Saturday, December 30, 2017

Publicly Disclosed ICS Vulnerabilities – Week of 12-23-17

This week we have two vendor notifications that were not covered by ICS-CERT. These were for products from Siemens and ABB.

Siemens Update


Siemens announced another update to their July advisory about vulnerabilities in their SIPROTEC 4 and SIPROTEC Compact devices. ICS-CERT updated their advisory for the previous Siemens update, but has not done so for this one. I suspect this is a holiday delay.

Siemens is providing updated version information and mitigation measures for their SIPROTEC 7UT686.

ABB Advisory


Joel Langill provided a link to an ABB security advisory linked to the TRITON/TRISIS/HATMAN malware. While the TTH attack did not involve any ABB products, the company notes that “conceptually a similar attack can be leveraged against any safety system with a sufficiently similar design concept”. The advisory then goes on to provide a link to a product specific advisory (registration required) for the ABB System 800xA High Integrity safety instrumented system.


Since I am not a registered user I do not have access to the advice provided by ABB but I suspect that it pretty much reiterates standard security protocols for the device. That is not a bad thing in view of some the lapses reported in both the Dragos and FireEye reports. In fact, it might be a good idea for all vendors of safety instrumented systems to review those two reports and provide a security update for their products that emphasizes the lessons learned in the Saudi attack.

Friday, December 29, 2017

S 2220 Introduced – Alternative Timing System

Earlier this month Sen. Cruz (R,TX) introduced S 2220, the National Timing Resilience and Security Act of 2017. The bill would require the Secretary of Transportation to establish a land-based alternative to the GPS timing signal. The new system would be designed to{§2(a)}:

• Reduce critical dependencies and provide a complement to and backup for the timing component of the Global Positioning System (in this section referred to as ‘‘GPS’’); and
• Ensure the availability of uncorrupted and non-degraded timing signals for military and civilian users in the event that GPS timing signals are corrupted, degraded, unreliable, or otherwise unavailable.

Procurement Requirements


Section 2(b) of the bill would require the Secretary of Transportation, in consultation with the Homeland Security Secretary, to establish procurement requirements for the alternative timing system. Those requirements would be based upon the study required by §1618 of the FY 2017 NDAA (PL 114-328; 130 Stat. 2595). Those requirements would include in the design criteria that the system would {§2(b)(2)}:

• Be wireless;
• Be terrestrial;
• Provide wide-area coverage;
• Deliver a precise, high-power 100 kilohertz signal;
• Be synchronized with coordinated universal time;
• Be resilient and extremely difficult to disrupt or degrade;
• Be able to penetrate underground and inside buildings;
• Be capable of deployment to remote locations;
• Take full advantage of the infrastructure and spectrum of the existing, unused government long-range navigation system (commonly known as ‘‘LORAN’’);
• Be developed, constructed, and operated incorporating applicable private sector expertise;
work in concert with and complement any other similar positioning, navigation, and timing systems, including enhanced long-range navigation systems and Nationwide Differential GPS systems;
• Be made available by the Secretary of Transportation for use by other Federal and non-Federal Government agencies for public purposes at no cost;
• Be capable of adaptation and expansion to provide position and navigation capabili12
ties;
• Incorporate the recommendations from any GPS back-up demonstration program initiated and completed by the Secretary, in coordination with other Federal agencies, before the date specified in subsection (c)(1); and
• Incorporate such other elements as the Secretary considers appropriate.

Implementation Plan


Section 2(c) of the bill would give the DOT Secretary a 180-day requirement to report to Congress on the plan to develop, construct, and operate the back-up timing system. The DOT would have two years from the enactment of this legislation to have the system in operation. And, the system would be required to be operational for at least 20 years.

LORAN Facilities


The bill envisions that the timing system would incorporate some or all of the existing, but now essentially unused LORAN navigation beacon stations. Section 2(d) of the bill would require the Coast Guard to transfer any of the necessary LORAN real property or radio frequencies to DOT.

Moving Forward


Both Cruz and his cosponsor {Sen. Markey (D,MA)} are members of the Senate Commerce, Science and Transportation Committee to which this bill was referred for consideration. This means that it is very likely that the two would have the necessary influence to have the Committee take up the bill for consideration.

The fact that these two particular senators that agree on very little would cosponsor this bill would seem to indicate that there should be bipartisan support for the bill. Unfortunately, there is one major impediment to the bill, the unspecified cost of the development and implementation of the timing system.

Commentary


There are a couple of interesting things buried in the language of this bill. First the bill requires the DOT to consult with DHS on designing the system, but the report for establishing the system requirements was written by DOT, DHS and DOD {§1618(c)(2)}. The failure to include DOD involvement in the system design and implementation was probably done to exclude the Senate Armed Services Committee from also being assigned consideration of the bill. This would seem to indicate that Cruz (who is a member of that Committee) expects significant opposition to the bill in that quarter.

Secondly, this bill only touches on GPS timing issues, not the additional positioning or navigation problems that would arise if the current GPS system was spoofed or blocked. Two bills in the House, HR 2515 (§411) and HR 2825 (§5411), contain similar requirements for DHS to establish a land based backup system for all three GPS components. And both of those bills also envision using the existing LORAN facilities. It would seem to me that the incremental costs of adding location and navigation information to a land-based signal for timing would be relatively low.


Finally, the requirement in this bill for DOT to be the lead agency for this backup timing system, is a tad bit odd. I suspect that it is based upon the original ownership of the LORAN system by DOT since it was used as a navigation tool for maritime and air traffic. But with this bill being limited to the timing side of the system it would seem to me that the Department of Commerce would be the more appropriate agency for a timing limited system.

