Saturday, September 15, 2018

ISCD Updates FAQ Responses – 09-14-18


Yesterday the DHS Infrastructure Security Compliance Division (ISCD) updated responses to two Frequently Asked Questions (FAQ) on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center web page. Both questions deal with calculating screening threshold quantities for mixtures of flammables (one is specifically for propane).

The two revised FAQs are:


Flammable Mixtures


The response for FAQ #1373 was completely rewritten and now describes a process that differs substantially from the original.

The original response said essentially that when COI were present in a mixture at more than 1%, the entire weight of the mixture was reported under the COI with the highest concentration; the facility did not report the weight of the other COI in that mixture. The exception to that was propane: if propane was in the mixture at less than 87.5%, the COI with the next greatest concentration in that mixture was reported, not the propane.

The new response also requires checking the NFPA flammability rating of the mixture. If the NFPA rating is 4, then the rule described above applies. If the NFPA rating is 1, 2 or 3 (and the mixture is not a fuel), then only the actual weight of each COI in the mixture (present at 1% or more) would be reported.

Interestingly, no mention is made of propane in the new FAQ response.

Propane Mixtures


A relatively minor modification was made to the response to FAQ #1566. The second paragraph was expanded to include more of the information from the FAQ response above for mixtures that contain less than 87.5% propane. It addresses the case where the NFPA rating of the propane-containing mixture is 4; it does not address the situation where the NFPA rating is 1, 2, or 3.
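The two FAQ responses above describe a counting procedure rather than a formula, and the difference between the old rule (whole mixture counted against one COI) and the new rule (NFPA rating decides whether the mixture or its components are counted) is easier to see when both are written out. The following is an added example, not ISCD guidance or text from either FAQ. It assumes concentrations are weight fractions of the mixture, that the caller knows whether the mixture is a fuel, and that the 87.5% propane rule from the original FAQ #1373 and the revised FAQ #1566 applies only when the NFPA rating is 4. Cases the post does not describe (a fuel with an NFPA rating of 1 to 3, or a rating of 0) are rejected rather than guessed at.

```python
"""Flammable-mixture COI counting as summarised in the post (added example).

Assumptions, none of which come from the FAQ text itself:
  * concentrations are weight fractions (0.0 to 1.0) of the mixture;
  * the 87.5% propane carve-out is applied only to NFPA-4 mixtures;
  * cases the post does not cover raise rather than return a number.
"""
from __future__ import annotations

from typing import Dict

COI_THRESHOLD = 0.01        # COI below 1% of the mixture are ignored
PROPANE_THRESHOLD = 0.875   # propane below 87.5% is not the reported COI
PROPANE = "propane"


def reportable_coi(mixture: Dict[str, float]) -> Dict[str, float]:
    """Keep only the COI present at 1% or more of the mixture."""
    return {coi: frac for coi, frac in mixture.items() if frac >= COI_THRESHOLD}


def count_whole_mixture(mixture: Dict[str, float], mixture_kg: float) -> Dict[str, float]:
    """Original FAQ #1373 rule (kept for NFPA-4 mixtures in the revision).

    The whole mixture weight is counted against the COI with the highest
    concentration.  If that COI is propane at less than 87.5%, the next most
    concentrated COI is reported instead (FAQ #1566).
    """
    ranked = sorted(reportable_coi(mixture).items(), key=lambda kv: kv[1], reverse=True)
    if not ranked:
        return {}
    chosen, frac = ranked[0]
    if chosen == PROPANE and frac < PROPANE_THRESHOLD and len(ranked) > 1:
        chosen = ranked[1][0]
    return {chosen: float(mixture_kg)}


def count_components(mixture: Dict[str, float], mixture_kg: float) -> Dict[str, float]:
    """Revised rule for NFPA 1-3, non-fuel mixtures: each COI at its own weight."""
    return {coi: frac * mixture_kg for coi, frac in reportable_coi(mixture).items()}


def count_mixture(mixture: Dict[str, float], mixture_kg: float,
                  nfpa_rating: int, is_fuel: bool = False) -> Dict[str, float]:
    """Dispatch on the NFPA flammability rating as the revised FAQ #1373 describes.

    Returns a mapping of COI name -> kilograms to count toward that COI's STQ.
    """
    if nfpa_rating == 4:
        return count_whole_mixture(mixture, mixture_kg)
    if nfpa_rating in (1, 2, 3) and not is_fuel:
        return count_components(mixture, mixture_kg)
    raise ValueError(
        f"NFPA rating {nfpa_rating} with is_fuel={is_fuel} is not a case the FAQ summary covers"
    )


if __name__ == "__main__":
    # Constructed sample: 1,000 kg of a mixture that is 60% propane, 30% butane,
    # 0.5% of a third COI and the balance non-COI.  Not a real facility record.
    sample = {PROPANE: 0.60, "butane": 0.30, "pentane": 0.005}
    print("NFPA 4 :", count_mixture(sample, 1000, nfpa_rating=4))
    print("NFPA 2 :", count_mixture(sample, 1000, nfpa_rating=2))
```

For the sample mixture the NFPA-4 path reports the full 1,000 kg against butane (propane is below 87.5%), while the NFPA-2 path reports 600 kg of propane and 300 kg of butane separately; the 0.5% pentane drops out under both rules because it is below the 1% threshold.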

ICS Public Disclosures – Week of 09-08-18


This week we have three control system exploits being published for products from Schneider (AVEVA?)(2) and CirControl (an automobile charging station vendor).

Schneider Exploits


NOTE: Neither of the exploit reports described below includes a CVE number, so it is possible that these are 0-day exploits; but both are for very common classes of vulnerability, so it is hard to tell.

Luis Martinez published an exploit for a local buffer overflow vulnerability in the Schneider InTouch Machine.

Martinez also published an exploit for a local buffer overflow vulnerability in the Schneider InduSoft Web Studio.

CirControl Exploit


David Castro (SadFud) published an exploit for a credential exposure vulnerability in the CirCarLife SCADA. The CVE indicates that the vulnerability was announced in June, but there is no indication that CirControl was notified and there is no listing of anything to do with cybersecurity on the CirControl web site.


Thursday, September 13, 2018

ICS-CERT Publishes Honeywell Advisory


Today the DHS ICS-CERT published a control system security advisory for mobile computers from Honeywell. The advisory describes an improper privilege management vulnerability. The vulnerability was reported by the Google Android Team. Honeywell has updates available to mitigate the vulnerability.

ICS-CERT reports that a skilled attacker could remotely exploit the vulnerability to allow a malicious third-party application to gain elevated privileges. This could enable the attacker to obtain access to keystrokes, passwords, personal identifiable information, photos, emails, or business-critical documents.

It is too early to tell if this vulnerability affects all Android devices (probably?) so other mobile ICS devices might also be affected. Of course (sarcasm alert), no one would use non-approved applications on a device used to access a control system, so this really is not a problem (SIGH).

HR 6638 Introduced – Cybersecurity Governance


Back in July Rep. Himes (D,CT) introduced HR 6638, the Cybersecurity Disclosure Act of 2018. The bill directs the Securities and Exchange Commission to require reporting companies to include in annual reports a listing of senior personnel with expertise or experience in cybersecurity.

The bill gives the Commission 360 days to issue final rules requiring reporting companies to “disclose whether any member of the governing body, such as the board of directors or general partner, of the reporting company has expertise or experience in cybersecurity and in such detail as necessary to fully describe the nature of the expertise or experience” {2(b)(1)}.

Moving Forward


Himes and his two Democratic cosponsors {Rep. Meeks (D,NY) and Rep. Heck (D,WA)} are members of the House Financial Services Committee to which this bill was assigned for consideration. Normally, this could provide them with sufficient influence to have the bill considered in Committee. This late in the session, however, such consideration is unlikely.

Business interests with no cybersecurity representation (probably a large majority of middle size and smaller businesses) would be expected to oppose such reporting requirements. Since this is a major Republican constituency, I expect that there will be little or no support from Republicans on this bill.

Commentary


There is something odd about the way this bill was written. It includes a list of definitions in §2(a), two of which are never used in the bill. Those two definitions are the only reason that I am discussing the bill. The two terms? “Cybersecurity Threat” and “Information System”.

The first term is defined in two parts. The first {§2(a)(2)(A)}:

“An action, not protected by the First Amendment to the Constitution of the United States, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system.”

The second part of the definition is the now obligatory {§2(a)(2)(B)}:

Does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement.

Nothing new or interesting here; it is a now standard IT-centric cybersecurity definition. The next term would normally also fall within that description, but the crafters of this bill included an addendum to one of the standard ‘information system’ definitions {§2(a)(3)(B)}:

Includes industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers.

We have seen both of these in other pieces of legislation, but the odd thing here is that neither definition has anything to do with the requirements of the bill. The definition of the key term in the bill, ‘expertise or experience in cybersecurity’, is left for the Commission to define, in consultation with NIST.

The best that I can figure is that Himes is using these two definitions to establish congressional intent that cybersecurity (for the purposes of this particular Commission regulation) includes control system security. Whether or not this would encourage reporting companies to include people with an ICS background in their governing bodies remains to be seen, but it might (should?) encourage the SEC to allow for such an eventuality in their definition of ‘expertise or experience in cybersecurity’.

Bills Introduced – 09-12-18


Yesterday, with both the House and Senate in session, there were 48 bills introduced. Of those, three may be of specific interest to readers of this blog:

HR 6776 Making appropriations for the Department of Homeland Security for the fiscal year ending September 30, 2019, and for other purposes. Rep. Yoder, Kevin [R-KS-3]

HR 6791 To establish a grant program within the Department of Labor to support the creation, implementation, and expansion of registered apprenticeship programs in cybersecurity. Rep. Rosen, Jacky [D-NV-3]

S 3437 A bill to establish a Federal rotational cyber workforce program for the Federal cyber workforce. Sen. Peters, Gary C. [D-MI] 

Yes, the last spending bill has finally been introduced. Obviously, this will never make it to the floor of the House, much less the Senate. It may, however, form the base for the final spending bill that will be considered after the election.

Both HR 6791 and S 3437 are at base cybersecurity workforce measures. I will be watching both of these bills for the definitions to see if the bills specifically include industrial control system security folks.

On a lighter note: Election season is here (in case you had not noticed) and we are seeing legislators use the power of proposed legislation to support their campaigns. Usually this takes the form of proposing legislation supporting part of their electoral base. These bills are never really intended to be considered and passed; they just allow the proposer to point to the bill and say: “Look, I am trying to do something about…. Send me back for another term to be able to continue.”

Yesterday we saw the introduction of a resolution that clearly meets that criterion: H Con Res 135, Requiring Members of the House of Representatives and the Senate to participate in random drug testing. Rep. Higgins (R,LA) introduced this resolution. It should certainly resonate with his constituents that have mandatory drug testing in their workplace.

Wednesday, September 12, 2018

HR 6620 Introduced – UAS Threat Assessment


Back in July Rep. Richmond (D,LA) introduced HR 6620, the Protecting Critical Infrastructure Against Drones and Emerging Threats Act. The bill requires data collection and analysis activities about the threats posed by unmanned aircraft systems (UAS).

The bill would require the DHS Office of Intelligence and Analysis (OIA) within 120 days to {§2(a)}:

• Request additional information from other agencies of the Federal Government, State and local government agencies, and the private sector relating to threats of unmanned aircraft systems and other emerging threats associated with such new technologies;
• Develop and disseminate a security threat assessment regarding unmanned aircraft systems and other emerging threats associated with such new technologies; and
• Establish a secure reporting infrastructure for reporting information on emerging threats, such as the threat posed by unmanned aircraft systems.

Within one year of the bill being adopted, OIA would be required to report to Congress on the threat posed by unmanned aircraft systems.

No monies are authorized by this bill.

Moving Forward


This bill will be considered by the House Homeland Security Committee tomorrow. I suspect that the bill will receive bipartisan support. If this bill does come to the floor of the House before the end of the session (probable), it will almost certainly be considered under the suspension of the rules process, with minimal debate and no amendments, and it would require a supermajority to pass.

Even if this bill were passed in the House, I really doubt that it would make it to the floor of the Senate before the 115th Senate adjourns for good in December.

Commentary


This is another one of those motherhood and apple pie bills that allows congress critters to feel good about ‘doing something’ without raising any controversies or spending any money. Unfortunately, it will accomplish virtually nothing.

Oh yes, the bill includes an attempt to cover the important tech buzz words in §2(b)(3):

“establish and utilize, in conjunction with the Chief Information Officer of the Department and other relevant entities, a secure communications and information technology infrastructure, including data-mining and other advanced analytical tools, in order to access, receive, and analyze data and information in furtherance of the responsibilities under this section, including by establishing a voluntary mechanism whereby critical infrastructure owners and operators may report information on emerging threats, such as the threat posed by unmanned aircraft systems.”

They missed ‘artificial intelligence’ and ‘blockchain’; maybe they can add those tomorrow.

ICS-CERT Publishes 5 Advisories and 4 Updates


Yesterday the DHS ICS-CERT published five control system security advisories for products from Siemens (3) and Fuji Electric (2). They also updated three previously published advisories for products from Siemens and the Meltdown/Spectre alert.

SCALANCE Advisory


This advisory describes an improper input validation vulnerability in the Siemens SCALANCE X Switches. The vulnerability is being self-reported. Siemens has updates available for two of the three affected products and has identified mitigation measures.

ICS-CERT reports that a relatively low-skilled attacker could use publicly available exploits to remotely exploit the vulnerability to cause a denial-of-service condition.

SIMATIC Advisory


This advisory describes an improper access control vulnerability in the Siemens SIMATIC WinCC OA HMI. The vulnerability is being self-reported. Siemens has an update available to mitigate the vulnerability.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to escalate their privileges in the context of the program.

TD Keypad Designer Advisory


This advisory describes an unprotected search path element vulnerability in the Siemens TD Keypad Designer. The vulnerability is being self-reported. Siemens has identified generic mitigation measures for the vulnerability.

ICS-CERT reports that a relatively low-skilled attacker with local access could exploit the vulnerability to escalate their privileges.

V-Server Lite Advisory


This advisory describes a classic buffer overflow vulnerability in the Fuji V-Server Lite. The vulnerability was reported by Ariele Caltabiano (kimiya) via the Zero Day Initiative (ZDI). Fuji has a firmware update available to mitigate the vulnerability. There is no indication that Caltabiano has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to view sensitive information and disrupt the availability of the device.

V-Server Advisory


This advisory describes seven vulnerabilities in the Fuji V-Server. The vulnerabilities were reported by Steven Seeley (mr_me) of Source Incite via ZDI. Fuji has a new software version that mitigates the vulnerabilities. There is no indication that Seeley has been provided an opportunity to verify the efficacy of the fix.

The seven reported vulnerabilities are:

• Use after free - CVE-2018-14809;
• Untrusted pointer dereference - CVE-2018-14811;
• Heap-based buffer overflow - CVE-2018-14813;
• Out-of-bounds write - CVE-2018-14815;
• Integer underflow- CVE-2018-14817;
• Out-of-bounds read - CVE-2018-14819; and
• Stack-based buffer overflow - CVE-2018-14823.

ICS-CERT reports that a relatively low-skilled attacker could use publicly available exploits to remotely exploit the vulnerabilities to allow for remote code execution on the device, causing a denial of service condition or information exposure.

Industrial Products Update


This update provides new information on an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, July 25th, 2017, August 17th, 2017, October 10th, 2017, November 14th, 2017, November 28th, 2017, February 27th, 2018, May 3rd, 2018 and most recently on May 15th, 2018. The new information includes revised affected versions data and mitigation measures for:

• SINAMICS DCP w. PN; and
• SINAMICS DCM w. PN

SIMATIC Update


This update provides new information on an advisory that was originally published on May 17th, 2018. The new information includes additional mitigation measures that can be used.

OpenSSL Update


This update provides new information on an advisory that was originally published on August 14th, 2018. The new information includes revised affected versions data and mitigation measures for WinCC OA.

Meltdown/Spectre Update


This update provides new information on an alert that was originally published on January 11th, 2018 and updated on January 16th, 2018, January 17th, 2018, January 30th, 2018, February 20th, 2018, February 22nd, 2018, March 1st, 2018, and most recently on July 10th, 2018. The new information includes a link to a new Meltdown/Spectre advisory from Siemens.

Note: While this newly added Siemens advisory and an earlier Siemens advisory on the original Meltdown/Spectre vulnerabilities both address newer variants of the vulnerability, ICS-CERT has failed to provide any information (or links to information) about these new problems.
