Monday, July 31, 2017

S 1544 Introduced – Cyber Coordination with Russia

Earlier this month Sen. Klobuchar (D,MN) introduced S 1544, the No Funds for Cyber Coordination with Russia Act of 2017. This is one of three bills (others: HR 3191 and HR 3259) written by Democrats in response to President Trump’s brief statement of support (and quickly withdrawn support) for a joint US-Russian cybersecurity unit.

Background Information


The bill includes a great deal of background information before it gets to the meat of the matter. It includes broadly written definitions of ‘cybersecurity’ and ‘cybersecurity unit’ that are, in turn based upon the following definition of ‘cyberspace’ {§2(4)}:

“The term ‘‘cyberspace’’ means the global domain within the information environment consisting of the interdependent network of information systems infrastructures (including the Internet, telecommunications networks, computer systems, and embedded processors and controllers).”

Section 3 of the bill sets forth the purpose of the bill:

“The purpose of this Act is to protect United States cybersecurity and critical infrastructure by preventing the President from establishing a cybersecurity unit in coordination with the Government of the Russian Federation, a known foreign adversary.”

Section 4 of the bill outlines a series of ‘findings of Congress’ that deal with the intelligence community’s assessment of Russian governmental involvement in a wide variety of cyber-attacks against the US, including their meddling in the 2016 US presidential election.

The Prohibition


Section 5 of the bill provides a very succinct statement of prohibition of funding, very similar to that found in the other two bills:

“No Federal funds may be used to establish a cybersecurity unit, or any variation thereof, in cooperation or connection with the Government of the Russian Federation.”

Section 7 of the bill even sets forth the conditions under which the provisions of this bill will no longer apply; the President certifies to Congress that the government of the Russian Federation has:

• Ceased ordering, controlling, or otherwise directing, supporting, or financing acts intended to undermine democracies around the world; and
• Submitted a written statement acknowledging interference in the 2016 United States Presidential election.

Moving Forward


While Klobuchar is not a member of the Senate Foreign Affairs Committee (to which this bill has been assigned for consideration), four of her 14 co-sponsors {Sen. Cardin (D,MD), Sen. Markey (D,MA), Sen. Shaheen (D,NH), and Sen. Merkley (D,OR)} are. This means that would normally be possible for the four to ensure that the bill was considered in Committee. With a bill as politically pointed as this one, however, there is little or no chance that the Republican leadership will allow the bill to be considered in Committee, and certainly not on the floor of the Senate.

Commentary


Of the three bills submitted to date on this topic, this one was the most professionally written. This one shows the type of legislative crafting one expects to see in a bill worthy of consideration (if not necessarily passage). While the prohibition in paragraph 5 is as broadly worded as the similar statements in the other two bills, the remainder of the bill would provide enough evidence of specific congressional intent that most judicial reviews of the provisions would have no difficulty in separating out purely police activities of a cyber nature that might involve Russian police cooperation from the more politically charged cybersecurity joint venture proposed by Trump.

Note that Klobuchar has submitted a proposed amendment to HR 2810 (SA 655) that would attempt to accomplish the same purpose, but it is missing the background information portions of this bill. That would bring it more in line with more crassly political standards set in the two bills that were introduced in the House.

HR 3259 Introduced – Russia Cybersecurity

Earlier this month Rep. Speier (D,CA) introduced HR 3259, the Preventing Usurpation Through International Networks (PUTIN) Act. The bill would prevent participation in a US-Russian cybersecurity unit. This bill is very similar to HR 3191.

Section 2 of the bill is slightly less expansive in its exclusion as the one found in HR 3191, stating:

“No Federal funds may be used to establish or support a cybersecurity unit in which the Government of the Russian Federation, or any individual acting on behalf of such Government, is a participant.”

Moving Forward


Neither Speier nor any of her 12 cosponsors are members of the House Foreign Affairs Committee, the committee to which this bill was referred for consideration. This makes this bill even less likely than HR 3191 to be considered by the Committee.

Commentary


The language of this bill is slightly less inclusive in the programs that might be expected to be prohibited, but it is still potentially restrictive of politically inoffensive law enforcement activities.


I do, however, have to give grudging kudos to Ms Speier’s staff for coming up with a bill name that results in a cutely offensive acronym.

Senate Amendments to HR 2810 (FY 2018 NDAA) – 7-27-17

With the Senate possibly getting ready to take up HR 2810, the FY 2018 National Defense Authorization Act (NDAA) the amendment process started in earnest last week. While a significant number of amendments were submitted on Wednesday, I did not see any of potential specific interest to readers of this blog until Thursday. Those amendments included:

• SA 427. Mr. Brown - collaboration between federal aviation administration and department of defense on unmanned aircraft systems (pg s4455);
• SA 435. Mr. Rounds - report on progress made in implementing the cyber excepted personnel system (pgs s4456-7);
• SA 437. Mr. Rounds - sense of congress on establishing an award program for the cyber community of the department of defense (pg s4457);
• SA 461. Ms. Cantwell - collaboration on cybersecurity of industrial control systems for critical infrastructure (pg s4465);
• SA 488. Ms. Heitkamp - sense of congress on use of test sites for research and development on countering unmanned aerial systems (pgs s4474-5);
• SA 525. Mr. Whitehouse - United States-Israel cybersecurity cooperation (pgs s4526-7);
• SA 557. Mr. Gardner - mandatory Sanctions with respect to Iran relating to significant activities undermining United States cybersecurity (pgs s4533-4);
• SA 559. Mr. Gardner - comptroller general of the United States report on department of defense critical telecommunications equipment or services obtained from suppliers closely linked to a leading cyber-threat actor (pg s4534);
• SA 575. Mr. Nelson - protecting critical infrastructure against cyber attacks from foreign governments (pgs s 4538-9);
• SA 613. Ms. Cortez Masto - department of defense cyber workforce development pilot program (pg s4564);
• SA 623. Mr. Warner - department of defense cyber workforce development pilot program (pgs 4568-9);
• SA 655. Ms. Klobuchar - prohibition on use of federal funds for joint cybersecurity initiative with Russia (pg s 4574);
• SA 663. Mrs. Shaheen - prohibition on use of software platforms developed by Kaspersky lab;
• SA 666. Mr. Brown - cybersecurity cooperation with Ukraine (pg s4579);
• SA 686. Ms. Warren - report on significant security vulnerabilities of the national electric grid (pg s4587);
• SA 700. Ms. Harris - pilot program on integrating into the department of defense workforce individuals with cybersecurity skills whose services are donated by private persons (pg s4590);
• SA 712. Mr. Portman - plan to meet demand for cyberspace career fields in the reserve components of the armed forces (pg s4597);
• SA 713. Mr. Portman - department of defense integration of information operations and cyber-enabled information operations (pgs s4597-8);
• SA 725. Mr. Cassidy - report on cyber capability and readiness shortfalls of army combat training centers (pg s4604).