Thursday, December 28, 2017

FERC NPRM to Increase Cybersecurity Incident Reporting

Today the Federal Energy Regulatory Commission (FERC) published a notice of proposed rulemaking (NPRM) in the Federal Register (82 FR 61499-61505) proposing to require the North American Electric Reliability Corporation (NERC) to improve mandatory reporting of Cyber Security Incidents, including incidents that might facilitate subsequent efforts to harm the reliable operation of the bulk electric system.

New Reporting Requirements


Because of the way that FERC utilizes NERC as the actual regulatory agency for the bulk electric system, this NPRM does not include any actual regulatory language. Instead it proposes to require NERC to develop changes to the Critical Infrastructure Protection (CIP) Reliability Standards, specifically CIP-008-5. This NPRM proposed that FERC would direct NERC to modify the CIP Reliability Standards to:

Include the mandatory reporting of Cyber Security Incidents that compromise, or attempt to compromise, a responsible entity's Electronic Security Perimeter (ESP) or associated Electronic Access Control or Monitoring System (EACMS);
Specify the required content in a Cyber Security Incident report;
Establish requirements outlining deadlines for filing a report once a compromise or disruption to reliable bulk electric system operation, or an attempted compromise or disruption, is identified by a responsible entity; and
Require that the reports submitted under the enhanced mandatory reporting requirements would be provided to E-ISAC, similar to the current reporting scheme, as well as ICS-CERT.

Public Comments


FERC is soliciting public comments on this NPRM. Comments may be submitted via the FERC eFiling page (registration required). Comments should be filed by February 26th, 2018.

Commentary


The FERC/NERC relationship is more than a little odd as compared to the rest of the federal government. Readers who work in and/or around the bulk electrical system are probably used to this, but for a relative outsider like myself, the quirks of the rulemaking process are just a tad byzantine.

For example, the notice states that: “the Commission certifies that this Notice of Proposed Rulemaking will not have a significant economic impact on a substantial number of small entities”. They can get away with saying that because, technically, the NPRM only will affect NERC; nobody else will have to take any actions because of this rulemaking. Of course, once NERC modifies CIP-008-05, bunches of other folks (including some number of ‘small entities’) will have to make changes to the way they operate, but that is years down the road.

One of the interesting aspects of this NPRM is that it uses the FY 2016 ICS-CERT Year in Review as part of the justification for the increased reporting requirements. Apparently in 2016 CERC reported that there were no cybersecurity incidents reported to it while ICS-CERT reported investigating 59 incidents in the 'Energy Sector’ (which may or may not have – but probably did - included anyone in the bulk electric systems).

As I pointed out in a blog post about that report (and in numerous other posts over the years) there is a problem with the ICS-CERT incident reporting numbers, it is based upon a non-existent (but apparently very broad) definition of the term incident. This problem is not unique to ICS-CERT and is actually addressed in this NPRM.

After discussing the issue FERC would actually add a new term; ‘a reportable cybersecurity incident’. Unfortunately, the NPRM does not contain a specific definition of the term. Rather it generally describes the issue by stating: “we believe it is reasonable to establish the compromise of, or attempt to compromise, an ESP or its associated EACMS as the minimum reporting threshold”. Because the NERC CIPs are in effect the regulations that this NPRM is attempting to modify, we will have to see what definition that NERC will establish for the ‘reportable cybersecurity incident’ terminology.


One requirement that is not explicitly explained in the NPRM is why FERC wants ICS-CERT to be included as a recipient of any cybersecurity incident report. While I completely agree (and have advocated such reporting requirements for other sectors as well), it would have been helpful to have FERC explicate their reasoning. For me, the inclusion of ICS-CERT would help to ensure that compromises of control system components (including software and firmware) that are also used in other sectors are shared with those sectors. I suspect that the FERC reasoning is similar, but it would have been helpful to have this spelled out.

Wednesday, December 27, 2017

ISCD Publishes 60-day Personnel Surety ICR Revision

Today the DHS National Protection and Programs Directorate (NPPD) published a 60-day Information Collection Request (ICR) revision notice in the Federal Register (82 FR 61312-61317) for the expansion of the personnel surety program (PSP) to Tier 3 and Tier 4 facilities covered under the Chemical Facility Anti-Terrorism Standards. The PSP implements the requirement of 6 CFR 27.230(a)(12)(iv) to vet personnel with access to CFATS covered facilities “to identify people with terrorist ties”.

The NPPD’s Infrastructure Security Compliance Division (ISCD) is not proposing any changes to the four options for vetting covered personnel that were established when the current ICR was approved for Tier 1 and Tier 2 facilities.

Under this proposed revision ISCD would begin a phased notification of Tier 3 and Tier 4 facilities over a three-year period to revise their site security plan to reflect their implementation of the PSP terrorist vetting requirement. This notification would only begin once the OMB’s Office of Information and Regulatory Affairs (OIRA) approved this ICR.

ISCD has made some revisions to the ICR burden estimates in this notice based upon the data that they have received during the PSP implementation at Tier 1 and Tier 2 facilities. Generally they have reduced the number of estimated data submissions and the amount of time per submission to lower the burden estimate.


ISCD is soliciting public feedback on this ICR notice. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket #DHS-2017-0037). Comments need to be submitted by 02/26/2018. This ICR notice will be followed by a 30-day notice once ISCD has a chance to respond to the comments submitted to this notice.

Tuesday, December 26, 2017

OMB Approves Grid Emergency Order Rule

On Friday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that they had approved the final rule from the Department of Energy regarding the procedures for issuing grid security emergency orders. The notice of proposed rulemaking for this rule was published on December 7, 2016. This rule was submitted to OIRA on December 19th, 2017 for review.


The rule was approved ‘consistent with change’. Typically, this means that OIRA required some relatively minor changes in the draft of the rule. This rule will probably appear later this week in the Federal Register.

EPA Sends TSCA Fee Rule to OMB

On Friday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking (NPRM) from the EPA relating to the establishment of fees for the administration of the toxic substances control act.

