Friday, July 31, 2015

S 1846 Introduced – EMP Protection

Last week Sen. Johnson (R,WI) introduced S 1846, the Critical Infrastructure Protection Act (CIPA) of 2015. In my initial post about the introduction of this bill I commented that it might be a companion bill to HR 1073; that is not the case even though they share a common title. This bill requires more extensive activities from DHS than just consider electromagnetic pulse events (natural and man-made) in federal planning scenarios.

The bill starts off by adding a definition of ‘EM Threat’ to 6 USC 101 which encompasses electromagnetic pulses caused both by manmade actions and natural events. It then adds a new paragraph to 6 USC 121(d) requiring DHS to develop a “strategy to protect and prepare the critical infrastructure of the American homeland against EM threats, including from acts of terrorism” {new §121(d)(26)(A)(i)}.

It then goes on to add two new sections to the Homeland Security Act of 2002:

SEC. 318. EM threat research and development.
SEC. 526. National planning frameworks and education.

Research

The new §318 would require DHS S&T to conduct research and development to mitigate the consequences of EM threats. That research would include {new §318(b)}:

An objective scientific analysis of the risks to critical infrastructures from a range of EM threats;
Determination of the critical national security assets and vital civic utilities and infrastructures that are at risk from EM threats;
An evaluation of emergency planning and response technologies that would address the findings and recommendations of experts, including those of the Commission to Assess the Threat to the United States from Electromagnetic Pulse Attack;
An analysis of technology options that are available to improve the resiliency of critical infra- structure to EM threats;
The restoration and recovery capabilities of critical infrastructure under differing levels of damage and disruption from various EM threats;
An analysis of the feasibility of a real-time alert system to inform electric grid operators and other stakeholders within milliseconds of a high-altitude nuclear explosion.

Planning

The planning requirements under the new §526 are very similar to those found in HR 1073. It would require the DHS National Protection and Programs Directorate to:

Include EM threats in national planning frameworks; and
Conduct outreach to educate owners and operators of critical infrastructure, emergency planners, and emergency response providers at all levels of government regarding EM threats.

Restricting DHS Activity

The final two sections of the bill limit the ability of DHS to effectively complete any of the above actions. Section 4 specifically denies DHS any regulatory authority to advance EMP protections. Section 5 specifically requires DHS to execute the actions discussed above with funds currently appropriated to the Department.

Moving Forward

Johnson is the Chair of the Senate Homeland Security and Governmental Affairs Committee so he certainly has the political pull to move this bill forward. In fact, the bill was marked up in a Committee business meeting this week. Unfortunately, because the way the Senate does their business the substitute language adopted by the Committee is not posted to the Committee web site like we see in the House. This means that we will have to wait for the Committee Report on the bill to see what changes were made.

It will be interesting to see if Johnson is interested enough in this bill to put his political will forth to move the bill to the floor of the Senate. If it gets there, this bill will likely be passed by a bipartisan majority since it deals with a potentially catastrophic event, but does not require new regulations, nor will it cost any new money.

Commentary

EMP threats are the classic black swan event; absolutely catastrophic consequences but very low probability of occurrence. A cataclysmic geomagnetic storm has about the same probability of happening as a major comet/asteroid strike on the Earth. The difference between the two type of events is significant; we will see a comet/asteroid strike coming and may be able to take actions to prevent the strike. Any warning for a geomagnetic storm will be quite short.

The problem of a man-made EMP event of national significance has been widely overblown. Yes a properly designed nuclear weapon detonation very high over the heartland would very likely result in a catastrophic national-level EMP event. Fortunately, the old Cold War, strategy for preventing such an event is still in place; mutually assured destruction. Long before the weapon reached it detonation point, the massive counterstrike of our nuclear triad would be in route to the country that launched that missile. There are much more deniable methods for our nuclear missile capable adversaries to take out our electric grid infrastructure.

The other main problem with the current efforts to protect the Homeland against a catastrophic EMP event is that they are quite frankly a waste of time. Even if we were able to protect the electric grid from such an event (a very expensive and technologically iffy proposition at best) it would still not stop the virtual destruction of our country. That is because an EMP event of the requisite magnitude would also destroy almost every civilian (and many military) microprocessors in the country. No modern vehicles would be running, no communications would be functioning, no distribution systems would be operating, almost all modern electronic gadgets, widgets and dodads would be dead because their microelectronic circuits would be fried beyond redemption. It would be the ‘end of civilization as we know it’. And the scope of that electronic cataclysm gets worse every day as the internet of things expands.

I am much more concerned about the tactical level EMP event like that seen in the Oceans 11 (2001 remake) movie. A portable electromagnetic device is used to create a localized EMP event. The resulting local chaos would then be used to cover a more common type of terror attack that would be made more effective by a very reduced response due to the lack of communication and physical response capability. But even this type of event is currently at almost the science fiction level possibility, these types of devices would be large, cumbersome and require a large energy source.


Having said all of that, I understand the congressional fascination with EMP events. They are conceivably a societal level cataclysm and no one wants history to record that they did not attempt to do something to prevent them. Unfortunately, because no funding is made available for the work required, this bill will only take resources away from other problems that have a much higher probability of occurrence and it will do nothing to mitigate the underlying EMP problem.

Thursday, July 30, 2015

ICS-CERT Updates one Advisory and Publishes Another

This afternoon the DHS ICS-CERT updated a Siemens advisory for SIMATIC HMI Devices and publishes a new advisory for Schneider Electric InduSoft Wb Studio.

Siemens Update

This update notes that Siemens is now reporting that all of the affected HMI devices now have updates available to mitigate the three vulnerabilities reported in the original advisory back in April. It also adds three different types of SIMATIC HMI panels to the list of affected and mitigated products.

Schneider Advisory

This advisory describes a clear-text storage of sensitive information vulnerability in Schneider’s Electric InduSoft Web Studio and InTouch Machine. The vulnerability was originally reported by Gleb Gritsai, Alisa Esage Shevchenko, Ilya Karpov, and the team from Positive Technologies Security. Schneider has produced patches to mitigate the vulnerability but there is no indication that the researchers have been given the opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker with local access can obtain project passwords from the configuration file. These can then be used to execute arbitrary code.


NOTE: The link provided in the Advisory for the Schneider report on the InduSoft version of this vulnerability does not get to the report; Schneiderdoes not yet have the vulnerability listed. Here is the direct link.

