Tuesday, February 20, 2018

CFATS Program Oversight Hearing

Last week the Cybersecurity and Infrastructure Protection Subcommittee of the House Homeland Security Committee held an oversight hearing looking at the Chemical Facility Anti-Terrorism Standards (CFATS) program. According to the opening statement of the Chair, this is the first step in the reauthorization process for that program. The current authorization for the program ends on December 18th, 2018.

Support for CFATS Program

Three of the witnesses were from chemical manufacturing organizations who represent CFATS covered facilities in a range of industries. The fourth witness was a well-known environmental advocate who has frequently addressed chemical manufacturing safety issues.

Generally speaking, all four witnesses supported the CFATS program and advocated for its reauthorization. All expressed concerns that the reauthorization should not take the form of year-to-year extensions of the program that were seen prior to 2014.

Suggestions for Reauthorization Changes

Chet Thompson, representing the American Fuel & Petrochemical Manufacturers, specifically recommended another medium-term extension of the program requiring specific congressional reauthorization, as was done in 2014. His other recommendations for the reauthorization were generally restrictive:

• Do not include an inherently safer technology mandate (in oral testimony);
• Require changes in the Appendix A chemical of interest (COI) list to go through a comment-response process;
• Avoid extending the anti-terrorist vetting program to Tier III and Tier IV facilities; and
• Avoid any major changes to the program.

Kirsten Meskill, representing the American Chemistry Council, had three recommendations in her written testimony for the reauthorization of the CFATS program:

• Improve transparency in DHS risk determinations;
• Reconsider the value of Terrorist Screening Database (TSDB) screening at low risk facilities; and
• Recognize industry stewardship programs.

Pete Mutschler, representing both the Fertilizer Institute and the Agricultural Retailers Association, included two reauthorization suggestions in his testimony:

• Continue to protect the confidentiality of site security information; and
• Recognize industry stewardship programs.

Paul Orum, representing the Coalition to Prevent Chemical Disasters, was the most detailed in his recommendations for reauthorization changes. In his testimony Orum addressed (with specific suggestions):

• Use all available options – not just management and control strategies;
• Exercise oversight – especially of the ability of CFATS standards to realistically ensure protection;
• Use available resources – especially make better use of employee input;
• To improve public confidence, respect community concerns; and
• Support other programs that improve chemical security.


Readers will remember that I started the CFATS reauthorization discussion rolling last fall when I did two blog posts on my suggestions for changes to the program (here and here).

My first post addressed cybersecurity issues. None of the witnesses addressed cyber issues in their prepared testimony and there was only one question about cybersecurity during the hearing (52 minutes). The responses were fairly generic calls for information sharing. Thompson did note that the current Risk Based Performance Standard 8 of the CFATS program addresses cybersecurity.

One interesting topic that did come up during questioning (49 minutes) was the use of unmanned aerial vehicles (UAV) or drones. There was just one question (51 minutes) on the topic and the answers were very generic. Meskill pointed out that drones are a double-edged sword; they are useful in many inspection and maintenance operations at facilities, but weaponized drones are a potential threat that has yet to be addressed. While I will address specific recommendations for drone provisions of the CFATS reauthorization, I will note here that drone rules have to take into account two specific restrictions:

• Interference in the operation of a drone is a federal felony; and
• Tracking and intercepting a drone is technologically and operationally complicated.

Finally, on the topic of inherently safer technology (IST); there should be no mistake made, the CFATS regulations have had a positive impact on the application of risk reduction measures at a relatively large number of chemical facilities. This is clearly seen in the reduction over the years in the number of covered facilities, as facility after facility has left the CFATS program. Orum is correct that DHS and ISCD could further aid this legitimate risk reduction effort by being more forthcoming about the number and types of facilities that have exited the program by reducing and/or eliminating their COI inventories. As I have said on a number of occasions, requiring a specific IST review/implementation process ignores the complexity of the situation, but ISCD should be providing information gleaned (and anonymized) from former CFATS facilities to similar facilities to make the process somewhat less complicated.

Saturday, February 17, 2018

NIST Framework Update – 02-17-18

This week the National Institute of Standards and Technology updated their Cybersecurity Framework web site. There are only two things of potential new interest on the redesigned web site: a new CSF ‘Online Learning’ section and a brief announcement about the date of the next CSF Workshop.

Framework Learning

The new Online Learning page is going to be a disappointment to anyone who expects NIST to provide some new high-tech learning environment. What NIST has provided is three new pages with old-fashioned written discussions with minimal graphics addressing the following topics:

• Components of the Framework;
• Uses and Benefits of the Framework; and
• History and Creation of the Framework.

The information presented is useful and well written. It is just odd to see this presentation format used to address such a modern issue. Actually, I kind of liked it.

Framework Workshop

The new Latest Update page announces that NIST intends to hold their next CSF workshop on September 11th -13th, 2018 in the Washington, DC area. Further information will be published in the coming weeks.


Back in December NIST published the latest draft version of CSF v1.1 for comments. The comment period closed on January 18th. NIST has still not published the comments that it has received. The Latest Update page still notes that: “All responses will be published publicly in the coming weeks.”

NIST has chosen not to use the Federal eRulemaking Portal (www.Regulations.gov) to receive comments for a variety of reasons. Most importantly, the justification is that the CSF is not a regulatory regime, so that particular public comment process is not necessary.

In earlier iterations of the CSF process NIST published the responses on the CSF web site as they came in. This allowed interested parties to see what other interested individuals and organizations were saying and add their two-cents worth as appropriate. It also allowed gadflies like myself to conduct on-going analysis and comments (see here for example) as the comments came in. Again, I would like to think that commentators such as myself helped to publicize the CSF discussions and maybe even inspire some additional comments being submitted that would not have otherwise been made.

I am disappointed that NIST did not allow the cybersecurity community to see these comments as they came in. It makes the revision process look much more closed than were the earlier efforts. I am afraid that this is the type of government activity that is being moved back behind closed doors by an Administration that is supposed to be ‘business friendly’. Failing to conduct public business in the public eye is not now, nor has it ever been, ‘business friendly’.

We need NIST to move the CSF modification process fully back into the public spotlight.

Public ICS Disclosures – Week of 02-10-18

This week we have seen an apparently new zero-day reported in an Advantech product, an exploit for a previously released Siemens vulnerability, two new vendor reports from OSIsoft that have not been addressed by ICS-CERT and two vendor reports that were reported late this week that may show up in ICS-CERT advisories.

Advantech Zero-Day

Nassim Asrir reported a remote code execution vulnerability in the Advantech WebAccess product. The report on ExploitDB.com includes exploit code. Asrir reports that an attacker could remotely exploit the vulnerability to execute arbitrary OS commands via a single argument.

Siemens Exploit

M. Can Kurnaz published exploit code on ExploitDB.com this week for a previously published vulnerability in the Siemens SIPROTEC 4 and SIPROTEC Compact product families. ICS-CERT had previously reported that a relatively unskilled attacker could remotely exploit this vulnerability, but this just made it that much easier. A firmware patch was made available almost three years ago to mitigate this vulnerability, so hopefully this exploit will be of no practical use.

OSIsoft Advisories

This week OSIsoft released two new product updates that were specifically listed as ‘security updates’. The two products involved were PI Data Archive 2017 R2 and PI Vision 2017 R2.

There were five ‘issues’ reported in the PI Data Archive alert:

• Privilege escalation;
• Improper handling of serialization or comparison of a variable;
• Improper input validation;
• Authentication protocol flaws; and
• High Availability authentication protocol flaws.

The PI Vision alert notes that changes were made in the default configuration of HTTP headers to prevent a cross-site scripting issue and two information disclosure issues.

Possibly Pending on ICS-CERT

We have two vendor reports that were issued on Thursday that may still make it to the ICS-CERT site next week so I will just mention them in passing.

ABB does not generally report their advisories to ICS-CERT, but they updated their Meltdown & Spectre advisory that has been mentioned in the ICS-CERT alert on the same topic.

Schneider released a new security advisory listing new products that were affected by one of the previously reported vulnerabilities in their FlexNet Publisher Licensing Service.

Friday, February 16, 2018

ISCD Publishes Two More Industry Outreach Fact Sheets

Today the DHS Infrastructure Security Compliance Division (ISCD) published links to two new fact sheets on their Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. The first is another in the recent series explaining the impact of the CFATS program on various industries; this one addresses laboratories. This is part of the ongoing ISCD outreach effort designed to connect with facilities that have not realized that they may be covered under the CFATS program. The second fact sheet outlines the first steps that a facility needs to take when it determines that it may be affected by the CFATS program.

Laboratory Outreach

This fact sheet is very similar in format and information to the ones that I have previously discussed. The major difference is that the list of potentially affected chemicals is significantly different. One major difference in the list is that it includes a wide variety of chemical warfare agents. Unfortunately, ISCD failed to address the most contentious issue associated with those chemicals; the incredibly small amount (100 g) that qualifies as a screening threshold quantity (STQ) that would require reporting under CFATS.

First Steps

This fact sheet outlines the initial steps that a chemical facility needs to take when it suspects that it may be covered by the CFATS regulations (6 CFR 27), culminating in the submission of a Top Screen. The steps outlined include:

• Check your chemicals of interest (COI);
• Complete Chemical-terrorism Vulnerability Information (CVI) training;
• Register your facility; and
• Submit a Top Screen.

As you would expect from a ‘fact sheet’ the explanations provided for each of the steps are very brief and lacking in detail. Fortunately, links are provided to the appropriate parts of the CFATS web site for a more detailed explanation.


There is one unusual comment in the first steps fact sheet that I do not recall having seen in any other ISCD publication to date. In the discussion of what constitutes a chemical facility under the CFATS regulations, the fact sheet notes that:

“Under CFATS, a chemical facility is any establishment, from a large facility to an individual person [emphasis added] which possesses or plans to possess at any point in time, certain COI at or above a specified quantity or concentration.”

The definition of ‘chemical facility’ under the CFATS regulations states that {§27.105}:

“Chemical Facility or facility shall mean any establishment [emphasis added] that possesses or plans to possess, at any relevant point in time, a quantity of a chemical substance determined by the Secretary to be potentially dangerous or that meets other risk-related criteria identified by the Department.”

That ‘any establishment’ term is undefined, and I suppose that it could be stretched to include an ‘individual person’. At the very least I would expect to hear some arguments from lawyers if ISCD attempted to push regulatory activity down to a personally owned laboratory not associated with a business.

Having said that, it is not beyond the bounds of possibility that there could exist personal labs (particularly in the biological, pharmaceutical or agricultural sectors) where COI could be found at or above the STQ. The fact that such laboratories would generally be expected to have less security than a similar corporate lab or even an academic lab would be of potential concern to ISCD as a possible terrorist target.

I am not sure how ISCD would locate such labs in order to conduct outreach activities. I suspect that the most common way of identifying such labs would be as the result of investigations of chemical releases or other chemical incidents by local authorities. If it was a purely local investigation (not the CSB, EPA, or OSHA for instance), I doubt that the word would get back to ISCD.

Bills Introduced – 02-15-18

With the Senate heading home for a week in district (and the House preparing to do the same) there were 65 bills introduced yesterday. Of those, four may be of specific interest to readers of this blog:

HR 5040 To authorize the President to control the export, reexport, and transfer of commodities, software, and technology to protect the national security, and to promote the foreign policy, of the United States, and for other purposes. Rep. Royce, Edward R. [R-CA-39]

S 2444 A bill to provide for enhanced energy grid security. Sen. Cantwell, Maria [D-WA]

S 2445 A bill to provide for the modernization of the electric grid, and for other purposes. Sen. Cantwell, Maria [D-WA] 

S 2447 A bill to accelerate smart building development, and for other purposes. Sen. Cantwell, Maria [D-WA]

With all of these bills I will be looking for control system cybersecurity issues in determining whether or not to continue coverage of the bill in this blog. I suspect that S 2444 has the highest chance of future coverage.

As always, the large number of bills introduced before an extended stay outside of Washington is seldom due to an increased interest in legislative activity. Most of the bills introduced yesterday will receive no consideration on the Hill. Most are introduced to allow the submitter to claim to be taking action on issues of interest when speaking before organizations and financial supporters back home.

Thursday, February 15, 2018

ICS-CERT Publishes 4 Advisories and One ABB Update

Today the DHS ICS-CERT published four new control system security advisories for products from Schneider Electric (2), GE and Nortek. Additionally, they provided an update for a previously published advisory for products from ABB.

StruxureOn Advisory

This advisory describes an unrestricted upload of file with dangerous type vulnerability in the Schneider StruxureOn Gateway software management program. The vulnerability was self-reported by Schneider.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to upload a malicious file to any directory on the device, which could lead to remote code execution. The Schneider security advisory reports that the file must be a .zip file with specifically modified metadata for this vulnerability to be exploited.
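The Schneider advisory says only that the upload has to be a .zip with specifically modified metadata; it does not say which field. The block below is an added example, not Schneider code and not taken from this page, of the check an upload handler that accepts archives should perform regardless of the specific bug: walk the archive's entry names before extracting anything and reject the whole upload if any entry would resolve outside the destination directory (absolute path, drive letter, ‘..’ component) or if the blob is not a zip at all. The assumption that the relevant metadata is the entry filename is mine; the destination path and the sample archives are constructed for the example.

```python
"""
Added example: vetting an uploaded archive before extraction.

The handler must not trust the archive's own metadata. Each entry name is
resolved against the destination directory and the whole upload is rejected
if any entry would land outside it. The destination path and the sample
archives below are constructed for the example; nothing here is Schneider
Electric code.
"""
import io
import os
import pathlib
import zipfile


def unsafe_entries(archive: zipfile.ZipFile, dest: str) -> list[str]:
    """Return the entry names that would be written outside `dest`."""
    dest_real = os.path.realpath(dest)
    bad = []
    for info in archive.infolist():
        # Zip names use '/', but archives built on Windows sometimes carry '\'.
        name = info.filename.replace("\\", "/")
        # Absolute paths and drive letters never belong in an upload.
        if name.startswith("/") or pathlib.PureWindowsPath(name).drive:
            bad.append(info.filename)
            continue
        target = os.path.realpath(os.path.join(dest_real, name))
        # commonpath() is the portable way to ask "is target inside dest_real?"
        if os.path.commonpath([dest_real, target]) != dest_real:
            bad.append(info.filename)
    return bad


def check_upload(data: bytes, dest: str) -> list[str]:
    """Vet an uploaded blob. Returns the offending entry names (empty == safe).

    A blob that is not a zip at all is reported as a single '<not a zip file>'
    marker so the caller rejects it instead of handing it to an extractor.
    """
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return ["<not a zip file>"]
    buf.seek(0)
    with zipfile.ZipFile(buf) as archive:
        return unsafe_entries(archive, dest)


def extract_safely(data: bytes, dest: str) -> list[str]:
    """Extract only after the whole archive has passed the check.

    Python's extractall() already strips leading '/' and '..' components on
    its own, but that silently rewrites a hostile upload; rejecting it
    outright is what an upload endpoint wants, and extractors in other
    languages do not sanitize at all.
    """
    bad = check_upload(data, dest)
    if bad:
        raise ValueError(f"refusing upload, unsafe entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        archive.extractall(dest)
        return [info.filename for info in archive.infolist()]


def build_sample_zip(hostile: bool) -> bytes:
    """Constructed sample uploads: a benign one and one with traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("config/settings.json", "{}")
        if hostile:
            # Entry names are attacker-controlled metadata, not file contents.
            z.writestr("../../etc/cron.d/backdoor", "* * * * * root /tmp/x\n")
            z.writestr("/abs/path", "x")
            z.writestr("C:/Windows/Temp/x.exe", "MZ")
    return buf.getvalue()


if __name__ == "__main__":
    dest = "/tmp/struxure-upload"  # assumed destination, constructed for the example
    print("benign :", check_upload(build_sample_zip(False), dest))
    print("hostile:", check_upload(build_sample_zip(True), dest))
```

The check runs over the whole archive before a single byte is written, so a mixed archive (one good entry, one traversal entry) is rejected as a unit rather than partially extracted. The same walk is where a handler would also enforce a size cap on the uncompressed total, which the example leaves out.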

IGSS Mobile Advisory

This advisory describes two vulnerabilities in the Schneider IGSS Mobile application (iOS and Android). The vulnerabilities were reported by Alexander Bolshev (IOActive) and Ivan Yushkevich (Embedi). Schneider has produced updates for both versions. There is no indication that either researcher has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Improper certificate validation - CVE-2017-9968; and
• Plaintext storage of password - CVE-2017-9969.

ICS-CERT reports that a relatively low-skilled attacker with local access (okay, they actually said: “Locally exploitable”; that may not mean ‘local access’) could exploit the vulnerability to execute a man-in-the-middle attack. In addition, passwords can be accessed by unauthorized users.

NOTE: Marc Ayala pointed out to me that anyone can download these apps from the appropriate (iOS/Android) app store. This means that it would be easy to exploit a compromised mobile password. All the attacker needs to do is to get access to the IGSS configuration file on an oh so secure smart phone to compromise the password.

GE Advisory

This advisory describes two vulnerabilities in the GE D60 Line Distance Relay. The vulnerabilities were reported by Kirill Nesterov of Kaspersky Labs. GE has released new firmware that mitigates the vulnerabilities. There is no indication that Nesterov was provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2018-5475; and
• Improper restriction of operations within bounds of memory buffer - CVE-2018-5473

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to execute arbitrary code on the device.

Nortek Advisory

This advisory describes a command injection vulnerability in the Nortek Linear eMerge E3 Series access control interface. The vulnerability was reported by Evgeny Ermakov and Sergey Gordeychik. Nortek recommends upgrading the system using established procedures. There is no indication that either researcher was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to execute malicious code on the system with elevated privileges, allowing for full control of the server.

ABB Update

This update provides additional information on an advisory that was originally published on November 14th, 2017. The update reports that the new update of Mesh OS mitigates the KRACK vulnerability in these devices.

NOTE: The updated ABB security advisory that forms the basis for this ICS-CERT update was published on January 11th, 2018.

Wednesday, February 14, 2018

House NHTSA Oversight Hearing

Today the Digital Commerce and Consumer Protection Subcommittee of the House Energy and Commerce Committee held an oversight hearing looking at the DOT’s National Highway Traffic Safety Administration (NHTSA). The sole witness at the hearing was Heidi King, the Deputy Administrator (the de facto Administrator since no one has yet been nominated to that position) for NHTSA.

There was no mention of cybersecurity in any of the statements published on the Committee’s web site (Subcommittee Chair Latta, Committee Chair Walden, and Ms King), but the Committee Staff background memo does include (pg 6) a brief, 3-paragraph, summary of cybersecurity issues related to automated driving systems.

Watching the video of the hearing it is clear that this was intended to be a wide ranging oversight hearing that touched on a number of issues. Unfortunately, few of the congress critters asking questions had much interest in cybersecurity issues. There were only three cybersecurity related questions (at 1 hour 10 minutes, at 1 hour 20 minutes and at 2 hours 30 minutes into the video). King’s responses to the questions were very generic with the one strong point being made that she appreciated the formation of the Automotive ISAC.

King did make a very interesting point in her response to the last question, from Rep. Costello (R, PA). She noted that vehicle owners had a very important role to play in regard to vehicle cybersecurity. After once again praising the formation of the Auto ISAC, she said:

“Cybersecurity is not the domain of highly technical experts alone, but in fact cybersecurity is a concern to all of us. We see from our own experience, whether it be in our home computers or in our phones, there may be vulnerabilities that are driven by users, and so part of the cybersecurity journey will be to educate all of us to be thoughtful about how we use our devices or our cars, and make sure that we are all partners in our cybersecurity journey.”

It will be interesting to see if the auto industry actually tries to make autonomous vehicle cybersecurity inherently secure, or whether they will follow the model of the computer and smart phone manufacturers and make security a feature that must be selected by the owner, often without specifically notifying the owner of the security options available.

Tuesday, February 13, 2018

ICS-CERT Publishes Two Advisories

Today the DHS ICS-CERT published two control system security advisories for products from Schneider Electric and WAGO.

Schneider Advisory

This advisory describes a security misconfiguration vulnerability in the Schneider IGSS SCADA software. The vulnerability was reported by Ivan Sanchez of Nullcode. Schneider has developed a new version that mitigates the vulnerability. There is no indication that Sanchez has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively high-skilled attacker with local access could exploit the vulnerability to crash the application or execute arbitrary code.

WAGO Advisory

This advisory describes an improper authentication vulnerability in the WAGO PFC200 Series. The firmware vulnerability is due to a vulnerability in the CoDeSys Runtime that is included in that firmware. The CoDeSys Runtime vulnerability was reported by Reid Wightman in 2012 and was addressed by ICS-CERT in 2013. The vulnerability was reported in this WAGO product by SEC Consult. NOTE: ICS-CERT published an alert about this vulnerability last December.

ICS-CERT reports that a relatively low-skilled attacker could use a publicly available exploit to remotely exploit the vulnerability to gain unauthorized access to the PLC to perform operations on the file system without authentication.

Committee Hearings – Week of 02-11-18

This week both the House and Senate will be in session. The big news is, of course, the President’s FY 2019 budget request is arriving on the Hill. This leads to the official start of the spending bill process, so the various committee budget hearings will start to provide a look at how those spending bills are going to shape up. There are also three oversight hearings this week in the House that may be of specific interest to readers of this blog: NHTSA, Positive Train Control and the CFATS program.

FY 2019 Budget Hearings

The actual budget being submitted by the President is essentially a meaningless exercise as Congress has their own internal considerations that drive the budgeting and spending process. The hearings starting this week, however, will provide a window into what the various oversight committees will be looking to see in the final spending bills.

House Budget Committee – 02-14-18; and

NHTSA Oversight

The Digital Commerce and Consumer Protection Subcommittee of the House Energy and Commerce Committee will hold an oversight hearing on Wednesday of the National Highway Traffic Safety Administration (NHTSA). The Deputy Administrator will be the only witness. This hearing is likely to focus on cybersecurity as it pertains to data protection in advanced driving systems, but we may hear questions on operational controls as well.

PTC Oversight

On Thursday the Railroads, Pipelines, and Hazardous Materials Subcommittee of the House Transportation Committee will be holding an oversight hearing on the progress of the implementation of the congressionally mandated positive train control network. With the spate of recent rail accidents that involved sections of track not currently under PTC, the questions will be sharp and unfriendly. The witness list includes:

• Juan D. Reyes III, Federal Railroad Administration;
• Robert Sumwalt, National Transportation Safety Board;
• Edward Hamberger, Association of American Railroads;
• Richard Anderson, Amtrak;
• Paul Skoutelas, American Public Transportation Association; and
• John P. Tolman, Brotherhood of Locomotive Engineers and Trainmen.

The Staff summary of the PTC program points out (pg 6) that the freight railroads are significantly further along in the implementation process than is the passenger rail system. The current flexible deadline for PTC implementation is December 31st, 2018.

CFATS Oversight

On Thursday the Cybersecurity and Infrastructure Protection Subcommittee of the House Homeland Security Committee will be holding an oversight hearing on the Chemical Facility Anti-Terrorism Standards (CFATS) program, focusing on industry feedback. There is no witness list currently available, but I expect that we will see industry representatives from the major chemical manufacturing organizations.

The CFATS program is currently set to expire on December 18th, 2018. This hearing is the first step in the reauthorization process. I do not expect to see any major complaints from industry about the program, but it will be interesting to see what questions are asked about the new threat assessment model being used by DHS to determine which facilities are included in the program. I also expect to see some serious questions about the personnel surety vetting program.

There has not yet been a reauthorization bill introduced. This may not be necessary if Congress does not see any need for specific revisions to the program. We could see Congress return to the annual extensions of the program in spending bills that we saw before the current program authorization bill was passed in 2014. It will be interesting to see if any of the witnesses address this reauthorization process question in their prepared testimony.

Saturday, February 10, 2018

OMB Approves DOE ASHRAE 2016 Determination

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that they had approved the DOE’s final rule on ASHRAE 2016 Determination. DOE should publish this ‘determination’ in the Federal Register this week.

In an earlier blog post I opined that this may be related to the publication of the American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) standard on the Facility Smart Grid Information Model (FSGIM; ASHRAE 201-2016). Since this rulemaking was not included in the latest version of the Unified Agenda, I was looking for a possible explanation for what DOE was doing. Subsequent investigation has shown that I was probably wrong.

It looks like this ‘determination’ is actually related to the DOE’s responsibility under 42 USC 6833(b)(2)(A) to determine if the latest version of ASHRAE Standard 90.1 (in this case the 2016 version) “will improve energy efficiency in commercial buildings”. Last September DOE published their preliminary determination analysis that the 2016 version would improve energy efficiency and requested public comments on their draft report.

Since this final rule almost certainly pertains to energy efficiency not smart grid implementation, I doubt that this rulemaking will have any further mention in this blog.

Public ICS Disclosures – Week of 02-04-18

This week we have two vendor-released security reports (ABB and OSIsoft) that were not addressed by ICS-CERT, most likely because the vendors did not report these directly to that organization. We also have an interesting report on an unusual class of IOT devices.

ABB Advisory

ABB published a security advisory describing an improper access control vulnerability in their SYS600 product. The vulnerability was reported by Fritz Sands via the Zero Day Initiative. ABB has provided a work around to mitigate the vulnerability.

An attacker with physical access to the server or with authenticated network access could exploit the vulnerability to add files and run arbitrary code and possibly escalate privileges.

OSI Advisory

OSIsoft released a new version of their PI Web API that addressed (among other things) an escalation of privilege vulnerability. The release notes [page for .PDF download] for the new version report the vulnerability as being fixed and note that it is a critical vulnerability. The vulnerability is described as:

“Core Services – CRITICAL VULNERABILITY: Escalation of privileges when Kerberos and Basic Authentication are enabled is mitigated.”

Further information on the vulnerability is supposed to be included in a dedicated security bulletin which has apparently not yet been published.

IOT Security Issue

For those with a prurient interest in cybersecurity of IOT, I will provide this link to SEC Consult’s blog post on the ‘Internet of Dildos’. I nearly stopped reading the post when I got to: “Moreover, an attacker was able to remotely pleasure individuals without their consent.” This is, however, a serious report on a large number of vulnerabilities in a real IOT product.

Thursday, February 8, 2018

ISCD Publishes Truck Terminal FAQ

Today the DHS Infrastructure Security Compliance Division (ISCD) published a new frequently asked question (FAQ) on their Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center page. The new FAQ (#1789) addresses the definition of ‘truck terminals’ as they relate to coverage under the CFATS program.

On November 20th, 2007 DHS published the final rule establishing Appendix A to 6 CFR 27. In the preamble to that rule DHS stated: “DHS presently does not plan to screen truck terminals for inclusion in the Section 550 regulatory program [the earlier legislative basis for the CFATS program], and therefore DHS will not request that owners and operators of truck terminals complete the Top-Screen risk assessment methodology.”

FAQ #1789 states that:

“Truck terminals, for the purposes of CFATS, are facilities which serve as a temporary waypoint in the transportation system between a shipment’s point of origin and final destination. While at a truck terminal, the freight remains in its original shipping container and is not opened, regardless of the freight’s dwell time at a truck terminal. Truck terminals are thus distinguishable from distribution centers at which freight is removed from its original shipping container and assembled or repackaged for follow-on shipment using different inbound-outbound modes of transportation.”

This, of course, does not mean that ISCD cannot change its mind at some future date if circumstances change. If they do, however, a new rulemaking would be required; with the attendant public comment and response process.

NOTE (not covered in the FAQ): For facilities with a blended operation with parts of the facility acting as a terminal operation and other parts operating as a distribution center, if the facility owner can separate the two operations they would only be required to complete a Top Screen on the distribution center portion of the facility.

CG Announces CTAC Meeting

Today the Coast Guard published a meeting notice in the Federal Register (83 FR 5638-5640) for a three-day meeting of the Chemical Transport Advisory Committee on March 7-9, 2018 in Houston, TX. Subcommittee meetings will take up the first two days.

There are two subcommittees that may be of specific interest to readers of this blog:

• Hazardous Substance Response Plans for Tank Vessels and Facilities (HAZSUB Twins) (Fall 2017 Report, PPT download); and
• Hazardous Cargo Transportation Security Subcommittee (Fall 2017 Report, PPT download).

The full Committee meeting will review the work of the subcommittees and formulate recommendations to the Commandant on their activities. Additionally, presentations will be made on:

• CG update on International Maritime Organization activities as they relate to the marine transportation of hazardous materials; and
• Presentation of interest related to safe and secure shipment of hazardous materials.

Public attendance is encouraged, but advance registration is required. Public comment periods will be included in all meetings. Written comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; docket # USCG-2018-0042). Comments to be considered at this meeting must be submitted by February 28th, 2018.

Bills Introduced – 02-07-18

With both the House and Senate in session there were 47 bills introduced yesterday. Of those, one may be of specific interest to readers of this blog:

S 2392 A bill to amend the Homeland Security Act of 2002 to authorize the Secretary of Homeland Security to designate cybersecurity technologies that qualify for protection under systems of risk and litigation management. Sen. Daines, Steve [R-MT]

I will be watching this bill to see if it includes cybersecurity measures for industrial control systems.

Wednesday, February 7, 2018

Reader Comment - Schneider S4x18 Presentation

Yesterday Toshio Miyachi posted a reply to my latest public ICS disclosure blog post providing a link to the Schneider Electric TRISIS presentation at S4x18. Just finished watching the 26-minute video and it is well worth the time to view it. Dale Peterson’s opening comments are right on point about both the tactical and strategic (my terminology, not Dale’s) importance of this video.

An easy-to-overlook part of this presentation starts at about 5:14 into the video, where Paul Forney outlines the people that helped in the TRISIS incident analysis. The slide shown at 5:14 provides a short list which Paul expands upon. Two points that I want to make about this. First, ICS-CERT is not mentioned; its parent organization, NCCIC, gets credit for the work done predominantly (I would suspect) by the technical folks at ICS-CERT.

The second item is the credit that Forney gives to DOD for coordinating the government efforts in the data collection and analysis effort. I suspect that this was predominantly Cyber Command. While this says good things about the control system understanding of DOD, I think that this could raise posse comitatus concerns if the incident had occurred in the United States. If DOD is going to be an important player in cybersecurity response, Congress needs to specifically outline the legally permissible limits of that involvement. Otherwise, the NCCIC is going to have to beef up its capabilities to accept that role.

Tuesday, February 6, 2018

House Further Amends HR 1892 – Short-Term CR and DOD Spending

Earlier this evening the House took up the Senate amendment to HR 1892 and adopted that amendment with a further amendment; adding the language of HJ Res 128. The final vote was a very modestly bipartisan vote of 245 to 182; 17 Democrats voted Yea and 8 Republicans voted Nay.

As I noted earlier today this was not crafted as a compromise bill to make it easy for the Senate to adopt the measure. It looks more like a gauntlet flung in the face of Senate Democrats, daring them to shut down the government again. The saving grace is that the current Continuing Resolution does not run out until Midnight, February 8th; leaving time for additional work on some sort of spending compromise.

ICS-CERT Publishes an Advisory and an Update

Today the DHS ICS-CERT published a medical device security advisory for products from Vyaire Medical. They also updated a control system security advisory for products from Siemens.

Vyaire Advisory

This advisory describes an uncontrolled search path element vulnerability in the Vyaire CareFusion Upgrade Utility. The vulnerability was reported by Mark Cross (@xerubus). Vyaire no longer supports the affected version and recommends that owners upgrade to the newer version of the utility. ICS-CERT notes that “This updated Upgrade Utility will not install on Windows XP and will require updating the underlying system to Windows 7 or later.” There is no indication that Cross was provided an opportunity to verify that the newer version is not affected.

ICS-CERT reports that an uncharacterized attacker with local access could exploit the vulnerability to insert a malicious DLL on the target system and run arbitrary code.

Siemens Update

This update provides additional information on an advisory that was originally published on January 25th, 2018. The update removes a broken link that was included in the original Siemens security notice.


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved the EPA’s notice of proposed rulemaking (NPRM) for establishing fees for the Toxic Substances Control Act (TSCA). The rule was sent to OMB on December 22nd, 2017.

The EPA is authorized by 15 USC 2625(b) to collect fees “from any person required to submit data under section 2603 or 2604 of this title to defray the cost of administering this chapter”. That section limits the fee to a maximum of $2,500 ($100 for small businesses). I expect that the maximum will be reflected in the rulemaking.

The NPRM should be published this week.

Bills Introduced – 02-05-18

Yesterday, with both the House and Senate in session, there were 35 bills introduced. Of these, two may be of specific interest to readers of this blog:

HR 4925 To require the Administrator of the Federal Railroad Administration to implement certain recommendations for management and collection of railroad safety data. Rep. Gottheimer, Josh [D-NJ-5]

HJ Res 128 Making a further extension of continuing appropriations for fiscal year 2018, and for other purposes. Rep. Frelinghuysen, Rodney P. [R-NJ-11]

I will be watching HR 4925 for references to chemical transportation issues.

HJ Res 128 is the next proposed iteration of a continuing resolution to keep the government funded through the end of September. A copy of the bill has been published by the GPO. It would provide funding for DOD through the end of the fiscal year and the remainder of the government through March 23rd, 2018. HJ Res 128 will be considered by the House Rules Committee this afternoon where it will be considered as an amendment to the Senate amendment to HR 1892. The bill will probably reach the House floor this afternoon.

Two things make this bill very iffy when it comes to consideration in the Senate. First it does nothing to solve the Dreamer issue, which was the proximate cause for the short shutdown last month. Second it effectively sets a new spending cap for DOD (§1408 exempts the authorized spending for DOD from sequestration) without addressing spending caps for non-security funding or specifically setting new spending cap calculations.

I expect that this CR will pass in the House with a party-line vote (it looks like it was crafted specifically to get conservative support). The big question is whether or not the Democrats in the Senate were burned badly enough by the January shutdown to roll over and accept this. I do not think that that is the case. There will still be time to come up with an alternative CR, but to be acceptable to the Senate it would have to draw Democratic support in the House, as there would be conservative objections to anything that does not include a full-year DOD spending provision.

Monday, February 5, 2018

ICS-CERT Removed AV Update Publication

Sometime today (I’m pretty sure) the DHS ICS-CERT removed mention of their “Recommended Practice: Updating Antivirus in an Industrial Control System” from both their ICS-CERT landing page and their Recommended Practices page. The previously provided link to this document (that was originally published on January 8th, 2018) now returns an “Access denied. You are not authorized to access this page” message.

I have a copy of the web page from Friday morning that shows the notice for this document on the landing page. I am pretty sure that it was there on both Saturday and this morning when I checked the web site. There is no indication that the item was removed, much less an explanation for why. I did not see anything in the document that should have caused any problems, and the same information is still available in the September-October NCCIC/ICS-CERT Monitor.

It will be interesting to see if this comes back…

BTW: For some reason I never saved a copy of the publication. Could someone please send me a copy? NOTE (added 2-7-18 09:04 EST): I now have a copy from a reader. Thanks to all of those who have offered to provide me a copy.

Sunday, February 4, 2018

Bills Introduced – 02-02-18

On Friday, with both the House and Senate meeting in pro forma session, there were 11 bills introduced. Of these, one may be of specific interest to readers of this blog:

HR 4918 To authorize dedicated domestic terrorism offices within the Department of Homeland Security, the Department of Justice, and the Federal Bureau of Investigation to analyze and monitor domestic terrorist activity and require the Federal Government to take steps to prevent domestic terrorism. Rep. Schneider, Bradley Scott [D-IL-10]

I will be watching this bill for its definition of domestic terrorism to see if it specifically includes cyber activities and how those activities are defined. I doubt that it will address attacks on control systems.

Saturday, February 3, 2018

Public ICS Disclosures – Week of 1-25-18

This week we have a new coordinated disclosure for a Sprecher Automation remote terminal unit (RTU), exploit code for an Advantech WebAccess vulnerability and a late discussion of new information on the TRISIS attack.


SEC Consult Vulnerability Lab published a vulnerability report on the FullDisclosure.com web site this week for multiple vulnerabilities in the Sprecher SPRECON-E-C RTU. It reports five vulnerabilities (with proof of concept code), including:

• Authenticated path traversal;
• Client-side password hashing;
• Missing authentication;
• Permanent denial of service via port scan; and
• Outdated Linux kernel.

Three of the five vulnerabilities have reportedly been fixed, and workarounds have been provided for the other two.

Advantech Exploit

Chris Lyne published exploit code on the ExploitDataBase.com web site this week for an SQL injection vulnerability in the Advantech WebAccess application. The vulnerability was included in a recent ICS-CERT Advisory that was most recently updated on January 11th. For obvious reasons, ICS-CERT did not mention the publicly available exploit code and they have not made it a practice to further update their advisories to report the presence of exploits.


Most readers will probably be familiar with the Schneider presentation at S4x18 about new information on the recent attack on a Triconex safety system. Schneider reported that they discovered a zero-day vulnerability used by the attacker and have provided a firmware update that mitigates the vulnerability. Schneider updated their security notification to reflect the new information.

ICS-CERT published a malware report, not a control system advisory, for the situation. It did provide a link to the original Schneider notification. I do not expect ICS-CERT to update their malware report, but I have been hoping to see an advisory for the newly reported vulnerability.

I cannot wait for DigitalBond to make the Schneider presentation available on their site.

Friday, February 2, 2018

ISCD Updates Monthly Update Page – 02-02-18

Today the DHS Infrastructure Security Compliance Division (ISCD) updated the data on the Chemical Facility Anti-Terrorism Standards (CFATS) Monthly Update page. The new data for January 2018 shows the continued progress being made implementing the CFATS program.

Facility Status

The table below shows the facility status at the end of the month of January. As I predicted last month, we have now seen our first decline in the number of covered facilities since the implementation of CSAT 2.0 in October of 2016. Remember, facilities have every incentive to take actions to reduce/eliminate their use or inventories of DHS chemicals of interest (COI) so as to avoid being covered by the costly CFATS program.

CFATS Facility Status

We should continue to see a decline in the number of tiered facilities now that the CSAT 2.0 implementation has essentially been completed. It is unlikely to ever drop to zero as the ISCD outreach plan continues to identify new potential facilities and changes in the chemical industries brings new facilities into the possession of COI. I suspect that in the coming months we will see the increase in the number of Authorized facilities begin to level off and eventually start to drop as more facilities complete the site security plan approval process.

ISCD Activities

The table below shows the activities that the chemical security inspectors have undertaken in support of the CFATS program.

CFATS Activities (table columns: Authorization Inspections to Date; Authorization Inspections Month; Compliance Inspections to Date; Compliance Inspections Month; Compliance Assistance Visits to Date; Compliance Assistance Visits Month)

Once a facility receives administrative approval of its submitted site security plan (SSP) and receives its ‘Authorization Letter’, it has to pass an Authorization Inspection to receive final approval of its SSP. The Authorization Inspection checks to ensure that the facility has all of the security measures in place that it described in its authorized SSP. Compliance Inspections, on the other hand, are periodic checks of the facility’s compliance with the terms of its SSP, including the scheduled implementation of its ‘pending security measures’.

The comparison of the ‘to Date’ data and the January data shows a much closer match than we have been seeing. The four-inspection difference in reported numbers for authorization inspections and the one-inspection difference for compliance inspections could certainly fall within the ‘glitch in the system’ that ISCD reports on the page. The not-so-subtle difference between the delta on ‘to Date’ Compliance Assistance Visits of 74 and the reported 122 conducted during the month of January is less easy to accept. Since this is more of a manpower utilization issue than an actual compliance issue, I’ll leave this to the DHS IG to question if they feel it is appropriate.

I will mention this, however. ISCD provides the following explanation for the Compliance Assistance Inspection:

“This metric shows the number of Compliance Assistance Visits completed. ISCD offers CAVs to CFATS-covered facilities and facilities of interest so that the facilities have an in-depth knowledge of how to meet the requirements of the CFATS regulation. These visits can perform various functions, such as assisting with determining COI reporting requirements, submitting or resubmitting a Top-Screen, developing an SSP or ASP, editing a SSP based on a change in security posture or tiering, or assistance with complying with any other part of the regulation.”

I would like to think that “complying with any other part of the regulation” would include inspections when a facility reports that it has either reduced its COI inventory below the Screening Threshold Quantity or removed the COI entirely from the facility. All other things being equal, the reduction/removal of the COI would be a prerequisite for removal of a facility from the CFATS program.

ICS-CERT Publishes 3 Advisories and 1 Update

Yesterday the DHS ICS-CERT published three control system security advisories for products from Gemalto, Smart Software Solutions (3S), and Fuji Electric. They also updated a previously published control system security advisory for products from NXP Semiconductor.

Gemalto Advisory

This advisory describes multiple vulnerabilities in the Gemalto Sentinel License Manager. The vulnerabilities were reported by Kaspersky Labs. The latest version of the software mitigates the vulnerabilities. There is no indication that Kaspersky Labs has been provided an opportunity to verify the efficacy of the fix.

The seven reported vulnerabilities are:

• Null pointer dereference - CVE-2017-11498;
• Stack-based buffer overflow (4) - CVE-2017-11497, CVE-2017-11496, CVE-2017-12818 and CVE-2017-12821;
• Heap-based buffer overflow - CVE-2017-12820; and
• Improper access control - CVE-2017-12822.

NOTE: This is essentially the same vulnerability that I have discussed previously (here and here). The Kaspersky article on this problem actually lists 14 vulnerabilities, not the seven being reported here. I mentioned earlier that there may be as many as 40,000 products (not all being ICS, obviously) affected by this issue. If the Gemalto dongle is clearly identified as being a ‘Sentinel License Manager’, then this advisory is clearly a much more effective means of addressing the issue than issuing advisories on each of the affected product lines. If the vendors using the dongle, however, have relabeled it, then this advisory will not be effective in those cases. But that is not ICS-CERT’s fault.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities and that could lead to remote code execution or cause a denial-of-service condition, rendering the Sentinel LDK License Manager service unavailable (and the supported product also being unavailable).

3S Advisory

This advisory describes a stack-based buffer overflow in the 3S CODESYS Web Server. The vulnerability was reported by Zhu WenZhe of Istury IOT security lab. 3S has released a security patch to mitigate this vulnerability. There is no indication that Zhu was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability causing the device to crash, resulting in a buffer overflow condition that may allow remote code execution.

Fuji Advisory

This advisory describes a stack-based buffer overflow vulnerability in the Fuji V-Server VPR. The vulnerability was reported by Ariele Caltabiano (kimiya) via the Zero Day Initiative. Fuji has produced a new firmware version that mitigates the vulnerability. There is no indication that Caltabiano has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to view sensitive information and disrupt the availability of the device.

NXP Update

This update provides new information for an advisory that was originally published on October 12th, 2017. The update provides links to the new version of the single remaining product that was not previously fixed.

Thursday, February 1, 2018

DHS Publishes Private Sector Clearance Program 60-day ICR Renewal Notice

Today the DHS Office of Infrastructure Protection (IP) published a 60-day information collection request renewal notice in the Federal Register (83 FR 4670-4671) for the Private Sector Clearance Program (PSCP), Cooperative Research and Development Agreement, and Classified Critical Infrastructure Protection Program Request. This collection is for the initial information submitted to DHS to start the security clearance review process for private sector individuals in the following programs:

• Sector Coordinating Councils (SCCs);
• Cooperative Research and Development Agreements (CRADA) with NCCIC;
• Classified Critical Infrastructure Protection Program (CCIPP); and
• Cyber Information Sharing and Collaboration Program (CISCP).

This renewal expands the PSCP information collection to include the new CISCP. The revised estimate for the annual burden of this collection includes an expected 600 responses at 10 minutes per response. This burden only covers the initial information collected by DHS not the much more extensive (and very time consuming) background information collected by the OMB’s secure portal for investigation processing.

OIP is soliciting public feedback on this ICR renewal. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # DHS-2017-0061). Comments should be submitted by April 2nd, 2018.


The limits on this classified information sharing program outlined in this ICR demonstrate how little sharing of classified intelligence information there is with private sector critical infrastructure. Beyond the normal reluctance of the government to share classified information, there are a number of other factors which help to limit this information sharing process. First and foremost are the expensive requirements for appropriate technology to receive and store classified information.

In the ‘old-days’ when most classified information was stored as paper files, a GSA-approved safe secured in a locked room in a protected building provided ‘sufficient’ protection for all but the most sensitive classified information. That was an expense that could be afforded by most corporations. Today, with classified documents being transmitted and stored in electronic format, the security requirements have dramatically increased and the costs skyrocketed. Even when large corporations can afford such installations in their corporate headquarters, they cannot share the information with their scattered subordinate locations where the intelligence would most likely be used.

As I have said on numerous occasions, to share intelligence information with the increasing number of potentially affected private sector organizations, DHS and the rest of the intelligence community must be more proactive and (maybe more importantly) more timely in abstracting actionable information from intelligence reports (separate from the means and methods information which leads to most classification labels) so that the information may be shared in less-than-classified formats.
