Tuesday, March 31, 2015

ICS-CERT Publishes 3 Advisories and an Update

Today the DHS ICS-CERT published three new advisories for control systems from Hospira, Ecava and Inductive Automation and an update for a recently released advisory for Schneider Electric.

Schneider Update

This update is for the Schneider advisory released last week for the InduSoft WebStudio and InTouch Machine applications. The update provides a link to additional information about the vulnerabilities, but it is only available to registered Wonderware customers, external partners or distributors.

Hospira Advisory

This advisory describes multiple vulnerabilities in the Hospira MedNet server software. The vulnerabilities were reported by Billy Rios. Hospira has produced a new version of the software and provided additional mitigation measures, but there is no indication that Billy has been given the opportunity to verify the efficacy of the fix.

The four vulnerabilities are:

∙ Password in configuration file - CVE-2014-5400;
∙ Improper control of generation code - CVE-2014-5401;
∙ Hard-coded cryptographic key - CVE-2014-5403; and
∙ Hard-coded password - CVE-2014-5405

ICS-CERT reports that a relatively low skilled attacker could remotely exploit three of the vulnerabilities; the pass in configuration file vulnerability is locally exploitable.

ICS-CERT explains that the new version of the MedNet server software addresses three of the vulnerabilities. The fourth vulnerability (improper control of generation of code) is found in “the vulnerable version of JBoss Enterprise Application Platform [link added] software, used in the MedNet software”. There is no indication which version of the EAP software is involved. MedNet has issued two reports (Improving Security in Hospira MedNet 5.5 and 5.8) discussing mitigation methods for this vulnerability. They are reportedly available from MedNet technical support.

NOTE: It goes without saying that vendors that use JBoss EAP should contact RedHat for details about this vulnerability. It will be interesting to see how long it is before this shows up in other ICS application advisories.

Ecava Advisory

This advisory describes a DLL loading vulnerability on the Ecava  IntegraXor SCADA Server. The vulnerability was reported by Praveen Darshanam. Ecava has produced a patch that mitigates the vulnerability and Darshanam has verified the efficacy of the patch.

ICS-CERT reports that a social engineering attack is required to get an authorized user to load a compromised DLL. A successful attack could result in the ability to run malicious code at the authorization level of the DLL.

Inductive Automation Advisory

This advisory describes multiple vulnerabilities in the Inductive Automation Ignition software (HMI/SCADA). The vulnerabilities were reported by Evgeny Druzhinin, Alexey Osipov, Ilya Karpov, and Gleb Gritsai of Positive Technologies. Inductive Automation has produced a patch that mitigates the vulnerability but there is no indication that the researchers have been given an opportunity to verify the efficacy of the fix.

The six vulnerabilities are:

∙ Cross-site scripting - CVE-2015-0976;
∙ Information exposure through error message - CVE-2015-0991;
∙ Insecure storage of sensitive information - CVE-2015-0992;
∙ Insufficient session expiration - CVE-2015-0993;
∙ Credentials management - CVE-2015-0994; and
∙ Use of password hash with insufficient computational effort - CVE-2015-0995

ICS-CERT explains that a relatively low skilled attacker can only locally exploit these vulnerabilities, though they earlier report that the vulnerabilities are remotely exploitable (which sounds more reasonable). The advisory does not describe potential consequences, but it would seem that a successful exploit should allow running of arbitrary code.

BNSF and Crude Oil Trains

There is a brief article at ProgressiveRailroading.com about the latest move by BNSF to protect themselves in the crude oil train controversy. It seems that yesterday they sent a letter to their customers outlining the steps that they intend to take to reduce crude oil train derailments. In addition to internal actions like further speed reductions in urban areas they intend to “to transition DOT-111 cars from shale crude service on our railroad within one year”.

While any number of safety and environmental advocacy groups would certainly applaud such action, this appears to be a publicity stunt more than a real action to prevent accidents. As long as PHMSA approves the use of DOT-111 cars for flammable liquid service BNSF is required under their common carrier obligations to accept the use of such cars on their system. While we are still waiting on PHMSA’s final rule on flammable railcars (expected in May) it is unlikely that PHMSA will phase out the use of the DOT-111 cars in less than a year; five years is the more likely time frame.

The big problem is that there are not enough newer railcars available to carry the current load of crude oil from the Bakken oil fields to the refineries located around the country. The older DOT-111 and the slightly safer unmodified CPC-1232 will have to be continued in use until the newer railcars built. And that is going to take three to five years at a minimum.

BASF can encourage shippers to use the newer cars all it wants. It is already facing a law suit in US District Court for adding a $1000 surcharge for each DOT-111 rail car used to ship crude oil. It will be interesting to see what kind of backlash will result from this newest attempt. The oil industry’s basic reply will be stop the derailments and the fires will stop.

The Next CFATS Update

Here it is the last day of March already and I expect that we will be seeing the next CFATS update publication from the good folks at the Infrastructure Security Compliance Division (ISCD) in the next week. I have been reporting on these updates since they were first published almost two years ago. What I would like to do today is put in my request for what I think should be included.

First off I want to say that ISCD is to be congratulated on making the effort to share this valuable information with the regulated community. They are under no legal obligation to do so which makes this doubly impressive. Please keep them coming.

Having said that, even good things can be improved. Let’s start with the data; there are two types of data that should be included in the monthly report:

Compliance inspections – With over half of the facilities now having authorized site security plans and having started the compliance inspection process on those facilities that have had approved site security plans for over a year, it is time for ISCD to start providing statistics on compliance inspections; the number of compliance inspections completed, the number of compliance inspections passed.

Facilities no longer covered by CFATS – ISCD has been reporting a declining number of facilities covered by the CFATS program and this is probably a good thing. It would be nice however to know more about how that is happening. ISCD could report the number of facilities that have gone out of business, the number that have reduced inventories to below the Screening Threshold Quantities and the number that have removed the DHS chemicals of interest from the facility.