Chlorine Institute Issues New Chlorine Release Modeling Data

Today the Chlorine Institute published an updated version of their Pamphlet 74 - Guidance On Estimating the Area Affected By A Chlorine Release. Revisions have been based, at least in part, on the data produced by the Jack Rabbit test program conducted by the DHS Transportation Security Administration in 2010. The second round of testing (Jack Rabbit II) will be conducted later this summer.

I will be going through Pamphlet 74 in some detail this weekend. It will be interesting to see if the EPA will be updating its RMP*Comp program that is used to determine (for planning purposes) the distance of concern for releases of toxic chemicals. Actual field test data and models based upon that data should provide a better estimate of the distance of concern.

Senate Passes HR 3236

This afternoon the Senate passed HR 3236, the Surface Transportation and Veterans Health Care Choice Improvement Act of 2015, by a very bipartisan vote of 91 to 4. All four no votes came from Republicans. The bill extending the current surface transportation authorization until October 31st now heads to the President for signature. TheHill.com is reporting that the President is expected to sign the bill.

Earlier in the afternoon the Senate passed HR 22 (which was the Hire More Heroes Act of 2015) which has become the bill that will provide long term authorization of surface transportation programs. That vote, 65 to 34, was still fairly bipartisan, but in a way that is becoming more common in the 114th Congress; Republican conservatives made up almost half of the no votes.


Because this bill has been formulated as a series of amendments (including the basic amendment that completely replaces the original bill language) to the original bill, it is difficult to tell what the actual provisions of the bill look like. We should be able to see the version as passed by the Senate tomorrow or Saturday.

FRA Announces Final Rule for Securement of Unattended Equipment

Yesterday the DOT’s Federal Railroad Administration announced that it had submitted their final rule for the securement of unattended equipment to the Federal Register for publication. The announcement also included a link to download a copy [.PDF download] of the rule submitted to the FR. This rule will supersede and modify the provisions of FRA Emergency Order #28 issued after the Lac-Megantic Railroad disaster.

I will not be doing a detailed review of this rule today since the copy available is not the ‘official’ copy of the rule. This means that I cannot provide links to specific portions of the rule in my discussion nor will I be able to give specific dates for the bills effective and compliance dates. It is not currently scheduled to be published in tomorrow’s FR, so I expect that it will be published sometime next week.

The notice of proposed rulemaking was published for this rule in September of last year. Nine public comments were submitted in response to the NPMR.


NOTE: This final rule was not submitted to OMB for review, neither was the NPRM.

Bills Introduced – 07-29-15

Yesterday there were 197 bills introduced in the House and Senate. Most of those (178) were from the House as it was leaving for the summer recess. Many of those bills were introduced just for the purposes of showing the voters and campaign contributors that the Congressman was actively working on issues important to those in the home district. Of the bills introduced yesterday just 11 may be of specific interest to readers of this blog:

HR 3299 To amend the Public Health Service Act to ensure preparedness for chemical, radiological, biological, and nuclear threats, and for other purposes. Rep. Brooks, Susan W. [R-IN-5]

HR 3305 To help enhance American network security and mitigate cybersecurity risks, and for other purposes. Rep. Hurd, Will [R-TX-23]

HR 3313 To amend the Homeland Security Act of 2002 to strengthen the ability of the Secretary of Homeland Security to detect and prevent intrusions against, and to use countermeasures to protect, agency... Rep. McCaul, Michael T. [R-TX-10]

HR 3326 To amend chapter 90 of title 18, United States Code, to provide Federal jurisdiction for the theft of trade secrets, and for other purposes. Rep. Collins, Doug [R-GA-9]

HR 3348 To direct the Attorney General to create a special reward program for individuals providing information leading to the apprehension and conviction of persons committing offenses under section 1030 of... Rep. Green, Al [D-TX-9]  

HR 3350 To require a terrorism threat assessment regarding the transportation of chemical, biological, nuclear, and radiological materials through United States land borders and within the United States, and... Rep. Higgins, Brian [D-NY-26]

HR 3360 To provide for identity protection coverage and other services for individuals exposed to the OPM security breaches, and for other purposes.

HR 3361 To amend the Homeland Security Act of 2002 to establish the Insider Threat Program, and for other purposes. Rep. King, Peter T. [R-NY-2]

HR 3402 To strengthen the ability of the Secretary of Homeland Security to detect and prevent intrusions against, and to use countermeasures to protect, government agency information systems and for other... Rep. Ruppersberger, C. A. Dutch [D-MD-2]

HR 3418 To enhance homeland security, including domestic preparedness and the collective response to terrorism, by improving the Federal Protective Service, and for other purposes. Rep. Thompson, Bennie G. [D-MS-2]

S 1890 A bill to amend chapter 90 of title 18, United States Code, to provide Federal jurisdiction for the theft of trade secrets, and for other purposes. Sen. Hatch, Orrin G. [R-UT] 

Cybersecurity

Not surprisingly a large number (7) of these bills deal (HR 3305, HR 3313, HR 3326, HR 3348, HR 3360, HR 3402, and S 1890) with cybersecurity issues. It looks like HR 3326 and S 1890 are companion bills that would make it a Federal offense to steal trade secrets. Three of the bills (HR 3313, HR 3360, and HR 3402) appear to deal with Federal computer systems (but may contain language for private sector cybersecurity). HR 3348 would establish a special reward program to deal with offenses under 18 US 1030, Fraud and related activity in connection with computers.

Chemical Security

I’m lumping the other four bills under the rubric of chemical security; though for two of them that only covers a portion of the threat to which the bills are responding. HR 3299 looks at CBRN issues from a public health perspective. HR 3350 would require a ‘terrorism threat assessment’ for CBRN related shipments within the United States; there will be some interesting definitions here. HR 3361 looks at insider threat response; this may also be a cybersecurity bill. And HR 3418 would strengthen the Federal Protects Service; which also provides critical infrastructure chemical facility support to facilities not covered under CFATS or MTSA programs.

Moving Forward

The Senate will be in Washington for another week or two. When they adjourn for summer recess I expect that we will see another large (but not so large) batch of bills introduced. In the meantime the Senate will continue to introduce a limited number of bills each day they are in session and there is a chance that an occasional bill will be introduced during the pro forma sessions that the House will hold between now and Labor Day.

It will take the GPO a while to work through this back log of bills, so I will continue to have fodder for my blog post while Congress is junketing, schmoozing voters, and sucking up to campaign contributors.


