Thursday, January 18, 2018

ICS-CERT Publishes an Advisory and an Update for Siemens Products

Today the DHS ICS-CERT published a new control system security advisory and an updated advisory for products from Siemens.

Siemens Advisory

This advisory describes multiple vulnerabilities in the Siemens SIMATIC WinCC Add-On (license manager software). The vulnerabilities were reported by Sergey Temnikov and Vladimir Dashchenko from Kaspersky Lab. Siemens reports that a third party supplier (Gemalto) has released an updated installer that mitigates the vulnerabilities. The Siemens security advisory reports that SIMATIC WinCC Add-Ons released in 2015 and earlier include a vulnerable version of Gemalto Sentinel LDK RTE. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Stack-based buffer overflow (2) - CVE-2017-11496 and CVE-2017-11497; and
• Improper input validation - CVE-2017-11498

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow remote code execution or a denial of service condition.

NOTE: Looking at the Gemalto product page, it looks like they may have sold this product to multiple vendors. It will be interesting to see if other vendors come forward to recommend installing the same (or similar) updates to their systems.

Siemens Update

This update provides new information for an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, on July 25th, 2017, on August 17th, 2017, on October 10th, on November 14th, and most recently on November 28th. The update provides new version information and mitigation links for:

• SIMOCODE pro V PROFINET: All versions prior to V2.0.0

NOTE: The latest version of this Siemens security advisory is in their new format which makes checking against previous versions potentially tedious. Fortunately, Siemens (as opposed to ICS-CERT) annotates the specific changes made (as opposed to noting the section in which the changes were made) to their advisories.

Other Siemens Notes

Siemens also published two other advisory documents today that did not make it into the ICS-CERT publication schedule. One was a new advisory and one was an update. Since tomorrow is Friday and ICS-CERT seldom publishes advisories on Friday, I suspect that we will see these two next week.

Wednesday, January 17, 2018

ICS-CERT Publishes Meltdown Update #2

Today the DHS ICS-CERT published their second update for their control system security alert for the Meltdown and Spectre CPU vulnerabilities. The alert was originally published on January 11th, 2018 and updated on 1-16-18. The update provides links to three new vendor notification documents:

Emerson (account required for login);
General Electric (account required for login, reference ID 000020832); and

The Schneider security notification has probably the most reasonable guidance that I have seen to date:

“Schneider Electric is actively monitoring vendor research into these vulnerabilities to determine appropriate actions to be taken. At the time of this publication, information is being updated rapidly and the impact of proposed mitigations and patches remains unclear. Many of the initial mitigations proposed by hardware and operating system vendors indicate a high level of potential performance impact, Schneider Electric recommends caution if mitigations or patches are applied to critical and/or performance constrained systems. If you elect to apply recommended patches or mitigations in advance of further guidance from Schneider Electric, we strongly recommend evaluating the impact of those measures on a Test & Development environment or an offline infrastructure.”

Bills Introduced – 01-16-18

Yesterday, with the House and Senate back in Washington after the long Martin Luther King Holiday weekend, there were 30 bills introduced. Of these, one may be of specific interest to readers of this blog:

HJ Res 125 Making an extension of continuing appropriations for fiscal year 2018, and for other purposes. Rep. Frelinghuysen, Rodney P. [R-NJ-11]

A copy of HJ Res 125 is available on the House Rules Committee site and that Committee will hold a hearing on the continuing resolution (being considered as an amendment to HR 195 as amended by the Senate) this afternoon. The bill would extend the current continuing resolution (that expires Friday night) until February 16th. It includes a number of special funding provisions to make passage more palatable, including an extension of the Children’s Health Insurance Program (CHIP).

Tuesday, January 16, 2018

ICS-CERT Updates Meltdown Alert

Today the DHS ICS-CERT updated their Meltdown/Spectre alert that was originally published on January 11th. The new information includes links to the following additional vendor reports on the CPU vulnerabilities:

Philips; and

Additionally (and not specifically noted in this update), Becton, Dickinson, and Company have published a new security bulletin since the original ICS-CERT alert mentioned their initial report.


Unfortunately, while providing links to the appropriate documents, ICS-CERT has not addressed the issue seen by a number of vendors: the Microsoft update may not be compatible with all control systems. That, plus the fact that Microsoft has decided to not allow the update to take effect on systems without an updated antivirus registry key, means that system owners need to pay real close attention to the final word from their vendors. Unfortunately, the information linked to in this update is mainly preliminary; most of the listed vendors are still looking at the compatibility issues.

Of course, it could be worse. We are still waiting for the initial ICS-CERT alert on the KRACK vulnerability.

HR 4773 Introduced – AV for Federal Breaches

Last week Rep. Cartwright (D,PA) introduced HR 4773, the A Necessary and Targeted Impediment to (ANTI) Viruses Act. The bill would require the General Services Administration to acquire a license to an antivirus computer product to give to people whose personally identifiable information was lost in a breach of a Federal computer system. Funding for the AV product would be provided by the agency whose computer system was breached (“derived from amounts made available to the agency for operating expenses” {§2(d)}).

Moving Forward

Both Cartwright and his sole cosponsor {Rep. Norton (D,DC)} are members of the House Oversight and Government Reform Committee to which this bill was assigned for consideration. This means that it is possible that this bill could receive consideration in that Committee.

There is nothing in this bill that would engender significant opposition (beyond an obvious point that I will raise in the Commentary section below). Even the funding for the measure is unlikely to raise any serious discussion. Thus, it is possible that this bill could receive bipartisan support in Committee and on the floor of the House.

Commentary

Okay, the bar has been officially and substantially raised for when it becomes necessary to determine the silliest piece of legislation offered in the 115th Congress. With almost a full year to go, I am pretty confident (and really very hopeful) that this bill will be the hands down winner.

There is nothing in the bill (no ‘findings’ section, for example) that would explain why Cartwright and Norton believe that it will provide any sort of significant relief to provide an individual with computer antivirus protection when their personally identifiable information has been lost in the breach of any computer network. Even if we assume that network log-in information is among the data lost, and further assume that the individuals use the same log-in credentials on their home computer, an antivirus package is not going to stop someone from using that log-on information to access that home computer.

The only thing that could have made this more ludicrous would be for the bill to have included a provision prohibiting the GSA from allowing Kaspersky Labs to submit or be awarded a bid to provide the AV product. {Disclosure Note: I have been using the Kaspersky AV suite for quite some time now and do not see any reason to stop}.

One can only hope that Cartwright and Norton (and the Norton AV people cringe every time I mention her name in this post) are pandering to a specific segment of the technical ignorati in offering this bill for consideration. The only other thing that would explain this cyber-silliness is that neither of these two congresscritters (nor their staff) has any idea what an antivirus program does or how personally identifiable information is misused.

I wrote above that there was nothing in this bill that would engender any specific (‘active’ probably would have been a better word) opposition. What I meant is that there is no political, ideological or financial reason for this bill to draw opposition. The fact that there is no causal connection between lost PII and the subsequent hacking of the victim’s computer (the other sequence certainly occurs), and thus no need to provide people with AV protection, is not sufficient to draw opposition to the bill.

Okay, I just thought of something. Maybe there is a useful purpose in this bill. Since the agency whose computer system was breached is responsible for paying for the AV product out of their operating budget, this bill would effectively be a fine on that agency for their lack of cybersecurity competency. This could end up being a sizeable financial incentive to have adequate cybersecurity in place. Of course, it could end up bankrupting an agency (Wouldn’t you just love to be the Bankruptcy Judge sitting on that case????) and in many cases that could be a good thing. But if that is the ‘purpose’ of this bill, please spend the money on something else; give the folks a tank of gas, or something else worthwhile, not an antivirus program.

Monday, January 15, 2018

ICS-CERT Publishes November-December 2017 Monitor

Today the DHS ICS-CERT published the last ICS-CERT Monitor (for November and December of 2017). According to the opening editorial, the next issue will become the NCCIC (National Cybersecurity and Communications Integration Center) Monitor, which will be broadened to include reporting from the three divisions of the NCCIC (ICS-CERT, NCC, and USCERT).

This issue continues the ‘color glossy’, corporate report feel (with 10 full-color photographs) that I have grown to dislike and disparage. While any organization deserves to be proud of their accomplishments and government agencies have a special duty to provide information about what they are doing; the flashy graphics and photographs of industrial facilities have a tendency to make this look more like an organizational selfie that is designed to make the agency feel good about itself.

Physical Security Issues

Even when the reporting is on a topic of interest to critical infrastructure owners and operators, there are some glaring inconsistencies in the information being reported. For example, in the article on the FY 2017 Assessment Summary, the opening paragraph (pg 4) reports that: “While the assessment teams identified weakness across all control families, six categories represented roughly 33 percent of the [753] total vulnerabilities discovered across assessed CI sectors.”

The article then went on to describe the number 4 vulnerability category, physical access control. It notes that:

“Maintaining visibility in the top discoveries this year were problems related to physical access. While this is not something the ICS-CERT focuses on during assessments, the team often sees this issue during assessments. ICS components and infrastructure should only be accessible to authorized personnel as necessary to maintain the system.”

There are two disturbing aspects about that “not something the ICS-CERT focuses on during assessments”. The first is the probability that if ICS-CERT had formally included ‘physical access’ in the assessment process, they might have (probably would have) found many more disturbing instances of poor physical security of control system devices. The second (and more disturbing to my mind) is the fact that ICS-CERT found the same problems in their FY 2016 assessments, AND DID NOT FORMALLY ADDRESS THE PROBLEM IN THE ASSESSMENT PROCESS IN 2017. The first is the result of a not unusual disconnect between cyber security and physical security personnel; a problem that certainly needs to be addressed. The second is a criminally negligent level of professional malfeasance upon the part of ICS-CERT.


As I alluded to in the opening paragraph, the editorial leading the publication addresses the changing roles of the NCCIC and its constituent divisions. Specifically, it reports that:

“Recently, the NCCIC went through an organizational realignment to consolidate and enhance the effectiveness of its mission-essential functions, which includes changes to the structures of the ICS-CERT, NCC, and USCERT divisions. This realignment has no impact to the technical expertise and services our stakeholders rely on us to provide….”

There have been a couple of interesting social media conversations about this ‘realignment’ (see here for example). For those of us on the outside looking in, it is really hard to tell what is going on. Having said that, I would like to point to the NCCIC web site (updated on June 22nd, 2017) and its description of ICS-CERT:

“ICS-CERT works to reduce risks within and across all critical infrastructure sectors by partnering with law enforcement agencies and the intelligence community and coordinating efforts among Federal, state, local, and tribal governments and control systems owners, operators, and vendors. Cybersecurity and infrastructure protection experts from ICS-CERT provide assistance to owners and operators of critical systems by responding to incidents and helping restore services, and by analyzing potentially broader cyber or physical impacts to critical infrastructure. Additionally, ICS-CERT collaborates with international and private sector Computer Emergency Response Teams (CERTs) to share control systems-related security incidents and mitigation measures.”

Looking at it from Columbus, GA it seems as if ICS-CERT is definitely continuing with its vulnerability coordination and reporting role. What is less clear is whether or not it is going to be the go-to Federal agency for incident reporting and investigation. It seems to me that with the rise in apparent nation-state attacks and economic attacks (ransomware) on control systems that it is going to be more important to have criminal investigative or federal intelligence agencies more involved in incident response rather than an agency of techno-geeks who may be more suited to understanding the nuts and bolts of an attack, but are probably less familiar with forensic reporting or courtroom testimony.

Forensic reporting and effective testimony are more necessary for successfully prosecuting attackers than for protecting control systems from future attacks. Letting the techno-geeks muddy the waters of chain-of-custody and forensics reporting will likely make prosecutions more difficult, but will help other organizations learn how to deal with similar attacks. It is an interesting dichotomy that needs to be addressed in appropriate congressional forums.

Saturday, January 13, 2018

HR 4766 Introduced – PTC Extensions

Earlier this week Rep. DeFazio (D,NJ) introduced HR 4766, the Positive Train Control Implementation and Financing Act of 2018. It would amend 49 USC 20157, removing the discretionary authority of the Transportation Secretary to approve alternative PTC implementation plans that extend past the current PTC deadline of December 31st, 2018.

The Amendment

Section 2 of the bill removes two specific sub-paragraphs of §20157. First it removes §20157(a)(2)(B), thus removing the authority for railroads to propose alternative implementation schedules extending beyond 12-31-18. It also removes §20157(a)(3) which provides the Secretary with specific guidance on how such alternative schedules may be approved. A number of conforming amendments are also made.

Grant Program

Section 3 of the bill would add paragraph (m) to §20157 to establish a grant program administered by the Secretary to aid passenger railroads in their implementation of PTC. That grant program would be funded through December 31st and $2.6 Billion would be authorized for those grants.

New Passenger Routes

Section 4 of the bill would add a new paragraph (n) that would prohibit railroads from starting operation of new passenger line routes “unless a positive train control system is fully implemented and operational on such route”.

Moving Forward

DeFazio is a senior member of the House Transportation and Infrastructure Committee to which this bill was assigned for consideration. This means that it is possible that this bill may be considered in Committee.

Two things militate against this bill being positively considered. First, removing the authority for extending PTC implementation deadlines past December 31st could mean that certain passenger (and perhaps some freight rail) lines may have to suspend operations after that date if their PTC implementation has not been completed and approved by that date. This is, of course, the incentive that DeFazio intends this bill to be to drive the earliest possible implementation of PTC for passenger rail lines. Unfortunately, this also means that potentially affected railroads and their supported communities can be expected to oppose this legislation.

The second factor that by itself will almost certainly mean that the bill will not be considered in Committee is the funding of the $2.6 Billion grant program. Coming up with this new money will be a nearly impossible hurdle to overcome.


The recent Amtrak derailment is almost certainly a major impetus for the introduction of this bill. If the timing alone was not enough of a clue, then the §4 provisions would be the final giveaway. Still, DeFazio is not a newcomer to the expression of concerns about the ‘slow pace’ of PTC implementation. Anyone that has been paying attention over the last five years or so should not be surprised by either the provisions of §2 or the grant program in §3. Unfortunately, this bill comes too late in the game to either be effective or even pass.

PTC systems will be in place on all passenger rail lines (and many if certainly not most freight lines) in the not too distant future (just do not hold your breath for 12-31-18 on every line). It will eliminate a certain class of human-error related railroad accidents. It will not, however, signal a new, significantly safer era of railroad transportation. Mechanical problems and rail defects will still cause many (most?) accidents and I expect we will see an increase in attacks (inevitably including cyber attacks on PTC systems) by nut jobs and radicals of a number of different persuasions.

Railroads will be incrementally safer because of the costly PTC systems (and still immensely safer than our highways), but I do not believe that anyone ten years from now will claim that it was a cost-effective way to increase the safety of this transportation mode.

Friday, January 12, 2018

Bills Introduced – 01-11-18

Yesterday, with both the House and Senate in session, there were 43 bills introduced. Of these, two may be of specific interest to readers of this blog:

HR 4766 To amend title 49, United States Code, to prohibit further extension of requirement to implement positive train control beyond December 31, 2018, and for other purposes. Rep. DeFazio, Peter A. [D-OR-4]

HR 4773 To require the Administrator for General Services to obtain an antivirus product to make available to Federal agencies in order to provide the product to individuals whose personally identifiable information may have been compromised. Rep. Cartwright, Matt [D-PA-17]

It looks like HR 4766 would attempt to remove the current discretionary authority of the Department of Transportation to extend the PTC deadline.

I’m not sure that HR 4773 will get any further mention here, but I have to watch for the language of this bill to see if it really is as nonsensical as the current description would lead us to believe.

ICS-CERT Publishes Alert, 3 Advisories and 1 Update

Yesterday ICS-CERT published an alert for the Intel Meltdown and Spectre vulnerabilities. They published three control system security advisories for products from Phoenix Contact, Moxa, and WECON. They also updated a previously published advisory for products from Advantech.

Meltdown Alert

This alert describes the CPU hardware side-channel vulnerabilities known as Meltdown and Spectre. The alert provides links to the following vendor notifications about these vulnerabilities:

Rockwell Automation (account required for login); and

The alert also provides a generic link to the ICS-CERT recommended practices page. It is disappointing that, in light of the problems seen with the Windows Update for Meltdown seen on some systems (here and here for example), ICS-CERT has not specifically mentioned the need for checking any updates on a test platform before uploading to a live control system.

Phoenix Contact Advisory

This advisory describes two vulnerabilities in the Phoenix Contact FL Switch product line. The vulnerabilities were reported by Ilya Karpov and Evgeniy Druzhinin of Positive Technologies. Newer versions of the firmware mitigate these vulnerabilities. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Improper authorization - CVE-2017-16743; and
• Information exposure - CVE-2017-16741

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to gain administrative privileges and expose information to unauthenticated users.

Moxa Advisory

This advisory describes an unquoted search path vulnerability in the Moxa MXview network management software. The vulnerability was reported by Karn Ganeshen. Moxa has produced a firmware update that mitigates the vulnerability. There is no indication that Ganeshen was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker with locally authorized access could exploit the vulnerability to escalate privileges by inserting arbitrary code into the unquoted service path.
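One way to audit a Windows host for the class of weakness in this advisory (an unquoted service path), written here as an added example rather than Moxa's or ICS-CERT's code; the service entries are constructed samples, and `read_service_image_paths` is an assumed helper for reading the live registry on a real host:

```python
"""Audit Windows service ImagePath values for unquoted search paths.

Example code added to illustrate the weakness class in the Moxa MXview
advisory; it is not Moxa's or ICS-CERT's code. SAMPLE_SERVICES is a
constructed sample of registry ImagePath values.
"""
import ntpath
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample: service name -> ImagePath as stored under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>.
SAMPLE_SERVICES: Dict[str, str] = {
    "GoodQuoted": '"C:\\Program Files\\Vendor App\\bin\\service.exe" -run',
    "UnquotedSpaces": "C:\\Program Files\\Vendor App\\bin\\service.exe -run",
    "NoSpaces": "C:\\Windows\\system32\\svchost.exe -k netsvcs",
    "SpacesOnlyInArgs": 'C:\\Tools\\agent.exe --config "C:\\Some Dir\\a.cfg"',
}


class Finding(NamedTuple):
    service: str
    image_path: str
    exe_path: str
    dirs_to_check: List[str]    # directories whose write ACLs need review
    fixed_image_path: str       # the same ImagePath with the executable quoted


# Heuristic: an unquoted command line's executable ends at the first ".exe".
_EXE_RE = re.compile(r"^(.*?\.exe)(.*)$", re.IGNORECASE | re.DOTALL)


def split_image_path(image_path: str) -> Tuple[str, str]:
    """Return (executable_path, arguments) from an ImagePath value."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:], "") if end == -1 else (s[1:end], s[end + 1:])
    m = _EXE_RE.match(s)
    if m:
        return m.group(1), m.group(2)
    return s, ""   # no ".exe" and no quotes: treat the whole value as the path


def check_service(name: str, image_path: str) -> Optional[Finding]:
    """Return a Finding if the executable path is unquoted and contains spaces."""
    if image_path.strip().startswith('"'):
        return None                      # quoted: the loader sees one path
    exe_path, args = split_image_path(image_path)
    if " " not in exe_path:
        return None                      # no ambiguity without spaces
    # Each space in an unquoted path gives the service loader a shorter path
    # to try first; the directory holding that shorter path must not be
    # writable by unprivileged users, so report it for ACL review.
    dirs: List[str] = []
    for idx, ch in enumerate(exe_path):
        if ch == " ":
            d = ntpath.dirname(exe_path[:idx])
            if d not in dirs:
                dirs.append(d)
    return Finding(name, image_path, exe_path, dirs, f'"{exe_path}"{args}')


def audit_services(services: Dict[str, str]) -> Dict[str, Finding]:
    """Run check_service over every entry and keep only the findings."""
    results: Dict[str, Finding] = {}
    for name, path in services.items():
        f = check_service(name, path)
        if f is not None:
            results[name] = f
    return results


def read_service_image_paths() -> Dict[str, str]:
    """Collect ImagePath values from the live registry (assumed helper, Windows only)."""
    import winreg  # only available on Windows
    out: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services") as root:
        i = 0
        while True:
            try:
                name = winreg.EnumKey(root, i)
            except OSError:
                break                    # no more subkeys
            i += 1
            try:
                with winreg.OpenKey(root, name) as k:
                    out[name] = winreg.QueryValueEx(k, "ImagePath")[0]
            except OSError:
                continue                 # no ImagePath value or not readable
    return out


if __name__ == "__main__":
    for f in audit_services(SAMPLE_SERVICES).values():
        print(f"{f.service}: unquoted path {f.exe_path!r}")
        print(f"  review write ACLs on: {', '.join(f.dirs_to_check)}")
        print(f"  remediated ImagePath: {f.fixed_image_path}")
```

On a live host, replace `SAMPLE_SERVICES` with `read_service_image_paths()` and then confirm that none of the reported directories grant write or create-file rights to non-administrators.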

WECON Advisory

This advisory describes two vulnerabilities in the WECON LeviStudio HMI Editor. The vulnerabilities were reported by Sergey Zelenyuk of RVRT, HanM0u of CloverSec Labs, and Brian Gorenc via the Zero Day Initiative. The latest version of the software mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2017-16739; and
• Heap-based buffer overflow - CVE-2017-16737

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to effect arbitrary code execution.

Advantech Update

This update provides new information for an advisory that was originally published on January 4th, 2018. It adds two vulnerabilities to those previously reported:

• Unrestricted upload of file with dangerous type - CVE-2017-16736; and
• Use after free - CVE-2017-16732

Thursday, January 11, 2018

HR 4650 Introduced – Active Shooter Guidance

Last month Rep. Aguilar (D,CA) introduced HR 4650, the Providing Rational Options Toward the Elimination of Catastrophic Terrorism (PROTECT) Act of 2017. The bill would require DHS to provide guidance on planning for and responding to active shooter incidents. It would also add active shooter incidents to the list of priorities for State and Urban Area Initiative grant programs under 6 USC 608.

The bill would add a new section (§890B) to the Homeland Security Act of 2002 that would require DHS to develop and make available guidance “to assist in the development of emergency action and response plans for active shooter and mass casualty incidents in public and private locations” {new §890B(a)}.

Moving Forward

Aguilar is not a member of the House Homeland Security Committee to which this bill was assigned for consideration, but one of his co-sponsors, Rep. Watson-Coleman (D,NJ) is. This means that it is possible that Watson-Coleman has enough influence to have this bill considered in Committee.

There is nothing in this bill that would engender any significant opposition. The bill would probably draw bipartisan support if it were considered. If it makes it to the floor of the House, I suspect that it would be considered under the suspension of the rules process.


This bill is very generic in its guidance requirements. The most important piece of the bill is the amendment of §608 that adds ‘active shooters’ to the list of threats that DHS will consider when awarding homeland security grants under the Urban Area Security Initiative (§604) and the State Homeland Security Grant Program (§605).

I am disappointed (though hardly surprised) that the bill does not require DHS to prepare specific guidance for responding to active shooter incidents at facilities that store hazardous materials; particularly flammable liquids and gasses or toxic liquids and gasses. Over the years I have talked to police officers in a number of jurisdictions (including one with specific response responsibilities at an oil refinery) and none of them have been aware of the specific hazards associated with the discharge of firearms in facilities with potentially flammable atmospheres. Nor have they been aware of how easy it is for bullets to penetrate the walls of many storage tanks used to store toxic and flammable liquids.

If this bill makes it out of committee without language being added to require this sort of specific guidance being added, it is unlikely that it would be subsequently added in the legislative process. Any floor action in the House or Senate would almost certainly be made under abbreviated consideration rules which do not typically provide for amendments being offered.

Tuesday, January 9, 2018

House Passes HR 3202 – DHS Vulnerability Reporting

This afternoon the House passed HR 3202, the Cyber Vulnerability Disclosure Reporting Act, by a voice vote. There were only 12 minutes of debate and no amendments were authorized from the floor. The bill would require an unclassified report to Congress on procedures that DHS has developed with regards to vulnerability disclosures.

While it is currently unclear whether or not the Senate will take up the bill, it would most likely be considered under the Senate’s unanimous consent process which would involve even less debate and no provision for amendments.

NOTE: This bill gives the lie to the current picture of the House as a strictly partisan body. The bill was introduced by Rep. Jackson-Lee (D,TX) with no Republican co-sponsors. The bill moved relatively quickly through the Homeland Security Committee and then to the floor of the House. This could only happen if the Democrat, Ms Jackson-Lee, had the explicit support of her Republican Committee Chair.

ICS-CERT Publishes 2 Advisories

Today the DHS ICS-CERT published two control system security advisories for products from General Motors and Rockwell Automation. The GM advisory was originally issued on the National Cybersecurity and Communications Integration Center (NCCIC) secure portal on August 22nd, 2017.

GM Advisory

This advisory describes multiple vulnerabilities in the General Motors Shanghai OnStar (SOS) iOS Client. The vulnerabilities were reported by Charles Gans. GM has produced a new version of the SOS iOS Client and is scheduled to release a new version of the North American OnStar iOS Client. There is no indication that Gans has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Clear-text storage of sensitive information - CVE-2017-9663;
• Channel accessible by non-endpoint - CVE-2017-12697; and
• Improper authentication - CVE-2017-12695

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to gain full access to the Shanghai OnStar iOS client, allowing for the control of remote vehicle commands and the ability to view and edit account data.

NOTE: There is nothing on the Automotive ISAC web site about this set of vulnerabilities (or any other public vulnerability reports for that matter) even though one of the mitigation measures suggested by GM directly applies to the using public. Nor have I seen any news reports of GM sharing this information directly with the public.

Rockwell Advisory

This advisory describes a buffer overflow vulnerability in the Rockwell Allen-Bradley MicroLogix 1400 Controllers. The vulnerability was reported by Thiago Alves of the University of Alabama. The latest firmware version mitigates the vulnerability. There is no indication that Alves was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause the device that the attacker is accessing to become unresponsive to Modbus TCP communications and affect the availability of the device.

ICS-CERT Publishes AV Update Guidance

Yesterday the DHS ICS-CERT published a link to a National Cybersecurity and Communications Integration Center (NCCIC) recommended practices document; “Updating Antivirus in an Industrial Control System”. This is essentially the same guidance (complete with the same ICS network architecture diagram) that ICS-CERT published last fall in their Sep-Oct 2017 Monitor.

The timing for this publication is interesting with all of the current brouhaha about Microsoft not allowing automatic updates being sent to systems that do not have an updated AV registry key.

As I said last fall, nothing new here. The addition of this new recommended practice document just means that ICS-CERT has another document to link to for the mitigation measures portion of their advisories and alerts.

Monday, January 8, 2018

ISCD Publishes CFATS Update – December 2017

Today the DHS Infrastructure Security Compliance Division (ISCD) updated the data on the Chemical Facility Anti-Terrorism Standards (CFATS) Monthly Update page. The new data for December 2017 shows the continued progress being made implementing the CFATS program.

Facility Status

The table below shows the change in the current covered facility status for those facilities covered by the CFATS chemical security program over the last two months. A decline in the number of ‘Tiered Facilities’ is expected as recently tiered facilities complete their site security plans and have those plans authorized and ultimately approved.

CFATS Facility Status

It looks like ISCD has completed the notification process for facilities to resubmit Top Screens in support of the implementation of CSAT 2.0. The increase in the number of covered facilities appears to be leveling off. Based upon program history, I would not be surprised to see the number of covered facilities start to actually decline.

ISCD Activities

The next table shows the activities that ISCD had taken during the month of December to support the CFATS program. The ‘to Date’ data reflects the total number of inspections/visits that have been completed since the CFATS program began.

CFATS Activities table: Authorization Inspections (to Date / Month); Compliance Inspections (to Date / Month); Compliance Assistance Visits (to Date / Month)

ISCD continues to have problems with reconciling the reported number of monthly inspections/visits and the number of those visits to date. Looking at the ‘Authorization Inspection’ data we see an increase of just 30 inspections done since the last report while reporting that there were 49 inspections completed in December. We see a similar difference in the compliance inspection and compliance assistance visit data.

In the past the discrepancy has been the other way, with a larger increase in the cumulative inspections than was reported as having been conducted. I had suggested in earlier blogs that these earlier data oddities could be explained by a number of facilities leaving the program or failing inspections. Neither of those explanations would explain the differences seen this month.

Committee Hearings – Week of 1-7-18

Today is the first full week of the second session of the 115th Congress. Both the House and Senate will be in session, but the hearing schedule is pretty light. There is only one hearing of potential interest to readers of this blog: a DOE oversight hearing that will briefly touch on cybersecurity.

DOE Oversight

Tomorrow the Energy Subcommittee of the House Energy and Commerce Committee will be holding a hearing on “DOE Modernization: Advancing DOE’s Mission for National, Economic, and Energy Security of the United States”. According to the staff background memo, this will include a look at the DOE’s role in energy sector cybersecurity. The lengthy witness list includes:

• Dan Brouillette, DOE;
• Paul Dabbar, DOE;
• Frank Klotz, DOE;
• Sarah Ladislaw, Center for Strategic and International Studies;
• Donald Levy, University of Chicago and Co-Chair;
• Mark Menezes, DOE;
• Rich Powell, ClearPath Foundation;
• Dan Reicher, Brookings Institution; and
• Steve Wasserman, Argonne National Laboratory

On the Floor

There is one bill that will make it to the floor this week that may be of specific interest to readers of this blog: HR 3202, the Cyber Vulnerability Disclosure Reporting Act. The bill would require a report to Congress on the procedures that DHS has developed regarding vulnerability disclosures. It only addresses DHS vulnerability discoveries, not those made by DOD or DOE, and the report to Congress is not really a public report, but it is required to be unclassified (with potentially classified annexes).

The bill will be considered Tuesday under suspension of the rules. There will be limited debate and no floor amendments. It is expected to pass with bipartisan support.

Thursday, January 4, 2018

ICS-CERT Publishes 2 Advisories and Siemens Update

Today the DHS ICS-CERT published two control system security advisories for products from Advantech and Delta Electronics. It also updated a previously published advisory for products from Siemens.

Advantech Advisory

This advisory describes multiple vulnerabilities in the Advantech WebAccess products. The vulnerabilities were reported by Steven Seeley of Offensive Security, Zhou Yu and Andrea Micalizzi working with the Zero Day Initiative, and Michael Deplante. Advantech has released a new version that mitigates the vulnerabilities. There is no indication that any of the researchers were provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• Untrusted pointer dereference - CVE-2017-16728;
• Stack-based buffer overflow - CVE-2017-16724;
• Path traversal - CVE-2017-1672;
• SQL injection - CVE-2017-16716; and
• Improper input validation - CVE-2017-16753

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to cause the device to crash, remotely execute arbitrary code or bypass authentication.

Delta Advisory

This advisory describes multiple vulnerabilities in the Delta Industrial Automation Screen Editor. The vulnerabilities were reported by Steven Seeley of Source Incite. The affected product has been discontinued and Delta recommends upgrading to DOPSoft, Version 2. There is no indication that Seeley has verified the efficacy of the fix.

The three reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2017-16751;
• Use after free - CVE-2017-16749; and
• Out-of-bounds write - CVE-2017-16747

ICS-CERT reports that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to remotely execute arbitrary code.

Siemens Update

This update provides new information on an advisory that was originally published on July 6th, 2017, and updated on July 18th, on July 28th, on October 10th, and then again on November 30th. Siemens is providing updated version information and mitigation measures for their SIPROTEC 7UT686.

NOTE: This is the update that I mentioned last Saturday.

Tuesday, January 2, 2018

ISCD Publishes New PSP FAQ

Today the DHS Infrastructure Security Compliance Division (ISCD) posted a note on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center that they had published a new frequently asked question (FAQ) to assist facilities in understanding the requirements to verify if an affected individual is legally authorized to work. Actually, two new FAQs were published today and two existing FAQ responses updated.

The two new FAQs are:

#1787 addresses the advertised personnel surety issue. It notes that a facility's compliance with the Immigration Reform and Control Act of 1986 (PL 99-603, more specifically the new §274a, 8 USC 1324a) requirement to submit to E-Verify or have an I-9 form completed prior to allowing access to restricted area(s) and critical asset(s) will meet the requirements of §27.230(a)(12)(ii). It also lists an exception to that requirement for employees that have been continuously employed at the facility since November 7, 1986. NOTE: The link at the end of the FAQ response to the Immigration Reform and Control Act does not work.

#1788 addresses the issue of how to request an extension of a due date for a Top Screen or Security Vulnerability Assessment / Site Security Plan. The Submitter can submit the request via the Chemical Security Assessment Tool through the “Request Extension” button on the facility details page.

The two revised FAQ responses are for:

#1658 actually changed the FAQ question wording from the original: “What is required of an Alternative Security Program (ASP)?” The new response provides a generic description of the ASP and omits the link to the risk-based performance standards requirements of 6 CFR 27.230. A more complete answer should have included a link to the ASP requirements of §27.235.

#1666 is simply an editorial revision of the wording of the FAQ response to make it somewhat easier to read.