Tuesday, January 22, 2019

Two Advisories Published – 01-22-19

Today the DHS NCCIC-ICS published a control system security advisory for products from Johnson Controls and a medical device security advisory for products from Drager.

Johnson Controls Advisory

This advisory describes two vulnerabilities in the Johnson Controls Facility Explorer. The vulnerabilities were reported by Tridium. Johnson Controls has new versions that mitigate the vulnerabilities. There is no indication that Tridium has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Path traversal - CVE-2017-16744; and
• Improper authentication - CVE-2017-16748

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit these vulnerabilities to allow an attacker to read, write, and delete sensitive files to gain administrator privileges in the Facility Explorer system.

Drager Advisory

This advisory describes three vulnerabilities in the Drager Infinity Delta patient monitoring devices. The vulnerabilities were reported by Marc Ruef and Rocco Gagliardi, of scip AG. Drager has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Improper input validation - CVE-2018-19010;
• Information exposure through log files - CVE-2018-19014; and
• Improper privilege management - CVE-2018-19012

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to cause information disclosure of device logs, denial of service through device reboots of the patient monitors, and privilege escalation.

NOTE: The Drager security advisory adds an additional vulnerability for one of the affected products; “Several 3rd party components were found outdated and vulnerable to several published security vulnerabilities.”

CFATS and Gun Shot Detection Systems

I got an interesting question from a reader yesterday. I whipped out a quick reply that I still stand by, but I thought that it might need some additional discussion.

Question and Response

The original question was:

“Is there a requirement for chemical plants to have gunshot detection/notification? Esp after Metcalf incident, I would think.”

My initial reply was:

“The CFATS program certainly does not include such a requirement. I would not think that this would be cost effective for most manned facilities unless they were in a high crime area.”

CFATS Requirement?

First off, there are very few ‘security requirements’ under the Chemical Facility Anti-Terrorism Standards (CFATS) program. The program was crafted with the idea that each facility is unique and would have to design their security program to fit their unique character while fulfilling 12 operationally defined ‘Risk-Based Performance Standards’ (RBPS). Those standards are outlined at 6 CFR 27.230(a) and discussed in more depth in the RBPS Guidance Document. There is no specific mention of ‘gun shot detection systems’ in either document, thus there is no ‘CFATS requirement’ to employ such a system.

The RBPS Guidance Document does make two important points about detection systems. First:

“For a protective system to prevail, detection needs to occur prior to an attack (i.e., in the attack planning stages) or early enough in the attack where there is sufficient delay between the point of detection and the successful conclusion of the attack for the arrival of adequate response forces to thwart the attempt.” [pg 50]

And second:

“Typically, when a sensor or other IDS [intrusion detection system] component identifies an event of interest, an alarm notifies security, which then will assess the event either directly by sending persons to the location of the event or remotely by alerting personnel to evaluate sensor inputs and surveillance imagery.” [pg 52]

Interior and Exterior Shots Fired

There are two general scenarios where a gunshot detection system might be of use for a CFATS covered facility: shots fired inside the facility and shots fired outside the facility (okay, I guess there are no other scenarios).

For shots fired within the facility, it is, by definition, too late to prevent the attack. Information from a shot finder could provide information to response personnel to help pin down the location of the shooter. That will be problematic for most chemical facilities that do not have armed guards (the vast majority of chemical facilities in the United States). Detailed prior coordination with local law enforcement personnel (lacking at most chemical facilities) would be required to ensure that responding officers knew about the shot detection capabilities and had timely access to the location information when (and after) they arrived on scene.

The problem for shots fired outside of the facility would be determining if the impact area or trajectory of the projectiles was inside of the facility. For incidents where there is no facility impact, the ability to determine that would be helpful to frame interior incident response (do not panic, they are shooting at someone else). For shots targeted at the facility (with malice aforethought or inadvertently), the location of the impact point could have beneficial input into the emergency response within the facility.

Unfortunately, most shot detection systems do not track trajectory or impacts (okay, I do not know of ANY that do, but I am not current on the technology so someone may have addressed this issue). Setting up a system to predict impacts or trajectory would require at least two different detection systems: one to detect the initial gunshot location and one to detect the projectile in flight at a minimum of one position. The second portion of that problem would require multiple sensors around the perimeter of the facility to detect boundary penetration.

The Metcalf Scenario

The original question specifically mentioned the Metcalf situation; the April 16th, 2013 sniper attack on the unmanned Metcalf Transmission Substation. The sniper was firing at transformers with the apparent intent (this incident is still ‘unsolved’) of causing equipment failure through a loss-of-coolant incident.

