Tuesday, February 20, 2018

CFATS Program Oversight Hearing

Last week the Cybersecurity and Infrastructure Protection Subcommittee of the House Homeland Security Committee held an oversight hearing looking at the Chemical Facility Anti-Terrorism Standards (CFATS) program. According to the opening statement of the Chair, this is the first step in the reauthorization process for that program. The current authorization for the program ends on December 18th, 2018.

Support for CFATS Program

Three of the witnesses were from chemical manufacturing organizations who represent CFATS covered facilities in a range of industries. The fourth witness was a well-known environmental advocate who has frequently addressed chemical manufacturing safety issues.

Generally speaking, all four witnesses supported the CFATS program and advocated for its reauthorization. All expressed concerns that the reauthorization should not take the form of year-to-year extensions of the program that were seen prior to 2014.

Suggestions for Reauthorization Changes

Chet Thompson, representing the American Fuel & Petrochemical Manufacturers, specifically recommended another medium-term extension of the program requiring specific congressional reauthorization, as was done in 2014. His other recommendations for the reauthorization were generally restrictive:

• Do not include an inherently safer technology mandate (in oral testimony);
• Require changes in the Appendix A chemical of interest (COI) list to go through comment-response process;
• Avoid extending the anti-terrorist vetting program to Tier III and Tier IV facilities; and
Avoid any major changes to the program.

Kirsten Meskill, representing the American Chemistry Council, had three recommendations in her written testimony for the reauthorization of the CFATS program:

• Improve transparency in DHS risk determinations;
• Reconsider the value of Terrorist Screening Database (TSDB) screening at low risk facilities; and
• Recognize industry stewardship programs.

Pete Mutschler, representing both the Fertilizer Institute and the Agricultural Retailers Association, included two reauthorization suggestions in his testimony;

• Continue to protect the confidentiality of site security information; and
• Recognize industry stewardship programs.

Paul Orum, representing the Coalition to Prevent Chemical Disasters, was the most detailed in his recommendations for reauthorization changes. In his testimony Orum addressed (with specific suggestions):

• Use all available options – not just management and control strategies;
• Exercise oversight – especially of the ability of CFATS standards to realistically ensure protection;
• Use available resources – especially make better use of employee input;
• To improve public confidence, respect community concerns; and
• Support other programs that improve chemical security;


Readers will remember that I started the CFATS reauthorization discussion rolling last fall when I did two blog posts on my suggestions for changes to the program (here and here).

My first post addressed cybersecurity issues. None of the witnesses addressed cyber issues in their prepared testimony and there was only one question about cybersecurity during the hearing (52 minutes). The responses were fairly generic calls for information sharing. Thompson did note that the current Risk Based Performance Standard 8 of the CFATS program addresses cybersecurity.

One interesting topic that did come up during questioning (49 minutes) was the use of unmanned aerial vehicles (UAV) or drones. There was just one question (51 minutes) on the topic and the answers were very generic. Meskil pointed out that drones are a duel edged sword; they are useful in many inspection and maintenance operations at facilities, but weaponized drones are a potential threat that has yet to be addressed. While I will address specific recommendations for drone provisions of the CFATS reauthorization, I will note here that drone rules have to take into account two specific restrictions:

• Interference in the operation of a drone is a federal felony; and
• Tracking and intercepting a drone is technologically and operationally complicated.

Finally, on the topic of inherently safer technology (IST); there should be no mistake made, the CFATS regulations have had a positive impact on the application of risk reduction measures at a relatively large number of chemical facilities. This is clearly seen in the reduction in the number of facilities over the years that have left the CFATS program. Orum is correct that DHS and ISCD could further aid this legitimate risk reduction effort by being more forthcoming about the number and types of facilities that have exited the program by reducing and/or eliminating their COI inventories. As I have said on a number of occasions, requiring a specific IST review/implementation process ignores the complexity of the situation, but ISCD should be providing information gleaned (and anonymized) from former CFATS facilities to similar facilities to make the process somewhat less complicated.

Saturday, February 17, 2018

NIST Framework Update – 02-17-18

This week the National Institute of Standards and Technology updated their Cybersecurity Framework web site. Only two things of potential new interest on the redesigned web site; new CSF ‘Online Learning’ and a brief announcement about the date of the next CSF Workshop.

