Tuesday, February 28, 2017

Bills Introduced – 02-27-17

Yesterday, with both the House and Senate in session, there were 48 bills introduced. Of those one may be of specific interest to readers of this blog:

HR 1224 To amend the National Institute of Standards and Technology Act to implement a framework, assessment, and audits for improving United States cybersecurity. Rep. Abraham, Ralph Lee [R-LA-5] 


This is the bill that I mentioned in yesterday’s blog post. The GPO does not yet have the official copy of this bill, but the Committee web site does have a committee draft available along with a list of proposed amendments. I haven’t had a chance to review these yet.

ICS-CERT Publishes a Siemens Advisory and Update

Today the DHS ICS-CERT published a new control system security advisory and updated another; both of those were for products from Siemens.

Siemens Advisory


This advisory describes two vulnerabilities in the Siemens RUGGEDCOM NMS monitoring products. It appears that these vulnerabilities are self-reported by Siemens. Siemens has produced a new version that mitigates the vulnerabilities.

The two vulnerabilities are:

• Cross-site request forgery - CVE-2017-2682; and
• Cross-site scripting - CVE-2017-2683

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to perform administrative operations under certain conditions.

Siemens Update


This update addresses changes to an advisory that was originally published on April 12th, 2016. The new information includes:

• Updated version information for SCALANCE X200 IRT family; and
• Provides link to a new version for SCALANCE X200 IRT family.

NOTE: These were the two (oops, not three; the other was from the 13th and already reported by ICS-CERT) advisories that I mentioned last week, the day after Siemens announced their notifications on TWITTER® on February 22nd.

Monday, February 27, 2017

DHS Publishes 3 New CFATS FAQ and Updates 13

Today the folks at the DHS Infrastructure Security Compliance Division (ISCD) published a brief note on their CFATS Knowledge Center that they had added three new frequently asked questions (FAQ). An additional search of the Knowledge Center also showed that ISCD had updated the responses to thirteen previously released FAQ.

The three new FAQ’s are:



The updated FAQ’s are:

• FAQ #706 I have multiple usernames. Can I get rid of the duplicates? Last updated - August 14, 2009;
• FAQ #707 How do I change the name of the Authorizer/Submitter/Preparer? Last updated - August 14, 2009;
• FAQ #708 I have multiple usernames. Can I get rid of the duplicates? Last updated - August 08, 2008;
• FAQ #711 What are the responsibilities of a Submitter? Last updated - August 14, 2009;
• FAQ #716 What is the Notification Code and where can I find it? Last updated - August 08, 2008;
• FAQ #718 How do I enter additional facilities? Last updated - August 08, 2008;
• FAQ #1392 How do I transfer my account or reassign my user role? Last updated - October 21, 2009; and
• FAQ #1610 Can a consultant request a user change? Last updated - November 13, 2009.

Committee Hearings - Week of 2-26-17

Both the Senate and House will be back in Washington this week. The Senate is still working on cabinet nominations and the House has at least one more regulation reversal to deal with. There are a number of hearings this week, but only two that may be of specific interest to readers of this blog; one on cybersecurity and one on the FY 2018 spending for DHS.

Cybersecurity


On Wednesday, the House Science, Space, and Technology Committee will hold a markup hearing on an as yet unintroduced bill, the “NIST Cybersecurity Framework, Assessment, and Auditing Act of 2017”. There is no draft of this bill publicly available at this time. I expect that the actual bill will be introduced today or tomorrow.

DHS Spending


On Wednesday, the Homeland Security Subcommittee of the House Appropriations Committee will hold a ‘Members’ Day’ hearing to start the hearing process that will eventually lead to the introduction of the DHS spending bill. This hearing is where individual members of the House get their chance to tell the Committee what they would like to see included in the DHS spending bill.

On the Floor



There is nothing of specific interest to readers of this blog currently scheduled on the floor of the House. There are two bills that may have a long-term effect on the regulatory process that will make it to the floor near the end of the week; HR 1009, the OIRA Insight, Reform, and Accountability Act, and HR 1004, the Regulatory Integrity Act of 2017. Both of these bills would combine to try to make the regulatory process more regular and ‘accountable’. Most of the changes will be relatively invisible to the public, but they would provide more chances for Congress to interfere in the regulatory process. Regardless of your political viewpoint, it is easy to see that the regulatory process will become more complex and unpredictable if these bills pass.

Sunday, February 26, 2017

HR 988 Introduced – Hazmat Rail Routing Study

Earlier this month Rep Ellison (D,MN) introduced HR 988, a bill that would require the Department of Transportation (DOT) to arrange with the Transportation Research Board of the National Academies to conduct a study on the “cost and impact of rerouting freight rail traffic containing hazardous material to avoid transportation of such hazardous material through urban areas” {§1(a)}.

This bill is similar to HR 1290 that Ellison introduced in the 114th Congress. No action was taken on the earlier bill.

The Study


The study required by this bill would address:

• The benefits of rerouting freight rail traffic containing hazardous material to alternate railroad routes that avoid urban areas, including benefits to the health and safety of the individuals living in such urban areas {§1(b)};
• The benefits of construction of alternative railroad routes that avoid urban areas for transportation of freight rail containing hazardous material;
• The logistical feasibility of rerouting or constructing new routes; and
• The costs of rerouting or constructing new routes.

The bill authorizes $850,000 for the study.

Moving Forward


Ellison is not a member of the House Transportation and Infrastructure Committee to which this bill was assigned for consideration. This means that it is unlikely that the bill will be considered by that committee. Since the bill does authorize spending, there is going to be some basic opposition to it, because that money would have to come from some other part of the DOT budget.

Ellison made one significant change in the drafting of HR 988. He stripped out the ‘findings’ section that was included in HR 1290. That section was a lengthy listing of facts about the hazards associated with the shipping of crude oil by rail. Since the study being required in the bill refers to hazardous materials in general, it really did not make a lot of sense to include it, except as a political statement to catch the eye of voters back home. It probably engendered more opposition to the bill in Congress than it gained him in political points in a safe congressional district.

If Ellison is serious about getting this bill passed (and its second introduction would seem to indicate some level of seriousness) then he is going to have to do more on this version of the bill than he did in the last Congress. He basically has two realistic options: convince some influential member of the Transportation Committee to cosponsor this bill and then get it considered by the committee, or introduce the bill as an amendment to either (both?) the transportation spending or authorization bills.

Commentary


With the relatively small size of the urban areas affected in this bill, only 30,000 residents, re-routing hazardous material shipments around all ‘urban areas’ would certainly not be possible in most areas of the country. Cities and towns grew up around railroad terminals as a matter of commerce. This makes looking at the construction of bypass lines around urbanized areas the only real way of avoiding potential hazmat accidents in such areas.

But, even if routing hazardous materials around urban areas were possible, it would not completely eliminate the potential hazards, as most of the places that use those hazardous materials are located in or around urban areas (given the broad definition used in this bill). This means that the hazmat railcars would still need to go into railyards (frequently located near city centers), be switched and then transit urban rail lines to their destination rail sidings. Relocating those railyards and urban rail lines would be much more expensive than constructing bypass lines around cities and towns.

Even so, a study of this sort really could be a valuable tool for taking a realistic look at the rail hazmat routing issue and see which large urban areas could realistically be bypassed. With the new administration committed to supporting infrastructure improvements this might be an especially beneficial time to have this conversation.


With PHMSA’s adoption of its rail routing rules in 2008 (49 CFR 172.820) the railroads have been collecting and analyzing route selection data for the most dangerous forms of hazardous materials (most recently including crude oil). While the railroads are not required to routinely share that data with PHMSA, this bill could require them to share the data with the Transportation Research Board as part of the study. That data would provide a wealth of detailed information that would not be otherwise reasonably accessible to the Board.

Friday, February 24, 2017

HR 1049 Introduced – DOD Cybersecurity Database

Last week Rep. Langevin (D,RI) introduced HR 1049, the Department of Defense Emergency Response Capabilities Database Enhancement Act of 2017. This is a companion bill to S 307; that is an identical bill introduced to allow for simultaneous action by both houses of Congress instead of serial consideration.


Langevin is a member of the House Armed Services Committee, the committee to which this bill was referred for consideration. This means that it is possible that he could have enough influence to have this bill considered in committee. As I mentioned with S 307, there is nothing in this bill which should engender significant opposition.

Thursday, February 23, 2017

ICS-CERT Publishes Three Advisories

Today the DHS ICS-CERT published three control system security advisories for products from Schneider Electric, Red Lion Controls and VIPA Controls.

Schneider Advisory


This advisory describes a resource exhaustion vulnerability in the Schneider Electric Modicon M340 PLC. The vulnerability was reported by Luis Francisco Martin Liras. Schneider has released a new firmware version that mitigates the vulnerability. There is no indication that Liras has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to render the device unresponsive requiring a physical reset of the PLC.

Red Lion Controls Advisory


This advisory describes a hard-coded cryptographic key vulnerability in the Red Lion Controls Sixnet-Managed Industrial Switches and the AutomationDirect STRIDE-Managed Ethernet Switch models. The vulnerability was reported by Mark Cross of RIoT Solutions. New firmware versions have been made available for both sets of devices. There is no indication that Cross has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability to effect the loss of data confidentiality, integrity, and availability.

VIPA Controls Advisory


This advisory describes a stack-based buffer overflow vulnerability in the VIPA Controls WinPLC7. The vulnerability was reported by Ariele Caltabiano (kimiya) through ZDI. VIPA Controls has developed a patch to mitigate the vulnerability. There is no indication that kimiya has been provided the opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to crash the device; a buffer overflow condition may allow remote code execution.


NOTE: Yesterday Siemens announced on TWITTER® the publication of two security notification updates (here and here) and the publication of a new security notification (here). I had almost expected ICS-CERT to publish their updates and advisory today; maybe tomorrow.

Wednesday, February 22, 2017

HR 1030 Introduced – Cyberattack Measurement

Last week Rep. Wilson (R,SC) introduced HR 1030, the Cyber Attack Standards of Measurement Study. The bill would require the Director of National Intelligence (DNI) to conduct a study on measuring and quantifying damage from cyber incidents.

This bill is virtually identical to HR 2708 that was introduced by Wilson in the 114th Congress. That bill was incorporated in the final version of Consolidated Appropriations Act, 2016 as §313 of Division N, the Cybersecurity Act of 2015 {PL 114-113 (129 STAT. 2920)}.

Commentary


In my post on HR 2708 I noted that Wilson was not a member of the House Intelligence Committee so that there was little chance of that bill being considered in Committee. It was never taken up by the Committee, but it did apparently attract the attention of someone in the Republican leadership (or, more likely, their staff) so that it was added to the Cybersecurity Act.

What is so odd here is that Wilson was apparently not aware that the language from HR 2708 was added to the Cybersecurity Act and felt that it was necessary to re-introduce this bill. Part of this is due to the way that the Cybersecurity Act was put together at the last minute with little communication with the members of Congress, and that is part of the reason for the attempt to repeal that portion of the spending bill.


Since it has been well over a year now since the spending bill was passed, the introduction of this bill calls into question how well Wilson and his staff are working with their fellow Republicans. It is really sad that the wording of his original bill was included in a larger bill (not an unusual occurrence) and no one thought that he was influential enough to notify.

ICS-CERT Updates XZERES Advisory

Yesterday the DHS ICS-CERT updated a control system security advisory for products from XZERES. The original advisory was published on December 8th, 2015 and then updated on December 10th, 2015. The new update describes new mitigation measures for the cross-site scripting vulnerability and adds the name of a new researcher, Tim Thurlings, to the advisory.

The new mitigation measures include:

• A new ‘Secure Gateway’ module to install between the internet and the Controller board;
• New notebooks for remote access that include a Secure Remote Connection system; and
• A work around that includes shutting down the port forwarding feature.

HR 940 Introduced – Securing Communications

Earlier this month Rep. Jackson-Lee (D,TX) introduced HR 940, the Securing Communications of Utilities from Terrorist Threats (SCOUTS) Act. The bill addresses the relationships between DHS and critical infrastructure in planning for, and responding to, terrorist attacks.

Policy


Section 2 of the bill sets some pretty broad policy guidelines for DHS. First it allows DHS to work with “critical infrastructure owners and operators and State, local, tribal, and territorial entities” {§2(a)} to determine how DHS “can best serve the sector-specific cybersecurity needs to manage risk and strengthen the security and resilience of the Nation’s critical infrastructure against terrorist attacks”.

In fulfilling this policy DHS is specifically directed to “seek to reduce vulnerabilities, minimize consequences, identify and disrupt terrorism threats, and hasten response and recovery efforts related to impacted critical infrastructures” {§2(b)}. Additionally, the Secretary is allowed to “investigate the best means for engaging sector-specific agencies in participation in a voluntary cybersecurity information sharing, emergency support, and emerging threat awareness program” {§2(c)}.

Strategic Imperatives


Section 3 of the bill requires DHS to “implement an integration and analysis function for critical infrastructure that includes operational and strategic analysis on terrorism incidents, threats, and emerging risks” {§3(b)}. That ‘function’ will include data sharing with Fusion Centers to accomplish the following:

• Determine the appropriate role that Fusion Centers may fill in reporting data related to cybersecurity threat or incident information regarding individuals or service providers with access to or ongoing business relationships with critical infrastructure.
• Determine whether or how the National Protection and Programs Directorate and the National Cybersecurity and Communications Integration Center may work with Fusion Centers to report possible cybersecurity incidents.
• Determine a means for Fusion Centers to report availability of critical infrastructure to support local, State, Federal, tribal, and territorial law enforcement and the provision of basic public services after disruption events such as electric power brownouts and blackouts, accidents that disrupt service, and vandalism to or near facilities.
• Categorize and prioritize cybersecurity intake risk information based on relevance to critical infrastructure owners or operators in the area served by the Fusion Center.
• Establish an emerging threat hotline and secure online sector-specific cybersecurity incident reporting portal by which information may be disseminated through Fusion Centers.
• Develop, keep up to date, and make available a Federal agency directory of designated offices or individuals tasked with responding to, mitigating, or assisting in recovery from cybersecurity incidents involving critical infrastructure and make the directory available on a voluntary basis to critical infrastructure owners and operators.
• Establish a voluntary incident access portal with the ability to allow users to determine the means, methods, and level of incident reporting that is sector-specific and relevant to the recipient as defined and controlled by the recipient.
• Gather voluntary feedback from critical infrastructure owners and operators on the value, relevance, and timeliness of the information received, which shall include how they believe information and the means used to disseminate that information might be improved.
• Report to Congress every 2 years on the voluntary participation of critical infrastructure owners and operators in the programs established under this title.
• Implement a capability to collate, assess, and integrate vulnerability and consequence information with threat streams and hazard information
• Support the Department of Homeland Security’s ability to maintain and share, as a common Federal service, a near real-time situational awareness capability for critical infrastructure.

In evaluating vulnerability and consequence information the bill specifies the following cybersecurity related considerations {§3(b)(10)}:

• Evaluate the impact of cybersecurity and cyberphysical impacts of critical physical assets;
• Determine, through the voluntary cooperation of critical infrastructure owners and operators, the staffing and professional need for cybersecurity critical infrastructure protection with Fusion Centers;
• Determine, through coordination with the sector-specific agencies, the agency staffing needed to support cybersecurity critical infrastructure protection and report the findings to Congress;
• Anticipate interdependencies and cascading impacts related to cyber telecommunications failures;
• Recommend security and resilience measures for critical infrastructure prior to, during, and after a terrorism event or incident;
• Evaluate interdependencies and cascading impacts related to electric grid failures; and
• Make recommendations on preventing the collapse or serious degrading of the telecommunication capability in an area impacted by a terrorism event.

Moving Forward


Jackson-Lee is an influential member of the House Homeland Security Committee, the committee to which this bill was assigned for consideration. She certainly has the political influence to see this bill considered in committee.

Since the bill requires no new regulations or spending, there is little to attract the ire of the Republican leadership. It is very likely that if this bill is considered it would attract bipartisan support. I suspect that if it made it to the floor of the House for consideration, it would be considered under the House suspension of the rules process. This means there would be limited debate, no floor amendments and it would require a super-majority for passage.

Commentary


The title of this bill is more misleading than most. The bill has only very limited influence on ‘securing communications of utilities’. It is a much more generalized counter-terrorism support of critical infrastructure bill that would probably have minimal impact on operations of DHS, fusion centers or critical infrastructure.

The term ‘cybersecurity’ is thrown into various places in the bill in a haphazard manner. We see it combined frequently with ‘critical infrastructure’ in a way that makes it unclear whether the bill is calling out a new, undefined, type of critical infrastructure or whether it is referring to cybersecurity for each of the current critical infrastructure categories.

The closest the bill comes to defining its use of cybersecurity is the definition of the term ‘security’. That is defined as “reducing the risk to critical infrastructure by physical means or defense cyber measures to intrusions, attacks, or the effects of terrorist intrusions or attacks” {§4(4)}. This is about as useless a definition as I have seen in proposed legislation.


I suspect that this bill will make it to the President’s desk as a feel-good measure for congress critters to be able to claim that they have done something about counterterrorism and cybersecurity. At least it will not cost anything; except perhaps the preemption of attempts at actually doing something.

Monday, February 20, 2017

HR 923 Introduced – Repeal of Cybersecurity Act

Earlier this month Rep. Amash (R,MI) introduced HR 923 which would repeal the Cybersecurity Act (Division N, PL 114-113). Amash and his bipartisan cosponsors are concerned about the way the Cybersecurity Act was slipped into the 2016 Consolidated Appropriations Act at the last minute.

Amash introduced a similar bill (HR 4350) last year in the 114th Congress. That bill was also assigned to eight committees for consideration. No action was taken in four of those committees and the remaining four only further assigned it to subcommittees for consideration. No hearings were held and no further action was taken.


Since the Cybersecurity Act was only added to the appropriations bill with the full consent of the House Republican leadership, I do not expect that there will be any action taken on this bill.

Sunday, February 19, 2017

HR 905 Introduced – Computer Code Copyright Transfer

Earlier this month Rep. Farenthold (R,TX) introduced HR 905, the You Own Devices Act. This bill addresses some of the copyright issues related to software used to operate equipment.

Software Copyright Issues


The bill amends 17 USC 109, “Limitations on exclusive rights: Effect of transfer of particular copy or phonorecord”. It adds a new paragraph (f) to the section. That paragraph addresses the transfer of certain computer programs.

The first provision codifies the legal transfer of the software that “enables any part of a machine or other product to operate” {§109(f)(1)} when that machine or product is legally sold or otherwise transferred.

The second provision addresses software updates. It specifies that the right to receive any software changes related “in whole or in part to security or error correction” {§109(f)(2)} is transferred along with any transfer of the equipment that the software operates.

The third provision prohibits the retention of a copy of the software when a party transfers the equipment and/or software to another party.

Moving Forward


Farenthold is a member of the House Judiciary Committee (the committee to which this bill was assigned for consideration) so there is a decent possibility that this bill could be considered in committee. There may be some opposition to the update provisions of this bill from some software vendors, so it is unclear at this point if there would be enough support in the House for the bill to allow it to be considered under suspension of the rules. It is unlikely that this bill would make it to the floor of the House under a rule.

If the bill were considered in the House, I suspect that it would pass.

Commentary


I think that this bill could end up being important for security researchers. The first provision, which makes the legal purchase of software-operated equipment automatically include the legal transfer of the copy of the operating software, precludes a vendor from threatening to prosecute researchers for illegally accessing the software.

The second provision means that when a researcher finds a vulnerability in a piece of control system software and the vendor issues an update or patch, the researcher is entitled to obtain a copy of that patch or update as long as he owns a piece of equipment that uses that software to operate. This would make it easier for the researcher to determine the efficacy of the fix.


One software related copyright issue that is not addressed in this bill is the legal right to modify software used to operate a piece of equipment.

Saturday, February 18, 2017

Reader Comment – Moxa NPort Advisory

Today Reid Wightman posted a comment to a December blogpost that mentioned a control system security advisory published by ICS-CERT for Moxa NPort products. Reid was identified as one of the researchers that identified one or more of the vulnerabilities covered in that advisory. Reid comments that the reported fix for CVE-2016-9361 does not work. Please read his comment for more details.

Alert readers might remember that Digital Bond (with whom Reid was associated at the time) publicly disclosed the vulnerability in April of last year, resulting in an ICS-CERT control system security alert. Given the total elapsed time between the initial notification by Digital Bond and the published “fix”, it is especially disconcerting that Reid has to report that the fix does not work.

Assuming that there was no deliberate malfeasance involved on the part of Moxa, I can only conclude that Moxa did not really understand the cause of the vulnerability discovered by Reid. This is one of the reasons that it is important to have someone not employed by the vendor verify the efficacy of the fix. I think it would be best if the discovering researcher were the one to do the verification testing. That way there can be no doubt about how well the fix mitigates the discovered vulnerability.


Reid does not mention in his comment whether or not he had coordinated the report of the failure of the vendor’s fix with ICS-CERT. In some ways, I am hoping that he did not. If he had, it would seem to indicate that ICS-CERT (or perhaps Moxa) did not accept Reid’s judgement about the efficacy of the fix. Given the seriousness of the vulnerability (CVSS v3 base score of 9.8) I would have hoped that ICS-CERT would have tried to corroborate Reid’s report.

S 307 Introduced – DOD Cyber Capability Database

Earlier this month Sen. Ernst (R,IA) introduced S 307, the Department of Defense Emergency Response Capabilities Database Enhancement Act of 2017. The bill would require DOD to specifically include cybersecurity capabilities in an existing DOD emergency response capabilities database.

Database Expansion


The bill would amend §1406 of the John Warner National Defense Authorization Act for Fiscal Year 2007 {PL 109-364 §1406 (120 STAT. 2436)}, which required DOD to establish a database that recorded the “emergency response capabilities that each State’s National Guard, as reported by the States, may be able to provide in response to a domestic natural or manmade disaster, both to their home States and under State-to-State mutual assistance agreements” {§1406(1)}.

The bill would add two specific cybersecurity related requirements to that database {§2(b)(2)}:

• Cyber capabilities of the National Guard that are identified by the Department as important to national security and for response to domestic natural or manmade disasters.
• Cyber capabilities of the other reserve components of the Armed Forces that are identified by the Department as important to national security.

Moving Forward


Ernst is a member of the Senate Armed Services Committee (the committee to which the bill was assigned for consideration) and two of her co-sponsors {Sen. Gillibrand (D,NY) and Sen. Fischer (R,NE)} are members of the Cybersecurity Subcommittee of that Committee. This means that there is a good chance that there will be sufficient political influence to have that Committee take up this bill.

There is nothing in this bill that would cause any substantial opposition to its consideration. If this bill were taken up on its own, it would likely be considered under the Senate’s unanimous consent procedure. This bill is also a good candidate for inclusion in the 2018 DOD authorization bill, either in the initial draft or as a floor amendment.

Commentary


There is nothing in the bill that would specifically require the inclusion of industrial control system security experience/expertise in the database listing. It is likely that DOD would take that step on their own initiative.


What is not clear with respect to either the original database requirement, or this modification, is to what use DOD is expected to put this database; whether it is only for internal DOD use or whether other government organizations (FEMA for example) would have access to the database. This bill would be a good place to clarify which agencies are expected to have access to the database.

Friday, February 17, 2017

Bills Introduced – 02-16-17

Yesterday, with the House and Senate getting ready to depart for their Presidents’ Day recess next week, there were 154 bills introduced. Many of these bills were introduced to provide fundraising talking points next week, but one of the bills may be of specific interest to readers of this blog:

S 412 A bill to amend the Homeland Security Act of 2002 to require State and local coordination on cybersecurity with the national cybersecurity and communications integration center, and for other purposes. Sen. Peters, Gary C. [D-MI]


It will be interesting to see how this bill avoids the ‘unfunded federal mandate’ label. I’ll only be covering this bill if it specifically includes control system security issues.

ICS Hacker Convicted

Yesterday the US Attorney’s Office for the Middle District of Louisiana announced that an individual had been sentenced to serve 34 months and pay $1.1 million as a result of his conviction for “hacking into the computer system of an industrial facility to disrupt and damage its operations”. This appears to be the first conviction for an attack on an industrial control system in the United States.

The Attack


There is very limited information available on the attack. What is publicly available is that a fired IT worker at the Georgia Pacific Port Hudson Mill (Port Hudson, LA, just north of Baton Rouge) accessed “the control and quality control systems for making paper towels” according to one news report. The attack was conducted via a virtual private network (VPN) connection to the plant computer network.

A plant spokesman was quoted as saying: “Things that were automatic were completely shut down.”

Another news report notes that there were multiple attacks on the facility computers between February 14th and 27th in 2014.

On the face of it, this does not appear to have been a sophisticated attack involving unknown or ineffectually mitigated control system vulnerabilities. Rather it looks like a fairly standard case of a system-knowledgeable person who did not have his system access adequately revoked when he was terminated.
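The failure described above, an account that stayed usable after its owner was terminated, is something a defender can check for directly by joining the HR offboarding list against VPN authentication logs. The following is an added example, not code from the original post or from any party in the case; the log format, hostnames, usernames, dates and addresses are constructed for illustration, and the functions `parse_log`, `post_termination_logins`, `post_termination_attempts` and `summarize` are hypothetical names chosen here.

```python
"""Flag VPN authentications by accounts that HR lists as terminated.

Detection logic for the access-revocation failure discussed above: join the
offboarding list against VPN authentication logs and report any successful
login dated on or after the account owner's termination.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed HR offboarding list (username -> termination date). Hypothetical.
TERMINATED: Dict[str, datetime] = {
    "jdoe": datetime(2014, 2, 10),
    "asmith": datetime(2014, 1, 20),
}

# Constructed VPN authentication log in a syslog-like format. Hosts, usernames
# and RFC 5737 documentation addresses are invented; this is not a real capture.
VPN_LOG = """\
2014-02-12 08:01:15 vpn01 auth: user=bwhite result=SUCCESS src=198.51.100.7
2014-02-14 22:47:03 vpn01 auth: user=jdoe result=SUCCESS src=203.0.113.45
2014-02-14 22:49:10 vpn01 auth: user=jdoe result=SUCCESS src=203.0.113.45
2014-02-15 09:12:40 vpn01 auth: user=asmith result=FAILURE src=203.0.113.9
2014-02-20 03:30:22 vpn01 auth: user=jdoe result=SUCCESS src=203.0.113.45
this line is malformed and must be skipped rather than crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) auth: "
    r"user=(?P<user>\S+) result=(?P<result>SUCCESS|FAILURE) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class VpnEvent:
    ts: datetime
    host: str
    user: str
    result: str
    src: str


def parse_line(line: str) -> Optional[VpnEvent]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return VpnEvent(
        ts=datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        host=m.group("host"),
        user=m.group("user"),
        result=m.group("result"),
        src=m.group("src"),
    )


def parse_log(text: str) -> List[VpnEvent]:
    """Parse all well-formed lines, skipping malformed ones instead of failing."""
    events: List[VpnEvent] = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            events.append(ev)
    return events


def post_termination_attempts(events: List[VpnEvent],
                              terminated: Dict[str, datetime]) -> List[VpnEvent]:
    """Any authentication attempt (success or failure) by a terminated account
    dated on or after termination. A failure still means the credential is
    being tried and the account may not have been disabled."""
    return [ev for ev in events
            if ev.user in terminated and ev.ts >= terminated[ev.user]]


def post_termination_logins(events: List[VpnEvent],
                            terminated: Dict[str, datetime]) -> List[VpnEvent]:
    """Only the successful logins: the confirmed revocation failures."""
    return [ev for ev in post_termination_attempts(events, terminated)
            if ev.result == "SUCCESS"]


def summarize(events: List[VpnEvent],
              terminated: Dict[str, datetime]) -> Dict[str, int]:
    """Number of successful post-termination logins per account (zero counts omitted)."""
    counts: Dict[str, int] = {}
    for ev in post_termination_logins(events, terminated):
        counts[ev.user] = counts.get(ev.user, 0) + 1
    return counts


if __name__ == "__main__":
    evs = parse_log(VPN_LOG)
    for ev in post_termination_logins(evs, TERMINATED):
        print(f"ALERT {ev.ts} {ev.user} logged in via {ev.host} from {ev.src}; "
              f"terminated {TERMINATED[ev.user].date()}")
```

Run against the constructed data, the script raises three alerts, all for the account terminated on February 10 and still logging in on the 14th and 20th. The failed attempt by the second terminated account is not an alert but is returned by `post_termination_attempts`, which is the list worth reviewing to confirm that offboarding actually disabled the account rather than just changed its password. In practice the offboarding list would come from the HR system and the log from the VPN concentrator; the join is the same.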

The Law


The individual was convicted for violations of 18 USC 1030(a)(5)(A). Section 1030 is known as the “Fraud and related activity in connection with computers” section of the US Code and was designed to deal with financial crimes dealing with computers. The specific sub-paragraph charged explains the offense as whoever “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer”.

The key definition here is that of a ‘protected computer’. The first part of that definition applies specifically to computers at financial institutions or the US government, which obviously does not apply in this case. Instead, the second part of the definition (which I’ll call the ‘interstate commerce clause’) applies; it states:

A computer “which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States” {§1030(e)(2)(B)}.

Since Georgia Pacific is a multi-national company that certainly sells materials from this facility across state lines, it is easy to see how the US Attorney could argue that this attack had a significant effect on interstate or foreign commerce if the damage caused by the attack interfered with timely product shipments.

In establishing the ability for the court to punish a violation of §1030(a)(5)(A), the prosecution would have to prove that the attack resulted in one of six specific types of harm outlined in §1030(b)(4)(A)(i). Only four of those are of potential interest in this case:

• Loss to 1 or more persons during any 1-year period aggregating at least $5,000 in value;
• Physical injury to any person;
• A threat to public health or safety;
• Damage affecting 10 or more protected computers during any 1-year period.

Given the $1.1 million restitution ordered by the court, I would assume that the US Attorney used the first harm category.

Commentary


There is nothing in the readily available information on this case that explains how the damage of $1.1 million occurred. Having worked for years in a company that sold into the paper industry, I have learned a little about the paper making process. As each large paper roll is made, any interruption of the machinery making that roll significantly damages that roll and requires a restart of a fresh roll of paper. If stoppages occurred on multiple occasions that week, I suspect that an accounting of damaged rolls and lost production could total $1.1 million without having to include any physical damage to the equipment at the facility.

These attacks happened in 2014 and the Federal Grand Jury indicted the individual in 2015. There is no indication that the DHS ICS-CERT was involved in the investigation of the incident (and given the rapidity with which the FBI responded to the issue, it does not appear that it would have been necessary).

It would have been nice, however, if ICS-CERT had been brought into the case early on, not so much to help in the arrest and prosecution of the perpetrator, but so that ICS-CERT could publicize the attack to the ICS community. This could have been used to reinforce the need for some basic security procedures (revocation of access) and to point out (again) the vulnerability of ICS to easy attacks by anyone with control system network access.

It is not too late, however, for ICS-CERT to prepare a public report on this attack. While there was no trial for this case (the perpetrator pleaded guilty), there was a grand jury indictment in which the process of the attack had to be presented in some detail. That should provide enough detail for ICS-CERT to prepare a relatively detailed report on the attacks.

This case also raises some interesting legal questions (DISCLAIMER: I AM NOT A LAWYER) about the adequacy of §1030 for the prosecution of attacks on industrial control systems. There have been a couple of attempts to amend §1030 (for example S 2931 in the 114th Congress) to specifically address industrial control system attacks, but none of them have proceeded past the introduction phase.

The big problem is that §1030 is a fraud related section of the US Code and attacks against control systems (other than perhaps ransomware attacks) are not really related to fraud. The problem is further aggravated by the fact that the definition of computer used in that section is really designed to identify IT or communications systems, not industrial control systems. Since this case never came to trial, the use of this section to prosecute ICS related attacks has not really been legally tested.

I am sure that the US Attorney was prepared to argue that the definition could be interpreted (very broadly) to have included control system computers. A defense lawyer, on the other hand, could argue that the failed congressional attempts to specifically include ICS computers in the definition reflect a congressional intent not to allow that inclusion.

Unfortunately, it is impossible to determine in advance how a specific court would deal with such arguments. Appellate court acceptance of any outcome of that decision would be even harder to predict. The fact that this individual’s legal team did not (apparently) recommend fighting the prosecution on these grounds might simply reflect the legal cost of such a fight rather than a conclusion reached on the merits of using §1030 to prosecute an ICS attack.

That fight is almost certain to occur on some future case.


NOTE: Thanks to Chris Sistrunk for sharing the press release on this case on the ICS-ISAC Open Community on Facebook.

Thursday, February 16, 2017

ICS-CERT Published Rockwell Update

Today the DHS ICS-CERT published an update to their control system security advisory for products from Rockwell Automation that was originally published on September 15th, 2016. The update provides information on:

• A new software version to replace the original patch mitigation;
• More detailed information on the affected versions; and
• Notification that the previous patch is only to be used on version 8.40.00.


Wednesday, February 15, 2017

Bills Introduced – 02-14-17

Yesterday, with both the House and Senate in session, fifty bills were introduced in Congress. Of those two may be of specific interest to readers of this blog:

HR 1030 To direct the Director of National Intelligence to conduct a study on cyber attack standards of measurement. Rep. Wilson, Joe [R-SC-2]

HR 1049 To enhance the database of emergency response capabilities of the Department of Defense. Rep. Langevin, James R. [D-RI-2]

HR 1030 is almost certainly a repeat of HR 2708 that was introduced in the 114th Congress and died in committee. This will probably suffer the same fate.


HR 1049 is probably going to be a companion bill to S 307 that was introduced earlier this month in the Senate; the official text is still not available on S 307, but there is a draft available. Interesting post here on S 307.

Tuesday, February 14, 2017

ICS-CERT Publishes 3 Advisories and 3 Updates

Today the DHS ICS-CERT published three control system security advisories for products from Siemens, Geutebrück and Advantech. They also updated three control system security advisories for products from Siemens and Rockwell.

Siemens Advisory


This advisory describes an authentication bypass vulnerability in the Siemens SIMATIC Logon application. This vulnerability is being self-reported by Siemens. Siemens has produced an updated version of the application to mitigate the vulnerability.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability to circumvent user authentication under certain conditions.

Geutebrück Advisory


This advisory describes two vulnerabilities in the Geutebrück G-Cam IP camera. The vulnerabilities were reported by Davy Douhine of RandoriSec, Florent Montel and Frédéric Cikala. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Authentication bypass using an alternative path or channel - CVE-2017-5174;
• Improper neutralization of special elements used in an OS command - CVE-2017-5173

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to bypass authentication and obtain remote anonymous access to the device; these vulnerabilities may allow remote code execution.

Advantech Advisory


This advisory describes a DLL hijacking vulnerability in the Advantech WebAccess application. The vulnerability was reported by Li MingZheng Kuangn. Advantech has produced a new version to mitigate the vulnerability. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could exploit the vulnerability to execute arbitrary code within the system. ICS-CERT does not mention what type of access is required or comment on the need for a social engineering attack.

Siemens APOGEE Update


This update provides additional information about an advisory originally published on March 22nd, 2016. The update includes:

• A correction of the name of one of the reporting institutions;
• Additional information about the affected versions; and
• Reports a new version that mitigates the vulnerability.

Siemens Industrial Products Update


This update provides additional information about an advisory originally published on November 8th, 2016 and then updated on November 22nd, 2016 and updated again on December 22nd. The update includes:

• Updated ‘version affected’ information on SIMATIC IT Production Suite;
• Provided mitigation information for SIMATIC IT Production Suite; and
• Removed SIMATIC IT Production Suite from the temporary fix list.

Rockwell Update


This update provides additional information about an advisory originally published on January 5th, 2017. The update includes:

• Adds PowerFlex 700S drives to the list of affected devices;
• Adds DriveLogix 5730 controller option explanation; and
• Explains that the PowerFlex 700S is not covered by the new firmware version mitigation.

Monday, February 13, 2017

Committee Hearings – Week of 02-12-17

Both the House and Senate will be in session this week. The House continues to focus on repealing Obama Administration regulations and the Senate focuses on Cabinet nominations. There will be two cybersecurity related hearings that may be of interest to readers of this blog.

Self-Driving Cars


On Tuesday the Digital Commerce and Consumer Protection Subcommittee of the House Energy and Commerce Committee will hold a hearing to look at “Self-Driving Cars: Road to Deployment”. The witness list includes:

• Mike Abelson, General Motors;
• Nidhi Kalra, RAND Center for Decision Making Under Uncertainty;
• Anders Karrberg, Volvo Car Group;
• Joseph Okpaku, Lyft; and
• Gill Pratt, Toyota Research Institute

None of the current witness statements mention cybersecurity concerns with self-driving vehicles. Perhaps we will see some discussion during the questioning phase of the hearing. You probably should not hold your breath.

US Cybersecurity Capabilities


On Tuesday the Research and Technology Subcommittee of the House Science, Space, and Technology Committee will hold a hearing on “Strengthening US Cybersecurity Capabilities”. The witness list includes:

• Charles H. Romine, National Institute of Standards and Technology (NIST);
• Iain Mulholland, VMware, Inc;
• Diana Burley, The George Washington University; and
• Gregory Wilshusen, Government Accountability Office (GAO)


Witness testimony documents are not yet available, so it is too early to tell if industrial control system security will be mentioned, but with no witnesses specifically representing ICS organizations it is probably not happening. The document to watch will be the new GAO report.


Sunday, February 12, 2017

S 278 Introduced – Cybersecurity Research

Earlier this month Sen. Daines (R,MT) introduced S 278, the Support for Rapid Innovation Act of 2017. The bill would require the DHS Science and Technology Directorate to support the research, development, testing, evaluation, and transition of cybersecurity technologies.

Cybersecurity Research


The bill would add a new §312, Cybersecurity Research and Development, to Title III of the Homeland Security Act of 2002 (6 USC 181 et seq). The new section outlines a number of areas of cybersecurity research, including {§321(b)}:

• Advancing the development and accelerating the deployment of more secure information systems;
• Improving and creating technologies for detecting and preventing attacks or intrusions;
• Improving and creating mitigation and recovery methodologies;
• Assisting the development and supporting infrastructure and tools to support cybersecurity research and development efforts;
• Assisting the development and support of technologies to reduce vulnerabilities in industrial control systems [emphasis added];
• Assisting the development and support cyber forensics and attack attribution capabilities;
• Assisting the development and accelerating the deployment of full information lifecycle security technologies to enhance protection, control, and privacy of information to detect and prevent cybersecurity risks and incidents;
• Assisting the development and accelerating the deployment of information security measures, in addition to perimeter-based protections;
• Assisting the development and accelerating the deployment of technologies to detect improper information access by authorized users;
• Assisting the development and accelerating the deployment of cryptographic technologies to protect information at rest, in transit, and in use;
• Assisting the development and accelerating the deployment of methods to promote greater software assurance;
• Assisting the development and accelerating the deployment of tools to securely and automatically update software and firmware; and
• Assisting in identifying and addressing unidentified or future cybersecurity threats.

The bill also specifies that no additional funding is provided to support these research efforts. It closes by noting that {§2(c)}: “Such requirements shall be carried out using amounts otherwise authorized.”

Moving Forward


Daines is a member of the Senate Homeland Security and Governmental Affairs Committee, the committee to which this bill was assigned for consideration. This means that there is at least the potential that the Committee will consider this bill. If the bill were considered, it is likely that it would be approved since there are no new regulations or spending authorized by the bill. Similarly, if the bill were to make it to the floor of the Senate, it would likely pass. It is too early to tell if there is the necessary political will to advance this bill.

Back on January 10th the House passed HR 240 by a voice vote with limited debate. HR 240 is a companion bill to S 278 according to the introductory speech (pgs S 657-8) by Daines. There was no committee action on HR 240 in the House Homeland Security Committee.

Commentary


It is a good thing that industrial control systems are specifically mentioned in the bill since the bill relies on the IT-limited definition of ‘information system’ both in the bill {new §312(e)(4)} and as a part of the support for the definition of the term ‘incident’ {new §312(e)(4)}. That information system definition is found in 44 USC 35002(8).


Given the funding limitation in this bill and the long list of cybersecurity research activities to be supported, it is extremely unlikely that the bill will result in any new significant cybersecurity research support. But passing the bill would make it look like Congress is doing something; appearances are everything.

Saturday, February 11, 2017

Trump EO and New Regulations

I read an interesting blog post by Michael Kennedy about President Trump’s executive order entitled “Reducing Regulation and Controlling Regulatory Costs” (EO 13771). Anyone trying to predict the regulatory burden of the new Trump administration should read Michael’s post. The new powers given to the OMB Director (and presumably through the Office of Information and Regulatory Affairs – OIRA) just mean that the White House will retain tighter control over the regulatory actions of the Executive Branch.

There is an additional caveat restricting the application of this EO. In multiple places we see phrases like “unless otherwise required by law”. The EO explicitly acknowledges that regulations required by statute must be implemented by the Executive Branch. This includes, for instance, the current DOT rulemaking on security training for surface transportation organizations.

Before anyone gets too excited about the prospects of reduced Federal regulations we need to wait and see what the Spring 2017 Unified Agenda looks like. That will provide the first formal look at what the Administration really intends to do in the regulatory arena. But even that will not be the final story.


One thing is already clear; Donald Trump is a man who expects to get his way. I suspect that we will see him continue the Obama legacy of legislating via executive order. And implementation of those orders will require regulations. And those regulations will be much harder to predict.

Friday, February 10, 2017

Bills Introduced – 02-09-17

With just the Senate in session (and actually in continuous session since Monday) and the House ‘meeting’ in pro forma session yesterday, there were 25 bills introduced. Of those one may be of specific interest to readers of this blog:

HR 988 To provide for a study by the Transportation Research Board of the National Academies on the impact of diverting certain freight rail traffic to avoid urban areas, and for other purposes. Rep. Ellison, Keith [D-MN-5]


It will be interesting to see if this bill is targeted against crude oil trains, toxic inhalation hazard chemicals or hazardous chemicals of any sort. Environmental and safety advocates have pushed for all three types of chemicals to be routed around urban areas. A comprehensive independent study of the issue would certainly be beneficial.

Thursday, February 9, 2017

ICS-CERT Publishes Hanwha Techwin Advisory

Today the DHS ICS-CERT published an industrial control system advisory for products from Hanwha Techwin. The advisory describes two vulnerabilities in the Hanwha Techwin Smart Security Manager. The vulnerabilities were reported by Steven Seeley of Source Incite. Hanwha Techwin has produced a patch to mitigate the vulnerabilities. There is no indication that Seeley has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Path traversal - CVE-2017-5168; and
• Cross-site request forgery - CVE-2017-5169


ICS-CERT only notes that the vulnerabilities are remotely exploitable and reports that a successful exploit could allow an attacker to create an arbitrary file on the server with attacker controlled data as well as gain root shell access.

Wednesday, February 8, 2017

Bills Introduced – 02-07-17

With both the House and Senate in session there were 133 bills introduced yesterday. Of those six may be of specific interest to readers of this blog:

HR 905 To amend title 17, United States Code, to provide that the first sale doctrine applies to any computer program that enables a machine or other product to operate, and for other purposes. Rep. Farenthold, Blake [R-TX-27]

HR 923 To repeal the Cybersecurity Act of 2015. Rep. Amash, Justin [R-MI-3]

HR 935 To codify an office within the Department of Homeland Security with the mission of strengthening the capacity of the agency to attract and retain highly trained computer and information security professionals, and for other purposes. Rep. Jackson Lee, Sheila [D-TX-18]

HR 940 To secure communications of utilities from terrorist threats, and for other purposes. Rep. Jackson Lee, Sheila [D-TX-18]

HR 945 To codify the objective of Presidential Policy Directive 21 to improve critical infrastructure security and resilience, and for other purposes. Rep. Jackson Lee, Sheila [D-TX-18]

HR 955 To require the Director of National Intelligence to conduct a study on the feasibility of establishing a Cyber Defense National Guard. Rep. Jackson Lee, Sheila [D-TX-18]

It looks like HR 905 would allow the purchaser of ICS software or firmware to sell or transfer that software without permission of the vendor; see 17 USC 109. This may be an interesting bill.

HR 923 is likely a repeat of HR 4350 introduced in the 114th Congress. The House leadership killed that bill by referring it to eight separate committees for consideration; no action was taken in any of the committees.

HR 935 looks to be a repeat of HR 53 introduced in the 114th Congress; no action was taken on HR 53.

It looks like HR 940 is new legislation. If it contains specific mention of control system security, it will be covered in this blog.

I will be watching HR 945 for mention of cybersecurity, chemical facility security and/or chemical transportation security.


It looks like HR 955 will be a repeat of HR 60 in the 114th Congress; no action was taken on that bill.

ICS-CERT Updates Another Advisory

I missed it last night, but yesterday the DHS ICS-CERT updated a control system security advisory for products from BINOM3. That advisory was originally published on January 31st, 2017.

The new update greatly expands the impact assessment of the multiple vulnerabilities. Instead of just allowing inaccurate reporting of electric quality measurements, the new impact statement reports:


“Successful exploitation of these vulnerabilities could cause unauthorized access to the device, sensitive information leakage, arbitrary script/code execution, unauthorized functional configuration and data changes, and denial-of-service attacks.”

Tuesday, February 7, 2017

ICS-CERT Publishes 3 Advisories and 1 Update

Today the DHS ICS-CERT published two medical control system security advisories for products from Becton, Dickinson and Company (BD) and an industrial control system advisory for products from Sielco Sistemi. Both BD advisories were previously published on the NCCIC Portal on January 17, 2017. Yesterday ICS-CERT updated their medical control system advisory for products from St. Jude; that advisory was originally published on January 9th, 2017.

BD Alaris 8015 Advisory


This advisory describes twin insufficiently protected credentials vulnerabilities in the BD Alaris 8015 Point of Care (PC) unit, which provides a common user interface for programming intravenous infusions. The vulnerabilities were self-reported, but the BD Security Bulletin reports that unnamed “independent security researchers” were involved in finding the vulnerability. The advisory provides multiple compensating controls that mitigate the vulnerability.

ICS-CERT reports that both vulnerabilities could be exploited by a relatively unskilled attacker with physical access to the devices. Both would require access to a flash drive; one installed in the unit, the other removable. A successful exploit would allow the attacker access to the host facility’s wireless network authentication credentials and other sensitive technical data.

There is no mention of this vulnerability on the FDA Medical Device Safety Communications page.

BD Alaris 8000 Advisory


This advisory describes an insufficiently protected credentials vulnerability in the BD Alaris 8015 Point of Care (PC) unit, which provides a common user interface for programming intravenous infusions. The only difference in this advisory is that only an internal flash memory device is involved.

ICS-CERT reports that a relatively low skilled attacker with physical access to the device could exploit this vulnerability. The BD Security Bulletin, however, notes:

“Attack complexity is HIGH based on limited availability of these wireless credentials that are stored in the PCU on internal flash memory. The attacker would then have to use advanced tools to read the flash memory, decode the file system, and then locate and read the credential data. No system privilege is required and an attacker would be able to read the credential data without a user name or password.”

Sielco Sistemi Advisory


This advisory describes an uncontrolled search path element vulnerability in the Sielco Sistemi Winlog SCADA software. The vulnerability was reported by Karn Ganeshen. Sielco Sistemi has released a new version of the software to mitigate the vulnerability. There is no indication that Ganeshen has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT did not comment on the exploitability of this vulnerability except to note that a successful exploit may allow an attacker to load a malicious DLL and execute code on the affected system with the same privileges as the application that loaded the malicious DLL.

St Jude Update


This update provides new information on:

• The versions of the device that are affected by the vulnerability; and
• How the various versions of the device may be affected.


The FDA Safety Communication about this vulnerability has not been updated with the new information.

Bills Introduced – 02-06-17

Yesterday, with both the House and Senate in session, there were 54 bills introduced. One of those may be of specific interest to readers of this blog:

HR 876 To amend the Homeland Security Act of 2002 to reform programs of the Transportation Security Administration, and for other purposes. Rep. Katko, John [R-NY-24]


I’ll only be covering this bill if it includes surface transportation security provisions related to the transportation of chemicals.

Saturday, February 4, 2017

HR 701 Introduced – NHTSA Cybersecurity

Last month Rep. Wilson (R,SC) introduced HR 701, the Security and Privacy in Your (SPY) Car Study Act of 2017. The bill would require DOT’s National Highway Transportation Safety Administration (NHTSA) to conduct a study to determine appropriate standards for the regulation of the cybersecurity of motor vehicles.

The Study


The study would be required to address {§2(a)}:

• The isolation measures that are necessary to separate critical software systems from other software systems;
• The measures that are necessary to detect and prevent or minimize in the software systems of motor vehicles anomalous codes associated with malicious behavior;
• The techniques that are necessary to detect and prevent, discourage, or mitigate intrusions into the software systems of motor vehicles and other cybersecurity risks in motor vehicles, such as continuous penetration testing and on-demand risk assessments;
• Best practices to secure driving data collected by the electronic systems of motor vehicles;
• A timeline for implementing systems and software that reflect the measures, techniques, and best practices identified.

The bill requires a report to Congress within one year of passage of this bill. Presumably, then Congress would take necessary actions to pass legislation requiring implementation of the suggested program.

Moving Forward


Neither Wilson nor his co-sponsor {Rep. Lieu (D,CA)} are members of the House Energy and Commerce Committee, the committee to which this bill was referred for consideration. This means that the bill is unlikely to be considered by that Committee.

There is nothing in the bill that would draw substantial ire of any group. Since only a study is being required (with no spending to support the study) that could only serve to pass the buck to a future Congress, this bill would be adopted in committee if it was considered and subsequently passed if it made it to the floor of the House.

Commentary


The first major problem with this bill is that it fails to include the DHS ICS-CERT in the list of organizations with which NHTSA is required to consult in the conduct of the study. In fact, there is no mention of DHS, the agency designated by Congress to be responsible for cybersecurity matters, in the bill. This was almost certainly done to avoid the inevitable inter-committee conflicts that affect most homeland security legislation.

The major technical issue with this bill (other than the complete misuse/misunderstanding of technical terminology – ‘continuous penetration testing’???) is that it completely fails to address the communications issues that are an integral part of almost any cyber threat. The current existence of in-car Wi-Fi nodes and the imminent future impact of vehicle-to-vehicle and vehicle-to-infrastructure communications systems cannot be overlooked in any study of automotive cybersecurity issues.


Finally, the bill overlooks the role of the independent security researcher in identification of cybersecurity vulnerabilities. Any cybersecurity study that fails to look at the relationships between such researchers, vendors and regulators is missing an important component of identifying and fixing cybersecurity vulnerabilities.