A shot detection system at this facility would not have prevented the attack, but it may have provided timely enough notification to have allowed police to have apprehended the perpetrator. Unfortunately, this presumes a timely response to a ‘shots fired’ report without any indication of an antipersonnel attack.

There are few ‘unmanned’ chemical facilities, but many facilities are not manned 24/7 so this scenario could apply to such facilities. Again, the big problem is not being able to determine what the target of the shooting is when the shot detection system goes off. This is a big problem in rural areas where the shots may be from legitimate hunters.


If a facility is concerned with protecting critical infrastructure from gunshot attacks (and storage tanks quickly come to mind in this regard) it is probably more effective to provide some sort of ballistic protection in the form of either intermediate barriers or bullet-proof coatings (ballistic plate or fabrics) for high-risk equipment. Even if gunshot detection is employed, such protection would still be necessary if there is a high risk of a ballistic attack; gunshot detectors (shot location or impact location) only provide for response, they DO NOT prevent damage.


In short, I stand behind my earlier conclusion that these systems are not required for CFATS facilities and I doubt that they would be cost effective if employed. If systems are available (at a ‘reasonable’ cost) for predicting impact locations for shots fired, and a facility is in an area where there are frequently shots fired, it might be worthwhile to employ such a system to alert internal response personnel for inadvertent bullet impacts on site.

Monday, January 21, 2019

HR 480 Introduced – DHS Threat Assessment

A bit over a week ago Rep. Rogers (R,AL) introduced HR 480, the Homeland Threat Assessment Act. The bill would require DHS to conduct an annual “assessment of the terrorist threat to the homeland” {§2(a)}.

The Assessment

The bill would require the annual assessment to include {§2(b)}:

• Empirical data assessing terrorist activities and incidents over time in the United States;
• An evaluation of current terrorist tactics, as well as ongoing and possible future changes in terrorist tactics;
• An assessment of criminal activity encountered or observed by officers or employees of components in the field which is suspected of financing terrorist activity;
• Detailed information on all individuals denied entry to or removed from the United States as a result of material support provided to a foreign terrorist organization;
• The efficacy and spread of foreign terrorist organization propaganda, messaging, or recruitment;
• An assessment of threats, including cyber threats, to the homeland, including to critical infrastructure and Federal civilian networks;
• An assessment of current and potential terrorism and criminal threats posed by individuals and organized groups seeking to unlawfully enter the United States; and
• An assessment of threats to the transportation sector, including surface and aviation transportation systems.

The bill would require the assessment to be presented to congress in a classified form with unclassified summaries and, potentially, unclassified annexes.

Moving Forward

Rogers is the Ranking Member of the House Homeland Security Committee and Rep. Thompson (D,MS), the single cosponsor, is the Chair. This means that this bill will almost certainly be considered in Committee in the not too distant future. There is nothing in the bill that would cause any serious opposition and it would almost certainly receive strong bipartisan support, both in Committee and on the Floor of the House.


Now this bill is clearly about a ‘terrorist’ threat assessment, but the language in two of the sub-paragraphs in §2(b) very carefully does not contain the word ‘terrorist’ when all of the remaining sub-paragraphs do contain that word (or variations thereon). This would lead me to suspect that Rogers (or the Committee Staff who actually crafted the legislation) intended the cybersecurity and transportation assessments to include threats other than just those posed by terrorists.

So far, the only terrorist cyber threat that we have seen in actual practice has been a variety of doxing attacks (publication of private personal information) against various members of the armed forces and their families. There is nothing that would stop various terrorist groups (or radicalized individuals) from conducting more serious cyber-attacks, but nation-state actors are currently much more of a cyberthreat than terrorists.

While the wording of this sub-paragraph {§2(b)(6)} does not specifically call for reporting on nation-state level cybersecurity threats, the wording is vague enough to invite DHS to do so. If that is actually the intent of the wording, it would appear that it was done with the intention of avoiding stepping on the toes of the House Intelligence Committee or specifically involving the US Cybercommand/NSA in the assessment (an action outside the purview of the Homeland Security Committee).

The intent of the similarly vague wording in §2(b)(8) regarding transportation threats is less clear until you think to include energy transportation (specifically gas and oil pipelines). There again we have seen indications of a potential nation-state level cyber-threat that the crafters of this bill might want to have included in this DHS threat assessment.

