Sunday, January 31, 2016

HR 4397 Introduced – Rail Oil Spill Response

On Thursday Rep. Kind (D,WI) introduced HR 4397, the Rail Safety Act. The bill would require FEMA to preposition fire-fighting equipment and other rail spill response equipment for accidents involving rail tank cars transporting crude oil or other flammable liquids.

Pre-Positioned Equipment

The bill would require that the equipment caches include {§2(b)}:

• Firefighting equipment;
• Fire suppression agents; and
• Any other safety equipment considered necessary by the Administrator

The bill would require that the caches be {§2(c)}:

• Located along rail routes over which a high volume of high-hazard trains operate; and
• Strategically prepositioned along such routes in a manner that lowers the response time of firefighters.


The bill provides for two separate sources of funding for these caches. First it authorizes FEMA to collect fees from rail carriers. Second it authorizes appropriations to support the program. In neither case are any specific monetary amounts specified.

Moving Forward

Kind is not a member of the House Transportation and Infrastructure Committee, the committee to which this bill was referred for consideration. Without being a member of the Committee, it is unlikely that he will be able to influence the Committee to begin consideration of the bill.

If the bill were to be considered, I would expect that there would be considerable opposition to the bill from railroads since they would be subject to unspecified fees to support the program.


This bill is extraordinarily poorly written for an 18-year veteran of Congress. Kind does not, for instance, define ‘high volume of high-hazard trains’. It would have been easier to refer to high-hazard flammable trains defined under 49 CFR 171.8. Next, there is no requirement to report to Congress on the types and amounts of equipment (along with deployment costs) to be deployed under the requirements of this bill so that Congress could authorize spending.

It is a shame that Kind has not put a little more thought and effort into this legislation. The issue of responding to crude oil, ethanol and other flammable train derailments as a fire fighting issue has been grossly missed by Congress. This type of bill, with a few modifications, could serve as a valuable aid to first responders to these potentially devastating railroad accidents.

The funding issue deserves a lot more thought. The railroads are not the ones responsible for the recent increase in the number of these high-hazard flammable trains. They are required by Congress to accept all properly presented rail loadings. This was done by Congress because the individual railroads have nearly monopolistic control over long distance rail shipping in many areas of the country. The people that are responsible for the large amount of hazardous chemical shipments are the shippers. And it is they, not the railroads, that should be required to pay fees to help off-set the cost of programs like this.

If this had been a serious attempt to address this serious problem, it would have started off with a more complete definition of the types of shipments that were targeted. Since the types of fire-fighting equipment (in particular the types of foam used to fight liquid chemical fires) are substantially defined by the types of chemical fires involved, it would be more cost effective to focus on the two largest volume flammable liquids currently being shipped by rail: crude oil and ethanol.

Next the bill should have required a report by the DOT’s Security and Emergency Response Training Center (SERTC) as to the types of specialty equipment necessary to fight crude oil and ethanol fires associated with train derailments. The study would address:

• The types of equipment necessary;
• The time frame in which the equipment would have to be deployed to be successfully used;
• The training necessary to use the deployed equipment;
• The best methods for ensuring that the equipment was readily available;
• The cost of pre-stocking the equipment and supplying the appropriate training for its use.

While pre-stocking sites along rail routes (as suggested in this bill) is certainly one way to ensure rapid availability, other options could be more effective. One in particular that I would like to see considered is to include a fire response car at the tail end of each high-hazard flammable train. Another possible option that could be considered would be the formation of air-deployable National Guard units trained and equipped to provide the necessary flammable liquid fire-fighting capabilities.

With better information on the amounts and types of equipment to be stockpiled and the type and frequency of training necessary to deploy the equipment clearly outlined, Congress could then weigh-in on a specific funding program that could include fees on each railcar of affected commodities shipped and/or authorization of direct Federal spending.

The basic idea behind this bill is sound, but a great deal more effort and imagination needed to be employed in its crafting. Perhaps the leadership of the House or Senate transportation committees might like to take a shot at this.

Saturday, January 30, 2016

Transportation Safety Plan ANPRM to OMB

On Thursday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that the DOT’s Federal Transit Administration (FTA – Old soldiers from the 70’s please no comments on that acronym) had submitted an advance notice of proposed rulemaking (ANPRM) for their National Public Transportation Safety Plan. This rulemaking was not listed in the 2015 Fall Unified Agenda so there is little to no public information available on this ANPRM.

While I am not intending to extend this blog’s coverage to public transportation in general, I will be interested to see if this rulemaking addresses cybersecurity, particularly in transportation control systems.

Responses to Latest CSF RFI – 01-30-16

This is part of an on-going look at the responses to the National Institute of Standards and Technology (NIST) latest request for information (RFI) on potential updates to the Cybersecurity Framework (CSF). A reminder, the comment period will remain open until February 9th, 2016. The previous posts in this series include:

As of this morning there is only one new response posted to the RFI Response site. It comes from Emblem Health.

Prevent Duplication of Regulatory Processes

NIST question 9 asks:

“What steps should be taken to “prevent duplication of regulatory processes and prevent conflict with or superseding of regulatory requirements, mandatory standards, and related processes” as required by the Cybersecurity Enhancement Act of 2014?”

Emblem Health suggested using the CSF as the basis of any regulation noting: “If a minimum standard could be adopted that would allow health care companies to have a target that if reached would provide some guidance to the C-suite that the IT department had achieved the proper security level.”

Should CSF be Updated?

NIST question 10 asks:

“Should the Framework be updated?”

Emblem Health responded that: “The framework should be continuously reviewed and updated.”

Private Sector Involvement

NIST question 20 asks:

“What should be the private sector’s involvement in the future governance of the Framework?”

Emblem Health suggested that participation in a ‘governing committee’ would be an appropriate way for private sector organizations to be involved in the future governance of the Framework.


This week’s response was submitted using the NIST template and Emblem Health responded to nearly every question asked by NIST. The responses were short and to the point. It would be helpful to NIST if all responses were similarly prepared and targeted.

With less than two weeks left in the comment period, it is very disappointing to see only seven comments submitted to date. Hopefully we will begin seeing responses from corporate America next week.

Friday, January 29, 2016

Bills Introduced – 01-28-16

With the House in a pro forma session and the Senate discussing S 2012, there were 13 bills introduced yesterday. One of those may be of specific interest to readers of this blog:

HR 4397 To direct the Administrator of the Federal Emergency Management Agency to provide for caches of emergency response equipment to be used in the event of an accident involving rail tank cars transporting hazardous material, crude oil, or flammable liquids. Rep. Kind, Ron [D-WI-3]

The text of this bill is already available from the GPO. This is the first time that I have seen fire-fighting equipment specifically mentioned in oil spill response legislation. While no funding level is specifically spelled out, the bill does authorize appropriations for funding of the prepositioning of fire-fighting equipment. More on this bill later.

Thursday, January 28, 2016

ICS-CERT Publishes Advisory and ICSJWG Notice

This afternoon the DHS ICS-CERT published an advisory for Westermo switches. They also announced registration and a call for abstracts for the Spring 2016 ICSJWG meeting.

Westermo Advisory

This advisory describes a hard-coded certificate vulnerability in Westermo Ethernet switches. The vulnerability was reported by Neil Smith. ICS-CERT reports that Westermo has produced a firmware update that mitigates the vulnerability. Smith has verified the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability after conducting a successful man-in-the-middle attack to obtain authenticated access to the device.

Later in the advisory ICS-CERT reports that: “Westermo is working on an update to automate the changing of the key, which will be published on its web site as soon as it is ready.” The advisory then provides a work around for changing the hard-coded SSL certificate. There is nothing about this vulnerability on the public portion of the Westermo web site. The latest version of the WeOS on that website is 4.18.0 (released this month) which according to the advisory is an affected version. So, apparently the fix that Smith validated is the workaround.
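The practical consequence of a hard-coded certificate is that every unit ships with the same private key, so an attacker who pulls the key out of one device (or out of a firmware image) can impersonate any of them, which is exactly what makes the man-in-the-middle step in the advisory workable. Until Westermo ships its automated key change, the only way to know whether a fleet is still on the shared certificate is to look: fingerprint what each switch presents over TLS and flag duplicates. The script below is an added example, not Westermo's or ICS-CERT's code; the host names and certificate bytes in the sample are constructed for the demo, and `fetch_certificate` / `collect_fleet` (my own helper names) run the same check against live devices.

```python
"""Fleet check for a shared (hard-coded) TLS certificate.

Added example, not Westermo's or ICS-CERT's code. The host names and the
certificate bytes in SAMPLE_FLEET are constructed; collect_fleet() runs the
same check against real devices.
"""
from __future__ import annotations

import hashlib
import ssl
from collections import defaultdict


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated like a browser shows it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def shared_certificates(certs: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each fingerprint presented by more than one host to the hosts presenting it.

    Hosts that present the same certificate also share the private key behind it, so
    one extracted key is enough to stand up a convincing impostor of every host listed.
    """
    by_fp: dict[str, list[str]] = defaultdict(list)
    for host, der in certs.items():
        by_fp[fingerprint(der)].append(host)
    return {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) > 1}


def fetch_certificate(host: str, port: int = 443) -> bytes:
    """Retrieve the leaf certificate a device presents, without validating it."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def collect_fleet(hosts: list[str], port: int = 443) -> dict[str, bytes]:
    """Fetch certificates from every reachable host; unreachable hosts are reported, not fatal."""
    certs: dict[str, bytes] = {}
    for host in hosts:
        try:
            certs[host] = fetch_certificate(host, port)
        except (OSError, ssl.SSLError) as exc:
            print(f"{host}: could not fetch certificate ({exc})")
    return certs


# Constructed sample: three "switches", two of them still on the factory certificate.
FACTORY_CERT = b"\x30\x82\x01\x0a constructed factory certificate, not real DER"
SAMPLE_FLEET = {
    "sw-plant-01": FACTORY_CERT,
    "sw-plant-02": FACTORY_CERT,
    "sw-plant-03": b"\x30\x82\x01\x0a constructed per-device certificate, not real DER",
}


if __name__ == "__main__":
    for fp, hosts in shared_certificates(SAMPLE_FLEET).items():
        print(f"{fp[:23]}... shared by {', '.join(hosts)}")
```

Run it against the real fleet with `shared_certificates(collect_fleet([...], 443))`; any fingerprint that comes back with more than one host is a device that has not had its certificate replaced, whichever WeOS version it reports. Note that `fetch_certificate` deliberately skips validation: the point is to record what the device presents, and a factory certificate will not chain to anything you trust anyway.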

ICSJWG Spring Meeting

I reported in an earlier blog post that the date for the Spring 2016 ICSJWG meeting had been set for May 3rd thru 5th. Today ICS-CERT announced that the registration for that meeting was now open. You can register on-line here and there is still no cost to attend the meeting. Registrations should be completed by April 28th, 2016.

ICS-CERT also published a call for abstracts for that meeting. They are looking for four types of presentations:

• Presentation;
• Panel;
• Demonstration;
• Lightning round

Amendments to S 2012 – 01-27-16

Yesterday there were 84 amendments submitted to S 2012, which is currently being considered in the Senate. Of those only one may be of specific interest to readers of this blog:

SA 2997 – Sen. Wyden (D,OR) – pg S 272

Internet of Things

Wyden’s amendment would add paragraph (d), Internet of Things (IOT), to §1021, Study and report on energy savings benefits of operational efficiency programs and services. It would require that the report required under §1021 would include an analysis of the impact of IOT technology on energy and water systems. It would be required to identify IOT technology solutions that {new §1021(d)(B)(ii)}, “through features embedded in hardware and software from the outset” … “promote security, privacy, interoperability, and open standards”.

Moving Forward

Yesterday was only the first day of consideration of this complex bill. At this point in their deliberations there is no clear indication of how many or which amendments will ultimately be considered on the floor of the Senate. If this amendment does make it to the floor it will likely be approved since it only requires a modification to an existing report.


This amendment contains an interesting definition of IOT. Paragraph (d)(1) defines IOT as a set of technologies that:

• Connect to the Internet; and
• Provide real-time and actionable analytics and predictive maintenance

The inclusion of a requirement for ‘actionable analytics and predictive maintenance’ excludes a number of devices that most people would lump together under the IOT rubric. Even in the industrial IOT realm, operational devices connected to control systems in electric utility or water utility facilities would not fall under this relatively limited definition.

Senate Considering S 2012

Yesterday the Senate began consideration of S 2012, the Energy Policy Modernization Act of 2015. Somehow I missed this bill when it was introduced back in September, but it is very similar to HR 8 that was passed by the House last month. The bill does contain cybersecurity related provisions, but certainly not all of those included in the House bill.

Critical Electric Infrastructure Information

Like the House bill, §2001 amends the Federal Power Act to include specific authority to designate Critical Electric Infrastructure Information (CEII). As I explained in an earlier post, while a CEII program does currently exist, it is not specifically authorized by statute. This will become important when the National Archives and Records Administration finally publishes its final rule on Controlled Unclassified Information (CUI). Being authorized by statute would allow the DOE Secretary more latitude on the way CUI is controlled.

There are several provisions of the HR 8 CEII section that are not included in S 2012. They include provisions associated with:

• Submission of information to congress;
• Disclosure of protected information;
• Duration of designation;
• Removal of designation; and
• Judicial review of designations

The lack of coverage of these items in the bill simply means that the NARA regulations would govern these areas, not the DOE regulations.

Enhanced Grid Security

Section 2002 of the bill establishes a number of cybersecurity programs, some of which already exist in fact, if not in law. Each of the programs includes authorized funding. They include:

• Cybersecurity sector specific agency designation;
• Cybersecurity for the energy sector research, development, and demonstration program;
• Energy sector component testing for cyberresilience program;
• Energy sector operational support for cyberresilience program;
• Modeling and assessing energy infrastructure risk;
• Study on expanding industry membership and participation in ES–ISAC

The component testing program is somewhat similar to the Cyber Sense program included in §1106 of HR 8. The Senate version is not nearly as comprehensive or detailed. The Senate program does include $15 million in annual funding, where the Cyber Sense program included no funding, relying entirely on third-party testing and certification.

Moving Forward

Consideration of the bill continues today and there is not currently a schedule for a final vote. Sen. Murkowski (R,AK) is working hard to keep the amendment process limited to energy matters so that the bill does not get saddled with any of the controversial riders that have earned HR 8 a Presidential veto threat.

It is very likely that this bill will pass in the Senate. The House will then have to decide whether or not to accept the Senate bill or insist on the language of HR 8. If the latter occurs there would probably be a conference committee formed to work out the differences in the two bills.

Tuesday, January 26, 2016

ICS-CERT Publishes Two Advisories

This morning the DHS ICS-CERT published two control system advisories. They were for systems from Rockwell Automation and MICROSYS.

Rockwell Advisory

This advisory describes a stack-based buffer overflow vulnerability in the Allen-Bradley MicroLogix 1100 PLCs. The vulnerability was reported by David Atch of CyberX. Rockwell has produced a firmware update that mitigates the vulnerability, but there is no indication that Atch has been provided the opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to run arbitrary code on the device.

MICROSYS Advisory

This advisory describes a memory corruption vulnerability in the MICROSYS PROMOTIC application. The vulnerability was reported by Praveen Darshanam of Versa Networks. MICROSYS has produced a new version which mitigates the vulnerability and Darshanam has verified the efficacy of the fix.

ICS-CERT reports that it would be relatively easy to craft a social engineering exploit of this vulnerability. This is the first time that I have seen ICS-CERT state that crafting a specific social engineering exploit “would be simple”.

The PROMOTIC update notes indicate that the vulnerability exists in the TrendsView ActiveX component.

Emergency Notification Systems Survey

The publisher of Disaster Resource Guide is conducting a survey about the use of emergency notification systems. They are specifically looking to get responses from organizations that are considering acquiring such systems. The survey looks at the types of capabilities that organizations are looking for in such systems. There is a drawing incentive (iPad2) for those completing the survey.

Bills Introduced – 01-25-16

Yesterday the House met in an extended pro forma session. Because of the weekend snow storm, the pro forma session also had to postpone some legislative actions that had been scheduled for this week to next week. There were, however, three bills introduced and one of those may be of tangential interest to readers of this blog:

HR 4393 Clean Distributed Energy Grid Integration Act Rep. Castor, Kathy [D-FL-14]

This bill (and yes the GPO does have the official copy on line) proposes to require the DOE Secretary to address issues related to “clean distributed energy technologies” (energy technologies that are located on the customer site operating on the customer side of the electric meter and are interconnected with the electric grid).

The only reason that I am mentioning this bill is that, while the bill recognizes that “new advances in intelligent sensing and simulation and control technologies” will aid the integration of clean distributed energy technologies, there is no mention of the cybersecurity vulnerabilities that such technologies bring to the electric grid networks. This is very disappointing.

Anyway, this will be the last mention of this bill as it does not appear that Castor has enough political influence to get this bill considered in committee.

Monday, January 25, 2016

NIST Wireless Medical Infusion Pumps Use Case Notice

The National Institute of Standards and Technology (NIST) published a notice in today’s Federal Register (81 FR 4016-4018) inviting organizations to provide products and technical expertise to support and demonstrate security platforms for the Wireless Medical Infusion Pumps use case for the health care sector. This is the first step in the National Cybersecurity Center of Excellence’s (NCCoE) collaboration with technology companies to address cybersecurity challenges identified under the Health Care Sector program.

At this point NIST is looking for organizations to submit a letter of interest (template is available from NIST on-line) if they are interested in entering into a Cooperative Research and Development Agreement (CRADA) to provide products and technical expertise to support and demonstrate security platforms for the Wireless Medical Infusion Pumps use case for the health care sector. More information is available on the project here and here. You can see more information about the items that NIST is looking to include in the use case here.

NOTE: The second project reference mentioned above contains an interesting application (pgs 11-14) of the NIST Cybersecurity Framework (CSF) to analyze the cybersecurity requirements for the use of infusion pumps in a hospital setting. This is the first time that I have seen the CSF used at this level in an organizational review.

I’m not going to go into any more detail on this process as the way the NIST notice is worded seems to be very convoluted. I don’t stay current on acquisition and R&D project language at the Federal level, so I don’t want to put any inappropriate words into the interpretation of the NIST notice. If you’ve done work with NIST before you have a better understanding of the details of what is going on here. If you have not worked with NIST before but are still interested, contact Gavin O'Brien via email at for more information.  

Sunday, January 24, 2016

Drone Threats for Chemical Facilities

There was an interesting article this week over at about a British report on the potential use of drones by terrorist organizations. That report provides an interesting set of data about potential drone threats. It includes capability tables for a number of aerial (UAV), ground (UGV) and marine (UMV) drones. Unfortunately, there is no specific discussion about such vehicles and chemical facilities.

Activist Propaganda

Let me start off by saying that I know of only one ‘instance’ of use of a UAV ‘against’ a chemical facility. Back in 2010 Greenpeace made a big show of using their small blimp to investigate chemical facility security. There was apparently no attempt made to overfly the facilities, and the photographs published by Greenpeace were from another aircraft (almost certainly a helicopter) with the blimp in the foreground and the facility in the background.

Smaller, more modern UAVs will not have the same sort of visual impact that the Greenpeace blimp had. This means that they are unlikely to be used for propaganda type efforts. These more maneuverable UAVs are more suited to surveillance and data gathering. Onboard cameras and chemical detectors could be used by various environmental and environmental justice organizations to document chemical releases at chemical facilities. UGVs and UMVs can certainly be expected to be added to this effort as they become more commercially available.

I would not be surprised to hear of the use of UAVs in civil disobedience actions where they could be employed to deliver paint bombs against transportation assets in and around chemical facilities. Paint bombs deployed against tractor or railroad windshields could serve to delay or disrupt chemical transportation operations.

UAV support of conventional civil disobedience operations is only going to increase. Aerial filming of the activity and the security/law enforcement response to the activity can be expected to be used for propaganda purposes for money raising and encouraging copy-cat operations.

Pre-Attack Reconnaissance

Because of the large number of relatively cheap UAVs available with onboard video capability, it is to be expected that there will be an increasing number of UAVs flown around, over and through chemical facilities. While the vast majority of these will probably be flown by local activists for propaganda purposes or just busybodies looking to see what is going on, some will be flown by activists or terrorists (different objectives and ‘attack’ methodologies) gathering intelligence to support possible future actions.

Activist ‘attacks’ are typically civil disobedience activities designed to interfere with facility operations, particularly those associated with transportation activities. UAV reconnaissance would be used to identify critical activity locations, points of entry and routes between the two. Of particular interest would be areas to hang banners and choke points where a small number of activists could block vehicle movements. As UGVs become more robust and cheaper, their use in these types of reconnaissance operations can be expected to increase.

The British report does a good job of outlining the experience of many terror groups with the use of UAVs for battlefield reconnaissance as well as command and control. Significant terror attacks on chemical facilities will almost certainly include pre-operational reconnaissance by UAVs.

This type of UAV reconnaissance will include gathering of the same sort of information that activists would look for, but in much greater detail. In many cases the reconnaissance effort will include looking for specific chemical storage and transfer facilities. If a vehicle-borne improvised explosive device (VBIED) attack is intended, the best site for vehicle placement and routes to that location will be the primary focus. If smaller, more targeted IEDs are to be employed, then tanks, valves and transfer lines will be the recon objectives. In both cases, internal security measures and response routes for security forces will also be important.

For possible attacks against water-side facilities the use of UMVs is a possibility. The British report, however, shows that the current cost of such vessels is quite high and there are only a limited number of options currently available. This will change if there is an increase in hobby use of this type of craft.

The use of UGVs is even less likely. Because of the prevalence of spill containment dikes and multi-story buildings and pipe structures, only a very limited amount of ground level reconnaissance will be possible. Route reconnaissance for VBIEDs is one area where UGVs may be very helpful, but they are still more likely to be detected and intercepted.

Attack Vehicles

All three classes of drones could certainly be used to deliver explosive devices in attacks on chemical facilities. They have the advantage of reducing the casualties in the attacking force and could potentially be used to allow a large diversionary attack at a secondary facility to allow a more complicated attack to go unopposed at the primary target.

UAVs have limited payload capability so they would have to be used in precision type attacks rather than area effect attacks. Placing explosive devices on the top of storage tanks or isolated pipelines is well within the capabilities of such vehicles.

UGVs up to and including remotely operated cars (see the British report, pg 11, for an actual incident of such cars being used by ISIS) could deliver larger explosive packages to accessible areas within the facility. The payload is still going to be significantly smaller than the typical truck VBIEDs that have been used by any number of terror groups around the world.

The high-cost and relative unavailability of UMVs probably argues against their use for delivery of explosives in an attack in the near term. It must be remembered, however, that smaller underwater explosives are more effective due to pressure waves underwater.

Attack Support

As the British report notes, ISIS has been gaining proficiency in the use of UAVs for battlefield surveillance and command and control activities. The use of UAVs in such roles in terrorist attacks has not yet been seen, but is clearly an activity that can be expected in the future. For ground based terror operations to seize or destroy a chemical facility, the ability to use UAVs to watch responding security or law enforcement personnel will make for a much more effective terror operation.

Small explosive devices deployed by UAVs to attack or disrupt such a response could give the ground team time to harden their position or to emplace their explosive devices.

Stopping Drones

There is very little that chemical facilities can do to stop drone operations near, over and in their facilities. In addition to the known difficulties in spotting and disabling UAVs in flight, there is currently no legal authority for chemical facilities to take them down, even if they are in the facility airspace. Currently the best bet is to deploy anti-drone netting to snare UAVs and prevent them from approaching critically vulnerable assets.

A more important security job, however, is spotting and, hopefully, identifying UAVs as they approach the facility. This should be part of the facility anti-reconnaissance plan that is designed to detect a terrorist attack before it happens. Every employee should be required to report any UAV sighting at or near the facility to their supervisor, and the security manager should consolidate such reports to be submitted to local law enforcement. All such reports should include the location of the sighting, the type of UAV, the direction of approach and the direction the drone departed.

While little can currently be done to prevent UAV incursions, facility security managers need to take a hard look at their facility from the point of view of UAV attack vulnerabilities. Facilities need to begin consideration of measures that they can take to hide such vulnerabilities or prevent UAV access.

Saturday, January 23, 2016

Responses to Latest CSF RFI – 01-23-16

This is part of an on-going look at the responses to the National Institute of Standards and Technology (NIST) latest request for information (RFI) on potential updates to the Cybersecurity Framework (CSF). A reminder, the comment period will remain open until February 9th, 2016. The previous posts in this series include:

As of this morning there is only one new response posted to the RFI Response site. It comes from Danilo.

Prevent Duplication of Regulatory Processes

NIST question 9 asks:

“What steps should be taken to “prevent duplication of regulatory processes and prevent conflict with or superseding of regulatory requirements, mandatory standards, and related processes” as required by the Cybersecurity Enhancement Act of 2014?”

Danilo noted that existing duplications and inconsistent policies across agencies resulted from a “lack of collaboration and coordination across agencies”. This could be prevented by continuing the NIST process.

Should CSF be Updated?

NIST question 10 asks:

“Should the Framework be updated?”

Not addressed in this response.

Private Sector Involvement

NIST question 20 asks:

“What should be the private sector’s involvement in the future governance of the Framework?”

Not addressed by this commenter.


The response today continues the unresponsive nature of the contributions to date. While the comments certainly have merit, they continue to ignore the basic questions posed by NIST in regards to future actions to improve the CSF.

With just a little over two weeks left in the comment period, it is very disappointing to see only six comments submitted to date. Hopefully we will begin seeing responses from corporate America next week.

Friday, January 22, 2016

CSB to Hold West Fertilizer Meeting

The Chemical Safety and Hazard Investigation Board (CSB) published a meeting notice in today’s Federal Register (81 FR 3780) for a public meeting on January 28th in Waco, TX concerning the 2013 fire and explosion at the West Fertilizer facility. The CSB Staff will present their final report on the incident.

The Staff will also present a proposed study on land use planning. This type of study is especially important in relation to this incident due to the amount of destruction to a nearby school and residential area that resulted from this explosion. The study would presumably look at how communities allow such areas to grow up around chemical facilities with known hazards.

There will be a public comment period at the meeting and written comments may be submitted to the CSB via email. The meeting will be web cast on the web site.

Thursday, January 21, 2016

ICS-CERT Publishes Two Advisories

This morning the DHS ICS-CERT published two advisories for control systems from Hospira and CAREL.

Hospira Advisory

This advisory describes a buffer overflow vulnerability in two older versions of Hospira infusion pumps. The vulnerability was reported by Jeremy Richards of SAINT Corporation. Existing newer versions of the software do not contain the vulnerability.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability “to remotely execute code on the affected device”. ICS-CERT notes that neither Hospira nor Richards has demonstrated the code execution outcome, but it includes the possibility out of an abundance of caution.

In addition to updating to newer versions of the software, ICS-CERT recommends the following mitigation measures for these devices:

• Ensure that unused ports are closed on the affected devices to include Port 20/FTP, Port 21/FTP, and Port 23/TELNET.
• Ensure that the default password used to access Port 8443 has been changed, or verify that the port is closed.
• Closing Port 5000/TCP does not impact the intended use of the device.
• Monitor and log all network traffic attempting to reach the affected products, to include Port 20/FTP, Port 21/FTP, Port 23/TELNET, Port 8443, and Port 5000/TCP.
• Isolate all medical devices from the Internet and untrusted systems.
• Produce a hash of key files to identify any unauthorized changes.
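
The monitoring and isolation items above can be turned into a simple detection rule. The following is an added example (not from ICS-CERT, Hospira or the advisory): it scans constructed firewall flow records for any traffic to an assumed set of pump addresses, rating traffic from outside an assumed clinical subnet as high severity whatever the port, and traffic from trusted hosts to the FTP, Telnet, 8443 and 5000 services named above as medium severity. The pump addresses, the trusted network range, the log format and the sample lines are all assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of firewall/flow log lines (not from the advisory or any vendor).
SAMPLE_LOG = """\
2016-01-21T08:01:10 src=10.20.1.15 dst=10.20.9.40 dport=8443 proto=tcp action=allow
2016-01-21T08:01:12 src=10.20.1.15 dst=10.20.9.40 dport=443 proto=tcp action=allow
2016-01-21T08:02:30 src=203.0.113.77 dst=10.20.9.40 dport=23 proto=tcp action=allow
2016-01-21T08:02:31 src=203.0.113.77 dst=10.20.9.40 dport=21 proto=tcp action=allow
2016-01-21T08:03:00 src=10.20.1.15 dst=10.20.9.41 dport=5000 proto=tcp action=allow
2016-01-21T08:03:05 src=10.20.1.99 dst=10.20.5.5 dport=23 proto=tcp action=allow
this line is not a flow record
"""

# Ports named in the ICS-CERT mitigation list for the affected pumps.
WATCHED_PORTS = {20, 21, 23, 8443, 5000}
# Assumed addresses of the infusion pumps and of the clinical network they should
# only ever talk to (both are placeholders for this example).
PUMPS = {"10.20.9.40", "10.20.9.41"}
TRUSTED_NET = ipaddress.ip_network("10.20.0.0/16")

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) action=(?P<action>\S+)"
)


def parse_line(line):
    """Parse one flow record; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec):
    """Severity for one record, or None when it does not involve a pump.

    HIGH:   any traffic to a pump from outside the trusted network, whatever the
            port, because the pumps are supposed to be isolated from untrusted systems.
    MEDIUM: traffic from a trusted host to one of the services the advisory says
            to close or protect (FTP, Telnet, 8443, 5000).
    """
    if rec is None or rec["dst"] not in PUMPS:
        return None
    try:
        src = ipaddress.ip_address(rec["src"])
    except ValueError:
        return "HIGH"  # an unparseable source address is treated as untrusted
    if src not in TRUSTED_NET:
        return "HIGH"
    if rec["dport"] in WATCHED_PORTS:
        return "MEDIUM"
    return None


def scan(log_text):
    """Return (severity, src, dst, dport) tuples for every record worth an alert."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        sev = classify(rec)
        if sev is not None:
            alerts.append((sev, rec["src"], rec["dst"], rec["dport"]))
    return alerts


def summarize(alerts):
    """Count alerts by severity, e.g. Counter({'HIGH': 2, 'MEDIUM': 2})."""
    return Counter(sev for sev, _src, _dst, _port in alerts)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for sev, src, dst, port in found:
        print(f"{sev:6} {src} -> {dst}:{port}")
    print(summarize(found))
```

On the constructed sample this raises two high-severity alerts for the external host reaching Telnet and FTP on a pump, and two medium ones for trusted hosts using ports 8443 and 5000; the connection to port 443 and the Telnet session to a non-pump host are ignored. The rule for unparseable source addresses errs on the side of alerting, which is the right default for devices that are supposed to be unreachable from anything untrusted.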

Hospira’s infusion pump web site contains two cybersecurity links for previously identified infusion pump vulnerabilities. It does not, however, mention this newly discovered vulnerability.

CAREL Advisory

This advisory describes an authorization bypass vulnerability in the CAREL PlantVisor application. The vulnerability was reported by Maxim Rupp. CAREL will not be fixing the vulnerability since the product is no longer supported (it was replaced by a newer product in 2007).

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to gain system access.

PHMSA Publishes SP Incorporation Final Rule

Today the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) published a final rule in the Federal Register (81 FR 3635-3686) that incorporates 96 existing special permits (SP) into the Hazardous Materials Regulations (HMR). Nine SPs that were included in the January 2015 notice of proposed rulemaking (NPRM) were not adopted in this rulemaking. Four SPs (SP 11624, SP 13052, SP 14712, and SP 15235) that were not included in the NPRM were added to this final rule.

The final rule discusses the adopted SPs in functionally defined areas similar to those used in the NPRM. Those areas in the final rule were:

• Cylinders, general;
• Cylinders, non-destructive testing, aerosols;
• Cargo tanks, rail cars, portable tanks;
• Operational air, vessels;
• Operational highway, rail, shipper, others; and
• Non-bulk packaging specification, IBC.

The existing SPs covered in this rulemaking will cease to exist on the mandatory compliance date listed below. Because some of the new regulatory language differs slightly from that found in the original SPs, some current SP holders may not be able to comply with the new wording. They can request a renewal or modification of their SPs if appropriate.

The effective date of this rulemaking is February 2nd, 2016. Voluntary compliance is authorized on that date. Unless otherwise specified in the rulemaking, mandatory compliance is required on January 17th, 2017.

Wednesday, January 20, 2016

GPS Jamming

Thanks to Laurie Thomas of Maritime Security/MTSA News for pointing me at a Coast Guard blog post about a safety alert the Coast Guard has issued about outages of the GPS navigation system. The safety alert describes a GPS outage noted recently at a ‘non-US port’ that covered a significant area of that port and surrounding ocean.

The Coast Guard is obviously concerned with outages like this being a hazard to navigation, and that is the point of their alert. Other users of the GPS navigation system should be similarly concerned. More important to readers of this blog are the potential effects that these types of outages could have on SCADA systems that use GPS for control system timing.

The Safety Alert does not characterize this particular outage as either natural or man-made. From the point of view of the Coast Guard, this apparently isn’t really important, as either would have similar effects on navigation. That is probably short-sighted, as someone who deliberately jams GPS signals over this large an area is probably intending to use that disruption to produce other, more serious effects on maritime traffic.

In many ways industrial control system owners should follow the general guidelines in the Safety Alert. They need to have plans in place for using alternative methods of timing synchronization during local GPS outages. More importantly, they need to think about the potential security implications of such outages, as they may signal an attempt to disrupt or gain access to remote SCADA installations as part of an attack on the ICS network.
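
One way to act on that advice at the control system end, as an added example that is not from the Coast Guard alert or from any vendor: a small supervisor over a GPS-disciplined clock that rejects GPS when the receiver loses its fix, when the carrier-to-noise ratio collapses (the usual signature of jamming) or when the reported time jumps (more consistent with spoofing than with a quiet outage), rides on the local oscillator for a bounded holdover period, and records each transition so the security team can correlate it with other events. The sample format, the thresholds and the holdover limit are assumptions made for the example; real values depend on the receiver and oscillator in use.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class GpsSample:
    """One reading from a GPS-disciplined clock (a constructed format, not any vendor's)."""
    t: float          # local monotonic clock, seconds since start
    fix: bool         # receiver reports a valid time/position fix
    cn0_db: float     # mean carrier-to-noise density (C/N0) over tracked satellites
    offset_s: float   # GPS time minus local clock, seconds (meaningless without a fix)


@dataclass
class TimingSupervisor:
    """Decide, sample by sample, whether GPS may drive the site clock.

    States: GPS (disciplined by the receiver), HOLDOVER (free-running local
    oscillator, still within its trusted interval), DEGRADED (holdover limit
    exceeded; time-dependent functions should be treated as unreliable).
    """
    min_cn0_db: float = 35.0          # assumed: sustained C/N0 below this suggests jamming
    max_step_s: float = 1e-3          # assumed: a larger offset jump between samples is suspect
    holdover_limit_s: float = 3600.0  # assumed: how long the oscillator is trusted unaided
    state: str = "GPS"
    last_offset: Optional[float] = None
    holdover_since: Optional[float] = None
    events: List[Tuple[float, str]] = field(default_factory=list)

    def update(self, s: GpsSample) -> str:
        reasons = []
        if not s.fix:
            reasons.append("no_fix")
        if s.cn0_db < self.min_cn0_db:
            reasons.append("low_cn0")
        if (s.fix and self.last_offset is not None
                and abs(s.offset_s - self.last_offset) > self.max_step_s):
            reasons.append("time_step")
        if reasons:
            if self.holdover_since is None:
                self.holdover_since = s.t
                self.events.append((s.t, "gps_rejected:" + ",".join(reasons)))
            elapsed = s.t - self.holdover_since
            self.state = "DEGRADED" if elapsed > self.holdover_limit_s else "HOLDOVER"
        else:
            if self.holdover_since is not None:
                self.events.append((s.t, "gps_restored"))
                self.holdover_since = None
            self.last_offset = s.offset_s
            self.state = "GPS"
        return self.state


def constructed_feed() -> List[GpsSample]:
    """A constructed outage: healthy lock, C/N0 collapse, loss of fix, recovery."""
    samples = []
    for i in range(10):                      # t=0..9: healthy lock
        samples.append(GpsSample(t=i, fix=True, cn0_db=44.0, offset_s=2e-6))
    for i in range(10, 15):                  # t=10..14: C/N0 collapses, fix still reported
        samples.append(GpsSample(t=i, fix=True, cn0_db=20.0, offset_s=2e-6))
    for i in range(15, 20):                  # t=15..19: receiver loses its fix entirely
        samples.append(GpsSample(t=i, fix=False, cn0_db=0.0, offset_s=0.0))
    for i in range(20, 25):                  # t=20..24: signal returns, offset agrees with before
        samples.append(GpsSample(t=i, fix=True, cn0_db=43.0, offset_s=3e-6))
    return samples


def run(samples: List[GpsSample], **kwargs):
    """Feed samples through a supervisor; return the state per sample and the event log."""
    sup = TimingSupervisor(**kwargs)
    states = [sup.update(s) for s in samples]
    return states, sup.events


if __name__ == "__main__":
    states, events = run(constructed_feed())
    print(" ".join(states))
    for t, what in events:
        print(f"t={t:>4} {what}")
```

On the constructed feed the supervisor drops to HOLDOVER at t=10, before the receiver itself admits anything is wrong, and returns to GPS at t=20 only because the restored offset agrees with the pre-outage value; with a deliberately short holdover limit it falls to DEGRADED instead. Each transition in the event log is the kind of record worth forwarding to the SCADA security monitoring, since a GPS rejection at an unattended site is exactly the signal the paragraph above says to watch for.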

NOTE: I have commented elsewhere that it would have been more helpful if the Coast Guard had characterized the reported outage as either man-made or natural. If natural, it is a clear reminder that satellite communications of all sorts can be disrupted by geomagnetic storms. If man-made, it is a clear declaration that at least one attacker has shown the ability and willingness to use widespread GPS jamming with a certain level of immunity.

Tuesday, January 19, 2016

ICS-CERT Publishes Siemens Advisory

This morning the DHS ICS-CERT published an advisory for a cross-site scripting vulnerability in building controller communications modules from Siemens. The vulnerability was reported by Aditya Sood. Siemens has produced a firmware update that mitigates the vulnerability, but there is no indication that Sood has had a chance to verify the efficacy of the fix.

ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to change data and settings on the target device.

The Siemens Advisory does mention the web server login form as being associated with this vulnerability; the ICS-CERT advisory does not. On the other hand, the ICS-CERT advisory does not mention needing to use a social engineering attack (usually prominently featured in ICS-CERT advisories) to get the user to access a specially crafted web site to exploit the vulnerability, which the Siemens Advisory does describe. It is almost as if the two advisories are describing different vulnerabilities using the same CVE.
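
Reflected cross-site scripting in a login form is a common shape for this class of bug, so here is an added example (not Siemens’ code and not taken from either advisory) of the defect beside its fix: an error page that reflects the submitted user name unencoded, the same page with HTML escaping applied, the response headers that limit the damage if encoding is ever missed, and a small check a reviewer can run against a handler. The page markup and the probe string are constructed for the example.

```python
import html
import re

# Constructed probe string for the example; it carries markup but no script.
PROBE = '"><b>probe</b>'


def render_login_error_vulnerable(username: str) -> str:
    """Login error page that reflects the submitted name without encoding (the defect)."""
    return f'<p class="err">Login failed for user "{username}"</p>'


def render_login_error_hardened(username: str) -> str:
    """Same page with the untrusted value HTML-escaped before it enters the markup.

    quote=True also encodes the double quote, so the value cannot break out of an
    attribute if the template is later changed to put it inside one.
    """
    safe = html.escape(username, quote=True)
    return f'<p class="err">Login failed for user "{safe}"</p>'


def response_headers() -> dict:
    """Headers that limit what injected markup could do if encoding is ever missed."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z]")


def reflects_markup(render, untrusted: str) -> bool:
    """Review check: does input containing a tag come back verbatim in the output?"""
    return TAG_RE.search(untrusted) is not None and untrusted in render(untrusted)


if __name__ == "__main__":
    print("vulnerable:", render_login_error_vulnerable(PROBE))
    print("hardened:  ", render_login_error_hardened(PROBE))
    print("reflects markup? vulnerable =", reflects_markup(render_login_error_vulnerable, PROBE),
          "hardened =", reflects_markup(render_login_error_hardened, PROBE))
```

The check is deliberately crude: it only tells a reviewer that a tag survives into the page, which is enough to fail a handler in a code review or a firmware acceptance test. Output encoding at the point of insertion is the fix; the Content-Security-Policy header is a backstop for embedded web servers that, as here, may go years between firmware updates.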

NOTE: The different CVSS base scores are more easily explained: the two organizations used different versions of the scoring system to calculate those scores.

NOTE: Siemens announced this vulnerability on TWITTER® last Friday.

Railroad Control System Security

There is an interesting article on the site about control system security in US railroads. Unfortunately, the author (Bryce Emley) was not able to document a lot of the suspected control system attacks described in the article. This was not because of any lack of research on his part, but probably has more to do with the same sort of reluctance to discuss cyber incidents that we see throughout industry.

Cybersecurity Rules Non-existent

The article includes a rather lengthy discussion about the positive train control (PTC) technology that is still being implemented by the railroad industry. Now I did do a blog post on the security rules in the NPRM for the PTC rule back in 2009 and it is interesting to see how much our ideas about control system security have changed since that time.

As I described in 2009, the current PTC security rules (49 CFR 236.1033) are actually communications security rules and have nothing to do with cybersecurity beyond how encryption is to be used to secure communications between devices.

For other railroad safety systems (and older systems still in place until fully replaced by PTC by 2021) the closest you get to cybersecurity rules can be found in §236 Subpart H; Standards for Processor-Based Signal and Train Control Systems. But the scoping statement for that subpart never mentions security, just safety. The closest you get is found in §236.901:

“This subpart prescribes minimum, performance-based safety standards for safety critical products, including requirements to ensure that the development, installation, implementation, inspection, testing, operation, maintenance, repair, and modification of those products will achieve and maintain [emphasis added] an acceptable level of safety.”

What is Missing

What should have been included (to be fair, no one was really talking about this type of stuff for control systems back in 2009, or year 1BS – Before Stuxnet) in the original PTC rulemaking? First, since the railroad industry was being tasked to design, essentially from scratch, a new industrial control system network, this would have been an ideal time to require that secure design tools and processes be used in developing and manufacturing all components that would be included in PTC installations.

Next the railroads should have been required to develop and maintain network diagrams for all fixed components of their PTC systems and a similar network diagram for each mobile platform traversing those systems. Those diagrams would have to include all devices connected to the systems and all communications modes available to connect with each of those devices.

The rules should have also included requirements for railroads to conduct intrusion detection monitoring of those networks. Because public safety (both passenger and right-of-way neighbors) is involved there should have been requirements to establish internal reporting and incident response plans with requirements for reporting certain types of breaches to the TSA.

Finally, there should have been provisions made for reporting and coordinating component vulnerability disclosure and mitigation. Those provisions should have included specific DMCA exemptions for security researchers looking at PTC components or systems.

Conflicting Responsibilities

Sharp-eyed readers will note that I listed TSA as the breach reporting agency. This is because TSA has been given responsibility for surface transportation security, not because they have expertise in cybersecurity matters. They do have a security incident reporting infrastructure in place, but they would probably have to pull in experts from ICS-CERT and/or the FRA for analysis and mitigation measures.

The FRA certainly has a certain amount of internal expertise on matters dealing with PTC systems. I am almost certain, however, that they have little or no cybersecurity expertise as it pertains to those systems. To be fair, nor does anyone else. The closest thing to having an agency with that sort of expertise is the ICS-CERT. A large measure of their control system security expertise would be directly translatable and the probable system specific blank spots would not be difficult to overcome; certainly more so for ICS-CERT than either FRA or TSA.

And there is yet a fourth agency that has a horse in this race, the Federal Communications Commission, since the PTC systems use broadcast radio communications both between fixed components and mobile units and for intra-fixed-network communications over long distances. In fact, the FCC’s permitting process was responsible for some of the delays that the railroads experienced in setting up their PTC systems.

What Needs to Be Done

At this point adding any new PTC regulations for cybersecurity is going to be difficult. No agency has specific authority to issue such regulations and after recently extending the PTC implementation deadline, Congress is unlikely to provide specific regulatory authority. Unless, of course, we have a railroad hacking event of sufficient magnitude that the public and political outcry forces Congress to over-react.

It is probably too late at this point to include secure design requirements in any cybersecurity legislation. New equipment and system modifications could be addressed at this point, but most of the system design and much of the hardware acquisition has already taken place, so the secure design benefits would be somewhat lessened.

All of the other security measures discussed above, however, could be added onto the PTC systems already in place. They would go a long way to preventing the sorts of problems we have seen to date with security reporting. They would also provide for early detection of hacking attempts that could certainly prevent both intended and unintended railroad accidents resulting from such hacking attempts. That early detection and accident prevention fits well into the whole concept of positive train control.

Sunday, January 17, 2016

Chemical Alarms

There was an interesting article this week about a leak from a chlorine cylinder at a water treatment plant. A leaking 150-lb chlorine cylinder was detected by a local chemical alarm. The local area was evacuated, the cylinder was isolated and removed, and the area remediated. No injuries were sustained and the water treatment facility continued to operate as normal during the incident.

Gas Alarm

So, what made the incident interesting? What first caught my eye was the following:

“According to Manuel Aguilar, who oversees the water treatment plant, he arrived for work at about 6:30 a.m. and soon found the plant’s alarm, which detects the presence of chlorine in the air, was going off.”

Any facility that manufactures, stores or uses toxic inhalation hazard (TIH) chemicals typically uses chemical alarms to notify personnel in and around the area of the release of the TIH chemicals. By definition, TIH chemicals like chlorine can cause serious injury or death at relatively low concentrations. Even when chemicals like chlorine have distinctive odors the human nose cannot distinguish between relatively safe or unsafe levels of the chemical in the atmosphere.

Ideally chemical alarms used in TIH containing facilities should perform two functions. First they should act as a warning to those in the local area that are not wearing the personal protective equipment (PPE) necessary to operate in an exposure situation to evacuate the area as quickly as possible. Second it should serve as notification to initiate emergency response activities. In facilities that are not manned 24-7, there should be an off-site notification system to a response agency that is operational 24-7.

The Response

According to the news report Aguilar checked the chlorine tank in active use to see if it or any of its connections were leaking; no leak was found in the active system. Then:

“When he walked to where the chlorine gas canisters were secured, he could smell the pungent odor of chlorine, and noticed one of the 150pound canisters had ice builtup [sic] around an apparent leak at its base.”

Now there are a couple of things wrong with this picture. First off, since the active cylinder and the stored cylinder were stored in separate locations, the gas alarm should have indicated which location had the gas leak. It appears that there were sensors in the two locations, but the alarm indicator did not apparently indicate in which of the two areas that a leak was occurring. This would make it more difficult for emergency responders to locate the leak.

The second problem is that there is no way that Aguilar should have been able to smell the chlorine leak since he should have been in proper PPE when investigating a leak of unknown size and origin. And that PPE should have included a respirator. The fact that he looked for a potentially leaking tank without PPE probably indicates that either he was inadequately trained about the hazards of chlorine gas or that small leaks were relatively common and he had stopped taking the training that he had received seriously. The former is quite common.

Fortunately for the unprotected Aguilar, the leak in the tank had essentially been stopped by the formation of chlorine gas hydrates. The evaporation of the chlorine liquid leaking from the bottom of the tank (nice picture here) created ice from the water vapor in the air, which encapsulated much of the chlorine gas and at some point ended up blocking further leakage. If the full (estimated) 75 lb of chlorine lost from the cylinder had been in vapor form, the concentration in the air could have been enough to cause serious injury or perhaps death to Aguilar when he entered the area.

The Ideal

Here is probably what should have happened. Sometime in the middle of the night (when the leak started) the person on duty at the Public Works Department should have received an alarm notification from the water treatment plant. The alarm would have indicated the location of the alarm (the cylinder storage area) and the chlorine concentration in that area. Calls would have been made to the local police and fire department and the facility manager. Based upon the location of the alarm and the chlorine gas concentration the facility emergency response plan may have called for local evacuations or shelter in place for the houses and business adjacent to the facility.

Depending on the training available (this is a small facility, and full HAZWOPER training is typically not provided to facility personnel at such facilities), a team from the facility, the local fire department and/or a regional HAZMAT team would have suited up and entered the facility to investigate the leak.

Chemical Security

There is nothing in the article about security at the site, and that is to be expected since this was a leak incident not a security incident. Having said that, you can look at the facility on Google Street View and see that the cylinders not in use are being stored outside (which, to be fair, reduced the risk to Aguilar in this situation) with the only security being a chain link fence with two locked gates very close to the cylinders. The only thing securing the cylinders to the facility are the cloth safety straps designed to keep them from falling over.

If this were a facility covered by the Chemical Facility Anti-Terrorism Standards (CFATS) program those security measures would be totally inadequate. Unfortunately, Congress in its infinite wisdom exempted water treatment facilities from CFATS coverage because the EPA had its own water security program in place. This facility apparently meets those (obviously very lax) standards.

The CFATS program treats 150-lb chlorine cylinders as a theft-diversion risk. The idea is that the cylinders like these could be used by terrorists to attack indoor gatherings of people (like shopping malls, churches or schools). Or they could be used in conjunction with an explosive device to make an improvised chemical bomb (like we have seen used in Syria and Iraq by ISIS). In any case, preventing the theft of this type of cylinder takes a lot more than just a chain link fence with gates that can be opened with a pair of bolt cutters.

KUDOS: I would like to mention that the news report from David Alderstein was very professionally done. I was particularly pleased to see the description of the chlorine hydrate that was provided; a very nice touch. It is not often that we see chemical incident news reports handled this well in the press.

Saturday, January 16, 2016

Responses to Latest CSF RFI – 01-16-16

This is part of an on-going look at the responses to the National Institute of Standards and Technology (NIST) latest request for information (RFI) on potential updates to the Cybersecurity Framework (CSF). A reminder, the comment period will remain open until February 9th, 2016. The previous posts in this series include:

As of this morning there are only two new responses posted to the RFI Response site. They come from:

Prevent Duplication of Regulatory Processes

NIST question 9 asks:

“What steps should be taken to “prevent duplication of regulatory processes and prevent conflict with or superseding of regulatory requirements, mandatory standards, and related processes” as required by the Cybersecurity Enhancement Act of 2014?”

Not addressed by either commenter.

Should CSF be Updated?

NIST question 10 asks:

“Should the Framework be updated?”

One of the commenters noted that the use of the CSF should be expanded to all small and medium businesses, even those not specifically considered ‘critical infrastructure’.

Private Sector Involvement

NIST question 20 asks:

“What should be the private sector’s involvement in the future governance of the Framework?”

Not addressed by either commenter.


Both responses posted today were remarkably non-contributory to the intended discussion. With the comment period over half-way completed the number of responses has been underwhelming to say the least, but that is fairly typical of the response process. The response rate should increase significantly as the deadline approaches. It takes time for organizations to develop their official responses.

Thursday, January 14, 2016

ICS-CERT Publishes Advantech Advisory

This afternoon the DHS ICS-CERT published an advisory for the Advantech WebAccess application. The Advisory covers 15 vulnerabilities identified by a number of different researchers, including Ivan Sanchez. I think this sets an ICS-CERT record for the number of vulnerabilities in a single advisory. Advantech has produced a new version that mitigates the vulnerabilities, and Sanchez has tested it to verify the efficacy of the fix for the unidentified vulnerabilities that he reported.

The vulnerabilities [corrected word 10:20 CST, 1-16-16] include:

• Access of memory location after end of buffer - CVE-2016-0851;
• Unrestricted upload of file with dangerous type - CVE-2016-0854;
• Path traversal - CVE-2016-0855;
• Stack-based buffer overflow - CVE-2016-0856;
• Heap-based buffer overflow - CVE-2016-0857;
• Race condition - CVE-2016-0858;
• Integer overflow to buffer overflow - CVE-2016-0859;
• Improper restriction of operations within bounds of a memory buffer - CVE-2016-0860;
• Improper access control - CVE-2016-0852;
• Improper input validation - CVE-2016-0853;
• Cross-site scripting - CVE-2016-0848;
• SQL injection - CVE-2016-0847;
• Cross-site request forgery - CVE-2016-0846;
• External control of file name or path - CVE-2016-0867; and
• Clear text storage of sensitive information - CVE-2016-08443;

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities.

There is nothing in the Advantech press release for this new version or the release notes that indicates that any security issues (much less 15 of them) exist and have been resolved. The description of some of the ‘resolved problems’ can be traced back to some of the vulnerabilities listed above by someone versed in cybersecurity vulnerabilities, but there is nothing in the Advantech literature that would indicate that there was any security need to switch to the new version.


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking (NPRM) from the DOT’s National Highway Traffic Safety Administration (NHTSA) on vehicle to vehicle (V2V) communications. The advance notice of proposed rulemaking (ANPRM) for this was published in August 2014.

The Fall 2015 Unified Agenda describes the rulemaking this way:

“V2V communications uses on-board dedicated short-range radio communication (DSRC) devices to broadcast messages about a vehicle's speed, heading, brake status, and other information to other vehicles and receive the same information from the messages, with extended range and "line-of-sight" capabilities. V2V's enhanced detection distance and ability to "see" around corners or "through" other vehicles helps V2V-equipped vehicles uniquely perceive some threats and warn their drivers accordingly. V2V technology can also be fused with vehicle-resident technologies to potentially provide greater benefits than either approach alone. V2V can augment vehicle-resident systems by acting as a complete system, extending the ability of the overall safety system to address other crash scenarios not covered by V2V communications, such as lane and road departure. Additionally, V2V communication is currently perceived to become a foundational aspect of vehicle automation.”

This rulemaking may be the first place that NHTSA attempts to address cybersecurity issues related to automobiles. Based upon questions asked in the ANPRM it certainly looks like NHTSA has been looking at this as a potential vehicle for vehicle cybersecurity regulations.

There were over 900 comments received on the ANPRM in 2014. Surprisingly, a large number of them were from private citizens objecting to V2V implementation because of perceived health issues associated with electromagnetic radiation (EMR) from the radio transmissions involved in the communications. It will be interesting to see how NHTSA deals with those comments in this NPRM.

Wednesday, January 13, 2016

ICS-CERT Publishes Nov-Dec Monitor

This afternoon the DHS ICS-CERT published the latest version of their periodic report on activities undertaken by ICS-CERT. Long-time readers will recall that I have become increasingly dismissive of this publication over the years. Unfortunately, I have to continue that trend.

As usual this issue starts off with a ‘report’ on an actual incident that was investigated by ICS-CERT. The details are even sketchier than normal, with no positive indication that a control system was actually involved. I understand that ICS-CERT is restricted in what information it can share in a public environment, but all we are told here is that the Assessment team noted indications of malware and the Incident Response team was called in. They confirmed the infection and provided information to allow the clean-up process to begin. Sorry, but we get more useful information from CSI Cyber®.

There is a nice fluff piece on vulnerability coordination in the medical device space. It contains a nice description of the coordination process but it is a feel good article that weakly makes the case for vulnerability disclosures. I hope ICS-CERT does a better job at next week’s FDA Conference.

We have the typical year end summary of ICS-CERT incidents where ICS-CERT continues to conflate ICS incidents and IT incidents at facilities with ICS. The section in this issue does make one very cogent point:

“While sophisticated intrusions against asset owners persist, in FY 2015, ICS-CERT responded to a significant number of incidents enabled by insufficiently architected networks, such as ICS networks being directly connected to the Internet or to corporate networks, where spear phishing can enable access. It is uncertain if this was a change in targeting by adversaries, if these systems merely represented targets of opportunity, or if there is some other explanation. Regardless of cause, this reinforces the need for asset owners/operators to focus on security fundamentals such as those outlined in our DHS/FBI/NSA joint publication ‘Seven Steps to Effectively Defend Industrial Control Systems’ and ICS-CERT’s ‘Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies.’”

The FY 2015 highlights section of the Monitor does provide some interesting factoids about ICS-CERT and industrial control system security. An important milestone mentioned here is the elevation of the ICS-CERT to a continuous presence on the National Cybersecurity and Communications Integration Center (NCCIC) floor. This does mark an important increase in the perceived level of importance of control system security.

There is another mention in the highlights section that deserves some discussion here. That is the apparent release of version 7.0 of the Cyber Security Evaluation Tool (CSET). Unfortunately, there is no information about the differences between v7.0 and earlier versions and there is no indication on the ICS-CERT web site that the CSET has changed since May of 2014. This is a shame because this has been a valuable tool that can be used either in the stand-alone mode by a facility team or in conjunction with an assistance team from ICS-CERT. I really wish that ICS-CERT would do a better job publicizing the CSET.

In the final analysis, this is a short document that costs nothing but the very short download time. We are going to be hearing about the misleading incident stats for the next 9 months so you might as well read the document.

FDA Workshop on Cybersecurity for Medical Devices

The Food and Drug Administration has announced the agenda for their conference on Medical Device Cybersecurity to be held later this month. The 2-day conference and workshop is designed to engage the multi-stakeholder community in focused discussions on unresolved gaps and challenges that have hampered progress in advancing medical device cybersecurity.

Included on the agenda are sessions on:

• Keynote Address: Marty Edwards, Director of ICS–CERT;
• Medical Device Cybersecurity: A Year in Reflection and Looking Ahead;
• Cyber Threat Landscape within the Healthcare and Public Health Sector;
• FDA's Current Thinking: Implementation of the NIST ‘Framework for Improving Critical Infrastructure Cybersecurity’ for Strengthening Security throughout the Total Product Life Cycle;
• Information Sharing and Analysis Organization (ISAO);
• Vulnerability Handling Processes and Coordinated Vulnerability Disclosure;
• Overcoming Challenges Manufacturers face with Increased Cybersecurity Collaboration;
• Identifying and Crafting Action Plans to Address Gaps and Challenges in Strengthening the Cybersecurity Stance of the Medical Device Ecosystem;
• Gaining Situational Awareness of Current Activities in the Healthcare and Public Health Sector to Enhance Medical Device Cybersecurity; and
• Adapting and/or Implementing Medical Device Cybersecurity Standards

The link for the webcast is still not available. It should be on the conference web site by the time of the meeting.

Cyber Weapon Testing

As the use of cyber tools to attack infrastructure is apparently becoming a means of effecting nation-state political goals, it is necessary to examine how those tools can be honed, improved and tested without risking conventional warfare. While in the early days of cyber weapon development (à la Stuxnet) subterfuge or obfuscation was adequate to prevent retaliation, strides in the technologies for isolation, identification and attribution of cyber weapons are making real-world testing of these weapons more difficult.

Artificial testbeds and weapons ranges will certainly have their place in cyber weapon development and evaluation, but a cautious adversary would be wary of relying on new strategic weapons in a full scale attack without having tested both their capability and their target’s potential responses to such an assault.

Proxy Targets

A time honored tradition in conventional weapon development has been the use of new weapon systems against proxy targets. Lesser third party nations that had limited retaliatory capability were attacked with new weapons to see how well the weapons actually fared in combat conditions. If the proxy target had some of the defensive armament used by the primary opponent, the test would provide important data to the developers of weapons and tactics as to how best employ the new weapons in future conflicts.

There have been people who have suggested that the recent cyber-attacks on the electric grid in the Ukraine were just this type of attack. While the Russians certainly have local interests vis-à-vis the Ukraine that might cause them to execute this type of attack, the use of a new cyber-attack methodology in actual field conditions could certainly be used to refine and improve such methods.

Mini Attacks

Limited attacks with conventional kinetic weapons against one’s primary adversary are very hard to hide. That may not be the case with cyber weapons. If one were to employ portions of the attack tools against an adversary during events when the target was already being stressed, the target might not notice the small cyber effects.

For example, if during a winter storm, when a certain amount of electric distribution and transmission failures are to be expected, an adversary were to use new cyber weapons in very limited application, the failures related to those attacks might not be investigated in sufficient detail to identify them as a cyber-attack.

An adversary that had already gained access to an electrical distribution network, for instance, could cause an automated breaker to open and carefully watch how that opening affected the remainder of the network. If the breaker controller had been doctored not to show that particular directed opening, it is unlikely that the utility would take particular note of that breaker opening in the grand scheme of responding to the weather-related problems.

Camouflaged Attacks

In a posting on the SANS ICS Blog last summer I described how isolated changes could be made to the controls of chemical reactions in a chemical manufacturing plant in a way that makes them seem like operator errors. Such attacks could be used to map control system responses at such a facility. Lacking detailed process knowledge, an attacker could use such response mapping over time as a method for developing an effective attack that could shut down or even damage the facility.


The last two weapon testing methodologies should be of increasing concern to control system owners as it becomes more obvious that there are nation states (and possibly non-state organizations) that are actively developing technology to attack industrial control systems as a tool of cyber warfare.

While few organizations are going to have the internal resources to completely prevent the possibility of such an attack, the ability to identify unauthorized intrusions into control system networks is key to limiting the effectiveness of such attacks if they do occur. Such identification should allow for the emergency isolation/shutdown of the affected systems in a way that minimizes the potential damage.
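One way a utility can catch the camouflaged breaker opening described above is to stop trusting the breaker controller's own event log as the only record and cross-check it against an independent source, such as line-current telemetry from a separate measurement path. The following is an added illustration, not code from this blog or from any utility or vendor; the telemetry samples, event log and breaker names are constructed for the example.

```python
from datetime import datetime, timedelta

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

# Constructed sample telemetry (not real utility data): independent
# line-current readings per breaker, in amps, sampled every 5 minutes.
CURRENT_SAMPLES = [
    ("2016-01-20T03:00:00", "CB-12", 410.0),
    ("2016-01-20T03:05:00", "CB-12", 405.0),
    ("2016-01-20T03:10:00", "CB-12", 0.0),   # line dropped, controller silent
    ("2016-01-20T03:00:00", "CB-17", 220.0),
    ("2016-01-20T03:05:00", "CB-17", 0.0),   # line dropped, trip was reported
    ("2016-01-20T03:10:00", "CB-17", 0.0),
]

# Constructed controller event log: (time, breaker, state, recorded cause).
CONTROLLER_EVENTS = [
    ("2016-01-20T03:04:30", "CB-17", "OPEN", "PROTECTION_TRIP"),
    ("2016-01-20T03:12:00", "CB-21", "OPEN", ""),   # opened, no cause recorded
]

def find_suspect_openings(samples, events, window=timedelta(minutes=5)):
    """Return (breaker, time, reason) for openings worth an engineer's look:
    a de-energised line with no matching controller OPEN event, or an OPEN
    event with no protection trip or operator command behind it."""
    findings = []
    opens = [(_ts(t), b, cause) for t, b, st, cause in events if st == "OPEN"]

    # 1. Telemetry shows current falling to zero: did the controller report it?
    by_breaker = {}
    for t, b, amps in samples:
        by_breaker.setdefault(b, []).append((_ts(t), amps))
    for b, series in by_breaker.items():
        series.sort()
        for (t0, a0), (t1, a1) in zip(series, series[1:]):
            if a0 > 0 and a1 == 0:
                reported = any(bb == b and abs(te - t1) <= window
                               for te, bb, _ in opens)
                if not reported:
                    findings.append((b, t1, "de-energised with no controller OPEN event"))

    # 2. Controller reports an opening with neither a trip nor an operator behind it.
    for te, b, cause in opens:
        if cause not in ("PROTECTION_TRIP", "OPERATOR_COMMAND"):
            findings.append((b, te, "OPEN event without recorded trip or command"))
    return findings

if __name__ == "__main__":
    for b, t, why in find_suspect_openings(CURRENT_SAMPLES, CONTROLLER_EVENTS):
        print(f"{t.isoformat()} {b}: {why}")
```

During a storm most findings will be genuine weather faults; the value of the check is that a directed opening hidden from the controller log still shows up as an unexplained loss of current.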

Tuesday, January 12, 2016

Bills Introduced – 01-11-16

With both the Senate and House in session yesterday there were 12 bills introduced. Of those, one may be of specific interest to readers of this blog:

HR 4361 Federal Information Systems Safeguards Act of 2016. Rep. Palmer, Gary J. [R-AL-6] 

This is the bill that I mentioned yesterday as being on the markup list for today’s hearing of the House Oversight and Government Reform Committee. A draft copy of the bill is on the Committee web site and as currently crafted does not contain any control system language. We’ll see what amendments come out this morning.

Monday, January 11, 2016

ICS-CERT Updates BlackEnergy Advisory

Today the DHS ICS-CERT updated their advisory on “Ongoing Sophisticated Malware Campaign Compromising ICS”, or BlackEnergy. The original advisory was published in October 2014 and updated in October and December of that year.

The update is based on information about the recent cyber based attack on Ukrainian power distribution systems over the Christmas holidays. More detailed information on that attack can be found on the SANS ICS Blog. The ICS-CERT update makes the point that a new variant of BlackEnergy (BlackEnergy 3) has been associated with this event and that the vector for the delivery of the malware appears to have been via “spear phishing via a malicious Microsoft Office (MS Word) attachment”.

The second addition to this advisory deals with the use of YARA rules to detect BlackEnergy infections. ICS-CERT maintains that the originally published YARA rules “has been shown to identify a majority of the samples seen as of this update and continues to be the best method for detecting BlackEnergy infections”. They also point out that using the YARA signature with a control system must be done carefully since there is potential for unintended interactions with control systems. They note:

“ICS-CERT has published instruction for how to use the YARA signature for typical information technology environments. ICS-CERT recommends a phased approach to utilize this YARA signature in an industrial control systems (ICSs) environment. Test the use of the signature in the test/quality assurance/development ICS environment if one exists. If not, deploy the signature against backup or alternate systems in the top end of the ICS environment; this signature will not be usable on the majority of field devices.”

NOTE: ICS-CERT continues to not list updates on their main landing page. For an update as potentially important as this, it defies explanation why they did not at least make an exception for this particular update. The only saving grace is that they did announce the update on TWITTER®.