Friday, March 31, 2017

S 679 Introduced – Aircraft Cybersecurity

Last week Sen. Markey (D,MA) introduced S 679, the Cybersecurity Standards for Aircraft to Improve Resilience  (Cyber AIR) Act of 2017. This bill is very similar to S 2764 that was introduced in the 114th Congress and saw no action there.

Differences


There is one significant difference between this bill and S 2764; §5 from the earlier bill is not present in this bill. That section outlined the requirements for the DOT’s Federal Aviation Administration to provide annual reports to Congress on “on attempted and successful cyberattacks on any system on board an aircraft” {§5(a) in S 2764}.

Moving Forward



Markey is a member of the Senate Commerce, Science and Transportation Committee to which the bill was assigned for consideration. Thus, there is a possibility that that Committee could consider this bill. I don’t believe, however, that there have been sufficient change in the composition of the Senate to overcome the opposition that was seen when portions of this bill were proposed by Markey last session as amendments to HR 636, the FY 2017 FAA authorization bill and S 2658, the Senate version of the same bill.

Thursday, March 30, 2017

ICS-CERT Publishes 2 Schneider Advisories and Medical IOT Alert

Today the DHS ICS-CERT published two control system advisories for products from Schneider Electric. They also published a medical control system alert for a medical lab device from Miele.

Modicon Advisory


This advisory describes multiple vulnerabilities in the Schneider Modicon PLCs. The vulnerabilities were reported by David Formby and Raheem Beyah of Georgia Tech and Fortiphyd Logic, Inc. Schneider has produced new firmware versions to mitigate two of the vulnerabilities and work arounds for the remaining vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Predictable value range from previous values - CVE-2017-6030;
• Use of insufficiently random values - CVE-2017-6026; and
• Insufficiently protected credentials - CVE-2017-6028

ICS-CER reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to spoof or disrupt Transmission Control Protocol (TCP) connections, sniff sensitive account information, and gain unauthorized access to a current web session.

Schneider has taken the unusual move of publishing separate Security Notification documents for each vulnerability (here, here, and here).

Wonderware Advisory


This advisory describes multiple vulnerabilities in the Schneider Wonderware InTouch Access Anywhere. The vulnerabilities were reported by Ruslan Habalov and Jan Bee of the Google ISA Assessments Team. Schneider has produced a new version to mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Cross-Site Request Forgery - CVE-2017-5156;
• Information Exposure - CVE-2017-5158; and
• Inadequate Encryption Strength - CVE-2017-5160

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability  to perform actions on behalf of a legitimate user, perform network reconnaissance, and gain access to resources beyond those intended with normal operation of the product.

The Schneider Security Bulletin reports a fourth vulnerability; Ability to escape out of remote InTouch applications and launch other processes. No CWE information is provided for the fourth vulnerability. Schneider also reports that the researchers have verified the efficacy of the fix.

Miele Alert


This alert describes a publicly reported path traversal vulnerability in the Miele Professional PG 8528, a large capacity cleaner and disinfector used in hospitals and laboratory settings. ICS-CERT does report that Jens Regel publicly disclosed this vulnerability without providing a link to the disclosure on the Full Disclosure web site.

The Miele press release on this vulnerability minimizes the criticality of the problem (perhaps legitimately so). What is more interesting is their comment on their failure to respond to Regel’s attempt at responsible disclosure:

“The technical aspects in this case are entirely separate from the fact that the Miele company failed to respond to several notifications regarding this issue. Executive Directors view this as a serious shortcoming, the details of which have already been investigated in depth with a view to preventing any repeat occurrence in future. They stress that they would like to thank Jens Regel, the source of this evidence, for his information – and for his perseverance.”


While the initial disclosure response was deficient, this certainly reflects a more helpful attitude of the upper management of the company.

ISCD Updates 15 CFATS FAQ Responses and Adds a New One

Today the DHS Infrastructure Security Compliance Division (ISCD) updated fifteen for frequently asked question (FAQ) responses on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. It also added a new FAQ concerning recent DHS emails requesting new Top Screen submissions.

New FAQ


FAQ #1441 was added to the CFATS Knowledge Center. It asks: “If a facility has not made any changes to its holdings of chemicals of interest (COI) as indicated on its most recent Top-Screen, and DHS previously determined the facility to not be high risk, why did the facility receive an email from DHS requesting that a new Top-Screen be completed?”

The response refers back to the Federal Register notice about the introduction of CSAT 2.0 and the new CFATS risk assessment methodology.

FAQ Revisions


The FAQ responses that were changed were:


There was one major response re-write, FAQ # 641. The dated original entry referred to dates and requirements that were only applicable at the start of the CFATS program. The new version reflects the on-going requirements to submit Top Screens for facilities not currently covered under the CFATS program as well as Top Screen renewal requirements for covered facilities.