According to the Fall 2017 Unified Agenda:

“As part of EPA's ongoing efforts to implement the Frank R. Lautenberg Chemical Safety for the 21st Century Act, which amended the Toxic Substance Control Act (TSCA) with immediate effect upon its enactment on June 22, 2016, EPA is developing a proposed rule to implement TSCA section 26(b)(1). TSCA section 26(b)(1), as amended, authorizes the EPA to issue a rule to establish fees to defray a portion of the cost of administering sections 4, 5, and 6, and collecting, processing, reviewing, and providing access to and protecting from disclosure as appropriate under section 14 information on chemical substances (including contractor costs incurred by the Agency).”

Commentary


According to 15 USC 2625(b) this is a permitted rulemaking as opposed to a required rulemaking. Apparently, the Trump Administration is not totally averse to applying ‘costly regulations’ upon private enterprise.

Monday, December 25, 2017

DOT Publishes Energy Growth Report

On Friday the Department of Transportation published a notice in the Federal Register (82 FR 60693) announcing the publication of their report on “Agency Recommendations to Alleviate or Eliminate Actions That Burden Domestic Energy Production” that was required by EO 13783, Promoting Energy Independence and Economic Growth.

The report addressed the following actions:

• Licensing of Deepwater Ports for Export of Oil and Liquefied Natural Gas (pg 4);
• Cylinder Requalification Requirements (pg 5)( 2137-AF30);
• Rail Transport of LNG (pg 5);
• Design Criteria and Limitations on the Use of Plastic Pipe (pgs 5-6)( 2137-AE93);
• Small Scale LNG Siting (pg 6);
• Small LPG Applicability (pgs 6-7); and
• Class Location Requirements (pg 7)( 2137-AF29).

Only three of the seven items have current rulemaking activities reported in the Fall 2017 Unified agenda; I have included links to those listings where they exist. The report explains that the Maritime Administration plans on publishing an Export Policy Notice in the Federal Register next month on the deep-water port issue. The report notes that PHMSA may consider issuing advanced notices of proposed rulemaking (ANPRM) on the three remaining activities.


There are no specific provisions in either the notice nor the report soliciting public comments on the report. 

Sunday, December 24, 2017

HR 4629 Introduced – Chemical Transportation Security

Earlier this month, Rep. Norton (D,DC) introduced HR 4629, the Save Our Communities from Risky Trains Act of 2017. The bill would make changes to current statutes (6 USC 1151 and 1201)  and regulations (49 CFR 172.820) related to the protection of security-sensitive materials in rail transportation.

Security Sensitive Materials


The term ‘security sensitive materials’ was originally defined by congress in 2007. That definition {6 USC 1151(13)} required TSA to establish a working definition of the term with a requirement to specifically consider:

• Class 7 radioactive materials.
• Division 1.1, 1.2, or 1.3 explosives.
• Materials poisonous or toxic by inhalation, including Division 2.3 gases and Division 6.1 materials.
• A select agent or toxin regulated by the Centers for Disease Control and Prevention under part 73 of title 42, Code of Federal Regulations.

TSA complied with that mandate in 2008 in 49 CFR 172.820(a) and modified it in 2015 as part of their highly-hazardous flammable trains regulations. It did not specifically use the term ‘security sensitive material’, but required railroads to provide additional security measures to the following materials:

• More than 2,268 kg (5,000 lbs) in a single carload of a Division 1.1, 1.2 or 1.3 explosive;
• A quantity of a material poisonous by inhalation in a single bulk packaging;
• A highway route-controlled quantity of a Class 7 (radioactive) material, as defined in §173.403 of this subchapter; or
• A high-hazard flammable train (HHFT)

Without specifically amending §1151, the bill would again require TSA to establish a working definition of the term while specifically requiring TSA to consider:

• A highway route-controlled quantity of a Class 7 (radioactive) material, as defined in section 173.403 of title 49, Code of Federal Regulations, in a motor vehicle, railroad car, or freight container.
• More than 25 kilograms of a division 1.1, 1.2, or 1.3 explosive, as defined in section 173.50 of title 49, Code of Federal Regulations, in a motor vehicle, rail car, or freight container.
• More than one liter per package of a material poisonous by inhalation, as defined in section 171.8 of title 49, Code of Federal Regulations, that meets the criteria for hazard zone A, as specified section 173.116(a) or section 173.133(a) of title 49, Code of Federal Regulations.
• A shipment of a quantity of hazardous materials in a bulk packaging having a capacity equal to or greater than 13,248 liters for liquids or gases or more than 13.24 cubic meters for solids.
• A select agent or toxin regulated by the Centers for Disease Control and Prevention under part 73 of title 42, Code of Federal Regulations.
• A quantity of hazardous material that requires placarding under the provisions of subpart F of part 172 of title 49, Code of Federal Regulations.

Rail Route Analysis


Again, in 2007 Congress mandated (6 USC 1201) that TSA complete a rulemaking providing a requirement for railroads to enhance the safety and security of sensitive security materials. Those regulations were to require railroads to prepare reports on;

• Security-sensitive materials commodity data;
• The safety and security risks for the transportation routes identified in the security-sensitive materials commodity data; and
• An alternative route analysis;

Section 2(c) of the bill sets forth a similar requirement for commodity data reporting for security sensitive materials. The wording of paragraph (c) seems to be a little bit different because it includes a requirement for the commodity data to include ‘storage patterns’ but that requirement is already included in §1201 by the definition of ‘route’ in §1201(i)(1) where it specifies that the term includes “storage facilities and trackage used by railroad cars in transportation in commerce”.

Section 2(d) of the bills addresses the requirement for a safety/security risk assessment on current security sensitive material routes. There is one change that this section makes; it requires that the assessment be “submitted to the Secretary”. Neither this bill nor the existing code makes any mention of a requirement of governmental approval of the route safety/security assessment.

