Thursday, July 19, 2018

ICS-CERT Publishes 4 Advisories


Today the DHS ICS-CERT published four control system security advisories for products from Moxa, Echelon, and AVEVA (two advisories).

Moxa Advisory


This advisory describes a resource exhaustion vulnerability in the Moxa NPort serial network interface. The vulnerability was reported by Mikael Vingaard. The latest firmware mitigates the vulnerability. There is no indication that Vingaard has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability by sending TCP SYN packets, causing a resource exhaustion condition that would cause the device to become unavailable.

Echelon Advisory


This advisory describes four vulnerabilities in the Echelon SmartServer and i.LON products. The vulnerabilities were reported by Daniel Crowley and IBM’s X-Force Red team. Echelon has a new version that mitigates three of the vulnerabilities and provides a workaround for the fourth. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Information exposure - CVE-2018-10627;
• Authentication bypass using an alternate path or channel - CVE-2018-8859;
• Unprotected credentials - CVE-2018-8851; and
• Clear text transmission of critical information - CVE-2018-885

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow for remote code execution on the device.

InTouch Advisory


This advisory describes a stack-based buffer overflow vulnerability in the AVEVA InTouch HMI. This vulnerability was reported by George Lashenko of CyberX. AVEVA has updates available that mitigate the vulnerability. There is no indication that Lashenko has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to remotely execute code with the same privileges as those of the InTouch View process which could lead to a compromise of the InTouch HMI.

InduSoft Advisory


This advisory describes a stack-based buffer overflow vulnerability in the AVEVA InduSoft Web Studio and InTouch Machine Edition HMIs. This vulnerability was reported by Tenable Research. AVEVA has updates available that mitigate the vulnerability. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow remote code execution.

ISCD Publishes CFATS Quarterly – July 2018


Today the DHS Infrastructure Security Compliance Division (ISCD) published the latest version of their Chemical Facility Anti-Terrorism Standards (CFATS) Quarterly. It was announced on the CFATS Knowledge Center with the link provided about half-way through the ‘CFATS Quarterlies and Webinars’ section at the bottom of the page.

This periodic document provides information on what has been going on in the CFATS program. Most of the news is about publications that have been made available to help facilities manage their CFATS process; nothing new here that I have not already covered.

In fact, the only really new piece of information is that David Wulf has finally returned to his job as Director of ISCD after having spent the last 18 months as Acting Deputy Assistant Secretary for Infrastructure Protection. This is the second time that Dave has filled this temporary position during the start of a new administration.

Classified ICS Security Information


There is an interesting discussion that has been taking place for a couple of days now over on LinkedIn. It was initiated by Isiah Jones from LEO Cyber Security. A lot of the response has been targeted at Isiah’s confrontational language, but the really important takeaway is that Isiah thinks/knows(?) that there is classified information available about threats to industrial control systems in critical infrastructure in the United States. Now Isiah is being necessarily vague about the information, but the discussion is important nonetheless.

Now I have not had access to classified information of any sort since I left the military a goodly number of years ago. My TS clearance is certainly not in force after this time and I have not had the necessary ‘need to know’ for access in any case. Having said that, I am absolutely certain that such classified information exists and that it is unlikely to get into the hands of many of the people who could actively use that information to protect their facilities against serious nation-state level threats.

All is not lost, however. More about that later in the post.

The Need for Secrecy


Contrary to the beliefs of my friends in the black helicopter set, there are many legitimate reasons for the intelligence community (IC) to keep threat information classified. In most cases, the need to protect future access to critical information is more important than the need to share the current information; this is best exemplified by the Coventry-Ultra controversy from WWII. In other cases, the ‘knowledge’ is either so incomplete as to be useless (the Russians want to be able to attack the power grid) or the level of confidence in the information is so low that the intelligence community does not want to be accused of crying wolf.

Information Sharing Problems


Even when the IC is willing to share information, it is not easy to get the information to the correct people. First off, the information is going to be classified, so the person receiving the information needs to be properly vetted to receive classified information. Anyone familiar with this process knows that it is tedious and time consuming.

If the IC waits until they know who will need a specific piece of information before the vetting process begins, the information will probably be worthless once the process is complete; the whole closing the barn door after the animals have gotten out thing. If you vet everyone that might need access to some specific piece of classified information at some unknown future time, you end up clogging the vetting system even further with probably unnecessary vetting requests.

Even if the appropriate people have the necessary security clearances, getting them the appropriate information in a secure manner is also a problem. Even if secure messaging apps are used to protect the information in transit, the receiving device has to have minimum levels of security to prevent the information from getting into the wrong hands. Those security measures are expensive; too expensive to set up and maintain on the off chance of needing to receive classified information at some unknown point in the future.

This whole thing is further complicated by the fact that within the receiving organization, the information still needs to be protected during the internal sharing process. Everyone that needs access to the information to put proper protections in place needs to be vetted, their communications need to be protected, and many of their working files will be derivatively classified and need similar protections. This stuff gets very complicated; just ask anyone that has done operation planning in the military.

