Wednesday, November 30, 2016

House Passes S 546, the RESPONSE Act

Yesterday the House passed S 546, the RESPONSE Act, by a voice vote. There was less than five minutes of debate on the bill; mainly praise for the leadership of the House Transportation and Infrastructure Committee’s efforts to refine the provisions of the bill.


The bill now goes back to the Senate for action on the amended language. The Senate will probably accept the House changes and send the bill to the President. This will most likely be accomplished under the Senate’s unanimous consent process. If the Senate does insist on their language, there is little chance that a conference committee could complete action before the 114th Congress’ final session sometime towards the middle of December.

HR 6393 Introduced – FY 2017 Intel Authorization

Last week Rep. Nunes (R,CA) introduced HR 6393, the Intelligence Authorization Act for Fiscal Year 2017. This bill is apparently a replacement for both HR 5077 (which passed in the House in a strongly bipartisan vote) and S 3017. Both of those bills have stalled in the Senate. I suspect that Nunes and his Committee staff have coordinated with their Senate counterparts to remove/revise any provisions from the earlier bill that have held up consideration.

The cybersecurity intelligence report on US port operations requirement from HR 5077 remains in the new bill. Interestingly, Dr. Andy Ozment, the Assistant Secretary for Cybersecurity and Communications at the Department of Homeland Security (DHS), published an opinion piece on CSOOnline.com Monday that describes the ICS-CERT response to a cyberattack on a US port control system earlier this year. Other than failing to note that there are only 13 of the vulnerable systems in use worldwide, the article does describe the ICS-CERT process fairly concisely.


HR 6393 is scheduled to be considered on the floor of the House today under the suspension of rules provisions. This provides for limited debate and no amendments from the floor. This bill should pass with strong bipartisan support. I suspect that the Senate will take up the bill under their unanimous consent procedures before the end of the lame duck session.

Tuesday, November 29, 2016

ICS-CERT Publishes 3 Emerson Advisories

Today the DHS ICS-CERT published three control system security advisories for three products from Emerson. I’m also reporting an update for a previously published advisory for a product from Schneider; the update was published last week.

DeltaV Wireless I/O Card Advisory


This advisory describes an open SSH port vulnerability in the Emerson DeltaV Wireless I/O Card. The vulnerability is apparently self-reported. Emerson has produced a firmware update to mitigate the vulnerability.

ICS-CERT reports that it would be difficult to develop a working exploit of this vulnerability, but it could be remotely exploited to access the file system of devices using the affected product.

DeltaV Easy Security Management Advisory


This advisory describes an improper privilege management vulnerability in the Emerson DeltaV Easy Security Management application. Apparently, this is a self-reported vulnerability. Emerson is discontinuing support for this application.

ICS-CERT reports that local network access is required to exploit this vulnerability, but that constructing an exploit would be difficult. A successful exploit would allow an attacker to elevate privileges within a DeltaV control system.

Liebert SiteScan Advisory


This advisory describes an XML external entity vulnerability in the Emerson Liebert SiteScan application. The vulnerability was reported by Evgeny Ermakov from Positive Technologies. Emerson has produced patches to mitigate the vulnerability.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability, which may lead to the disclosure of confidential data, denial of service (DoS), server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

Schneider Update


This update provides additional information about which affected versions require a reboot to recover from the denial of service. It also provides a link to the Schneider security notice that I mentioned.

BTW: Last Friday Siemens Tweeted about a new advisory and an update of another advisory. I had been expecting those to be reported by ICS-CERT today. Because of the holiday I did not notice them until yesterday.

HR 6381 Introduced – Homeland Security Improvements

Earlier in the lame duck session Rep. McCaul (R,TX) introduced HR 6381, the ‘DHS Reform and Improvement Act’. This is essentially a DHS authorization bill, except that it only specifically authorizes funds for some of the programs described in the bill, not for the Department as a whole. The bill has been cobbled together from a wide variety of previously introduced (and in some cases amended) bills.

The bill is as wide-ranging as the coverage of DHS itself. Sections within this bill that may be of specific interest to readers of this blog include:

Sec. 101. Drone assessment and analysis;
Sec. 212. Transportation Worker Identification Credential waiver and appeals process;
Sec. 533. Medical Countermeasures Program;
Sec. 601. Cybersecurity and Infrastructure Protection Agency;
Sec. 701. Improving cybersecurity risk assessments, information sharing, and coordination;
Sec. 702. Cybersecurity enhancements to maritime security activities;
Sec. 703. Vulnerability assessments and security plans;
Sec. 801. Authorization of the National Computer Forensics Institute of the Department of Homeland Security;
Sec. 901. CBRNE Office;
Sec. 902. Chemical Division;
Sec. 1901. [Cybersecurity] Information sharing;
Sec. 1902. Homeland security [cybersecurity] grants;
Sec. 2101. Cybersecurity research and development projects;
Sec. 3001. State and local coordination on cybersecurity with the National Cybersecurity and Communications Integration Center;
Sec. 3231. Surface Transportation Inspectors; and
Sec. 3234. Security training for frontline transportation workers.

I am not going to attempt to describe the provisions of all of the above sections; I’ve dealt with each of them in discussing their source legislation. Suffice to say there is nothing new here and I have not been able to find any significant changes in any of the provisions.

It looks like McCaul is making one last attempt to get Congress to address all of these homeland security issues. Addressing the individual bills piecemeal in the lame duck session is simply not possible, even under suspension of the rules. There is a remote chance that this bill could be considered, but first McCaul has to convince nine other Committee Chairs to sign off on the bill before it comes to the floor.


I suspect that the bill could pass with some bipartisan support. The question is whether or not there is enough bipartisan support to allow the bill to be considered under suspension of the rules. If not, the bill is unlikely to be considered in the House and would never be considered in the Senate before the end of the session.

House Reports S 546, the RESPONSE Act

Earlier in the lame duck session the House Transportation and Infrastructure Committee published their report on S 546, the RESPONSE Act that was passed in the Senate back in May. The Committee made some minor revisions to the bill and that revised version will be considered on the floor of the House today under suspension of the rules. This means that the Republican leadership expects the bill to pass with substantial bipartisan support.

Revisions


The revisions made by the Committee in September did not reverse any of the changes made by the Senate to the original language (the same language seen in HR 1043). They did, however, include:

• Adding the PHMSA Chief Safety Officer to, and removing the Federal Motor Carrier Safety Administration Chief Safety Officer from, the RESPONSE Subcommittee;
• Adding ‘Rail Labor’ to the types of non-governmental organizations to be represented on the Subcommittee;
• Removing requirements for twice-annual subsequent meetings of the Subcommittee;
• Removing provisions allowing the Transportation Secretary to extend the life of the Subcommittee; and
• Changing the termination of the Subcommittee to 90 days after submission of its report.

Moving Forward


This bill will almost certainly pass in today’s session in the House. There is a strong likelihood that the amended bill will be reconsidered in the Senate, probably under their unanimous consent provisions, and sent to the President.

Commentary


This is another good example of Congress pushing the requirement to develop effective regulation of a complex topic to the relative expertise found in the Executive Branch (with outside technical assistance). Congress will still, of course, have to take the recommendations of the Subcommittee and turn them into actual legislation. This has met with mixed success in the past, but we can always hope that something good will come out of this effort.

The major drawback to this type of legislative development is that it will take some amount of time (at least a year) for the Subcommittee to do its work, then even more time (maybe two more years) for Congress to act on that report, and then even more time (three to five years) to develop the regulations needed to put that legislation into effect. This is why problems take so long to be ‘effectively’ addressed by the government.


In the meantime, if we have another major crude oil incident where there is a major loss of life or property damage due to a poor response by local agencies, we can expect a knee-jerk over-reaction by Congress that will mandate immediate implementation of poorly understood response activities that will only end up making matters worse. Fortunately, low crude oil prices have reduced the number of crude-oil trains substantially, reducing the chances of a catastrophic accident.

Wednesday, November 23, 2016

Bills Introduced – 11-22-16

Yesterday, with both the House and Senate out of town for the Thanksgiving holiday, there were two bills introduced in the House in a pro-forma session. Of those one may be of specific interest to readers of this blog:

HR 6393 To authorize appropriations for fiscal year 2017 for intelligence and intelligence-related activities of the United States Government, the Community Management Account, and the Central Intelligence Agency Retirement and Disability System, and for other purposes. Rep. Nunes, Devin [R-CA-22]


This bill is very likely to be considered and passed in some form during the lame duck session. I will be watching the unclassified provisions of the bill for cybersecurity provisions.

Tuesday, November 22, 2016

ICS-CERT Publishes Two Siemens Advisories and an Update

Today the DHS ICS-CERT published two control system security advisories for separate Siemens SIMATIC products. They also updated a third Siemens advisory that was originally reported on November 8th, 2016. These were reported by Siemens earlier on TWITTER (here, here and here).

Siemens SIMATIC CP 1543-1 Advisory 


This advisory describes two vulnerabilities in the Siemens SIMATIC CP 1543-1 communications processor. The vulnerabilities were reported by SOGETI via Agence nationale de la sécurité des systèmes d’information (ANSSI). Siemens has produced a firmware update to mitigate the vulnerabilities. There is no indication that SOGETI has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Improper input validation - CVE-2016-8561; and
• Improper privilege management - CVE-2016-8562

ICS-CERT reports that it would be difficult to craft a workable exploit of these vulnerabilities, but that they could be exploited remotely to elevate privileges on the affected devices or cause a denial-of-service condition. Siemens reports that: “Vulnerability 2 only applies if SNMPv1 is activated or SNMPv3 write access is activated.”

Siemens SIMATIC CP 343-1 Advisory 


This advisory describes two vulnerabilities in multiple Siemens SIMATIC products. The vulnerabilities were reported by Inverse Path auditors and the Airbus ICT Industrial Security team. Siemens has produced a new firmware version for some of the affected products and a workaround for the others. There is no indication that either reporting organization was provided an opportunity to verify the efficacy of the fix.

The reported vulnerabilities are:

• Insufficient verification of data authenticity - CVE-2016-8673; and
• Sensitive cookie in HTTPS session without secure attribute - CVE-2016-8672

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to perform operations as an authenticated user. Siemens reports that the first vulnerability would require a social engineering attack.

Siemens Update



This update provides updated affected version data and mitigation information for WinCC v7.3.

Saturday, November 19, 2016

DHS Updated NTAS Bulletin – 11-15-16

Did you notice the homeland security uproar this week? Well, neither did I. But DHS did issue a new National Terrorism Advisory System (NTAS) bulletin on Tuesday. Why the lack of fear and consternation? It was just a continuation of the two previously issued bulletins (here and here).

An alert reader may have noticed that on Tuesday the NTAS widget on this blog (upper right side) changed from reporting a bulletin to reporting ‘ACTIVE BULLETIN’. I’m sure that it caught everyone’s attention.

To be fair, DHS does have an information sharing conundrum. There is undoubtedly some level of existing threat of a terrorist attack in the United States. What real information there may be about specific threats known to the government will not be (and almost certainly shouldn’t be) shared by DHS while the government takes steps to prevent those attacks from unfolding.


But we do want them to tell us something, right? So we get another of these non-information bulletins. And it has become a non-event, as we should have expected. Not quite as ignored as the old color-coded threat levels that the NTAS replaced, but still ignored enough that when the system is used to share real information, it will probably be ignored. Of course, that won’t be a real problem because there will certainly be an official announcement that will make the news.

Bills Introduced – 11-18-16

Yesterday with only the House in a very short session there were 12 bills introduced. One of those bills may be of specific interest to readers of this blog:

HR 6381 To provide for certain homeland security improvements, and for other purposes. Rep. McCaul, Michael T. [R-TX-10]


This looks like it could be a very wide-ranging bill, as it was referred to ten committees for consideration. This could be interesting.

Public ICS Vulnerability Disclosure – 11-19-16

This week SEC Consult Vulnerability Lab published a report about multiple vulnerabilities in the I-Panda SolarEagle - Solar Controller Administration Software. The reported vulnerabilities include:

• Broken local admin authentication;
• Missing server side authentication;
• Unencrypted communication; and
• Denial of service


SEC Consult reported that they attempted to coordinate the disclosure with the vendor but got no response.

Friday, November 18, 2016

OMB Publishes Fall 2016 Unified Agenda – DHS

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) published the Fall 2016 Unified Agenda, outlining the current state of planned rulemakings by the Executive Branch. While the Obama Administration may be on its way out, the various agencies of the Federal government still have on-going rulemaking activities that will probably continue in the new administration.

The list of on-going rulemakings in the Department of Homeland Security shows the typical movement of the rule making process. The active rulemakings that may be of specific concern for readers of this blog are shown in Table 1 below.

Agency   Stage                Rulemaking
------   -----                ----------
OS       Final Rule           Petitions for Rulemaking, Amendment, or Repeal
OS       Proposed Rule        Chemical Facility Anti-Terrorism Standards (CFATS)
OS       Proposed Rule        Homeland Security Acquisition Regulation: Safeguarding of Sensitive Information
USCG     Final Rule           Revision to Transportation Worker Identification Credential (TWIC) Requirements for Mariners
USCG     Final Rule           2013 Liquid Chemical Categorization Updates
TSA      Prerule              Surface Transportation Vulnerability Assessments and Security Plans
TSA      Proposed Rule        Security Training for Surface Transportation Employees
TSA      Proposed Rule (New)  Vetting of Certain Surface Transportation Employees

Table 1: Current Rulemakings

The only ‘new’ rulemaking on the list is the last one, Vetting of Certain Surface Transportation Employees. This rulemaking is based upon a congressional mandate from 2008 (PL 110-53). The specific requirements of that mandate can be found in 6 USC §1140 (public transportation), §1143 (public transportation), §1162 (railroads), and §1170 (railroads).

OIRA also published the listing of ‘long-term actions’, rulemakings that are technically on-going but without any specific plans for the date of the next action in the rulemaking process. The DHS rulemakings on that list are shown in Table 2 below.

Agency   Rulemaking
------   ----------
OS       Ammonium Nitrate Security Program
OS       Updates to Protected Critical Infrastructure Information
USCG     Transportation Worker Identification Credential (TWIC); Card Reader Requirements
USCG     Updates to Maritime Security
USCG     Amendments to Chemical Testing Requirements
TSA      Protection of Sensitive Security Information
TSA      General Aviation Security and Other Aircraft Operator Security

Table 2: Long-Term Actions


There is a continual switching of items between the current agenda and the long-term actions list. Nothing should be read into that other than that DHS does not intend to see action on the items in the long-term actions list in the foreseeable future. Just remember that the items listed on the current Unified Agenda have mainly been there for some time and the time estimates provided for the next action may have no connection to reality.

Bills Introduced – 11-17-16

Yesterday with both the House and Senate in lame duck session there were 70 bills introduced. Of those one may be of specific interest to readers of this blog:

HR 6337 To amend title 49, United States Code, with respect to the definition of urbanized area, and for other purposes. Rep. Weber, Randy K., Sr. [R-TX-14]


I’ll be watching this bill to see if it affects chemical transportation safety or security.

Thursday, November 17, 2016

ICS-CERT Publishes Two Advisories

Today the DHS ICS-CERT published two control system security advisories for products from Moxa and Vanderbilt Industries.

Moxa Advisory


This advisory describes multiple vulnerabilities in the Moxa SoftCMS Webserver Application. The vulnerabilities were reported by Zhou Yu (through the Zero Day Initiative) and Gu Ziqiang from Huawei Weiran Labs. Moxa has produced an update to mitigate the vulnerabilities. ICS-CERT reports that both researchers have validated the efficacy of the fix.

The reported vulnerabilities are:

• Improper input validation - CVE-2016-9332;
• Double free - CVE-2016-8360; and
• SQL injection - CVE-2016-9333

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to execute arbitrary commands on the target system, as well as gain access to administrative functions of the application.

Vanderbilt Industries Advisory


This advisory describes an insufficiently protected credentials vulnerability in the Siemens-branded IP cameras from Vanderbilt Industries. Vanderbilt bought the security product line from Siemens in 2015. It appears that Siemens produced updates for the cameras that mitigate the vulnerability.

ICS-CERT reports that a relatively unskilled attacker with network access to the web server could remotely exploit this vulnerability to allow the attacker to obtain administrative credentials.


It is interesting that Siemens published a Security Notice for this vulnerability and publicized that notice on TWITTER®. BTW: I can find no mention of this vulnerability on the Vanderbilt Industries web site.

Wednesday, November 16, 2016

Missed Another ICS-CERT Advisory Update – 11-15-16

Last night when I did my blog post on the latest from ICS-CERT I failed to notice that the previous advisory for the CA Technologies Unified Infrastructure Management application had been updated. Readers will remember that I described that original advisory earlier this week. Fortunately, I did see (and retweeted) the ICS-CERT tweet on the update last night.


The update is relatively minor. It adds a link to the CA Technologies security notice about the vulnerability. I reported that link in my earlier post. Unfortunately, the revised advisory does not address the two additional vulnerabilities reported by CA Technologies in their notice (that I also mentioned earlier). Perhaps another update will address those.

Tuesday, November 15, 2016

ICS-CERT Publishes Advisory and IOT Security Documents

Today the DHS ICS-CERT published a control system security advisory for a product from Lynxspring. They also established a new web page and published two documents related to cybersecurity for internet-of-things (IoT) devices.

Lynxspring Advisory


This advisory describes multiple vulnerabilities in the Lynxspring BAS Bridge application. The vulnerabilities were reported by Maxim Rupp. Lynxspring reports that the BAS Bridge has been discontinued and recommends that owners upgrade to the Onyxx Bridge product.

The reported vulnerabilities are:

• Permissions, privileges and access controls - CVE-2016-8357;
• Missing authentication for critical function - CVE-2016-8361;
• Insufficiently protected credentials - CVE-2016-8378; and
• Cross-site request forgery - CVE-2016-8369.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerabilities to change permissions and access controls and gain access to the system.

IOT Security


The new IOT web page provides links to two new IoT security publications:

IOT Fact Sheet; and

The IoT security discussion is based upon six principles:

• Incorporate Security at the Design Phase;
• Advance Security Updates and Vulnerability Management;
• Build on Proven Security Practices;
• Prioritize Security Measures According to Potential Impact;
• Promote Transparency across the IoT; and
• Connect Carefully and Deliberately

The Fact Sheet briefly describes these principles and the Strategy document fleshes out the discussion. Nothing really new in the discussion, but it is all brought together into a single document. The Strategy is written at a slightly more technical level than most recent ICS-CERT documents, directed more at CIOs and security managers than CEOs. It also provides a fairly diverse set of links in the Guidance and Additional Resources Appendix (I was especially pleased to see links to two documents from I Am The Cavalry: the Five Star Automotive Cyber Safety Framework and the Hippocratic Oath for Connected Medical Devices).

This discussion addresses the technical issues, but only briefly touches on the underlying problem of the wide diversity of IoT devices, vendors and users. Trying to get all of the parties to understand the state of the problem and the necessity of taking care of the problem cannot be overlooked in any discussion of IoT security. One area of that problem that receives very little attention in these documents is how to deal with the currently installed base (and devices already in the supply chain) of IoT devices that meet none of the principles discussed in the document.


To be fair to ICS-CERT, these problems are more political and sociological than technical. It would have been nice, however, for ICS-CERT to have at least identified these problems in these documents.

Monday, November 14, 2016

Committee Hearings – Week of 11-13-16

Congress heads back to Washington today to start their lame duck session. What will be accomplished in this session is more up in the air than normal because of the unexpected (by most folks) results of last week’s election. The hearing schedule is pretty light this week (and will probably change as the week progresses) with only one hearing of possible specific interest to readers of this blog.

Automated Vehicles


On Wednesday, the Transportation, Housing and Urban Development, and Related Agencies Subcommittee of the Senate Appropriations Committee will hold a hearing on “The Automated & Self-Driving Vehicle Revolution: What Is the Role of Government?” The witness list includes:

• Mark Rosekind, National Highway Traffic Safety Administration;
• Deborah Hersman, National Safety Council;
• Paul Brubaker, The Alliance for Transportation Innovation; and
• Nidhi Kalra, RAND Center for Decision Making Under Uncertainty

On the Floor


Nothing of specific interest to readers of this blog is currently scheduled to make it to the floor of the House this week. I do want to briefly mention one bill, however, that will be considered under a rule this Wednesday; HR 5982, Midnight Rules Relief Act of 2016.

This bill is being touted as a way to stop some of the last minute regulations being promulgated by the outgoing Obama Administration. While it looks like it targets any regulation issued in the last year of an outgoing Administration, it does nothing to change the 60-day requirement for the introduction of a joint resolution of disapproval in 5 USC 802(a). It may make it easier to obtain a favorable vote on such a resolution (and more importantly on a subsequent veto override vote) by bundling a number of rules into the same resolution. Such bundling could provide for some vote trading to get enough votes to override a presidential veto.


Veto overrides are tough (especially in the current congressional split). That means that for these disapproval resolutions to really be effective, the approved bill must be sent to the new President for signing, evading the possibility of a veto. This effectively means that only regulations published in the last two months of the outgoing administration have any real chance of being cancelled by Congress in this manner. This is one of the reasons that the Obama Administration’s OMB has been trying real hard to ensure that any potentially offensive regulations have already been published.

Thursday, November 10, 2016

ICS-CERT Publishes One Advisory and Updates Another

Today the DHS ICS-CERT published a new control system security advisory for a product from CA Technologies. Earlier this week I missed the fact that they also updated a previously published (and much updated) advisory for multiple products from Siemens.

CA Technologies Advisory


This advisory describes a directory traversal vulnerability in the CA Technologies Unified Infrastructure Management application. The vulnerability was reported by Andrea Micalizzi (rgod), working with Zero Day Initiative. CA Technologies has produced an update to mitigate the vulnerability. There is no indication that Andrea has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to create or overwrite critical files that are used to execute code, such as programs or libraries.

The CA Technologies Security Notice (not referenced in the ICS-CERT Advisory) includes two additional vulnerabilities:

• Insecure handling of session IDs - CVE-2016-9164; and
• Path traversal information disclosure - CVE-2016-9165

Latest Siemens Update



This update provides updated affected version information for SIMATIC S7 products. It also provides links for new updates for various SIMATIC S7 products. The latest update of the Siemens Security Notification also notes that Siemens corrected fix information for PCS 7 V8.0 and V8.1.

Wednesday, November 9, 2016

OMB Approves TSA Surface Transportation Security Training NPRM

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a notice of proposed rulemaking (NPRM) from the DHS Transportation Security Administration (TSA) regarding transportation security training requirements for surface transportation organizations. The rulemaking was submitted to the OMB back in July.

This rulemaking was required by Congress in 2007 in the Implementing Recommendations of the 9/11 Commission Act of 2007 (PL 110-53). Security training requirements for surface transportation organizations were specifically required by:

Section 1408 (6 USC 1137), Public transportation security training program;
Section 1517 (6 USC 1167), Railroad security training program;
Section 1534 (6 USC 1184), Over-the-road bus security training program.

Congress required each of these training program rules to be established within six months of the enactment of the bill (August 3, 2007). Each of these training program requirements includes the same program elements, including the requirement to submit those training programs to DHS for approval.


There have recently been some significant delays in many rulemakings between the time of OIRA approval and publication in the Federal Register. This probably reflects an internal requirement for additional justification for publishing rulemakings this late in the Obama administration. Since this rulemaking has no chance of moving to a final rule until well after the Trump administration inauguration, it may escape that midnight rule review delay.

ICS-CERT Publishes 3 Advisories and Latest Monitor

Yesterday the DHS ICS-CERT published three control system security advisories for products from OSIsoft, Siemens and Phoenix Contact. Earlier this week they also published the September – October 2016 Monitor.

ICS-CERT Monitor

The latest issue of the ICS-CERT Monitor reports on activities of the DHS ICS-CERT for September and October of 2016. No real valuable information in this issue of the Monitor with ICS-CERT returning to the glossy corporate quarterly report format for this issue. The main articles include:

• ICS-CERT Vulnerability Coordination;
• Cybersecurity Crawl, Walk, Run;
• DHS Moving US-CERT Portal to HSIN, Rebranding as NCCIC Portal;
• ICSJWG Fall 2016 Meeting Recap;
• ICS-CERT Hosts Regional Training in Lisbon, Portugal;
• ICS-CERT Releases Defense-in-Depth and Annual Vulnerability Coordination Reports; and
• What is a CSET Assessment?

OSIsoft Advisory


The advisory describes an incomplete model of endpoint features vulnerability in the OSIsoft PI System software. This is apparently a self-reported vulnerability. OSIsoft has produced a new version that mitigates the vulnerability.

ICS-CERT reports that a relatively unskilled attacker with local access could carry out a DoS attack to cause a shutdown of the PI Data Archive or connected applications. The OSIsoft Security Update, on the other hand, reports that an exploit of the session management issue could “result in remote shutdown of the PI Data Archive or connected applications”.

Siemens Advisory


The advisory describes a privilege escalation vulnerability that affects several industrial products from Siemens (18 products are listed in the advisory). The vulnerability was reported by WATERSURE and KIANDRA IT. Siemens has produced updates for six of the products and temporary fixes for the remaining products pending the production of new updates.

ICS-CERT reports that it would be difficult to craft a working exploit of the vulnerability, and that exploitation would require local authenticated access to the product. Interestingly, the Siemens Security Advisory notes that:

“If the affected products are installed under their default path (“C:\Program Files\*” or the localized equivalent) and the default file system access permissions for drive C:\ were not modified, the security vulnerability is not exploitable.”
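The Siemens note ties exploitability to the file system permissions on the install directory, so the practical question for an owner is whether a non-default install path (or a modified default one) lets standard users write into the application tree. The following PowerShell script is my own added example, not code from Siemens or ICS-CERT; the directories in $InstallPaths are placeholders to be replaced with the actual install locations, and the list of low-privilege identities is an assumption that should be extended with any site-specific groups.

```powershell
# Added example (not from the Siemens advisory or ICS-CERT): report directories
# under an application's install tree where low-privilege identities hold
# write-type rights, the condition that the Siemens note says is needed for
# the privilege escalation to be exploitable.
$InstallPaths = @(
    'C:\Program Files\Siemens',   # placeholder: the default install path
    'D:\Apps\Siemens'             # placeholder: an example non-default path
)

# Identities that should never hold write rights on an install tree (assumption;
# add site-specific groups as needed).
$LowPrivIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# FileSystemRights flags that allow creating or replacing files or directories.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
             [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData

function Get-LowPrivWriteAccess {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Path not found: $Path"
        return
    }

    # Check every directory in the tree separately: inheritance may have been
    # broken below the top-level folder, so the root ACL alone is not enough.
    $dirs = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }

            # Any surviving ACE lets a standard user add or replace files here.
            [PSCustomObject]@{
                Directory = $dir.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = foreach ($p in $InstallPaths) { Get-LowPrivWriteAccess -Path $p }
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No low-privilege write access found under the checked paths.'
}
```

The script only inspects directory ACLs; an individual file that has had its permissions loosened would still need to be checked separately.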

Phoenix Contact Advisory


The advisory describes multiple authentication vulnerabilities in the Phoenix Contact ILC (inline controller) PLCs. The vulnerabilities were reported by Matthias Niedermaier and Michael Kapfer of HSASec Hochschule Augsburg. Phoenix Contact has produced an update and recommended security practices to mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The vulnerabilities include:

• Cleartext storage of sensitive information - CVE-2016-8366;
• Authentication bypass issues - CVE-2016-8371; and
• Access to critical private variable via public method - CVE-2016-8380.


ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerabilities to access human-machine interface (HMI) pages and to modify programmable logic controller (PLC) variables. ICS-CERT explains that the new version only corrects the cleartext password storage issue.

Friday, November 4, 2016

Oops, Missed Second Schneider Advisory

Last night I missed the second Schneider control system security advisory published yesterday by ICS-CERT. It describes two vulnerabilities in their IONXXXX series power meters and is a follow-up to an earlier alert. The vulnerabilities were reported by Karn Ganeshen. Schneider has provided instructions to mitigate these vulnerabilities. There is no indication that Ganeshen has been provided an opportunity to verify the efficacy of the fix.

The two vulnerabilities identified in the advisory (the second was not identified in the original alert) are:

• Cross-site request forgery - CVE-2016-5809; and
• Improper access control - CVE-2016-5815.

The ICS-CERT advisory does not address the three separate default password issues for HTTP, Telnet and front panel access to the device, though they were mentioned in passing in the earlier alert. These are specifically addressed in the Schneider Security Notification referenced in the advisory. That notification only addresses the default password issue (urging owners to change their device passwords from the default values to prevent unauthorized access), not either of the vulnerabilities addressed in this advisory.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the two covered vulnerabilities to make configuration changes on the device.


BTW: While ICS-CERT notes that there are no “known public exploits specifically target these vulnerabilities” (Karn’s disclosure did not provide a POC), it does not mention that Karn provided a partial list of organizations that are using the affected power meters.

Thursday, November 3, 2016

ICS-CERT Publishes Two Advisories

Today the DHS ICS-CERT published two control system security advisories for products from Schneider and Moxa.

Schneider Advisory


This advisory describes two uncontrolled resource consumption vulnerabilities in the Schneider Electric Magelis human-machine interface (HMI) products. The vulnerabilities were reported in a coordinated disclosure by Eran Goldstein, in collaboration with Check Point Software Technologies and CRITIFENCE, and were publicly reported earlier this week. Schneider plans on having a new release available next spring, but is providing the workarounds listed in this advisory.

While ICS-CERT calls both vulnerabilities ‘uncontrolled resource consumption’ vulnerabilities, CRITIFENCE uses more descriptive names:

• Improper implementation of HTTP GET request - CVE-2016-8367; and
• Improper implementation of HTTP chunked Transfer-Encoding request - CVE-2016-8374.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to cause a denial of service for the affected devices. The Schneider security notification notes that the vulnerabilities can only be exploited when the Web Gate Server is activated; the function is disabled by default.
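The “improper implementation of HTTP chunked Transfer-Encoding request” finding above is a textbook instance of the uncontrolled resource consumption class: a body parser that trusts the declared chunk sizes, or accepts an unbounded number of chunks, can be driven into exhausting memory or CPU on a small embedded web server. The following Python decoder is an added illustration of the defensive pattern (hard limits on declared size, total body and chunk count, checked before any data is copied). It is not code from Schneider, CRITIFENCE or ICS-CERT, and it says nothing about how the Magelis Web Gate Server is actually implemented; the limit values and the sample bodies are constructed for the example.

```python
"""Bounded decoder for HTTP/1.1 chunked Transfer-Encoding bodies.

Constructed example: shows how a resource-constrained HTTP server should cap
what it accepts while parsing chunked bodies so that a malformed or oversized
request cannot exhaust memory. The limits below are illustrative defaults.
"""


class ChunkedDecodeError(ValueError):
    """Raised when the body is malformed or exceeds a configured limit."""


def decode_chunked(
    data: bytes,
    max_body: int = 64 * 1024,   # total decoded bytes allowed
    max_chunks: int = 256,       # number of chunks allowed (per-chunk overhead)
    max_size_digits: int = 8,    # hex digits allowed in a chunk-size line
) -> bytes:
    """Decode a chunked body, enforcing every limit before doing any work.

    Returns the decoded body or raises ChunkedDecodeError. The declared size
    is bounded in two places: the digit count (so int() never sees an
    arbitrarily long number) and the running total (so no allocation happens
    for a chunk that would push the body past max_body).
    """
    out = bytearray()
    pos = 0
    chunks = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol == -1:
            raise ChunkedDecodeError("missing chunk-size line")
        # Chunk extensions (";name=value") are ignored, as RFC 7230 permits.
        size_field = data[pos:eol].split(b";", 1)[0].strip()
        if not size_field or len(size_field) > max_size_digits:
            raise ChunkedDecodeError("bad chunk-size length")
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ChunkedDecodeError("chunk-size is not hex") from None
        pos = eol + 2
        if size == 0:
            # Last chunk; any trailer section must end with an empty line.
            if data[pos:pos + 2] != b"\r\n" and data.find(b"\r\n\r\n", pos) == -1:
                raise ChunkedDecodeError("missing terminating CRLF")
            return bytes(out)
        chunks += 1
        if chunks > max_chunks:
            raise ChunkedDecodeError("too many chunks")
        if len(out) + size > max_body:
            raise ChunkedDecodeError("body exceeds max_body")
        end = pos + size
        if len(data) < end + 2 or data[end:end + 2] != b"\r\n":
            raise ChunkedDecodeError("chunk data truncated or unterminated")
        out += data[pos:end]
        pos = end + 2


def classify(body: bytes) -> str:
    """Return 'ok' for an acceptable body, otherwise the rejection reason."""
    try:
        decode_chunked(body)
        return "ok"
    except ChunkedDecodeError as exc:
        return str(exc)


# Constructed sample bodies: one well-formed, the rest shaped like the
# resource-exhaustion inputs a bounded parser must refuse cheaply.
SAMPLES = {
    "normal": b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n",
    "huge declared size": b"FFFFFFFF\r\nabc\r\n0\r\n\r\n",
    "oversized size field": b"1" * 9 + b"\r\nabc\r\n0\r\n\r\n",
    "chunk flood": b"1\r\na\r\n" * 300 + b"0\r\n\r\n",
    "truncated chunk": b"5\r\nabc",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:22s} -> {classify(body)}")
```

The key design point is that every limit is checked against the declared size, not the received size: the decoder never allocates or copies on the strength of a number the client supplied, which is what keeps a malformed request cheap to reject.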

BTW: These are the Schneider vulnerabilities that I retweeted about earlier this week.

Moxa Advisory


This advisory describes two vulnerabilities in the Moxa OnCell Security Software. The vulnerabilities were reported by Maxim Rupp (who at this point should be listed as a member of the Moxa cybersecurity team; just saying). Moxa has produced a new version (for two of the ten affected systems) that mitigates the vulnerabilities. There is no indication that Rupp was provided an opportunity to verify the efficacy of the fix.

The vulnerabilities include:

• Improper authentication - CVE-2016-8362; and
• Permissions, privileges and access control - CVE-2016-8363.


ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to download files or execute arbitrary commands via the web console.

Wednesday, November 2, 2016

Anhydrous Ammonia and Roadways

I ran across an interesting editorial about a recent anhydrous ammonia pipeline leak. The focus of the editorial was on the problem of aging pipelines, but it briefly addressed an issue that I have touched upon on several occasions: the problem of anhydrous ammonia leaks near major roadways.

The Incidents


The most recent incident was on October 18th near Tekamah, NE (see news reports here, here, here and here). There was a major leak on an above-ground portion of an 8” diameter pipeline carrying liquefied anhydrous ammonia. The resulting vapor cloud crossed US 75. A motorist drove through the cloud and died. The accident is being investigated by the National Transportation Safety Board (NTSB).

The other incident that I have reported on was in August of 2009 in South Carolina where there was a hose rupture during a tankwagon unloading incident. Again, the resulting vapor cloud crossed a major highway (US 321). A mother of two drove into the cloud and died.

In both cases the facility owners properly notified authorities of the incidents, but the response was not quick enough (or perhaps not well planned enough) to have stopped the victims from driving into the cloud.

PHMSA and Leak Detection


Back in 2010, while reporting on an advanced notice of proposed rulemaking (ANPRM) from the DOT’s Pipeline and Hazardous Materials Safety Administration on hazardous liquid pipelines, I did a special post on the comments that I submitted on that rulemaking. In those comments I noted that pipelines carrying poisonous inhalation hazard (PIH) chemicals (like anhydrous ammonia) pose a special hazard in the case of leaks. I suggested that:

“Any time that a PIH pipeline traverses an area near a major thoroughfare the PHMSA regulations should provide treatment similar to the HCA provisions even if the roadway is in an otherwise rural area. Once again, any above ground portions of the PIH pipeline in these areas will have an even larger potential effect.”

I also noted that:

“Once again, I would like to suggest that any place where a PIH pipeline is above ground externally based leak detection sensors are the only technology that would provide adequate warnings of the relatively small leaks of PIH materials that could affect unprotected civilians.”

In its notice of proposed rulemaking (NPRM) on the hazardous material pipeline revisions PHMSA responded to my comments (and similar comments by others) about HCA provisions for pipeline segments near roadways by saying:

“PHMSA is not proposing to designate major road and railway crossings as HCAs, but will consider whether the pipeline IM requirements should be applied to these areas when completing the study that Congress mandated under section 5 of the Pipeline Safety Act of 2011. PHMSA notes that the pipelines at such crossings would be afforded additional protections under the other proposals made in this proceeding, including the requirements for the performance of periodic internal inspections and the use of leak detection systems.”

On the external leak detection issues, PHMSA responded:

“PHMSA commissioned Kiefner and Associates, Inc., to perform a study on leak detection systems used by hazardous liquid operators. That study, titled “Leak Detection Study,” [4] was completed on December 10, 2012, and was submitted to Congress on December 27, 2012. PHMSA is considering, in a different rulemaking activity, whether to adopt additional or more stringent requirements for sensitive areas in response to this study.”

It should be noted that in the recent incident, it appears that the pipeline operator did have flow-based leak detection active on the affected pipeline section. One news report stated that: “the company’s remote sensing system detected a pressure drop on the portion of the pipeline that runs through Burt County. A pressure drop means a release may have occurred, he said.” Automated valves were then closed and authorities notified, just not soon enough to stop the one victim from driving into the ammonia cloud.

Emergency Notification


In both of these incidents the facility owner made all of the appropriate notifications when the leak was discovered, and there is no indication that the emergency response was not prompt. Still, in both cases an innocent third party, with no connection to the facility, died as a consequence of the leak. In both cases they drove into a vapor cloud that looked no different than an innocent bank of fog. Once in the cloud the car’s engine stopped (for lack of oxygen) and the occupants died either from ammonia exposure or lack of oxygen.

While it is easy to say that something better would have prevented the leak (and the NTSB investigation will tell us what), it is even easier to say that if the person driving the car had been warned not to drive into the cloud, they would not have been killed. We have to expand our definition of emergency notification.

For local residents, notifications can be made by a reverse 911 notification system. In the most recent incident that would have saved the victim; he was a local who apparently was in search of the source of the ‘pungent odor’ of ammonia that he had smelled. If he had been notified by a reverse 911 system, he may never have left the house, and almost certainly would not have driven into the cloud if the message had been properly crafted.

For out-of-area personnel traversing highways near such incidents, the reverse 911 system is much more problematic. More advanced systems use phone location for notifications rather than sign-up addresses. But, then again, safety people are trying very hard to stop people from answering phone calls while driving. Something else is needed.

I proposed in an earlier blog post that signs could be posted on major roadways near fixed facilities and pipelines that handle PIH chemicals. These would be digital signs that would flash a warning not to proceed when a local PIH chemical detector detected a chemical cloud near the roadway. When not warning of a PIH leak, the signs could display other safety messages.

Moving Forward


The editorial that piqued my interest in this incident concludes by saying:

“Nebraska’s congressional delegation needs to work together to ensure the agency [PHMSA] is giving Nebraska proper attention, particularly in the case of anhydrous ammonia, to avoid a repeat of the tragedy caused by the leak in Burt County.”

The Nebraska congressional delegation does have some influence. Rep. Fortenberry (R,NE) is on the House Appropriations Committee (but not the Transportation Subcommittee). Sen. Fischer (R,NE) is an influential member of the Senate Commerce, Science and Transportation Committee and Chair of the Surface Transportation and Merchant Marine Infrastructure, Safety and Security Subcommittee (at least until December 31st).


The most immediate thing that will influence any legislative or regulatory action on the pipeline safety issues involved in this incident will be the outcome of the NTSB investigation. The preliminary investigation by NTSB has not yet resulted in the incident being added to the list of current investigations. This means that there may not be a formal NTSB investigation. If the NTSB does not take up this investigation, then the effects of this accident on future legislative or regulatory actions will be very limited.

Tuesday, November 1, 2016

ICS-CERT Publishes 3 Advisories and Malware Trends Paper

Today the DHS ICS-CERT published three new control system security advisories and an in-house paper on malware trends. The three new advisories are for control system products from Schneider and IBHsoftec. One of the Schneider advisories addresses a vulnerability I discussed on Saturday. Neither of the Schneider advisories listed here is the one referenced in a TWEET® from Critifence that I retweeted this morning.

Schneider Unity Pro Advisory


This advisory describes an insufficient control flow management vulnerability in the Schneider Electric Unity PRO Software product. The vulnerability was reported by Avihay Kain and Mille Gandelsman of Indegy. Schneider produced a new version of the software that mitigates the vulnerability. There is no indication that the Indegy researchers have been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that while this vulnerability could be exploited remotely, developing a working exploit would be difficult because a two-stage social engineering attack would be required. The Schneider Security Notification implies that direct loading of the corrupted file by the attacker could be possible “when the application program loaded in the simulator is not password protected”.

IBHsoftec Advisory


This advisory describes a buffer overflow vulnerability in the IBHsoftec S7-SoftPLC. The vulnerability was reported by Ariele Caltabiano (kimiya) through ZDI. IBHsoftec has produced a new version to mitigate the vulnerability. There is no indication that kimiya has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to “be able to affect integrity, confidentiality, and availability of the target device”.

Schneider ConneXium Advisory


This advisory describes a buffer overflow vulnerability in the Schneider Electric ConneXium firewall product. The vulnerability was reported by Nir Giller. According to ICS-CERT, Schneider is developing a firmware update, but the Schneider Security Notification (not listed in the ICS-CERT advisory) indicates that an update is currently available through “your local Schneider Electric representative”.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to execute code during the SNMP (Simple Network Management Protocol) login authentication process.

The Schneider document also provides workaround information for the vulnerability.

Malware Trends


This white paper was produced by the ICS-CERT Advanced Analytic Laboratory (AAL). It is a 24-page review of the current state of malware. Once again ICS-CERT has produced a nice review document suitable for updating non-technical management on cybersecurity issues. It covers the following topics:

• Attacker tactic changes;
• Malware evolution;
• Persistence methods;
• Infection vectors;
• Defensive tactics; and
• Platform challenges.

Unfortunately, like most recent ICS-CERT technical documents, it is very light on data specific to the control system (ICS) security community. It is not until page 17 that we see the first specific ICS discussion, in a subsection of the platform challenges discussion. Even that discussion is very brief and very light on details. For example, half of the discussion about BlackEnergy consists of the following paragraph:

“BlackEnergy is an interesting case of malware that has undergone a dramatic change in its design and target depending on the groups that use it. Initially, BlackEnergy was a DDoS bot primarily used by the Russian hacker underground to take down sites. Support for plugins was added in the next major revision (BlackEnergy2), changing the exclusively DDoS box into a powerful multi-tool. Years later, researchers discovered that threat actors utilized zero-day exploits and spear phishing, combined with BlackEnergy 2 and specially-tailored plugins, to target and compromise ICS networks.”


This is a good overview document that I would have been proud to have authored. The technical skills and experience of the AAL deserve a much better showcase.