Congress is Out for the Summer

Yesterday the Senate held their last session for the month of August, heading back to their home districts for the Congressional summer recess. The House left a week earlier. This is an annual event for Congress and the only unusual thing about it this COVID-19 affected year was that both houses stayed a week longer than normal, hoping for an agreement on a new COVID-19 response bill.

There is still a remote possibility that both the House and the Senate could come back to Washington for a one-day session to take-up a relief bill, but no one is really expecting that to happen. The two sides are just too far apart in an election year. The political calculation has been made that no action will draw less voter ire than would giving in to the other side.

While the COVID-19 relief bill has drawn the most attention from the national press, the bigger concern is how Congress will deal with the annual spending bill process. With the House returning to Washington a week later than normal (to make up for leaving late), there will be just two and half weeks from the time they get back to the end of the fiscal year. Some sort of spending measure needs to be passed in that time to prevent a government shut down on October 1^st.

No one expects the Senate to take up the two minibus spending bills passed by the House last month and the Senate Appropriations Committee left Washington yesterday without introducing any spending bills of their own. So we will have to see a continuing resolution passed to keep government spending going at the current rate through the November election and probably through to mid-December to allow a backroom deal to be worked out on an omnibus spending bill.

The lack of a deal on the COVID-19 relief legislation bodes ill for reaching an agreement on a continuing resolution. If the House can come up with a clean (few or no policy or spending riders) CR, then the Senate will be likely to take that bill up and pass it. Unfortunately, the prospect of adding a few priority Democratic policy/spending riders will be a temptation that will be hard to resist. I would not be surprised to see some COVID-19 response measures or some additional postal service spending to support mail-in ballot handling from being included in a first attempt at a CR.

On a more personal basis, the Washington vacation will have the effect of slowing down the posting on this blog as there is less legislative news to talk about. This happens every August. This year, however, I will probably be taking up some of that writing slack time with additional postings about the Critical Infrastructure Security Operations Center (CI-SOC) over on my other blog, Future ICS Security News.

14 Updates Published – 8-11-20

Yesterday the CISA NCCIC-ICS published 14 updates to control system security advisories for products from Siemens. I covered the eight new control system security advisories that were published yesterday in an earlier blog post.

PROFINET Update #1

This update provides additional information on an advisory that was originally published on May 9^th, 2017 and most recently updated On July 14^th, 2020. The new information includes:

• Note about successor product for SIMATIC Teleservice adapters, and

Added

• SIMATIC ET200ecoPN product variants (MLFB IDs) that are not affected

OPC UA Update

This update provides additional information on an advisory that was originally published on 8-31-17 and most recently updated on February 5^th, 2019. The new information includes updated information on SIMATIC NET PC Software.

Industrial Products Update #1

This update provides additional information on an advisory that was originally published on December 5^th, 2017 and most recently updated on July 14^th, 2020. The new information includes a notice on SIMATIC ET200ecoPN product variants (MLFB IDs) that are not affected.

SIMATIC Update #1

This update provides additional information on an advisory that was originally published on December 10th, 2019 and most recently updated on June 9^th, 2020. The new information includes:

• Added update for SIMOCODE pro V EIP, and

• Informed about successor product for SIMATIC Teleservice adapters

Industrial Products Update #2

This update provides additional information on an advisory that was originally published on September 10^th, 2019 and most recently updated on June 9^th, 2020. The new information includes a note about successor product for SIMATIC Teleservice adapters.

PROFINET Update #2

This update provides additional information on an advisory that was originally published on October 10^th, 2019 and most recently updated on July 14^th, 2020. The new information includes:

• Added solution for SIMATIC PN/PN Coupler,

• Added SIMATIC ET200ecoPN product variants (MLFB IDs) that are not affected

Industrial Real-Time Update

This update provides additional information on an advisory that was originally published on October 10^th, 2019 and most recently updated on March 10^th, 2020. The new information includes adding SIMATIC ET200ecoPN product variants (MLFB IDs) that are not affected.

SCALANCE Update #1

This update provides additional information on an advisory that was originally published on February 11^th, 2020. The new information includes data about successor products for the SCALANCE S-600 family.