Section 2(e) of the bill addresses the alternative route safety/security risk assessment requirements. Again, the bill requires {§2(e)(1)} that a report on the alternative route assessment be submitted to the Secretary.

Section 2(e)(3) contains an important exemption to the alternative route assessment that is not found in the current code. It provides two specific cases where the railroad can make an a priori determination that the route is not a practical alternative for avoiding an area of concern:

• The shipment originates in or is destined for the area of concern; or
• There would be no harm beyond the property of the railroad carrier transporting the shipment or storage facility storing the shipment in the event of a successful terrorist attack on the shipment.

Safest Route


Section 1201(e) requires railroads to “to select the safest and most secure route to be used in transporting security-sensitive materials”. Section 2(f) of the bill does essentially the same thing except that it requires the use of the route within 90 days of submission of the report on alternative routes. It does not, however, use the phrase ‘safest and most secure route’. Instead the bill uses a more expansive requirement: the route that “best reduces the risk, including consequences, of a terrorist attack on, or derailment of, a shipment of security sensitive material that is transported through or near an area of concern”.

Moving Forward


Norton is a member of the House Transportation and Infrastructure Committee, the committee to which this bill was assigned for consideration. This means that it is possible that Norton could have enough influence to have this bill considered in Committee.

If this bill were passed it would require toughening of existing regulations concerning the transportation of security sensitive materials. With no history of terrorist attacks on such materials it is extremely unlikely that this bill would have the support necessary to pass in committee or reach the floor of the House in a Republican controlled Congress.

Commentary


There are two major issues with this bill; one is procedural and the other is a regulatory concern.

The procedural issue is that this bill, in practice, changes standards set for in existing US Code, but does amend that code. Thus, is would set up a situation where there would be conflicting requirements laid upon the Executive Branch. Norton (or more properly her staff) should have set this up as amendments to 6 USC §1151 and §1201. Only that would have eliminated the conflicting requirements. Norton has been a member of Congress for 26 years and there is no excuse for her authoring a bill that makes this rookie mistake.

The regulatory concern is that this bill would radically extend the sensitive security requirements of existing regulations when there has been no practical indication that those regulations have been effective at their assigned task, reducing the routing of very hazardous materials through urban areas.

Section 2(b) of this bill radically expands the definition of sensitive security materials. Three of the specific expansions are ludicrous when it comes to rail transportation; the 25-kg limit for explosives and the 1-liter limit for poisonous by inhalation hazard (PIH) material have no practical effect on rail transportation. Railroads transport commodity amounts of these materials not commercial quantities. Similarly, select agents or toxins, when shipped are not sent by rail, the quantities are too small and rail service is too time consuming for such service. When legislative requirements are this far out of line with practical issues, they are political posturing not problem solving.

While those three changes would have no practical effect on rail transportation the expansion of the sensitive security definition to effectively all hazardous materials would place an enormous administrative burden on railroads. And this would be a burden that there is no data to support a contention that the additional burden (or even the existing burden) would materially reduce the threat of terrorist attack on the rail transportation of these materials.

Part of the problem with the existing requirements is that while DOT is authorized {49 CFR 172.820(j)} to require the use of an alternative route as being safer and/or more secure, there is no practical way for DOT to analyze the supporting data in a meaningful way that would stand up to a court challenge. This bill does require the report (but not necessarily the supporting data) to be submitted to DOT instead of being made available to inspectors. That means that DOT would be inundated with reports without having the tools required to conduct the assessment in a meaningful manner.

I have long maintained that for this route analysis to be an effective risk reduction tool there has to be an automated analysis and scoring of the relative risks along each segment of the route. The current list of 27 variables that need to be addressed in the analysis ensures that the analysis is too complicated to be conducted (or reviewed) on a manual basis. The railroads have come up with an analysis tool, but I have not seen any data (perhaps because I have not looked closely enough?) that would indicate that these tools have been adequately reviewed and vetted by an independent agency. Nor has there been a legal consensus reached on the weights to be applied to each of the 27 variables.


The expansion by this bill of the definition of sensitive security materials to essentially include all hazardous material shipped by rail would radically increase the administrative burden place upon railroads with no apparent positive effect. Any regulations that would attempt to implement the expanded requirements of this bill would fail in the courts because of the inability to show any kind of reasonable cost-benefit ratio.

Saturday, December 23, 2017

DOE Sends Smart Grid Rule to OMB

On Thursday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received for review from the Department of Energy a final rule with regards to “ASHRAE 2016 Determination”.

This rulemaking was not listed in the Fall 2017 Unified Agenda, so it is difficult to be sure what this determination refers to. I suspect that it has to do with the recent adoption of the American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) standard on the Facility Smart Grid Information Model (FSGIM; ASHRAE 201-2016) by the International Standards Organization as ISO 17800. The DOE ‘determination’ would likely be about whether or not the standard will be incorporated by reference in appropriate DOE grid regulations.


NOTE: It interesting that this rulemaking was not listed in last week’s Unified Agenda update. The Trump Administration has taken the Obama Administration to task for lack of transparency for not listing planned regulatory actions on the Unified Agenda or its related lists. This reported action by DOE would certainly seem to fall into that lack of transparency category.

Friday, December 22, 2017

Bills Introduced – 12-21-17

Yesterday with the House and Senate cleaning up in preparation for their Christmas/New Year recess, there were 51 bills introduced. Of those, one may be of specific interest to readers of this blog:

S 2261 A bill to protect the administration of Federal elections against cybersecurity threats. Sen. Lankford, James [R-OK] 


I am not sure if there is anything here that will merit further discussion of this bill in this blog, but I thought that it was worth noting, in passing if nothing else. Two things worthy of mention here. First this is supported by an interesting list of bipartisan supporters. Second, the bill was referred to the Senate Rules and Administration Committee instead of one of the committees to which we normally see cybersecurity bills referred.