Framework Learning

The new Online Learning page is going to be a disappointment to anyone that expects NIST to provide some new high-tech learning environment. What NIST has provided is three new pages with old-fashioned written discussions with minimal graphics addressing the following topics:

• Components of the Framework;
• Uses and Benefits of the Framework; and
History and Creation of the Framework.

The information presented is useful and well written. It is just odd to see this presentation format used to address such a modern issue. Actually, I kind of liked it.

Framework Workshop

The new Latest Update page announces that NIST intends to hold their next CSF workshop on September 11th -13th, 2018 in the Washington, DC area. Further information will be published in the coming weeks.


Back in December NIST published the latest draft version of CSF v1.1 for comments. The comment period closed on January 18th. NIST has still not published the comments that it has received. The Latest Update page still notes that: “All responses will be published publicly in the coming weeks.”

NIST has chosen not to use the Federal eRulemaking Portal (www.Regulations.gov) to receive comments for a variety of reasons. Most importantly, the justification is that the CSF is not a regulatory regime, so that particular public comment process is not necessary.

In earlier iterations of the CSF process NIST published the responses on the CSF web site as they came in. This allowed interested parties to see what other interested individuals and organizations were saying and add their two-cents worth as appropriate. It also allowed gadflies like myself to conduct on-going analysis and comments (see here for example) as the comments came in. Again, I would like to think that commentators such as myself helped to publicize the CSF discussions and maybe even inspire some additional comments being submitted that would not have otherwise been made.

I am disappointed that NIST did not provide the cybersecurity community to see these comments as they came in. It makes the revision process look much more closed than were the earlier efforts. I am afraid that this type of government activity that is being moved back behind closed doors by an Administration that supposed to be ‘business friendly’. Failing to conduct public business in the public eye is not now, nor never has been ‘business friendly’.

We need NIST to move the CSF modification process fully back into the public spotlight.

Public ICS Disclosures – Week of 02-10-18

This week we have seen an apparently new zero-day reported in an Advantech product, an exploit for a previously released Siemens vulnerability, two new vendor reports from OSIsoft that have not been addressed by ICS-CERT and two vendor reports that were reported late this week that may show up in ICS-CERT advisories.

Advantech Zero-Day

Nassim Asrir reported a remote code execution vulnerability in the Advantech WebAccess product. The report on ExploitDB.com includes exploit code. Asrir reports that an attacker could remotely exploit the vulnerability to execute arbitrary OS commands via a single argument.

Siemens Exploit

M. Can Kurnaz published exploit code on ExploitDB.com this week for a previously published vulnerability in the Siemens SIPROTEC 4 and SIPROTEC Compact product families. ICS-CERT had previously reported that a relatively unskilled attacker could remotely exploit this vulnerability, but this just made it that much easier. A firmware patch was made available almost three years ago to mitigate this vulnerability, so hopefully this exploit will be of no practical use.

OSIsoft Advisories

This week OSIsoft released two new product updates that were specifically listed as ‘security updates’. The two products involved were PI Data Archive 2017 R2 and PI Vision 2017 R2.

There were five ‘issues’ reported in the PI Data Archive alert:

• Privilege escalation;
• Improper handling of serialization or comparison of a variable;
• Improper input validation;
• Authentication protocol flaws; and
High Availability authentication protocol flaws

The PI Vison alert notes that changes were made in the default configuration of HTTP headers to prevent a cross-site scripting issue and two information disclosure issues.

Possibly Pending on ICS-CERT

We have two vendor reports that were issued on Thursday that may still make it to the ICS-CERT site next week so I will just mention them in passing.

ABB does not generally report their advisories to ICS-CERT, but they updated their Meltdown & Spectre advisory that has been mentioned in ICS-CERT alert on the same topic.

Schneider released a new security advisory listing new products that were affected by one of the previously reported vulnerabilities in their FlexNet Publisher Licensing Service.

Friday, February 16, 2018

ISCD Publishes Two More Industry Outreach Fact Sheets

Today the DHS Infrastructure Security Compliance Division (ISCD) published links to two new fact sheets on their Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. The first is another in the recent series explaining the impact of the CFATS program on various industries; this one addresses laboratories. This is part of the ongoing ISCD outreach effort designed to connect with facilities that have not realized that they may be covered under the CFATS program. The second fact sheet outlines the first steps that a facility needs to take when it determines that it may be affected by the CFATS program.