PROFINET-IO Update

This update provides additional information on an advisory that was originally published on February 11^th, 2020 and most recently updated on March 11^th, 2020. The new information includes adding SIMATIC ET200ecoPN product variants (MLFB IDs) that are not affected.

Industrial Products Update #3

This update provides additional information on an advisory that was originally published on February 11^th, 2020 and most recently updated on July 14^th, 2020. The new information included data about successor products for the SCALANCE S-600 family.

SCALANCE Update #2

This update provides additional information on an advisory that was originally published on April 14^th, 2020. The new information included data about successor products for the SCALANCE S-600 family.

SIMATIC Update #2

This update provides additional information on an advisory that was originally published on July 9^th, 2020 and most recently updated on July 14^th, 2020. The new information includes:

• Added solution for SIMATIC PCS neo, and

• SIMATIC PCS 7 removed from affected products

OPCENTER Update

This update provides additional information on an advisory that was originally published on July 14^th, 2020. The new information included reporting that CVE-2020-7576 was not yet fixed in Opcenter Execution Core V8.2.

UMC Stack Update

This update provides additional information on an advisory that was was originally published on July 14^th, 2020. The new information included added solution for SIMATIC PCS neo.

Another Siemens Update

There was one other advisory that Siemens updated yesterday. I will discuss it on Saturday.

Bills Introduced – 8-11-20

Yesterday with the Senate in Washington (or at least pretending to be) and the House meeting in pro forma session there were 39 bills introduced. One of these bills may receive additional coverage in this blog:

HR 7998 To require the Director of the National Institute of Standards and Technology to disseminate guidance to institutions of higher education and non-profit research institutions to help mitigate cybersecurity risks to COVID-19 related research, and for other purposes. Rep. Barr, Andy [R-KY-6] 

I will be watching this bill for language or definitions that would pertain to the cybersecurity of laboratory equipment or management systems, the lab equivalent of industrial control systems. Not expecting much but watching for it just the same.

8 Advisories Published – 8-12-20

Yesterday the CISA NCCIC-ICS published eight control system security advisories for products from Siemens (5), Tridium, Schneider, and Yokogawa. There were also 22 updates published but those will be dealt with in a later blog post.

SICAM Advisory

This advisory describes a cross-site scripting vulnerability in the Siemens  SICAM A8000 RTUs. The vulnerability was reported by Emma Good from KTH Royal Institute of Technology. Siemens has a new version that mitigates the vulnerability. There is no indication that Good has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit this vulnerability to compromise the confidentiality, integrity, and availability of the web application.

Automation License Advisory

This advisory describes an improper authorization vulnerability in the Siemens Automation License Manager. The vulnerability was reported by Lasse Trolle Borup of Danish Cyber Defense. Siemens has a new version of ALM6 that mitigates the vulnerability. There is no indication that Borup has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to allow an attacker to locally escalate privileges and modify files that should be protected against writing.

Desigo Advisory

This advisory describes a code injection vulnerability in the Siemens Desigo CC building management platform. This vulnerability is self-reported. Siemens has patches available that mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to gain remote code execution on the server with SYSTEM privileges.

Simatic Advisory

This advisory describes the kr00k vulnerability in the Siemens SIMATIC and SIMOTICS wi-fi services. This is a third-party vulnerability in the Broadcom Wi-Fi client devices with publicly available exploits. Siemens has provided generic workarounds pending development of updates.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to read a discrete set of traffic over the air after a Wi-Fi device state change. NCCIC-ICS provides no mention of the publicly available exploits.

SCALANCE Advisory

This advisory describes a classic buffer overflow in the Siemens SCALANCE and RUGGEDCOM products. This is the Linux Point-to-Point Protocol Daemon (pppd) Vulnerability reported in March and proof-of-concept exploit code is available. Siemens has updates available to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to gain unauthenticated access to a device and cause a buffer overflow to execute custom code. NCCIC-ICS provides no mention of the publicly available exploits.

Tridium Advisory

This advisory describes a synchronous access of remote resource without timeout vulnerability in the Tridium Niagara product. The vulnerability was self-reported. Tridium has updates that mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker on an adjacent network could exploit the vulnerability to result in a denial-of-service condition.

