Tuesday, May 31, 2011

Son-of-Stuxnet Can be Stupid

Eric Byres has a very interesting blog post over at TofinoSecurity.com about the next stage in the evolution of ‘sophisticated’ control system attack tools based upon the Stuxnet model, what he calls Son-of-Stuxnet. Eric does a great job of explaining the whole thing so I won’t do much more than point you at his blog and strongly recommend that everyone with an interest in chemical facility security or cyber security for industrial control systems should read and re-read Eric’s fine words.

Okay, you didn’t really think that I would stop there, did you? I would like to amplify one point that Eric makes about the need for process knowledge to develop a Son-of-Stuxnet attack.

Process Knowledge

Eric makes the point that an attacker with the requisite computer knowledge and access to the appropriate tools could easily acquire the necessary process knowledge to effect an attack on control systems. He provides a chilling example of how electrical grid process knowledge recently became available to the hacker community.

Those of us who have spent years working on and refining chemical manufacturing processes like to think that our processes are very sophisticated and complex. The industry likes to think that it does a good job of protecting that process knowledge as a way of maintaining their competitive edge in the market place. Both of these things are generally true.

Recent history has shown, however, that even the most sophisticated cyber security systems are relatively easy to breach using a variety of so-called Advanced Persistent Threat (APT) techniques. An adversary that wants to gain process knowledge to effect a Son-of-Stuxnet attack would be well advised to use these techniques to gain that knowledge.

Random Attacks

I am, however, much more concerned with the intelligent cyber adversary realizing that process knowledge is not necessary to effect a successful Son-of-Stuxnet attack on a modern chemical manufacturing facility. The sophistication and complexity of the chemical processes that we have come to rely upon will actually form a very effective basis for attacking those processes.

All an attacker has to do is to execute a series of random changes in the control system for one of these complex chemical manufacturing processes to fatally disrupt that process. Random changes in temperature set points on a continuous distillation process like those found in a refinery would shut the refinery down, potentially with catastrophic physical consequences. Random changes in weighment set points in a pharmaceutical batch process would create a product that would be unusable if detected and potentially hazardous to customers if not detected.

Moreover, random changes, particularly if protected by the type of man-in-the-middle data hiding found in Stuxnet, would make it next to impossible to troubleshoot the process to correct the problem. This could keep a facility shut down for days or weeks, wreaking financial ruin on the owners.
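The two failure modes described above, set points driven outside their expected envelope and a control system that misreports what it is actually doing, both leave traces that a plant can watch for. The following Python block is an added illustration written for this post; it is not code from the post, from Tofino Security or from any vendor product. The tag names, engineering limits, write log and readings are all constructed, and the "independent reading" is assumed to come from a path the HMI does not control (for example a separate historian or a field instrument read directly). It applies three bounds to every set-point write (range, step size and write frequency) and then compares the value the control system reports with the independent reading, which is the kind of cross-check that Stuxnet-style data hiding is designed to defeat.

```python
"""Set-point write monitor: a constructed example for the random-change and
data-hiding scenario above (not code from the blog post or any vendor).
Tags, limits, the write log and the readings are all made up for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class TagLimits:
    lo: float             # engineering low limit for the set point
    hi: float             # engineering high limit for the set point
    max_step: float       # largest change a single write may make
    min_interval_s: int   # minimum seconds between writes to the same tag
    tolerance: float      # allowed gap between reported and independent values


# Constructed limits for two tags on a hypothetical distillation column.
LIMITS: Dict[str, TagLimits] = {
    "COL1_TOP_TEMP_SP": TagLimits(60.0, 95.0, 3.0, 300, 1.5),
    "COL1_REFLUX_SP": TagLimits(10.0, 40.0, 5.0, 300, 2.0),
}

# Constructed write log: (epoch seconds, tag, new value, previous value).
WRITES: List[Tuple[int, str, float, float]] = [
    (1000, "COL1_TOP_TEMP_SP", 78.0, 77.0),   # routine operator adjustment
    (1400, "COL1_TOP_TEMP_SP", 79.5, 78.0),   # routine, 400 s later
    (1420, "COL1_REFLUX_SP", 38.0, 25.0),     # jump of 13 units in one write
    (1430, "COL1_TOP_TEMP_SP", 99.0, 79.5),   # above limit, big step, 30 s after last
    (1440, "COL1_REFLUX_SP", 12.0, 38.0),     # reversed again 20 s later
]

# Constructed comparison of the value shown on the HMI against a reading
# obtained through an independent path (assumed: a separate historian).
READINGS: List[Tuple[int, str, float, float]] = [
    (1500, "COL1_TOP_TEMP_SP", 78.0, 78.2),   # agree within tolerance
    (1500, "COL1_REFLUX_SP", 25.0, 12.1),     # HMI still shows the old value
]


def check_writes(writes, limits: Dict[str, TagLimits]) -> List[str]:
    """Return one alert string per rule violated by a set-point write."""
    alerts: List[str] = []
    last_write: Dict[str, int] = {}
    for ts, tag, new, prev in writes:
        lim = limits.get(tag)
        if lim is None:
            alerts.append(f"{ts} {tag}: write to a tag with no configured limits")
            continue
        if not lim.lo <= new <= lim.hi:
            alerts.append(f"{ts} {tag}: {new} outside [{lim.lo}, {lim.hi}]")
        if abs(new - prev) > lim.max_step:
            alerts.append(f"{ts} {tag}: step {new - prev:+.1f} exceeds {lim.max_step}")
        if tag in last_write and ts - last_write[tag] < lim.min_interval_s:
            gap = ts - last_write[tag]
            alerts.append(f"{ts} {tag}: rewritten after {gap} s (< {lim.min_interval_s} s)")
        last_write[tag] = ts
    return alerts


def check_readings(readings, limits: Dict[str, TagLimits]) -> List[str]:
    """Flag tags whose reported value disagrees with the independent reading."""
    alerts: List[str] = []
    for ts, tag, reported, independent in readings:
        lim = limits[tag]
        if abs(reported - independent) > lim.tolerance:
            alerts.append(
                f"{ts} {tag}: reported {reported} but independent reading is {independent}"
            )
    return alerts


if __name__ == "__main__":
    for line in check_writes(WRITES, LIMITS) + check_readings(READINGS, LIMITS):
        print(line)
```

Run against the constructed data, the first two writes pass silently, the three writes that follow raise six alerts between them (one out-of-range value, three oversized steps and two writes that arrive too soon after the previous one), and the reading comparison flags the reflux tag whose HMI value never moved. The limits are the part that needs real process knowledge, which is exactly the knowledge the post argues an attacker does not need; the defender does have it, and encoding it this way is what turns a random change into an alarm rather than an unexplained upset.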

Process Knowledge Not Necessary

The Son-of-Stuxnet attack profile will provide a cyber-savvy attacker the ability to hold a chemical manufacturing facility hostage, demanding financial compensation to allow the facility to resume routine operations. And sophisticated chemical process knowledge would not be necessary to effect these attacks. This greatly increases the number of potential attackers that might have to be contended with.

As Eric said in closing out his excellent post: “Bottom line: we are in for a tough few years as the industry tries to catch up with the bad guys.”

FY 2012 DOD Spending Bill Draft

Today the House Appropriations Committee announced that a Subcommittee draft copy of the FY 2012 DOD Appropriations bill was available for public review. I did a quick (and not very detailed) scan of the bill looking for funding for the DOD cyber security programs, but could not find any. I am not surprised; again, I would expect that to show up in the Committee Report on the ‘final’ proposed version of the bill that we should expect to see introduced later in June.

Readers may remember that it was May 14th that we were at the same point in the legislative process for the DHS appropriations bill. The House is moving infinitely faster this year on spending measures.

Another Chlorine Shipper STB Complaint

Last week saw another chlorine shipper filing a complaint with the Surface Transportation Board. This time it was the Canadian chlorine producer Canexus Chemicals asking the STB to order BNSF to establish common carrier rates for shipping chlorine from its production facilities in Vancouver, BC and Marshall, WA to an interchange point in Kansas City, MO for further transport via UP.

According to the complaint filed on May 25th, BNSF has told Canexus that it will only interchange the chlorine shipments with UP at interchange points in Portland and Spokane, WA. A closer reading of the communications between Canexus and BNSF included in the complaint show that the situation is probably more complex than that outlined in the Canexus description.

It looks like this is going to end up being a discussion about who is responsible for routing decisions on complex TIH shipping routes. It appears that in this instance there are multiple routes from the Canexus locations to their customers in the Southeast United States, routes that require shipment via at least two separate railroads. It appears that UP, via contract negotiations, has gained effective control of the routing decisions for this set of shipments, minimizing its exposure to the liability associated with chlorine shipments.

Monday, May 30, 2011

HR 1900 Introduced – TSA Surface Transportation Security

Back in the middle of May Rep. Jackson-Lee (D, TX) introduced HR 1900, the Surface Transportation and Mass Transit Security Act of 2011, but the GPO copy of the bill only became publicly available last week. Essentially this bill would authorize the Surface Transportation Security Program within TSA. While a major focus of this program would be public transportation it would also address freight transportation of interest to the chemical security community.

Surface Security Inspectors

Section 3 of this bill would establish the Surface Transportation Security Inspection Office. The Office would be responsible for enforcing surface transportation security regulations and directives as well as assisting the various elements of the surface transportation industry “enhance their security against terrorist attacks and other security threats” {§3(a)(2)(A)}.

The Office would be headed by a Director and Deputy Director. They would supervise an inspection force deployed in a series of Primary and Secondary Field offices. Each Primary Field Office would be headed by a Chief Surface Transportation Security Inspector who would report directly to the Director. The Primary Field Offices would be staffed with at least 7 Surface Transportation Security Inspectors including the Chief Inspector.

Secondary Field Offices would be subordinate to a Primary Field Office and would be headed by a Senior Surface Transportation Security Inspector. The Secondary Field Office will be staffed by at least 5 Surface Transportation Security Inspectors including the Senior Inspector.

The bill does not establish a specific number of field offices, but it does call for a 100 person increase in the number of Surface Transportation Security Inspectors over the number in TSA at the end of 2010.

Surface Transportation Advisory Committee

Section 5 of the proposed bill would establish a Surface Transportation Advisory Committee to advise the Assistant Secretary (TSA) on ways to improve the surface transportation security program. The Committee will consist of unpaid members representing up to 27 organizations representing “public transportation agencies, passenger rail agencies or operators, railroad carriers, motor carriers, owners or operators of highways, over-the-road bus operators and terminal owners and operators, pipeline operators, privacy organizations, labor organizations representing employees of such entities, and the surface transportation security technology industry” {§1311(b)(1)}.

Within this Committee the bill would require the establishment of two working groups. The Passenger Carrier Security Working Group would “provide recommendations for successful implementation of initiatives relating to passenger rail, over-the-road bus, and public transportation security proposed by the Transportation Security Administration” {§1311(d)(1)}. The Freight Rail Security Working Group would address the same issues for the freight rail sector.

It is interesting that the passenger group would address all passenger transport modes but the freight group would only address the freight rail mode, not the trucking mode.

Security Training

Section 7 of the bill would address security training for surface transportation modes. First it would require that the TSA would report to Congress on their schedule for implementing the mandate to develop security training regulations for bus and passenger train transportation and freight rail transportation.

It would also require TSA to establish a program for approving third-party training programs that could be used by covered entities to fulfill the training requirements outlined in the new regulations.

First Observer Program

Section 12 of the bill would require the Assistant Secretary to formalize the current First Observer Program, establishing it as a program to encourage reporting by all members of the private sector transportation industry, evaluating the reports and forwarding the reports to appropriate law enforcement personnel. The bill would authorize an annual appropriation of $5 Million for this program which would be essentially a transportation fusion center.

HR 2017 – More Details

I’ve had more of a chance to review the text of HR 2017 and its accompanying Committee Report so I have a better understanding of the portions of the bill that will be of interest to the chemical and cyber security communities.

Budget Numbers

First there is the examination of the high level budget numbers with a comparison to those passed in the final FY 2011 continuing resolution:

● TSA Surface Transportation - $129,748,000 [FY 2011 - $105,961,000] – 22% Increase

● NPPD Management and Administration - $42,511,000 [FY 2011 - $43,577,000] – 2.5% Decrease

● Infrastructure Protection and Information Security - $891,243,000 [FY 2011 - $840,444,000] – 6.0% Increase

To get a better understanding of the budget at a more practical level you have to read the details in the Committee Report. I’m not going to try to make comparisons to last year in this section because those details were not available in the documentation accompanying HR 1473, the final FY 2011 continuing resolution.

● TSA Surface Inspectors and Canine Teams - $91,234,000 (fully funds 2010 authorized personnel numbers)

● National Computer Security Division - $463,841,000

● Office of Infrastructure Protection - $302,278,000

Cyber Security and HR 2017

The budget numbers for the NCSD are broken out in much more detail and the Committee has broken them out in a little different manner than in past budgets. They include

● US-CERT - $79,116,000
● Critical Infrastructure Cyber Protection - $61,364,000
The Critical Infrastructure Cyber Protection account includes $28,927,000 for Control System Security and $12,901,000 for CIP Cyber Security. There are no explanations of what those two accounts include.

The Appropriations Committee appears to be paying closer attention to control system security problems than anyone else in Congress. They make the following observation on page 94 of their Committee Report:

“The Committee is aware of promising efforts to develop manufacturing standards, guidelines, and compliance procedures for industrial automation and control systems. Integrating agreed-upon industry standards into industrial automation and control systems promises a much higher likelihood of successfully countering cyber vulnerabilities. Since the development of these standards is projected to take up to 10 years, the Committee encourages DHS, in conjunction with industry partners, to accelerate the development timeline for control system security standards and to brief the Committee within 60 days of the date of enactment of this Act on its plans to meet this directive.”

CFATS and HR 2017

There are no specific numbers listed for Infrastructure Security Compliance Division or CFATS in general. That certainly doesn’t mean that the Appropriations Committee is ignoring the CFATS program. As I mentioned in my earlier blog the CFATS §550 authorization would be extended until October 4th, 2013 by §536 of this bill. There are additional areas in the Committee Report that specifically address CFATS related issues.

On page 93 there is a paragraph in the report that deals specifically with inherently safer technology (IST). This is almost certainly in response to repeated Administration comments in support of adding an IST component to CFATS. The Committee directs DHS to complete a study on IST and CFATS and to report back to the Committee. It specifically requires that:

“The report shall detail the Department’s definition of IST; the cost to the Department to implement and oversee statutory or regulatory requirements; and the financial and economic cost to facilities required to implement such requirements. Finally, the report shall include findings detailing unintended consequences of implementing IST related to security and effects on other Federal agencies.”

This might be an interesting addition to the IST debate except for the fact that agency reports to the Appropriations Committee enter a black hole that no one outside of the Committee can see. One would think that the Homeland Security Committee or the Energy and Commerce Committee might be more interested in this report, except that the whole CFATS program is authorized by the Appropriations Committee so they have primary jurisdiction, sort of.

In general, the Appropriations Committee approves of the way that the CFATS program has been administered, noting that “DHS has established a robust screening and inspection program for facilities covered under the 2007 law” (pg 93 Committee Report). Perhaps they haven’t heard that the ‘inspection program’ is proceeding much slower than anticipated. Since they haven’t done any oversight hearings on this program they might not realize the current problems that the program is having. Then again, Committees that have heard the details aren’t concerned with the slow inspection pace so why should the Appropriations Committee?

Another Appropriations Committee authorized chemical security program that will be administered by ISCD is the ammonium nitrate sales regulations that have been wending their way through the administrative bowels of the Executive Branch for over three years now. In a paragraph addressing CFATS and ammonium nitrate on page 93 of the Committee Report the Committee “directs NPPD to expedite publication of its Final Rule for ammonium nitrate regulations and provide an immediate briefing on the anticipated timeline for full implementation of the program.”

That’s a real ambitious directive, given the fact that DHS has yet to publish their notice of proposed rule making for the ammonium nitrate program. To be fair, the rule is currently out of their hands as they submitted it to the Office of Management and Budget for review back on March 3rd. We should be seeing OMB’s reply ‘any time now’.

The big delay on this rule has been political and thus mainly out of NPPD’s hands. This rule would establish some significant performance requirements for a politically vocal and powerful portion of the US economy, the farm sector. Beyond that, there are some significant hurdles to controlling these sales because of the wide variety of transaction sizes that must be considered and the way that agricultural commodities like this are moved and sold. For example, there may be significant losses of product while moving on barges due to wind blowing the open stacks of ammonium nitrate powder into the river; diversion reporting rules need to take this into account.

Moving Forward

This will be the first appropriations bill that the House has considered in over 18 months (a continuing resolution does not count) and it looks like it will come to the floor this week. No telling yet on how far the Senate Appropriations Committee is on getting their bill together, but it certainly looks possible that we could have a signed bill before the summer recess.

The Republicans have promised an open rule making process for appropriations bills so this could be a very interesting week in the House. We’ll be able to see how interesting when we see the results of the House Rules Committee hearing on Tuesday night. The bill will certainly pass, but it will be interesting to see what changes come through the amendment process.

Congressional Hearings Week of 5-30-11

The Senate is taking a week off from their busy debate schedule (technically they’ll meet Tuesday and Friday in ‘pro forma’ sessions) so we only have to keep track of the House this week. Even so we have three hearings currently scheduled this week that might be of interest to the chemical security community, a cyber security related hearing, a TSA authorization hearing and probably most importantly the FY 2011 DHS budget bill HR 2017.

Cyber Security

The Committee on Oversight and Government Reform will be holding a hearing on Wednesday looking at “Cybersecurity: Assessing the Nation’s Ability to Address the Growing Cyber Threat”. No details about witnesses are yet available on the Committee web site, but this is supposed to be part of a series of ‘in depth’ hearings by this Committee on cyber security related issues. There could always be a mention or two about control system security.

TSA Authorization

The Homeland Security Committee’s Transportation Security Subcommittee will be holding a hearing on authorizing the Transportation Security Administration of DHS. This hearing was postponed from last week. There is no TSA authorization bill currently available for review, but I would not be surprised to see one published this week.

HR 2017

As I mentioned earlier this week HR 2017, the Department of Homeland Security Appropriations Act, 2012, was introduced last week and is scheduled for a Rules Committee hearing on Tuesday. This hearing will establish the rule for the floor consideration of this bill later this week. There are, as of yet, no proposed amendments listed on the Rules Committee web site, but I would expect that to change during the day Tuesday.

ICS-CERT Publishes 2 Advisories for Ecava IntegraXor

On Friday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published two separate advisories for vulnerabilities in the Ecava IntegraXor system. The vulnerabilities would allow DLL hijacking and cross site scripting. Both vulnerabilities would allow execution of arbitrary code by an attacker with moderate skill levels. The first would require the attacker to have access to the computer’s file system and the second would require the operator to view an infected web site.

There are no known exploits publicly available for either vulnerability and Ecava has developed a single patch to mitigate both vulnerabilities.

To My Brothers in Arms

On this Memorial Day I would like to address my Brothers in Arms, past, present and future, in all services, with a special nod to those in my family: Antonio, who is preparing for yet another cruise; Robert, who is just recently back from Afghanistan; and Gaige, who is preparing to enter the Air Force. Today is an important day for us to pause and raise a glass to absent companions.

Today we accept the thanks of a grateful country for the sacrifices we have all made in the service of our country, but we all know that our absent companions gave their lives more for their buddies and teammates than for the country. As such we owe them a more personal and heartfelt thanks than most people in the country can understand. And if we, the brotherhood of arms, continue to do our job, then most people will never have the chance to understand.

Let us raise a glass. To Absent Companions.

Friday, May 27, 2011

Reader Comment – Bipartisan HR 908

An anonymous reader objected to my characterization in this morning's blog of the bipartisan support (or lack thereof) of HR 908 in the Energy and Commerce Committee yesterday. Anonymous points out that there were five Democrats who voted for the final measure, better than the ‘couple’ that I had guessed at. I am glad to have that clarifying information; it is a shame that it wasn’t included on the Committee web site. I guess that it is just another case of open political discourse happening more in theory than in practice.

Bipartisan Support

Anon then went on to note that what is important is that “there is now a House bill reported out of committee with notable Democratic support, which will provide momentum for an IST-less bill to gain additional support by both parties when it reaches the House floor”. While I always prefer to see legislation that appeals to the moderates of both parties (it is less likely to see the ‘other’ Party try to undo it when they resume power), I didn’t see much effort in this bill to achieve that goal.

Adopting the whistleblower or worker participation amendments would have been a very low cost (both politically and monetarily) method of attracting middle ground Democrats. And, as I have said on a number of occasions, I think that it is possible to construct an IST provision that could be acceptable to industry, if the effort was taken.

Having said that, five Democrats signing on in a Committee vote is significant. It is much better than the straight party line vote that attended the passing of HR 2868 in the 111th Congress. Of course it doesn’t help much when the Democratic co-sponsor publicly discusses his misgivings with the legislative process. That plus the fact that the Republican leadership has historically done a much better job of maintaining support for the party line than the Democrats have ever been able to do. Well, maybe five Democrats isn’t that impressive.

Premature Discussion

Anonymous closes his comment with a politically questionable statement: “Any talk about what may happen in the Senate is premature until the House approves either 908 or 901.” Back when the minority Republicans were focused on stopping HR 2868 they could afford to take that short view of the situation. They should, however, learn the lesson taught by the Democrats on that bill. The failure to take the long view of what could get passed in the Senate ended up with the House passing a bill that completely pleased their base, but was never even looked at in the Senate.

If the chemical industry and their Republican supporters really want to get a long period reauthorization of CFATS, then they had better learn that politics requires a longer view than the next vote. Robert Heinlein called politics the ‘art of the possible’. Anyone who forgets that is just posturing, accomplishing nothing.

For HR 908 or HR 901 to become law, they would need to be passed by the House in such a form that they will be considered by the Democratically (loosely) controlled Senate. This means that they need to include a sop to Sen. Collins (R, ME), who effectively controls the Homeland Security Committee on this topic. It will also require provisions to defuse the opposition of the core Green-Labor Democrats. Failure to take this into account will lead to another two years of relying on budget measure extensions while the House-passed pure-industry bill sits waiting to be considered in the Senate.

Chairman Upton has not apparently learned this yet. Chairman King, are you listening?

HR 2017 Introduced – DHS FY 2012 Appropriations

Yesterday, Rep. Aderholt (R, AL) introduced HR 2017, Department of Homeland Security Appropriations Act, 2012. Since it was just published on the GPO site this morning I haven’t been able to review much, but §536 does extend the CFATS §550 authorization until October 4, 2012. Watch this space for more news; lots of reading material for the weekend.

HR 908 Amended and Passed In Committee

As expected the House Energy and Commerce Committee amended and reported favorably on HR 908. With a final vote of 33 – 16, the supporters of this bill can claim bipartisan support, but there is nothing here that labor or environmentalists will find even minimally acceptable.

Two Amendments Adopted

The Committee approved two amendments, both proposed by Rep. Shimkus (R, IL). The first deals with background checks, while the second modifies the dates listed in the bill to provide for a full six year extension of the bill. The original bill showed the current expiration of §550 as October 4, 2010 and extended it until October 4, 2017. The date changing amendment corrected the current expiration to 2011 as provided in the FY 2011 budget bill. Then it modified the new expiration date so that the full extension of the bill would match the original intent of the bill. Rep. Green (D, TX) attempted to reduce this by two years, but his amendment to the amendment was rejected.

The background check amendment adds language to §550 that specifically states that no “security background check is required under this section for an individual holding a valid transportation security card [a Transportation Workers Identification Credential (TWIC)] issued under section 70105 of title 46, United States Code” {§3(i)(1)}. If that wasn’t clear enough it goes on to state that a facility owner/operator can allow individuals with a TWIC or a ‘qualifying alternate security background check’ to “have access to restricted areas or critical assets of such facility without the satisfaction of any other additional requirements” {§3(i)(3)}.

There is an added provision that will certainly draw the ire of organized labor. The final sub-paragraph of the amendment states that:

“Nothing in this subsection shall be construed to prohibit an owner or operator of a chemical facility from requiring, for reasons other than compliance with this section, that prospective or current employees or contractors undergo any additional background checks in addition to that required under the risk-based performance standards issued under this section.” {§3(i)(4)(B)}.

Labor organizations have been complaining that the CFATS background check requirements, vague as they are, would/could be used by management to retaliate against labor organizers or union members. This provision along with the lack of specific language on redress procedures (currently loosely covered under § 70105 title 46 USC) will be seen by labor leaders as another justification for their concern about CFATS. I think that the wording of the Shimkus amendment attempted to deal with that concern, but I doubt that the opposition will see the subtle wording as adequate.

Major Changes Attempted

Ranking Member Waxman (D, CA) attempted to completely rewrite the legislation with his amendment. Unfortunately, the copy of the Waxman amendment provided on the Committee web site has been corrupted somehow; many pages appear to be missing. It appears though that he intended to replace the §550 authorization with a bill similar to that passed in the House in the last session. The limited number of pages provided do not allow me to determine if the amendment actually included coverage of water treatment facilities.

It is not surprising that the Republican controlled Committee did not approve the Waxman amendment. The final vote was 18 – 26 on this amendment. I would assume that it was a party line vote, but we can’t tell as the Committee web site does not list the actual votes of the members, only the total numbers. We’ll have to wait to see the Committee report to be sure. I will say that the Committee web site for this markup does not appear to comply with the intent of the new Republican rules for an ‘open’ Congress.

Minor Changes Attempted

The remaining amendments offered by the Democrats were relatively modest, and expected, changes to the wording of §550. The most controversial was offered by Rep. Waxman; he proposed to require that the Secretary either approve or disapprove a site security plan within 180 days of submission. Anyone seeing the current pace of the SSP approval process can understand the reason for this proposed amendment. Unfortunately, I think that this amendment probably would have been counter-productive, resulting in disapproved SSPs instead of the current procedure of DHS working with facilities. Something clearly needs to be done to resolve this problem, but I don’t think that this would have addressed the underlying problem.

The amendment offered by Rep. Capps (D, CA) also attempted to address this issue by making a minor word change in §550(a), changing from ‘may disapprove’ to ‘shall disapprove’. While more subtle than the Waxman amendment, this still would have changed the cooperative atmosphere between covered facilities and DHS.

Whistleblower protection would have been added by the Butterfield amendment, but the Chairman ruled that the amendment was “Nongermane” so the amendment never came up for a vote. I didn’t get a chance to actually watch the hearing, nor was a web cast available on the Committee site as of last night so I don’t know what held up this amendment. Again, a page appears to be missing from the copy of the amendment provided on the Committee web site. This is getting to look like really sloppy staff work.

Rep. Green (D, TX), a co-sponsor of the bill, proposed an amendment that would have added language providing a requirement for employee participation in the security processes required under § 550. This has long been a desire of organized labor as it also provided for participation of labor unions (excuse me, bargaining agent) in the planning process. The language here was much simpler than the provisions found in previous bills.

No Bipartisan Bill

The final vote on the amended bill was 33 – 16. Again the actual details of the vote are not available on the website, but it appears that there were probably a couple of Democrats (most likely including the co-sponsor, Rep. Green) that voted for favorably reporting the bill. Even with a few Democrats signing off on the bill, I would hardly call this a bipartisan approval. There is nothing in this bill that would allow for enough Democrats in the Senate to vote for this bill to allow its passage.

Industry will provide (and, quite quickly, already has provided) support for this bill, but labor and environmental organizations will fight this bill. In a divided Congress this will make it difficult to get action completed. If the marked up Homeland Security spending bill that we expect to see come to the floor next week contains, as expected, a one-year extension of the current CFATS authorization, there will be no pressure for the two sides to reach some sort of compromise on this issue.

If the chemical industry really wants a long term extension of the CFATS program to provide some level of predictability for the program, they are going to have to figure out what they can give to the opposition to allow them to agree to that extension. This bill does not do that.

Thursday, May 26, 2011

HR 1540 Passes in House

This afternoon the House passed HR 1540, the National Defense Authorization Act for Fiscal Year 2012 by a recorded vote of 322 to 96; a margin that must be counted as ‘bipartisan’. The bill was heavily amended, so it looks quite different from the version approved by the House Armed Services Committee.

Amendment Results

I have been watching two particular amendments that could be of potential interest to the chemical security community; one dealing with cyber security, and the other dealing with GPS interference. Yesterday the Langevin (D, RI) cyber security amendment failed on voice vote and that ‘failure’ was confirmed this afternoon by a recorded vote of 172 to 246. While this isn’t technically the death of HR 1136 (the bill from which this amendment was extracted as nearly whole cloth), the vote almost ensures that no committee will take any time considering this legislation.

The Turner (R, OH) amendment was grouped into an ‘en bloc’ amendment with 10 other less than controversial amendments for a single period of debate and a single vote. It was the sixth such en bloc amendment considered today in an effort to speed up the processing of this bill on the House Floor. As is typical with en bloc amendments this passed by a voice vote.

Senate Action

Interestingly this bill is being sent to the Senate on the same day that the Government Printing Office (GPO) finally got around to printing a similar bill produced by the Senate Armed Services Committee; S 981, the National Defense Authorization Act for Fiscal Year 2012. Typically we would expect the Senate to substitute the language of S 981 for the House passed language of HR 1540. The differences would then get worked out in Conference.

I haven’t had a chance to peruse S 981 yet, but rest assured I’ll be looking for cyber security language in that bill.

ICS-CERT Updates Report on ICS Vulnerabilities

Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published an updated version of their Common Cybersecurity Vulnerabilities in Industrial Control Systems report. First published in 2009, this report is a look at the wide variety of current vulnerabilities seen by ICS-CERT in a variety of sources uniquely available to that organization.

While some individual vulnerabilities are discussed for illustrative purposes, this report is more of an overview of the state of ICS cyber security. The report looks at three broad areas of common ICS vulnerabilities:

• Software/ Product Security Weaknesses
• Configuration Weaknesses
• Network Security Weaknesses
These vulnerabilities exist in both vendor products and facility implementation. The ICS-CERT report provides corrective recommendations for vendors and owner/operators; nothing really new here, just solid justifications for well known cyber security procedures and mitigation measures. The owner/operator recommendations include:

• Restrict ICS User Privileges to only those Required

• Change All Default Passwords and Require Strong Passwords

• Test and Apply Patches

• Protect Critical Functions with Network Security Zones and Layers

• Customize IDS Rules for the ICS and Closely Monitor Logs

• Force Security through External Software Security Assessments

This report comes at a time of increasing public and political scrutiny of ICS security issues. Hopefully, Congress and potential regulators at DHS will take a close look at this document during their deliberations.
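Two of the owner/operator recommendations above, network security zones around critical functions and IDS rules customized for the ICS, only mean something once they are written down as a policy and run against real traffic. The following is an added example, not code from the ICS-CERT report or from any vendor, showing what that looks like for Modbus/TCP. The zone layout, the allowed-zone policy, and the log lines are all constructed for illustration; only the Modbus function code numbers and TCP port 502 are real.

```python
"""Zone-aware Modbus/TCP rule check over a constructed connection log.

Added example, not taken from the ICS-CERT report: it shows what two of the
owner/operator recommendations (network security zones around critical
functions, and IDS rules customised for the ICS) look like when written
down as a policy and run over log lines. The zones, the policy and the log
lines are all constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Assumed zone layout for a small plant network.
ZONES = {
    "engineering": ipaddress.ip_network("10.10.1.0/24"),
    "hmi": ipaddress.ip_network("10.10.2.0/24"),
    "plc": ipaddress.ip_network("10.10.3.0/24"),
    "business": ipaddress.ip_network("10.20.0.0/16"),
}
MODBUS_PORT = 502

# Modbus function codes that change process state, plus the diagnostics code
# (sub-functions of fc 8 can restart communications or force listen-only mode).
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers",
               23: "Read/Write Multiple Registers"}
DIAG_CODE = 8

# Assumed policy: only engineering and HMI hosts may talk Modbus to the PLC
# zone at all, and only engineering hosts may send diagnostics.
MODBUS_ALLOWED_ZONES = {"engineering", "hmi"}
DIAG_ALLOWED_ZONES = {"engineering"}


@dataclass
class Event:
    ts: str
    src: str
    dst: str
    dport: int
    fc: int


def zone_of(ip: str) -> str:
    """Map an address to the assumed zone it belongs to."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_line(line: str) -> Event:
    """Parse the constructed format 'TS src=A dst=B dport=N fc=N'."""
    ts, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return Event(ts, kv["src"], kv["dst"], int(kv["dport"]), int(kv["fc"]))


def evaluate(ev: Event):
    """Return an alert string for a policy violation, or None if allowed."""
    if ev.dport != MODBUS_PORT or zone_of(ev.dst) != "plc":
        return None  # these rules only cover Modbus traffic into the PLC zone
    src_zone = zone_of(ev.src)
    what = WRITE_CODES.get(ev.fc, f"fc={ev.fc}")
    if src_zone not in MODBUS_ALLOWED_ZONES:
        return f"{ev.ts} {what} to PLC {ev.dst} from {src_zone} host {ev.src}"
    if ev.fc == DIAG_CODE and src_zone not in DIAG_ALLOWED_ZONES:
        return f"{ev.ts} Diagnostics to PLC {ev.dst} from {src_zone} host {ev.src}"
    return None


def scan(lines):
    """Run every log line through the policy and collect the alerts."""
    alerts = []
    for line in lines:
        alert = evaluate(parse_line(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed log lines (not real traffic).
SAMPLE_LOG = [
    "2011-05-26T10:15:01 src=10.10.1.5 dst=10.10.3.7 dport=502 fc=16",  # engineer writes registers: allowed
    "2011-05-26T10:15:02 src=10.10.2.9 dst=10.10.3.7 dport=502 fc=3",   # HMI reads: allowed
    "2011-05-26T10:15:03 src=10.10.2.9 dst=10.10.3.7 dport=502 fc=6",   # HMI writes a setpoint: allowed
    "2011-05-26T10:15:04 src=10.10.2.9 dst=10.10.3.7 dport=502 fc=8",   # HMI sends diagnostics: alert
    "2011-05-26T10:15:05 src=10.20.4.2 dst=10.10.3.7 dport=502 fc=3",   # business LAN reads PLC: alert
    "2011-05-26T10:15:06 src=10.20.4.2 dst=10.10.3.7 dport=502 fc=5",   # business LAN writes a coil: alert
    "2011-05-26T10:15:07 src=10.20.4.2 dst=10.10.2.9 dport=80 fc=0",    # HTTP to the HMI: outside these rules
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a)
```

The point of the policy table is that the IDS rule is derived from the zone design rather than from a generic IT signature set: a read from the business LAN is as much a violation as a write, and a diagnostics request from an HMI is flagged even though HMI writes are allowed, because fc 8 can take the PLC off the network. Swap in your own zone map and the function codes your PLCs actually honor before using anything like this in anger.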

First House Floor Vote on Cyber Security

Last night, during the debate on HR 1540, the National Defense Authorization Act for Fiscal Year 2012, one of the measures that was debated and voted upon was an amendment offered by Rep. Langevin (D, RI) that specifically dealt with cyber security issues; making it the first time this session that the whole House has taken a vote on a cyber security measure.

HR 1136

Looking at the actual language for Amendment #49, found in House Report 112-88 (the report accompanying H. Res 276, the rule governing the debate of HR 1540), it turns out that this ‘Amendment’ was actually a virtual copy of HR 1136, the Executive Cyberspace Coordination Act of 2011, a bill introduced by Langevin back in March. As I noted in a blog about the bill when it was introduced, this bill was essentially an IT security bill dealing mainly with Federal cyber security. There was a section on ‘critical infrastructure’ that actually mentioned SCADA systems, but there were no real ICS cybersecurity requirements.

After the authorized 10 minutes of debate on the amendment the House voted it down on a voice vote. A recorded vote was ‘demanded’ by Rep. Langevin. As of 11:00 pm EDT last night that vote had not yet occurred. In bills with these lengthy debates and amendment processes (152 amendments were offered on this bill) the House pulls a bunch of these recorded votes together to minimize the time the Members actually have to spend on the floor of the House. A vote will be held sometime today.

This vote on a virtual copy of HR 1136 does not mean that this bill is legally dead. It is technically possible that the bill could still wend its way through the committee review and voting process to make its way back to the floor of the House. Possible but unlikely, otherwise Langevin would not have taken this to the floor as an amendment to a virtually unrelated bill; controversial amendments like this seldom pass as an amendment.

GPS Interference

Earlier this week in a blog posting about this bill I discussed the provisions of HR 1540 dealing with the GPS interference controversy. In that I dismissed an amendment by Rep. Turner (R, OH) modifying provisions of §911 of the bill dealing with the FCC’s approval of the new cell phone service by LightSquared. That was based upon the summary of the amendment that described it as a ‘Sense of Congress’ measure. The actual amendment was published in the House Rules Committee report and it is a tad bit more potent than a ‘Sense of Congress’ measure.

The language of the Turner Amendment would actually prohibit the FCC from providing final approval of the LightSquared license “until the Commission has resolved concerns of widespread harmful interference by such commercial terrestrial operations to the Global Positioning System devices of the Department of Defense.” {§911(a)}. This would be a much more effective response than what I had described.

Unfortunately, this still does not address the potential for interference with GPS timing signals used by some control system components. No one has actually reported interference problems with the timing signals, but I have found no reports that anyone has bothered testing this issue.

Turner’s amendment is #149 in the list of amendments to be debated on the floor during the consideration of this bill, so it will be one of the last ones considered. It will probably come up for a vote late this evening. It will be interesting to see how this vote turns out.

Continued Debate

I don’t know how long the House continued their debate of this bill last night. They will be back at it again when they come back to work today. A final vote on the bill will certainly be held before the House goes home for the long Memorial Day Weekend. The final version of the bill will almost certainly pass, probably with bipartisan support.

Wednesday, May 25, 2011

First of Five Hearings on Obama Cybersecurity Proposal

Dale Peterson, over at DigitalBond, has an interesting blog post on Monday’s Senate Homeland Security and Governmental Affairs hearing on the President’s recently released proposal for cyber security legislation. I still haven’t had a chance to view the entire hearing, but I certainly echo his recommendation to view the part of the hearing starting at about minute 99 of the recording. This provides an interesting conversation about the ‘critical infrastructure’ provisions of the bill.

I remain convinced that the vast majority of industrial control systems in the United States will not be covered by the proposed legislative language and I heard nothing in the discussion that would indicate otherwise. The main exception to that would be electrical utilities; they were mentioned a number of times. Even for utilities, however, the coverage would appear to be relatively sparse. Interestingly I heard no mention of chemical facilities as areas of potential concern; a very unusual oversight.

Having said that, even the relatively light coverage of the legislation could have a serious impact on ICS security in all industries. Making the cyber security status of a company public knowledge provides a great incentive for a proactive security program and opens up the whole topic for wider public discussion. Just look at how effective the environmental program in this country is. (I’m sorry, sarcasm just comes too easy.)

Vendor Responsibilities Ignored

One major security issue that is not discussed in the legislative proposal at all is the topic of vendor responsibility for providing vulnerability-free systems. Now I know enough programming to know that writing error-free code is nearly impossible, but provisions need to be made for identifying and correcting vulnerabilities in the complex control software. ICS-CERT is managing this now (without any legal mandate or authority) and no one is satisfied with how they are doing. This part of the problem needs serious legal attention.

There is another aspect of this that everyone is tending to gloss over and that is enforcement. For the most part critical infrastructure ‘entities’ will certify to the SEC or DHS that they have acceptable plans in place and that those plans are being properly implemented. There will be technical reviews of the plans by outside certified organizations. For the IT style plans, there are probably enough people out there with adequate credentials to set up such organizations. I’m not so sure about how this will work for industrial control systems.

It seems to me that there are few enough people with an understanding of industrial control systems and their security to go around as it is. You could double the size of ICS-CERT and it would still be shorthanded. Industry, if this passes, is going to be looking for people to take care of their in-house planning and implementation process. The consulting type cyber security firms should see their business increase servicing businesses that aren’t big/rich enough to have dedicated ICS-Security staffs.

Where are the experts going to come from that will do the plan reviews/certifications? And who is going to establish the standards for those reviews, the training of the reviewers, and certify the reviewing organizations?

Moving Forward

While the politicians closed the hearing pledging fast action on the proposal, the disheartening fact is that this was the first of five congressional appearances scheduled for this panel from the administration. Too many folks have their political fingers in the cybersecurity pie for this to move quickly by any human standards.

Energy and Commerce HR 908 Markup to Start Today

The House Energy and Commerce Committee will begin another two-day markup hearing this afternoon that will include action on HR 908, the Full Implementation of the Chemical Facility Anti-Terrorism Standards (CFATS) Act. As with the May 10th hearing that was to have included action on HR 908, this afternoon’s meeting will only be for making opening statements; actual work on the bill will take place tomorrow morning at 10:00 am EDT.

Again, this hearing is also scheduled to deal with two potentially controversial authorization bills. The second bill here will be HR 1939, dealing with the Consumer Product Safety Commission. This time HR 908 has been given first listing; presumably this means that it will be taken-up first for action tomorrow morning.

There are no proposed amendments listed on the Committee web site, but the Committee memo about the HR 908 markup notes that members may file amendments to be considered up to two hours before they are to be offered for consideration during the hearing. This provides an effective deadline of 8:00 am tomorrow morning for submission of amendments.

There have been an increasing number of media reports that there is some possible dissension in the Committee about the lack of some of the provisions that Democrats have been pushing for the last couple of years. These have included reports that Rep. Green (D,TX), a co-sponsor of the legislation (officially making the bill bi-partisan) has expressed some concerns about the amendment process for the bill.

Regardless of any potential Democratic opposition, this bill will certainly be reported favorably by the full Committee tomorrow. The only thing that remains to be seen is whether there are any amendments that might make its acceptance in the Democratic-controlled (barely) Senate more likely. The most likely amendment to be included (and still a low probability event) would be the elimination of the water treatment facility exemption to CFATS coverage. It’s not clear that the Committee would have the authority to extend that change to waste water treatment facilities.

Tuesday, May 24, 2011

HR 1540 and Cybersecurity

In an earlier blog on the introduction of HR 1540, the National Defense Authorization Act for Fiscal Year 2012 I mentioned that I saw no cyber security provisions but thought that that would change as this moved through the committee process. I was not completely wrong; I have found one fairly obscure reference to cyber security in the Committee Report on HR 1540.

In one of the reporting requirements that show up in committee reports but not the actual legislation, the House Armed Services Committee “directs the Secretary of Defense to conduct a study on the threat to the readiness of military installations from possible cyber attacks on civilian critical infrastructure” (pg 199). The requirement includes the inevitable ‘Report to Congress’ on the results and potential mitigation efforts.

The prior discussion makes it fairly clear that the Committee was concerned about potential attacks on local utilities supporting military bases. Interestingly the discussion makes no specific reference to Stateside facilities, so presumably it would also require DOD to look at potential effects on bases in foreign countries.

I am more than a little disappointed that the Committee has taken such a narrow view of the definition of ‘critical infrastructure’ in mandating this study. It fails to note that many military bases are served by fuel pipelines that could be subject to cyber attacks. Additionally, I would bet that there are military facilities that are located in areas that could be affected by attacks on high-risk chemical facilities and chemical facilities located in port areas covered by MTSA.

Interestingly, the chemical facilities that have the lightest federal security mandate, water treatment facilities, could be covered under this mandated report as long as they provide water service to a DOD facility. It would be interesting to see if there would be any mention of potential cyber attacks that could result in the release of chlorine gas from these facilities as a possible source of danger to military facilities.

Unfortunately we will never see this report. These reports to Congress usually get buried in any case, but this one will certainly be classified, so public release will be even less likely. It would have been nice to see a requirement for an unclassified summary to be included with this report, but Congress has never been keen on sharing their information with the public.

More on GPS Interference

Yesterday while I was perusing the House Armed Services Committee’s report on HR 1540 looking for cyber security related provisions, I came across an interesting discussion (pgs 182-4) about the GPS interference that I reported on this weekend. The discussion is providing a Committee explanation of a provision of the revised version of HR 1540 that is currently being considered by the House Rules Committee in drafting its rule for the consideration of the bill on the floor of the House this week.

The military and a number of other agencies of the Federal government have expressed some concerns about the FCC’s potential approval of the new cell phone service license being sought by LightSquared. The provision in HR 1540 (§911, Title IX, Subtitle B) would require DOD to report to Congress when it determines that a ‘commercial communications service’ will cause or is causing widespread ‘harmful interference’ with the GPS receivers of DOD. Presumably, then, the Congress would react to stop that interference.

According to this discussion the FCC gave conditional approval to LightSquared in January of this year pending final resolution of the ‘interference’ issue. It also notes that the FCC is scheduled to make their final determination on June 15th. There is a chance that this bill could become law before that date, but it wouldn’t have any direct effect on the FCC’s decision even if it did; it would just require DOD to prepare a report to Congress.

It is disappointing that the discussion says nothing about the potential effect of this interference on control systems. It does mention, in passing, that there is the potential for interference with timing services. That is the portion of this issue that could be of concern to some control systems engineers, and it is lumped in with “myriad commercial applications” (pg 183) in the list of areas potentially affected.

One of the amendments being considered by the Rules Committee would take this issue one very small step forward. Rep. Turner (R, OH) has offered an amendment (#76) to HR 1540 expressing the ‘Sense of Congress’ that “any commercial communications that interferes with the Global Positioning System (GPS) should not receive final authorization by the Federal Communications Commission until the potential interference with GPS is resolved”. A ‘Sense of Congress’ resolution has no legal effect on Federal agencies.

We’ll have to wait and see if this amendment (as effective as it is) makes it to the short list of amendments that the Rules Committee will allow to be considered during the floor debate. The Rules Committee hearing from yesterday evening is continuing this afternoon.

Monday, May 23, 2011

Another Spring/Summer H1N1 Flu Outbreak?

There is a report out on PandemicInformationNews.Blogspot.com about another spring outbreak of the H1N1 flu virus that brings to mind the 2009 outbreak. This time it appears that the initial US infection point is El Paso, TX. There is at least one report of infection in a family that had been vaccinated with the H1N1 vaccine in 2009, so there may be limited immunity to this new strain (now being identified as the Chihuahua sub-clade).

Over at Recombinomics.com they are reporting that genetic sequencing of some of the samples provides evidence that this variant may be very effective at infecting the upper respiratory tract, making this much more likely to spread via aerosols produced by coughing and sneezing. The capability to infect via aerosols makes it easier for this to spread during spring and summer travel seasons, a time when the spread of the flu typically is greatly reduced.

It’s way too early to call this a new ‘pandemic’ flu, but it certainly seems to have the potential characteristics to become the next big flu killer. It is not, however, too early to break out the infectious disease response plan that most organizations last looked at in the summer and fall of 2009. A review of the lessons learned in that outbreak should have definitely informed changes and updates to that plan. High-risk chemical facilities will want to pay particular attention to how the plan deals with potential reductions in the availability of security personnel.

Sunday, May 22, 2011

GPS Interference from New Cell Service

Readers may remember that back in January there was a ‘mysterious’ report of expected GPS outages by the FAA that were re-broadcast by ICS-CERT because of their potential for interfering with certain timing signals used by some SCADA systems. I never did see a good explanation for the cause of the problem until early this morning when I was looking over the late news from yesterday.

An interesting article over on NextGov.com was discussing a test conducted by LightSquared, a new cell service provider, to see if their cell phone broadcasts interfered with GPS reception on nearby frequencies in areas near the cell towers. Lo and behold, in a limited area right near the tower they completely scrambled some GPS receivers and just threw off the accuracy of other receivers. There is still some debate apparently whether the signal was broadcast outside of the allowed spectrum, which borders the frequency allotted for GPS receivers; or if the receivers were too sensitive to signals outside of the allotted GPS spectrum.

I see no mention in this report of whether or not any SCADA devices were tested to see if LightSquared’s signal interfered with the GPS timing signal used by those devices to coordinate timing of actions at multiple, remote locations. From the scope of the tests reported in this article it would seem that the SCADA device would have to be close to the cell phone tower, but I know of two pipeline pumping stations near where I live that appear to have cell towers within the station perimeter.
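Until someone does test this, the practical question for an operator of a remote station (raised here and again in the later post on the Turner amendment, where nobody has reported interference with timing signals but nobody appears to have looked) is whether the station would even notice a degraded GPS timing feed. The following is an added example, not code from the original post or from any receiver vendor, of a health check that compares the receiver’s NMEA 0183 RMC sentences against a free-running local clock and flags loss of fix, corrupt sentences, and time that has jumped away from the local clock. The tolerances, the dummy position, and the sample sentences are constructed; the RMC field layout and the XOR checksum are the real NMEA conventions.

```python
"""Health check on a GPS timing feed used by a remote SCADA station.

Added example, not from the original post or from any vendor: it shows the
kind of check an operator could run to notice interference with a GPS timing
feed (loss of fix, corrupt sentences, or GPS time drifting away from a
free-running local clock). It assumes the receiver emits NMEA 0183 RMC
sentences; the tolerances and the sample sentences are constructed.
"""
from datetime import datetime, timedelta, timezone

MAX_OFFSET = timedelta(seconds=1)  # assumed tolerance between GPS and local clock
MAX_GAP = timedelta(seconds=5)     # assumed longest acceptable run without a fix


def nmea_checksum(payload: str) -> str:
    """XOR of every byte between '$' and '*', as two upper-case hex digits."""
    csum = 0
    for ch in payload:
        csum ^= ord(ch)
    return f"{csum:02X}"


def build_sentence(payload: str) -> str:
    """Wrap a payload as '$payload*CS' (used here only to construct samples)."""
    return f"${payload}*{nmea_checksum(payload)}"


def parse_rmc(sentence: str):
    """Return (utc_time, fix_valid) from an RMC sentence; ValueError if corrupt."""
    if not sentence.startswith("$") or "*" not in sentence:
        raise ValueError("not an NMEA sentence")
    body, _, given = sentence[1:].partition("*")
    if nmea_checksum(body) != given.strip().upper():
        raise ValueError("checksum mismatch")
    fields = body.split(",")
    if fields[0] not in ("GPRMC", "GNRMC") or len(fields) < 10:
        raise ValueError("not an RMC sentence")
    hhmmss, status, ddmmyy = fields[1], fields[2], fields[9]
    utc = datetime.strptime(ddmmyy + hhmmss[:6], "%d%m%y%H%M%S")
    return utc.replace(tzinfo=timezone.utc), status == "A"  # 'A' valid, 'V' no fix


def check_feed(sentences, local_times):
    """Compare each sentence with the local clock reading taken alongside it.

    Returns a list of (index, problem) tuples; an empty list means the feed
    looked healthy for the whole window.
    """
    alerts = []
    last_good = None
    for i, (sentence, local) in enumerate(zip(sentences, local_times)):
        try:
            gps_time, valid = parse_rmc(sentence)
        except ValueError as err:
            alerts.append((i, f"unparseable sentence: {err}"))
            continue
        if not valid:
            alerts.append((i, "no valid fix"))
            if last_good is not None and local - last_good > MAX_GAP:
                alerts.append((i, "fix lost for longer than tolerance"))
            continue
        offset = abs(gps_time - local)
        if offset > MAX_OFFSET:
            alerts.append((i, f"GPS time differs from local clock by {offset}"))
        else:
            last_good = local
    return alerts


def make_rmc(hhmmss: str, status: str) -> str:
    """Constructed RMC sentence with a dummy position and the date 22 May 2011."""
    return build_sentence(
        f"GPRMC,{hhmmss},{status},3355.123,N,08645.456,W,0.0,0.0,220511,,")


def run_demo():
    """Five constructed seconds of feed: two good, one no-fix, one 10 s jump, one corrupt."""
    base = datetime(2011, 5, 22, 12, 0, 0, tzinfo=timezone.utc)
    local_times = [base + timedelta(seconds=i) for i in range(5)]
    corrupt = make_rmc("120004.000", "A").replace(",A,", ",V,", 1)  # body altered, checksum not
    sentences = [
        make_rmc("120000.000", "A"),
        make_rmc("120001.000", "A"),
        make_rmc("120002.000", "V"),
        make_rmc("120013.000", "A"),
        corrupt,
    ]
    return check_feed(sentences, local_times)


if __name__ == "__main__":
    for idx, problem in run_demo():
        print(f"sample {idx}: {problem}")
```

The comparison clock does not have to be accurate, only free-running and independent of the receiver; an ordinary crystal oscillator drifts far less per second than the jumps a jammed or spoofed receiver produces. What the station does with an alert (hold the last good time, fall back to a network time source, or refuse to execute time-coordinated actions) is a design decision for the process engineers, not something this check can make for them.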

I am absolutely sure (SARCASM Warning) that the ICS-CERT, PHMSA and TSA Pipeline Security have all been intimately involved in these studies, as have the appropriate vendors and anyone else with an interest at SCADA operations at remote locations. Everyone is too smart and communicates too well for something like this to have fallen through the cracks.

Congressional Hearings Week of 5-23-11

The House is back in town after a long week of checking the pulse back home and the Senate was in session the whole time. We’re now back to both houses working at the same time and that makes for an interesting week of hearings for the chemical security community. We have three hearings that will address cyber security, but I’ll be surprised to hear two minutes on control systems. There are two money bills being looked at, but we’re interested in the DOD bill just because of potential cyber security issues.

Cyber Security

The week starts off with the Senate Homeland Security and Governmental Affairs Committee taking an official look at the President’s new cyber security proposal that I talked about briefly last week. I focused on potential control systems issues, but that isn’t what the proposal was really about. The Administration is sending representatives from DHS (Reitinger), DOD (Butler), DOJ (Chipman), and DOC (Schwartz). The Lieberman-Collins team will sort out the details; I just hope they ask at least a couple of questions about control system security.

On Wednesday there will be two additional cyber security hearings on the other side of the Dome. The House Judiciary Committee will be holding an oversight hearing looking for ‘Innovative Solutions to Challenging Problems’. The House Science Committee will be looking at ‘Federal Cybersecurity Research and Development Efforts’. Both hearings will be conducted by subcommittees. The inevitable focus will be on information security, but someone may slip up and ask about a control system by accident. No word available yet on the attendees at either hearing.

Money Bills

The House Appropriations Committee is meeting on Tuesday to discuss their ‘Report on the Suballocation of Budget Allocations for Fiscal Year 2012’. Two bills will be discussed, but only the Homeland Security Appropriations Bill counts for this community. How far down they are going to ‘sub-allocate’ the money remains to be seen, but it has to get closer to the program level (CFATS, TSA Ground Security, MTSA, or CERT) than does the part of the draft bill that I’ve already reported on.

HR 1540 will be discussed in front of the House Rules Committee this week to formulate the rule to bring it to a floor vote in the House. I previously mislabeled this bill as an ‘appropriations’ bill; it is just an ‘authorization’ bill. Not much here for Homeland Security or chemical security folks, but there may be mention of DOD and cyber security matters tacked on somewhere along the line, so it makes the list.

The Missing Hearing

The big hearing that everyone in our community expected to watch this week was the House Energy and Commerce Committee markup of HR 908. This was originally scheduled the week before last, but got bumped because the markup of a medical funding bill went long (nothing controversial there…). It was postponed until this last week, but the House took the week off to visit home folks. As of noon today there was nothing on the Energy and Commerce web site about a markup hearing for this bill; that doesn’t mean one isn’t going to happen, it’s just that no one is talking about it yet.

There have been news reports about dissension in the ranks, with Rep. Green (D, TX) not getting to add some of the wording that he would like to the bill that he co-sponsored. The Democrats can only push so hard; they don’t think the current bill will make it through the Senate (nor do I), but too much in the way of IST, water facility coverage, worker involvement, whistleblower protection, or citizen law suits and the bill will not get to the Senate; it will die in the Republican controlled House.

Oh, and don’t forget the power play between the Energy and Commerce Committee and the Homeland Security Committee about who gets oversight authority for CFATS.

There’s a lot of behind the scenes stuff going on with this bill and its counterpart in the Homeland Security Committee (HR 901). It will be interesting to see if any of it makes it to the public side of the process.

DHS Updates Training Support

Earlier this week the DHS Office of Infrastructure Protection (IP) added two new training related web pages to their web site, accessible through their Critical Infrastructure Protection landing page.

The first page, Training Programs for Infrastructure Partners, provides links to generic security training that would be appropriate to just about anyone, particularly those facilities that are considered to be critical infrastructure. There are a few actual training programs listed on this page, but it mainly serves as a consolidation page with links to other pages where the training would actually be found.

The second new page, Sector-Specific Critical Infrastructure Courses, is listed on the first page. There are a few actual training courses listed on this page (all three in the Dams Sector). Two of the critical infrastructure (CI) sectors that DHS is responsible for, the Chemical Sector and the Commercial Facilities Sector, have their own training resources page (I routinely watch and report on changes for the Chemical Sector page) and links to those two pages are found on this page.

Two other CI sectors do not currently have their own training web pages so this site provides email addresses for training points of contacts.

The one thing that is missing from these pages is a link to the main FEMA training site. Since FEMA is responsible for much of the training provided by DHS I don’t understand why it wouldn’t be listed here.

Saturday, May 21, 2011

EPA Cancels Some Methyl Bromide Registrations

The Environmental Protection Agency (EPA) continues to slowly wind down the use of methyl bromide in the United States. Friday they issued an order in the Federal Register (76 FR 29238-29240) canceling the registration of methyl bromide for certain soil fumigation uses as requested by the manufacturers. The sale of methyl bromide fumigants for these uses will not be allowed after varying dates (depending on the use) as late as December 31st, 2014. The continued use of ‘existing stocks’ may be allowed for up to 120 days after the termination of the registration.

This order does not terminate all registered uses of methyl bromide as a fumigant, but it will significantly reduce the total usage of this toxic inhalation hazard chemical that is known to have a deleterious effect on the concentration of ozone in the upper atmosphere. This atmospheric effect is the reason that methyl bromide use is being phased out worldwide.

As long time readers of this blog are certainly aware, I continue to be concerned that DHS has not included methyl bromide on its list of chemicals of interest (COI) for the CFATS program. It was removed from the proposed list of Appendix A chemicals at the request of EPA because its use was being phased out. Here it is, almost four years later, and methyl bromide is still ‘being phased out’ and will continue in that mode for at least another two and a half years.

As long as methyl bromide continues to be used as a fumigant it will continue to pose the same sort of security threat as other TIH chemicals. DHS certainly needs to strongly consider adding methyl bromide to Appendix A in the current on-going review of that list of COI.

Friday, May 20, 2011

Chemical Sector Security Summit Registration Closed

This morning the DHS Office of Infrastructure Protection updated the web site for the 2011 Chemical Sector Security Summit (CSSS), notifying the chemical security community that the registration for the Summit was now closed. This was not unexpected; DHS limited registration to 2 people per organization to try to provide access to as many organizations as possible.

Once again I would like to call on DHS OIP and SOCMA (one of the industrial sponsors of the CSSS) to consider opening the presentations at this year’s Summit to on-line viewing. With only about 600 openings for attendees available, and the poor economy affecting travel budgets, there will be no other way for most members of the chemical security community to attend this meeting.

I’m sure that DHS will be posting the slides from most of the presentations on-line after the conference is over as they have in years past. This is valuable, if incomplete, information. The actual words of the speakers and the increased level of detail that they provide over the slide content would be a valuable source of information to our community.

I would prefer to see the presentations in real-time, but even posting security-edited versions on the CSSS web site after the Summit is over would be valuable.

New Siemens Vulnerabilities?

The vulnerability disclosure issue got ugly earlier this week. A security researcher who was scheduled to make a presentation at the Takedown ‘security conference’ (well that’s how Wired.com described it in their article on the situation; to an outsider like me it sounds like a hacker convention) on hacking the Siemens control systems pulled his presentation (Chain Reactions — Hacking SCADA) at the last minute. According to the researcher, Dillon Beresford from NSS Labs, he was politely asked to pull the presentation by Siemens and ICS-CERT when Siemens discovered that a patch they had developed for one of the vulnerabilities that he was going to discuss had already been bypassed.

Responsible vs Immediate Disclosure

Beresford has apparently come down on the side of ‘responsible disclosure’, a policy encouraged and facilitated by ICS-CERT. In this type of disclosure process the security researchers first report their vulnerability discoveries to vendors or to an organization like ICS-CERT that coordinates with the vendor. Only when a method to correct or mitigate the vulnerability is developed is the news of the vulnerability made public. Supporters of this policy note that premature (before there is a defense) disclosure puts system owners at risk without providing them a defense.

Opponents of ‘responsible disclosure’ (I’m talking about security researchers here not malicious hackers) point to numerous horror stories about efforts to make a responsible disclosure where they were ignored or rebuffed by the vendor involved. They also point out that if they could find the vulnerability other, less ethical researchers (malicious hackers) could as well. They would prefer to see system owners notified so that they could take some sort of protective precautions.

Actually, as in most issues, there are a large number of researchers who fall somewhere in the middle on this issue. These people would recommend giving vendors a ‘reasonable’ amount of time to come up with a patch or mitigation procedure. If there has been no response by that time most would then come down on the side of immediate disclosure.

There is another side of this that is less frequently discussed, but deserves mention. Security researchers are, for the most part, in the business of system security. They sell their expertise to system owners who turn to them to protect their computer systems. A researcher who has his name attached to a number of vulnerability discoveries has demonstrated his expertise; it’s like having patents or published articles. Early disclosure provides the researcher with control of who gets credit for the discovery; this may be missing in coordinated disclosure situations.

Siemens Vulnerability

In this particular situation we have an unusual set of circumstances. First, the world now knows that there are multiple vulnerabilities in the Siemens SCADA systems and that at least some are related to its PLCs (Programmable Logic Controllers). This may be the same general type of vulnerability used by the crafters of Stuxnet (and reported on in depth by Ralph Langner), or it may be an entirely new vulnerability. Whichever it is, it appears that it would allow an attacker to take control of a PLC and make changes in the physical processes controlled by the subverted PLC.

This is potentially very serious. Just ask your process safety team what could go wrong if one or more of the PLCs in the control system just started to do the wrong thing at the wrong time: opening valves instead of closing them, keeping pumps running while the storage tank is overflowing. And remember that Siemens is one of the top suppliers of PLCs in the world. Even in facilities where Siemens control systems have been replaced by another vendor’s, there is still a good chance that one or more Siemens PLCs remain buried in the system.

Partial Disclosure

What we now have with the Siemens systems is neither responsible disclosure nor full disclosure (I like that better than the alternative – ‘irresponsible disclosure’). The world knows that there is a serious vulnerability in the Siemens control systems. System owners have no idea what type of actions – short of system shutdown – that they can take to protect their manufacturing processes.

Beresford and his co-workers at NSS Labs know what the vulnerabilities are, but that is okay, as they don’t appear to be in the business of overflowing storage tanks.

The rest of the security research community (and less ethical hackers) now know that there are exploitable vulnerabilities in a very common system. Providing that knowledge is like throwing raw meat to a pack of starving dogs. And Beresford inadvertently made it worse by telling the people from Wired.com that the vulnerabilities were ‘easy to find’; that’s like questioning the manhood of a gangbanger. Just look at the recent number of vulnerability reports for the systems in which Luigi identified vulnerabilities earlier this year.

Open season has now been declared on Siemens control systems. Every hacker and security researcher worthy of the name will be trying to figure out the vulnerabilities that Beresford identified and expanding on that list. Oh, and if you don’t have a Siemens system or any Siemens PLCs in your control system, don’t be too confident. Beresford told Wired.com that at least one of the vulnerabilities that he discovered affects systems from multiple vendors.

System Owners

What is the owner of a Siemens control system to do with this information? Besides hoping and praying, not much more than should have already been done with your system. Minimize and understand the system’s exposure to the Internet and other networks. Watch the system logs very carefully for unusual activity. And, if you don’t have a system security team in house or under contract, make sure you have the contact information for ICS-CERT (see their web site). They don’t typically stop problems (manpower and liability issues), but they are a resource for helping facilities to recover. Unless, of course, the attacks are widespread; their small team can be quickly overrun.
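To make ‘watch the system logs for unusual activity’ a little more concrete, here is an added example (mine, not something from the original post, from Beresford, or from ICS-CERT) that runs two simple checks over firewall connection-log lines: any source outside the site’s own address space touching the PLC subnet, and any host other than a designated engineering workstation successfully talking a PLC protocol to a PLC. The log lines are constructed, and the log field layout, the site addressing (PLCs on 10.1.30.0/24, one engineering workstation at 10.1.20.15, internal space 10.0.0.0/8) and the set of PLC service ports are all assumptions chosen for the example. The one outside fact used is that Siemens S7 PLCs are programmed over ISO-TSAP on TCP/102; Modbus/TCP on 502 is included as a second common PLC protocol.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (not captured traffic). The field layout is a
# hypothetical firewall connection-log format chosen for this example.
SAMPLE_LOG = """\
2011-05-31T02:14:07 src=10.1.20.15 dst=10.1.30.7 proto=tcp dport=102 action=allow
2011-05-31T02:14:09 src=10.1.20.15 dst=10.1.30.8 proto=tcp dport=102 action=allow
2011-05-31T02:20:41 src=10.1.40.22 dst=10.1.30.7 proto=tcp dport=102 action=allow
2011-05-31T02:21:03 src=10.1.40.22 dst=10.1.30.7 proto=tcp dport=102 action=allow
2011-05-31T03:02:55 src=198.51.100.23 dst=10.1.30.9 proto=tcp dport=102 action=deny
2011-05-31T03:05:10 src=10.1.20.15 dst=10.1.30.7 proto=tcp dport=502 action=allow
2011-05-31T03:07:33 src=10.1.20.16 dst=10.1.30.7 proto=udp dport=161 action=allow
"""

# Assumed site inventory for the example: the site's internal address space,
# the subnet holding the PLCs, the engineering workstations that are the only
# hosts allowed to program PLCs, and the PLC protocol ports worth watching
# (TCP/102 is ISO-TSAP, used by Siemens S7; TCP/502 is Modbus/TCP).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
PLC_NET = ipaddress.ip_network("10.1.30.0/24")
ENGINEERING_WS = {ipaddress.ip_address("10.1.20.15")}
PLC_PORTS = {102: "S7/ISO-TSAP", 502: "Modbus/TCP"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def find_anomalies(log_text):
    """Return (timestamp, rule, detail) tuples for records that deserve a look."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in PLC_NET:
            continue
        src, dst, dport = rec["src"], rec["dst"], rec["dport"]
        # Rule 1: a source outside the site's own address space reaching the
        # PLC subnet, whether allowed or denied, means the control network is
        # exposed and somebody is probing it.
        if not is_internal(src):
            findings.append((rec["ts"], "external-source",
                             f"{src} -> {dst}:{dport} ({rec['action']})"))
        # Rule 2: successful PLC-protocol traffic from a host that is not one
        # of the engineering workstations.
        if dport in PLC_PORTS and rec["action"] == "allow" and src not in ENGINEERING_WS:
            findings.append((rec["ts"], "unexpected-plc-client",
                             f"{src} -> {dst}:{dport} {PLC_PORTS[dport]}"))
    return findings


def plc_clients(log_text):
    """Count which hosts successfully spoke a PLC protocol to which PLC.

    This is the baseline to review by hand: every (client, PLC, port) triple
    that is not a known engineering or HMI host needs an explanation.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dst"] in PLC_NET and rec["dport"] in PLC_PORTS \
                and rec["action"] == "allow":
            counts[(str(rec["src"]), str(rec["dst"]), rec["dport"])] += 1
    return counts


if __name__ == "__main__":
    for ts, rule, detail in find_anomalies(SAMPLE_LOG):
        print(ts, rule, detail)
    for (src, dst, port), n in sorted(plc_clients(SAMPLE_LOG).items()):
        print(f"{src} -> {dst}:{port} x{n}")
```

On the constructed lines this flags the two allowed S7 sessions from 10.1.40.22 (not an engineering workstation) and the denied probe from 198.51.100.23, and the baseline table shows 10.1.40.22 as a PLC client that someone needs to account for. The point is not the particular rules but that a control network has few legitimate PLC clients, so an allowlist of who may talk to the PLCs is a short list that logs can be checked against.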

Thursday, May 19, 2011

May ICS-CERT Monthly Monitor

Yesterday, the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published the May issue of their Monthly Monitor. This is the second of what hopefully will be a long run of monthly documents that “highlights recent activities and information products affecting industrial control systems (ICS) and provides a look ahead at upcoming ICS related events”.

There is a lot of good information summarized in this publication, with extensive links to source documents. I particularly appreciate the section on ‘Incident Response’. This provides sanitized descriptions of actual cyber security events that the ICS-CERT people have dealt with in the last month. Some of them have already been covered in the open media, but most have never been publicly released.

This month’s issue contains a brief report about a security researcher’s identification of a vulnerable, internet-facing control system to ICS-CERT. In the Analysis section there is a brief update about the tools that researchers use to identify such sites.

This is a good publication for anyone involved in the management of control system security.

More President’s Cyber Security Legislation

Okay, I finally got around to reading the President’s proposed language for cyber security legislation. While there is nothing in the proposal that specifically addresses control system security measures, there are enough ambiguities in the proposed language that regulations developed under these provisions could be used to regulate control system security.

No ‘Stuxnet’ Coverage

A couple of security researchers have taken objection to the wording of the change to §1030A of 18 USC that describes what would be included in the offense, ‘Aggravated Damage to a Critical Infrastructure Computer’. They note that the wording of §1030A(a)(1)(A) would limit that offense to actions that resulted in the substantial impairment “of the operation of the critical infrastructure computer”. They note that attacks like Stuxnet do not actually target these computers but the linked control devices. They then reason that a Stuxnet like attack would not fall under the definition of this offense.

Someone with a control systems background would certainly have included a listing of specific control systems devices in this definition. The problem with that approach would be that when a new class of control devices is developed a change in legislation would be required to include that in the definition of ‘Aggravated Damage’.

The crafters of this document took a different approach. In §1030A(a)(1)(B) it includes the impairment “of the critical infrastructure associated with such computer”. This should address the concern about whether or not a Stuxnet type attack would fall under this offense.

Critical Infrastructure Cyber Security Regulations

One area of this proposed legislation that could allow for the regulation of some industrial control systems can be found on page 20 in the addition of Subtitle E to Title II of the Homeland Security Act of 2002. The coverage by this section of control systems rests on a broad definition of ‘critical information infrastructure’ found in §242(5) that includes any “physical or virtual information system that controls, processes, transmits, receives or stores electronic information in any form including data, voice or video” if it is “vital to the functioning of critical infrastructure” {§242(5)(A)}.

An argument could certainly be made that any computer is an ‘information system’ and that ‘electronic information’ is used to control physical processes that are vital to the functioning of critical infrastructure. If I were writing the supporting regulations, I would use this interpretation to establish ICS security regulations. I doubt, however, that DHS will take that approach. They are going to have enough problems dealing with the regulation of information systems without taking on the additional problems involved in control system security regulation.

ICS Regulation

For argument’s sake, let’s assume that I am wrong about the DHS interest in regulating control systems in critical infrastructure. With that assumption made, what effect might this proposed regulatory language have on industrial control system security?

Information protection: Section 245 provides that any cyber security information voluntarily provided to DHS will be protected against disclosure under the Freedom of Information Act. This is significantly less protection against disclosure than that provided by other security programs like CFATS (CVI) or MTSA (SSI). The wording would not provide protection from disclosure of any information required to be submitted to DHS by subsequent regulations. Section 246 weakens that protection further by prohibiting prosecution of non-Federal government employees for disclosure of the information voluntarily provided to DHS. There is no provision for protecting sensitive business information. Personal information is given significant protections.

Response to cyber incident: Section 249 provides the Secretary of DHS with the authority to order a wide range of response actions, but that authority is provided only with respect to Federal information systems. There is no mention in this section of authority to order private sector entities to do anything.

Covered Critical Infrastructure

Starting on page 32 we see another piece of legislative language, the “Cybersecurity Regulatory Framework for Covered Critical Infrastructure Act”, that could affect industrial control system security. Section 3 of this language would require the DHS Secretary to write regulations to designate ‘covered critical infrastructure’. There are a number of restrictions on this authority constraining what can be designated. The two main ones are that:

● A successful attack could result in “a debilitating impact on national security, national economic security, national public health or safety; and” {§3(b)(1)(A)}

● The designated entity “is dependent upon information infrastructure to operate” {§3(b)(1)(A)}.

For high-risk chemical facilities, the failure to modify the word ‘safety’ by preceding it with ‘national’ may allow an aggressive DHS to include CFATS facilities under any regulations developed under this section. This is not significantly impacted by the second requirement, as the term ‘information infrastructure’ is not specifically defined in this ‘act’. This means that the presence of an industrial control system could be argued to be, de facto, part of an information infrastructure.

Again, I doubt that DHS would expansively interpret this rule to cover high-risk chemical facilities, but pipelines and elements of the electrical grid would certainly fall under the descriptions in this section.

Covered Infrastructure Requirements

Section 4 of this ‘act’ would require the Secretary to establish a ‘process’ to determine which cyber security risks would have to be ‘mitigated’. A list of ‘covered’ risks would be published and periodically updated. The Secretary would also be required to ‘consult’ with standards setting organizations and ‘private sector representatives’ to determine an appropriate ‘framework’ to enhance security practices.

Taking a page from the CFATS authorization this legislative language would maintain that such frameworks “shall not require the use of a particular measure, but shall leave the choice of particular measures to an entity to which the framework applies” {§4(b)(5)}. This has worked out so well for CFATS (SARCASM Alert) that we might as well try it on cyber security as well.

Covered critical infrastructure organizations (and it is not clear at what level: corporate, business group, or individual facility) would be required to develop a ‘cybersecurity plan’ based on one of those ‘applicable frameworks’ I discussed above. The plan would have to be signed by someone of authority in the organization.

Annual certification of the existence of an updated plan would have to be made to the SEC (or DHS if privately held) and a ‘high-level summary’ would have to be publicly disclosed. Detailed ‘security and vulnerability-related information’ would be protected against disclosure under the Freedom of Information Act.

The DHS Secretary is given limited authority to enforce regulations under this ‘act’. Specifically the Secretary shall not “issue a shutdown order, require use of a particular measure, or impose fines, civil penalties, or monetary liabilities on the owner or operator of the covered critical infrastructure” {§8(a)(1)(C)}. With no teeth to this regulation some companies will comply, others won’t, and most will fall somewhere in the middle.

Finally, the Secretary, in consultation with the Director of the OMB, may exempt individual critical infrastructure, in whole or in part, from provisions of this ‘act’ if the “Secretary determines that a sector-specific regulatory agency has sufficient specific requirements in place to effectively mitigate identified cybersecurity risks.”

Missing from Proposal

There is nothing in this proposal that identifies any kind of vendor responsibility for providing secure software, firmware or hardware to critical infrastructure or the government. Neither is there any mention of dealing with reports of vulnerabilities in such ‘ware by independent security researchers. Nor are there any provisions to protect whistleblowers in either the private or public sector from retaliation for reporting cybersecurity problems.

The biggest problem, other than the failure to specifically and unequivocally address control system security, is the lack of protection provided to security information and protected business information in the system.

Oh well, it is a step forward in the discussion, and there is certainly a level of detail missing from previous recommendations made by the administration. Lots of work will need to be done before this sees the first committee vote, much less gets to the floor of the House or Senate.

Wednesday, May 18, 2011

DHS Updated CFATS Knowledge Center and one FAQ Change

Today the DHS ISCD Help Desk folks updated the CFATS Knowledge Center page and revised one of the many Frequently Asked Questions accessed from that page. The changes to the page are mainly housekeeping, making the display of information cleaner. The updated FAQ response is also mainly housekeeping in its scope. Housekeeping, however, is an important task that needs periodic attention.

Updated Format

Minor formatting changes were made to two sections of the page, the ‘Latest News’ section in the upper right and the ‘Documentation’ section in the lower left. There is also a formatting change on the listing of the FAQ questions and the ISCD response to those questions.

They have added a date for each of the entries in the ‘Latest News’ section and limited the amount of text shown on the main page. There is a link to the remainder of the information for each news bite. If it were my page, I would have removed the last two or three items; the oldest dates back to October of last year and hardly rates as ‘News’.

The ‘News’ section change is relatively obvious and would be noticed by just about anyone that visits the page routinely. The ‘Documentation’ section would probably only be noticed by the anal retentive visitors. There are still four pages of documentation listing, but now there are six documents instead of five on each of those pages; an earth shaking change, obviously.

The Help Desk folks have added another date to the listing of each of the FAQ questions. They have kept the ‘Last Modified’ date and added a ‘Date Published’ listing. Actually that name is slightly misleading, but it sounds better than ‘Date of Previous Change and/or Original Publication’. For example the FAQ response updated in today’s change shows a ‘Date Published’ of ‘July 1, 2009’. It was actually first published on October 3, 2008 and revised on July 2, 2009 not July 1st. Okay, July 1st/July 2nd , that’s really nit picking.

In the response to each FAQ, there is now a clickable option to print a .PDF file of that particular FAQ and its response. I’m not sure how often that capability will actually be used, but it is an additional way of providing information to the chemical security community so I applaud the effort.

FAQ 1588 Response Updated

They updated the response to FAQ 1588; “Can you tell me where I can find additional information on CVI?” They updated the link to point to the Chemical Security landing page, where there is a link to the CVI web page. That seems convoluted, but the landing page link should stay constant, whereas the URL for the CVI web page will change as changes are made to that web page.

Playing Games with Dates Again

In the process of writing this posting I had a chance to look a little more closely at the list of FAQs sorted by date, and it once again appears that someone at ISCD is playing some games with the dating of posts. FAQ #41 has re-appeared on the page after a couple of months of absence, and the most recent change date is now listed as March 14th. Readers of this blog may remember my exchange about this FAQ in blog posts dated March 12th and March 13th. Actually I’m glad to see this FAQ back on the page even if the dating is incorrect.

Additionally, there is now a FAQ change dated March 29th, 2011 for FAQ 1474; “In User Registration, what do I put for the county if our facility's city isn't a part of a county?” As recently as 8:00 a.m. EDT this morning, the most recent FAQ change listed before the April 13th entry for the article on the Chemical Sector Security Summit was the January 11th response to FAQ 1712 about the SSP Webinar.

The change made to FAQ 1474 was actually just a correction to a typo in the question; changing ‘part of a country’ to ‘part of a county’ at the end of the question. This is not an earth shaking change and there is little difference if that change was made on March 29th or today. The only reason that I mention these two dating discrepancies is that it is beginning to look like there is a pattern emerging of people making changes to the CFATS web site and playing fast and loose with the dating of the changes.

These dates have little to do with the information provided, they were added to the web pages (a move I applauded years ago) to make it easier to track when changes are made to pages. The games apparently being played with these dates make no sense, but they will make it harder and more time consuming for people like me who closely watch these pages to detect changes to the web site. It also causes one to reconsider the faith one places in the integrity of the data presented on these pages; if stupid games are being played with the dates, what games are being played with the data?

President’s Cyber Security Legislation

I had been going to ignore the recently released cyber security plan from the Obama administration; I have wasted too many hours in the past reading this type of policy document from this administration only to find vague generalities and platitudes without actionable recommendations. Apparently this was a mistake; according to a recent blog post by Dale Peterson at DigitalBond.com, this bill proposed by the President would provide for ICS regulation at critical infrastructure facilities. Dale’s post is well worth the read, and he’s convinced me that this bears closer attention. BTW: Make sure you read the reader comments at the end of the blog post.

Senators Lieberman (I, CT) and Collins (R, ME) apparently think so as well; they will be holding a hearing on the proposed legislation on May 23rd at 10:30 am. No details are yet available about who will be appearing at the hearing. If Sen. Rockefeller (D, WV) holds a hearing on this as well, then we’ll know that the Senate is taking this legislative language seriously.

I promise that I’ll read the President’s proposal and see if I can add anything to Dale’s analysis.

Indicators of Terrorist Activity

SECURITY WARNING: The following blog post discusses information that has been marked as ‘Law Enforcement Sensitive’ by DHS, Protective Security Division, and has been disclosed without appropriate authorization. Under the Obama Administration’s Wiki Leaks Doctrine, reading this post or downloading the referenced document by a government employee or contractor with access to sensitive but unclassified information could have negative consequences.

Thanks to the folks over at PublicIntelligence.net I have had a chance to read an interesting document that should be of interest to everyone in the chemical security community. This draft version of the 2004 “Potential Indicators of Terrorist Activity Infrastructure Category: Chemical Storage Facilities” provides an overview of the reasons why a chemical facility might be attacked by terrorists. It also provides an extensive discussion of indicators that might be expected to be observed as terrorists prepare for an attack.

As I have noted on many occasions in this blog, an effective terrorist attack will be preceded by a period of surveillance that allows the terrorists to collect the information necessary to prepare an effective attack on the site. Detecting this pre-operational reconnaissance may allow law enforcement personnel to disrupt the attack before it has a chance to cause any damage at the targeted chemical facility. Being able to recognize this surveillance should thus be a key part of any chemical facility security plan.

This DHS report breaks the indicators down into four areas:

• Surveillance Indicators;

• Transactional Indicators;

• Customer Behavioral Indicators, and

• Weapons Indicators.

Document Shortcomings

There are two major shortcomings in the discussion in this document. First, it does not do a good job of reminding people that the indicators are not proof of terrorist intent. Many of the indicators, including photography of the site, may have perfectly innocent explanations and may, in fact, be politically protected behavior. This needs to be specifically and repeatedly brought to the attention of front-line security personnel in training and exercise situations. Failure to do so could result in lengthy and expensive litigation.

Second, there is no discussion of the fact that facility personnel need to report this type of behavior and take no direct action against the potential terrorists until an actual attack starts. In almost all cases facility security personnel have no authority to take actions off-site to protect the facility. Even politically correct overt responses to potential indicators of pre-operational planning could result in increased efforts at concealing pre-attack preparations, making preemption of the attack difficult or impossible.

Even with the inadequate coverage of those two topics, I firmly recommend that all chemical facility security managers download and review this document.

Suspicious Activity Reporting Training

This is a good place to mention that I have been asked to plug a SAR training program that I have previously mentioned. For obvious reasons both DHS and DOJ are really getting behind the suspicious activity reporting movement. While the LEAPS.TV training program mentioned is primarily targeted at law enforcement personnel, security guards and anyone responsible for facility security planning would do well to take the 18 minutes necessary to complete this free, on-line training program. (Full Disclosure: I have a training program available on LEAPS.TV and will hopefully be developing more of them in the future.)

Tuesday, May 17, 2011

OMB Announces Conditional Approval of Declassification Rules

Yesterday the OMB web site included the announcement that OMB had approved the draft of the National Archives and Records Administration (NARA) notice of proposed rule making (NPRM) to update its regulations on the declassification of classified documents. The OMB approval is ‘consistent with change’, meaning that OMB has asked for some changes in the NPRM.

The NPRM will implement changes to the handling of classified information mandated by the President’s Executive Order 13526.

This rule will not directly affect the CFATS program because the Chemical-Terrorism Vulnerability Information (CVI) program is not ‘classified information’. The philosophy guiding the development of this rule, however, may be expected to carry over to future regulations on CVI, and other unclassified but sensitive information control programs.

Terrorism Threat

There is an interesting article over on HomelandSecurityNewswire.com that addresses the overall threat of a terrorist attack in the United States and whether that threat is being overblown for political reasons. It is hard to argue that the current terrorism risk picture presents a threat to the existence of the United States. Some people argue that the overhyped response to the relatively low level threat provides a greater existential risk to the country than the risk of an actual terrorist attack.

This is an argument that can be appreciated by the managers of high-risk chemical facilities. There is no question that the implementation of security measures to respond to the Risk-Based Performance Standards outlined in the CFATS program will cost a great deal of money for all covered facilities. If managers cannot control these security costs, it could certainly pose an existential threat to that facility.

Determining the Threat

I don’t think that anyone has made any claims that there is a high probability for a terrorist attack on a high-risk chemical facility. Based solely on past history there is no threat of an attack on a US chemical plant. Of course, based upon past history, on September 10th, 2001 there was no chance that someone would fly airliners into the Twin Towers in New York.

This is the reason that the CFATS program bases the threat calculation for determining which facilities are covered not on past history but on the potential consequences of an attack. For facilities with release COI this is a fairly straightforward calculation. Tools exist to calculate the area at risk in the event of a catastrophic release. Once that is known, it is a relatively simple matter to count the number of people in the affected area. The hard part, politically speaking, is setting the threshold numbers that put a facility into the high-risk category and the tier rankings. It is slightly more complicated for theft/diversion COI, but a consequence-based calculation is still used to determine the risk.

Low Probability – High Costs

So, at high-risk chemical facilities we have a classic case of low-probability high-consequence event; the cost of the potential consequences is so high that it justifies the expenditures for preventing those low-probability consequences.

There is a saving grace here. Many of the security measures implemented to protect a facility against a release COI consequence would also serve to reduce the probability of an accidental release of those COI and to mitigate the potential consequences of such a release. That does nothing to reduce the costs, but it does provide further justification.

If We Identify a Specific Threat

If we reach a point in time where a specific threat against a specific high-risk chemical facility is identified, what will happen? First off, since a high-risk security program is already in place, much of the hard work of protecting the facility will already have been done. Many security measures requiring long lead times for designing, manufacturing and installing will already have been put into place. Without the CFATS program in place, many of these measures would never have been implemented.

Second, since the CFATS program requires each facility to have in place a plan for periods of elevated threats, the facility will have already done much of the planning necessary to increase their security profile.

Increased Security Decreases Threat

Finally, we must remember that increased security should also serve to deter potential attacks on the facility. Terrorist organizations, like any other political organization, need to appear effective to maintain a steady inflow of people and money. If facility security measures appear strong enough to cast doubt on possible mission success, the typical terrorist will move on to an alternative target.

Additionally, an effective security program raises the security awareness of facility employees and contractors. This increased awareness makes it more likely that any pre-attack surveillance will be detected, which in turn increases the likelihood that the attack can be preempted. Extending that security awareness to the surrounding community, including local law enforcement, increases the chances of attack detection even more.

Realistic Appraisal

A realistic appraisal of the current threat environment, from all of the unclassified information available to the intelligent public, makes it relatively clear (there are no absolutes in intelligence matters) that the probability of any given high-risk chemical facility being attacked by terrorists is very low, but not so low as to approach zero. Prudence and a realistic appraisal of the possible consequences of an attack on a high-risk facility require that precautions be taken to further reduce the possibility of a successful attack on one of these facilities.