Friday, March 23, 2018

Bills Introduced – 03-22-18

Yesterday with the House and Senate preparing to leave for their Easter Recess, 94 bills were introduced. Of these, two may be of specific interest to readers of this blog:

HR 5399 To amend the Homeland Security Act of 2002 to clarify that grants made pursuant to the Urban Area Security Initiative and the State Homeland Security Grant Program may be used to increase the preparedness of high-risk State, local, territorial, and tribal governments against weapons of mass destruction and biological and chemical attacks, and for other purposes. Rep. Gabbard, Tulsi [D-HI-2]

S 2620 A bill to establish a Federal cyber joint duty program for cyber employees of Federal agencies. Sen. Peters, Gary C. [D-MI]

As always, the large number of bills introduced before a major break in congressional attendance in Washington is not an indicator of congressional zeal. Rather, it is an indicator of campaigning initiatives. The talking points provided by most of these bills show that the introducing congresscritters are committed to, or at least interested in, specific concerns of their constituents. The vast majority of these bills will see no congressional action beyond their introduction.

It will be interesting to see if the wording of HR 5399 will allow the use of these grants for preparedness activities for attacks on chemical facilities or chemical transportation assets designed to specifically release hazardous chemicals. I am not going to hold my breath.

As with any of these clearly federal-limited cyber efforts, I will be watching this bill to see if it includes specific provisions related to industrial control system cybersecurity efforts. Yes, the federal government does have ICS, if you include building automation and security systems under the ICS umbrella.

ICS-CERT Publishes 2 Advisories and Siemens Update

Yesterday the DHS ICS-CERT published two control system security advisories for products from Beckhoff and Siemens. They also updated a previously published advisory for products from Siemens. The two Siemens products were mentioned in a previous blog post.

Beckhoff Advisory

This advisory describes an untrusted pointer dereference vulnerability in the Beckhoff TwinCAT PLC products. The vulnerability was reported by Steven Seeley of Source Incite. According to the Beckhoff security advisory, the company has updates available that mitigate the vulnerability. There is no indication that Seeley has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to escalate privileges. ICS-CERT reports that Matlab modules need to be recompiled after updating.

Siemens Advisory

This advisory describes an improper access control vulnerability in the Siemens SIMATIC WinCC OA UI mobile app. The vulnerability was reported by Alexander Bolshev from IOActive, and Ivan Yushkevich from Embedi. Siemens has updates available that mitigate the vulnerability. There is no indication that the researchers have verified the efficacy of the fix.

ICS-CERT reports that an uncharacterized attacker on an adjacent network could exploit the vulnerability to read and write data from and to the app’s project cache folder. The Siemens security advisory notes that a social engineering attack is required to convince the app user to connect to an attacker-controlled WinCC OA server.

Siemens Update

This update provides new information on an advisory that was originally published on January 25th, 2018 and updated on February 6th. The update removes a product from the affected product list.

Thursday, March 22, 2018

Rules Committee Approves HR 1625 Amendment – FY 2018 Spending Bill

Late last night the House Rules Committee met to consider the rule for the floor consideration of the Senate amendment to HR 1625. This bill has become the vehicle for the Consolidated Appropriations Act, 2018. The Committee approved a closed rule for the consideration of the bill, with one hour of debate and no floor amendments to be considered.

The Spending Bill

The Committee web site has a link to the full amendment that is the spending bill. There are also links to most of the separate divisions of the bill (essentially individual spending bills) to make it somewhat easier to wade through the bill. The divisions of potential specific interest to readers of this blog include:

• Division B CJS;
• Division C DOD;
• Division F DHS; and
• Division L THUD.

Division S of the bill contains a number of provisions that are separate from the actual spending bills, but need to be reauthorized, at least on a short-term basis. There is no separate Division S document, but the Committee did provide a summary document providing a very brief description of the programs covered.

The Explanatory Statement for this spending bill has not been published. The rule for the consideration of this bill (H Res 796) allows the Chair of the Appropriations Committee to insert the Statement in today’s Congressional Record. The Statement provides most of the details normally seen in the committee reports on the individual spending bills.

Moving Forward

The House will almost certainly take up this bill this afternoon. Due to the late availability of the huge bill, it is not yet clear if the Republicans will have enough votes to pass this bill on their own or if they will receive any support from House Democrats. I suspect that the bill will pass.

The big question will, of course, be the Senate. I would like to hope that the negotiators have done an adequate job to ensure that they have the necessary votes, but you can never tell for sure with a bill as complex as this. There is an interesting news report about the potential delay of the consideration of the bill in the Senate by a single Senator.

Bills Introduced – 03-21-18

Yesterday, with the House and Senate both in session, there were 34 bills introduced. Of those, two (see note below) may be of specific interest to readers of this blog:

HR 5366 To amend title 18, United States Code, to provide for certain authorized actions regarding interdiction of unmanned aircraft, and for other purposes. Rep. Hartzler, Vicky [R-MO-4]

HR 1625 TARGET Act [Consolidated Appropriations Act, 2018] House Amendment to Senate Amendment to H.R. 1625 (Rules Committee Print 115-66—Showing the text of the Consolidated Appropriations Act, 2018)

NOTE: Okay, HR 1625 was not actually introduced yesterday in the formal sense of the word. The House Rules Committee published the text that will be considered as substitute language for the Senate amendment to HR 1625. The important thing is that this will now be the omnibus spending bill for 2018. More on this bill later.

Wednesday, March 21, 2018

Bills Introduced – 03-20-18

Yesterday, with both the House and Senate in session, there were 33 bills introduced. Of those, one may be of specific interest to readers of this blog:

HR 5356 To establish the National Security Commission on Artificial Intelligence. Rep. Stefanik, Elise M. [R-NY-21]

Okay, I am not an AI geek, but this sounds like it may be interesting. It was assigned to too many committees (5) to have much chance of advancing, but I am probably going to be watching this one anyway. It will be really interesting to see how they define ‘artificial intelligence’.

I have to mention another bill (actually a resolution) in passing; no further coverage here. H Res 791 was introduced “Expressing support for the designation of Cesar Chavez's birthday, March 31, as National Border Control Day”. I’m not sure if this was intended as irony or a slap at Cesar Chavez; it is hard to tell with Rep Gohmert (R,TX).

ICS-CERT Publishes 2 Advisories and 3 Updates

Yesterday the DHS ICS-CERT published two new control system advisories for products from Siemens and Geutebruck. It also updated three previously published control system advisories for products from Siemens (2) and AutomationDirect. ICS-CERT has missed some recent Siemens updates and an advisory.

Siemens Advisory

This advisory describes an improper input validation vulnerability in the Siemens SIMATIC, SINUMERIK, and PROFINET IO products. The vulnerability is being self-reported by Siemens. Siemens has provided updates that mitigate the vulnerability in some products and has provided generic workarounds for the remaining products while updates are developed for them.

ICS-CERT reports that an uncharacterized attacker on an adjacent network could exploit this vulnerability to cause a denial-of-service condition requiring a manual restart to recover the system. The Siemens security advisory notes that OSI Layer 2 access is required to exploit the vulnerability.

Geutebruck Advisory

This advisory describes six vulnerabilities in the Geutebruck IP cameras. The vulnerabilities were reported by Davy Douhine of RandoriSec and Nicolas Mattiocco of Greenlock. Geutebruck has a new firmware version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• Improper authentication - CVE-2018-7532;
• SQL injection - CVE-2018-7528;
• Cross-site request forgery - CVE-2018-7524;
• Improper access control - CVE-2018-7520;
• Server-side request forgery - CVE-2018-7516; and
• Cross-site scripting - CVE-2018-7512.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to lead to proxy network scans, access to a database, adding an unauthorized user to the system, full configuration download including passwords, and remote code execution.

SIMATIC IPC Update

This update provides additional information on an advisory that was originally published on February 27th, 2018. It provides updated version information and mitigation measures for:

• SIMATIC IPC547G: Update BIOS to R1.21.0

SIPROTEC Update

This update provides additional information on an advisory that was originally published on July 6th, 2017, and updated on July 18th, on July 28th, on October 10th, on November 30th, and then again on January 4th, 2018. It provides updated version information and mitigation measures for:

• SIPROTEC 7SJ66: All versions prior to V4.30

AutomationDirect Update

This update provides additional information on an advisory that was originally published on November 9th, 2017. It adds a new product (Do-more Designer) to the list of vulnerable products and provides mitigation links for that product.

Missing Siemens Updates

Siemens has published updates and advisories that have not been covered in this latest series of ICS-CERT publications. Normally, I would not mention the ones from yesterday (two updates here and here, and a new advisory here), but today’s new Siemens advisory was also released yesterday. There is also an update from last week (here) that was not mentioned.

Two of the updates (here and here) are for the Spectre and Meltdown vulnerabilities in the Siemens Industrial products. ICS-CERT is unlikely to update their alert to reflect these new mitigation measures since the existing link to the Siemens advisory will take someone to the new information. This is a potential problem for anyone that is relying on ICS-CERT for information, but because of the way that ICS-CERT does their updates (and does not provide detailed change information) this appears to be unavoidable.

Tuesday, March 20, 2018

House Passes HR 5074 – Cyber Incident Response Teams

Yesterday the House passed HR 5074, the DHS Cyber Incident Response Teams Act of 2018, by a voice vote. The bill would authorize the establishment and use of “cyber hunt and incident response teams” in the National Cybersecurity and Communications Integration Center (NCCIC). No additional funding is provided in this bill.

As I mentioned yesterday, this bill has been officially referred to as being considered “as amended” and no amendments were offered or approved when the bill was considered by the House Homeland Security Committee. The Congressional Record for yesterday (pg H 1661) makes the same statement. I have reviewed the original bill, the reported version (published overnight) and the version published in the Record and can find no differences between these three versions. Maybe there will be some explanation when the Committee Report (H Rept 115-607) is printed later this week.

It is difficult to predict whether or not this bill will be taken up by the Senate. If it does make it to the Senate floor, I suspect that it will be at the end of the day under the Senate’s ‘without objection’ procedures; meaning no debate and no vote.

If this bill does become law, it will have an interesting potential consequence. With the use of the term ‘control systems’ in the new paragraph (f)(1)(D) of 6 USC 148, we see an official opening of the NCCIC to consideration of control system incidents, particularly since the term is used with these incident response teams. The IT-limited definition of ‘information systems’ in §148 has not specifically prohibited NCCIC from consideration of ICS incidents, but it has not provided specific authorization either. I would still prefer to see the definition of ‘information systems’ at §148(a)(5) changed to an ICS-inclusive definition (as in §1501), but the provision in this bill should make it reasonably clear that NCCIC should consider control system incidents as part of its area of interest.

Monday, March 19, 2018

S 1281 Reported in Senate – Hack DHS Act

Earlier this month the Senate Homeland Security and Governmental Affairs Committee published their report on S 1281, the Hack the Department of Homeland Security (Hack DHS) Act of 2017. The Committee amended and approved the bill at a markup hearing conducted on October 4th, 2017.

Changes to Bill

The Committee approved a substitute language amendment to the bill. Several minor changes were made to the bill. For example, in two different places in the bill the term ‘information technology’ was modified by preceding it with the words ‘Internet facing’.

The most extensive changes were found in §2(b) and §2(c). The changes to (b) were mostly changes in the order of the subparagraphs in (b)(2), but wording was added to change the hacker registration to a process with the contractor running the program rather than directly with DHS.

The changes in §2(c) deal with the required report to Congress on the pilot program. Two new subparagraphs were added, and one was deleted. The added subparagraphs deal with the “current number of outstanding previously unidentified security vulnerabilities and Department remediation plans” {§2(c)(4)} and “types of compensation provided” {§2(c)(6)}. The removed subparagraph {§2(c)(5)} would have required more details about the types of compensation provided.

Moving Forward

The bill being reported out of Committee by voice vote indicates that the bill has significant bipartisan support within the Committee. This will probably translate into a lack of significant opposition if the bill were to make it to the floor of the Senate, and I would suspect that it would be considered under the Senate’s unanimous consent procedure with no debate and no formal vote.


The minor change made by adding the words ‘Internet facing’ could significantly reduce the number of systems that could be included in the pilot bug bounty program outlined in the bill. It reflects a common misunderstanding of the vulnerability of computer systems that are not ‘Internet facing’. Not being ‘Internet facing’ is not even the same as the fabled ‘air gapped’ protection of control systems. Information systems will typically be accessible from networked computers that are Internet accessible even if the information system itself is not Internet facing.

The addition of this limitation on the systems to be included in the pilot program is even more confusing because the term ‘Internet facing’ is not defined in the bill. If the staff really wanted to limit the application of the program they should have included a definition that specified what limits they expected the Department to apply.

There was one interesting definition change made in the bill. The original bill cited 44 USC 3502 for the definition of ‘information system’. The new version of the bill instead uses the definition from 40 USC 11101. This really is not a change in definition since §11101(5) refers back to §3502 for the definition of the term. The term is still the IT-limited definition of the term, so no Department control system (building automation or access control systems for example) would be considered for the pilot program.

Committee Hearings – Week of 03-18-18

There are a significant number of hearings scheduled this week with both the House and Senate in session. Budget hearings predominate, but none that are of specific interest to readers of this blog. In fact, I do not see any hearings of specific interest here this week. There are, however, two bills that will make it to the floor of the House this week that I am watching and, of course, there is a spending bill deadline approaching at the end of the week.

On the Floor of the House

There are a number of bills that are scheduled to come to the floor on Monday under the suspension of the rules provisions of the House. These provisions limit debate, prohibit floor amendments, and require a super-majority to pass. Bills of potential interest include:

• HR 5074, the DHS Cyber Incident Response Teams Act of 2018; and
• HR 5089, Strengthening Local Transportation Security Capabilities Act of 2018.

Interestingly, both of these bills are listed in the Majority Leader’s schedule as being considered “as amended”. The Homeland Security Committee mark-up hearing for both of these bills resulted in an order for each bill that the bill be “reported to the House with a favorable recommendation, without amendment”. No report has been published for either bill (they will probably be submitted today and published later this week), so I cannot tell if Chairman McCaul (R,TX) subsequently ordered some revisions be made to the bill. It would not be too unusual for minor technical revisions to be made after mark-up, but substantial revisions are seldom made.

FY 2018 Spending Bill

The current continuing resolution (CR, HR 1892) will expire on Friday night. The hope has been that the House and Senate will consider and pass an omnibus spending bill this week that would include all of the non-DOD operations of the government (DOD spending was included in the last CR). News reports (see here for example) would seem to indicate that there is still some hard negotiating to be done on this bill.

Is there a chance that there will be another CR? It increasingly seems that there is always a chance. One remote possibility is that a CR for the rest of the fiscal year could be passed, keeping the current funding levels. While the inclusion of DOD spending in HR 1892 would seem to make that possibility easier, it would violate the agreement to increase spending levels in non-DOD areas that allowed HR 1892 to eventually be passed.

Saturday, March 17, 2018

CFATS Authorization – Excluded Facilities

This is part of a continuing series of blog posts on my proposed changes to the CFATS authorization. The current authorization for the program ends on December 18th, 2018. These posts address some of the language that I would like to see in any re-authorization bill. Earlier posts in the series include:

The current CFATS authorization lists five types of facilities that are ‘excluded’ from the requirements of the CFATS program {6 USC 621(4)}:

• A facility regulated under the Maritime Transportation Security Act of 2002 (Public Law 107–295; 116 Stat. 2064);
• A public water system, as that term is defined in section 300f of title 42;
• A Treatment Works, as that term is defined in section 1292 of title 33;
• A facility owned or operated by the Department of Defense or the Department of Energy; or
• A facility subject to regulation by the Nuclear Regulatory Commission.

The presumption is that the federal programs that are responsible for the facility oversight already adequately address site security concerns. This presumption was a political decision made when the CFATS program was originally authorized in 2006. Since the program was developed there has been no outside comparison of the various security requirements of the various programs.

Study Requirement

The major problem in comparing these security programs is that only the CFATS program is specifically targeted at protecting chemicals from terrorist attacks. What is needed is a formal program comparison that specifically addresses the security controls that provide protections to on-site chemicals found in Appendix A to 6 CFR 27. To that end, I would include the following language:

Sec. 632 – Excluded Facility Study

(a) The Comptroller General will, within 180 days, prepare a report to Congress on the comparative security requirements between the existing CFATS regulations, as defined in §621(1), and the provisions associated with the federal programs regulating excluded facilities, as that term is defined in §621(4). The study will compare the program requirements that would prevent:

(1) The release of chemicals identified as a release security issue in Appendix A to 6 CFR Part 27;
(2) The theft or diversion of chemicals identified as theft security issue in Appendix A to 6 CFR Part 27; and
(3) The sabotage of chemicals identified as a sabotage security issue in Appendix A to 6 CFR Part 27.

(b) The report will specifically identify any deficiencies in the respective regulatory program as compared to the CFATS regulations to provide equivalent levels of protection for chemicals identified in (a)(1), (2) and (3);

(c) The report to Congress will be unclassified with a classified annex if deemed appropriate by the Comptroller General. The unclassified version of the report will be published on the CFATS web site.

(d) The Secretary, in consultation with the Environmental Protection Agency, the Department of Energy, the Department of Defense and the Nuclear Regulatory Commission, will, within 1 year of the publication of the report required in (a), report to Congress on any recommendations for changes in the excluded facilities provisions of this subchapter that would correct deficiencies noted in (b) above.

Public ICS Disclosure – Week of 03-10-18

We have two exploit code releases this week for industrial control systems; the vulnerability in one of them was previously reported by ICS-CERT. The vulnerable products come from Prisma Industriale and Advantech.

Prisma Exploit

Gjoko 'LiquidWorm' Krstic published exploit code for a hard-coded credential vulnerability in the Prisma Industriale Checkweigher, an in-line weighment device. The vulnerability had been previously published by Zero Science Labs, who had attempted to coordinate the disclosure with the vendor.

The vulnerability reportedly gives a successful attacker administrator-level access to the device.

Advantech Exploit

Chris Lyne published exploit code for a directory traversal vulnerability in the Advantech WebAccess products. The vulnerability was previously reported by ICS-CERT and ZDI. According to ZDI, the vulnerability gives a successful attacker administrator-level remote code execution.

Friday, March 16, 2018

TSA Publishes 2017 Surface Enforcement Summary

Earlier this week the DHS Transportation Security Administration (TSA) published a notice in the Federal Register (83 FR 11236-11240) providing a summary of the enforcement actions that were undertaken in the surface transportation security realm for calendar year 2017. Looking at the results, it is apparent that the TSA significantly stepped up its enforcement of the Transportation Worker Identification Credential (TWIC) program under 49 CFR 1570. For the second year in a row TSA reported no enforcement actions under the rail security provisions of 49 CFR 1580.

The table below shows a summary of the last four years’ enforcement activities. The total for this year’s report is a little overstated because there were twenty instances in this report where two or more violations were reported for a single incident.

[Table: TSA surface transportation enforcement actions by violation type for the last four years; the counts were not captured in the extracted text. Row headings: Did not allow TSA Inspection; Rail Car Chain of Custody; Rail Car Security; Rail Car Location; Reporting Security Concern; Use of another’s TWIC; Direct the use of another's TWIC; Fraudulent Manufacture of TWIC; Use of an altered TWIC.]

The continued failure to report any railroad enforcement actions would tend to indicate that the TSA is effectively ignoring rail security issues. This is hardly surprising with the very small Surface Transportation Security inspection force and the very widely spread rail network. It is much easier to concentrate efforts in the fairly limited port areas of the country. What is disappointing, however, is the apparent failure to look at rail security operations in the port areas where the inspection forces are apparently concentrated.

In previous years’ reporting (see here for example) I tried to summarize the information provided on fines proposed and assessed. This year, with the huge increase in the reported incidents, I have not attempted to do so. Most of the incidents reported resulted in just warnings being issued. The largest fine proposed this year was $6,000 and the largest actually assessed was $2,000. With the violations being typically assessed against individuals rather than commercial organizations, these figures are probably reasonable.

One final interesting point in this TSA report is the file numbering system that TSA uses to track their surface transportation security enforcement activities. It consists of a four-digit year number, a three-character city code, and a four-number sequence code. The city code is the international airport code for the city involved instead of the 4-character code for the port involved. This is just another indication of the extreme airport bias of the TSA.

Bills Introduced – 03-15-18

Yesterday, with both the House and Senate preparing to leave for the weekend, there were 45 bills introduced. Of these, one may be of specific interest to readers of this blog:

HR 5300 To provide agencies with discretion in securing information technology and information systems. Rep. Palmer, Gary J. [R-AL-6]

Okay, this clearly seems to be an IT security bill, it probably does not include any OT provisions, and it appears to be limited to government computer systems; so why am I including it here? The phrase ‘discretion in securing’ raises all sorts of red flags that bear further investigation. This probably will not show up here again, but who knows what silliness congresscritters can come up with.

BTW: If you ever doubted the potential for congressional knee-jerk response, there were companion bills (HR 5315 and S 2556) introduced in the House and Senate yesterday to establish federal regulations prohibiting putting a live animal in an overhead bin on an aircraft (incident news story here).

Wednesday, March 14, 2018

ISCD Updates CFATS Monthly Update Page – 03-13-18

Yesterday the DHS Infrastructure Security Compliance Division (ISCD) updated their Chemical Facility Anti-Terrorism Standards (CFATS) Monthly Update page reflecting the changes in the implementation of the CFATS program that apparently took place last month (there is no effective date given for the data). The numbers continue to show progress in the implementation and compliance verification efforts of ISCD.

ISCD Activities

The table below shows the reported numbers for the key activities undertaken by ISCD in support of the implementation of the CFATS program.

[Table: CFATS Activities; the counts were not captured in the extracted text. Row headings: Authorization Inspections to Date; Authorization Inspections Month; Compliance Inspections to Date; Compliance Inspections Month; Compliance Assistance Visits to Date; Compliance Assistance Visits Month.]

We continue to see an increase in the number of Authorization Inspections being conducted as more of the newly added facilities from the CSAT 2.0 process move through the Site Security Plan submission process. This number should level off and then decline in the coming months as more facilities move into the program compliance stage.

Facility Status

The table below shows the status of the facilities currently covered by the CFATS program. Note: there were two typographical errors on the web page table; the ‘authorized number’ was shown as ‘6665’ and the ‘total’ was shown as ‘4007’.

[Table: CFATS Facility Status; the counts were not captured in the extracted text.]

The numbers for tiered facilities continue to go down as these newly tiered facilities move through the CFATS implementation process. The numbers for authorized facilities reflect the movement of facilities through the site security plan implementation process.

The total number of covered facilities shows an apparently increasing number of facilities leaving the CFATS program. I would assume, however, that the earlier months’ increases in the total numbers, reflecting the new facilities being added by the CSAT 2.0 implementation, masked a substantial number of facilities leaving the program. Facilities have substantial financial incentives to exit the program and there are a number of legitimate methods of risk reduction/elimination that facilities can employ that would allow them to exit the program.


ISCD does not include what is, to my mind, a very important statistic in their monthly report: the results of the compliance inspections that have been conducted by the Chemical Security Inspectors. I expect that we will be seeing a new report from either the Congressional Research Office or the Government Services Agency as part of the Congressional review of the program leading to a reauthorization decision later this year. That report should cover the compliance inspection results data.

ICS-CERT Publishes 5 Advisories

Yesterday the DHS ICS-CERT published a medical device security advisory for products from GE. They also published four control system security advisories for products from OSIsoft (3) and Omron. The GE advisory was originally published on the secure HSIN ICS-CERT library on February 6, 2018.

GE Advisory

This advisory describes an improper authentication vulnerability in a number of GE healthcare products. The vulnerability was reported by Scott Erven. GE has produced updates for all but three of the products that mitigate the vulnerability. There is no indication that Erven has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to bypass authentication and gain access to the affected devices.

Interestingly, these vulnerabilities were reported to ICS-CERT in 2015 and advisories were subsequently issued (SB 15-222) by US-CERT. Forbes reported on the issue in 2015 and a presentation was made by Erven at Shakacon (see Dale Peterson’s Tweet) about the issues the same year. I cannot understand why a secure posting about the vulnerability was justified or why it took almost three years to fix the problem. Oh, the FDA has not published anything about these vulnerabilities on the Device Safety page (either for 2015 or 2018). BTW: Rocky and Bullwinkle fans, take a close look at the URL for the 2015 Safety Communications page.

PI Web API Advisory

This advisory describes two vulnerabilities in the OSIsoft Web API. OSIsoft is self-reporting these vulnerabilities. They have provided an update that mitigates the vulnerabilities.

The two reported vulnerabilities are:

• Permissions, privileges and access controls - CVE-2018-7500; and
• Improper neutralization of input during web page generation - CVE-2018-7508.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow escalated privileges and may allow remote code execution.

PI Vision Advisory

This advisory describes two vulnerabilities in OSIsoft PI Vision. OSIsoft self-reported these vulnerabilities and has an update available that mitigates them.

The two reported vulnerabilities are:

• Protection mechanism failure - CVE-2018-7504; and
• Information exposure - CVE-2018-7496

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow remote code execution and expose information.

NOTE: I reported on these vulnerabilities last month when OSIsoft first published their advisory. The OSIsoft alert notes that there are two separate information exposure vulnerabilities, but OSIsoft does not publish CVE numbers so it is not easy to tell if there is an actual discrepancy here.

PI Data Archive Advisory

This advisory describes three vulnerabilities in the OSIsoft PI Data Archive. OSIsoft self-reported these vulnerabilities and has an update available that mitigates them.

The three reported vulnerabilities are:

• Deserialization of untrusted data - CVE-2018-752;
• Incorrect default permissions - CVE-2018-7533; and
• Improper input validation - CVE-2018-7531

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to cause loss of network access to the device or allow escalated privileges that may result in gaining full control of the PI Data Archive server.

NOTE: I reported on these vulnerabilities last month when OSIsoft first published their advisory.
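Two of the weakness classes in the PI Data Archive advisory, deserialization of untrusted data and incorrect default permissions, are generic enough to show in a few lines. The following is an added illustration written for this post, not OSIsoft code and not a description of how the PI Data Archive itself behaves: the record format, file names and directory layout are all constructed stand-ins. It pairs the unsafe pattern (unpickling whatever arrives on the wire) with a hardened loader that only accepts a fixed JSON shape, and pairs a permissive file mode with a writer that creates owner-only files and an audit that finds files other users can reach.

```python
"""Added example (not OSIsoft code): two weakness classes from the PI Data
Archive advisory shown in generic Python, each beside the hardened handling.
Record format, file names and directory layout are constructed."""
import json
import os
import pickle
import stat
import tempfile

# --- Deserialization of untrusted data --------------------------------------
# pickle.loads() runs constructors chosen by whoever produced the bytes, so
# applying it to network input hands the sender code execution on the server.
def unsafe_load(blob: bytes):
    return pickle.loads(blob)          # never do this with untrusted input

# Hardened form: accept only a fixed, documented JSON shape.  SCHEMA is a
# constructed stand-in for a point-value record (tag, value, timestamp).
SCHEMA = {"tag": (str,), "value": (int, float), "timestamp": (int,)}

def safe_load(blob: bytes) -> dict:
    """Parse a record and enforce field names and types, or raise ValueError."""
    try:
        obj = json.loads(blob.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError("malformed record") from exc
    if not isinstance(obj, dict):
        raise ValueError("record is not an object")
    if set(obj) != set(SCHEMA):
        raise ValueError("unexpected field set: %s" % sorted(obj))
    for name, types in SCHEMA.items():
        val = obj[name]
        # bool is a subclass of int in Python, so exclude it explicitly
        if isinstance(val, bool) or not isinstance(val, types):
            raise ValueError("bad type for field %s" % name)
    if len(obj["tag"]) > 255:
        raise ValueError("tag name too long")
    return obj

# --- Incorrect default permissions ------------------------------------------
def world_accessible(path: str) -> bool:
    """True if any 'other' permission bit (read, write or execute) is set."""
    return bool(os.stat(path).st_mode & stat.S_IRWXO)

def audit_tree(root: str) -> list:
    """Return relative paths under root that users outside the owner's group can reach."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if world_accessible(full):
                found.append(os.path.relpath(full, root))
    return sorted(found)

def write_private(path: str, data: bytes) -> None:
    """Create path readable and writable by the owner only, independent of umask."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    # umask can only clear bits from the mode passed to open(); set it
    # explicitly so the result is the same on every host
    os.chmod(path, 0o600)

def demo() -> dict:
    """Exercise both checks on constructed data in a temporary directory."""
    good = safe_load(b'{"tag": "FIC101.PV", "value": 22.5, "timestamp": 1521763200}')
    rejected = []
    for bad in (b'{"tag": "x", "value": true, "timestamp": 1}',          # wrong type
                b'{"tag": "x", "value": 1, "timestamp": 1, "cmd": "id"}', # extra field
                b'\x80\x04not json'):                                     # not UTF-8/JSON
        try:
            safe_load(bad)
        except ValueError as exc:
            rejected.append(str(exc))
    with tempfile.TemporaryDirectory() as root:
        loose = os.path.join(root, "pisettings.cfg")      # constructed file name
        with open(loose, "wb") as fh:
            fh.write(b"listen=0.0.0.0\n")
        os.chmod(loose, 0o644)                             # the permissive default
        key = os.path.join(root, "archive.key")            # constructed file name
        write_private(key, b"constructed-secret")
        exposed = audit_tree(root)
        private_mode = stat.S_IMODE(os.stat(key).st_mode)
    return {"good": good, "rejected": len(rejected),
            "exposed": exposed, "private_mode": private_mode}

if __name__ == "__main__":
    print(demo())
```

The loader side is the point that generalizes: a format whose decoder can instantiate arbitrary types (pickle here, BinaryFormatter or similar in other stacks) is not a data format for untrusted peers, whatever framing sits around it. The permissions side is the check an operator can run today against an installed product's data and configuration directories.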

Omron Advisory

This advisory describes seven vulnerabilities in the Omron CX-Supervisor. The vulnerabilities were reported by rgod via the Zero Day Initiative. Omron has released a new version that mitigates the vulnerabilities. There is no indication that rgod has been provided an opportunity to verify the efficacy of the fix.

The seven reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2018-7513;
• Use after free - CVE-2018-7521;
• Access of uninitialized pointer - CVE-2018-7515;
• Double free - CVE-2018-7523;
• Out-of-bounds write - CVE-2018-7517;
• Untrusted pointer dereference - CVE-2018-7525; and
• Heap-based buffer overflow - CVE-2018-7519

ICS-CERT reports that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to allow remote code execution.

CFATS Penalty Documents Published

Yesterday the DHS Infrastructure Security Compliance Division updated their Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center with a news item pointing to links to two documents related to CFATS penalty assessments. The “Policy for Assessing a Civil Penalty under the Chemical Facility Anti-Terrorism Standards” and the accompanying fact sheet appear to be the same documents (same policy number and publication dates) that were published on the CFATS web site last year. That web page is still active, but it is not listed on the CFATS landing page.

Tuesday, March 13, 2018

Not a Markup Hearing

Well, it turns out that the Energy Subcommittee hearing on the four DOE emergency response and security bills is not a mark-up hearing after all. Last night the witness list was announced, so it seems as if this will be an information gathering hearing with a possible mark-up at some later date.

Updated Hearing Information

The witness list includes:

• Mark Menezes, US Department of Energy;
• Scott Aaronson, Edison Electric Institute;
• Mark Engels, Dominion Energy;
• Kyle Pitsor, National Electrical Manufacturers Association;
• Zachary Tudor, Idaho National Laboratory; and
• Tristan Vance, Indiana Office of Energy Development

The links provided above are to the witness testimony that will be presented at tomorrow’s hearing. The Sub-Committee staff has also produced a background document for the meeting.

Interesting Info in Testimony

Menezes notes that (pg 1):

“To demonstrate our focus on the aforementioned mission [to protect the Nation’s critical energy infrastructure from physical security events, natural and man-made disasters, and cybersecurity threats], the Secretary announced last month that he is establishing an Office of Cybersecurity, Energy Security, and Emergency Response (CESER). This organizational change will strengthen the Department’s role as the Sector-Specific Agency (SSA) for Energy Sector Cybersecurity, supporting our national security responsibilities.”

Menezes also notes that (pg 6):

“Advancing the ability to improve situational awareness of OT networks is a key focus of DOE’s current activities. The Department is currently in the early stages of taking the lessons learned from CRISP and developing an analogous capability for threat detection on OT networks via the Cybersecurity for the Operational Technology Environment (CYOTE) pilot project. Observing anomalous traffic on networks – and having the ability to store and retrieve network traffic from the recent past – can be the first step in stopping an attack in its early stages.”
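The capability Menezes describes has two halves: knowing what normal OT traffic looks like so that departures from it stand out, and keeping enough of the recent past on hand that an analyst can go back and look. The following is an added toy illustration of both halves, written for this post; it is not DOE, CRISP or CYOTE code and says nothing about how those programs are built. Hosts, ports and flow records are constructed: an HMI and a historian polling two PLCs over Modbus/TCP form the learning window, and the live traffic then contains one host never seen before and one known host opening a new service to a PLC.

```python
"""Added example (not DOE/CYOTE code): learn a baseline of OT conversations
from a learning window, flag live flows outside it, and keep a bounded store
of recent flows for retrieval.  All addresses and flows are constructed."""
from collections import deque

# Constructed learning window.  Each record is (timestamp, src, dst, dst_port,
# proto): an HMI (10.1.1.10) and a historian (10.1.1.11) polling two PLCs
# (10.1.2.20, 10.1.2.21) over Modbus/TCP, port 502.
BASELINE_WINDOW = [
    (1000, "10.1.1.10", "10.1.2.20", 502, "tcp"),
    (1001, "10.1.1.10", "10.1.2.21", 502, "tcp"),
    (1002, "10.1.1.11", "10.1.2.20", 502, "tcp"),
    (1003, "10.1.1.11", "10.1.2.21", 502, "tcp"),
]

# Constructed live traffic: routine polls, one never-seen host talking Modbus
# to a PLC, and the HMI opening a new service (44818, EtherNet/IP) to a PLC.
LIVE_FLOWS = [
    (2000, "10.1.1.10", "10.1.2.20", 502, "tcp"),
    (2001, "10.1.1.50", "10.1.2.20", 502, "tcp"),
    (2002, "10.1.1.11", "10.1.2.21", 502, "tcp"),
    (2003, "10.1.1.10", "10.1.2.20", 44818, "tcp"),
    (2004, "10.1.1.10", "10.1.2.21", 502, "tcp"),
]

def learn_baseline(flows):
    """Return (known hosts, known conversations) seen during the learning window."""
    hosts, convs = set(), set()
    for _ts, src, dst, port, proto in flows:
        hosts.update((src, dst))
        convs.add((src, dst, port, proto))
    return hosts, convs

class FlowMonitor:
    """Compare each flow against the baseline and retain the most recent ones."""

    def __init__(self, hosts, convs, retain=1000):
        self.hosts = hosts
        self.convs = convs
        self.recent = deque(maxlen=retain)   # bounded store of the recent past

    def observe(self, flow):
        """Store the flow; return an alert dict, or None if it fits the baseline."""
        self.recent.append(flow)
        ts, src, dst, port, proto = flow
        if src not in self.hosts or dst not in self.hosts:
            reason = "unknown-host"          # endpoint never seen in the window
        elif (src, dst, port, proto) not in self.convs:
            reason = "new-conversation"      # known hosts, new service or direction
        else:
            return None
        return {"ts": ts, "src": src, "dst": dst, "port": port, "reason": reason}

    def flows_involving(self, host):
        """Retrieve stored flows where host is either endpoint, oldest first."""
        return [f for f in self.recent if host in (f[1], f[2])]

def run_demo():
    """Learn from the window, run the live flows, then pull context for one PLC."""
    hosts, convs = learn_baseline(BASELINE_WINDOW)
    monitor = FlowMonitor(hosts, convs, retain=100)
    alerts = [a for a in map(monitor.observe, LIVE_FLOWS) if a is not None]
    # Analyst follow-up: everything the alerting PLC has exchanged recently,
    # which is exactly the "store and retrieve" half of the capability.
    context = monitor.flows_involving("10.1.2.20")
    return alerts, context

if __name__ == "__main__":
    found, ctx = run_demo()
    for a in found:
        print("ALERT", a)
    print("recent flows for 10.1.2.20:", ctx)
```

Two design points carry over to a real deployment. The learning window must be taken from a period the operator is confident was clean, since anything present then becomes "normal"; and the retention store is what turns an alert into an investigation, so its size should be set by how far back an analyst needs to reach, not by what happens to fit in memory.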

Engels notes that (pg 3):

“A more expedient [coordinating security activities of DOT and TSA] approach may be to encourage a Memo of Understanding (MOU) between DOE and TSA that outlines roles and responsibilities for dealing with cyber and physical security for the ONG sector. TSA already has an MOU with the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) which has responsibility for pipeline safety. Depending on the type of event, the TSA/DOT MOU has been critical in helping operators understand which Federal entity is the lead agency.”

Engels also notes that (pg 8):

“In 2016, TSA, again working with asset owners, industry associations, and the Department of Homeland Security’s Industrial Control System’s Cyber Emergency Response Team (DHS ICS-CERT), gathered input to update the Guidelines using the National Institute of Standards and Technology’s (NIST) Cyber Security Framework as a model. The updated [Pipeline Security] Guidelines are scheduled for release in the first half of 2018. Industry also provided input to augment the set of cybersecurity questions used in the Corporate Security Reviews (CSR) conducted by TSA.”

Engels also notes that (pgs 12-13):

“INL has undertaken several initiatives to stand up test environments for Industrial Control Systems (ICS). One such initiative was called RENDER (Risk Evaluation Nexus for Digital Age Energy Reliability). RENDER created a three way sharing arrangement involving the lab, the vendor and the asset owner. Previous projects excluded the asset owner from the equation, creating uncertainty associated with remediation of the vulnerabilities identified by INL. With RENDER, the asset owner not only could see what vulnerabilities were discovered, but provide input to the vendor about how critical or not the vulnerability was to the asset owner. This allowed the vendor to prioritize corrections that made the most sense to the asset owners.”

Tudor notes that (pg 4):

“INL developed and completed an initial pilot study of our proprietary Consequence driven, Cyber-informed Engineering (CCE) methodology with Florida Power and Light (FPL) through a Cooperative Research and Development Agreement (CRADA). CCE was developed to address the realization that constantly “chasing” threats and vulnerabilities, rather than getting ahead of these problems, is not sufficient to secure our critical systems. CCE is designed to assist asset owners in understanding the most effective and immediate actions they can take to eliminate the opportunity of the “worst-case” cyber-physical impacts from an attack by the most capable cyber adversaries. CCE leverages an organization’s knowledge and experiences with their systems and processes to “engineer out” the potential for the highest consequence events.”

This could be an interesting hearing.