One common change was the addition of links to 6 CFR 27, 6 USC 22 or some other federal regulation when the FAQ response includes reference to those publications. We see these changes in FAQ #1143, #1194, #1442, #1612, #1620, #1653, #1658, #1666, #1745 and #1751. I counted 22 other FAQ responses that included similar references where regulatory links could be added. It will be interesting to see if ISCD updates those FAQ responses as well.

Another common change was to change wording to FAQ responses reflecting the CSAT 2.0 change to submit a combined Security Vulnerability Assessment (SVA) and Site Security Plan (SSP), or as it is now called SVA/SSP. This change was made in FAQ responses #1628, #1634, #1650, #1653, and #1660.

One truly inconsequential change was made to the response to FAQ #1562. It added “(STQ)” following the words “Screening Threshold Quantity” in the second paragraph of the response.


Finally, one FAQ response (#1238) was corrected to properly reflect the original publication date.

HR 1579 Introduced – Drinking Water Security

Earlier this month Rep. Peters (D,CA) introduced HR 1579, the Secure and Resilient Water Systems Act. This bill would completely re-write the current drinking water security requirements of 42 USC 300i-2. It expands the current counter terrorism requirements to include protecting against climate change and source water degradation to enhance system security and resiliency.

Vulnerability Assessment


The new paragraph (a) would require community water systems to prepare new vulnerability assessments and submit them to the EPA within 24 months of enactment of the bill. The bill would require those assessments to identify threats to {§300i-2(a)(2)}:

• Source water from industrial activity, pipelines and storage tanks, contaminated sites, agricultural activity, and oil and gas exploration;
• Source water and distribution system from climate change, extreme weather, drought, and temperature changes; and
• Source water and distribution system from intentional acts, including intentional contamination, sabotage, and theft of any chemical of interest (as designated under Appendix A to 6 CFR 27).

The assessment would also be required to include “a comparison of the disinfection methods used by the community water system and reasonably available alternative disinfection methods, including a determination of whether reasonably available alternative disinfection methods could reduce the community water system’s vulnerability to the threats identified” {§300i-2(a)(2)}.

Protection Plans


Each community water system would be required to submit to the EPA a source water and distribution system protection plan. The submitted plan would {§300i-2(b)}:

• Identify strategies and resources to mitigate the threats identified in assessments prepared; and
Include specific emergency response plans for the threats identified in assessments.

Grants


The bill would establish the Drinking Water Infrastructure Resiliency and Sustainability Program to provide grants “for the purpose of increasing the resiliency or adaptability of the community water systems to threats identified” {§300i-2(c)(1)}. The grants could be used to {§300i-2(c)(3)(B)}:

• Promoting more efficient water use, water conservation, water reuse, or water recycling;
• Using decentralized, low-impact development technologies and nonstructural approaches, including practices that use, enhance, or mimic the natural hydrological cycle or protect natural flows;
• Reducing stormwater runoff or flooding by protecting or enhancing natural ecosystem functions.
• Modifying, upgrading, enhancing, or replacing existing community water system infrastructure in response to changing hydrologic conditions;
• Improving water quality or quantity for agricultural and municipal uses, including through salinity reduction; or
• Providing multiple benefits, including to water supply enhancement or demand reduction, water quality protection or improvement, increased flood protection, and ecosystem protection or improvement.

The bill would authorize $50 Million for each year from 2018 through 2022 to support the bill.

Moving Forward


Peters is a senior member of the House Energy and Commerce Committee to which this bill was referred for consideration. This means that he may have enough influence to have the Committee consider the bill.

The inclusion of ‘climate change’ language and inherently safer technology reporting provisions will automatically raise the ire of many Republicans on the Committee. Their inclusion almost guarantees that the Committee will not favorably consider the bill without modifying those provisions. Peters will almost certainly have to agree to such changes prior to the Committee considering the bill.

Commentary


The bill greatly expands the security considerations that community water systems need to require in both the vulnerability assessment and response plans currently required. This expansion is more than a little justified, particularly after looking at the fiasco associated with the aftermath of the Freedom Industries chemical spill in West Virginia.

I covered a number of issues about water facility planning and response that probably should be taken when there are potential chemical contamination issues from industrial chemical sources in a series of blog posts about the lessons learned from the Freedom Fiasco. It would have been nice to see this bill address at least some of those issues in some more detail.

I am very happy to see the bill specifically address chemical security issues. Unfortunately, it only addresses the threat of theft of DHS chemicals of interest (COI). This would probably only be an issue for smaller water facilities that use 150-lb cylinders of chlorine gas; stealing chlorine gas from rail cars or even 1-ton storage cylinders is much less of a problem. What should have also been included was the threat of deliberate releases of COI; a much larger potential terrorist threat.

