Committee Hearings – Week of 9-27-21

This week with both the House and Senate in session, and the end of the fiscal year at week’s end, there is a full slate of hearings on both sides of the Capitol. Of interest here are oversight hearings for TSA, the CSB and DHS. Lots of important action on the floor of both the House and Senate. It will be a busy week.

Oversight Hearings

On Wednesday, the House Homeland Security Committee will hold a hearing on “20 Years After 9/11: The State of the Transportation Security Administration”. The witness list will include David Pekoske, the current TSA Administrator and three former Administrators. While this should be a wide ranging discussion, it will probably focus on air travel security as that has been the agency’s focus over its life, but pipeline security questions will be raised.

On Wednesday, the Oversight and Investigations Subcommittee of the House Energy and Commerce Committee will hold a hearing on “Protecting Communities from Industrial Accidents: Revitalizing the Chemical Safety Board”. No witness list is currently available.

On Thursday, the Oversight, Management, and Accountability Subcommittee of the House Homeland Security Committee will hold a hearing on “20 Years After 9/11: Transforming DHS to Meet the Homeland Security Mission”. The witness list includes:

• Chris Currie, Government Accountability Office,

• Randolph “Tex” Alles, DHS,

• Angela Bailey, DHS

Looking at the witness list, I suspect that this hearing will concentrate on personnel issues. Cybersecurity workforce issues could be addressed.

On the Floor in the Senate

A cloture vote on HR 5305, the Extending Government Funding and Delivering Emergency Assistance Act (FY 2022 Spending continuing resolution plus debt limit extension), is scheduled for early this evening. If this gets the necessary 60 votes to continue debate (not likely) then the Senate will approve the bill later this week. If it fails, the ball would be tossed back to the House for a clean continuing resolution. Plenty of time before the continued government funding is required by Midnight Thursday.

On the Floor of the House

Last month, Speaker Pelosi promised the moderate Democrats a vote on the Senate version of HR 3684, the bipartisan infrastructure bill, today. Instead, it looks like all they are going to get today is a one-hour debate on the bill. The vote is apparently being slipped to Thursday to perhaps give the progressive wing of the Party a chance to vote on their expensive Build Back Better Act. HR 3684 needs to pass before Thursday Midnight as the authorization for most transportation programs expires at that time. This would not be as drastic as a government shutdown, critical programs would continue to operate (if a spending measure is in place), but regulatory enforcement efforts would face legal hurdles.

The final version of the Build Back Better Act is still not completed. The bill was marked up by the House Budget Committee on Saturday, but final changes will take place in the House Rules Committee. No hearing for that consideration is currently scheduled according to the Rules Committee website. Which indicates that horse trading is still going on behind closed doors. This bill is likely to come to the floor with limited debate and no amendments. The progressive Democrats want a floor vote on this bill before HR 3684 is considered.

According to Majority Leader Hoyer’s (D,MD) Weekly Leader site the House should take up two cyber security related bills (along with 10 other bills) under the suspension of the rules process. As I wrote last week, these were also potentially on the schedule last week, but were never taken up. The two bills are:

• HR 4611 – DHS Software Supply Chain Risk Management Act of 2021, and

• S 1917 – K-12 Cybersecurity Act of 2021

Review - Cybersecurity for the Manufacturing Sector – SP 1800-10 (draft)

Earlier this week the National Institute of Standards and Technology (NIST) published a draft of SP 1800-10, Protecting Information and System Integrity in Industrial Control System Environments. The new document provides a practical example solution to help manufacturers protect their Industrial Control Systems (ICS) from data integrity attacks. NIST is soliciting comments on this new document.

NIST is soliciting comments on the Draft of SP 1800-10. Comments should be submitted via email (manufacturing_nccoe@nist.gov) or by filling out the web form. Comments should be submitted by November 7^th, 2021.

Commentary

This document provides an important look at how cybersecurity can be successfully engineered into an industrial control system. How useful that example will be for actual manufacturing systems remains to be seen. Looking at this document, it would appear that a high-level of IT knowledge will be required to implement the solutions reported in the document. Whether that level of support is readily available in small manufacturing of chemical facilities remains to be seen.

What is not clear from this document is how much work is needed to implement these tools. A description of the time needed to set up the equipment for these relatively simple control systems would be helpful, but I am not sure how well that would scale to real world control systems with hundreds of control devices and sensors. It is also not clear how much response action would be required by facilities to address the error messages and log files generated by such a system. Is a security operation center necessary or will facilities have to rely on already overstressed operators to deal with these results?

For understandable reasons, these test beds to not address process safety issues that must be taken into account when assessing security risks at a facility; even the Tennessee Eastman simulation fails to address this represents a generic chemical process without considering chemical hazards. I do wish, however, that there had been some discussion about the role process safety has in any process control system risk evaluation.