Starting sometime in the near future ISCD is going to have to start talking about its implementation plan for the new CFATS requirements imposed by the passage of HR 4007 last year. The deadline for the publication of the expedited facility security plan certification process is fast approaching for example. It would be nice if ISCD were to explain its plan for implementing that process.

The current (dead in the water) proposal for the personnel surety program was finally killed by the provisions of HR 4007. It would be helpful if ISCD publicly acknowledged that and withdrew the current information collection request. A brief description of the plan for implementing the HR 4007 personnel surety requirements would also be helpful.

ISCD has tried to establish a reputation for communication with the regulated community. The CFATS Update is one good example of that effort. Expanding that effort to cover the implementation of the HR 4007 requirements would be very helpful.

Monday, March 30, 2015

Ammonia Control System Incident

Last week the Chemical Safety Board posted a safety video about hydraulic shock in an ammonia refrigeration system. On Saturday Jake Brodsky posted a very interesting comment about that video over on the SCADESEC mailing list. He noted that part of the cause of the accident as reported by CSB was a control system issue; he suggests in this short comment that this industrial control system (ICS) issue could be used as a method for attacking this type of cooling system.


I will not try to go into a detailed discussion about how this control system works. The CSB did a great job is describing the system in their report on the report on the Millard Refrigeration Services accident that happened on August 23rd, 2010. I’ll just do a very quick summary here.

Anhydrous ammonia refrigeration systems use circulate liquid ammonia into the heat exchangers inside of the refrigerator/freezer (Reefer) box. As the liquid circulates it picks up heat and turns into a gas (boils). The gas then goes through a condenser and is returned to the liquid state to repeat the process.

Water vapor in the air in the Reefer box condenses on the outside of the heat exchanger (frost) which acts as an insulator and adversely impacts the efficiency of the refrigeration system. Periodically the cooling system is shut down and hot gas is circulated through the heat exchanger to melt the frost. The line is then drained, cleared and then refilled with liquid anhydrous ammonia.

It is very important that the process of draining, clearing and refilling the lines is done properly, otherwise you get the hydraulic shock action that can break open the piping and cause a large anhydrous ammonia release. The Millard release was about 32,000 pounds of anhydrous ammonia that injured almost 150 people out in the open a ¼ mile away.

The Incident

According to the CSB report there had been a 7 hour power outage at the facility. When power was restored there were a number of alarms on the control system letting the operators know what was going on. Presumably because the alarms were obnoxious, someone (not a trained operator) turned them off without noting the problems being reported. One of the problems was there was still hot gas in one of the cooling systems.

With the operators not knowing that there was hot gas still in the system they restarted the filling process without having gone through the required draining and clearing process. The result was a large hydraulic shock to the system that broke a 12” ammonia line. (Again it is a tad more involved than that; see the report for two pages of details).

A Cyber Attack

THIS WAS NOT A CYBER ATTACK. But, a cyber-attack probably could have been designed to accomplish what happened here. Now a lot of the details are going to depend on exactly what type of control system is used in the facility so there is no way to provide a detailed outline of an attack scenario (and I wouldn’t want to in any case). With that in mind here are some techniques that might be used.

First and simplest, replicate the 7 hour power outage. Okay, you probably don’t have to do the whole 7 hours; you would just have to shut the system down during the middle of a defrost cycle. The 7 hour shutdown added command pressure and made things more hectic because management was concerned about food starting to go bad. The key point is that the shutdown has to be done during a defrost cycle. Some sort of denial of service attack to shut down the refrigeration control system or the facility power system may be adequate for this purpose.

The problem from an attackers point of view with this method is that you are relying on operators to do the wrong thing during the re-start and that is an iffy proposition. Of course, if at first you don’t succeed….. At some point though the WC Fields addendum kicks in: “Then stop; there is no use being a damn fool about it.” This is especially true in this type of set-up; the more times you require folks to practice their emergency response plan, the better they will get at performing it.

The more complex, but surer way of pulling off this attack would be to attack the control system and interfere with the ability of the operator to drain, clear and refill the line at the end of the defrost cycle. This means that the attacker would have to reprogram some PLCs so that they operate in manner other than that which was intended and futz some sensor outputs to make it look like everything was operating normally.

This is, of course, why attacking an industrial control system is so difficult. First off you have to understand that you can cause hydraulic shock ruptures of ammonia lines, then:

∙ You have to understand how to optimize the conditions for that shock;
∙ You have to understand what controls work together to get that optimized condition;
∙ You have to understand what the operator is going to expect to see to do their part;
∙ You have to be able to provide that expected information to the operator;
∙ You have to know what safety systems are in operation and how to futz them; and
∙ You have to do all of this while hacking the system.

The one thing that should not escape anyone’s attention here is that the easiest place to do this hack is from the engineering workstation routinely used to work on the control system. And I don’t mean hacking into this from some off site hacker shop, but actually sitting at the terminal, sipping on a cup of coffee and smiling at the people around you. Yep, the infamous insider attack.

Saturday, March 28, 2015

S 650 Introduced – PTC Extension

As I noted in an earlier blog posting Sen. Blunt (R,MO) introduced S 650, the Railroad Safety and Positive Train Control Extension Act. The Senate Commerce, Science and Transportation Committee held a markup hearing on the bill this week and recommended the bill favorably after amending it. The bill would extend various deadlines for the implementation of positive train control (PTC) technology on railroads.


Congress required in 49 USC 20157 that all Class 1 railroads install a PTC system by December 31, 2015 on all rail lines over which toxic inhalation hazard (TIH) chemicals are transported. In implementing that requirement the Secretary of Transportation {49 CFR 236.1005} extended that requirement to all railroads that operated passenger rail lines on the same tracks over which TIH chemicals were transported.

There have been a number of challenges in meeting that deadline; both technical and regulatory. One of the problems that the railroads had was getting regulatory approval from the FCC for installing the track-side communications antennas. The FCC had originally required that each antenna installation undergo a separate permitting process, including a required historical commission review. That process was ultimately streamlined, but only after significant delays.

