HR 1975 Introduced – Cybersecurity Advisory Committee

Last month Rep. Katko (R,NY) introduced HR 1975, the Cybersecurity Advisory Committee Authorization Act of 2019. The bill would require the DHS Cybersecurity and Infrastructure Security Agency (CISA) to establish a cybersecurity advisory committee to advise the Director on the development, refinement, and implementation of policies, programs, rulemakings, planning, training, and security directives pertaining to the mission of CISA.

Composition

The Committee would be composed of 35 individuals representing State and local governments and of a broad range of industries, including {new §2215(c)(1)(C)}:

• Defense.

• Education;

• Financial services;

• Healthcare;

• Manufacturing;

• Media and entertainment;

• Chemicals;

• Retail;

• Transportation;

• Energy;

• Information Technology; and

• Communications.

Moving Forward

Katko is a member of the House Homeland Security Committee, one of the three committees to which this bill was assigned for consideration. This means that it is likely that this bill will receive consideration in that Committee. None of the current cosponsors of the bill are members of the other two committees to which the bill was assigned. This greatly decreases the possibility that this bill will be considered in those committees. There is a reasonable chance that the bill could move to the floor without action by the Energy and Commerce or Oversight and Reform committees if the Homeland Security Committee were to strongly indorse the bill.

There is nothing in this bill that would engender serious opposition. If the bill were to be considered it would probably receive broad bipartisan support. I suspect that there is a good chance that this bill will come to the floor of the House under the suspension of the rules process.

Commentary

There is no language in this bill that specifically identifies control system cybersecurity as a targeted interest of the Committee. But, having said that, it seems clear to me that the crafters of the bill intended operational technology cybersecurity to be included in the Committee’s purview. One just has to look at the industrial sectors specified to see that a wide variety of industrial control systems are core technologies for many of the sectors. I do have a minor concern, however, that the support side (vendors, integrators and researchers) of control system security may not receive any recognition in this committee. This concern could be reduced by changing the name of one of the industries from ‘information technology’ to ‘information and operational technology’.

The Federal government has successfully used this type of advisory committee to help provide regulators with a wide span of technical expertise. There have periodically been complaints about the ‘influence’ these industry insiders have over the regulatory process. Usually, this type of complaint has been short circuited by ensuring the inclusion of counter-industry advocacy representative like labor organizations or privacy groups. For this Committee, I think the failure to include representative of privacy groups is a significant shortcoming that should be corrected before this legislation makes its way to the President.

S 876 Introduced – DOE Vet Training

Last month Sen. Duckworth (D,IL) introduced S 867, the Energy Jobs for Our Heroes Act of 2019. The bill would require DOE to establish a program to prepare eligible participants for careers in the energy industry as part of the DOD’s SkillBridge (program web site ‘under construction’) program.

Energy Ready Vets Program

The bill would add a new section to the Energy Policy Act of 2005. It would require DOE to establish the ‘Energy-Ready Vets Program’ to prepare eligible participants for careers in the energy industry. The program would “provide standardized training courses, based, to the maximum extent practicable, on existing industry-recognized certification and training programs, to prepare eligible participants in the program for careers in the energy industry” {new §1107(d)}.

Cybersecurity Training

The program would provide training in five energy sectors, including the cybersecurity sector of the energy industry. The training would prepare participants for jobs in {§1107(d)(1)(C)}:

Cybersecurity preparedness;

• Cyber incident response and recovery;

• Grid modernization, security, and maintenance;

• Resilience planning; and

• Other areas relating to the cybersecurity sector of the energy industry;

The bill provides for a grant program “to assist the industry in developing such an industry-recognized certification and training program” {§1107(f)(1)} when such programs do not currently exist. Funding for the grant programs comes out of a generic “such sums as are necessary to carry out this section” authorization included in §1107(g)(1).

Moving Forward

While Duckworth is not a member of the Senate Energy and Natural Resources Committee, one of her two cosponsors {Sen. Gardner (R.CO)} is. This means that there is a strong possibility that this bill will be considered in Committee. I suspect that there will be bipartisan support for the bill both in Committee and on the floor as it hits three key political targets: veterans, jobs and clean energy (one of the job sectors not covered in this post).

The key problem this bill faces is getting it to the floor of the Senate for a vote. Time is the big issue and the bill is not important enough to get full debate in the Senate. This means that it would have to be considered under the Senate’s unanimous consent process where the voice of a single Senator can stop the bill from being considered. I do not see anything in the bill to draw strong opposition, but ‘objections’ are frequently raised on bills as a means of expressing political opposition to any of a number of loosely related issues.

