Monday, March 27, 2017

Committee Hearings – Week of 3-26-17

This week both the House and Senate will be in session. There are a number of committee hearings that will be held on both sides of the Capitol, but there is only one, a cybersecurity hearing, that may be of specific interest to readers of this blog.

On Tuesday the Energy Subcommittee of the Senate Energy and Natural Resources Committee will be holding a hearing to look at cybersecurity threats to the US electric grid. The hearing will also receive testimony on S 79, the Securing Energy Infrastructure Act. The witness list includes:

• Michael Bardee, Federal Energy Regulatory Commission;
• John DiStasio, Large Public Power Council;
• Thomas Zacharia, Oak Ridge National Laboratory; and
• Ben Fowke III, Xcel Energy

Saturday, March 25, 2017

HR 1571 Introduced – Oil Train Fire Training Grants

Last week Rep Herrera-Beutler (R,WA) introduced HR 1571, the Fire Department Proper Response and Equipment Prioritization Act. The bill would require FEMA to give high priority to grants for incident response training for crude oil and ethanol train accidents.

The bill is essentially the same as HR 4765 that was introduced in the 114th Congress. That bill saw no action, mainly because Herrera-Beutler was not in a position to influence the House Science, Space, and Technology Committee to take up the bill. Since she is still not a member of that Committee (to which the bill was assigned for consideration) it is very unlikely that the Committee will take up the bill in this session.


The only way that this bill has a chance of making it into law during this session is for its provisions to be added to either the DHS spending bill or the DHS authorization bill (if that bill actually happens). Herrera-Beutler is a member of the Appropriations Committee, so it is possible that this could be included in the DHS spending bill. She is not a member of the House Homeland Security Committee, so adding it to an authorization bill would have to come in the form of an amendment if/when the bill is considered in the House.

Friday, March 24, 2017

Bills Introduced – 03-23-17

Yesterday, with both the House and Senate in session, there were 59 bills introduced. Of those, only one may be of specific interest to readers of this blog:

S 719 A bill to establish a grant program at the Department of Homeland Security to promote cooperative research and development between the United States and Israel on cybersecurity. Sen. Whitehouse, Sheldon [D-RI]


This bill will only receive further mention here if it includes specific language concerning control system security issues.

Thursday, March 23, 2017

ICS-CERT Publishes 2 Advisories

Today the DHS ICS-CERT published two control system security advisories for products from Becton, Dickinson and Company (BD) and Leão Consultoria e Desenvolvimento de Sistemas LTDA ME (LCDS).

BD Advisory


This advisory describes a hard-coded password vulnerability in the BD Kiestra PerformA and KLA Journal Service (laboratory information management systems) applications. The vulnerability is apparently self-reported. BD will be providing updates to the two applications and the Kiestra Database to “reduce the risk [emphasis added] of exploitation of the hard-coded passwords vulnerability”.

ICS-CERT reported that a relatively low skilled attacker could remotely exploit this vulnerability to access the BD Kiestra Database, which could be leveraged to compromise the confidentiality of limited patient health information and personally identifiable information stored in the BD Kiestra Database.

The BD Security Advisory paints a more complicated picture of the vulnerability situation, but it also provides workarounds to be used pending the updates that will be provided later this year. It describes three vulnerabilities instead of one:

• A legacy application (SMB1 protocol);
• Hard-coded password in the two applications;
• Third-party default password in the Database.

LCDS Advisory


This advisory describes a path traversal vulnerability in the LCDS LAquis SCADA software. The vulnerability was reported by Karn Ganeshen via the Zero Day Initiative. LCDS has produced a new firmware version to mitigate the vulnerability. There is no indication that Ganeshen has been provided an opportunity to verify the efficacy of the fix.


ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability, allowing an unprivileged, malicious attacker to access files remotely.

Wednesday, March 22, 2017

ICS-CERT Updates Two Advisories

Yesterday the DHS ICS-CERT updated two control system security advisories for products from Moxa and Siemens.

Moxa Update  


This update provides information on an advisory that was originally issued on December 1st, 2016. The new information includes:

• Updates affected version information for all affected products;
• Adds two new devices (NPort 6000 and NPort 6110);
• Removes one previously listed device series (NPort 6x50 series); and
• Adds a mitigation measure for the newly listed device series (NPort 6000 series).

Siemens Update  


This update provides information on an advisory that was originally issued November 22nd, 2016. The new information includes:

• Updates affected version information for CP 443-1;
• Adds a link to the update for CP 443-1; and
• Removes workaround information for CP 443-1.


The same information was changed on the Siemens Security Advisory. Siemens announced their update in a TWEET® on March 16th, 2017.

H Res 200 Introduced – Cybersecurity Policy

Last week Rep. Taylor (R,VA) introduced H Res 200. This resolution calls for the establishment of a comprehensive cybersecurity policy.

The Resolution


The preamble to this resolution establishes the reasons that a cybersecurity policy is needed. It specifically mentions the large number of mega-data breaches that have recently occurred, including specifically the OMB breach. While no specific mention of control system security is made it does note that “malicious cyber activity has the potential to cause great harm to the national security, economy, and infrastructure of the United States and the health, well-being, and safety of United States citizens”. The inclusion of ‘infrastructure’ as one of the areas that could potentially be harmed certainly seems to indicate that cyber-physical vulnerabilities are considered to be a potential threat.

It concludes with the following resolution:

“That it is the sense of the House of Representatives that the United States should develop and adopt a comprehensive cybersecurity policy that clearly defines acts of aggression, acts of war, and other related events in cyberspace, including any commensurate responses to any such act or event in cyberspace.”

Moving Forward


Taylor is not a member (nor is his cosponsor Rep. Ruppersberger (D,MD)) of the House Foreign Affairs Committee to which this resolution was referred for consideration. This means that it is unlikely that the Committee will take up the resolution.

There is nothing in the resolution that would engender any significant opposition to the bill if it were considered in Committee or brought to the floor of the House.

Commentary



The failure to specifically mention cyber-physical vulnerabilities in the preamble to the resolution weakens the argument to support the call for a policy that addresses cyber activities that might constitute an act of war. Mention should have been made specifically to the 2015 attack on Georgian electrical utilities as an example of the types of cyber-physical attacks that have been seen in the real world.

Bills Introduced – 03-21-17

Yesterday, with both the House and Senate in session, there were 54 bills introduced. Of these, four may be of specific interest to readers of this blog:

HR 1647 To establish a Water Infrastructure Trust Fund, and for other purposes. Rep. Blumenauer, Earl [D-OR-3]

HR 1653 To amend certain provisions of the Safe Drinking Water Act, and for other purposes. Rep. Latta, Robert E. [R-OH-5]

S 679 A bill to require the disclosure of information relating to cyberattacks on aircraft systems and maintenance and ground support systems for aircraft, to identify and address cybersecurity vulnerabilities to the United States commercial aviation system, and for other purposes. Sen. Markey, Edward J. [D-MA]

S 680 A bill to protect consumers from security and privacy threats to their motor vehicles, and for other purposes. Sen. Markey, Edward J. [D-MA]

The two water system bills will only receive further mention in this blog if they specifically address facility security or cybersecurity issues.


These two bills from Markey are almost certainly based upon bills that he introduced in the 114th Congress (S 2764 and S 1806 respectively). Neither bill saw any action in the previous session; perhaps it will be different this time.

Tuesday, March 21, 2017

ICS-CERT Publishes 2 Rockwell Advisories and Year-in-Review

Today the DHS ICS-CERT published two control system security advisories for products from Rockwell Automation; both had previously been published on the limited access NCCIC Portal on January 16th, 2017. They also published their annual report on ICS-CERT activities for 2016.

Factory Talk Advisory


This advisory describes an unquoted search path or element vulnerability in the Rockwell Factory Talk Services Platform. This is a self-reported vulnerability. Rockwell has produced a new version that mitigates the vulnerability.

ICS-CERT reports that an authenticated, but nonprivileged, local user could exploit this vulnerability to link to or run a malicious executable.

Connected Components Workbench Advisory


This advisory describes a DLL hijack vulnerability in the Rockwell Connected Components Workbench. The vulnerability was reported by Ivan Sanchez. Rockwell has produced a new version that mitigates the vulnerability. There is no indication that Sanchez has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT makes no mention of the exploitability of this vulnerability, but does note that a successful exploit could result in effects ranging from a denial of service (DoS) to the injection of malicious code into trusted processes, depending on the content of the DLL and the risk mitigations in place at the victim.

2016 Year in Review


The annual report is much the same as we saw last year in the 2015 report; it is essentially the same as an annual report that one might expect to find sent out to existing and prospective stockholders of a Fortune 500 company. There are lots of numbers, pretty pictures and written fluff that provides little or no new information that can really be used by anyone in the control system security field.

For example, on page 8 there is a brief discussion of incident response activities in FY 2016. After detailing that ICS-CERT responded to 290 incidents, they toss off the comment that: “Also in FY 2016, the team responded to the first known cyberattack to result in physical impact to a power grid.” No additional information was provided, but I suspect that this was the December 2015 attack on the grid in Georgia, not a US grid attack. But you cannot tell that from this report.


Monday, March 20, 2017

ISCD Updates Another CFATS FAQ Response

Today the DHS Infrastructure Security Compliance Division (ISCD) updated the response to a frequently asked question (FAQ) on the CFATS Knowledge Center. The updated response was for FAQ #1275: What needs to be done when a facility is bought or sold?

There was no substantive change to the requirements associated with the change in ownership. The change simply removed the Chemical-Terrorism Vulnerability Information (CVI) disclosure statement at the end of the response. That statement used to read:

“CVI Disclosure If any letters submitted to DHS for review contain any CVI information, the letter must be properly marked, packaged, and sent in accordance with the CFATS regulations for protection of CVI (see 6 CFR § 27.400). A copy of the CFATS regulation, including the CVI requirements in 6 CFR § 27.400, is available at https://www.dhs.gov/critical-infrastructure-chemical-security.”


It is not clear why the statement was removed. While one would like to assume that anyone associated with the CFATS program would understand the CVI requirements for identifying and sending CVI protected information, the whole purpose of FAQ responses is to communicate information in a new format to ensure that the affected parties understand all of the requirements.

Committee Hearings – Week of 3-19-17

Both the House and Senate will be in session this week. While health care and election cybersecurity will be the main press focus this week there are a large number of other hearings taking place. Three of those hearings may be of specific interest to readers of this blog. They will deal variously with cybersecurity and the Coast Guard.

Cybersecurity


On Wednesday the House Homeland Security Committee will be holding a hearing to look at “A Borderless Battle: Defending Against Cyber Threats”. The witness list includes:

• Keith B. Alexander, IronNet Cybersecurity;
• Michael Daniel, Cyber Threat Alliance;
• Frank J. Cilluffo, George Washington University; and
• Bruce W. McConnell, EastWest Institute

I do not suspect that there will be a lot of detailed information about specific control system security issues, but there will be some discussion of cyber-physical threats and policy responses.

On Wednesday the Senate Commerce Science and Transportation Committee will hold a hearing to look at “The Promises and Perils of Emerging Technologies for Cybersecurity”. The witness list includes:

• Caleb Barlow, IBM Security;
• Venky Ganesan, Menlo Ventures;
• Steve Grobman, Intel Security; and
• Malcolm Harkins, Cylance Corporation

While focusing on ‘technologies’, don’t expect this hearing to get too technical. It will almost certainly contain some discussion of cyber-physical system protection, but I do not expect too much focus on specific control system technology.

Coast Guard



On Wednesday the Oceans, Atmosphere, Fisheries and Coast Guard Subcommittee of the Senate Commerce Science and Transportation Committee will hold a hearing on “State of the Coast Guard: Ensuring Military, National Security, and Enforcement Capability and Readiness”. The Commandant will be the only witness. There may be some brief discussion about the Maritime Transportation Security Act (MTSA) program enforcement, but don’t expect much detail.

Sunday, March 19, 2017

TSA ICR Comment Response

I received an interesting email from Bruce Anderson at the DHS Transportation Safety Administration (TSA). He was responding to a comment I submitted last October on a 60-day information collection request (ICR) renewal notice that TSA had published to support the collection of information from people applying for a Transportation Workers Identification Credential (TWIC).

In my comment, I noted that the lack of detail about recent changes in the TWIC program made it difficult to appropriately comment on the burden estimates provided in the 60-day ICR renewal notice. In his email, Anderson responded (in part), for each of the three areas in which I had identified a lack of detail, that: “The supporting calculations and explanations are included in the Information Collection Supporting Statement.”

Readers who have followed my blog posts about ICRs over the years may recognize that document title. It is a document that the ICR submitting agency must provide to the OMB’s Office of Information and Regulatory Affairs (OIRA) to justify the requested approval of the ICR. These are very detailed documents that definitely spell out the details that I claimed were missing from the published ICR notice.

Unfortunately, that document is not prepared until the ICR renewal request is sent to the OIRA for approval. Part of the reason is that, included in that document, is a listing of the public comments received from the two ICR renewal notices (60-day and 30-day notices) and the agency's response to those comments.

The ICR published in October specifically requests public comments to: “Evaluate the accuracy of the agency's estimate of the burden”. Without the detailed information that is provided in the Information Collection Supporting Statement it is not possible for the public to evaluate the burden estimate. That was the point of my original comment and the point that was totally missed by TSA in their response.

It would not be reasonable for TSA, or any agency, to include the complete Supporting Statement in the Federal Register notices that are required to be published by 44 USC 3507. What would be helpful, however, would be for a copy of the draft Supporting Statement to be included in the docket for the ICR on the Federal eRulemaking Portal (www.Regulations.gov). That way the concerned public or affected entities would have a legitimate opportunity to evaluate and comment upon the burden estimate.


The comment period for the 60-day ICR notice has closed and no more public comments are being accepted. There will be another notice, the 30-day ICR notice, and I will submit a copy of this post as a comment on that notice.

Saturday, March 18, 2017

S 536 Introduced – Cybersecurity Expertise

Last week Sen. Reed (D,RI) introduced S 536, the Cybersecurity Disclosure Act of 2017. The bill would require the Securities and Exchange Commission (SEC) to establish rules requiring companies to list board members with cybersecurity expertise on annual reports. This is nearly the same as S 2410 that Reed introduced in the 114th Congress.

Differences from Earlier Bill


There are two detectable, but relatively insignificant differences between S 536 and S 2410. The first is that S 536 adds a definition of ‘NIST’ to §2(a). Secondly, S 536 adds a brief reference to NIST Special Publication 800-181 to the discussion {§2(c)} of what should constitute cybersecurity expertise in the SEC regulations.

Moving Forward


While Reed is a senior member of the Senate Banking, Housing, and Urban Affairs Committee to which this bill was assigned for consideration, he was not able to get his earlier bill considered by that Committee in the last session, so it is unlikely that he will be able to do so in this session.


There is nothing in this bill that should draw significant opposition. This bill should be able to pass in Committee if it is brought up.

TSA Publishes 2016 Enforcement Report

Earlier this week the DHS Transportation Security Administration (TSA) published a notice in the Federal Register (82 FR 13648-13650) providing information on their surface transportation enforcement activities performed in 2016. This report is an annual requirement from 49 USC 114(v)(7)(A).

This week’s report shows a total of 46 enforcement actions taken last year, an almost 15% increase over the previous year. See Table 1 below for a breakdown of recent enforcement activity.

Violation                          | 3 years prior | 2 years prior | Previous year | 2016
-----------------------------------|---------------|---------------|---------------|-----
Did not allow TSA Inspection       |               |               |               |
Rail Car Chain of Custody          |               | 4             | 1             |
Rail Car Security                  | 1             |               |               |
Rail Car Location                  | 5             | 1             |               |
Reporting Security Concern         | 2             | 1             | 1             |
Use of another’s TWIC              | 3             | 8             | 5             | 4
Direct the use of another's TWIC   |               |               | 7             | 3
Fraudulent Manufacture of TWIC     |               |               | 2             | 5
Use of an altered TWIC             |               |               | 15            | 34
Total                              | 11            | 14            | 31            | 46

Table 1: TSA Enforcement History (blank cells are years with no enforcement actions in that category)

It appears that there has been an increasing emphasis at TSA on Transportation Workers Identification Credential (TWIC) enforcement activities (TWIC is a shared responsibility between the TSA and Coast Guard) and a corresponding decline in enforcing TSA rules on freight rail security under 49 CFR 1580.

The TSA has the option of levying civil penalties to enforce regulations covering the TWIC and freight rail security. Table 2 shows the civil penalties information relating to their 2016 enforcement activities.

2016 TSA Surface Enforcement Actions | # of Incidents | Maximum Penalty Proposed | Imposed
-------------------------------------|----------------|--------------------------|--------
Use of another’s TWIC                | 4              | $3,000                   | Pending
Direct another to use TWIC           | 3              | $2,000                   | Pending
Fraudulent Manufacture of TWIC       | 5              | $5,000                   | Pending
Total                                | 12             | $37,000                  | $2,000

Table 2: Civil Penalty Information


There were no penalties proposed for the 34 reported instances of the use of an altered TWIC that TSA reported; warnings were given.

Bills Introduced – 3-17-17

With just the House in session yesterday there were 35 bills introduced. Of those two may be of specific interest to readers of this blog:

HR 1609 To amend title 10, United States Code, to support meeting the increasing needs of the United States for a cybersecurity and information assurance workforce by reinvigorating and modifying the Information Assurance Scholarship Program of the Department of Defense, and for other purposes. Rep. Langevin, James R. [D-RI-2]

HR 1616 To amend the Homeland Security Act of 2002 to authorize the National Computer Forensics Institute, and for other purposes. Rep. Ratcliffe, John [R-TX-4]

It looks like HR 1609 may be a companion bill to S 592 which I have not yet had a chance to review.


HR 1616 is probably very similar to HR 3490 that was introduced in the 114th Congress and passed in the House. It was not taken up in the Senate. It will be interesting to see if this latest version includes industrial control system forensics language.

Friday, March 17, 2017

Bills Introduced – 03-16-17

Yesterday, with just the House in session {the Senate left for an early start to a week in their home states campaigning (er, working)}, there were 44 bills introduced. Of those, three may be of specific interest to readers of this blog:

HR 1571 To provide first responders with planning, training, and equipment capabilities for crude oil-by-rail and ethanol-by-rail derailment and incident response, and for other purposes. Rep. Herrera Beutler, Jaime [R-WA-3]

HR 1579 To require drinking water systems to assess and address their vulnerabilities to climate change, source water degradation, and intentional acts to ensure security and resiliency. Rep. Peters, Scott H. [D-CA-52] 

H Res 200 Expressing the sense of the House of Representatives that the United States should develop and adopt a comprehensive cybersecurity policy. Rep. Taylor, Scott [R-VA-2]

It will be interesting to see why HR 1571 was referred to the House Science, Space, and Technology Committee instead of the Transportation and Infrastructure or the Homeland Security Committees.

I will be following HR 1579 only if it specifically addresses cybersecurity or cyber resiliency issues.


While House Resolutions are usually of little real importance, it will be worth seeing whether this one actually mentions control system security issues that should be addressed as part of a ‘comprehensive’ cybersecurity policy. If it does not, the policy will hardly be ‘comprehensive’.

ISCD Publishes 6 Updated FAQ Responses

Today the DHS Infrastructure Security Compliance Division (ISCD) updated the responses to six frequently asked questions (FAQs) on the CFATS Knowledge Center. The changes to these responses were non-consequential; ISCD simply removed language referring to two manuals that were made obsolete by the change to CSAT 2.0 that was made last October.

No notice of the changes was provided on the CFATS Knowledge Center page.

Changes


The FAQ responses that were updated were:


The two manuals that are no longer part of the Chemical Security Assessment Tool (CSAT) that are not mentioned in the updated FAQ responses are:


NOTE: The links to the two old manuals were still good as of the writing of this post.

Commentary


Since the two old manuals have been superseded by the CSAT 2.0 program upgrade, it is certainly logical that references to the two manuals have been removed. What I do not understand is why the response updates did not refer to the new CSAT 2.0 manual that does address these issues: the Chemical Security Assessment Tool (CSAT) 2.0 Portal User Manual.

While the old method of just providing a link to the relevant manual was not really helpful, ISCD could be more helpful if it provided a link to the manual along with a section reference where the information can be found.

Thursday, March 16, 2017

ICS-CERT Publishes LCDS Advisory

Today the DHS ICS-CERT published a control system security advisory for the Leão Consultoria e Desenvolvimento de Sistemas (LCDS) LAquis SCADA software. They also published the draft agenda for the Spring 2017 meeting of the ICSJWG in Minneapolis, Minnesota, on April 11-13, 2017.

LCDS Advisory


This advisory describes an improper access control vulnerability in the LAquis SCADA software. The vulnerability was reported by Karn Ganeshen. LCDS has produced a new version to mitigate the vulnerability. ICS-CERT reports that Ganeshen has verified the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker, presumably with local access, could exploit the vulnerability to escalate their privileges and modify or replace application files.

ICSJWG Agenda


ICS-CERT has provided a link to the draft agenda for the ICSJWG Spring 2017 Meeting. It looks like there will be a number of interesting presentations from familiar names and organizations.


There appears to be an increasing interest in the interface of safety and security in process engineering. With the recent congressional interest in cyber informed engineering (see S 79 in the 115th Congress and S 2943 in the last session) Virginia Wright of the Idaho National Labs will be doing a presentation on the INL work on the topic (see here).

Tuesday, March 14, 2017

TSA Reopening Comment Period on Security Plan ANPRM

Today the DHS Transportation Security Administration (TSA) published a notice in the Federal Register (82 FR 13575) providing notice that it was reopening the comment period for their Advance Notice of Proposed Rulemaking (ANPRM) on “Surface Transportation Vulnerability Assessments and Security Plans”. The comment period for that rulemaking originally closed on February 14th, 2017.

A total of nine comments have been received on that ANPRM. Only one of those was from someone related to the freight railroad sector; a co-comment from the Association of American Railroads (AAR) and the American Short Line and Regional Railroad Association (ASLRRA). Their comments can be summed up by saying: “We already have this stuff covered, leave us alone.”

The re-opening of the comment period makes it clear that, now that the Trump Administration’s rulemaking review has been completed, this rulemaking will proceed since TSA is required to complete the rulemaking by law (6 USC 1162 and 6 USC 1172). The very small number of comments received for such a potentially costly rulemaking was obviously engendered by the assumption that the Trump TSA would not go forward with the rulemaking process.

I suspect that when we finally see the regulations proposed in the NPRM it will be very minimalist with regards to programs affecting the freight rail industry, essentially adopting the status quo. The only problem with that is that the law specifically establishes the mandate that the regulations require the railroads to “prepare, submit to the Secretary for approval [emphasis added], and implement a security plan in accordance with this section that addresses security performance requirements” {§1162(a)(1)(B)}.


The AAR/ASLRRA comments do not address how TSA should go about dealing with that requirement. I think we are going to see some additional comments.

ICS-CERT Publishes Advisory and Alert

Today the DHS ICS-CERT published a new control system security advisory for products from Fatek. They also published a control system security alert for a class of micro-electromechanical systems (MEMS) accelerometer sensors from a number of vendors.

Fatek Advisory


This advisory describes a stack-based buffer overflow in Fatek PLCs. An anonymous researcher reported the vulnerability via the Zero Day Initiative (ZDI). Fatek has produced a new version that mitigates the vulnerability. There is no indication that the anonymous researcher has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to crash the affected device or allow remote code execution.

The Fatek release note for the new version of the Fatek Ethernet Module Configuration Tool used in these devices explains that there were two separate changes responding to apparently separate vulnerabilities. It is not clear from the release note whether both are necessary to mitigate the vulnerability listed in the ICS-CERT advisory or whether there is another vulnerability that was not reported by ICS-CERT.

MEMS Accelerometer Alert


This alert describes a publicly disclosed vibration-based design flaw in a number of MEMS accelerometers from a variety of manufacturers. ICS-CERT does not identify the vulnerability reporter, but it appears to be based upon a paper that will be presented at the IEEE European Symposium on Security & Privacy, Paris, France, April 2017 by Timothy Trippel, Ofir Weisse, Wenyuan Xu, Peter Honeyman, and Kevin Fu.

According to ICS-CERT:

“According to public reporting, the design flaws may be exploitable by playing specific acoustic frequencies in close proximity to devices containing embedded capacitive MEMS accelerometer sensors. At a specific acoustic frequency it may be possible to induce a vibration within vulnerable accelerometers to alter the sensors’ output in a predictable way. The impact of exploitation would be dependent on the function and operation of host devices, but it is understood that during an attack it may be possible to render affected sensors inoperable. This could result in a denial of service for host devices. During a successful attack, the integrity of measured data by vulnerable sensors could also be compromised. In the worst case attack scenario, it may be possible for an attacker to control sensor output data in a predictable way to achieve some level of control over a host device that primarily operates on unvalidated sensor data.”

One device manufacturer, Robert Bosch GmbH, has already produced a vulnerability advisory for MEMS accelerometers that they produce. ICS-CERT is working with other vendors to identify a list of affected products that use the affected capacitive MEMS accelerometers and to determine each vendor’s mitigation plan.

Commentary


The ICS-CERT failure to identify the source of the public disclosure in this particular alert is extremely short-sighted. I understand their desire to encourage coordinated disclosures, but I have never thought that failing to give credit where it is due served that purpose well. In this case this is an academic paper for a vulnerability that looks like it will take a great deal of effort to effectively exploit, particularly in an ICS environment. Failing to provide the details of the vulnerability (through a link to the original paper) is a disservice to the ICS community.

To make matters worse, from a coordinated disclosure point of view, the vulnerability potentially affects nearly all (apparently) MEMS accelerometer manufacturers. There would be no effective way to really coordinate the disclosure with all of the potential vendors. Further, I expect that many solutions are going to depend upon actions of other vendors that actually employ the accelerometers in their equipment.

Oh, and by-the-way, the original paper was publicly disclosed today in a NY Times article.

ICS-CERT really does need to get out a revision to this alert that gives specific credit, and a link to the paper, to the discoverers of this vulnerability.


Oh, in another cute by-the-way, this vulnerability already has a cute name – WALNUT.

Monday, March 13, 2017

S 516 Introduced – Cybersecurity Grants

Earlier this month Sen. Warner (D,VA) introduced S 516, the State Cyber Resiliency Act. This is a companion bill to HR 1344, introduced on the same day in the House. Warner is not on the Senate Homeland Security and Governmental Affairs Committee, to which the bill was referred for consideration. This means that the bill will be unlikely to proceed in the Senate either.

ICS-CERT Publishes Destructive Malware Paper

Today the DHS ICS-CERT published a new white paper; Destructive Malware. This is a brief overview of wiper (five types) and multifunctional wiper (three types) malware. It provides a couple of paragraphs to summarize the action of each malware type with a very brief recovery summary.

This is not a technical level document; it is more of a management overview designed to allow mid-level managers to understand the very basics of what their technical personnel are talking about. Unfortunately, I think that it misses its usefulness for this purpose by being too definitive in its explanation of appropriate responses. It might lead non-technical managers to unnecessarily question tech actions that do not fit the narrow parameters of the actions suggested.


I also do not understand why this is being published by ICS-CERT instead of US-CERT. While this malware may affect ICS operations, it is not specifically ICS malware. If this had been published by US-CERT it might reach a wider audience outside of the control system security community.

Sunday, March 12, 2017

HR 1344 Introduced – State Cybersecurity Grant Program

Earlier this month Rep. Kilmer (D,WA) introduced HR 1344, the State Cyber Resiliency Act. The bill would establish a new Federal Emergency Management Agency (FEMA) grant program to develop and implement a cyber resiliency program.

Cyber Resiliency Program


The bill would provide grants for States establishing cyber resiliency programs designed to assist State and local governments “in preventing, preparing for, protecting against, and responding to cyber threats” {§2(a)}. The FEMA Administrator would approve State plans that were {§2(d)(1)(B)}:

• Enhancing the preparation, response, and resiliency of computer networks, industrial control systems, and communications systems performing such functions against cybersecurity threats or vulnerabilities;
• Implementing a process of continuous cybersecurity vulnerability assessments and threat mitigation practices to prevent the disruption of such functions by an incident within the State;
• Ensuring that entities performing such functions within the State adopt generally recognized best practices and methodologies with respect to cybersecurity;
• Mitigating talent gaps in the State government cybersecurity workforce, enhancing recruitment and retention efforts for such workforce, and bolstering the knowledge, skills, and abilities of State government personnel to protect against cybersecurity threats and vulnerabilities;
• Protecting public safety answering points and other emergency communications and data networks from cybersecurity threats or vulnerabilities;
• Ensuring continuity of communications and data networks between entities performing such functions within the State, in the event of a catastrophic disruption of such communications or networks;
• Accounting for and mitigating, to the greatest degree possible, cybersecurity threats or vulnerabilities related to critical infrastructure or key resources, the degradation of which may impact the performance of such functions within the State or threaten public safety;
• Providing appropriate communications capabilities to ensure cybersecurity intelligence information-sharing and the command and coordination capabilities among entities performing such functions; and
• Developing and coordinating strategies with respect to cybersecurity threats or vulnerabilities in consultation with neighboring States or members of an information sharing and analysis organization.

The Administrator would be able to approve grants to States for developing approved plans and then separate grants for State and local government activities implementing those plans. The implementing grants may be used specifically for {§2(g)(2)}:

• Supporting or enhancing information sharing and analysis organizations;
• Implementing or coordinating systems and services that use cyber threat indicators (as such term is defined in 6 USC 1501) to address cybersecurity threats or vulnerabilities;
• Supporting dedicated cybersecurity and communications coordination planning; and
• Establishing programs, such as scholarships or apprenticeships, to provide financial assistance to State residents who pursue formal education, training, and industry-recognized certifications for careers in cybersecurity and commit to working for State government for a specified period of time.

Moving Forward


Kilmer is not a member of either the House Homeland Security Committee or the Transportation and Infrastructure Committee, the two committees to which this bill was assigned for consideration. This means that it is unlikely that he will have sufficient influence to see the bill considered in either committee.

There is nothing in the bill that would draw significant opposition from any groups outside of Congress. The major stumbling block for this bill is that it authorizes a new spending program. Kilmer tries to avoid that problem by not including a dollar amount in the authorization language included in the bill {§2(j)}. That amount would be set by the Appropriations Committee (to which Kilmer does belong) in the DHS spending bill.

Commentary


This bill is definitely intended to see States include control system security issues in their cyber resiliency. Industrial control systems are specifically mentioned in the outline of plan objectives {§2(d)(1)(B)(i)}. Where things start to get a little confusing is in the matter of definitions.

In discussing implementation grants the bill uses the term ‘cyber threat indicators’ and references the definition in 6 USC 1501(5), which is based upon the control-system-inclusive definition of ‘information system’ found in that section. But later, in the definition section of this bill {§2(k)}, both the definition of ‘cybersecurity risk’ and that of ‘incident’ are adopted from 6 USC 148(a), which depends on the IT-exclusive definition of ‘information system’.


That was necessary because those terms were not defined in §1501. It could have been avoided if the term ‘information system’ had been included in (k) and referenced the definition in §1501. That might have been a bit problematic because the ‘information system’ term is not directly used in this bill. A simpler way of dealing with this would have been to amend the definition in §148 to use that in §1501. This would have the added benefit of updating all other uses of ‘information system’ that rely on the §148 definition.

Saturday, March 11, 2017

HR 1335 Introduced – Communications Cybersecurity

Last week Rep. Clarke (D,NY) introduced HR 1335, the Cybersecurity Responsibility Act of 2017. The bill would require the FCC to issue rules providing cybersecurity requirements for communications networks.

Communications Security


Section 2 of the bill would require the FCC to “issue rules to secure communications networks through managing, assessing, and prioritizing cyber risks and actions to reduce such risks” {§2(a)}. It also requires that those rules establish that communications networks are to be considered critical infrastructure and that information submitted to the FCC and DHS about such networks is to be protected as Critical Infrastructure Information.

The key term in this bill is ‘communications network’. The bill provides a broadly inclusive definition: “a network for the provision of wireline or mobile telephone service, Internet access service, radio or television broadcasting, cable service, direct broadcast satellite service, or any other communications service” {§2(c)}.

Moving Forward


Clarke is a fairly senior member of the House Energy and Commerce Committee to which the bill was assigned for consideration. This means that she may have the influence necessary to have the bill be considered in Committee.

Since the bill, however, provides relatively broad regulatory powers to the FCC there will be a great deal of push back from industry. This means that there would be substantial Republican opposition to this bill. It is unlikely that there would be much support for moving this bill forward.

Commentary



The ‘any other communications service’ provisions of the communication network definition could provide FCC authority to regulate the communications networks associated with physically distributed control systems like SCADA networks. Initially, it would be unlikely that the FCC would exercise that sort of authority; developing regulations for more traditional communications networks would take up a great deal of time for the FCC.

Public ICS Vulnerability Disclosures – Week of 03-04-17

This week there were two control system vulnerability disclosures on the Full Disclosure mailing list. The first is for an access control platform and the second is for a laboratory information management system (LIMS) used in medical labs.

Access Control Platform


On Wednesday Andrew Griffiths from the Google Security Team announced multiple vulnerabilities in the Spider access control platform from SICUNET. The vulnerabilities include:

• Outdated software;
• Unsafe PHP include() usage;
• Unauthenticated remote code execution;
• Hardcoded root credentials; and
• Passwords stored in plaintext.

As is standard practice for the Google Security Team, the vendor was notified of the vulnerabilities multiple times, but no reply was received within the 90-day disclosure window used by Google.

DNA LIMS


On Thursday Nicholas von Pechmann from Shorebreak Security announced multiple vulnerabilities in the dnaLIMS application from dnaTools. The vulnerabilities include:

• Improperly protected web shell - CVE-2017-6526;
• Unauthenticated directory traversal - CVE-2017-6527;
• Insecure password storage - CVE-2017-6528;
• Session hijacking - CVE-2017-6529;
• Cross-site scripting (2 instances); and
• Improperly protected content.

The Shorebreak Security Advisory provides proof of concept code for most of these vulnerabilities and reports that they have developed Metasploit modules for many of them.
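The unauthenticated directory traversal in the list above is the easiest of these vulnerability classes to check for in one's own web applications, so here is an added illustration of the bug class beside a hardened path check. This is example code written for this post; it is not dnaLIMS code, not Shorebreak's proof of concept, and says nothing about how that application is actually built. The base directory and the request paths are constructed for the example.

```python
"""Directory traversal: a naive path join beside a contained one.

Added illustration for this post, not code from dnaLIMS or Shorebreak.
The base directory and request strings used below are constructed.
"""
import os
import posixpath
from typing import Dict, Optional
from urllib.parse import unquote


def vulnerable_resolve(base_dir: str, requested: str) -> str:
    """The bug class: the client-supplied path is joined to the data
    directory with no containment check, so '../' segments walk out of
    base_dir and any file the web server can read becomes reachable."""
    return os.path.join(base_dir, requested)


def hardened_resolve(base_dir: str, requested: str) -> Optional[str]:
    """Return an absolute path inside base_dir, or None if the request
    escapes it.

    The check is done on the *resolved* path rather than on the string,
    because string blacklists miss encodings and symlinks. This only
    answers "is the path contained"; it is not a substitute for
    authenticating the request in the first place.
    """
    # Decode percent-encoding once so '%2e%2e/' is judged like '../'.
    decoded = unquote(requested)
    # Absolute paths and NUL bytes are never legitimate file requests.
    if decoded.startswith(("/", "\\")) or "\x00" in decoded:
        return None
    # Normalise with POSIX rules so the result does not depend on the
    # host OS; treat backslashes as separators as many servers do.
    norm = posixpath.normpath(decoded.replace("\\", "/"))
    if norm == ".." or norm.startswith("../"):
        return None
    real_base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(real_base, norm))
    # Final containment test on the resolved path; this also catches a
    # symlink inside base_dir that points outside it.
    if os.path.commonpath([real_base, candidate]) != real_base:
        return None
    return candidate


def traversal_demo(base_dir: str = "/tmp/lims_data") -> Dict[str, bool]:
    """Run a set of constructed requests through the hardened resolver
    and report which ones it accepts (True) or rejects (False).
    The base directory is hypothetical and need not exist."""
    requests = [
        "reports/run1.txt",             # legitimate request
        "../../etc/passwd",             # classic traversal
        "%2e%2e/%2e%2e/etc/passwd",     # percent-encoded traversal
        "/etc/passwd",                  # absolute path
        "reports/../../secret.txt",     # traversal hidden behind a valid dir
    ]
    return {r: hardened_resolve(base_dir, r) is not None for r in requests}


if __name__ == "__main__":
    for req, accepted in traversal_demo().items():
        print(f"{'ACCEPT' if accepted else 'REJECT':6} {req}")
    print("vulnerable join yields:", vulnerable_resolve("/tmp/lims_data", "../../etc/passwd"))
```

The point of the design is that the decision is made on the resolved filesystem path, not on the request string: rejecting the literal `../` would miss the percent-encoded form and would do nothing about a symlink planted inside the data directory.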


Shorebreak notified the vendor in November of the vulnerabilities. While dnaTools replied that the application should be kept behind a firewall, there was no indication given to the researchers that there would be any attempt to fix the vulnerabilities. Multiple university laboratories have on-line login pages for this application that are readily found via Google.

Friday, March 10, 2017

Bills Introduced – 03-09-17

With both the House and Senate in session, there were 78 bills introduced yesterday. Of those, three may be of specific interest to readers of this blog:

HR 1465 To authorize the Secretary of Homeland Security to work with cybersecurity consortia for training, and for other purposes. Rep. Castro, Joaquin [D-TX-20]

S 592 A bill to amend title 10, United States Code, to support meeting the increasing needs of the United States for a cybersecurity and information assurance workforce by reinvigorating and modifying the Information Assurance Scholarship Program of the Department of Defense, and for other purposes. Sen. Kaine, Tim [D-VA]

S 594 National Cybersecurity Preparedness Consortium Act of 2017. Sen. Cornyn, John [R-TX]

HR 1465 and S 594 are almost certainly companion bills. I suspect that they will be very similar to HR 4743 and S 3295 that were introduced in the 114th Congress. HR 4743 passed with a strongly bipartisan vote in the House, but neither bill was taken up in the Senate.


On S 592 it will be interesting to see if there is specific mention of control system security and to see if there are funds authorized for the program.
 