The major shortfall of this bill (and the original 2002 legislation) is that there is no provision for the EPA to review and approve either the vulnerability assessment, the response plans, or the implementation of those plans. The additional requirement to submit the response plans to the EPA was a step forward over the existing keep on file requirement, but there are no provisions for the facility to have adequately implemented the response plans.


Another system security problem that is virtually ignored by this bill is the problem of water control system cybersecurity. There are increasing amounts of automation being used by even smaller water treatment systems for increased efficiency and manpower reduction efforts. Failure to specifically address the protection of these automated systems from deliberate attacks is a major shortcoming of this bill.

Finally, the funding provided for the grant program is more than ludicrously small. The original, significantly more limited requirements, were supported by $160 million in funding for the first year. Interestingly, none of the grant monies could be used to protect facility physical, cyber or chemical security work.

Bills Introduced – 03-29-17

Yesterday with both the House and Senate in session there were 54 bills introduced. Of those three may be of specific interest to readers of this blog:

S 763 A bill to improve surface and maritime transportation security. Sen. Thune, John [R-SD]

S 768 A bill to improve the productivity and energy efficiency of the manufacturing sector by directing the Secretary of Energy, in coordination with the National Academies and other appropriate Federal agencies, to develop a national smart manufacturing plan and to provide assistance to small- and medium-sized manufacturers in implementing smart manufacturing programs, and for other purposes. Sen. Shaheen, Jeanne [D-NH] 

S 770 A bill to require the Director of the National Institute of Standards and Technology to disseminate resources to help reduce small business cybersecurity risks, and for other purposes. Sen. Schatz, Brian [D-HI]

I suspect that S 763 will be very similar to S 3379 that was introduced in the closing days of the 114th Congress. As expected it saw no action.

I will only be looking at S 768 if it provides for cybersecurity measures in support of ‘smart manufacturing’; I’m not holding my breath.


With S 770 I will be looking for specific provisions on, or at least coverage of, control system security issues.

Wednesday, March 29, 2017

Bills Introduced – 03-28-17

With both the House and Senate in session yesterday there were 43 bills introduced. Of those one may be of specific interest to readers of this blog:

S 754 A bill to support meeting our Nation's growing cybersecurity workforce needs by expanding the cybersecurity education pipeline. Sen. Markey, Edward J. [D-MA]


It will be interesting to see what definitions are used in this bill to outline the scope of cybersecurity workforce. If the language is inclusive of industrial control systems then there will be further mention of this bill in this blog.

ISCD Publishes Minor Revisions to CSAT 2.0 Manuals

Today the DHS Infrastructure Security Compliance Division (ISCD) published links to another set of slightly revised manuals for the Chemical Security Assessment Tool (CSAT) 2.0. There was no major notice on the Chemical Facility Anti-Terrorism Standards (CFATS) web sites; just a minor note listing the new revision date (“3.29.17”) in the ‘Documents’ section of the CFATS Knowledge Center.

There are actually two different sets of links for the four manuals. One is on the CFATS Knowledge Center page (controlled by ISCD) and one on the CSAT 2.0 web page (controlled by DHS HQ). The table below provides both sets of links.

Version 2.0.12
Knowledge Center
CSAT 2.0
CSAT 2.0 Portal User Manual
CSAT 2.0 Survey Application User Manual
CSAT 2.0 Top-Screen Instructions
CSAT 2.0 Security Vulnerability Assessment / Site Security Plan Instructions


This new version continues the CSAT 2.0 tradition of making minor changes to the manual to better communicate the information requirements for submitting new Top Screens and SVA/SSP by CFATS covered facilities. ISCD is still not publishing a change description with each manual; I believe that that is still available on the CSAT web site (which I do not have access to, not working at/for a CFATS covered facility).

Tuesday, March 28, 2017

ICS-CERT Publishes Two Advisories

Today the DHS ICS-CERT published two control system security advisories for products from 3S – Smart Software Solutions and Siemens.

3S Advisory


This advisory describes two vulnerabilities in the 3S CODESYS Web Server which is used by an undisclosed variety of equipment manufacturers. The vulnerability was reported by David Atch of CyberX. 3S has provided a patch that mitigates the vulnerability. ICS-CERT reports that Atch has tested the patch and apparently verifies the efficacy of the fix.

The two vulnerabilities are:

• Unrestricted upload of file with dangerous type - CVE-2017-6027; and
• Stack-based buffer overflow - CVE-2017-6025

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerabilities to allow arbitrary files to be uploaded to the CODESYS Web Server without authorization. Additionally, an attacker may be able to crash the application or execute arbitrary code.