Laboratory Outreach

This fact sheet is very similar in format and information to the ones that I have previously discussed. The major difference is that the list of potentially affected chemicals is significantly different. One major difference in the list is that it includes a wide variety of chemical warfare agents. Unfortunately, ISCD failed to address the most contentious issue associated with those chemicals; the incredibly small amount (100-g) that qualifies as a screening threshold quantity (STQ) that would require reporting under CFATS.

First Steps

This fact sheet outlines the initial steps that a chemical facility needs to take when it suspects that it may be covered by the CFATS regulations (6 CFR 27), culminating in the submission of a Top Screen. The steps outlined include:

• Check your chemicals of interest (COI);
• Complete Chemical-terrorism Vulnerability Information (CVI) training;
• Register your facility; and
Submit a Top Screen

As you would expect from a ‘fact sheet’ the explanations provided for each of the steps are very brief and lacking in detail. Fortunately, links are provided to the appropriate parts of the CFATS web site for a more detailed explanation.


There is one unusual comment in the first steps fact sheet that I do not recall having seen in any other ISCD publication to date. In the discussion of what constitutes a chemical facility under the CFATS regulations, the fact sheet notes that:

“Under CFATS, a chemical facility is any establishment, from a large facility to an individual person [emphasis added] which possesses or plans to possess at any point in time, certain COI at or above a specified quantity or concentration.”

The definition of ‘chemical facility’ under the CFATS regulations states that {§27.105}:

“Chemical Facility or facility shall mean any establishment [emphasis added] that possesses or plans to possess, at any relevant point in time, a quantity of a chemical substance determined by the Secretary to be potentially dangerous or that meets other risk-related criteria identified by the Department.”

That ‘any establishment’ term is undefined, and I suppose that it could be stretched to include an ‘individual person’. At the very least I would expect to hear some arguments from lawyers if ISCD attempted to push regulatory activity down to a personally owned laboratory not associated with a business.

Having said that, it is not beyond the bounds of possibility that there could exist personal labs (particularly in the biological, pharmaceutical or agricultural sectors) where COI could be found at or above the STQ. The fact that that such laboratories would generally be expected to have less security than a similar corporate lab or even an academic lab would be of potential concern to ISCD as a possible terrorist target.

I am not sure how ISCD would locate such labs in order to conduct outreach activities. I suspect that the most common way of identifying such labs would be as the result of investigations of chemical releases or other chemical incidents by local authorities. If it was a purely local investigation (not the CSB, EPA, or OSHA for instance), I doubt that the word would get back to ISCD.

Bills Introduced – 02-15-18

With the Senate heading home for a week in district (and the House preparing to do the same) there were 65 bills introduced yesterday. Of those, four may be of specific interest to readers of this blog:

HR 5040 To authorize the President to control the export, reexport, and transfer of commodities, software, and technology to protect the national security, and to promote the foreign policy, of the United States, and for other purposes. Rep. Royce, Edward R. [R-CA-39]

S 2444 A bill to provide for enhanced energy grid security. Sen. Cantwell, Maria [D-WA]

S 2445 A bill to provide for the modernization of the electric grid, and for other purposes. Sen. Cantwell, Maria [D-WA] 

S 2447 A bill to accelerate smart building development, and for other purposes. Sen. Cantwell, Maria [D-WA]

With all of these bills I will be looking for control system cybersecurity issues in determining whether or not to continue coverage of the bill in this blog. I suspect hat S 2444 has the highest chance of future coverage.

As always, the large number of bills introduced before an extended stay outside of Washington is seldom due to an increased interest in legislative activity. Most of the bills introduced yesterday will receive no consideration on the Hill. Most are introduced to allow the submitter to claim to be taking action of interest in speaking before organizations and financial supporters back home.

Thursday, February 15, 2018

ICS-CERT Publishes 4 Advisories and One ABB Update

Today the DHS ICS-CERT published four new control system security advisories for products from Schneider Electric (2), GE and Nortek. Additionally, they provided an update for a previously published advisory for products from ABB.