An alternative that many people have advocated (and I am certainly one) is for the IC to produce unclassified versions of their intelligence information to make the sharing process easier. I did this at the tactical intelligence level in one of my military jobs. It is time consuming to try to extract useable information from an intelligence report and then get that unclassified version vetted to ensure that means and methods are not inadvertently disclosed. Usually, the resulting product is useful for background purposes only, providing little or no information that provides for direct reaction by the recipient.

So, What to Do?


So, all is not lost. The IC can tell (and has told) us that adversaries are targeting control systems in critical infrastructure and have sophisticated techniques for doing so. The specific attack vectors are not necessarily important (as other attack vectors will certainly be used in future attacks). What is important to know is that nation-state level actors are involved and thus will ultimately get through the defenses of any target they are really interested in attacking; THERE IS NO SUCH THING AS A SECURE SYSTEM.

First off, facilities need to determine what they really need to protect to survive and thrive. Information that would significantly hurt the company if it found its way into the hands of competitors or other adversaries needs to be encrypted at rest and in transit. Portions of control systems that are necessary for safety and quality control need to be isolated to the greatest extent possible. Where complete isolation is not possible for whatever reason, communications between the critical portions and other networks need to be closely monitored for anomalies. Where safety effects could be felt outside the facility, additional controls need to be implemented that are physically separated from the control network and analog safety measures should be established whenever possible.

Finally, a reaction plan needs to be firmly in place for all worst-case scenarios. The plan needs to assign specific responsibilities and identify any outside resources that need to be contacted, how that contact is to be made (with at least one alternative communications method identified), and who will make the contact. And, most importantly, those outside resources need to know in advance their roles in responding to an emergency event at the facility. That reaction plan needs to be trained and tested on a recurring basis.

Folks, none of this is new. We have been doing fire drills since we were little kids. We take precautions to prevent fires but recognize that fires can happen nonetheless. We install sprinkler systems and place fire extinguishers at key locations. At facilities where we have an unusually high threat of fire because of combustible materials we take additional precautions and put additional reactive measures in place. We need to extend that same mindset to control system security.

Bills Introduced – 07-18-18


Yesterday with both the House and Senate in session there were 41 bills introduced. Of those, one may be of specific interest to readers of this blog:

HR 6430 To amend the Homeland Security Act of 2002 to authorize the Secretary of Homeland Security to implement certain requirements for information relating to supply chain risk, and for other purposes. Rep. King, Peter T. [R-NY-2]

While this will probably be a federal IT specific bill, the supply chain risk requirements may end up being a standard that would be implementable by many organizations due to the purchasing power of the federal government.

Wednesday, July 18, 2018

OMB Approves PHMSA Classification ANPRM


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved the advance notice of proposed rulemaking (ANPRM) from the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) in regards to actions to be taken by pipeline owners when class location changes result from population increases.

While the intent of this potential rulemaking is the same as when I posted my blog entry on the submission of this rulemaking to OIRA, there has been a substantial change to the Unified Agenda entry on the topic in the Spring 2018 version of the agenda that was released since that earlier post. The Fall 2017 version contained a great deal more supporting information and explanation of what this rulemaking could entail. It is not clear if this is a change in how PHMSA views this potential rulemaking or if it is just an attempt to reduce the verbiage in the Unified Agenda.

Bills Introduced – 07-17-18


Yesterday with both the House and Senate in session there were 37 bills introduced. Of these, three may be of specific interest to readers of this blog:

HR 6399 To direct that certain assessments with respect to toxicity of chemicals be carried out by the program offices of the Environmental Protection Agency, and for other purposes. Rep. Biggs, Andy [R-AZ-5]

HR 6401 To assist the Department of Homeland Security in preventing emerging threats from unmanned aircraft and vehicles, and for other purposes. Rep. McCaul, Michael T. [R-TX-10]

HR 6407 To require the Administrator of General Services to transfer certain surplus computers and technology equipment to nonprofit computer refurbishers for repair and distribution, and for other purposes. Rep. Garrett, Thomas A., Jr. [R-VA-5]

My interest in the first two bills should be rather obvious, but the third is a bit of a stretch for coverage here. What I will be looking for in this bill is any language that would require agencies to strip all information from the memory of the covered devices before providing them to refurbishers. I do not really expect such language to be there, but I can always hope.

Tuesday, July 17, 2018

ICS-CERT Publishes 3 Advisories and 1 Update


Today the DHS ICS-CERT published three new control system security advisories for products from PEPPERL+FUCHS, WAGO and ABB. They also updated a previously published advisory for products from Rockwell.

PEPPERL+FUCHS Advisory


This advisory describes an improper authentication vulnerability in the PEPPERL+FUCHS VisuNet RM, VisuNet PC, and Box Thin Client (BTC) families of products. The vulnerability was reported by Eyal Karni, Yaron Zinar, and Roman Blachman with Preempt Research Labs. PEPPERL+FUCHS has firmware updates for HMIs running RM Shell 4 or RM Shell 5. For HMIs running on Windows 7 or Windows 10 platforms the recommendation is to apply the applicable Windows update for CVE-2018-0866. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that an uncharacterized attacker with uncharacterized access could exploit this vulnerability to intercept sensitive communications, establish a man-in-the-middle attack, achieve administrator privileges, and execute remote code.