Siemens Advisory


This advisory describes multiple vulnerabilities in the Siemens RUGGEDCOM VPN endpoints and firewall devices. Maxim Rupp reported four of the five vulnerabilities. Siemens has developed a mitigation tool [.PDF download] for these vulnerabilities. There is no indication that Rupp was provided an opportunity to verify the efficacy of the fix.

The vulnerabilities are:

• Improper authorization - CVE-2017-2686 and CVE-2017-2689;
• Cross-site request forgery - CVE-2017-2688
• Cross-site scripting - CVE-2017-2687 and CVE-2017-6864;


ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to perform actions with administrative privileges. The Siemens Security Advisory notes that network access is required to exploit three of the vulnerabilities while the other two require a social engineering attack.

Reader Question: Wither safety and security for new energy pipelines?

I received an interesting email from someone whom I suspect is not a long-time reader of this blog. The writer is concerned about the new pipelines being constructed to carry natural gas from the fracking fields to where it will be used and or processed in areas like Florida. The email states, in part:

“I am concerned that there doesn't seem to be a proper safety plan in place. The chance of either accident or sabotage seem high, so I am interested in your thoughts on how this issue will be managed.”

Since I address pipeline safety and security issues in this blog, responding to this email in a blog post seems like a reasonable place to address these issues.

Larger Environmental Issues


Ignoring for now the increasing concentration of CO2 in the atmosphere and the greenhouse gas issues of both methane and CO2, anyone with even a little bit of sense has got to be encouraged by the expanding use of wind and solar energy as part of the energy mix in this country. Both crude oil and natural gas are finite resources that are going to be consumed at some point and expanding alternative energy sources will put off that final consumption further into the future.

Having said that; even in the most optimistic plans for expansion of alternative energy, petroleum fuels and natural gas are going to be a large part of the energy mix in this country for a long time. This is particularly true for natural gas as it continues to displace coal as the primary source of electrical production in this country.

Bulk Liquid and Gas Transportation


There are four major types of transportation that can be used to transport bulk liquids and gasses like crude oil and natural gas; truck, barge, train and pipeline. All four of them have their place in the energy transport scheme; each with its own specific strengths and weaknesses. These strengths and weaknesses are generally related to the unit volume of material that can be transported.

Smaller unit volume generally means more flexibility in movement, higher unit cost, and increased handling. That increased handling also increases cost, but more importantly it increases the chance for accidents and equipment failure that can lead to releases of crude oil and natural gas to the environment.

Pipelines are the least flexible mode of bulk liquid and gas transportation. They have a fixed route that cannot be readily changed and they take significant time and resources to construct. They also have the lowest operating cost (per unit volume) and the least amount of handling resulting in the lowest release rate per unit volume transported.

Pipeline Safety


There are a huge number [lengthy .PDF Download] of gas and hazardous liquid pipelines currently operating in the United States. For the most part, their safety is regulated by the DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) and their security is addressed by the DHS’s Transportation Safety Administration (TSA).

PHMSA’s rules regulate the physical construction, maintenance and operation of gas and hazardous liquid pipelines. Their regulations are complex and fairly comprehensive. They continue to evolve over time as new issues are identified and new technologies are developed to increase the safe and efficient transportation of gas and hazardous liquid transportation.

Of course, rules and regulations have never made anything safe and secure. It is only the full compliance with both the letter and intent of those rules and regulations by pipeline operators, along with the skill and daily attention of their employees, that truly makes pipelines the safest way to transport large volumes of gas and hazardous liquids.

Are their instances where pipeline operators or their employees take shortcuts or outright violate the pipeline safety rules established by PHMSA? Anyone with a modicum of sense will admit that this is true. This is the reason that a (too) small number of PHMSA inspectors (and some State counterparts) spend a large amount of time inspecting the operation of the regulated gas and hazardous liquid pipelines. They probably catch just a small percentage of the rule violations; fortunately, the pipeline system is robust enough that these undetected violations seldom result in significant releases to the environment.

Pipeline Security


While PHMSA heavily regulates pipeline safety, the Congress has given the TSA very little actual authority to regulate pipeline security. The security of gas and hazardous liquid pipelines in this country relies mainly on pipeline operators voluntarily using industry developed best practices. The very small number of TSA Surface Transportation Security Inspectors have little time and no authority to actually inspect pipeline security. At best they do periodic office visits to review the operator’s written security procedures. Even if they detect glaring omissions in such program documentation, they can do little more than recommend changes to be made.

We have been fortunate for a number of reasons. First, there have been relatively few attacks on pipelines in North America (see here, here and here) and they have been rather inconsequential. That does not say much for security beyond that we have been lucky and that the terrorists have been inept.

