Review - House Considering S 1605 – New FY 2022 NDAA

This evening the House will be taking up S 1605, a bill to designate the National Pulse Memorial in Orlando, FL. Instead of the language adopted in the Senate, the House will consider substitute language making the bill the National Defense Authorization Act for Fiscal Year 2022. If, as expected, this bill passes tonight in the House, the Senate will take up the bill under the abbreviated processes (no further amendments) used to accept a House amendment to a Senate passed bill.

The bill was crafted in much the same way as a conference committee would do after the two houses of Congress passed separate versions of a bill. Instead of an appointed conference committee (which for an NDAA would be mainly the Armed Services Committees supplemented by committee representatives for significant non-defense matters included in the bill), this substitute language was crafted by essentially just the Armed Services Committees using the House passed version of HR 4350 and the Senate Amendment SA 3867 substitute language from the Senate. There has been a Joint Explanatory Statement published which explains how the bill was crafted.

As I write this, the House is actively debating HR 1605 with one hour set aside for this debate. Various procedural matters will follow. The House expects to vote on this bill later tonight. I expect that it will pass with some level of bipartisan support (and bipartisan opposition).

For more details about the cybersecurity provisions included in the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/house-considering-s-1605-new-fy-2022 - subscription required.

Review - 3 Advisories Published – 12-7-21

Today, CISA’s NCCIC-ICS published three control system security advisories for products from Hitachi Energy and FANUC. The FANUC advisory was originally published to the restricted access Homeland Security Information Network (HSIN) ICS library on August 31, 2021.

XMC20 Advisory - This advisory describes two vulnerabilities in the Hitachi Energy XMC20 and FOX61x multi-service network elements.

NOTE: I briefly discussed the two Hitachi Energy advisories that form the basis for this advisory on November 27^th, 2021.

RTU500 Advisory - This advisory discussing two vulnerabilities in the Hitachi RTU500 Series remote terminal unit.

NOTE: This advisory is based upon an update to the Hitachi advisory that was originally published on November 17^th, 2021 and I briefly discussed on November 20^th, 2021.

FANUC Advisory - This advisory describes two vulnerabilities in the FANUC R-30iA and R-30iB series robot controllers.

NOTE: The HSIN ICS Library allows the release of vulnerability information to be restricted to selected facilities so that mitigation measures can be put into place before the vulnerabilities are publicly released. In this instance the generic mitigation measures provided by FANUC and NCCIC-ICS hardly seem to justify the delayed release.

NOTE: For more details about these advisories, including links to 3^rd party advisories, see my article at CSFN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-published-12-7-21 - subscription required.

S 3260 Introduced – TSA 20 Year Review

Last month, Sen Wicker (R,MS) introduced S 3260, the Transportation Security Administration 20th Anniversary Review Act. The bill would required the TSA to contract with “a federally funded research and development center to conduct a comprehensive review of the missions, capabilities, and performance of the Transportation Security Administration”. The bill would authorize $2 million to pay for the study.

Wicker is the Ranking Member of the Senate Commerce, Science, and Transportation Committee to which this bill was assigned for consideration. This means that there should be adequate influence to see this bill considered in Committee. I do not see anything in the bill that would engender any specific opposition, but I would expect to see amendments proposed that would address Democratic concerns about privacy and redress issues with the ‘Do Not Fly’ list and the Terrorist Screening Database overseen by TSA.

I think that there is a possibility that this bill could be considered under regular order by the full Senate sometime next year.

I think that this bill would be an excellent opportunity to have an independent agency look at the issue of whether or not the TSA is the appropriate agency to oversee cybersecurity issues in the transportation sector. To that end, I would like to see the following paragraph added to §2(b):

(21) An assessment of the capability of the Transportation Security Administration to oversee cybersecurity requirements in the transportation sector, including a comparable assessment of whether the individual modal administrations would be more capable of such oversight.

For more details about the required assessment, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-3260-introduced - subscription required.

Committee Hearings – Week of 12-6-21

This week with the House and Senate both in Washington, there is a fairly normal hearing schedule. There is one hearing of potential interest here: a cybersecurity markup hearing.

Cybersecurity Markup

On Wednesday, the House Judiciary Committee will hold a markup hearing on Wednesday covering five bills. One of those bills (HR 4977, the Better Cybercrime Metrics Act) may be of interest here. I have not reported on this bill, but it is essentially a companion bill to S 2629, which was reported in the Senate last week. This bill does not affect (or require) private sector reporting of cyber-crimes. What it does do is try to get DOJ to standardize the way that cybercrime statistics are reported within the government.

On the Floor

None of the bills this week scheduled for consideration under suspension of the rules in the House are of particular interest here. That includes the 16 new bills to be considered this week and the 14 being carried over from last week awaiting floor votes.

