Legislative Cybersecurity Definitions

Earlier today in my post about the introduction of HR 1062 I briefly mentioned my concerns about the definitions related to cybersecurity used in current law and legislative proposals. In this post, I will be taking a more detailed look at the problem and my proposals for solutions.

Current Definitions

In writing legislation, congressional staffs (personal and committee) usually rely on definitions that currently exist in the United States Code. This reliance on previous work helps to establish a coherent lexicon of terminology that ensures that different programs in the government mean the same thing when the use the same terminology.

For cybersecurity issues we find the following definitions be referred to in many disparate types of legislation referring to cybersecurity:

Information System:

44 USC 3502(8) - the term ‘‘information system’’ means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information;

6 USC 1501(9) - The term ‘‘information system’’—

(A) has the meaning given the term in section 3502 of title 44; and

(B) includes industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers.

Cybersecurity Risk:

6 USC 659(a)(1) - the term "cybersecurity risk"-

(A) means threats to and vulnerabilities of information or information systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information or information systems, including such related consequences caused by an act of terrorism; and

(B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;

Incident:

6 USC 659(a)(3) - the term "incident" means an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system; [NOTE: Based upon §3502 IT restricted definition of ‘information system’.

Cybersecurity Purpose

6 USC 1501(4) The term ‘‘cybersecurity purpose’’ means the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.

Cybersecurity threat

6 USC 1501(5)

(A) In general

Except as provided in subparagraph (B), the term ‘‘cybersecurity threat’’ means an action, not protected by the First Amendment to the Constitution of the United States, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system.

(B) Exclusion

The term ‘‘cybersecurity threat’’ does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement.

Definition Problems

When crafters of legislation describe computer systems, they generally use the term ‘information system’. Initially this was almost universally applied to systems that were used exclusively in the financial industry, but that expanded to include other types of information as legislators looked at protecting personally identifiable information (PII) and medical/healthcare information and more recently intellectual property.

As it became more and more evident that a variety of industrial control systems, transportation systems, medical devices and other computer systems that controlled physical processes were potentially subject to cyberattacks, legislative writers tried to squeeze these systems into the definition of ‘information system’. The one successful attempt at codifying that combination of IT and OT technology into a single term by adding the wording: “includes industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers” in a second subparagraph.

This bastardized definition still refers to “the collection, processing, maintenance, use, sharing, dissemination, or disposition of information” purpose of the ‘information systems’. This provides no connection to the physical processes controlled by control systems.

Similarly, the other cybersecurity related definitions listed above (including those based upon the OT inclusive definition of §1501) use IT limiting terms such as: “information that is stored on, processed by, or transiting an information system” or “the integrity, confidentiality, or availability of information”. This has been acceptable from a legislative perspective because control systems still rely on ‘information’ for their operation.

Unfortunately, it is becoming increasingly obvious to those in the control system community that the cybersecurity focus in that sector should be more intensely focused on the potential physical outcomes from a successful attack rather than the information used in the control processes.

Proposed Legislative Solution

With these problems in mind, I would like to propose that 6 USC 659(a) be amended to read:

(a) Definitions

In this section-

(1) the term ‘control system’ means a discrete set of information resources, sensors, communications interfaces and physical devices organized to monitor, control and/or report on physical processes, including manufacturing, transportation, access control, and facility environmental controls;

(2) the term "cybersecurity risk"-

(A) means threats to and vulnerabilities of information or information systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information or information systems, including such related consequences caused by an act of terrorism; and

(B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;

(A) threats to and vulnerabilities of information, information systems, or control systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information, information systems, or control systems, including such related consequences caused by an act of terrorism; and

(B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;

(3) the terms "cyber threat indicator" and "defensive measure" have the meanings given those terms in section 102 of the Cybersecurity Act of 2015 [6 U.S.C. 1501];

(4) the term "incident" means an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system;:

(A) the integrity, confidentiality, or availability of information on an information system,

(B) the timely availability of accurate process information, the predictable control of the designed process or the confidentiality of process information, or

(C) an information system or a control system;

(5) the term "information sharing and analysis organization" has the meaning given that term in section 671(5) of this title;

(6) the term "information system" has the meaning given that term in section 3502(8) of title 44; and

(7) the term "sharing" (including all conjugations thereof) means providing, receiving, and disseminating (including all conjugations of each of such terms).