Saturday, January 19, 2019

Public ICS Disclosures – Week of 01-12-19

This week we have a vendor notification for products from Eaton and a broad research report on vulnerabilities in radio frequency (RF) controllers from TrendMicro.

Eaton Advisory

Eaton published an advisory describing a path traversal vulnerability in their Intelligent Power Manager (IPM) product. This vulnerability is apparently self-reported. Eaton has a new version of the firmware that mitigates the vulnerability.

RF Controller Vulnerabilities

TrendMicro has published a report on vulnerabilities in RF controller systems. Their work on this topic specifically on industrial cranes was highlighted in a Forbes.com article and a presentation at S4x19 this week in Miami.

Friday, January 18, 2019

HR 370 Introduced – Pipeline Security

Last week Rep. Upton (R,MI) introduced HR 370, the Pipeline and LNG Facility Cybersecurity Preparedness Act. This bill is nearly identical to the version of HR 5175 that was reported in the House last session. That bill never made it to the floor of the House for consideration. The bill would provide the Department of Energy with some level of responsibility for pipeline security (specifically including cybersecurity) but without any regulatory authority in the area. The respective responsibilities of DHS/TSA and DOT/PHMSA in the area would not be affected.

Moving Forward

The Republicans have yet to announce their committee rosters, so it is too early to tell if Upton will be back on the Energy and Commerce Committee, the Committee to which this bill was referred for consideration. His single co-sponsor {Rep. Loebsack (D,IA)} is a member of that Committee so this bill may end up being considered in Committee.

There is a lesser chance that the bill will move directly to the floor of the House for consideration as so many bills reintroduced in the previous session are. If Upton were really hoping for that to happen, he probably should have had Loebsack listed as the sponsor of the bill.

This bill will almost certainly be approved with substantial bipartisan support. The modifications made in the marked-up version of the previous bill were designed to throw bones to the other committees (Transportation and Homeland Security) that might object to the bill overstepping into their areas of oversight. Additionally, the revised language now seen in this ‘original bill’ eases any potential industry concerns by clarifying that the tools and procedures developed by DOE under direction of this bill {in §2(3) and §2(6)} would be available for ‘voluntary use’ by industry and not mandated.

If this bill makes it through the backroom processes in the House and is considered on the floor, it will be sent to the Senate with bipartisan support.

Bills Introduced – 01-17-19

Yesterday with both the House and Senate in session there were 86 bills introduced. Of those, three may receive additional coverage on this blog:

HR 648 Consolidated Appropriations Act, 2019 Rep. Lowey, Nita M. [D-NY-17] 

HR 680 To provide for the establishment of a pilot program to identify security vulnerabilities of certain entities in the energy sector. Rep. Ruppersberger, C. A. Dutch [D-MD-2]

S 174 A bill to provide for the establishment of a pilot program to identify security vulnerabilities of certain entities in the energy sector. Sen. King, Angus S., Jr. [I-ME]

HR 648 is another version of an FY 2019 spending bill that addresses the spending for the shut-down agencies in the Federal government (except for DHS). I will only be looking at this bill if there are specific provisions of the bill of interest. The schedule for next week has not yet been published, but I expect that it will be considered on the floor next week. This will be another attempt to get Republican support to re-open the government over Trump’s opposition.

It looks like the other two bills are companion bills, but I cannot be sure until I see the actual bills.

House Accepts Senate Amendment to HR 251 – CFATS Extension

Yesterday the House accepted the Senate amendment to HR 251, the Chemical Facility Anti-Terrorism Standards Program (CFATS) Extension Act. The amendments received bipartisan support and the House agreed to the Senate amendments by voice vote.

While all of the speakers on the floor during the short debate on the bill supported the Senate amendment, it is clear that their support was for extending the CFATS program rather than being specifically in favor of the shortened extension period found in the Senate revision.

Rep. Thompson (D,MS), the original author of the bill and Chair of the Homeland Security Committee said:

“I am concerned this abbreviated authorization period provides less stability for DHS and more uncertainty for the regulated community, but unless we act, the CFATS program will expire at midnight tonight.”

Rep. Shimkus (R,IL), a cosponsor of the bill and Ranking Member of the House Energy and Commerce Committee, before urging members to support the amendments to HR 251, said:

"What troubles me, though, about the other body’s amendment is it doesn’t give CFATS much room to make more improvement. One of the major lessons to come out of the hearings we had in my committee on the CFATS program was that, from 2009 to 2014, 1-year authority extensions did not offer program stability and stagnated the program’s improvement.”

The bill now goes to the President for signature. There has been no indication that President Trump would not sign the bill.