This bill, however, is certainly a strong candidate for inclusion in a DOE or even DOD authorization bill either as part of the introduced bill or as an amendment.

Commentary

The lack of people with cybersecurity training is an ongoing problem for many industrial sectors and the energy sector specifically. Training veterans for such jobs is a win-win solution. Since the SkillBridge program is targeted at individual military facilities, the provisions of this bill would allow DOE to tailor cybersecurity training programs at facilities with high-concentrations of military members with cybersecurity skills. This could allow the programs to focus on certification skills rather than basic cybersecurity training. This would make it easier for cyber warriors to transition into critical cybersecurity jobs.

HR 1731 Introduced – Cybersecurity Reporting

Last month Rep. Hines (D,CT) introduced HR 1731, Cybersecurity Disclosure Act of 2019. The bill would require the Securities and Exchange Commission to establish rules requiring the reporting of whether there was cybersecurity expertise on the board of directors or other governing body of each company required to file annual reports. This is a companion bill to S 592.

Hines and both of his two cosponsors {Rep. Heck (D,WA) and Rep. Meeks (D,NY)} are members of the House Financial Services Committee to which this bill was assigned for consideration. This means that the bill can probably be expected to receive consideration. I see nothing in the bill that would cause any serious opposition; it would probably receive bipartisan support.

Hines introduced a similar bill last session (HR 6638) that died without action. Part of the reason was it’s relatively late introduction in the session, but it was also unlikely to receive active support from the more business friendly Republican leadership of the Committee. When (if) this bill is considered in Committee, the vote will provide a better view of how much bipartisan support the bill would actually receive on the floor. The bill is only likely to get House action if it can draw the super-majority support necessary for passage under the suspension of the rules process.

HR 1668 Introduced – IoT Cybersecurity

Last month Rep. Kelly (D,IL) introduced HR 1668, the Internet of Things (IoT) Cybersecurity Improvement Act of 2019. This is a companion bill to S 734.

Kelly (and at least two other cosponsors) is a member of the House Oversight and Reform Committee, one of the two committees to which this bill was assigned for consideration. Rep. Foster (D,IL) is a member of the House Science, Space, and Technology Committee, the other Committee to which the bill was assigned. This means that there is a decent chance that this bill will be considered in these committees.

This bill is more likely to advance in the House than S 734 is to advance in the Senate. I suspect that there would be significant bipartisan support and the bill would be passed in the House under the suspension of the rules process.

HR 1648 Introduced – SBA Security Assistance

Last Month Rep. Chabot (R,OH) introduced HR 1648, the Small Business Advanced Cybersecurity Enhancements Act of 2019. The bill would require the Small Business Administration to establish a Central Small Business Cybersecurity Assistance Unit as well as regional cybersecurity assistance units.

Cybersecurity Assistance Units

The CSBCAU would be collocated with the DHS National Cybersecurity and Communications Integration Center (NCCIC) and would serve as a conduit for sharing cybersecurity threat information between small businesses and the federal government. All of the information sharing protections provided under the CISA legislation {6 USC 1503(c)} would apply to information sharing via the CSBCAU {new 15 USC 648(a)(9)(B)(iii)}. Information on cyberthreat indicators or defensive measures shared through the CSBCAU will not be subject to the narrow regulatory exemption found in 6 USC 1504(d) (5)(D)(ii)(I).

The regional small business cybersecurity assistance units will be part of each Small Business Administration (SBA) small business development center. The bill would require the SBA to set aside $1 million from the monies authorized for small business development centers for the operation of regional SBCAU’s.

Moving Forward

Chabot and both of his cosponsors {Rep. Balderson (R,OH) and Rep. Velasquez (D,NY)} are members of the House Small Business Committee, the Committee to which this bill was assigned for consideration. This means that there is a good chance that this bill will be considered in Committee.

There is nothing in this bill that would incur any significant opposition. I suspect that if it is considered in committee that it would pass with significant bipartisan support. If considered by the full House it would likely be considered under the suspension of the rules process with limited debate and no floor amendments. Again, it would probably pass with substantial bipartisan support.

Commentary

This bill is an attempt to encourage small business owners to participate in the existing cybersecurity information sharing program with CISA by using familiar SBA channels of communication. Unfortunately, it does not address the underlying issues that appear to be hindering businesses in general from participating in the information sharing process. That is the appearance that the information sharing process is a one-way street with little useable information flowing back to the private sector.

