3 Advisories and 2 Updates Published – 12-12-19

Today the CISA NCCIC-ICS published three control system security advisories for products from Omron (2) and Advantech. They also updated a medical device advisory for products from Philips and a multi-vendor advisory.

Omron Advisory #1

This advisory describes and improper restriction of excessive authentication attempts vulnerability in the Omron CJ, CS and NJ Series PLCs. The vulnerability was reported by n0b0dy. Omron provides generic workarounds to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to brute force login credentials, obtain unauthorized access of the system, and may allow an attacker unauthorized access to the FTP interface.

Omron Advisory #2

This advisory describes three vulnerabilities in the Omron CJ and CS Series PLCs. The vulnerabilities were reported by Wang Zhibei and n0b0dy. Omron provides generic workarounds to mitigate the vulnerabilities.

The three reported vulnerabilities are:

• Authentication bypass by spoofing - CVE-2019-18259;

• Authentication bypass by capture/replay - CVE-2019-13533; and

• Unrestricted externally accessible lock - CVE-2019-18269

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to pose as an authorized user to obtain the status information of the PLC.

Advantech Advisory

This advisory describes a stack-based buffer overflow vulnerability in the Advantech DiagAnywhere Server. The vulnerability was reported by Z0mb1E via the Zero Day Initiative. The device is no longer supported.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to may allow remote code execution.

Philips Update

This update provides additional information on an advisory that was originally published on November 14^th, 2019. The new information is an additional generic workaround to mitigate the vulnerability.

PLC Cycle Time Influences Update

This update provides additional information on an advisory that was originally published on April 16^th, 2019. The new information is the addition of another affected product from Phoenix Contact.

Interesting Twitter Thread

An interesting Twitter® thread today about record number of vulnerabilities in a single advisory. Spoiler alert: Siemens is not the record holder.

CSB Publishes Accidental Release Reporting NPRM

Today the Chemical Safety and Hazard Investigation Board (CSB) published a notice of proposed rulemaking (NPRM) in the Federal Register (84 FR 87899-67910) to establish an accidental release reporting requirement under 42 USC 7412(r)(6)(C). An advanced notice of proposed rulemaking for this action was published on June 25^th, 2009. This rulemaking is moving forward as a result of Federal District Court order in Air Alliance Houston et al v. U.S. Chemical Safety and Hazard Investigation Board.

The rule would add a new part to 42 CFR; Part 1604. The rule would require the owner/operator of any stationary source to report “any accidental release resulting in a fatality, serious injury or substantial property damages” {new §1604.3(a)}.

Definitions

Section 1604.2 provides a number of definitions of terms used in the rule. The definitions include:

• Accidental release;

• Ambient air;

• Extremely hazardous substance;

• General public;

• Owner or operator;

• Property damage;

• Regulated substance;

• Serious injury;

• Stationary source; and

• Substantial property damage.

Two of those definitions are taken directly from 42 USC 7412(r). The remainder are ‘new’ definitions that pertain only to this section. Two of those new definitions directly affect the reach of this new reporting requirement: ‘serious injury’ and ‘substantial property damage’. This is due to the scope of the Board’s jurisdiction in §7412(r)(6)(C)(i):

The Board [CSB] shall “investigate (or cause to be investigated), determine and report to the public in writing the facts, conditions, and circumstances and the cause or probable cause of any accidental release resulting in a fatality, serious injury or substantial property damages”.

The term ‘serious injury’ would mean any injury that results in:

• Death;

• One or more days away from work;

• Restricted work or transfer to another job;

• Medical treatment beyond first aid;

• Loss of consciousness; or

• Any injury or illness diagnosed by a physician or other licensed health care professional, even if it does not result in death, days away from work, restricted work or job transfer, medical treatment beyond first aid, or loss of consciousness.

The term ‘substantial property damage’ means “estimated property damage at or outside the stationary source equal to or greater than $1,000,000.

Reporting Requirements

Section 1604.3 requires that an owner or operator of a stationary source provide a report of any “any accidental release resulting in a fatality, serious injury or substantial property damages” {§1604.3(a)}. Any such report that is provided to the National Response Center (NRC) under 40 CFR 302.6 does not have to be reported directly to the CSB. Any report not provided to the NRC would be sent to the CSB via “email to: report@csb.gov, or by telephone at 202-261-7600” {§1604.3(c)}. Email or snail mail may be used to provide CSB with revised or updated information regardless of where the original report was sent.