More importantly, many of the safety measures that have been put in place in response to PHMSA regulations would serve to reduce any damage from a successful pipeline attack. Things like leak detection and automated shut-off valves would help reduce the amount of gas or hazardous liquid that would be released to the environment. To be clear, this would not eliminate the dangers of an attack, just reduce the extent of the effects.

Moving Forward


Given the problems that we have seen with large rail shipments of crude oil, it is clear that we need to move even more of the shipment of fossil fuels to pipelines. That only makes sense from both an economic and safety perspective.

That does not mean that the current regulatory environment for hazardous material pipelines cannot be improved. One area that PHMSA sorely needs to address is the cybersecurity of the electronic control systems used to monitor and control the flow of gas and hazardous liquids through the pipelines.

Normally, one would expect a DHS agency (TSA for example) to handle transportation security issues, but TSA is so under-funded and under-staffed on the surface transportation security side of the agency that, even if Congress were to provide a cybersecurity mandate for pipelines, TSA would not be able to address the issue without major funding and manpower increases. Congress is unlikely to provide a new regulatory mandate and even less likely to expand funding for TSA.

Fortunately, PHMSA could almost certainly wangle some cybersecurity requirements as safety measures to ensure adequate control and monitoring of these hazardous material pipelines. The rules would have to be fairly basic; probably including (at a minimum):

• Include cybersecurity review (including detailed control system diagram) as part of all safety reviews;
• Limit virtual and physical access to control system network and its components;
• Identify safety critical electronic control system elements and require the reporting of loss of view or loss of control incidents involving those components; and
• Require membership in an industry or control system information sharing and analysis center (ISAC).


Fossil fuel opponents are going to have to realize that for the short-term, at least, pipelines are going to be an important and inevitable part of energy policy in this country. They might be better off, rather than opposing all new pipelines, to become engaged in the pipeline safety and security discussion so that the pipelines that are going to be built and operated are the most energy efficient and environmentally sensitive pipelines possible.

Monday, March 27, 2017

Committee Hearings – Week of 3-26-17

This week both the House and Senate will be in session. There are a number of committee hearings that will be held on both sides of the Capitol, but there is only one, a cybersecurity hearing, that may be of specific interest to readers of this blog.

On Tuesday the Energy Subcommittee of the Senate Energy and Natural Resources Committee will be holding a hearing to look at cybersecurity threats to the US electric grid. The hearing will also receive testimony on S 79, the Securing Energy Infrastructure Act. The witness list includes:

• Michael Bardee, Federal Energy Regulatory Commission;
• John DiStasio, Large Public Power Council;
• Thomas Zacharia, Oak Ridge National Laboratory; and

• Ben Fowke III, Xcel Energy

Saturday, March 25, 2017

HR 1571 Introduced – Oil Train Fire Training Grants

Last week Rep Herrera-Beutler (R,WA) introduced HR 1571, the Fire Department Proper Response and Equipment Prioritization Act. The bill would require FEMA to give high priority to grants for incident response training for crude oil and ethanol train accidents.

The bill is essentially the same as HR 4765 that was introduced in the 114th Congress. That bill saw no action, mainly because Herrera-Beutler was not in a position to influence the House Science, Space, and Technology Committee to take up the bill. Since she is still not a member of that Committee (to which the bill was assigned for consideration) it is very unlikely that the Committee will take up the bill in this session.


The only way that this bill has a chance of making it into law during this session is for its provisions to be added to either the DHS spending or authorization (if that bill actually happens) bill. Herrera-Beutler is a member of the Appropriations Committee, so that it is possible that this could be included in the DHS spending bill. She is not a member of the House Homeland Security Committee so adding it to an authorization bill would have to come in the form of an amendment if/when the bill is considered in the House.

Friday, March 24, 2017

Bills Introduced – 03-23-17

Yesterday with both the House and Senate in session there were 59 bills introduced. Of those only one may be of specific interest to readers of this blog:

S 719 A bill to establish a grant program at the Department of Homeland Security to promote cooperative research and development between the United States and Israel on cybersecurity. Sen. Whitehouse, Sheldon [D-RI]


This bill will only receive further mention here if it includes specific language concerning control system security issues.

Thursday, March 23, 2017

ICS-CERT Publishes 2 Advisories

Today the DHS ICS-CERT published two control system security advisories for products from Becton, Dickinson and Company (BD) and Leão Consultoria e Desenvolvimento de Sistemas LTDA ME (LCDS).

BD Advisory


This advisory describes a hard-coded password vulnerability in the BD Kiestra PerformA and KLA Journal Service (laboratory information management systems) applications. The vulnerability is apparently self-reported. BD has will be providing updates to the two applications and the Kiestra Database to “reduce the risk [emphasis added] of exploitation of the hard-coded passwords vulnerability”.