Wednesday, July 29, 2015

HR 3236 Passed in House

Early this evening the House took up HR 3236, the Surface Transportation and Veterans Health Care Choice Improvement Act of 2015. After just 24 minutes of debate the bill was passed by a strongly bipartisan vote of 385 to 34. This bill would extend the current surface transportation authorization (set to expire Friday night) until October 31st, 2015.


It looks like the Senate will take up this bill tomorrow.

Bills Introduced – 07-28-15

Yesterday 64 bills were introduced in the House and Senate. One of those bills may be of specific interest to readers of this blog:

HR 3236 Surface Transportation and Veterans Health Care Choice Improvement Act of 2015 Rep. Shuster, Bill [R-PA-9] 


This is, of course, the bill I mentioned last night. This bill will be considered on the floor of the House today under a closed rule. There will be limited debate and no amendments will be considered. The Export – Import Bank amendment that I mentioned yesterday was rejected by the House Rules Committee.

Tuesday, July 28, 2015

Rules Committee Hearing on Surface Transportation Authorization

The House Rules Committee announced a hearing this afternoon for the consideration of two bills; a VA accountability bill and an extension of the current surface transportation authorization (which expires Friday night) until October 31st. TheHill.com is reporting that the transportation bill would be considered tomorrow and the House would then adjourn for their summer recess, leaving the Senate to approve either the new extension (in HR 3236), accept the previously passed 5 month extension (HR 3038), or let funding for transportation projects stop until the Congress returns in September.


Other than the length of the extension, HR 3236 and HR 3038 have very similar language with the exception that HR 3236 would include Title IV dealing with changes to some Veterans Administration programs. There is also an amendment proposed that the Rules Committee may look at this evening’s hearing that would provide for the extension of the Export-Import Bank Authorization until 2019.

Bills Introduced – 07-27-15

Yesterday there were 35 bills introduced in the House and Senate. Of those one may be of specific interest to readers of this blog:

S 1869 A bill to improve federal network security and authorize and enhance an existing intrusion detection and prevention system for civilian federal networks. Sen. Carper, Thomas R. [D-DE]


This bill is almost certainly the EINSTEIN act that I mentioned in yesterday’s blog about Congressional hearings. If it only addresses Federal cybersecurity this will probably be the last mention of the bill in this blog.

Monday, July 27, 2015

New GAO Report on CFATS Program

Last Friday the Government Accountability Office (GAO) published their latest report on the Chemical Facility Anti-Terrorism Standards (CFATS) program. While the report did identify some areas where the DHS Infrastructure Security Compliance Division (ISCD) needed to improve the CFATS program it generally noted that significant improvements had been made and previously identified problems had generally been corrected.

The GAO Report identifies four areas of concern:

DHS has not taken steps to mitigate errors in some facility-reported data;
DHS does not have reasonable assurance that it has identified all of the nation’s highest-risk chemical facilities;
DHS cannot ensure consistency in how it addresses noncompliance in the CFATS program because it does not have documented processes and procedures; and
DHS’s CFATS performance measure does not reflect security measures that facilities have implemented and that ISCD has verified.

Top Screen Data Reporting

The GAO identifies a problem with the reporting of Distance of Concern DOC for the release of toxic chemicals in the Top Screen. The CFATS Top Screen requires the facility to calculate the down wind distance that a worse case discharge of a toxic release chemical of interest (COI) will cause a significant problem. The tool that facilities are required to use is the EPA’s RMP*Comp.

The user inputs the maximum amount of a Toxic COI that they have on site, enters some other basic information (see pages 42 and 43 of the Top Screen User’s Manual) and the tool calculates DOC which is then reported in the Top Screen. DHS then uses this information as part of its determination of whether or not a facility may be covered under the CFATS program as a facility at high-risk of terrorist attack.

The GAO used available Top Screen data to verify the DOC reported for a ‘a generalizable sample of facilities’. Using that data the GAO report indicates that 44% of the facilities (2,700 facilities) had errors in the reported DOC and about 43% under-reported the DOC. It goes on to note that a common potential reason for the under-reporting may be due to one difference in the way the tool is used to calculate EPA and CFATS DOC information, the CFATS program does not allow facilities to take credit for passive mitigation measures such as dikes around tank farms.

The Report provides an example of a facility with more than 200,000 lbs of anhydrous ammonia  (AA) reported in its Top Screen that reported a DOC of 0.9 miles and GAO found a minimum possible distance of 2.4 miles when they calculated the DOC using R*Comp. I have replicated that work and found that there was no way to come up with a DOC of 0.9 miles regardless of whether or not mitigation measures were used. I suspect that the facility used their largest storage tank data (as they would for EPA reporting) instead of the total amount of AA on site as required by DHS. It is remotely possible that GAO’s figure of 0.9 miles came from the DOC value reported for the Area of Highest Quantity (AHQ) instead of the total COI.

The GAO report notes that ISCD has all of the information in its Top Screen Database necessary to verify the DOC data, but does not choose to do so. The first part is not necessarily true. The RMP*Comp tool, when calculating the DOC for materials that are gasses at 25°C, asks if the material is liquefied, and if liquefied whether it is liquefied by refrigeration or by pressure. That information is not included in the Top Screen and makes a big difference in the DOC. This is not important for most toxic release COI, but it is for AA. Using the Report’s example with AA you could get DOC’s of 2.4 miles (unliquified) 6.5 miles (liquefied under refrigeration) vs 8.0 miles for liquefied by pressure (all in an urban setting).

The thing that the GAO failed to take into account in pointing out this deficiency is that ISCD does not verify any of the information provided in the Top Screen. It is true that they could generally check the DOC value (using the ‘unliquified’ data from RMP*Comp), but that might not give a true picture for all COI. But given the fact that ISCD is accepting all other reported information, it would be unusual for them to pick out this one item that could be partially verified in a portion of the instances where it is reported.

Given the fact that the Report notes that only 43% of the discrepancies that it noted were under-reports, it seems to me that their data would tend to indicate that there were systemic problems with the use of the RMP*Comp tool. As ISCD moves forward with implementing the results of the outside evaluation of their risk ranking methodology, they should consider taking this calculation out of the hands of the facility and do the calculations in-house.

The GAO has two recommendations for this area:


Provide milestone dates and a timeline for implementation of the new Top-Screen and ensure that changes to this Top-Screen mitigate errors in the Distance of Concern submitted by facilities, and
In the interim, identify potentially miscategorized facilities with the potential to cause the greatest harm and verify the Distance of Concern these facilities report is accurate.