Section 1604.4 provides a detailed list of what information is to be included in reports under this part. If any of that information was not provided in a reporting to the NRC (there are no specified information requirements in §302.6), presumably that information would be required to be directly supplied to the CSB.

Section 1604.5 provides for the enforcement of the requirements of Part 1604 under authority of 42 USC 7413 and 42 USC 7414.

Information Collection Request

As with all new rulemakings, the CSB has included an information collection request (ICR) in this NPRM. The new ICR includes the following burden estimates:

• Estimated responses per year: 200

• Hourly reporting burden per year: 50 hours (15 minutes per response)

• Dollar reporting burden per year: $1,860.00 ($37.20 average hourly wage per respondent)

Public Comments

The CSB is soliciting public comments on this NPRM. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # CSB-2019-0004). Comments need to be submitted by January 13, 2020.

Commentary

First off, lets start with the comment deadline. This rulemaking is going to affect a large segment of the manufacturing and retail industries (not just the chemical industry). While the monetary cost of reporting is rather low, the cost of putting compliance activities into place could be significant and could affect a number of small businesses that do not normally consider chemical incident reporting to be a concern. I expect that we will see any number of business advocacy groups request an extension of the comment period to a more normal 60-day period, particularly given the holiday season.

Next, I am not sure where the CSB came up with the unrealistic ‘200 annual responses’ for the ICR portion of the NPRM. Earlier in the preamble during the ‘Small Entity Impact’ portion of the analysis, the CSB notes that:

“In order to estimate the percentage of reports that would likely be filed by small businesses each year, the CSB reviewed the 1,923 accidental releases [emphasis added] to determine how many releases could be matched to a NAICS code and how many distinct NAICS codes were represented.”

There is no mention of what database was used for that analysis, but according to footnote 6 that data was accumulated over a 10.5-year period. That would appear to be where the ‘200 responses per year’ estimate comes from. I suspect that the database being used is woefully underreporting the types of releases that would be required to be reported under the proposed rule.

Using the ‘serious injury’ definition provided in the new §1604.2 any OSHA reportable injury that was due to a chemical release would require a CSB report. In fact, many injuries that would not be OSHA reportable (those not resulting doctor visits yet not resorting to prescribed medications for instance) would meet the ‘medical treatment beyond first aid’ standard requiring CSB incident reporting. None of the chemical facilities that I worked at in over 20 years in the industry would have gone more than six months or so without an incident that would have been reportable under that standard. The least-safe facility would have had to make a CSB report at least once a week under this standard.

I have a Google® search that I use to track chlorine releases and at least once a week it returns a local news article about a pool-chemical style incident where chlorine gas was released due to improperly mixed chemicals where at least one person needed to seek medical attention. A similar search for ammonia releases returns frequent news reports for small leaks from commercial refrigeration units that result in medical attention or hospital stays. The universe of the reports that would be required is many orders of magnitude larger than what CSB is expecting in this NPRM.

Now, I do not want anyone to misunderstand the comments above. I think that CSB is underestimating the extent of the problem, but that is because no one is attempting to collect the data. This data collection effort is, in my opinion, very necessary. As a society we need to have a better understanding of the nature of the chemical exposure problems that we face.

I do not think that CSB has any real need to ‘investigate’ the vast majority of these incidents. They have neither the manpower nor the money for such an extended effort. They are not able to investigate more than a dozen or so major chemical incidents each year and those investigations are where the bulk of the CSB’s efforts needs to be concentrated.

But, with a more complete data base of accidental chemical exposures, CSB could undertake one or two characteristic investigations each year that would look at one or two chemicals or chemical classes that result in a large number of injuries each year. That type of investigation could result in changes in chemical communications or chemical handling or even removing dangerous chemicals from commercial (as opposed to industrial) use. And that kind of investigation could prevent as many injuries or save as much money as any major chemical investigation that the Board undertakes.

To make that work, however, we need to get passed email reports (or even worse, snail-mail reports). The reporting structure needs to be more accessible and easier to ensure that more people are providing the reports and that the information being collected is more complete and useful. The way to do this would be to set up a web application where a form was provided with check-boxes and minimalistic fill-in-the-blank spaces. The resulting report would be readily accessible for machine-reading and analysis with human alert notifications for the worst incidents.

