Thursday, November 30, 2017

ICS-CERT Publishes Latest Monitor – Sep-Oct 2017

Yesterday the DHS ICS-CERT published the latest version of the ICS-CERT Monitor. Long-time readers of this blog will no doubt understand that I have become less than enamored with this periodical in recent years. It has become more of a corporate selfie than a real communications tool, but occasionally there is an information gem that is worthy of note.

Selfie Components

The Monitor starts with a Trumpian, “look how great I am”, article on a recent training program conducted by ICS-CERT in Japan. It then goes on to announce the publication of a 2-page, color glossy ‘fact sheet’ looking back at last year’s “Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies” update.

There is one page dedicated to ICSJWG news, including an announcement of the Spring meeting dates; April 10–12 in Albuquerque, NM. Unfortunately the ICSJWG web site still does not include an agenda for the fall 2017 meeting, nor is there any mention of the rumored announcement that was made about the reorganization/abolishment/fusion of ICS-CERT.

Finally, we have the standard elements that we have come to know and ignore:

• ICS-CERT Assessment Activity;
• Recent Product Releases;
• Coordinated Vulnerability Disclosure; and
• Upcoming Events

The Gem

Okay, this may be more of a sparkler than a true precious stone, but there is an interesting and worthwhile full-page article on updating antivirus software in ICS systems. The core assumption in this article is found in the second paragraph:

“The recommended secure network architecture for ICS (Figure 1) places the antivirus, Windows Server Update Services (WSUS), and patch server(s) in the control center LAN DMZ. In this architecture, each level should only send or receive traffic to any directly adjacent level, which precludes the antivirus/WSUS/patch server from communicating directly with either the vendor antivirus servers or the organizational antivirus servers.”

This, of course, leads to the need for downloading the daily AV signature update onto removable media, checking that media for malware, checking the hash, running the update in a test environment, and finally, updating the AV on the appropriate ICS systems. All very neat and tidy, and security compliant; I wonder how many folks actually do this. Or is this really the reason that so many folks are starting to talk about how outdated/useless AV is?

Of course, the same process would be required for updates for all Windows OS, control systems, and device software. Again, does this explain the apparently widespread practice of overlooking/ignoring system updates?
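The "check the hash" step in that sneaker-net procedure is the one that actually gates what gets imported on the DMZ update server, so here is what it looks like when written down. This is an added example, not code from the Monitor article or from any AV or WSUS vendor; the sha256sum-style manifest layout, the directory names and the placeholder update files are all constructed for the example.

```python
"""
Verify an offline update package before it crosses the air gap.

Added example; it is not code from the ICS-CERT Monitor article or from
any AV or WSUS vendor. It models the "check the hash" step for signature
and patch files that are downloaded on a business-network host, copied to
removable media, and then imported on the DMZ update server. The manifest
format (sha256sum style), the directory layout and the sample files are
all constructed for this example.
"""
import hashlib
import hmac
import os
import tempfile

MANIFEST_NAME = "MANIFEST.sha256"


def sha256_of_file(path, chunk=65536):
    """Stream the file so large patch bundles do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Parse '<sha256 hex>  <relative path>' lines (the sha256sum layout)."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno} is malformed: {line!r}")
        digest, rel = parts
        entries[rel.lstrip("*")] = digest.lower()   # '*' is sha256sum's binary-mode marker
    return entries


def verify_media(media_dir, manifest_text):
    """Return (ok, report): ok is True only when every listed file is present
    with the expected digest AND nothing unlisted is on the media."""
    expected = parse_manifest(manifest_text)
    present = set()
    for root, _dirs, files in os.walk(media_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), media_dir)
            rel = rel.replace(os.sep, "/")
            if rel != MANIFEST_NAME:
                present.add(rel)

    report = {}
    for rel, digest in expected.items():
        if rel not in present:
            report[rel] = "missing"
        elif hmac.compare_digest(sha256_of_file(os.path.join(media_dir, rel)), digest):
            report[rel] = "ok"
        else:
            report[rel] = "hash mismatch"
    for rel in present - expected.keys():
        report[rel] = "unexpected file"    # never import anything the manifest does not list
    return all(v == "ok" for v in report.values()), report


def build_demo_media(tamper=False):
    """Constructed sample media: two placeholder update files plus their manifest.
    With tamper=True one file is altered and an unlisted file is added."""
    media = tempfile.mkdtemp(prefix="update_media_")
    files = {
        "sigs/daily.cvd": b"constructed signature blob, version 1\n",
        "patches/KB-PLACEHOLDER.msu": b"constructed patch bytes\n",
    }
    for rel, data in files.items():
        path = os.path.join(media, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    manifest = "".join(f"{hashlib.sha256(d).hexdigest()}  {rel}\n" for rel, d in files.items())
    if tamper:
        with open(os.path.join(media, "sigs/daily.cvd"), "ab") as f:
            f.write(b"one extra byte\n")
        with open(os.path.join(media, "autorun.inf"), "wb") as f:
            f.write(b"[autorun]\n")
    return media, manifest


if __name__ == "__main__":
    for tamper in (False, True):
        media, manifest = build_demo_media(tamper)
        ok, report = verify_media(media, manifest)
        print("tampered" if tamper else "clean", "->", "IMPORT" if ok else "REJECT", report)
```

The check is only as good as where the manifest comes from: if the manifest travels on the same removable media as the files it describes, anyone who can alter the files can regenerate it. The expected digests have to reach the DMZ side by a path the media cannot influence (the vendor's published hashes, a signed manifest, or a value read aloud from the business-network host), which is also why the procedure in the article separates the malware scan, the hash check and the test-environment run into distinct steps.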

Wednesday, November 29, 2017

Bills Introduced – 11-28-17

Yesterday with both the House and Senate in session there were 31 bills introduced. Of these only one may be of specific interest to readers of this blog:

HR 4474 To enhance the security of surface transportation assets, and for other purposes. Rep. Watson Coleman, Bonnie [D-NJ-12]

Looking at the bill fact sheet prepared by Watson-Coleman’s office this looks like it will be a very comprehensive surface transportation security bill. While it does not appear to specifically address chemical transportation security issues, it would require DOT to complete their rulemaking on transportation security training and may address transportation cybersecurity issues.

ICS-CERT Publishes Two Advisories and Two Siemens Updates

Yesterday the DHS ICS-CERT published a medical device security advisory for products from Ethicon and a control system security advisory for products from Siemens. It also published two updates of control systems advisories for products from Siemens. The Siemens advisory and the two updates were announced by Siemens last week.

Ethicon Advisory

This advisory describes an improper authentication vulnerability in the Ethicon Endo-Surgery Generator Gen11. This vulnerability is apparently self-reported. A field cybersecurity update is reportedly being made available today. There is no FDA advisory for this vulnerability.

ICS-CERT reports that a highly skilled attacker with local access could exploit this vulnerability to allow for unauthorized devices to be connected to the generator, which could result in a loss of integrity or availability.

Siemens Advisory

This advisory describes multiple vulnerabilities in Siemens SCALANCE network interfaces. These vulnerabilities were self-reported. Siemens is reporting work-around mitigation measures pending the development of updates for these products.

The reported vulnerabilities are:

• Uncontrolled resource consumption (3) - CVE-2017-13704, CVE-2017-14495, and CVE-2017-14496; and
• Improper restriction of operations within the bounds of a memory buffer - CVE-2017-14491

ICS-CERT reports that a relatively low skilled attacker with remote access could exploit these vulnerabilities to crash the DNS service or execute arbitrary code by crafting malicious DNS responses. The Siemens security advisory reports that the buffer vulnerability requires the attacker to be in a man-in-the-middle position to exploit the vulnerability.

S7-300 Update

This update provides new information on an advisory that was originally published on December 13th, 2016 and then updated on May 9th, 2017 and July 25th. This update provides new version information and an update link for the SIMATIC S7-400 V6PN.


This update provides new information on an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, on July 25th, 2017, on August 17th, 2017, on October 10th and most recently on November 14th. This update provides new version information and update links for:

• SCALANCE X200: All versions prior to V5.2.2
• S7-400 PN/DP V6 Incl. F: All versions prior to V6.0.6

Missing Siemens Update

On the same day that Siemens announced their advisories for the updates listed above, they also announced an update for their advisory for the DROWN (Decrypting RSA with Obsolete and Weakened eNcryption; CVE-2016-0800) vulnerability in their industrial products. The ICS-CERT advisory for this vulnerability was last updated on July 15th of this year.

OOPS. I missed the ICS-CERT update for this advisory (0725 EST 11-29-17).

Sunday, November 26, 2017

NMSAC to Discuss CG Cybersecurity Guidance

On Friday the Coast Guard published a meeting notice in the Federal Register (82 FR 55847-55848) for a teleconference of the National Maritime Security Advisory Committee (NMSAC) on December 14th, 2017. The conference will discuss the Cybersecurity Working Group’s recent work on the draft of the Navigation and Vessel Inspection Circular (NVIC) 05-17 (Note: the new CG Homeport does now support standard links, yeah); Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act Regulated Facilities, which was released earlier this year.

The teleconference is open to the public but registration is required. There will be a public comment period at the end of the NMSAC discussion.

Wednesday, November 22, 2017

ICS-CERT Publishes Another Vendor KRACK Advisory

Yesterday the DHS ICS-CERT published a control system security advisory for WLAN-enabled products from Phoenix Contact. This is for the Key Reinstallation Attack (KRACK) set of vulnerabilities. ICS-CERT credits the original KRACK researcher, Mathy Vanhoef of imec-DistriNet, for reporting the vulnerability, but this instance was self-reported by Phoenix Contact.

This advisory only reports three of the ten reported KRACK CVEs. It is not clear if the vendor has evaluated the other potential KRACK instances and found them missing (not implemented) on their devices, or just thought that these were the most serious implementation issues in their devices.

The Phoenix Contact advisory at CERT@VDE provides much more detailed information about the extent of the vulnerability. They report:

“PHOENIX CONTACT embedded devices running in AP mode are not affected by these vulnerabilities. If devices are used in client or repeater mode, an attacker could in theory decrypt any packet sent by the client. Devices of the FL WLAN 110x, 210x, and 510x product families are only affected to a very limited extent. With these devices, only data packets sent within three seconds after key renewal could possibly be decrypted by a successful attacker. In general, if TCP SYN packets are decrypted, this can be used to hijack TCP connections and inject malicious traffic into unencrypted protocols. However, to perform the attack, the attacker must be significantly closer to the WLAN client than the access point. In industrial or indoor applications, the attacker would have to be inside the plant. A successful external attack therefore seems to be very difficult. Furthermore, the WPA2 password cannot be compromised using a KRACK attack. It is not possible for the attacker to gain full access to the network. However, note that if WPA-TKIP is used instead of AES-CCMP, the impact of this vulnerability is much more severe, because an attacker can then not only decrypt packets, but also forge and inject packets directly into the WLAN.”
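The Phoenix Contact statement turns on one mechanism: a key reinstallation resets the client's packet number, so the same key and nonce get used twice. The model below is an added example, not Phoenix Contact's, Siemens' or ICS-CERT's code, and not a model of the real 802.11 four-way handshake; a constructed CTR-style keystream (HMAC-SHA256 keyed with the session key, over nonce and block counter) stands in for CCMP so that it runs with the Python standard library alone. It shows why the "packets sent shortly after key renewal" in the quote are the exposed ones, and what the client-side fix (refusing to reinstall a key that is already in use) changes.

```python
"""
Why a key reinstallation matters: the same key with a reset nonce.

Added example; not Phoenix Contact's, Siemens' or ICS-CERT's code, and
not a model of the real 802.11 4-way handshake. A constructed CTR-style
keystream (HMAC-SHA256 over nonce || block counter, keyed with the session
key) stands in for CCMP so the example runs with the standard library only.
"""
import hashlib
import hmac


def keystream(key, nonce, length):
    """Deterministic keystream: identical (key, nonce) gives identical bytes,
    which is the property CCMP and TKIP rely on never being triggered twice."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class WlanClient:
    """Minimal client-side model. reject_reinstall=True is the mitigation the
    KRACK paper describes: a retransmitted install for the key already in
    use must not reset the packet number (nonce)."""

    def __init__(self, reject_reinstall):
        self.reject_reinstall = reject_reinstall
        self.key = None
        self.nonce = 0

    def install_key(self, key):
        if self.reject_reinstall and key == self.key:
            return False            # duplicate message: keep key and nonce untouched
        self.key = key
        self.nonce = 0              # a genuinely new key may legitimately start at 0
        return True

    def encrypt(self, plaintext):
        self.nonce += 1
        return self.nonce, xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))


def demo(reject_reinstall):
    """Encrypt one frame, re-deliver the key install, encrypt another frame.
    Returns whether the nonce was reused and whether the two ciphertexts
    leak the XOR of their plaintexts (the two-time-pad condition)."""
    key = b"\x11" * 32                      # constructed session key
    client = WlanClient(reject_reinstall)
    client.install_key(key)
    p1 = b"sensor reading 41.8"
    n1, c1 = client.encrypt(p1)
    client.install_key(key)                 # retransmitted handshake message
    p2 = b"sensor reading 42.0"
    n2, c2 = client.encrypt(p2)
    return {"nonce_reused": n1 == n2, "keystream_reused": xor(c1, c2) == xor(p1, p2)}


if __name__ == "__main__":
    print("vulnerable client:", demo(reject_reinstall=False))
    print("patched client:   ", demo(reject_reinstall=True))
```

Two things in the quote follow directly from this. Only frames encrypted after the reset and before the counter climbs past values already used are exposed, which is the "within three seconds after key renewal" window; and because the session key itself is never recovered, the WPA2 password is not at risk. The extra severity for WPA-TKIP that the quote mentions comes from TKIP's integrity key being derivable once keystream is known, which CCMP does not share; that part is not modelled here.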

TIRADE ALERT – Another vendor provides information on KRACK and ICS-CERT has still failed to publish an alert about the vulnerability, or even just a link to the original paper. I have been complaining about this inaction on the part of ICS-CERT wherever I talk about ICS security issues. I had an interesting conversation with Anton Shipulin, of Kaspersky Labs, over on LinkedIn about the issue and he noted that this could be the result of the recent NCCIC reorganization that ‘moved’ ICS-CERT into NCCIC. I still have not seen anything from DHS about the move, but if the reorganization changed the information sharing responsibilities of ICS-CERT to the control system security community, then DHS needs to reverse that change as quickly as possible. Perhaps Congress needs to look into this.

Saturday, November 18, 2017

Public ICS Disclosure – Week of 11-12-17

Today this is not about a new disclosure but about some new information on an ICS-CERT advisory that was published this week. SEC Consult published additional information on the Siemens SICAM vulnerabilities on the FullDisclosure web site.

The ICS-CERT advisory reported that publicly available exploits were available, but did not provide a link. This report from SEC Consult provides proof of concept code for exploiting the first two vulnerabilities and a link to a very old (2003) report on the code injection vulnerability. That link leads to a report by Luigi Auriemma, a name that hasn’t been seen on this blog in quite some time.

The Luigi report is about the GoAhead web server that was apparently used by Siemens in the affected versions of the SICAM devices. This is not noted in either the ICS-CERT advisory or the Siemens security advisory. Luigi describes GoAhead this way:

“Goahead (sic) webserver is an embedded OpenSource server that can be build (sic) on a lot of systems (CE, Ecos, GNU/Linux, Lynx, MacOS, NW, QNX4, VXWORKS, Win32 and others).
“It is supported by a lot of companies that use it for their projects and it is also used like ‘base’ for other webservers, furthermore it has been developed for be very tiny and to run on embedded systems.”

Apparently, Siemens used an unpatched version of the webserver (Luigi reported that the vulnerability he reported was fixed in December 2003) in the affected versions of the SICAM devices. Since Siemens (and almost all other ICS vendors) did not start to take control system security seriously until after 2010 (STUXNET), it is not surprising that a newer version of the webserver was not incorporated in these devices; in fact, it is quite possible that they were not informed of the vulnerability.

This is an old, but continuing, problem with third-party software that is still used in many control system devices today. If the original vendor does not have an active method for sharing vulnerability information with all of its customers, the using vendor may not become aware of the vulnerability until some third-party researcher discovers the problem.

More disturbing in this case is the fact that neither ICS-CERT nor Siemens mentioned that the vulnerabilities (apparently all three) in the SICAM devices were based upon vulnerabilities in a GoAhead web server. If it were not for this separate SEC Consult disclosure, the community would not realize that there was a third-party vulnerability involved that may still exist in other non-Siemens devices.
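The gap described above, a fourteen-year-old upstream fix that never made it into a shipping device, is the kind of thing a component inventory cross-checked against upstream notices is meant to catch. The script below is an added example and is not Siemens', SEC Consult's or ICS-CERT's tooling. The SBOM-style inventory and the advisory feed are constructed; only the GoAhead component name and the December 2003 fix date come from the text above, and every version number, device name and reference id is a placeholder.

```python
"""
Cross-check a device's embedded third-party components against an
advisory feed.

Added example; this is not Siemens', SEC Consult's or ICS-CERT's tooling.
The inventory (an SBOM-style list of the third-party libraries built into
a firmware image) and the advisory feed are constructed. Only the GoAhead
component name and the fact that its upstream fix dates from December 2003
come from the disclosure discussed above; every version number, device
name and reference id below is a placeholder.
"""
import re
from dataclasses import dataclass


def parse_version(text):
    """'2.1.8' -> (2, 1, 8). Tuples compare element-wise, so 2.10 > 2.9 as it should."""
    return tuple(int(x) for x in re.findall(r"\d+", text))


@dataclass(frozen=True)
class Component:
    device: str
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    component: str
    fixed_in: str      # first upstream version that carries the fix (placeholder)
    published: str     # when upstream published it
    ref: str           # pointer to the upstream notice (placeholder)


# Constructed firmware inventory for two placeholder device models.
INVENTORY = [
    Component("rtu-model-A", "GoAhead", "2.1.5"),
    Component("rtu-model-B", "GoAhead", "2.5.0"),
    Component("rtu-model-A", "libplaceholder", "1.0.3"),
]

# Constructed feed entry; the fixed_in version is a placeholder, the date is from the text.
FEED = [
    Advisory("GoAhead", "2.1.8", "2003-12", "PLACEHOLDER-upstream-notice"),
]


def affected(inventory, feed):
    """Return one finding per (component, advisory) pair where the shipped
    version predates the fixed version."""
    by_name = {}
    for adv in feed:
        by_name.setdefault(adv.component.lower(), []).append(adv)
    findings = []
    for comp in inventory:
        for adv in by_name.get(comp.name.lower(), []):
            if parse_version(comp.version) < parse_version(adv.fixed_in):
                findings.append({
                    "device": comp.device,
                    "component": comp.name,
                    "shipped": comp.version,
                    "fixed_in": adv.fixed_in,
                    "published": adv.published,
                    "ref": adv.ref,
                })
    return findings


if __name__ == "__main__":
    for f in affected(INVENTORY, FEED):
        print(f"{f['device']}: {f['component']} {f['shipped']} < {f['fixed_in']} "
              f"(upstream fix published {f['published']}, see {f['ref']})")
```

The check itself is trivial; the hard part is the two inputs. A device vendor has to know, per firmware image, which third-party components and versions it shipped, and it has to be subscribed to whatever channel the upstream project uses for fixes. When either input is missing, which is the situation the post describes, the first notice the vendor gets is the third-party researcher's disclosure.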

Friday, November 17, 2017

S 2083 Introduced – Port Cybersecurity

Earlier this month Sen. Harris (D,CA) introduced S 2083, the Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act of 2017. This bill is essentially identical to the version of HR 3101 that was passed in the House last month.

While Harris is not a member of the Senate Commerce, Science, and Transportation Committee (the committee to which this bill was assigned for consideration), her co-sponsor, Sen Sullivan (R,AK) is. This means that there is a chance that the Committee could take up the bill.

It is unusual for companion legislation to be introduced this late in the process. It probably means that Harris does not think that there is a reasonable chance that the Senate will take up HR 3101, even though there was bipartisan support for that bill in the House. That is not unusual; the House passes a lot of bills that are never taken up by the Senate, and the Senate is slower to pass legislation.

If this bill is marked up by the Commerce Committee there will be a better chance that it will be taken up by the whole Senate. Unless there are significant amendments made to the bill, there is a good chance that the House would accept the Senate version of the bill and not require it to go to conference.

It is unlikely that this bill will receive any consideration this year.

CSB’s Arkema Investigation Update

Earlier this week the Chemical Safety Board (CSB) held a news conference (note this link is to a copy of the email that I received about the press conference, the Sutherland statement is not currently available on the CSB web site) to provide an update on their investigation of the fires at the Arkema site in Crosby, TX after Hurricane Harvey (discussed in this blog here). As part of that news conference, CSB released a video showing the time-line of activities that took place during the incident.

The Time Line

CSB shared the following time-line graphic at that news conference


Sutherland concluded her statement by saying: “There is a valuable lesson that facilities in the Gulf and elsewhere should note:  Reassess continuity of operations plans and worst case (sic) scenario assumptions.  Plan and plan again. Don’t be lulled into a false sense of safety by thinking that ‘it can’t/ won’t happen here.’”

A key part of that planning process is the identification of the key assumptions made during that process. Here, for example, the assumption was that flood waters would not exceed 2-ft. I would be surprised if this assumption was made and documented in any formal fashion, but it was made when it was decided to elevate the backup generators by that much.

If the facility had documented the reasoning process that led to that decision, a periodic review of the plan may have noted that the increased rainfall that storms have been producing in the north-western Gulf Coast in recent years might have called for a revision of that assumption.

All emergency response plans need to be formally reviewed on a recurring basis. For example, along the Gulf and Atlantic Coast, chemical facilities should formally review their hurricane response plans every spring, well before the start of the season. That review should include:

• Lessons learned from previous seasons;
• Assumptions about storm action levels;
• Assumptions about worst-case scenarios;
• Shutdown decision points;
• Evacuation decision points;
• Coordination activities with local community responders;
• Facility protection plans; and
• Recovery plans.

Worst-case scenario planning, it must be remembered, should not start with an assumption about what is the worst thing that could happen to the facility. It should start with an analysis of what is the worst thing that can happen at a facility. At the Arkema facility this would have been the decomposition/fire/explosion of the material in one of the cold storage buildings. From that worst-case incident the planning process needs to identify possible routes to that incident and the mitigation measures necessary to prevent those causes.

Was the worst-case planning at the Arkema facility adequate? In hindsight, it is easy to come to the conclusion that it was not; easy, but not necessarily correct. Three feet of flood water had never been documented in that area, so it is hard to fault Arkema (or any of its neighbors) for not planning for such flooding. Plans going forward will have to be revised for that eventuality, but it was not reasonable pre-Harvey.

The other thing about emergency planning that we see clearly from this event is that plans need to be modified on the fly as situations change. It is clear from the timeline presented by CSB that Arkema continued to recognize that the situation was changing for the worse and that they adapted in a timely and proactive manner to those changes. This is one of the reasons that facility evacuation plans in the face of storms like these must consider leaving a team on site to respond to changing conditions.

Any stay behind team needs to include knowledgeable management and operations/maintenance personnel that have the authority and skills to react to changing conditions. They must be protected against the potential storm effects and provided with communications tools to be able to coordinate with local response agencies if required.

As I have noted before in discussing this event, the CSB investigation of the incident should focus on the planning process that was in place for this facility. The result of the investigation should include recommendations for emergency planning actions that chemical facilities should take to prevent damage (with off-site consequences) from predictable natural disasters like hurricanes, floods, tornados, and earthquakes (all in appropriate areas of the country).

Thursday, November 16, 2017

ICS-CERT Publishes Two Advisories

Today the DHS ICS-CERT published two control system security advisories for products from Siemens and Moxa.

Siemens Advisory

This advisory describes multiple vulnerabilities in Siemens SICAM RTU products. The vulnerabilities were reported by SEC Consult Vulnerability Lab. Siemens is recommending that the web server be disabled after system commissioning to mitigate the vulnerabilities in current versions.

The three vulnerabilities reported are:

• Missing authentication for critical function - CVE-2017-12737;
• Improper neutralization of input during web page generation - CVE-2017-12738; and
• Improper control of generation of code - CVE-2017-12739

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability using a publicly available exploit to execute arbitrary code. The Siemens security advisory notes that network access to the affected devices is required.

Moxa Advisory

This advisory describes multiple vulnerabilities in the Moxa NPort serial network interface products. The vulnerabilities were reported by Florian Adamsky. Moxa has a new firmware version that mitigates the vulnerability. There is no indication that Adamsky has been provided an opportunity to verify the efficacy of the fix.

The three vulnerabilities reported are:

• Improper neutralization of special elements in output used by downstream component - CVE-2017-16719;
• Information exposure - CVE-2017-16715; and
• Uncontrolled resource consumption - CVE-2017-14028

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow for remote code execution on the device.

ISCD Publishes SSP Revision Decision Tool

Today the DHS Infrastructure Security Compliance Division (ISCD) published a new tool on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. The tool can be used by facilities to help decide if their recent CSAT 2.0 tiering letter will require edits of a currently approved site security plan.

The new tool, the “Decision Tree: Could Site Security Plan Edits be Required?”, is a flowchart with a series of binary response questions. The answers to each question either lead to another question or one of two ultimate answers:

“Edit may not be required”; or
“Recommended edit”

The alert reader will recognize that neither of those responses is definitive. With the exception of one decision tree, the reason for this is clear: the decision trees end with a question about the appropriateness of existing security measures for the new situation. Since it is not technically possible for the facility to definitively answer that question, the facility will be required to make their best, educated guess in answering that question.

As in all things CFATS, if there are questions, contact your facility Chemical Security Inspector, Regional Compliance Manager, or the CFATS Hotline.

Wednesday, November 15, 2017

IED Precursor Chemical Study Published

Today the DHS Chemical Facility Anti-Terrorism Standards (CFATS) web site was updated to include links to a pre-publication copy of the National Academies report on possible modes of regulating improvised explosive device (IED) precursor chemicals. This study was commissioned by DHS in August 2016 as part of their efforts to craft effective regulations for the prevention of the use of ammonium nitrate in IEDs.

A quick review of the 191-page document would indicate that the study committee has taken a very nuanced look at the issue of controlling precursor chemicals to prevent their use in the construction and use of IEDs by terrorists. There is no quick fix proposed by the study. Instead they have produced six broad recommendations:

Federal, state, local, and private sector entities attempting to reduce the threat of IED attacks by restricting access to precursor chemicals should focus on both person-borne and vehicle-borne IEDs.

Federal, state, local, and private sector entities attempting to reduce the threats from person-borne and vehicle-borne IEDs should consider multi-chemical, rather than single-chemical, strategies.

Federal, state, local, and private-sector entities attempting to reduce the threats from person-borne and vehicle-borne IEDs should focus on retail-level transactions of precursor chemicals, especially e-commerce.

Federal, state, local, and private-sector entities should explore strategies for harmonizing oversight of the sale and use of commercially available kits that contain precursor chemicals that are specifically designed to be combined to produce homemade explosives.

US DHS should engage in a more comprehensive, detailed, and rigorous analysis of specific provisions for proposed mandatory and voluntary policy mechanisms to restrict access to precursor chemicals by malicious actors.

The federal government should provide additional support for voluntary measures, activities, and programs that can contribute to restricting access by malicious actors to precursor chemicals used to manufacture IEDs.

I will be taking more detailed reviews of various portions of the study in future blog posts.

ICS-CERT Publishes 3 Advisories and Updates 2

Yesterday the DHS ICS-CERT published one medical system security advisory and two control system security advisories. Those advisories were for products from Philips, ABB and Siemens. They also updated two Siemens advisories.

Philips Advisory

This advisory describes an insufficiently protected credentials vulnerability in the Philips IntelliSpace Cardiovascular and Xcelera cardiac image and information management systems. This vulnerability was apparently self-reported. The Philips security page notes that the vulnerability was reported to Philips by a customer. Philips has produced a hot fix update to mitigate the vulnerability.

ICS-CERT reports that an uncharacterized attacker could remotely exploit this vulnerability to access sensitive information stored on the system, modify device configuration, and gain access to connected devices.

NOTE: The Philips security page also has a note about the KRACK vulnerability potential effect on Philips products. Research is ongoing at Philips.

ABB Advisory

This advisory describes multiple security features vulnerabilities in the ABB TropOS. These are the KRACK vulnerabilities in this product that I discussed earlier. ICS-CERT reports that ABB is still working on mitigation measures.

ICS-CERT reports that an uncharacterized attacker within radio range of the product could exploit these vulnerabilities to decrypt, replay, and forge some frames on a WPA2 encrypted network.

Siemens Advisory

This advisory describes multiple security features vulnerabilities in the Siemens SCALANCE, SIMATIC, RUGGEDCOM, and SINAMICS Products. These are the KRACK vulnerabilities. Siemens is continuing to work on updates.

ICS-CERT reports that an uncharacterized attacker within radio range of the product could exploit these vulnerabilities to decrypt, replay, and forge some frames on a WPA2 encrypted network.


This update provides new information for an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, on June 20th, 2017, on July 6th, 2017, on July 25th, 2017, on August 17th, 2017 and most recently on October 10th. The update provides new affected version information and mitigation links for:

• SIMATIC NET PC-Software: All versions prior to V14 SP1


This update provides new information for an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, on July 25th, 2017, on August 17th, 2017, and most recently on October 10th. The update provides new affected version information and mitigation links for:

• Softnet PROFINET IO for PC-based Windows systems: All versions prior to V14 SP1
• SIMATIC ET 200AL: All versions prior to V1.0.2

KRACK Commentary

ICS-CERT publishes two vendor reports (one two-week old and the other almost a week old) of the KRACK vulnerability in wireless networks (and misses the publicly available information from a third vendor), and still does not see a problem common to all industrial and medical control systems that allow for wireless access, a problem severe enough to provide an alert on the vulnerabilities? SHAME on DHS for allowing this blindness to continue.

Tuesday, November 14, 2017

CFATS Reauthorization – Agricultural Production Facilities

This is the second in a continuing series of blog posts on my proposed changes to the CFATS authorization. The current authorization for the program ends on December 18th, 2018. These posts address some of the language that I would like to see in any re-authorization bill. The initial post was:

The Current Exemption

In January of 2008, shortly after the initial Top Screen submission requirements were established, DHS caved to the agriculture lobby and published a notice in the Federal Register explaining that “until further notice or unless specifically notified in writing” agricultural production facilities were not required to submit Top Screens for DHS chemicals of interest (COI) (except propane or fuel) held in quantities in excess of the screening threshold quantity (STQ) if those COI were used:

• In preparation for the treatment of crops, feed, land, livestock (including poultry) or other areas of an agricultural production facility; or
• During application to or treatment of crops, feed, land, livestock (including poultry) or other areas of an agricultural production facility.

While this is technically an extension of the time requirement for the submission of a Top Screen (by regulation 90 days from the publication of the original Top Screen requirement in December 2007 or within 60 days of holding a COI at or above the STQ), because of the length of time that has elapsed since this notice was published, this has, in reality, become the 5th type of facility exempted from the reporting requirements of the CFATS regulations.

The Basis for the Exemption

The agriculture lobby has argued since the inception of the CFATS program that agricultural production facilities should not be considered chemical facilities under this program because they were hardly targets of terrorist attack based upon the presence of COI, generally due to their relatively isolated locations. This is certainly true for release consequence chemicals like anhydrous ammonia or propane; an ammonia cloud or propane fire on a farm is going to have very limited effect on the neighboring community.

The one potential large-scale chemical threat was the theft of the improvised explosive precursor, ammonium nitrate. When this notice was published, Congress had just enacted legislation specifically requiring DHS to set up a separate chemical security program to address the security of ammonium nitrate, so it appeared that the threat of the theft of this chemical would be adequately addressed under that program, so CFATS coverage would not be that important.

The agriculture community was convinced that DHS would take their remote locations into account when analyzing the data submitted in the Top Screen to determine whether or not their facilities presented a risk of terrorist attack. DHS was not willing to talk about any of the details of their risk assessment process, nor were they willing to delay its implementation to allow for an outside review of that process.

In light of these concerns, given the isolated locations of most of these facilities, and not wishing to undertake a political or court fight with the well-funded agriculture lobby that might end up undermining the whole CFATS program, DHS implemented the ‘Top Screen extension’.

Option 1

The easiest way to deal with this situation would be to make the ‘extension’ legally permanent. This would be done in two steps. First the following definition of ‘agricultural production facility’ would be added to 6 USC 621:

The term “agricultural production facility” means:

(A) a facility operated for the commercial production of products by the means of cultivating soil; planting, raising, and harvesting crops; or rearing, feeding, and managing animals; and
(B) it specifically includes facilities such as farms (e.g., crop, fruit, nut, and vegetable); ranches and rangeland; poultry, dairy, and equine facilities; turfgrass growers; golf courses; nurseries; floricultural operations; and public and private parks.

Then the definition of ‘excluded facility’ in §621(4) would be amended by adding:

(f) Agricultural production facility as that term is defined in this section; unless that facility possesses propane, fuel, or fumigant chemicals included in the list of DHS chemicals of interest as defined in Appendix A, 6 CFR 27.

I did add ‘fumigant chemicals’ to the list in (f) because the DHS Infrastructure Security Compliance Division (ISCD) recently ‘clarified’ that the current extension does not apply to fumigants.

Option 2

The problem with both Option 1 and the current ‘extension’ is that they fail to take into account the presence of theft-diversion chemicals such as ammonium nitrate. The second option takes a more nuanced approach to the exemption. It would start with adding the definition of an ‘agricultural production facility’ described above. It would then add a new §630:

Sec. 630 – Agricultural Production Facilities

(a) General – The Secretary will take into account the general geographic isolation of agricultural production facilities as that term is defined in the addition to §621 provided in this Act in implementing the CFATS program.

(b) The Secretary will ensure that the current risk assessment processes and protocols used by the Department take into account the following considerations:

(1) the geographically isolated nature of agricultural production facilities;
(2) the ease with which outsiders are generally recognized in communities surrounding agricultural production facilities;
(3) the difficulties an outsider would have in obtaining information about the presence, storage locations and security measures in place at an agricultural production facility.

(c) For any agricultural production facility that is more than 1 mile distant from any public or private school, place of worship, or other similar place of regular or routine public assembly, the Secretary will:

(1) Exempt such facilities from the reporting requirements of §622(a)(2)(b) for any release security risk chemicals of interest listed in Appendix A, 6 CFR 27; and

(2) Exempt such facilities from the reporting requirements of §622(a)(2)(b) for any release sabotage and contamination risk chemicals of interest listed in Appendix A, 6 CFR 27.

(d) The Secretary will work with the Secretary of Agriculture to develop an addendum to the Risk Based Performance Standards guidance document that will:

(1) Identify the specific risk based performance standards that specifically apply to those facilities that only have theft-diversion security risk chemicals;

(2) Provide performance standards specific to agricultural production facilities taking into account the considerations outlined in (b).

Monday, November 13, 2017

Committee Hearings – Week of 11-12-17

Both the House and Senate will be in session again this week ahead of their Thanksgiving recess. The 2018 spending bill, the budget and the 2018 NDAA take up most of the attention on the Hill. There will be one hearing this week of specific interest to readers of this blog, a cybersecurity hearing.

Cybersecurity Information Sharing

The Cybersecurity and Infrastructure Protection Subcommittee of the House Homeland Security Committee will be holding a hearing on “Maximizing the Value of Cyber Threat Information Sharing”. No witness list is currently available. A Committee Report on the topic will certainly be a feature of this hearing.

HR 2810 Conference Report – 2018 NDAA

This week the conference committee considering the differences in the House and Senate versions of HR 2810, the FY 2018 National Defense Authorization Act (NDAA), published their report on a final version of the bill. Additionally, the report contains an explanation of how the conferees came to the compromise language.

Cybersecurity Provisions

As is to be expected there are a number of cyber related provisions found in the bill. The list below shows the title of the appropriate sections and the pages within the report for both the actual language adopted by the conference and the discussion of how that language was arrived at.

§1090. Providing assistance to House of Representatives in response to cybersecurity events. (pgs 326-7; discussion pg 933)
§1110. Pilot program on enhanced personnel management system for cybersecurity and legal professionals in the Department of Defense. (pgs 352-6; discussion pg 950)

Subtitle C—Cyberspace-Related Matters
§1631. Notification requirements for sensitive military cyber operations and cyber weapons. (pgs 457-8; discussion pgs 1016-7)
§1632. Modification to quarterly cyber operations briefings. (pg 459; discussion pg 1017)
§1633. Policy of the United States on cyberspace, cybersecurity, and cyber warfare. (pgs 459-60; discussion 1017-8)
§1634. Prohibition on use of products and services developed or provided by Kaspersky Lab. (pgs 460-2; discussion pg 1018)
§1635. Modification of authorities relating to establishment of unified combatant command for cyber operations. (pg 462; discussion pgs 1018-9)
§1636. Modification of definition of acquisition workforce to include personnel contributing to cybersecurity systems. (pg 462; discussion pg 1019)
§1637. Integration of strategic information operations and cyber-enabled information operations. (pg 462-5; discussion 1019-20)
§1638. Exercise on assessing cybersecurity support to election systems of States. (pg 465; discussion pg 1020)
§1639. Measurement of compliance with cybersecurity requirements for industrial control systems. (pg 465; discussion pg 1020)
§1640. Strategic Cybersecurity Program. (pgs 465-7; discussion pgs 1020-1)
§1641. Plan to increase cyber and information operations, deterrence, and defense. (pg 467; discussion pg 1021)
§1642. Evaluation of agile or iterative development of cyber tools and applications. (pgs 467-9; discussion pg 1021)
§1643. Assessment of defense critical electric infrastructure. (pg 469; discussion pg 1021)
§1644. Cyber posture review. (pgs 469-70; discussion pgs 1021-2)
§1645. Briefing on cyber capability and readiness shortfalls. (pgs 470-1; discussion pg 1022)
§1646. Briefing on cyber applications of blockchain technology. (pg 471; discussion pg 1022)
§1647. Briefing on training infrastructure for cyber mission forces. (pgs 471-2; discussion pg 1022)
§1648. Report on termination of dual-hat arrangement for Commander of the United States Cyber Command. (pg 472; discussion pgs 1022-3)

§1649. Cyber Scholarship Program. (pgs 473-4; discussion pg 1023)
§1649A. Community college cyber pilot program and assessment. (pgs 474-5; discussion pg 1023)
§1649B. Federal Cyber Scholarship-for-Service program updates. (pgs 475-6; discussion pg 1023)
§1649C. Cybersecurity teaching. (pg 477; discussion 1023)

The one provision listed above that may be of specific interest to readers of this blog is §1639. It requires the Secretary of Defense to measure “the progress of each element of the Department of Defense in securing the industrial control systems of the Department against cyber threats, including such industrial control systems as supervisory control and data acquisition systems, distributed control systems, programmable logic controllers, and platform information technology” {§1639(a)}. This measurement is to be included in the scorecard used in the implementation of the DOD Cybersecurity Discipline Implementation Plan.

An interesting term is used here; ‘platform information technology’. It is a military term that can be defined as computer hardware and/or software used to support operations technology. In an industrial control system environment this would certainly include human machine interfaces and data historians as well as the communications systems involved in the control system.

Unmanned Aircraft Systems

There are a number of provisions in the revised language for HR 2810 that refer to unmanned aircraft systems (UAS). One is of potential interest to readers of this blog because it addresses DOD authority to deal with intrusive UAS at or near DOD facilities or operations.

§1692. Protection of certain facilities and assets from unmanned aircraft. (pgs 509-12; discussion pgs 1038-40)

This provision will provide an exemption for DOD from the air piracy provisions of 49 USC 46502 and from “any provision of title 18 (USC)” {§1692(a)} for actions taken to protect DOD covered facilities from the threat posed by UAS. This would include actions taken to {§1692(b)}:

• Detect, identify, monitor, and track the unmanned aircraft system or unmanned aircraft, without prior consent, including by means of intercept or other access of a wire communication, an oral communication, or an electronic communication used to control the unmanned aircraft system or unmanned aircraft;
• Warn the operator of the unmanned aircraft system or unmanned aircraft, including by passive or active, and direct or indirect physical, electronic, radio, and electromagnetic means;
• Disrupt control of the unmanned aircraft system or unmanned aircraft, without prior consent, including by disabling the unmanned aircraft system or unmanned aircraft by intercepting, interfering, or causing interference with wire, oral, electronic, or radio communications used to control the unmanned aircraft system or unmanned aircraft;
• Seize or exercise control of the unmanned aircraft system or unmanned aircraft;
• Seize or otherwise confiscate the unmanned aircraft system or unmanned aircraft; or
• Use reasonable force to disable, damage, or destroy the unmanned aircraft system or unmanned aircraft.

Moving Forward

The House Rules Committee is currently scheduled to hold a hearing this evening to construct the rule for the floor consideration of the conference report. This will almost certainly be a structured rule with limited debate and no floor amendments. The House is then scheduled to take up the conference report under that rule on Tuesday. It will almost certainly pass with some measure of bipartisan support; as it will later in the week in the Senate.


It would have been helpful if §1639 had included some sort of requirement for DOD to publicly publish the measurement guidelines that would be used to evaluate the cybersecurity of industrial control systems. Those guidelines could be very useful for other large organizations to conduct a similar high-level review of the cybersecurity of ICS.

In the section on UAS protections for DOD facilities I find it extremely interesting that the language ‘any provision of’ 18 USC was used instead of just references to the specific aircraft protection provisions of 18 USC 32. Other provisions that could have been specifically included:

§39A - Aiming a laser pointer at an aircraft;
§1030 - Fraud and related activity in connection with computers; or
§2511 - Interception and disclosure of wire, oral, or electronic communications prohibited.

Of course, lawyers are well known for their ability to attempt to stretch legal requirements to cover unusual circumstances, so perhaps the crafters of §1692 were justified in their use of ‘any provisions’. We will just have to wait and see how much the lawyers at DOD stretch that language to include not so reasonable actions taken against UAS and their pilots.

Saturday, November 11, 2017

An Early Update to the NTAS Bulletin

Earlier this week DHS updated the National Terrorism Advisory System (NTAS) bulletin. This has been a semi-annual activity since 2015. It has become a relatively unimportant news item because there has been little or no change in the wording of each successive bulletin; last May it did not even rate a full blog post here.

There is little change in this iteration, but there is a small change that may be of specific interest to readers of this blog:

“Some terrorist groups overseas are using battlefield experiences to pursue new technologies and tactics, such as unmanned aerial systems and chemical agents [emphasis added] that could be used outside the conflict zones. Additionally, terrorists continue to target commercial aviation and air cargo, including with concealed explosives.”

There have been a number of news articles over the last six months or so about the Isis use of UAS and chemical agents on the battlefield. It is not a great stretch to assume that such tools could be used in terrorist attacks. I would like to think, however, that DHS would not mention these attack options in this venue unless there were specific intelligence that Isis was attempting to move these technologies off the conventional battlefield and into the terrorist playbook. That may just be wishful thinking on my part.

Friday, November 10, 2017

ICS-CERT Publishes Two Advisories

Yesterday the DHS ICS-CERT published two control system security advisories for products from Schneider and AutomationDirect.

Schneider Advisory

This advisory describes a stack-based buffer overflow vulnerability in the Schneider InduSoft Web Studio and InTouch Machine Edition. The vulnerability was reported by Aaron Portnoy, formerly of Exodus Intelligence. Schneider has produced new versions that mitigate the vulnerability. There is no indication that Portnoy has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could use a publicly available exploit to exploit this vulnerability remotely and execute code with high privileges. The Schneider security bulletin notes that the vulnerability exists during tag subscription.

AutomationDirect Advisory

This advisory describes an uncontrolled search path element vulnerability in a number of AutomationDirect products. The vulnerability was reported by Mark Cross of RIoT Solutions. Newer software versions are available from AutomationDirect that mitigate the problem. There is no indication that Cross has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that an uncharacterized attacker with uncharacterized access could use this vulnerability to execute arbitrary code on the system.

Wednesday, November 8, 2017

Bills Introduced – 11-07-17

Yesterday, with both the House and Senate in session, there were 49 bills introduced. Of those, one may be of specific interest to readers of this blog:

S 2083 A bill to enhance cybersecurity information sharing and coordination at ports in the United States, and for other purposes. Sen. Harris, Kamala D. [D-CA]

This bill may (possibly?) be a companion bill to HR 3101 that was recently passed in the House. I suspect that it is a re-write of the bill instead of an attempt to get the Senate Homeland Security and Governmental Affairs Committee to take up and amend HR 3101. I’ll know better when the bill is printed.

ISCD Updates CFATS Web Pages – 11-08-17

The DHS Infrastructure Security Compliance Division (ISCD) has been busy over the last week or so making changes to their extensive Chemical Facility Anti-Terrorism Standards (CFATS) web site. These changes include:

• Updating two Chemical Security Assessment Tool (CSAT) user manuals;
• Publishing two new program fact sheets;
• Updating a third fact sheet; and
• Updating various web pages to point out the above changes.

Updated Manuals

On November 3rd, ISCD updated the CSAT Top Screen page to include a link to the newest version of the Top Screen Instructions. Yesterday the CFATS landing page revision included a link to the newest version of the CSAT Survey Application User Manual. Both manuals now have a publication date of October 31st, 2017.

Long ago (regulatorily speaking) ISCD (or maybe DHS?) stopped putting revision notes in their manuals. The latest versions of these two manuals also drop the version numbers. This means that the average user has no idea about the scale, extent or details of the changes made to these manuals.

Looking closely at the 5-page Table of Contents for the Application manual, I do not see any changes between this latest version and the March 29th, 2017 version. A similar check of the Top Screen manual also reveals no changes in its Table of Contents (the earlier version here was also dated March 29th). Unfortunately, I do not have time to do a line-by-line check to see exactly what changes have been made. I suppose that we just have to assume (there is an old military saying about that; something about ‘making an ass out of you and me’) that ISCD is continuing their CSAT 2.0 manual tradition of just making minor, clarifying word-changes to their manuals.

New Fact Sheets

On November 3rd, ISCD updated their Top Screen web page to include a link to a new fact sheet concerning the “temporary time extension” for farmers needing to submit a Top Screen because they possess DHS chemicals of interest (COI) in quantities above the screening threshold quantity (STQ). That ‘time extension’ was granted in 2008, briefly looked at again in 2010, but it is still in effect, apparently for an indefinite future.

Typically, these ISCD fact sheets are simply documents that can be circulated summarizing information that is readily available elsewhere on the CFATS web site. That is not the case with this fact sheet. It provides an interesting list of chemical uses by agricultural organizations that do not qualify for the ‘extension’; in other words, agricultural facilities using COI in these cases in quantities that exceed the STQ have 60 days to submit a Top Screen. Those exceptions include:

· If a facility uses a COI for fuel, storage, or distribution purposes.
· If a commercial application service is using COI for distribution.
· If the facility is a fishery and/or hatchery, as fish are not considered livestock.
· If an agricultural facility stores and/or distributes a COI.
· If a park uses chlorine for an onsite pool.
· If an agricultural facility uses propane for heating.
· If a facility uses chlorine, hydrogen peroxide, or sulfur dioxide for the cleaning and treatment of equipment and products, such as at wineries, breweries, or food manufacturers.
· If a facility utilizes phosphine or other COI for fumigation purposes.

Most of these exceptions seem to be a reasonable set of COI uses that are not specifically covered under the 2008 letter, though I can see lawyers having fun with the fumigation example. I would bet, however, that a significant number of agricultural facilities will look at this list with dismay. If they see it, that is; it was not prominently mentioned on the CFATS web site. Perhaps ISCD is directly sharing the fact sheet with the agricultural community; I hope so.

Yesterday ISCD provided links to another new fact sheet on the CFATS landing page, the Top Screen page and the CFATS Knowledge Center. This fact sheet outlines the fact that nitromethane is a DHS chemical of interest and thus requires reporting when it is held in quantities in excess of 400-lbs (in transportation packaging since it is a theft/diversion COI; not mentioned in the fact sheet). This is a more typical ISCD fact sheet with no really new information.

I would assume that ISCD has concluded that there are a significant number of folks holding STQ quantities of nitromethane (in the racing world in particular since it is frequently used as a fuel additive in that realm) and have not reported that fact on a Top Screen. Again, those folks are not going to be visiting the CFATS web site, so I would expect the ISCD outreach efforts would include making this fact sheet visible in appropriate places.

Updated Fact Sheet

Yesterday’s update of the CFATS landing page also included a link (without fanfare or notice) to a revised version of the CFATS Fact Sheet (now called the CFATS Overview to distinguish it from the monthly updates). This is a complete rewrite of the original version that was published in October 2016.

The new version provides more details (and more links) about the CFATS program, but there is still nothing new here that folks familiar with the program (or this blog) have not heard or read dozens of times. Still it is a good outreach document and deserves wide dissemination.

BTW: Both the CFATS landing page and the CFATS Knowledge Center now have links to the November 2017 CFATS update that I discussed earlier.

Tuesday, November 7, 2017

ICS-CERT Updates Kabona Advisory

Today the DHS ICS-CERT published an update for a control system security advisory for the Kabona WebDatorCentral (WDC) application that was originally published on October 13th, 2016.

This update provides information on a new vulnerability; a plain-text storage of password vulnerability - CVE-2016-0872. There is no explanation of why this vulnerability was not reported in the original advisory. Apparently, the new version of the WDC software originally reported also corrects this ‘new’ vulnerability.

CFATS Reauthorization – Cybersecurity

The current authorization for the Chemical Facility Anti-Terrorism Standards (CFATS) program expires on December 18th, 2018. Sometime within the next year, Congress will most likely be taking up some form of reauthorization of the program. While we might expect to see simple inclusion of extension language in the DHS spending bill, it would be more efficient if Congress took up a standalone reauthorization bill that updated the program. This is the first in a series of posts that looks at what I would like to see included in such a bill. It should come as no surprise to readers of this blog that I would like to see cybersecurity addressed in some detail.


I might as well start out this discussion by providing realistic definitions of cybersecurity that address the differences between security in information technology and operations (control systems) technology. Readers of this blog will recognize that these definitions have been proposed here in other contexts.

6 USC 621 is amended by adding at the end:

(15) The term ‘information system’ has the meaning given the term in section 3502 of title 44;

(16) The term ‘control system’ means a discrete set of information resources, sensors, communications interfaces and physical devices organized to monitor, control and/or report on physical processes, including manufacturing, transportation, access control, and facility environmental controls;

(17) The term ‘cybersecurity risk’ means:

(A) threats to and vulnerabilities of information, information systems, or control systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information, information systems, or control systems, including such related consequences caused by an act of terrorism; and

(B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;

(18) The term ‘cybersecurity incident’ means an occurrence that actually, or imminently jeopardizes, without lawful authority:

(A) the integrity, confidentiality, or availability of information on an information system,

(B) the timely availability of accurate process information, the predictable control of the designed process or the confidentiality of process information, or

(C) an information system or a control system;

Incident Reporting

There are currently no regulatory requirements for CFATS facilities to report cybersecurity incidents. The closest the current regulations come is the requirement in 6 CFR 27.230(8) to ‘deter cyber sabotage’, or the more general requirement. There is a strong suggestion in the Risk Based Performance Standards (RBPS) guidance document that {Metric 8.5.4; pg 80}: “Significant cyber incidents are reported to senior management and to the DHS’s US-CERT at” To date, there is no public record that any such reports have been made.

I think that this suggestion should be a requirement of the CFATS program and further strengthened. I propose the following amendment to 6 USC 622:

(f) Cybersecurity Incident Reporting

(1) The Secretary will revise 6 CFR 27.230(15) to include requirements for the reporting of cybersecurity incidents or suspected cybersecurity incidents. Those revisions will address:

(A) Reporting cybersecurity incidents related to information systems to the DHS US-CERT or successor organization;

(B) Reporting cybersecurity incidents related to control systems to the DHS ICS-CERT or successor organization;

(C) Ensuring that information provided to US-CERT or ICS-CERT in such reports will be protected under provisions outlined in 6 USC 23;

(D) Requiring US-CERT or ICS-CERT to provide copies of the final reports on such incidents to the head of the agency designated for the enforcement of the CFATS regulations. Anonymized information about such incidents will be further shared with CFATS covered facilities as deemed appropriate.

(2) The Secretary will revise 6 CFR 27.230(15) to ensure that significant cybersecurity incidents will be reported to the FBI.

Control System Vulnerabilities

There are no provisions in the current CFATS regulations or the RBPS Guidance documents that address the identification and mitigation of control system vulnerabilities. To correct that missing element of control system security I would propose the following additional amendment to 6 USC 622:

(g) Control System Vulnerabilities

(1) The Secretary will revise 6 CFR 27.230(8) to address the identification and mitigation of vulnerabilities in control systems identified in facility site security plans. The revision will address requirements to:

(A) Identify critical control system components that affect the storage, use, or movement of DHS chemicals of interest identified in the facility tiering letter;

(B) Maintain a list of vulnerability reports from ICS-CERT and/or the vendor concerning those components;

(C) Conduct a risk assessment of those reported vulnerabilities; and

(D) Maintain a record of the outcome of those risk assessments that includes if/when appropriate mitigation measures were implemented.

(2) The Secretary will require ICS-CERT, or successor organization, to identify control system security advisories and alerts that could apply to chemical facilities and notify the agency responsible for the enforcement of the CFATS regulations when such advisories and alerts are published.

Monday, November 6, 2017

ISCD Publishes New Anhydrous Ammonia FAQ

On Friday the DHS Infrastructure Security Compliance Division (ISCD) published a new frequently asked question (FAQ) on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. The question, FAQ# 1786, addresses the effect of change of state in anhydrous ammonia in a refrigeration system on the reporting requirements for the CFATS Top Screen.

The response to the question reads:

“The total mass quantity within the system and the physical state, temperature, and pressure of the ammonia as it exists in the vessel(s) downstream of the condenser(s) should be reported.”

The ‘mass quantity’ portion of that response refers to the information that would need to be provided to question ‘Q1.70.010 Total Onsite Quantity’ on the Top Screen. The remainder of the response addresses the requirements to answer ‘Q1.70.030 Circle 1 Details’ for the largest quantity location for anhydrous ammonia.

Sunday, November 5, 2017

ISCD Publishes CFATS Update – November 2017

On Friday the DHS Infrastructure Security Compliance Division (ISCD) published their Chemical Facility Anti-Terrorism Standards (CFATS) Monthly Update for November. The casual CFATS web site observer would be surprised to hear this since this has not been shown on either the Critical Infrastructure: Security Compliance web page or the CFATS Knowledge Center web page.

Published Data

Table 1 below shows the published compliance data for the facilities currently covered under the CFATS program. The numbers show a continued increase in the number of covered facilities and the number of compliance inspections being conducted.

Table 1: Current CFATS Facilities (columns: Covered Facilities; Authorization Inspections; Approved Security Plans; Compliance Inspections)

Table 2 shows the data on all facilities since the program was initiated back in 2007. Again, we see increases across the board.

Table 2: Total CFATS Facilities since 2007 (columns: Total Facilities; Authorization Inspections; Approved Security Plans; Compliance Inspections)

Data Analysis

Figure 1 below is a graph showing the number of authorization inspections conducted since ISCD resumed reporting in May of this year. Both lines show a slight uptick in the number of inspections conducted. This is to be expected as facilities have had a chance to begin submitting SVA/SSPs in response to the new tiering letters that have begun to be issued since the new risk assessment process was implemented. We can expect to see a sharper increase in coming months.

Figure 1: Authorization Inspections

The compliance inspection information continues to require us to make some assumptions about how ISCD is counting the difference between current and total compliance inspections. Figure 2 shows the data reported since May.

Figure 2: Compliance Inspection Data

The total number of compliance inspections continues to show a fairly consistent rate of increase (linear regression analysis shows an R² of 0.996) since May. This would be consistent with ISCD’s current emphasis on ensuring that facilities with approved site security plans are in compliance with those plans. As ISCD begins to conduct more authorization inspections on newly submitted SSPs, this rate will probably flatten out as the limited manpower available to the Division is re-purposed.

When we compare the current to total compliance inspection data we begin to see some discrepancies; a much steeper increase in the total number of compliance inspections as compared to the relatively flat increase in current inspections. When we look at the number of current compliance inspections compared to the number of currently approved SSPs we have to draw the conclusion that ISCD is reporting only one ‘current’ compliance inspection per facility with an approved SSP.

There are only two ways that ISCD can be reporting a large number of new inspections each month with only a small increase in the number of current SSPs: either there are a significant number of facilities exiting the CFATS program or there are multiple compliance inspections being conducted on current facilities. The number of currently approved SSPs does show a slight decrease (8) since reporting resumed in May even though the total number of SSPs that have been approved has increased by 60. That would seem to indicate that some facilities have left the program (68?) during the reporting period, and that is within the magnitude of what ISCD reported back in April.

The change in the number of compliance inspections tells a completely different story. Since May there has been an increase of 901 total compliance inspections completed and only an increase of 191 current compliance inspections. Since a facility must have an approved SSP prior to having a compliance inspection the 68 disappearing SSPs does not explain the difference of 710 compliance inspections. Combining the two data sets we can see that there have been 642 (710 – 68) compliance inspections that are not accounted for in the total number of current compliance inspections.

The only thing that I can conclude is that ISCD chemical security inspectors have conducted at least 642 compliance inspections since reporting resumed in May where the facility was not in compliance with the currently approved SSP. How many of these are unique facilities vs facilities with multiple non-compliant inspections results cannot be determined from the data presented in these reports.