Bills Introduced – 05-24-18

Yesterday, with both the House and Senate preparing to leave Washington for their long Memorial Day Weekend, there were 75 bills introduced. Of these, four bills may be of specific interest to readers of this blog:

HR 5952 Making appropriations for the Departments of Commerce and Justice, Science, and Related Agencies for the fiscal year ending September 30, 2019, and for other purposes. Rep. Culberson, John Abney [R-TX-7]

HR 5961 Making appropriations for Agriculture, Rural Development, Food and Drug Administration, and Related Agencies programs for the fiscal year ending September 30, 2019, and for other purposes. Rep. Aderholt, Robert B. [R-AL-4]

S 2975 An original bill making appropriations for energy and water development and related agencies for the fiscal year ending September 30, 2019, and for other purposes. Sen. Alexander, Lamar [R-TN]

S 2976 An original bill making appropriations for Agriculture, Rural Development, Food and Drug Administration, and Related Agencies programs for the fiscal year ending September 30, 2019, and for other purposes. Sen. Hoeven, John [R-ND] 

ICS-CERT Publishes 2 Advisories and 3 Updates

Today the DHS ICS-CERT published a control system security advisory for products from Schneider Electric and a medical device security advisory for products from BeaconMedaes. They also published updates to previously published advisories for products from Rockwell, Siemens, and Martem.

Schneider Advisory

This advisory describes three vulnerabilities in the Schneider Floating License Manager. The vulnerabilities are being self-reported. Schneider has new versions available to mitigate the vulnerabilities.

The three reported vulnerabilities are:

• Heap-based buffer overflow - CVE-2016-2177;

• Improper restriction of operations within bounds of a memory buffer - CVE-2016-10395; and

• URL redirection to an untrusted site - CVE-2017-5571

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to cause a denial of service, allow arbitrary execution of code with system level privileges, or send users to arbitrary websites.

BeaconMedaes Advisory

This advisory describes three vulnerabilities in the BeaconMedaes TotalAlert Scroll Medical Air Systems web application. These vulnerabilities were reported by Maxim Rupp. BeaconMedaes has a new version that mitigates the vulnerability, There is no indication that Rupp has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Improper access control - CVE-2018-7526;

• Insufficiently protected credential - CVE-2018-7518; and

• Unprotected storage of credentials - CVE-2018-7515;

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities  to view and potentially modify some device information and web application setup information, which does not include access to patient health information.

NOTE: These vulnerabilities were not reported on the FDA Medical Device Safety Communication site.

Rockwell Update

This update provides new information on an advisory that was originally published on May 10^th, 2018. The new information is supposed to be a link to the Rockwell security advisory [log-in required]. Unfortunately, that link is to the Rockwell Arena advisory (the ICS-CERT advisory for that was publicly published on the same day as the Factory Talk advisory that is currently being updated here. The correct link is https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1073133.

Siemens Update

This update provides new information on an advisory that was originally published on May 8^th, 2018. The new information is a revision to the instructions as to how owner/operators should go about getting the updated version. It removed the original link to the ‘hotfix’ and substitutes the instruction to “Obtain the update via the local Siemens representative”.

Martem Update

This update provides new information on an advisory that was originally published on May 22^nd, 2018. The new information is links to the Martem advisories for vulnerability CVE-2018-10603 and CVE-2018-10607. A link to the Martem advisory for the third vulnerability was already included in the initial ICS-CERT advisory.

S 2836 Introduced – UAS Interdiction

Earlier this month Sen. Johnson (R,WI) introduced S 2836, the Preventing Emerging Threats Act of 2018. The bill would provide somewhat limited authority to DHS and DOJ to mitigate the threat “that an unmanned aircraft system or unmanned aircraft poses to the safety or security of a covered facility or asset” {new §210G(a)}. In many ways this bill is similar to HR 5366.

