Wednesday, May 31, 2017

Sigh – ICS-CERT Updates WannaCry Alert Again (#8)

Today the DHS ICS-CERT published another update to their WannaCry Alert that was originally published on May 15th. There is no new information specifically from ICS-CERT, but links are provided to information from four new vendors:

Beckman Coulter (multiple products);
Samsung (generic);
Toshiba (generic); and
Toshiba Medical Systems (generic).

Beckman takes a very detailed approach, but one that is significantly different from the one Siemens has used. They start off by providing a single web page that serves as the source of information for each of their product lines. Then they classify each product into specific and limited categories:

• Not a Microsoft OS – no problem;
• Microsoft patch has already been deployed by Beckman;
• Neither patch nor WannaCry is applicable to the version of Windows® used;
• Products where hardware firewall is recommended;
• Products where detailed specific recommendations are provided; and
• Oops, we don’t know yet; wait for more information.


Each time Beckman identifies a product as a firewall candidate, they include a link to an interesting article about firewall protections against WannaCry by the NH-ISAC. The Q&A at the end of that brief article is particularly well done. I am surprised that ICS-CERT has not included that link in this Alert.

ISCD Updates Two FAQs

Today the DHS Infrastructure Security Compliance Division (ISCD) updated the responses to two frequently asked questions (FAQ) on their Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center page. The changes were not substantial and did not reflect any changes in policy or procedure.

The two FAQ responses that were changed are:


Actually, I cannot see any changes in the response to FAQ #1374. The only change that I see in the response to FAQ #1756 is the addressee on the letter to be sent to ISCD. The previous version of this response had the letter addressed to “David Wulf, Director” and the new addressee is “Amy Graydon, Acting Director”.

This is not the result of some shake-up at ISCD. Back in January when the new Administration took office, the political appointees were required to submit their resignations. Pending new appointments by President Trump, various senior professional staff of the Department were bumped up into acting positions so that the management structure of the Department would be able to continue in force. David Wulf was bumped up to Acting Deputy Assistant Secretary for Infrastructure Protection, DHS, and Amy was bumped up to temporarily fill his Director position. Presumably at some point in the near future, after the nomination and approval process is finally complete, all of these folks will revert to their normal positions. This routinely happens when, for whatever reason, political appointees leave and are not immediately replaced.


I personally do not really understand why DHS includes personnel names in these official addresses. In the military they used the title of the person (i.e., Commander) and the local clerks were smart enough to get the letter to the correct person. Personal mail got sent to a person’s name and official mail got sent to the office.

Tuesday, May 30, 2017

ICS-CERT Updates WannaCry Again (#7)

Today the DHS ICS-CERT published yet another update (#7) to their WannaCry Alert that was originally published on May 15th. While the previous updates just generally added links to vendor reports on affected products, this one provides new information about the growing number of malware families that exploit the same Windows® SMB vulnerability used by WannaCry. It also continues to add new links to new and updated vendor information.

More Malware


This update provides a very brief discussion about three additional malware examples that use the same Windows vulnerability. Those malware are:

UIWIX ransomware;
Adylkuzz Trojan; and
EternalRocks worm

New Vendor Links



The update provides links to a new vendor information product from Johnson Controls. Additionally, links are provided to updated information products from Siemens (Computed Tomography Products, Magnetic Resonance Products, and Biograph mMR). No really new information in any of these documents.

ISCD Publishes June 2017 CFATS Update

Today the DHS Infrastructure Security Compliance Division (ISCD) published their June 2017 CFATS Monthly Update a couple of days early. Interestingly the update was announced (or at least noted) on their Chemical Facility Anti-Terrorism Standards (CFATS) landing page, but not the CFATS Knowledge Center. I expect that we will see it announced there in the coming days.

Changes in Information


ISCD continues their old technique of keeping 90+% of the verbiage on the Monthly Update the same; just updating (most) of the data that changes. Table 1 below summarizes the current facility data from last month and this month.

Current Facilities          May 2017   June 2017      ∆
Covered Facilities             2,570       2,750   +180
Authorization Inspections      2,386       2,349    -37
Approved Security Plans        2,281       2,282     +1
Compliance Inspections         1,921       1,996    +75
Table 1: Current Facilities

The decrease in the number of ‘Current Facilities’ with Authorization Inspections almost certainly indicates that there continue to be facilities leaving the CFATS program. ISCD does not specifically include a reporting of that number, but we can get a pretty good guess from the figures that they provide in their ‘Since Inception of Program’ reporting. Table 2 shows a comparison of those numbers in the two latest reports.

Total Facilities            May 2017   June 2017      ∆
Authorization Inspections      2,914       2,918     +4
Approved Security Plans        2,719       2,726     +7
Compliance Inspections         2,053       2,201   +148
Table 2: Total Facilities

Comparing the ∆ column (or the change between the two reports) we can see that there were at least 4 (+3) new authorization inspections conducted and 7 (+6) site security plans approved. Additionally, there were 148 (+73) compliance inspections completed. This should mean that we have had at least 82 (3 + 6 + 73) facilities leave the program in the Month of May. That should also mean that a total of 262 (180 + 73) new facilities were added to the CFATS program. The change in facility numbers pretty well tracks with what ISCD reported for the initial results for CSAT 2.0.

Missing Information


As long time readers might expect, there are additional pieces of information that I wish ISCD would include in their reporting. First I would like to see some additional reporting on the continued progress of the CSAT 2.0 implementation; numbers like the total number of Top Screen notification letters sent to date and the total number of Top Screen 2.0 submissions received.

Additionally, ISCD could have updated the numbers that they have reported in the ‘**’ footnote in the Update. They continue to report that:

“DHS continues to issue new high-risk tiering determinations as Top-Screens are submitted. 2,268 [emphasis added] of the currently covered facilities were tiered using CSAT 2.0, and 302 [emphasis added] were tiered using the prior methodology.”

Finally, I have to harp on something or no one would believe it was me writing the blog. I really wish that ISCD would add go/no-go stats to their reporting on compliance inspections. It would be very informative to see whether or not there is an improvement over the nearly 50% no-go rate seen earlier in the program.

Manual Update


If you peruse (very closely) the updated CFATS landing page today you might notice that ISCD has also published another updated version of their CSAT 2.0 Security Vulnerability Assessment/Site Security Plan Instructions manual. This is version 2.0.15. There are no details in the manual about what has been changed, but it looks like ISCD is continuing to tweak their manuals to improve clarity.


This was not announced on the CFATS Knowledge Center either. Again, we will probably see a note there in the next couple of days.

Saturday, May 27, 2017

Updated DHS Chemical Sector Information

This week DHS, acting as the Chemical Sector-Specific Agency (SSA) supporting the National Infrastructure Protection Plan (NIPP), published a new website that provides information to support the security and safety of small and medium-sized chemical facilities. This new page serves as a landing page for chemical facilities to find the resources and information available from the US government and its chemical sector partner agencies.

Information Links


The new page provides links to:

Chemical Sector (5-27-17);
Chemical Sector Resources (04-07-17);
Chemical Sector Publications (02-06-17); and

Cybersecurity Support


Chemical manufacturing, warehousing, and transportation companies have specific cybersecurity concerns that extend beyond the standard IT cybersecurity issues with which all public and private sector organizations have to contend. With that in mind, the pages listed above have many references to cybersecurity resources. They include:

Cybersecurity for Small Businesses (training exercise);

None of the above titles specifically addresses industrial control system security issues. There are references to the topic on two of the pages listed above (Chemical Sector Publications and Protecting Critical Infrastructure). The last only provides a link to arguably the most important DHS ICS cybersecurity site, ICS-CERT. The former provides a section on ICS security which describes a worthwhile DVD resource available upon request from DHS. There is only a passing reference to the ICS-CERT Cybersecurity Evaluation Tool (CSET).

Emergency Response Planning


What is sadly lacking from the resources listed is any significant reference to emergency response planning. The only information provided is a link to a FEMA site that provides generic small business emergency planning guidelines. That information is very limited and provides no mention of chemical emergency response planning.


While emergency response planning is important for all businesses, it is arguably much more important for chemical facilities, especially those with hazardous chemicals on site. The failure of emergency response planning for most businesses will not have significant off-site consequences, but that is not true for many (most?) chemical facilities. While the EPA is vaguely responsible for emergency response planning requirements at the most dangerous facilities, one would think that the Federal Emergency Management Agency (FEMA) would be much more proactive in this area.

Friday, May 26, 2017

ISCD Updates Whistleblower Information

Today the DHS Infrastructure Security Compliance Division (ISCD) updated the landing page for the Chemical Facility Anti-Terrorism Standards (CFATS) program, providing more information on how someone can report various concerns about the implementation of the CFATS program at facilities around the country. The new information includes:

• Links to a new ‘Reporting CFATS Violations’ web page;
• Links to a new ‘Report a Violation’ flyer;
• A new email address that can be used to report violations; and
• A brief blurb on the landing page describing all of the above.

Other than the email address there is no new information here. There is an understandable minor expansion of what can/should be reported; the new documentation specifically identifies failure to submit a Top Screen (which is, for some reason, not actually named in the flyer) as one of the things that should be reported to ISCD. That was never specifically mentioned in earlier discussions about CFATS’ violations reporting.


The new version of the landing page also provides a link to another ‘new’ page and an older document. The ‘new’ page is ‘Actions to Improve Chemical Facility Safety and Security - A Shared Commitment’. It is dated December 16th, 2016, but this is the first time that I have seen it. The document linked to from that page is the final report on the response by EPA, OSHA and DHS to the President’s (Obama) Executive Order on Chemical Safety and Security (EO 13650). That reporting document was published in May 2014 and I commented on it soon after.

Bills Introduced – 05-26-17

Yesterday with the House and Senate preparing to leave for an extended Memorial Day weekend (10 days) there were 186 bills introduced. Of those three may be of specific interest to readers of this blog:

S 1269 A bill to require the Office of Pipeline Safety to consult with the Environmental Protection Agency or the Coast Guard in the event the Federal on-scene coordinator has concerns about the ability of a pipeline operator to respond to a worst case discharge. Sen. Stabenow, Debbie [D-MI]

S 1272 A bill to preserve State, local, and tribal authorities and private property rights with respect to unmanned aircraft systems, and for other purposes. Sen. Feinstein, Dianne [D-CA]

S 1281 A bill to establish a bug bounty pilot program within the Department of Homeland Security, and for other purposes. Sen. Hassan, Margaret Wood [D-NH]


Most of the bills yesterday were introduced to allow various congresscritters the opportunity to show their constituents (and funders) that they are doing something in Washington. The vast majority of those bills will never see the light of day or even a congressional hearing. The first of these probably falls into that category, the other two I am not so sure. In any case I will almost certainly be covering these three bills.

ICS-CERT Updates WannaCry Again (#6)

Yesterday the DHS ICS-CERT provided their 6th update to their WannaCry Alert that was originally published on May 15th and last updated on May 22nd. They added links to vendor advisories from:


Both of these vendor advisories make an important note of one of those problems that has not generally been mentioned in the WannaCry debate: control system compatibility with operating system updates. Both vendors specifically state that they have verified the operation of their Windows®-based products with the March MS update that dealt with the SMB vulnerability that underlies the WannaCry attack.

I did a more lengthy post on this issue back in January of 2012 and it is something that all ICS owners should be aware of. Automatic updating of the OS on the machine upon which the industrial control system resides is not necessarily a good thing. Add to that the cases where the ICS is so intertwined with the MS-OS that the vendor has to issue their own patch (see the Spacelabs discussion about their XTR 96280) to implement the MS fix. This results in an additional delay between the identification of the problem and the time that the device owner has any chance of fixing it.


Just one more problem with implementing security on industrial (and medical, and ….) control systems.

Thursday, May 25, 2017

Bills Introduced – 05-25-17

Yesterday with both the House and Senate in session there were 61 bills introduced. Of those one may be of specific interest to readers of this blog:

S 1225 A bill to support research, development, and other activities to develop innovative vehicle technologies, and for other purposes. Sen. Peters, Gary C. [D-MI]


This bill will only be covered here if it contains specific cybersecurity coverage for the innovative vehicle technologies described in the bill.

Wednesday, May 24, 2017

EPA Sends New TSCA Prioritization NPRM to OMB

NOTE: Corrected title 5-24-17 10:30 EDT

Yesterday the Environmental Protection Agency (EPA) sent a notice of proposed rulemaking (NPRM) to the OMB’s Office of Information and Regulatory Affairs (OIRA) for review. The NPRM implements the requirements of §6(b)(1) of the Frank R. Lautenberg Chemical Safety for the 21st Century Act (PL 114-182; 130 Stat 461) for the establishment of a process for the prioritization of risk evaluations.

The TSCA revisions outlined in that Act were generally supported by both the chemical industry and the environmental activism community. This will be the first major set of implementing regulations and it will be interesting to see how far the support for those continues. There have already been a number of official meetings between the EPA staff and organizations representing the regulated community concerning this rulemaking. Interestingly, all of those meetings occurred during the Obama Administration.


It will be interesting to see how long it takes OIRA to approve this rulemaking. Their workload has been generally light since Trump took office (42 rulemakings submitted/13 approved), but this will certainly be a controversial rulemaking that could take some time to wade through, particularly given Trump’s attitude about regulations.

Tuesday, May 23, 2017

ICS-CERT Publishes 3 Advisories

Today the DHS ICS-CERT published two industrial control system advisories for products from Rockwell and Moxa. They also published a medical control system advisory for products from B Braun Medical. The Rockwell advisory was previously published on the NCCIC Portal on April 25th, 2017. The Braun Medical advisory was previously published on the NCCIC Portal on March 23rd, 2017.

B Braun Medical Advisory


This advisory describes an open redirect vulnerability on the B Braun Medical SpaceCom module. The vulnerability was reported by Marc Ruef and Rocco Gagliardi of scip AG. Braun has produced a software update that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to allow URL redirection to untrusted web sites.
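The standard mitigation for an open redirect of the kind described above is to validate the redirect target against an allow-list before issuing the redirect. The following is an added illustration of that check, written for this post; it is not B Braun’s code, and the allowed host name `pump.example.local` and the sample targets are constructed for the example. It handles the usual bypass shapes (scheme-relative `//host`, backslash variants, non-HTTP schemes, credentials-in-URL tricks) by falling back to a fixed landing page.

```python
from urllib.parse import urlsplit

# Fallback used whenever the requested target cannot be trusted.
DEFAULT_LANDING = "/"


def safe_redirect_target(target, allowed_hosts, default=DEFAULT_LANDING):
    """Return `target` only if it stays on this origin or on an allow-listed host.

    Anything else (other hosts, non-HTTP schemes, scheme-relative URLs,
    empty or malformed values) is replaced by `default`.
    """
    if not target:
        return default

    # Browsers treat "/\evil.example" like "//evil.example", so normalise first.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: only plain http(s) to an allowed host.
        if parts.scheme.lower() not in ("http", "https"):
            return default
        host = (parts.hostname or "").lower()
        if host not in {h.lower() for h in allowed_hosts}:
            return default
        return candidate

    # Relative target: require a single leading slash so it cannot leave the origin.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate


def demo():
    """Run the check over constructed sample targets; returns {input: decision}."""
    allowed = {"pump.example.local"}  # constructed allow-list for the example
    samples = [
        "/account/home",
        "//evil.example/login",
        "/\\evil.example",
        "https://pump.example.local/status",
        "https://evil.example/",
        "https://pump.example.local@evil.example/",
        "javascript:alert(1)",
        "",
    ]
    return {s: safe_redirect_target(s, allowed) for s in samples}


if __name__ == "__main__":
    for raw, decision in demo().items():
        print(f"{raw!r:45} -> {decision!r}")
```

The function deliberately rejects bare relative paths such as `home` as well as anything with a scheme other than `http`/`https`; a product that needs to allow more can widen the rules, but every widening should be made against the allow-list rather than by pattern-matching the raw string.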

Rockwell Advisory


This advisory describes multiple vulnerabilities in the Allen-Bradley MicroLogix 1100 and 1400 PLCs. Three of the vulnerabilities were reported by David Formby and Raheem Beyah of Georgia Tech and Fortiphyd Logic, Inc., with the last one being reported by Ilya Karpov of Positive Technologies. Rockwell has provided a firmware update for one of the affected products and recommends disabling the web server as an alternative and/or additional mitigation measure. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The reported vulnerabilities are:

• Predictable value range from previous values - CVE-2017-7901;
• Reusing a nonce, key pair in encryption - CVE-2017-7902;
• Information exposure - CVE-2017-7899;
• Improper restriction of excessive authentication attempts- CVE-2017-7898; and
• Weak password requirements - CVE-2017-7903

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerabilities to gain unauthorized access to the affected programmable logic controllers and to spoof or disrupt TCP connections.

Moxa Advisory


This advisory describes three vulnerabilities in the Moxa OnCell IP gateways. The vulnerabilities were reported by Maxim Rupp. Moxa reports that the latest version of two of the products mitigates the vulnerabilities and provides a workaround for the remainder. There is no indication that Rupp was provided an opportunity to verify the efficacy of the fix.

The reported vulnerabilities are:

• Improper restriction of excessive authentication attempts - CVE-2017-7915;
• Plain text storage of a password - CVE-2017-7913; and
• Cross-site request forgery - CVE-2017-7917


ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to allow an attacker to use brute force to determine parameters needed to access the application. An attacker may also obtain credentials by obtaining files that store passwords in clear text.

PHMSA Publishes GPAC Meeting Notice

Today the DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) published a meeting notice in the Federal Register (82 FR 23714-23715) for a meeting of the Gas Pipeline Advisory Committee (GPAC). The meeting will be held in Arlington, VA on June 6th and 7th, 2017. The meeting is open to the public.

The meeting will provide the advisory committee a chance to review the PHMSA rulemaking on the safe operation of gas transmission and gathering pipelines. The notice of proposed rulemaking (NPRM) was published on April 8th, 2016.

PHMSA is suggesting that people who wish to attend the meeting (no web cast is planned) should register no later than June 2nd. People wishing to submit written comments may do so through the Federal eRulemaking Portal (www.Regulations.gov; Docket # PHMSA-2016-0136). This is the same docket used to receive comments on the NPRM.

Commentary


While President Trump has been vociferously anti-regulation in general, there were a number of provisions in the NPRM that were specifically required by Congress, so in some form this rulemaking will proceed. It will be interesting to see if the GPAC is asked to provide suggestions for the two regulations that will presumably be revoked to allow this rulemaking to proceed.


Monday, May 22, 2017

HR 2518 – CG Authorization – Markup Hearing

Today the House Transportation and Infrastructure Committee announced that there would be a markup hearing on Wednesday. Among the bills to be marked up will be HR 2518, the Coast Guard Authorization Act of 2017.


I have not reviewed HR 2518 here because there is nothing of specific interest to readers of this blog. I will continue to watch HR 2518 (and S 1119, its Senate counterpart) for any amendments that might address cybersecurity, the MTSA program, or chemical transportation safety or security.

ICS-CERT Updates WannaCry Alert Again (#5)

For the fifth consecutive business day ICS-CERT has updated its WannaCry Alert that was originally published on May 15th, 2017. Today’s update includes:

• Updates of two previously issued Siemens Security Advisories (Imaging and Diagnostics Products; and Laboratory Diagnostics Products);
• Adds a new Siemens Security Advisory (Ultrasound Products); and
• A link to a Honeywell Security Update.

I have not mentioned it to date because I have been expecting ICS-CERT or US-CERT to mention this in their alerts (they have not done so as of yet), but Siemens has been reporting since their first advisory publication that there are actually six vulnerabilities involved in the WannaCry malware. Those are:

• CVE-2017-0143 - Windows SMB Remote Code Execution Vulnerability (Input Validation);
• CVE-2017-0144 - Windows SMB Remote Code Execution Vulnerability (Input Validation);
• CVE-2017-0145 - Windows SMB Remote Code Execution Vulnerability (Input Validation);
• CVE-2017-0146 - Windows SMB Remote Code Execution Vulnerability (Input Validation);
• CVE-2017-0147 - Windows SMB Information Disclosure Vulnerability (Information Leak / Disclosure); and
• CVE-2017-0148 - Windows SMB Remote Code Execution Vulnerability (Input Validation)


I’m not sure that this really provides much in the way of actionable information. Both the MITRE CVE and NIST NVD listings for these CVEs are dated from before the WannaCry outbreak. The Microsoft TechCenter reports for these CVEs are also dated, still reporting that there have been no exploits of the vulnerabilities.

Committee Hearings – Week of 05-21-17

With both the House and Senate in Washington this week the focus will start to be on the FY 2018 budget. Other topics will also be addressed in Congressional hearings including one cybersecurity hearing.

Potentially Interesting Budget Hearings


With the President’s FY 2018 budget heading to the Hill this week we will be starting to see a series of hearings on that budget request. Some of the hearings that may be of particular interest to readers of this blog include:

US Cyber Command (House) – Tuesday;
DOT (House) – Wednesday;
DHS (House) – Wednesday;
DOD (Senate) – Wednesday;

Cybersecurity


Okay, ‘cybersecurity’ will really be one of the (major) sub-texts of this hearing. On Tuesday the Cybersecurity Subcommittee of the Senate Armed Services Committee will be holding a hearing on ‘Cyber Posture of the Services’. The witness list includes:

• Vice Admiral Marshall B. Lytle III, USCG
• Vice Admiral Michael M. Gilday, USN
• Lieutenant General Paul M. Nakasone, USA
• Major General Christopher P. Weggeman, USAF
• Major General Loretta E. Reynolds, USMC


I expect that there will be passing references to WannaCry and perhaps some obscure references to industrial control system security issues.

Friday, May 19, 2017

ICS-CERT Updates WannaCry Alert Again (#4)

For the fourth day in a row the DHS ICS-CERT updated their alert for the WannaCry ransomware. It was originally published on Monday and the latest update was yesterday. Today’s update adds links to WannaCry notifications from the following vendors:

Tridium; and


The update also provides a link to a general WannaCry support document from Siemens Healthineers. This document and a further linked Siemens blog post provide a good technical discussion of the WannaCry problem and solutions, including links to Microsoft updates for ‘unsupported’ (outdated?) Windows operating systems still in use by Siemens Healthineers (and too many other industrial control) products.

Bills Introduced – 05-18-17

Yesterday with both the House and Senate in session there were 75 bills introduced. One of those may be of specific interest to readers of this blog:

HR 2518 To authorize appropriations for the Coast Guard for fiscal years 2018 and 2019, and for other purposes. Rep. Hunter, Duncan D. [R-CA-50]

The Senate version of this bill was introduced on Tuesday and marked up yesterday (more on both later):


I will be watching both bills for cybersecurity as well as chemical transportation safety and security provisions.

ICS-CERT Updates WannaCry Alert, Updates 2 Advisories and Publishes 2

Yesterday the DHS ICS-CERT published another update of their WannaCry ransomware alert, updates for two advisories, and new advisories for products from Schneider Electric and Miele Professional. They also published a notice about the date of the Fall 2017 ICSJWG meeting in Pittsburgh, PA on September 12-14, 2017.

WannaCry Update


This update provides new information on the alert published on May 15th and updated on May 16th and again on May 17th. Unfortunately, I missed yesterday’s update so I will list both sets of changes at one time. The new information includes WannaCry advisories from the following vendors:

Philips (general security web page, scroll down to WannaCry article);
Johnson & Johnson (general security web page, scroll down to WannaCry article); and

GE Proficy Update


This update provides new information on the advisory originally published on January 17th, 2017 and updated on January 24th. The update provides links to updates for the following products:

• GE has released new versions of the Historian software, Version 6.0 SIM 9 (Standard and Enterprise);
• GE has released a new version of the Historian software, Version 5.5 SIM 37;
• GE has released a new version of the CIMPLICITY software, Version 8.2 SIM 49; and
• GE has released a new version of the CIMPLICITY software, Version 9.0 SIM 22

NOTE: The contact information for receiving CIMPLICITY v9.5 and Historian v7.0 has inexplicably been removed from this update. GE still recommends updating to these versions.

GE Multilin Update


This update provides new information on the advisory originally published on April 27th, 2017. The update adds two new affected product lines to the advisory:

• Universal Relay, firmware Version 6.0 and prior versions, and
• URplus (D90, C90, B95), all versions.

Update information is provided for the Universal Relay products. GE expects to release the URplus firmware updates in July. The 369 Motor Protection Relay firmware update is still expected to be released next month.

Schneider Advisory


This advisory describes an incorrect default permissions vulnerability in the Schneider Wonderware InduSoft Web Studio. The vulnerability was reported by Karn Ganeshen. Schneider has released a new service pack to address the vulnerability. There is no indication that Ganeshen has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker with authorized access could exploit this vulnerability to escalate his or her privileges. The Schneider Security Notification expands that to state:

“The directory and files are added to system's PATH. Therefore, they can be manipulated by non-administrator users to write malicious files/DLLs and escalate privileges once these are executed.”
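The Schneider notice above describes the general pattern behind this class of privilege escalation: a directory on the system PATH that non-administrators can write to lets them drop a file or DLL that a privileged process later picks up. The following is an added defender-side check written for this post, not Schneider’s or ICS-CERT’s code. It probes each PATH entry by creating and deleting a uniquely named file; run it under a standard (non-admin) account on the host being audited, since that is the account whose write access matters. The `demo()` function builds a constructed PATH layout in a temporary directory so the check can be exercised offline.

```python
import os
import tempfile
import uuid


def writable_path_dirs(path_value, sep=os.pathsep):
    """Return the entries of `path_value` that the current user can write to.

    Writability is tested empirically (create then delete a uniquely named
    file) rather than by inspecting ACLs, so the same code works on Windows
    and POSIX. Entries that do not exist as directories are skipped.
    """
    findings = []
    for entry in path_value.split(sep):
        entry = entry.strip()
        if not entry or not os.path.isdir(entry):
            continue
        probe = os.path.join(entry, ".path_probe_" + uuid.uuid4().hex)
        try:
            # "x" mode fails if the file already exists, so we never clobber anything.
            with open(probe, "x"):
                pass
        except OSError:
            continue  # not writable by this account
        os.unlink(probe)
        findings.append(entry)
    return findings


def audit_current_path():
    """Audit the PATH of the running process (meaningful only as a non-admin user)."""
    return writable_path_dirs(os.environ.get("PATH", ""))


def demo():
    """Exercise the check on a constructed PATH: one writable dir, one missing dir."""
    with tempfile.TemporaryDirectory() as root:
        writable = os.path.join(root, "vendor_tool_bin")  # constructed, user-writable
        os.mkdir(writable)
        missing = os.path.join(root, "does_not_exist")   # constructed, absent
        path_value = os.pathsep.join([writable, missing])
        found = writable_path_dirs(path_value)
        return {"writable": writable, "missing": missing, "found": found}


if __name__ == "__main__":
    result = demo()
    print("constructed PATH -> writable entries:", result["found"])
    print("live PATH -> writable entries:", audit_current_path())
```

Any directory the script reports under a standard user account is a candidate for the misconfiguration the notice describes; the fix is to tighten the directory’s permissions so only administrators can write to it, or to remove it from the system PATH.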

Miele Advisory


This advisory describes a path traversal vulnerability in the Miele Professional PG 8528, a large capacity cleaner and disinfector used in hospitals and laboratory settings. This advisory provides updated information on the ICS-CERT alert on this vulnerability reported on March 30th, 2017. ICS-CERT still does not provide a link to the public disclosure by Jens Regel. Miele has provided software updates to mitigate the vulnerability. There is no indication that Regel has been provided an opportunity to verify the efficacy of the fix.


ICS-CERT reports that a relatively unskilled attacker could remotely use the publicly available exploits to read or modify sensitive data or files, execute unauthorized code or commands, and possibly cause a system crash.

Thursday, May 18, 2017

ISCD Updates NTAS FAQ

Yesterday the DHS Infrastructure Security Compliance Division (ISCD) updated one of the responses to a frequently asked question (FAQ) on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. The change in the FAQ referring to the National Terrorism Advisory System (NTAS) is significant enough that it was specifically mentioned in the ‘Latest News’ section of the Knowledge Center.

The response to FAQ #1724 (How do National Terrorism Advisory System (NTAS) Alerts and Bulletins affect a CFATS Facilities’ RBPS 13 compliance responsibilities?) is a complete re-write and should be read by anyone responsible for security at a CFATS covered facility. The change basically delineates the differences in facility response requirements for an NTAS Alert and an NTAS Bulletin.


Coincidentally, DHS published a new NTAS Bulletin earlier this week. As with the previous update there is nothing new here. It looks like we probably should have stuck with the earlier, color-coded version of the NTAS; at least you did not need to read anything to know that the situation was still the same.

Wednesday, May 17, 2017

Bills Introduced - 05-16-17

With both the House and Senate in session yesterday there were 78 bills introduced. One of those bills may be of specific interest to readers of this blog:

S 1129 A bill to authorize appropriations for the Coast Guard, and for other purposes. Sen. Sullivan, Dan [R-AK]


This is the bill that I mentioned earlier this week. A copy of the text (official or otherwise) is still not available. I will be watching for cybersecurity issues as well as chemical transportation safety and security requirements. A reminder: the Senate Commerce, Science, and Transportation Committee will mark up this bill tomorrow.

ICS-CERT Updates WannaCry Alert and Publishes 4 Advisories

Yesterday the DHS ICS-CERT updated their earlier alert on the WannaCry ransomware. They also published four control system security advisories for products from Schneider Electric (2), Hanwha Techwin, and Detcon.

WannaCry Update


This update provides additional information on the alert that was issued yesterday. The new information includes:

• Links to two new vendor advisories from ABB and Siemens; and
• Links to some generic information (here and here) from the FDA on medical device security.

Siemens makes an important point about medical device cybersecurity:

“We would like to point out that neither the use of an email client nor browsing the internet is part of the intended use of most of the product types covered by this Siemens Security Bulletin.”

The ABB document does mention restricting SMB protocol use but stops short of recommending disabling the protocol as suggested by Microsoft. They do note:

“This will help to prevent spreading of the WannaCry malware from individual compromised computers. For specific guidance please see additional communication for specific ABB solutions and contact your local ABB service organization.”

NOTE: The US-CERT also updated their alert for this malware.

Schneider VAMPSET Advisory


This advisory describes an improper input validation vulnerability in the Schneider VAMPSET tool. The vulnerability was reported by Kushal Arvind Shah from Fortinet's Fortiguard Labs. Schneider has produced a new firmware version to mitigate the vulnerability. There is no indication that Shah has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker with local access could exploit the vulnerability to cause the software to enter a denial-of-service condition. The Schneider Security Notification reports that the vulnerability has no effect on the operation of the protection relay to which VAMPSET is connected.

Techwin Advisory


This advisory describes an improper access control vulnerability in the Hanwha Techwin SRN-4000 network video management platform. The vulnerability was reported by Can Demirel and Faruk Unal of Biznet Bilisim. Techwin reports that a newer version mitigates the vulnerability. ICS-CERT reports that the researchers have verified the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to gain remote access to the web management portal with admin privileges without authentication.

Schneider SoMachine Advisory

This advisory describes two vulnerabilities in the Schneider SoMachine HVAC software. The vulnerabilities were separately reported by Zhou YU and Himanshu Mehta. Schneider reports that a newer version mitigates the vulnerabilities. There is no indication that either researcher has been provided the opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2017-7965; and
• Uncontrolled search path element - CVE-2017-7966

ICS-CERT reports that a relatively unskilled attacker (no access characterization) could exploit the vulnerabilities to execute arbitrary code and could cause the device that the attacker is accessing to crash due to the buffer overflow condition.

NOTE: The Schneider Security Notification only addresses the buffer overflow vulnerability.

Detcon Advisory


This advisory describes two vulnerabilities in the Detcon SiteWatch Gateway. The vulnerabilities were reported by Maxim Rupp. ICS-CERT reports that Detcon no longer owns or services the SiteWatch Gateway product, but is attempting to notify customers of the vulnerabilities.

The two reported vulnerabilities are:

• Improper authentication - CVE-2017-6049; and
• Plaintext storage of passwords - CVE-2017-6047


ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to allow remote code execution. An attacker who exploits these vulnerabilities may be able to change settings on the affected product or obtain user passwords.

Tuesday, May 16, 2017

Committee Hearings – Week of 05-14-17

With both the House and Senate in Washington this week there are a number of hearings scheduled. Three of those hearings may be of specific interest to readers of this blog. They relate to updating the Emergency Alert System (EAS), emerging transportation technologies, and the markup of a Coast Guard authorization bill.

EAS


On Wednesday the Communications and Technology Subcommittee of the House Energy and Commerce Committee will hold a hearing to look at the “Future of Emergency Alerting”. A witness list is not currently available. The staff memo on the topic does not mention potential cybersecurity concerns; a surprising omission given the recent EAS fiasco in Dallas, TX.

Transportation Technologies


The Transportation, Housing and Urban Development, and Related Agencies Subcommittee of the House Appropriations Committee will be holding a hearing on “Emerging Transportation Technologies”. The witness list includes:

• Nidhi Kalra, RAND Corporation;
• Mykel Kochenderfer, Stanford University Department of Aeronautics and Astronautics;
• David Strickland, Self-Driving Coalition for Safer Streets; and
• Brian Wynne, Association of Unmanned Vehicle Systems International.

There is a distinct possibility that cybersecurity issues may be briefly and lightly discussed.

CG Authorization


The Senate Commerce, Science, and Transportation Committee will hold a markup hearing on Thursday. A number of bills are on the agenda, including an as-yet-unintroduced bill for the FY 2018 authorization for the Coast Guard. No copies of the bill are currently available on the Committee web site. It will be interesting to see if chemical transportation safety or security, or cybersecurity, receive a mention in this bill.

On the Floor


The only thing of potential interest on the floor of the House this week is the consideration of HR 1616, Strengthening State and Local Cyber Crime Fighting Act of 2017. I have not covered this bill because it includes no mention or coverage of control system security issues. It is being considered under the suspension of rules process, so there will be limited debate and no amendments. The leadership expects this bill to pass with substantial bipartisan support.


I will be very surprised if we do not hear at least some mention of WannaCry in the debate on this bill.

ICS-CERT Publishes WannaCry Alert

Yesterday the DHS ICS-CERT published a control system security alert for the WannaCry ransomware. This alert is a follow-up to the US-CERT alert on the same attack vector. The alert provides links to three vendor sites providing information about indicators of attacks on their Microsoft Windows® based control system products. Those vendors (and their WannaCry links) are:

Rockwell Automation (log on required);

Both the Schneider and BD advisories emphasize that, while medical and industrial control systems have been affected, this is a Microsoft Windows based ransomware attack. They both recommend ensuring that the Microsoft patch for the MS17-010 SMB vulnerability is applied to all Windows based machines (including Windows XP and Windows 8). It is interesting that neither the vendor alerts nor the ICS-CERT alert discusses the Microsoft suggestion to turn off the SMB file sharing tool.
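The two recommendations above (apply the MS17-010 patch; consider turning off SMBv1) are easy to verify from a host's own PowerShell prompt. The script below is an added example written for this post; it is not from the ICS-CERT alert or from any vendor advisory. It assumes the KB package numbers in $Ms17010Kbs (the March 2017 Windows 7 SP1/Server 2008 R2 packages and the May 2017 out-of-band package for XP/Server 2003/8) as this editor recalls them; confirm them against the MS17-010 bulletin for the OS builds in your plant, because later cumulative updates supersede these KBs and a miss is a prompt to look further, not proof the host is unpatched.

```powershell
# Added example, not from ICS-CERT or any vendor: a read-only check that a Windows
# host carries an MS17-010 package and whether the SMBv1 server protocol (the
# one WannaCry spreads over) is still enabled. Nothing is changed unless the
# operator passes -DisableSmb1.
#
# ASSUMPTION: the KB numbers below are the ones this editor recalls for MS17-010;
# verify them against the Microsoft bulletin for your OS builds before relying
# on the result.

param(
    [switch]$DisableSmb1   # only change state when explicitly asked
)

$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012598')

function Test-Ms17010Installed {
    # Get-HotFix lists installed update packages by their KB identifier.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID
    $found = $Ms17010Kbs | Where-Object { $installed -contains $_ }
    [pscustomobject]@{
        Patched = [bool]$found
        Matched = ($found -join ',')
    }
}

function Get-Smb1State {
    # Windows 8.1 / Server 2012 R2 and later expose the SMB server setting directly.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) { return [bool]$cfg.EnableSMB1Protocol }

    # Older hosts: the LanmanServer SMB1 registry value Microsoft documents for
    # disabling the SMBv1 server. An absent value means the default (enabled).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $v = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $v) { return $true }
    return ($v -ne 0)
}

$patch = Test-Ms17010Installed
$smb1  = Get-Smb1State

[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    Ms17010Present = $patch.Patched
    MatchedKBs     = $patch.Matched
    Smb1Enabled    = $smb1
} | Format-List

if ($smb1 -and $DisableSmb1) {
    # Disabling the server-side protocol breaks clients that only speak SMBv1
    # (older HMIs, printers, some instruments), so confirm none are present first.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWORD -Value 0 -Force
        Write-Output 'Registry value set; a reboot is required for this to take effect.'
    }
    Write-Output 'SMBv1 server protocol disabled.'
}
```

Run it without arguments on a sample of control system hosts to build an inventory of who is patched and who still has SMBv1 on; only after the SMBv1-only devices on the network are accounted for should -DisableSmb1 be used, and on a medical or control device the vendor's own guidance (as the Beckman and Siemens material discussed elsewhere on this page shows) governs whether that step is appropriate at all.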


ICS-CERT expects to update this alert with additional vendor information when it becomes available.

Thursday, May 11, 2017

ICS-CERT Publishes Two Advisories

Today the DHS ICS-CERT published two control system security advisories for products from Satel Iberia and Phoenix Contact.

Satel Iberia Advisory


This advisory describes a command injection vulnerability in the Satel Iberia SenNet Data Logger and Electricity Meters. The vulnerability was reported by Karn Ganeshen. A new version is available that mitigates the vulnerability. There is no indication that Ganeshen was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to gain root privilege, run arbitrary commands and change system data.

Phoenix Contact Advisory


This advisory describes two vulnerabilities in the Phoenix Contact mGuard. The vulnerabilities were self-reported. A new firmware version is available that mitigates the vulnerabilities.

The two reported vulnerabilities are:

• Resource exhaustion - CVE-2017-7935; and
• Improper authentication - CVE-2017-7937


ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerabilities to disrupt the availability of the device and gain unauthorized access to the device.

Reader Comment – NIST Working Group

An informative comment from RCandell on this morning’s blog post about the Wireless Systems for Industrial Environments (WSIE) program. I had sent Richard Candell, the lead for the working group, an email asking about cybersecurity concerns in the working group. Read his comment, but the short answer is that ICS cybersecurity is being handled elsewhere within NIST. His group will rely on NIST SP 800-82 and the Cybersecurity Framework for the cybersecurity information that they will include in their guidelines product.


Nice to have a prompt response from Richard. Not what you always get from the guvmint (Grin).

NIST Announces Wireless Control System Network Study

Today the National Institute of Standards and Technology (NIST) published a notice in the Federal Register (82 FR 21980) that it was establishing a technical working group (TWG) to develop best practices guidelines in selecting and deploying industrial wireless solutions within industrial environments such as process control and manufacturing.

The TWG would be established under the Networked Control System Group (NCSG). NIST is asking for organizations that wish to participate in the TWG to notify them within the next 180 days. No further details are provided in the notice.


The NCSG does have a web page established for their Wireless Systems for Industrial Environments (WSIE) program. That page does briefly acknowledge that one of the problems facing the adoption of wireless control systems technology is cybersecurity. A separate web page for the new TWG does not mention cybersecurity at all. It is not clear at this point whether or not cybersecurity concerns will be addressed in the best practice guidelines being developed.

Wednesday, May 10, 2017

ISCD Publishes CFATS Quarterly

I missed this last night because of problems with accessing the CFATS Knowledge Center, but on Monday the DHS Infrastructure Security Compliance Division published the latest version of their Chemical Facility Anti-Terrorism Standards (CFATS) Quarterly. The latest version provides information on the CSAT 2.0 tiering results, an overview of facility response requirements for a new tiering letter, and a brief reminder about annual CFATS audits.

Tiering Results


Not much new information is provided in what is really just a summary of the recent webinars that ISCD held concerning the tiering results. The number of new Top Screens received has been raised to 12,000. ISCD reports that it will continue to send out Top Screen notification letters over the next 18 months to the remaining 15,000 facilities that previously submitted Top Screens showing the presence of DHS chemicals of interest (COI) at or above the screening threshold quantity.

Tiering Letter Response Requirements


While ISCD did briefly discuss what a facility needs to do to respond to a new Tiering Letter during their webinar, the Quarterly provides a discussion that is a bit more detailed. It is still not a definitive discussion, but ‘definitive’ is not really possible given the wide variety of facilities and circumstances involved. The final paragraph provides the solution to the lack of a definitive answer:

“DHS will assess facilities on a case-by-case basis to ensure security measures are appropriate to their level of risk. You may reach out to your Chemical Security Inspector or Compliance Case Manager if you are unsure what specific steps to take.”

CFATS Audits


There is a brief sidebar at the bottom of the second page of the Quarterly that reminds facility security managers that every CFATS covered facility with an approved site security plan (SSP) is required {6 CFR 27.225(e)} to conduct an annual audit of their compliance with that SSP. The CFATS rule does not provide detailed guidance on what such an audit will include. This brief piece in the Quarterly provides the following suggestions:

• Verification of Top-Screen and SVA data, including ensuring COI information is current;
• Confirmation of all CSAT user roles;
• Confirmation of all existing and planned measures from the SSP/ASP; and
• Review of current policies, procedures, training, etc.


I briefly addressed this issue back in December 2014 and I still think that post provides a useful look at audit requirements. A formal audit summary document certainly needs to be prepared and it needs to be made available during any compliance inspection.

Tuesday, May 9, 2017

Committee Hearings – Week of 5-7-17

With just the Senate in Washington this week (the House is taking a District Work Week) there are a relatively limited number of hearings scheduled. There is only one hearing currently scheduled this week that may be of specific interest to readers of this blog: a cybersecurity hearing.

The Senate Homeland Security and Governmental Affairs Committee will hold a hearing on Wednesday on “Cyber Threats Facing America: An Overview of the Cybersecurity Threat Landscape”. The witness list includes:

• Jeffrey E. Greene, Symantec Corporation;
• Steven Chabinsky, White & Case LLP;
• Brandon Valeriano, Marine Corps University; and
• Kevin Keeney, Monsanto Company.


There is no indication that there will be any significant discussion of industrial control system security issues.