Wholesale Deadline Extension

Section 2 of the bill makes two changes to 49 USC 20157. The first extends the current deadline until December 31st, 2020 {§2(b)(1) to §20157(a)(1)}. The second would change the date basis for determining which sections of rail line would be required to have PTC installations; requiring PTC installation on lines over which TIH chemicals are transported on or after December 31st, 2015 {§2(b)(2) to §20157(a)(1)(B)}.

Retail Deadline Extension

Section 3 of the bill would also allow the Secretary of Transportation to authorize one year extensions to the implementation deadline on a case by case basis through 2022 {§3(a)(3) adding §20157(i)}. It goes on to outline the process by which the railroad would request the extension and the guidelines the Secretary would use in approving the extension. It provides a 10 day approval decision deadline after the Secretary receives the application.

Committee Amendment

The Committee amended the bill by adding a new section 5. This section amends §20157 by adding §20157(a)(3). It would require that each covered railroad would provide detailed annual reports to the Secretary about the progress they were making on the implementation of their PTC systems. The reporting requirement would continue until the Secretary certified the PTC installation under §20157(h).

In an interesting change of Congressional reporting requirements, the amendment did not require a summary report to Congress on the PTC implementation status. Instead it required the Secretary to make each report “available on the website of the Federal Railroad Administration” {§20157(a)(3)(D)}.

Moving Forward

Chairman Thune (R,SD) is obviously making the adoption of S 650 a priority for his Committee. It will be interesting to see how well that translates into moving the bill to the floor of the Senate.

The bill did have bipartisan support in committee. There will be some environmental and safety advocates who can be expected to object to the extension of this deadline. Given the fact that the current deadline cannot be met at this point, I would expect that those objections would take the form of modifying the new deadline date in the amendment process rather than stopping the bill from being considered.

I also expect that there will be an attempt made to add rail lines over which crude oil trains run to the PTC installation requirement. This has included in some other proposed legislation about crude oil trains, but getting that particular amendment added to this bill would probably be easier than getting the other bills through the legislative process. Such an amendment would also make the overall bill more palatable to safety and environmental advocates.

Friday, March 27, 2015

Bills Introduced – 03-26-15 House

Yesterday 111 bills were introduced in the House. The Congressional web site is not yet reporting on the Senate introduced bills because of how long the Senate stayed in session last night. The large number of bills in the House is due to their leaving town for their Easter break.

Of those bills introduced in the House yesterday three may be of specific interest to readers of this blog:

HR 1646 - To require the Secretary of Homeland Security to research how small and medium sized unmanned aerial systems could be used in an attack, how to prevent or mitigate the effects of such an attack, and... Rep. Watson Coleman, Bonnie [D-NJ-12]

HR 1679 - To ensure the safe transportation of Bakken crude oil by rail, and for other purposes. Rep. Garamendi, John [D-CA-3]

HR 1704 - To establish a nation data breach notification standard, and for other purposes. Rep. Langevin, James R. [D-RI-2]

HR 1704 is not the bill on the same topic that was marked up in the Energy and Commerce Committee this week. This, combined with the fact that Langevin is not on either of the two committees to which this bill was assigned, means that we will probably not be hearing about HR 1704 again. NOTE: The Committee bill approved this week did not contain any control system language; it was strictly a personal information protection bill.

Thursday, March 26, 2015

ICS-CERT Published Schneider Advisory

Today the DHS ICS-CERT published an advisory for multiple vulnerabilities in two Schneider Electric products, InduSoft WebStudio and InTouch Machine. The vulnerabilities were reported by Gleb Gritsai, Ilya Karpov, and Kirill Nesterov of Positive Technologies Security Lab and independent researcher Alisa Esage Shevcheckno. Schneider has produced patches for the products, but there is no indication that the researchers were provided the opportunity to verify the efficacy of the fix.

The vulnerabilities include:

∙ Hard-coded credentials - CVE-2015-0996;
∙ Authentication - CVE-2015-0997; and
∙ Clear-text transmission of sensitive information - CVE-2015-0998 and CVE-2015-0999.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to execute arbitrary code. They also mention that there may be exploits for these vulnerabilities publicly available.

Schneider published separate advisories for the two product lines (here and here). The two advisories are nearly identical and neither mention publicly available exploits. They were also both published over a month ago. There is no indication about why ICS-CERT only recently got the information.

Bills Introduced – 03-25-15

The House and Senate introduced 65 bills yesterday. Only one of those will be of specific interest to readers of this blog:

S 859 - A bill to protect the public, communities across America, and the environment by increasing the safety of crude oil transportation by railroad, and for other purposes. Sen. Cantwell, Maria [D-WA]

While the official GPO copy of this bill is not yet available, the press release from Cantwell’s office makes it clear that this is one of the most comprehensive bills yet introduced addressing the safety of crude oil trains. The lack of bipartisan sponsorship of this bill almost ensures that it will not be taken up during the current session; unless, of course, there is a deadly crude oil train wreck in this country.

Wednesday, March 25, 2015

Bills Introduced – 03-24-15

Yesterday the House and Senate introduced 65 bills. Only two of those may be of specific interest to readers of this blog:

HR 1560 - To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes. Rep. Nunes, Devin [R-CA-22]

S Res 110 - A resolution expressing the sense of the Senate about a strategy for the Internet of Things to promote economic growth and consumer empowerment.  Sen. Fischer, Deb [R-NE]

While the official copy of HR 1560 has not yet been published by the GPO, the House Intelligence Committee does have a copy of the bill, a summary, and a section-by-section review of the bill available on their web site. I have not yet had a chance to do a complete review of the bill, but it does specifically include industrial control systems in its definition of information systems {§11(8)(b)}.

This will be the last mention of S Res 110. The bill was introduced and passed yesterday in the Senate. It was passed by unanimous consent in the closing minutes of yesterday’s session. No vote was taken and there were probably few members even present. Again the official copy of the resolution has not been printed by the GPO, but Sen. Fischer has a copy on her web site.

