Saturday, October 20, 2018

ICS Disclosures – Week of 10-13-18


This week we have a vendor disclosure from PEPPERL+FUCHS via CERT-VDE. There were also a significant number of exploits published this week for a variety of IP cameras.

PEPPERL+FUCHS Advisory


This advisory describes an Android privilege escalation vulnerability in the PEPPERL+FUCHS CT50-Ex hand-held computer for hazardous environments {NOTE: This is apparently the PEPPERL+FUCHS (ecom) rebrand of the Honeywell Dolphin CT50 -Ex}. The vulnerability was self-reported by PEPPERL+FUCHS. There is an update available to mitigate the vulnerability.

NOTE: This vulnerability was reported by Honeywell and covered by NCCIC-ICS in ICSA-18-256-01 back in September.

I wonder what other 2nd tier vendors have rebranded this vulnerable Honeywell product without informing their customers about the Honeywell advisory.

IP Camera Exploits


Gjoko Krstic (LiquidWorm) released exploit code for three IP cameras along with advisories on the seven vulnerabilities via Zero Science Labs. For the first six vulnerabilities (for products from FLIR Systems) listed below, the disclosures were coordinated with the vendor. The TP-Link advisory does not contain any vendor coordination information, so this may be a zero-day vulnerability.


Bills Introduced – 10-19-18


Yesterday, with both the House and Senate meeting in pro forma session (i.e.: 90+% of the congresscritters staying at home campaigning), there were 10 bills introduced. One of those bills is likely to receive further consideration in this blog:

HR 7076 To reinstate requirements pertaining to electronically controlled pneumatic brake systems on high-hazard flammable unit trains, and for other purposes. Rep. Herrera Beutler, Jaime [R-WA-3] 

Since Herrera-Beutler is representing Vancouver, WA, which is well known for its desire to restrict the operation of oil trains, I suspect that this bill is more about campaigning than legislating. Still, it will be interesting to see how the bill intends to get around the cost-benefit issue that allowed the Trump Administration to kill the ECP brake requirements.



Thursday, October 18, 2018

Omron Advisory Published


Yesterday the DHS NCCIC-ICS published a control system security advisory for products from Omron. The advisory describes four vulnerabilities in the Omron CX-Supervisor. The vulnerabilities were reported by Mat Powell, Ariele Caltabiano (kimiya) of 9SG Security Team, and b0nd @garage4hackers via the Zero Day Initiative. Omron has a new version that mitigates the vulnerabilities. There is no indication that any of the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Improper restriction of operations within the bounds of a memory buffer - CVE-2018-17905;
• Out-of-bounds read - CVE-2018-17907;
• Use after free - CVE-2018-17909; and
• Incorrect type version or cast - CVE-2018-17913

NCCIC-ICS reports that an uncharacterized hacker with uncharacterized access could exploit these vulnerabilities to execute code under the context of the application, corrupt objects, and force the application to read a value outside of an array.

Wednesday, October 17, 2018

Fall 2018 Unified Agenda – DHS


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) published the Fall 2018 Regulatory Agenda. In the DHS section of the Agenda we continue to see movement between the Active and Inactive portions of the Agenda, but there are no new rulemakings on the Agenda that will be covered here.

Active Agenda


The table below shows the Active Agenda items that would be covered here in this blog. Rulemaking titles in italics indicate actions moved from the Inactive Agenda in the previous version of the Agenda.

Agency   Stage            Rulemaking
OS       Final Rule       Ammonium Nitrate Security Program
OS       Final Rule       Homeland Security Acquisition Regulation: Safeguarding of Controlled Unclassified Sensitive Information (HSAR Case 2015-001)
OS       Final Rule       Homeland Security Acquisition Regulation: Information Technology Security Awareness Training (HSAR Case 2015-002)
USCG     Final Rule       Marine Transportation--Related Facility Response Plans for Hazardous Substances
USCG     Final Rule       2013 Liquid Chemical Categorization Updates
USCG     Final Rule       TWIC Reader Requirements; Delay of Effective Date
TSA      Proposed Rule    Vetting of Certain Surface Transportation Employees
TSA      Final Rule       Protection of Sensitive Security Information
TSA      Final Rule       Security Training for Surface Transportation Employees

The Ammonium Nitrate Security Program has been a problem for DHS from the beginning. It was mandated by Congress in 2007, but DHS has been unable to craft regulations implementing the requirements of that mandate yet meet cost-benefit analysis requirements for federal regulations. In 2016 DHS commissioned a study on the larger IED precursor issue and a public report on the study was published last year. In the abstract for the rulemaking in this version of the Agenda DHS notes:

“DHS intends to publish a notice announcing the availability of a redacted version of a technical report developed by Sandia National Laboratories titled Ammonium Nitrate Security Program Technical Assessment. The report documents Sandia National Laboratories’ technical research, testing, and findings related to the feasibility of weaponizing commercially available products containing ammonium nitrate. DHS intends to use this notice to solicit comments on the report and its application to the proposed Ammonium Nitrate Security Program rulemaking.”

Inactive Rulemakings


The table below shows the Inactive Agenda items that would be covered here in this blog. No new items of interest on this blog have been added to the Inactive Agenda. The only thing removed is the previously discussed Ammonium Nitrate Security Program rulemaking.

Agency   Rulemaking
OS       Chemical Facility Anti-Terrorism Standards (CFATS)
OS       Updates to Protected Critical Infrastructure Information (PCII) Program
USCG     Amendments to Chemical Testing Requirements
USCG     Revision to Transportation Worker Identification Credential (TWIC) Requirements for Mariners
TSA      Surface Transportation Vulnerability Assessments and Security Plans

Commentary



The Unified Agenda is NOT a promise that the Administration is going to complete the next stage in the rulemaking process as predicted. That almost never happens (well, every once in a while). This is a regulatory requirement that really means very little. New rulemakings can spring up out of nowhere (as far as the Unified Agenda is concerned) and rulemakings can sit on the UA for decades without action. Having said that, once in a blue moon, the schedule posted in the Unified Agenda actually coincides with reality. We just have to wait and see when that happens next; maybe it will happen with the Ammonium Nitrate Security Program rulemaking.

OMB Approves New CEII NPRM


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a notice of proposed rulemaking (NPRM) from the Department of Energy on their Critical Electric Infrastructure Information (CEII) program. The NPRM was submitted to OMB in July.

When this NPRM was submitted the rulemaking had not been listed in the latest (Spring 2018) Unified Agenda. Yesterday OIRA published the Fall 2018 Unified Agenda (more on this in another post) and this rulemaking was included; not much information in the listing, unfortunately. The abstract in the listing simply notes:

“The Department of Energy (DOE or Department) is publishing a proposed rule for public comment to implement DOE’s critical electric infrastructure information (CEII) designation authority under section 215A of the Federal Power Act. The proposed administrative procedures are intended to ensure that stakeholders and the public understand how the Department would designate, protect, and share CEII under the Federal Power Act.”

I expect that the NPRM will be published in the Federal Register in the next week or two; even when it initiates regulatory action, the Trump Administration is not quick about these things.


Advisory for LCDS Products


Yesterday the DHS NCCIC-ICS published a control system advisory for products from Leão Consultoria e Desenvolvimento de Sistemas Ltda (LCDS). The advisory describes six vulnerabilities in the LAquis SCADA software. The vulnerabilities were reported by Mat Powell, rgod of 9SG Security Team, Esteban Ruiz (mr_me) of Source Incite, b0nd @garage4hackers, and Ashraf Alharbi (Ha5ha5hin) via the Zero Day Initiative. LCDS has a new version that mitigates the vulnerabilities. There is no indication that any of the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• Untrusted pointer dereference - CVE-2018-17893;
• Out-of-bounds read - CVE-2018-17895;
• Integer overflow to buffer overflow - CVE-2018-17897;
• Path traversal - CVE-2018-17899;
• Out-of-bounds write - CVE-2018-17901; and
• Stack-based buffer overflow - CVE-2018-17911

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to execute arbitrary code, crash the system, or write controlled content to the target system.

Tuesday, October 16, 2018

HR 7045 Introduced – Avionics Cybersecurity


Earlier this month Rep. Meng (D,NY) introduced HR 7045, the Aircraft Avionics Systems Cybersecurity Act. The bill would require the FAA to revise airworthiness certification regulations to “address cybersecurity for avionics systems, including software components” {§2(a)(1)}.

Cybersecurity Requirements


Section 2(a) of the bill would require the FAA to revise airworthiness certification regulations “to require that aircraft avionics systems used for flight guidance or aircraft control be secured against unauthorized access via passenger inflight entertainment systems through such means as the Administrator determines appropriate to protect the avionics systems from unauthorized external and internal access” {§2(a)(2)}.

Section 2(b) of the bill would require the FAA in revising the regulations to take into account the recommendations of the Aircraft Systems Information Security Protection Working Group required by §2111(a)(2)(A)(iii)(I) of the FAA Extension Safety and Security Act of 2016 (PL 114-190, 130 STAT. 625). Those recommendations were published in August 2016.

Moving Forward


Meng is not a member of the House Transportation and Infrastructure Committee to which the bill was assigned for consideration, so it is unlikely that she has the influence necessary to have the bill considered in Committee. This is especially true so late in the session.

It is not clear what sort of support would be available for this bill. While it would require the FAA to establish new regulations (which would draw at least some sort of opposition from industry) the requirements for those regulations are extremely vague and broadly drawn. This bill could receive some bipartisan support because it would allow Congress to look like it was taking action without making any controversial decisions.

Saturday, October 13, 2018

Public ICS Disclosures – Week of 10-06-18


This week there was a vendor vulnerability disclosure from Siemens. There were also four exploits published for products from Delta Industrial, WAGO, and Phoenix Contact (2). I am also going to take a quick look at some additional information on an NCCIC-ICS advisory for the Hangzhou XMeye P2P Cloud Server published this week.

Siemens Advisory


Siemens published an advisory on Foreshadow and L1 Terminal Fault (L1TF) in their industrial product line. These are another pair of speculative execution attack vulnerabilities based on the processors used in the affected devices. More details on the generic vulnerabilities can be found here. Siemens has some BIOS updates available to mitigate the vulnerabilities (three separate CVEs are involved) and has provided workarounds for other products.

This advisory was published in the same batch that was covered extensively by NCCIC-ICS on Tuesday. I have no idea why this was not included unless NCCIC-ICS is lumping these new vulnerabilities in with the Spectre and Meltdown problem. Even if that is the case, this would then have deserved an update to their alert on those issues.

Delta Industrial Exploit


A Metasploit module was published for a previously identified stack-based buffer overflow vulnerability in the Delta Industrial COMMGR software.

WAGO Exploit


SecuNinja published an exploit for a cross-site scripting vulnerability in the WAGO 750-881 ethernet controller. There is no CVE number provided so it is possible that this is a 0-day vulnerability being exploited.

Phoenix Contact Exploit


Photubias published two exploits for previously identified vulnerabilities in the Phoenix Contact ILC PLC via their WebVisit HMI page.

The three reported vulnerabilities covered in these exploits are:

• Cleartext storage of sensitive information - CVE-2016-8366;
• Authentication bypass issues - CVE-2016-8371; and
• Access to critical private variable via public method - CVE-2016-8380.

Hangzhou Advisory


Earlier this week NCCIC-ICS published their advisory for three vulnerabilities in the Hangzhou XMeye P2P Cloud Server. As is typical for these advisories NCCIC-ICS provided summary data on the issue. Since Hangzhou effectively did not respond to the coordination efforts of NCCIC-ICS there was no vendor information provided in the advisory. While NCCIC-ICS did acknowledge the vulnerability reporting effort of SEC Consult, they did not (as is their apparent policy) provide any link to the reporting agency’s information on the vulnerabilities.

Generally speaking this policy of not linking to supporting documentation from researchers is a mistake and, in this instance, it does a gross disservice to the affected community by severely understating the potential problems associated with the affected devices. In particular, it fails to explain that the vulnerabilities affect a large number of vendors that rebrand and sell the affected Hangzhou DVR products.

SEC Consult published an advisory on the vulnerabilities as well as a lengthy blog post. Brian Krebs also did a lengthy blog post on the topic.

Friday, October 12, 2018

3 Advisories and 4 Updates


Yesterday the DHS NCCIC-ICS published three control system security advisories for products from Delta Industrial Automation and NUUO (2). They also updated a previously published control system security advisory for products from Yokogawa and three medical device security advisories for products from Medtronic, BD and Philips.

Delta Advisory


This advisory describes two vulnerabilities in the Delta Industrial Automation TPEditor. The vulnerabilities were reported by Ariele Caltabiano (kimiya) of 9SG Security Team and Mat Powell. Delta has a new version that mitigates the vulnerabilities. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2018-17929; and
• Out-of-bounds write - CVE-2018-17927

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to crash the accessed device, resulting in a buffer overflow condition that may allow remote code execution.

CMS Advisory


This advisory describes four vulnerabilities in the NUUO CMS software management platform. The vulnerabilities were reported by Pedro Ribeiro. NUUO has a firmware update that mitigates the vulnerabilities. There is no indication that Ribeiro has been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Use of insufficiently random values - CVE-2018-17888;
• Use of obsolete function - CVE-2018-17890;
• Incorrect permission assignment for critical resource - CVE-2018-17892; and
• Use of hard-coded credentials - CVE-2018-17894

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to result in arbitrary remote code execution.

NVRmini2 Advisory


This advisory describes two vulnerabilities in the NUUO NVRmini2 and NVRsolo network video recorders. The vulnerabilities were reported by Jacob Baines of Tenable. NUUO has a firmware update that mitigates the vulnerabilities. There is no indication that Baines has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2018-1149; and
• Leftover debug code - CVE-2018-1150

NCCIC-ICS reports that a relatively low-skilled attacker using publicly available exploit code could remotely exploit the vulnerabilities to achieve remote code execution and user account modification.

Yokogawa Update


This update provides additional information on an advisory that was originally reported on May 31st, 2018. The new information includes:

• Addition of four new vulnerabilities;
• Revision of exploit consequences;
• Addition of new products affected; and
• Addition of mitigation information for newly identified products.

NOTE: All of this new information was reported in a separate Yokogawa advisory that I discussed here last month. That new advisory was not referenced in this update.

Medtronic Update


This update provides additional information on an advisory that was originally published on February 27th, 2018 and updated on June 27th, 2018. The new information includes:

• Addition of a new affected product;
• Addition of statement on possible remote access exploitation;
• Addition of a third vulnerability; and
• Addition of report of new mitigation measure implemented by Medtronic.

An FDA notice was published for the revised Medtronic advisory.

BD Update


This update provides additional information on an advisory that was originally published on May 22nd, 2018. The new information includes a report of implementation of the promised mitigation measures.

Philips Update


This update provides additional information on an advisory that was originally published on August 21st, 2018 and updated on August 30th, 2018. The new information includes the announcement of future mitigation measures to be undertaken by Philips.

Thursday, October 11, 2018

HR 6992 Introduced – CFATS Reauthorization


Last month Rep. Katko (R,NY) introduced HR 6992, the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2018. This is a significant re-write of the Senate bill of the same name (S 3405).

Major Changes from S 3405


There were three major changes made in crafting this new bill. Two sections found in S 3405 were deleted and one new section was added.

The removed sections were:

§3 – Risk-based performance standards (removed cybersecurity RBPS); and
§11 – Small covered chemical facilities (also removed cybersecurity requirements)

The added section (§9 in the new bill) deals with products and mixtures containing DHS chemicals of interest. It would require DHS to set up a process for facilities to request that specific non-hazardous mixtures be exempt from COI reporting requirements.

There were some changes to the CFATS recognition program that I will address in a future post. Similarly, changes were made in the following sections:

§2 Definitions;
§5 Frequency of audits and inspections;
§7 Security risk assessment approach and corresponding tiering methodology;
§8 Security risk assessment approach and corresponding tiering methodology;
§13 Assessment, report, briefing, and updated retrospective estimate on costs.

Moving Forward


Katko and one of his six cosponsors {Rep. Fitzpatrick (R,PA)} are members of the House Homeland Security Committee; one of the committees to which this bill was assigned for consideration. The CFATS reauthorization is a ‘must pass’ bill (unless a short term extension is added to the DHS minibus) so this bill will likely be considered in Committee after the election.

It will be interesting to see how many Democrats on the Committee support this bill that has no language addressing any of the long-standing chemical facility concerns of that party. It is odd that neither Rep. Thompson (D,MS) nor Rep. Jackson-Lee (D,TX) is signed on as a cosponsor of this bill. With the current Republican majority in the House (at least for the remainder of this session) their support is not needed, but they are important CFATS voices on the Committee. Even more unusual is the lack of support from Rep. Ratcliffe (R,TX), who is the Chair of the Cybersecurity and Infrastructure Protection Subcommittee, the subcommittee which oversees the CFATS program.

Commentary


I am very happy to see the changes made that allow cybersecurity to remain part of the CFATS program. I wish that there was additional language that addressed the problems that were identified in the Senate CFATS hearing earlier this year, but at this point I will be somewhat satisfied if the status quo remains in place.

EPA Earthquake Resilience Tools


Having grown up in California and lived through the Sylmar quake in ’71 I have a healthy respect for this particular physical hazard. Thus, I appreciate Bridget O’Grady’s blog post from earlier this week pointing at an EPA earthquake resiliency resource for water treatment facilities.

It is interesting to note the EPA’s explanation of why water treatment and waste water treatment facilities are vulnerable to earthquake damage:

“Water and wastewater utilities are particularly vulnerable to earthquakes because of the extensive network of above and below ground pipelines, pumps, tanks, administrative and laboratory buildings, reservoirs, chemical storage buildings and treatment facilities.”

The same can certainly be said for chemical manufacturing facilities (okay, all facilities, but this is a chemical security and safety blog), so much of the information on the three tools will be useful for chemical manufacturers as well.

Wednesday, October 10, 2018

7 Advisories and 7 Updates Published


Yesterday the DHS NCCIC-ICS published seven control system security advisories for products from Fuji Electric, Hangzhou Xiongmai Technology Co, Siemens (4) and GE. They also updated seven previously issued advisories for products from Siemens.

Fuji Advisory


This advisory describes an uncontrolled search path element vulnerability in the Fuji Electric Energy Savings Estimator. The vulnerability was reported by Karn Ganeshen. Fuji has released an update that mitigates the vulnerability. There is no indication that Ganeshen has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit this vulnerability to load a malicious DLL and execute code on the affected system with the same privileges as the application that loaded the malicious DLL.

Hangzhou Advisory


This advisory describes three vulnerabilities in the Hangzhou XMeye P2P Cloud Server. The vulnerabilities were reported by Stefan Viehböck of SEC Consult Vulnerability Lab. Hangzhou has not provided mitigations for these vulnerabilities.

The three reported vulnerabilities are:

• Predictable from observable state - CVE-2018-17917;
• Hidden functionality - CVE-2018-17919; and
• Missing encryption of sensitive data - CVE-2018-17915

NCCIC-ICS reports that a relatively low-skilled attacker with remote access could use a publicly available exploit to exploit these vulnerabilities to allow unauthorized access to video feeds with the potential to modify settings, replace firmware, and/or execute code.

SIMATIC S7-1500 Advisory


This advisory describes an improper input validation vulnerability in the Siemens SIMATIC S7-1500, SIMATIC S7-1500 Software Controller and SIMATIC ET 200SP Open Controller. The vulnerability was reported by Marcin Dudek, Jacek Gajewski, Kinga Staszkiewicz, Jakub Suchorab, and Joanna Walkiewicz from National Centre for Nuclear Research Poland. Siemens has updates to mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to cause a denial-of-service condition on the network stack.

SIMATIC S7-1200 Advisory


This advisory describes a cross-site request forgery vulnerability in the Siemens SIMATIC S7-1200 CPU Family Version 4. The vulnerability was reported by Lisa Fournet and Marl Joos from P3 communications GmbH. Siemens has a firmware update that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to allow a CSRF attack if an unsuspecting user is tricked into accessing a malicious link.

ROX II Advisory


This advisory describes two improper privilege management vulnerabilities in the Siemens ROX II. The vulnerabilities were reported by Gerard Harney from NCC Group (reported in Siemens advisory not NCCIC-ICS). Siemens has a new version that mitigates the vulnerabilities. There is no indication that Harney has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow valid users to escalate their privileges and execute arbitrary commands.

SCALANCE Advisory


This advisory describes a cryptographic issues vulnerability in the Siemens SCALANCE W1750D. The vulnerability is fully described on the Return of Bleichenbacher's Oracle Threat (ROBOT) web site. Siemens is self-reporting the vulnerability. Siemens has a firmware update that mitigates the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit this vulnerability using publicly available exploits to allow an attacker to decrypt TLS traffic.

NOTE: I suspect that other ICS devices using TLS services could face similar TLS ROBOT problems. Too bad NCCIC-ICS has not done an alert on this issue. Then again, does NCCIC-ICS do alerts?
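The practical check that follows from the SCALANCE advisory and the note above is whether a device's TLS configuration still offers static RSA key exchange, which is the precondition for a ROBOT (Bleichenbacher padding oracle) attack; the standard mitigation is to offer only (EC)DHE key exchange. The script below is an added example written for this post, not code from Siemens, NCCIC-ICS or the ROBOT authors. It classifies OpenSSL-style cipher-suite names by key-exchange method (note that "ECDHE-RSA-..." uses RSA only for authentication, not key exchange, and is not affected), and builds a client SSLContext with `!kRSA` to show what a hardened suite list looks like. `SAMPLE_SERVER_SUITES` is a constructed list standing in for what a scanner might report from an embedded web server; it is not taken from any real device.

```python
import ssl

# OpenSSL cipher-suite name prefixes whose key exchange is NOT static RSA
# (forward-secret (EC)DHE, anonymous DH, PSK, SRP). "ECDHE-RSA-..." belongs
# here: RSA is only the authentication method, the premaster secret is not
# RSA-encrypted, so a Bleichenbacher oracle does not apply to it.
_NON_RSA_KEX_PREFIXES = (
    "ECDHE-", "DHE-", "EDH-", "ECDH-", "DH-",
    "ADH-", "AECDH-", "PSK-", "SRP-",
)


def uses_rsa_key_exchange(cipher_name: str) -> bool:
    """True if the suite RSA-encrypts the premaster secret (ROBOT precondition)."""
    name = cipher_name.upper()
    # TLS 1.3 suites (TLS_AES_128_GCM_SHA256, ...) only negotiate (EC)DHE.
    if name.startswith("TLS_"):
        return False
    # Export-grade prefixes carry the real key-exchange label after them.
    for exp in ("EXP1024-", "EXP-"):
        if name.startswith(exp):
            name = name[len(exp):]
    # RSA_PSK suites also RSA-encrypt the premaster secret.
    if name.startswith("RSA-PSK-"):
        return True
    if name.startswith(_NON_RSA_KEX_PREFIXES):
        return False
    # Legacy names with no key-exchange label (AES128-SHA, DES-CBC3-SHA,
    # CAMELLIA256-SHA, RC4-SHA, ...) use plain RSA key exchange.
    return True


def find_rsa_kex_suites(cipher_names):
    """Return the subset of an offered suite list that a ROBOT-style oracle could target."""
    return [n for n in cipher_names if uses_rsa_key_exchange(n)]


def hardened_cipher_names():
    """Build a context that refuses static RSA key exchange (!kRSA) and
    return the suite names it would actually offer."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!kRSA")
    return [c["name"] for c in ctx.get_ciphers()]


# Constructed sample (not from any real device): a mixed list of the kind a
# scanner reports for an embedded web server that still supports legacy suites.
SAMPLE_SERVER_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",  # RSA auth, ECDHE kex: fine
    "AES128-SHA",                   # static RSA kex: ROBOT-relevant
    "DHE-RSA-AES256-SHA",           # DHE kex: fine
    "DES-CBC3-SHA",                 # static RSA kex: ROBOT-relevant
    "TLS_AES_128_GCM_SHA256",       # TLS 1.3: fine
]

if __name__ == "__main__":
    print("RSA-kex suites in sample:", find_rsa_kex_suites(SAMPLE_SERVER_SUITES))
    hardened = hardened_cipher_names()
    print("Hardened context offers", len(hardened), "suites;",
          "RSA-kex among them:", find_rsa_kex_suites(hardened))
```

The name-based classifier is deliberately independent of the `ssl` module so it can be run over a suite list pasted from a scanner report or a device's configuration page; the `hardened_cipher_names()` function shows the corresponding client-side setting and confirms that `!kRSA` removes every suite the classifier flags.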

GE Advisory


This advisory describes an unsafe ActiveX control marked safe for scripting vulnerability in the GE Gigasoft component of iFIX. The vulnerability was reported by LiMingzheng of 360 aegis security team. Recent versions of iFIX mitigate the vulnerability. There is no indication that LiMingzheng has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause a buffer overflow condition.

Industrial Products Update


This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, July 25th, 2017, August 17th, 2017, October 10th, November 14th, November 28th, February 27th, 2018, May 3rd, 2018, May 15th, 2018, and most recently on September 11th, 2018. The new information includes revised affected versions data and mitigation measures for the SIMATIC S7-1200 CPU.

SIMATIC Update


This update provides additional information on an advisory that was originally published on March 20th, 2018. The new information includes revised affected versions data and mitigation measures for SINUMERIK 828D.

SIMATIC PCS7 Update


This update provides additional information on an advisory that was originally published on November 2nd, 2018 and updated on June 12th, 2018. The new information includes revised affected versions data and mitigation measures for:

• OpenPCS 7 V8.1; and
• SIMATIC WinCC Runtime Professional V13

SIMATIC WinCC Update


This update provides additional information on an advisory that was originally published on April 19th, 2018. The new information includes revised affected versions data and mitigation measures for the WinCC OA Operator App.

SINAMICS Update


This update provides additional information on an advisory that was originally published on May 8th, 2018. The new information includes revised affected versions data and mitigation measures for SINAMICS GM150 V4.7 w. PROFINET.

SIMATIC Step7 Update


This update provides additional information on an advisory that was originally published on August 14th, 2018. The new information includes revised affected versions data and mitigation measures for:

• SIMATIC STEP 7 (TIA Portal); and
• WinCC (TIA Portal) V13

OpenSSL Update


This update provides additional information on an advisory that was originally published on August 14th, 2018 and updated on September 11th, 2018. The new information includes revised affected versions data and mitigation measures for:

• SIMATIC S7-1200 CPU;
• SIMATIC STEP 7 (TIA Portal) V13; and
• SIMATIC WinCC (TIA Portal) V13

Tuesday, October 9, 2018

S 3513 Introduced – UAS Restricted Areas

Last month Sen. Cortez-Masto (D,NV) introduced S 3513, the UAS Critical Infrastructure Protection Act. The bill would amend provisions in the FAA Extension, Safety, and Security Act of 2016 (PL 114-190) that allow facilities to petition the FAA to be declared restricted flight zones for unmanned aircraft.

UAS Restricted Areas


Section 2 of the bill would add ‘railroad facilities’ to the limited list of facilities that should be authorized to request that the FAA “prohibit or restrict the operation of an unmanned aircraft in close proximity” {PL 114-190 §2209(a), (130 STAT. 634)} to the facility.

The bill would also establish a deadline of March 31, 2019 for the FAA to publish a notice of proposed rulemaking to carry out §2209 and a requirement to publish the final rule within one year of that date.

Moving Forward


Both Cortez-Masto and her single cosponsor {Sen. Fischer (R,NE)} are members of the Senate Commerce, Science, and Transportation Committee to which this bill was assigned for consideration. Earlier in the session this might have allowed for their influence to ensure that this bill was considered in Committee. It is certainly less likely now, however, that this bill will receive any additional attention in the closing days of the session. The bill is likely to be re-introduced in the 116th Congress.

The original authorization bill that this bill amends received bipartisan support in both the House and Senate. There is nothing in this bill that would raise the prospects for significant opposition. If the bill were to be considered in this session it would likely pass in both Committee and on the floor with bipartisan support.

Commentary


The practical problem with this bill and the underlying requirement for establishing critical infrastructure ‘no fly zones’ is that there is currently no way to enforce the restrictions. Unmanned aerial systems (UAS) are typically too small to have readily identifiable identification numbers while they are in flight and it is currently illegal for anyone in the private sector or non-federal law enforcement to interfere with the operation of UAS or intercept the communications between the UAS and its controller. Even the recent authorization (sent to the President on October 4th) for DHS or DOJ physical action against UAS would not apply at these facilities.

The inclusion of a new deadline for the FAA to take regulatory action on the requirements of §2209 is interesting. The original legislation already required the FAA to establish the facility registration program within 180 days of the enactment of HR 636 (July 15th, 2016). The only way that Congress has of forcing compliance with such deadlines is by restricting funding for Department operations until the requirements are met, something for which there is very little political will.

Monday, October 8, 2018

HR 6913 Introduced – Blockchain Technology


Last month Rep. Guthrie (R,KY) introduced HR 6913, the Blockchain Promotion Act of 2018. The bill would require the Secretary of Commerce to establish a Blockchain Working Group.

Blockchain Working Group


The Blockchain Working Group (BWG) would consist of members representing both the federal government and the private sector. The Secretary would select the federal agencies to be represented with a view to ensuring “representation of a cross-section of Federal agencies that could use or benefit from blockchain technology” {§2(b)(2)(A)}. The private sector members would be selected to include representatives from the following {§2(b)(2)(B)(i)}:

• Information and communications technology manufacturers, suppliers, software providers, service providers, and vendors.
• Subject matter experts representing industrial sectors other than the technology sector that the Secretary determines can benefit from blockchain technology.
• Small, medium, and large businesses.
• Individuals and institutions engaged in academic research relating to blockchain technology.
• Nonprofit organizations and consumer advocacy groups engaged in activities relating to blockchain technology.
• Rural and urban stakeholders.

Within a year the BWG would be required to report to Congress a recommended definition of ‘blockchain technology’ along with recommendations for {§2(c)(1)(B)}:

• A study to be conducted by the Assistant Secretary of Commerce for Communications and Information, in coordination with the Federal Communications Commission, on the impact of blockchain technology on electromagnetic spectrum policy;
• A study that examines a range of potential applications, including non-financial applications, for blockchain technology; and
• Opportunities within Federal agencies to use blockchain technology.

Moving Forward


Both Guthrie and his single cosponsor {Rep. Matsui (D,CA)} are members of the House Energy and Commerce Committee, one of the two committees to which this bill was assigned for consideration. Earlier in the session this might have allowed for sufficient influence to ensure that the bill was considered in Committee. Now any consideration would have to take place during the post-election portion of the session, which is unlikely.

If this bill were considered, it is likely that it would receive bipartisan support, both in Committee and on the floor of the House. No money is being allocated and no regulations are being proposed, so there should be no basis for any serious opposition to the bill.

The bill will likely be re-introduced in the 116th Congress.

Commentary


I rather frequently disparage bills that require the Executive Branch to report to Congress as a buck-passing measure. There are times, however, when this is the most appropriate way for Congress to gather the necessary information to determine if legislative action is necessary. With blockchain becoming the tech-pop culture answer to all of the world’s problems, I think that this is an appropriate area for a study and report bill.

Having said that, there are two problems that I see with this bill as written. First, it is way too vague in its definition of which federal agencies should be represented on the BWG. Second, there is no reference to including representatives from State and local governments on the BWG.

There are two main areas where blockchain is touted as a panacea for the ills of the world: finance and security. At the very least the Treasury Department, Homeland Security and DOD should have been listed as agencies that should be represented on the BWG.

If blockchain is actually going to be able to solve a multitude of societal problems (I am not holding my breath) then State and local governments will also need to get into the blockchain act and should have at least some representation on the BWG to ensure that their concerns are addressed in the subsequent studies.

Saturday, October 6, 2018

ISCD Updates CSAT 2.0 Users Manual – 09-28-18


This week the DHS Infrastructure Security Compliance Division posted a link to a new version of the Chemical Security Assessment Tool (CSAT) 2.0 Portal User Manual. The new version is dated 09-28-18. This Chemical Facility Anti-Terrorism Standards (CFATS) manual is a major revision from the March 1, 2017 version. Major changes include additions for the personnel surety program and password changes.

The additions to the table of contents tell the tale of the changes to this manual. The following new items show up:

3 CSAT Personnel Surety Program (PSP) User Roles
5.1 Forgot Password
5.3 Rules of Behavior
10.4.1 Export User List
10.4.2 View User Information
10.4.3 Forget Password
10.4.4 Delete User Account
10.4.6 Personnel Surety Program (PSP) Submitter Access
10.5 Groups
11.1 Search Affected Individuals
11.2 Affected Individuals
11.3 User Defined Fields
12.3 Two-Factor Authentication / Self-Password Reset

There is a link to this new manual on the CFATS Knowledge Center, but there is no notice on that page announcing the presence of the new manual nor is there one on the CSAT web page.

Public ICS Disclosures – Week of 09-29-18


This week we have two new vendor notifications for products from Schneider Electric and PTC. We also have a vendor update from BD.

Schneider Advisory


This advisory describes an insufficient verification of data authenticity vulnerability in the Schneider Modicon M221. The vulnerability was reported by Eran Goldstein of CRITIFENCE. Schneider reports on workarounds to mitigate the vulnerability. There is no indication that Goldstein has been provided an opportunity to verify the efficacy of the fix.

PTC Advisory


This advisory describes three vulnerabilities in the PTC ThingWorx Platform. The vulnerabilities were reported by Matteo Tomaselli from the SEC Consult Vulnerability Lab. PTC has new versions that mitigate the vulnerabilities. There is no indication that Tomaselli has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Disclosure of User Password Hashes to Privileged Users - CVE-2018-17216;
• Disclosure of Encrypted Credentials and Use of Hard-Coded Passwords - CVE-2018-17217; and
• Reflected Cross-Site Scripting - CVE-2018-17218.

BD Update


This update provides additional information on an advisory that was originally published on May 22, 2018. The update provides previously promised mitigation measures.

Bills Introduced – 10-05-18


With the Senate in full session and the House in pro forma session there were 24 bills introduced yesterday. Of those only one may receive additional coverage here:

HR 7045 To require the Federal Aviation Administration to address cybersecurity concerns for aircraft avionics systems, including software components. Rep. Meng, Grace [D-NY-6]

NOTE: The Senate is still officially in session for Friday as I write this and there are no Senate bills included in the ‘24’ mentioned above. Once the Kavanaugh nomination is finally dealt with the Friday session will end and we may yet see some bills from the Senate side of the Hill.

Friday, October 5, 2018

ICS Advisory and 2 Medical Device Advisories


Yesterday the DHS NCCIC-ICS published a controls system security advisory for products from WECON and two medical device security advisories for products from Change Healthcare and Carestream.

WECON Advisory


This advisory describes four vulnerabilities in the WECON PI Studio, an HMI project programmer. The vulnerabilities were reported by Mat Powell and Natnael Samson (Natti) via the Zero Day Initiative. WECON is working on mitigation measures.

The four reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2018-14818;
• Out-of-bounds write - CVE-2018-14810;
• Information exposure through XML external entity reference - CVE-2018-17889; and
• Out-of-bounds read - CVE-2018-14814.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to achieve remote code execution, execution of code in the context of an administrator, reading past the end of an allocated object, or disclosure of sensitive information in the context of an administrator.

Change Healthcare Advisory


This advisory describes an information exposure through error message vulnerability in the Change Healthcare PeerVue Web Server. The vulnerability was reported by Dan Regalado of Zingbox. Change Healthcare has a patch available to mitigate the vulnerability. There is no indication that Regalado has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker on an adjacent network could exploit the vulnerability to obtain technical information about the PeerVue Web Server that could be used to target the system for attack.

Carestream Advisory


This advisory describes an information exposure through an error message vulnerability in the Carestream Vue RIS, a web-based radiology information system. The vulnerability was reported by Dan Regalado of Zingbox. Carestream has a new version that mitigates the vulnerability and has provided workarounds. There is no indication that Regalado has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker with access to the network can exploit the vulnerability to passively read traffic.

NOTE: It is always interesting to see a researcher who has found an unusual vulnerability in one system then look for the same type of vulnerability in other related systems. It makes me wonder if developers reading these advisories (and of course they do, right?) ask themselves if their systems have the same vulnerability.
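For developers asking that question about the weakness class named in both advisories (information exposure through an error message), the following is an added illustration, not code from either vendor or from the advisories. It contrasts a handler that returns exception text and a stack trace to the client with a hardened handler that keeps the details in the server log and returns only a generic message plus an opaque reference id, and it includes a simple check that can be run over a system's own error responses to flag leaked internals. The record lookup, the record ids and the leak patterns are all constructed for the example.

```python
"""Constructed example: error-message information exposure vs. a hardened handler,
plus a check for internals leaking into client-visible error bodies."""
import logging
import re
import traceback
import uuid
from typing import Tuple

log = logging.getLogger("app")

# Constructed stand-in for a backend lookup that can fail on unexpected input.
_RECORDS = {"1001": "study-A", "1002": "study-B"}


def lookup_record(record_id: str) -> str:
    """Raise ValueError on malformed ids and KeyError on unknown ids."""
    if not record_id.isdigit():
        raise ValueError(f"bad id format: {record_id!r}")
    return _RECORDS[record_id]


def handle_leaky(record_id: str) -> Tuple[int, str]:
    """Weak pattern: exception text and the stack trace are sent to the client.
    The trace exposes source paths, module names and the exception type."""
    try:
        return 200, lookup_record(record_id)
    except Exception as exc:  # noqa: BLE001 - deliberately broad for the example
        return 500, f"Internal error: {exc}\n{traceback.format_exc()}"


def handle_hardened(record_id: str) -> Tuple[int, str]:
    """Hardened pattern: full details go to the server log under a correlation id;
    the client gets a generic message carrying only that opaque id."""
    try:
        return 200, lookup_record(record_id)
    except Exception:  # noqa: BLE001
        cid = uuid.uuid4().hex
        log.exception("request failed, correlation_id=%s", cid)
        return 500, f"An internal error occurred (reference {cid})."


# Constructed markers of server internals appearing in a client-visible body.
_LEAK_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),
    re.compile(r'File "[^"]+", line \d+'),            # interpreter source locations
    re.compile(r"\b(KeyError|ValueError|Exception)\b"),  # exception type names
    re.compile(r"[A-Za-z]:\\|/(?:usr|home|opt|var)/"),   # filesystem paths
]


def leaks_internals(body: str) -> bool:
    """True if an error body contains any of the leak markers above."""
    return any(p.search(body) for p in _LEAK_PATTERNS)


if __name__ == "__main__":
    for rid in ("1001", "abc", "9999"):
        status, body = handle_leaky(rid)
        print(f"leaky    {rid}: {status} leaks={leaks_internals(body)}")
        status, body = handle_hardened(rid)
        print(f"hardened {rid}: {status} leaks={leaks_internals(body)}")
```

The check is deliberately crude: it is the kind of regex sweep a developer can run over captured error responses from a test environment to catch the obvious cases (stack traces, exception names, paths); it is not a substitute for reviewing every error path. The correlation id lets support staff find the logged detail without the client ever seeing it.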

Thursday, October 4, 2018

Senate Amends and Passes HR 3359 – DHS Reorganization


Yesterday the Senate amended and passed HR 3359, the ‘Cybersecurity and Infrastructure Security Agency Act of 2018’. The bill creates the Cybersecurity and Infrastructure Security Agency within DHS. The bill was passed earlier this year in the House. Two amendments were made; the first a substitute amendment (SA 4403, pg S6497) from Sen. Johnson (R,WI) and the second a minor amendment (SA 4404, pg S6502) from Sen. Murkowski (D,MO). Both amendments and the bill were adopted without debate or vote. The bill will now have to be reconsidered by the House.

Substitute Language


Most of the additions made by the Johnson amendment added references to ‘Sector-Specific Agency’. This included a new definition of that term added in the new §2201.

The language regarding the transfer of the DHS Federal Protective Service {§3(b)} was greatly expanded. The original bill provided that DHS could transfer the FPS to the new CISA. The substitute language approved yesterday expands on that by providing instructions on what needs to occur if DHS declines to make that move. This would include specific notifications to Congress and the involvement of the OMB in subsequent evaluation of what to do with the FPS.

A new §4 of the bill was added that requires a report to Congress by DHS on the “leadership role of the Department in cloud-based cybersecurity deployments for civilian Federal departments and agencies” {§4(b)}.

There were a number of wording deletions made by the substitute language. These include the rather inconsequential deletion of the definitions of the terms ‘federal entity’ and ‘non-federal entity’.

One potentially significant deletion in the new §2202 is made in paragraph (e)(1) where the responsibilities of the new CISA Director are enumerated. Sub-paragraph (M) was deleted. That originally read:

“To ensure, in conjunction with the chief information officer of the Department, that any information databases and analytical tools developed or utilized by the Department—
“(i) are compatible with one another and with relevant information databases of other Federal Government agencies; and
“(ii) treat information in such databases in a manner that complies with applicable Federal law on privacy.”

Finally a change was made to the wording in the bill dealing with the Chemical Facility Anti-Terrorism Standards (CFATS) program. In explicating the responsibilities of the new Assistant Director for the new Infrastructure Security Division we see both an addition and deletion made to the wording of the original bill. The quote below shows both the addition (underlined) and the deletion (struck-through) made to §2204(b)(2).

“(2) carry out efforts, at the direction of the Director, to secure the United States high-risk chemicals and chemical facilities consistent with law, including the Chemical Facilities Anti-Terrorism Standards Program established under title XXI and the secure handling of ammonium nitrate program established under subtitle J of title VIII, or any successor programs;”

Commentary


I continue to believe that this change to the status of the current National Protection and Programs Directorate is mainly a smoke and mirrors change. I have had a number of people with closer connections to the operation of DHS inform me that this has to do mainly with the status of the new Director and the authority of the new agency to deal with administrative and spending matters, none of which is directly addressed in the language of the bill.

The change in wording of §2204(b)(2) has me a little bit concerned. Neither the addition nor the deletion has any direct effect on the CFATS program. The added ‘any successor’ language is typically a legal distinction addressing the fact that Congress could change the name of the program at any time. Similarly, the deleted words have no apparent practical effect on the inclusion of the CFATS program in the new Infrastructure Security Division. But there is a nagging question in my mind as to why Johnson made these specific changes to the wording about the CFATS program; is there something in the works?

I am more concerned, however, with the deletion of §2202(e)(1)(M). I am not an active privacy advocate, particularly when it comes to the Federal government, mainly because I suspect that we have completely surrendered any pretense of privacy protection and any attempts to put the genie back in the bottle are mainly for show rather than for any practical effect. Having said that, I am concerned that Johnson thought that it was appropriate to remove language from the bill that provided some modicum of privacy protection to information collected by DHS. It probably was not going to be very effective, but it at least made a show of being concerned.

ISCD Publishes CFATS Update – 10-03-18


Yesterday the DHS Infrastructure Security Compliance Division (ISCD) published their monthly update of the Chemical Facility Anti-Terrorism Standards (CFATS) implementation statistics. The number of facilities in the program continued the slight increase we saw in the previous month and there is continued, long-term improvement in the number of facilities with approved site security plans.

Facility Status


The table below shows the reported status of facilities covered under the CFATS program. The decline in the number of Tiered and Authorized facilities continues to reflect the expected movement of facilities through the SSP submission and approval process.

CFATS Facility Status    Jul-18    Aug-18    Sep-18
Tiered                      213       218       211
Authorized                  618       562       493
Approved                   2531      2586      2665
Total                      3362      3366      3369

ISCD Activities


The table below shows the reported activities that the DHS chemical security inspectors (CSI) from ISCD undertook in the support of the CFATS program in September.

CFATS Activities                       Jul-18    Aug-18    Sep-18
Authorization Inspections to Date        3768      3822      3854
Authorization Inspections Month            44        68        35
Compliance Inspections to Date           3752      3819      3891
Compliance Inspections Month               59        78        71
Compliance Assistance Visits to Date     4598      4749      4897
Compliance Assistance Visits Month        103       158       126

It is hard to judge the fluctuations in the number of activities undertaken by CSI. Each facility is different and would be expected to require differing amounts of time and numbers of inspectors to complete the reported inspections or visits. Additionally, ISCD does not report on the different types of training activities that its personnel require, nor does this report show changes in the number of CSI employed by the program.