Schneider Advisory

This advisory describes two path traversal vulnerabilities in the Schneider APC Easy UPS On-Line. The vulnerabilities were reported by rgod via the Zero Day Initiative. Schneider has a new version that mitigates the vulnerability. There is no indication that rgod has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to lead to remote code execution.

NOTE: Schneider also published six other advisories yesterday.

 

Yokogawa Advisory

This advisory describes two vulnerabilities in the Yokogawa CENTUM distributed control system. The vulnerabilities were reported by Nataliya Tlyapova, Ivan Kurnakov, and Positive Technologies. Yokogawa has patches that mitigate the vulnerabilities for products still under support. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Improper authentication - CVE-2020-5608, and

• Path traversal CVE-2020-5609

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow a remote unauthenticated attacker to send tampered communication packets or create/overwrite any file and run any commands.

NOTE: I briefly discussed these vulnerabilities on August 1^st.

HR 7248 Introduced – STARTER Act

Way back in June Rep Graves (R,MO) introduced HR 7248, the Surface Transportation Advanced through Reform, Technology, and Efficient Review (STARTER) Act. The bill is effectively a Republican alternative to a highway authorization bill that has yet to be introduced by the Democrats. It includes three grant programs that could affect automated driving system development and deployment.

Advanced Technologies Grant Program

Section 6001 of the bill would add a new §520 to 23 USC Chapter 25. It would require DOT to “establish a program to provide grants to eligible entities to deploy, install, and operate advanced transportation technologies to improve safety, efficiency, system performance, mobility, intermodal connectivity, and infrastructure return on investment” {new §520(a)}.

The grant program would favor technology deployments that {new§520(b)}:

• Reduces costs and improves return on investments, including through the optimization of existing transportation capacity,
• Delivers environmental benefits by alleviating congestion and streamlining traffic flow,
• Measures and improves the operational performance of the applicable transportation net- work,
• Reduces the number and severity of traffic accidents and increases driver, passenger, and pedestrian safety,
• Collects, disseminates, and uses information on real-time traffic, work zone, weather, transit, paratransit, parking, and other transportation-related information to improve mobility, reduce congestion, and provide for more efficient, accessible, and integrated transportation and transportation services,
• Monitors transportation assets to improve infrastructure management, reduce maintenance costs, prioritize investment decisions, and ensure state of good repair,

• Delivers economic benefits by reducing delays, improving system performance, and providing for the efficient and reliable movement of goods and services, or

• Accelerates the deployment of vehicle-to-vehicle, vehicle-to-infrastructure, autonomous vehicles, and other technologies.

Among the allowable uses listed for this grant program are “cybersecurity protection measures and activities to protect against cybersecurity threats” {new §502(e)(15)}.

Connected Vehicle Deployment Grants

Section 6002 would add a new §521 to Chapter 5. This would require DOT to develop a grant program to “to spur operational deployments to meet the transportation needs of eligible entities through the use of the best available and emerging intelligent transportation systems” {new §521(a)(1)}. The goals of the grant program would be to {new §521(a)(2)}:

• Spur connected vehicle technology deployment through wirelessly connected vehicles that interact with a connected environment, including mobile devices, infrastructure, and other elements,

• Realize safety, mobility, and environmental impacts through operational deployments,

• Capture and use new forms of connected vehicle and mobile device data to support improved surface transportation system performance and enhanced performance-based management,

• Encourage partnerships of multiple stakeholders (including private companies, State and local agencies, transit agencies, commercial vehicle operators, freight shippers, and transportation network companies),

• Deploy applications using data captured from multiple sources (including vehicles, mobile devices, and infrastructure) across all elements of the surface transportation system (including transit, highway, arterial highways, parking facilities, and toll highways), and

• Support deployment sites that create foundations for future expanded and enhanced deployments

Automated Driving Systems Demonstration Grants

Section 6003 adds a new §522 to Chapter 5. It would require DOT to establish an automated driving system demonstration grant program. The program would be designed to {new §522(a)(1)}:

• Test the safe integration of automated driving system technologies into the on-road transportation system of the United States and demonstrate how challenges to the safe integration of such technologies can be addressed, and

• Encourage collaboration and partnerships of multiple stakeholders.

