Sunday, September 30, 2012

S 3569 Introduced – Cloud Computing Security


Earlier this month, before the Senate adjourned for the electioneering break, Sen. Klobuchar (D,MN) introduced S 3569, the Cloud Computing Act of 2012. The bill would specifically add attacks against cloud computing services to the federal computer offences listed in 18 USC §1030.

Cloud ICS Not Covered


The current wording of the bill would not specifically address attacks against control systems operating in the cloud. The key to this lack of coverage is two definitions being added by §2(b)(3) to §1030(e): ‘cloud computing service’ and ‘cloud computing account’. The ‘service’ term is defined as “a service that enables convenient, on-demand network access to a shared pool of configurable computing resources (including networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or interaction by the provider of the service”. This definition could probably apply to ICS computing services in the cloud.

The limiting term deals with the cloud computing account. The term ‘cloud computing account’ means “information stored on a cloud computing service that requires a password or similar information to access and is attributable to an individual”. While it could be argued that ‘information stored’ could include information that forms the instructions in a cloud-based control system, the requirement that the information be ‘attributable to an individual’ clearly excludes cloud-based ICS.

This lack of ICS coverage is further emphasized in the additional language that is added to §1030 as sub-paragraph (k), which states that if one of the computer offenses currently listed in the section is conducted against a computer that “is part of a cloud computing service, each instance of unauthorized access of a cloud computing account, access in excess of authorization of a cloud computing account, or attempt or conspiracy to access a cloud computing account without authorization or in excess of authorization shall constitute a separate offense” {§2(a)}. Nothing in that description can reasonably be construed to involve an industrial control system.

To be fair to Ms. Klobuchar and her staff, there has not yet been a large movement of control systems to the cloud. It does seem apparent to the casual observer, however, that it is only a matter of time before there will be significant control system applications located in the cloud. If Congress intends to provide criminal sanctions on attacks against the cloud, the wording ought to be inclusive enough to address such services.

A simple wording change to ‘each instance of unauthorized access of a cloud computing account or cloud computing service’ should suffice.

Other Provisions


It would be truly impressive if a Senator could write a simple bill that accomplished a single purpose, but it doesn’t happen here. There are three additional provisions that deal with international cooperation and federal cloud computing procurement forecasting.

Section 4 of the bill requires the Secretary of State to work with international agencies (the actual wording in the bill is ‘international fora’; how quaint) “to advance the aims of ensuring interoperability between the provisions of this Act, the amendments made by this Act, and other laws and policies of the United States and foreign countries”. Such a vaguely worded requirement is no requirement at all.

Section 5 does kind of follow up that requirement with the inevitable requirement for another study. This one requires the Secretary of State to “conduct a study on international cooperation regarding data privacy, retention, and security” {§5(a)(1)}. There is, of course, a requirement to present the results of this study to the Congress. This again reinforces the intention of this bill to address only information security, not ICS security.

These two sections of the bill do provide a sort of a logical extension of the legal definition of cloud computing offenses outlined earlier in the bill. The only relation the final section of the bill has to the named purpose of the bill is that it also refers to cloud computing. In this case, however, it is a requirement for each agency of the federal government to provide a “3-year forecast of the plans of the agency relating to the procurement of cloud computing services and support relating to such services” {§6(b)}.

Moving Forward


The introduction of this measure so late in the session calls into question whether it was ever really intended to pass. If the Congress is going to take up any cybersecurity measure in the post-election lame duck session, it is unlikely to be this one. This may be just another one of the multitude of bills that were introduced this month to further a re-election campaign.

OMB Approves Two Bioterrorism Rules


On Friday the Office of Management and Budget approved two rules dealing with the US bioterrorism prevention program, one from HHS/CDC and the other from USDA. Both rules deal with the biennial review of select agents and toxins.

Select Agent and Toxin List


The USDA rule would amend and republish the list of select agents and toxins that have the potential to pose a severe threat to animal or plant health, or to animal or plant products. It implements the findings of the third biennial review of the list. The rule reorganizes the list based on the relative potential of each select agent or toxin to be misused to adversely affect human, plant, or animal health. This tiering of the list would allow for the risk-based structuring of security measures.

Security Measures


The HHS/CDC rule also updates the Select Agent and Toxin list based upon an interdepartmental review. It also implements the requirements of EO 13546, Optimizing the Security of Biological Select Agents and Toxins (BSAT) in the United States: to review, tier, and reduce the Select Agent List; to establish personnel reliability standards for BSAT workers; and to establish physical security standards for identified Tier 1 select agents and toxins.

Not Homeland Security Related


The OMB makes one of the silliest statements that I have seen in a government publication in a long time in their action notice for each of these rules (HHS/CDC and USDA). On their standard notification format there is a question to be answered by OMB: “Related to Homeland Security”. In both instances the answer is “No”. The whole purpose of these two rules is to ensure that no one steals or diverts any of the select agents or toxins to be used as terrorist weapons. This is clearly established in §3(a) of the Executive Order: “The use of BSAT presents the risk that BSAT might be lost, stolen, or diverted for malicious purpose.” And what better malicious purpose than a terrorist WMD attack.

The only thing that I can figure is that someone at OMB is making a simplistic response to that question: since the rule was not filed by DHS, then it couldn’t be related to Homeland Security. Needless to say, that would be the height of bureaucratic simplemindedness. Hopefully this mistake was one made by an administrative minion, not someone with decision making authority.

Moving Forward


Both rules were approved ‘Subject to Change’ so I suspect that there will be a little time lag for those ‘minor corrections’ required by OMB to be made to the documents. Typically these take a couple of weeks, but that would mean that they would be published in the Federal Register during the ‘October Surprise’ period of a presidential campaign. If the politicians at the White House feel that there is anything even slightly controversial in these rules, I would suspect that they would be further delayed until after November 6th; no sense giving the opposition any unnecessary ammunition in a very close election.

BTW: I hope that HHS/CDC does a better job of writing risk-based security performance standards than DHS/ISCD did.

Saturday, September 29, 2012

Chemical Weapons Convention ICR Renewal


The Commerce Department’s Bureau of Industry and Security published an information collection request (ICR) renewal notice in the Federal Register (77 FR 59891-59892) on Monday (available on the Internet today) for the submission of declarations, reports and inspections required by the Chemical Weapons Convention Implementation Act of 1998 and Commerce Chemical Weapons Convention Regulations (CWCR).

The current ICR (0694-0091) expires 02/28/2013 and there are no changes in this renewal request. The numbers provided in this request are:

• Estimated Number of Respondents: 816.

• Estimated Time per Response: 10 minutes--12 hours per response.

• Estimated Total Annual Burden Hours: 16,047.

• Estimated Total Annual Cost to Public: $41,740.

Public comments may be submitted via email to Jennifer Jessup (JJessup@doc.gov). Comments need to be submitted by November 30, 2012.

NOTE: Most of the facilities required to submit Schedule 1 and 2 reports under this program will also be covered under the CFATS program.

ICS-CERT Publishes Emerson Advisory


Yesterday DHS ICS-CERT published an advisory for the Emerson DeltaV service based upon a coordinated disclosure by Kuang-Chun Hung of the Security Research and Service Institute-Information and Communication Security Technology Center (ICST). The advisory concerns a buffer overflow vulnerability that could allow a relatively low skilled attacker to send a specially crafted string to a specific (but unnamed) port that could crash the system.

Emerson has crafted a hot fix for the problem that has been verified to be effective by ICST. According to the advisory (which was published earlier on the US-CERT restricted portal) Emerson contacted system owners with a notification about the problem and solution. This is the first time that I have seen an advisory note that the vendor directly communicated a vulnerability to system owners; I would like to think that ICS-CERT has simply overlooked mentioning this fact in other cases. If that is not the case, Emerson deserves special kudos for this action and hopefully this starts a trend.

Friday, September 28, 2012

HSAC Teleconference on Cyber Skills


DHS published a notice in today’s Federal Register (77 FR 59627) announcing that the Homeland Security Advisory Council (HSAC) will be holding a public teleconference on October 3rd, 2012. The HSAC will discuss the report of the Cyber Skills Task Force during this teleconference.

Late Notice


The Federal Advisory Committee Act requires 15-days notice for these types of meetings. The announcement justifies the short notice by stating that:

“This notice of the teleconference meeting of the HSAC is published in the Federal Register with less than 15 days' due to the complexity of the issue, the task force was not able to complete its report within this aggressive time line in time for deliver to the HSAC at its September 24-25 meeting. Waiting for the full 15 day notice period to conduct the teleconference will delay the discussion of the report to a period of time that will prevent the Secretary from meeting with the HSAC to review the report due to her travel schedule.”

Interestingly there was no mention of this report in the notice for the meeting earlier this week, so it would seem that the HSAC knew back on September 7th that this teleconference would be required. Even more interesting is the fact that there is no mention of a Cyber Skills Task Force on the HSAC web site. Nor was there mention of this task force in the minutes of the last two meetings of the HSAC.

Public Participation


The public will be allowed to participate in the teleconference in the ‘listen-only’ mode. People wishing to so participate must register with the HSAC via email at HSAC@dhs.gov or via phone at (202) 447-3135. Copies of the task force report will be provided to registrants at the time of registration. Written comments on the topic may be posted to the Federal eRulemaking Portal (www.Regulations.gov; Docket # DHS-2012-0064) though that docket had not yet been established as of 6:00 am EDT this morning. Both registration and the submission of written comments must be accomplished by 5:00 pm EDT on September 30th (please note that that is this Sunday and I would be very surprised if anyone will be answering the phones at HSAC on Saturday or Sunday).

Irreverent Question


There is nothing in this notice that would so indicate, but I wonder… Would this Cyber Skills Task Force report be in any way linked to the much rumored ‘Cybersecurity Executive Order’ that is apparently imminent?

ICS-CERT Updates JSAR and Luigi Vuln


Yesterday DHS ICS-CERT published an updated Joint Security Awareness Report (JSAR) on Shamoon and an advisory for an Optimalog vulnerability reported last year by Luigi.

Shamoon


US-CERT/ICS-CERT updated their earlier advisory on Shamoon. The new version adds almost three pages of mitigation measures that organizations can take to protect themselves (actually only reduce their vulnerability) against a Shamoon attack. The JSAR divides the mitigations into ‘tactical’ and ‘strategic’ measures. The measures are an interesting mixture of the common (‘Ensure that password policy rules are enforced…’), the old school (‘Execute daily backups of all critical systems.’) and new form (‘the whitelisting of legitimate executable directories…’) security measures. Implementing all of the recommended actions will require a lot of work, particularly training.

There still isn’t anything in the JSAR that reports any specific ties of Shamoon to control systems. Of course, with the small number of reported infections it is hard to tell exactly what may or may not be at risk. At this point this is a low probability, high consequence threat. That makes one question the need to spend the time and money to implement the listed mitigations. I guess that’s what CSOs get the big money for.

Optimalog Vulnerability


Last November ICS-CERT published an alert based upon an uncoordinated disclosure by Luigi for the Optima APIFTP Server system. Yesterday ICS-CERT published an advisory on the twin vulnerabilities: a null pointer dereference and a loop with an unreachable exit condition. ICS-CERT reports that a relatively unskilled attacker could use the publicly available exploit to remotely execute a denial of service attack.

Optimalog has released a new version that no longer installs the APIFTP server by default. If the APIFTP is to be used, Optimalog recommends configuring “the firewall and VPN accordingly”. There is no link to any Optimalog document or site that details that ‘accordingly’.

This advisory mentions Luigi’s uncoordinated disclosure but does not provide links to Luigi’s web page describing the vulnerability. Nor does it actually mention the original alert. The latter is unusual, but I thought that ICS-CERT had finally gotten it through their collective head that they had an obligation to give appropriate credit to the intellectual property that forms the basis of their report. Reid Wightman got credit last week, but Luigi doesn’t this week. I’m starting to see a pattern here; Digital Bond and the Washington Post carry enough weight to demand acknowledgement, an independent researcher doesn’t.

Thursday, September 27, 2012

TWIC Reader Rule Update


Laurie Thomas has an interesting post on her Maritime Security/MTSA News blog about a recent meeting of the TWIC Stakeholder Communications Committee. Laurie notes that:

“The NPRM concerning the use of TWIC readers has been developed and is currently going through high-level approval and review.”

The TWIC Reader rule is still going through the DHS approval process and has yet to be sent to the Office of Management and Budget for its review. The OMB approval process can be quite lengthy (most rules, about 75%, take at least 90 days to receive OMB approval).

Midnight Rule Making


There is another factor that could slow the approval process even further; the midnight rule controversy. At the end of a presidential administration there is a tendency to try to complete work on rulemaking processes so that the outgoing administration can put their final stamp on the regulatory process. When there is any controversy surrounding the potential rules the opposition cries foul, maintaining that the new administration should be the one to have approval of the regulatory action as they will be the ones tasked with enforcing the rules.

The Clinton and Bush administrations were both accused of using the midnight rule making process to further their agendas, but both actually put internal rules in place to minimize the amount of rulemaking that was completed in the last months of their administrations. Now the Obama administration may or may not be around for an additional four years (the election is still way too close to call), so it wouldn’t be fair for us to expect a formal announcement of avoiding midnight rule making, but it appears that an unofficial policy may be in place.

OMB Rule Submissions


The table below shows the rules that the Administration has officially submitted to OMB during 2012; all data current as of yesterday according to the Office of Information and Regulatory Affairs (OIRA) web site. The ‘Completed’ column shows the number of rules submitted during that month upon which OMB has completed their action. The ‘Incomplete’ column shows the number of rules submitted during that month that still have actions pending.

Month   Completed   Incomplete   Submitted
Jan        45           14           59
Feb        38            8           46
Mar        44           12           56
Apr        28            9           37
May        25           19           44
Jun        15           11           26
Jul        17           10           27
Aug        10           17           27
Sep         3            9           12

Looking at this data it appears that the Obama Administration has taken unofficial steps to reduce the potential appearance of midnight regulating in the event that the President is not re-elected in November. If he is re-elected I would bet that there is a surge of rules submitted to OMB and a similar increase in the rate of approval of regulations by that agency (for example there are 28 EPA rules currently under review at OMB).

TWIC Reader Rule


Given the above information, I would not be surprised to see the TWIC Reader Rule still pending approval come year end. If Obama is not re-elected in November I would suspect that the rule would not go to the OMB before January 21st, 2013. If he is re-elected the rule would be expected to go to OMB in November and not be approved until after the first of the year.

Wednesday, September 26, 2012

S 3564 Introduced – Declassification


Last week before the Senate took their extended election break Sen. Lieberman (I,CT) introduced S 3564, the Public Interest Declassification Board Reauthorization Act of 2012. The bill reauthorizes the PIDB that was initially established by the Intelligence Authorization Act for Fiscal Year 2001 (PL 106-567; Title VII) to advise the President “on the systematic, thorough, coordinated, and comprehensive identification, collection, review for declassification, and release to Congress, interested agencies, and the public of declassified records” {PL 106-567 §703(b)(1)}.

Lieberman’s bill makes two minor changes to the provisions for appointing members of the PIDB. More importantly it would extend the authorization of the PIDB from December 27th 2012 until 2018.

It’s odd that this bill was introduced this late in the session; there is no way that this can be taken up before the election and it seems to be too low a priority program to take up much time during the lame duck session. Normally I would expect that this is one of the many bills introduced during the last week before the election adjournment that were meant only to be introduced for electioneering purposes. That is unlikely in this case as Lieberman is retiring at the end of the 112th Congress.

The other odd thing about this bill is that it wasn’t introduced by someone on the Senate Intelligence Committee; that is where the bill originally came from. Not only was it introduced by Lieberman, it was also referred to the Senate Homeland Security and Governmental Affairs Committee, not the intel folks.

I have no explanation for these oddities; I just point them out. This bill will probably be taken up as a unanimous consent bill during the lame duck session. I hope this bill does pass; the more people working at declassifying outdated or misclassified material the better off the government will be in the long run.

DHS Announces CIPAC Meeting


Today DHS announced in the Federal Register (77 FR 59203-59204) that the Critical Infrastructure Partnership Advisory Council would be holding a public meeting on October 3rd, 2012 in Washington, D.C. CIPAC represents a partnership between the Federal Government and critical infrastructure owners and operators and provides a forum in which they can engage in a broad spectrum of activities to support and coordinate critical infrastructure protection.

Agenda


This meeting will focus on efforts to enhance critical infrastructure resiliency. Topics will include:

• Physical and Cyber Critical Infrastructure Protection;

• Industrial Control Systems Security;

• Opportunities in Mitigating Aging U.S. Infrastructure;

• Social Media's Role in Critical Infrastructure; and

• Critical Infrastructure Program Updates

It is interesting to see that ICS security is receiving special mention as a topic separate from cybersecurity. This is extremely unusual for a general topic advisory panel such as this. Since this is an open forum I wouldn’t expect that there will be anything new mentioned on threat information, but it will be interesting to see how industry representatives approach this topic in this venue.

Public Participation


The public is invited to observe the Council’s deliberations. Advance registration to attend is not required; there will be registration at the door. Public oral comments on the topics above will be limited to a 30 minute public comment period at the end of the meeting, with each speaker being limited to 3 minutes. Speaker order will be determined by registration sequence.

Apparently there are no provisions being made to webcast this meeting; DHS certainly needs to work on this area of their information sharing. Opening the CIPAC meetings to a wider audience would do much to alleviate publicly expressed concerns about this panel being a method of giving special interests (industry) private access to DHS.

Written comments on the topics may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # DHS-2012-0051).

Monday, September 24, 2012

My Mistake – ICS-CERT Alerts


I received three anonymous comments today about last night’s post about ICS-CERT alerts. Well, they were probably the same comments three times trying to ensure that I got the information. The comments were a list of ICS-CERT alerts for the Luigi vulnerability disclosures that I mentioned in that blog post. I have gone back and confirmed that not only were the alerts posted, but I commented on them in my blog.

Oh, well, I get stupid every once in a while. Somehow I missed them in my file search yesterday. My apologies to ICS-CERT and my readers. And thanks to my readers for pointing out the error.

There was one Luigi disclosure that wasn’t given an alert, but even Luigi noted on his web site that the system was only marginally related to control systems so ICS-CERT apparently decided that it did not fall within their purview.

Okay, so my Luigi examples are full of c**p. That makes the Reid Wightman disclosures even more of an anomaly. Why was there the almost three month delay between Wightman’s disclosure of the ORing vulnerability and the ICS-CERT Advisory? And why did ICS-CERT ignore the second disclosure in the same blog posting?

There is a fourth comment on the same blog post by another Anonymous reader that kind of obliquely mentions the US-CERT secure portal where properly vetted owners can sometimes access advisories when the vendor publishes the mitigation or patch before the vulnerability is made public. But that is a separate matter, as it appropriately gives system owners the ability to patch their systems before the 0-day is disclosed to the public.

 

Sunday, September 23, 2012

No More ICS-CERT Alerts?


Last week I did a blog posting about an ICS system security report from ICS-CERT about a vulnerability that had been publicly disclosed back in June. I noted in that post that such a public disclosure would normally have been expected to be reported shortly after the disclosure as an alert. It wasn’t done in this case, nor was a second system vulnerability that was included in the same public disclosure mentioned by DHS.

A while back (I’m not sure exactly when, as I didn’t pay too much attention) ICS-CERT changed their vulnerability notification process page. They added the following notice:

“UPDATE! In cases where a vendor is unresponsive, or will not establish a reasonable timeframe for remediation, ICS-CERT may disclose vulnerabilities 45 days after the initial contact is made, regardless of the existence or availability of patches or workarounds from affected vendors.”

Reading over the remainder of the page I don’t see any mention of alerts vs advisories; truth be told though, I don’t know if there ever was such a mention on the page. A close reading of the page does seem to indicate that ICS-CERT intends to give all vulnerability disclosures, coordinated and otherwise, at least 45 days for the vendor to convince ICS-CERT that they are working hard on fixing the problem.

Now this seems to track with the time frame on the Reid Wightman disclosure that formed the basis for the ORing Industrial Networking advisory and would explain why the other vendor mentioned in Reid’s post on DigitalBond.com did not have an advisory published for their nearly identical vulnerability; the second vendor convinced ICS-CERT that they were working on a mitigation/patch strategy.

A single data point, however, doesn’t make for good analysis. Trying to figure out where I could get additional data points, I decided to go to Luigi’s web site since he is such a prolific vulnerability discloser. Sure enough, since June 1st Luigi has posted five disclosures on his web site that have yet to make it to the ICS-CERT site. They include:

• SpecView – Web server directory traversal - http://aluigi.org/adv/specview_1-adv.txt

• PowerNet Twin Client – Stack buffer overflow (DOS) - http://aluigi.org/adv/powernet_1-adv.txt

• Sielco Sistemi Winlog – Multiple vulnerabilities - http://aluigi.org/adv/winlog_2-adv.txt

• Pro-face Pro-Server – Multiple vulnerabilities - http://aluigi.org/adv/proservrex_1-adv.txt

Now we all know that the fine folks at ICS-CERT follow Luigi fairly closely. They have publicized all of his uncoordinated disclosures in the past; usually within a day of their being posted on his web site. It is too much to think that they have stopped following Luigi now, so it looks like the days of alerts are over.

In one way it seems like a good thing to treat researchers the same whether or not they coordinate their disclosures. It does, however, put users at a disadvantage. The earlier ICS-CERT policy ensured that there was one point that the average owner/operator could monitor for word when there was an uncoordinated disclosure of a vulnerability. This allowed them to take at least some precautions to protect their systems while the vendor was working on a patch to correct the problem.

Without the early warnings provided by ICS-CERT Alerts owners are put at a distinct disadvantage. Black hats certainly share the information found in these public posts, particularly the proof-of-concept exploits that typically accompany the publication of the vulnerabilities (they certainly do for Luigi’s vulnerabilities).

So the bad boys get to have a 45 day head start on owner operators; essentially a 45-day 0-day exploit. Oh, and it’s not just the one researcher or organization that has the 0-day, it’s everyone that has access to the researcher’s site. Maybe the folks at ICS-CERT need to re-examine their new policy.

CG Authorization Passes in Senate


On Friday the Senate took up HR 2838, renamed it the ‘Coast Guard Authorization Act of 2012’ and changed almost every provision of the bill, including increasing the authorized funding and manpower for the Coast Guard. This was one of a large number of bills that were passed by unanimous consent without debate. HR 2838 had to be discharged from committee consideration (again by unanimous consent) to be brought to the floor for this ‘vote’.

As was to be expected the language adopted by the Senate is more closely related to S 1665, the Senate version of the authorization bill. Having said that, there were significant changes made to the version of S 1665 that was reported by the Senate Commerce, Science, and Transportation Committee. None of these changes were debated anywhere in the Senate.

Nothing in this new bill addresses anything that deals with chemical transportation safety or security or the Maritime Transportation Security Act. The one provision that came close to addressing those issues (GPS interference) that was included in the House version of the bill is completely missing from this version.

This bill will probably be taken up by conference committee after the election. Post-election politics will have a significant influence on the outcome, if there is one, of that conference.

HJ Res 117 Passes in Senate


On Friday the Senate passed HJ Res 117, the Continuing Appropriations Resolution, 2013, by a mostly partisan vote of 62-30. No amendments were made to the bill in the Senate so it goes to the President who will certainly sign the measure.

This CR will generally increase spending on current programs by 0.612% {§101(c)} and will continue funding of the federal government until March 27, 2013 {§106}. Section 137 provides for a separate moderate increase in funding for certain cybersecurity programs in DHS NPPD. Section 139 of the bill specifically provides for the extension of the CFATS program and there are no funding restrictions included that would affect the CFATS program.

Friday, September 21, 2012

PHMSA Publishes Pipeline Safety ICR 30-Day Notice


Today the Pipeline and Hazardous Materials Safety Administration (PHMSA) published a 30-day notice in the Federal Register (77 FR 58616-58622) of their intent to revise certain pipeline safety reporting requirements. This is a follow-up to the earlier 60-day information collection request (ICR) notice and includes responses to the unusual number of public comments on the proposed changes.

Public Comments


Typically ICR notices do not receive much in the way of public comments. This proposal, however, received 12 such comments. Copies of the public comments can be reviewed on the Federal eRulemaking Portal (www.Regulations.gov; Docket # PHMSA-2012-0024). Commenters included:

• SCANA Corporation;

• Jack Wilson;

• American Gas Association (AGA);

• American Petroleum Institute (API) and American Oil Pipelines Association (AOPL);

• Interstate Natural Gas Association of America (INGAA);

• Texas Pipeline Association;

Of the remaining comments, two were supportive of the INGAA comments and four were supportive of the AGA comments.

The Comments


The individual comments and responses are really too numerous to mention in a blog posting (this does take up 6 pages of the Federal Register). I will list the separate reports covered and the total number of comments received on each:

• Annual Report for Gas Transmission and Gathering Systems – 26

• Gas Transmission Pipeline and Gathering Systems Incident Report – 4

• Hazardous Liquid Pipeline Systems Accident Report – 10

PHMSA agreed with some of the comments and made appropriate revisions on the forms. Some comments they disagreed with, but made clarifying changes to the forms or instructions anyway. And still others they disagreed with and let the forms stand as proposed.

Administrative Change


I noted in my earlier blog post that PHMSA was not requesting an extension of the expiration of the current ICR; just revising the forms. That statement can be found at. That may have changed; the new wording is not as clear as that in the original notice.

The original notice said:

“PHMSA is only requesting approval of the information collection changes addressed in this notice. The information collection for hazardous liquid accident reports (OMB control number 2137-0047) is scheduled to expire December 31, 2013, and the information collection that covers gas transmission annual reports and incident reports (OMB control number 2137-0522) is scheduled to expire January 31, 2014. In 2013 [emphasis added], PHMSA will solicit comments on all aspects of these information collections, including the forms, in accordance with the standard PRA renewal process.” (77 FR 22389).

This notice states:

“The following information is provided for each revised information collection: (1) Title of the information collection; (2) OMB control number; (3) Type of request; (4) Abstract of the information collection activity; (5) Description of affected public; (6) Estimate of total annual reporting and recordkeeping burden; and (7) Frequency of collection. PHMSA will request a three-year term of approval for each information collection activity. PHMSA is only focusing on the revisions detailed in this notice and will request revisions to the following information collection activities.” (77 FR 58622)

This will be made clearer when the actual request is made to OMB, but that may be too late for any additional comments on the general renewal of the ICR to be made.

Public Comments


Public comments on the revisions (or non-revisions) can be submitted to the Office of Management and Budget (OMB). Comments may be submitted by email (OIRA_Submission@omb.eop.gov) and must be submitted by October 22nd, 2012.

Second Procedural Vote on HJ Res 117


Yesterday the Senate cleared one more hurdle on the way to an actual vote on HJ Res 117, the Continuing Appropriations Resolution, 2013, by a somewhat bipartisan vote of 67-31. This should mean that there will be an actual vote today on the measure, but there is an interesting election year fight going on in the Senate that might delay a vote (and the subsequent election adjournment) through the weekend.

Again, this is important to the chemical security community because the CR includes a six month extension of the CFATS program and slightly increases the funding for that program (and essentially the whole government) during that period.

Thursday, September 20, 2012

HJ Res 117 Procedural Vote


Yesterday the Senate agreed to a cloture motion to allow consideration of HJ Res 117, the Continuing Appropriations Resolution, 2013. This procedural vote clears the last hurdle in allowing the Senate to vote on this measure, probably today. The vote of 76-22 in favor of cloture is a pretty sure sign that the measure will pass.

Just a reminder that passage of this continuing resolution will continue the CFATS program through at least March 27th, 2013 with a slightly increased rate of funding.

ICS-CERT Publishes 2 Advisories and Roadmap


Yesterday DHS ICS-CERT published two advisories for control system vulnerabilities and the “Roadmap to Secure Control Systems in the Transportation Sector”. The advisories deal with another self-reported Siemens problem and a new ‘we-don’t-see-it’ vulnerability, this time in the ORing Industrial DIN-Rail Device Server 5042/5042+ systems.

The Roadmap


Last year the DHS CSSP and the DOT John A. Volpe National Transportation Systems Center joined together to sponsor the Transportation Roadmap Working Group to develop a roadmap for cybersecurity of control systems in the Transportation Sector. The group consisted of representatives from a variety of transportation-related government agencies and private sector organizations.

This is a 56-page document and will take some digesting before I can provide any real analysis of its usefulness, but I will quote here from the foreword to provide the Working Group’s perspective on what this document is supposed to be.

“The Roadmap to Secure Control Systems in the Transportation Sector (Transportation Roadmap) describes a plan for voluntarily improving industrial control systems (ICSs) cybersecurity across all transportation modes: aviation, highway, maritime, pipeline, and surface transportation. This Transportation Roadmap provides an opportunity for transportation industry experts to offer input concerning the state of control systems cybersecurity and to communicate recommended strategies for improvement. This Transportation Roadmap brings together transportation stakeholders from all modes, including government agencies and asset owners and operators, by offering a common set of cybersecurity goals and objectives, with associated metrics and milestones for measuring performance and improvement over a ten-year period.”

Interestingly, only six of the eighteen members of the working group come from the private sector: two reps from one shipping line, one industry group (public transportation), an aircraft manufacturer (well, ‘formerly’ from Boeing) and representatives from the two transportation-related Information Sharing and Analysis Centers (ISACs). The three non-federal government agencies all come from California and two of those from Los Angeles. At first glance this hardly seems to represent ‘all transportation modes’.

Siemens Vulnerability


The Siemens advisory concerns the latest in a number of self-reported control system vulnerabilities. This one deals with an insecure HTTPS certificate storage vulnerability in Siemens’ S7-1200 PLC. A moderately skilled attacker can obtain the private key for the HTTPS certificate authority for the PLC and use it to create a forged certificate to conduct a man-in-the-middle attack on the browser communicating with the PLC.

Since the PLC also has a properly protected private key used to dynamically generate its own certificate, the recommended mitigation is to (pg 2) “uninstall the CA signing keys from the Web browser’s certificate store” FOR EACH PLC (sorry for yelling, but are you kidding me? How many PLCs does your system use?). Oh yes, then you have to (pg 3) “manually confirm the identity of the PLC and accept its certificate via the browser” FOR EACH PLC.

Okay, kudos again to Siemens for self-reporting this, but this was really poor design. Damned if this isn’t going to be a major headache for systems engineers.

NOTE: The Siemens-CERT notes that this vulnerability was discovered by ‘a researcher’. Naming that researcher might have encouraged other researchers to contact Siemens with future vulnerabilities rather than publicly disclosing them.
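The per-PLC acceptance step the advisory recommends is, in effect, trust-on-first-use pinning of each PLC’s own certificate once the shared CA is no longer trusted. The following added example (mine, not Siemens, Siemens-CERT or ICS-CERT code) models that step as a pin store an HMI or proxy can consult: a PLC is blocked until an operator confirms its fingerprint out of band, the confirmed pins can be exported once and loaded on every other HMI rather than accepted browser by browser, and a certificate that later differs from the pin is reported as a mismatch instead of being trusted. The PLC addresses and certificate bytes are constructed placeholders, not real devices or real DER.

```python
"""Trust-on-first-use (TOFU) pinning of per-PLC web certificates.

Added example for this post; not Siemens, Siemens-CERT or ICS-CERT code.
Device addresses and certificate bytes are constructed placeholders.
"""
import hashlib
import json

# Decision values returned by PinStore.check()
UNKNOWN = "UNKNOWN"      # first contact, operator has not confirmed this PLC yet
PINNED = "PINNED"        # first contact, operator confirmed: fingerprint recorded
MATCH = "MATCH"          # presented certificate equals the pinned one
MISMATCH = "MISMATCH"    # presented certificate differs from the pin: do not connect


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER certificate: the value an operator compares out of band."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Maps a PLC address to the fingerprint of the certificate it may present."""

    def __init__(self, pins=None):
        self._pins = dict(pins or {})

    def check(self, address: str, cert_der: bytes, operator_confirmed: bool = False) -> str:
        fp = fingerprint(cert_der)
        known = self._pins.get(address)
        if known is None:
            if not operator_confirmed:
                return UNKNOWN          # no pin is recorded until a human confirms
            self._pins[address] = fp
            return PINNED
        return MATCH if known == fp else MISMATCH

    def to_json(self) -> str:
        """Serialise pins so one confirmed set can be pushed to every HMI."""
        return json.dumps(self._pins, sort_keys=True)

    @classmethod
    def from_json(cls, text: str) -> "PinStore":
        return cls(json.loads(text))


# Constructed stand-ins for two PLC certificates and a forged replacement.
PLC_A_CERT = b"constructed-der-placeholder-plc-192.0.2.10"
PLC_B_CERT = b"constructed-der-placeholder-plc-192.0.2.11"
FORGED_CERT = b"constructed-der-placeholder-forged-certificate"


def commissioning_walkthrough():
    """Decisions produced while commissioning two PLCs, distributing the pins
    to a second HMI, and later seeing one PLC present a different certificate."""
    store = PinStore()
    decisions = [
        store.check("192.0.2.10", PLC_A_CERT),                            # UNKNOWN
        store.check("192.0.2.10", PLC_A_CERT, operator_confirmed=True),   # PINNED
        store.check("192.0.2.11", PLC_B_CERT, operator_confirmed=True),   # PINNED
    ]
    second_hmi = PinStore.from_json(store.to_json())
    decisions.append(second_hmi.check("192.0.2.10", PLC_A_CERT))         # MATCH
    decisions.append(second_hmi.check("192.0.2.10", FORGED_CERT))        # MISMATCH
    return decisions


if __name__ == "__main__":
    for step, decision in enumerate(commissioning_walkthrough(), 1):
        print(step, decision)
```

The point of the exported pin file is operational: the out-of-band confirmation happens once per PLC during commissioning, and every other workstation inherits the result, which is the scalable form of the “manually confirm ... FOR EACH PLC” instruction.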

Slam Another Uncooperative Vendor


ICS-CERT takes on another uncooperative vendor; this time ORing Industrial Networking is labeled as an ‘unresponsive’ vendor over a reported vulnerability in its DIN-Rail Device Server. Reid Wightman reported (NOTE: ICS-CERT did publish this link in the advisory - kudos) the hard-coded credential vulnerability.

I am kind of confused though. Reid’s post on DigitalBond.com is dated June 13th (and addresses two different devices from two different manufacturers). Typically this should have resulted in an alert (or two) about the publicly identified vulnerability and this advisory should be the follow-up to that document. There was no alert published that I can see.

A relatively unskilled attacker could remotely use the publicly available exploit to gain administrative access to the device. In the absolute best understatement of the year ICS-CERT explains that this “could result in a loss of availability, integrity and confidentiality” (pg 1).

Other vendors please note one last caveat emptor quote from the advisory (pg 3):

“ICS-CERT is not aware of ORing Industrial Networking developing a patch, update, or fix for the affected products. The ORing software update Web site does not indicate that a new version of firmware or security patch is available.”

Wednesday, September 19, 2012

2012 CSSS Presentations – CFATS at Educational Institutions


This is another in a series of blog posts about presentations made at the recent 2012 Chemical Sector Security Summit. The first in the series dealt with the problems associated with the presentations in general. The subsequent posts will deal with the information provided in the slide presentations. The published presentations only provide the outline; I’ll try to fill in what information I can from other sources or my best guesses.

This post will look at the application of the CFATS program at educational institutions. The presentation was made by Brad Huntsman of ISCD. Since the first draft of the CFATS regulations DHS has made it clear that they expected that there would be portions of educational facilities that would fall under the CFATS definition of a high-risk chemical facility, including laboratories and physical plant operations. This brief presentation looks at how many such facilities actually made it onto the current list of high-risk chemical facilities regulated under CFATS.

Coverage


The CFATS regulations require any facility that has had in the last 60 days an inventory of any of the 300+ DHS chemicals of interest (COI; Appendix A, 6 CFR Part 27) in excess of the listed screening threshold quantity (STQ) to submit a Top Screen to provide DHS with the initial information needed to determine if the facility could potentially be regulated under the CFATS program. Slide #3 of the presentation notes that the following areas of educational facilities could be affected by this Top Screen submission requirement (Note: This is not an exhaustive list):

• Chemistry labs;
• Research facilities;
• Field houses;
• Pool complexes; and
• Agricultural, medical, and other campus facilities

Slide #4 provides the following data on the number of Top Screen submissions and subsequent status under the CFATS rules:

• 324 Top Screen submissions;
• 60 Regulated high-risk chemical facilities; and
• 8 Pending final status determination.

After each potentially regulated facility submits a subsequent Security Vulnerability Assessment (SVA), ISCD makes a final determination if the facility is a covered facility and places it into one of four risk tiers ranking its potential risk for terrorist attack; Tier 1 is the highest tier ranking. Slide #4 also provides data on the tier rankings of the 60 regulated educational facilities:

• 1 Tier 1 facility;
• 17 Tier 2 facilities;
• 6 Tier 3 facilities; and
• 36 Tier 4 facilities.

There is nothing in the presentation that explains why there is a Tier 1 facility on this list, but I would suspect that it is due to the presence of a large amount of a toxic inhalation hazard chemical (probably chlorine or anhydrous ammonia) at a campus support facility, though it could be due to the presence of relatively small amounts of actual chemical weapons grade materials at a research lab. The Tier 4 facilities are probably due to the significant presence of theft-diversion chemicals in campus labs or research facilities; these would be chemicals that could be used to make improvised explosives or chemical weapons.

Defining Covered Facilities


The fact that an educational institution is regulated under CFATS does not mean that the entire facility is placed under strict security controls. It would be patently untenable for an entire college or university to be placed under the type of security measures necessary to comply with the Risk-Based Performance Standards for high-risk chemical facilities.

Like all chemical facilities, these schools have the option of deciding just what portion of their campus will be included in the boundaries of the reported facility. In fact, the 60 CFATS covered facilities are located at only 45 different schools. This means that some number of schools have multiple covered facilities within their campus.

Educational Security Measures?


It does not appear that Mr. Huntsman provided any information about how the Department expected these facilities to go about adequately securing their facilities. The presentation includes a generic page that deals with “CFATS Outreach to Colleges and Universities”, but it provides no real information other than mentioning “DHS has created outreach materials” for such institutions (a tri-fold brochure that can be accessed on the CFATS Knowledge Center web page; sorry, no permanent link is available; go to ‘page 2’ of the Documentation section at the bottom left of the page).

Because of the problems that ISCD is having with their Site Security Plan approval process, I would suspect that, other than the one Tier 1 facility, they have not given a lot of thought to the process of how schools should go about securing their high-risk chemical facilities.

ICS-CERT Publishes Another Web Browser Advisory


Yesterday the DHS ICS-CERT published another web browser (no, not IE9) advisory, this time for Fultek WinTR (a Turkish web-based SCADA system). The directory traversal vulnerability was reported by Daiki Fukumori of Cyber Defense Institute. Fultek has not verified the vulnerability (ICS-CERT has) and has not offered any mitigations (since they don’t have a problem, why should they fix it?).

The Vulnerability


This is an increasingly common (read: it is being increasingly reported) vulnerability (CVE-2012-3011) in SCADA/ICS web browsers. The web server does not adequately sanitize user inputs, allowing relatively unskilled attackers to retrieve arbitrary files from the server. There is nothing in this advisory that describes the limits of what files could be retrieved.
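For readers who maintain a web front end of their own, the following added example (mine, not Fultek or ICS-CERT code) shows what “adequately sanitize” has to mean for a file path: fully percent-decode the request (so a doubly encoded `..` cannot slip past one decoding pass), reject embedded NUL bytes, fold backslashes to forward slashes, treat every path as relative to the document root, normalise it, and only then test whether the canonical result still lies under the root. The same check is then run over a few constructed access-log lines to flag requests that would have escaped the root, which is the detection side of the same problem. The document root, file names and log lines are constructed for the example and are not from the advisory.

```python
"""Hardened path resolution for a web-based SCADA front end, plus a log check.

Added example; not Fultek WinTR or ICS-CERT code. The document root, file
names and access-log lines are constructed for illustration.
"""
import posixpath
import re
from urllib.parse import unquote

# Assumed document root for the example (constructed, not a real product path)
WEB_ROOT = "/srv/scada/www"


class TraversalError(ValueError):
    """Raised when a client-supplied path would escape the document root."""


def resolve_under_root(requested, root=WEB_ROOT, max_decode_rounds=3):
    """Map a client-supplied URL path onto a file path under root, or raise."""
    if "\x00" in requested:
        raise TraversalError("NUL byte in path")
    # Decode until stable so %252e%252e cannot survive a single unquote().
    decoded = requested
    for _ in range(max_decode_rounds):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    else:
        raise TraversalError("path still changing after %d decode rounds" % max_decode_rounds)
    if "\x00" in decoded:
        raise TraversalError("NUL byte after decoding")
    decoded = decoded.replace("\\", "/")        # Windows-style separators
    relative = decoded.lstrip("/")              # every request is root-relative
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, relative))
    # The only check that matters: the canonical result must stay under root.
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        raise TraversalError("resolves outside document root: %s" % candidate)
    return candidate


def is_safe_path(requested, root=WEB_ROOT):
    """True if the request maps to a file under root, False if it would escape."""
    try:
        resolve_under_root(requested, root)
        return True
    except TraversalError:
        return False


# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2012:09:12:01 +0300] "GET /trends/tank1.htm HTTP/1.1" 200 5120
10.0.0.9 - - [18/Sep/2012:09:12:07 +0300] "GET /../../../etc/passwd HTTP/1.1" 200 1842
10.0.0.9 - - [18/Sep/2012:09:12:09 +0300] "GET /%2e%2e/%2e%2e/windows/win.ini HTTP/1.1" 200 403
10.0.0.5 - - [18/Sep/2012:09:13:00 +0300] "GET /reports/../index.htm HTTP/1.1" 200 2210
10.0.0.9 - - [18/Sep/2012:09:13:15 +0300] "GET /..%5c..%5cboot.ini HTTP/1.1" 404 210
"""

_REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def find_traversal_attempts(log_text, root=WEB_ROOT):
    """Return (client_ip, raw_path) for each logged request that would escape root."""
    hits = []
    for line in log_text.splitlines():
        m = _REQUEST_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]   # drop the query string
        if not is_safe_path(path, root):
            hits.append((m.group("ip"), path))
    return hits


if __name__ == "__main__":
    for ip, path in find_traversal_attempts(SAMPLE_LOG):
        print("traversal attempt from %s: %s" % (ip, path))
```

Note that a bare `/etc/passwd` request is accepted here because it is interpreted relative to the root and so resolves to a file inside it; the check rejects escapes from the root, not particular strings, which is why a blacklist of `../` sequences is the wrong tool. Symbolic links under the root are a separate concern this string-level check does not cover; a server that serves from a real filesystem should repeat the prefix test on the resolved real path.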

Denying Vulnerabilities


As far as I can tell this is the first time ICS-CERT has published an advisory for a vulnerability that the vendor has denied exists. There have been alerts and advisories where the researcher blew the whistle on the situation, but not one where ICS-CERT called out the vendor. I think that this is a good move on their part for a number of reasons. First, it makes it easier for ICS-CERT to convince researchers to coordinate their disclosures. Second, and maybe most important in my opinion, it provides a little more pressure on recalcitrant vendors to respond more promptly to fix the vulnerabilities identified.

Kudos to ICS-CERT for publishing this Advisory.

Tuesday, September 18, 2012

Committee Report Filed on WMD Bill


Last week the House Homeland Security Committee submitted its report on HR 2356, the WMD Prevention and Preparedness Act of 2011. None of the information presented in the report deals with the threat of chemical weapon attacks based upon terrorist attacks on chemical facilities that could release huge volumes of toxic inhalation hazard chemicals in or near large metropolitan areas.

Leadership Delays

While there continues to be bipartisan support for this limited WMD legislation, the leadership of the House continues to put roadblocks in the way of the consideration of this bill. First, the Committee leadership took over four months to complete action on its report, guaranteeing that floor action could not take place in the House before the election.

The three other Committees to which this bill was referred {Committees on Energy and Commerce, Transportation and Infrastructure, Foreign Affairs, and Intelligence (Permanent Select)} have not taken action on the bill. The House leadership extended their deadlines to consider the bill until November 30th, 2012. If that were not enough to ensure that no action will be taken on this bill during this session, an additional Committee (House Committee on Science, Space, and Technology) was added to the list of Committees to which the bill was referred.

Ignores Industrial Chemical Weapons

I have long maintained that this bill spends too much time concentrating on potential bioweapons, weapons that have as yet not been employed by nation-states, much less terrorists. These potential weapons should certainly be addressed, but ignoring the much easier to employ class of WMD, industrial chemicals, makes little or no sense.

While the CFATS program does address security at a fraction of the potential facilities holding large quantities of industrial chemicals that could be used as improvised chemical munitions, a large number of such facilities have been exempted from the strict security standards of that program. More importantly, however, the CFATS program ignores the emergency response and post-incident clean-up requirements that are addressed in this bill for potential bioweapons.

Perhaps the 113th Congress will be able to more appropriately address the potential problems of the whole range of potential weapons of mass destruction and prioritize the efforts of that program based upon the likelihood of the employment of the various types of weapons.

And Another Thing About OIP


Joel Langill made an important point last week in a tweet about my original OIP personnel problem post. He said that these problems were “not good in light of potential exec order!” Since NPPD would presumably be the DHS agency that would be responsible for any program set forth in a cybersecurity executive order, these problems might be expected to crop up in the responsible agency. We certainly don’t want the cybersecurity jobs to be “given to those in favor with senior IP leadership without regard to process or to qualifications”.

So, Secretary Napolitano, please tell us that the DHS agency given responsibility for carrying out the President’s CSEO will be staffed by professionals who will be chosen based upon their experience and ability, not on who they know. And don’t say ‘of course’; your agency does not have a very good track record.

Follow-up on OIP Personnel Problems


A little over a week ago I did a post on some personnel issues in NPPD’s Office of Infrastructure Protection that were identified to me in a copy of an email sent to the DHS IG. As one would expect I have had problems finding someone in DHS that would talk with me about these issues on the record. Even off the record no one wants to provide any details about the alleged improprieties in OIP.

I have, however, been told by a former senior staffer from Infrastructure Protection that these types of allegations are not new. That former staffer notes:

“Jobs are given to those in favor with senior IP leadership without regard to process or to qualifications. Many if not most of the difficulties with IP programs can be traced to unqualified managers and distraught employees whose morale has been shattered by these shenanigans.”

Apparently formal complaints to the Office of the Chief Human Capital Officer of DHS go back at least 5 years. Supposedly there have been numerous specific complaints to the DHS Inspector General that have gone nowhere. Complaints have even been made to members of Congress with no apparent results. Everyone seems to want to sweep the problems under the rug.

We saw last week in a Congressional oversight hearing that Congress pays little or no attention to the root cause of the problems at CFATS. It seems to me that these types of personnel issues are a sign of the underlying problem with the CFATS program and other programs being run by the Office of Infrastructure Protection.

Someone needs to start asking some hard questions of the management of NPPD. Congress will have another chance to redeem itself in its oversight responsibility on Thursday when the Homeland Security Subcommittee of the House Appropriations Committee has Deputy Undersecretary Spaulding before it in a resumption of its CFATS hearing. Maybe they will take the opportunity to ask some hard questions about the personnel issues that have led to the problems at ISCD.

Update on Judiciary Committee Hearing


The Senate Judiciary Committee updated its web site today on the threat hearing that I mentioned in an earlier blog. The updated information includes the witness list for the hearing and a change in the location. Somehow I got the date for the hearing wrong in my earlier blog; it will be held on Wednesday instead of the earlier reported Thursday.

Witnesses


There will be two witness panels for this hearing and neither of them has much in common with the Homeland Security Committee’s panel. The first panel will be government witnesses, including:

• Scott McAllister, Deputy Under Secretary State & Local Program Office, DHS;
• Roy L. Austin, Jr., Deputy Assistant Attorney General Civil Rights Division, DOJ; and
• Michael A. Clancy, Deputy Assistant Director Counterterrorism Division, FBI.

The public panel consists of:

• Harpreet Singh Saini, Oak Creek, WI;
• Daryl Johnson, Founder & Owner, DT Analytics, LLC; and
• James B. Jacobs, New York University School of Law.

Hate Crimes


This hearing will be more focused on hate crimes than terrorism threats. These can still serve as the basis for attacks on high-risk chemical facilities if the perpetrator can find some link, even if only in his mind, between his hate and the facility. Facility security managers may still find some bits of intel here worth the price of admission.

Monday, September 17, 2012

2012 CSSS Presentations – CFATS Personnel Surety Program


This is another in a series of blog posts about presentations made at the recent 2012 Chemical Sector Security Summit. The first in the series dealt with the problems associated with the presentations in general. The subsequent posts will deal with the information provided in the slide presentations. The published presentations only provide the outline; I’ll try to fill in what information I can from other sources or my best guesses.

Today I will address the presentation made by Matthew Bettridge of DHS ISCD on the CFATS Personnel Surety Program. The PSP is supposed to address the requirement of §27.230(a)(12)(iv) that requires high-risk chemical facilities to include in their personnel surety programs “measures designed to identify people with terrorist ties”. Currently the only federally acceptable way to identify such people is to compare a person’s identity against the Terrorist Screening Database (TSDB) administered by the Transportation Security Administration.

DHS Does Not Grant/Deny CFATS Access


As currently set forth in RBPS #12 and the CFATS regulations, ISCD does not intend to administer a program like the TSA TWIC or HME. There is no regulatory standard for access to CFATS facilities similar to the ones found in those programs. CFATS facility management will be the one to decide what standards must be met in the general background checks to be conducted by the facility. The only regulatory requirement is that the facility must submit information (what information has yet to be established) to ISCD to allow TSA to conduct a check against the TSDB. There is not even a prohibition against a person who is listed on the TSDB as a suspected terrorist being given unaccompanied access to critical areas of a high-risk chemical facility.

Previous Attempt at PSP


The presentation takes two slides to try to clarify the proposed requirements of the PSP that was recently withdrawn from consideration by the Office of Management and Budget (OMB). The OMB must sign off on the program because it collects and processes information supplied by the public, and the OMB is tasked to ensure that such information collection requests are lawful, necessary, and minimally invasive. How much of that previously proposed PSP will be contained in the new program that has yet to be developed remains to be seen.

The New Proposal


Under Secretary Beers recently told a Congressional Sub-committee that the Department will publish the new proposal within 30 days. Given that short time frame (and reasonably that means that the final draft has to be circulating for review within NPPD), it is kind of surprising that there was so little information in this presentation about what ISCD intended to include in their new proposal.

Actually, there was only one new item floated in this presentation (unless Bettridge talked about others that were not in the slide). That was to allow the use of TWIC readers in lieu of submitting personally identifiable information to ISCD/TSA. If this does come about, ISCD will have a TWIC reader ‘rule’ in place before the Coast Guard (I know TSA and CG have already done the hard work, but it will be ironic in any case).

Use of the TWIC


If this clearly authorized use of the TWIC reader is included in the final CFATS PSP, it is going to have its upsides and downsides. Truck drivers with either a TWIC or HME (I think that TWIC readers should recognize HMEs, but I’m not positive; anyone want to chime in here?) will have a delivery edge at CFATS facilities, but it will also increase the number of truck drivers that are going to have to try to get a TWIC (and many won’t be able to because of criminal records) as CFATS security managers begin to require drivers to have TWICs to enter their facility. This is going to put drivers at places away from TWIC Enrollment Centers at even more of a disadvantage.

Facilities wishing to go to the TWIC for their PSP are going to have problems with the same criminal conviction problem that is going to be facing truck drivers. Many owners have been willing to overlook some criminal convictions that TSA will not let slide because they know the worker involved or are willing to take the risk for a variety of reasons. Sliding the whole PSP responsibility to TSA will force a number of people out of the chemical workplace.

Finally, if there is a large-scale move to using TWIC Readers for PSP purposes at CFATS facilities, the need for processing a large number of new applications is going to coincide with a large number of renewals of current TWIC users. This could create the same kind of backlog in the system that we saw in the early days of the initial issuance of the TWIC.

PSP Approval


Unless ISCD requests emergency approval of its new PSP information collection request (ICR), it is going to take at least six months for the approval process to move forward. Here is what I see as an absolute ‘best case’ approval timeline:

• October 11, 2012 – Publish 60-day ICR notice in the Federal Register.

• December 11, 2012 – Close public comment period on 60-day notice.

• January 11, 2013 – Publish 30-day ICR notice in the Federal Register.

• February 11, 2013 – Close public comment period on 30-day notice and submit ICR to OMB.

• March 11, 2013 – OMB gives approval of ICR.

Actually I think that the ‘best case’ is, as usual, unobtainable. Unless there is a very dramatic change in the PSP proposal, there will be extensive public comments on both ICR notices, and responding to those will delay any subsequent work on the ICR. If Romney wins in November, the change in management at DHS will also slow the approval process. Finally, the screwed up budget process will also weigh down all processes in the Executive Branch.

I will be happily surprised if we have an operational PSP in place by this time next year.
 