Industrial Control Systems


Three of these amendments specifically address (or at least include) industrial control system security issues.

Sen. Cantwell’s (D,WA) SA 461 would require DOD, DOE, and DHS to provide representative to a new Center of Excellence focusing on “cybersecurity of industrial control systems for critical infrastructure” {(b)(1)}. No funding nor further details are provided.

Sen. Nelson’s (D,FL) SA 575 is a ‘sense of Congress’ statement. It starts with a very bold and broad statement of the threat: “Authoritative evidence and testimony to Congress indicate that the United States Government cannot prevent cyber attacks by determined and capable adversaries from reaching critical infrastructure in the United States and that, absent major efforts to identify and eliminate vulnerabilities in the most critical nodes of the most critical infrastructure, such attacks would succeed in causing unacceptable damage to the United States” {(a)(1)}. It does require a report to Congress that would include “an analysis of cyber vulnerabilities in the most critical nodes of the most critical infrastructure” {(c)(1)} and a listing of potential design solutions. Again, no funding is provided.

Sen. Warren’s (D,MA) SA 686 would require another report to Congress on “the significant security vulnerabilities of the national electric grid that are susceptible to significant malicious cyber-enabled activities” {(a)(1)} and their effect on DOD. While control systems are not specifically mentioned in this amendment it does use the 6 USC 1501 definition of ‘security vulnerability’ that is based upon that section’s ICS-inclusive definition of ‘information system’. Again, no funding is provided.

Moving Forward


There is a possibility that the Senate will move forward to consider HR 2810 before they start their summer recess later next month. Those chances were decreased, however, when Sen. McCain (R,AZ; Chair of the Senate Armed Services Committee) returned to Arizona to undergo treatment for his newly diagnosed cancer.


Even if the bill does come to the floor for debate and amendment, there is no telling if/when any of the above amendments would be considered.

Saturday, July 29, 2017

NIST Cybersecurity Workforce RFI Comments – 07-29-17

This is the second in a series of blog posts looking at the comments that NIST has received on their request for information (RFI) on cyber workforce development. The comments are posted to the NIST National Initiative for Cybersecurity Education (NICE) web site. The earlier post in the series was:


Comments posted (16) this week came from:


Issues addressed include:

• The private sector vs government pay differential;
• The use of Cyber Security Gaming and Simulations Cloud (CGSC) academies to engage K12 students and teachers;
• The lack of standard metrics or data for cybersecurity education, training, and workforce development programs;
• The NIST NICE Regional Alliances for Multistakeholder Partnerships Program (RAMPS);
• The  NCSF Controls Factory™ model created by Larry Wilson, CISO in the university (U of Massachusetts) president’s office to engineer, operate and manage the business risk of a NIST Cybersecurity Program;
• Vehicle cybersecurity workforce development program paper;
• The Scholarships for Women Studying Information Security (SWSIS) program; and
• Support for academic training programs.


A much higher percentage of respondents attempted to specifically answer the question that were posed in the RFI document (marked with *). Those responses may be worth reading depending on the amount detail one is looking for in the RFI. NIST will certainly pay close scrutiny to those submissions.

Bills Introduced – 07-28-17

With just the House in session (and preparing to leave for their summer recess) there were 122 bills introduced. Of those, one may be of specific interest to readers of this blog:

HR 3623 To amend the Homeland Security Act of 2002 to secure and heighten the integrity of elections, and for other purposes. Rep. Sewell, Terri A. [D-AL-7]

I will be watching this bill for cybersecurity provisions.


Just a reminder, the vast majority of bills introduced just before a major break in the session of the various houses of Congress are usually introduced to provide the sponsor with talking points while they are campaigning back in their district. There never was an expectation that most of these bills would ever actually be considered in Congress. Still, they do provide a valuable window into the Congressional mind set.

Friday, July 28, 2017

ICS-CERT Publishes CAN Bus Alert

Today the DHS ICS-CERT published a control system security alert for a vulnerability in the CAN Protocol that allows for a denial-of-service (DoS) attack. A public disclosure of the vulnerability is the reason for the alert, even though the researchers (Andrea Palanca, Eric Evenchick, Federico Maggi, and Stefano Zanero) coordinated with ICS-CERT before the exposure.


ICS-CERT reports that a sophisticated attacker, with knowledge of the CAN bus protocol and physical access to the system can exploit the vulnerability to conduct a DoS attack. Whether or not a system employing the CAN bus protocol will be vulnerable will depend on the implementation of the system.

Senate Passes HR 3364 – Cyber Sanctions

Yesterday the Senate passed HR 3364, the Countering America’s Adversaries Through Sanctions Act by a vote of 98 to 2 (page S 4387). While the bill is generally addressed at Russia, Iran and Korea, it does contain specific sanction requirements based upon reported Russian cyber-attacks.

