Review - S 2016 Introduced - Surface Transportation Investment Act of 2021

Earlier this month Sen Cantwell (D,WA) introduced S 2016, the Surface Transportation Investment Act of 2021. This is the Senate version of the FY 2021 surface transportation authorization bill. The bill contains one significant cybersecurity provision and two HAZMAT response provisions of note, as well seven additional, relatively minor, cybersecurity mentions.

GAO Cybersecurity Reports

The major cybersecurity requirement of this bill is found in §5023. It gives DOT three years to address recommendations made in two separate cybersecurity related reports from the GAO:

• A risk management report (GAO–19–384), and

• A cybersecurity workforce report (GAO-19-144)

HAZMAT Response

Section 6002 (pg 565) amends 49 USC 5116 by inserting a new subsection (j), Alert Grant Program. It would require DOT to establish this new grant program to “develop a hazardous materials response training curriculum for emergency responders, including response activities for the transportation of crude oil, ethanol, and other flammable liquids by rail, consistent with the standards of the National Fire Protection Association” {new §5116(j)(1)}. DOT would be required ensure that the training was available in ‘an electronic format’.

Section 6003 (pg 568) amends §7302 of the FAST Act (PL 114-94, Page 129 STAT. 1594) by changing the deadline in §7302(a)(1) from December 5^th, 2016 to December 5^th 2022 for DOT to establish regulations requiring Class I railroads to “to generate accurate, real-time, and electronic train consist information” {§7302(a)(1)(A).

Minor Cybersecurity Provisions

This bill continues a recent trend for legislation to make relatively minor changes to current requirements in order to increase the emphasis on cybersecurity. This trend involves the recognition that cybersecurity should be part and parcel of much of what goes on in a modern electronic society. Those minor cybersecurity mentions have been included in the following sections of the bill:

§5001. Intelligent Transportation Systems Program Advisory Committee,

§5005. Strengthening mobility and revolutionizing transportation grant program,

§5006. Electric vehicle working group,

§5013. Advanced transportation research,

§5015. Transportation research and development 5-year strategic plan,

§5018. University transportation centers program, and

§5021. Transportation workforce development

Moving Forward

On Wednesday, the Senate Commerce, Science, and Transportation Committee held a markup hearing that included S 2016. No information on that markup is currently available on the hearing website (not unusual for Senate websites to be very slow to update), but Congress.gov site for this bill notes that the Committee: “Ordered to be reported with an amendment in the nature of a substitute favorably.” The substitute language is not currently available, but typically such substitute language adds new provisions. I will take a look at the changes when the Committee Report is published.

For a more detailed look at the provisions of this bill, see my article at CFSN Detailed Analysis https://patrickcoyle.substack.com/p/s-2016-introduced (subscription required).

Review - Public ICS Disclosures – Week of 6-12-21

This week we have eight vendor disclosures from Digitek, EIP Stack Group, Genetec, QNAP (2), VMware, and Wibu (2). We also have two vendor updates from Dell and Mitsubishi. Finally, we have an exploit for products from Wibu.

Vendor Disclosures

Digitek Advisory - Incibe-CERT published an advisory describing an SQL injection vulnerability in the Digitek Secure 8 system.

EIP Stack Group Advisory - Incibe-CERT published an advisory describing an out-of-bounds read vulnerability in the EIP Stack Group OpENer product.

Genetec Advisory - Genetec published an advisory discussing vulnerabilities in Bosch IP cameras that may affect their Security Center, Security Center SaaS Edition, and Stratocast products.

QNAP Advisory - QNAP published an advisory describing an insecure storage of sensitive information vulnerability in their QNAP NAS products running myQNAPcloud Link.

QNAP Advisory - QNAP published an advisory describing an out-of-bounds read vulnerability in their QNAP NAS products running QTS and QuTS hero.

VMware Advisory - VMware published an advisory describing a denial-of-service vulnerability in their VMware Tools for Windows product.

