Committee Hearings – Week of 04-22-18

With both the House and Senate in Washington this week things start to get busy before the primary season starts to make Congress really political. In addition to marking up the FY 2019 National Defense Authorization bill and budget hearings we have three hearings that may be of potential interest to readers of this blog; HR 4 and cybersecurity.

NDAA Markup

The introduced version of HR 5515, the National Defense Authorization Act for Fiscal Year 2019 was published last week. It has a number of large holes in it that will be filled this week by subcommittee markups. The full Armed Services Committee will not finish the markup process until the House comes back from their spring break the week after next. These two subcommittee hearings may be of specific interest:

April 26^th – Readiness Subcommittee;

April 26^th – Emerging Threats and Capabilities Subcommittee;

Budget

There are still a number of hearings being held looking at the President’s proposed budget. This week there is only one that may be of specific interest here:

April 26^th, DHS, House Homeland Security;

HR 4 Rule

As I mentioned over the weekend, the House Rules Committee will be holding a hearing on Tuesday to formulate the rule for the consideration of HR 4, the FAA Reauthorization Act of 2018, later this week. Two hundred and thirty-one proposed amendments have been submitted to the Committee for possible consideration on the floor of the House; the vast majority will not make it. Fourteen of those amendments deal with unmanned aircraft systems and two deal with cybersecurity issues. A large number of the rest deal with airport noise issues, a perennial concern of congresscritters. The bill will probably make it to the floor on Thursday.

Cybersecurity

On Tuesday the Senate Homeland Security and Governmental Affairs Committee will hold a hearing on “Mitigating America’s Cybersecurity Risk”. The witness list includes:

• Jeanette Manfra, DHS;

• Gregory C. Wilshusen, GAO; and

• Eric Rosenbach; Harvard University

This hearing could go one of two ways; most likely a look at cybersecurity issues in the Federal government (always a problem), or it could look at the cybersecurity concerns in critical infrastructure that we have been hearing about in the mainstream news. In either case it will likely be a high-level policy type discussion rather than focusing in-depth on any actual security issues.

HR 4 Introduced – FAA Reauthorization

Earlier this month Rep. Schuster (R,PA) introduced HR 4, the FAA Reauthorization Act of 2018. The bill includes a number of provisions that address unmanned aircraft system (UAS) operations and aviation cybersecurity.

UAS Provisions

The bill addresses UAS issues in two separate sub-titles; Sub-Title B of Title 3 and Sub-Title C of Title 7. Between these two sub-titles there are 17 separate sections addressing a wide variety of UAS topics. Of those, the following may be of specific interest to readers of this blog:

§337. Evaluation of aircraft registration for small unmanned aircraft;

§338. Study on roles of governments relating to low-altitude operation of small unmanned aircraft;

§341. Cooperation related to certain counter-UAS technology.

Section 337 of the bill requires FAA to “develop and track metrics to assess compliance with and effectiveness of the registration of small unmanned aircraft systems” {§337(a)} required by the interim final rule published in December of 2015. It would also require the DOT Inspector General to report to Congress on both the metric development required and the overall “reliability, effectiveness, and efficiency of the Administration’s registration program for small unmanned aircraft” {§337(b)(2)}.

Section 338 of the bill requires the DOT Inspector General to begin a study of the “the regulation and oversight of the low-altitude operations of small unmanned aircraft and small unmanned aircraft systems” {§338(a)(1)} and the appropriate roles of Federal, State, local, and Tribal governments in regulating UAS operations below 400 ft above ground level (AGL). An obligatory report to Congress is required.

Section 341 of the bill would require DOT to consult with DOD about efforts to streamline the deployment of systems “in the national airspace system intended to mitigate threats posed by errant or hostile unmanned aircraft system operations”.

Cybersecurity Provisions

The cybersecurity sub-title includes six sections. Of these, the following three sections may be of specific interest to readers of this blog:

§732. Cabin communications, entertainment, and information technology systems cybersecurity vulnerabilities.