There has not yet been an official statement from the White House as to whether or not the President will sign or veto the legislation. There were, however, certainly sufficient votes in both the House and Senate to overturn any presidential veto.


As I mentioned in my earlier post, even if/when the bill becomes law there are sufficient provisions in the bill to allow the President to avoid placing any sanctions on the Russian Federation if he so desires.

HR 3180 Revived – FY 2018 Intel Authorization

Last night the House Rules Committee met to establish a rule for the consideration of HR 3180 under regular order after it was rejected under the suspension of the rules process. The Committee voted on party lines to bring HR 3180 back to the floor of the House under a closed rule with a longer debate period but no opportunities to amend the bill.

This means that there was nothing done to try to change the votes of the Democrats who opposed the bill so we can expect a similar party line vote. What will be different this time is that only a simple majority will be needed for passage; the bill will almost certainly pass.

The bill will most likely be considered this afternoon.


The bill will be unlikely to be considered in the Senate under its present form. 

Bills Introduced – 07-27-17

Yesterday with both the House and Senate in session (and the House preparing to leave for their summer recess) there were 125 bills introduced. Of those, three may be of specific interest to readers of this blog:

S 1655 An original bill making appropriations for the Departments of Transportation, and Housing and Urban Development, and related agencies for the fiscal year ending September 30, 2018, and for other purposes. Sen. Collins, Susan M. [R-ME] 

S 1656 A bill to amend the Federal Food, Drug, and Cosmetic Act to provide cybersecurity protections for medical devices. Sen. Blumenthal, Richard [D-CT]

S 1662 An original bill making appropriations for the Departments of Commerce and Justice, Science, and Related Agencies for the fiscal year ending September 30, 2018, and for other purposes. Sen. Shelby, Richard C. [R-AL]

As usual I will be watching the spending bills for cybersecurity measures, but the THUD bill will also be watched for chemical transportation measures.


An FDA cybersecurity bill will certainly receive follow-up coverage here.

ICS-CERT Publishes 3 Advisories and 2 Updates

Yesterday the DHS ICS-CERT published 3 control system security advisories for products from PDQ Manufacturing, Mirion Technologies and Continental AG. They also updated two previously issued advisories for products from Schneider Electric and Siemens.

PDQ Advisory


This advisory describes two vulnerabilities for the PDQ LaserWash, Laser Jet and ProTouch carwash control systems. The vulnerabilities were reported by Billy Rios and Jonathan Butts of WhiteScope and independent security researcher Terry McCorkle. PDQ is developing mitigation measures and has provided interim mitigating controls. This was publicly disclosed at Black Hat.

The two reported vulnerabilities are:

• Improper authentication - CVE-2017-9630; and
• Missing encryption of sensitive data - CVE-2017-9632

ICS-CERT reports that a relatively low skilled attacker could use publicly available exploits to remote exploit the vulnerabilities to gain unauthorized access to the affected system and to issue unexpected commands to impact the intended operation of the system.

Mirion Advisory


This advisory describes two vulnerabilities in Mirion Telemetry Enabled Devices (radiation sensors). These vulnerabilities were reported by Ruben Santamarta of IOActive and were reported at Black Hat. ICS-CERT reports that: “Mirion Technologies is continuing their investigation of this matter and expects to provide users with additional news and solutions in the next three months.” Interim mitigation measures are described.

The two vulnerabilities are:

• Use of a hard-coded cryptographic key - CVE-2017-9649; and
• Inadequate encryption strength - CVE-2017-9645

ICS-CERT reports that an uncharacterized attacker with uncharacterized access could use a publicly available exploit to transmit fraudulent data or perform a denial of service.

NOTE: The Santamarta paper also reports vulnerabilities in radiation detection products from Ludlum.

Continental Advisory


This advisory describes two vulnerabilities in the Continental Infineon S-Gold 2 (PMB 8876) chipset used in a variety of automotive telematics devices. The vulnerabilities were reported by Mickey Shkatov, Jesse Michael, and Oleksandr Bazhaniuk of the Advanced Threat Research Team at McAfee. ICS-CERT reports that: “Continental has validated the reported vulnerabilities but has not yet identified a mitigation plan.”

The reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2017-9647; and
• Improper restriction of operations within the bounds of a memory buffer - CVE-2017-9633

ICS-CERT reports that a relatively low skilled attacker using publicly available exploits could remotely exploit these vulnerabilities to disable the infotainment system of the vehicle and affect functional features of the vehicle. According to affected auto manufacturers, these vulnerabilities do not directly affect the critical safety features of the vehicle.

Schneider Update


This update provides new information on an advisory originally published on November 3rd, 2016 and updated on November 29th. The update provides information about the new version that does not include the web server feature.

Siemens Update


This update provides new information on an advisory that was originally published on July 6th, 2017, and updated on July 18th. This provides updated affected version and mitigation measures for Firmware variant IEC 104: All versions prior to V1.21.

Missed Siemens Advisory



Early last week Siemens reported two vulnerabilities is some of their XP® based Healthineers products. Siemens reports that they are working on updates for the affected products and provide workarounds that can be used until the updates become available. ICS-CERT has not reported on these vulnerabilities.

Thursday, July 27, 2017

HR 3364 Introduced – Foreign Sanctions

Earlier this week Rep. Royce (R,CA) introduced HR 3364, the Countering America’s Adversaries Through Sanctions Act. The bill provides for a variety of sanctions in response to actions taken (and future actions that may be taken) by Russia, Iran and North Korea. The bill specifically includes sanctions to be taken against Russia for cybersecurity related actions. These actions are outlined in:

§222. Codification of sanctions relating to the Russian Federation.
§224. Imposition of sanctions with respect to activities of the Russian Federation undermining cybersecurity.
§235. Sanctions described.

Imposing Sanctions


Section 222 of the bill continues in effect existing cybersecurity related sanctions under EO 13694 “relating to blocking the property of certain persons engaging in significant malicious cyber enabled activities), and Executive Order 13757” {§222(a)}.

