Saturday, March 28, 2020

ISCD Publishes 60-day CVI ICR

CISA is publishing a 60-day ICR notice in Monday’s (available online today) Federal Register (85 FR 17593-17594) for an extension of the current Chemical-Terrorism Vulnerability Information (CVI) information collection request (ICR). This would cover the information ISCD would collect on-line from personnel requesting to become a CVI authorized user.

ICR Burden

The key to estimating the burden of the ICR is to determine the number of people that will be attempting to become CVI certified. CISA provides the last three years of data on the applications, but notes: “Due to past fluctuations and uncertainty regarding the number of future respondents, CISA believes that 20,000 continues to be a reasonable estimate.” This results in an extension of the current burden (estimate below) without change.

• Number of respondents – 20,000
• Time per respondent – 30-min
• Annual time burden – 10,000-hours

With an estimated average hourly wage for requestors being $79.75 this brings the annual cost burden to $797,474 per year.

Public Comments

CISA is soliciting public comments on this ICR notice. Comments may be submitted via the Federal eRulemaking Portal (; Docket # CISA-2020-0002). Comments are due by May 29th, 2020.

COVID-19 and Terrorism – 3-28-20

I briefly mentioned yesterday that the threat from domestic terrorists may be increased during the COVID-19 pandemic. Here is a brief reading list of recent articles supporting that view. These are not intelligence reports by any means, but they do offer some insights into the potential problem.

I will share more information along these lines as it becomes available.

Public ICS Disclosures – Week of 03-21-20

This week we have five vendor disclosures for products from Phoenix Contact (2), 3S (2) and Philips along with an update of a previous vendor disclosure from Belden. There is also an exploit publication for products from GE. Finally, an interesting look at control system security and COVID-19 ‘industrial distancing’.

Phoenix Contact Advisories

Phoenix Contact published an advisory [.PDF download link] describing a privilege escalation vulnerability in their Portico Remote desktop control software. The vulnerability was reported by an unnamed researcher. Phoenix Contact has a new version that mitigates the vulnerability. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.

Phoenix Contact published an advisory [.PDF download link] describing an insecure permissions vulnerability in their PC WORX SRT. The vulnerability was reported by Sharon Brizinov of Claroty. Phoenix Contact provides generic workarounds to mitigate the vulnerability.

3S Advisories

3S published an advisory [.PDF download link] describing an out-of-bounds memory buffer access vulnerability in their CODESYS communication protocol. The vulnerability was reported by Carl Hurd of Cisco Talos and an OEM customer. 3S has a new version that mitigates the vulnerability. There is no indication that Hurd has been provided an opportunity to verify the efficacy of the fix.

NOTE: The Talos report includes proof-of-concept exploit code.

3S published an advisory [.PDF download link] describing a heap-based buffer overflow vulnerability in their Web Service application. The vulnerability was reported by Tenable. 3S has a new version that mitigates the vulnerability. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.

NOTE: The Tenable report includes proof-of-concept exploit code.

Philips Advisory

Philips published an advisory describing two vulnerabilities in their AC 2719 Air Purifier when using the Air Matters Android application. Philips reports that this is a chip-level problem, but reportedly a newer version of the application mitigates the vulnerabilities (?). The vulnerabilities were reported by an unnamed researcher.

The two (3 or 4 depending on where you read in the advisory) reported vulnerabilities are:

• Cleartext transmission of information;
• Insufficient Diffie-Hellman strength; and
• Decompiling Android app

NOTE: Okay, I will admit that I am confused by this advisory. I cannot find a researcher report of these vulnerabilities. If someone wants to step forward and explain this to me, I would appreciate it.

GE Exploit

Ivan Marmolejo has published an exploit for a password denial of service vulnerability in the GE ProficySCADA for iOS. There is no CVE number associated with the exploit report nor any vendor contact reports and I cannot find a report of a similar vulnerability on the GE security advisory page so this looks like a 0-day exploit.

COVID-19 has an interesting blog post about the increase in remote access to industrial systems due to COVID-19. They introduce a fun new term ‘industrial distancing’. It is a quick read, but worth it.

Friday, March 27, 2020

COVID-19 CFATS Extension

I reported earlier today that the Senate had left town without acting on an extension of the authority for the Chemical Facility Anti-Terrorism Standards (CFATS) program, which runs out on April 18th. It turns out that I was mistaken. Thanks to a TWEET® from Douglas A. Leigh III, Director of Legislative Affairs, National Association of Chemical Distributors (NACD), I went back and searched again through SA 1578, which became HR 748, the Coronavirus Aid, Relief, and Economic Security (CARES) Act.

Sure enough, he was correct; buried well down within Division B, Emergency Appropriations for Coronavirus Health Response and Agency Operations, §16007 (pg S 2136) provides a short-term extension for the CFATS program. That section states:

“Section 5 of the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 (Public Law 113–254; 6 U.S.C. 621 note) is amended by striking ‘‘the date that is 5 years and 3 months after the effective date of this Act’’ and inserting ‘‘July 23, 2020’’: Provided, That the amount provided by this section is designated by the Congress as being for an emergency requirement pursuant to section 251(b)(2)(A)(i) of the Balanced Budget and Emergency Deficit Control Act of 1985.”

That last “Provided” clause in the section is a technical necessity that really has nothing to do with the actual CFATS extension.

I must admit that it is nice seeing a date-certain for the termination of CFATS authority rather than the previous ‘the date that is 5 years and 3 months after the effective date of this Act’.

The House concurred with the Senate amendment to HR 748, this afternoon. The press reports that the President signed it this evening.