ICS-CERT reported that a relatively low skilled attacker could remotely exploit this vulnerability to access the BD Kiestra Database, which could be leveraged to compromise the confidentiality of limited patient health information and personally identifiable information stored in the BD Kiestra Database.

The BD Security Advisory paints a more complicated picture of the vulnerability situation, but it also provides work arounds to be used pending the updates that will be provided later this year. It describes three vulnerabilities instead of one:

• A legacy application (SMB1 protcol);
• Hard-coded password in the two applications;
• Third-party default password in the Database.

LCDS Advisory


This advisory describes a path traversal vulnerability in the LCDS LAquis SCADA software. The vulnerability was reported by Karn Ganeshen via the Zero Day Initiative. LCDS has produced a new firmware version to mitigate the vulnerability. There is no indication that Ganeshen has been provided an opportunity to verify the efficacy of the fix.


ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to allow an unprivileged, malicious attacker to access files remotely.

Wednesday, March 22, 2017

ICS-CERT Updates Two Advisories

Yesterday the DHS ICS-CERT updated two control system security advisories for products from Moxa and Siemens.

Moxa Update  


This update provides information on an advisory that was originally issued on December 1st, 2016. The new information includes:

• New affected version information for all affected products;
• Adds two new devices (NPort 6000, and NPort 6110);
• Removes one previous listed device series (NPort 6x50 series); and
• Adds mitigation measure for newly listed device series (NPort 6000 series).

Siemens Update  


This update provides information on an advisory that was originally issued November 22nd, 2016. The new information includes:

• Updates affected version information for CP 443-1;
• Added link to update for CP 443-1; and
• Removed work around information for CP 443-1


The same information was changed on the Siemens Security Advisory. Siemens announced their update in a TWEET® on March 16th, 2017.

H Res 200 Introduced – Cybersecurity Policy

Last week Rep. Taylor (R,VA) introduced H Res 200. This resolution calls for the establishment of a comprehensive cybersecurity policy.

The Resolution


The preamble to this resolution establishes the reasons that a cybersecurity policy is needed. It specifically mentions the large number of mega-data breaches that have recently occurred, including specifically the OMB breach. While no specific mention of control system security is made it does note that “malicious cyber activity has the potential to cause great harm to the national security, economy, and infrastructure of the United States and the health, well-being, and safety of United States citizens”. The inclusion of ‘infrastructure’ as one of the areas that could potentially be harmed certainly seems to indicate that cyber-physical vulnerabilities are considered to be a potential threat.

It concludes by resolving that:

“That it is the sense of the House of Representatives that the United States should develop and adopt a comprehensive cybersecurity policy that clearly defines acts of aggression, acts of war, and other related events in cyberspace, including any commensurate responses to any such act or event in cyberspace.”

Moving Forward


Taylor is not a member (nor is his cosponsor Rep. Ruppersberger (D,MD) of the House Foreign Affairs Committee to which this resolution was referred for consideration. This means that it is unlikely that the Committee will take up the resolution.

There is nothing in the resolution that would engender any significant opposition to the bill if it were considered in Committee or brought to the floor of the House.

Commentary



The failure to specifically mention cyber-physical vulnerabilities in the preamble to the resolution weakens the argument to support the call for a policy that addresses cyber activities that might constitute an act of war. Mention should have been made specifically to the 2015 attack on Georgian electrical utilities as an example of the types of cyber-physical attacks that have been seen in the real world.

Bills Introduced – 03-21-17

Yesterday with both the House and Senate in session there were 54 bills introduced. Of these four may be of specific interest to readers of this blog:

HR 1647 To establish a Water Infrastructure Trust Fund, and for other purposes. Rep. Blumenauer, Earl [D-OR-3]

HR 1653 To amend certain provisions of the Safe Drinking Water Act, and for other purposes. Rep. Latta, Robert E. [R-OH-5]

S 679 A bill to require the disclosure of information relating to cyberattacks on aircraft systems and maintenance and ground support systems for aircraft, to identify and address cybersecurity vulnerabilities to the United States commercial aviation system, and for other purposes. Sen. Markey, Edward J. [D-MA]

S 680 A bill to protect consumers from security and privacy threats to their motor vehicles, and for other purposes. Sen. Markey, Edward J. [D-MA]

The two water system bills will only receive further mention in this blog if they specifically address facility security or cybersecurity issues.


These two bills from Markey are almost certainly based upon bills that he introduced in the 114th Congress (S 2764 and S 1806 respectively). Neither bill saw any action in the previous session; perhaps it will be different this time.

Tuesday, March 21, 2017

ICS-CERT Publishes 2 Rockwell Advisories and Year-in-Review

Today the DHS ICS-CERT published two control system security advisories for products from Rockwell Automation; both had previously been published on the limited access NCCIC Portal on January 16th, 2017. They also published their annual report on ICS-CERT activities for 2016.