StructureOn Advisory

This advisory describes an unrestricted upload of file with dangerous type vulnerability in the Schneider StruxureOn Gateway software management program. The vulnerability is being self-reported.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to upload a malicious file to any directory on the device, which could lead to remote code execution. The Schneider security advisory reports that the file must be a .zip file with specifically modified metadata for this vulnerability to be exploited.

IGSS Mobile Advisory

This advisory describes two vulnerabilities in the Schneider IGSS Mobile application (iOS and Android). The vulnerabilities were reported by Alexander Bolshev (IOActive) and Ivan Yushkevich (Embedi). Schneider has produced updates for both versions. There is no indication that either researcher has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Improper certificate validation - CVE-2017-9968; and
Plaintext storage of password - CVE-2017-9969

ICS-CERT reports that a relatively low-skilled attacker with local access (okay they, actually said: “Locally exploitable”; that may not mean ‘local access’) could exploit the vulnerability to execute a man-in-the-middle attack. In addition, passwords can be accessed by unauthorized users.

NOTE: Marc Ayala pointed out to me that anyone can download these apps from the appropriate (iOs/Android) app store. This means that it would be easy to exploit a compromised mobile password. All the attacker needs to do is to get access to the IGSS configuration file on an oh so secure smart phone to compromise the password.

GE Advisory

This advisory describes two vulnerabilities in the GE D60 Line Distance Relay. The vulnerabilities were reported by Kirill Nesterov of Kaspersky Labs. GE has released new firmware that mitigates the vulnerability. There is no indication that Nesterov was provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2018-5475; and
• Improper restriction of operations within bounds of memory buffer - CVE-2018-5473

ICS-CERT reports that relatively low-skilled attacker could remotely exploit the vulnerability to execute arbitrary code on the device.

Nortek Advisory

This advisory describes a command injection vulnerability in the Nortek Linear eMerge E3 Series access control interface. The vulnerability was reported by Evgeny Ermakov and Sergey Gordeychik. Nortek recommends upgrading the system using established procedures. There is no indication that either researcher was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability  to execute malicious code on the system with elevated privileges, allowing for full control of the server.

ABB Update

This update provides additional information on an advisory that was originally published on November 14th, 2017. The update reports that the new update of Mesh OS mitigates the KRACK vulnerability in these devices.

NOTE: The updated ABB security advisory that forms the basis for this ICS-CERT update was published on January 11th, 2018.

Wednesday, February 14, 2018

House NHTSA Oversight Hearing

Today the Digital Commerce and Consumer Protection Subcommittee of the House Energy and Commerce Committee held an oversight hearing looking at the DOT’s National Highway Transportation Safety Administration (NHTSA). The sole witness at the hearing was Heidi King, the Deputy Administrator (the de facto Administrator since no one has yet been nominated to that position) for NHTSA.

There was no mention of cybersecurity in any of the statements published on the Committee’s web site (Committee Chair Latta, Subcommittee Chair Walden, and Ms King), but the Committee Staff background memo does include (pg 6) a brief, 3-paragraph, summary of cybersecurity issues related to automated driving systems.

Watching the video of the hearing it is clear that this was intended to be a wide ranging oversight hearing that touched on a number of issues. Unfortunately, few of the congress critters asking questions had much interest in cybersecurity issues. There were only three cybersecurity related question (at 1 hour 10 minutes, at 1 hour 20 minutes and at 2 hours 30 minutes into the video). King’s responses to the questions were very generic with the one strong point being made that she appreciated the formation of the Automotive ISAC.

King did make a very interesting point in her response to the last question, from Rep. Costello (R,PA). She noted that vehicle owners had a very important role to play in regard to vehicle cybersecurity. After once again praising the formation of the Auto ISAC, she said:

“Cybersecurity is not the domain of highly technical experts alone, but in fact cybersecurity is a concern to all of us. We see from our own experience, whether it be in our home computers or in our phones, there may be vulnerabilities that are driven by users, and so part of the cybersecurity journey will be to educate all of us to be thoughtful about how we use our devices or our cars, and make sure that we are all partners in our cybersecurity journey.”

It will be interesting to see if the auto industry actually attempts to try to make autonomous vehicle cybersecurity inherently secure, or whether they will follow the model of the computer and smart phone manufacturers and make security a feature that must be selected by the owner, often without specifically notifying the owner of the security options available.

/* Use this with templates/template-twocol.html */