Section 224 of the bill requires the President to impose sanctions upon any person the President determines that {§224(a)(1)}:

• Knowingly engages in significant activities undermining cybersecurity against any person, including a democratic institution, or government on behalf of the Government of the Russian Federation; or
• Is owned or controlled by, or acts or purports to act for or on behalf of, directly or indirectly, a person described above.

The required sanctions include {§224(b)}:

• Asset blocking;
• Exclusion from the united states and revocation of visa or other documentation;

Additionally, the President is directed to {§224(a)(2)}:

• Impose 5 or more of the sanctions described in §235 with respect to any person that the President determines knowingly materially assists, sponsors, or provides financial, material, or technological support for, or goods or services (except financial services) in support of, a cybersecurity activity described above; and
• Impose 3 or more of the sanctions described in 22 USC 8923(c) with respect to any person that the President determines knowingly provides financial services in support of a cybersecurity activity described above.

The “significant activities undermining cybersecurity” mentioned in this section include significant efforts to {§224(d)}:

• To deny access to or degrade, disrupt, or destroy an information and communications technology system or network; or
• To exfiltrate, degrade, corrupt, destroy, or release information from such a system or network without authorization for purposes of:
Conducting influence operations; or
Causing a significant misappropriation of funds, economic resources, trade secrets, personal identifications, or financial information for commercial or competitive advantage or private financial gain;
• Significant destructive malware attacks; and
• Significant denial of service activities.

New Sanctions


Section 235 of the bill describes a new set of sanctions available to the President for imposition in response to significant activities undermining cybersecurity and other non-cybersecurity regimes described in the bill. Those sanctions include {§235(a)}:

• Export-import bank assistance for exports to sanctioned persons;
• Export sanction;
• Loans from united states financial institutions;
• Loans from international financial institutions;
• Prohibitions on financial institutions;
• Procurement sanction;
• Foreign exchange;
• Banking transactions;
• Property transactions;
• Ban on investment in equity or debt of sanctioned person;
• Exclusion of corporate officers;
• Sanctions on principal executive officers.

Moving Forward


As I mentioned earlier this week, this bill passed in the House on Tuesday with a strongly bipartisan vote. I suspect that it will be taken up quickly in the Senate where it will pass with broad support (possibly under the unanimous consent process).

I have seen one report that the President may veto the bill if/when it gets to his desk. If the vote in the House is any indicator of support in the Senate (and that is never a perfect predictor) then there are probably more than enough votes available to override any veto on this bill.

Commentary


One of the reasons that this bill is getting bipartisan support is that it provides Democrats an apparent opportunity to hold the President’s feet to the political fire with regards to cyber operations by Russia. While the bill does require the President to impose sanctions, there are two necessary weasel word provisions that provide potential escape hatches.

First the bill only requires the President to impose sanctions when he “determines” that the sanctioned activity has taken place. Given Trump’s public statements about the inability to really know who is responsible for cyber activities (a statement with which, to some extent at least, many cyber professionals would agree), this may be a very substantial loop hole.

The second is a very real recognition of the President’s prerogatives with respect to foreign affairs and national defense. In every instant where the bill requires the President to impose sanctions it specifically provides the President to avoid that requirement by certifying to Congress that an exception is needed due to ‘vital national security interests of the United States’ or that failure to impose sanctions will further enforcement of the provisions of this bill. Interestingly, the crafters of this bill added an additional requirement to these certifications; the President also has to certify that the “that the Government of the Russian Federation has made significant efforts to reduce the number and intensity of cyber intrusions conducted by that Government” {§224(c)(2) for example}.

Neither of these necessary loopholes detracts from the seriousness of the provisions of this bill. While economic sanctions like those outlined in this bill do not have a strong history of success, they are a necessary step to notify opponents (like Russia, Iran and North Korea) that their actions have consequences without the necessity of employing physical (military) or (increasingly more likely) cyber force to get the opponent to modify their behavior.


What might have made this bill more effective in countering the explicated actions of these three adversaries would have been included some sort of reference to possible future application of more expansive responses. It would have been easy to add a requirement for the President to report on the effectiveness of the required sanctions 18 months after they were applied along with a recommendation to Congress as to what escalative measures, up to and including military force if necessary, may be required to stop the sanctioned behavior.

Bills Introduced – 07-26-17

Yesterday with both the House and Senate in session there were 58 bills introduced. Of those, nine may be of specific interest to readers of this blog:

HR 3401 To amend chapter 301 of subtitle VI of title 49, United States Code, to update or provide new motor vehicle safety standards for highly automated vehicles, and for other purposes. Rep. Schakowsky, Janice D. [D-IL-9]

HR 3404 To provide for the establishment in the National Highway Traffic Safety Administration of a Highly Automated Vehicle Advisory Council. Rep. Cardenas, Tony [D-CA-29]

HR 3405 To amend title 49, United States Code, to expand the exemption from the motor vehicle safety standards for testing or evaluation purposes to cover manufacturers of highly automated vehicles and automated driving system components, and for other purposes. Rep. Walters, Mimi [R-CA-45]

HR 3406 To amend section 30113 of title 49, United States Code, to increase the annual number of vehicles that may be exempted for the development of new vehicle safety features, and for other purposes. Rep. Upton, Fred [R-MI-6]

HR 3407 To amend chapter 301 of subtitle VI of title 49, United States Code, to require a cybersecurity plan for highly automated vehicles, and for other purposes. Rep. Kinzinger, Adam [R-IL-16]

HR 3408 To amend section 30113 of title 49, United States Code to establish new exemptions for motor vehicle safety standards, and for other purposes. Rep. Lance, Leonard [R-NJ-7]

HR 3411 To establish in the National Highway Traffic Safety Administration an Automated Driving System Cybersecurity Advisory Council to make recommendations regarding cybersecurity for the testing, deployment, and updating of automated driving systems. Rep. Costello, Ryan A. [R-PA-6]

HR 3412 To amend section 30103 of title 49, United States Code, to establish sole authority for the National Highway Traffic Safety Administration over the regulation of highly automated vehicles, and for other purposes. Rep. Mullin, Markwayne [R-OK-2]

HR 3435 To prohibit the transportation of certain volatile crude oil by rail. Rep. Lowey, Nita M. [D-NY-17]

This block of ‘highly automated vehicles’ legislation (along with a couple of other bills that I don’t expect to be of specific interest here) all come from members of the Digital Commerce and Consumer Protection Subcommittee of the House Energy and Commerce Committee. It looks like these bills may have arisen out of a mark-up hearing that was held on July 19th by that Subcommittee. That marked-up bill has not been introduced.