Thursday, December 21, 2017

ICS-CERT Publishes Two Advisories

Today the DHS ICS-CERT published control system security advisories for products from Schneider and Moxa.

Schneider Advisory 

This advisory describes three vulnerabilities in the Schneider Pelco VideoXpert Enterprise products. The vulnerabilities were reported by Gjoko Krstic. Schneider has released a firmware update that mitigates the vulnerabilities. There is no indication that Krstic has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Path traversal (2) - CVE-2017-9964, CVE-2017-9965; and
• Improper access control - CVE-2017-9966

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to gain system privileges or allow an unauthorized user to view files.

Moxa Advisory


This advisory describes a credentials management vulnerability in the Moxa NPort serial network interface. The vulnerability was reported to Federico Maggi. Moxa has produced a new firmware version that mitigates the vulnerability. There is no indication that Maggi was provided an opportunity to verify the efficacy of the fix.


ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow unauthorized access.

Wednesday, December 20, 2017

HR 4474 Introduced – Surface Transportation Security

Last month Rep. Watson-Coleman (D,NJ) introduced HR 4474, the Surface Transportation and Public Area Security Act of 2017. While the main focus of the bill is on public transportation security issues, it would have some impact on chemical transportation security issues.

Sections of the bill that may be of specific interest to readers of this blog include:

§106. Frontline employee security training.
§202. Risk scenarios.
§203. Assessments and security plans.
§301. Threat information sharing.
§302. Integrated and unified operations centers.
§304. Security technologies tied to foreign threat countries.

Security Training


Section 106 attempts to address the failure of the Transportation Security Administration (TSA) to implement surface transportation employee security training requirements established by Congress in 2007 (6 USC 1137, 1167, and 1184). TSA published a notice of proposed rulemaking in December 2016. The Fall 2017 Unified Agenda indicates that the Trump Administration currently intends to publish a final rule in September of next year, though that date slips each time the Unified Agenda is updated.

This section would require a report to Congress by the TSA on the status of the rulemaking and a subsequent review of that report by the DHS Inspector General.

Risk Scenarios


Section 202 would require TSA to annually use terrorist attack scenarios in establishing risk-based priorities supporting the modal transportation security plans currently required by 49 USC 114(s)(1)(B). Those scenarios are specifically required to include “cyber attack scenarios” {§202(b)}. A report to Congress is required on the priorities established, but details on the scenarios used is not required to be part of that report.

Security Plans


Similar to §106, §203 would require a report to Congress (with a subsequent review by the DHS IG) of the status of the rulemaking supporting the congressionally mandated (6 USC 1134, 1162, and 1181) development of security assessments and security plans by various surface transportation organizations. TSA published an advanced notice of proposed rulemaking on these requirements in December 2016 and the Trump Administration re-opened the comment period in March of this year. The current Unified Agenda lists this rulemaking under the ‘Long-Term Actions’ section with a ‘to be determined’ date for the issuance of an NPRM.

Information Sharing


Section 301 would specifically require TSA to provide personnel to support fusion centers “in jurisdictions with a high-risk surface transportation asset” {§302(a)} to improve the “timely sharing of classified information regarding terrorist and other threats”. It would also require DHS to provide assistance in obtaining security clearances for “appropriate owners and operators of surface transportation assets, and any other person that the Secretary determines appropriate to foster greater sharing of classified information relating to terrorist and other threats to surface transportation assets” {§302(c)}.

Security Technologies


Section 304 would require DHS to provide a report to Congress on the threats posed to surface transportation assets “posed by the use of security technologies, including soft4
ware and networked technologies, developed or manufactured by firms that are owned or closely linked to the governments of countries that are known to pose a cyber or homeland security threat”.

Moving Forward


Watson-Coleman is a member of the House Homeland Security Committee (as are a number of her co-sponsors), one of the two committees to which this bill was assigned for consideration. Other co-sponsors {including Rep. Lipinski, (D,IL)} are members of the House Transportation and Infrastructure Committee, the other committee to which the bill was assigned. This means that it is possible that this bill could be considered in either or both committees. There are no Republican co-sponsors, however, which would suggest that there is insufficient bipartisan support to move the bill forward in Committee.


The security training and security plan provisions of this bill are sure to draw objections from owners of the potentially affected transportation companies and their lobbying organizations. This makes it unlikely that the bill would be supported by a sufficient number of Republicans to move the bill forward in the House.

Tuesday, December 19, 2017

ICS-CERT Publishes 5 Advisories and 2 Updates

Today the DHS ICS-CERT published control system security advisories for products from WECON, Siemens, Ecava, PEPPERL+FUCHS and ABB. They also published updates for two previous published advisories for products from Siemens.

WECON Advisory


This advisory describes a heap-based buffer overflow in the WECON LeviStudio HMI. The vulnerability was reported by Michael DePlante working with the Zero Day Initiative (ZDI). WECON notes that the current version mitigates the vulnerability. There is no indication that DePlante was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to crash the device and a buffer overflow condition may allow remote code execution.

Siemens Advisory


This advisory describes a download of code without integrity check vulnerability in the Siemens LOGO! Soft Comfort engineering software product. The vulnerability was reported by Tobias Gebhardt. Siemens is providing SHA-256 checksums for all LOGO! Soft Comfort software packages via a secured HTTPS channel.

ICS-CERT reports that an uncharacterized attacker could remotely exploit the vulnerability to manipulate a software package during download. The Siemens security advisory reports that a successful exploitation would require that the attacker must be able to gain a privileged network position allowing him to capture and modify the affected system’s network communication.

