Saturday, May 21, 2022

GAO Report – Protecting DOD’s Controlled Unclassified Information Systems

On Thursday, the Government Accountability Office published a report on “Defense Cybersecurity Protecting Controlled Unclassified Information Systems” (GAO-22-105259). The report looks at how well the DOD is doing in its efforts to bring its CUI programs into regulatory compliance. The short answer, according to the GAO’s look at four basic program measures, is that DOD still has a way to go.

The four measures used by GAO to evaluate the DOD’s implementation process are:

• Categorize DOD CUI systems accurately (80 to 89% complete),

• Implement Cybersecurity Maturity Model Certification’s 110 security requirements (70 to 79% complete),

• Implement 266 security controls for moderate confidentiality impact systems (80 to 89% complete), and

• Authorize systems to operate on the DOD network (90% plus complete).

While this GAO Report just looks at the DOD, the CUI program under 32 CFR 2002 applies to all branches of the Federal Government and their contractors (and in some instances regulated entities). Some common federal information protection schemes that fall under the CUI protection regulations include (but are certainly not limited to):

• Chemical-terrorism Vulnerability Information (CVI),

• Critical Energy Infrastructure Information (CEII),

• Protected Critical Infrastructure Information (PCII), and

• Sensitive Security Information (SSI)

It would be interesting to see how other federal agencies (DOE and DHS, for example) fare in their implementation of the §2002 regulations.

OMB Approves BIS Information Security Controls Final Rule

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a ‘Final Rule’ for DOC’s Bureau of Industry and Security (BIS) for “Information Security Controls: Cybersecurity Items”. When this was sent to OIRA back in March, the submission was billed as a “Delay of Effective Date”, but there is no mention of that in yesterday’s announcement. It could be the final rule for the interim rule that was published last October. Well, we will see what is going on when this is published in the Federal Register, probably this coming week.

Review – Public ICS Disclosures – Week of 5-14-22

This week we have sixteen vendor disclosures from Aruba, Fujitsu, HPE (6), Moxa, OPC Foundation, Pepperl+Fuchs, Philips, Sick, Siemens, and Tanzu (2). Then we have two vendor updates from Aruba and Johnson Controls. Finally, we have four researcher reports for products from Schneider, Spectrum Brands, Tesla, and Galleon.

Aruba Advisory - Aruba published an advisory that discusses five vulnerabilities in multiple Aruba products.

Fujitsu Advisory - JP-CERT published an advisory that discusses two vulnerabilities in the Fujitsu IPCOM products.

HPE Advisory #1 - HPE published an advisory that discusses two vulnerabilities in their Edgeline Servers.

HPE Advisory #2 - HPE published an advisory that discusses an information disclosure vulnerability in their Moonshot/Edgeline Servers.

HPE Advisory #3 - HPE published an advisory that discusses an information disclosure vulnerability in their Moonshot/Edgeline Servers.

HPE Advisory #4 - HPE published an advisory that discusses six vulnerabilities in their HP-UX OpenSSL products.

HPE Advisory #5 - HPE published an advisory that describes three vulnerabilities in their OneView product.

HPE Advisory #6 - HPE published an advisory that discusses 14 vulnerabilities in their ProLiant Gen10 and Gen10 Plus Servers.

Moxa Advisory - Moxa published an advisory that discusses a heap-based buffer overflow vulnerability in the Linux IPsec ESP transformation code.

OPC Advisory - The OPC Foundation published an advisory that describes an uncontrolled resource exhaustion vulnerability in their UA Legacy Java Stack.

NOTE: I believe that this vulnerability was one of the ones reported in the Pwn2Own Miami 2022 competition that I briefly mentioned last week.

Pepperl+Fuchs Advisory - CERT-VDE published an advisory that discusses six Bluetooth vulnerabilities in the Pepperl+Fuchs RSM-EX01B product family.

Philips Advisory - Philips published an advisory that discusses the CISA Emergency Directive 22-03 for the mitigation of VMware vulnerabilities.

Sick Advisory - Sick published an advisory that describes a deserialization of untrusted data vulnerability in their Flexi Soft Designer & Safety Designer.

Siemens Report - Siemens published a report discussing an exploit of their S7-1200 4.5 that was published back in March.

Tanzu Advisory #1 - Tanzu published an advisory that describes an integer overflow vulnerability in their Spring Security product.