The bill was feel good statement of the ‘sense of the Senate’ that the internet of things is a good thing to be encouraged in a way that “maximizes the promise connected technologies hold to empower consumers, foster future economic growth, and improve our collective social well-being”. The closest thing to a statement about the concerns relating to security of the IOT is found in the closing statement exhorting innovators to “commit to improving the quality of life for future generations by developing safe [emphasis added], new technologies aimed at tackling the most challenging societal issues facing the world”. Please save us from well-meaning but technologically inept politicians.

DHS Sends UAV Best Practices Notice to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a best practices notice from DHS for review. This was not listed in the latest Unified Agenda (notices typically are not) so there is no specific information about this proposed publication.

I would suspect that this is part of a DHS effort to establish internal controls about the appropriate use of unmanned aerial vehicles. It will be interesting to see how long it takes OIRA to approve the publication of this notice.

Tuesday, March 24, 2015

ICS-CERT Updates GE HART Device DTM Advisory

Today ICS-CER published an update of the GE and MACTek version of the HART Device DTM advisory. No changes have yet been published for the similar advisories for systems from Emerson, Honeywell, Magnetrol, and Pepperl+Fuchs or the latest update of the CodeWrights advisory. The update provides new information in three separate areas of the advisory.

Updated Impact Information

The first area changed deals with the ‘Impact Information’ section of the advisory. A new paragraph has been inserted in between the two paragraphs found on the original:

“The buffer overflow exploited could be used to execute arbitrary code on the system running the Frame Application. The researcher has provided proof of concept to ICS-CERT and the vendor. The updated HART Device DTM provided by the GE and MACTek will resolve this issue. Successful exploitation requires that the Frame Application is running and connected to a DTM‑configured HART‑based device at the time of the exploit.”

Since no change was made to the initial paragraph of the advisory, this vulnerability still does not appear to affect the “information, control, or view by the control system of the HART devices on the 4-20 mA HART Loop”.

Vulnerability Overview

The second section to be changed is the ‘Vulnerability Overview’ section of the ‘Vulnerability Characterization’ portion of the advisory. Once sentence has been added to the existing initial paragraph:

“Overflow involved could be used to execute arbitrary code on the system running the Frame Application.”

Probably more importantly, the CVSS base score was changed from 1.8 to 6.8 and the vector string has been changed from (AV:A/AC:H/Au:N/C:N/I:N/A:P) to (AV:A/AC:H/Au:N/C:C/I:C/A:C). None of the above data is reflected in the current version of CVE-2014-9203 that was last updated on February 9th, 2015; four days after the original GE advisory was published.


The final area changed is the addition of two paragraphs to the ‘Mitigation’ section of the advisory. They were added after the listing of available updates:

Device DTM software with the identified vulnerable versions listed as impacted should be used only within an offline secure network until patched. ICS-CERT strongly recommends performing configuration changes in a nonproduction environment where proper testing and risk evaluation can be performed. ICS-CERT also recommends that asset owners employ a least privilege practice and avoid unnecessary services within their production environment.
Some processes may require continual configuration changes. ICS-CERT recommends asset owners maintain all software with the latest security releases, limit connections outside the control process, and monitor approved connections for suspicious traffic.

The second paragraph sounds like generic advice. Much of the first paragraph is also generic, but it is a tad bit more strongly worded than we normally see in a ICS-CERT advisory. The strengthened verbiage seems appropriate based upon the additional scope of the vulnerability described earlier in the revised advisory.

GE Advisory

I went back to see if the changes found in this revision were also reflected in the advisory published by GE. Unfortunately there is a security certificate problem with the GE Advisory. Microsoft provides a warning that there is a mismatch between the address on the site (Https://geog.prod.acquia-sites.com/sites/geog.dev.local/files/geog_15-01_security_advisory_hart_dtm.pdf) and the address on the certificate (Https://geog.prod.com/sites/geog.dev.local/files/geog_15-01_security_advisory_hart_dtm.pdf ).

If you ignore the warning and open the file anyway you find that GE has not updated their advisory since the original ICS-CERT advisory was published last month. (Note: the link from the earlier version of this advisory now takes one to the same certificate conflicted site)


There has been a number of odd things about the way that ICS-CERT has handled this vulnerability, almost from the get-go. We now have six separate advisories for a vulnerability in DLL library common to all of the affected systems and there are at three separate versions of the advisory found in the six current versions.

I have never used a HART based system and I am certainly not a control systems engineer, but it really looks like ICS-CERT is having problems coordinating the facts about this issue with the various vendors involved. It could be, of course, that the conflicts are due to different implementations of the library. If that is the case, it would be helpful if ICS-CERT would make that matter public.

As it stands now it looks like this is an ICS-CERT issue not a vendor issue.

Monday, March 23, 2015

HR 1290 Introduced – Rail Hazmat Rerouting

As I mentioned in an earlier post, Rep. Ellison (D,MN) recently introduced HR 1290. The bill (which lacks a catchy title) would require a study of the “impact of diverting certain freight rail traffic to avoid urban areas”.

The bill starts {§1} out with 3+ pages of ‘Congressional Findings’ about the hazards associated with moving crude oil trains (particularly those originating in the Bakken region). Nothing new or noteworthy here.

Section 2 of the bill provides the meat of the matter. It requires {§2(a)} the DOT Secretary to “make appropriate arrangements with the Transportation Research Board of the National Academies" to conduct a study “on the cost and impact of rerouting freight rail traffic containing hazardous material to avoid transportation of such hazardous material through urban areas”. Unlike most proposed legislation that requires the conduct of a study, this bill specifically {§2(e)} authorizes $850,000 for the conduct of the study.

With all of the ‘findings’ setup in section one, it is interesting to note that there is no mention of crude oil in the study requirements. Is specifically refers to “hazardous material” and to ensure the broadest possible scope for the study, the bill uses the definition of that term from 49 USC 5102; which in turn refers to 49 USC 5103(a). That paragraph states:

“The Secretary shall designate material (including an explosive, radioactive material, infectious substance, flammable or combustible liquid, solid, or gas, toxic, oxidizing, or corrosive material, and compressed gas) or a group or class of material as hazardous when the Secretary determines that transporting the material in commerce in a particular amount and form may pose an unreasonable risk to health and safety or property.”