§733. Cybersecurity threat modeling.

§736. Cybersecurity research and development program.

Section 732 would require the FAA to “determine the research and development needs associated with cybersecurity vulnerabilities of cabin communications, entertainment, and information technology systems on civil passenger aircraft” {§732(a)}. Those R&D needs would include an assessment of:

• Technical risks and vulnerabilities;

• Potential impacts on the national airspace and public safety; and

• Identification of deficiencies in cabin-based cybersecurity.

Section 733 would require the FAA, in consultation with the National Institute of Standards and Technology, to “develop an internal FAA cybersecurity threat modeling program to detect cybersecurity vulnerabilities, track how those vulnerabilities might be exploited, and assess the magnitude of harm that could be caused by the exploitation of those vulnerabilities” {§733(a)(1)}.

Section 736 would require the FAA to “establish a research and development program to improve the cybersecurity of civil aircraft and the national airspace system” {§737(a)}. In support of that program the FAA would be required to establish a plan to implement that program. The plan would include objectives, proposed tasks, milestones, and a 5-year budgetary profile. The FAA would also be required to commission a National Academies study of that plan.

Moving Forward

This bill is scheduled to be considered by the House this week. The House Rules Committee will hold a hearing on Tuesday to prepare the rule for the consideration of the bill. There have been 231 proposed amendments to the bill submitted to the Committee for consideration. These amendments include a number that address either UAS or cybersecurity provisions.

I suspect that we will have a managed rule for this bill that will include a relatively small number of those amendments. I suspect that the bill will pass with at least some bipartisan support. This is one of those ‘must pass’ bills that Congress has to deal with every year. We have not yet seen a Senate version of the bill, but the Senate will take up their own version of the bill which typically means that a conference committee will have to be convened to work out the differences between the two versions.

Commentary

I am more than a little concerned that this bill addresses (§341) the deployment of weapon systems to mitigate the threat of UAS systems without addressing the legal issues associated with interfering with the operation of aircraft. While the bill does not specifically mention weapons the vague use of the phrase “systems in the national airspace system intended to mitigate threats” can only be considered weapons. Whether those weapons conduct physical attacks to destroy the UAS or electronic attacks to cause the UAS to crash (any landing outside of the control of the pilot/operator is a crash; controlled or otherwise) still mean that the systems employed are weapons.

See my discussion of HR 5366 to see the extent of the legal complications that are apparently being ignored in this section.

ISCD Updates SSP Instruction Manual – 04-12-18

Earlier this week the DHS Infrastructure Security Compliance Division (ISCD) published a link to a new version of their Security Vulnerability Assessment (SVA) – Site Security Plan (SSP) Instructions manual on the SVA-SSP manual web site. This manual explains the question asked in the SVA-SSP portion of the Chemical Security Assessment Tool (CSAT) for the Chemical Facility Anti-Terrorism Standards (CFATS) program.

As has become the standard for CSAT manuals, ISCD has stopped including version numbers and explanation of changes made in this new version. A quick review of the Table of Contents and a random check of pages seems to indicate that the changes made to this manual are minor changes in explicatory language rather than policy or substantive changes in processes. Even so, Facility Security Managers will want to have the newest version of the manual on-hand.

The last time this manual was updated was March of last year.

NIST Publishes CSF v1.1

Earlier this week the National Institute of Science and Technology announced the released version 1.1 of their Cybersecurity Framework (CSF). According to the CSF web page, this new version includes updates on:

• Authentication and identity,

• Self-assessing cybersecurity risk,

• Managing cybersecurity within the supply chain and

• Vulnerability disclosure.