One final comment. I was really pleased to see that all of the test evaluations showed that the tested systems prevented the design criteria attacks. It shows that cybersecurity controls in a control system environment are possible. I would be surprised, however, to hear that they all did so on the first attempt. It would be helpful if initial testing-failure descriptions and a discussion of remedial actions taken were presented. It would also be helpful if NCCOE were to report on a well-funded red-team attack on the platforms tested.

For more details on the document and the systems evaluated, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cybersecurity-for-the-manufacturing  - subscription required.

Review - S 2792 Introduced – FY 2022 NDAA

Earlier this week, Sen Reed (D,RI) introduced S 2792, the National Defense Authorization Act (NDAA) for Fiscal Year 2022. This is the version of the NDAA reported by the Senate Armed Forces Committee that will probably be substituted for the House language of HR 4350 when it is considered in the Senate. As with the House bill, S 2792 has a Title on cyber operations, including a report on DOD support for CISA. It also includes authorization language for a civilian cybersecurity reserve pilot and a brief discussion about technical debt.

As I mentioned above, when the Senate begins consideration of HR 4350, the version of the NDAA that passed this week in the House, there is typically an amendment in the form of a substitute that is offered for the Senate’s consideration. This bill will form the base for that amendment. There will be a vigorous floor amendment process, though it will not include nearly as many amendments as did the House debate.

Once the Senate passes that amended version, it will go back to the House for consideration of the new language. I would expect that the House will ‘insist’ on its version and the bill will then go to conference to work out the compromise version that will get to the President for signature. I expect that most of the House cybersecurity amendments will remain in that version.

For more details about the cybersecurity provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2792-introduced - subscription required.

GAO Publishes Grid Resiliency Overview

This week the Government Accountability Office published a report on “Electricity Grid Resilience”. This is a brief, 2-page, overview of recent GAO reports on the topic. It does highlight previous GAO recommendations that have not yet been implemented. Includes discussion of cybersecurity and physical security risks.

Review - Public ICS Disclosures – Week of 9-18-21

This week we have seven vendor disclosures from ABB, Pilz, Hitachi, Johnson and Johnson, Philips, SonicWall, and VMware.

ABB Advisory - ABB published an advisory describing an integrity check bypass vulnerability in their free@home System Access Point products.

Pilz Advisory - VDE CERT published an advisory discussing the  INFRA:HALT vulnerabilities in Pilz products.

Hitachi Advisory - Hitachi published an advisory describing an authentication bypass vulnerability in their Disk Array Systems.

Johnson and Johnson Advisory - Johnson and Johnson published an advisory discussing the BadAlloc vulnerabilities in their products.

Philips Advisory - Philips published an advisory discussing two recently reported Apple® vulnerabilities.

SonicWall Advisory - SonicWall published an advisory describing an improper limitation of a file path to a restricted directory vulnerability in their SMA 100 Series Appliances.

VMware Advisory - VMware published an advisory describing 19 vulnerabilities in their vCenter Server and Cloud Foundation products.

For more details about the advisories, including listing of VMware multiple vulnerabilities and links to researcher advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-9-7bc - subscription required.

Review - DOC Publishes IaaS Cybersecurity ANPRM – 9-24-21

Today the Department of Commerce published an advance notice of proposed rulemaking (ANPRM) in the Federal Register (86 FR 53018-53021) on “Taking Additional Steps to Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities”. This action is being taken in response to requirements in EO 13984, Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities. This ANPRM was sent to OMB’s Office of Information and Regulatory Affairs on August 6^th, and approved by OIRA on September 13^th.

DOC is soliciting responses from the public and industry on the issues raised in today’s ANPRM notice. Comments may be submitted via the Federal eRulemaking Portal (www.regulations.gov; Docket # DOC-2021-0007). Comments should be received by October 25^th, 2021.

For further details about the EO 13984 requirements and the questions for which DOC is seeking answers, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/doc-publishes-iaas-cybersecurity - subscription required.

TSOB Ratifies TSA Pipeline Security Directive #2

Today DHS published a notice in the Federal Register (86 FR 52953) announcing that the Transportation Security Oversight Board (TSOB) has ratified Transportation Security Administration (TSA) Security Directive Pipeline-2021-02. That security directive was issued on July 19^th, 2021.

This review and ratification is required under 49 USC 114(l)(2)(B). That subparagraph only allows an emergency order to last for 90-days unless ratified by the TSOB. According to today’s notice, the TSOB met on August 4^th, 2021 and ratified the Security Directive ‘in its entirety’ on August 17^th, 2021.

The TSOB was established under 49 USC 115. It consists of seven members or their designees

• The Secretary of Homeland Security,

• The Secretary of Transportation,

• The Attorney General,

• The Secretary of Defense,

• The Secretary of the Treasury,

• The Director of National Intelligence, and

• One member appointed by the President to represent the National Security Council.