I will be watching these bills for cybersecurity language.

HR 3435 is probably similar to HR 2379 that was introduced by Lowey in the 114th Congress. No action was taken on that bill.

Wednesday, July 26, 2017

Bills Introduced – 07-25-17

Yesterday with both the House and Senate in session, there were 34 bills introduced. Of those, two may be of specific interest to readers of this blog:

HR 3393 To increase cybersecurity education and job growth, and for other purposes. Rep. Lieu, Ted [D-CA-33]

S 1631 A bill to authorize the Department of State for Fiscal Year 2018, and for other purposes. Sen. Corker, Bob [R-TN]

HR 3393 will only receive additional coverage here if the definitions used in the bill are inclusive of control system security education programs.


 I will be watching (but not holding my breath) S 1631 to see if it includes any cybersecurity provisions.

Tuesday, July 25, 2017

House Passes HR 3364 – Cyber Sanctions

Today the House passed HR 3364, the Countering America’s Adversaries Through Sanctions Act by a nearly unanimous vote of 419 to 3. The bill includes provisions requiring the President to enforce various economic sanctions against anyone in Russia whom the President determines “knowingly engages in significant activities undermining cybersecurity against any person, including a democratic institution, or government on behalf of the Government of the Russian Federation” {§224(a)(1)(A)}.


I’ll be doing a more thorough review of this bill in the near future.

ICS-CERT Published an Alert, an Advisory and 4 Updates

Today the DHS ICS-CERT published a control system security alert for the CRASHOVERRIDE malware and a control system security advisory for products from NXP. The NXP advisory was previously published on the NCCIC Portal on June 1st, 2017. ICS-CERT also updated four previously issued control system advisories for products from Siemens (3) and GE.

CRASHOVERRIDE Alert


This alert briefly describes the CRASHOVERRIDE malware. This malware was previously identified by ESET (on June 12th), Dragos (on June 12th) and US CERT (on June 12th) which ICS-CERT fully credits. All three reports provide much more information than does the ICS-CERT Alert. ICS-CERT has provided a different set of YARA rules for the detection of the malware than those previously published by Dragos. The ICS-CERT rules appear to target different portions of the malware.

NXP Advisory


This advisory describes two vulnerabilities in the NXP i.MX Devices, used on logic boards. The vulnerabilities were reported by Quarkslab. These are hardware vulnerabilities that generally cannot be corrected by a software fix. ICS-CERT notes that the vulnerabilities “are only exploitable when the device is placed in security enabled mode”.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2017-7936; and
• Improper certificate validation - CVE-2017-7932

ICS-CERT reports that a successful attack (by an uncharacterized attacker with uncharacterized access) could exploit the vulnerability to create a denial of service attack or to load an unauthorized image on the device affecting secure boot.

NOTE: These are not stand-alone devices, they are chip sets found on circuit boards on unnamed devices from unnamed supplier. Hopefully one (or more) of those downstream suppliers will develop a successful mitigation for this problem on their devices. But, it has been almost two months since notification was made to those vendors….

S7-300 Update


This update provides new information on an advisory that was originally published on December 13th, 2016 and then updated on May 9th, 2017. The update provides a link to a firmware update for the  S7-CPU 410 CPUs.

GE Update


This update provides new information on an advisory that was originally published on April 27th, 2017, and updated on May 18th, 2017. The new update identifies 8 legacy products that are affected by the vulnerability. It also provides links to previously identified firmware versions and newly mitigated products, including the newly identified legacy products. The firmware update for the URplus platform is still expected to be released this month.

PROFINET 1 update


This update provides new information on an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, on June 20th, 2017, and again on July 6th, 2017. The update provides updated version information and mitigation information for the SINEMA Server: All versions < V14.


PROFINET 2 update


This update provides new information on an advisory that was originally published on May 9th, 2017 and updated on June 15, 2017. The update provides new affected version information and mitigation links for:

• SCALANCE XM400, XR500: All versions prior to V6.1;
• S7-400 PN/DP V6 Incl. F: All versions;
• S7-400-H V6: All versions prior to V6.0.7;
• S7-400 PN/DP V7 Incl. F: All versions;
• S7-410: All versions prior to V8.2;
• SINAMICS S110 w. PN: All versions prior to V4.4 SP3 HF5;
• SINAMICS S120 V4.7: All versions prior to V4.7 H27; and

• SINAMICS V90 w. PN: All versions prior to V1.1

Private vs Public Vendor Vulnerability Disclosures

Yesterday I had an interesting Twitversation with Michael Toecker (@mtoecker) about vulnerability disclosures for distributed control systems (DCS) a type of industrial control system apparently frequently used in power generation facilities (and a number of chemical manufacturing facilities). Apparently one major DCS vendor (Emmerson) does not publicly report their DCS vulnerabilities (via ICS-CERT for example), but relies upon private disclosure to system owners.