Finally, the regulations (and the form I described above) needs to make clear the fact that 42 USC 7412(r)(6)(G) makes is absolutely clear that:

“No part of the conclusions, findings, or recommendations of the Board relating to any accidental release or the investigation thereof shall be admitted as evidence or used in any action or suit for damages arising out of any matter mentioned in such report.”

Reports submitted to CSB under §1604 cannot be used (since they are part of the investigatory tools of the Board) against the party making the information submission. This needs to be made clear in this NPRM. A new section needs to be added to this proposed part:

§1604.7 Subsequent us of accidental release reporting information

In accordance with 42 USC 7412(r)(6)(G) none of the information provided in reports required under this part shall be admitted as evidence or used in any action or suit for damages arising out of any matter mentioned in such report.

NOTE: A copy of this blog post will be filed a comment on the docket for this rule and will be provided to the OMB’s Office of Information and Regulatory Affairs as a comment on the included ICR.

Bills Introduced – 12-11-19

Yesterday with both the House and Senate in session there were 34 bills introduced. One of those bills may see further coverage in this blog:

HR 5394 To amend the Homeland Security Act of 2002 to require certain coordination between the Department of Homeland Security and Federal and non-Federal entities relating to cybersecurity risks and incidents, and for other purposes. Rep. Taylor, Van [R-TX-3] 

PHMSA Issues LNG by Rail Special Permit

Today the DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) published a notice in the Federal Register (84 FR 67768-67769) announcing that it had approved a special permit [.PDF download link] for the transportation of liquified natural gas (LNG) by rail. PHMSA published an environmental assessment and a draft of the special permit back in June. The special permit issued last week has significant changes from the draft that were based upon comments received on the proposed permit and the notice of proposed rulemaking (NPRM) for allowing transportation of LNG by rail.

New Special Conditions

Today’s notice outlines the operational controls that were added to the Special Permit. They include:

• Each tank car must be operated in accordance with §173.319 except as specified in paragraph 7a of the permit;

• Shipments are authorized between Wyalusing, PA and Gibbstown, NJ, with no intermediate stops.

Within 90 days after issuance, the grantee shall prepare and submit a plan providing per shipment quantities, timelines, and other actions to be taken for moving from single car shipments to multi-car shipments, and subsequently to unit trains (20 or more tank cars).

• Trains transporting 20 or more tank cars authorized under this special permit must be equipped and operated with a two-way end of train device as defined in 49 CFR 232.5 or distributed power as defined in 49 CFR 229.5.

• Prior to the initial shipment of a tank car under this special permit, the grantee must provide training to emergency response agencies that could be affected between the authorized origin and destination. The training shall conform to NFPA-472, including known hazards in emergencies involving the release of LNG, and emergency response methods to address an incident involving a train transporting LNG.

• While in transportation, the grantee must remotely monitor each tank car for pressure, location, and leaks.

The paragraph 7(a) requirements refer to the packaging limitations for the DOT 113C120W railcars. They include:

• Maximum permitted filling density – 32.5% (regulation authorizes 51.1% for ethylene);

• Maximum authorized operating pressure when offered for transportation – 15-psig (regulation authorizes 20-psig for ethylene); and

• Remote sensing for detecting and reporting internal pressure, location, and leakage (not required in regulation).

The Special Permit also imposes specific reporting requirements on the permit holder. These periodic reports include:

• Prior to first shipment – progress on the manufacture and delivery of railcars as well as scheduled first shipment date;

• During the life of the permit – quarterly reports on the number of shipments made under this permit; and

• Incident reports – written reports about “any incident involving a package or shipment conducted under terms of this special permit” {para 12a}.

Public Comments

PHMSA is soliciting public comments on this special permit. Comments should be filed under the docket for the LNG by Rail NPRM (www.regulations.gov; docket #PHMSA-2018-0025). That docket closes on December 23^rd, 2019.

Commentary

I am glad to see that PHMSA included a remote sensing requirement in this special permit. I had suggested a similar monitoring requirement in my comments submitted to the NPRM docket. I am a little bit disappointed that PHMSA did not include a temperature monitoring requirement, but pressure is the main safety consideration.

The permit language is a tad bit too vague about where the monitoring will take place and who is responsible for that monitoring. What is important, and should be carefully explicated in the NPRM, is the need for continuous monitoring while the cars are in transit and the ability to immediately contact both the affected train crew and local emergency response agencies if the monitoring detects a potential or actual transportation emergency.