Incidentally, this study would go well beyond the hazmat route planning requirements of 49 CFR 820(c). The routing requirements in that section apply to a small subset of the urban areas described in this bill (“urban area, as designated by the Bureau of the Census, with a population of greater than 30,000”) {§2(d)(2)} and an even smaller subset of the hazardous materials described in that section. Even then routes through High Threat Urban Areas may be considered acceptable as a ‘least overall safety and security risk’.

Since this is a study bill that pushes off any report to the next congress (21 months from the date of passage) it is unlikely that there will be any major objections to this bill. As I have mentioned so many times, however, lack of objections does not guarantee consideration of the bill, much less passage. Ellison is a Democrat and not a member of the House Transportation and Infrastructure Committee so it is unlikely that that committee will take up the bill.

Committee Hearings – Week of 3-22-15

With both the House and Senate in Washington this week the budget remains a big topic, both in Committee and on the Floor of the House. In addition there will be hearings on cyber security, UAVs and railroad safety.

Budget Hearings

Of specific interest to readers of this blog will be hearings on the budgets for


The House Rules Committee will also be holding a hearing this evening on the consideration of the Budget Resolution later this week by the Whole House.

It has been a while since there has actually been a budget resolution signed by the President. It will be interesting to see if the House can put together a bill that the Republican almost-controlled Senate can bring to a vote under regular order.


The Commerce, Manufacturing and Trade Subcommittee of the House Energy and Commerce Committee will hold a hearing on Tuesday and Wednesday on "H.R.__, Data Security and Breach Notification Act of 2015". A committee draft is available, but I have not yet had a chance to review it.

Unmanned Aerial Vehicles

The Aviation Operations, Safety, and Security Subcommittee of the Senate Commerce, Science and Transportation Committee will be holding a hearing on Tuesday on “Unmanned Aircraft Systems: Key Considerations Regarding Safety, Innovation, Economic Impact, and Privacy”. The witness list includes:

• Margaret Gilligan, Federal Aviation Administration;
• John B. Morris, Jr., National Telecommunications and Information Administration;
• Gerald Dillingham, Government Accountability Office;
• John Villasenor, The Brookings Institution;
• Paul Misener, Amazon, Inc.; and
• Jeff VanderWerff, the American Farm Bureau Federation

Looking at the witness list it would not seem that UAV operations over critical infrastructure will get much in the way of mention at this hearing.

Railroad Safety

The Senate Commerce Science and Transportation Committee will hold a business meeting on Wednesday that will include a markup of S.650, the Railroad Safety and Positive Train Control Extension Act.

I have just briefly reviewed this bill and, as expected, it would extend the current positive train control (PTC) installation deadline from December of this year until 2020 and provide authority to the Secretary of Transportation to further extend that deadline on a case-by-case basis until 2012.

HR 1405 Introduced – RAILS Act

As I mentioned earlier Rep. Lipinski (D,IL) introduced HR 1405, the Reassuring Adequate Investment in Lifesaving Systems (RAILS) Act. The bill would reauthorize and expand the Railroad Safety Technology Grant program under 49 USC 20158, extending the authorization of the program through 2020.

The bill would extend the authorized use of the grants to include “advanced communications methods for conveying hazard information between all parties in the transportation chain, spectrum acquisition, multifrequency broadband connectivity equipment, implementation and interoperability testing” {added to §20158(a)}. There is no specific definition of ‘hazard information’ in the bill, but Lipinski’s press release on the bill specifically mentions “a system for electronic communication regarding hazardous material rail shipments”.

Unlike most bills that have been recently introduced expanding the potential uses of grant programs, this bill would increase the amount authorized for this program from $50 million to $200 million.

In the overall scope of the Federal budget (or even just the DOT budget) this increase is small enough not to be a serious impediment to passage. The biggest problem that this bill will need to overcome is the lack of bipartisan support in the sponsorship of the bill. Lipinski is a member of the House Transportation and Infrastructure Committee (the first hurdle in the legislative process for this bill), but he may not be senior or influential enough to convince the Republican leadership to begin consideration of this bill.

Saturday, March 21, 2015

DOT Request for Comments on Alternative Timing Services

The Department of Transportation published a request for comments in Monday’s (available on-line today) Federal Register (80 FR 15268-15269) about the possible use of an enhanced Long Range Navigation (eLoran) system as a complementary positioning, navigation, and timing (PNT) capability as an alternative to the current use of the GPS system.

In the event of a GPS system failure there is currently no backup for many of the services provided by that system. One of the systems under consideration for a backup is the eLORAN system. DOT is asking for feedback in the following areas:

∙ A brief description of your application(s) of positioning, navigation, and timing services;
∙ The positioning, navigation, and/or timing performance required for a complementary PNT capability during a disruption of GPS that could last for longer than a day;
∙ The availability and coverage area required for a complementary PNT capability;
∙ The willingness to equip with an eLoran receiver to reduce or prevent operational and/or economic consequences from a GPS disruption;
∙ The current and planned availability of e-Loran capable user equipment; and
∙ The other non-eLoran PNT technologies or operational procedures, currently available or planned, that could be used during a disruption of GPS for longer than a day.

Control system owners, vendors and integrators that use GPS for control system timing issues should consider submitting comments to DOT on this issue. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # DOT-OST-2015-0053). Comments should be submitted by May 22nd, 2015.

Friday, March 20, 2015

OMB Approves McKenzie Valve Emergency ICR

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a 6 month emergency information collection request (ICR) from DOT’s Federal Railroad Administration (FRA). This ICR was supporting the reporting requirements of FRA’s Railworthiness Directive for McKenzie DNNR valves that was published in the Federal Register on Wednesday (80 FR 14027 - 14029) along with the ICR notice (80 FR 14238 - 14239)

The ICR was approved for 6 months. The FRA estimates that it will affect 100 railcar owners (and 15,000 railcars). Two separate reports required by the Directive are authorized by the ICR with an estimated 200 reports for each with a total reporting burden of 500 hours. This does not include the time needed to change out the valves; it just covers reporting requirements.