An accompanying fact sheet outlines the three components of the CSF and summarizes the key points about the newest version of the CSF:

• Refined for clarity, it’s fully compatible with v1.0 and remains flexible, voluntary, and cost-effective;

• Declares applicability for "technology," which is minimally composed of Information Technology, operational technology,          cyber-physical systems, and Internet of Things

• Clarifies utility as a structure and language for organizing and expressing compliance with an organization’s own cybersecurity requirements;

• Enhances guidance for applying the Cybersecurity Framework to supply chain risk management;

• Summarizes the relevance and utility of Cybersecurity Framework measurement for organizational self-assessment; and

• Better accounts for authorization, authentication, and identity proofing

Vulnerability disclosure is addressed in a new sub-category (#5) in Respond – Analysis (pg 42). That subcategory notes that:

“Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)”

The references for that sub-category are listed as:

• CIS CSC 4, 19;

• COBIT 5 EDM03.02, DSS05.07; and

• NIST SP 800-53 Rev. 4 SI-5, PM-15

Public ICS Disclosures – Week of 04-14-18

This week we have four new vendor reported vulnerabilities (all from ABB) and two vendor updates of previously disclosed vulnerabilities (both from Siemens).

Industrial Products Spectre and Meltdown Update

This update provides new mitigation information (for SIMATIC IPC427D, SIMATIC IPC477D, SIMATIC FieldPG M4) on the previously reported Spectre and Meltdown vulnerabilities in Siemens Industrial Products. The Industrial Products vulnerability was reported in the ICS-CERT Meltdown and Spectre Vulnerabilities Alert, but ICS-CERT does not issue an update for multivendor products when listed product advisories are updated.

To be fair, the link in the latest version of the ICS-CERT alert does take you to the latest version of the Siemens advisory, but you have no way of knowing that new information is available just by looking at the ICS-CERT alert. This is an ongoing issue for all ICS-CERT alerts/advisories covering multiple vendor vulnerabilities.

SIMATIC Denial of Service Vulnerability Update

This update provides new mitigation information (for SIMATIC BATCH V8.0 and V8.1) on the previously reported denial of service vulnerability in the Siemens SIMATIC product line. I am not sure why ICS-CERT did not update their advisory for this product on Thursday when they updated the SIMATIC IPC advisory that was released the same day.

Relion 630 Series Advisory #1

This advisory describes a weak database encryption vulnerability in the ABB Relion 630 Series relays. This vulnerability was privately reported to ABB. ABB has no plans of corrective measures for this specific issue in the affected products.

ABB reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerability to delete or modify the database. Removing or modifying the database will make the device inoperable. ABB notes that the database contains cross reference data for faster indexing and searching and does not contain any secret information.

Relion 630 Series Advisory #2

This advisory describes a path traversal vulnerability in the IEC 61850 Manufacturing Message Specification (MMS) implementation in the ABB Relion 630 Series relays. The vulnerability was privately reported to ABB. ABB has new versions that mitigate the vulnerability.

ABB reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerability to retrieve any file on the device’s flash drive without authentication on the device or make the product inoperative by deleting files from the device’s flash drive.

It is not clear if this is a problem that is unique to ABB implementation of the IEC 61850 MMS or whether it may apply to other vendor devices as well.

Relion 630 Series Advisory #3

This advisory describes a terminal reboot vulnerability in the SPA communications protocol in the ABB Relion 630 Series relays. The vulnerability was privately reported to ABB. ABB has new versions that mitigate the vulnerability.

ABB reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerability to reboot the device resulting in a denial of service situation. During the reboot phase, the primary functionality of the device is not available.

PCM600 and SAB600 Advisory

This advisory describes multiple vulnerabilities in the Sentinel HASP Run‐time Environment in the ABB PCM600 and SAB600 substation management devices. These vulnerabilities are apparently the Gemalto license management problems reported by Kaspersky Labs; ABB is reporting only four of the fourteen Gemalto vulnerabilities. ABB has new versions that mitigate the vulnerabilities.

ABB reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerability to cause a buffer overflow. Buffer overflows may allow remote attackers to execute arbitrary code or to shut down the remote process (a denial of service).