Facility Identification

The report outlines the measures that DHS has taken to identify facilities that have not submitted Top Screens, but should have done so. While they had conducted earlier out-reach activities, the effort was expanded after the West Fertilizer incident and the issuance of the President’s Executive Order on Increasing Chemical Facility Safety and Security. As a result of these latest efforts just over 3,000 potentially non-compliant facilities were identified and contacted by DHS.

More than 1500 had already submitted Top Screens; the ‘new’ identification was apparently based on differing naming or location information. Over three hundred were exempted from CFATS regulations. Of the remaining just over 1,000 have now submitted Top Screens and just 24 of those have been designated as high-risk facilities covered under the CFATS program with 44 still pending. ISCD is continuing to investigate other means of identifying potentially non-compliant facilities.

The report indicates an interesting problem. ISCD has asked States for information on the chemical facilities that they regulate as part of this program. California recently complied, identifying over 46,000 facilities (ISCD has only processed 50,000 Top Screens since the program started) which ISCD is now going through. Only 13 other States have supplied similar lists.

The GPO did not provide any recommendations for DHS on this issue.

Compliance Inspection Issues

The Report starts of the discussion of this issue with a review of actions that ISCD has taken to increase their rate of site security plan approvals and notes that ISCD has made substantial improvements in that approval rate. Interestingly, even though the GAO calculated that ISCD would have the approval backlog eliminated next year, they did not mention that the EAP process will almost certainly further accelerate the SSP approval process.

The Report then notes that ISCD has completed 83 compliance inspections of facilities with approved site security plans. There is no discussion of how well that reflects the requirement for ISCD to inspect facilities within one year of their site security plan being approved. The number seems low, but it will almost certainly increase as ISCD has fewer authorization inspections to complete.

The GAO reports that nearly half of the facilities inspected have not completely implemented all of the security measures outlined in their site security plans, which of course means that the facilities are out of compliance. The Report notes that ISCD is working with the facilities to get them into compliance.

The GAO notes that none of the non-compliance sanctions available to the Department (including Compliance Orders, Civil fines and even Cease Operations Orders) have been used by the Department to-date. While ISCD is ‘working with’ the facilities, the GAO reports that they do not have any written processes or procedures in place to document the progress that is being made at those facilities. Nor, apparently, does ISCD have any written processes or procedures in place on how they determine whether or not a facility is in compliance.

The GAO had one recommendation for this area:


Develop documented processes and procedures to track noncompliant facilities and ensure they implement planned measures as outlined in their approved site security plans.


CFATS Performance

The last area of concern identified in the Report concerns the program reporting done by ISCD to DHS. This annual reporting requirement is used by DHS and the GAO to assess program performance and efficacy. One of the pieces of information included in that report is the number of security measures implemented by facilities. The GAO notes that ISCD does not distinguish between those measures implemented before the facility site security plans were approved, which measures have been reported as planned, or which of the planned measures have been implemented. Thus, the GAO reports that the numbers do not reflect changes brought about by the CFATS program and ISCD actions in support of that program.

The GAO had one recommendation for this area:

Improve the measurement and reporting of the CFATS program performance by developing a performance measure that includes only planned measures that have been implemented and verified.

Moving Forward


DHS has acknowledged the four recommendations in the GAO report and has reported their intended actions to be taken in response to those recommendations. GAO confirms that if those actions are taken as reported, the recommendations would be considered as completed.

Improvised Chemical Devices

There are more and more reports coming out of the Middle East of both Syria and IS using improvised chemical munitions. These devices have generally used industrial chemicals (typically chlorine gas) rather than military grade chemical munitions (chlorine was used as the original chemical weapon, but it has long ceased to be considered an effective military grade chemical weapon). There is a brief summary article here that hits some of the high points and recent a New York Times article shows how easy these weapons are to make.

While there is a VERY outside possibility that some of these actual weapons will be sent to the United States, the much higher concern is that the development of very rudimentary weapons point to the fact that they could very easily be made in the United States by anyone with a moderately equipped home workshop. It would be very unusual for IS not to export the knowledge of how to make these weapons.

These are very definitely tactical scale terror weapons. While they do fit the current legal standard for being weapons of mass destruction (WMD) they should more probably be classified as weapons of mass hysteria (WMH). The concentration of these industrial gasses necessary to kill is relatively high and hard to achieve over any substantial area with these types of weapons. A limited number of people could certainly be killed by these weapons, but the hysteria resulting from their use would be much more devastating in both the long run and short run than would be the actual injuries from the chemicals.

It really is not hard to get your hands on some of the chemicals of interest that would be used in these devices. The Chemical Facility Anti-Terrorism Standards (CFATS) program does regulate the security at some facilities that manufacture, store or use, but not all of them by a long shot. Small water treatment facilities are exempt from both CFATS and EPA security programs and they frequently use small cylinders of chlorine gas. Small agricultural users of anhydrous ammonia are not currently under any security regulations.


I suspect that we are going to be hearing more about these types of attacks outside of the current conflict zone in the not too distant future.

Hearings – Week of 07-27-15

With the Summer Recess fast approaching the House and Senate are scrambling to get their agenda’s cleared. There will be a number of interesting hearings going on this week, but only three of specific interest to readers of this blog. All three will deal with various aspects of cybersecurity.

Best Practices

The Cybersecurity, Infrastructure Protection, and Security Technologies Subcommittee of the House Homeland Security Committee will be holding a hearing on Tuesday to look at “Promoting and Incentivizing Cybersecurity Best Practices”. The witness list includes:

∙ Raymond B. Biagini, Covington and Burling
∙ Brian Finch, Center for Cyber and Homeland Security, George Washington University
∙ Andrea M. Matwyshyn, Center for Information Technology Policy, Princeton University

This sounds like it will be a very high-level discussion of the topic with little in the way of specific discussion of best practices and control system security is likely to be completely ignored.

Cyber Threats

It looks like the House Permanent Select Committee on Intelligence will be holding a hearing on “World Wide Cyber Threats” on Thursday. I say looks like because the hearing is listed on the House Committee Calendar pages but not on the Intelligence Committee web site. In any case if this is in fact an open hearing, nothing of earth shattering importance will be mentioned because all of that information is classified. No witness list is available.

Mark-Up Hearing

The Senate Homeland Security and Governmental Affairs Committee will be holding a business meeting on Wednesday that will include the markup of 15 bills (which means minimal actual discussion) including two bills that have not yet been introduced (so I have no idea what they actually say) that apparently deal with cybersecurity issues. They are:

∙ Critical Infrastructure Protection Act of 2015
∙ EINSTEIN Act of 2015

The first bill is likely to be an EMP – Geomagnetic Storm bill, but could really cover just about anything. The second is almost certainly a bill to authorize DHS to implement EINSTEIN 3 across the federal computer system landscape with a possibility of making it available to private critical infrastructure facilities.