Ecava Advisory


This advisory describes two SQL injection vulnerabilities in the Ecava IntegraXor. The vulnerabilities were independently reported by Steven Seeley of Source Incite, and Michael DePlante and Brad Taylor (working with ZDI). Ecava reports that a newer version mitigates the vulnerability. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to disclose sensitive information from the database or generate an error in the database log.

PEPPERL+FUCHS Advisory


This advisory describes the key reinstallation attacks (KRACK) vulnerabilities in various WLAN enabled products from PEPPERL+FUCHS. This report lists 9 of the 10 KRACK CVE’s. The vendor is still working on fixes for their Android® based products. For their Windows® based products they are recommending that users apply the security update provided by Microsoft. If users are using WPA-TKIP in their WLAN, users should switch to AES-CCMP immediately.

ABB Advisory


This advisory describes an unprotected transport of credentials vulnerability in the ABB Ellipse. ICS-CERT reports that this vulnerability was self-reported by ABB, but the ABB security advisory notes that ABB had received information about this vulnerability through responsible disclosure from an unnamed researcher. ABB has released product updates to mitigate the vulnerability.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to discover authentication credentials by sniffing the network traffic. ABB notes that local network access is required for the exploit.

NOTE: I reported on this vulnerability earlier this month.

Industrial Products Update


This update provides additional information on an advisory that was originally published on December 5th, 2017. It provides updated affected version information and mitigation information for:

• SIMATIC S7-400 H V6: All versions prior to V6.0.8,
• SIMATIC S7-1500: All versions prior to V2.0,
• SIMATIC S7-1500 Software Controller: All versions prior to V2.0,

SCALANCE Update


This update provides additional information on an advisory that was originally published on November 14th, 2017 and updated on December 5th, 2017. It provides updated affected version information and mitigation information for:

• RUGGEDCOM RX1400 with WLAN interface: All versions prior to V2.11.2
• SIMATIC RF350M: All versions with Summit Client Utility prior to V22.3.5.16
• SIMATIC RF650M: All versions with Summit Client Utility prior to V22.3.5.16.


Note: Siemens has issued a separate security advisory for the last two products listed above. That advisory only lists two of the 10 KRACK CVEs instead of the 10 listed in the original Siemens KRACK advisory. It is not clear why ICS-CERT merged these two advisories.

DOE Sends Emergency Order Rule to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a final rule for review from the Department of Energy establishing procedures for the issuance of grid security emergency orders. The Secretary of Energy derives the authority to issue such orders under 18 USC 824o-1(b).


The notice of proposed rulemaking (NPRM) was published on December 7, 2016.

Bills Introduced – 12-18-17

With both the House and Senate in session, there were 20 bills introduced. Of those, one may be of specific interest to readers of this blog:

HR 4668 To amend the Small Business Act to provide for the establishment of a enhanced cybersecurity assistance and protections for small businesses, and for other purposes. Rep. Chabot, Steve [R-OH-1]


I’ll be watching this bill for language that includes control system security as part of the allowable assistance provided.

Monday, December 18, 2017

Committee Hearings – Week of 12-17-17

This week with both the House and Senate trying to get things ‘cleaned-up’ so that they can head home for Christmas and New Years, there will only be one hearing of potential specific interest to readers of this blog; another continuing resolution.

Tomorrow the House Rules Committee will hold a hearing to formulate the rule for the consideration of HR 1370, which will be used as the vessel to move forward with a continuing resolution. It will be based on HJ Res 124 which would extend the current spending authorization until January 18th, 2018 and provide for full funding of DOD through the end of the fiscal year.

Note: I can find no specific mention of any cybersecurity provisions in HJ Res 124.


The bill will probably be considered on the floor of the House on Wednesday or Thursday and then in the Senate later the same day. No debate and no amendments in either house.

ICS-CERT Publishes Malware Report on ‘HatMan’ (TRITON or TRISIS)

Today the DHS published their malware report on HatMan the recently reported attack on a safety-instrumented-system. This is essentially the same information that was provided in the earlier FireEye and Dragos report. ICS-CERT did, however, include a link to the Schneider advisory on the malware.

The ICS-CERT report makes an interesting observation (pg 1):

“This report will discuss the malware as though it is entirely functional. We are aware that the malware may currently have bugs—due to descriptions of how it is behaving—that prevent it from effecting its desired changes. Though this report presents a “worst case scenario,” it should be considered accurate. We have no reason to suspect that the malware’s creators have not fixed its bugs, or that a functional copy does not exist somewhere that we have not yet seen.”

The report provides a copy of a Yara Rule for the detection of the three components of the HatMan malware. ICS-CERT prefaces this with the following warning:


“In addition, a YARA rule that matches the three binary components—trilog.exe, inject.bin, and imain.bin—is included as an appendix. This is not necessarily a reliable method for detection, as the files may or may not be present on any workstation, and such a rule cannot be used on a Triconex controller itself; however, it could be useful for detection with agent-based detection systems or for scanning for artifacts.”

Fall 2017 Regulatory Agenda – DHS

Last week the Trump Administration published their 2017 Fall Unified Agenda. There have been some interesting changes in regulatory planning since their original Unified Agenda was printed in July.

Active Agenda


The following items of interest were on the DHS portion of the Active Agenda:

USCG
Proposed Rule
Revision to Transportation Worker Identification Credential (TWIC) Requirements for Mariners
USCG
Final Rule
Marine Transportation--Related Facility Response Plans for Hazardous Substances
USCG
Final Rule
Tank Vessel Response Plans for Hazardous Substances
USCG
Final Rule
2013 Liquid Chemical Categorization Updates
TSA
Proposed Rule
Vetting of Certain Surface Transportation Employees
TSA
Final Rule
Protection of Sensitive Security Information
TSA
Final Rule
Security Training for Surface Transportation Employees

The items on the Active Agenda are regulatory items upon which the Administration intends to take action. Each item has a projected date by which the next regulatory step will be taken, but those dates are aspirational, and should no way be expected to be a deadline for action; some of these items have been on and off the Active Agenda for nearly 10 years.