The grant program would also be required to {§522(a)(1)(B)}:

• A baseline of safety metrics needed to characterize the safety risk of integrating automated driving system technologies into the transportation system;

• A baseline for the safety of automated driving system technology integration; and

• A baseline of roadway characteristics needed for the safe and efficient operation of automated driving system technologies.

Paragraph (C) amends 23 USC 133(b), adding a new authorized use for the Surface transportation block grant program. That new use would be {new §133(b)(16)} “Capital and maintenance expenses for infrastructure improvements to ensure the proper and safe operation of automated driving system technologies for which a demonstration project was carried out under section 522.”

Moving Forward

Graves (and most of the 22 Republican cosponsors to the bill) is a member of the House Transportation and Infrastructure Committee, one of the two committees to which this bill was assigned for consideration. While this would normally mean that the bill would have a good chance of being considered in the Committee, but this bill is a direct challenge to the Committee leadership’s ability to craft a consensus highway transportation authorization bill. This bill is not going anywhere.

Beirut and Changes to the AN Security Program

As I noted last week, the catastrophic explosion in Beirut, which may have been the result of a fire in an ammonium nitrate storage facility, has resulted in Rep Thompson (D,MS), Chair of the House Homeland Security Committee, calling for DHS to complete the rulemaking on the Ammonium Nitrate Security Program, required by 6 USC Part J – Secure Handling of Ammonium Nitrate.

As I have explained before, that rulemaking is stalled because the cost-benefit analysis provided in the notice of proposed rulemaking makes it clear that the rulemaking is cost effective. In large part this is due to the requirement in §488a to register everyone that would buy ammonium nitrate, or act as an agent of someone buying ammonium nitrate from registered ammonium nitrate facilities. These requirements are not something that DHS or CISA (the action agency for the Ammonium Nitrate Security Program (ANSP) can change. Thompson, however, is in an excellent position to address the deficiencies in the legislative requirements for the program.

With that in mind, I would like to suggest some changes that could be made to Part J that would correct this and other problems noted in the comments received in the rulemaking process.

Definitions

Section 488 provides the definitions used in this Part and there are three changes to definitions in this section. First, the definition of ‘ammonium nitrate should be revised to provide clarity that it does not include any materials that are already regulated as ‘explosives. This can be accomplished by adding at the end of §488(1) a new subparagraph (C):

(C) “does not include any mixture regulated under §27 CFR Part 555.”

The second definitional change that should be made would be to resolve the issue where an individual could be both ‘an ammonium nitrate facility’ and ‘an ammonium nitrate purchaser’ depending on which side of a transaction they are in a given moment. This could be done by making the following modification to the definition of ‘ammonium nitrate purchaser’:

(3) Ammonium nitrate purchaser

The term ‘‘ammonium nitrate purchaser’’ means any person who purchases ammonium

nitrate from an ammonium nitrate facility that is not registered per this Part as an ammonium nitrate facility.

Finally, there was some concern from a number of commenters about the use of the term ‘unexplained loss of ammonium nitrate’ in §488d. Depending on the packaging mode a 50-lb could reasonably be determined to be an ‘inventory error’ not missing material. In instances where bulk shipments by barge are being discussed, it is apparently routine to have thousands of pounds being blown of the barges by the wind. Thus, ‘unexplained loss’ needs to be tied to the packaging/transport mode of the material. With that in mind, we could add the following definition of that term in this section:

(4) Unexplained Loss of Ammonium Nitrate

The term ‘unexplained loss of ammonium nitrate’ means a negative change in inventory of ammonium nitrate in an amount set for each type of packaging (bags, bulk bags, and bulk) by the Secretary, after notice and an opportunity for comment, that does not have a readily apparent cause.