On the Floor

There are a number of TSA bills (airport security side) that will be considered in the House this week under suspension of the rules. The only other thing of interest is the possibility of HR 1735 coming out of Conference. It will be interesting to see what cybersecurity provisions remain in that mashup. We will also have to wait and see if the President will hold his nose and actually sign the bill once it passes.


Friday, July 24, 2015

S 1806 Introduced – Auto Cybersecurity

Earlier this week Sen. Markey (D,MA) introduced S 1806, Security and Privacy in Your Car Act of 2015, or SPY Car Act of 2015. While this bill was introduced on the same day as the notorious Wired article about the Jeep Cherokee hack was published, this bill marks the culmination of an ongoing interest by Markey on this topic.

Definitions

The bill starts out by adding some new cybersecurity related definitions to 49 USC 30102. The following terms were added:

Critical software systems;
Driving data;
Entry points; and
Hacking.

Of the four the first and last two are most critical from a control system cybersecurity perspective.

The term ‘critical software systems’ was specifically limited to “software systems that can affect the driver’s control of the vehicle movement” {new §30102(a)(3)}. This means that other control systems related to signals, lights, locks and windshield wipers for example are excluded from the definition.

‘Entry points’ are those means by which someone can access driving data or through which control signals can be sent into the system. The term is specifically defined to include wired or wireless connections.

The term ‘hacking’ is given pretty broad definition as “the unauthorized access to electronic controls or driving data, either wirelessly or through wired connections”. There is no discussion of who (the auto manufacturer or vehicle owner) can provide authorized access.

Cybersecurity Standards

The bill then goes on to add a new section to 49 USC, §30129 addressing cybersecurity standards that would apply to vehicles manufactured two years after regulations implementing this new statute take effect. Three areas are covered in these standards:

Protection against hacking;
Security of collected information;
Detection, reporting, and responding to hacking.

The protection against hacking provisions require that the covered vehicles are {new §30129(a)(2)}:

Equipped with reasonable measures to protect against hacking attacks;
Incorporating isolation measures to separate critical software systems from noncritical software systems;
Evaluated for security vulnerabilities following best security practices, including appropriate applications of techniques such as penetration testing; and
Adjusted and updated based on the results of the evaluation.

The information security provisions of the new section deal with protecting the data collected by onboard ‘electronic systems’. The provisions include protecting data stored in the vehicle, in transit to undefined other locations, and in storage in those off-vehicle locations. The protected data is not limited to that obtained from ‘critical software systems’.

The final standard pertaining to hacking is the most broadly written. It states {§30129(a)(4)}:

“Any motor vehicle that presents an entry point shall be equipped with capabilities to immediately detect, report, and stop attempts to intercept driving data or control the vehicle.”

Once the regulations are written implementing these standards, violations of the standards could result in a civil penalty “of not more than $5,000 for each violation” {§30129(b)}. This paragraph references 49 USC 30165 for the application of this penalty so it is clear that the penalty could be assessed on each vehicle or part of a vehicle covered under the violation for up to a total of $5 million.

Privacy Protections

Section 4 of the bill relies on the Federal Trade Commission to provide additional privacy protections. The FTC is required to develop regulations addressing the following automotive information protection requirements {new 15 USC 57d}:

Notice of the collection, transmission, retention, and use of driving data collected from such motor vehicle;
The option of terminating the collection and retention of driving data;
Continued access to navigation tools or other features or capabilities; and
Prohibition of the use any information collected by a motor vehicle for advertising or marketing purposes without affirmative express consent by the owner or lessee.

Moving Forward

I think that thanks to Charlie Miller and Chris Valasek there is an increased understanding of the potential severity of the problem. This will be reinforced when they give their talk about the Jeep Cherokee hack at Black Hat next month. There will be some more hearings; probably including a command performance by Miller and Valasek with an FCA executive sitting at the table next to them. But some sort of legislation like this will almost certainly move forward during the 114th Congress.

Markey is a member of the Senate Commerce, Science and Transportation Committee which is tasked with considering this bill and the Subcommittee which will take the lead on this legislation. So he is in a good position to move this bill through the Committee side of the equation. It remains to be seen if he can convince Chairman Thune to work to move the bill to the floor.

With the surface transportation bill starting to move forward in the Senate, it would not be unusual for Markey to try to get this added to that bill as a floor amendment. It is a bit early in the process for this to be effective, but it would provide an interesting gauge of how well this type of bill would do on the floor of the Senate.

Commentary

The first problem that I see with this bill is that it relies on the DOT in consultation with the FTC to establish control system security regulations for automobiles. While I understand that DOT is responsible for automotive safety (and this is clearly a safety issue) I don’t believe that they have the necessary in-house expertise to establish and enforce workable automotive control system cybersecurity regulations.

While DHS has generally been given responsibility for cybersecurity regulations, I don’t think that anyone there has given any serious thought to control system cybersecurity regulatory issues. TSA, which has the transportation security mandate, certainly has not and their surface transportation security folks have over the last five years or so demonstrated a marked inability to get around to writing mandated security regulations.

What probably needs to happen here is that the bill needs to include ICS-CERT as a consultive partner on this regulatory scheme and that organization needs to be beefed up with some regulatory expertise to actually be of help in this type of situation. While we are talking about ICS-CERT we need to consider that they are going to have to add some expertise in automotive control systems as they are obviously going to have to be dealing with automotive control system issues going forward.

The next problem is the unnecessarily limited definition of ‘critical software systems’. In fact, limiting the problem to ‘software systems’ could be construed to eliminate large portions of the cyber-physical systems used to control modern motor vehicles. Given the recent work by Corey Thuen at Digital Bond Labs on can bus issues (see for example here) it seems to me that the definition of ‘critical software systems’ needs to be much more expansive. Even if we limit that definition to other cyber-physical systems like lights and windshield wipers, the definition needs to include all of the safety systems for the vehicle.

The bill needs to include specific provisions for the discovery, reporting and mitigating of new vulnerabilities once the vehicles are on the road. This will almost certainly be a function for the National Highway Transportation Safety Administration, but is needs to be specifically spelled out in the bill. This would have to include specific authority for NHTSA to order (if necessary) an automotive manufacturer to fix a cyber defect reported to NHTSA by a security researcher.