NOTE: I initially reported on this vulnerability on July 7th, 2018.

WAGO Advisory


This advisory describes three vulnerabilities in the WAGO e!DISPLAY Web-Based-Management. These vulnerabilities were reported by T. Weber of SEC Consult. The latest firmware version mitigates the vulnerabilities. There is no indication that Weber has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Cross-site scripting - CVE-2018-12981;
• Unrestricted upload of file with dangerous type - CVE-2018-12980; and
• Incorrect permission for critical resource - CVE-2018-12979

ICS-CERT reports that a relatively low-skilled attacker could use publicly available exploits to remotely exploit the vulnerabilities to execute code in the context of the user, execute code within the user’s browser, place malicious files within the filesystem, and replace existing files to allow privilege escalation.

NOTE: I initially reported on these vulnerabilities on July 14th, 2018.

ABB Advisory


This advisory describes an improper input validation vulnerability in the ABB Panel Builder 800. The vulnerability was reported by Michael DePlante of Leahy Center and Michael Flanders of Trend Micro via the Zero Day Initiative. ABB has provided workarounds pending further investigation of the vulnerabilities.

ICS-CERT reports that an uncharacterized attacker with uncharacterized access could conduct a social engineering attack to exploit this vulnerability to insert and run arbitrary code.

NOTE: I initially reported on these vulnerabilities on July 7th, 2018.

Rockwell Update


This update provides new information on an advisory that was originally published on June 21st 2018. The new information is an expansion of the affected versions for all affected products.

Monday, July 16, 2018

Committee Hearings – Week of 07-15-18


With both the House and Senate in Washington there will be a fairly active committee schedule, but little of specific interest to readers of this blog. There will be a rules hearing on a spending bill that will be considered this week in the House.

HR 6147 – IER Spending


Today the House Rules Committee will hold a rules hearing to establish a structured rule for the consideration of HR 6147, Department of the Interior, Environment, and Related Agencies Appropriations Act, 2019. Actually, this will be another mini-bus consideration as HR 6258, the Financial Services and General Government Appropriations Act, 2019, is being added to the bill for consideration in the House.

The Committee has received 170 amendments for the IER portion of the bill, but none of them are of specific interest to readers of this blog. The Committee will select a portion of those (and of the 85 offered for the HR 6258 portion of the bill) to be considered on the floor of the House later this week.

On the Floor


As noted above, HR 6147 will come to the House floor either Tuesday or Wednesday of this week. It will pass, but there is little likelihood that the bill will receive substantial bipartisan support.

We have seen substantial progress this year on spending bills in the House but have yet to see any real action in the Senate. Part of this is due to the backlog of nominations that still plagues the Senate and the procedural delays in the consideration of those nominations. Another part of the problem is an unintended consequence of the decision to reduce the length of the summer recess in the Senate. This has reduced some of the pressure on the Senate to act early on the spending bills that have passed in the House.

Unfortunately, this could backfire on the leadership. The House has not announced a reduction in their summer recess schedule. This means that they will likely be in recess when the Senate completes action on at least some of the spending bills. This means that a vote to go to conference will likely be delayed on those bills until the House comes back to Washington in September.

There is a way out of that dilemma, but it would require a great deal of cooperation and trust between Ryan and Pelosi. Since the House will meet in pro forma session throughout their recess there could be unanimous consent votes on going to conference during the pro forma sessions. With no one calling for roll call votes, the two representatives representing the Speaker and the Minority Leader could go through the procedural dance of initiating the conference committees. Unfortunately, with pressure on both Ryan and Pelosi from their party’s more radical elements, this is unlikely to take place.

Saturday, July 14, 2018

ICS Public Disclosure – Week of 07-07-18


This week we have two vendor disclosures from Siemens and WAGO with a concurrent publication of exploit code for the WAGO vulnerabilities.

Siemens Advisory


This advisory describes two denial of service vulnerabilities in the Siemens EN100 Ethernet communication module and SIPROTEC 5 relays. The vulnerabilities were reported by Victor Nikitin, Vladislav Suchkov, and Ilya Karpov from ScadaX. Siemens recommends blocking access to port 102/tcp e.g. with an external firewall.

WAGO Advisory


This VDE-CERT advisory describes three vulnerabilities in the WAGO e!DISPLAY. The vulnerabilities were reported by SEC Consult. WAGO has a new firmware version that mitigates the vulnerabilities. There is no indication that SEC Consult has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Improper neutralization of input during web page generation - CVE-2018-12981;
• Unrestricted upload of file with dangerous type - CVE-2018-12980; and
• Incorrect permission assignment for critical resource - CVE-2018-12979

The day after VDE-CERT released this advisory SEC Consult published exploit code for all three vulnerabilities on their web site and other locations (see here for example).

