Tuesday, May 31, 2016

ICS-CERT Publishes Two Advisories

This morning the DHS ICS-CERT published two control system advisories from products from ABB and Moxa.

ABB Advisory 


This advisory describes multiple credential vulnerabilities in the ABB PCM600. The vulnerabilities were reported by Ilya Karpov from Positive Technologies. ABB has produced a new version to mitigate the vulnerabilities. There is no indication that Karpov has been provided an opportunity to verify the efficacy of the fix.

The vulnerabilities include:

• Use of password hash with insufficient computational effort - CVE-2016-4511; and
• Insufficiently protected credential - CVE-2016-4516, CVE-2016-4524, and CVE-2016-4527
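The first of those CVE entries is the CWE-916 pattern (a fast, unsalted hash of the password), and the practical consequence is worth seeing rather than reading about: an attacker who has copied the credential store can test guesses against a fast hash at hardware speed, while a salted, deliberately slow KDF makes each guess cost roughly as much as a real login. The script below is an added example for this post; it is not ABB code and says nothing about how PCM600 actually stores its credentials. The sample password, the wordlist, the store_weak/store_strong names and the PBKDF2 iteration count are illustration choices.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Iterable, Optional

# Constructed sample credential and wordlist for the demonstration (not from any product).
SAMPLE_PASSWORD = "Summer2016"
SAMPLE_WORDLIST = ["password", "admin", "Summer2015", "Summer2016", "abb123"]


def store_weak(password: str) -> str:
    """CWE-916 pattern: one fast, unsalted hash of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def verify_weak(password: str, stored: str) -> bool:
    return hmac.compare_digest(store_weak(password), stored)


def store_strong(password: str, iterations: int = 200_000,
                 salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow KDF (PBKDF2-HMAC-SHA256 here). The iteration
    count and salt are stored with the hash so the cost can be raised later."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    alg, iterations, salt_hex, dk_hex = stored.split("$")
    if alg != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack(stored: str, candidates: Iterable[str],
          verify: Callable[[str, str], bool]) -> Optional[str]:
    """Offline dictionary attack, i.e. what someone with a copy of the
    credential store does. Returns the recovered password or None."""
    for guess in candidates:
        if verify(guess, stored):
            return guess
    return None


def guesses_per_second(verify: Callable[[str, str], bool], stored: str,
                       seconds: float = 0.2) -> float:
    """Rough throughput of the attack loop against one stored hash."""
    deadline = time.perf_counter() + seconds
    count = 0
    while time.perf_counter() < deadline:
        verify("wrong-guess-%d" % count, stored)
        count += 1
    return count / seconds


if __name__ == "__main__":
    weak = store_weak(SAMPLE_PASSWORD)
    strong = store_strong(SAMPLE_PASSWORD)
    print("weak  :", crack(weak, SAMPLE_WORDLIST, verify_weak),
          f"{guesses_per_second(verify_weak, weak):,.0f} guesses/s")
    print("strong:", crack(strong, SAMPLE_WORDLIST, verify_strong),
          f"{guesses_per_second(verify_strong, strong):,.0f} guesses/s")
```

Both stores give up the sample password to the wordlist; the difference is the rate, which is why the fix for this class of finding is a slow, salted KDF (and, for the 'insufficiently protected credential' entries, not leaving the secret recoverable at all), not a faster hash with a longer output.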

ICS-CERT reports that a relatively unskilled attacker with local access to the computer running PCM600 could exploit these vulnerabilities to edit the main application or gain access to PCM600 or connected devices.

ABB publishes a Cyber Security Deployment Guideline for the PCM600.

Moxa Advisory


This advisory describes a firmware overwrite vulnerability in the Moxa UC 7408-LX-Plus. The advisory reports that ICS-CERT was notified by ‘a third-party’ that identified the vulnerability. A thinking reader might guess that the ‘third-party’ was someone associated with the investigation of the Ukraine power outage (see pg 4, a third-of-the-way down the page). Moxa has produced instructions for a workaround, but no firmware update (ironically) is expected because the device has been discontinued.

ICS-CERT reports that a relatively unskilled attacker…. Nope they actually said that: “Crafting a working exploit for this vulnerability would be difficult. Root level access is necessary for this exploit. This decreases the likelihood of a successful exploit.” The fact that an actual exploit has been very publicly executed will be used to cast aspersions on all future uses of this phrase by ICS-CERT.


Interesting side note in the advisory. It seems like a successful exploit of this vulnerability essentially bricks the device beyond recovery.

Monday, May 30, 2016

HR 5312 Introduced – Cyber Research

Last week Rep. LaHood (R,IL) introduced HR 5312, the Networking and Information Technology Research and Development Modernization Act of 2016. The bill would make a number of amendments to the High-Performance Computing Act of 1991 (15 USC Chapter 81); mostly replacing the words ‘high-performance computing’ with ‘networking and information technology’ which changes the focus of this federal research and development program. There are some changes, however, that may be of specific interest to readers of this blog.

Cyber-Physical Systems and Security


The bill would add two new definitions to §5503:

‘Cyber-physical systems’ means physical or engineered systems whose networking and information technology functions and physical elements are deeply integrated and are actively connected to the physical world through sensors, actuators, or other means to perform monitoring and control functions;

‘Networking and information technology’ means high-end computing, communications, and information technologies, high-capacity and high-speed networks, special purpose and experimental systems, high-end computing systems software and applications software, and the management of large data sets;

The failure to include ‘cyber-physical systems’ in the definition of ‘networking and information technology’ means that most of the remainder of this bill remains focused on IT systems, not control systems. There are, however, two places in the newly renamed ‘Networking and Information Technology’ section (§5511) where cyber-physical systems are specifically addressed in the outline of an on-going federal research program.

First it calls for research on increasing the “understanding of the scientific principles of cyber-physical systems and improve the methods available for the design, development, and operation of cyber-physical systems that are characterized by high reliability, safety, and security” {new §5511(a)(1)(J)}. This would be basic research on cyber-physical systems.

Next, the bill would expand that level of research into applications by calling for “a research framework to leverage cyber-physical systems, high capacity and high speed communication networks, and large-scale data analytics to integrate city-scale information technology and physical infrastructures” {new §5511(a)(1)(M)}.

Moving Forward


While LaHood is not a member of the House Science, Space, and Technology Committee, most of his seven co-sponsors are (including both the Chair and Ranking Member) so this bill will have no problem moving forward in Committee. In fact, the first markup of the bill was held before it was introduced.

Similar versions of this bill (HR 967 and HR 3834) were introduced in the last two Congresses and were passed out of Committee. Neither ever made it to the floor of the House for consideration. I do not see anything that would indicate that this bill has any better chance, particularly since it was introduced so late in the Session.

Commentary


There are two interesting things in this bill. The first is that the definition of ‘cyber-physical systems’ is written so that it is specifically not the same as the definition of an industrial control system. This definition encompasses a small subset of ICS that incorporate such a large number of sensors and actuators that a large-scale data processing operation is required for successful operation. I do not think that any system in use today qualifies. Rather we are looking at the type of system that would be employed for autonomous transportation systems or true smart-grid operations.


The second item of interest here is that the bill would remove §5543 that authorizes separate spending for the program. That section has not been updated since 2004 and thus no spending authorized since 2007, but it at least provided some sort of basis for funding the program. Without that provision we are left with the §5511(c) requirement that the individual agencies in the federal government that have responsibilities under the program provide for their funding out of otherwise appropriated monies. So much for this being an important program.

Friday, May 27, 2016

Amendments to S 2943, FY 2017 NDAA – 5-26-16

Yesterday the Senate continued consideration of S 2943, the FY 2017 National Defense Authorization Act. An agreement was reached to continue consideration on June 6th when the Senate returns from their Memorial Day weekend. During the day yesterday a total of 134 amendments were offered for consideration. Two of those amendments may be of specific interest to readers of this blog:

The Amendments


The two amendments of potential interest were

SA 4244 (pg S3302) – Sen. Reed (D,RI) - SEC. 1097. Cybersecurity transparency.
SA 4303 (pg S3322) – Sen. Portman (R,OH) - SEC. 526. Plan to meet the demand for cyberspace career fields in the reserve components of the air force.

The Reed amendment is essentially identical to S 2410 introduced by Reed in December, 2015 establishing cybersecurity expertise requirements for corporate boards. The language does specifically include “industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers” {new §1097(a)(3)(B)} in the definition of ‘information system’.

The Portman amendment would require the Air Force to report to Congress on their plan “for meeting the increased demand for cyberspace career fields in the reserve components of the Air Force, in accordance with the recommendations of the National Commission on the Structure of the Air Force” {new §526(a)}.

Moving Forward


The Senate has only reached agreement on the consideration of one amendment so far (and it is not one of the amendments of concern here), but I expect that we will see a lot more movement when the Senate returns. Either of these two amendments could easily be adopted if they were to be considered in the floor debate.


The Reed amendment is not really a DOD related topic, but the Senate rules are quite generous about the topics that can be added in the amendment process. It all depends on how much political will Reed and any other amendment supporters can bring to bear on the Senate leadership.

Bills Introduced – 05-26-16

Yesterday with the House and Senate preparing to leave Washington for an extended Memorial Day Weekend there were 72 bills introduced. Three of those may be of specific interest to readers of this blog:

HR 5368 To direct the Department of Transportation to issue regulations to require enhanced security measures for shipments of security sensitive material, and for other purposes. Rep. Norton, Eleanor Holmes [D-DC-At Large]

S 3000 An original bill making appropriations for the Department of Defense for the fiscal year ending September 30, 2017, and for other purposes. Sen. Cochran, Thad [R-MS]

S 3001 An original bill making appropriations for the Department of Homeland Security for the fiscal year ending September 30, 2017, and for other purposes. Sen. Hoeven, John [R-ND]

Norton’s bill would seem to be bypassing the surface transportation folks at TSA to put the onus for security regulations back on DOT. One can sympathize, for while DOT is slow in the rule making game, the surface transportation folks at TSA move slower than a weekend security line at the Chicago airport.


These two spending bills will probably be considered in the Senate next month. After seeing the games played in the House with the THUD spending bill, I will be surprised to see either of these bills considered in the House. We are almost certainly looking at a continuing resolution and a post-election omnibus again this year, despite the best efforts of the Senate.

Amendments to S 2943, FY 2017 NDAA – 05-25-16

On Wednesday the Senate voted 98 – 0 on a cloture vote to proceed with consideration of S 2943, National Defense Authorization Act for Fiscal Year 2017. Additionally, 93 new amendments were proposed to be considered for that bill. Two of those amendments may be of specific interest to readers of this blog:

SA 4205 (pg S3212) – Sen. Rounds (R,SD) - SEC. 1227. Imposition of sanctions with respect to significant activities undermining cybersecurity conducted on behalf of or at the direction of the government of Iran; and

SA 4226 (pg S3221) – Sen. Cantwell (D,WA) - SEC. 1641. Pilot program on training for national guard personnel on cyber skills for the protection of industrial control systems associated with critical infrastructure.

The Amendments


SA 4205 is almost identical to S 2756 that had been introduced by Rounds last month.

SA 4226 would require the Chief of the National Guard Bureau to establish a pilot program “to provide National Guard personnel with training on cyber skills for the protection of industrial control systems associated with critical infrastructure” {new §1641(a)}. The three year pilot program would be designed to “permit personnel who receive such training to assist National Guard Cyber Protection Teams in carrying out activities to protect systems and infrastructure” {new §1641(c)}. A report to Congress would be required after the pilot program was completed.

Moving Forward



It is still too early to see which amendments will actually reach the floor for consideration. The publication of the Congressional Record for Thursday’s session later today may include a partial listing of the amendments that will be considered, but we will probably not know until the Senate returns from their Memorial Day weekend on June 6th exactly what all of those favored amendments will be.

Thursday, May 26, 2016

ICS-CERT Publishes Three Advisories

This morning the DHS ICS-CERT published three control system security advisories for products from Black Box, Sixnet and Environmental Systems Corporation.

Black Box Advisory


This advisory describes a credential management vulnerability in the Black Box AlertWerks ServSensor devices. The vulnerability was reported by Lee Ryman. Black Box has produced a new firmware version to mitigate the vulnerability and Ryman has verified the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to gain access to system passwords.

Sixnet Advisory


This advisory describes a hard-coded credential vulnerability in the Sixnet BT series routers. The vulnerability was reported by Neil Smith. Sixnet has produced a new firmware version and updates to mitigate the vulnerability. There is no indication that Smith has been provided the opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could use publicly available exploits to remotely exploit the vulnerability to gain full access to the affected device.

The Sixnet web site does not yet (as of 22:00 EDT, 5-26-16) have the new version of the BT firmware listed.

Environmental Systems Corporation Advisory


This advisory describes twin vulnerabilities in the ESC 8832 Data Controller. The vulnerabilities were independently reported by Maxim Rupp and Balazs Makany. ESC reports that there is no code space for a firmware update so it has designed compensating controls to mitigate the vulnerabilities. There is no indication that either Rupp or Makany have been provided an opportunity to verify the efficacy of the fix.

The two vulnerabilities are:

• Authentication bypass - CVE-2016-4501; and
• Privilege management - CVE-2016-4502

ICS-CERT reports that a relatively unskilled attacker could use publicly available information to remotely exploit the vulnerabilities to perform administrative operations over the network without authentication.


ESC recommends replacing the device or blocking Port 80 with a firewall.

House Amends and Passes S 2012 – Energy Policy

Last night the House passed an amended version of S 2012, the Energy Policy Modernization Act of 2016 by a nearly party-line vote of 241 – 178. Later the House voted to insist on its amendment and called for a conference committee.

Bill Provisions of Interest


The bill includes the following cybersecurity provisions from HR 8:

Sec. 1104. Critical electric infrastructure security.
Sec. 1106. Cyber Sense.
Sec. 2008. Report on smart meter security concerns.
Sec. 3126. Internet of Things report.

The bill includes the following chemical transportation safety provision from HR 8:

Sec. 5009. Study of volatility of crude oil.

Moving Forward


The Senate version of the bill passed by a vote of 85 – 12 with only Republicans voting No. The House version passed on a mainly partisan vote with 172 Democrats voting no. It will take the conference committee a while to work out a version of the bill that will be able to come to a vote in the Senate and still be acceptable to the leadership in the House. The bill that passed yesterday would not make it to the Senate floor.

A final version of the bill will probably include the provisions listed above; there is nothing there that is objectionable. The Senate bill had a slightly different version of §1104. It will be interesting to see how the differences are worked out.

The Senate bill has one additional cybersecurity provision that should also make it into the final bill:


Sec. 2002. Enhanced grid security.

S 2931 Introduced – Cyber Crime

Earlier this month Sen. Graham (R,SC) introduced S 2931, the Botnet Prevention Act of 2016. The bill would make amendments to two sections of the criminal code (18 USC) dealing with botnets and add another section addressing attacks against critical infrastructure computers.

Botnets

Section 2 of the bill amends 18 USC 1345 dealing with the administration of injunctions against acts of fraud. It would change the title of §1345 to ‘Injunctions against fraud and abuse’. It would add a new sub-paragraph to that section that would allow the Attorney General to commence a civil action in any Federal court to enjoin a violation of 18 USC 1030(a)(5) instead of just the bank fraud or healthcare fraud covered in the current section.

Section 4 of the bill amends 18 USC 1030 dealing with computer fraud. It adds a new sub-paragraph that adds trafficking in access to computers to the list of computer fraud offenses covered in this section.

Critical Infrastructure Computers


Section 3 of the bill would add §1030A to 18 USC. It would make it a felony “to knowingly cause or attempt to cause damage to a critical infrastructure computer, if such damage results in (or, in the case of an attempted offense, would, if completed, have resulted in) the substantial impairment” {new §1030A(a)} of the operation of a critical infrastructure computer or the associated critical infrastructure.

The bill would punish violations of the new §1030A by up to 20 years in prison and would prohibit judges from making prison sentences under this section run concurrently “with any term of imprisonment imposed on the person under any other provision of law” {new §1030A(c)(2)}.

Moving Forward


Graham is a senior member of the Senate Judiciary Committee and his two Democrat co-sponsors are also members of that Committee. It is very likely that between the three of them that they could get the Committee to consider this bill.

The wording of this bill is almost identical with the wording of an amendment (SA 2713) that Sen. Whitehouse (D,RI) proposed during the consideration of S 754, but it was never brought up for a vote during those proceedings. Getting Graham to sponsor this bill makes it much more likely that the bill will be considered.

Commentary

The critical infrastructure provisions of the bill look, at first glance, like they should apply to industrial control systems at critical infrastructure facilities. Unfortunately, the definitions used in the proposed language means that control systems are specifically not covered. The new §1030A specifically uses the definitions of ‘computer’ and ‘damage’ that come from §1030. Those definitions are:

The term ‘computer’ “means an electronic, magnetic, optical, electrochemical, or other high speed data processing device [emphasis added] performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device” {§1030(e)(1)}.

The term ‘damage’ “means any impairment to the integrity or availability of data, a program, a system, or information” {§1030(e)(8)}.

In addition, activity under §1030A is only felonious when conducted “during and in relation to a felony violation of section 1030” {new §1030A(a)}. In essence, what this bill does is to make an otherwise covered violation of §1030 a more heinous act when it is conducted against a covered IT computer at a critical infrastructure facility. An attack against an industrial control system (even at a major power distribution facility) would not be covered unless it also affected billing or record keeping computers at the facility.

To make this effective in prosecuting attacks on control systems at critical infrastructure facilities an amendment would have to be made to §1030. First there would have to be a paragraph added that would make it a crime to attack a control system. For example add:

§1030(a)(8) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to an industrial control system.

Additionally, we would have to add a definition of ‘an industrial control system’. To write that most broadly we would add:

§1030(e)(13) the term “industrial control system” means any network of computers, communications devices or networks, sensors, or actuators that is designed to detect and effect operations of physical devices. The term includes systems that are used to control the operation of manufacturing facilities, energy production and distribution facilities, building controls, vehicles, and medical devices.

Then the new §1030A(a) would have to be amended to read:

(a) OFFENSE.—It shall be unlawful, during and in relation to a felony violation of section 1030, to knowingly cause or attempt to cause damage to a critical infrastructure computer or industrial control system, if such damage results in (or, in the case of an attempted offense, would, if completed, have resulted in) the substantial impairment—

(1) of the operation of the critical infrastructure computer or industrial control system; or

(2) of the critical infrastructure associated with such computer or industrial control system.

And finally the new §1030A(d)(1) would have to be amended to read:

(d) DEFINITIONS.—In this section—

(1) the terms ‘computer’, ‘damage’ and ‘industrial control system’ have the meanings given the terms in section 1030; and


I think that these changes (or something similar, I am not particularly attached to my words) would make the legislation achieve its intended action of making cyber-attacks on critical infrastructure a felony under federal law. And that is certainly needed before such an attack actually takes place on US soil.

Rule for Consideration of HR 2577 –

The House Rules Committee met last night to formulate the rule for consideration of the Senate amendment to HR 2577, which passed in the Senate as a combination of the Transportation, Housing and Urban Development, and Related Agencies (THUD) Appropriations Act, 2017 (Division A) and the Military Construction, Veterans Affairs, and Related Agencies Appropriations Act, 2017 (Division B).

In an interesting move, the rule adopted last night provided for a substitute amendment which effectively removes the THUD portion of the bill and substitutes HR 4794 (Military Construction and Veterans Affairs and Related Agencies Appropriations Act, 2017), HR 5243 (Zika Response Appropriations Act, 2016) and HR 897 (Reducing Regulatory Burdens Act of 2015) for the remainder of the Senate adopted language.

It looks like the removal of the THUD provisions has more to do with the controversy surrounding the House approach to Zika funding (much less money than the Senate provided in HR 2577, and less still than the Administration requested) than it does with any of the significant differences between the House and Senate on THUD spending.


The House THUD spending bill has not yet been introduced.

Wednesday, May 25, 2016

Amendments to S 2943, FY 2017 NDAA – 05-24-16

This afternoon the Senate officially began consideration of S 2943, the FY 2017 National Defense Authorization Act with a cloture vote of 98 – 0. The amendment offering process began on Monday with 13 amendments offered. Yesterday there were an additional 59 amendments offered. To date only one of those amendments may be of specific interest to readers of this blog; relating to the supply chain security of critical telecommunications equipment, technologies, or services.

Supply Chain Security


Sen. Gardner (R,CO) proposed SA 4130 (pg S3118). It would add a new §1641, “Comptroller General of the United States report on department of defense critical telecommunications equipment or services obtained from suppliers closely linked to a leading cyber-threat actor.”

The amendment would require a report to Congress on any critical telecommunications equipment, technologies, or services obtained or used by the Department of Defense or its contractors or subcontractors that is {§1641(a)(1)}:

• Manufactured by a foreign supplier, or a contractor or subcontractor of such supplier, that is closely linked to a leading cyber-threat actor; or
• From an entity that incorporates or utilizes information technology manufactured by a foreign supplier, or a contractor or subcontractor of such supplier, that is closely linked to a leading cyber-threat actor.

Two key terms are defined in the amendment; ‘leading cyber-threat actor’ and ‘closely-linked’. The cyber-threat actor term is linked to the identification as a ‘leading threat actor in cyberspace’ in the “Worldwide Threat Assessment of the US Intelligence Community”, dated February 9, 2016. The term ‘closely-linked’ is used to describe a relationship between one of the identified cyber-threat actors and a foreign supplier, contractor or subcontractor. The term is used to describe that relationship when the supplier, contractor or subcontractor {§1641(c)(2)}:

• Has ties to the military forces of such actor;
• Has ties to the intelligence services of such actor;
• Is the beneficiary of significant low interest or no-interest loans, loan forgiveness, or other support of such actor; or
• Is incorporated or headquartered in the territory of such actor.

Moving Forward


Tomorrow we will start to get some idea of what amendments will be taken up during the consideration of S 2943 and we will continue to see amendments offered tomorrow and (probably) a week from Monday when the Senate comes back from their very extended Memorial Day weekend.

The cloture vote today was a good sign that there is nothing fatal in the current language of S 2943. Whether or not that will remain the case as the amendment process moves forward remains to be seen.

Commentary


While the report requirement in Gardner’s amendment is technically targeted at all four countries (Russia, China, Iran and North Korea) listed in the Worldwide Threat Assessment (pg 3), it would seem to me that Gardner is really expecting the report to focus on China and its telecommunications industry. I think that anyone would have concerns about the potential problems of having communications equipment provided by companies with close ties to the Chinese government or (in particular) the Chinese Army.

This amendment may be exhibiting a tad bit more than a normal amount of paranoia when it includes any company that is incorporated or headquartered in the territory of one of the big four countries of cyber concern (again China is the obvious main target). While it may be hard to identify all of the companies that fall under the first three standards for ‘closely-linked’, the sweeping inclusion of all Chinese chip and equipment makers in the reporting requirements would seem to ensure that it would be extremely difficult to separate the wheat from the chaff in the resulting report.

And it may be my paranoia seeping through, but I am more than a little concerned that the report being required in the amendment is limited to just telecommunications equipment. The universe of electronic and cyber equipment that includes Chinese made chips and components is way larger than just telecommunications equipment. Since this is an amendment to the Defense authorization bill the report should be expanded to include all critical electronic or computer control systems used by DOD and its contractors.

The other thing that is missing from this amendment is any definition of the type of information to be included in the report. The proposed language specifies what types of equipment from what sources should be addressed in the report, but nothing more about the content of the report. For example, Gardner might have required the report to identify:

• What military end equipment or systems contained parts manufactured by a company that is closely-linked with a leading cyber-threat actor;
• Identify if there are other sources of supply of those parts;
• What methods were available to verify that parts from ‘closely-linked’ suppliers met all of the safety, security and quality requirements of the military; and
• What techniques are available to adequately isolate components manufactured by ‘closely-linked suppliers’ from post-installation communications with the military or intelligence agencies of the ‘leading cyber-threat actors’.

This amendment is unlikely to be modified by the current process for consideration of S 2943. To see the types of changes described above, I’m afraid that we would have to see a completely new amendment if my concerns are to be addressed; I’m not holding my breath.


BTW: A really odd amendment was offered yesterday. SA 4141 would add a new division to S 2943; it would add the FY 2017 spending for the State Department to the spending approved in the bill. The State Department and DOD have always had a more than a little strained relationship because of their nearly opposite ways of dealing with foreign adversaries. Pairing these two departments would be just a tiny bit ironic.

House Passes HR 2756 – TSCA Reform

Yesterday the House passed HR 2756, the Frank R. Lautenberg Chemical Safety for the 21st Century Act (TSCA reform) by a wildly bipartisan vote of 403 – 12. The debate on the bill (pgs H3025-H3031) consumed 40 minutes, but it was hardly a debate. The list of members speaking in support of the bill was impressive in its political diversity.


The bill will go to the Senate (possibly this week). As surprising as this may seem since this has been a touchstone political topic for the last ten years, the bill could actually be considered under the Senate’s unanimous consent process with no debate and no vote.

HR 5077 Passes in House – Intel Authorization

Yesterday the House passed HR 5077, the Intelligence Authorization Act for Fiscal Year 2017, by a broadly bipartisan vote of 371 – 35. The bill had been debated (pgs H2901-H2905) on the floor on Monday for all of 27 minutes, most of which was used for praising the bipartisan leadership of the Intelligence Committee.


The bill will probably be considered in the Senate under their unanimous consent process where it will be approved without debate or vote.

Bills Introduced – 05-24-16

With both the House and Senate in session yesterday there were 17 bills introduced. Of those one may be of specific interest to readers of this blog:

HR 5312 To amend the High-Performance Computing Act of 1991 to authorize activities for support of networking and information technology research, and for other purposes. Rep. Duffy, Sean P. [R-WI-7]


It is interesting that a bill of this name was marked up yesterday in the House Science, Space and Technology Committee and then this bill is supposed to be marked up today by the same Committee. The bill that was marked up yesterday contained provisions concerning research and development efforts on ‘cyber-physical systems’. 

Tuesday, May 24, 2016

ICS-CERT Publishes Moxa Advisory

This afternoon the DHS ICS-CERT published an advisory for control system vulnerabilities in the Moxa MiiNePort serial device server module series. The multiple vulnerabilities were reported by Karn Ganeshen earlier this month on the Full Disclosure mail list. Moxa reportedly will produce a beta version of a firmware patch in late May 2016.

The reported vulnerabilities include:

• Cleartext storage of sensitive information - CVE-2016-2295;
• Cross-site request forgery - CVE-2016-2285; and
• Weak credential management - CVE-2016-2286

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerabilities to silently perform unauthorized actions on the device such as password change, configuration parameter changes, saving modified configuration, and device reboot.


ICS-CERT is reporting that Moxa recommends disabling ports TCP/80 (HTTP) and TCP/23 (TELNET). The other affected ports {UDP/161 (SNMP), UDP/4800 (utility), and TCP/4900 (utility)} are needed for remote operation and should be protected.
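A workaround like that is only worth anything if somebody goes back and confirms the device actually stopped answering, which is rarely done on a serial server tucked into a panel. The checker below is an added example for this post, not Moxa tooling: it attempts a TCP handshake on the ports named in the advisory from the management host and grades the result the way the advisory does (80 and 23 must be closed; 4900 may be open but only from the management network). The host argument, the helper names and the verdict strings are my choices. UDP/161 and UDP/4800 cannot be checked with a bare connect() and need a protocol-level probe (an SNMP GET, for instance), which is not shown here.

```python
import socket
from typing import Dict, Iterable, List, Optional, Tuple

# Ports named in the ICS-CERT advisory for the MiiNePort series.
DISABLE_RECOMMENDED = {80: "HTTP", 23: "TELNET"}      # advisory: disable these
PROTECT_RECOMMENDED_TCP = {4900: "utility"}           # advisory: needed, so protect it
# UDP/161 (SNMP) and UDP/4800 (utility) are not covered by a TCP connect check.


def tcp_port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake completes on host:port within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, filtered
        return False


def audit_device(host: str, ports: Optional[Iterable[int]] = None,
                 timeout: float = 1.0) -> Dict[int, bool]:
    """Probe the advisory's TCP ports (or an explicit list) on one device."""
    if ports is None:
        ports = list(DISABLE_RECOMMENDED) + list(PROTECT_RECOMMENDED_TCP)
    return {p: tcp_port_open(host, p, timeout) for p in ports}


def assess(results: Dict[int, bool]) -> List[Tuple[int, str]]:
    """Grade probe results against the advisory's recommendations."""
    verdicts = []
    for port in sorted(results):
        is_open = results[port]
        if port in DISABLE_RECOMMENDED:
            verdicts.append((port, "FAIL: still open, advisory says disable" if is_open else "ok: closed"))
        elif port in PROTECT_RECOMMENDED_TCP:
            verdicts.append((port, "WARN: reachable, restrict to the management network" if is_open else "ok: closed"))
        else:
            verdicts.append((port, "open" if is_open else "closed"))
    return verdicts


def start_local_listener() -> Tuple[int, socket.socket]:
    """Bind a listening socket on an ephemeral loopback port so the checker
    can be exercised without a real device (stand-in for a live service)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv.getsockname()[1], srv


if __name__ == "__main__":
    import sys
    # Assumed usage: python check_miineport.py <device-address>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, verdict in assess(audit_device(target)):
        print(f"{port:>5}/tcp  {verdict}")
```

Run it from the management host after applying the workaround and again from a segment that should not reach the device at all; a 4900/tcp "WARN" from the second vantage point is the finding that matters, because that utility port is the one the advisory leaves open.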

HR 5077 Reported in House – FY 2017 Intel Authorization

Last week the House Intelligence Committee issued their report on HR 5077, the Intelligence Authorization Act for Fiscal Year 2017. While there is little in the bill that directly concerns cybersecurity, the topic receives a significant amount of attention in the Committee Report.

Cybersecurity Concerns


As with the cybersecurity mention in the actual bill, the Committee Report coverage of the topic is mainly limited to requirements for reports to Congress. The cybersecurity related reports include:

• Unclassified cybersecurity incident information sharing with the National Cybersecurity and Communications Integration Center (NCCIC);
• Increasing the DHS I&A’s utilization of cybersecurity expertise of the National Labs; and
• Improving the cybersecurity training within national intelligence program (NIP) funded undergraduate and graduate computer science programs.

The one actual cybersecurity action requirement found in the Committee Report deals with supply chain security issues for the intelligence community (IC). The Committee is concerned that current IC acquisition guidelines do not adequately address cybersecurity issues in the supply chain. The Committee is requiring the Director of National Intelligence (DNI) to review and consider revising those guidelines to:

• Expand risk management criteria in the acquisition process to include cyber and supply chain threats;
• Require counterintelligence and security assessments as part of the acquisition and procurement process;
• Propose and adopt new education requirements for acquisition professionals on cyber and supply chain threats; and
• Factor in the cost of cyber and supply chain security.

Moving Forward


The floor debate on HR 5077 took place yesterday evening and a recorded vote was requested. That vote should take place today. As I mentioned earlier, I expect that the bill will pass with substantial bipartisan support.

Commentary


It is heartening to see the Intelligence Committee endorse unclassified information sharing about cybersecurity incidents. The intelligence community by its very nature is secretive in its operations and is reluctant to share the information it gains from its activities for fear of compromising its intelligence collection assets and techniques. Extracting information of any sort from that classified data that can be shared with a wider audience is a difficult undertaking for the intelligence community, and it needs to be continuously prodded by its overseers to ensure that it makes a reasonable effort to do so.


In my very brief time working in tactical level intelligence in the Army I learned first-hand how difficult it is to sort through classified intelligence data to extract out useful information for those at the point of the spear that could be shared without compromising the data collection process. The absolutely necessary vetting and approval process for the unclassified intelligence products produced almost made the effort counterproductive and made it very difficult to produce useable time-sensitive information. The effort really was worthwhile and should be actively pursued at all levels in the intelligence community.

Rule for Consideration of HR 2576 – TSCA Reform

Last night the House Rules Committee finished their rule for the consideration of the Senate amendment to HR 2576, the TSCA Modernization Act of 2015. The House amendment that I described Saturday was further amended and will be offered as an amendment to the Senate amendment on the House floor, perhaps as soon as today. There will be one hour of debate and the vote will be held without further amendment.

The amendment made last night was a four-page technical correction to the language of the amendment agreed to by the unofficial conferees. That amendment is included in the Rules Committee report on the Senate amendment to HR 2576.


The bill will almost certainly pass with at least some bipartisan support, as all of the major chemical safety players in the House and Senate have agreed to this new language.

Monday, May 23, 2016

ISCD Adds New CVI FAQ to CFATS Knowledge Center

This afternoon the DHS Infrastructure Security Compliance Division (ISCD) added a new frequently asked question (FAQ) to the CFATS Knowledge Center. The new FAQ (# 1770) relates to the relationship between the Chemical-Terrorism Vulnerability Information (CVI) program and the Freedom of Information Act (FOIA).

FAQ # 1770 asks: “Can Chemical-terrorism Vulnerability Information (CVI) be released under the Freedom of Information Act (FOIA)?”


The answer makes clear that CVI protected information may not be released under either the Federal FOIA or any similar State or local laws. It also provides a link to the CVI Handbook for further clarification of the rules concerning the protection of CVI.

Committee Hearings – Week of 5-22-16

This week both the House and Senate are in Washington, but are preparing to take their Memorial Day recess. Lots of stuff on the agenda for this week both in hearings and on the floor. Spending bills are going to be an important item this week. We will also see a couple of cybersecurity hearings and two House Rules Committee Hearings of specific interest to readers of this blog.

Spending Bills


The following spending bill hearings will take place this week:

• Commerce, Justice and Science – House Appropriations Committee – Monday;
• Transportation, Housing and Urban Development – House Appropriations Committee – Monday;
• Defense – Senate Defense Sub-Committee – Tuesday;
• Homeland Security – Senate Homeland Security Subcommittee – Tuesday;
• Defense and Homeland Security – Senate Appropriations Committee – Thursday.

Cybersecurity


There are three cybersecurity related hearings scheduled for this week: a bill markup, a preparedness and response hearing and a hearing on international cybersecurity. None of these hearings will specifically address industrial control system matters.

On Tuesday the House Science, Space and Technology Committee will mark up an as of yet unintroduced bill, the “Networking and Information Technology Research and Development Modernization Act of 2016”. No language is yet available on the Committee web site.

Two subcommittees of the House Homeland Security Committee will be holding a joint hearing on Tuesday on “Enhancing Preparedness and Response Capabilities to Address Cyber Threats”. The witness list has been announced and includes:

• Mark Ghilarducci, Office of the Governor of California
• Daniel J. Cooney, New York State Police
• Steven Spano, Center for Internet Security
• Mark Raymond, National Association of State Chief Information Officers
• Robert Galvin, Port Authority of New York and New Jersey

The Subcommittee on East Asia, the Pacific, and International Cyber Security will be holding a hearing on Wednesday on “International Cybersecurity Strategy: Deterring Foreign Threats and Building Global Cyber Norms”. The only witness currently scheduled is Christopher Painter, Coordinator for Cyber Issues, State Department.

Rules Committee Hearing


In addition to this evening's TSCA hearing that I mentioned Saturday, the House Rules Committee will meet Tuesday to consider an amendment to S 2012, Energy Policy Modernization Act of 2015, that passed last month in the Senate. According to the Committee website the amendment will be substitute language that includes substantial provisions from the following (38) bills already passed in the House:

HR 8, HR 4583, HR 2080, HR 2081, HR 4416, HR 4434, HR 4411, HR 4412, HR 2898, HR 2406, HR 1937, HR 538, HR 404, HR 482, HR 959, HR 979, HR 984, HR 1289, HR 1324, HR 1541, HR 1554, HR 1949, HR 2223, HR 2288, HR 2857, HR 2880, HR 3004, HR 3036, HR 3371, HR 3620, HR 4119, HR 1475, HR 1214, HR 2791, HR 2647, HR 1806, and Title XXXIII of HR 4909. 

The only bill in the list that I have covered is HR 8, so I expect that the only cybersecurity provisions will be those from that bill. I should have a chance to take a closer look at the substitute language before the Rules Committee Hearing.

On The Floor


The House will be considering HR 5077, the Intelligence Authorization Act for Fiscal Year 2017 later today (or possibly tomorrow, it is a long suspension list) under suspension of the rules. As always this requires a supermajority to pass and there will be little debate and no amendments to the bill on the floor.

The House will also consider the TSCA revision (HR 2576) and the Energy bill under a more complete debate process, possibly with amendments from the floor, later in the week.


As I mentioned earlier today the Senate is probably going to take up the FY 2017 NDAA this week, though I will be surprised if it is completed this week (though stranger things have happened in Washington).

S 2943 Introduced – FY 2016 NDAA

Last week Sen. McCain (R,AZ) introduced S 2943, the National Defense Authorization Act (NDAA) for Fiscal Year 2017. The House version of this bill (HR 4909) passed last week. It provides authorization for military activities for the next fiscal year.

Like the House bill, there is an entire subtitle of this bill (Subtitle C of Title XVI) related to cyber issues. The following sections are listed in that subtitle:

Sec. 1631. Cyber protection support for Department of Defense personnel in positions highly vulnerable to cyber attack.
Sec. 1632. Cyber Mission Forces matters.
Sec. 1633. Limitation on ending of arrangement in which the Commander of the United States Cyber Command is also Director of the National Security Agency.
Sec. 1634. Pilot program on application of consequence-driven, cyber-informed engineering to mitigate against cybersecurity threats to operating technologies of military installations.
Sec. 1635. Evaluation of cyber vulnerabilities of F–35 aircraft and support systems.
Sec. 1636. Review and assessment of technology strategy and development at Defense Information Systems Agency.
Sec. 1637. Evaluation of cyber vulnerabilities of Department of Defense critical infrastructure.
Sec. 1638. Plan for information security continuous monitoring capability and comply-to-connect policy.
Sec. 1639. Report on authority delegated to Secretary of Defense to conduct cyber operations.
Sec. 1640. Deterrence of adversaries in cyberspace.

There are no overlaps between the items found in this subtitle of the bill and the corresponding subtitle of the House version. Two of the sections in this version of the bill may be of specific interest to readers of this blog: §1634 and §1640.

Cyber-Informed Engineering


Section 1634 requires the DOD to establish “a pilot program to assess the feasibility and advisability of applying consequence-driven, cyber-informed engineering methodologies to the operating technologies of military installations, including industrial control systems, in order to increase the resilience of military installations against cybersecurity threats and prevent or mitigate the potential for high-consequence cyberattacks.”

While I am waiting for the Armed Forces Committee report on S 2943 to see if there are any additional insights into what the Committee expects to see included in the ‘cyber-informed engineering’ pilot, I did find an interesting paper [updated link, 23:21 1-28-17] on the topic from a couple of engineers at the Idaho National Laboratory. They note that modern industrial processes are constructed with the assumption that the control system is trusted, an assumption that is increasingly proving to be incorrect. They call for a new engineering design process that takes the potential insecurity of the control system into account as part of the design basis for the entire industrial process.

Deterrence of Adversaries in Cyberspace


In many ways §1640 is similar to HR 5220 and S 2905 in that it requires the President to report to Congress on “determining when an action carried out in cyberspace constitutes an act of war against the United States” {§1640(b)(1)}. The important difference here is that that report only comes after the Joint Chiefs of Staff provide a detailed report to Congress “on the military and nonmilitary options available to the United States to deter Russia, China, Iran, North Korea, and terrorist organizations in cyberspace” {§1640(a)(1)}. This makes the report more of a policy development requirement rather than just a political gotcha game.

Moving Forward


The Senate Armed Services Committee has already completed their action on this bill (and I am expecting their report to be published today or tomorrow) so this bill is cleared to move to the Floor of the Senate. It is being reported on TheHill.com that this bill will come to the floor of the Senate this week, though it is not the first bill slated for floor action today.

There are a number of controversies that could arise in connection with this bill (unrelated to cybersecurity issues) that could slow consideration especially considering that the Senate is heading home for a week of campaigning at the close of the week. It would not be surprising to see some vocal posturing before the Memorial Day Recess and then more reasonable actions following the return to Washington.

When this bill is eventually passed, it will have to go to a conference committee to work out the significant differences with the House over a number of matters. It is not entirely clear at this point that a House-Senate compromise bill would be acceptable to the President as both sides try to make points going into the election. I suspect that a final version of this bill will only be achieved in the lame duck session.

Commentary


It is interesting to see a piece of legislation addressing a new and innovative engineering concept like cyber-informed engineering. It is less surprising that it was found in a defense authorization bill, particularly in the Senate. McCain did after all receive a pretty good technical education at the US Naval Academy. And as a military pilot he did come to have a pretty good personal understanding of the importance of good engineering. I am not saying that he came up with the concept, but he was better able to comprehend its importance when briefed on it by DOD than a less technologically trained congress critter would have.


In many ways the chemical engineering profession has embraced the basic idea behind this new engineering concept in the way that they have developed their stand-alone safety systems. Those systems were not developed with cybersecurity in mind, but rather to deal with problems with another less-than-trusted part of the chemical manufacturing process, the human operator. The lessons that chemical engineers have learned over the last couple of decades in dealing with human-engineering issues should be directly applicable to cyber-informed engineering.

Saturday, May 21, 2016

DHS Announces CISPA Workshop – 6-9-16

The DHS National Protection and Programs Directorate published a meeting notice in Monday’s Federal Register (81 FR 32340-32341, available on-line today) for a workshop to discuss information sharing as related to Title I of the Cybersecurity Act of 2015, the Cybersecurity Information Sharing Act. The public meeting will be held on June 9th, 2016 in Arlington, VA.

The purpose of this meeting is to inform stakeholders and the public of CISA implementation issues. It will consist of a keynote address, formal presentations and panel discussions. Topics will include:

• What is CISA?
• What is the Automated Indicator Sharing (AIS) initiative?
• What are the privacy concerns around CISA and how are privacy protections built into information sharing?
• What is the benefit of participating in an Information Sharing and Analysis Organization (ISAO) as it pertains to CISA?
• How does an organization (Federal or non-federal) connect and participate in AIS?

There is limited seating available at the venue so advance registration is required by emailing cisaimplementation@hq.dhs.gov. There is no indication that this workshop will be webcast.


There will be a period for public comments during the workshop. Written comments may also be submitted via the Federal eRulemaking Portal (www.Regulations.gov; docket # DHS-2015-0017). Written comments need to be submitted by June 2nd, 2016.

Rules Committee to Meet on HR 2576 – TSCA Revision

The House Rules Committee will meet Monday evening to formulate the rule for consideration of a House amendment to the Senate amendment to HR 2576, TSCA Modernization Act of 2015. This amendment is the bicameral, bipartisan compromise language that the press has been reporting on this week.

Changes


This 181-page substitute language is a very complex amendment of the current Toxic Substances Control Act (15 USC 2601-2609) that combines language from the versions passed in the House and Senate plus some other changes worked out by an unofficial conference group of Senators and Representatives (and the appropriate staff members).

The House Energy and Commerce Committee has published a four-page summary of the compromise language.

Moving Forward


Since this is compromise language that took a great deal of effort to work out, I do not suspect that the rule for the consideration of this bill will provide for much, if anything, in the way of amendments. No one is going to be completely satisfied with the language of this bill. Sen. Sanders (I,VT), for example, has come out against the revised language. Industry groups (see here and here) however, are apparently taking a more pragmatic stance and are generally supporting the language.

Commentary


The existing TSCA regulations are complex enough, but the amendments in this bill are going to make it even more so. The big problem is the amendment process. Congressional bills do not generally show the revised language; they show the changes that are to be made. For example, one of the many changes (in this case to 15 USC 2605) in this bill reads {§6(2)}:

“(2) in subsection (a)—
“(A) by striking ‘‘finds that there is a reasonable basis to conclude’’ and inserting ‘‘determines in accordance with subsection (b)(4)(A)’’;
(B) by inserting ‘‘and subject to section 18, and in accordance with subsection (c)(2),’’ after ‘‘shall by rule’’;
(C) by striking ‘‘to protect adequately against such risk using the least burdensome requirements’’ and inserting ‘‘so that the chemical substance or mixture no longer presents such risk’’;

This in a more conventional business format would read:

“(a) If the Administrator [struck: finds that there is a reasonable basis to conclude] [inserted: determines in accordance with subsection (b)(4)(A)] that the manufacture, processing, distribution in commerce, use, or disposal of a chemical substance or mixture, or that any combination of such activities, presents or will present an unreasonable risk of injury to health or the environment, the Administrator shall by rule [inserted: and subject to section 18, and in accordance with subsection (c)(2),] apply one or more of the following requirements to such substance or mixture to the extent necessary [struck: to protect adequately against such risk using the least burdensome requirements] [inserted: so that the chemical substance or mixture no longer presents such risk]:”

This is certainly easier to read, but the full effect is still not clear because the references to other sections of TSCA (which are also amended) have to be read and understood before the actual import of the changes made to this paragraph can be understood.

In addition, many of the changes made in this revised language (and both of the other versions of the bill) are apparently minor wording changes that may only be of specific interest to lawyers arguing obscure provisions of the law. For example, a very common change made throughout the bill is the simple substitution of the word ‘information’ for the word ‘data’. While the two words have significantly different common definitions, you would have to read and analyze each instance of this change to understand the regulatory implications.

All of this makes it very difficult to conduct a real review. Even where wholesale changes have been made to the language, it is difficult to accurately assess their implication for chemical manufacturing and chemical safety because of all of the minor changes that are made in the supporting language.

Looking at the Committee summary of this revised language it certainly seems that this bill should be an improvement over the current TSCA language. A closer look, however, shows some significant problems that are glossed over in the revision.

For example, consider the new requirement for the EPA to decide, within 90 days of the submission of a pre-manufacturing notice (PMN) for a new chemical, whether or not there is a potential safety issue with the chemical that needs to be regulated. An effective review of the large number of new chemicals developed every year within that time frame is going to require a large number of new chemical safety experts at the EPA. There are no indications that Congress will fund such a staffing increase.

Another area of potential concern is the requirements for industry funding of research on new chemicals. This has always been a sticking point for the development of chemical safety information; such testing is important yet expensive. Chemical safety advocates are certainly heartened to see industry being stuck with the bill for large portions of this testing. In order to avoid stifling chemical innovation too much there are limits to how much a company can be forced to spend on such testing depending on the size of the organization. Small companies are responsible for a disproportionate share of the innovation in the chemical industry. This safety-testing funding proposal will almost certainly have an impact on the merger and acquisition process as larger companies will wait for the testing requirements on a new chemical to run out.

It certainly looks like this bill is going to pass and that is probably a good thing. But it is going to take years to see what the actual impacts on the chemical industry will be.

Friday, May 20, 2016

Spring 2016 Unified Agenda – DOT

As I mentioned yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) published the Spring 2016 Unified Agenda. Today I want to look at the Unified Agenda for the Department of Transportation. I do not follow this portion of the Unified Agenda as closely as I do the DHS portion; mainly because DOT is a much more prolific writer of regulations than is DHS.

The Current Agenda


The table below lists the DOT rulemakings on the current agenda that I find interesting. This is a smaller set of interest than I normally follow here in this blog, but I do have some space and reader interest limitations that I need to take into consideration.

FAA – Proposed Rule Stage – Operations of Small Unmanned Aircraft Over People
FAA – Final Rule Stage – Operation and Certification of Small Unmanned Aircraft Systems
FAA – Final Rule Stage – Registration and Marking Requirements for Small Unmanned Aircraft
NHTSA – Proposed Rule Stage – Federal Motor Vehicle Safety Standard FMVSS 150 -- Vehicle to Vehicle (V2V) Communication
PHMSA – Proposed Rule Stage – Hazardous Materials: Review and Update of Rail Carrier Regulations in Part 174 RRR
PHMSA – Proposed Rule Stage – Hazardous Materials: Oil Spill Response Plans and Information Sharing for High-Hazard Flammable Trains
PHMSA – Proposed Rule Stage – Hazardous Materials: Real-Time Emergency Response Information by Rail
PHMSA – Final Rule Stage – Hazardous Materials: FAST Act Requirements for Flammable Liquids and Rail Tank Cars

The FAA


The Federal Aviation Administration (FAA) has 38 rulemakings listed in this version of the Unified Agenda. Unfortunately, none of those seems to address cybersecurity issues. While the FAA, aircraft manufacturers, and airlines are beginning to look at the potential risk from these issues, it does not appear that we are anywhere near regulatory considerations at this point.

I have selected three unmanned aerial system (UAS) rulemakings to include in my table. The first deals with flying small UAS over people and its abstract includes an interesting sentence; “This rulemaking would provide relief from certain operational restrictions implemented in the Operation and Certification of Small Unmanned Aircraft Systems final rule.” That rule prohibited the flying of small UAS over people.

The second rulemaking deals with the regulation of the operation of commercial small UAS. Since this rulemaking is supposed to look at registration and marking of small UAS, I included the third rulemaking which already addressed those issues in an interim final rule. The FAA still intends to issue a final rule on this topic.

NHTSA


The National Highway Transportation Safety Administration (NHTSA) has 25 rulemakings on the Unified Agenda. Only one of those may be of specific interest to readers of this blog, the vehicle-to-vehicle (V2V) rulemaking. That is because of the cybersecurity provisions that may be included in the rulemaking. I addressed these in my blog post on the ANPRM back in 2014; yes, NHTSA moves as fast as the rest of DOT in their rulemaking process.

PHMSA


The Pipeline and Hazardous Material Safety Administration (PHMSA) also has 25 rulemakings listed on the Unified Agenda. I selected four of those that deal, at least tangentially, with crude oil transportation by rail.

The first is a somewhat cooperative venture between PHMSA and the Federal Railroad Administration (FRA). This rulemaking would address results of an FRA study that identified “several trends in industry practices and operating procedures that present new and different risks to safety”. Addressing those risks and just generally updating the regulations regarding the handling of hazardous materials via rail should make for an interesting rulemaking.

The rail oil spill response plan rulemaking is high on the Congressional wish list and they have been applying pressure on PHMSA to complete this rulemaking. As would be expected, similar pressure is being exerted by a variety of environmental and safety activist organizations. Unfortunately, those two pressure points are pushing towards entirely different outcomes in the regulatory schema so I expect that we will see continued delays on this rulemaking.

The third PHMSA rulemaking was dictated by Congress in §7302 of the Fixing America's Surface Transportation (FAST) Act passed last December. It would require the creation of electronic train consists that include the identification of hazardous materials and emergency response information for those materials. Class 1 railroads are already developing/deploying this technology so PHMSA is behind the regulatory power curve.

The last rulemaking was also specified by the FAST Act in sections 7304, 7305, and 7306. In this case Congress was much more specific about what the rule should entail so PHMSA is going with a direct final rule without the publish and comment process to speed up their response to the Congressional requirement. Congress mandated that the final rule be published by May 16th, 2016, so PHMSA is already late on this rulemaking; no surprise here.

Long-Term Actions


While the DOT Unified Agenda is lengthy, they keep (with the exception of NHTSA) relatively few items on their long-term actions list. Only two items on their list made it to my list of interest:

OST – Protection of Sensitive Security Information
FRA – Track Safety Standards; Improving Rail Integrity

The first is included because both DHS and DOT have responsibility for protecting SSI and both have this on their long-term action list. Of course their continued inaction will mean that the SSI program will be more impacted by the National Archives and Records Administration rulemaking on sensitive but unclassified information that is in OIRA review.

At first glance I was severely disappointed to see this new rulemaking listed on the long-term actions page, but after a closer look I am just as confused as I am disappointed. Anyone that has followed the crude oil train issue in any detail will know that a large number of the crude oil train derailments that we have seen have been due, at least in part, to rail integrity issues. This rulemaking should be a priority for the FRA.


What makes me confused is that looking at the rulemaking page it shows that FRA intends to have a notice of proposed rulemaking (NPRM) ‘scheduled’ for June 2016. While I never believe projected dates in the Unified Agenda, that would indicate a fairly short-term long-term action. Oh well.