Finally, and perhaps most importantly, we are going to need to have a serious discussion about who can authorize access to the various electronic systems in vehicles. The automotive industry has long maintained that they own those systems and only license their use to the vehicle owner. This potentially means that a bill like this would make it a federal criminal offense for a non-manufacturer authorized auto shop to access information in the vehicle control system for diagnostic testing, much less make changes to the tuning specifications for the engine to improve engine performance or increase fuel efficiency. Because of the wide definition of hacking provided here, even changing out a vehicle sensor with a factory replacement by the owner could be considered hacking under the bill if the manufacturer is the only one who can authorize access.

As a serious first pass at automotive cybersecurity legislation this looks like a pretty good bill. It still needs a lot of significant work and some serious input from the control system security community.

Bills Introduced – 07-23-15

Yesterday there were 70 bills introduced in the House and Senate. Only one of those may be of specific interest to readers of this blog:

S 1846 A bill to amend the Homeland Security Act of 2002 to secure critical infrastructure against electromagnetic threats, and for other purposes. Sen. Johnson, Ron [R-WI]


Given yesterday’s hearing of the Senate Homeland Security and Governmental Affairs Committee on the subject, I suspect that the ‘electromagnetic threats’ referenced in the title of this bill refer to electromagnetic pulse (EMP) and geomagnetic storms. We will have to wait and see if this is just another study/planning bill or if it actually outlines very expensive measures to protect CI against these low probability, high consequence events.

Thursday, July 23, 2015

ICS-CERT Corrects Error in Siemens RuggedCom Advisory

This afternoon the DHS ICS-CERT updated the advisory that it had issued earlier this week for the Siemens RuggedCom Devices. The update corrects an error in list of affected products.

The original advisory listed “RuggedCom devices with ROX: All firmware versions prior to v2.6.3”. The new version shows “RuggedCom devices with ROX II: All firmware versions” and then specifically notes that “ROX I” devices are not affected. This change reflects the information that was printed in the original Siemens Advisory and is not because of any change initiated by Siemens.

I learned of the updated version from a Tweet made by ICS-CERT. The changed advisory is not on top of the list of advisories provided on their landing page that would typically indicate that it was added today. What has been done is that the original listing made on July 21st has been changed to reflect the new advisory number (‘A’ added to the end of the original) and has the words “Update A” added at the end of the title.

Since we saw the same thing last week with the updated Schneider advisory, I think that this may reflect a change in the way that ICS-CERT is running their list of vulnerabilities. The list on the landing page will only show the vulnerability listing on its original order making it very difficult to tell when an advisory is updated. And the older advisories drop off the landing page as new ones are added. Fortunately they are announcing the updates on Twitter (@ICS-CERT) so we can keep track of them that way as long as they continue to do this.


Transportation Security Subcommittee Amends and Adopts 3 Bills

Today the Transportation Subcommittee of the House Homeland Security Committee met to markup three bills. Two of the bills (HR 3102 and HR 3144) dealt exclusively with airport security issues, but the third bill (not yet introduced) did deal with surface transportation security issues that I addressed in an earlier blog.

Surface Transportation Security Amendments

The Subcommittee did amend the Transportation Security Administration Reform and Improvement Act of 2015. One of the amendments dealt with redress issues in the portion of the bill dealing with airport personnel security checks. The only other amendment replaced §203, the section that I took objection to in my earlier post.

The new §203 continues to deal with security training issues related to front line employees in public transportation and over-the-road bus-lines. Instead of eliminating the current requirement for TSA to establish requirements for such training programs the new section requires a report by the TSA Administrator on the status of the implementation of 6 USC 1137 and 6 USC 1184, the statutory sections requiring such training. The report is to address the specific challenges TSA has had in establishing regulations requiring the provision “of basic security training to public transportation frontline employees and over-the-road bus frontline employees for preparedness for potential security threats and conditions”

Commentary

The original bill and the amended version both completely ignore the fact that a similar security training program requirement for freight railroads (6 USC 1167) has also been effectively ignored by the TSA.

Completely missing from the bill now is any reference to the two sections mentioned in the earlier version requiring vetting of those personnel against the TSDB. While I am glad to see that the Subcommittee decided not to eliminate those provisions, I was disappointed in seeing that there was no requirement for TSA to explain why 6 USC 1140 and §1520 of the 9/11 Commission Act of 2007 had not been complied with any better than had the training requirements.


While the security awareness training of public transportation employees is important, I think that it is much more important to ensure that those employees are not known to have associations with terrorist organizations. As the recent attack by a trusted vendor delivery driver at the Air Products facility in France last month showed us, failure to check personnel against such lists puts people at risk.

Bills Introduced – 07-22-15

Yesterday there were 47 bill introduced in the House and Senate. Only one of these may be of specific interest to readers of this blog:

S 1828 A bill to strengthen the ability of the Secretary of Homeland Security to detect and prevent intrusions against, and to use countermeasures to protect, government agency information systems and for other purposes. Sen. Collins, Susan M. [R-ME]

Since this bill is mainly directed at internal Federal government cybersecurity it probably won’t receive further mention in this blog. Except there is always that ‘and for other purposes’ tacked on to the end of the title that may mean interesting things have been added to this bill.

Wednesday, July 22, 2015

ICS-CERT Publishes Automotive Alert

Today the DHS ICS-CERT published an alert for yesterday’s report of the hack on a Jeep Cherokee. This is the same hack that most of the control system cybersecurity community was discussing yesterday on social media.

ICS-CERT notes that the unnamed researchers (we are playing that game again) have been in contact with Fiat-Chrysler Automotive (FCA) for about 9 months about the vulnerability and FCA published a security notice [Note: there are minor problems with the link on the Alert] and firmware update on the problem last week. There is also an FCA blog post (entitled “Unhacking the hacked Jeep”; nice catchy title) explaining the situation.

It seems to me that this should have been an advisory (with appropriate credit to the researchers) instead of an alert. While ICS-CERT may not have been involved, there was enough coordination that the vendor was able to get a patch out a week before the demonstration (not exploit code) was released to the public.

This alert did nothing more than make ICS-CERT look late and ineffective.


BTW: It will be interesting to see if other automakers using the Uconnect system will publish their own alerts or just offer the patch.

EAP Submission Process – A Simplified Explanation

Almost two weeks ago now I published a description of how I understood the Expedited Approval Program (EAP) submission process would be run. It was based upon a discussion with some people who had a high-level understanding of the process, but who had never actually gone through the process. On top of that it was a phone conversation without visual aids so what I thought I understood what they were saying may have been off just a tad.

