Friday, June 30, 2017

ICS-CERT Publishes Petya Alert

Today the DHS ICS-CERT published an alert for the Petya malware variant. It includes a brief description of the action of the worm, with the information coming from a number of linked sources. As we saw with the ICS-CERT WannaCry alert, this alert provides links to vendor information about how the malware may be dealt with in their affected systems. The vendors in this initial alert (I expect to see a large number of updates as more vendor information becomes available) include:

• Rockwell (account required for access).

It is interesting that the US-CERT’s Petya announcement is not included in the Alert links. Nor are links from Dräger, Schneider, and ABB, all of which were discussed yesterday on LinkedIn and other outlets. There is no really new or important information in any of these documents: keep the Windows OS updated and block ports 139/TCP and 445/TCP, all of which is adequately covered in the ICS-CERT alert.


One point not really mentioned in any of these: Petya is a poster child for why you should not pay the ransom. There is no guarantee that you will get your files unlocked even if you pay the requested ransom.

ISCD Updates CSAT Site Access FAQ

Yesterday the DHS Infrastructure Security Compliance Division (ISCD) updated one of the responses to a frequently asked question (FAQ) on their Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. The FAQ was #81:


In addition to adding the “2.0” in the question to reflect the new and improved CSAT tool, two additions were made to the FAQ response:

• Added a clickable link to the CSAT 2.0 web site; and
• Added instructions for the TLS 1.0 security setting when using Chrome®.

This FAQ was previously changed in February when the Firefox TLS setting instructions were added.

BTW: I just noticed that the February changes to the Knowledge Center that I previously mentioned included removing at least three long-standing FAQs (dated August 8th, 2008) and their responses. Those FAQs were:

• FAQ #42 Is DHS seeking to pre-empt State chemical security regulations with the new Federal regulations?
• FAQ #54 What role did private industry play in developing this rule?
• FAQ #55 Will there be fees involved for the chemical companies?

These FAQs were probably superfluous, but they provided some interesting insights into the early development of the CFATS program. I find it interesting that the response to FAQ #55 indicated that DHS had considered a number of fees to be associated with the program and kept the door open for their possible future application.


HR 3010 Introduced – Cyber Hygiene

Last week Rep. Eshoo (D,CA) introduced HR 3010, the Promoting Good Cyber Hygiene Act of 2017. The bill would require the National Institute of Standards and Technology to establish a list of best practices for effective and usable cyber hygiene based upon the Cybersecurity Framework (CSF) established pursuant to EO 13636.

Information System Guidelines


The best practice guidelines would be available to all personnel “utilizing an information system or device”. Adoption of the best practices would be voluntary and should serve as a baseline upon which additional cybersecurity practices are established. NIST would be required to update the guidelines on an annual basis.

The guidelines would {§2(a)}:

• Be a list of simple, basic controls that have the most impact in defending against common cybersecurity threats and risks; and
• Utilize technologies that are commercial off-the-shelf and based on international standards.

IOT Cyber Hygiene


Paragraph 2(h) of the bill would require DHS (in coordination with NIST and the Federal Trade Commission) to conduct a study of “cybersecurity threats relating to the Internet of Things” (IoT) {§2(h)(2)}. The study would {§2(h)(3)}:

• Assess cybersecurity threats relating to the Internet of Things;
• Assess the effect such threats may have on the cybersecurity of the information systems and networks of the Federal Government; and
• Develop recommendations for addressing such threats.

In this paragraph IoT is defined as “the set of physical objects embedded with sensors or actuators and connected to a network” {§2(h)(1)}.

Moving Forward


Neither Eshoo nor her co-sponsor, Rep. Brooks (R,IN), is a member of the House Science, Space, and Technology Committee, the Committee to which this bill was assigned for consideration. This means that it is extremely unlikely that the bill will be considered in that Committee.

There is nothing in this bill that would cause any serious opposition to the bill if it were considered in committee or on the floor of the House or Senate.

Commentary


The lack of a definition of ‘information system or device’ would typically mean that the common usage of that term, the narrow IT centric definition, would probably exclude industrial control systems (ICS) from specific inclusion in the cyber hygiene guidelines.

Having said that, the very wide and ICS-inclusive definition of IoT that would support Federal information systems and networks throws the whole meaning of ‘information system’ open to serious interpretive problems.

For the purposes of this bill, however, since neither NIST nor DHS would be provided any funding to establish the guidelines or conduct the study, the two agencies would use the narrowest, IT-centric definition. They would certainly be ignoring the much more complex ICS cybersecurity issues for the NIST guidelines.


This would greatly reduce the scope of any IoT study conducted under provisions of this bill. The only devices that would probably be considered would be devices supporting network communications and server farms. That is a very small part of the IoT cybersecurity problem. Including the IoT study in this bill underlines how poorly congresscritters and their staffs understand the potential scope of IoT cybersecurity issues.

Bills Introduced – 06-29-17

Yesterday, with the House and Senate preparing to leave for their extended 4th of July holiday, there were 122 bills introduced. As with any time there is an extended congressional absence from Washington, most of these bills were introduced solely for the purpose of providing talking points (well, bragging points) during fundraising and campaign activities back home. Few will see any sort of activity in Washington.

Of the bills introduced, there is one that may be of specific interest to readers of this blog:

S 1475 A bill to provide for the identification and documentation of best practices for cyber hygiene by the National Institute of Standards and Technology, and for other purposes. Sen. Hatch, Orrin G. [R-UT]


This bill is probably a companion bill to HR 3010 which I will be reviewing later today.

Thursday, June 29, 2017

ICS-CERT Publishes 3 Advisories

Today the DHS ICS-CERT published three control system security advisories for products from Siemens (2) and Schneider.

Siemens Viewport Advisory


This advisory describes an improper authentication vulnerability in the Siemens Viewport for Web Office Portal. The vulnerability was reported by Hannes Trunde from Kapsch BusinessCom AG. Siemens has developed a new version that mitigates the vulnerability. There is no indication that Trunde has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to upload and execute arbitrary code. The Siemens security advisory reports that the attacker must have network access to the web server on port 443/TCP or port 80/TCP of the affected product.

Schneider Advisory


This advisory describes a number of vulnerabilities in the Schneider U.motion Builder. The vulnerabilities were reported by rgod via the Zero Day Initiative and were publicly disclosed on 6-12-17 on the ZDI site (ZDI-17-372 through ZDI-17-392). Schneider has a firmware patch scheduled for August to mitigate these vulnerabilities.

The reported vulnerabilities include (there were 22 vulnerabilities identified on the ZDI site):

• SQL injection - CVE-2017-7973;
• Path traversal - CVE-2017-7974;
• Improper authentication - CVE-2017-9956;
• Use of hard-coded password - CVE-2017-9957;
• Improper access control - CVE-2017-9958;
• Denial of service - CVE-2017-9959; and
• Information exposure through an error message - CVE-2017-9960.

ICS-CERT reports that a relatively low skilled attacker could use publicly available exploits to remotely exploit these vulnerabilities to execute arbitrary commands or compromise the confidentiality, integrity, and availability of the system. The Schneider Security Advisory provides a number of generic mitigation measures that should be employed until the patch is applied.

Siemens SIMATIC Advisory


This advisory describes a permissions, privileges, and access controls vulnerability in various Siemens industrial products. The vulnerability actually exists in the Intel processors used in these products. The vulnerability was reported by Maksim Malyutin from Embedi to Intel. Siemens has produced updates to a number of industrial product PCs and continues to work on the remainder.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to gain system privileges. The Siemens Security Advisory provides a detailed (2-page) list of vulnerable products.

NOTE: The Intel chipsets are almost certainly used in a wide variety of other ICS related PCs. I would like to assume that Intel has talked to other potentially affected vendors about this issue and that we can expect to see other similar announcements from other vendors.

ISCD Publishes July 2017 CFATS Update

Today the DHS Infrastructure Security Compliance Division (ISCD) published the July 2017 Chemical Facility Anti-Terrorism Standards (CFATS) Monthly Update. As with the previous report, this was published before the end of the month and there is no indication of what the data cut-off date was. This makes it hard to accurately compare month-to-month results.

DHS continues to report two sets of numerical data: one for ‘currently covered facilities’ (facilities currently in the CFATS program) and a separate set for all facilities ‘since the inception’ of the program (what I call ‘Total Facilities’). The reason for the two sets of data is that it provides a better perspective on the work that the Chemical Security Inspectors (okay, CSI, sigh) have done since the program began in 2007.

Current Facilities


Table 1 shows a comparison of the data reported this month and last month for facilities ‘currently’ in the CFATS program.

Current Facilities          June 2017   July 2017     ∆
Covered Facilities              2,750       3,018   +68
Authorization Inspections       2,349       2,347    -2
Approved Security Plans         2,282       2,266   -16
Compliance Inspections          1,996       2,025   +29
Table 1: Changes in ‘Current Facility’ Data

The data shows a net gain in the number of covered facilities. It is important to remember that DHS is continuing to send out Top Screen notification letters to a selection of current facilities and previously reporting facilities directing them to submit a new 2.0 Top Screen. Some of the previously reporting (but not covered) facilities will become covered facilities under the new risk assessment process and some of the current facilities will be dropped from the program because of the changes made in that assessment. Additionally, some number of facilities will continue to modify their processes and chemical inventories (or go out of business) resulting in their being dropped from the program.

The changes in the (unpublished) list of covered facilities and continuing efforts by CSI and covered facility teams also result in changes in the number of Authorization Inspections, Approved Site Security Plans and Compliance Inspections. This month there were net losses in the first two items and a net gain in the third.

Total Facilities


To get a better understanding of what that really tells us about the regulated community we need to look at the month-to-month changes in the number for all facilities since the inception of the program. Table 2 shows those numbers.

Total Facilities            June 2017   July 2017      ∆
Authorization Inspections       2,918       2,923     +5
Approved Security Plans         2,726       2,732     +6
Compliance Inspections          2,201       2,323   +122
Table 2: Changes in ‘Total Facility’ Data

From this data, we can see that CSI completed five authorization inspections and 122 compliance inspections in the period between the two reports. Additionally, 6 SSPs were approved by ISCD. This would seem to indicate that we lost somewhere between 7 (the difference in the ∆ numbers for authorization inspections) and 93 (the difference in the ∆ numbers for compliance inspections) covered facilities for the covered periods.

There does seem to be a possible problem with this data (or perhaps my analysis) however. Every facility that has completed a compliance inspection must have had at least one SSP approved. Most facilities that have an approved SSP have had at least one authorization inspection (the potential exception would be the very limited number of facilities that have availed themselves of the Expedited Approval Process; their SSPs were approved based upon their certification and did not require an authorization inspection). Thus, we should expect to see a much larger loss (change since last month) in the number of current authorization inspections and site security plans based upon the ∆ for compliance inspections.

New Data Reported



I mentioned last month that ISCD had not changed the numbers in the ‘**’ footnote between the May and June reports. Those numbers reflected the mix of old and new Top Screens that were responsible for the current batch of covered facilities. In both of the earlier reports ISCD reported 2,268 CSAT 2.0 facilities and 302 original Top Screens. This month they reported 2,886 and 142 respectively. The two-month ∆s for those numbers are 618 and 160. Trying to tease any more information out of those numbers is going to take some additional thought.

Bills Introduced – 6-28-17

Yesterday, with both the House and Senate in session, there were 48 bills introduced. Of those only one may be of specific interest to readers of this blog:

HR 3101 To enhance cybersecurity information sharing and coordination at ports in the United States, and for other purposes. Rep. Torres, Norma J. [D-CA-35]

It will be interesting to see if the bill includes control system cybersecurity provisions.

Wednesday, June 28, 2017

ISCD Publishes Updated CFATS Web Pages

Today the DHS Infrastructure Security Compliance Division (ISCD) updated their Chemical Facility Anti-Terrorism Standards (CFATS) program landing page. The new version provides links to three recently updated web pages:


The changes to the Compliance Assistance Visit web page were cosmetic.

CFATS Presentation


This page added some information that should be included in the email requesting a presentation. The new questions include:

• Is this presentation part of a larger event or conference?
• How long is this presentation? Should the Department representative allot time for questions and answers from the audience?
• Background of attendees?
• What other speakers will be presenting on the same topic/forum?
• Is the event open or closed to the press? If open, are press attending?
• Event agenda and website (when available)

RBPS



This page now includes a link to a new web page describing the new RBPS 18 guidance documents that were released last week. That new web page provides essentially the same information that I described in my earlier post on the topic.

HR 2930 Introduced – UAS Policy

Earlier this month Rep. Lewis (R,MN) introduced HR 2930, the Drone Innovation Act of 2017. The bill would require the Department of Transportation to publish policy guidelines outlining State and local governments’ ability to regulate the operation of small unmanned aircraft systems (UAS). In many ways the bill is similar to S 1272, but it is in no way a companion bill.

Local Operation


In §2 of the bill the terms ‘local operation’ and ‘local in nature’ are defined. They are the key, in this bill, to establishing in what areas State and local governments may regulate UAS operations. The mutual definition of these terms refers to flights or portions of civil unmanned aircraft flights that occur in airspace {§2(3)}:

• Up to 200 feet above ground level; and
• Within the lateral boundaries of a State, local, or Tribal government’s jurisdiction.

Policy Guidelines


Section 3 outlines the framework that DOT is required to develop to help standardize (as much as possible) State and local rules with regards to “reasonable time, manner, and place limitations and other restrictions on operations of civil and small unmanned aircraft that are local in nature” {§3(b)(1)}. Additionally, the section outlines the limits on future federal rulemaking so as to “preserve the legitimate interests of State, local, and Tribal governments” {§3(c)}. Those limits include {§3(d)}:

• Any limitation on small or civil unmanned aircraft should be consistent with maintaining the safe use of the navigable airspace and the legitimate interests of State, local, and Tribal governments.
• Innovation and competition are best served by a diverse and competitive small and civil unmanned aircraft systems industry.
• Any limitation on small or civil unmanned aircraft should not create an unreasonable burden on interstate or foreign commerce.
• The operation of small and civil unmanned aircraft systems that are local in nature have more in common with terrestrial transportation than traditional aviation.
• As it relates to the time, manner, and place of unmanned aircraft local operations, and the need to foster innovation, States, local, and Tribal governments uniquely possess the constitutional authority, the resources, and the competence to discern the sentiments of the people and to govern accordingly.
• Relying upon technology solutions, such as unmanned traffic management, provided by private industry, will effectively solve policy challenges.
• State, local and Tribal officials are best positioned to make judgments and issue dynamic limitations around events, including, fires, accidents and other first responder activity, public gatherings, community events, pedestrian thoroughfares, recreational activities, cultural activities, heritage sites, schools, parks and other inherently local events and locations, which may justify limiting unmanned aircraft activity that is local in nature while balancing the activities or events against the need for innovation.
• The economic and non-economic benefits, of small and civil unmanned aircraft operations may be best achieved by empowering the State, local, and Tribal governments to create a hospitable environment to welcome innovation.
• Innovation and competition in the unmanned aircraft industry are best served enabling State, local, and Tribal governments to experiment with a variety of approaches to policies related to unmanned aircraft.
• The Department of Transportation shall, when making policy related to small or civil unmanned aircraft systems, recognize that problems that are merely common to the State, local, and Tribal governments will not justify Federal action because individual State, local, and Tribal governments, acting individually or together, can effectively deal with such problems and may find and implement more innovation friendly policies than Federal agencies.
• The Department shall, when making policy related to small or civil unmanned aircraft systems, provide timely information and assistance to State, local, and Tribal governments that will ensure collaboration.

Privacy and Property Rights


Section 5 of the bill addresses a number of privacy and property right issues. First, like S 1272, the bill prohibits DOT from authorizing “the operation of a small or civil unmanned aircraft in airspace local in nature above property where there is a reasonable expectation of privacy without permission of the property owner” {§5(a)}.

Second, it addresses the fact that this bill would not affect a whole slew of federal, State and local government regulations and civil actions including “personal injury, wrongful death, property damage, inverse condemnation, trespass, nuisance or other injury based on negligence, strict liability, products liability, failure to warn, or any other legal theory of liability” {§5(b)}.

Third, it provides State and local governments exclusive authority to define private property rights with respect “to unmanned aircraft in the airspace above property that is local in nature” {§5(c)}.

Next the bill prohibits the State and local governments from “unreasonably or substantially impeding the ability of a civil unmanned aircraft, from reaching the navigable airspace” {§5(d)}, or the national airspace above 200ft.

Finally, the bill provides that no authority is provided within the bill for federal, State, or local governments “to prevent an operator or pilot from operating a small or civil unmanned aircraft over their own property, right of way, easement, lands, or waters” {§5(e)}.

Moving Forward


Lewis is a freshman member of the House Transportation and Infrastructure Committee. His bipartisan co-sponsors are also members of that Committee. Between them they probably have enough influence to ensure consideration by the Committee. Whether or not there is enough political will to move this bill to the full House remains to be seen.

I expect that the largest problem with this bill (from the point of view of passing the bill) is that it lacks any language protecting the operation of model aircraft. This has been a recurring requirement in any legislation making a serious attempt at setting standards for the operation of UAS.

Commentary


As I mentioned with S 1272, the main shortcoming of this bill is the failure to address the problem of enforcement because of the legal restrictions on interfering with the flight of aircraft found in 18 USC 32. Failure to address this issue will make many regulatory issues practically unenforceable.

In this bill in particular, the privacy rights it outlines cannot be enforced without the property owner or local police being able to stop the operation of the UAS over the property in question.


The question of protection of critical infrastructure from surveillance or attack via UAS is completely ignored in this bill. Lacking a federal will to set and enforce such rules, this bill could be a vehicle for allowing State and local governments to do so by adding ‘protecting the security of critical infrastructure’ to the list of State and local governments ‘legitimate interests’ in §3(c).

Tuesday, June 27, 2017

ICS-CERT Published Newport Advisory

Today the DHS ICS-CERT published a control system security advisory for an improper authentication vulnerability in the Newport XPS-Cx and XPS-Qx controllers. The vulnerability was reported by Maxim Rupp. Newport will reportedly address this vulnerability in the next generation XPS-Dx controller.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to view and edit settings without authenticating by accessing a specific uniform resource locator (URL).

Commentary


It never ceases to amaze me when a company refuses to fix security issues in a current product, but expects customers to buy the next product that ‘will fix’ this problem. Why would anyone expect them to support that next product when a new vulnerability is found?

Of course, that assumes that their current (or future) customers will hear about this vulnerability. It was published in this advisory, but how many owners, ICS security managers, control system engineers, or integrators actually read these advisories (or are even aware that they exist)? Unless the company proactively forces notification to all of its current (and past) customers, there are going to be some number (high, medium or low %, who knows) that never get the word and remain vulnerable by default.

This is a problem that critical infrastructure security regulators are going to have to address. Cybersecurity plans must address the measures that covered facilities are going to take to identify known vulnerabilities in their systems so that they can do a proper risk assessment to identify the mitigation measures (if any) that the facility will take to address the known vulnerabilities.


This topic is not addressed in the Chemical Facility Anti-Terrorism Standards (CFATS) Risk-Based Performance Standards (RBPS) guidance document. We are still waiting on the Coast Guard cybersecurity guidance document. I am not sure if it is adequately addressed in the NERC regulations.

HR 2922 Introduced – PREPARE Act

Earlier this month Rep. Donovan (R,NY) introduced HR 2922, the Promoting Resilience and Efficiency in Preparing for Attacks and Responding to Emergencies (PREPARE) Act. The bill authorizes and modifies a number of DHS emergency planning, preparation and training programs.

Readers of this blog will probably be most interested in the following sections of the bill:

• §106. Allowable uses.
• §114. Port security grant program.
• §120. Cyber preparedness.
• §302. Medical Countermeasures Program.

Allowable Uses


Section 106 amends 6 USC 609, adding two new uses of funds to a number of grant programs for States and high-risk urban areas. The two new uses are {new §609(a)(6) and (7)}:

Enhancing medical preparedness, medical surge capacity, and mass prophylaxis capabilities, including the development and maintenance of an initial pharmaceutical stockpile, including medical kits and diagnostics sufficient to protect first responders, their families, immediate victims, and vulnerable populations from a chemical or biological event;

Enhancing cybersecurity, including preparing for and responding to cybersecurity risks and incidents (as such terms are defined in section 227 [6 USC 148(1) and (3)]) and developing statewide cyber threat information analysis and dissemination activities;

Port Security Program


Section 114 authorizes the port security grant program under 46 USC 70107. The section would authorize $200 million per year for the grants through 2022.

Cyber preparedness


Section 120 amends 6 USC 124h making cybersecurity additions to the support requirements set upon DHS for State, local and regional fusion centers. It requires DHS to provide fusion centers {new §124h(b)(10)}:

“…with expertise on Department resources and operations, including, in coordination with the national cybersecurity and communications integration center [(NCCIC)] under section 227 [6 USC 148], access to timely technical assistance, risk management support, and incident response capabilities with respect to cyber threat indicators, defensive measures, cybersecurity risks, and incidents (as such terms are defined in such section), which may include attribution, mitigation, and remediation, and the provision of information and recommendations on security and resilience, including implications of cybersecurity risks to equipment and technology related to the electoral process;”

It would also require the DHS NCCIC to review cybersecurity information developed by fusion centers and incorporate that information (where appropriate) into NCCIC information shared with fusion centers and other government agencies. It also adds the NCCIC as a potential personnel resource for fusion centers.

Medical Countermeasures Program


Section 302 adds a new §528 to the Homeland Security Act of 2002 that would add a requirement for DHS to {new §528(a)}:

“… establish a medical countermeasures program to facilitate personnel readiness, and protection for the Department’s employees and working animals and individuals in the Department’s care and custody, in the event of a chemical, biological, radiological, nuclear, or explosives attack, naturally occurring disease outbreak, or pandemic, and to support Department mission continuity.”

Moving Forward


Donovan is the Chair of the Emergency Preparedness, Response, and Communications Subcommittee of the House Homeland Security Committee, one of the three committees to which this bill was referred for consideration. Neither Donovan nor his three cosponsors are members of the other two committees (Transportation and Infrastructure Committee and Energy and Commerce Committee). This bill will certainly be considered in the Homeland Security Committee in the near future.

The bill does not currently have any Democratic cosponsors. This would seem to indicate that there is some opposition to at least some of the current provisions (or missing provisions) of the bill. We will have to watch the markup of this bill to see how much bipartisan support there is for the bill. Bipartisan support is not really necessary in the House, but for the bill to make it to the floor of the Senate there cannot be serious Democratic opposition to the bill.

Commentary


The cybersecurity provisions of this bill all refer to 6 USC 148 with its IT-centric definitions of cybersecurity. Again, this would restrict the grant programs and fusion center support provisions to information system security, ignoring potential risks to critical infrastructure from attacks on industrial control systems (ICS) or the energy systems in this country.

Fortunately, the bill does include some modifications to definitions in §148, so it could be possible to clear up the multiple areas where we see similar problems with ignoring the ICS cybersecurity threat. The definition of ‘information system’ could be changed from its current reference to 44 USC 3502(8) to 6 USC 1501(9).


The medical countermeasures program is certainly important to providing support to DHS. I am glad to see that it specifically includes language about chemical incidents instead of just biological and radiological incidents; just see my post about the use of Cyanokits in response to an acrylonitrile spill. It would be nice to see some language in this authorization bill requiring the managers of the program to coordinate with local agencies when such countermeasures are not required by the Department, but could provide support to communities.

Monday, June 26, 2017

Committee Hearings – Week of 6-25-17

This week, with both the House and Senate in session, we are starting to see movement on spending bills, continued work on the National Defense Authorization Act (NDAA) and a couple of interesting markup hearings.

NDAA


As I mentioned last week the House Armed Services Committee started their work on HR 2810 in subcommittee markups. This week they will move to a full committee markup on Wednesday. The Senate bill has not been made public at this point.

Senate Armed Services Committee, 6-28-17 and 6-29-17 (maybe 6-30-17)

The HASC web site has a link to a brief (16 page) description of HR 2810. There is an interesting one paragraph blurb on cyber issues on page 11.

Spending Bills


The House Appropriations Committee starts public work on the FY 2018 spending bills this week, starting with markups of the individual spending bills by the appropriate subcommittee. We will be starting with the DOD spending bill (actually the Defense Construction and Veterans Affairs bill was marked up last week) and the Commerce, Justice and Science (CJS) bill this week. A committee draft of the DOD bill is available, but I have not had a chance to look at it.

DOD, House, subcommittee markup, 6-26-17
CJS, House, subcommittee markup, 6-29-17

Other Mark-up Hearings


On Wednesday the House Energy and Commerce Committee will be holding a mark-up hearing looking at a number of bills including HR 3050, the Enhancing State Energy Security Planning and Emergency Preparedness Act of 2017. I did not catch this bill when it was introduced on Friday because of the way it was described at Congress.gov. Seeing the title of the bill today got me to take a quick look at the available committee draft (the GPO version is not yet available) and it does have cybersecurity provisions (more later). I will be watching this bill.

On Thursday the Senate Commerce, Science, and Transportation Committee will be holding an executive session that will include the markup of S 1405, the FY 2018 FAA authorization bill. The GPO version is not yet available but the committee draft shows that a number of sections of the bill deal with unmanned aircraft systems (UAS) including a re-write of the model aircraft restrictions on the FAA regulatory authority. There is currently no mention of cybersecurity in the bill.

Saturday, June 24, 2017

Bills Introduced – 06-23-17

Yesterday with just the House still in Washington, there were 25 bills introduced. Of those, one may be of specific interest to readers of this blog:

HR 3033 To secure the technological edge of the United States in civil and military aviation. Rep. Knight, Stephen [R-CA-25]

This bill will only receive future mention here if it includes cybersecurity language.

HR 2810, NDAA – Cyber Subcommittee Markups

As I mentioned earlier this week the subcommittees of the House Armed Services Committee held a series of markup hearings looking at HR 2810, the FY 2018 National Defense Authorization Act (NDAA). The hearing of the Emerging Threats and Capabilities Subcommittee added Title XVI, Subtitle D – Cyber Related Matters, to the language of HR 2810.

Items in that subtitle include:

§1641—Notification Requirements for Sensitive Military Cyber Operations and Cyber Weapons
§1642—Modification to Quarterly Cyber Operations Briefings
§1643—Cyber Scholarship Program
§1644—Plan to Increase Cyber and Information Operations, Deterrence, and Defense

None of the above sections contains any language that specifically identifies or includes industrial control systems (ICS). There are, however, a series of definition changes identified in §1643 that eliminate ‘information technology’, ‘information security’ or ‘IT’ references by substituting ‘cyber’. No definition of the term ‘cyber’ is provided.

Those definitions would be found in 10 USC Chapter 112, Information Security Scholarship Program. There is nothing in the Subcommittee report that would specifically indicate that this was done to add ICS programs to the scholarship program, but it would seem that this would be the major practical consequence of the change.

The full Committee is scheduled to markup HR 2810 on Wednesday.

OMB Approves Two Final Rules for TSCA Update

Over the last two days the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved two final rules (here and here) submitted by the EPA supporting changes required by §6(b) and §8(a) of the Frank R. Lautenberg Chemical Safety for the 21st Century Act (PL 114-182). The EPA has sent copies of those two final rules (here and here) to the Office of the Federal Register for publication. Those rules are not scheduled for Monday publication, but they will almost certainly be published next week.

It is unclear how much of a re-write these rules are from the notices of proposed rulemaking (NPRMs) written by the Obama Administration (here and here) shortly before Trump’s inauguration. I did not review those NPRMs at the time because I was sure that there would either be new NPRMs published by the incoming administration or complete rewrites in the final rulemaking. Whether or not the rewrites here are legally justifiable will inevitably be determined by the courts.

I will not start commenting on these rules until they are published in the Federal Register. Other organizations have already started their commenting process (see for example here), but I prefer to wait because the formal publication allows me to link to specific paragraphs in the rule and preamble. This allows people to better understand what I am saying and check on my interpretations.

One point that I will comment upon. Both rules will become effective upon publication. This is unusual, but it is a result of congressionally mandated reporting requirements that become effective upon publication. The EPA determined (rightly so in my opinion) that there was no regulatory purpose to be served by adding a 60-day or 90-day effective date when that would just cut into the 180-day reporting requirements in the bill. There is, of course, the possibility that there could be a court stay of the effective date, but that cannot change the mandated reporting schedule.

Friday, June 23, 2017

Bills Introduced – 6-22-17

Yesterday, with both the House and Senate in session there were 67 bills introduced. Of those, two may be of specific interest to readers of this blog:

HR 3010 To provide for the identification and documentation of best practices for cyber hygiene by the National Institute of Standards and Technology, and for other purposes. Rep. Eshoo, Anna G. [D-CA-18]

S 1405 A bill to amend title 49, United States Code, to authorize appropriations for the Federal Aviation Administration, and for other purposes. Sen. Thune, John [R-SD]

As readers of this blog would expect, HR 3010 will only receive further coverage here if it contains specific control system security language.

The FAA authorization act will be watched for cybersecurity provisions.

ICS-CERT Publishes Two Siemens Advisories

Yesterday the DHS ICS-CERT published two control system security advisories for two products from Siemens.

XHQ Advisory

This advisory describes an improper access control vulnerability in the Siemens XHQ operations intelligence product. This vulnerability is being self-reported. Siemens has developed a new version that mitigates the vulnerability.

ICS-CERT reports that a relatively low skilled attacker (who is an authorized user) could remotely exploit the vulnerability to gain read access to data in the XHQ solution exceeding his configured permission level.

SIMATIC CP 44x-1 Advisory

This advisory describes an improper authentication vulnerability in the Siemens SIMATIC CP 44x-1 Redundant Network Access (RNA) modules. This vulnerability is being self-reported. Siemens has released a firmware update to mitigate the vulnerability.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to perform administrative actions under certain conditions. The Siemens’ Security Advisory reports that the attacker must have network access to port 102/TCP of the affected device and the configuration data of the CP must be stored on the CPU.
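The precondition Siemens cites (network reachability of 102/TCP on the CP) is the one a defender can check and monitor directly. The following is an added example, not code from Siemens, ICS-CERT or this blog, showing the kind of check a plant network team could run over firewall or flow logs: it flags permitted 102/TCP connections to a CP module from any host that is not on the engineering-workstation allow-list. The log format, the addresses, the allow-list and the CP inventory are all constructed for the example.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample firewall log lines (made up for this example; not from any
# real device and not from the Siemens or ICS-CERT advisories).
SAMPLE_LOG = """\
2017-06-22T10:15:03Z src=10.1.5.20 dst=10.1.7.10 dport=102 proto=tcp action=allow
2017-06-22T10:15:09Z src=10.1.5.20 dst=10.1.7.10 dport=443 proto=tcp action=allow
2017-06-22T10:16:41Z src=192.168.30.77 dst=10.1.7.10 dport=102 proto=tcp action=allow
2017-06-22T10:17:02Z src=10.1.5.21 dst=10.1.7.11 dport=102 proto=udp action=allow
2017-06-22T10:18:55Z src=10.99.0.5 dst=10.1.7.11 dport=102 proto=tcp action=deny
"""

# Hypothetical allow-list of engineering workstations that legitimately reach the
# CP modules on 102/TCP, and a hypothetical inventory of the CP addresses.
ENGINEERING_HOSTS: Set[str] = {"10.1.5.20", "10.1.5.21"}
CP_ADDRESSES: Set[str] = {"10.1.7.10", "10.1.7.11"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one key=value log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_unexpected_s7_access(
    log_text: str, engineering_hosts: Set[str], cp_addresses: Set[str]
) -> List[Dict[str, str]]:
    """Return permitted 102/TCP connections to a CP from hosts not on the
    engineering allow-list.

    Denied connections are deliberately not returned: they show the network
    restriction working, not failing. UDP and other ports are ignored because
    the advisory's precondition is specifically 102/TCP reachability."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if (
            rec["proto"].lower() == "tcp"
            and rec["dport"] == "102"
            and rec["action"].lower() == "allow"
            and rec["dst"] in cp_addresses
            and rec["src"] not in engineering_hosts
        ):
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for f in find_unexpected_s7_access(SAMPLE_LOG, ENGINEERING_HOSTS, CP_ADDRESSES):
        print(f"{f['ts']} unexpected 102/TCP access to CP {f['dst']} from {f['src']}")
```

Run against the constructed sample, only the connection from 192.168.30.77 is reported: the first line comes from an allow-listed workstation, the UDP line is not the protocol in question, and the last line was already blocked. In practice the allow-list would come from the plant's asset inventory rather than being hard-coded.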

Bills Introduced – 06-21-17

On Wednesday, with both the House and Senate in session, there were 47 bills introduced. Of those only one may be of specific interest:

HR 2975 To make certain improvements in the laws administered by the Secretary of Homeland Security relating to public transportation security, and for other purposes. Rep. Lipinski, Daniel [D-IL-3]

This bill will probably address chemical transportation issues (if at all) peripherally. It will only be covered in this blog if chemical transportation issues or cybersecurity issues are addressed.

ISCD Publishes Records Maintenance Guidance – RBPS 18

Yesterday the DHS Infrastructure Security Compliance Division (ISCD) added links to two documents on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center web site. The documents provide information to help CFATS covered facilities comply with Risk Based Performance Standard (RBPS) 18, Records. The documents are a records reporting template and a fact sheet providing information on the RBPS 18 requirements.

The fact sheet expands on the information provided in the RBPS Guidance Document, providing additional information about what types of documents CFATS facilities need to retain to comply with RBPS 18. The template provides a voluntary tool that facilities can use to document some of the records retention requirements covered in RBPS 18. In particular it provides specific examples of reporting formats (with fictitious data samples) for:

• Sample Record of Breaches of Security
• Sample Record of Drills and Exercises
• Sample Record of Maintenance
• Sample Record of Security Threats
• Sample Record of Site Security Plan (SSP) Audit
• Sample Record of Training Delivered

The use of this particular tool is not required for compliance. ISCD is providing the tool as an example of a ‘best practice’. Facilities are free to use their own formats and reporting documents. Based upon my personal experience in the military, however, as both a unit security ‘manager’ and as a security inspector, using a common reporting format makes for easier inspections. Inspectors can spend less time looking for details and are more likely to overlook minor lapses.

NOTE: The example data provided in the template provides some interesting insight into what types of information ISCD is really looking for.

Thursday, June 22, 2017

OMB Approves EPA TSCA Guidance Document

Yesterday the OMB’s Office of Information and Regulatory Affairs announced the approval of the publication of a new EPA guidance document supporting the implementation of some of the requirements of the Frank R. Lautenberg Chemical Safety for the 21st Century Act (PL 114-182). Specifically, this document, “Guidance to Assist Interested Persons in Developing and Submitting Draft Risk Evaluations Under the Toxic Substances Control Act (TSCA)”, should provide information to industry in determining what information should be included in requesting EPA risk evaluations under 15 USC 2605 as modified by §6 of the Act (130 Stat 460).

OIRA was pretty quick in approving this publication (submitted on June 13th), especially considering that it was substantially written under the Obama Administration. It is unclear how soon this will be published by the EPA since two of the regulations that this supports are still under review by OIRA (here and here) at the notice of proposed rulemaking (NPRM) stage. Technically this could move forward without those rules being approved since those regulations probably have more effect on EPA actions taken on the submitted data than upon industry submitting the data.

Obviously, the Trump Administration will not meet the June 22nd (today) deadline for implementing the requirements of §6. To be fair, neither would the Obama Administration have. That deadline was totally unrealistic given the rulemaking process and the complexity of the issues involved. I do suspect that we will see the two TSCA NPRMs published this summer.

Wednesday, June 21, 2017

ICS-CERT Publishes New Advisory and Updates 2 Siemens Advisories

Yesterday the DHS ICS-CERT published a new control system security advisory for a product from Ecava. They also updated two previously published advisories for products from Siemens.

Ecava Advisory

This advisory describes an SQL injection vulnerability in the Ecava IntegraXor. The vulnerability was reported by Tenable Security. Ecava has produced a new version that mitigates the vulnerability. ICS-CERT reports that Tenable has verified the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to effect unauthenticated remote code execution.
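The vulnerability class here is worth showing in code. The following is an added example, not Ecava's code and not based on IntegraXor's schema or the advisory's details: a constructed HMI tag table queried first by string concatenation (the defect class ICS-CERT describes) and then with a bound parameter, plus an allow-list validator for tag names as a second layer. The table, column names and sample values are all constructed for the example.

```python
import re
import sqlite3
from typing import List, Tuple

TAG_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory tag table (sample data only, not a real HMI schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tags (name TEXT PRIMARY KEY, value REAL, role TEXT)")
    conn.executemany(
        "INSERT INTO tags VALUES (?, ?, ?)",
        [
            ("pump1_speed", 1450.0, "operator"),
            ("tank2_level", 63.5, "operator"),
            ("admin_setpoint", 99.0, "admin"),
        ],
    )
    conn.commit()
    return conn


def lookup_tag_vulnerable(conn: sqlite3.Connection, tag_name: str) -> List[Tuple]:
    """Defective pattern: caller-controlled text is pasted into the SQL statement,
    so the input can change the query's structure, not just its search value."""
    query = f"SELECT name, value FROM tags WHERE name = '{tag_name}'"
    return conn.execute(query).fetchall()


def lookup_tag_safe(conn: sqlite3.Connection, tag_name: str) -> List[Tuple]:
    """Hardened pattern: the value is bound as a parameter; the database engine
    never interprets it as SQL, whatever characters it contains."""
    query = "SELECT name, value FROM tags WHERE name = ?"
    return conn.execute(query, (tag_name,)).fetchall()


def is_valid_tag_name(tag_name: str) -> bool:
    """Defence in depth: reject anything that is not a plausible tag identifier
    before it reaches the database layer at all."""
    return bool(TAG_NAME_RE.match(tag_name))


if __name__ == "__main__":
    db = build_demo_db()
    # A malformed input that is never a valid tag name; with concatenation it
    # widens the WHERE clause, with a bound parameter it simply matches nothing.
    malformed = "' OR '1'='1"
    print("concatenated:", lookup_tag_vulnerable(db, malformed))
    print("parameterised:", lookup_tag_safe(db, malformed))
    print("validator accepts it:", is_valid_tag_name(malformed))
```

With the constructed table the concatenated version returns every row for the malformed input (including the admin-role tag), while the parameterised version returns an empty list and the validator rejects the string outright. Parameterised queries are the fix that removes the class of defect; the validator only narrows what can reach the query and is not a substitute.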

PROFINET Update

This update provides additional information on an advisory originally published on May 9th, 2017 and updated on June 15th, 2017. This update provides new affected version data and links to updates for Primary Setup Tool (PST): All versions prior to V4.2 HF1.

Interestingly, this information on the PST was made available in the same updated version of the Siemens Advisory published on June 13th that was used for the previous ICS-CERT update. A close comparison of the original Siemens Advisory and the June 13th versions shows that there was an additional product that was updated, but also not mentioned in the earlier ICS-CERT update or in this update; the Security Configuration Tool (SCT): All versions < V5.0.

Industrial Products Update

This update provides additional information on an advisory originally issued on November 8, 2016 and then updated November 22nd, 2016; December 23rd, 2016; February 14th, 2017; March 2nd, 2017 and May 9th, 2017. This update provides the same new information as the ICS-CERT update described above. Interestingly (and kudos to ICS-CERT for really prompt reporting), Siemens published their updated Security Advisory just yesterday morning (ICS-CERT time).

NOTE: Siemens also announced (via Twitter®, @ProductCERT) yesterday that they had published a new security advisory (SSA-126840) and updated another advisory (SSA-275839) with the same SCT information noted above. I expect that we will see those reflected on the ICS-CERT site today or tomorrow.

Monday, June 19, 2017

Committee Hearings – Week of 6-18-17

With both the House and Senate in session the focus this week remains budget hearings. There are no budget hearings of specific interest this week, but the budget process is still taking up a large portion of congressional focus. There is only one cybersecurity hearing currently scheduled for this week though there may be cybersecurity amendments offered in the NDAA markup process that also begins this week.

NDAA

The FY 2018 National Defense Authorization Act (NDAA) is another priority moving forward. HR 2810 currently has no cybersecurity provisions, but there are gaping holes in the bill that will be filled-in during the markup process. That process starts this week in subcommittees of the House Armed Services Committee:

Cybersecurity

On Wednesday, the Senate Homeland Security and Governmental Affairs Committee will be holding a hearing on “Cybersecurity Regulation Harmonization”. The witness list includes:

• Christopher F. Feeney, BITS/Financial Services Roundtable
• Dean C. Garfield, Information Technology Industry Council
• Daniel Nutkis, Health Information Trust Alliance
• James "Bo" Reese, National Association of State Chief Information Officers

This will certainly focus on IT cybersecurity, but there may be some minor attention paid to control system security.

Sunday, June 18, 2017

HR 2825 Amended and Approved in Committee

Last week the House Homeland Security Committee held a markup hearing on HR 2825, the DHS Authorization Act of 2018 [corrected date 6-19-17 0710 EDT]. The Committee adopted a large number of amendments, including substitute language.

Substitute Language

The original bill was extremely light in its coverage and was obviously missing some titles. The substitute language offered by Rep. McCaul (R,TX) substantially enlarged and expanded the coverage of the bill. New sections in the substitute language that may be of specific interest to readers of this blog include:

§403. Cyber at ports.
§409. Repeal of interagency operational centers for port security and secure systems of transportation.
§572. Surface transportation security assessment and implementation of risk-based strategy.
§577. Surface transportation security advisory committee.
§583. Study on surface transportation inspectors.
§584. Security awareness program.
§585. Voluntary use of credentialing.
§586. Background records checks for issuance of hazmat licenses.
§587. Recurrent vetting for surface transportation credential-holders.
§588. Pipeline security study.
§589. Repeal of limitation relating to motor carrier security-sensitive material tracking technology.
§620. Cyber preparedness.
§642. Medical Countermeasures Program.

The provisions I discussed in my post about the original bill remain essentially unchanged.

Maritime Security

Title IV of the substitute language addresses maritime security issues. Most of the provisions found in this title were included in HR 2831, the Maritime Security Coordination Improvement Act that I reviewed yesterday. That bill includes provisions not seen in this bill, so it is likely to continue forward. I suspect that the duplicate provisions in this bill are those that McCaul considers the most important.

The cybersecurity provisions that I discussed in HR 2831 are included in this bill (§403) essentially unchanged.

Surface Transportation Security Studies

The substitute language contains a new Title V, Subtitle G (sections 571 through 589) that addresses a number of surface transportation security issues. Many of them deal with various study and report requirements. There are two studies outlined in this subtitle that may be of specific interest to owners and operators of surface transportation organizations and activities.

Section 583 would require the Government Accountability Office (GAO) to conduct a study looking at potential duplications or redundancies between TSA and DOT “relating to surface transportation security inspections or over sight” {§583(1)}. While TSA has been given the responsibility for overseeing all transportation security issues, its main (some would say almost exclusive) focus has been on passenger air transportation security. As a result, the DOT modal agencies have continued to oversee the pre-TSA security requirements that were initiated by the modal agencies. There exists a very real potential that this study could lead to the disbanding of the TSA surface transportation security program as duplicative and ineffective.

Section 588 requires a separate GAO study of the TSA/DOT oversight conflict in the pipeline security arena. Of particular interest to readers of this blog is the specific inclusion of cybersecurity issues in the study parameters. The GAO is tasked with looking at whether the current memorandum of understanding between DHS and DOT adequately delineates the responsibility for {§588(a)(1)}:

• Protecting against intentional pipeline breaches and cyber-attacks;
• Responding to intentional pipeline breaches and cyber-attacks; and
• Planning to recover from the impact of intentional pipeline breaches and cyber-attacks.

The big problem here is that most of the activities that are used to respond to a pipeline breach are the same for both intentional and accidental breaches. Given the fact that accidental breaches are much more common than intentional breaches, the DOT pipeline safety folks will have much more practical experience in this field.

The one area that is not specifically identified in the §588 requirements is having the GAO study identify if either PHMSA or TSA have enough people with the requisite skill and background in control system security to deal with cyber-attacks.

Other Amendments

An amendment offered by Rep. Thompson (D,MS) amended the new requirement for surface security awareness training outlined in §584. The Thompson amendment would reiterate that this new requirement would not “replace or affect in any way the security training program requirements” specified in 6 USC sections 1137, 1167, and 1184. Readers of this blog will remember that TSA finally published a notice of proposed rulemaking (NPRM) on those requirements last December. This amendment was adopted by voice vote.

An amendment offered by Rep. Langevin (D,RI) would add a new section to the bill that would require the FEMA Administrator to conduct a study on the use of grant funds awarded pursuant to 6 USC §604 (Urban Area Security Initiative) and §605 (State Homeland Security Grant Program) to support efforts to prepare for and respond to cybersecurity risks and incidents (as such terms are defined in 6 USC 148). Readers should see my discussion of HR 2831 on why the reference to 6 USC 148 ignores control system security issues. This amendment was adopted by voice vote.

Moving Forward

The amended substitute language on this bill passed by a voice vote. Even with the Democrats losing party line votes on six amendments, there is still substantial bipartisan support within the Committee for the amended bill. If McCaul can get buy in from the House leadership (including the chairs of a number of other potentially interested committees) to bring this bill to the floor, it is almost certain to pass. Convincing the Senate leadership to bring the bill to the floor in that body will be another intra-party political issue.

Saturday, June 17, 2017

HR 2831 Introduced – Port Security Corrections

Last week Rep. Rutherford (R,FL) introduced HR 2831, the Maritime Security Coordination Improvement Act. The bill makes a number of changes to laws pertaining to port security operations conducted by the Coast Guard. Changes of specific interest to readers of this blog would be increased emphasis on cybersecurity and changes to Maritime Transportation Security Act (MTSA) inspection requirements.

Cybersecurity

Section 4 of the bill addresses three separate port cybersecurity issues, corresponding to three different levels of cybersecurity interest: DHS/CG, the Captain of the Port (COTP), and the MTSA covered facility owner.

Section 4(b) of the bill specifically adds cybersecurity to the areas of potential weakness that DHS/CG is required to look at when they are assessing the “detailed vulnerability assessment of the facilities and vessels that may be involved in a transportation security incident” 46 USC 70102(b)(1)(C).

Section 4(a) addresses cybersecurity at the COTP level by adding a new requirement for Area Maritime Security Advisory Committees (AMSAC) under 46 USC 70112(a)(2)(A). The AMSACs would be specifically required to “shall facilitate the sharing of information relating to cybersecurity risks and incidents (as such terms are defined in section 227 of the Homeland Security Act of 2002 (6 U.S.C. 148)) to address port-specific cybersecurity risks and incidents, which may include the establishment of a working group of members of such committees to address such port-specific cybersecurity risks and incidents” {§70112(a)(2)(A)(i)}.

At the facility owner level the bill would require vessel and facility security plans under 46 USC 70103(c) to specifically address “prevention, management, and response to cybersecurity risks and incidents (as such terms are defined in section 227 of the Homeland Security Act of 2002 (6 U.S.C. 148) [link added])” {new §70103(c)(3)(C)(v)}.

Facility Inspections

Section 5 of the bill makes a change to the requirements for the Coast Guard to inspect MTSA covered facilities under 46 USC 70103(c)(4)(D). Instead of inspecting at least twice a year (one conducted without advance notice), the new requirement would reduce that to at least once a year without notice.

Moving Forward

Rutherford and all three of his cosponsors {including Chairman McCaul (R,TX)} are members of the House Homeland Security Committee, one of the two committees to which the bill was assigned for consideration. This bill will almost certainly be considered (and approved) in the Homeland Security Committee; consideration by the Transportation and Infrastructure Committee is much less assured.

There does not appear to be anything in the bill that would raise any significant opposition in the House. If McCaul can get the bill to the floor of the House, it is likely to eventually reach the President’s desk.

Discussion

There are no cybersecurity definitions in the bill beyond reference to the terms ‘cybersecurity risks’ and ‘incident’ from §148(a). Those definitions both rely on the definition of ‘information system’ which §148 takes from 44 USC 3502(8). That definition is very IT-centric; “the term ‘information system’ means a discrete set of information resources [emphasis added] organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information”. Thus, it could be argued that these cybersecurity requirements do not address control system, security system, or building maintenance system security issues.

In many industries (finance, commercial sales, and healthcare for example) protecting information is the paramount concern when we talk about cybersecurity. In port operations, however, the operational side of the house is probably more significant than is the need to protect just information. Thus, it would behoove Congress to ensure that the language in this bill reflects the importance of operational cybersecurity.

The only place that currently expands the IT-centric definitions of cybersecurity to include operations technology is 6 USC 1501(9). There the definition of ‘information system’ is still based on a reference to §3502, but it was specifically expanded by adding subparagraph (B) “includes industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers”.

The problem is, however, that §1501 does not also include the terms ‘cybersecurity risks’ or ‘incident’. One could use the current reference to §148 for those terms but specify that the term ‘information system’ is based upon §1501. Doing that in both instances where the first two terms are currently used would be very wordy and potentially confusing.

It would probably be better to add a new paragraph to §4 of the bill that provides definitions that would be used in the Port Security chapter of the US Code (46 USC 70101). If I were doing this, I would add the following definitions:

(1) The term ‘information system’ has the meaning given the term in section 3502 of title 44;

(2) The term ‘control system’ means a discrete set of information resources, sensors, communications interfaces and physical devices organized to monitor, control and/or report on physical processes, including manufacturing, transportation, access control, and facility environmental controls;

(3) The term ‘cybersecurity risk’ means:

(A) threats to and vulnerabilities of information, information systems, or control systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information, information systems, or control systems, including such related consequences caused by an act of terrorism; and

(B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;

(4) The term ‘incident’ means an occurrence that actually, or imminently jeopardizes, without lawful authority:

(A) the integrity, confidentiality, or availability of information on an information system,

(B) the timely availability of accurate process information, the predictable control of the designed process or the confidentiality of process information, or

(C) an information system or a control system;

With these definitions in place the references to §148 are superfluous and should be removed. Then the intent would be clear that the bill would be addressing both the information and control system cybersecurity of port operations. And that is almost certainly the intent of the crafters of this bill.