Thursday, June 30, 2016

ICS-CERT Publishes Two Advisories and an Alert

This afternoon the DHS ICS-CERT published two new control system security advisories for products from Siemens and Eaton. It also published an alert for a publicly shared vulnerability in a Sierra Wireless product.

Siemens Advisory


This advisory describes two vulnerabilities in the Siemens SICAM PAS (Power Automation System). The vulnerabilities were reported by Ilya Karpov and Dmitry Sklyarov of Positive Technologies. Siemens has produced a new version and instructions to mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The vulnerabilities are:

• Insufficiently protected credentials - CVE-2016-5848; and
• Information exposure - CVE-2016-5849.

ICS-CERT reports that a relatively unskilled attacker with local access could exploit these vulnerabilities to obtain sensitive information under certain conditions. The Siemens-CERT advisory reports that the attacker must have local access to the SICAM PAS system and either certain database privileges or a database that is in a stopped state.

Siemens reported this vulnerability this morning on TWITTER®.

Eaton Advisory


This advisory describes twin buffer overflow vulnerabilities in the Eaton ELCSoft programming software. The vulnerabilities were reported by Ariele Caltabiano via the Zero Day Initiative (ZDI). Eaton has released a revision to mitigate these vulnerabilities. There is no indication that Eaton has provided Caltabiano an opportunity to verify the efficacy of the fix.

The vulnerabilities are:

• Heap-based buffer overflow - CVE-2016-4509; and
• Stack-based buffer overflow - CVE-2016-4512.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to execute arbitrary code on the target system.

Sierra Wireless Alert


This alert describes three vulnerabilities in the Sierra Wireless AirLink Raven XE and XT gateways. The vulnerabilities were reported in a coordinated disclosure by Karn Ganeshen. Sierra Wireless has reported to ICS-CERT that these devices are end of life and no new firmware releases will be made available. Ganeshen released a public report on four vulnerabilities on the Full Disclosure site on June 22nd, 2016 after he was advised that no updates were planned by Sierra Wireless.

The four vulnerabilities reported by Ganeshen are:

• Weak credential management (not reported in ICS-CERT Alert);
• Ace Manager contains a global CSRF vulnerability;
• Sensitive information leakage via GET requests; and
• Unauthenticated access to directories + Arbitrary File Upload.

ICS-CERT reports that Sierra Wireless has provided written mitigation measures to reduce these vulnerabilities.

NOTE: ICS-CERT did report the name of the reporting researcher, but did not provide a link to the public report.

Unreported Siemens Update



Siemens reported in another TWEET® this morning that they had updated a Siemens-CERT advisory that was reported by ICS-CERT on May 19th, 2016. We may see the updated ICS-CERT advisory tomorrow.

PHMSA Publishes Petition Based NPRM

Today the DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) published a notice of proposed rulemaking (NPRM) in the Federal Register (81 FR 42609-42625) for revisions to the Hazardous Materials Regulations (HMR) based upon public petitions. Twenty-one topics are addressed in this NPRM.

The topics include (Petition #):

Testing for Aerosols - (P-1606), the Council on Safe Transportation of Hazardous Articles (COSTHA);
Cargo Tank Specification - (P-1615), The Walker Group;
Chlorine Institute Publications - (P-1619), the Chlorine Institute;
International Label and Placard Consistency - (P-1620), Labelmaster Services;
Toxic by Inhalation Tank Car Lifespan - (P-1636), the Chlorine Institute;
Limited Quantity Pallets - (P-1638), Labelmaster Services;
Emergency Response Numbers - (P-1639), Horizon Lines, LLC;
Units of Measurement for Limited Quantities of Ethyl Alcohol - (P-1640), the Association of HAZMAT Shippers;
Printing Tolerances for Labels and Placards - (P-1650), Labelmaster Services;
Incorporation of Department of Defense Standards - (P-1651), the Department of Defense (DoD) Explosives Safety Board;
Definitions for “Basic Description” and “Shipping Description” - (P-1655), the Dangerous Goods Trainers Association (DGTA);
Marked Date of Manufacture on Composite IBCs - (P-1662), Rigid Intermediate Bulk Container Association of North America (RIBCNA); and


PHMSA is soliciting public comments on the proposed rulemaking. Comments can be submitted via the Federal eRulemaking Portal {www.Regulations.gov; Docket #PHMSA-2015-0102 (HM-219A)}. Comments should be submitted by August 29th, 2016.

ICS-CERT Mission

There is an interesting new link near the top of the ICS-CERT landing page that leads to a page that I have never seen before, but that is probably not new; About the Industrial Control Systems Cyber Emergency Response Team. It provides an overview of the ICS-CERT mission within the DHS National Protection and Programs Directorate.

The page outlines the ICS-CERT role in the DHS strategy for securing control systems. It lists six key responsibilities:

• Responding to and analyzing control systems-related incidents;
• Conducting vulnerability, malware, and digital media analysis;
• Providing onsite incident response services;
• Providing situational awareness in the form of actionable intelligence;
• Coordinating the responsible disclosure of vulnerabilities and associated mitigations; and
• Sharing and coordinating vulnerability information and threat analysis through information products and alerts.

It also provides links to a number of interesting (if severely dated) supporting documents, including:

Strategy for Securing Control Systems (dated October 2009);

In many ways the last document may be the most valuable if more people, particularly legislators and regulators, would use it. It would make talking about cybersecurity issues much easier. I’ll highlight three of the key definitions here; only two of which I like (guess which ones – grin):

Cyber Incident - An occurrence that actually or potentially results in adverse consequences to an information system or the information that the system processes, stores, or transmits and that may require a response action to mitigate the consequences.

Cyber System - Any combination of facilities, equipment, personnel, procedures, and communications integrated to provide cyber services; examples include business systems, control systems, and access control systems.

Cybersecurity - The full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure.

The one thing missing from this collection of information about ICS-CERT is some sort of fact sheet on the vulnerability disclosure process that outlines the process, procedures and ICS-CERT policies on the topic. I think that this would be a valuable addition to the page.


One other complaint that I have with the information presented here (and across most of the DHS web sites) is there is a real lack of information dating. It is hard to tell what information is dated and what information is new. This is particularly important when the organization updates the pages.

Wednesday, June 29, 2016

PHMSA Increases HMR Fines

The DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) published an interim final rule (IFR) in today’s Federal Register (81 FR 42266-42268) increasing the minimum and maximum fines for violations of hazardous material law (HML) or hazardous material regulations (HMR). DOT was directed by Congress to periodically adjust these fines in the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015 (§701 of PL 114-74).

The table below shows the existing penalties and the new ones established in this IFR. The adjustment multiplier is based upon changes in the Consumer Price Index since the fine was established or last changed.


Penalty                     Current     New
Knowing violation – Max     $75,000     $77,114
Severe violation – Max      $175,000    $179,933
Training violation – Min    $450        $463

A severe violation is a knowing violation of the HML or HMR that results in death, serious illness, or severe injury to any person or substantial destruction of property.


Congress mandated this change in penalties and provided no discretion in the matter to DOT, so the notice and comment process is unnecessary. The changes go into effect on August 1st, 2016.

Tuesday, June 28, 2016

Top Screen Roll Out Information

I have been hearing comments from a couple of readers about the new Top Screen being developed by the DHS Infrastructure Security Compliance Division (ISCD). There appears to be some confusion about the roll out of the new Top Screen. I have not seen any official documents from ISCD about the roll out timing, but some recent submissions (April) to the OMB’s Office of Information and Regulatory Affairs (OIRA), plus some private conversations that I have had may help clarify some of the issues being discussed.

The New Top Screen


Back in February ISCD announced that they would be changing the Top Screen and Security Vulnerability Assessment (SVA) tools in the on-line Chemical Security Assessment Tool (CSAT). DHS subsequently made it known that the changes in the two tools were being done to reflect the new risk analysis and tiering methodology that ISCD has been working on for a couple of years now. ISCD intends to implement the new risk analysis methodology sometime this fall and that implementation will include the new Top Screen and SVA.

I reported on the webinar where ISCD demonstrated the new Top Screen. The version that was demonstrated was more streamlined and it did include some questions that are currently in the SVA tool. The earlier presentation of these questions is necessitated by the new risk analysis model.

I understand that ISCD plans to demonstrate both the new Top Screen and SVA tools at the Chemical Sector Security Summit next month. I am hoping that they will be included in the presentations that will be web cast. We should be seeing a final listing of the web cast presentations in the next couple of weeks. DHS will be sending that out to people who have registered for the web cast.

Rulemaking


DHS does have a rulemaking in progress for changes in the Chemical Facility Anti-Terrorism Standards (CFATS) program and according to the latest Unified Agenda a notice of proposed rulemaking (NPRM) is scheduled to be published in September. The change in risk analysis protocol and subsequent changes in the Top Screen and SVA tools will not require rulemaking to effect since there will be no changes to the regulations required.

Because the Top Screen and SVA are information collections, ISCD is required to update their information collection request (ICR) with the OMB’s Office of Information and Regulatory Affairs (OIRA). A revised ICR for the Chemical Security Assessment Tool (CSAT) was submitted to OIRA on April 29th, 2016. OIRA’s published acceptance of the ICR will be required before ISCD can implement the changes to the Top Screen or SVA. There is no way to know when OIRA will approve the ICR.

Implementation


Based upon past actions by the ISCD, once OIRA publishes their approval of the changes to the ICR we can expect to see a notice published in the Federal Register outlining how DHS will implement the new Top Screen and SVA. This notice will not require any formal OMB approval since they will have already approved that implementation plan as part of the ICR.

There is a rumor going around that DHS is going to require all currently regulated facilities to submit a new Top Screen. Additionally, the rumor goes, all facilities that have (or have had in the last 60 days) an inventory of any of the 300+ DHS chemicals of interest (COI) at or above the screening threshold quantity (STQ) for the COI will also have to submit one, regardless of whether or not they have already been notified by ISCD that they are not considered to be a high risk facility.

Section 27.200(a) of 6 CFR provides the DHS Secretary the authority to, “at any time, request information from chemical facilities that may reflect potential consequences of or vulnerabilities to a terrorist attack or incident, including questions specifically related to the nature of the business and activities conducted at the facility”. Thus, the authority does exist for the wholesale ‘re-do’ of the Top Screen as outlined in the rumors that I have been hearing.

On the other hand, on page 15 of the ICR support document [.DOC download] submitted to OIRA, DHS is expecting only 1,000 facilities to submit Top Screens each year and on average half of those facilities will submit 2 Top Screens in a year, reflecting changes in their COI inventory. This hardly sounds like a wholesale requirement to re-do Top Screens.

I would expect ISCD to have a pretty good idea as to whether the changes in the risk tiering methodology will result in any changes in the Tiering level of existing facilities. I would not be surprised if ISCD were to notify such facilities to submit a new Top Screen. The notification of facilities that had previously been notified that they were not at high-risk of terrorist attack would be more problematic because of the numbers involved (about 45,000 facilities), but it would be possible on a case-by-case basis.

It must be remembered that existing CFATS facilities are already on a regulatory schedule {§27.210(b)} to re-submit Top Screens (in addition to the requirement to submit a new Top Screen when there is a material change in COI or processes involving those COI). So all CFATS facilities will have to submit the new Top Screen at some point in their future.

In Short


In short, ISCD is planning on rolling out their Congressionally mandated, revised and vetted risk assessment methodology later this year, probably in the Fall. This methodology will be used to determine which facilities are at high-risk of terrorist attack and thus covered by the CFATS program. It is also used to establish the Tier level (relative degree of high risk) that determines the relative level of coverage of the security measures included in the Site Security Plan based upon the Risk Based Performance Standards guidance.

The revised methodology can be expected to require changes in the information submitted in Top Screen and Security Vulnerability Assessment tools in the CSAT process. The new information could result in changes in the CFATS status of a chemical facility or the Tier rankings of covered facilities. All CFATS facilities will eventually have to submit data about their facility under the new Top Screen. All chemical facilities that have new COI added to their chemical inventories at or above the STQ or have an increase in inventories already reported to ISCD will also have to complete the new Top Screen.


More information is expected to be released at the Chemical Sector Security Summit next month.

Committee Hearings – Week of 6-26-16

This week only the Senate is in Washington; the House has already started their long 4th of July weekend. There are two hearings of potential interest to readers of this blog; both dealing with cybersecurity issues.

IOT and Transportation


The first hearing will be conducted this morning by the Senate Commerce, Science and Transportation Committee on “How the Internet of Things (IoT) Can Bring U.S. Transportation and Infrastructure into the 21st Century”. The witness list includes:

• Carlos Monje, DOT;
• Seleta Reynolds, Los Angeles Department of Transportation;
• Jordan Kass, C.H. Robinson;
• Doug Davis, Intel Corporation; and
• Robert Edelstein, AECOM.

Cybersecurity issues may be (hopefully) raised during this hearing.

DOD – Cybersecurity and Encryption



The Senate Armed Services Committee will be holding a hearing on Thursday on “National Security Cyber and Encryption Challenges”. This is a closed hearing so we will probably hear nothing about the actual discussion here. Admiral Rogers is currently the only scheduled witness for this hearing.

Saturday, June 25, 2016

Bills Introduced – 06-24-16

Neither the Senate nor the House were actually in Washington yesterday, but both bodies held pro forma sessions with 17 bills introduced in the House. Of these, one may have been of specific interest to readers of this blog:

HR 5579 To control the export of electronic waste in order to ensure that such waste does not become the source of counterfeit goods that may reenter military and civilian electronics supply chains in the United States, and for other purposes. Rep. Cook, Paul [R-CA-8]


I doubt that this bill will be, strictly speaking, a cybersecurity bill, but it could end up having an influence on cybersecurity activities. 

Thursday, June 23, 2016

ICS-CERT Publishes Three Advisories

Earlier today the DHS ICS-CERT published three new control system security advisories for products from Meinberg, Unitronics, and Rockwell.

Meinberg Advisory


This advisory describes multiple vulnerabilities in the Meinberg NTP Time Servers Interface. The vulnerabilities were reported by Ryan Wincey. Meinberg has produced a new version that mitigates the vulnerabilities. ICS-CERT reports that Wincey has verified the efficacy of the fix.

The vulnerabilities include:

• Twin stack-based buffer overflows - CVE-2016-3962 and CVE-2016-3988; and
• Privilege escalation - CVE-2016-3989.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to cause a buffer overflow condition that may allow escalation to root privileges.

Unitronics Advisory


This advisory describes a stack-based overflow vulnerability in the Unitronics VisiLogic product. The vulnerability was reported by Steven Seeley of Source Incite via ZDI. Unitronics has produced a new version that mitigates the vulnerability. There is no indication that Seeley has been given an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to execute arbitrary code.

The Unitronics CERT Compliance page reports that the vulnerability is in the 'Xceed Zip Compression Library' (XceedZip.dll), a 3rd party component from Xceed. Unitronics upgraded to version 6.5.16068.0 of that library in their updated version.

NOTE: Once again a vulnerability in a 3rd party library raises the question of what other control system programs are using the vulnerable version of this .DLL?
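The question above is one that can be answered locally: inventory every copy of the library on the engineering workstations and read the version baked into each file. The script below is an added example, not code from Unitronics, Xceed or ICS-CERT. The only fact it takes from the page is the library version Unitronics moved to, 6.5.16068.0; the page does not say which older builds are affected, so flagging every copy older than that build for review is this script's own assumption. It reads the version from the PE VS_FIXEDFILEINFO block (signature 0xFEEF04BD) rather than calling the Windows version API, so it also runs against a mounted image or a backup from a non-Windows host. The demo tree it builds at the end is constructed test data.

```python
"""Inventory copies of a third-party DLL and read their PE file versions.

Added example, not code from Unitronics, Xceed or ICS-CERT. The one fact taken
from the page is the library version Unitronics upgraded to, 6.5.16068.0. The
page does not say which older versions are affected, so treating every copy
older than that build as "review" is an assumption of this script.
"""
import os
import struct
import tempfile

TARGET_DLL = "XceedZip.dll"
PATCHED_VERSION = (6, 5, 16068, 0)   # version Unitronics moved to, per the page

# VS_FIXEDFILEINFO begins with dwSignature 0xFEEF04BD; dwFileVersionMS and
# dwFileVersionLS sit at byte offsets 8 and 12 from that signature.
_FIXEDFILEINFO_SIG = struct.pack("<I", 0xFEEF04BD)


def parse_file_version(data):
    """Return (major, minor, build, revision) from raw PE bytes, or None."""
    idx = data.find(_FIXEDFILEINFO_SIG)
    if idx < 0 or idx + 16 > len(data):
        return None
    ms, ls = struct.unpack_from("<II", data, idx + 8)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def read_file_version(path):
    with open(path, "rb") as f:
        return parse_file_version(f.read())


def find_dll_copies(roots, name=TARGET_DLL):
    """Yield every file under the roots whose basename matches, case-insensitively."""
    wanted = name.lower()
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fn in files:
                if fn.lower() == wanted:
                    yield os.path.join(dirpath, fn)


def classify(version, patched=PATCHED_VERSION):
    """'unknown' when no version resource was found, else compare to the patched build."""
    if version is None:
        return "unknown"
    return "ok" if version >= patched else "review"


def inventory(roots, name=TARGET_DLL, patched=PATCHED_VERSION):
    """Return [(path, version_tuple_or_None, status), ...] for every copy found."""
    out = []
    for path in find_dll_copies(roots, name):
        ver = read_file_version(path)
        out.append((path, ver, classify(ver, patched)))
    return out


def make_fake_pe_blob(version):
    """Constructed test data: just enough of a VS_FIXEDFILEINFO block to be parsed."""
    major, minor, build, rev = version
    ms = (major << 16) | minor
    ls = (build << 16) | rev
    return b"MZ" + b"\0" * 62 + _FIXEDFILEINFO_SIG + struct.pack("<III", 0x00010000, ms, ls)


def demo_on_constructed_tree():
    """Build a throwaway tree holding two fake copies and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        old_dir = os.path.join(tmp, "OldApp")
        new_dir = os.path.join(tmp, "NewApp", "bin")
        os.makedirs(old_dir)
        os.makedirs(new_dir)
        with open(os.path.join(old_dir, "XCEEDZIP.DLL"), "wb") as f:
            f.write(make_fake_pe_blob((6, 5, 15000, 0)))   # constructed older build
        with open(os.path.join(new_dir, TARGET_DLL), "wb") as f:
            f.write(make_fake_pe_blob(PATCHED_VERSION))
        return sorted((os.path.relpath(p, tmp), v, s) for p, v, s in inventory([tmp]))


if __name__ == "__main__":
    import sys
    roots = sys.argv[1:]
    rows = inventory(roots) if roots else demo_on_constructed_tree()
    for path, ver, status in rows:
        shown = ".".join(map(str, ver)) if ver else "?"
        print(f"{status:8} {shown:18} {path}")
```

Run it with the program directories to sweep as arguments (for example both Program Files trees on a Windows engineering workstation); with no arguments it runs on the constructed demo tree. A copy reported as "unknown" has no parseable version resource and needs a manual look; a vendor may also have renamed or statically linked the library, so a name-based sweep is a floor, not a ceiling.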


Rockwell Advisory


This advisory describes a resource management vulnerability in the Rockwell Allen-Bradley Stratix 5400 and Allen-Bradley Stratix 5410 industrial networking switches. The vulnerability is apparently self-reported.


ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to impact traffic (or packets) transiting the affected device.

ISCD Updates More FAQs – 06-23-16

Today the DHS Infrastructure Security Compliance Division (ISCD) updated nine of the frequently asked question (FAQ) responses on the CFATS Knowledge Center. The FAQ responses updated today were:


In each of these FAQ responses the earlier responses (dating back to 2008) simply referred the reader to the CSAT Registration User Guide; some with the link tagged to the page in an earlier version of the manual that addressed the issue raised in the FAQ. Today’s responses provide the actual explanation from that User Guide. This certainly provides a quicker response to the FAQ, but most of today’s responses do not provide links to the manual for further information.


NOTE: The four FAQ responses that I reported that still remained to be updated have not been updated for the new CSAT URL.

Wednesday, June 22, 2016

House Passes Two Cybersecurity Bills

Yesterday the House took up two cybersecurity bills under the suspension of the rules process and passed both by strongly bipartisan votes. HR 5388, the Support for Rapid Innovation Act of 2016 passed by a vote of 351 – 4. HR 5389, the Leveraging Emerging Technologies Act of 2016 passed by a vote of 347 – 8. In both cases the opposing votes came from Republicans.

HR 5388 includes specific control system security language. That language is in the section dealing with what types of research would be authorized under the new §319 of the Homeland Security Act of 2002. It would authorize research to “assist the development and support of technologies to reduce vulnerabilities in industrial control systems” {§319(b)(6)}. Still, no new funding for this research (or any of the cybersecurity research authorized by the bill) was provided in the bill, so the additional cybersecurity research effectively dilutes the money made available by DHS S&T for research grants.


Both bills now head to the Senate for consideration. If they do make it to the floor they will undoubtedly pass, but whether or not they are considered is an open question. I suspect that the best chance for their consideration is under the unanimous consent provisions, but that requires that no Senator object. With the minor conservative opposition in the House, the prospect of an objection by at least one conservative Senator is a very real possibility.

Tuesday, June 21, 2016

ICS-CERT Publishes Two Advisories

This afternoon the DHS ICS-CERT published two control system advisories for products from Schneider and Advantech.

Schneider Advisory


This advisory describes a cross-site scripting vulnerability in the Schneider Electric PowerLogic PM8ECC communications add-on module for the Series 800 PowerMeter. The vulnerability is apparently self-reported. Schneider has produced a firmware update for the module.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to inject arbitrary JavaScript in a specially crafted URL request where the response containing user data is returned to the web browser without being made safe to display.
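The sentence above is the textbook description of reflected cross-site scripting. The following is an added example and is not Schneider's PM8ECC firmware or ICS-CERT's text: the two handlers are a generic stand-in for "user data from the URL is returned to the browser without being made safe to display", one unescaped and one escaped, and the probe is the kind of check a scanner or pentester runs to tell them apart. The host address, parameter name and page layout are invented for illustration.

```python
"""Reflected XSS in miniature: unescaped reflection beside the escaped fix, plus a probe.

Added example; not Schneider's firmware and not ICS-CERT's text. The URL,
parameter name and page layout below are invented for illustration.
"""
import html
from urllib.parse import parse_qs, quote, urlsplit

PAGE = "<html><body><p>Meter label: {label}</p></body></html>"


def _param(url, name):
    """Return the first value of a query-string parameter, percent-decoded."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url):
    """Places the decoded parameter in the page as-is: whatever the user sends is markup."""
    return PAGE.format(label=_param(url, "label"))


def render_hardened(url):
    """Same page; the value is HTML-escaped for element content before insertion."""
    return PAGE.format(label=html.escape(_param(url, "label"), quote=True))


# Probe string carrying every character that can break out of element content.
CANARY = "<svg onload=alert(1)>\"'&"


def reflects_unescaped(render, param="label", base="http://192.0.2.10/status"):
    """Request the page with the canary and report whether it comes back verbatim."""
    url = "%s?%s=%s" % (base, param, quote(CANARY, safe=""))
    return CANARY in render(url)
```

The escaping shown is correct only for the context it targets: html.escape covers element content and quoted attribute values, while a value dropped into a script block or a URL needs JavaScript or URL encoding instead. A device that cannot be patched is usually best protected by keeping its web interface off routable networks and limiting which browsers can reach it at all.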

Schneider published their Security Notice on this vulnerability on May 11th, 2016.

Advantech Advisory


This advisory describes multiple vulnerabilities in the Advantech WebAccess product. The vulnerabilities were reported by Zhou Yu of Acorn Network Security. Advantech has produced a new version that mitigates the vulnerabilities. ICS-CERT reports that Zhou has had a chance to verify the efficacy of the fix.

The vulnerabilities include:

• Unsafe ActiveX controls marked as safe for scripting - CVE-2016-4525; and
• Classic buffer overflow - CVE-2016-4528.

ICS-CERT reports that a social engineering attack is required to exploit these vulnerabilities, but a successful exploit could allow an attacker to insert and run arbitrary code on an affected system.

The Advantech version notes for the new version (8.1_20160519) produced to correct these vulnerabilities mention ‘buffer-overrun’ vulnerabilities in BwAspObj.dll and cellvision.ocx, but they do not mention any ActiveX vulnerabilities. They do, however, mention a vulnerability that reveals the password in the Project User web page that was not mentioned in the ICS-CERT advisory.

Another Schneider Product Vulnerability



When looking for the Schneider Security Notice mentioned above I also found another Schneider product vulnerability reported on the Schneider web site. This Security Notice was for an elevation of privilege vulnerability in the Pelco Digital Sentry Video Management System.

Bills Introduced – 06-20-16

With the Senate in full session and the House meeting in pro forma session yesterday there were 16 bills introduced. Only one of those may be of interest to readers of this blog:

HR 5531 To amend title 46, United States Code, to improve maritime transportation, and for other purposes. Rep. Hunter, Duncan D. [R-CA-50]


This is the bill that I mentioned yesterday as being scheduled for markup on Thursday. In that post I suggested that the bill might include maritime security provisions. A draft copy of the proposed bill is available on the Committee web site. There are no maritime security provisions, but there is a requirement for the Coast Guard to establish a “land-based positioning, navigation, and timing system [emphasis added] to provide a complement to and backup for the Global Positioning System” {new 46 USC 80701(a)}. The current language does not mention the fact that some SCADA systems use GPS timing for control system synchronization; it would be nice if that were specifically addressed in the bill.

Monday, June 20, 2016

Congressional Hearing – Week of 6-19-16

Both the House and Senate will be in Washington again this week. There is less than a month left now before the summer recess; we will have to wait and see how successful Congress is in getting the spending bills completed. There will be two markup hearings (including the DHS spending bill) and hearings on military cyber operations.

DHS Spending


On Wednesday the House Appropriations Committee will be holding their markup of the FY 2017 DHS spending bill. This hearing was originally scheduled for last week.

Military Cyber Operations


On Wednesday the House Armed Services Committee will be holding a hearing on Military Cyber Operations. The witness list includes:

• Thomas Atkin, Office of the Secretary of Defense
• LTG Kevin McLaughlin, U.S. Cyber Command
• BG Charles Moore, Joint Staff, J-39


Maritime Security Markup


On Thursday the House Committee on Transportation and Infrastructure will hold a markup hearing on three bills, including the as yet unintroduced “Miscellaneous Maritime Transportation Amendments Act of 2016”. I am guessing that there will be some maritime security provisions.

On the Floor


On Tuesday the House will take up two bills of interest to readers of this blog under the suspension of rules provision. This means limited debate, no amendments and a 2/3 vote for passage. This generally means that the leadership considers the bill non-controversial. The two bills of specific interest are:

HR 5388, the Support for Rapid Innovation Act of 2016 (Sponsored by Rep. John Ratcliffe / Homeland Security Committee); and

HR 5389, the Leveraging Emerging Technologies Act of 2016.

ICS-CERT and the Secure Portal

Long time readers of this blog will undoubtedly remember me discussing (see here and here for example) the ICS-CERT use of the US-CERT Secure Portal to initially share control system advisories with a limited audience to allow critical infrastructure facilities a chance to address those vulnerabilities before their existence became public knowledge. Over the weekend, the DHS ICS-CERT added a new page to their web site describing how to gain access to these early releases of ICS-CERT advisories.

The new page introduces a new name for the US-CERT Secure Portal; apparently it is now called the NC4 Mission Center secure portal. I say apparently because a search of the US-CERT web site turns up no mention of that name. A Google search for the term does show a series of results for the NC4 Mission Center name (see here), but that is a trademarked name for an organization headquartered in El Segundo, CA that apparently markets cybersecurity services to the government and private sectors. Interestingly, a search of the NC4 web site for the term ‘ICS-CERT’ turns up no results.

The NC4 websites appear to be very carefully written to foster some level of confusion about whether or not the organization is directly affiliated with the Federal government. See for example here: “Leveraging its U.S. Federal Government heritage and experience garnered from supporting over 100,000+ operational users for over a decade, NC4 brings organizations proven and trusted, web-accessible, secure communication and collaboration solutions.” Though, to be fair, NC4 has apparently been around for some time, since it was mentioned (pg 18) in a 2011 US Army War College paper (.PDF Download).

To avoid confusion, and stop inadvertently sending people to do business with NC4, ICS-CERT really does need to clear up this name issue and go back to using the US-CERT Secure Portal terminology that is apparently still in use in the rest of DHS.


Still, I highly recommend that any critical infrastructure security manager with any level of responsibility for control system security join ICS-CERT on the US-CERT Secure Portal. The early notification of selected control system advisories could be very beneficial. 

Saturday, June 18, 2016

CG Announces NMSAC Meeting – 7-5-16

The Coast Guard is publishing a meeting notice in Monday’s Federal Register (81 FR 39939-39940; available on-line today) for a meeting of the National Maritime Security Advisory Committee. The public meeting will be conducted via teleconference.

Topics to be discussed during the meeting include:

• Coast Guard Cyber Security Tasking;

Cybersecurity Tasking


The NMSAC has been tasked (see the CG Homeport NMSAC Full Committee Meeting Minutes for September 29-30, 2015 for a list of the latest tasking statements; sorry, the CG does not use links) to take a look at the feasibility of forming a Maritime Information Sharing and Analysis Center (ISAC) to share cybersecurity related information with the maritime industry. NMSAC has been asked to answer three questions:

• Is a Cybersecurity ISAC in the best interest of the Maritime Industry?
• Is a Cybersecurity ISAC feasible?
• What elements/mechanisms should exist to actively engage and recruit participation in Cybersecurity ISAC?

Next Generation TWIC


A year ago the NMSAC was tasked with looking at potential card options and features for future development of a standard which is sensible, achievable, and timely for the NexGen TWIC. That tasking included the following questions to be addressed by NMSAC:

• Should TWIC consider additional markers, if it can be accommodated, such as a QR barcode detailing card care information?
• Should TWIC consider changes to the topographical features on the front or back of the TWIC card?
• Should TWIC permit reading of the facial image in the same manner as fingerprints? [The facial image would be readable without PIN and over contact OR contactless interface]?
• Although not readily available in the immediate future, should the TWIC be available as a virtual credential?
• What other additional information should be embedded in the TWIC, if any?

Extremely Hazardous Cargo Security


The NMSAC will receive a tasking at this meeting to work with the Chemical Transportation Advisory Committee to develop an implementation strategy for the Extremely Hazardous Cargo Security Strategy. The term ‘Extremely Hazardous Cargo’ describes a specific subset of Certain Dangerous Cargo (CDC) shipped in bulk by ship or barge. It includes bulk shipments of Chlorine, Ammonium Nitrate, Anhydrous Ammonia, LPG, and LNG. The requirement to establish this strategy was set by Congress in §812 of the Coast Guard Authorization Act for Fiscal Years 2010 and 2011 (PL 111-281).

Public Comments



There is a 15-minute period set aside for public comments during the teleconference. Written comments on the above topics may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # USCG-2016-0499). Written comment should be submitted by 6-27-16.

HR 5443 Introduced – PHMSA Accountability

Earlier this month Rep. Speier (D,CA) introduced HR 5443, the PHMSA Accountability Act. The bill would provide for mandamus actions under 49 USC Chapter 601, the Pipeline Safety Regulations.

The bill would amend 49 USC 60121 by adding:

“(e) Mandamus.—A person may bring a civil action in an appropriate district court of the United States to compel the Secretary to perform a nondiscretionary duty under this chapter that the Secretary has failed to perform.”

Moving Forward


Speier and five of her seven Democrat co-sponsors serve on the House Energy and Commerce Committee, one of the three committees to which this bill was referred for consideration. This means that there is at least some chance that the bill could be considered by that Committee. This bill is, however, controversial enough that I doubt that it will be considered this late in the session.

Even if the bill were considered in the Energy and Commerce Committee, I doubt that the Chairs of the Judiciary or Transportation and Infrastructure Committees would allow the bill to move to the floor of the House without their committee acting on the bill. Such actions are very unlikely to be forthcoming with no bill sponsors on those committees.

Commentary


Section 601021 already provides for bringing “a civil action in an appropriate district court of the United States for an injunction against another person (including the United States Government and other governmental authorities to the extent permitted under the 11th amendment to the Constitution) for a violation of this chapter or a regulation prescribed or order issued under this chapter”. All this bill does is provide specific authority for the court to issue a writ of mandamus to the Secretary.

Environmental activists have been very successful in using similar suits to compel the Administrator of the Environmental Protection Agency to undertake rulemaking activities that are required by legislation but have been stalled in the bureaucracy for any of a number of reasons. The number and complexity of the rulemaking activities required by Congress can frequently overload the limited resources of government agencies such as PHMSA. Administrators then have to pick and choose the rulemakings upon which they intend to expend their limited resources. This bill would provide a mechanism for ‘adjusting’ that prioritization.

Many business owners and conservative politicians are afraid that activist judges could issue writs mandating legally questionable rulemaking activities that a liberal administration might not actively fight if the rulemaking fit their political agenda. While the same could happen with a conservative political alignment, business owners seldom call for additional regulations upon their operations.


This is one of those issues that is not as clear cut as either side would like to argue. Technically this process is already allowed under §601021, but Courts are generally loath to order actions by the Executive Branch due to separation of powers issues. Those concerns are eased when Congress provides specific authorization to issue writs of mandamus.

Friday, June 17, 2016

House Passes HR 5293 – FY 2017 DOD Spending

Yesterday the House amended and passed HR 5293, the FY 2017 DOD Spending bill. The lengthy amendment process included the adoption of the one cybersecurity related amendment as part of an en bloc amendment consideration. The final tally on the bill was a partially bipartisan vote of 282 to 138.


The Senate will likely substitute language from S 3000 when it takes up the bill later this month or early next month. A conference committee will not complete work on the bill before the summer recess in mid-July. There is a distinct possibility that work will not be completed on this bill (and at least some/most other spending bills) prior to the end of the fiscal year resulting in a continuing resolution to keep the government functioning until after the election.

Thursday, June 16, 2016

Bills Introduced – 06-15-16

With the House and Senate both in session today there were 21 bills introduced. Of those, one may be of interest (okay, it will probably only be of interest to me):

HR 5493 To direct the Librarian of Congress to ensure that each version of a bill or resolution which is made available for viewing on the Congress.gov website is presented in a manner which permits the viewer to follow and track online, within the same document, any changes made from previous versions of the bill or resolution. Rep. Stefanik, Elise M. [R-NY-21]


This would make it so much easier to follow changes in bills during the legislative process. It is thus unlikely that this will pass.

ICS-CERT Publishes Moxa Advisory

Today the DHS ICS-CERT published a new control system security advisory for the Moxa Industrial Ethernet Switch PT-7728 series. The advisory describes an improper authorization vulnerability in the switch. The vulnerability was reported by Can Demirel. Moxa has produced an update to mitigate the vulnerability. Demirel has been provided an opportunity to verify the efficacy of the fix.


ICS-CERT reports that crafting an exploit for this remotely accessible vulnerability would require the use of a local proxy to interrupt traffic and update switch configuration.

ISCD Updates 3 More FAQ Responses – 06-16-16

Today the DHS Infrastructure Security Compliance Division (ISCD) updated three more frequently asked questions (FAQ) on the CFATS Knowledge Center. The following FAQs were updated:



FAQ #1662 received the same change that was made to the four FAQs yesterday. The change to #1606 (which was also changed yesterday) corrected a minor typo in the printed CSAT link that did not affect the use of the link. The change to #1387 was actually a change to the question, not the response. The original FAQ read: “When logged in to the TS, how do you know which role you are logged in as?” Today’s change should clear up any confusion about what ‘TS’ refers to. The response has not changed.


If you go back to the last time that the CSAT portal link was changed by DHS (5-11-16), it looks like we have at least one more to be changed: #1407. Also, doing a .PDF search of the latest list of all FAQs (.PDF download) shows that the ‘old link’ is still listed in FAQs #1363 and #1406 and in Article #1670. So it looks like we have a few more FAQ updates on this topic to go.

Wednesday, June 15, 2016

ISCD Updates CFATS FAQ – 06-15-16

This afternoon the folks at DHS ISCD updated the responses to four frequently asked questions (FAQs) on the CFATS Knowledge Center. These same four FAQs had similar updates on May 11th of this year.

Today’s update was a new change to the printed link (https://csat.dhs.gov/industry) to the Chemical Security Assessment Tool (CSAT). The actual URL for the CSAT tool (https://csat.dhs.gov/dana-na/auth/url_62/welcome.cgi) remains the same. The old links (even from before the 5-11-16 change) still work.


DHS Updates Terrorism Bulletin – 06-15-16

With less than a day left on the first NTAS Bulletin published on the National Terrorism Advisory System (NTAS) web site, DHS published a new NTAS Bulletin. With very few changes in wording between the two bulletins, we are seeing essentially an extension of the first bulletin until November 15, 2016. It is beginning to look like the ‘bulletin’ addition to the NTAS is a return to the old color coded system that the NTAS supplanted because the old system provided little information and never changed.

S 2943 Passed in Senate – FY 2017 NDAA

Yesterday the Senate completed consideration of S 2943, the FY 2017 National Defense Authorization Act. One additional amendment was adopted and then the bill passed by a strongly bipartisan vote of 85-13.

None of the amendments adopted during the consideration of this bill included cybersecurity language. The original bill did include significant cybersecurity provisions, including a requirement for DOD to conduct a cyber-informed engineering pilot program.

The House passed its own version of the NDAA (HR 4909) last month by a more partisan vote. There will almost certainly be a conference committee to iron out the differences between the two bills.


According to TheHill.com: “The White House is threatening to veto the Senate version [of the NDAA] over several of its policy provisions, including restrictions on Guantanamo Bay detainee transfers and a cap on the size of the White House National Security Council staff.” There were more than enough Yea votes on S 2943 to overcome a veto, so it is not clear that such a veto would actually be forthcoming if those provisions made it into the compromise bill.

Tuesday, June 14, 2016

HR 5293 Amendment Process - FY 2017 DOD Spending

The House Rules Committee completed work on their rule for the amendment process for HR 5293, the FY 2017 DOD spending bill. As expected the rule is a structured rule that will only allow for the consideration of 75 specific amendments. Only one of those amendments is cybersecurity related, providing funding for the Information Assurance Scholarship Program for DOD personnel.

Cybersecurity Provisions in Bill


There were no specific cybersecurity provisions in the actual bill and there was only a single limited mention of cybersecurity issues in the Committee Report supporting the bill. That two paragraph mention notes that the funding in the bill provides a $992 million increase in cybersecurity related spending throughout the bill over the FY 2016 spending. The second paragraph mentioned the Committee’s concerns about recruiting and retaining a trained and qualified cyber workforce.

Cybersecurity Amendment



The one cybersecurity amendment is # 54 proposed by Rep. Aguilar (D,CA). It would take $5 million out of the $32 billion Operation and Maintenance, Defense-Wide, account to provide funding for the Information Assurance Scholarship Program. The funding for this program, initiated in 2012, has been hit and miss.

Two New Cybersecurity Hearings

Today the House Homeland Security Committee added two new hearings on cybersecurity topics for this week.

The Hearings


On Wednesday the Cybersecurity, Infrastructure Protection, and Security Technologies Subcommittee will be holding a hearing on “Oversight of the Cybersecurity Act of 2015”. This is the second hearing on the CSA scheduled for tomorrow. The witness list includes:

• Matthew J. Eggers, U.S. Chamber of Commerce
• Robert H. Mayer, United States Telecom Association
• Mark G. Clancy, Soltra

On Thursday the Emergency Preparedness, Response and Communications Subcommittee will hold a markup hearing on three bills, one of which is HR 5459, the Cyber Preparedness Act of 2016. The text of the bill is not yet available from the GPO, but a committee draft is available.

HR 5346 Draft


Section 2 of the bill would amend 6 USC 124h, adding cybersecurity information sharing responsibilities to the existing “homeland security information, terrorism information, and weapons of mass destruction information” sharing requirements for Fusion Centers in paragraphs (b)(6), (b)(8) and (d)(a). It would also amend 6 USC 148, adding requirements for the National Cybersecurity and Communications Integration Center to provide support to Fusion Centers.

Section 3 of the bill would add “enhancing cybersecurity, including preparing for and responding to cybersecurity risks and incidents” to the list of types of projects for which a variety of Homeland Security Grants can be used.

No additional funds are authorized by this bill.

Commentary



The language of HR 5346 does not change the existing language in §148 that limits the term ‘information system’ to classic IT systems, not control systems. There is no language in §124h defining ‘cybersecurity risk information’ so a broad use of that term could conceivably include risk information about control systems, but I would be surprised to see that broader definition used in practice due to the shortage of control system security experts, especially since no additional funds are being made available.

ICS-CERT Publishes Two OSIsoft PI Advisories

This afternoon the DHS ICS-CERT published twin advisories for control system vulnerabilities in OSIsoft PI products. Both advisories were based upon self-disclosed vulnerabilities.

AF Server Advisory


This advisory describes an input validation vulnerability in the PI AF Server. OSIsoft has produced a new version that mitigates the vulnerability.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability to execute a denial of service attack.

ICS-CERT reports that the vulnerability is limited to Port 5459 and lists the two OSIsoft products (and versions) that require access to the port. OSIsoft provides a tech document that lists all of the port requirements for the AF Server. ICS-CERT also suggests limiting access to the AF Server, and OSIsoft notes that the “Built-in PI AF Identity "World" is mapped to the Windows Everyone users group by default” and suggests replacing that PI AF Identity.

SQL Database Access Server Advisory


This advisory describes an input validation vulnerability in the PI SQL Data Access Server. OSIsoft has produced a new version that mitigates the vulnerability.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to cause the server to stop responding in a way that may cause an incomplete update, resulting in partial data loss.


ICS-CERT reports that the vulnerability is limited to Ports 5461 and 5462 and lists the two OSIsoft products (and versions) that require access to the ports. OSIsoft provides a tech document that lists all of the port requirements for the AF Server.

Bills Introduced – 06-13-16

Yesterday with both the House and Senate in session there were 16 bills introduced. Of these, only one may be of specific interest to readers of this blog:

HR 5459 To amend the Homeland Security Act of 2002 to enhance preparedness and response capabilities for cyber attacks, bolster the dissemination of homeland security information related to cyber threats, and for other purposes. Rep. Donovan, Daniel M., Jr. [R-NY-11]


Cybersecurity bills continue to proliferate. It will be interesting to see what this one adds to the information sharing universe.

HR 5312 Passes in House – Cybersecurity Research

Yesterday the House passed HR 5312, the Networking and Information Technology Research and Development Modernization Act of 2016. The bill was ‘debated’ for twenty minutes, but nary a negative word was heard. The final vote was a strongly bipartisan 385-7, with most of the negative votes coming from Republicans.

The bill does add the term ‘cyber-physical system’ to the definitions in the High-Performance Computing Act of 1991 (15 USC Chapter 81), but it limits it to large, complex systems “whose networking and information technology functions and physical elements are deeply integrated”. No additional funding is provided for the research that this bill supports. This means that the existing funding is being diluted by expanding the areas of research authorized.


With no serious opposition to the bill, it is likely that, if the bill is considered in the Senate (not a foregone conclusion by any means), it would be considered under the unanimous consent process.

Monday, June 13, 2016

Committee Hearings – Week of 6-12-16

The House and Senate are both in Washington this week, trying hard to get the important bills passed before they take their election year lengthened summer recess in mid-July. There are six hearings currently scheduled for this week that may be of interest to readers of this blog: three spending bill hearings, one cybersecurity hearing, one Coast Guard hearing and one pipeline safety hearing.

Spending Bills


The House Rules Committee is holding a hearing as I write this blog to determine the rule for the consideration of HR 5293, the FY 2017 DOD spending bill. The Republicans are going to be backing off of open rules for these spending bills to ensure that Democrats don’t add poison pill amendments that will prevent the bills from passing (help pass a moderately liberal amendment that draws the ire of the hardcore conservatives and then vote against the final bill). We will only see some amendments in today’s rule.

Tomorrow the Rules Committee will hold their second hearing on HR 5293 to set out the remainder of the amendments that will be considered on the floor of the House.

The House Appropriations Committee will be meeting Tuesday to markup the FY 2017 DHS spending bill.

Coast Guard Hearing


The Coast Guard and Maritime Transportation Subcommittee of the House Transportation and Infrastructure Committee will be meeting Tuesday to look at “Coast Guard Mission Needs and Resources Allocation”. The hearing will probably not address chemical transportation safety or security issues. The witness list is short:

• Admiral Michel, United States Coast Guard; and
• Jennifer Grover, US GAO

Cybersecurity


The House Homeland Security Committee will be holding a hearing on Wednesday to look at “The Cybersecurity Act of 2015: Industry Perspectives”. The witness list includes:

• Matthew J. Eggers, U.S. Chamber of Commerce
• Robert H. Mayer, United States Telecom Association
• Mark Clancy, Soltra
• Mordecai Rosen, CA Technologies
• Ola Sage, e-management

Pipeline Safety


The Senate Energy and Natural Resources Committee will be holding a hearing on Tuesday to “Examine oil and gas pipeline infrastructure and the economic, safety, environmental, permitting, construction, and maintenance considerations associated with that infrastructure.” The witness list includes:

• Andrew Black, Association of Oil Pipe Lines;
• Sean McGarvey, North America's Building Trades Unions;
• Paul W. Parfomak, Congressional Research Service;
• N. Jonathan Peress, Environmental Defense Fund

On the Floor

Earlier this afternoon the House considered HR 5312, the Networking and Information Technology Research and Development Modernization Act of 2016. A vote will take place later this evening or tomorrow. Later this week the House will consider HR 5293 described above.


The Senate will be finishing up consideration of S 2943, the FY 2017 National Defense Authorization Act. As of this morning none of the amendments that have been mentioned in this blog have been considered and there is no telling if any will make it to the floor. After action is completed on S 2943, the Senate will take up S 2837, the FY 2017 Commerce, Justice and Science spending bill.

S 3024 Introduced – Small Business Cybersecurity Support

Last week Sen. Vitter (R,LA) introduced S 3024, the Small Business Cyber Security Improvements Act of 2016. The bill would amend 15 USC 648 to add cybersecurity services to those currently offered by Small Business Development Centers (SBDCs).

SBDC Changes


Section 2 of the bill would add “providing access to external cyber security specialists to counsel, assist, and inform small business concerns”, to the list of possible services provided by SBDCs under §648(c).

Section 3 of the bill would add a provision to §648(a) that would allow DHS to “provide assistance to small business development centers, through the dissemination of cyber security risk information and other homeland security information, to help small business concerns in developing or enhancing cyber security infrastructure, cyber threat awareness, and cyber training programs for employees”.

Section 4 would require a GAO study of current GAO cybersecurity resources. It would also require the Administrator of the Small Business Administration (SBA) to develop a cybersecurity strategy for the SBDCs.

Moving Forward


Vitter’s bill was reported out of the Senate Small Business and Entrepreneurship Committee last week without amendment or written report. This is not unexpected since Vitter is the Chair of that Committee. It remains to be seen if Vitter can get this bill before the full Senate before the summer recess in the middle of July. Lacking that I do not expect that the bill would be considered by the Senate.

If the bill does make it to the floor, it will probably be considered under the unanimous consent provisions at the end of a day. There is little or nothing that would bring any objections from the floor.

Commentary



The cybersecurity language in this bill is the most neutral language that I have seen, never mentioning either information technology or control system technology or any of their code words. So the bill would theoretically allow the SBDCs to provide control system security support as part of this program. The difference, however, between allowing such support and actually providing such support is quite large. I really would not expect most centers to provide ICS security support.