HR 1062 Introduced – Cybersecurity Consortium

Earlier this month Rep. Castro (D,TX) introduced HR 1062, the National Cybersecurity Preparedness Consortium Act of 2019. The bill would authorize the DHS NCCIC to work with a consortium of non-profit entities to “develop, update, and deliver cybersecurity training in support of homeland security” {§2(1)}. The bill is very similar to HR 1465 from the 115^th Congress and HR 4743 from the 114^th. No action was taken on HR 1465 but HR 4743 was passed in the House with bipartisan support.

Differences in the Bills

The current language is most closely a copy of the version of HR 1465 that was reported in the House. There are still a number of differences in the two versions of the bill; some of them minor and others with more significant.

The first noticeable change is the references to both the Homeland Security Act of 2002 and 6 USC. These changes are strictly editorial updates for changes made to that Act and the US Code (USC) by the CISA authorization bill that was passed last year. As usual I prefer to use the USC links. All references to 6 USC 659 in the current bill are the same as the old 6 USC 148 that I have made numerous references to in the past. Unfortunately, the GPO has yet to update the USC for last year’s modifications, so all links to 6 USC in this post will be to the congressional version of the US Code.

Next this bill removes almost all references to the phrase ‘including threats of terrorism and acts of terrorism’ that were included frequently in the earlier bills. This was used as a pretty constant modifier of the phrase ‘cybersecurity risks and incidents. The current bill only uses this phrase one time in §3(b)(3):

Provide technical assistance services to build and sustain capabilities in support of preparedness for and response to cybersecurity risks and incidents, including threats of terrorism and acts of terrorism, in accordance with such section 2209;

There are two paragraphs from the earlier bills that are completed removed in this latest version. Section 2(c) admonished the Secretary to “to prevent unnecessary duplication of existing programs or efforts of the Department of Homeland Security”. Section 2(g) terminated the authorization for the program in five years from the date of enactment. There is no similar language for either of these provisions in the current bill.

Finally, there are two additional sections found in this bill that were not included in the earlier versions. Section 2 provides definitions of important terms; those definitions were included in the text of various paragraphs in the reported version of HR 1465. Section 4 added an important rule of construction to the bill:

“Nothing in this Act may be construed to authorize a consortium to control or direct any law enforcement agency in the exercise of the duties of the law enforcement agency.”

Moving Forward

Neither Castro or any of his six bipartisan cosponsors are members of the House Homeland Security Committee to which this bill was assigned for consideration. HR 1465 had a similar problem last session which explains why it was not considered in Committee. If the bill were to be considered in Committee (possible if a new cosponsor who was on the Committee were added) it would probably be adopted by a bipartisan majority. There is nothing in the bill that should draw any significant opposition.

A similar sounding bill, S 333, was introduced in the Senate, but it looks to have a similar consideration problem; none of the four Senators currently associated with the bill are on the Senate Homeland Security and Governmental Affairs Committee.

Commentary

I did now write about HR 1465 last session because the definitions provided for ‘cybersecurity risk’ and ‘incident’ rely on the IT restrictive definition of information system used in §659. This means that there is no authorization for providing training for incident response or response planning for industrial control system incidents. As it becomes more and more apparent that the physical consequences of a potential attack on industrial control systems could be much more significant than a purely IT system attack, this restrictive definition becomes more and more problematic.

I have been complaining about this definitional problem for some time. As is usual I have offered a number of different possible suggestions for the problem. The most comprehensive can be found in my discussion of HR 2831 last session.

Four advisories Published – 02-19-19

Today the DHS NCCIC published four control system security advisories for products from Rockwell Automation, Horner Automation, Delta Industrial and Intel.

Rockwell Advisory

This advisory describes two vulnerabilities in the Rockwell Allen-Bradley PowerMonitor 1000. This vulnerability was reported by Luca Chiou of ACSI. Rockwell is working on mitigation measures. CheckPoint Software Technologies has released IPS rules to detect attempts to exploit CVE-2019-19615.

The two reported vulnerabilities are:

• Cross-site scripting - CVE-2019-19615; and

• Authentication bypass using alternate path or channel - CVE-2019-19616

NCCIC-ICS reports that a relatively low-skilled attacker could use a publicly available exploits (here and here) to remotely exploit these vulnerabilities to allow a remote attacker to affect the confidentiality, integrity, and availability of the device.

NOTE: I discussed these vulnerabilities last Saturday.

Horner Advisory

This advisory describes an improper input validation vulnerability in the Horner Cscape control system application programming software. The vulnerability was reported by ‘anonymous’ via the Zero Day Initiative (ZDI). Horner has a new version that mitigates the vulnerability. There is no indication that anonymous has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to crash the device being accessed, which may allow the attacker to read confidential information and remotely execute arbitrary code.

