Review – 3 Advisories Published – 9-27-22

Today, CISA’s NCCIC-ICS published three control system security advisories for products from Rockwell Automation and Hitachi Energy.

 

Rockwell Advisory - This advisory describes a heap-based buffer overflow vulnerability in the Rockwell ThinManager ThinServer, a thin client and remote desktop protocol (RDP) server management software.

NOTE: I briefly discussed this vulnerability on Saturday.

Hitachi Advisory #1 - This advisory discusses two vulnerabilities (one with known exploit) in the Hitachi Energy Lumada Asset Performance Management (APM) Edge product.

NOTE: I briefly discussed these vulnerabilities on July 30^th, 2022.

Hitachi Advisory #2 - This advisory discusses an improper input validation vulnerability in the Hitachi Energy AFS660/AFS665 industrial switches.

NOTE: I briefly discussed these vulnerabilities on July 30^th, 2022.

 

For more details on these advisories, including links to third-party advisories and exploits, see my Article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-published-9-27-22 - subscription required.

MARAD Sends Tanker Security Program Interim Final Rule to OMB

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received from DOT’s Maritime Administration (MARAD) an interim final rule for “Tanker Security Program”. This rule supports the requirements of §3511 of the FY 2021 NDAA (PL 116-283, 134 STAT 4408). The new 46 USC Chapter 534 set forth in that legislation requires DOT, in coordination with DOD, to establish a ‘Tanker Security Fleet’ somewhat akin to the air reserve fleet that DOD can call upon in the event of a national emergency for airlift support. The TSP would provide for a fleet of tanker vessels that DOD could call upon for emergency fuel transport.

Short Takes – 9-26-22

Ian continues on perilous path toward Florida. WashingtonPost.com article. Headed for eastern Gulf Coast, still unsure where. Pull quote: “The uncertainty in the forecast stems from an approaching trough, or dip in the jet stream, over the northern United States. Ian may or may not hitch a ride. If it does, it would be scooped north and east more quickly and come ashore as a more serious hurricane in the Florida peninsula on Wednesday.”

NASA spacecraft will slam into an asteroid Monday — if all goes right. WashingtonPost.com article. DART mission impact expected Monday evening. Pull quote: ““We’ve got to have such technology,” he said. “It would be prudent upon us to test that all out ahead of time, so we’re not trying to do it for the first time when we really need it to work.””

Shutdown threat grows as lawmakers struggle to reach final deal. TheHill.com article. CR still has contentious components to work through. Pull quotes: “However, Republicans have been less open to funding for the nation’s monkeypox and coronavirus response efforts — a sentiment that appears to have only further cemented in light of Biden’s recent comments declaring the pandemic “over.””

Five things to know about NASA’s mission to hit an asteroid. TheHill.com article. DART mission overview. Pull quote: “DART is estimated to slam into Dimorphos around 7:14 p.m. at more than 14,000 miles per hour. NASA officials will be able to estimate the results of the strike by using ground-based telescopes.”

Medics ‘flying blind’ in fight against superbugs due to patchy diagnostics. Telegraph.co.uk article. Problems with antibiotic resistant bacteria in Africa. Pull quote: “Clinics and hospitals are also relying on a narrow arsenal of antibiotics. Four drugs make up two-thirds of all the antibiotics used in healthcare, the researchers found.” Remember monkeypox problems.

The U.S. Is Running Short of Land for Housing. WSJ.com article. Land use restrictions and lack of infrastructure causing problems. Pull quote: “Land-use restrictions and a lack of public investment in roads, rail and other infrastructure have made it harder than ever for developers to find sites near big population centers to build homes. As people keep moving to cities such as Austin, Phoenix and Tampa, they are pushing up the price of dirt and making the housing shortages in these fast-growing areas even worse.”

Thinking Like a Cyberattacker to Protect User Data. HomelandSecurityNewsWire.com article. Misleading title, look at potential side channel attacks. Pull quote: “When the researchers used this model to launch side-channel attacks, they were surprised by how quickly the attacks worked. They were able to recover full cryptographic keys from two different victim programs.”

Covid-tracking program lacked bare minimum cyber protections. WashingtonPost.com article. Look at since pulled restricted-distribution IG report. Pull quote: ““Cybersecurity controls for both systems were not implemented before employment because HHS officials prioritized deploying the systems for operational use to achieve the agency’s mission of combating the covid-19 pandemic over meeting all the federal requirements before deployment.”” Raise your hand if you are surprised…. No hands????

NASA strikes asteroid with spacecraft in historic planetary defense mission. TheHill.com article. DART hit the asteroid moon. Pull quote: “The DART team estimated they would have a full assessment on the collision in about two months, including details of how much the spacecraft pushed the asteroid out of its orbit. NASA and APL were hoping to change the orbit of Dimorphos by several minutes.”