Authorized Actions

This bill would amend the Homeland Security Act of 2002 by adding a new section, §210G. It would authorize DHS and/or DOJ to take the following actions {§210G(b)(1)}:

• Detect, identify, monitor, and track the unmanned aircraft system or unmanned aircraft, without prior consent, including by means of intercept or other access of a wire communication, an oral communication, or an electronic communication used to control the unmanned aircraft system or unmanned aircraft;

• Warn the operator of the unmanned aircraft system or unmanned aircraft, including by passive or active, and direct or indirect physical, electronic, radio, and electromagnetic means;

• Disrupt control of the unmanned aircraft system or unmanned aircraft, without prior consent, including by disabling the unmanned aircraft system or unmanned aircraft by intercepting, interfering, or causing interference with wire, oral, electronic, or radio communications used to control the unmanned aircraft system or unmanned aircraft;

• Seize or exercise control of the unmanned aircraft system or unmanned aircraft;

• Seize or otherwise confiscate the unmanned aircraft system or unmanned aircraft; or

• Use reasonable force to disable, damage, or destroy the unmanned aircraft system or unmanned aircraft.

The definition of ‘covered facility or asset’ describes facilities designated by the Secretary or Attorney General that directly relates to {new §210G(k)(3)(C)}:

• Specific DHS missions related to Coast Guard and US Customs and Border Protection security operations, protection operations of the Secret Service, or protection of federal property under 40 USC 1315;

• Specific DOJ missions related to FBI and Marshals Service protection operations, Federal Bureau of Prisons operations,  or protection of DOJ facilities and Federal Courts;

• Specific DHS or DOJ missions related to National Special Security Events and Special Event Assessment Rating events, protection of people and property at mass gatherings (when requested by State, local or tribal governments), active Federal law enforcement investigations, emergency responses, or security operations, or when a national security threat has been identified.

The authority to undertake these actions would expire five years after the legislation is adopted with a one-time presidential authority to extend that authority for 180-days.

UAS and Critical Infrastructure Assessment

Paragraph 210G(l) would require DHS to conduct an assessment of the threat of UAS to critical infrastructure and domestic large hub airports. That assessment would include {new §210G(l)(1)}:

• An evaluation of current Federal and State, local, or tribal law enforcement authorities to counter the threat identified;

• An evaluation of the knowledge of, efficiency of, and effectiveness of current procedures and resources available to owners of critical infrastructure and domestic large hub airports when they believe a threat from unmanned aircraft systems is present;

• An assessment of what, if any, additional authorities the Department needs to counter the threat identified; and

• An assessment of what, if any, additional research and development the Department needs to counter the threat.

Moving Forward

Johnson is the Chair of the Senate Homeland Security and Governmental Affairs Committee to which this bill was assigned for consideration. This certainly means that this bill is likely to be considered in Committee. And with two influential Committee Democrats {Sen. McCaskill (D,MO) and Sen. Heitkamp (D,ND)} as co-sponsors it would seem that there is probably enough bipartisan support for this bill to be favorably reported by the Committee.

Commentary

The differences between these two bills show a very different approach to the matter while trying to accomplish almost the same ends. The House bill amended 18 USC which immediately ensured that the Judiciary Committee would have to be included in the deliberations. Johnson’s bill amends just the Homeland Security Act which limits the consideration to just the Homeland Security Committee even though the DOJ is specifically included in the bill.

Another major difference is that the House bill specifically listed the provisions of 18 USC that were excepted in providing DHS and DOJ with authority to take counter-UAS activities. This bill exempts “any provision of title 18, United States Code” {new §210G(a)} from interfering with these activities. It seems to me that the Johnson approach is overly broad and would inadvertently provide DHS and DOJ from coverage for all sorts of otherwise illegal acts if they can claim they were in support of covered anti-UAS activities.

Unlike the House bill, S 2836 puts off the issue of protecting critical infrastructure from UAS mounted attacks until some unknown future date after DHS completes their assessment and gets back to Congress. While critical infrastructure owners (including State, local and tribal governments) certainly should be concerned about the delay, I think that this is a generally reasonable approach to a very complex, resource intensive, and difficult problem.

DHS and DOJ are going to have a very difficult time adding the additional manpower and equipment needed to provide the activities outlined in this bill if they are going to provide continuous protection for the fixed facilities outlined in the bill. I suspect that initially the two Departments will concentrate on providing as needed protections when a specific threat is identified ahead of time. This will still require the addition of counter-UAS assets, but on a much more manageable scale.

The more limited approach taken by this bill (and the fact that it will actually get considered in Committee) may make it easier to get this bill passed, but I still think that there is going to be significant opposition from parties that will be reluctant to authorize activities that endanger aircraft.

