Saturday, April 29, 2017

Bills Introduced – 04-28-17

Both the House and Senate were in session yesterday. There were 43 bills introduced, only two of which may be of specific interest to readers of this blog:

HR 2223 To amend title 49, United States Code, to provide for a rail spill preparedness fund, and for other purposes. Rep. DeFazio, Peter A. [D-OR-4]

H Res 298 Recognizing the security challenges of convening government officials in one specific place and directing the House of Representatives to take appropriate steps so that the House of Representatives can meet in a virtual setting. Rep. Pearce, Stevan [R-NM-2]

HR 2223 will probably be a rehash of HR 5786 that was introduced last fall, but saw no action in the House.

H Res 298 will probably not be covered in this blog since it certainly won’t address control system security issues. I am going to watch for the wording of this resolution to see if/how it addresses the obvious cybersecurity issues that will have to be addressed in virtualizing Congressional meetings. That may provide some insight into the cybersecurity state of mind in Congress.


BTW: In case you missed the news yesterday, both the House and Senate passed H J Res 99, extending the current FY 2017 spending continuing resolution until next Friday night. This gives Congress another week to finish up work on a final continuing resolution for FY 2017. Of course, then work needs to start in earnest on the FY 2018 spending bills.

Friday, April 28, 2017

Bills Introduced – 04-27-17

Yesterday with both the House and Senate in session there were 88 bills introduced. Of those, two may be of specific interest to readers of this blog:

HR 2184 To support meeting our Nation's growing cybersecurity workforce needs by expanding the cybersecurity education pipeline. Rep. McCaul, Michael T. [R-TX-10]

S 965 A bill to improve passenger vessel security and safety, and for other purposes. Sen. Blumenthal, Richard [D-CT]

HR 2184 looks like it will be one of a number of cybersecurity-related bills being introduced by McCaul in the next month or so. As usual, I will be watching for control system security related provisions, specifically ICS-inclusive definitions.


S 965 is probably a companion bill to HR 2173 that was introduced earlier this week. I will be watching both bills for cybersecurity provisions.

ISCD Updates Three FAQ Responses

Yesterday the DHS Infrastructure Security Compliance Division (ISCD) updated the responses to three frequently asked questions (FAQ) on its CFATS Knowledge Center web site. One was a minor revision for clarification, but two were complete rewrites.

The revised responses were for the following FAQs:


FAQ #1272


This was the minor revision. It added the words “of interest” to make the first sentence of the response read:

“Whether a landlord or tenant is responsible for submitting a Top-Screen will depend on which party is responsible for security of the chemicals of interest.”

FAQ #1392


This was a complete re-write of a FAQ that was changed just last month. The new verbiage is much more succinct and the new response provides a link to the new CSAT 2.0 manual. Unfortunately, the link does not work. Somehow the words “Section 10” were inadvertently included in the link. The working link should be https://www.dhs.gov/publication/csat-portal-user-manual.

Actually, the ‘Section 10’ reference is misleading. That section only discusses changing the Authorizer role. Changing (adding or deleting) the Submitter, Preparer, or Reviewer role is covered in Section 8 of the manual.

This FAQ is also being added back to the “All FAQs and Articles” .PDF document that can be downloaded at the bottom of the CFATS Knowledge Center. It stopped showing up in that document sometime after March 20th.

FAQ #1554


This rewrite takes a very short response and provides much more detail, including links to both the appropriate regulation and the new US Code section dealing with the issue. That US Code entry is important because it extended the enforcement authority of DHS to include the ability to sanction facilities that do not complete a required Top Screen. That authority had been overlooked in the original CFATS rule.


The new response also includes the new maximum daily penalty of $33,333 that DHS can assess for failing to comply with a compliance order. That amount was recently increased to reflect inflation and will be subject to periodic review and adjustment.

Thursday, April 27, 2017

ICS-CERT Publishes New Advisory and an Update

Today the DHS ICS-CERT published a control system security advisory for protective relays from GE. They also updated a previously issued advisory for a product from Certec EDV GmbH.

GE Advisory


This advisory describes a weak cryptography for passwords vulnerability in the GE Multilin SR Protective Relays. The vulnerability was initially reported by Anastasis Keliris, Charalambos Konstantinou, Marios Sazos, and Dr. Michail (Mihalis) Maniatakos of New York University. GE has provided firmware updates for all but one of the affected devices; firmware for the final device is expected to be available in June. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to obtain weakly encrypted user passwords, which could be used to gain unauthorized access to affected products.

Certec EDV Update


This update to the advisory originally published on April 6th, 2017 provides the following new information:

• The vulnerabilities can be mitigated in the affected versions by activating the “vendor built-in security mechanism”; and

• An outline of the information needed to activate the security mechanism.

Bills Introduced – 4-26-17

Yesterday both the House and Senate were in session. There were 59 bills introduced. Of those, only three may be of specific interest to readers of this blog:

HR 2169 To amend the Homeland Security Act of 2002 to enhance information sharing in the Department of Homeland Security State, Local, and Regional Fusion Center Initiative, and for other purposes. Rep. Katko, John [R-NY-24]

HR 2173 To improve passenger vessel security and safety, and for other purposes. Rep. Matsui, Doris O. [D-CA-6] 

HJ Res 99 Making further continuing appropriations for fiscal year 2017, and for other purposes. Rep. Frelinghuysen, Rodney P. [R-NJ-11]

The first two bills will only be of concern here if they contain specific cybersecurity language.


HJ Res 99 [.PDF text of resolution] is a short-term continuing resolution moving the expiration date of last year’s CR for FY 2017. The new expiration date would be May 5th, 2017. This provides additional time for Congress and the President to work out a deal to carry spending through until September 30th. This bill is very short and contains only one minor (pun intended) add-on, so it should be passed by voice votes in both the House and Senate before the Friday night deadline to avoid another shutdown fiasco.

Wednesday, April 26, 2017

DHS Publishes CSAT 2.0 Results Webinar Slides

Today the DHS Infrastructure Security Compliance Division (ISCD) published a copy of the slides used in their webinar earlier this week concerning the tiering results from the initial batch of facilities that have submitted new Top Screens under CSAT 2.0. I discussed this webinar earlier this week and, as I suspected, the early slides that I missed help clear up some of the questions that I raised in my earlier post.

Risk Assessment Methodology


A couple of the slides provide some additional information about the new risk assessment process that complements the new CSAT 2.0 tools. There is not a great depth of detail, but they do look at some of the consequence, vulnerability, and threat considerations used by the new methodology. I am relatively sure that these are not all of the considerations used in the new risk assessment and, of course, there is no information on the weighting applied to the various considerations.

I do not think that some people in the security community who had concerns about the lack of threat analysis in the earlier risk assessment methodology are really going to be very happy about the considerations shown in the table on slide 4. Many of the comments that I have seen and heard about the ‘threat’ issue were more concerned about potential threat actors and an assessment of their intent and capabilities to carry out attacks on high-risk chemical facilities. I do not understand how anyone could expect that to be included in the Top Screen assessment since, even if accurate information were available to conduct such an assessment, that information would only be applicable to a specific point in time.

Numbers Review


As I noted in my earlier post, I missed the early slides in the presentation earlier this week. The one in particular that I was concerned about was slide #5. It provides more detail about the number of facilities involved to date (and into the future) in the new Top Screen submissions. It seems that ISCD is intending to send out 27,000 Top Screen letters, a number smaller than the 40,000+ that I had expected. The difference is that ISCD did not send out letters to facilities that previously submitted Top Screens that did not report a screening threshold quantity (STQ) of any of the 300+ chemicals of interest (COI).

ISCD reports that they have sent out more than 10,000 Top Screen notification letters and as of April 3rd had received over 10,000 Top Screen 2.0 submissions. The two numbers are probably only coincidentally the same as all of the facilities notified almost certainly have not yet completed their Top Screens. But remember, ISCD in their announcement in October said that facilities did not need to wait to receive their notification letter to submit a new CSAT 2.0 Top Screen.

My Analysis Questions


It looks like many of the questions that I raised in the earlier post about analysis issues were due to poor note taking on my part. For example, my questions about the 5% reported moving from untiered to tiered were answered by the wording: “5% of the currently untiered populations”.

Since all currently covered facilities were included in the 27,000 figure, this must mean that about 24,000 facilities that are not currently tiered (covered by CFATS rules) will receive a Top Screen notification letter. This means that we can probably expect about 1,200 new facilities to be added to the CFATS rolls.

Similarly, the 5% decrease was based upon the number of currently tiered facilities. This means that about 150 facilities are expected to ‘Tier out’ of the CFATS program. This means that we should expect a net gain of about 1,050 facilities after all 27,000 Top Screens are evaluated. That is about a 30% increase in covered facilities.

The question still remains about what the missing 9% (51% moving between tiers + 35% staying within their tier + 5% tiering out = 91%) of the currently tiered facilities are doing.

Received a Tiering Letter?


The slides also outline what actions a facility needs to take once they receive their tiering letter after the submission of the CSAT 2.0 Top Screen.

The only new thing here is that facilities with a currently approved site security plan (SSP) may (that is a completely separate blog post) have to amend their site security plan to reflect changes in COI and/or security issues. ISCD is giving facilities 30 days to submit those SSP changes. As always, if that is not going to be enough time, request an extension.

Re-Do Webinar

As I mentioned on Monday, ISCD is re-presenting this webinar on May 3rd. Apparently there are still open slots. Sign up if you have any questions that you want to ask the presenters. Otherwise, I expect that ISCD will be making a recording of the webinar available on their CFATS Knowledge Center.

Tuesday, April 25, 2017

DHS Publishes Three Advisories

Today the DHS ICS-CERT published three control system security advisories for products from Hyundai Motor, Sierra Wireless and BLF-Tech.

Hyundai Motor Advisory


This advisory describes two vulnerabilities in the Hyundai Motor Blue Link. The vulnerabilities were reported by Will Hatzer and Arjun Kumar working with Rapid7. Hyundai produced a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided the opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Man-in-the-Middle – CVE-2017-6052; and
• Use of Hard-Coded Cryptographic Key – CVE-2017-6054

ICS-CERT reports that an attacker (no characterization of the skill level is provided) could remotely exploit these vulnerabilities to gain access to insecurely transmitted sensitive information, which could allow the attacker to locate, unlock, and start a vehicle associated with the affected application.

NOTE: A Rapid7 blog post provides more details about the vulnerability.

Sierra Wireless Advisory


NOTE: This advisory provides additional information on vulnerabilities that were initially reported by ICS-CERT in an Alert last June.

This advisory describes three vulnerabilities in the Sierra Wireless AirLink Raven XE and XT. The vulnerabilities were reported by Karn Ganeshen. Sierra Wireless has produced new firmware that mitigates two of the three reported vulnerabilities. There is no indication that Ganeshen was provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities were:

• Improper Authorization – CVE-2017-6044;
• Cross-Site Request Forgery – CVE-2017-6042; and
• Insufficiently Protected Credentials (Not mitigated) – CVE-2017-6046

Neither this advisory nor the Sierra Wireless Technical Bulletin [.DOC download] from last summer addresses the fourth vulnerability reported by Ganeshen in his disclosure: unauthenticated access to directories and arbitrary file upload.

ICS-CERT reports that a relatively unskilled attacker could use the publicly available exploits for these vulnerabilities to remotely attack these devices to perform unauthorized sensitive functions compromising the confidentiality, integrity, and availability of the affected system.

BLF-Tech Advisory


This advisory describes an uncontrolled search path element vulnerability in the BLF-Tech VisualView HMI. The vulnerability was reported by Karn Ganeshen. BLF-Tech has produced a new version to mitigate the vulnerability. There is no indication that Ganeshen was provided an opportunity to verify the efficacy of the fix.


ICS-CERT reports that a relatively unskilled attacker (access requirements not characterized) could exploit the vulnerability to execute arbitrary code within the system.

FDA Announces Medical Device Cybersecurity Workshop

Today the Food and Drug Administration published a meeting notice in the Federal Register (82 FR 19059-19060) for a public workshop on “Cybersecurity of Medical Devices: A Regulatory Science Gap Analysis”. The two-day workshop will be held on May 18th, 2017 in Silver Spring, MD. The objective of the workshop is to facilitate a discussion on the current state of regulatory science in the field of cybersecurity of medical devices, with a focus on patient safety.

Cybersecurity Regulatory Science


The FDA notes that their Center for Devices and Radiological Health (CDRH) identified medical device cybersecurity as one of their top 10 regulatory science gaps. In the CDRH publication “Regulatory Science Priorities (FY2016)” it was noted that (page 8):

“Digital Health and cybersecurity are some of the fastest growing areas impacting medical devices. Devices are being increasingly used in networked environments and are expected to communicate with one another securely and accurately. To ensure these technologies and technological environments achieve the desired public health impact, research is needed to enhance performance and security of medical devices and interoperability, and to understand the impact of software modifications on device performance.”

With that in mind the FDA, in conjunction with the National Science Foundation and the DHS Science and Technology Directorate, is attempting to establish a cybersecurity regulatory science research framework to foster collaborative research between federal agencies such as NSF and DHS S&T, academia, the medical device industry, third-party experts, and other organizations, with input from FDA.

Workshop Agenda


This scheduled workshop is designed to support that effort by conducting a number of simultaneous working sessions discussing the following topics:

• Relationship between medical device cybersecurity and patient safety;
• Unique cybersecurity and regulatory challenges for medical devices;
• Differences in cybersecurity between home care, large health care providers, and acute care settings (e.g., ambulance, emergency room);
• The roles and intersection of information technology professionals and biomedical engineering staff;
• Potential metrics, evaluation tools to test and quantify the cybersecurity of medical devices and systems;
• Automated and manual tools for communicating cybersecurity information about medical device design and function;
• Best practices for cybersecurity of medical devices at deployment and how to apply updates throughout the medical device lifecycle;
• Human factor issues in cybersecurity of medical device development, deployment, and use of devices; and
• Best practices in cybersecurity design, deployment, and post-deployment activities and procedures.

Each of the sessions will attempt to address the:

• Immediate cybersecurity challenges and potential solutions to facilitate entry of innovative medical devices into the marketplace;
• Cybersecurity regulatory science gaps to which solutions can be developed through additional scientific research; and
• Long-term cybersecurity research challenges which may need significant additional basic research.

Public Participation


Personnel wishing to participate in the workshop need to register in advance via the FDA’s workshop registration page. Unfortunately, as of 8:20 am EDT today that page does not show this planned workshop even though the notice states that early registration is recommended due to limited seating.

The FDA is also soliciting written comments on the above topics. Written comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # FDA-2017-N-1572). Those comments should be submitted by June 23rd, 2017.

Please note that the Federal Register notice specifically states that the workshop is not designed to discuss FDA policy regarding cybersecurity of medical devices.


Monday, April 24, 2017

CFATS 2.0 Results Webinar

I just completed watching the DHS “CFATS Tiering Update - April 2017” webinar. This webinar provided information on the preliminary outcomes of the DHS Infrastructure Security Compliance Division’s (ISCD) review of the CSAT 2.0 Top Screen submissions that were started last fall. I say ‘preliminary’ because ISCD is still reviewing a number of the submitted Top Screens and is presumably still sending out Top Screen submission letters.

It was an interesting presentation and I recommend that interested parties that missed this webinar sign up for the next session that will be held early next month.

There have been a number of questions about the potential effects of the new risk-assessment methodology that is part of CSAT 2.0. The main question that folks have been asking is how that new methodology would end up affecting the Risk Tiering within the Chemical Facility Anti-Terrorism Standards (CFATS) program. The presentation today provides at least a partial answer.

Changed Risk Assessment Methodology


ISCD took a sample of 8,000 new Top Screen submissions and specifically looked at the new tiering results. Here are the results that ISCD reported today (Note: there was no mention of the missing 4% of the facilities):

• 5% moved from untiered to tiered;
• 5% moved from tiered to untiered;
• 51% moved between the four tier rankings; and
• 35% remained within their existing tier rankings

Remember, untiered facilities are not covered facilities under the CFATS program, and thus do not have to submit an SVA/SSP or have an approved site security plan (SSP) or alternative security plan (ASP).

The presenters also described two specific trends that they saw in tier changes. First, facilities that had just weapon of mass effect (WME) security issues tended to see a decrease in tier ranking because the new ‘physics-based modeling’ tended to see a lower risk for the same situation for these chemicals as compared to the old risk modeling process. Second, a counter-trend was seen with two specific chemicals (triethanolamine and methyldiethanolamine); the same ‘physics-based modeling’ tended to see an increased risk for these chemicals as compared to the previous methodology.

The presenters also noted that there were 235 facilities (not clear if they were part of the 8,000 used for the above analysis) that were facilities with only theft/diversion security issues that now had added release security issues. The presenters did not make it clear whether this was due to the risk modeling or if it was due to changes in the reported DHS chemicals of interest on site.

Commentary


I missed the early portion of the webinar, so I almost missed the information that ISCD probably presented on the number of letters sent out and the number of Top Screens that have been submitted. I should have more information on that in the near future.

I have some serious questions about the reported analysis of the risk assessment results presented in the webinar. Now this is probably due to my nitpicking of statistical analysis in general. I have a little more training (not that much though) in statistical analysis than most people, so I generally cringe whenever I see the word ‘analysis’ used in a presentation.

First, let’s look at that missing 4% I mentioned earlier. There is one category that is specifically missing from those reported, the untiered facilities that remained untiered facilities. For the sake of discussion, let us assume that those unreported 4% were those untiered facilities that did not change. That would mean that only 9% of the facilities in the 8,000-facility sample were untiered or facilities that were not covered by the CFATS program.

That is a problem because that would mean that 81% of the 8,000 facilities in the sample were currently covered facilities. That would be 6,480 facilities. But, as of the last reporting by ISCD, there were fewer than 3,000 covered facilities in the program. That means that the reported percentages cannot be of the whole 8,000-facility sample.

Let’s assume for the sake of argument that all 2,948 facilities reported in the last CFATS Fact Sheet from October 1st of last year were included in the 8,000-facility sample. That would mean that there were 5,052 initially untiered facilities in the sample. Plugging these numbers into the previously reported percentages we get:

• 252 moved from untiered to tiered;
• 147 moved from tiered to untiered;
• 1503 moved between the four tier rankings; and
• 1031 remained within their existing tier rankings


This still leaves 716 facilities for which no data was provided, or 24% of the covered facilities. So, any way we look at it we have internally inconsistent information provided. I will try to get clarification from ISCD.

Committee Hearings – Week of 04-23-17

With both the House and Senate back in Washington after their two-week recess, the main focus this week will be on getting a spending bill passed for the remainder of FY 2017. The deadline for that is Saturday, else the dreaded government shutdown will occur (unlikely). With that on the congressional platter the hearing schedule is relatively light this week; there is just one hearing that may be of specific interest to readers of this blog. It will address hazmat transportation issues.

HAZMAT Transportation


On Wednesday the Railroads, Pipelines, and Hazardous Materials Subcommittee of the House Transportation and Infrastructure Committee will be holding a hearing looking at “Building a 21st Century Infrastructure for America: The State of Railroad, Pipeline, and Hazardous Materials Safety Regulations and Opportunities for Reform”. The witness list includes:

• Linda B. Darr, American Short Line and Regional Railroad Association;
• Roger Nober, BNSF Railway;
• Paul Rankin, Reusable Industrial Packaging Association;
• Robin Rorick, American Petroleum Institute;
• Donald J. Santa, Jr., Interstate Natural Gas Association of America; and
• John Tolman, Brotherhood of Locomotive Engineers and Trainmen

I expect that we will hear very little about new regulations that the industries need to protect the public and more about what current and proposed rules need to be reviewed, revamped, or removed.

On the Floor


Nothing of specific interest is expected to come to the floor of either the House or Senate this week beyond the FY 2017 Continuing Resolution. That bill has not yet been made public; there is still too much horse trading going on for that. It is interesting that we are seeing news this week about what bill components (or lack thereof) might result in a Trump veto of the spending bill coming out of a Republican-controlled Congress.


As always, I will leave the gross reporting on the bill to the national press. I will focus on the specifics of what the bill might mean to the chemical safety, security and transportation communities and the control system cybersecurity community.

Saturday, April 22, 2017

DHS Announces Date and New Location for 2017 CSSS

Yesterday the DHS Office of Infrastructure Protection (IP) and the Chemical Sector Coordinating Council announced via the Chemical Sector Security Summit (CSSS) web page that the 2017 CSSS will be held in Houston, TX on July 19-21, 2017. Those of us who signed up for future information about the 2017 CSSS (see the bottom of the web page) received an email from DHS providing the same information yesterday.


Information concerning registration and the agenda will be published on the web page (and certainly here) later this spring.

NIST Announces CSF 1.1 Workshop – May 16th, 2017

NIST has announced another in a series of workshops concerning the proposed new version of their Cybersecurity Framework (CSF 1.1). The 2-day workshop will be held in Gaithersburg, Maryland on May 16th, 2017. The draft agenda for the workshop was made available this week on their CSF website.

I have not covered CSF 1.1 because the CSF is not operationally an industrial control system (ICS) security program. There are ICS components, but this is a cybersecurity management tool, not actually a cybersecurity tool. I have not seen anything in CSF 1.1 that would change that assessment.

Having said that, I am mentioning this workshop because it contains an internet of things (IOT) breakout session on the second day of the CSF 1.1 workshop. The agenda describes it this way:

“Cyber Meets the Physical World: The diverse use and rapid proliferation of connected devices – typically captured by the “Internet of Things (IoT)” – creates enormous value for industry, consumers, and broader society. At the same time, emerging threats, such as last year’s Mirai DDoS attacks, highlight the critical need to develop and apply guidance to maintain the cybersecurity of devices and the ecosystems into which they are deployed. NIST is seeking feedback on how the Framework may be applied to the IoT, both in terms of the devices themselves, as well as their integration into broader enterprise and network environments. Topics in this breakout may include: existing IoT definitions and taxonomies and their consistency with the Framework; IoT specific threats and constraints; sector-specific considerations for IoT security; and the integration of IoT-specific threats into the Framework model.”

Even this description of ‘Cyber Meets the Physical World’ contains no specific reference to industrial control systems, or even really hints at their existence. This is the thing that continues to concern me about the CSF. I hope that I am reading too much into this brief description and I hope that we hear from some attendees with an ICS cybersecurity background that there was some specific and realistic discussion of ICS specific security concerns with IOT and how that might be dealt with in the CSF environment.


Early registration is recommended by NIST due to the limited seating available. Registration closes on May 9th, 2017.

Friday, April 21, 2017

PHMSA Publishes 11 60-Day ICR Renewals

Today the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) published a 60-day information collection request (ICR) renewal notice in the Federal Register (82 FR 18828-18831) for eleven separate existing ICRs. While the limited information provided in this notice would seem to indicate that there are no changes from the currently approved versions of these ICRs, there is something odd going on with one of them.

The eleven ICRs are listed in the table below. The link in the title of the ICR is to its appearance in this notice and the link in the RIN is to the currently approved ICR.



The odd thing about the Approval for Hazardous Material ICR is that earlier this month PHMSA submitted an ICR revision request to OIRA for the ICR. That ICR revision was to support a final rule published by PHMSA on March 30th, 2017. That rulemaking simply reports that there are expected to be an additional 3,600 responses and an increase of 1,800 hours in the burden required by this new rule. A more detailed accounting of that change can be found in the supporting document [.DOC download] that was sent to OIRA earlier this month.

What seems likely is that whoever was responsible for crafting this ICR notice for PHMSA just copied the previous 60-day ICR notice submitted three years ago, made some cosmetic changes for dates, and then submitted the revised document to OIRA. And I suspect that too many ICR renewals suffer the same problem: someone just going through the motions. It makes a mockery of the requirement for agencies to submit, and OMB to approve, these ICRs to ensure that the regulated public is not unnecessarily burdened by the data collection demands of the Federal government.

At the very least, PHMSA needs to stop this ICR renewal and publish a new 60-day ICR notice without including the Approval for Hazardous Material ICR.


PHMSA is soliciting public comments on this ICR notice. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; PHMSA-2017-0018). I will be submitting a copy of this post as a comment.

Bills Introduced – 04-21-17

Yesterday both the House and Senate met in pro forma session. There were twelve bills introduced in the House while the vast majority of members (probably all but three) remained in their home districts campaigning, raising money, and meeting with constituents (Senate rules do not allow introduction of bills during pro forma sessions). Of these, only two may be of specific interest to readers of this blog:

HR 2105 To require the Director of the National Institute of Standards and Technology to disseminate guidance to help reduce small business cybersecurity risks, and for other purposes. Rep. Webster, Daniel [R-FL-11]

HR 2114 To require the Secretary of the Treasury to implement security measures in the electronic tax return filing process to prevent tax refund fraud from being perpetrated with electronic identity theft. Rep. Yoho, Ted S. [R-FL-3] 

It will be interesting to see what form the ‘disseminate guidance’ will take and what additional guidance (over and above the already existing guidance documents) will be required. I really do not expect that the guidance will include industrial control system guidance though it almost certainly should (IMHO).

I will only be mentioning HR 2114 in this blog post. I mention it to remind readers how long it takes Congress to react to real problems. Brian Krebs first wrote about this problem in 2015, so the problem has been around for a while now. To be fair Yoho introduced an earlier version of this bill in the 114th Congress (HR 1595) but there was no action taken on that bill even though it ultimately had 33 bipartisan cosponsors. I expect a similar fate this session.

Thursday, April 20, 2017

DHS Publishes 60-Day ICR Revision Notice for CVI Program

Yesterday the DHS National Protection and Programs Directorate (NPPD) published a 60-day information collection request (ICR) notice in the Federal Register (82 FR 18466-18468) for revisions being made to support the Chemical-Terrorism Vulnerability Information (CVI) program within the Chemical Facility Anti-Terrorism Standards (CFATS). The proposed changes reduce the number of information collections and the DHS burden estimate for that program.

Changes


Based upon the experience of the last three years, the Infrastructure Security Compliance Division (ISCD) of the NPPD is removing five information collection instruments from this ICR. They are:

• “Determination of CVI”;
• “Determination of a “Need to Know” by a Public Official”;
• “Disclosure of CVI Information”;
• “Notification of Emergency or Exigent Circumstances”; and
• “Tracking Log for CVI Received”

This leaves just one ICR instrument covered by this collection, the information collected by the CVI Training web site and the subsequent CVI user application. ISCD reports that it expects the number of respondents for this remaining instrument to decrease from 30,000 to 20,000.

Commentary


Once again it is nice to see a detailed accounting of the changes being proposed by a federal agency in the ICR process. Such details provide the data necessary to make informed comments for ultimate consideration by the OMB’s Office of Information and Regulatory Affairs.

I also commend DHS for this review of the collection instruments covered by the ICR and their intent to remove little used or unnecessary instruments. Having said that, I have concerns about the removal of three of the identified instruments:

• “Disclosure of CVI Information”;
• “Notification of Emergency or Exigent Circumstances”; and
• “Tracking Log for CVI Received”

All three of these instruments are still required by the DHS CVI Procedural Manual; the first with mandatory language (“must promptly report”) and the other two with permissive language (“should be kept and submitted” and “DHS encourages"). In fact, the first is required by the CFATS regulations {6 CFR 27.400(d)(7)}.

The notice would appear to attempt to address these three instruments by stating that:

“The Department expects that in many instances when the Department may need or want to collect information regarding emergency and/or unauthorized disclosure of CVI, the collection would not be covered by the Paperwork Reduction Act because the information would be collected during the conduct of an investigation involving specific individuals or entities. See 44 U.S.C. 3518(c)”

That would certainly be true of the subsequent investigation of the reports in the first two instances, but not the initial reports themselves.

I would like to suggest that DHS continue to retain these three instruments in this ICR with an appropriately low number of respondents and the current estimate of burden hours and cost rates.

Public Comments


DHS is soliciting public comments about this ICR. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; DHS-2017-0015). Comments should be submitted by June 19th, 2017.

A copy of this blog post is being submitted as a comment to this ICR notice.

Wednesday, April 19, 2017

ICS-CERT Updates an Advisory and an Alert

Yesterday the DHS ICS-CERT updated two control system security notices; one an alert on BrickerBot and the other an advisory affecting products from Belden Hirschmann.

BrickerBot Update


This update provides new information on the alert that was originally published on April 12th, 2017. The update more specifically acknowledges the Radware contribution to the state of current knowledge about BrickerBot. It also provides:

• A slightly more detailed and updated description of the operation of both BrickerBot.1 and BrickerBot.2; and
• A new mitigation measure; updating Ubiquiti device firmware.

Belden Hirschmann Update


This update provides new information on the advisory that was originally published on January 26th, 2017. The update expands the scope of the advisory; adding three new vulnerabilities that were apparently fixed with the originally reported new software version. The newly reported vulnerabilities are:

• Server-side request forgery - CVE-2017-6036;
• Cross-site request forgery - CVE-2017-6038; and
• Information exposure - CVE-2017-6040

Belden did not change their original Security Bulletin. Instead, they issued an additional Security Bulletin to describe the ‘new’ request forgery vulnerabilities. Belden actually describes the cross-site request forgery as a subset of the server-side request forgery, rather than specifically listing it as a separate vulnerability. Belden never does specifically acknowledge the ‘information exposure’ vulnerability reported by ICS-CERT.


Interestingly, the only change that ICS-CERT makes to their ‘impact’ statement designed to reflect the additional vulnerabilities is to change the words ‘of this vulnerability’ to ‘of these vulnerabilities’. It does not acknowledge the Belden report that the ‘new’ vulnerabilities may allow an attacker to “trick administrators into changing the configuration of the device”.

Tuesday, April 18, 2017

ISCD Updates Two FAQ Responses and Adds a New Article

Today the DHS Infrastructure Security Compliance Division (ISCD) updated two frequently asked question (FAQ) responses and added a new article on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. There is no specific notice on that site concerning the presence of the new article.

FAQ Updates


The two changed FAQ responses were significant rewrites of the verbiage, but no real new information was provided. The updated FAQ responses were for the following existing FAQ:

• FAQ #1489; and
• FAQ #1579
The new response to FAQ #1489 is significantly shorter than the previous response. ISCD has removed verbiage about the need for facility knowledge on the part of the Preparer and the unrelated information that the Submitter should be an officer or employee of the company who is domiciled in the US. That was perfectly good information, but it was not really pertinent to the FAQ.

For FAQ #1579 there was actually a significant change to the wording of the FAQ as well as a nearly complete rewrite of the response. The original FAQ started off with “How does a college define itself….” The new FAQ substitutes ‘facility’ for ‘college’; expanding the coverage of the response to include a more diverse set of facilities. That expansion did not have any real effect on the new response.

The new response would seem to imply that ISCD is taking a different sort of look at facilities that choose to only include isolated parts of their overall facility in their definition of the facility for the purpose of Top Screen submissions. The original FAQ response included this:

“As such, an institution of higher learning can, if appropriate, submit a Top-Screen on a facility-by-facility basis or on a campus-wide basis. However, the Department will evaluate whether or not the facility or facilities, if determined to be high-risk, have complied with CFATS and, specifically, the Risk-Based Performance Standards (RBPS).”

The new response substitutes the following language:

“Individual buildings within a facility site can be registered as separate facilities if they possess COI at or above the screening threshold quantity (STQ). For example, a college or university can, if appropriate, submit a Top-Screen on a building-by-building basis or on a campus-wide basis and need not necessarily count the total of all COI in separate buildings to ascertain whether it meets or exceeds the applicable STQ for each COI. However, the Department will evaluate whether or not the definition of the parameters of the facility or facilities to determine whether such definition appears intended to thwart or evade regulation under CFATS.”

It is clear that the original response focused more on how the identification of multiple facilities affected the site security plans for the sites. The new response would seem to indicate that ISCD has new concerns about people attempting to evade coverage under the CFATS program by filing multiple sites that might not individually be considered at high risk of terrorist attack when the combination of the facilities might be.

Both the original response and the new response provide a link to the final rule on Appendix A to the CFATS regulations (6 CFR Part 27) and a description of the area within that final rule where the discussion takes place that affect the response to this FAQ. If ISCD had used a link to the Federal Register web site instead of their own listing of the publication, they would have been able to provide a more direct link to the discussion (here).

New Article



The new article (Article #1780) provides a fairly detailed discussion of the categories of facilities that are exempt from the requirement to submit a Top Screen and are thus exempt from coverage under the CFATS program. The information provided in this article has, for the most part, been provided in individual FAQ responses to questions about the specific programs that form the basis for the exemption from CFATS program coverage. This is the first time, however, that it has been included in a single place on the CFATS Knowledge Center.

HR 1891 Introduced – Methyl Bromide

Earlier this month Rep. LaMalfa (R,CA) introduced HR 1891, the Safe Agriculture Production Act of 2017. The bill would authorize the continued use of methyl bromide as a pesticide and/or fungicide for certain emergency uses. The bill is essentially identical to HR 3710 from the 114th Congress. That earlier bill saw no action.

LaMalfa and his 10 cosponsors (9 Republicans and 1 Democrat) are all from agricultural districts that were presumably affected by the phase out of methyl bromide under the Montreal Protocol on Substances that Deplete the Ozone Layer as enforced by 40 CFR Part 82. 2017 is the first year that there are no authorized essential uses for methyl bromide, and its manufacture, importation or use in the United States is generally outlawed.

As I outlined in my blog post about HR 3710, the bill would amend 7 USC 7719 concerning the agricultural uses of methyl bromide. The amendment is in effect a complete re-write of §7719. Something that I failed to mention in that earlier post is an important provision of §7719 that was not included in the new rewrite in this (or the earlier) bill. That provision was found at §7719(d)(2):

“Nothing in this section shall be construed to alter or modify the authority of the Administrator of the Environmental Protection Agency or to provide any authority to the Secretary of Agriculture under the Clean Air Act (42 U.S.C. 7401 et seq.) [link added] or regulations promulgated under the Clean Air Act.”

This type of verbiage is typically added when there is a conflict between the authorities and responsibilities of two different sections of the Executive Branch. The removal of this language in the rewrite of §7719 and the inclusion of the “Notwithstanding any other provision of law…” verbiage in the new §7719(f) is effectively intended to remove the EPA from any regulation of methyl bromide in the ‘emergency’ situations broadly outlined in the bill.

The lack of any action in the last session on the previous version of this bill is a pretty good indicator that the bill is unlikely to be considered in this session. There is, however, more incentive for the sponsors of this bill to push for action since methyl bromide use is completely disallowed for the first time this year. The replacement chemicals are not as effective as methyl bromide, and many farmers and agricultural importers are going to be bothering these representatives for some sort of relief.

Even given that, I see little chance that this bill will make it through the legislative process. Passage may be possible in the House, but the bill would never make it to the floor in the Senate. The only chance that I see this making it into law is if it was included in the agriculture authorization bill, and that chance is fairly remote seeing that Rep. Conaway (R,TX; the Chair of the House Agriculture Committee) did not allow any action on the previous version of the bill in his Committee in the 114th Congress.


As always, my concern with this bill lies in the failure of DHS to include methyl bromide (a toxic inhalation hazard chemical) in its list of chemicals that would trigger a Top Screen reporting requirement under the Chemical Facility Anti-Terrorism Standards (CFATS) program. This is the only TIH chemical not on that list and it was specifically removed because it was being phased out by Montreal Protocol.

Saturday, April 15, 2017

Public ICS Vulnerability Disclosure – Week of 04-09-17

This week John Page (HYP3RLINX) published three control system security vulnerability reports on the Full Disclosure mailing list; all three reports include proof of concept exploit code. All three of the vulnerabilities were for products from Moxa; two for Moxa MXView (here and here) and one for MX-AOPC UA SERVER (here). Page reports that these were coordinated disclosures and that Moxa has updated firmware to mitigate all three vulnerabilities.

MXView


The two reported vulnerabilities are:

• Remote private key disclosure - CVE-2017-7455; and
• Denial of service - CVE-2017-7456

MX-AOPC UA SERVER



The sole reported vulnerability for this product is an XML external entity injection (CVE-2017-7457) vulnerability.
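For readers unfamiliar with the vulnerability class, the following is an added illustration of XML external entity (XXE) injection using Python's standard-library SAX parser. It is example code written for this post, not Moxa's code and not derived from the Page report; the element names, file path and secret are constructed for the demonstration. The "vulnerable" parser is configured to resolve external general entities (the behaviour an XXE attack relies on); the hardened parser leaves that feature off and additionally refuses any document that carries a DOCTYPE, since without a DTD there is nowhere to declare an entity.

```python
"""XXE demonstration: vulnerable vs hardened SAX parsing (added example)."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             property_lexical_handler)


class _TextCollector(ContentHandler):
    """Collects character data so we can see what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


class _RejectDoctype:
    """Lexical handler that aborts parsing on any DOCTYPE declaration."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE not allowed in untrusted XML")

    # Remaining LexicalHandler callbacks are no-ops.
    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def parse_text(xml_bytes, resolve_external_entities, reject_doctype=False):
    """Parse XML bytes and return the concatenated text content."""
    parser = xml.sax.make_parser()
    # feature_external_ges=True makes the parser fetch SYSTEM entities
    # (file://, http://, ...) and splice their contents into the document.
    parser.setFeature(feature_external_ges, resolve_external_entities)
    if reject_doctype:
        parser.setProperty(property_lexical_handler, _RejectDoctype())
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts).strip()


def vulnerable_parse(xml_bytes):
    """Configuration an XXE attack relies on: external entities resolved."""
    return parse_text(xml_bytes, resolve_external_entities=True)


def hardened_parse(xml_bytes):
    """External entities off and DTDs rejected outright."""
    return parse_text(xml_bytes, resolve_external_entities=False,
                      reject_doctype=True)


def xxe_payload(path):
    """Constructed attacker document: the DTD declares an external entity
    pointing at a local file and the body references it (hypothetical tags)."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE tag [ <!ENTITY xxe SYSTEM "file://%s"> ]>\n'
        "<tag><name>&xxe;</name></tag>\n" % path
    ).encode()


def demo():
    """Run both parsers against the same payload; return what each did."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")  # constructed secret
        with open(secret_path, "w") as fh:
            fh.write("top-secret-token")
        payload = xxe_payload(secret_path)
        leaked = vulnerable_parse(payload)
        unexpanded = parse_text(payload, resolve_external_entities=False)
        try:
            hardened_parse(payload)
            blocked = False
        except ValueError:
            blocked = True
    return {"leaked": leaked, "unexpanded": unexpanded, "blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

The vulnerable parser returns the contents of the file the attacker named; merely turning off external entity resolution yields an empty value, and the DOCTYPE check fails the document before any entity is declared. Any component that accepts XML from a network peer should be configured the hardened way.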

Friday, April 14, 2017

NTIA Announces IOT Cybersecurity Meeting

Today the Department of Commerce’s National Telecommunications and Information Administration published a meeting notice in the Federal Register (82 FR 17977-17978) concerning their Multistakeholder Process on Internet of Things (IOT) Security Upgradability and Patching. The public meeting will be held on April 26th, 2017 in Washington, DC.

The earlier meetings on this topic were held by NTIA on October 19th, 2016 and January 31st, 2017.

An agenda for the meeting is not yet available, but according to the meeting notice:

“Stakeholders have identified four distinct work streams that could help foster better security across the ecosystem. The main objectives of the April 26, 2017 meeting are to share progress from the working groups and hear feedback from the broader stakeholder community. Stakeholders will also discuss their vision of the timing and outputs of this initiative, and how the different work streams can complement each other.”

The meeting will be webcast. See the Multistakeholder web site for more information. 

ICS-CERT Publishes Two Advisories

Yesterday the DHS ICS-CERT published two control system security advisories for products from Schneider Electric and Wecon Technologies.

Schneider Advisory


This advisory describes two vulnerabilities in the Schneider Modicon M221 PLCs and SoMachine Basic. The vulnerabilities were reported by Simon Heming, Maik Brüggemann, Hendrik Schwartke, and Ralf Spenneberg of Open Source Security. Schneider has announced an encryption workaround and that they will introduce a new version of SoMachine Basic in June.

The two reported vulnerabilities are:

• Use of Hard-Coded Cryptographic Key – CVE-2017-7574; and
• Protection Mechanism Failure – CVE-2017-7575

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities using a publicly available exploit to extract a protected project file from the controller to obtain sensitive project information, or allow a user with access to a protected project file to decrypt it in order to obtain sensitive information without authorization.

Interestingly, the Schneider security notification only addresses the vulnerability in their SoMachine Basic; ignoring the vulnerability in their Modicon M221 PLCs. Could that vulnerability be a ‘design feature’?

NOTE: These are the vulnerabilities that I reported on last weekend. Open Source Security published the vulnerabilities on their web site (here and here) a week ago last Tuesday.

Wecon Advisory


This advisory describes two buffer overflow vulnerabilities in the Wecon LEVI Studio HMI Editor. The vulnerabilities were reported by Andrea (rgod) Micalizzi, working with iDefense Labs. Wecon has developed a new version that mitigates the vulnerabilities. There is no indication that rgod has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Heap-based buffer overflow – CVE-2017-6037; and
• Stack-based buffer overflow – CVE-2017-6035


ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to cause the device to become unresponsive; a buffer overflow condition may allow remote code execution.

Thursday, April 13, 2017

ISCD Publishes Three FAQ Updates

Today the DHS Infrastructure Security Compliance Division (ISCD) published three revised frequently asked question (FAQ) responses on its Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. While many recent changes have been made to add regulatory links, the three FAQ responses published today had some significant word changes.

The three FAQ responses that were updated today were:

• FAQ #1291;
• FAQ #1383; and
• FAQ #1437
FAQ #1291


The basic change to this FAQ response was the addition of links to the CFATS regulation and to the CFATS Advisory Opinion web site, where there is a link to Opinion 2016-02 that addresses the ‘A Commercial Grade’ (ACG) issue in some detail. The greater detail found in that opinion apparently provides a reasonable justification to remove some of the explanatory wording in the original FAQ response.

FAQ #1383


The new FAQ #1383 response is very much shorter than the original response. It removes the explanation of why ANFO is not treated as an explosive by the CFATS program. While the new answer does specifically answer the question posed, I think that the information provided in the earlier version should have been retained for clarity's sake. For the record, here is the old response in full:

No. As stated in the preamble to the final Appendix A to the Chemical Facility Anti-terrorism Standards (CFATS), the only explosive Chemicals of Interest (COI) listed in Appendix A (i.e., release explosives and theft/diversion explosives) are those listed by the Department of Transportation (DOT) as Class 1, Division 1 explosives. See 72 Fed. Reg. 65402-65403, [Link Added] 65405 & n. 37 (Nov. 20, 2007). Although ANFO is an explosive, it is not listed by DOT as a Division 1.1 explosive, and thus it is not covered by Appendix A. However, a facility that manufactures ANFO and possesses any chemical of interest (e.g. ammonium nitrate) in a quantity at or above the applicable STQ would be required to submit a Top-Screen.

FAQ #1437


The response to FAQ 1437 is a complete re-write of the original FAQ response; removing any mention of ACG which was never really pertinent to the question. Unfortunately, the new language is a little bit confusing until one actually looks at the Appendix A table.

The new response states:

“As provided in 6 CFR §27.203(d), https://www.gpo.gov/fdsys/pkg/CFR-2016-title6-vol1/pdf/CFR-2016-title6-vol1-sec27-203.pdf, a facility shall count toward the STQ the total quantity of any placarded amount of a sabotage/contamination chemical that the facility ships.”

The actual wording of §27.203(d) reads:

“A facility meets the STQ for a sabotage/contamination chemical of interest if it ships the chemical and is required to placard the shipment of that chemical pursuant to the provisions of subpart F of 49 CFR part 172 [Link Added].”

The way the regulation reads, if a facility ships one shipment of a sabotage/contamination chemical of interest that DOT required to be placarded (either on the container or the vehicle carrying the material), then the facility would have met the STQ requirements for that COI, regardless of the size of the shipment. The FAQ response would seem to indicate that you could have some number of placarded shipments of a sabotage/contamination COI but not yet reach the STQ.


Looking at the COI table in Appendix A, however, quickly clears up the matter. The STQ for all sabotage/contamination COI is listed as ‘APC’ or ‘a placarded amount’; confirming that a single placarded shipment of the COI would meet the STQ for that sabotage/contamination COI.

S 768 Introduced – Smart Manufacturing

Last month Sen. Shaheen (D,NH) introduced S 768, the Smart Manufacturing Leadership Act. The bill would require the Secretary of Energy to develop a smart manufacturing plan and to provide assistance to small- and medium-sized manufacturers in implementing smart manufacturing programs.

Definition of Smart Manufacturing


The basic definition of smart manufacturing in this bill encompasses the technologies that digitally {§3(9)(A)}:

• Simulate manufacturing production lines;
• Operate computer-controlled manufacturing equipment;
• Monitor and communicate production line status; and
• Manage and optimize energy productivity and cost throughout production


The bill goes on to further expand the definition to include technologies that {§3(9)}:

• Model, simulate, and optimize the energy efficiency of a factory building;
• Monitor and optimize building energy performance;
• Model, simulate, and optimize the design of energy efficient and sustainable products, including the use of digital prototyping and additive manufacturing to enhance product design;
• Connect manufactured products in networks to monitor and optimize the performance of the networks, including automated network operations; and
• Digitally connect the supply chain network.

Smart Manufacturing Plan


Section 4 of the bill would require DOE to develop and implement a smart manufacturing plan within 3 years to improve the productivity and energy efficiency of the manufacturing sector of the United States. The plan would identify actions that the Federal government would take to {§4(b)(1)}:

• Facilitate quicker development, deployment, and adoption of smart manufacturing technologies and processes;
• Result in greater energy efficiency and lower environmental impacts for all American manufacturers; and
• Enhance competitiveness and strengthen the manufacturing sectors of the United States.

Moving Forward


Shaheen is not a member of the Senate Energy and Natural Resources Committee to which this bill was assigned for consideration. This means that there is little chance that she has the influence necessary to have that Committee take up the bill.

The only thing in this bill that would cause any significant opposition to its consideration (in committee or on the floor) is the inclusion of a relatively modest new grant program. The $10 million authorized for the grant program would have to come out of an already limited budget environment. That would probably be sufficient to ensure that the bill will not receive consideration.

Commentary


Sharp-eyed readers will see little above that indicates that I would spend any time evaluating this bill on this blog; there are no chemical safety or cybersecurity provisions mentioned in the bill. The lack of cybersecurity provisions in the bill is what concerns me here.

Shaheen does mention cybersecurity in a couple of places in Section 2 of the bill; the congressional findings section. These findings spell out the reasons that the programs outlined in the bill are necessary. And she lays out a pretty good set of reasons to include cybersecurity.

First, she establishes that “the interconnection of the many components of manufacturing within a manufacturing plant with other business functions within a company and across companies within a supply chain will enable new production efficiencies” {§2(4)}. Those of us who follow control system security recognize (and object to) these ‘interconnections’ as a great source of the vulnerability of control systems that until recently were considered to have isolation as their greatest security measure.

Second, in laying out the barriers to adoption of smart manufacturing technologies, she specifically identifies the lack of “common cybersecurity protocols and standards” {§2(7)(D)}.

Finally, she establishes that the Department of Energy is (and should be) specifically working “with the private sector to reduce the market barriers through the development of voluntary protocols and standards” {§2(9)} to overcome these barriers to smart manufacturing technology adoption in the US.

So why is there no mention of cybersecurity in the discussion of the smart manufacturing plan the DOE is supposed to develop and implement? It is almost certainly not because Shaheen and her staff (who really write these bills) do not see the need; they specifically mentioned the need. It is probably not because they are technologically ill equipped to set cybersecurity standards; there is no specificity in the other requirements for the smart manufacturing plan. I do not even believe it is because of the current resistance in the business community to establishing cybersecurity regulations; the bill could have easily called for the establishment of ‘voluntary standards or protocols’ for cybersecurity.

No, I think that the problem here is committee politics. If Shaheen had added the word ‘cybersecurity’ to section 4 of the bill, it would have forced the bill to be referred to at least one more Committee (the Commerce, Science, and Transportation Committee) for consideration. This would have destroyed any minor hope that Shaheen would have had of being able to horse trade with a Committee Chair to get the bill considered by a committee of which she is not a member.

Further, I suspect that she was hoping that the bill would be assigned to the Senate Committee on Small Business and Entrepreneurship (of which she is the Ranking Member), not the Energy and Natural Resources Committee. That is the reason that she makes a major point of addressing small business concerns in the bill. Unfortunately, the inclusion of the DOE really put the kibosh on that hope.

I really think that we might see this bill again later this year when the DOE authorization bill makes it to the floor of the Senate as an amendment to that bill. If it does, I would hope to see some added cybersecurity language. To that end, I would suggest the following specific language:

Add a new §3(10): “VOLUNTARY CYBERSECURITY STANDARDS AND PROTOCOLS -The term “voluntary cybersecurity standards and protocols” means a standard and/or protocol developed by the National Institute of Standards and Technology (NIST) or recognized independent standards setting organizations that an electronic equipment manufacturer, system integrator or system owner may voluntarily apply in the manufacture, integration or operation of an industrial control system, energy management system or information and communication technology system, that would protect such systems from a cyber threat as that term is defined in 6 USC 1501.”

Add a new §4(b)(1)(C): “encourage the development, promulgation and implementation of voluntary cybersecurity standards and protocols in smart manufacturing operations; and”


This simple, generic language could add a significant measure of cybersecurity support to this bill without drawing any significant opposition from manufacturers fearing new government regulations.
 