Well today, I got hold of some screen shots from the CSAT tool and I don’t think that my explanation could have been further from the actual process if I had tried to write something wrong. So with apologies for the earlier disinformation here goes.

Notification Process

A facility that wants to use the EAP is required to notify the DHS Infrastructure Security Compliance Division (ISCD) at least 30 days in advance of their intention to do so. The process is very simple; sign in to the Chemical Security Assessment Tool as is normal and if the facility is eligible for the EAP (final risk assignment to Tier 3 or Tier 4) you will see the following on the left side of the CSAT main page.



The green arrow (which won’t be there on your CSAT screen) in the box points to the button that must be selected to make the notification. That’s all there is to it. You will see a dialog box that will inform you of when (30-days after the notification) the EAP Upload will be available for your use. You will also notice that the Site Security Plan line on the CSAT page will be replaced by an EAP line.



Forget my earlier instructions about using the SSP Questions Manual. You will not be using it. You will want to get your copy of the DHS Guidance for the Expedited Approval Program. The owner of the facility will have to fill out and sign pages 60-61 or some other document that includes the same information. This will then have to be saved electronically as a .PDF, .DOC or .DOCX file. You can do the same thing for pages 64 thru 91 (not required to be signed) or make up a document that contains essentially the same information saved in one of the same document types. You are also going to need a diagram of your facility saved in the one of the same formats or .JPG, .PNG, .GIF, or .BMP.

Then you will sign back into the CSAT page and click on the ‘UPLOAD’ button on right side of the EAP line. This will take you to an upload page like than shown below.

Then it is just a matter of selecting the files that will be included in the upload (the top three at a minimum) and then pressing the ‘Upload’ button. And that is all that it takes to complete your portion of the EAP submission process.


Once the submission is complete, DHS has 100 days to approve or disapprove the EAP. If they disapprove it they will provide a detailed explanation of what must be done to correct the submission.

FRA Notifies Railroads that SERC Notifications Will Continue

The DOT’s Federal Railroad Administration (FRA) announced today that it was sending a letter to railroads that they were going to continue to require railroads to make notifications to “State Emergency Response Commissions (SERCs) and Tribal Emergency Response Commissions (TERCs) of the expected movement of Bakken crude oil trains through individual states and tribal regions”. That requirement comes from an Emergency Order issued in May 2014 affecting all trains carrying more than million gallons of crude oil from the Bakken oil fields.

Conflict with OMB

The HHFT final rule issued by Pipeline and Hazardous Material Safety Administration (PHMSA) in May actually contained provisions that cancelled the reporting requirements from the Emergency Order effective March 31st, 2016; the day before the railroads were to have completed their route selection requirements under the revised 49 CFR 172.820.

The FRA had notified the OMB’s Office of Information and Regulatory Affairs (OIRA) of their intent to continue this reporting requirement until a new regulation on Oil Spill Response Planning could codify the requirements when they sought routine approval of the information collection request (ICR) supporting this reporting requirement. OIRA only approved the ICR thru March 31st of next year noting that:

“Per the joint PHMSA-FRA HHFT final rule (RIN 2137-AE91), the information collection requirements in the May 7, 2014 emergency order remain in effect until March 31, 2016. OMB is therefore approving this collection until that date. FRA may submit a request to continue this collection after soliciting public comment per the PRA's [Paperwork Reduction Act; specifically 44 USC 3506(c)] requirements.”

This does not mean, that the extension of the ICR will not be approved, but it does mean that the railroads will have another political opportunity to derail the effort.

Rail Routing Information is SSI

Because of the changes that the HHFT final rule made to §172.820 the routing information of highly-hazardous flammable trains (HHFT) is protected as Sensitive Security Information (SSI) under 49 CFR 15 and 49 CFR 1520. And the crude oil trains covered in the Emergency Order are certainly covered under the HHFT definition.

One of the reasons that railroads had objected to sharing the information required in the Emergency Order was that it was specifically not protected under SSI procedures. This left the public dissemination of that information up to the discretion of the local agency and the State rules that governed information sharing. And, as the railroads feared, much of that information was released to the public; making it accessible to people that might attempt to disrupt the flow of those trains.

The wording of §172.820(h)(2) makes it clear that the protected information is limited to the routing information not the volume or type of oil carried or the frequency with which the trains would traverse the selected routes. A close reading of the regulation would seem to indicate that the routing information does not actually become SSI until the first time that the railroads complete their route analysis under §172.820(c). That won’t officially be done until April 1st, 2016.

The FRA could have adopted the position in today’s letter to the railroads that for the purpose of moving forward with the continued notification and updates to SERTS that the routing portion of the information provided could be classified as SSI under authority of §172.820(c), thus pre-empting State and local sunshine act or freedom of information act laws for that information. Thus, SERTS would be required to only share that information with personnel with a need to know which would certainly include local emergency response and emergency planning agencies. The FRA obviously chose not to do so, adhering to the tightest interpretation of the rule.


This will have to be an issue that FRA addresses when they go back and re-submit the ICR for and extension of the reporting requirement past March 31st, since after that date the routing information is clearly protected from public disclosure under the banner SSI.

Bills Introduced – 07-21-15

A total of 57 bills were introduced in the House and Senate yesterday. Only two of them may be of specific interest to readers of this blog:

HR 3128 Making appropriations for the Department of Homeland Security for the fiscal year ending September 30, 2016, and for other purposes. Rep. Carter, John R. [R-TX-31]

S 1806 A bill to protect consumers from security and privacy threats to their motor vehicles, and for other purposes. Sen. Markey, Edward J. [D-MA]

A copy of HR 3128 is available from the GPO is available and I will be reviewing it later today for specific information on chemical security and cybersecurity. I don’t expect to find any in the actual bill, but when the Committee Report on the bill is published I will almost certainly find items of interest upon which I will be reporting.

Sen. Markey’s bill introduced yesterday had a significant boost by an article posted on Wired.com about a live hack of a vehicle on a public road way. I suspect that action on this bill (or others sure to come) may be accelerated because of this stunt.


Homeland Security Committee Announce Markup Hearing for Thursday

This morning the House Homeland Security Committee announced that their Transportation Security Subcommittee would be holding a markup hearing on Thursday. Three bills would be included in the markup:

H.R. 3102, the “Airport Access Control Security Improvement Act of 2015”.
H.R. ____, the ‘‘Partners for Aviation Security Act”.
Committee Print of H.R. ___, the “Transportation Security Administration Reform and Improvement Act of 2015”.