Friday, July 13, 2018

OOPS – Big Mistake on Previous Post


I do not know how it happened (probably too tired to read straight), but I linked to (and got wrong) the incorrect roll-call vote and reported it as being on HR 6237. The actual vote was 363 to 54 which is substantially bipartisan and should reflect enough bipartisan support for the bill to be considered in the Senate in its current form.

House Passes HR 6237 – FY 2018/19 Intel Authorization


Today the House passed HR 6237, the Matthew Young Pollard Intelligence Authorization Act for Fiscal Years 2018 and 2019, on a nearly party-line vote of 233 to 184 (6 Republican Noes and 9 Democrat Ayes). Twelve amendments were considered, but none were of specific interest to readers of this blog.

The bill has now been tossed to the Senate. Unfortunately, with the party-line vote in the House, there is not much of a chance that the Senate will take up the bill in its current form. There has not been a Senate version of the bill to substitute for the House language like we have seen in the spending bills, so that is probably not an option for consideration of HR 6237 in the Senate.

The intel community can survive without an authorization bill as long as the spending bills continue to pass. The big problem with the lack of authorization is that this reinforces the fact that Congress really has no stomach for maintaining oversight of the grey areas that surround the IC. Congress as a whole is perfectly content to allow a small number of Senators and Representatives to exercise the oversight out of sight and mind. Until, of course, something blows up….

See next post (Updated 07:30 EDT 7-13-18)

Thursday, July 12, 2018

ICS-CERT Publishes an Advisory and an Update


Today the DHS ICS-CERT published a control system security advisory for products from Eaton. They also updated a medical device security advisory for products from Medtronic.

Eaton Advisory


This advisory describes a stack-based buffer overflow in the Eaton 9000X Drive. The vulnerability was reported by Ghirmay Desta working with the Zero Day Initiative. Eaton has an update available that mitigates the vulnerability. There is no indication that Desta was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that an uncharacterized attacker could remotely exploit the vulnerability to allow remote code execution.

Medtronic Update

This update provides additional information for an advisory that was originally published on May 17th, 2018. The update adds a second vulnerability (Protection mechanism failure - CVE-2018-10631). This necessitated an increase of the CVSS (v3) score from 4.6 to 6.3 and an expanded risk evaluation section of the advisory.

Wednesday, July 11, 2018

House Passes HR 5729 – TWIC Reader Rule Delay

Yesterday the House passed HR 5729, the Transportation Worker Identification Credential Accountability Act of 2018, by a voice vote. There was a short nine-minute debate on the bill with two representatives speaking in favor of the bill.

Both Rep. Katko (R,NY) and Rep. Norton (D,DC) mentioned in their floor speeches concerns about the “expanded scope of the final [TWIC Reader] rule where facility areas subject to the TWIC reader requirement went beyond what was included in the proposed rule and regulatory analysis accompanying that rule” (pg H5996). Norton also mentioned “concerns and questions about the reliability of background check information, the efficacy of fraud detection capabilities, and the relatively high cost of the credential have been persistent shortfalls that the Department of Homeland Security has never gotten right.”

Unfortunately for the two representatives neither issue is addressed by this bill. The bill simply extends the effective date for the TWIC Reader Rule until the “end of the 60-day period beginning on the date of the submission under paragraph (5) of section 1(b) of Public Law 114–278 [link added] (130 Stat. 1411 to 1412) of the results of the assessment required by that section.”

It will be interesting to see if the Senate takes up this bill before August 18th, 2018. If it is signed by the President sometime after the 18th it will have the interesting effect of prohibiting the implementation of something that will have already been implemented. That will cause all sorts of potentially interesting legal complications, at least until the report is filed.

This bill would have no effect on the current Coast Guard rulemaking underway to delay for three years the implementation of the TWIC Reader Rule for a limited sub-set of the currently affected facilities.

DOE Sends CEI Rulemaking to OMB for Approval


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that DOE had submitted a notice of proposed rulemaking (NPRM) on Critical Electric Infrastructure (CEI) for approval. This rulemaking was not published in the Spring 2018 Unified Agenda, so it is not clear what the rule would specifically address.

An article (registration required) in E&E News yesterday, however, states:

“The Department of Energy will soon publish proposed regulations outlining how it plans to ‘receive, hold and share’ critical electricity infrastructure information from utilities, a senior DOE official [Catherine Jereza, DOE's deputy assistant secretary for transmission planning and technical assistance] said yesterday.”

Most of what Jereza describes is covered under 18 CFR 388.113. Interestingly that Critical Electric Infrastructure Information (CEII) regulation only covers information disclosed to the Federal Energy Regulatory Commission (FERC). It does not specifically include similar (or even identical) information disclosed directly to DOE.

Tuesday, July 10, 2018

ICS-CERT Publishes 2 Advisories – Updates Spectre Alert


Today the DHS ICS-CERT published two control system security advisories for products from Schweitzer Engineering and Universal Robots. They also updated their alert for Meltdown/Spectre vulnerabilities.