Interestingly the Railworthiness Directive reports that McKenzie sold about 11,200 of the affected 3” valves and about 37,000 of the 1” and 2” valves. They also noted that they expected that the 3” valves would be found on about 6,000 railcars where it would have been used as a replacement valve.

Bills Introduced – 3-19-15

Yesterday as the House and Senate prepared to leave town on a three-day weekend a total of 106 bills were introduced. Of those, three may be of specific interest to readers of this blog:

HR 1461 - To repeal certain provisions of titles 23 and 49, United States Code, and for other purposes. Rep. Massie, Thomas [R-KY-4]

HR 1472 - To establish a modernized national Integrated Public Alert and Warning System, and for other purposes. Rep. Barletta, Lou [R-PA-11]

S 797 - A bill to amend the Railroad Revitalization and Regulatory Reform Act of 1976, and for other purposes. Sen. Booker, Cory A. [D-NJ]

HR 1461 may be similar to HR 1483, to amend titles 23 and 49, United States Code, to repeal wage requirements applicable to laborers and mechanics employed on Federal-aid highway and public transportation construction projects. If so, I will not mention it again.

HR 1472 may be similar to HR 3283 from last session. That bill was ordered reported by the Homeland Security Committee, but was never taken up by the Whole House.

The title to S 797 is so vague that there is no telling what it covers. If it addresses hazmat shipping issues, then it will receive future mention here.

Thursday, March 19, 2015

ICS-CERT Publishes Rockwell Advisory

Today the DHS ICS-CERT published an advisory for a DLL hijack vulnerability in Rockwell Automation’s FactoryTalk View Studio product. The vulnerability was reported by Ivan Sanchez of NullCode & Evilcode Team. Rockwell has produced a patch that mitigates the vulnerability but there is no indication that Sanchez was provided an opportunity to verify the efficacy of the patch.

ICS-CERT reports that a social engineering attack would be necessary to exploit this vulnerability.

Apparently ICS-CERT is changing the way they describe the remote exploit possibility of vulnerability. Instead of saying that the vulnerability is ‘not remotely exploitable’ as we have seen in some DLL related advisories in the recent past, they now say: “These vulnerabilities are not exploitable remotely without user interaction.” This seems to me to be a concise and accurate description of the situation.

Note: It looks like this may be the advisory that I reported as being posted on the US-CERT Secure portal recently. The advisory notes that it was posted to the portal on March 3rd.

IPTF Requesting Public Comment on Cybersecurity in the Digital Ecosystem

Today the NIST's Internet Policy Task Force published a request for public comment in today's Federal Register (80 FR 14360-14363) concerning it's ongoing work looking at cybersecurity in the digital ecosystem. 
The IPTF is trying to to identify substantive cybersecurity issues that affect the digital ecosystem and digital economic growth where broad consensus, coordinated action, and the development of best practices could substantially improve security for organizations and consumers. This effort is seen a complimentary to the NIST's Cybersecurity Framework and is attempting to identify actions that can be taken across a broader scope of the electronic landscape than just the system owner level.
In this document the IPTF “proposes to facilitate one or more multistakeholder processes around key cybersecurity issues facing the digital ecosystem and economy”. In facilitating this discussion the IPTF is asking for responses to the following questions:
· What security challenges could be best addressed by bringing together the relevant participants in an open, neutral forum to explore coordinated, voluntary action through principles, practices, and guidelines?

· Which topics could result in actionable, collective progress by stakeholders in a multistakeholder setting?

· What factors should be considered when selecting the multistakeholder processes?

· How can the IPTF promote participation of a broad range of stakeholders in the development process?

· What procedures and technologies can promote transparency in the process?

· What types of consensus outcomes can promote real security benefits without further adding to a compliance-oriented model of security?

· How should evaluation of the processes be conducted to assess results and ensure that the recommendations and outcomes of the process remain actionable and current?

Some of the topics to be considered could include:

· Privacy;

Comments should be submitted via by email to securityRFC2015@ntia.doc.gov. Comments should be submitted by May 18th, 2015.

Bills Introduced – 03-18-15

Yesterday a total of 80 bills were introduced in the House and Senate. One of those bills may be of specific interest to readers of this blog:

S 769 - A bill to streamline the permit process for rail and transit infrastructure. Sen. Blunt, Roy [R-MO]
I suspect that this may have to do with permitting issues for signaling devices required for the positive train control systems being installed on Class 1 rail lines throughout the country, but we will have to wait and see what the bill actually says when the GPO gets around to printing it.

Wednesday, March 18, 2015

Bills Introduced – 03-17-15

Yesterday there were 54 bills introduced in the House and Senate. Four of these bills may be of specific interest to readers of this blog:

· HR 1385 - To provide for a legal framework for the operation of public unmanned aircraft systems, and for other purposes. Rep. Poe, Ted [R-TX-2]

· HR 1405 - To amend title 49, United States Code, to ensure railroad safety. Rep. Lipinski, Daniel [D-IL-3]

· S 754 - An original bill to improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes. Sen. Burr, Richard [R-NC]

· S 766 - A bill to limit the retrieval of data from vehicle event data recorders, and for other purposes. Sen. Hoeven, John [R-ND]

HR 1385 will probably address more than small unmanned aerial vehicles, but we will have to wait to see the details.

Lipinski's HR 1405 will almost certainly address crude oil train issues among other items.

S 754 is the much publicized bill from the Senate Intelligence Committee. The formal copy of the bill has not been published by the GPO yet, but earlier draft versions did specifically include industrial control systems in the definition of information systems covered by the bill. The bill was reported without a written report when it was introduced yesterday meaning that it can be brought to the floor at anytime the leadership desires. It will be interesting to see if and when this bill gets to the floor.
S 766 may have implications for cybersecurity of automobiles, but I won't be certain of that until we see the actual language.