The conversation started when Michael tweeted that “Ovation has ~51% of the generation DCS market”. I had never heard of Ovation (not terribly unusual) so I looked it up on the ICS-CERT vulnerabilities page and could not find any listings of any vulnerabilities. I asked Michael about that and he replied: “They have their own cert for Ovation Users.” And the conversation went on from there and well worth reading aside from this post.

Which brings up the whole issue of vendors fixing and then communicating about security vulnerabilities in their software (which is different than the whole coordinated disclosure debate). I cannot remember discussing this particular issue in any detail before so now seems like a good time.

Mitigation Decisions


Software vendors have been dealing with fixing program bugs forever. They have developed techniques for identifying problems (including outside ‘help’ from researchers), fixing them and then getting the fixes into the hands of consumers. Some are better at it than others.

For industrial control system owners, the fixing of software (lumping in firmware and even some hardware issues here) problems is a bit more problematic than with a standard desktop software issue. The system needs to be taken off-line for some amount of time which requires a shutdown of production. The ‘update’ may cause unknown interactions with other control system components that interfere with production. And finally, the owner may not have anyone ‘on staff’ trained to deal with the above issues. So, the decision to apply a software fix is a cost benefit analysis that frequently results in a ‘if it ain’t broke don’t fix it’ response.

For a security related issues the ‘cost benefit analysis’ is even more difficult. The cost analysis remains the same, but the benefit side is much more difficult since it deals with risk analysis. The cost of potential failure has to be modified by how likely is the failure event to happen. Where no failure history exists (no attacks here) that probability is really difficult to determine.

That is especially true if there are no in-house cybersecurity experts to help make the decision. This is where the system owner has to rely on the information provided by the vendor (and/or system integrator) in describing the vulnerability that is being fixed by the most recent update (patch, new version, etc). A detailed description of what could go wrong, what an attacker would need to successfully exploit the vulnerability and other potential mitigation measures that could reduce the risk will greatly assist the asset owner/operator in making a realistic risk analysis.

Vulnerability Reports


In a near perfect world (no vulnerabilities in a ‘perfect world’) a software engineer from the vendor would call up the control system engineer at the user site and have a detailed discussion of the discovered vulnerability, the fix applied in the latest update, the potential interactions with other systems in use and the probability that an attacker could/would use that vulnerability upon that particular user. That is not going to happen for a whole host of obvious and not so obvious reasons.

In a less perfect world, the conversation would be replace by a detailed written report from the vendor describing the vulnerability in great detail, how it would affect operations and interactions with all probable other devices and software with which the product could be expected to interact. It would also include a discussion of the threat environment in which the product existed, with a report on the history of known/suspected exploits and the potential for exploits in a variety of customer environments.

Again, not going to happen. Too much time and expertise would be required to develop such reports that would also end up disclosing too much proprietary information. And, probably more importantly, they would never actually be read by the owner/operator.

In the real world, what happens is that a brief report (one to two pages) is prepared describing the vulnerability, who it might effect and the potential consequences of a successful exploit. To make the preparation and subsequent analysis of the report easier, a set of standard descriptions is developed and used in standardized report format. Not as much information would be provided, but that which is provided is more accessible and more likely to be used.

Vulnerability Communication


Now, not all vendors have the staff necessary for the development, publication and dissemination of these reports. Instead, they will rely on various computer emergency response teams (CERTs) to provide the communications. A vendor engineer will communicate with a CERT engineer to provide the necessary information and the CERT will write the vulnerability report. Frequently, but certainly not always, the individual who discovered the vulnerability will be involved in providing information to the CERT.

The decision then has to be made as to how the vulnerability report will get into the hands of the owner/operator. Where the vendor/CERT has contact information on all the owner/operators of the affected equipment the report can be directly communicated to them. Where the vendor/CERT does not have that contact information then the only way to get the information to the owner/operator is via public communication of the report.

Public disclosure has a couple of problems associated with it. First it is a public admission by the vendor that a mistake was made in the development of the product; something that the sales department does not generally want to tell potential customers. Second, it substantially increases the number of people that know about the vulnerability, thereby increasing the risk of potential attempts at exploiting the vulnerability.

Typically, the former problem is dealt with by the vendor/CERT first distributing the vulnerability reports privately to those customer with whom they are in contact (generally larger customers), allowing some reasonable time to lapse to allow those customers to remediate their systems and then make a public disclosure to the remainder of the customer base.

Oh, and that first problem? Sales is told to suck it up. After all, the other vendors in the market place (especially the big ones) are publicly disclosing their vulnerabilities, so it is not really an issue.

Public Disclosure Benefits


So, are there benefits to public disclosure that might suggest that it is a good alternative even when customer contact information is available? Actually, there are a number. First, and personally most important, non-customers get a chance to look the disclosure reports and provide their two cents worth in the risk evaluation process. Gadflies, like yours truly, get a chance to provide an outside quality control process to the vulnerability disclosure process to ensure that owner/operators have as much information as practical about the vulnerabilities.

Second, outsiders to the communication process have some access to the vulnerability information. This includes folks like investors, corporate management and yes, regulatory agencies. These are the folks that have a vested interest in ensuring that the proximate decision makers at the owner/operator are making reasonable decisions in their cost-benefit and risk analysis calculations. If they do not know about the existence of the vulnerabilities, they have no way of asking questions about the implementation of those processes with respect to those vulnerabilities.

And, last but not least, researchers in the field get a chance to see what types of vulnerabilities other researchers are finding (and ethically disclosing) and how vendors are dealing with those vulnerabilities. This provides some incentives for ethical (coordinated, or whatever current term you want to use) disclosure and it provides for a robust research community that has a source of fresh ideas about what types of vulnerabilities for which they should be searching.


Needless to say, I am a fan of public disclosure.