Regulation of the sale and transfer of ammonium nitrate

Section §488a is where the bulk of the proposed changes are going to be required. The first item that needs to be addressed is the issue of what ammonium nitrate mixtures (other than registered explosives that were addressed above) would be covered by the ANSP. The original language required DHS to establish what percentage of ammonium nitrate in a mixture would be covered but did not address what the de minimis amount would be. With that in mind I would suggest the following change to §488a(b):

(b) Ammonium nitrate mixtures­­­­­­­­­

Not later than 90 days after December 26, 2007,

the   The Secretary, in consultation with the heads of appropriate Federal departments and agencies (including the Secretary of Agriculture), shall, after notice and an opportunity for comment, establish a threshold percentage for ammonium nitrate in a substance and the minimum amount of ammonium nitrate mixture that shall be regulated under this Part.

This is the section of Part J that deals with the requirement to register purchasers of ammonium nitrate that I am proposing to remove. To delete this requirement, paragraph (d) would have to be deleted as would all references to “(d)” in the remainder of the section. Additionally, the renumbered paragraph (d), Records, would require a change to subparagraph (2)(B):

(A) record the name, address, and telephone number, and registration number issued under subsection (c) or (d) of each person that purchases ammonium nitrate, in a manner prescribed by the Secretary;

While the earlier change to the ammonium nitrate definition would exempt regulated explosive mixtures from coverage of Part J, it would not specifically exempt explosive manufacturers from coverage under this part. This could be accomplished by modifying paragraph (f), Exemption for explosive purposes, to read:

(f) Exemption for explosive purposes

The Secretary may will exempt from this part a person producing, or selling, or purchasing ammonium nitrate exclusively for use in the production of an explosive under a license or permit issued under chapter 40 of title 18.

This change will retain the reporting requirement for covered facilities selling ammonium nitrate to regulated explosives manufacturers, but that should have no practical effect on those regulated manufacturers.

The final change deals with another issue that was raised during the rulemaking comment process, that of the requirements dealing with vetting people against the terrorist screening data base. In the same manner that we saw with the CFATS personnel security vetting, a number of commenters wanted DHS to acknowledge the fact that many of the people involved in the regulated universe would already have been vetted by one or more DHS programs. To deal with that I would suggest changing the current wording of paragraph (i)(2)(A) to read:

(A) Check required

(i)The Secretary shall conduct a check of appropriate identifying information of any person seeking to register with the Department under subsection (c) or (d) against identifying information that appears in the terrorist screening database of the Department,

(ii) The Secretary will accept information about current status of other programs administered by the Department where identification is vetted against the terrorist screening database of the Department, in lieu of requiring new information being submitted on those individuals.

Other Matters

When Thompson pushed through the language that is now Part J, he included provisions requiring the regulations to be developed within 90-days, while still requiring the normal publish and comment rulemaking process for the regulations. This established a standard that could not be met and set the stage for the slow rulemaking process that resulted.

I would assume that Thompson still wants quick action on the revised rulemaking. With that in mind I would suggest that the legislation include wording to require DHS to publish a revised NPRM within six months of the rulemaking being adopted, with the final rule being published a year later. This would still be a tight schedule, but CISA has already done much of the hard work on the rulemaking; most of the remaining work is trimming language and recalculating costs.

Keep in mind that this Part is still a security program not a safety program. There is nothing in the original language or my proposed changes that would stop a catastrophic explosion at an ammonium nitrate storage facility like the world saw in Beirut or the nation saw at West Fertilizer. Those were apparently safety issues, not security problems. Those issues would have to be dealt with separately. This revision of Part J would just make it easier to stop people from legitimately acquiring ammonium nitrate for nefarious purposes.

Public ICS Disclosure – Week of 8-1-20

This week we have one new SigRed vendor disclosure from Draeger and one Ripple20 vendor update from Schneider.

Draeger Advisory

Draeger published a SigRed advisory announcing that none of their medical devices were affected by those vulnerabilities.

Schneider Update

Schneider published a Ripple20 advisory update for an advisory that was originally published on June 23, 2020 and most recently updated on July 29^th, 2020. The new information includes:

• Updated remediation for Uninterruptible Power Supply (UPS) using NMC2, and

• Corrected affected version and enhanced Remediation/Mitigation version details for Uninterruptible Power Supply (UPS) using NMC2