CSB Deploys Team to Fatal Refinery Incident in Ohio

The Chemical Safety Board announced today that it is deploying an investigation team to the BP Toledo Refinery in Oregon, OH for a fire and explosion that occurred nearly a week ago on September 20, 2022. Initial news reports (here and here) reported that two brothers were killed in the explosion and fire at the refinery. The CSB announcement adds that there was an associated release of sulfur dioxide and hydrogen sulfide.

The CSB has been having problems completing their open investigations, recently reporting on the planned schedule for completing 16 open investigations. While working through these problems the CSB has not initiated any new investigations since July 2021 when the started the investigation into the acetic acid release at the LyondellBasell facility in La Porte, TX.

It is more than a little unusual for the CSB to take six days to decide to investigate a chemical incident. The late start means that they have to rely on other agencies to preserve the scene of the incident for investigators. All sorts of people have probably been at the accident scene. It is surprising how much stuff non-investigators pick up as souvenirs at explosion sites, no telling how much evidence has walked of the site since the fire/explosion last Tuesday.

This raises an interesting question. Did CSB receive additional information (the newly reported chemical release) that made an investigation a higher priority than completing reports? Or was there political pressure applied to the CSB to get them to get back in the investigation game?

Review - HR 8806 Introduced – Healthcare Cybersecurity

Earlier this month, Rep Crow (D,CO) introduced HR 8806, the Healthcare Cybersecurity Act of 2022. The bill would require CISA to work with the Department of Health and Human Services (HHS) to improve cybersecurity in the Healthcare and Public Health Sector. No additional spending is authorized in this bill.

Moving Forward

Neither Crow nor his single cosponsor {Rep Fitzpatrick (R,PA)} are members of the House Homeland Security Committee to which this bill was assigned for consideration. This means that it is unlikely that the bill will be considered in Committee. I see nothing in the bill that would engender any organized opposition. I suspect that the bill would receive broad bipartisan support if it were considered in either Committee or on the floor of the House.

Commentary

The requirement in §6(a)(3) to evaluate the “best practices for the deployment of trained Cyber Security Advisors and Cybersecurity State Coordinators of the Agency into Healthcare and Public Health Sector assets before, during, and after data breaches or cybersecurity attacks” is going to have to include a detailed look at the number of Cybersecurity Advisors available in each region versus the history of the number of healthcare sector cyber attacks. CISA has only limited information available on the number of Cyber Security Advisors that it has on staff, but it is no more than 2 or 3 for each of their ten regional offices. This certainly will not be enough to handle every healthcare cyberattack in the healthcare sector, much less the 15 critical infrastructure sectors.

If CISA is going to be an incident response agency for private sector organizations, they are going to have to dramatically increase the number of IR personnel they have in their regional offices, and I do not think that that is doable.

 

For more details about the bill’s requirements, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-8806-introduced - subscription required.

Short Takes – 9-24-22

Immediate Action is Needed to Protect the Homeland from Drone Threats. HSToday.us article. Discussion about provisions of S 4687. Pull quote: “But more is needed and more is needed now. To ensure that drones don’t disrupt or harm our way of life, we must provide federal, state, and local authorities with the complete set of tools to mitigate drone threats while maintaining the civil rights and liberties of responsible unmanned aircraft operators.” 

The Elusive Future of San Francisco’s Fog. NYTimes.com article. If you have ever spent time in San Francisco, you know about fog… Pull quote: “Every summer, fog breathes life into the Bay Area. But people who pay attention to its finer points, from scientists to sailors, city residents to real estate agents, gardeners to bridge painters, debate whether there is less fog than there used to be, as both science and general sentiment suggest.”

Unusual ‘Chlorine’ Incident in Rhode Island

A local TV station in Pawtucket, RI published a report yesterday about a chlorine gas incident at a residential building. It seems that a contractor was emptying a sewage (septic?) tank at the building, and during the process added ‘chlorine tablets’ (sodium hypochlorite, pool chlorine tablets probably) to the tank as part of some sort of disinfection process. An unusually high number of tablets were apparently used, and two residents were taken to the hospital for treatment for breathing problems because of chlorine gas exposure.

Sodium hypochlorite when dissolved in water produces ‘bleach’. Bleach is very reactive with a number of different chemicals and frequently releases chlorine gas as part of many of those reactions. Chlorine is detectable by smell at very low concentrations, and I would suspect that there should not have been enough chlorine gas released into the building to be a serious health hazard for healthy individuals. Unfortunately, any number of pre-existing diseases could make people susceptible to breathing problems with even very low concentrations of chlorine gas.

Interestingly, this incident probably triggers a requirement to report the incident to the CSB. We certainly had a chemical release (chlorine gas) which caused serious injuries (2 hospital admissions). This was not a transportation related event, so the incident occurred at a ‘fixed site’. Since the contractor doing the work routinely handles the ‘chlorine tablets’ for the chemical treatment of sewage tanks, they would be expected to be aware of chemical hazards involved and should know about the CSB reporting requirements. I do not expect that the CSB will be sending an investigation team to an incident like this, even if they were fully staffed and not three years behind on completing accident investigation reports. But the incident still falls within the regulatory reporting requirements.