Only one of these items was on the Active Agenda in the earlier version of the Unified Agenda; 1625-AB80. Three of the items were on the earlier Inactive Agenda; 1625-AB94, 1652-AA08, and 1652-AA55.

Two items were actually from the Inactive Items list that the Administration started publishing in July; 1625-AA12 and 1625-AA13. Both of these rulemakings began with an Advance Notice of Proposed Rulemaking in 1996. This move back to the Active Agenda does not really reflect a change in the intention of the Coast Guard to proceed with these two rule-makings. They have, instead, changed the next step in the regulatory process to “Notice of Withdrawal”. Both Agenda entries note that:

“This project supports the Coast Guard's broad roles and responsibilities of maritime safety and maritime stewardship by reducing the consequences of pollution incidents.  In light of the time elapsed since the beginning of this project and since the last comment period, further review is required.  Accordingly, the Coast Guard is withdrawing this entry.”

Long-Term Agenda


The following items were published in the Long-Term Actions agenda:

OS
Ammonium Nitrate Security Program
OS
Chemical Facility Anti-Terrorism Standards (CFATS)
OS
Homeland Security Acquisition Regulation: Safeguarding of Controlled Unclassified Sensitive Information (HSAR Case 2015-001)
OS
Updates to Protected Critical Infrastructure Information
USCG
Amendments to Chemical Testing Requirements
USCG
Maritime Security--Vessel Personnel Security Training
TSA
Surface Transportation Vulnerability Assessments and Security Plans

Items on the Long-Term Actions portion of the Unified Agenda are rulemaking activities that are on-going, but the responsible agency is not sure when the next step in the process will take place (or in many cases what that next step may be).

Two items were moved from the Active Agenda to the Long-Term Actions list since July; 1601-AA69 and 1652-AA56. Both of these rulemaking activities have a long history of moving back and forth between the two agenda listings.

Inactive Agenda


There are now five DHS rulemaking activities listed on the Inactive List:

• 1601-AA75 Chemical Facility Anti-Terrorism Standards Conforming Edits
• 1625-AA12 Marine Transportation--Related Facility Response Plans for Hazardous Substances
• 1625-AA13 Tank Vessel Response Plans for Hazardous Substances
• 1652-AA16 Transportation of Explosives from Canada to the United States Via Commercial Motor Vehicle and Railroad Carrier
• 1652-AA50 Drivers Licensed by Canada or Mexico Transporting Hazardous Materials to and Within the United States


The first item is new on this list and I have not been able to find it in any of the earlier versions of the Unified Agenda. I suspect that this rulemaking was designed to make miscellaneous changes to the Chemical Facility Anti-Terrorism Standards (CFATS) regulations required by the passage of the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 (PL 113-254). Most of the policy objectives in that law have been implemented by the Infrastructure Security Compliance Division, but there have been none of the required changes made to the language of the CFATS regulations (6 CFR 27). This is probably a non-issue since the current authorization for the program lapses on December 14th, 2018 and the program will either lapse or be reauthorized by then. The reauthorization legislation will probably make additional changes to the program.

Friday, December 15, 2017

Bills Introduced – 12-14-17

Yesterday with both the House and Senate in session, there were 33 bills introduced. Of those, one may be of specific interest to readers of this blog:

HR 4650 To amend the Homeland Security Act of 2002 to develop and make available guidance relating to domestic preparedness for and collective response to terrorism regarding active shooter and mass casualty incident response assistance, and for other purposes. Rep. Aguilar, Pete [D-CA-31]


I will only be following this bill if it includes language requiring the guidance to include specific information for facilities that store, produce or ship hazardous chemicals relating to the special chemical hazards associated with the use of firearms at such facilities.

ISCD Publishes CFATS Quarterly – 12-15-17

Today the DHS Infrastructure Security Compliance Division (ISCD) published the latest issue of the Chemical Facility Anti-Terrorism Standards (CFATS) Quarterly on the CFATS Knowledge Center. This two page newsletter provides an update on what has been going on in the CFATS program over the last quarter.

Actually, as befits a year-end issue, a goodly portion of the Quarterly provides a brief review of what has been going on in the Program over the last year. Most of the stuff included has been talked about here (and in other ISCD forums) in more detail, but there were two paragraphs that deserve special mention; a short recognition of the lessons learned during the 2017 Hurricane Season and a terse forward look at the upcoming (?) reauthorization of the CFATS program.

Other items included in this issue include:

• A very brief CFATS numbers update;
• An inspection best practices article;
• A brief (and far from comprehensive) list of CFATS program resources;
• A brief blurb on the NAS Improvised Explosives Study; and
• A list of recently published CFATS fact sheets and notices


So far, ISCD seems to be doing a good job avoiding turning this publication into a three-colored, glossy corporate report. I hope they can keep it up.

Thursday, December 14, 2017

Another ICS Attack in the Wild

It has not made the mainstream news yet, but today FireEye and Dragos are both reporting an attack on an industrial control system in an unnamed facility in Saudi Arabia. While the details being released are sketchy (paying customers are presumably getting more details), the important take-away from these two reports is that both organizations confirm that a successful attack (plant shutdown) was made on the safety-instrumented-system (SIS) at the facility.

For those readers with a good technical background, read the two reports noted above; these two organizations have a much better grasp of the technical details than I. For those with a less technical background read-on (and note: the mistakes of interpretation are mine).