Schweitzer Advisory


This advisory describes three vulnerabilities in the Schweitzer Compass and AcSELerator Architect products. The vulnerabilities were reported by Gjoko Krstic of Applied Risk. The latest versions of the software mitigate the vulnerabilities. There is no indication that Krstic has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Incorrect default permissions - CVE-2018-10604;
• Improper restriction of XML external entity reference - CVE-2018-10600; and
• Uncontrolled resource consumption - CVE-2018-10608

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities with publicly available exploit code to allow modification/replacement of files within the Compass installation directory, disclosure of information, or denial of service.

Universal Robots Advisory


This advisory describes two vulnerabilities in the Universal Robots Robot Controllers. The vulnerabilities were reported by Davide Quarta, Mario Polino, Marcello Pogliani, and Stefano Zanero from Politecnico di Milano as well as Federico Maggi with Trend Micro Inc. Universal Robots has described generic workarounds to mitigate the vulnerabilities. There is no indication that any of the researchers have been provided with an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Use of hard-coded credentials - CVE-2018-10633; and
• Missing authentication for critical function - CVE-2018-10635

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to run arbitrary code on the device.

Meltdown/Spectre Update


This update provides additional information on an alert that was originally published on January 11th, 2018 and updated on January 16th, 2018, January 17th, 2018, January 30th, 2018, February 20th, 2018, February 22nd, 2018, March 1st, 2018 and again on April 26th, 2018 (typo in ICS-CERT update says 4-27-18). The update provides a link to the new PEPPERL+FUCHS (ecom mobile devices) advisory that I discussed on Saturday.

ISCD Updates CFATS Knowledge Center – 07-10-18


Today the DHS Infrastructure Security Compliance Division (ISCD) updated their Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. This was an update to the page layout and appearance; no new information was added.

I have done a quick check and all of the old functionality that I have been using on the site remains and I have not discovered any neat new tools. The appearance has certainly changed and it shows Version # 3.0.00, so something was done. I am not a big fan of change for changes sake, but this is prettier.

I have one minor typography complaint. There is nothing that sets off the links in the text (other than the fact that they are URLs), so it is not quick and easy to find the links. Again, a very minor (and perhaps idiosyncratic) complaint.

Monday, July 9, 2018

Committee Hearings – Week of 07-08-18


With both the House and Senate in session this week we start to see movement on other things than just spending bills. We have two cybersecurity hearings of potential interest and HR 6237, the FY 2018/19 intel authorization bill.

Spending Bills

• Wednesday – House – Committee - Labor, Health and Human Services, Education, and Related Agencies
• Wednesday – House – Rules Committee – HR 6147 (LHHE) Amendment Deadline

Cybersecurity


On Wednesday the House Homeland Security Committee will be holding a hearing on “DHS’s Progress In Securing Election Systems And Other Critical Infrastructure”. The witness list includes:

• Christopher Krebs, DHS; and
• Nellie Gorbea, State of Rhode Island

While securing the election process is certainly important it is generally outside of the scope of this blog. I am mentioning this hearing though because of the following statement on the hearing web site:

“The hearing will also provide Members an opportunity to hear about DHS’s role working across all 16 critical infrastructure sectors because a cyber threat to elections may pose a similar threat to other critical infrastructure sectors.”

It will be interesting to hear what questions the Committee has for Krebs.

On Wednesday the Senate Commerce, Science, and Transportation Committee will hold a hearing on “Complex Cybersecurity Vulnerabilities: Lessons Learned from Spectre and Meltdown”. The witness list includes:

• Donna Dodson, NIST;
• José-Marie Griffiths, Dakota State University;
• Joyce Kim, ARM;
• Art Manion, Carnegie Mellon University; and
• Sri Sridharan, University of South Florida

This is potentially too complex a topic for a congressional hearing. I hope the witnesses take this into account and concentrate on policy type issues instead of the technical details. It will be interesting to see what questions are posed by the Senators; this will reflect on the quality of the technical support the committee has.

Intelligence Authorization Act


On Wednesday the House Rules Committee will hold a hearing to set the rule for the consideration of HR 6237, the Matthew Young Pollard Intelligence Authorization Act for Fiscal Years 2018 and 2019. Thirty-seven amendments have been submitted to the Committee for consideration for inclusion in the debate on HR 6237. None of those amendments should be of specific interest to readers of this blog.

Last year’s version of the bill, HR 3180, finally passed the House under a closed rule (limited debate, no amendments), but was never considered in the Senate. It will be interesting to see how the Committee deals with this bill this year. The bill is scheduled to come to the floor on Thursday.

On the Floor


In addition to HR 6237, the House will also take up HR 5729, the Transportation Worker Identification Credential Accountability Act of 2018. That bill will be considered tomorrow under the suspension of the rules process; limited debate, no amendments, and a super-majority to pass. The bill will almost certainly pass with wide bipartisan support.

As I noted in my post on S 3094, the companion bill to HR 5729, from reading the Committee Report on the bill it is clear that the impetus for proposing this bill was to ‘punish’ DHS and the Coast Guard for ignoring the dictates of Congress. That will not, however, be the basis for the widespread support for the bill. It provides a wide variety of congress critters a chance to vote against the TWIC program (for an equally wide variety of reasons) without taking any real action to affect the program. They get a show vote for certain constituencies without having to negatively affect a security program. You cannot get a better bill for politicians.

