Monday, January 25, 2021

Latest GAO Report on CFATS Looks at Regulatory Collaboration

Last week the Government Accountability Office (GAO) published their latest report on the Chemical Facility Anti-Terrorism Standards (CFATS) program. This report looks at how the CFATS program interacts with eight other Federal chemical safety and security programs at both the Agency and installation levels. It includes a recommendation to legislate additional chemical security requirements for water treatment facilities.

Other Programs

The report looks at how much of an overlap there is in security requirements between the CFATS program and eight other Federal regulatory programs. Those programs are:

• Explosives materials Program (ATF),

• Maritime Transportation Security Act program (Coast Guard),

• Hazardous materials transportation program (DOT),

• Resource Conservation and Recovery Act program (EPA),

• Risk Management Program (EPA),

• America’s Water Infrastructure Act program (EPA),

• Pipeline Security Program (TSA), and

• Rail Security program (TSA)

Using a very broad (and loosely defined as “engage in similar activities”) term, ‘align’, the GAO reports that all eight programs align with “six of 18 CFATS standards regarding restricting area perimeter; securing site assets; screening and controlling access; deterring, detecting, and delaying an attack; deterring theft and diversion, and deterring insider sabotage” {pg 21, using .PDF page numbers}. A table spanning three pages outlines which CFATS risk-based performance standards (RBPS) each of the Federal programs aligns with.

What is clear from a detailed reading of the report is that GAO, in looking for alignment, was looking for areas where regulatory compliance with another program could be used, at least in part, to comply with CFATS security plan requirements under the RBPS. While the GAO admits that some program coordination has taken place under the EO 13650 Working Group (see their lite web page) it takes DHS to task for not continuing to work on clarifying where compliance with other programs fits into CFATS compliance. The first GAO recommendation addresses this:

“The Secretary of DHS should direct its chemical safety and security programs to collaborate with partners and establish an iterative and ongoing process to identify the extent to which CFATS-regulated facilities are also covered by other programs with requirements or guidance that generally align with some CFATS standards.” {pg 53}

More specifically, recommendation five goes on to say:

“The Director of DHS’s Cybersecurity and Infrastructure Security Agency should update CFATS program guidance or fact sheets to include a list of commonly accepted actions facilities may have taken and information they may have prepared pursuant to other federal programs, and disseminate this information.” {pg 54}

Further recommendations are made to EPA, ATF and DOT to look at how their programs interface with the CFATS program.

DHS concurred with both of the above recommendations and had this specific response to recommendation five:

“DHS concurred with recommendation 5, stating in its letter that, among other actions, CISA will update or create a new guidance document or fact sheet by December 31, 2021, that includes a list of commonly accepted actions CFATS-regulated facilities may have taken and information they may have prepared pursuant to other federal programs and disseminate this information.” {pg 56}

Water Treatment Facility Security

This report states that water treatment and wastewater treatment facilities that are exempt from the coverage of the CFATS program “may present attractive terrorist targets due to their large stores of potentially high-risk chemicals and their proximities to population centers” {pg 47}. They go on to note that an earlier report “found that the Risk Management Program regulates at least 1,100 public water system and 500 wastewater treatment works facilities for many of the same chemicals at the same threshold quantities as the CFATS program’s chemical release attack scenario” {pgs 47-8}.

There are significant differences between the security-aligned requirements of the Risk Management Program and Water Infrastructure Act programs and those of the CFATS program. “For example, the Risk Management Program and Water Infrastructure Act programs do not contain requirements or guidance regarding security training or background checks. In addition, while the Water Infrastructure Act program contains guidance on cybersecurity, the Risk Management Program does not.” {pg 48}

Water treatment facilities are also subject to the voluntary security guidelines of the American Water Works Association’s security practices management standard. The report goes on to note that EPA program officials reported that “the voluntary water and wastewater standards are not as comprehensive as the CFATS program’s 18 standards, and it is unclear the extent to which public water systems and wastewater treatment works implement the standard because its use is entirely voluntary” {pg 50}. Further, the report notes that DHS officials stated that “the general alignment of Water Infrastructure Act requirements or guidance with some CFATS standards may not reflect the level of security achieved because, unlike the CFATS program, the Water Infrastructure Act program does not include verification measures” {pg 51}.

The GAO makes two similar recommendations (#6 and #7) to DHS and the EPA about working with the other agency “to assess the extent to which potential security gaps exist at water and wastewater facilities and, if gaps exist, develop a legislative proposal for how best to address them and submit it to the Secretary of Homeland Security and Administrator of EPA, and Congress, as appropriate” {pg 54}.

Commentary

The Working Group formed under Obama’s chemical safety and security executive order kind of faded away during the Trump administration. While there was certainly some ongoing coordination, there was no incentive (and many political disincentives) to forge any new regulatory efforts. This is very likely to change under the Biden Administration, though it will not likely be a top priority. Congressional efforts, if the two committees in the House can better their coordination, may be more persuasive.

The one CFATS legislative initiative that I think may be possible this session is the introduction of bills to address the water facility security issue. The chance of their passage is still rather small given the CFATS three-year extension passed last year, but significant committee work and hearings this session may bear fruit in the 118th Congress.

Committee Hearings – Week of 1-24-21

With just the Senate in Washington this week the hearing schedule is very light. There will be Senate confirmation hearings (including DHS Secretary) and one organizational committee hearing in the House.

Energy and Commerce Organization

The House Energy and Commerce Committee will hold their organizational hearing on Friday. Nothing exciting here; just formal announcement of chairs and ranking members of the subcommittees and the adoption of committee rules and jurisdictions of the subcommittees (more on that in the Commentary section below).

Commentary

First, the Energy and Commerce subcommittee jurisdictions: It is always interesting to see how wide the scope of the responsibilities of House subcommittees is crafted. The wording in the E&C jurisdiction document is designed to be expansive rather than restrictive. The term ‘cybersecurity’ is specifically included in the description of jurisdiction in five of the six subcommittees listed; the only exception is the Subcommittee on Oversight and Investigations and their purview is wide enough to incorporate cybersecurity related topics. DHS oversight for all topics specified is included in the scope statement for all but the Consumer Protection and Oversight subcommittees.

Of particular interest in this blog is coverage for the Chemical Facility Anti-Terrorism Standards (CFATS) program. CFATS is not specifically mentioned (it is a relatively small program by federal agency standards) but it would be included in the jurisdiction of two subcommittees: Environment and Climate Change (under the ‘industrial plant security, including cybersecurity’ listing) and Communications and Technology (under the ‘the Cybersecurity and Infrastructure Security Agency in the Department of Homeland Security’ listing).

Last topic: Senate confirmation hearings. The Senate has approved two nominations to date and will almost certainly approve a third today; all with strong bipartisan majorities. Things will start to get trickier. One of the major roadblocks ahead is the current failure to reach an agreement on the organization of the Senate. With a 50-50 split, Sen Schumer (D,NY) and Sen McConnell (R,TN) have yet to decide how to split the chairs of the Senate Committees and thus the number of Republicans and Democrats on those committees. Generally speaking, the Committees are still operating under their 116th Congress organization.

With non-controversial nominees (like the first three) this is not a major headache. When we start to look at potentially more problematic nominees (like Alejandro Mayorkas, for DHS) this starts to cause problems. Sen Hawley (R,MO) has placed a hold on Mayorkas’ nomination because of immigration issues, and this will be a topic that will likely resonate in this week’s hearings. While Sen Peters (D,MI) is Chair, the Committee website still shows eight Republican members to five Democrats. I suspect that Mayorkas will be approved by the Committee, but the Hawley hold will still delay the consideration on the Senate floor.

Sunday, January 24, 2021

Reader Comments – Instrument Vulnerabilities

Earlier this week Jake Brodsky left a comment on my blog post about the Thursday batch of control system security advisories. It is not a long comment, but it is certainly worth reading. He makes the point that: “If you exploit FDT [fdtCONTAINER vulnerability] on an instrument to get it to execute arbitrary code, you can also get it to report incorrect values FROM THE INSTRUMENT.”

As a person who has spent thousands of hours monitoring chemical processes in a manufacturing environment for both safety and quality issues, I can tell you that the prospect of not being able to trust the numbers being provided by your control system was what scared me most about Stuxnet and caused my interest in control system cybersecurity.

Instrument level data is probably the most critical data used in an industrial control system. That is the data the software relies upon to make process decisions. Being able to manipulate that data means that you can effectively manipulate the process (with the caveat that you must understand the process and how the control system responds to various instrument inputs if you are going to be able to drive the process in a specific upset direction). If you are just trying to disrupt the process (shut it down or adversely affect product quality) then less process knowledge would be needed.

Jake also made the point that Joe Weiss has been harping on the vulnerability of sensors for quite some time now. I have talked to Joe about this on a couple of occasions and I agree with many of his concerns. But I also know that smart process engineers understand the criticality of sensor data; this is the reason that there are frequently multiple sensors measuring the same data, with protocols in place to deal with disagreements in sensor data.

As a process chemist I spent a lot of my process-upset investigation time looking for sensor failures by examining other process indicators; changes in pressure when valves opened or closed, changes in tank levels when pumps started and the like. Perhaps it is time to start building such data checks into our process controls, especially when safety-critical process changes are involved.
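The two kinds of checks described above (redundant transmitters with a disagreement rule, and confirming a reading against related equipment states) can be expressed as a small piece of logic that runs on each scan. This is an added example, not code from the blog or any vendor; the tag names, tolerances and scan records are constructed, and the fill-rate bound is an assumed engineering value.

```python
"""Plausibility checks for instrument data: 2-out-of-3 agreement on redundant
level transmitters, plus a cross-check of the level trend against the state
of the inlet pump and outlet valve. Example code; all values are constructed."""
from statistics import median
from typing import Sequence

LEVEL_AGREE_PCT = 2.0   # assumed: redundant transmitters must agree within 2 %
MIN_FILL_RATE = 0.3     # assumed: % level rise per scan when filling, outlet shut


def vote_2oo3(readings: Sequence[float], tol: float = LEVEL_AGREE_PCT):
    """Accept the median; flag any transmitter more than `tol` from it.
    Raises ValueError when fewer than two agree, since then no value can be
    trusted and the control logic should move to its safe state."""
    m = median(readings)
    suspect = [i for i, r in enumerate(readings) if abs(r - m) > tol]
    if len(readings) - len(suspect) < 2:
        raise ValueError(f"no two transmitters agree: {readings}")
    return m, suspect


def check_fill_consistency(prev_level, level, inlet_pump_on, outlet_valve_open,
                           min_rate=MIN_FILL_RATE):
    """Return True if the level change is consistent with the equipment state.
    Pump on and outlet shut: level must rise. Nothing moving: level must hold.
    A violation means the level, pump or valve signal (or the process) is wrong,
    so the value should not be acted on blindly."""
    delta = level - prev_level
    if inlet_pump_on and not outlet_valve_open:
        return delta >= min_rate
    if not inlet_pump_on and not outlet_valve_open:
        return abs(delta) < min_rate
    return True  # mixed in/out flow: no simple bound, treat as plausible


def scan(history):
    """Run both checks over scan records (lt1, lt2, lt3, pump_on, valve_open)
    and return the alarm strings raised."""
    alarms, prev = [], None
    for n, (a, b, c, pump, valve) in enumerate(history):
        try:
            level, suspect = vote_2oo3((a, b, c))
        except ValueError as e:
            alarms.append(f"scan {n}: {e}")
            prev = None
            continue
        if suspect:
            alarms.append(f"scan {n}: transmitter(s) {suspect} disagree, using {level}")
        if prev is not None and not check_fill_consistency(prev, level, pump, valve):
            alarms.append(f"scan {n}: level {level} inconsistent with pump={pump}")
        prev = level
    return alarms


# Constructed scans: steady fill, one transmitter drifts high (outvoted), then
# all three hold a constant value while the pump keeps running (frozen data).
SAMPLE = [
    (50.0, 50.1, 49.9, True, False),
    (50.5, 50.6, 50.4, True, False),
    (51.0, 54.0, 50.9, True, False),
    (51.5, 51.6, 51.4, True, False),
    (51.5, 51.6, 51.4, True, False),
]

if __name__ == "__main__":
    for line in scan(SAMPLE):
        print(line)
```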

Finally, it would be helpful if the people writing these advisories were a little clearer about the processes that could be affected by the vulnerabilities. I would be surprised if many security managers understood that the fdtCONTAINER vulnerability had specific implications for process sensors. Only a very close reading of the NCCIC-ICS advisory would point you at that fact unless you were involved in process engineering (the key tell for non-engineers like myself was the involvement of Emerson and the RTIS).

Saturday, January 23, 2021

Public ICS Disclosures – Week of 1-16-21

This week we have six vendor disclosures from ABB, Bosch, Belden, WEIDMUELLER, PulseSecure, and Siemens. We have two researcher reports on products from Selea.

ABB Advisory

ABB published an advisory describing an unauthenticated crafted packet vulnerability in their AC500 V2 PLCs. The vulnerability was reported by Yossi Reuven of SCADAfence. ABB has a new firmware version that mitigates the vulnerability. There is no indication that Reuven was provided an opportunity to verify the efficacy of the fix.

Bosch Advisory

Bosch published an advisory describing two vulnerabilities in their Bosch Fire Monitoring System. The vulnerabilities are self-reported. Bosch has a patch that mitigates the vulnerabilities.

The two reported vulnerabilities are:

• Use of hard-coded credentials - CVE-2020-6779, and

• Use of password hash with insufficient computational effort - CVE-2020-6780

Belden Advisory

Belden published an advisory describing a firewall bypass vulnerability in their WLAN (HiCLOS) products. The vulnerability is self-reported. Belden has updates available that mitigate the vulnerability.

WEIDMUELLER Advisory

CERT-VDE published an advisory discussing the fdtCONTAINER vulnerability in the WEIDMUELLER WI Manager. WEIDMUELLER continues to work on mitigation measures for this vulnerability.

PulseSecure Advisory

PulseSecure published an advisory discussing a third-party (OpenSSL) null pointer dereference vulnerability in their products. They can report that their Pulse Secure vADC is not affected, but they are still looking at other products.

Siemens Advisory

Siemens published an out-of-zone advisory discussing the DNSpooq vulnerabilities in their SCALANCE and RUGGEDCOM devices. Siemens has provided generic workarounds to mitigate the vulnerabilities pending further development efforts.

Selea Reports

Zero Science Labs has published a report describing a cross-site scripting vulnerability in the Selea CarPlateServer. Zero Science reports coordinating with Selea but is unaware of any mitigation measures developed by the company. LiquidWorm has published an exploit for this vulnerability.


Zero Science Labs has published a report describing a privilege escalation vulnerability in the Selea CarPlateServer. Zero Science reports coordinating with Selea but is unaware of any mitigation measures developed by the company. LiquidWorm has published an exploit for this vulnerability.

Friday, January 22, 2021

Last Trump EO’s Published – Includes UAS Order

Amid the news reports about the series of Executive Orders published this week by President Biden, reporters have missed that four new EO’s signed by President Trump on Monday were published in today’s Federal Register. Those EO’s include:

• Agency Rulemaking; Efforts To Ensure Democratic Accountability (EO 13979),

• Federal Buildings and Facilities: Building the National Garden of American Heroes (EO 13978),

• Regulatory Reform; Efforts To Protect Americans From Overcriminalization (EO 13980), and

• Unmanned Aircraft Systems; Efforts To Protect U.S. (EO 13981)

Each of these EO’s is a legitimate executive order that has almost the force of law on the incoming Biden Administration. I say ‘almost the force of law’ because President Biden can eliminate the requirements imposed by these EO’s with a stroke of his own pen, as he did on Wednesday with his signature on EO 13992, Federal Regulation; Revocation of Certain Executive Orders (which will be published in Monday’s Federal Register).

None of the EO’s published today were on the list of revoked EO’s in paragraph 2 of EO 13992. That may be due (I’m guessing here) to the fact that the incoming Administration was not cognizant of these EO’s when they prepared EO 13992, but as likely (again I’m guessing), these four did not raise the same level of concern as the 7 EO’s revoked by Biden’s order.

UAS EO

According to the preamble to the EO, it was issued due to Trump’s concerns “that additional actions are necessary to ensure the security of Unmanned Aircraft Systems (UAS) owned, operated, and controlled by the Federal Government; to secure the integrity of American infrastructure, including America's National Airspace System (NAS); to protect our law enforcement and warfighters; and to maintain and expand our domestic industrial base capabilities.”

Most of the EO deals with limiting the Federal government’s use of UAS that are “manufactured by foreign adversaries or have significant components that are manufactured by foreign adversaries” {§3(a)}.

There is one section, however, that has nothing to do with the use of UAS by the Federal Government. Section 4 calls for restricting the use of UAS on or over critical infrastructure or other sensitive sites. It requires the FAA, within 270 days, to propose regulations pursuant to section 2209 of the FAA Extension, Safety, and Security Act of 2016 (Public Law 114-190, 130 STAT 634).

Those regulations were supposed to establish “a process to allow applicants to petition the Administrator of the Federal Aviation Administration to prohibit or restrict the operation of an unmanned aircraft in close proximity to a fixed site facility” {§2209(a)}. The required regulations were supposed to have already been proposed within 180 days of the bill’s enactment on July 15th, 2016. In other words, the regulations were supposed to have already been written by Trump’s FAA.

It will be interesting to see how the Biden Administration deals with this portion of EO 13981.

Bills Introduced – 1-21-21

Yesterday, with both the House and Senate in session, there were 81 bills introduced. Of those, one bill will receive additional coverage in this blog:

HR 397 To amend the Homeland Security Act of 2002 to establish chemical, biological, radiological, and nuclear intelligence and information sharing functions of the Office of Intelligence and Analysis of the Department of Homeland Security and to require dissemination of information analyzed by the Department to entities with responsibilities relating to homeland security, and for other purposes. Rep. Gimenez, Carlos A. [R-FL-26]

While Gimenez is a first term Representative, this bill sounds very much like HR 1589 from last session. That bill was introduced by Rep. Walker (R,NC) who is no longer in Congress. That bill was passed in the House in 2019 and amended/adopted by the Senate Homeland Security and Governmental Affairs Committee, but it was never taken up by the full Senate.

Thursday, January 21, 2021

5 Advisories Published – 1-21-21

Today CISA’s NCCIC-ICS published five control system security advisories for products from WAGO, Mitsubishi Electric, Honeywell, and Delta Electronics (2).

WAGO Advisory

This advisory describes a deserialization of untrusted data vulnerability in the M&M Software fdtCONTAINER (M&M is a subsidiary of WAGO). The vulnerability was reported by Emerson. M&M has a new version that mitigates the vulnerability (but it would not be compatible with existing projects). There is no indication that Emerson has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low skilled attacker could exploit the vulnerability via a social engineering attack to allow malicious code to be executed without notice.

NCCIC-ICS reports that this vulnerability affects products from Emerson and PEPPERL+FUCHS.

NOTE: I briefly discussed this vulnerability last Saturday, but I was not aware that M&M was a subsidiary of WAGO.

Mitsubishi Advisory

This advisory describes an uncontrolled resource consumption vulnerability in the Mitsubishi MELFA product line. The vulnerability was reported by Qi An Xin Group, Inc. Mitsubishi has provided generic mitigation measures for the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to cause a denial-of-service condition.

NOTE: NCCIC-ICS provided an incorrect link for the Mitsubishi advisory (listed as ‘Mitsubishi Electric website’ in this advisory). The link should have been https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-019_en.pdf.

Honeywell Advisory

This advisory describes four vulnerabilities in the Matrikon (a subsidiary of Honeywell) OPC UA Tunneller. The vulnerabilities were reported by Uri Katz of Claroty. Matrikon has a new version that mitigates the vulnerabilities. There is no indication that Katz has been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Heap-based buffer overflow - CVE-2020-27297,

• Out-of-bounds read - CVE-2020-27299,

• Improper check for unusual or exceptional conditions - CVE-2020-27274, and

• Uncontrolled resource consumption - CVE-2020-27295

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to disclose sensitive information, remotely execute arbitrary code, or crash the device.

TPEditor Advisory

This advisory describes two vulnerabilities in the Delta TPEditor. The vulnerabilities were reported by kimiya via the Zero Day Initiative. Delta has a new version that mitigates the vulnerabilities. There is no indication that kimiya has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Untrusted pointer dereference - CVE-2020-27288, and

• Out-of-bounds write - CVE-2020-27284

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to allow an attacker to execute code under the privileges of the application.

ISPSoft Advisory

This advisory describes a use after free vulnerability in the Delta ISPSoft PLC program development tool. The vulnerability was reported by Francis Provencher via ZDI. Delta has a new version that mitigates the vulnerability. There is no indication that Provencher has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to allow an attacker to execute code under the privileges of the application.