Bills Introduced – 07-24-17

Yesterday with both the House and Senate back in session there were 37 bills introduced. Of those, four may be of specific interest to readers of this blog:

HR 3358 Making appropriations for the Departments of Labor, Health and Human Services, and Education, and related agencies for the fiscal year ending September 30, 2018, and for other purposes. Rep. Cole, Tom [R-OK-4]

HR 3359 To amend the Homeland Security Act of 2002 to authorize the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security, and for other purposes. Rep. McCaul, Michael T. [R-TX-10]

HR 3362 Making appropriations for the Department of State, foreign operations, and related programs for the fiscal year ending September 30, 2018, and for other purposes. Rep. Rogers, Harold [R-KY-5]

HR 3364 To provide congressional review and to counter aggression by the Governments of Iran, the Russian Federation, and North Korea, and for other purposes. Rep. Royce, Edward R. [R-CA-39]

As usual I will be watching the two spending bills for cybersecurity measures (probably none in the case of these two bills, but you never know).

HR 3359 is the homeland security bill that I talked about briefly in my blog yesterday. The official text is not yet available, but I may review later today it based upon the committee draft that will be considered tomorrow by the House Homeland Security Committee.


HR 3364 may be of interest if the bill addresses cyber related aggression or cyber response to aggression by these three countries.

Monday, July 24, 2017

HR 3180 Fails in House – FY 2018 Intel Authorization

Today the House failed to pass HR 3180, the FY 2018 Intel authorization bill. It failed on a vote of 241 to 163 with a 2/3 vote (290 Ayes) being required for passage. It was a nearly party-line vote with 10 Republicans voting Nay and 30 Democrats voting Aye. The House Intelligence Committee will have to go back to the drawing board and try to craft a bill that can garner more support from the Democrats if the leadership continues to rely on passing the bill under suspension of the rules.

The other point to remember, however, is that if the bill could not garner the 2/3 vote required under the suspension of the rules process, then it likely would not be able to make it to the floor of the Senate due to the cloture vote requirement (3/5ths vote).


There were no cybersecurity provisions in this bill that would have been of specific interest to readers of this blog.

Committee Hearings – Week of 7-23-27

This week, with both the House and Senate in session we start to see action on spending bills in the Senate while House spending bills start to move to the floor of the House. Additionally, there is two cybersecurity hearing scheduled this week one on insurance and the other a markup hearing.

Spending Bills (Senate Appropriations Committee)


DOD Spending Bill


The House Rules Committee will hold a hearing to formulate the rule for HR 3219 tonight. What was the DOD FY 2018 spending bill is now the Make America Secure Appropriations Act, 2018; a mash-up of four spending bills {HR 3219 (DOD), HR 3162 (Legislative Branch), HR 2998 (Military Construction/VA), and HR 3266 (Energy and Water Development)}.

None of those bills currently have any provisions of specific interest here. The amendment process could certainly change that.

Proposed amendments are supposed to be submitted by later this morning. There were 28 amendments already submitted by 8:00 am EDT. There is only one cyber related amendment (cyber scholarship spending) currently on the list, but that will probably change.

The bill is currently scheduled to come to the floor later this week (Wednesday?).

Cybersecurity Insurance


On Wednesday the House Small Business Committee will be holding a hearing on “Protecting Small Businesses from Cyber Attacks: The Cybersecurity Insurance Option”. The witness list includes:

• Robert Luft, SureFire Innovations;
• Erica Davis, Zurich Insurance;
• Eric Cernak, Munich Re US;
• Daimon Geopfert, Security and Privacy ConsultingRisk Advisory Services

I will be very surprised if control system security issues are even mentioned in passing, but I am certainly open to surprises.

Cybersecurity Markup


The House Homeland Security Committee will be holding a mark-up hearing on Wednesday. Two of the bills may be of specific interest to readers of this blog. The first is HR 3202, Cyber Vulnerability Disclosure Reporting Act, the bill I reviewed yesterday. I certainly hope the Committee adds provisions requiring public posting of the unclassified report.

The second is a new (not yet introduced) bill by Chairman McCaul (R,TX) that would establish the Cybersecurity and Infrastructure Security Agency to replace the current National Protection and Programs Directorate. A committee print of the bill is available and a quick review of the provisions shows that it still relies on the IT-centric definition of ‘cybersecurity risk’ found in 6 USC 148(a). I would really like to see this bill change that definition to one based on the ‘information system’ definition found in 6 USC 1501(9). More on this bill later.

On the Floor of the House


In addition to HR 3219 mentioned above there are two other bills of potential interest currently on the schedule for consideration on the floor of the House. The first is HR 3180, the Intelligence Authorization Act for Fiscal Year 2018. While there are some cyber related provisions in the unclassified portion of the bill, none are of specific interest to readers of this blog. The bill will be considered today under the suspension of the rules, so no amendments will be possible.


The second is an as of yet unintroduced “Russia, Iran, and North Korea Sanctions Act”. It will be considered tomorrow, so it will be introduced today. A very quick review of the committee draft of bill does show mention of cybersecurity related sanctions. I’ll review those in more detail later. Interestingly, this bill is also being considered under the suspension of the rules provisions indicating that the leadership thinks this bill will receive substantial bipartisan support to meet the 2/3 majority vote required for passage.

Sunday, July 23, 2017

HR 3202 Introduced – Cybersecurity Reporting

Earlier this month Rep. Jackson-Lee (D,TX) introduced HR 3202, the Cyber Vulnerability Disclosure Reporting Act. The bill would require a report to Congress on procedures that DHS has developed in regards to vulnerability disclosures.

Section 2 of the bill requires DHS (within 240 days of passage of the bill) to report to Congress that describes “the policies and procedures developed for coordinating cyber vulnerability disclosures, in accordance with section 227(m) of  the Homeland Security Act of 2002 (6 U.S.C. 148(m) [Link Added; Note: it is §148(l) at this link, an amendment changing that para to (m) has not yet been published])” {§2(a)}.