HR 6229 Introduced – NIST Reauthorization


Last month Rep. Comstock (R,VA) introduced HR 6229, the National Institute of Standards and Technology (NIST) Reauthorization Act of 2018. The bill would provide authorization for NIST for both FY 2018 and FY 2019. The bill was adopted by a voice vote in a mark-up hearing by the House Science, Space, and Technology Committee on June 27th, 2018 with one amendment. The bill contains a number of cybersecurity provisions.

Cybersecurity


Section 4 of the bill addresses the NIST cybersecurity programs. Most of it deals with support for the cybersecurity operations of agencies of the Federal government, but paragraph (c) addresses the cybersecurity research activities of NIST. These include:

• The development of research and engineering capabilities to provide practical solutions, including measurement techniques and engineering toolkits, to solve cybersecurity challenges such as human factors, identity management, network security, privacy, and software;
• Investment in tools to help private and public-sector organizations measure their cybersecurity, manage their risks and ensure workforce preparedness for new cybersecurity challenges; and
• Investment in programs to prepare the United States with strong cybersecurity and encryption technologies to apply to emerging technologies such as artificial intelligence, the internet of things, and quantum computing.

Section 7 of the bill addresses NIST research activity associated with the internet of things (IoT). It specifically addresses cybersecurity in two subparagraphs:

• The development of new tools and methodologies for cybersecurity of the internet of things; and
• The development and publication of new cybersecurity tools, encryption methods, and best practices for internet of things security.

None of the research requirements mentioned above include specific authorization for funding, so NIST will have to fund this research out of existing programs.

Committee Amendment


Rep. Comstock (R,VA) introduced the only amendment to HR 6229 to be considered by the Committee. It increased the authorized FY 2019 spending for NIST from $1.115 billion to $1.125 billion. It allocated all of that funding increase to spending for industrial technology services, increased from $145 million to $155 million. It also removed the sub-allocation amounts in that account for the Manufacturing Extension Partnership and Manufacturing Innovation programs.

Moving Forward


This bill will move forward to the floor of the House. It will probably be considered under the suspension of the rules provisions with limited debate and no floor amendments. It will receive wide bipartisan support.

Commentary


It was disappointing to me to see no specific mention of industrial control system cybersecurity in the NIST research agenda while IoT received equal billing with cybersecurity and quantum information science. This does not imply that ICS cybersecurity research will not be conducted by NIST, just that Congress still does not see ICS cybersecurity as a priority. I expected better from the Science, Space, and Technology Committee.

On a nit-picking side note, there had been one other amendment proposed to this bill, but it was withdrawn by its author, Rep. Tonko (D,NY), presumably in favor of the Comstock amendment. Tonko’s version would have reduced the overall R&D authorization by $10 million to $840 million while increasing the industrial technology services account to the same level set in the Comstock amendment. Tonko, however, would have allocated all of that increase to the Manufacturing Innovation Program.

The administrative problem with both of these amendments is that neither says where the additional $10 million for industrial technology services would come from. Comstock did not increase the R&D authorization and Tonko actually would have reduced it. Thus, both amendments would require NIST to reduce funding for other existing (but not specifically authorized) programs to provide the additional funding required.

Saturday, July 7, 2018

Public ICS Disclosures – Week of 06-30-18


This week we have four vendor reports of vulnerabilities {Siemens, ABB, and PEPPERL+FUCHS (2)} and exploits for two previously reported vulnerabilities (Cisco and Delta Industrial).

Siemens Advisory


This advisory describes six vulnerabilities in the Siemens SICLOCK TC devices. These vulnerabilities are being self-reported. The products are at end-of-life and thus Siemens is just providing workarounds for these vulnerabilities (which probably explains why they have not reported this to ICS-CERT).

Siemens reports that the vulnerabilities could be exploited by an attacker with network access to the device to allow an attacker to cause Denial-of-Service conditions, bypass the authentication, and modify the firmware of the device or the administrative client.

ABB Advisory


This advisory describes a file parser vulnerability in the ABB Panel Builder 800 products. The vulnerability was reported by Michael DePlante of Leahy Center for Digital Investigation and Michael Flanders of Trend Micro. ABB is working on an update for this product, but has provided workarounds to mitigate the vulnerability.

ABB notes that a social engineering attack is required to exploit the vulnerability. A successful exploit would allow the attacker to insert and run arbitrary code on a computer where the affected product is used.

NOTE: There was a second advisory reported on the ABB web site for their Sentinel HASP/LDK License Manager, but there was some sort of problem with the link provided.

PEPPERL+FUCHS Advisories


The first advisory addresses the Spectre and Meltdown vulnerabilities in their ecom mobile devices. This is separate from their previously reported Spectre/Meltdown advisory for their HMI products. That other advisory is listed in the most recent ICS-CERT alert update.

The advisory notes that firmware updates will be released for the affected products.