Wibu Advisory - Wibu published an advisory describing a buffer over-read vulnerability in their CodeMeter Runtime Network Server.

Wibu Advisory - Wibu published an advisory describing a denial-of-service vulnerability in their CodeMeter Runtime CmWAN Server.

Vendor Updates

Dell Update - Dell published an update for their Dell Wyse Windows Embedded System that was originally published on May 11^th, 2021.

Mitsubishi Update - Mitsubishi published an update for their MC Works advisory that was originally published on June 18^th, 2020 and most recently updated on January 14^th, 2021.

Exploits

Wibu Exploit - Brian Rodriquez published an exploit for a unquoted service path vulnerability in the Wibukey Runtime product.

 

For a more detailed look at these disclosures see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-dda (subscription required),

CISA Announces 2021 Chemical Security Seminars

CISA published a notice on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center concerning the 2021 Chemical Security Summit. Like last year, CISA and the Chemical Sector Coordinating Council have decided that the in-person Chemical Security Summit would not be practical because of the continuing COVID-19 pandemic. They will, instead, be holding Chemical Security Seminars on December 1^st, 8^th, at 15^th from 8 am to noon Pacific Time.

More detailed information will be published on the Chemical Security Summit site.

CISA and CSCC held a similar set of seminars last December and the format was very successful.

Bills Introduced – 6-17-21

Yesterday with both the House and Senate in Washington and preparing for the new federal holiday, there were 118 bills introduced. Three of these bills may receive additional attention in this blog:

HR 4005 To direct the Director of the Cybersecurity and Infrastructure Security Agency to establish a School Cybersecurity Improvement Program, and for other purposes. Rep. Matsui, Doris O. [D-CA-6]

HR 4006 To require original equipment manufacturers of digital electronic equipment to make available certain documentation, diagnostic, and repair information to independent repair providers, and for other purposes. Rep. Morelle, Joseph D. [D-NY-25]

S 2134 A bill to establish the Data Protection Agency. Sen. Gillibrand, Kirsten E. [D-NY]

I would also like to mention in passing one Senate Resolution:

S Res 279 A resolution designating June 21, 2021 through June 25, 2021, as "National Cybersecurity Education Week". Sen. Rosen, Jacky [D-NV] 

I will be watching HR 4005 for language and definitions that would indicate that building control and/or security systems are specifically covered. I am not holding my breath.

I will be watching HR 4006 for language and definitions that could have cybersecurity implications.

I will be watching S 2134 for definitions and language that might indicate that control system information would be covered. I am not really expecting to find it.

I will not be covering HR 2885 – Grid Resilience Grants

A frequent feature of this blog is the Bills Introduced post. For each day that either the House or Senate is in session Congress.gov publishes, generally the next day, a listing of the bills that were introduced. I look at the brief descriptions of those bills and make a preliminary determination of whether the bills address a topic that I will be covering here in this blog. If it is, I make a brief announcement of the fact in a ‘Bills Introduced’ post for that day.

I did one of those posts for April 28^th, 2021. In that post I listed five bills that I might be covering, including HR 2885:

"HR 2885 To require the Secretary of Energy to establish an electric grid resilience grant program and an electric grid resilience research and development program. Rep. Johnson, Eddie Bernice [D-TX-30] ."

I listed that bill based upon the description provided above since cybersecurity is increasingly becoming a resiliency issue. For HR 2885 I noted:

“I will be watching HR 2885 for language and definitions that would include cybersecurity in the grid resilience programs; probably will not be any.”

Once the bill is actually printed, increasingly months later, I make a determination of whether or not I will be covering the bill, generally based upon the criteria that I list in the Bills Introduced post. If the bill does not meet those self-imposed criteria, I just generally never mention it again. Every once-in-a-while, however, I just have to mention a bill that I will not be covering in this blog. Yesterday, the text for HR 2885 was printed and it contained a provision that I just have to mention.