I am very disappointed that the Special Permit did not specifically require the shipper and the carrying railroad to treat unit trains of LNG as High Hazard Flammable Trains (HHFT) under 49 CFR 171.8. Having said that, since the permit is for a specifically limited route and the shipper is required to provide LNG response training to all affected emergency response agencies along that route, the application of the HHFT rules may be overkill. That would not be the case with a blanket LNG by rail authorization envisioned in the NPRM.

7 Advisories and 6 Updates Published – 12-10-19

Today the DHS NCCIC-ICS published seven control system security advisories for products from Siemens and six updates for products from Siemens (5) and Interpeak.

EN100 Ethernet Module Advisory 

This advisory describes three vulnerabilities in the Siemens EN100 Ethernet Module. The vulnerabilities are self-reported. Siemens has a new version that mitigates the vulnerability.

The three reported vulnerabilities are:

• Improper restriction of operations within the bounds of a memory buffer - CVE-2019-13942;

• Cross-site scripting - CVE-2019-13943; and

• Relative path traversal CVE-2019-13944

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to execute remote code, cause a denial-of-service condition, and obtain sensitive information about the device.

SIMATIC S7-1200 Advisory

This advisory describes two vulnerabilities in the Siemens SIMATIC S7-1200 and S7-1500 CPU families. The vulnerabilities were reported by Eli Biham, Sara Bitan, Aviad Carmel, and Alon Dankner from Faculty of Computer Science, Technion Haifa; Uriel Malin and Avishai Wool from School of Electrical Engineering, Tel-Aviv University; and Artem Zinenko from Kaspersky. Siemens has updates that mitigate the vulnerabilities. There is no indication that any of the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Use of a broken or risky cryptographic algorithm - CVE-2019-10929; and

• Missing support for integrity check - CVE-2019-10943

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to modify network traffic or impact the perceived integrity of the user program stored on the CPU.

NOTE: Siemens originally published their advisory for these vulnerabilities back in August, but NCCIC-ICS never reported on it. Siemens published an update for their advisory today.

XHQ Operations Intelligence Advisory

This advisory describes three vulnerabilities in the Siemens XHQ Operations Intelligence. The vulnerabilities are self-reported. Siemens has a new version that mitigates the vulnerabilities.

The three reported vulnerabilities are:

• Cross-site request forgery - CVE-2019-13930;

• Improper neutralization of script-related HTML tags in a web page - CVE-2019-13931; and

• Improper input validation - CVE-2019-13932

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to read or modify contents of the web application.

SIMATIC Products Advisory

This advisory describes a use of broken or risky cryptographic algorithm vulnerability in the Siemens SIMATIC products. The vulnerability was reported by Eli Biham, Sara Bitan, Aviad Carmel, and Alon Dankner from Faculty of Computer Science, Technion Haifa; and Uriel Malin and Avishai Wool from the School of Electrical Engineering, Tel-Aviv University, reported this vulnerability to Siemens. Siemens has updates for three of the affected products. There is no indication that any of the researchers have been provided an opportunity to verify the efficacy of the fix.

An uncharacterized attacker could remotely exploit this vulnerability to allow an attacker already in a man-in-the-middle position to modify network traffic exchanged on Port 102/TCP. The Siemens advisory notes that the attack must conduct a man-in-the-middle attack to exploit the vulnerability.

RUGGEDCOM ROS Advisory

This advisory describes two vulnerabilities in the Siemens RUGGEDCOM ROS. The vulnerabilities are self-reported. Siemens has provided generic workarounds to mitigate the vulnerabilities.

The two reported vulnerabilities are:

• Improper restriction of operations within the bounds of a memory buffer - CVE-2018-18440; and

• Resource management errors - CVE-2019-13103

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to allow a denial-of-service condition or arbitrary code execution. The Siemens advisory reports that an attacker must have local access to exploit these vulnerabilities.

SiNVR Advisory

This advisory describes seven vulnerabilities in the Siemens SiNVR 3 video management solution. The vulnerabilities were reported by Raphaël Rigo from Airbus Security Lab. Siemens has provided generic workarounds for the vulnerabilities.