The second advisory describes a remote code execution vulnerability in the PEPPERL+FUCHS HMI products. The vulnerability was reported by Eyal Karni, Yaron Zinar, and Roman Blachman of Preempt Research Labs. This vulnerability is in a third-party product, Microsoft's Credential Security Support Provider (CredSSP). PEPPERL+FUCHS has provided updates for some of the affected products and recommended using the Microsoft Windows update for the remaining Windows 7 or Windows 10 based systems.

Cisco Exploit


Yassine Aboukir published exploit code on ExploitDB.com for a path traversal vulnerability in the Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software. This vulnerability was most recently reported by ICS-CERT as a third party vulnerability in the Rockwell Allen-Bradley Stratix 5950.

Delta Industrial Exploit


t4rkd3vilz published exploit code on ExploitDB.com for a stack-based buffer overflow vulnerability in the Delta Industrial Automation COMMGR. This vulnerability was reported by ICS-CERT on June 21st, 2018.

Friday, July 6, 2018

ISCD Publishes CFATS Update – 07-05-18


Yesterday the DHS Infrastructure Security Compliance Division (ISCD) published their latest statistics on the continued implementation of the Chemical Facility Anti-Terrorism Standards (CFATS) program. We continue to see a slow decline in the number of covered facilities while we see a sharper rise in the number of approved Site Security Plans (SSPs).

Facility Status


Table 1 shows the facility status for CFATS covered facilities.

CFATS Facility Status    Apr-18    May-18    Jun-18
Tiered                      363       293       216
Authorized                  639       628       623
Approved                   2397      2468      2528
Total                      3399      3389      3367
Table 1 – CFATS Facility Status

The ‘tiered’ facilities are those facilities that have been notified that they are covered facilities but have not yet had their SSPs authorized. The ‘authorized’ facilities have had their SSPs authorized but have not yet had them approved. The ‘approved’ facilities have had their SSPs approved and are thus subject to compliance inspections.

Generally, we should expect to see the number of tiered facilities decrease over time as the facilities move through the CFATS process. New facilities will enter (or even re-enter) the CFATS program, but at this point the month-to-month number of these ‘new facilities’ should be relatively low unless ISCD discovers some new class of potentially covered facilities that has not been aware of the CFATS program.

There should also be a declining trend in the number of authorized facilities, but there will be more variability in the rate of decline. There is a regulatory time-limit for the initial submission of the facility SSP, but there is a variable time-frame after that submission for the facility and ISCD to ‘negotiate’ the provisions of the SSP that will be required for the SSP to become authorized. Another factor that affects the number of facilities in this status is the number of facilities that modify their operations so that they are no longer considered to be at high-risk of a terrorist attack and are removed from the program.

We currently see a relatively high rate of increase in the number of approved facilities. This reflects the large number of facilities that were added to the program last year as a result of the CSAT 2.0 introduction. This should begin to level out in the coming months and we will eventually reach a point where the number will decline as facilities that leave the CFATS program outnumber the number of new facilities being added.

ISCD Activities


Table 2 shows the reported activities that ISCD has been undertaking to support the implementation of the CFATS program.

CFATS Activities                        Apr-18    May-18    Jun-18
Authorization Inspections to Date         3600      3652      3713
Authorization Inspections, Month           110        59        66
Compliance Inspections to Date            3413      3553      3684
Compliance Inspections, Month               76       140       131
Compliance Assistance Visits to Date      4238      4359      4463
Compliance Assistance Visits, Month        143       109       113
Table 2 – CFATS Activities

It may be easier to see what is going on if I graph the monthly numbers for the last five months. Figure 1 shows the change in reported numbers of monthly activities as well as a combined total for those activities.


Figure 1 – Rate of Monthly Activities

The time period is too short (and ISCD has not provided effective dates of the data) to do real statistical analysis of the data in Figure 1, but it would seem that in general the trend is for fewer authorization inspections and more compliance inspections (both are expected from the discussion above). The most difficult trend to suss out is the change in rate for compliance assistance visits. This is not unexpected since these are done at the specific request of facilities.

At first glance the change in the total number of activities would seem to indicate a slowing of the pace by the ISCD inspection force. This is almost certainly misleading. These numbers reflect the number of facilities specifically ‘touched’ by the Chemical Security Inspectors, not the number of inspector hours involved or even the number of CSI involved in the activities. So we have to be careful in drawing too many detailed conclusions about the data presented. In fact, the only thing that we can probably conclude from the data presented is that the ISCD inspection force is actively engaged in the field.

Thursday, July 5, 2018

HR 6237 Introduced – Intel Authorization


Last month Rep. Nunes (R,CA) introduced HR 6237, the Matthew Young Pollard Intelligence Authorization Act for Fiscal Years 2018 and 2019. The bill contains the two Divisions reflecting authorizations for both fiscal years. There are two reports of interest and a requirement to establish an Energy Infrastructure Security Center mentioned in the unclassified portion of the bill. Additionally, the Committee Report discusses a topic with a potential for impact on cybersecurity information sharing.