HR 2885 establishes both a grid-resilience grant program and a grid-resilience research and development program. As I expected, there is no language in the bill that includes cybersecurity in either program. What I did not expect to see, however, was specific language in the bill that prohibited the use of funds in the grant program from being used for cybersecurity purposes. But, there it is in §2(c)(2)(ii), under ‘prohibited uses’, cybersecurity.

Now, I understand that this bill is trying to address resiliency issues related to extreme weather events. That is clearly spelled out in §2(c)(1). And cybersecurity is clearly not specifically related to extreme weather events, again, I understand that. What I do not understand is why Rep Johnson (D,TX) felt it necessary to specifically spell out that cybersecurity expenditures were not covered by the grant program.

But, my understanding is not necessary. What I do understand is that this will be the last mention of HR 2885 in my blog. Weather resiliency of the grid is just not a topic that I intend on covering at this time. But Johnson had to specifically exclude cybersecurity issues so I had to specifically exclude her bill.

Review - 3 Advisories and 2 Updates Published – 6-17-21

Today CISA’s NCCIC-ICS published three control system security advisories for products from Advantech, Softing, and Schneider electric. They also published updated advisories for products from Rockwell Automation and WAGO.

Advantech Advisory - This advisory describes two vulnerabilities in the Advantech WebAccess/SCADA.

Softing Advisory - This advisory describes an improper restriction of operations within the bounds of a memory buffer vulnerability in the Softing OPC-UA C++ Software Development Kit.

Schneider Advisory - This advisory describes an improper privilege management vulnerability in the Schneider Enerlin'X Com’X 510 energy server.

Rockwell Update - This update provides additional information on an advisory that originally published on January 21^st, 2021 and most recently updated on February 16^th, 2021.

WAGO Update - This update provides additional information on an advisory that originally published on January 21^st, 2021 and most recently updated on February 16^th, 2021.

For more detailed look at the advisories and updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-and-2-updates-published (subscription required).

Review - S 1260 and Cybersecurity

With the recent publication of the engrossed version (passed in the Senate) of S 1260, the United States Innovation and Competition Act of 2021, I have now had a chance to go back and look at the cybersecurity related provisions that were included in the massive, 2375 pages, bill. In addition to the new sections added in the substitute language that I briefly mentioned earlier, there were a number of provisions added in passing that are worthy of mention.

Protecting research from cyber theft

Section 2305 amends 15 USC 272(e)(1)(A) by adding ‘institutions of higher education’ to the list of considerations NIST has to address in developing consensus-based cybersecurity standards. Additionally, §2305(b) requires NIST to “disseminate and make publicly available resources to help research institutions and institutions of higher education identify, protect the institution involved from, detect, respond to, and recover to manage the cybersecurity risk of the institution involved related to conducting research.”

NASA Cybersecurity

Section 2676 (pg 690) would amend 51 USC 20301 by adding a requirement for the NASA Administrator to “up-date and improve the cybersecurity of NASA space assets and supporting infrastructure” {new §20301(c)}. NASA would also be required to establish a Cyber Security Operations Center. Finally, it would authorize NASA to “implement a cyber threat hunt capability to proactively search NASA information systems for advanced cyber threats that otherwise evade existing security tools” {§2676(c)(1)}.

Cyber Response and Recovery

Section 4252 (pg 1238) is the Cyber Response and Recovery Act. It is essentially the language of S 1316, which I have previously described in detail.

Federal Rotational Cyber Workforce Program

Division D of the bill includes Title II, Cyber and Artificial Intelligence. Subtitle B (pg 1257) of that Title is the Federal Rotational Cyber Workforce Program Act of 2021. It is essentially the language of S 1097 which the Senate Homeland Security and Governmental Affairs Committee ordered reported favorably last month.

Commentary

Almost all of the cybersecurity provisions in this bill are limited to information technology because of the language or definitions involved. It is not clear that that was the intention of the crafters of this bill, but it is certainly the effect.

For a more detailed look at the cyber provisions of S 1260, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-1260-and-cybersecurity (subscription required).