Factory Talk Advisory


This advisory describes an unquoted search path or element vulnerability in the Rockwell Factory Talk Services Platform. This is a self-reported vulnerability. Rockwell has produced a new version that mitigates the vulnerability.

ICS-CERT reports that an authenticated, but nonprivileged, local user could exploit this vulnerability to link to or run a malicious executable.

Connected Components Workbench Advisory


This advisory describes a DLL hijack vulnerability in the Rockwell Connected Components Workbench. The vulnerability was reported by Ivan Sanchez. Rockwell has produced a new version that mitigates the vulnerability. There is no indication that Sanchez has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT makes no mention of the exploitability of this vulnerability, but do note that a successful exploit could result in effects ranging from a denial of service (DoS) to the injection of malicious code into trusted processes, depending on the content of the DLL and the risk mitigations in place by the victim.

2016 Year in Review


The annual report is much the same as we saw last year in the 2015 report; it is essentially the same as a annual report that one might expect to find sent out to existing and prospective stock holders of a fortune 500 company. There are lots of numbers, pretty pictures and written fluff that provides little or no new information that can really be used by anyone in the control system security field.

For example, on page 8 there is a brief discussion of incident response activities in FY 2016. After detailing that ICS-CERT responded to 290 incidents, they toss off the comment that: “Also in FY 2016, the team responded to the first known cyberattack to result in physical impact to a power grid.” No additional information was provided, but I suspect that this was the December 2015 attack on the grid in Georgia, not a US grid attack. But you cannot tell that from this report.


Monday, March 20, 2017

ISCD Updates Another CFATS FAQ Response

Today the DHS Infrastructure Security Compliance Division (ISCD) updated the response to a frequently asked question (FAQ) on the CFATS Knowledge Center. The updated response was for FAQ # 1275; What needs to be done when a facility is bought or sold?

There was no substantive change to the requirements associated with the change in ownership. The change simply removed the Chemical-Terrorism Vulnerability Information (CVI) disclosure statement at the end of the response. That statement used to read:

“CVI Disclosure If any letters submitted to DHS for review contain any CVI information, the letter must be properly marked, packaged, and sent in accordance with the CFATS regulations for protection of CVI (see 6 CFR § 27.400). A copy of the CFATS regulation, including the CVI requirements in 6 CFR § 27.400, is available at https://www.dhs.gov/critical-infrastructure-chemical-security.”


It is not clear why the statement was removed. While one would like to assume that anyone associated with the CFATS program would understand the CVI requirements for identifying and sending CVI protected information, the whole purpose of FAQ responses is to communicate information in a new format to ensure that the affected parties understand all of the requirements.

Committee Hearings – Week of 3-19-17

Both the House and Senate will be in session this week. While health care and election cybersecurity will be the main press focus this week there are a large number of other hearings taking place. Three of those hearings may be of specific interest to readers of this blog. They will deal variously with cybersecurity and the Coast Guard.

Cybersecurity


On Wednesday the House Homeland Security Committee will be holding a hearing to look at “A Borderless Battle: Defending Against Cyber Threats”. The witness list includes:

• Keith B. Alexander, IronNet Cybersecurity;
• Michael Daniel, Cyber Threat Alliance;
• Frank J. Cilluffo, George Washington University; and
• Bruce W. McConnell, EastWest Institute

I do not suspect that there will be a lot of detailed information about specific control system security issues, but there will be some discussion of cyber-physical threats and policy responses.

On Wednesday the Senate Commerce Science and Transportation Committee will hold a hearing to look at “The Promises and Perils of Emerging Technologies for Cybersecurity”. The witness list includes:

• Caleb Barlow, IBM Security;
• Venky Ganesan, Menlo Ventures;
• Steve Grobman, Intel Security; and
• Malcolm Harkins, Cylance Corporation

While focusing on ‘technologies’ don’t expect this hearing to get too technical. It will almost certainly contain some discussion of cyber-physical system protection but I do not expect too much focus on specific control system technology.

Coast Guard



On Wednesday the Oceans, Atmosphere, Fisheries and Coast Guard Subcommittee of the Senate Commerce Science and Transportation Committee will hold a hearing on “State of the Coast Guard: Ensuring Military, National Security, and Enforcement Capability and Readiness”. The Commandant will be the only witness. There may be some brief discussion about the Maritime Transportation Security Act (MTSA) program enforcement, but don’t expect much detail.

Sunday, March 19, 2017

TSA ICR Comment Response

I received an interesting email from Bruce Anderson at the DHS Transportation Safety Administration (TSA). He was responding to a comment I submitted last October on a 60-day information collection request (ICR) renewal notice that TSA had published to support the collection of information from people applying for a Transportation Workers Identification Credential (TWIC).