COVID-19 Update for CFATS Program – 3-27-20

Today the CISA Infrastructure Security Compliance Division (ISCD) published a notice in the ‘Latest News’ section of the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center concerning the effect of the COVID-19 pandemic on the CFATS program. The notice also provides a link to a document providing additional information signed by Brian Harrell, the CISA Assistant Director for Infrastructure Security, the component of CISA in which the ISCD resides.

Knowledge Center Notice

The notice makes two essential points. First, earlier this week ISCD began postponing and rescheduling all site visits by ISCD Chemical Security Inspectors. This is being done in support of the isolation and social distancing prevention program in place across the country. The notice makes it clear that these inspections and assistance visits will resume as the COVID-19 pandemic eases.

Second, the notice reiterates that the CFATS regulations remain in effect and that facilities are still required to fulfill their reporting requirements and continue full implementation of their approved site security plans. With regards to the impact of the COVID-19 pandemic on their facilities, ISCD notes:

“We are encouraging facilities to consider what compensatory measures they may need to put in place to continue to secure their critical assets if their designated personnel are unable to perform their security duties due to illness or quarantine.”

Infrastructure Security Letter

Director Harrell’s letter re-emphasizes the comments made in the notice. It also provides responses to four questions that CISA expects facilities to be asking:

• When will I be contacted to reschedule inspections and visits?
• What should I do if our security has been impacted and I need assistance with compensatory measures?
• What should I do if my COI is missing or has been released?
• I am unable to complete my in-progress Top-Screen or Site Security Plan by the current due date due to COVID-19 response. How do I request an extension?

In response to the first question, Harrell makes an important point:

“In these rare cases, our personnel will coordinate with you in advance of arrival to discuss health and safety requirements in place at your facility.”
I think that this is a reasonable response to an unexpected national emergency. The COVID-19 pandemic may have reduced the threat to chemical facilities from international terrorists; international travel has, after all, been severely impacted. It seems that there might be an increase in the threat from domestic terrorist action; there has been at least one preempted attack on a hospital that was related to the COVID-19 epidemic. Chemical facilities must remain vigilant, and this applies to both chemical security and chemical safety.

Bills Introduced – 3-26-20

Yesterday, with just the House in session (not really in Washington, but not a proforma session either) and the Senate in their COVID-19 recess, there were 14 bills introduced. One of those bills will receive future coverage in this blog:

HR 6395 To authorize appropriations for fiscal year 2021 for military activities of the Department of Defense and for military construction, to prescribe military personnel strengths for such fiscal year, and for other purposes. Rep. Smith, Adam [D-WA-9]

Did the Senate Kill CFATS Because of COVID-19?

See corrected information about this post here - [Added 0632 EDT, 3-28-20]

On Wednesday, the Senate passed HR 748 after amending it to become the Coronavirus Aid, Relief, and Economic Security Act. Everyone sighed with relief as the upper chamber actually came to an agreement. After taking care of some minor procedural matters, the Senate then took off for what we will end-up calling the COVID-19 Recess; they are not currently scheduled to return to Washington until April 20th, 2020.

There are, of course, proforma sessions scheduled throughout the recess. This has become a standard practice (from well before Trump) to prevent the President from making recess appointments that would not require Senate advice and consent. While the House rules provide for some limited legislative activity during proforma sessions, the Senate used its normal proforma session language in escaping the potential Washington COVID-19 exposure: “with no business being conducted”. This means that no bills will be offered in the Senate and no action will be allowed on existing bills.

The Senate will meet in proforma session on each Monday and Thursday between today and April 16th. They are then next scheduled to meet in a real session on April 20th. This sounds good, the Senate is ‘setting the example’ on isolation and social distancing. Congratulations.

One small problem. The Chemical Facility Anti-Terrorism Standards (CFATS) program’s current authorization expires on April 18th, 2020. And, the Senate failed to take action on the House passed CFATS extension, HR 6160. Nor did it take action on either of the two CFATS bills before the Senate, S 3416 or S 3506 (which has yet to be published by the GPO). This means that no final action on extending the current authorization for the CFATS program is “possible” until April 20th, 2020.

Okay, I put ‘possible’ in quotes for a reason. Anyone that has watched Congress in action for as long as I have knows that there is always a way around the ‘rules’ of Congress. If Sen McConnell (R,TN) decides that HR 6160 needs to be passed before April 18th, he will find a way to pass it. And I do not think that there would be any serious opposition to that passage if it were to happen.

What happens if the Senate does not take action before April 18th? An interesting question. The 18th this year is on a Saturday, so for all practical purposes, nothing happens. The Senate could come back into session on the Monday, the 20th, pass HR 6160 and send it to the President, who would probably sign it that day. There would be some breath holding across the CFATS community, but nothing would really change.

But, even if they did not do that, it might not make a real difference. The CFATS program is currently funded, like the rest of the Federal government, until September 30th, 2020. There are a number of people who feel (myself included) that this provides de facto authority for the continued operation of the CFATS program through the end of the fiscal year. I do not think that the Infrastructure Security Compliance Division would attempt to formally sanction anyone for CFATS violations during that period (thus forcing a court review of their authority), but I think that routine inspections, Top-Screen reviews and Site Security Plan approvals would continue. And I do not think that there would be any serious objection from the regulated community.

And, on October 1st, when the continuing resolution continues to fund the federal government (there will certainly be one this year, perhaps for a full year because of COVID-19) the CFATS program funding and thus unofficial authority would likely continue.

Does this mean that CFATS reauthorization or extension is not needed? Certainly not. At some point ISCD will have to tell a facility to do something that the facility does not want to do and the courts would become involved. The court would then have to rule that the authority for the program had expired and that the facility was not obligated to do what it was told. Then the CFATS program would be dead. Congress does need to act.