HR 5515 Debate in House

Yesterday the House began their debate on HR 5515, the National Defense Authorization Act for FY 2019. The initial rule for the consideration of HR 5515 made 103 of the 564 proposed amendments in order for consideration.

Of the nine amendments that I had identified as being of potential interest here, only one made the short list; #189 submitted by Rep. Jackson-Lee (D,TX) regarding cybersecurity apprenticeships. That amendment was adopted as part of en block amendment #6 at the close of debate last night.

Apprenticeship Amendment

The Jackson-Lee amendment would require DOD to submit a “report on the feasibility of establishing a Cybersecurity Apprentice Program to support on-the-job training for certain cybersecurity positions and facilitate the acquisition of cybersecurity certifications.” The amendment does not define the term ‘certain cybersecurity positions’ nor does it explicate the certifications to be considered.

Today’s Debate

The debate will resume today under the provisions of a second rule. Under that rule an additional 168 amendments from the list of 564 submitted will be allowed to be proposed on the floor. Only one more of the amendments that I previously identified made it to the second short list; amendment # 357, the Coast Guard Authorization Act of 2017. It will be debated as amendment # 52.

CG Authorization

While this amendment is entitled “the Coast Guard Authorization Act of 2017” it does not look anything like HR 2518 or S 1129 with the same title. Neither of those bills contained any language of particular interest here. This amendment does, however, contain language of potential interest to readers of this blog; these two sections in particular:

§319. Protecting against unmanned aircraft (pg 93);

§602. Maritime Security Advisory Committees (pg 200);

Section 319 would add a new §528 to 14 USC. That section would authorize DHS to take actions to mitigate the threat “that an unmanned air craft system or unmanned aircraft poses to the safety or security of a covered vessel or aircraft” {new §528(a)} with exceptions to current law (18 USC 32, 18 USC 1030, 18 USC 2510–2522, 18 USC 3121–3127, and 49 USC 46502) being provided to allow such actions. The allowed actions would specifically include {new §528(c)}:

• Detect, identify, monitor, and track the unmanned aircraft system or unmanned aircraft, without prior consent, including by means of intercept or other access of a wire, oral, or electronic communication used to control the unmanned aircraft system or unmanned aircraft;

• Warn the operator of the unmanned aircraft system or unmanned aircraft, including by passive or active, and direct or indirect physical, electronic, radio, and electromagnetic means;

• Disrupt control of the unmanned aircraft system or unmanned aircraft, without prior consent, including by disabling the unmanned aircraft system or unmanned aircraft by intercepting, interfering, or causing interference with wire, oral, electronic, or radio communications used to control the unmanned aircraft system or unmanned aircraft;

• Seize or exercise control of the unmanned aircraft system or unmanned aircraft;

• Seize or otherwise confiscate the unmanned aircraft system or unmanned aircraft; or

• Use reasonable force to disable, damage, or destroy the unmanned aircraft system or unmanned aircraft.

The definition of ‘covered vessel or aircraft’ is somewhat limited and regulations implementing this section will be required.

Section 602 is a complete re-write of 49 USC 70112. It looks, however, as if the rewrite was done to make the section easier to read with less bouncing back and forth between information about the National Maritime Security Advisory Committee and Area Maritime Security Advisory Committees.

Moving Forward

The debate on HR 5515 resumes today and will probably finish today. I suspect that amendment #52 will be adopted.

Again, the Senate will take up its own version of the bill which is being marked up this week. A conference committee with then work out the differences between the two bills. There is a decent chance that this process could be completed before the summer recess.

ICS-CERT Publishes 2 Advisories

Today the DHS ICS-CERT published a control system security advisory for products from Martem. They also published a medical device security advisory for products from Becton, Dickinson and Company (BD).

Martem Advisory

This advisory describes three vulnerabilities in the Martem TELEM-GW6/GWM products. The vulnerabilities were reported by Bernhards Blumbergs and Arturs Danilevics of CERT.LV, Latvia. Martem has described work arounds to mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Missing authentication for critical function - CVE-2018-10603;

• Uncontrolled resource consumption - CVE-2018-10607; and

• Cross-site scripting - CVE-2018-10609

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to allow execution of unauthorized industrial process control commands, denial of service, or client-side code execution.