In my comment, I noted that the lack of detail about recent changes in the TWIC program made it difficult to appropriately comment on the burden estimates provided in the 60-day ICR renewal notice. In his email, Anderson responded (in part) for each of the three areas that I had identified a lack of detail that: “The supporting calculations and explanations are included in the Information Collection Supporting Statement.”

Readers who have followed my blog posts about ICRs over the years may recognize that document title. It is a document that the ICR submitting agency must provide to the OMB’s Office of Information and Regulatory Affairs (OIRA) to justify the requested approval of the ICR. These are very detailed documents that definitely spell out the details that I claimed were missing from the published ICR notice.

Unfortunately, that document is not prepared until the ICR renewal request is sent to the OIRA for approval. Part of the reason is that, included in that document, is a listing of the public comments received from the two ICR renewal notices (60-day and 30-day notices) and the agencies response to those comments.

The ICR published in October specifically requests public comments to: “Evaluate the accuracy of the agency's estimate of the burden”. Without the detailed information that is provided in the Information Collection Supporting Statement it is not possible for the public to evaluate the burden estimate. That was the point of my original comment and the point that was totally missed by TSA in their response.

It would not be reasonable for TSA, or any agency, to include the complete Supporting Statement in the Federal Register notices that are required to be published by 44 USC 3507. What would be helpful, however, would be for a copy of the draft Supporting Statement to be included in the docket for the ICR on the Federal eRulemaking Portal (www.Regulations.gov). That way the concerned public or affected entities would have a legitimate opportunity to evaluate and comment upon the burden estimate.


The comment period for the 60-day ICR notice has closed and no more public comments are being accepted. There will be another notice, the 30-day ICR notice, and I will submit a copy of this post as a comment on that notice.

Saturday, March 18, 2017

S 536 Introduced – Cybersecurity Expertise

Last week Sen. Reed (D,RI) introduced S 536, the Cybersecurity Disclosure Act of 2017. The bill would require the Security and Exchange Commission (SEC) to establish rules requiring companies to list board members with cybersecurity expertise on annual reports. This is nearly the same as S 2410 that Reed introduced in the 114th Congress.

Differences from Earlier Bill


There are two detectable, but relatively insignificant differences between S 536 and S 2410. The first is that S 536 adds a definition of ‘NIST’ to §2(a). Secondly, S 536 adds a brief reference to NIST Special Publication 800-181 to the discussion {§2(c)} of what should constitute cybersecurity expertise in the SEC regulations.

Moving Forward


While Reed is a senior member of the Senate Banking, Housing, and Urban Affairs Committee to which this bill was assigned for consideration, he was not able to get his earlier bill considered by that Committee in the last session, so it is unlikely that he will be able to do so in this session.


There is nothing in this bill that should draw significant opposition. This bill should be able to pass in Committee if it is brought up.

TSA Publishes 2016 Enforcement Report

Earlier this week the DHS Transportation Security Administration (TSA) published a notice in the Federal Register (82 FR 13648-13650) providing information on their surface transportation enforcement activities performed in 2016. This report is an annual requirement from 49 USC 114(v)(7)(A).

This week’s report shows a total of 46 enforcement actions taken last year, an almost 15% increase over the previous year. See Table 1 below for a breakdown of recent enforcement activity.

Did not allow TSA Inspection
Rail Car Chain of Custody
4
1
Rail Car Security
1
Rail Car Location
5
1
Reporting Security Concern
2
1
1
Use of another’s TWIC
3
8
5
4
Direct the use of another's TWIC
7
3
Fraudulent Manufacture of TWIC
2
5
Use of an altered TWIC
15
34
Total
11
14
31
46
Table 1: TSA Enforcement History

It appears that there has been an increasing emphasis at TSA on Transportation Workers Identification Credential (TWIC) enforcement activities (TWIC is a shared responsibility between the TSA and Coast Guard) and a corresponding decline in enforcing TSA rules on freight rail security under 49 CFR 1580.

The TSA has the option of levying civil penalties to enforce regulations covering the TWIC and freight rail security. Table 2 shows the civil penalties information relating to their 2016 enforcement activities.

2016 TSA Surface Enforcement Actions
# of Incidents
Maximum Penalty
Proposed
Imposed
Use of another’s TWIC
4
$3,000
Pending
Direct another to use TWIC
3
$2,000
Pending
Fraudulent Manufacture of TWIC
5
$5,000
Pending
Total
12
$37,000
$2,000
Table 2: Civil Penalty Information


There were no penalties proposed for the 34 reported instances of the use of an altered TWIC that TSA reported; warnings were given.
 
/* Use this with templates/template-twocol.html */