Thursday, July 31, 2014

ICS-CERT Publishes New Type Crain-Sistrunk Advisory

Today the DHS ICS-CERT published the latest version of the Crain-Sistrunk advisory; a buffer overflow vulnerability in the SUBNET SubSTATION Server 2, Telegyr 8979 Master application. The vulnerability was detected as part of the Automatak Project Robus use of a new fuzzer targeting Telegyr 8979 telecontrol protocol implementations. SUBNET has produced a hotfix for the vulnerability that Crain-Sistrunk have validated as successfully mitigating the vulnerability.

ICS-CERT reports that a moderate to highly skilled attacker could remotely exploit this vulnerability to execute a DoS attack. SUBNET discovered a closely related vulnerability during their investigation of the Crain-Sistrunk report. Both vulnerabilities are addressed by the hotfix.
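For readers who have not watched a protocol fuzzer turn up this class of bug, here is an added example; it is not code from the advisory, SUBNET, or the Automatak project. The frame layout is a hypothetical length-prefixed format, not the Telegyr 8979 wire format, and all names are assumptions. It shows a parser that trusts the declared length field the way a C memcpy would, the bounded version, and a small mutation fuzzer that finds faults in the first and none in the second.

```python
import random

# Constructed frame layout for this example only (not the Telegyr 8979 format):
#   [0x7E start][1-byte declared length][payload][1-byte XOR checksum]
FRAME_START = 0x7E
BUF_SIZE = 64  # fixed receive buffer the parser copies the payload into


class MemoryFault(Exception):
    """Stands in for the crash or corruption a C implementation would suffer."""


class BufferOverflow(MemoryFault):
    pass


class OutOfBoundsRead(MemoryFault):
    pass


def xor_checksum(payload: bytes) -> int:
    result = 0
    for b in payload:
        result ^= b
    return result


def build_frame(payload: bytes) -> bytes:
    """Well-formed frame for the seed corpus."""
    return bytes([FRAME_START, len(payload)]) + payload + bytes([xor_checksum(payload)])


def parse_unchecked(frame: bytes) -> bytes:
    """Vulnerable parser: acts on the declared length alone, like
    memcpy(buf, frame + 2, frame[1]) into a BUF_SIZE stack buffer."""
    if len(frame) < 3 or frame[0] != FRAME_START:
        raise ValueError("not a frame")
    declared = frame[1]
    if declared > BUF_SIZE:
        raise BufferOverflow(f"declared length {declared} > {BUF_SIZE}-byte buffer")
    if 2 + declared > len(frame):
        raise OutOfBoundsRead(f"declared length {declared} > bytes received")
    return frame[2:2 + declared]


def parse_checked(frame: bytes) -> bytes:
    """Hardened parser: declared length must fit the buffer and match the bytes
    actually received, and the checksum must verify, before any copy."""
    if len(frame) < 3 or frame[0] != FRAME_START:
        raise ValueError("not a frame")
    declared = frame[1]
    if declared > BUF_SIZE:
        raise ValueError("declared length exceeds receive buffer")
    if len(frame) != declared + 3:
        raise ValueError("declared length does not match bytes received")
    payload = frame[2:2 + declared]
    if frame[2 + declared] != xor_checksum(payload):
        raise ValueError("bad checksum")
    return payload


def mutate(frame: bytes, rng: random.Random) -> bytes:
    """Three cheap mutators: overwrite a random byte, rewrite the length field,
    or truncate/extend the frame."""
    data = bytearray(frame)
    op = rng.randrange(3)
    if op == 0:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == 1:
        data[1] = rng.randrange(256)
    elif rng.random() < 0.5:
        data = data[:rng.randrange(1, len(data) + 1)]
    else:
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 32)))
    return bytes(data)


def fuzz(parser, iterations=2000, seed=1):
    """Mutation fuzzer: returns the inputs that produced a memory fault.
    Inputs the parser rejects cleanly (ValueError) are not findings."""
    rng = random.Random(seed)
    corpus = [build_frame(b"\x01\x02\x03\x04\x05\x06\x07\x08"), build_frame(b"")]
    faults = []
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        try:
            parser(candidate)
        except ValueError:
            continue
        except MemoryFault:
            faults.append(candidate)
    return faults


if __name__ == "__main__":
    print(f"unchecked parser: {len(fuzz(parse_unchecked))} faulting inputs")
    print(f"checked parser:   {len(fuzz(parse_checked))} faulting inputs")
```

The point of the two parsers is the order of checks: the declared length is attacker-controlled data, so it has to be bounded by the buffer and by the bytes actually on the wire before anything is copied. A real fuzzer against a real implementation watches for crashes and sanitizer reports rather than Python exceptions, but the harness shape (seed corpus, mutators, classify rejects versus faults) is the same.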

NOTE: Since this is a critical infrastructure vulnerability, ICS-CERT published this vulnerability report on the US-CERT Secure Portal on July 15th. If you are associated with electrical distribution network security you just might want to sign up for access to the US-CERT Secure Portal for early notification of future Crain-Sistrunk Telegyr 8979 vulnerability reports.

Tuesday, July 29, 2014

ICS-CERT Publishes Advisory for Innominate Security Routers

This morning the DHS ICS-CERT published an advisory for an information disclosure vulnerability in the Innominate mGuard security routers. The advisory had been previously published on the US-CERT secure portal on July 8th. The vulnerability was originally reported by Applied Risk Research in a coordinated disclosure. Innominate has produced a new firmware version and a firmware patch to mitigate the vulnerability. Applied Risk Research has confirmed that the mitigation is effective.

ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to gather information about network topology, traffic flows, and other connected systems.

Applied Risk Research reports that the vulnerability probably applies to the Phoenix Contact FL mGuard and Hirschmann Eagle mGuard product lines since they share the same firmware codebase. This is not mentioned in the Innominate security bulletin.

S 2519 Introduced – Cybersecurity Operations Center

As I noted earlier Sen. Carper (D,DE) introduced S 2519, the National Cybersecurity and Communications Integration Center (NCCIC) Act of 2014. This bill would add a new section {§210G} to the Homeland Security Act of 2002 formally establishing the existing NCCIC.

The mandate included in this bill is very wide and vaguely written. Two of the subparagraphs describing the functions of the NCCIC directly affect the industrial control system community through the functions of the ICS-CERT, which is part of the NCCIC:

• Sharing cybersecurity threat, vulnerability, impact, and incident information and analysis by and among Federal, State, and local government entities and private sector entities {§210G(a)(3)}; and
• Upon request, providing timely technical assistance to Federal and non-Federal entities with respect to cybersecurity threats and attribution, vulnerability mitigation, and incident response and remediation {§210G(a)(3)}.

Both of these (actually all of the) activities are clearly identified as discretionary:

The provision of assistance or information to, and inclusion in the operations center of, governmental or private entities under this section shall be at the discretion of the Under Secretary appointed under section 103(a)(1)(H) [Under Secretary for NPPD] {§210G(e)}.

The current organization of the NCCIC can be seen here on the NCCIC web site. An interesting side note; the link to this organizational chart provided on the NCCIC landing page is an editing link which leads to one of those nasty ‘Access Denied’ warnings.

This bill was ordered reported by the Senate Homeland Security and Governmental Affairs Committee on the day of its introduction. If this bill makes it to the floor it will certainly be approved, probably under the unanimous consent process in the Senate and under suspension of the rules in the House. It could also find its way into a spending bill. It all depends on the discretion of the leadership of the respective bodies. 

Monday, July 28, 2014

House Passes Four Homeland Security Bills

As I noted this morning the House addressed a number of bills today under suspension of the rules. Four of them were mentioned as being of probable interest to readers of this blog:

HR 2952 - The Critical Infrastructure Research and Development Act;
HR 3107 - The Homeland Security Cybersecurity Boots-on-the-Ground Act;
HR 3202 - The Essential Transportation Worker Identification Credential Assessment Act; and
HR 3696 - The National Cybersecurity and Critical Infrastructure Protection Act.

All four bills, as expected, passed with impressive bipartisan support. Two of the bills (HR 2952 and HR 3696) passed by voice votes. The other two bills passed in recorded votes; HR 3107 (395 to 8) and HR 3202 (400 to 0). Interestingly, HR 3107 was incorporated into HR 3696 before the bill was reported by the Homeland Security Committee.

I suspect the four bills could also garner similar bipartisan support in the Senate. There is a possible problem for HR 3696. This bill is as close as things will get in the near future to being a comprehensive cybersecurity bill. ‘Comprehensive bills’ have been routinely held up by Sen. Reid (D,NV) as the various affected committees in the Senate tried to craft their own bills. I suspect that Reid will do the same for this bill as the leadership tries to craft a deal to pass S 2588, the Cybersecurity Information Sharing Act of 2014. It is not really a competing bill, but Reid seems to figure that he can only pass one significant cybersecurity bill each session.

Congressional Hearings – Week of 7-27-14

This is the start of the last week currently scheduled for the House and Senate to be in Washington until after the Labor Day Weekend. There is only one hearing currently scheduled that is of specific interest to readers of this blog; a Senate markup hearing that looks at a number of interesting bills including CFATS.

Senate Markup Hearing

On Wednesday the Senate Homeland Security and Governmental Affairs Committee will hold a business meeting to cover a wide range of nominations and legislation. Included in the list of bills to be addressed are:

HR 4007, the Chemical Facility Anti-Terrorism Standards Program Authorization and Accountability Act of 2014;
S 2547, the RESPONSE Act of 2014; and
S 2664, a public alert and warning system bill yet to be published.

HR 4007 is, of course, the bill of biggest interest here. The Committee leadership has been talking about writing their own bill since the first of the year, but has failed to reach a consensus on that language. There has been recent talk about Chairman Carper (D,DE) wanting to see language added that would allow Tier 4 facilities to ‘self-certify’ compliance with the site security plan requirements. That amendment would probably be acceptable to the House. Anything more complicated than that might derail passage of this bill.

House Floor

Today the House will consider a number of bills under suspension of rules. Four of them will be of interest to readers of this blog:

HR 2952 - The Critical Infrastructure Research and Development Act;
HR 3107 - The Homeland Security Cybersecurity Boots-on-the-Ground Act;
HR 3202 - The Essential Transportation Worker Identification Credential Assessment Act; and
HR 3696 - The National Cybersecurity and Critical Infrastructure Protection Act.

The House leadership has determined that these bills have enough bipartisan support to ensure their passage with a 2/3 vote. I’m kind of surprised that HR 3696 made that cut considering the number of organizations that still have problems with privacy issues in the bill. We will see if they get surprised on this vote; it does happen periodically.

S 2547 Introduced – RR Emergency Response

As I noted earlier Sen. Heitkamp (D,ND) introduced S 2547, the RESPONSE Act of 2014. The bill would amend 6 USC 318 and establish a new subcommittee of the National Advisory Council, an independent federal advisory committee that provides emergency response and planning advice to the NPPD Deputy Administrator for FEMA. The new subcommittee, the Railroad Emergency Services Preparedness, Operational Needs, and Safety Evaluation (RESPONSE) Subcommittee, would provide recommendations on emergency responder training and resources relating to hazardous materials incidents involving railroads.

The RESPONSE Subcommittee

This is a ‘subcommittee’ in name only as most of its members would not come from the National Advisory Council (NAC). Statutory members would include {§318(d)(2)}:

• NPPD Deputy Administrator for FEMA (Chair);
• Director of the Office of Emergency Communications, DHS;
• NTSB Director for the Office of Railroad, Pipeline and Hazardous Materials Investigations;
• FRA Associate Administrator for Railroad Safety;
• TSA Assistant Administrator for Security Policy and Industry Engagement;
• Coast Guard Assistant Commandant for Response Policy;
• EPA Assistant Administrator for the Office of Solid Waste and Emergency Response;
• PHMSA Associate Administrator for Hazardous Materials Safety;
• FMCSA Chief Safety Officer and Assistant Administrator;

Appropriate members of the NAC would be appointed to the RESPONSE sub-committee as would other personnel from the oil, railroad and communications industries.

RESPONSE Recommendations

The bill would require the RESPONSE Subcommittee to develop recommendations to improve emergency responder training and resource allocation. The following areas are to be specifically addressed {§318(d)(6)}:

• Quality and application of training for local emergency first responders related to rail hazardous materials incidents;
• Effectiveness of funding levels related to training local emergency responders for rail hazardous materials incidents;
• Strategy for integration of commodity flow studies, mapping, and access platforms for local emergency responders;
• The lack of emergency response plans for rail, similar to existing law related to maritime and stationary facility emergency response plans;
• Development of a train incident database;
• Increasing access to relevant, useful, and timely information for the local emergency responder; and
• Determination of the most efficient agencies and offices for the implementation of the Subcommittee’s recommendations.

The problem with this bill is that it brings too many people to the table. Legitimately, the people listed in the bill all have something to contribute; but there are too many folks to effectively get anything done. The tasking probably should have been given to FEMA, who then would have been directed to ‘consult with’ the agencies listed. As it is, the Deputy Administrator for FEMA will have to try to herd all of the cats listed instead of actually trying to solve the problem.

Moving Forward

I suspect that this bill would have no problems passing in the Senate or the House; it is after all another pass-the-buck-to-a-committee bill that effectively costs nothing. The problem will be that this late in the session, it will be difficult for the bill to find its way to the floor for a vote. If it is considered in the Senate before the election (almost certainly after the summer recess at best) it will probably be one of those bills brought to the floor at the end of the day and considered by ‘unanimous consent’. In the House it will be considered on a Monday or Tuesday under ‘suspension of the rules’ provisions. The key to passage will be convincing the leadership to bring it to the floor.

Saturday, July 26, 2014

NIST Increases CSF Usability

This week the National Institute of Standards and Technology (NIST) expanded (somewhat) the usability of the Cybersecurity Framework (CSF) as a management tool. They published the CSF Reference Tool [Zip file containing a Windows® .EXE file; there is an alternative OS X® application version]; “a FileMaker runtime database solution”.

According to the NIST web site:

“The CSF Reference Tool allows the user to browse the Framework Core by functions, categories, subcategories, informative references, search for specific words, and export the current viewed data to various file types, e.g., tab-separated text file, comma-separated text file, XML, etc.”

The tool is designed to make it easier for corporate management to use the CSF as a management tool for the implementation (and tracking the implementation) of the CSF. It makes it easier for the user to search for and extract information from the CSF Core [Excel® download] and to export that data into forms and formats that can be used for various management functions.

My biggest complaint about the CSF Core applies to this tool as well. The references data should include links to the specific areas of the applicable documents or at least to the documents themselves. I understand that there are copyright issues and many of the document owners require users to buy the documents. That and many of the documents are not formatted to be linkable down to the section level.

If NIST had been given a budget for the CSF (which would have meant that Congress get involved instead of it just being based upon an Executive Order) they might have been able to negotiate link access rights from this tool to the various standards involved. Without that capability, the utility of this tool will be limited for most organizations.

OOPS – I just found some other headaches; this file is set up to run from the NIST-CSF.exe from the extracted zip file each time it is opened. It does not automatically set up an icon or even a link on the START page. Even if you pin it to your task bar, you get a ‘Run’ dialog box opening up on your screen before you get to the program. When you exit the program you get another dialog box that shows up informing you that the base program, FileMaker Pro®, ‘has stopped working’. These are software issues that ruin the runability of the program. It is really sad that the programming skills and QA skills are so low at NIST that these types of errors remain in their distributed programs. We were not allowed to have errors like this remain in our college projects twenty years ago.

Friday, July 25, 2014

HR 3202 Reported in House – TWIC Assessment

Last week the House Homeland Security Committee published their report on HR 3202, the Essential Transportation Worker Identification Credential Assessment Act. The bill is now available for consideration by the Whole House and could be considered next week under suspension of the rules.

There has been some fine tuning made to the requirements for the independent report on the efficacy of the TWIC program, though nothing of major significance. It does expand the reporting requirements for the Comptroller General to include reporting on the progress made in implementing the plan developed by DHS.

There is one major change made in the reported bill. The Committee back-tracked on supporting the GAO report recommendation that the current TWIC Reader Rule be delayed until a comprehensive review of the efficacy of the TWIC program is completed. The new version of the bill adds §2(e)(2) that exempts the current rulemaking from any delay caused by this bill. The report explains it this way (pg 8 of the report):

“The Committee has been critical of the Department’s delay in issuing a final rule for the use of card readers at MTSA regulated vessels and facilities and, at this time, the Committee believes that the current card reader rule should move forward. The Committee directs DHS to incorporate the results of this comprehensive assessment into any additional rule making or changes to existing rules.”

One can certainly sympathize with the Committee’s impatience; the TWIC Reader Rule was supposed to be in place years ago. Of course, industry may not be too pleased with this change. The TWIC Readers are going to be expensive to install, use and maintain. If the TWIC program has to undergo major revisions because of the assessment required in this bill, the Readers may not be useful too far into the future. That assumes, of course, that Congress and DHS can act in an expeditious manner to implement any changes recommended by the study.

As I mentioned in an earlier blog post, I expect that this bill will receive substantial bipartisan support when it comes to the floor. With that in mind, I would not be surprised to see it considered early next week under suspension of the rules. That way the House would be done with it before the recess. I think the bill would have a good chance of passing in the Senate in September, even with the electioneering and short schedule.


As I suggested last night, the OMB announced that it had approved the EPA’s request for information concerning potential changes to their Risk Management Program. This is being reported as being a ‘Notice’ not a ‘Pre-rule’ meaning that an advance notice of proposed rulemaking could still be expected to be part of any rulemaking process arising out of this action.

It won’t be until later today that we know whether or not this notice will be published in Monday’s Federal Register, though I fully expect that it will be.

Bills Introduced – 7-24-14

There is just one week left before Congress goes home for their summer recess and we are starting to see a surge in the number of purely political bills introduced. Yesterday there were a total of 52 bills introduced and two of them may be of specific interest to readers of this blog:

S 2656 Latest Title: A bill to provide for the regulation of persistent, bioaccumulative, and toxic chemical substances, and for other purposes. Sponsor: Sen Merkley, Jeff (D,OR)

S 2664 Latest Title: A bill to amend the Homeland Security Act of 2002 to direct the Administrator of the Federal Emergency Management Agency to modernize the integrated public alert and warning system of the United States, and for other purposes. Sponsor: Sen Begich, Mark (D,AK)

Thursday, July 24, 2014

EPA to Publish Chemical Safety RFI

I got an interesting email from the EO 13650 Working Group yesterday giving me advance notice of the EPA’s press release (issued today) about their pending publication of a Request for Information (RFI) for possible revisions to the EPA’s Risk Management Program (RMP). This is part of the Agency’s response to the requirements of the President’s Executive Order on Increasing Chemical Safety and Security (EO 13650).

Now, anyone that has been following the activities of the EO 13650 Working Group has been expecting this RFI. The EPA submitted the document to the OMB for approval back in May. That approval has not yet been announced, though we may see the announcement of that approval tomorrow on the OMB’s Office of Information and Regulatory Affairs web site.

According to today’s press release the RFI has been signed and forwarded to the folks at the Federal Register for official publication. It is not going to be in tomorrow’s Federal Register, so the earliest that it could show up is in the Monday edition (which will be released on-line on Saturday). From the date of publication there will be a 90-day comment period. There will almost certainly be requests to extend that comment period due to the breadth of the information requested.

An unofficial draft of the RFI is available on the EPA web site. The document takes pains to acknowledge that this is not the official document and that there may be minor differences between the draft and the version that will be published in the Federal Register. Still it’s nice to have the draft available so that we can opine on the contents quickly and informatively when it is published.

So I guess it is time to start reading the lengthy (115 pages) document. I’ll probably start reporting on it in detail on Saturday.

ICS-CERT Publishes Two More Advisories

Some weeks it seems that every day there is a new set of advisories from DHS ICS-CERT; this is one of those weeks. Today ICS-CERT published advisories for Siemens WinCC and the Morpho Itemizer. Oh, and they missed listing the Morpho advisory on both the landing page and the Advisories page; they did tweet about it though. When you get busy, mistakes happen unless you have good administrative controls in place.

Siemens Advisory

This advisory is based upon coordinated disclosures from an anonymous researcher and a separate report from Sergey Gordeychik, Alexander Tlyapov, Dmitry Nagibin, and Gleb Gritsai of Positive Technologies. Siemens has prepared an update that is reported to mitigate the multiple vulnerabilities, but there is no indication that the researchers have had a chance to verify the efficacy of the fix.

The vulnerabilities include:

• Forced browsing - CVE-2014-4682 – could allow unauthenticated access to data;
• Session fixation - CVE-2014-4683 – could allow remote privilege escalation;
• Improper privilege management - CVE-2014-4684 – could allow database privilege escalation;
• Permissions, privileges and access control - CVE-2014-4685 – could allow local user to escalate their privileges; and
• Hard-coded cryptographic key - CVE-2014-4686 – could allow privilege escalation.

ICS-CERT reports that a low-to-moderately skilled attacker could remotely (except CVE-2014-4685) exploit these vulnerabilities. Siemens reports that they have produced an update that mitigates the vulnerabilities in WinCC and expect an update for Simatic PCS7 next month. In addition they suggest the following actions be taken until a hard fix can be established:

• Limit the WebNavigator server access to trusted networks/clients only
• Ensure that the WebNavigator clients authenticate themselves against the WebNavigator server (e.g. use client certificates)
• Restrict access to the WinCC database server at port 1433/tcp to trusted entities
• Deactivate all unnecessary OS users on WinCC server
• Run WinCC server and engineering stations within a trusted network, or
• Ensure that the WinCC server and the engineering stations communicate via encrypted channels only (e.g. establish a VPN tunnel).

Morpho Advisory

This advisory looks at a single hard-coded credential vulnerability reported by Billy Rios and Terry McCorkle. ICS-CERT reports that: “Morpho has decided not to address this vulnerability at this time.” Since the Itemizer® 3 is not strictly speaking an industrial control system (it’s an analytical system controller) it could look like this is no big thing. It could, however, have an effect on police investigations that would rely on these pieces of equipment to identify drug and explosives trace evidence. A cyber savvy defense attorney could use this uncorrected vulnerability to cause a judge to question the validity of test data from this machine and potentially reverse a drug or explosives conviction or the use of the evidence in court.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to gain administrative access to the system. Not much you can’t do once you have that access.

NSTAC Meeting to Look at National Cyber Response

Today DHS published a meeting notice in the Federal Register (79 FR 43058-43059) concerning a public teleconference of the President’s National Security Telecommunications Advisory Committee (NSTAC) on August 13th, 2014. Briefing materials for the meeting will be available on the NSTAC web site on August 1st.

The current agenda includes reviews of the status of two on-going NSTAC studies:

• The needs, benefits, and operational efficacy of a national Information and Communications Technology mobilization capability in the face of a cyber-related event of national significance.
• The cybersecurity implications of the Internet of Things as it relates to national security and emergency preparedness.

Interestingly there is nothing in the mobilization capability scoping document that would seem to indicate that NSTAC is considering anything beyond IT type cyber incidents. While this is a telecommunications advisory committee, this still seems to be extremely short sighted.

Public comments on the above topics are being solicited by NSTAC. People wishing to make live comments on the teleconference need to register in advance. Written comments may be submitted via the Federal eRulemaking Portal (Docket # DHS-2014-0032).

OMB Approves PHMSA Tank Car NPRM

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that they had approved the DOT’s Pipeline and Hazardous Materials Safety Administration’s (PHMSA’s) notice of proposed rulemaking (NPRM) for Enhanced Tank Car Standards and Operational Controls for High-Hazard Flammable Trains (RIN: 2137-AE91).

It appears that the focus of this rulemaking has tightened significantly since the ANPRM was published last September. That is not unexpected given the number of high-profile crude oil train accidents in the last year.

Given the rapid review afforded this NPRM in OIRA, I would not be surprised to see this NPRM published in tomorrow’s Federal Register. Interestingly, a Hazardous Material Safety Action Plan on this topic published yesterday by DOT indicated that an advance notice of proposed rulemaking is due to be published as well. The only one that I have seen being submitted to OIRA on related topics is the one submitted last week on oil spill response plans. As of yesterday, OIRA had not taken any action on that ANPRM, though I expect that we will see that sooner rather than later.

Wednesday, July 23, 2014

TSA Abusing SSI Markings?

A hearing that I had ignored as being of no specific interest to readers of this blog became more interesting this afternoon. Tomorrow the House Committee on Oversight and Government Reform will hold a hearing to mark-up a lot of inconsequential (from a chemical security perspective) bills; mainly renaming bills. This afternoon the Committee added a completely unrelated matter to the hearing agenda; a review of a Committee Staff report on “Pseudo-Classification of Executive Branch Documents”.

This report provides a look at a variety of reports about TSA inappropriately using the Sensitive Security Information markings on various documents and videos for purposes unrelated to actual security issues. Glancing through the document I did not see anything that looked to me to be a particularly heinous abuse of power, but there did seem to be instances of improper use of the SSI markings.

If information sharing is to be anywhere near meaningful there will have to be a relatively free flow of information from the government to the governed. While there are legitimate instances where the government can and certainly should withhold sensitive or classified information from public disclosure, the authority to do so should be carefully constrained.

It will be interesting to see how far Chairman Issa (R,CA) pushes this particular investigation.

ICS-CERT Updates Two Advisories

This afternoon the DHS ICS-CERT published two updated advisories for control system vulnerabilities in Sierra Wireless AirLink products and various Siemens products. Both updates seem to be relatively minor changes to the ICS-CERT document. ICS-CERT does not report on the new information from Sierra Wireless, it just provides a link to the information.

Sierra Wireless Update

This advisory was originally published on January 8th, 2014 and has already been updated once. The purpose of today’s update was to include a link (.PDF download link) to an updated security advisory from Sierra Wireless. The earlier Sierra Wireless publication noted that they would investigate “methods to perform secure firmware updates remotely, and will provide information on this method when available”. The latest update (from May 28th; I wonder why it took ICS-CERT so long to update their advisory? I suspect that they were not informed by Sierra Wireless of the new information) provides those “details”:

• “Directly attaching a PC running the firmware update tool to the device via an Ethernet cable; or
• “Connecting to the device via VPN and performing the update over the VPN tunnel.”

I can see why it would take five months to come up with those useful techniques (SARCASM).

There is something even more interesting in the newest version of the Sierra Wireless documents that ICS-CERT missed in their update. To be fair, I also missed it in looking at the January Sierra Wireless document. The ICS-CERT advisory is specifically targeted at the ‘AirLink Raven X EV-DO product’. Sierra Wireless reports that the same vulnerability exists on the ‘Raven X, Raven XE, Raven XT, PinPoint X, PinPoint XT and MP Products’.

The ‘PinPoint’ products are all listed as “Discontinued, Not Supported”; fortunately, the new mitigation measures will work just as well on the older models, so perhaps that is why their vulnerability was not reported by ICS-CERT.

Siemens Vulnerability Update

The new data in this update was not provided by Siemens, but was more likely a response to a Siemens complaint about the wording in the initial advisory that made it seem that there were specific exploits directed at the Siemens products. ICS-CERT wrote in the original advisory (no longer available on-line) that:

“Exploits that target these vulnerabilities are known to be publicly available.”

While there are certainly Heartbleed exploits in play, we haven’t heard anything that would specifically point to their use against the Siemens products listed in this advisory (nor any ‘proof’ that they haven’t).

In any case ICS-CERT revised the wording to read:

“Exploits that target OpenSSL vulnerabilities are publicly available. ICS-CERT is unaware of any OpenSSL exploits that target Siemens’ products specifically.”

They are, of course, not saying that no one (sorry about the double negative but it is important and an appropriate use in this context) has specifically targeted these vulnerabilities in the Siemens products. That would be impossible to prove. We can probably take small comfort in the assumption that they probably would not have made this change if they had any reliable information indicating a possible Heartbleed related compromise of a Siemens system.

BTW: Yesterday’s advisories are now listed on the ICS-CERT landing page.

Tuesday, July 22, 2014

ICS-CERT Obscures Publication of Two Advisories

This afternoon the DHS ICS-CERT published two control system advisories on their web site. For some reason, probably an oversight, they did not list the two advisories on the landing page of their web site. They were reported on TWITTER® (here and here) and are listed on the Advisories page of their web site. The advisories report multiple vulnerabilities in systems from Omron and Honeywell.

Omron Advisory

This advisory describes vulnerabilities reported by Joel Sevilleja Febrer of S2 Grupo in Omron’s NS series HMI terminals. ICS-CERT reports that Omron has produced an update that mitigates the vulnerabilities, but there are no indications that Sevilleja has had the opportunity to verify the efficacy of the effort.

The twin vulnerabilities are:

• Cross-site request forgery - CVE-2014-2369; and
• Cross-site scripting - CVE-2014-2370.

ICS-CERT reports that it would take a moderately to highly skilled attacker to remotely exploit these vulnerabilities. The advisory provides separate links to the new versions of each affected system. Interestingly, I can find no mention of the updated versions or the security issues requiring the update at the links provided.

Honeywell Advisory

This advisory describes vulnerabilities reported by Martin Jartelius of Outpost24 and Juan Francisco Bolivar in the Honeywell Falcon XLWeb controller. ICS-CERT reports that Honeywell has produced an update that deals with both vulnerabilities, but there is no indication that the researchers have been given the opportunity to verify the efficacy of the fix.

The twin vulnerabilities are:

• File accessible to external parties - CVE-2014-2717; and
• Cross-site scripting - CVE-2014-3110.

ICS-CERT reports that a moderately skilled attacker could remotely exploit these vulnerabilities. Honeywell’s report on these vulnerabilities is only available to registered owners.

NOTE: This advisory was previously posted to the US-CERT Secure Portal. Once again, I urge all control system owners, integrators and security researchers to register for access to this portal for valuable advance notice of advisories like this.

Monday, July 21, 2014

ICS-CERT Issues Reluctant Advisory for OleumTech Vulnerabilities

Today the DHS ICS-CERT took the unusual step of publishing an advisory for multiple vulnerabilities that are not acknowledged by the vendor, OleumTech. As a result, no patches or updates appear to be forthcoming as a result of this coordinated disclosure. The disclosures were made by Lucas Apa and Carlos Mario Penagos Hollman of IOActive.

ICS-CERT reports that the vulnerabilities include:

• Improper input validation vulnerability - CVE-2014-2360 – could lead to a DOS attack and arbitrary code execution;
• Key management errors - CVE-2014-2361 – local access could lead to interception of the site security key; and
• Use of cryptographically weak pseudo-random number generator - CVE-2014-2362 – the 4-byte key could be guessed relatively easily.

ICS-CERT notes that an additional vulnerability reported by IOActive, unencrypted data messages, may be considered a user configuration issue since encryption options are available at setup. ICS-CERT reports that OleumTech does not accept the encryption issues as problems since they intended the functions to address authentication issues, not encryption. OleumTech does not address the issues on their web site, so ICS-CERT feels justified in publishing this advisory to alert owners to the vulnerabilities.

Congressional Hearings – Week of 7-20-14

There are just two weeks now before Congress starts their extended summer vacation. There are a number of hearings being held this week, but only one that may be remotely of specific interest to readers of this blog; an intel hearing of sorts.

On Wednesday the House Homeland Security Committee will be holding a hearing on "The Rising Terrorist Threat and the Unfulfilled 9/11 Recommendation." The witness list includes two former commissioners from the National Commission on Terrorist Attacks Upon the United States; Jamie S. Gorelick and Thomas H. Kean Jr. Perhaps one of them will remind the Committee that one of the unaddressed recommendations of the Commission was the reform of Congressional oversight of the Homeland Security Department; political power is still more important than counterterrorism.

The House is going to take another pass (according to the Majority Leader’s web site) at trying to pass HR 5035, the NIST Reauthorization Act of 2014, under suspension of the rules on Tuesday. This had been listed for last week, but was not offered for consideration on the floor. Apparently the leadership thinks that they have the concerns about NIST cooperation with NSA worked out.

Sunday, July 20, 2014

Senate Amends and Passes S 2244 – TRI Reauthorization

On Thursday the Senate took up S 2244, the Terrorism Risk Insurance Program Reauthorization Act of 2014. Three amendments were considered on the floor of the Senate. Two were passed and one failed. The bill then passed by a solid bipartisan vote of 93 to 4.

Failed Amendment

The vote on the Coburn (R,OK) Amendment (SA 3549, CREC S4427) was actually a procedural vote that would have waived the Senate budgetary discipline rules to allow the Secretary of the Treasury to extend the insurance recoupment deadline in the event that the amount exceeded $1 billion in any given calendar year.

That procedural vote failed by a largely partisan vote of 48 to 49; three Democrats voted in the affirmative with the Republicans.

Lacking that waiver a vote on the actual amendment could not be held.

Adopted Amendments

The amendment by Senator Flake (R,AZ) (SA 3551, CREC S 4427-28) would establish a Federal Advisory Committee on Risk Sharing Mechanisms. The Committee would “provide advice, recommendations, and encouragement with respect to the creation and development of the nongovernmental risk-sharing mechanisms” {§8(b)(2)}.

The amendment passed on a vote of 97 to 0.

The final amendment did not, strictly speaking, actually deal with terrorism insurance. Sen. Tester (D,MT) proposed SA 3552 (CREC S 4428-32). It is actually an amendment of 15 USC 6751 et seq, revising the requirements for the National Association of Registered Agents and Brokers. This amendment is essentially the bill that Sen. Tester introduced earlier in the session, S 534. While that bill had been favorably reported by the Committee, it was likely that the bill never would have made it to a floor vote on its own.

The amendment passed on a voice vote.

Moving Forward

Last week there had been a possibility that one of the House introduced bills (HR 4871 was specifically mentioned on the Majority Leader’s web site) would have been voted on. It never happened and there is no mention of that bill, or S 2244, on the schedule for this week. With only one more week before the extended summer recess, it will be interesting to see if the House takes up this bill or passes HR 4871 and then substitutes the language for that in S 2244. Or they could just amend S 2244 or adopt it as is.

In any case, if any changes are made before the summer recess, the bill would be considered by a conference committee and would probably make it through (even during an electioneering season) before the election recess.

Friday, July 18, 2014

OMB Approves PHMSA Lithium Battery Rule

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rule submitted by DOT’s Pipeline and Hazardous Materials Safety Administration concerning the regulation of shipments of lithium batteries.

This has been a very controversial rulemaking as can be seen by the number of meetings (including the latest meeting in May) that OIRA has had with a variety of shippers, manufacturers and advocacy groups since the NPRM was published in 2010.

The OIRA announcement indicated that their approval was ‘consistent with change’ so there could be a slight delay in the issuance of the final rule, but I expect that it will happen sometime next week.

OMB Receives PHMSA Rail Oil Spill Response ANPRM

Yesterday OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received an advance notice of proposed rulemaking from DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) for revisions to requirements for oil spill prevention and response plans for rail transport.

This proposed rulemaking was not included in the latest Unified Agenda published by the Administration so there is no official record of what the proposed rulemaking would address. It would seem to me that a primary focus would be the ending of the current de facto exemption from oil spill and response planning requirements that railroads and crude oil shippers have based upon the amount of oil in a single railcar.

There are a couple of approaches that could be taken. The most sweeping would be to lower the current 42,000-gal minimum requirement {49 CFR 130.31(b)} for a container of oil that would require the preparation and submission of an oil spill prevention and response plan in accordance with §130.31. Or it could establish a minimum number of railcars in a single train that would trigger the requirement. The first would put more of the burden on the shipper for plan preparation and the second would place more of that burden on the railroads.

It will be interesting to see how long this proposed rulemaking remains under review at OIRA.

Thursday, July 17, 2014

ICS-CERT Publishes Three New Advisories

Today the DHS ICS-CERT published three new control system advisories affecting control system products from Advantech, Cogent and Siemens.

Advantech Advisory

This advisory reports on 5 different vulnerabilities in the Advantech WebAccess application. The vulnerabilities were reported by Dave Weinstein, Tom Gallagher, John Leitch, and others via the Zero Day Initiative (ZDI, but not currently listed on their ‘published advisories’ page). ICS-CERT notes that a new version of the application is available that corrects the problems but there is no indication that the reporting researchers have been given a chance to verify the efficacy of the mitigation efforts.

The vulnerabilities include:

• Stack-based buffer overflows (11 separate instances), CVE-2014-2364;
• Remote code execution, CVE-2014-2365;
• Password disclosure, CVE-2014-2366;
• Remote authentication bypass, CVE-2014-2367; and
• Unsafe ActiveX control marked safe for scripting, CVE-2014-2368.

ICS-CERT reports that a moderately skilled attacker could use the publicly available exploits for these vulnerabilities to execute arbitrary code on the system. The advisory notes that the new version 7.2 corrects these deficiencies. The WebAccess site reports that the v7.2 available for download is ‘Trial Software’ and still has v7.1 available for free download without mention of these vulnerabilities.

Cogent Advisory

This advisory reports a code injection vulnerability in the Cogent DataHub application. The vulnerability was reported by John Leitch via ZDI (but again not currently listed there). A new version of DataHub is available that reportedly corrects the vulnerability, but there is no indication that Leitch has had an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could use the publicly available exploit to remotely execute arbitrary code.

In addition to making an updated version available for download, Cogent advises that an owner/operator could mitigate the vulnerability by:

• Disabling the web server component in their Cogent DataHub installation, or
• Configuring their network security to block access to the Cogent DataHub web server from untrusted locations.

Siemens Advisory

This advisory reports four vulnerabilities that relate to the OpenSSL software used by previously unreported Siemens applications. These vulnerabilities were self-reported by Siemens. Upgrades are available for some of the applications and Siemens has provided alternative mitigation measures for the others.

ICS-CERT reports that the four vulnerabilities include:

• A man-in-the-middle vulnerability, CVE-2014-0224; and
• Three separate improper input validation vulnerabilities, CVE-2014-0198, CVE-2010-5298, and CVE-2014-3470.

NOTE: All of these CVEs are existing OpenSSL vulnerability reports.

The Siemens ProductCERT advisory reports that updated versions of APE (2.0.2) and WinCC OA (PVSS) (3.12-P009) are available. Updates for the products listed below are being prepared, but the advisory provides alternative mitigation measures to be used in the interim.

• ROX 1: all versions (only affected if Crossbow is installed)
• ROX 2: all versions (only affected if eLAN or Crossbow is installed)
• S7-1500: all versions
• CP1543-1: all versions

ISCD Publishes CFATS Update – 7-16-14

Yesterday the folks at DHS Infrastructure Security Compliance Division (ISCD) published the latest CFATS Fact Sheet. The information provided shows continued increases in the number of facilities with authorized and approved site security plans and a decrease in the number of facilities currently covered by the CFATS program during the month of June 2014.

The total number of authorized and approved sites continues to show month-to-month improvements as shown by this table.

The daily approval rate continues to show uneven performance on a month-to-month basis, but in many ways that is to be expected since each facility is a unique entity requiring differing amounts of time and chemical security inspector efforts.

The total number of CFATS facilities continues to show a decline, reflecting a mixture of plant closures, inventory reductions and eliminations that allow facilities to be removed from the program coverage.

Wednesday, July 16, 2014

OMB Approves Revised FMCSA Hazmat Permit ICR

The OMB’s Office of Information and Regulatory Affairs (OIRA) announced yesterday that it had approved the revised information collection request (ICR) renewal of the DOT’s Federal Motor Carrier Safety Administration (FMCSA) for their hazardous materials safety permit program. This information collection requires motor carriers to provide estimates of their anticipated annual shipments of hazardous materials (HM), complete application forms, provide shipment estimates, and communication records to the FMCSA.

As I noted in my blog post about the 60-day ICR notice publication, FMCSA more than doubled their estimate of the burden hours associated with this document due to the increased numbers of trucks permitted to handle the hazardous material loads covered under the requirements of 49 USC 5109.

Since the safety permit program referred to in this ICR is a carrier permit program and not a vehicle permit program, FMCSA must estimate the number of vehicles covered under the requirements of this ICR based upon information in the Motor Carrier Management Information System. The previous ICR submission showed an estimate of 15,000 trucks making 280 hazmat shipments per year against this submission’s estimate of 41,500 trucks making 280 hazmat shipments per year. That is almost a three-fold increase in the rate of hazmat shipments in just three years.

There were three public comments (here, here and here) on the 60-day ICR notice that FMCSA responded to in their 30-day ICR notice. One comment was effectively not related to the ICR and the other two addressed the additional burden associated with advanced load tracking techniques that are not required under this program.

Tuesday, July 15, 2014

NTSB Meeting to Release Vinyl Chloride Rail Accident Report

The National Transportation Safety Board published a meeting notice in today’s Federal Register (79 FR 41311-41312) concerning a meeting to be held in Washington, DC on July 29th, 2014 to discuss the report of their investigation into the rail accident in Paulsboro, New Jersey on November 30, 2012 that resulted in a catastrophic release of vinyl chloride.

The meeting will be open to the public and will be webcast.

Bills Introduced – 07-14-14

Twenty-four bills were introduced yesterday and one of those may be of specific interest to readers of this blog:

HR 5099 Latest Title: To amend the National Institute of Standards and Technology Act to remove the National Security Agency from the list of the entities consulted during the development of information systems standards and guidelines. Sponsor: Rep Grayson, Alan (D,FL)

Earlier this morning I reported on the non-consideration of HR 5035; I suspect that this bill may be part of the reason that caused the Republican leadership to withdraw HR 5035 from consideration under suspension of the rules.

As I explained in an earlier post, the sole provision of HR 5035 that addressed the NSA influence issue was no more than a pro forma wrist slap of no real consequence. This bill is probably going to be an over-reaction in the other direction.

It will have little chance of succeeding; Grayson is probably not an influential enough member of the opposition on the House Science, Space and Technology Committee to force this bill onto the Committee’s markup list. Having said that, it did derail the consideration of HR 5035 and may force that bill to a markup hearing where further attention can be focused on the relationships between NIST and NSA.

House Did Not Consider HR 5035

According to the House Floor Summary for today, the House did not consider HR 5035, the NIST reauthorization bill that I described this weekend. It is still listed on the Majority Leader’s web site for consideration on Monday, July 14th so there is no official reason given for why the bill was not addressed today. I suspect that there was enough concern about the NIST-NSA relationship that was not adequately addressed in this bill to make this slightly more controversial than the Leadership was willing to risk on considering the bill under suspension of the rules.

There is an outside chance that the bill could get added to tomorrow’s session. I suspect that, if I am right about why the bill was not considered today, it will be considered next week under a rule with limited amendments.

Monday, July 14, 2014

Congressional Hearings – Week of 6-13-14

The summer congressional recess is fast approaching, and then the electioneering season begins in earnest when they get back to Washington in September. In these last weeks before the recess there are lots of hearings scheduled, but only two (both in the Senate this week) will likely be of specific interest to readers of this blog; both dealing with the FY 2015 DOD spending bill.

FY 2015 DOD Appropriations

There will be two hearings this week on the Senate version of the FY 2015 DOD spending bill. Tuesday the Defense Subcommittee of the Appropriations Committee will mark up the bill and then Thursday the full committee will take their pass at it.

For the last couple of years I have been watching the DOD spending bill for cybersecurity measures. I did not see much in the House bill (HR 4870) this year and I am beginning to think that the spending folks have passed cybersecurity by. We will see how the topic fares in this bill.

House Floor

According to the House Majority Leader’s web site, there is a chance that HR 4871, a TRIA reauthorization bill, will come to the floor of the House on Thursday. That is too late for consideration under suspension of the rules, so we can probably expect to see a Rules Committee hearing on Wednesday if this is going to happen.

There is a chance that a competing Senate bill, S 2244, could also be considered this week. I suspect that both bills will pass in their respective houses. Whichever one gets passed first will be ignored by the other house until just after final passage, when the bill number will be changed to the counterpart legislation. That will send the whole thing to Conference. That would probably mean a TRIA bill going to the President in September.

Saturday, July 12, 2014

HR 5035 Introduced – NIST Authorization

As I mentioned earlier Rep. Bucshon (R,IN) the Chair of the Subcommittee on Research and Technology of the House Science, Space and Technology Committee, introduced HR 5035, the NIST Reauthorization Act of 2014. This is the two-year re-authorization of the National Institute of Standards and Technology.
There is only one place in this bill where cybersecurity activities are specifically addressed. Section 12 of the bill would amend 15 USC 278g-3, the Computer Standards Program. This section of the USC provides for NIST being responsible for setting standards for the security of government computer systems (not including ‘national security systems’) and the information within those systems.

The only change made to this section is the removal of the words “the National Security Agency” from §278g-3(c)(1). This section currently requires the Director to “consult with other agencies and offices (including, but not limited to, the Director of the Office of Management and Budget, the Departments of Defense and Energy, the National Security Agency, the Government Accountability Office, and the Secretary of Homeland Security) to assure” that appropriate information security policies, procedures, and techniques are used by government agencies.

Apparently this revision was put into place because of Snowden revelations that NIST recommended less than adequate encryption standards under recommendations of NSA. If this is the reason, the crafters of this language are taking very limited action against the NSA because the section only applies to the security of government systems and not NIST standards that would be used by the private sector.

Even with government IT security, this amendment to §278g-3 only deals with lower security standards associated with government IT systems not associated with national security systems. Paragraph (b) of the section still requires NIST to coordinate with NSA to establish guidelines “for identifying an information system as a national security system consistent with applicable requirements for national security systems” {§278g-3(b)(3)}.

There are almost certainly other mentions of working with NSA in 15 USC Chapter 7 {for example §278g-4(a)(3)} that could have also been addressed if Congress was serious about severing ties between NIST and NSA. So this amendment is a symbolic congressional wrist slap of the NSA with no real consequences.

Moving Forward

According to the Majority Leader’s web site, HR 5035 will be considered by the House on Monday under suspension of the rules. Barring some unforeseen circumstance, this should mean that the bill will pass with a minimum of fuss and bother, very little debate and no amendments. It is likely to get equally swift and cursory attention in the Senate.

OMB Approves Revised TWIC ICR

Yesterday the OMB’s Office of Information and Regulatory Affairs announced that it had approved the Transportation Security Administration’s (TSA) request for an extension of the Transportation Worker Identification Credential (TWIC) information collection request (ICR) for a period of three years.

Data Issues

The whole ICR process is designed to ensure that the US Government is collecting information on individuals and organizations that it actually needs to fulfill its regulatory obligations and to minimize the burden on citizens and organizations providing the necessary data. While it may be argued that the original purpose has become somewhat quixotic in practice, it does provide for some sort of accounting for the data collection process.

In this case that data collection accounting purpose does not appear to be properly fulfilled, as there is a disconnect between the data provided by TSA and the data published by OIRA. The table below shows the annualized burden data submitted by TSA (Word® download link, pgs 16-17) and the data approved by OIRA.

[Table: Burden Hours, TSA Submission vs. OIRA Approval; the figures were not reproduced in this copy of the post.]

It may be that OIRA was relying on an earlier version of the data submission document in providing their approval numbers, but the TSA document available on the OIRA site for this ICR is certainly in conflict with the data OIRA approved.

CFATS Issues

I noted in an earlier blog post that there had been no comments submitted in response to the 60-day ICR notice. It turns out that there were three comments received on the subsequent 30-day ICR notice; one from the Institute of Makers of Explosives (IME), one from the Lake Carriers’ Association, and one from a private individual.

The comments from IME and the TSA response to that comment may have important implications for the ongoing debate about the use of the TWIC as part of the Chemical Facility Anti-Terrorism Standard (CFATS) program implementation of a personnel surety program (PSP).

The IME has a long history of insisting that facilities covered under the CFATS program ought to be able to use the TWIC program as an integral part of the PSP. While transportation workers with TWICs are supported under the proposed CFATS PSP (though certainly not to the extent requested by IME and other industry commentators), the use of TWICs by chemical employees that are not transportation workers does not appear to be authorized under the current TWIC program {see 49 CFR 1572.17(e)}.

In their ICR comment IME noted that:

“Additional categories of individuals would have to be “authorized by TSA.” We have asked TSA to establish and publish the process by which categories of individuals could petition TSA to be authorized to apply for TWICs. We are anxious to put in place a process to request TSA authorization so that we can petition the agency to allow those required to obtain a threat assessment under the new vetting programs of ISCD an alternative means of compliance.”

The TSA response to the IME comments concluded by saying:

“TSA is sympathetic to IME’s view, but it is constrained by law from authorizing non-transportation workers to pay a fee for the TWIC security threat assessment and credential.”

And since TSA is required to collect a fee from applicants for TWICs that covers the cost of the threat assessment and issuance of the credential, TSA will not be issuing TWIC to non-transportation chemical facility employees.

The House could have corrected this conflict when they approved HR 4007 since that bill clearly deals with the issue of the CFATS PSP, but it failed to address the issue. The Senate still has a chance to address this conflict when they consider HR 4007. The cleanest way to accomplish this would be to amend 46 USC 70105(2) to add:

“(H) an individual allowed unescorted access to a secure area designated in a chemical facility site security plan approved under 6 USC 2101.”

I doubt however that this will be addressed in the Senate. The surest way to stop HR 4007 from passing in this session of the Congress is to open the bill to the amendment process in the Senate. Unless the amendment process was tightly controlled (most appropriately by limiting amendments to within the Senate Homeland Security and Governmental Affairs hearing process) there would be a high likelihood that IST provisions or civil suit enforcement provisions would be added to the bill. It is clear that any such additions would ensure that the bill would not be re-approved in the House.

OMB Receives Draft Vehicle-to-Vehicle Communications ANPRM

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a copy of an advance notice of proposed rulemaking (ANPRM) from the DOT’s National Highway Traffic Safety Administration (NHTSA) establishing a new Federal Motor Vehicle Safety Standard (FMVSS) for vehicle-to-vehicle (V2V) communications.

This rulemaking was not listed in the most recent Unified Agenda so it is difficult to tell what the rule will cover. I would like to think that it would include requirements for cybersecurity standards for such communications.

Friday, July 11, 2014

OMB Approves TSA ICR for Pipeline Security Incident Reporting

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved the renewal of an information collection request (ICR) submitted by the Transportation Security Administration (TSA) supporting that agency’s pipeline security incident information collection activities. The ICR was approved ‘consistent with change’.

As I noted in an earlier blog post about the ICR, TSA revised downward slightly the burden estimate for this ICR. As I suggested in that post, the burden change was based upon “the actual number of incidents reported”.

There is no specific information, however, about what further change was made that OIRA took into consideration when they approved the ICR. What is clear is that the supporting information document that would have been submitted with the ICR renewal request (submitted on 12-27-13) was changed at the last minute; it was re-submitted yesterday according to the OIRA web site. No explanation is provided as to what changes were made to that document and the original version is not available.

Bills Introduced – 07-10-14

Both the House and Senate were in session yesterday and forty-six bills were introduced. Only one will be of specific interest to readers of this blog:

S 2588 Latest Title: An original bill to improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes. Sponsor: Sen Feinstein, Dianne (D,CA)

This bill was marked up in a closed hearing yesterday before it was introduced and has had considerable mention in the various news outlets. An official copy is not yet available through the GPO, but the Senate Select Committee on Intelligence does have a committee draft available on its web site. There is also a committee press release describing the bill and the amendments that were made yesterday.

I have only done a quick scan of this bill and it would affect industrial control systems as the definition of ‘Information System’ specifically “includes industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers” {§2(11)}.

There will be more on this bill at a later date.