BD Advisory

This advisory describes three separate SQL related vulnerabilities in the BD BD Kiestra and InoqulA systems. These vulnerabilities are being self-reported. BD intends to have mitigations in place by July. In the mean-time BD has described workarounds to mitigate the vulnerabilities.

The following applications in the affected products fail to warn users of unsafe actions:

• Database (DB) Manager;

• ReadA Overview; and

• PerformA

ICS-CERT reports that an uncharacterized attacker with access to an adjacent network could exploit the vulnerabilities which may lead to loss or corruption of data.

NOTE: These vulnerabilities have not been reported on the FDA Medical Device Safety Communications site.

Bills Introduced – 05-21-18

With both the House and Senate back in town yesterday, there were 25 bills introduced. Of those, two may be of specific interest to readers of this blog:

HR 5895 Making appropriations for energy and water development and related agencies for the fiscal year ending September 30, 2019, and for other purposes. Rep. Simpson, Michael K. [R-ID-2]

S 2887 A bill to amend title 10, United States Code, to provide for the establishment and operation of reserve component cyber civil support teams, and for other purposes. Sen. Cantwell, Maria [D-WA]

As is usual with these spending bills, I will be watching for items of potential interest to readers of this blog. With HR 5895 I will be specifically looking for cybersecurity and chemical safety provisions.

There has been a great deal of talk about these type units over the last couple of years. It will be interesting to see how Cantwell addresses the issue in S 2887. As always, I will be watching for definitions and provisions that specifically address control system security issues.

ISCD Updates Two Fact Sheets

Yesterday the DHS Infrastructure Security Compliance Division updated their Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. One ‘latest news’ item announced the publication of two updated CFATS fact sheets. A second item talked about the upcoming regional meeting. And, finally, ISCD re-did the ‘Documentation’ section, providing links to the above items and eliminating many of the outdated documents that had been accumulating in the section.

Fact Sheets

The two updated fact sheets dealt with Risk Based Performance Standard (RBPS) #9 (Response) and the Infrastructure Protection (IP) Gateway. The RBPS 9 fact sheet was originally published last July. The IP Gateway fact sheet was older, being originally published in 2015.

The changes to the RBPS 9 fact sheet are relatively minor. In the opening paragraph they clarified that the CFATS program was designed to ensure security measures were in place to protect against “hazardous chemicals being exploited in a terrorist attack” rather than to “reduce the risks associated with their chemicals”. The second change was to add a bullet point about the IP Gateway in the discussion about DHS compliance assistance and outreach.

The IP Gateway fact sheet, on the other hand, under went a complete re-write. The fact sheet explains that the IP Gateway was established as part of the Obama Administration’s efforts under EO 13650, Improving Chemical Facility Safety and Security. It was established to help share chemical safety and security information from federal agencies (like ISCD) with other Federal, State, local and tribal government agencies.

The revised fact sheet does a better job of explaining both what CFATS facility information is shared with these government agencies and how that information is required to be protected by those agencies. One important part of the revision is a link to a web site that provides even more information about the IP Gateway Program.

Regional Meeting

The brief news item on the West Regional Meeting that I have been discussing for the last week or so (most recently here). There is little new information either in the news entry or in the new flyer linked to in the Documentation section. ISCD is, however, using the CFATS Knowledge Center as an additional way to reach out to facilities to ensure that they know about their DHSChemSecurityTalks program.

Documents Section Update

I have not mentioned it (because I am an information junky) but the Documentation section of the CFATS Knowledge Center has become rather bloated over the last year or so. Part of this is because ISCD has been actively working to ensure that they are communicating with the regulated (and potentially regulated) community and has been producing a large number of outreach documents. Unfortunately, part of the bloat has also been because of a failure to routinely purge the section of outdated materials. Yesterday that purge was done. Things like old monthly update notices were removed from the section. Even with the addition of the three new products mentioned above, the total number of documents listed in the Section went from 69 down to 54. There are still plenty of informative documents listed on the site.

Interestingly, it seems that removal of the document listings does not mean that the documents have been removed from the web site. There is at least one old monthly update for which the old link still works; at least as of this morning.