Tanzu Advisory #2 - Tanzu published an advisory that describes an authorization bypass vulnerability in their Spring Security product.

Aruba Update - Aruba published an update for their TLStorm 2.0 advisory that was originally published on May 3rd, 2022.

Johnson Controls Update - Johnson Controls published an update for their SpringShell advisory that was originally published on April 19th, 2022 and most recently updated on April 29th, 2022.

Schneider Report #1 - Kaspersky published a report that describes an authentication bypass by spoofing vulnerability in the Schneider Electric Modicon M340/M580 controllers.

Schneider Report #2 - Kaspersky published a report that describes an information leak from project files vulnerability in the Schneider Electric EcoStruxure Control Expert / Process Expert, and SCADAPack RemoteConnect products.

Spectrum Brands Report - NCC Group published a report describing a BLE relay vulnerability in the Kwikset/Weiser Kevo smart locks.

Tesla Report - NCC Group published a report describing a BLE relay vulnerability in the Tesla automobile.

Galleon Report - Pen Test Partners published a report describing a command injection vulnerability in the Galleon Systems’ GPS NTP time server.

For more details on these disclosures, including links to researcher reports and third-party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-5-581 - subscription required.

Friday, May 20, 2022

Review - HR 7174 Amended and Adopted in Committee – Cyber Forensics Institute

Yesterday, the House Homeland Security Committee held a business meeting where five DHS-related bills were considered, including HR 7174, the National Computer Forensics Institute Reauthorization Act of 2022. Rep Slotkin (D,MI) proposed substitute language and Rep Thompson (D,MS) introduced a brief amendment to that language. The Committee adopted both by voice votes.

The amendments approved by the Committee yesterday do not make any substantive changes to the bill. The bill would still reauthorize the Secret Service’s NCFI through 2032 and expand the scope of responsibilities for the Institute. It would make several changes to 6 USC 383, including adding a list of definitions of key terms. The bill does not include authorization for expenditures to support these changes.

The broad bipartisan support for the bill in Committee essentially ensures that the bill will be considered under the suspension of the rules process. Once the Committee publishes their report on the bill, the bill will be cleared for consideration by the full House.

HR 7777 Adopted in Homeland Security Committee – ICS Training

Yesterday, the House Homeland Security Committee held a business meeting where five DHS-related bills were considered, including HR 7777, the Industrial Control Systems Cybersecurity Training Act. Without amendment, the bill was ordered favorably reported by a voice vote. Once the Committee report is published, this bill will be cleared for consideration by the whole House. The bill will almost certainly be taken up there under the suspension of the rules process. It will likely pass with strong bipartisan support.

This bill would amend the Homeland Security Act of 2002 to establish within CISA an Industrial Control Systems Cybersecurity Training Initiative. No new funding is authorized in the bill. This, in effect, authorizes the long-standing ICS training program in CISA.

Bills Introduced – 5-19-22

Yesterday, with both the House and Senate in Washington, there were 67 bills introduced. One of those bills will receive additional coverage in this blog:

S 4268 A bill to amend the Public Health Service Act to authorize grants to health care providers to enhance the physical and cyber security of their facilities, personnel, and patients. Sen. Gillibrand, Kirsten E. [D-NY] 

This may be a companion bill to HR 7814 that was introduced yesterday.

Thursday, May 19, 2022

HR 6824 Reported in House – Cybersecurity Competition

While the House passed HR 6824 earlier this week, the Committee Report for the bill was not publicly available until after the vote was held. The Report makes the point (pgs 3-4) that the ‘President’s Cup Cybersecurity Competition’ that would be authorized by the bill has actually been held since 2019. The report concludes that discussion by saying:

“H.R. 6824 will specifically authorize the President’s Cup Cybersecurity Competition in law in a manner that provides CISA with needed authority to award cash prizes to the winners to reward their demonstrated cybersecurity skills, which can act as an important retention tool. Codifying the President’s Cup will demonstrate that both Congress is committed to addressing Federal cybersecurity recruitment and retention challenges and values the Federal cyber workforce.”

That is, perhaps, a more positive spin than I normally put on congressional efforts to authorize activities already being undertaken by the Executive Branch. In this case, I will give them credit for the effort and intent publicly stated, since they did give CISA credit for the origination of the program.