Moving Forward


Jackson-Lee is an influential member of the House Homeland Security Committee, the committee to which the bill was assigned for consideration. It is very likely that she has enough influence to have this bill considered in Committee. There is nothing in the bill that would draw the ire of any organization. Since it just requires a very legitimate report to Congress it is likely that this bill would have enough bipartisan support to allow it to be considered under the suspension of the rules procedures in the House. If it were to be considered in the Senate, it would likely be considered under their unanimous consent procedure.

Commentary


Since the bill specifies that the main report will be unclassified (with a potential classified annex) I would have liked to have seen the bill include a provision for DHS to post a copy of the unclassified version of the report to the NCCIC web site. That would allow these policies and procedures to become public knowledge, as they should be. Without that sort of provision we may never see this report; it certainly will not show up on a congressional web site.


Trump Administration Updates Unified Agenda – DHS

This week the Trump Administration’s Office of Information and Regulatory Affairs (OIRA) published an Update to the Unified Agenda. This provides a look at the results of the review of on-going regulatory actions previously addressed by the Obama Administration and new regulatory initiatives started by the new administration. The last Obama update of the Unified Agenda (Fall 2016 Unified Agenda) took place in November, 2016.

Trump’s OIRA described the current Unified Agenda this way:

“The Agenda represents ongoing progress toward the goals of more effective and less burdensome regulation and includes the following developments:
“Agencies withdrew 469 actions proposed in the Fall 2016 Agenda;
“Agencies reconsidered 391 active actions by reclassifying them as long-term (282) and inactive (109), allowing for further careful review;
“Economically significant regulations fell to 58, or about 50 percent less than Fall 2016;
“For the first time, agencies will post and make public their list of "inactive" rules-providing notice to the public of regulations still being reviewed or considered.”

DHS Active Rulemaking


As usual, I have gone through the list of active DHS rulemaking activities and came up with a list that may be of specific interest to readers of this blog. Table 1 lists those rulemaking activities.

OS
Proposed Rule
Chemical Facility Anti-Terrorism Standards (CFATS)
USCG
Proposed Rule
Revision to Transportation Worker Identification Credential (TWIC) Requirements for Mariners
TSA
Proposed Rule
Surface Transportation Vulnerability Assessments and Security Plans
Table 1: Items on Current Unified Agenda

This is down from eight that were on the Fall 2016 Agenda. One (1601-AA56) action has been completed with the final rule being published last December. Four items (1601-AA76, 1625-AB94, 1652-AA55, and 1652-AA69) have been moved to the long-range portion of the Agenda (see below).

The pages for each of the rulemakings have been substantially changed in this update. This version does not include a regulatory history (listing of when various stages of the rulemaking process have been completed including a link to the Federal Register for each publication noted). The update also does not provide an expected date for the publication of the next stage in the rulemaking process. In the past those have proven to be grossly inadequate guesses, so there is really not much lost by not including that information.

Long-Term Actions


The long-term action section of the Unified Agenda contains the listing of on-going rulemaking efforts that the Administration does not expect to see reach the next publication stage for at least 12 months. The long-term action section for DHS is quite lengthy. The list includes the rulemakings shown in Table 2 that may be of specific interest to readers of this blog.


OS
Ammonium Nitrate Security Program
OS
Homeland Security Acquisition Regulation: Safeguarding of Controlled Unclassified Sensitive Information (HSAR Case 2015-001)
OS
Updates to Protected Critical Infrastructure Information
USCG
Amendments to Chemical Testing Requirements
USCG
2013 Liquid Chemical Categorization Updates
Maritime Security--Vessel Personnel Security Training
TSA
Protection of Sensitive Security Information
TSA
Security Training for Surface Transportation Employees
TSA
Vetting of Certain Surface Transportation Employees
Table 2: Long-Term Actions for DHS

This list is longer than the one found in the Fall 2016 Unified Agenda. I have already noted that three items were moved here from the active agenda. Additionally, the Trump Administration added a new rulemaking (1625-AC36) that has been placed on the long-term action list. Finally, OIRA removed a rulemaking (1625-AB21) that had actually been completed (final rule published) well prior to the publication of the Fall 2016 Unified Agenda. The Obama OIRA apparently kept it on the list because the effective date was not until 2018.

Inactive Items


It is interesting to see the Trump Administration introduce the concept of the ‘Inactive Items’ list; rulemakings that have dropped off the Unified Agenda, but are still in the working files of the agency involved and action could possibly be expected at some future date. This list is also odd in that it is a .PDF document rather than an HTML table.

There are four rulemakings on the DHS portion of the list that may be of specific interest to readers of this blog. I have included in the list below a link to the last time that the rulemaking showed up in the Unified Agenda. It is very clear that the administration officials took their mandate to identify such latent rulemakings very seriously.

• 1625-AA12 – USCG – Marine Transportation--Related Facility Response Plans for
Hazardous Substances (Fall 2013);
• 1625-AA13 – USCG – Tank Vessel Response Plans for Hazardous Substances (Fall 2013);
• 1652-AA16 – TSA – Transportation of Explosives from Canada to the United States Via Commercial Motor Vehicle and Railroad Carrier (Fall 2011)
• 1652-AA50 – TSA – Drivers Licensed by Canada or Mexico Transporting Hazardous Materials to and Within the United States (Fall 2015)

Commentary


While Trump vociferously campaigned on a stand against new regulations, this publication of the Unified Agenda update makes it clear that we can still expect to see regulatory actions being taken by this administration. In fact, with respect to those types of regulations that would be of specific interest here, there has been absolutely no indication of a reduction in the change in the number of regulatory actions being undertaken.


It is not entirely clear at this point that the one new rulemaking added to the Unified Agenda Long-Term Agenda in this update (1625-AC36) is really a new regulatory action initiated by the Trump Administration. This has been an on-going issue since the 2010 amendments to the Standards of Training, Certificate, and Watchkeeping Convention and Code, but this is the first time that it has been officially noted in the Unified Agenda.
 
/* Use this with templates/template-twocol.html */