ICS-CERT Publishes Three Advisories

Yesterday the DHS ICS-CERT published three control system advisories for systems from Johnson Controls, Honeywell and Xzeres.
Johnson Controls Advisory
This advisory describes two vulnerabilities is the Johnson Controls Metasys building management system. The vulnerabilities were reported by Billy Rios. Johnson Controls has produced patches for the affected systems but there is no indication that Rios has been provided the opportunity to verify the efficacy of the fixes.
The two vulnerabilities are:
· Storing passwords in a recoverable format – CVE-2014-5427

· Unrestricted upload of files with a dangerous type – CVE-2014-5428
ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to compromise the Metasys system.
Honeywell Advisory
This advisory describes a directory traversal vulnerability in the Honeywell XL Web Controller. The vulnerability was reported by Martin Jartelius of Outpost24. Honeywell has produced an update that mitigates the vulnerability but there is no indication that Jartelius has had an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability to gain access to the web root directory.
ICS-CERT reports that the same web controllers have been sold under the name 'Falcon' by Centraline. The advisory provides links to the Centraline updates, but Honeywell customers will have to contact the Honeywell HBS branch for assistance in getting the updates.
Xzeres Advisory
This advisory describes a cross-site request forgery vulnerability in the XZERES’s 442SR turbine generator operating system. The vulnerability was reported by Maxim Rupp. Xzeres has produced a patch that mitigates the vulnerability but there is no indication that Rupp has been provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability to obtain the username password from the system. ICS-CERT reports that while no exploits are currently specifically available for the vulnerability in this system, there are publicly available exploits for similar vulnerabilities that could easily be changed to work on this system.

Sunday, March 15, 2015

McKenzie Valves and Oil Train Fires

A question has been bothering me since I wrote the post earlier this week about the Federal Railroad Administration’s (FRA) railworthiness directive about McKenzie UNNR valves; could leaks from these valves have contributed to recent derailment fires in non-DOT 111 railcars?


Now, before I proceed any further with this let me make two things perfectly clear. First, I am not a railroad accident investigator and I have not gotten any closer to the recent wrecks than some photos that I have seen on the web. Second, the FRA directive only mentioned the McKenzie UNNR valves being seen on DOT 111 railcars; there is no mention of CPC 1232 railcars; the type cars that were involved in the West Virginia derailment.

Crude Oil Explosions

The reason that I ask this question is that the one good picture of the cars involved in the WV derailment that I have seen shows the cars being intact. There does not seem to be any of the damage that we would associate with exploding railcars like has been seen in some of the earlier incidents. There were certainly reports of explosions associated with this derailment, but I think that they could be explained by leaking valves.

First you have to understand that there are two different types of ‘explosions’ that can be involved in a crude oil train (or any flammable liquid train) derailment. The first is not really an explosion in the military sense of the term; a sealed railcar is involved in an exterior fire. The heat of the fire outside the railcar increases the temperature of the liquid within and this causes a build-up of pressure inside. With enough heat the pressure builds up to the point where the railcar can no longer contain the pressure and the car catastrophically fails. This can be aggravated if the flames of the exterior fire impinge on the car above the liquid level and weaken the exposed metal.

The second type of explosion is an explosion exterior to the railcar caused by the ignition of a flammable gas cloud that has escaped from the railcar. This will usually accompany the first type of explosion, but it may also happen when a less intense fire is involved. As the interior contents of the railcar increase in temperature and pressure begins to build safety systems on the railcar known as pressure release valves will open and allow some of the flammable gas in the headspace to be released to the atmosphere. You can actually get multiple explosions of this type from a single railcar if the fire continues long enough.

The main difference in the two types of railcar explosions is the extent of the damage. The explosion caused by the catastrophic failure of containment is typically much more damaging especially since it typically includes a very large secondary explosion of the second type. With the non-catastrophic explosions of the second type, less fuel is actually involved so the amount of energy released is significantly smaller. Now you don’t want to be around either one, but you can safely be closer to the second than the first.

Cause of the Fires

One of the reasons for the surprise at the fires involved in the West Virginia derailment was that they involved the CPC 1232 railcars not DOT 111 railcars. The newer CPC 1232 are designed to withstand derailments better than the DOT 111 railcars. They are supposed to remain intact better and thus prevent oil spills and subsequent fires. As I have mentioned a number of times, you cannot guarantee that they will be 100% failure free (and improvements to their design are probably included in the upcoming PHMSA rule), but we had hoped for better performance than was seen in WV.

If McKenzie valves, however, were installed on one or more of the involved railcars, the situation changes substantially. You could have had crude oil on the outside of the railcars, even before the accident. That material would have been on the top of the cars. This is critical because that is the last place that you want a fire to start if you want to stop the venting of flammable gasses as it takes less heat to heat up the gasses in the head space than it does to heat up the liquid to produce more flammable gas.

Additionally, the FRA notes that the McKenzie valves that they tested were unable to hold 50 psi of pressure. This is significantly less than the pressure at which the pressure relief valves are set to function at so that there would be flammable gas releases from these valves at much lower temperatures than normally expected.

Finally, if a derailed railcar ended up on its side (as at least one clearly did in the West Virginia wreck photo) that we would expect to see crude oil leaking out of that valve throughout the time the railcar was on its side and it would be leaking faster while the fire was burning because of internal pressure in the car. This longer burning fire would contribute to more type two explosions from the other cars.

Investigations Continue

I am sure that the FRA is taking these possibilities into account as they continue to investigate these recent derailments. But it is also something that we need to consider as we continue to debate the problems associated with crude oil train derailments.

Saturday, March 14, 2015

Committee Hearings – Week of 3-15-15

Both the House and Senate will be operating in Washington this week. The budget is the hot topic for hearings this week with most committees looking at some aspect of the budget. Cybersecurity is also a common theme this week with a number of hearings (see the listing below). The electric grid modernization, sUAV, Chemical Terrorism, Coast Guard mission and TSCA legislation round out the hearing topics that may be of specific interest to readers of this blog.


