format makes it easier to do a quick review of the advisory.

This is followed by essentially the same affected versions, impact, and mitigation measures. There are no significant changes to these sections. At the end of the advisory we now some major revisions to the vulnerability overview. Those changes include actual links to the CVE instead of a footnote to the URL; and more detailed background information on the types of vulnerabilities. That takes the form of links to the Common Weakness Enumeration (CWE) dictionary documenting the vulnerability.

The last section before the contact information of the advisory is the researcher section; listing the researcher's name and affiliation. It will be interesting to see how ICS-CERT handles self-identified vulnerabilities in this section.

The major downside of the new format is that the title of the advisory is taken from the first item on the advisory, the CVSS score. This will provide all sorts of misunderstandings and difficulties in finding specific advisories as the year goes on. This could be easily remedied by changing the order of the initial listing to show the vendor name first.

The second problem that I see is that ICS-CERT has taken out any information about what industries are affected by the advisory or the regions of the world in which the affected equipment is deployed. With the major players like Siemens and even mid-level players like Advantech this is not a real problem, but two of today’s advisories are for vulnerabilities in equipment from less well known vendors.


The last problem is more a matter of appearances than an actual problem; the moving of the researcher’s name to the end of the advisory. This certainly does nothing to tell the public (or the researcher) of the importance on the security researcher in the vulnerability reporting process. In my opinion the researchers name and affiliation should be included in the summary information at the top of the advisory.
 
/* Use this with templates/template-twocol.html */