Reports


Section 1506 of the bill requires the Director of National Intelligence (DNI) to submit a report to Congress on “the potential establishment of a fully voluntary exchange program between elements of the intelligence community and private technology companies” {§1506(a)}. The report would address intelligence community (IC) to private sector and private sector to IC sharing of cybersecurity qualified personnel.

Section 1510 of the bill would require the DNI to prepare a report to Congress on how each element of the IC implements the Vulnerabilities Equities Policy and Process. The report would address who at each agency is responsible for determining whether “a vulnerability must be submitted for review under the Vulnerabilities Equities Process” {§1510(a)(1)(A)(i)} and the process used for making that determination. A subsequent report would be required when changes are made at an agency. The required report would be unclassified (but generally unavailable to the public) but could potentially include classified annexes. Additionally, the section would require an annual classified report to Congress on {§1510(b)(1)}:

• The number of vulnerabilities submitted for review under the Vulnerabilities Equities Process;
• The number of vulnerabilities described in subparagraph (A) disclosed to each vendor responsible for correcting the vulnerability, or to the public, pursuant to the Vulnerabilities Equities Process; and
• The aggregate number, by category, of the vulnerabilities excluded from review under the Vulnerabilities Equities Process, as described in paragraph 5.4 of the Vulnerabilities Equities Policy and Process document.

Energy Infrastructure Security Center


Section 2422 amends 42 USC 7144b by inserting a new paragraph (d) which requires the Secretary of Energy to establish the Energy Infrastructure Security Center (EISC) within the DOE’s Office of Intelligence and Counterintelligence (the old Office of Counterintelligence as revised by this bill). The EISC will coordinate and disseminate intelligence relating to the security of the energy infrastructure of the United States. This mission will include {new §7144b(d)(2)}:

• Establishing a primary organization within the United States Government for analyzing and integrating all intelligence possessed or acquired by the United States pertaining to the security of the energy infrastructure of the United States;
• Ensuring that appropriate departments and agencies have full access to and receive intelligence support needed to execute the plans or activities of the agencies, and perform independent, alternative analyses;
• Establishing a central repository on known and suspected foreign threats to the energy infrastructure of the United States, including with respect to any individuals, groups, or entities engaged in activities targeting such infrastructure, and the goals, strategies, capabilities, and networks of such individuals, groups, or entities; and
• Disseminating intelligence information relating to the security of the energy infrastructure of the United States, including threats and analyses, to the President, to the appropriate departments and agencies, and to the appropriate committees of Congress.

Committee Report

On page 48 of the Committee Report the Committee notes that “businesses without ownership of a Sensitive Compartmented Information Facility (SCIF), which includes many small businesses, find it very difficult to perform classified work”. They go on to note that “Construction and accreditation of SCIF spaces may be cost-prohibitive for small business and non-traditional government contractors.”

After briefly discussing the apparently unrelated idea of innovation hubs, the Committee suggests that such hubs might be a model to solve the problem of providing small businesses access to SCIFs. They then call for a report to Congress that addresses:

• Potential approaches to allow for SCIF spaces to be certified and accredited outside of a traditional contractual arrangement;
• Options for classified co-use and shared workspace environments such as: innovation, incubation, catalyst, and accelerator environments;
• Pros and cons for public, private, government, or combination owned classified neutral facilities; and
• Any other opportunities to support companies with appropriately cleared personnel but without ownership of a SCIF effective access to a neutral SCIF.

Moving Forward


This bill was approved by a unanimous vote of the Committee. That would normally mean that bipartisan support for the bill could be expected when the bill gets to the floor in the coming weeks. Unfortunately, as we saw with HR 3180 (the FY 2018 version of this bill) that is not necessarily true. That bill was finally passed in the House by a near party-line vote and was thus not able to receive consideration in the Senate.

This bill also contains a number of provisions (see the ‘Minority Views’ section of the Report starting on page 164) that might draw opposition from Democrats, especially in an election year. We will have to wait and see how this bill fares on the House floor before we can predict its chance of final passage.

Commentary


The establishment of the EISC is certainly a measure of the congressional recognition of the potential foreign threats to the energy infrastructure in this country. I am concerned, however, with the bill’s failure to address the need for sharing the intelligence information produced by the EISC with private sector entities responsible for the operation of that infrastructure. I suppose it could be argued that the Federal Energy Regulatory Commission (FERC) would be the appropriate agency through which that information might be expected to flow, but I still would have expected to see specific private sector information sharing requirements in the EISC language.

Of course, congressional intent to share intelligence information with appropriate private sector entities is not always successful, as we have seen with the DHS Automated Indicator Sharing (AIS) program. Part of that is the failure of the intelligence community to prepare unclassified briefs on intelligence information, but that is not always possible to do. The larger problem is the inability of many private sector organizations to handle classified information. This is where the Report’s attention to SCIFs may end up being more important than the Committee intended.

They were specifically looking at expanding the access to classified information to small contractors, but the larger use of non-traditional SCIFs may be for the sharing and processing of classified information by organizations that cannot justify the cost of establishing their own SCIF so that they may be able to process classified intelligence reports that may or may not be made available to them.