Safety Instrumented Systems


For most automated manufacturing systems, if something really goes wrong with the system, then some product is messed up, maybe some workers get injured, or maybe someone gets killed; but the results are local. For some manufacturing systems, however, the consequences can be much larger and harder to control. Some chemical plants and nuclear power generation facilities come readily to mind.
For these types of automated facilities there is another (additional) type of control system that stands between normal operations and catastrophe, the Safety Instrumented System. These generally separate control systems rely on the fact that at some intermediate point between normal operations and catastrophe there is a point that, if the proper steps are taken in a timely manner, the process can be safety shut-down before catastrophe becomes inevitable and everyone has to run for the hills.

We used to rely on human operators to perform these emergency shutdowns. But, as processes became more complex and the paths to catastrophe became more numerous, it quickly became apparent that only automated control systems could be relied upon to recognize the burgeoning problem and take the appropriate timely actions necessary, each and every time. And safety instrumented systems were born.

At its most basic, a SIS consists of a computer, a limited number of sensor, and a limited number of process actuators (valves and such). The computer is programed to watch the sensor(s); if they reach certain value(s) then the actuator(s) are operated, and the process is safely terminated. The product is almost certainly bad, local equipment may be damaged, some cleanup and downtime will be required, but catastrophe will have been averted.

If the SIS fails, there is one final layer of protection that will help mitigate the resulting catastrophe. These are things like pressure relief valves, rupture disks, sprinkler systems, and spill control systems. Unfortunately, if these were truly effective responses to the catastrophic failure, then a SIS would not probably be employed. The SIS is a pain to design (each is a custom design), expensive to install and a maintenance problem. They are typically not employed if the worst-case scenario for a facility will be contained within the facility.

SIS Security


While industrial control system security has been problematic at best, SIS security is a slightly different story. Not because anyone was really concerned about hackers, but because no one wanted human error to get in the way of proper system operation. So, SIS were generally the last systems to be connected to any outside networks and most include the need for the operation of an actual, true-to-life physical key, to program the computer.

The SIS is placed in the program mode where it is programed, tested, and then placed in the stop mode with the key removed from the system. Before the hazardous process is started, the key in re-inserted, and the SIS is placed in the run mode and the key is again removed. The process is reversed when the hazardous process is over. This should be just about as good as it gets.

Unfortunately, someone again has proved that what man can secure, some other man can hack. Again, for details, read the two reports.

Take Away


DO NOT PANIC This is not the end of industrial control system safety. Who ever attacked this facility went to an awful lot of work. First to reverse engineer the SIS system involved, second to understand the process at the facility where this attack was initiated, and third to compromise the security at the facility to get the hack initiated. A lot of time, engineering and money (sounds like a nation-state to me) went into this attack and it failed. It screwed up and apparently unintentionally shutdown the process (safely) which ended up alerting the system owners to the apparent hack.


If you want to know how to protect your SIS, read either (better, both) reports, but there is really nothing new there. Isolate your SIS from the internet and other networks, secure access (physical and virtual) to the SIS equipment and follow SIS operations guidelines. And from me, train your operations personnel so that they fully understand the processes they control and listen to them when they report anomalous system behaviors.

Wednesday, December 13, 2017

Bills Introduced – 12-12-17

Yesterday with both the House and Senate in session there were 33 bills introduced. Of these, two may be of specific interest to readers of this blog:

HR 4629 To direct the Department of Transportation to issue regulations to require enhanced security measures for shipments of security sensitive material, and for other purposes. Rep. Norton, Eleanor Holmes [D-DC-At Large]

S 2220 A bill to provide for the development, construction and operation of a backup to the Global Positioning System, and for other purposes. Sen. Cruz, Ted [R-TX]

Something odd going on with HR 4629, the current security regulations for ‘security sensitive materials’ are not DOT regulations, but rather TSA (49 CFR 1580.101). Having said that, Norton is well known for her concern about the security of rail transportation of hazardous materials because there is a major rail transshipment point in Washington, DC (very close to the Capital) that handles large volumes of hazardous materials.


S 2220 will be followed here if it specifically includes a backup to the GPS timing system used by many industrial control systems. BTW: The Cosponsor for this bill is Sen. Markey (D,MA); talk about a political odd couple; firebrands from both the Right and Left.

Tuesday, December 12, 2017

ICS-CERT Updates Smiths Medical Advisory

Today the DHS ICS-CERT updated a medical control system security advisory for products from Smiths Medical. The advisory was originally published on September 7th, 2017. The update provides information on a patch that is available to mitigate the vulnerabilities as well as additional point of contact information for the company.

House Passes HR 3359 CISA Authorization

Yesterday the House passed HR 3359, the Cybersecurity and Infrastructure Security Agency Act of 2017 by a voice vote. The bill is Rep. McCaul’s (R,TX) long awaited reorganization of the DHS National Protection and Programs Division (NPPD).

Commentary


This bill is really nothing more than an exercise in bureaucratic shuffling. The existing NPPD is now called CISA; an Under Secretary will be known as the Director and a number of sections in 6 USC are being renumbered. The most important part of the bill is found in section 4 of the bill; nothing in the bill confers new authorities or reduces existing authorities existing the day before this bill is enacted.

There is one subtle change made by this bill in the new definitions section 2201. There are two cybersecurity related definitions in this new section; both taken from existing statutes. The bill uses the IT-limited definition of ‘cybersecurity risk’ from the current 6 USC 148 (moving to §2209) and the ICS-inclusive definition of ‘cybersecurity threat’ from 6 USC 1501. The definitional disconnect between these two very similar (and closely intertwined) terms could cause some interesting confusion about the authority of this ‘new’ agency to address control system security issues.

Moving Forward



The bill moves forward to the Senate where it will pass with similar bipartisan support if it reaches the floor for consideration. The big question is whether or not the bill will have the leadership support necessary to bring it to the floor for consideration. At this point, I am not sure that it does.
 
/* Use this with templates/template-twocol.html */