The following cybersecurity related hearings are scheduled this week:

Cybersecurity: The Evolving Nature of Cyber Threats Facing the Private Sector – Subcommittee on Information Technology of the House Oversight Committee, Wednesday

The Growing Cyber Threat and its Impact on American Business – House Intelligence Committee, Thursday

Examining the Evolving Cyber Insurance Marketplace - Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security of the Senate Commerce, Science and Transportation Committee, Thursday

The House Intelligence Committee hearing will be a somewhat rare public hearing.

Coast Guard Mission

The Coast Guard and Maritime Transportation Subcommittee of the House Transportation Committee will hold a hearing on Tueday on “An Overview of the U.S. Coast Guard’s Missions”. The Deputy Commandant is the only witness currently scheduled. There may be brief mentions of MTSA and chemical transportation issues.


The Oversight and Management Efficiency Subcommittee of the House Homeland Security Committee will be holding a hearing on Wednesday on “Unmanned Aerial System Threats: Exploring Security Implications and Mitigation Technologies”. The witness list has not yet been announced.

Chemical Terrorism

The Emergency Preparedness, Response, and Communications Subcommittee of the House Homeland Security Committee will be holding a hearing on Thursday on “Agents of Opportunity: Responding to the Threat of Chemical Terrorism”. The witness list has not yet been published.

This sounds like it will be looking at the potential use of industrial chemicals as terrorist weapons. This is a subject that should be near and dear to me and my readers.

Electric Grid

The Senate Energy and Natural Resources Committee will be holding a hearing on Tuesday on “The State of Technological Innovation Related to the Electric Grid”. The witness list includes:

● Ms. Lisa Barton, AEP Transmission;
● Ms. Lisa Edgar, Florida Public Service Commission
● Dr. Michael Howard Ph.D., P.E., Electric Power Research Institute
● Dr. Peter Littlewood, Argonne National Laboratory
● Dr. Jeff Taft, Pacific Northwest National Laboratory

I expect that there will be some mention of cybersecurity issues and perhaps physical security of substations.


It looks like the Senate Environment and Public Works Committee will be holding a hearing on Wednesday to look at S 697, the bipartisan bill to amend the Toxic Substances Control Act (TSCA) that I mentioned earlier this week. The hearing is not yet listed on the Committee web site.

Friday, March 13, 2015

DLL Hijacking Vulnerability

I hear that ICS-CERT has published a DLL hijacking advisory for an industrial control system on the US-CERT Secure Server. Since I don’t have access to that site I can’t confirm that, and if I did I wouldn’t be able to talk about it anyway. If they have, they will get around to publishing it on the ICS-CERT site in the near future.

In any case, if you are the owner operator of an industrial control system at a critical infrastructure facility, you should already have requested access to the Secure Server so that you would be up to date on these types of vulnerabilities.

If you are not a critical infrastructure facility, you might try contacting US-CERT to see if you can get access, I understand that they have liberalized their rules about who they will give access. They are certainly willing to talk to security researchers and system integrators.

FRA Issues Railworthiness Directive 1 – McKenzie Valves

Today the DOT’s Federal Railroad Administration (FRA) published Railworthiness Directive #1 identifying a series of unauthorized valves currently in use on a large number of railcars. The design of these valves leads to their leaking in service.

As a result of an investigation into 17 leaking crude oil tank cars on a BNSF train heading to Anacortes, Washington from the oil fields in North Dakota, the FRA has identified a family of ball valves (3”, 2” and 1” UNNR valves) produced by McKenzie Valve and Machining that are routinely damaged in normal use. Further investigation determined that the design of these valves had not actually been approved by the AAR Tank Car Committee as thought by McKenzie and UTLX, the tank car company who owns the cars where these valves have been found.

According to FRA’s investigation the valves are only damaged when installed with a plug the same size as the ball-valve. When a reducer is used instead, the valves appear to function as designed. With that in mind the FRA is requiring any tank car with the affected McKenzie valves installed with a full-size plug be immediately removed from hazmat service (loaded or residual). Because the valves, even with reducers, are not of approved design, the FRA is requiring the replacement of valves equipped with reducers. Tank car owners equipped with the 3” valves with reducers have until May 12th to replace them and until June 11th to replace the 1” and 2” valves equipped with reducers.

Even though the FRA has found at least one of the offending valves in other hazmat service, most of the leaking valves have been found on crude oil cars. Because of this I expect that this problem will be used to help call for further restrictions on the shipment of crude oil by rail.

OMB Approve ATF Safe Explosives Act Rule

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved the DOJ’s Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) final rule implementing the requirements of the Safe Explosives Act (PL 107-296,Title XI, Subtitle C). The current interim final rule has been in effect since September 11, 2003.

I expect that this final rule will be published next week.

Bills Introduced – 03-12-15

Yesterday, with only the Senate in session, 18 bills were introduced. Only one of those bills may be of specific interest to readers of this blog:

S 725 A bill to amend the Toxic Substances Control Act, and for other purposes. Sen. Boxer, Barbara [D-CA]

This bill is almost certainly an alternative to the bipartisan TSCA bill introduced earlier this week. Boxer has complained about the pre-emption of State chemical safety rules in that bill.

It is extremely unlikely that this bill will ever see any action in the Republican controlled Senate.

Thursday, March 12, 2015

ICS-CERT Publishes Schneider Advisory

Today the DHS ICS-CERT published an advisory for a buffer overflow vulnerability in the Schenider Pelco DS-NVs software package (video management software). The vulnerability was reported by Ariele Caltabiano (kimiya) and Andrea Micalizzi (rgod) via the HP Zero Day Initiative. Schneider has produced a patch which mitigates the vulnerability but there is no indication that the researchers have been given the opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to execute arbitrary code.

Neither this advisory nor the Schneider notification identify the vulnerable DLL involved in this vulnerability so it is not possible to tell if the vulnerability would be unique to this application or if it might be found in multiple Schneider products.
/* Use this with templates/template-twocol.html */