Delta Advisory

This advisory describes an out-of-bounds read vulnerability in the Delta Industrial Automation CNCSoft. The vulnerability was reported by Natnael Samson (@NattiSamson) via ZDI. Delta has an updated version that mitigates the vulnerability. There is no indication that Samson was provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to cause a buffer overflow condition that may allow information disclosure or crash the application.

Intel Advisory

This advisory describes eleven vulnerabilities in the Intel Data Center Manager SDK. The vulnerability was reported by Intel’s Product Security Incident Response Team. Intel has a new version that mitigates the vulnerability.

The eleven reported vulnerabilities are:

• Improper authentication - CVE-2019-0102;

• Protection mechanism failure (4) - CVE-2019-0103, CVE-2019-0104, CVE-2019-0106, and CVE-2019-0107,

• Permission issues (4) - CVE-2019-0105, CVE-2019-0108, CVE-2019-0109, and CVE-2019-0111;

• Key management issues - CVE-2019-0110;

• Insufficient control flow management - CVE-2019-0112

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow escalation of privilege, denial of service, or information disclosure.

S 315 Introduced – DHS Cyber Response Teams

Last month Sen. Hassan (D,NH) introduced S 315, the DHS Cyber Hunt and Incident Response Teams Act of 2019. The bill would authorize the current cyber incident response teams in the DHS NCCIC. The bill is very similar to HR 5074 from the 115^th Congress which passed in the House but was never taken up in the Senate.

The bill does not name the teams, but the description certainly refers to the incident investigation teams associated with US-CERT and ICS-CERT. The bill specifically mentions ‘control systems’ {6 USC 659(f)(1)(D)} but does not provide a definition for that term.

Hassan and her two cosponsors {Sen. Peters (D,MI) and Sen. Portman (R,OH)} are all influential members of the Senate Homeland Security and Governmental Affairs Committee to which this bill was assigned for consideration. This should mean that the bill has a good chance of being considered in that Committee. A recent article over on Politico.com pointed out, however, how hard it is to get cybersecurity legislation through that Committee. Since this bill does not contain any new authority for NCCIC nor does it approve any new funding, this bill may be able to avoid that cybersecurity trap.

NOTE: HR 1158 was recently introduced in the House with a similar sounding name, but the text has not yet been published. I suspect that it will be very similar to this bill.

S 300 Introduced – DOE Pipeline Security

Earlier this month Sen. Cornyn (R, TX) introduced S 300, the Pipeline and LNG Facility Cybersecurity Preparedness Act. This is a companion bill (identical language) to HR 370 that was introduced in January. The bill would define cybersecurity oversight requirements for DOE over energy pipelines and LNG facilities.

While there is a good chance for committee action on HR 370 in the House, neither Cornyn nor his single cosponsor {Sen. Heinrich (D,NM)} are members of the Senate Commerce, Science, and Transportation Committee to which this bill was assigned for consideration. This means that it is extremely unlikely that the bill will be considered in that Committee.

Public ICS Disclosures – Week of 02-09-19

This week we have five vendor disclosures for products from Kunbus, Schneider (3) and Rockwell; five vendor updates from Siemens; one coordinated disclosure for products from Resource Data Management and one exploit for a previously disclosed vulnerability for products from AVEVA.

Kunbus Advisory

Kunbus published an advisory for five vulnerabilities in its KUNBUS-GW Modbus TCP PR100088 product. The vulnerabilities were reported by Nicolas Merle of Applied Risk. Kunbus is working on an update to mitigate the vulnerabilities.

The five reported vulnerabilities are:

• Conditional authentication bypass;

• Missing authentication for critical function;

• Denial of service;

• Publication of information by parameter data in an HTTP GET request; and

• Plain text storage of passwords

Schneider Advisories

Schneider has published an advisory describing six vulnerabilities in its Sarix Enhanced and Spectra Enhanced cameras. The vulnerabilities were reported by Deng Yongkai (NSFOCUS) and Gjoko Krstic (Zero Science). Schneider has a new firmware version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• A permissions, privileges, and access control vulnerability - CVE-2018-7816;

• A command injection vulnerability (2) - CVE-2018-7825 and CVE-2018-7826;

• A cross-site scripting (XSS) vulnerability (2) - CVE-2018-7827 and CVE-2018-7828; and

• An improper neutralization of special elements in query vulnerability - CVE-2018-7829

Schneider has published an advisory describing a buffer error vulnerability in its Vijeo Designer Lite software. The vulnerability is self-reported. Schneider has provided generic mitigations as the product has reached end-of-life status.

