Monday, February 20, 2017

HR 923 Introduced – Repeal of Cybersecurity Act

Earlier this month Rep. Amash (R,MI) introduced HR 923 which would repeal the Cybersecurity Act (Division N, PL 114-113). Amash and his bipartisan cosponsors are concerned about the way the Cybersecurity Act was slipped into the 2016 Consolidated Appropriations Act at the last minute.

Amash introduced a similar bill (HR 4350) last year in the 114th Congress. That bill was also assigned to eight committees for consideration. No action was taken in four of those committees and the remaining four only further assigned it to subcommittees for consideration. No hearings were held and no further action was taken.


Since the Cybersecurity Act was only added to the appropriations bill with the full consent of the House Republican leadership, I do not suspect that there will be any actions taken on this bill.

Sunday, February 19, 2017

HR 905 Introduced – Computer Code Copyright Transfer

Earlier this month Rep. Farenthold (R,TX) introduced HR 905, the You Own Devices Act. This bill addresses some of the copyright issues related to software used to operate equipment.

Software Copyright Issues


The bill amends 17 USC 109, “Limitations on exclusive rights: Effect of transfer of particular copy or phonorecord”. It adds a new paragraph (f) to the section. That paragraph addresses the transfer of certain computer programs.

The first provision codifies the legal transfer of the software that “enables any part of a machine or other product to operate” {§109(f)(1)} when that machine or product is legally sold or otherwise transferred.

The second provision addresses software updates. It specifies that the right to receive any software changes related “in whole or in part to security or error correction” {§109(f)(2)} is transferred along with any transfer of the equipment that the software operates.

The third provision prohibits the retention of a copy of the software when a party transfers the equipment and/or software to another party.

Moving Forward


Farenthold is a member of the House Judiciary Committee (the committee to which this bill was assigned for consideration) so there is a decent possibility that this bill could be considered in committee. There may be some opposition to the update provisions of this bill from some software vendors, so it is unclear at this point if there would be enough support in the House for the bill to allow it to be considered under suspension of the rules. It is unlikely that this bill would make it to the floor of the House under a rule.

If the bill were considered in the House, I suspect that it would pass.

Commentary


I think that this bill could end up being important for security researchers. The first provision, under which legally buying software-operated equipment automatically includes the legal transfer of the copy of the operating software, precludes a vendor from threatening to prosecute researchers for illegally accessing the software.

The second provision means that when a researcher finds a vulnerability in a piece of control system software and the vendor issues an update or patch, the researcher is entitled to obtain a copy of that patch or update as long as he owns a piece of equipment that uses that software to operate. This would make it easier for the researcher to determine the efficacy of the fix.


One software-related copyright issue that is not addressed in this bill is the legal right to modify software used to operate a piece of equipment.

Saturday, February 18, 2017

Reader Comment – Moxa NPort Advisory

Today Reid Wightman posted a comment to a December blog post that mentioned a control system security advisory published by ICS-CERT for Moxa NPort products. Reid was identified as one of the researchers that identified one or more of the vulnerabilities covered in that advisory. Reid comments that the reported fix for CVE-2016-9361 does not work. Please read his comment for more details.

Alert readers might remember that Digital Bond (with whom Reid was associated at the time) publicly disclosed the vulnerability in April of last year, resulting in an ICS-CERT control system security alert. Given the total elapsed time between the initial notification by Digital Bond and the published “fix”, it is especially disconcerting that Reid has to report that the fix does not work.

Assuming that there was no deliberate malfeasance involved on the part of Moxa, I can only conclude that Moxa did not really understand the cause of the vulnerability discovered by Reid. This is one of the reasons that it is important to have someone not employed by the vendor verify the efficacy of the fix. I think it would be best if the discovering researcher were the one to do the verification testing. That way there can be no doubt about how well the fix mitigates the discovered vulnerability.


Reid does not mention in his comment whether or not he had coordinated the report of the failure of the vendor’s fix with ICS-CERT. In some ways, I am hoping that he did not. If he had, it would seem to indicate that ICS-CERT (or perhaps Moxa) did not accept Reid’s judgement about the efficacy of the fix. Given the seriousness of the vulnerability (CVSS v3 base score of 9.8) I would have hoped that ICS-CERT would have tried to corroborate Reid’s report.

S 307 Introduced – DOD Cyber Capability Database

Earlier this month Sen. Ernst (R,IA) introduced S 307, the Department of Defense Emergency Response Capabilities Database Enhancement Act of 2017. The bill would require DOD to specifically include cybersecurity capabilities in an existing DOD emergency response capabilities database.

Database Expansion


The bill would amend §1406 of the John Warner National Defense Authorization Act for Fiscal Year 2007 {PL 109-364 §1406 (120 STAT. 2436)} which required DOD to establish a database that recorded the “emergency response capabilities that each State’s National Guard, as reported by the States, may be able to provide in response to a domestic natural or manmade disaster, both to their home States and under State-to-State mutual assistance agreements” {§1406(1)}.

The bill would add two specific cybersecurity related requirements to that database {§2(b)(2)}:

• Cyber capabilities of the National Guard that are identified by the Department as important to national security and for response to domestic natural or manmade disasters.
• Cyber capabilities of the other reserve components of the Armed Forces that are identified by the Department as important to national security.

Moving Forward


Ernst is a member of the Senate Armed Services Committee (the committee to which the bill was assigned for consideration) and two of her co-sponsors {Sen. Gillibrand (D,NY) and Sen. Fischer (R,NE)} are members of the Cybersecurity Subcommittee of that Committee. This means that there is a good chance that there will be sufficient political influence to have that Committee take up this bill.

There is nothing in this bill that would cause any substantial opposition to its consideration. If this bill were taken up on its own, it would likely be considered under the Senate’s unanimous consent procedure. This bill is also a good candidate for inclusion in the 2018 DOD authorization bill, either in the initial draft or as a floor amendment.

Commentary


There is nothing in the bill that would specifically require the inclusion of industrial control system security experience/expertise in the database listing. It is likely that DOD would take that step on their own initiative.


What is not clear with respect to either the original database requirement, or this modification, is to what use DOD is expected to put this database; whether it is only for internal DOD use or whether other government organizations (FEMA for example) would have access to the database. This bill would be a good place to clarify which agencies are expected to have access to the database.

Friday, February 17, 2017

Bills Introduced – 02-16-17

Yesterday, with the House and Senate getting ready to depart for their Presidents’ Day recess next week, there were 154 bills introduced. Many of these bills were introduced to provide fundraising talking points next week, but one of the bills may be of specific interest to readers of this blog:

S 412 A bill to amend the Homeland Security Act of 2002 to require State and local coordination on cybersecurity with the national cybersecurity and communications integration center, and for other purposes. Sen. Peters, Gary C. [D-MI]


It will be interesting to see how this bill avoids the ‘unfunded federal mandate’ label. I’ll only be covering this bill if it specifically includes control system security issues.

ICS Hacker Convicted

Yesterday the US Attorney’s Office for the Middle District of Louisiana announced that an individual had been sentenced to serve 34 months and pay $1.1 million as a result of his conviction “for hacking into the computer system of an industrial facility to disrupt and damage its operations”. This appears to be the first conviction for an attack on an industrial control system in the United States.

The Attack


There is very limited information available on the attack. What is publicly available is that a fired IT worker at the Georgia Pacific Port Hudson Mill (Port Hudson, LA, just north of Baton Rouge) accessed “the control and quality control systems for making paper towels” according to one news report. The attack was conducted via a virtual private network (VPN) connection to the plant computer network.

A plant spokesman was quoted as saying: “Things that were automatic were completely shut down.”

Another news report notes that there were multiple attacks on the facility computers between February 14th and 27th in 2014.

On the face of it, this does not appear to have been a sophisticated attack involving unknown or ineffectually mitigated control system vulnerabilities. Rather it looks like a fairly standard case of a system-knowledgeable person who did not have his system access adequately revoked when he was terminated.
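The failure described above is an off-boarding one: a former employee’s remote-access credentials kept working after termination. The check that catches this is mechanical, and the following is an added example (not from the blog post, the press release, or the court record) of it. The VPN log format, user names, addresses, and HR termination dates are all constructed for illustration; the function cross-references successful remote-access authentications against the termination list and reports any login that happened after the account should have been revoked.

```python
"""Flag VPN logins by accounts that should have been revoked at termination.

Added example with constructed data: the log lines, user names, addresses,
and termination dates below are invented to illustrate the check and do not
describe any real system or incident.
"""
from datetime import datetime, timedelta

# Constructed HR off-boarding list: user -> termination timestamp (ISO 8601).
TERMINATIONS = {
    "jdoe": "2014-02-10T17:00:00",
    "asmith": "2014-03-01T17:00:00",
}

# Constructed VPN authentication log lines (syslog-like; not real data).
VPN_LOG = """\
2014-02-14T02:13:44 vpn1 auth: user=jdoe src=203.0.113.7 result=success
2014-02-14T09:05:10 vpn1 auth: user=bjones src=198.51.100.20 result=success
2014-02-20T23:41:02 vpn1 auth: user=jdoe src=203.0.113.7 result=success
2014-02-21T08:00:00 vpn1 auth: user=jdoe src=203.0.113.9 result=failure
2014-02-27T03:22:18 vpn1 auth: user=jdoe src=203.0.113.7 result=success
2014-02-28T10:10:10 vpn1 auth: user=asmith src=198.51.100.31 result=success
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, user, src, result)."""
    ts_str, _host, _tag, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_str), kv["user"], kv["src"], kv["result"]


def find_post_termination_logins(log_text, terminations, grace_days=0):
    """Return successful VPN logins by users after their termination time.

    grace_days tolerates a short deprovisioning window: only logins later than
    termination + grace_days are reported. Failed authentications are skipped
    here because they show revocation working, not failing.
    """
    term_times = {u: datetime.fromisoformat(t) for u, t in terminations.items()}
    grace = timedelta(days=grace_days)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = parse_line(line)
        if result != "success" or user not in term_times:
            continue
        if ts > term_times[user] + grace:
            hits.append({
                "user": user,
                "time": ts.isoformat(),
                "src": src,
                "days_after_termination": (ts - term_times[user]).days,
            })
    return hits


def stale_accounts(log_text, terminations, grace_days=0):
    """Set of terminated users whose credentials still authenticate."""
    return {h["user"] for h in find_post_termination_logins(log_text, terminations, grace_days)}


if __name__ == "__main__":
    for hit in find_post_termination_logins(VPN_LOG, TERMINATIONS):
        print(f"{hit['time']} {hit['user']} from {hit['src']} "
              f"({hit['days_after_termination']} days after termination)")
    print("accounts needing revocation:", sorted(stale_accounts(VPN_LOG, TERMINATIONS)))
```

Run against the constructed data, the script reports three successful logins by `jdoe` on the 14th, 20th and 27th, all after the 10 February termination, and leaves `asmith` alone because that account’s termination date has not yet arrived. The same join, run daily against the real HR feed and the real VPN concentrator log, is the control the post says was missing; the `grace_days` parameter exists so the report is not swamped by the first few hours after a termination while tickets are still being worked.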

The Law


The individual was convicted for violations of 18 USC 1030(a)(5)(A). Section 1030 is known as the “Fraud and related activity in connection with computers” section of the US Code and was designed to deal with financial crimes dealing with computers. The specific sub-paragraph charged explains the offense as whoever “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer”.

The key definition here is that for a ‘protected computer’. The first part of that definition applies specifically to computers at financial institutions or the US government, which obviously does not apply in this case. Instead, the second part of the definition (which I’ll call the ‘interstate commerce clause’) applies; it states:

A computer “which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States” {§1030(e)(2)(B)}.

Since Georgia Pacific is a multi-national company that certainly sells materials from this facility across state lines, it is easy to see how the US Attorney could argue that this attack had a significant effect on interstate or foreign commerce if the damage caused by the attack interfered with timely product shipments.

In establishing the ability for the court to punish a violation of §1030(a)(5)(A), the prosecution would have to prove that the attack resulted in one of six specific types of harm outlined in §1030(b)(4)(A)(i). Only four of those are of potential interest in this case:

• Loss to 1 or more persons during any 1-year period aggregating at least $5,000 in value;
• Physical injury to any person;
• A threat to public health or safety;
• Damage affecting 10 or more protected computers during any 1-year period.

Given the $1.1 million restitution ordered by the court, I would assume that the US Attorney used the first harm category.

Commentary


There is nothing in readily available information on this case that explains how the damage of $1.1 million occurred. Having worked in a company that sold into the paper industry for years I have learned a little about the paper making process. As each large paper roll is made any interruption of the machinery making that roll significantly damages that roll and requires a restart of a fresh roll of paper. If stoppages occurred on multiple occasions that week, I suspect that an accounting of damaged rolls and lost production could total $1.1 million without having to have included any physical damage to the equipment at the facility.

These attacks happened in 2014 and the Federal Grand Jury indicted the individual in 2015. There is no indication that the DHS ICS-CERT was involved in the investigation of the incident (and given the rapidity with which the FBI responded to the issue, it does not appear that it would have been necessary).

It would have been nice, however, if ICS-CERT had been brought into the case early on, not so much to help in the arrest and prosecution of the perpetrator, but so that ICS-CERT could publicize the attack to the ICS community. This could have been used to reinforce the need for some basic security procedures (revocation of access) and to point out (again) the vulnerability of ICS to easy attacks by anyone with control system network access.

It is not too late, however, for ICS-CERT to prepare a public report on this attack. While there was no trial for this case (the perpetrator pleaded guilty), there was a grand jury indictment in which the process of the attack had to be presented in some detail. That should provide enough detail for ICS-CERT to prepare a relatively detailed report on the attacks.

This case also raises some interesting legal questions (DISCLAIMER: I AM NOT A LAWYER) about the adequacy of §1030 for the prosecution of attacks on industrial control systems. There have been a couple of attempts to amend §1030 (for example S 2931 in the 114th Congress) to specifically address industrial control system attacks, but none of them have proceeded past the introduction phase.

The big problem is that §1030 is a fraud-related section of the US Code and attacks against control systems (other than perhaps ransomware attacks) are not really related to fraud. The problem is further aggravated by the fact that the definition of computer used in that section is really designed to identify IT or communications systems, not industrial control systems. Since this case never came to trial, the use of this section to prosecute ICS-related attacks has not really been legally tested.

I am sure that the US Attorney was prepared to argue that the definition could be interpreted (very broadly) to have included control system computers. A defense lawyer, on the other hand, could argue that the failed congressional attempts to specifically include ICS computers in the definition reflect a congressional intent not to allow that inclusion.

Unfortunately, it is impossible to determine in advance how a specific court would deal with such arguments. Appellate court acceptance of any outcome of that decision would be even harder to predict. The fact that this individual’s legal team did not (apparently) recommend such a fight against the prosecution might simply reflect the legal cost of such a fight rather than having reached a conclusion on the merits of the use of §1030 to prosecute an ICS attack.

That fight is almost certain to occur on some future case.


NOTE: Thanks to Chris Sistrunk for sharing the press release on this case on the ICS-ISAC Open Community on Facebook.

Thursday, February 16, 2017

ICS-CERT Published Rockwell Update

Today the DHS ICS-CERT published an update to their control system security advisory for products from Rockwell Automation that was originally published on September 15th, 2016. The update provides information on:

• A new software version to replace the original patch mitigation;
• More detailed information on the affected versions; and
• Notification that the previous patch is only to be used on version 8.40.00.


Wednesday, February 15, 2017

Bills Introduced – 02-14-17

Yesterday, with both the House and Senate in session, fifty bills were introduced in Congress. Of those, two may be of specific interest to readers of this blog:

HR 1030 To direct the Director of National Intelligence to conduct a study on cyber attack standards of measurement. Rep. Wilson, Joe [R-SC-2]

HR 1049 To enhance the database of emergency response capabilities of the Department of Defense. Rep. Langevin, James R. [D-RI-2]

HR 1030 is almost certainly a repeat of HR 2708 that was introduced in the 114th Congress and died in committee. This will probably suffer the same fate.


HR 1049 is probably going to be a companion bill to S 307 that was introduced earlier this month in the Senate; the official text is still not available on S 307, but there is a draft available. Interesting post here on S 307.

Tuesday, February 14, 2017

ICS-CERT Publishes 3 Advisories and 3 Updates

Today the DHS ICS-CERT published three control system security advisories for products from Siemens, Geutebrück and Advantech. They also updated three control system security advisories for products from Siemens and Rockwell.

Siemens Advisory


This advisory describes an authentication bypass vulnerability in the Siemens SIMATIC Logon application. This vulnerability is being self-reported by Siemens. Siemens has produced an updated version of the application to mitigate the vulnerability.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to circumvent user authentication under certain conditions.

Geutebrück Advisory


This advisory describes two vulnerabilities in the Geutebrück G-Cam IP camera. The vulnerabilities were reported by Davy Douhine of RandoriSec, Florent Montel and Frédéric Cikala. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Authentication bypass using an alternative path or channel - CVE-2017-5174;
• Improper neutralization of special elements used in an OS command - CVE-2017-5173

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to bypass authentication and obtain remote anonymous access to the device; these vulnerabilities may allow remote code execution.

Advantech Advisory


This advisory describes a DLL hijacking vulnerability in the Advantech WebAccess application. The vulnerability was reported by Li MingZheng Kuangn. Advantech has produced a new version to mitigate the vulnerability. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could exploit the vulnerability to execute arbitrary code within the system. ICS-CERT does not mention what type of access is required or comment on the need for a social engineering attack.

Siemens APOGEE Update


This update provides additional information about an advisory originally published on March 22nd, 2016. The update includes:

• A correction of the name of one of the reporting institutions;
• Additional information about the affected versions; and
• Reports a new version that mitigates the vulnerability.

Siemens Industrial Products Update


This update provides additional information about an advisory originally published on November 8th, 2016 and then updated on November 22nd, 2016 and updated again on December 22nd. The update includes:

• Updated ‘version affected’ information on SIMATIC IT Production Suite;
• Provided mitigation information for SIMATIC IT Production Suite; and
• Removed SIMATIC IT Production Suite from the temporary fix list.

Rockwell Update


This update provides additional information about an advisory originally published on January 5th, 2017. The update includes:

• Adds PowerFlex 700S drives to the list of affected devices;
• Adds DriveLogix 5730 controller option explanation; and
• Explains that the PowerFlex 700S is not covered by the new firmware version mitigation.

Monday, February 13, 2017

Committee Hearings – Week of 02-12-17

Both the House and Senate will be in session this week. The House continues to focus on repealing Obama Administration regulations and the Senate focuses on Cabinet nominations. There will be two cybersecurity related hearings that may be of interest to readers of this blog.

Self-Driving Cars


On Tuesday the Digital Commerce and Consumer Protection Subcommittee of the House Energy and Commerce Committee will hold a hearing to look at “Self-Driving Cars: Road to Deployment”. The witness list includes:

• Mike Abelson, General Motors;
• Nidhi Kalra, RAND Center for Decision Making Under Uncertainty;
• Anders Karrberg, Volvo Car Group
• Joseph Okpaku, Lyft
• Gill Pratt, Toyota Research Institute

None of the current witness statements mention cybersecurity concerns with self-driving vehicles. Perhaps we will see some discussion during the questioning phase of the hearing. You probably should not hold your breath.

US Cybersecurity Capabilities


On Tuesday the Research and Technology Subcommittee of the House Science, Space, and Technology Committee will hold a hearing on “Strengthening US Cybersecurity Capabilities”. The witness list includes:

• Charles H. Romine, National Institute of Standards and Technology (NIST);
• Iain Mulholland, VMware, Inc;
• Diana Burley, The George Washington University; and
• Gregory Wilshusen, Government Accountability Office (GAO)


Witness testimony documents are not yet available, so it is too early to tell if industrial control system security will be mentioned, but with no witnesses specifically representing ICS organizations it is probably not happening. The document to watch will be the new GAO report.


Sunday, February 12, 2017

S 278 Introduced – Cybersecurity Research

Earlier this month Sen. Daines (R,MT) introduced S 278, the Support for Rapid Innovation Act of 2017. The bill would require the DHS Science and Technology Directorate to support the research, development, testing, evaluation, and transition of cybersecurity technologies.

Cybersecurity Research


The bill would add a new §312, Cybersecurity Research and Development, to Title III of the Homeland Security Act of 2002 (6 USC 181 et seq). The new section outlines a number of areas of cybersecurity research, including {§321(b)}:

• Advancing the development and accelerating the deployment of more secure information systems;
• Improving and creating technologies for detecting and preventing attacks or intrusions;
• Improving and creating mitigation and recovery methodologies;
• Assisting the development and supporting infrastructure and tools to support cybersecurity research and development efforts;
• Assisting the development and support of technologies to reduce vulnerabilities in industrial control systems [emphasis added];
• Assisting the development and support cyber forensics and attack attribution capabilities;
• Assisting the development and accelerating the deployment of full information lifecycle security technologies to enhance protection, control, and privacy of information to detect and prevent cybersecurity risks and incidents;
• Assisting the development and accelerating the deployment of information security measures, in addition to perimeter-based protections;
• Assisting the development and accelerating the deployment of technologies to detect improper information access by authorized users;
• Assisting the development and accelerating the deployment of cryptographic technologies to protect information at rest, in transit, and in use;
• Assisting the development and accelerating the deployment of methods to promote greater software assurance;
• Assisting the development and accelerating the deployment of tools to securely and automatically update software and firmware; and
• Assisting in identifying and addressing unidentified or future cybersecurity threats.

The bill also specifies that no additional funding is provided to support these research efforts. It closes by noting that {§2(c)}: “Such requirements shall be carried out using amounts otherwise authorized.”

Moving Forward


Daines is a member of the Senate Homeland Security and Governmental Affairs Committee, the committee to which this bill was assigned for consideration. This means that there is at least the potential that the Committee will consider this bill. If the bill were considered, it is likely that it would be approved since there are no new regulations or spending authorized by the bill. Similarly, if the bill were to make it to the floor of the Senate, it would likely pass. It is too early to tell if there is the necessary political will to advance this bill.

Back on January 10th the House passed HR 240 by a voice vote with limited debate. HR 240 is a companion bill to S 278 according to the introductory speech (pgs S 657-8) by Daines. There was no committee action on HR 240 in the House Homeland Security Committee.

Commentary


It is a good thing that industrial control systems are specifically mentioned in the bill, since the bill relies on the IT-limited definition of ‘information system’ both in the bill {new §312(e)(4)} and as a part of the support for the definition of the term ‘incident’ {new §312(e)(4)}. That information system definition is found in 44 USC 35002(8).


Given the funding limitation in this bill and the long list of cybersecurity research activities to be supported, it is extremely unlikely that the bill will result in any new significant cybersecurity research support. But passing the bill would make it look like Congress is doing something; appearances are everything.

Saturday, February 11, 2017

Trump EO and New Regulations

I read an interesting blog post by Michael Kennedy about President Trump’s executive order entitled “Reducing Regulation and Controlling Regulatory Costs” (EO 13771). Anyone trying to predict the regulatory burden of the new Trump administration should read Michael’s post. The new powers given to the OMB Director (and presumably through the Office of Information and Regulatory Affairs – OIRA) just mean that the White House will retain tighter control over the regulatory actions of the Executive Branch.

There is an additional caveat restricting the application of this EO. In multiple places we see phrases like “unless otherwise required by law”. The EO explicitly acknowledges that regulations required by statute must be implemented by the Executive Branch. This includes, for instance, the current DOT rulemaking on security training for surface transportation organizations.

Before anyone gets too excited about the prospects of reduced Federal regulations we need to wait and see what the Spring 2017 Unified Agenda looks like. That will provide the first formal look at what the Administration really intends to do in the regulatory arena. But even that will not be the final story.


One thing is already clear; Donald Trump is a man who expects to get his way. I suspect that we will see him continue the Obama legacy of legislating via executive order. And implementation of those orders will require regulations. And those regulations will be much harder to predict.

Friday, February 10, 2017

Bills Introduced – 02-09-17

With just the Senate in session (and actually in continuous session since Monday) and the House ‘meeting’ in proforma session yesterday there were 25 bills introduced. Of those one may be of specific interest to readers of this blog:

HR 988 To provide for a study by the Transportation Research Board of the National Academies on the impact of diverting certain freight rail traffic to avoid urban areas, and for other purposes. Rep. Ellison, Keith [D-MN-5]


It will be interesting to see if this bill is targeted against crude oil trains, toxic inhalation hazard chemicals or hazardous chemicals of any sort. Environmental and safety advocates have pushed for all three types of chemicals to be routed around urban areas. A comprehensive independent study of the issue would certainly be beneficial.

Thursday, February 9, 2017

ICS-CERT Publishes Hanwha Techwin Advisory

Today the DHS ICS-CERT published an industrial control system advisory for products from Hanwha Techwin. The advisory describes two vulnerabilities in the Hanwha Techwin Smart Security Manager. The vulnerabilities were reported by Steven Seeley of Source Incite. Hanwha Techwin has produced a patch to mitigate the vulnerabilities. There is no indication that Seeley has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Path traversal - CVE-2017-5168; and
• Cross-site request forgery - CVE-2017-5169


ICS-CERT only notes that the vulnerabilities are remotely exploitable and reports that a successful exploit could allow an attacker to create an arbitrary file on the server with attacker-controlled data, as well as gain root shell access.

Wednesday, February 8, 2017

Bills Introduced – 02-07-17

With both the House and Senate in session there were 133 bills introduced yesterday. Of those six may be of specific interest to readers of this blog:

HR 905 To amend title 17, United States Code, to provide that the first sale doctrine applies to any computer program that enables a machine or other product to operate, and for other purposes. Rep. Farenthold, Blake [R-TX-27]

HR 923 To repeal the Cybersecurity Act of 2015. Rep. Amash, Justin [R-MI-3]

HR 935 To codify an office within the Department of Homeland Security with the mission of strengthening the capacity of the agency to attract and retain highly trained computer and information security professionals, and for other purposes. Rep. Jackson Lee, Sheila [D-TX-18]

HR 940 To secure communications of utilities from terrorist threats, and for other purposes. Rep. Jackson Lee, Sheila [D-TX-18]

HR 945 To codify the objective of Presidential Policy Directive 21 to improve critical infrastructure security and resilience, and for other purposes. Rep. Jackson Lee, Sheila [D-TX-18]

HR 955 To require the Director of National Intelligence to conduct a study on the feasibility of establishing a Cyber Defense National Guard. Rep. Jackson Lee, Sheila [D-TX-18]

It looks like HR 905 would allow the purchaser of ICS software or firmware to sell or transfer that software without permission of the vendor; see 17 USC 109. This may be an interesting bill.

HR 923 is likely a repeat of HR 4350 introduced in the 114th Congress. The House leadership killed that bill by referring it to eight separate committees for consideration; no action was taken in any of the committees.

HR 935 looks to be a repeat of HR 53 introduced in the 114th Congress; no action was taken on HR 53.

It looks like HR 940 is new legislation. If it contains specific mention of control system security, it will be covered in this blog.

I will be watching HR 945 for mention of cybersecurity, chemical facility security and/or chemical transportation security.


It looks like HR 955 will be a repeat of HR 60 in the 114th Congress; no action was taken on that bill.

ICS-CERT Updates Another Advisory

I missed it last night, but yesterday the DHS ICS-CERT updated a control system security advisory for products from BINOM3. That advisory was originally published on January 31st, 2017.

The new update greatly expands the impact assessment of the multiple vulnerabilities. Instead of just allowing inaccurate reporting of electric quality measurements, the new impact statement reports:


“Successful exploitation of these vulnerabilities could cause unauthorized access to the device, sensitive information leakage, arbitrary script/code execution, unauthorized functional configuration and data changes, and denial-of-service attacks.”

Tuesday, February 7, 2017

ICS-CERT Publishes 3 Advisories and 1 Update

Today the DHS ICS-CERT published two medical control system security advisories for products from Becton, Dickinson and Company (BD) and an industrial control system advisory for products from Sielco Sistemi. Both BD advisories were previously published on the NCCIC Portal on January 17, 2017. Yesterday ICS-CERT updated their medical control system advisory for products from St. Jude; that advisory was originally published on January 9th, 2017.

BD Alaris 8015 Advisory


This advisory describes two insufficiently protected credentials vulnerabilities in the BD Alaris 8015 Point of Care (PC) unit, which provides a common user interface for programming intravenous infusions. The vulnerabilities were self-reported, but the BD Security Bulletin reports that unnamed “independent security researchers” were involved in finding them. The advisory provides multiple compensating controls that mitigate the vulnerabilities.

ICS-CERT reports that both vulnerabilities could be exploited by a relatively unskilled attacker with physical access to the devices. Both require access to a flash memory device: one installed in the unit, the other removable. A successful exploit would give the attacker access to the host facility’s wireless network authentication credentials and other sensitive technical data.

There is no mention of this vulnerability on the FDA Medical Device Safety Communications page.

BD Alaris 8000 Advisory


This advisory describes an insufficiently protected credentials vulnerability in the BD Alaris 8015 Point of Care (PC) unit, which provides a common user interface for programming intravenous infusions. The only difference from the 8015 advisory is that only an internal flash memory device is involved.

ICS-CERT reports that a relatively low-skilled attacker with physical access to the device could exploit this vulnerability. The BD Security Bulletin, however, notes:

“Attack complexity is HIGH based on limited availability of these wireless credentials that are stored in the PCU on internal flash memory. The attacker would then have to use advanced tools to read the flash memory, decode the file system, and then locate and read the credential data. No system privilege is required and an attacker would be able to read the credential data without a user name or password.”

Sielco Sistemi Advisory


This advisory describes an uncontrolled search path element vulnerability in the Sielco Sistemi Winlog SCADA software. The vulnerability was reported by Karn Ganeshen. Sielco Sistemi has released a new version of the software to mitigate the vulnerability. There is no indication that Ganeshen has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT did not comment on the exploitability of this vulnerability except to note that a successful exploit may allow an attacker to load a malicious DLL and execute code on the affected system with the same privileges as the application that loaded the malicious DLL.
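The advisory does not say how Winlog's search path is uncontrolled, so the following is a generic illustration of the vulnerability class (CWE-427) rather than anything from Sielco Sistemi or ICS-CERT. It is an added example that models the default Windows DLL search order for an application and flags every directory, probed before the real DLL is found, that an unprivileged user could write to. Those are exactly the locations where a planted library would be loaded with the application's privileges, which is the impact ICS-CERT describes. The directory names, file lists and permission flags are constructed sample data, and the search order is a simplification of the real loader logic.

```python
"""
Added example (not Sielco Sistemi's or ICS-CERT's code): audit a simplified
Windows DLL search order for user-writable directories.
"""
from dataclasses import dataclass, field


@dataclass
class SearchDir:
    path: str
    user_writable: bool                  # can an unprivileged user create files here?
    files: set = field(default_factory=set)


def default_search_order(app_dir, system_dirs, cwd, path_dirs):
    """Simplified model of the Windows default DLL search order with
    SafeDllSearchMode enabled: application directory, system directories,
    current working directory, then each PATH entry in order."""
    return [app_dir, *system_dirs, cwd, *path_dirs]


def audit_dll(dll_name, order):
    """Walk the search order the way the loader would.

    Returns (directory that satisfies the load, or None if the DLL is never
    found; list of user-writable directories probed before it was found).
    Every entry in the second list is a location where a planted file of
    the same name would be loaded instead of the legitimate library."""
    risky = []
    wanted = dll_name.lower()
    for d in order:
        if wanted in {f.lower() for f in d.files}:
            if d.user_writable:
                risky.append(d.path)     # resolved from a writable location
            return d.path, risky
        if d.user_writable:
            risky.append(d.path)         # empty slot an attacker could fill
    return None, risky


def build_sample_order(dll_in_app_dir=False):
    """Constructed sample host (hypothetical paths, not a real system).
    With dll_in_app_dir=True the vendor ships helper.dll beside the
    executable, which is the usual fix for this class of bug."""
    app = SearchDir(r"C:\Program Files\ExampleSCADA", False, {"scada.exe"})
    if dll_in_app_dir:
        app.files.add("helper.dll")
    system32 = SearchDir(r"C:\Windows\System32", False, {"kernel32.dll"})
    cwd = SearchDir(r"C:\Users\operator\Documents", True)
    tools = SearchDir(r"C:\Tools", True)
    vendor = SearchDir(r"C:\VendorLibs", False, {"helper.dll"})
    return default_search_order(app, [system32], cwd, [tools, vendor])


if __name__ == "__main__":
    for name in ("helper.dll", "kernel32.dll", "missing.dll"):
        found, risky = audit_dll(name, build_sample_order())
        print(f"{name}: resolved in {found}; writable slots before it: {risky}")
    found, risky = audit_dll("helper.dll", build_sample_order(dll_in_app_dir=True))
    print(f"after fix: resolved in {found}; writable slots before it: {risky}")
```

The two findings the audit surfaces are the ones a defender cares about: a library that is only reachable through a user-writable PATH entry, and a library that is probed but never found (the `missing.dll` case), which is often the more dangerous of the two because the loader will happily accept the first file it meets. Shipping the DLL in the application directory, loading it by a fully qualified path, or restricting the search path from inside the application all remove the writable slots from the walk.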

St Jude Update


This update provides new information on:

• The versions of the device that are affected by the vulnerability; and
• How the various versions of the device may be affected.


The FDA Safety Communication about this vulnerability has not been updated with the new information.

Bills Introduced – 02-06-17

Yesterday, with both the House and Senate in session, there were 54 bills introduced. One of those may be of specific interest to readers of this blog:

HR 876 To amend the Homeland Security Act of 2002 to reform programs of the Transportation Security Administration, and for other purposes. Rep. Katko, John [R-NY-24]


I’ll only be covering this bill if it includes surface transportation security provisions related to the transportation of chemicals.

Saturday, February 4, 2017

HR 701 Introduced – NHTSA Cybersecurity

Last month Rep. Wilson (R,SC) introduced HR 701, the Security and Privacy in Your (SPY) Car Study Act of 2017. The bill would require DOT’s National Highway Transportation Safety Administration (NHTSA) to conduct a study to determine appropriate standards for the regulation of the cybersecurity of motor vehicles.

The Study


The study would be required to address {§2(a)}:

• The isolation measures that are necessary to separate critical software systems from other software systems;
• The measures that are necessary to detect and prevent or minimize in the software systems of motor vehicles anomalous codes associated with malicious behavior;
• The techniques that are necessary to detect and prevent, discourage, or mitigate intrusions into the software systems of motor vehicles and other cybersecurity risks in motor vehicles, such as continuous penetration testing and on-demand risk assessments;
• Best practices to secure driving data collected by the electronic systems of motor vehicles;
• A timeline for implementing systems and software that reflect the measures, techniques, and best practices identified.

The bill requires a report to Congress within one year of passage. Presumably, Congress would then take the necessary actions to pass legislation requiring implementation of the suggested program.

Moving Forward


Neither Wilson nor his co-sponsor {Rep. Lieu (D,CA)} is a member of the House Energy and Commerce Committee, the committee to which this bill was referred for consideration. This means that the bill is unlikely to be considered by that Committee.

There is nothing in the bill that would draw the substantial ire of any group. Since the bill only requires a study (with no spending to support it), which could only serve to pass the buck to a future Congress, it would be adopted in committee if considered and would subsequently pass if it made it to the floor of the House.

Commentary


The first major problem with this bill is that it fails to include the DHS ICS-CERT in the list of organizations with which NHTSA is required to consult in the conduct of the study. In fact, there is no mention of DHS, the agency designated by Congress to be responsible for cybersecurity matters, in the bill. This was almost certainly done to avoid the inevitable inter-committee conflicts that affect most homeland security legislation.

The major technical issue with this bill (other than the complete misuse/misunderstanding of technical terminology – ‘continuous penetration testing’???) is that it completely fails to address the communications issues that are an integral part of almost any cyber threat. The current existence of in-car Wi-Fi nodes and the imminent future impact of vehicle-to-vehicle and vehicle-to-infrastructure communications systems cannot be overlooked in any study of automotive cybersecurity issues.


Finally, the bill overlooks the role of the independent security researcher in identification of cybersecurity vulnerabilities. Any cybersecurity study that fails to look at the relationships between such researchers, vendors and regulators is missing an important component of identifying and fixing cybersecurity vulnerabilities.

HR 686 Introduced – IOT Support

Last month Rep. Paulsen (R,MN) introduced HR 686, the Developing Innovation and Growing the Internet of Things (DIGIT) Act. This is a companion bill to S 88 that was introduced in the Senate. That means that the language of the bill is the same and it allows for work to begin on the bill in both houses of Congress at the same time, instead of sequentially.

Paulsen sponsored a very similar bill (HR 5117) in the 114th Congress. No action was taken on that bill, at least partially because Paulsen was not a member of the House Energy and Commerce Committee and his co-sponsor {Rep. Welch (D,VT)} was not an influential member of that Committee. The same holds true for this session, except that Welch’s influence has increased somewhat because this is his second term in the House. The bill will probably not see action in committee.


The bill would probably be approved in committee if considered and would similarly pass if it made it to the floor of the House since no regulatory authority or new spending is provided.

Friday, February 3, 2017

Bills Introduced – 02-02-17

Yesterday, with both the House and Senate in session, there were 59 bills introduced. Of those only one may be of specific interest to readers of this blog:

S 278 A bill to amend the Homeland Security Act of 2002 to provide for innovative research and development, and for other purposes. Sen. Daines, Steve [R-MT]

This bill will only be followed here if it contains specific reference to chemical security or cybersecurity research.

ICS-CERT Publishes Honeywell Advisory

Yesterday the DHS ICS-CERT published a control system advisory for multiple vulnerabilities in the Honeywell XL Web II controller application (also sold as the Falcon web controller by Centraline). The vulnerabilities were reported by Maxim Rupp. Honeywell has produced a new version to mitigate the vulnerabilities. There is no indication that Rupp has been provided an opportunity to verify the efficacy of the fix.

The reported vulnerabilities are:

• Plaintext storage of passwords - CVE-2017-5139;
• Insufficiently protected credentials - CVE-2017-5140;
• Session fixation - CVE-2017-5141;
• Improper privilege management - CVE-2017-5142; and
• Path traversal - CVE-2017-5143.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to gain an entry point into the network where the device is located.
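The advisory gives no detail on how the path traversal issue (CVE-2017-5143) arises in the XL Web II, so the following is an added example of the defensive check that closes this vulnerability class in general, not Honeywell's or Centraline's code. A web controller that serves files named by the client must confine every request to its served tree; the function below percent-decodes the request once, normalises it, and rejects anything that would climb above the root, with constructed sample requests (the root directory and file names are hypothetical) showing which are accepted and which are refused.

```python
"""
Added example (not Honeywell's or ICS-CERT's code): confine a client-supplied
file path to a served root so that '..' segments and absolute paths cannot
escape it.
"""
import posixpath
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a client-supplied path would escape the served root."""


def resolve_under(root: str, requested: str) -> str:
    """Map a client-supplied relative path onto a file below `root`.

    The request is percent-decoded exactly once (decoding again after
    normalising is itself a classic bypass), normalised, and then checked
    both before and after joining with the root. Backslashes, NUL bytes and
    absolute paths are refused outright rather than interpreted.
    """
    root = posixpath.normpath(root)
    decoded = unquote(requested)
    if "\x00" in decoded or "\\" in decoded or decoded.startswith("/"):
        raise TraversalError(f"rejected request path: {requested!r}")
    norm = posixpath.normpath(decoded)
    if norm == ".." or norm.startswith("../"):
        raise TraversalError(f"rejected request path: {requested!r}")
    full = posixpath.normpath(posixpath.join(root, norm))
    # Belt and braces: the joined result must still sit inside the root.
    if full != root and not full.startswith(root + "/"):
        raise TraversalError(f"rejected request path: {requested!r}")
    return full


def is_safe(root: str, requested: str) -> bool:
    """Convenience wrapper returning True when the request stays under root."""
    try:
        resolve_under(root, requested)
        return True
    except TraversalError:
        return False


# Constructed sample requests against a hypothetical served directory.
SERVED_ROOT = "/var/www/controller"
SAMPLE_REQUESTS = [
    "reports/today.csv",           # ordinary request, accepted
    "reports/./today.csv",         # harmless '.' segment, accepted
    "reports%2Ftoday.csv",         # encoded slash, decoded once, accepted
    "../etc/passwd",               # climbs out of the root, refused
    "reports/../../etc/passwd",    # climbs out after normalisation, refused
    "..%2F..%2Fetc/passwd",        # encoded traversal, refused after decoding
    "/etc/passwd",                 # absolute path, refused
    "reports\\..\\secret.txt",     # backslash separators, refused outright
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        verdict = "ok     " if is_safe(SERVED_ROOT, req) else "REFUSED"
        print(f"{verdict} {req}")
```

The order of operations is the part worth copying: decode once, normalise, then compare the final joined path against the root as a string prefix with the trailing separator included, so that a sibling directory such as `/var/www/controller2` is not mistaken for a child of the root. On a real system the joined path should additionally be passed through the platform's `realpath` so that symbolic links under the root cannot point outside it.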


NOTE: For some reason this advisory was published in the old format. While not a serious issue, the lack of internal controls on the format issue may be an indicator of some management issues.

Wednesday, February 1, 2017

House Passes Three Homeland Security Bills

Yesterday the House took up 17 homeland security related bills under the suspension of rules process and passed all of them. Of these, three are probably of interest to readers of this blog:

HR 437, the Medical Preparedness Allowable Use Act;
HR 612, the United States-Israel Cybersecurity Cooperation Enhancement Act of 2017; and
HR 677, the CBRN Intelligence and Information Sharing Act of 2017.

HR 437 passed by a voice vote after less than 10 minutes of ‘debate’; no one spoke in opposition to the bill.

HR 612 passed by a voice vote after about 16 minutes of ‘debate’; no one spoke in opposition to the bill.

HR 677 passed by a voice vote after about 5 minutes of ‘debate’; no one spoke in opposition to the bill.

All three of these bills would almost certainly pass in the Senate if they make it to the floor for consideration. Since earlier versions of all three of these bills passed in the House in the 114th Congress, but were not taken up by the Senate, it is obvious that consideration by the Senate is not a given.


With these bills being passed in the first 30 days of the 115th Congress, time constraints will not be a factor in whether or not they make it to the floor. What matters is whether or not there is a champion in the Senate with enough political influence with the leadership to bring them to the floor. If any of these bills are considered, they will most likely be considered under the Senate’s unanimous consent procedure with no debate and no actual vote. A single Senator can block a bill under this procedure.
 