The House Majority leader lists the following legislation for possible consideration this week:

• Consideration of the FY22 National Defense Authorization Act

• Possible Consideration of Legislation Related to the Debt Limit

• Possible Consideration of Legislation Related to End of the Year Healthcare Provisions

• Additional Legislative Items Are Possible

The odd thing is that the House already passed HR 4350, the FY2022 NDAA. That bill is still stalled in the Senate. When the Senate adjourned last Thursday, there was no mention of an agreement on resuming consideration of the bill this week. Apparently the leadership has about given up on trying to get an agreement on the amendments to be considered before the final vote on the substitute language on the bill.

An interesting article over on TheHill.com lays out a bizarre solution to the current stalemate. Typically the Senate takes up the House bill, substitutes the Senate language, amends it and then the two conference on how to combine the two bills. That conference language then goes back to the House and Senate for a final vote. What TheHill.com is reporting is taking out the ‘amends it’ step. Apparently the two Armed Services Committees are holding an unofficial conference to work out the differences between what the two committees want in the bill. That unofficial conference bill would then be taken up by the House under a closed rule (without amendments like a conference report is normally considered).

I am not sure how they would expect to get this past the bomb throwers in the Senate, but it is certainly out-of-the-box thinking. I would suspect that the House Armed Services Committee would try to keep most of the floor add-ins from HR 4350 in the reported bill. It would be interesting to see what ‘amendments’ the Senate would try to keep.

Review - Public ICS Disclosures – Week of 11-27-21

This week we have eight vendor disclosures from B&R Automation (2), CODESYS, Moxa (3), Tanzu, and Wireshark. We also have a vendor update from CODESYS. Finally, we have 26 researcher reports of vulnerabilities in products from Open Design Alliance.

B&R Advisory #1 - B&R published an advisory discussing the NUMBER:JACK vulnerabilities.

B&R Advisory #2 - B&R published an advisory describing two vulnerabilities in their Automation Studio and PVI Windows Services.

CODESYS Advisory - CODESYS published an advisory describing an improper certificate validation vulnerability in their Git distributed version control system.

Moxa Advisory #1 - Moxa published an advisory describing four vulnerabilities in their ioPAC 8500 and ioPAC 8600 Series (IEC Models) Controllers.

Moxa Advisory #2 - Moxa published an advisory discussing the recently reported Realtek SDK Router vulnerabilities.

Moxa Advisory #3 - Moxa published an advisory discussing the INFRA:HALT vulnerabilities.

Tanzu Advisory - Tanzu published an advisory describing an out-of-memory error vulnerability in their Spring AMQP product.

Wireshark Advisory - Wireshark published an advisory describing a NULL pointer dereference vulnerability in their Modbuss dissector.

CODESYS Update - CODESYS published an update for their Gateway V3 advisory that was originally published on March 29^th, 2021  and most recently updated on November 18^th, 2021.

ODA Reports - The Zero Day Initiative published 26 reports about vulnerabilities in 12 separate CVEs in the ODA viewer.

For more details about these advisories, updates and reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11-195 - subscription required.

S 2629 Reported in Senate - Cybercrime Reporting

Earlier this week the Senate Judiciary Committee reported S 2629, the Better Cybercrime Metrics Act favorably without a written report. The Committee met on November 18^th, 2021, to consider the bill and ordered it reported at that time without amendment. The bill is now cleared for possible consideration by the full Senate.

The bill would require DOJ to establish a taxonomy for classifying cybercrime in the National Incident-Based Reporting System (NIBRS) and would require the reporting of cybercrimes according to that taxonomy. The bill provides for $1 million to support the development of the taxonomy, including a study on the topic by the National Academy of Sciences. It would have no effect on cybercrime reporting by victims.

Reporting a bill without a written report is usually an indication that an effort is going to be made to bring the bill to the floor for consideration. With the strong bipartisan support seen for this bill in Committee, it is possible that the bill could be offered under the Senate’s unanimous consent process.

House and Senate Pass HR 6119 – FY 2022 CR

 The House and Senate both took up and passed HR 6119 (Rules Committee print), the Further Extending Government Funding Act, that will extend the current FY 2022 spending through February 18^th, 2022. The bill is a ‘clean’ continuing resolution. The only additional spending included in the bill concerns Operation Allies Welcome, the re-settlement activities for the Afghanistan refuges that were evacuated when the US withdrew US military support from that country this summer.

The House took up the bill this afternoon. After little more than two hours of debate, the bill passed by a near party-line vote of 221 to 212. Rep Kinzinger (R,IL) was the only person to ‘switch sides’ by voting to pass the bill.

After the Senate leadership agreed to a straight up vote on an amendment to defund the President’s vaccine mandate, the Senate took up HR 6119. The anti-vaccine amendment fell on a straight party-line vote of 48 to 50, with a simple majority required for passage. The final bill passed on a partially bipartisan vote of 69 to 28, with 60 ayes required for passage.

President Biden will likely sign the bill tomorrow avoiding a shutdown of the federal government, at least through February.