Schneider has published an advisory describing three vulnerabilities in its  Modicon M221 and

SoMachine Basic products. The vulnerabilities were reported by Matthias Niedermaier (Hochschule Augsburg), Jan-Ole Malchow (Freie Universität Berlin), Florian Fischer (Hochschule Augsburg) and Reid Wightman (Dragos Inc.). Schneider has updates available to mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• An environment vulnerability (2) - CVE-2018-7821 and CVE-2018-7823; and

• An incorrect default permissions vulnerability - CVE-2018-7822

Rockwell Advisory

Rockwell has published an advisory describing two vulnerabilities in its PowerMonitor 1000 monitor that were publicly reported (with exploits) in December (here and here) by Luca Chiou. Rockwell has provided generic mitigation measures pending development of updates. It also provides a link to intrusion prevention system (by CheckPoint) rules to detect the cross-site scripting vulnerability.

The two reported vulnerabilities are:

• Cross-site scripting - CVE-2019-19615; and

• Authentication bypass - CVE-2019-19616

 Siemens Updates

Siemens published an update for their advisory on Spectre and Meltdown Vulnerabilities in Industrial Products. They added updated affected version data and provided links to mitigations for:

• SIMATIC ET 200 SP Open Controller; and

• SIMATIC IPC547E

NOTE: NCCIC-ICS updated their alert (ICS-ALERT-18-011-01) for this vulnerability when Siemens added a new advisory. That technically included this update since the link provided in the alert goes to the latest version of the Siemens advisory.

Siemens published an update for their advisory on Spectre-NG (Variants 3a and 4) Vulnerabilities in Industrial Products. They added updated version data and provided links to mitigations for:

• SIMATIC ET 200 SP Open Controller:

• SIMATIC ET 200 SP Open Controller (F);

• SIMATIC S7-1500 Software Controller;

• SIMATIC IPC547E;

• SIMATIC ITP1000;

• SIMATIC IPC3000 SMART V2;

• SIMATIC IPC347E;

• SIMATIC HMI Basic; and

• Panels 2nd Generation:

They also removed the following unaffected products from the advisory:

• SIMATIC IPC227E;

• SIMATIC IPC277E;

• SIMATIC IPC327E; and

• SIMATIC IPC377E

NOTE: NCCIC-ICS is expected to update their advisory.

Siemens published an update for their advisory on Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP. They added two additional vulnerabilities to the list for these products:

• CVE-2018-1000876; and

• CVE-2018-16862

NOTE: NCCIC-ICS has not published an advisory/alert on these vulnerabilities.

Siemens has published an update for their advisory on Denial-of-Service in SICAM A8000 Series. They updated the CVSS vector due to known exploit.

Siemens has published an update for their advisory on Foreshadow / L1 Terminal Fault Vulnerabilities in Industrial Products. They updated the affected version data and provided links to the mitigation measures for:

• SIMATIC IPC547E;

• SIMATIC IPC547G;

• SIMATIC ITP1000;

• SIMATIC IPC3000 SMART V2; and

• SIMATIC IPC347E

They also removed the following unaffected products from the advisory:

• SIMATIC IPC227E;

• SIMATIC IPC277E;

• SIMATIC IPC327E; and

• SIMATIC IPC377E

NOTE: NCCIC-ICS has not published an advisory/alert on these vulnerabilities.

Resource Data Management

Safety Detective published an article describing default credential vulnerabilities for commercial refrigeration systems from Resource Data Management. The article describes how the researchers were able to locate vulnerable systems, change settings, and manipulate controls in systems in hospitals and stores.

AVEVA Exploit

Jacob Baines published an exploit for vulnerabilities in the AVEVA InduSoft Web Studio. The vulnerabilities were reported by NCCIC-ICS earlier this month.

Bills Introduced – 02-14-19

On Thursday, with both the House and Senate in session there were 144 bills introduced. One of these may receive further future mention in this blog:

S 495 A bill to amend title 18, United States Code, to reauthorize and expand the National Threat Assessment Center of the Department of Homeland Security. Sen. Grassley, Chuck [R-IA]

I will be watching this bill for specific mention of chemical security, chemical transportation security or cybersecurity.

NOTE: On Thursday I mistakenly titled the ‘Bills Introduced’ blog post as referring to bills introduced on 2-14-19, it should have read ‘2-13-19’. That has been corrected.