The first two bills are airport security bills pure and simple, so I intend to ignore them. The third bill contains two titles; the second being “Surface Transportation Security”. That means that it is fair game in this blog.

Surface Transportation Security Changes

This Title contains three sections:

Sec. 201. Surface Transportation Inspectors.
Sec. 202. Repeal of biennial reporting requirement for the GAO relating to the Transportation Security Information Sharing Plan.
Sec. 203. Repeal of frontline employee training requirements.

Section 201 outlines a new reporting requirement for the Comptroller Generals Office concerning “the efficiency and effectiveness of the Administration’s 4 Surface Transportation Security Inspectors Program” {§201(b)}. From the tenor of the items to be addressed in the report, the author (almost certainly the Committee Staff) don’t think much of the current crop of Surface Transportation Inspectors. It looks like they want the responsibility for this program to revert to the DOT modal agencies.

Section 202 removes a reporting requirement for the Comptroller Generals Office established in 49 USC 114(u)(7). This is a biennial reporting requirement on a user satisfaction survey concerning “the quality, speed, regularity, and classification of the transportation security information products disseminated by the Department of Homeland Security to public and private stakeholders”.

Section 203 removes the requirement for TSA to establish employee security training programs that were originally required under the 9/11 Commission Act of 6 2007 (Public Law 110–53). Those programs are:

Public transportation security training program {6 USC 1137};
Over-the-road bus security training program {6 USC 1184}

There are two other programs included in the elimination program set out in this section that have nothing to do with employee training; they both deal with employee threat assessment programs:

Threat assessments (public transportation) {6 USC 1140};
Threat assessments (railroad) (§1520 of the 9/11 Commission Act of 6 2007}

Both of those threat assessment requirements use virtually the same wording:

“Not later than 1 year after the date of enactment of this Act, the Secretary shall complete a name-based security background check against the consolidated terrorist watchlist and an immigration status check for all railroad frontline employees, similar to the threat assessment screening program required for facility employees and longshoremen by the Commandant of the Coast Guard under Coast Guard Notice USCG-2006-24189 (71 Fed. Reg. 25066 (April 8, 2006)).”

Commentary

TSA has never actually gotten around to establishing any of the programs mentioned in §203, so as a practical matter eliminating them does not make much difference. And since everyone knows (pardon the sarcasm) that terrorists never attack public transportation, there really is no need for security training of front line employees in that sector.


Likewise, there is no chance (again sarcasm alert) that terrorists would want to become railroad employees to effect an attack. And we know that terrorists have made no attempt to radicalize Americans as a part of an effort to encourage lone wolf attacks in this country. With both of those facts established, there is obviously no need to vet first line surface transportation employees against the TSDB.

Tuesday, July 21, 2015

ICS-CERT Publishes 4 Advisories – Three for Siemens

This afternoon the DHS ICS-CERT published four new advisories for control system security issues. Three of the advisories were for products from Siemens (RuggedCom, Smart Client and Siprotec) and the other was for another Hospira infusion pump.

Hospira Advisory

This advisory reports that a new unnamed vulnerability found in the Symbiq Infusion System, in conjunction with previously reported vulnerabilities reported in the Hospira infusion pump line of products allow the product to be “remotely directed to perform unanticipated operations”. Billy Rios originally reported the vulnerability. Hospira has developed operational mitigation measures to stop a remote exploit of this vulnerability.

ICS- CERT reports that: “As previously announced by Hospira in 2013, the Symbiq Infusion System would be retired on May 31, 2015, and will be fully removed from the market by December 2015.” This advisory was originally released to the US-CERT Secure Portal on June 23rd. This is probably the advisory that I reported hearing rumors about earlier this month.

ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability.

The operational mitigation measures include:

“Disconnect the affected product from the network. Disconnecting the affected product from the network will have operational impacts. Disconnecting the device will require drug libraries to be updated manually. Manual updates to each pump can be labor intensive and prone to entry error.

“Ensure that unused ports are closed, to include Port 20/FTP and Port 23/TELNET.

“Hospira strongly recommends that healthcare providers contact Hospira’s technical support to change the default password used to access Port 8443 or to close Port 8443. Contact Hospira’s technical support at 1-800-241-4002. Hospira is working directly with Symbiq customers to update the configuration of the pump to close access ports.”

Commentary – Disconnect the pumps from the network? We know that is not a fail safe action. Besides how many of the technicians and nurses have experience updating the drug libraries manually? In my opinion (if anyone didn’t already suspect) Hospira/FDA/Owners should have already pulled these devices from use. I see law suits in the future.

Siemens RuggedCom Advisory

This advisory describes a TLS POODLE vulnerability in Siemens RuggedCom ROS and ROX-based devices. This is apparently a self-identified vulnerability. Siemens has developed a firmware update for this vulnerability.

ICS-CERT reports that a social engineering attack would be required to exploit this vulnerability.

The Siemens Advisory notes that the current firmware update is just for the ROS based devices and that work is continuing on the ROX based device update.

Siemens Sm@rt Client Advisory

This advisory describes a password storage vulnerability in the Siemens Sm@rtClient Android application. The vulnerability was reported by Karsten Sohr from Universität Bremen and Stephan Huber from Fraunhofer SIT. Siemens has produces a new version of the application that mitigates the vulnerability. There is no indication that the researchers have been given the opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker with local access to the mobile device could obtain the password. This could allow a successful attacker remote mobile operation and observation of SIMATIC HMI systems.

Siemens SIPROTEC Advisory

This advisory describes a denial of service vulnerability in SIPROTEC 4 and SIPROTEC Compact devices. The vulnerability was reported by Victor Nikitin from i‑Grids LLC. Siemens has produced a firmware update to mitigate the vulnerability, but there is no indication that Nikitin has been given the opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to effect a denial of service attack and a manual re-boot is required to return the device to service.

There is a minor discrepancy in the description of the affected devices. ICS-CERT reports the affected devices as:

“SIPROTEC 4 and SIPROTEC Compact product families
“All devices that include the EN100 Ethernet module version V4.24 or prior”

The Siemens Advisory, on the other hand, describes the affected devices this way:

“SIPROTEC 4 and SIPROTEC Compact product families: All devices where the Ethernet module EN100 with version V4.24 or lower is included.”


I am pretty sure, however, that owners of these devices would pretty quickly figure out that the ICS-CERT verbiage is meant to describe what Siemens reported.
 
/* Use this with templates/template-twocol.html */