The one small sop thrown to the small business community, the §1504 exception will do little to add encouragement for small businesses to participate in the CISA information sharing process. Section 1504 allows units of the federal government to use information shared with NCCIC to be used to fine tune existing cybersecurity regulations. Since there are few areas of the federal regulatory system that are specifically allowed to regulate cybersecurity, this is a fairly unimportant exception.

There is no mention in this bill of industrial control system security issues. The findings section of the bill only mentions information technology security concerns. Fortunately, since this bill attempts to supplement the CISA information sharing process, it uses control system friendly definitions from 6 USC 1501 that are based on the definition of ‘information system’ that specifically includes control systems. Unfortunately, this is as unlikely to encourage small businesses to share control system security threat information with CISA as it is purely IT threat information. Congress needs to clearly identify the existing impediments to information sharing and rectify those before they can expect small businesses to become part of the process.

Public ICS Disclosures – Week of 04-13-19

This week we have two vendor disclosures from CODESYS.

Gateway V3 Memory Management Advisory

CODESYS published an advisory describing an uncontrolled memory allocation vulnerability in the CODESYS V3 products. The vulnerability was reported by Martin Hartmann from cirosec GmbH. 3S has released a new version that mitigates the vulnerability. There is no indication that Hartmann has been provided an opportunity to verify the efficacy of the fix.

CODESYS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to cause a denial-of-service condition.

Gateway V3 Channel Management Advisory

CODESYS published an advisory describing two vulnerabilities in the CODESYS V3 products. The vulnerabilities were reported by Martin Hartmann from cirosec GmbH. 3S has released a new version that mitigates the vulnerabilities. There is no indication that Hartmann has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities (on a single CVE - CVE-2019-9010) are:

• Insufficiently random values to identify the communication channel; and

• Insufficiently verifies the ownership of a channel

CODESYS reports that a moderately skilled attacker could remotely exploit these vulnerabilities to close existing communication channels or to take over an already established user session to send crafted packets to a PLC.

S 715 Introduced – Smart Manufacturing

Last month Sen. Shaheen (D,NH) introduced S 715, the Smart Manufacturing Leadership Act. The bill would require the Secretary of Energy to develop a smart manufacturing plan and to provide assistance to small- and medium-sized manufacturers in implementing smart manufacturing programs. The bill is almost identical to S 768 that Shaheen introduced in the 115^th Congress; no action was taken on that bill.

Differences in the Bills

There are two differences between these two versions of the bill; one minor and one significant. The minor change is found in §7(g); the dates have been changed for the authorization of funding. It now reads: “$10,000,000 for each of fiscal years 2020 through 2023”; this is an expected change.

The significant change addresses my one major complaint about the previous version of this bill; it did not address cybersecurity issues. Two new subparagraphs were added to §4(b)(2) addressing the requirements for what items must be included in the Secretary’s plan. The new subparagraphs are:

(C) the use of smart manufacturing to improve energy efficiency and reduce emissions in supply chains across multiple companies;

(D) actions to increase cybersecurity in smart manufacturing infrastructure;

Moving Forward

While Shaheen is still not a member of the Senate Energy and Natural Resources Committee to which this bill was assigned for consideration, one of her cosponsors {Sen. Alexander (R,TN)} is an influential member of that Committee. This greatly increases the possibility that the Committee will consider this bill during the session.

Since no regulatory authority is actually provided by the bill, the main sticking point for its adoption (either in Committee or on the floor of the Senate) is the inclusion of $10 million in appropriations for the grant program outlined in the bill. This is not a large amount of money in federal spending terms, but it is money that will have to come from somewhere; probably from other programs in the DOE budget.

Commentary

The cybersecurity provision added to this bill is even more generic than the one I proposed in my posting of S 768. There are certain advantages in Congress employing vague, generic language in legislation; it allows regulatory agencies more leeway in adopting (and even more importantly) and later modifying actual regulatory or guidance language. While the process required to actually make such modifications is lengthy and time consuming, it would be much longer, if the agency had to rely on changes in congressional language to start the change process.

This time issue has been one of the problems cited whenever there is discussion about cybersecurity language or regulation. The cybersecurity risk landscape changes so quickly special care needs to be taken to ensure that outdated security measures are not locked into the regulatory process. Shaheen’s staff appears to have realized that problem and looks to have done their part to ensure that Congress is not the source of that kind of problem in this bill.