The seven reported vulnerabilities are:

• Cleartext storage of sensitive information in GUI - CVE-2019-13947;

• Improper authentication (2) - CVE-2019-18337 and CVE-2019-18341;

• Relative path traversal - CVE-2019-18338;

• Missing authentication for critical function - CVE-2019-18339;

• Weak cryptography for passwords - CVE-2019-18340; and

• Exposed dangerous method or function - CVE-2019-18342

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to read (and reset) passwords of other SiNVR 3 CCS (Central Control Server) users, read the CCS and SiNVR users database including the passwords of all users in obfuscated cleartext, list arbitrary directories or read files outside of the CCS application context, extract device configuration files and passwords from the user database, read data from the EDIR directory, read or delete arbitrary files, or access other resources on the same CCS server.

SCALANCE Advisory

This advisory describes an improper enforcement of message integrity during transmission in a communication channel vulnerability in the Siemens SCALANCE W700 and W1700 wireless communication devices. The vulnerabilities are self-reported.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to access confidential data. The Siemens advisory notes that the attacker must be within wireless range of the device to exploit the vulnerability.

SCALANCE Update

This update provides additional information on an advisory that was originally published on May 24^th, 2013. The new information includes:

• Added Scalance X-200 switch family;

• Updated CVSS Scores from CVSSv2 to CVSSv3.1; and

• SIPLUS devices now explicitly mentioned in the list of affected products

SIMATIC CP 343-1 Update

This update provides additional information on an advisory that was originally published on November 11^th, 2016 and most recently updated on March 21^st, 2017. The new information includes SIPLUS devices now explicitly mentioned in the list of affected products.

NOTE: Siemens most recently updated their advisory last month and those corrections about the S7-400 CPUs are not included in the NCCIC-ICS update. Unfortunately none of the versions (except the latest) of the Siemens advisory are listed on the Siemens CERT page and I did not see last month’s update.

SIPROTEC 5 Update

This update provides additional information on an advisory that was originally published on July 9^th, 2019 and most recently updated on August 13^th, 2019. The new information includes an update for SIPROTEC 5 relays with CPU variants CP200 and the respective Ethernet communication modules.

SINAMICS Update

This update provides additional information on an advisory that was originally published on August 15^th, 2019 and most recently updated on November 11^th, 2019. The new information includes updated version information and mitigation links for:

• SINAMICS SM120 V4.7; and

• SINAMICS SM120 V4.8

Industrial Products Update

This update provides additional information on an advisory that was originally published on September 10^th, 2019 and most recently updated on November 14^th, 2019. The new information includes:

• Added solution for SCALANCE W700; and

• SIPLUS devices now explicitly mentioned in the list of affected products

Interpeak (ICS) Update

This update provides additional information on an advisory that was originally published on October 1^st, 2019 and most recently updated on October 10^th, 2019. The new information is the addition for links to vendor advisories for:

• Siemens (SIPROTEC 5)

• Siemens (RUGGEDCOM)

NOTE: Both advisory links are to updates published today of Siemens advisories that were published earlier; August 2^nd, 2019 and September 10^th, 2019 respectively.

Additional Siemens Advisories

Siemens published one additional new advisory and two updates today that did not show up on the NCCIC-ICS page. We will probably see the other new advisory covered on Thursday.

House Passes Two Threat Analysis Bills – HR 3318 and HR 4402

Yesterday the House took up two homeland security bills related to threat analysis; HR 3318, the Emerging Transportation Security Threats Act of 2019; and HR 4402, the Inland Waters Security Review Act. Both bills were considered under the suspension of the rules process and were passed by a voice vote. There was very limited debate with nary a voice raised in opposition to either bill.

Both bills will probably be taken up in the Senate in the coming year. If considered in that body they would be handled under the Senate’s unanimous consent process with no debate and no actual vote. If even a single Senator objected to the bill, the bill would die a quite death. Neither bill is important enough to justify the time necessary to process the bill under regular order.

HR 4432 Reported in House – UAS Threat Assessment

Last month the House Homeland Security Committee published their report on HR 4432, the Protecting Critical Infrastructure Against Drones and Emerging Threats Act along with the amended version of that bill.

An interesting thing happened on the way to the Government Printing Office. Section 2(c) of the original bill seems to have disappeared. Readers will remember that I complained about that section of the bill that would have exempted DHS from the Information Collection Request requirements of the Paperwork Reduction Act. Now changes made to a bill after it has been approved in Committee are not too unusual, but there is language in the Report’s ‘Section-by-Section Analysis of the Legislation’ (pg 6, last paragraph). It will be interesting to see if the language is in the bill when it is passed in the House.

Yes, the bill will almost certainly be passed in the House after it is taken up under the suspension of the rules process and it will pass with a substantial bipartisan vote.