ISCD Adds New FAQ to CFATS Knowledge Center

Today the DHS Infrastructure Security Compliance Division (ISCD) posted a new frequently asked question (FAQ) to their Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center web site. The new FAQ (#1791) asks: “What are Reportable Chemicals?” The answer is supposed to be a ‘video tutorial’, but the FAQ response does not actually show the video. If you right-click on the video box and copy the video address and then paste that into your browser you get (actually, I get; I don’t know what you will see) the following error message:

“Communication Error (tcp_error)

RP1a A communication error occurred: ""

The Web Server may be down, too busy, or experiencing other problems preventing it from responding to requests. You may wish to try again at a later time.”

The idea of using a video to explain regulatory issues fits in with the times as the YouTube generation seems to prefer getting information from videos rather than reading explanatory documents. Unfortunately, ISCD appears to be having some technical issues with embedding the video in their FAQ response. Perhaps they should have put the video on the DHS YouTube channel and then just provided a link to the video.

House Subcommittee Marks-Up Energy Security Bills

On Wednesday the Subcommittee on Energy, of the House Committee on Energy and Commerce, held a markup hearing on five energy bills. Four of the bills have been covered in this blog and those bills passed on voice votes; two of them were amended with substitute language from the original offerors. The four the bills that have been addressed in this blog:

• HR 5174, Energy Emergency Leadership Act;

• HR 5175, Pipeline and LNG Facility Cybersecurity Preparedness Act (amended);

• HR 5239, Cyber Sense Act (amended); and

• HR 5240, Enhancing Grid Security through Public-Private Partnerships Act

HR 5175 Changes

The one change made to HR 5175 in the substitute language is relatively minor. It adds a phrase to §2(1) to expand the coordination requirement by adding: “including through councils or other entities engaged in sharing, analysis, or sector coordinating”.

HR 5239 Changes

The changes to HR 5239 are mainly grammatical and would have little to do with the operation of the Cyber Sense program that is proposed by this bill. There is one potentially significant change; §2(b)(7) from the original bill was removed. That paragraph had provided a requirement for the Secretary of Energy to “establish procedures for disqualifying products that were tested and identified as cyber-secure under the Cyber Sense program but that no longer meet the qualifications to be identified cyber-secure products”. There is nothing in the revised program that would prohibit that disqualification.

Moving Forward

The bipartisan support received in the subcommittee will almost certainly be duplicated when these bills are taken up by the whole committee. The question then will be to see if the sponsors and the Committee leadership have enough influence (or are willing to expend the effort to influence) to bring these bills before the full House. I firmly expect that we will see some version of these bills reach the floor under the suspension of the rules procedure in the House. Again, that means limited debate and no floor amendments. I would not be surprised to see all five bills considered on a single day.

Commentary

The removal of the language in HR 5239 providing for the establishment of a process to disqualify products that no longer meet the Cyber Sense standards brings up an interesting legal situation. As I said earlier, there is nothing in the bill that would specifically prohibit the Secretary from establishing such rules. But, having said that, a good lawyer could argue before a friendly judge that the removal of the specific authority to establish such a disqualification process from the language in the bill establishes a congressional intent that such authority can no longer be exercised by the Secretary absent specific authorization by Congress.

What this very well could end up meaning is that once a vendor becomes authorized to use the ‘Cyber Sense’ label on their product, they will no longer have to work to maintain the ‘Cyber Sense’ standards because the Secretary would not have the authority to require the vendor to remove the ‘Cyber Sense’ labeling. If the vendor flaunting of the ‘Cyber Sense’ standards becomes wide spread, the efficacy of the whole program would be called into question, destroying the process.

If this problem is to be addressed, it will almost certainly have to be done during the Energy and Commerce mark-up hearing that will probably be conducted in the next couple of weeks. After that, if the bill moves forward, it would almost certainly be under processes in both the House and Senate that would not allow for amendments to the bill from the floor.