Monday, April 30, 2018

CFATS Reauthorization - WMD Criminal Activities


This is part of a continuing series of blog posts on my proposed changes to the CFATS authorization. The current authorization for the program ends on December 18th, 2018. These posts address some of the language that I would like to see in any re-authorization bill. Earlier posts in the series include:


The current federal statutes on chemical weapons (18 USC Chapter 11B) do not specifically address the issue of theft or diversion of chemical precursors or an attack resulting in the release of toxic, flammable, or explosive chemicals from the chemical facilities covered under the CFATS program. This is an oversight that can be corrected during the reauthorization of the CFATS program.

The language below would correct that shortcoming:

Section 3 – Weapons of Mass Destruction Criminal Activities

(a) Section 229(a) of 18 USC is amended by adding at the end:

“(3) to attack or unlawfully enter a covered facility under 6 CFR Part 27 with the intent to cause a release of a release security issue chemical, or to actually cause such a release;

“(4) to steal or cause the diversion of a delivery of a theft security issue chemical from a covered facility under 6 CFR Part 27;”

(b) Section 229(b) of 18 USC is amended by adding at the end:

“(3) Notwithstanding (a)(3), no person shall be deemed to have violated that paragraph by entering a covered facility under 6 CFR Part 27 with the sole purpose of exercising their freedom of expression rights to protest or call attention to the possession, manufacture, distribution or sale of a hazardous chemical, as long as the person does not touch, harm, or cause to be moved any storage container containing, or chemical processing equipment of, a release security issue chemical.”

(c) Section 229F of 18 USC is amended by adding at the end:

“(10) Covered Facility Under 6 CFR Part 27 – The term “covered facility under 6 CFR Part 27” means a facility that has been provided with a tiering letter in accordance with 6 CFR 27.200(a);

“(11) Release Security Issue Chemical – The term “release security issue chemical” means any chemical listed in Appendix A to 6 CFR part 27 that is listed as having a release security issue;

“(12) Theft Security Issue Chemical – The term “theft security issue chemical” means any chemical listed in Appendix A to 6 CFR part 27 that is listed as having a theft security issue.”

Sunday, April 29, 2018

CFATS Reauthorization – STQ Adjustments


This is part of a continuing series of blog posts on my proposed changes to the CFATS authorization. The current authorization for the program ends on December 18th, 2018. These posts address some of the language that I would like to see in any re-authorization bill. Earlier posts in the series include:


As I discussed in an earlier post, the regulatory triggers for the CFATS program (known as the ‘screening threshold quantity’ or STQ) are a politically influenced approximation of a risk assessment of the threat that a particular chemical poses in a potential terrorist attack on a facility. The CFATS program acknowledges that the assessment of the potential threat associated with holding a chemical of interest (COI) is much more complex than just looking at the physical characteristics of the chemical or the potential uses of that chemical in a subsequent attack. That is why facilities possessing a COI at or above the designated STQ are required to report information to ISCD utilizing the Top Screen tool. That information is used to make a detailed assessment of the risk of a terrorist attack on that facility.

Recently ISCD completed a re-assessment of the threat of terrorist attack on the full range of facilities that had previously submitted Top Screens, using a revised Top Screen tool and a more formally vetted threat assessment protocol. The large number of facilities involved in that reassessment provides a unique opportunity to make a more detailed and statistically verifiable determination of STQs. To that end, I would suggest the following language.

Sec. 635 – Screening Threshold Quantity Adjustments

(a) The Comptroller General, within 90 days, will initiate a study of the results of the CSAT 2.0 reassessment initiated for the CFATS program in October of 2016. The study will look at the information reported by facilities in their Top Screens and results of the risk assessment subsequently conducted by DHS to determine the adequacy of the current screening threshold quantity (STQ) used by DHS to trigger reporting requirements for the CFATS program.

(b) Definition – COVERED FACILITY – In this section the term ‘covered facility’ means any facility that, subsequent to the submission of a Top Screen was provided with a Tiering Letter by DHS requiring the facility to submit a security vulnerability assessment / site security plan.

(c) For DHS chemicals of interest (COI) listed in Appendix A to 6 CFR Part 27 as a release security issue or theft security issue, the study described in (a) will look at:

(1) The inventory reported for each of the chemicals listed in Appendix A to 6 CFR Part 27;

(2) Whether or not the facility was subsequently notified that it was a covered facility under the CFATS program;

(3) Based upon the lowest quantity of a COI reported for all facilities possessing that COI that were subsequently notified that they were a covered facility under the CFATS program, the study will report if:

(A) the STQ is too low – the lowest quantity reported is statistically greater (at the 95% confidence level) than the STQ; or

(B) the STQ is not too low – at least one covered facility reports a COI inventory level at the STQ level.

(4) For each COI found to have an STQ that is not too low, DHS will be required to re-run the risk assessment process for each facility possessing that COI. Those reassessments will be run with artificial Top Screen reported values of 90%, 80% and 70% of the STQ value. The study will report the results under (3) for the COI at each of those values.

(d) For DHS chemicals of interest (COI) listed in Appendix A to 6 CFR Part 27 as a sabotage security issue, the study described in (a) will look at the lowest amount reported for any facility subsequently determined to be a covered facility under the CFATS program.

(e) Within 60 days of the completion of the report required in (a) the Secretary will initiate a rulemaking to adjust the STQ values in Appendix A, 6 CFR Part 27. Those adjustments will:

(1) For any COI evaluated as ‘too low’ under the requirements of (c)(3), increase the STQ to the lowest value reported for any facility deemed to be a covered facility;

(2) For any COI evaluated under (c)(4), decrease the STQ to the highest value where a ‘too low’ report was made or 70% of the STQ, whichever is higher;

(3) for any COI evaluated under (d), adjust the STQ to the lowest value reported by a facility subsequently determined to be a covered facility.


Saturday, April 28, 2018

Public ICS Disclosures – Week of 04-21-18


This week we have three vendor disclosures from Schneider Electric and one researcher report for cloud services from Hikvision.

Wiser for KNX Advisory


This advisory describes an FTP access vulnerability in the Schneider Wiser for KNX logic controller. The vulnerability was reported by Jokin Guevara. Schneider has an update that mitigates the vulnerability. There is no indication that Guevara has been provided an opportunity to verify the efficacy of the fix.

Schneider reports that an uncharacterized attacker could remotely exploit the vulnerability to gain unauthorized access.

EVlink Charging Station Advisory 


This advisory describes a cookie modification privilege escalation in the Schneider EVlink charging station. This vulnerability was reported by Joakim B. Hellum. Schneider has an update that mitigates the vulnerability. There is no indication that Hellum has been provided an opportunity to verify the efficacy of the fix.

Schneider reports that an uncharacterized attacker could remotely exploit the vulnerability to gain administrative privileges without properly authenticating remote users.

Pelco Sarix Professional Advisory 


This advisory describes three vulnerabilities in the Schneider Pelco Sarix Professional IP cameras. The vulnerabilities were reported by Weapon x, Giri Veeraraghavan Veda, and Gulf Business Machines. Schneider has an update available that mitigates the vulnerabilities. There is no indication that any of the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Buffer overflow - CVE-2018-7780;
• Authenticated password disclosure and privilege escalation - CVE-2018-7781; and
• Authenticated password disclosure - CVE-2018-7782.

Hikvision Advisory


This advisory describes an authentication vulnerability in the Hikvision hik-connect.com and ezvizlife.com cloud services. The vulnerability was reported by Vangelis Stykas and the hack process reported in depth here (Medium.com registration required). Hikvision has a fix available, but there is no indication that Stykas has been provided an opportunity to verify the fix.

Friday, April 27, 2018

HR 4 Further Amended and Passed in House – FAA Authorization


Today the House finished consideration of the amendments cleared by the House Rules Committee for HR 4, the FAA Reauthorization Act of 2018. They then passed the bill by a strongly bipartisan vote of 393 to 13; the No votes were nearly evenly split between Republicans and Democrats.

There were two remaining amendments from those I described earlier left to be considered today. Amendment #111 (FEMA emergency response plan support) was passed by a voice vote as part of en bloc amendment 4. Amendment #98 (FAA artificial intelligence report) was not offered during the consideration of the bill either today or yesterday.

The Senate will probably take up the bill with a substitute language amendment that will address a number of different issues with some language in common. This typically would lead to a conference committee to work out the differences between the two bills.

IST Ammonia Systems and Regulatory Triggers


Inherently safer technology, or IST, has long been viewed by industry as code words for replacing hazardous chemicals with less hazardous alternatives. In reality, it also includes reducing the amount of hazardous chemicals stored on site. An interesting article at Ammonia21.com points out how industrial cooling equipment manufacturers are helping facilities avoid costly regulation compliance issues by reducing the amount of anhydrous ammonia (AA) used in commercial refrigeration units.

While an accompanying article on the same site provides more details on the safety improvements (and on-going safety requirements) for these advanced cooling systems, the first article makes it clear that the goal is reducing the amount of AA on-site below the 10,000-lb threshold that triggers coverage under the EPA Risk Management Program (RMP), OSHA Process Safety Management (PSM) and DHS Chemical Facility Anti-Terrorism Standards (CFATS) regulations.

Increase Safety or Reduce Regulatory Burden


Both of the above articles (and another here) strive to show that the advanced refrigeration techniques do enhance safety at the facilities that employ them in ways that extend beyond just reducing the amount of AA on hand. One key method would be removing the need to circulate liquid AA through process areas in the facilities. This greatly reduces the number of places where leaks can happen and moves the remaining potential leak sites away from employees.

If the goal were to simply reduce the amount of AA on hand to avoid regulatory compliance issues, it would seem that the manufacturers would just concentrate on the employment of advanced technology evaporators in current cooling systems. This would seem to be a lower initial cost alternative for reducing inventories below the 10,000-lb trigger. The more complete system change being advocated in these articles does appear to provide increased safety benefits beyond the inventory reduction.

Regulatory Triggers


This provides a good place to talk about the efficacy of regulatory triggers like this 10,000-lb anhydrous ammonia inventory trigger for RMP, PSM and CFATS. If a facility works at ensuring that they never exceed 9,999-lbs of AA on-site, they will not have to worry about complying with the requirements of the regulatory programs mentioned above. Reaching that 10,000-lb trigger, however, means that the facility is required to comply with a host of complicated and expensive regulatory requirements.

Is there a significant difference in the safety and/or security of a facility if they have 9,999-lbs or 10,000-lbs of anhydrous ammonia on hand? Of course not. That one-pound difference has no practical effect on the safety or security risks of the facility. These trigger-based regulatory standards are political artifacts based upon attempts to craft ‘risk-based’ safety and security standards.

The CFATS program acknowledges this trigger problem by having facilities that have reached that trigger submit data (Top Screen) to the Infrastructure Security Compliance Division (ISCD). A more complex threat assessment process uses this data to determine if facilities are at high-risk for terrorist attack and thus require compliance with the CFATS regulations. While the base trigger problem remains, the two-step assessment process acknowledges that risk determination cannot rely on a single factor.

Industry Response


Since regulatory compliance is associated with significant costs, industry has significant financial incentives to avoid coverage under these regulatory programs. When companies are designing new facilities or refurbishing older facilities, process designers take these regulatory triggers into account. If it does not significantly interfere with process efficiency, special care will be taken to avoid reaching the regulatory triggers under these three federal programs.

I remember working at a facility that was planning on using aqueous ammonia to adjust the pH of a chemical manufacturing process. All of the lab work during product development used 20% aqueous ammonia for the formulation, the industry standard concentration. The CFATS program had used that concentration as part of the trigger for ammonia coverage under the program. The chemical distributor that we were using suggested that we should use a new product they were offering, 19% ammonia, so as to avoid CFATS coverage. We changed our formulations.

Regulatory Efficacy


Since the compliance costs incurred by reaching these regulatory triggers are significant, the question has to be asked: do facilities on either side (±1 lb) of the trigger inventory level present similar levels of risk after regulatory compliance has been achieved by the facilities passing the trigger amounts? Since the answer has to be ‘no’, how can we justify the use of these triggers?

For the EPA and OSHA regulations, the simple answer is that regulators had to have some method of separating the wheat from the chaff and this was the most expedient method of setting some sort of regulatory cutoff. The regulators established some measurable standard for risk assessment for each class of hazardous chemical, applied it to individual chemicals, and then rounded the results to some ‘reasonable’ number. No assessment of actual risk at individual facilities was attempted or even considered.

Until the CFATS program came along, this was considered to be the easiest and most efficient way of establishing regulatory limits. Fortunately, time passed, computer processing became more efficient and cheaper, and the internet expanded access to high-speed data communications. The crafters of the CFATS program used these changes to craft a regulatory program that actually attempted to measure the risk at individual facilities before determining whether or not there was sufficient risk at the facility to justify the added costs associated with a fairly extensive security management program. The program did continue to use triggers (and copied the triggers from the RMP/PSM programs where they were applicable), but those numbers only triggered a one-time, relatively inexpensive, reporting requirement that would provide the data necessary for the risk assessment process.

Re-Look at Triggers Required


Perhaps it is time that Congress directs the EPA and OSHA to take a hard look at modifying the RMP and PSM programs to include an actual risk assessment process that addresses whether individual facilities need to establish expensive compliance programs to protect the public (EPA RMP) and facility employees (OSHA PSM) from the chemical hazards found at that specific site. Triggers (possibly even the current triggers) would still be used, but they would trigger a reporting requirement similar to the CFATS Top Screen that would provide information to the respective agency to make the actual regulatory risk-assessment.

Bills Introduced – 04-26-18


With the House and Senate preparing to leave Washington for a week working in their home districts (House is in session today), there were 74 bills introduced yesterday. Of these, one may be of specific interest to readers of this blog:

S 2763 A bill to provide grants to State, local, territorial, and tribal law enforcement agencies to purchase chemical screening devices and train personnel to use chemical screening devices in order to enhance law enforcement efficiency and protect law enforcement officers. Sen. Brown, Sherrod [D-OH]

While I suspect that this bill may be a reaction to fentanyl exposure issues amongst law enforcement personnel, I will be watching to see if the definition of ‘chemical screening devices’ would include detectors that could warn officers of the presence of dangerous industrial chemicals.

House Amends HR 4 – FAA Authorization Act


The House started consideration of HR 4, the FAA Reauthorization Act of 2018, today. Amendments were taken in numerical order with a number of en bloc considerations. The last amendment considered this evening was #97.

Of the UAS amendments that I described in my earlier post, all have been adopted by voice votes. Amendments #25 and #26 were considered as part of en bloc #1. Amendment #47 was taken up on its own. And amendment #80 was taken up as part of en bloc #3.

The House will resume consideration of HR 4 on Friday morning (okay, technically that is this morning now).

Thursday, April 26, 2018

ICS-CERT Publishes 2 Advisories and Updates Meltdown Alert


Today the DHS ICS-CERT published two control system security advisories for products from WECON Technology and Delta Electronics. They also updated their control system security alert for the Meltdown/Spectre vulnerabilities.

WECON Advisory


This advisory describes a stack-based buffer overflow vulnerability in the WECON LEVI Studio HMI Editor and PI Studio HMI Project Programmer. The vulnerability was reported by Sergey Zelenyuk of RVRT and Michael DePlante of Leahy Center for Digital Investigation via the Zero Day Initiative (ZDI). WECON has a new version that mitigates the vulnerability. There is no indication that either researcher was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow remote code execution.

Delta Advisory


This advisory describes multiple stack-based buffer overflows (on a single CVE) in the Delta PMSoft, a software development tool for motion controllers. The vulnerabilities were reported by Ghirmay Desta via ZDI. Delta has a new version available that mitigates the vulnerability.

ICS-CERT reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to cause the application to crash; stack-based buffer overflow conditions may allow arbitrary code execution.
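The WECON and Delta advisories above both come down to the same bug class: a parser that trusts a length it read from an attacker-controlled project file and copies into a fixed stack buffer. The following is an added example, not code from WECON, Delta or ICS-CERT, showing that pattern in a generic record parser next to its hardened form. The record layout (a 2-byte little-endian length followed by a tag name) and the sample records are constructed for the illustration.

```c
/* Added example, not code from WECON, Delta or ICS-CERT: the stack-based
 * buffer overflow pattern behind advisories like the two above, shown in a
 * generic project-file record parser next to its hardened form. The record
 * layout (2-byte little-endian length, then a tag name) is hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32

/* Vulnerable form: trusts the length field embedded in the file and copies
 * that many bytes into a fixed-size stack buffer. A crafted record with a
 * length above NAME_MAX overwrites whatever sits above 'name' on the stack
 * (saved registers, return address). Shown for contrast only; it is never
 * called with a malformed record in this file. */
int parse_tag_vulnerable(const uint8_t *rec, size_t rec_len, char *out, size_t out_sz)
{
    char name[NAME_MAX];
    if (rec_len < 2) return -1;
    size_t n = rec[0] | (rec[1] << 8);
    memcpy(name, rec + 2, n);       /* no check of n against sizeof name or rec_len */
    name[n] = '\0';                 /* one more out-of-bounds write when n >= NAME_MAX */
    snprintf(out, out_sz, "%s", name);
    return 0;
}

/* Hardened form: the embedded length is checked against both the bytes
 * actually present in the record and the destination buffer before any copy. */
int parse_tag_safe(const uint8_t *rec, size_t rec_len, char *out, size_t out_sz)
{
    char name[NAME_MAX];
    if (rec_len < 2) return -1;
    size_t n = rec[0] | (rec[1] << 8);
    if (n >= sizeof name) return -1;   /* would not fit with its terminator */
    if (n > rec_len - 2) return -1;    /* claims more bytes than the record holds */
    memcpy(name, rec + 2, n);
    name[n] = '\0';
    snprintf(out, out_sz, "%s", name);
    return 0;
}

/* Constructed sample records: one well-formed, one truncated (claims 10 name
 * bytes but carries 3). The oversized one (claims and carries 40 bytes, enough
 * to run past a 32-byte stack buffer) is built in check_records(). */
static const uint8_t good_rec[] = { 0x05, 0x00, 'P', 'u', 'm', 'p', '1' };
static const uint8_t truncated_rec[] = { 0x0a, 0x00, 'A', 'B', 'C' };

/* Runs the hardened parser over the three records. Returns a bitmask:
 * bit 0 = good record parsed to "Pump1", bit 1 = oversized record rejected,
 * bit 2 = truncated record rejected; 7 means every check behaved. */
int check_records(void)
{
    char out[64];
    uint8_t oversized_rec[2 + 40];
    oversized_rec[0] = 40; oversized_rec[1] = 0;
    memset(oversized_rec + 2, 'A', 40);

    int result = 0;
    if (parse_tag_safe(good_rec, sizeof good_rec, out, sizeof out) == 0 &&
        strcmp(out, "Pump1") == 0)
        result |= 1;
    if (parse_tag_safe(oversized_rec, sizeof oversized_rec, out, sizeof out) == -1)
        result |= 2;
    if (parse_tag_safe(truncated_rec, sizeof truncated_rec, out, sizeof out) == -1)
        result |= 4;
    return result;
}

int main(void)
{
    char out[64];
    parse_tag_vulnerable(good_rec, sizeof good_rec, out, sizeof out); /* fine on well-formed input */
    printf("vulnerable parser on good record: %s\n", out);
    printf("hardened parser checks: %d (7 = all passed)\n", check_records());
    return 0;
}
```

The two checks in the hardened parser are independent: one bounds the copy by the destination, the other by the source. Dropping either leaves a bug, and the second one (length versus bytes actually present) is the one project-file parsers most often forget.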

Meltdown Update


This update provides new information on an alert that was originally published on January 11th, 2018 and updated on January 16th, 2018, January 17th, 2018, January 30th, 2018, February 20th, 2018, February 22nd, 2018 and again on March 1st, 2018. The update provides a link to a new vendor report from:


Not specifically mentioned in the update, but the current links also provide access to updated information from:

Siemens (which I mentioned Saturday); and

PHMSA Announces HAZMAT Safety Research Meeting – 05-16/17-18


Yesterday the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) published a meeting notice in the Federal Register (83 FR 18126) for a public Research and Development Forum that will be held May 16 and 17, 2018, in Washington, DC. The meeting will review recently completed projects, provide updates on on-going investigations and solicit public input on possible future activities.

The notice comments that the PHMSA Office of Hazardous Materials Safety (OHMS) is particularly interested in the research gaps associated with energetic materials characterization and transport, safe transport of energy products, safe containment and transportation of compressed gases, safe packaging and transportation of charge storage devices, and others. As part of this focus OHMS intends to address the safety gaps recently identified in a 2017 cooperative research report completed by the National Academy of Sciences titled “Safely Transporting Hazardous Liquids and Gases in a Changing U.S. Energy Landscape”.

Those gaps are identified in the ‘Recommendations’ section of the report. They include recommendations that PHMSA should:

• Consult with industry on developments impacting energy liquids and gas transportation and report annually on steps that are being taken to monitor and assess the risk implications of such developments (pg 118);
• Evaluate the utility of existing incident- and traffic-reporting data for the purpose of identifying and assessing public safety and environmental risks associated with transporting energy liquids and gases, and determine whether new and improved incident- and traffic-reporting systems are needed (pg 118);
• Encourage pipeline, barge, and rail carriers to make greater use of quantitative risk analysis tools to inform decisions about the routing of energy liquids and gases and about priorities for maintenance and integrity management of the equipment and infrastructure used (pg 119);
• Regularly and systematically assess the risk-reducing effects of the HHFT rule, perhaps starting with a review of the crash and thermal performance of the new DOT-117 tank car designs (pg 119);
• Seek to model the full array of factors that can give rise to and affect the severity of flammable liquids train crashes (pg 119); and
• Make a concerted effort to ensure that federal emergency preparedness grants are being used to meet the planning, training, and resource needs of communities that are facing new and unfamiliar risks as a result of the changes that have occurred in the routing and volume of energy liquids and gas shipments (pg 120).

The registration page indicates that there will be a small-group discussion breakout on the second day of the meeting. The groups have been identified as:

• Risk management and communication (electronic hazard communication, GHS and PHMSA HM communications, and emergency response);
• Emerging technologies and risk mitigation (energy products classification, energy products packaging, and batteries and fuel cells);
• Packaging integrity (bulk packaging and non-bulk packaging); and
• Technical analysis of risk (energetic materials and compressed gases)

The meeting will include provisions for attending via teleconference and on-line participation. Details on those processes will become available at some future date on the PHMSA Research and Development Branch web site.

Wednesday, April 25, 2018

Bills Introduced – 04-24-18

Yesterday, with both the House and Senate in session, there were 41 bills introduced. Of these, one may be of specific interest to readers of this blog:

S 2735 A bill to amend the Small Business Act to provide for the establishment of an enhanced cybersecurity assistance and protections for small businesses, and for other purposes. Sen. Risch, James E. [R-ID]

I will be watching this bill for the definitions it uses related to cybersecurity. If the bill specifically includes control system security issues in its coverage, then I will continue reporting on the bill. By the title, it looks like this may be a companion bill to HR 4668 which I am no longer following.

Rules Committee Approves Rule for HR 4, FAA Reauthorization Act


Last night the House Rules Committee held their scheduled meeting to formulate the rule for the consideration of HR 4, the FAA Reauthorization Act of 2018. The rule approved is a structured rule that will allow for consideration of 114 amendments from the floor during the debate on the bill. These included amendments on unmanned aircraft systems (UAS), cybersecurity and FEMA emergency response coordination.

UAS Amendments


There were 14 amendments approved that dealt with UAS operations and regulations. Of those there were four that may be of specific interest to readers of this blog:

# 25 - §3XX. Special rules for model aircraft;
# 26 - §45509. Exception for limited recreational operations of unmanned aircraft;
# 47 - §543. Prohibition regarding weapons;
# 80 - §XXX. Applications for designation;

Amendments # 25 and # 26 address issues related to the non-commercial operation of hobby UAS. They would provide for similar limitations on rulemakings on such hobby aircraft; updating the existing limitations provided by §336 of the FAA Modernization and Reform Act of 2012 (PL 112-95). Both would specifically authorize the existing FAA rule on registering operators of hobby UAS.

Amendment # 47 would prohibit the operation of “an unmanned aircraft or unmanned aircraft system that is equipped or armed with a dangerous weapon” {§543(a)}. The definition of the term ‘dangerous weapon’ is taken from 18 USC 930(g)(2). That definition is very expansive and could be argued to include a UAS if used in an attack. Violation of the provisions of this amendment would be subject to a $25,000 civil penalty.

Amendment # 80 would amend §2209 of the FAA Extension, Safety, and Security Act of 2016 (PL 114-190; 130 STAT. 634). It would add “railroad facilities” {§XXX(1)} to the list of facilities in §2209(b)(2)(c) that can petition to have the FAA restrict the operations of UAS near their facility. It would also require the FAA to initiate a rulemaking to implement §2209 by the end of this year and to complete the rulemaking within one year.

Cybersecurity Amendment


There are two cybersecurity amendments that were approved for floor consideration; neither would be of specific interest to readers of this blog. I will, however, mention one in passing: amendment #98 [Corrected from #97, 4-26-18, 2357 EDT]. This amendment would require that the FAA submit to Congress “a report that contains a cybersecurity and artificial intelligence standards plan for Federal Aviation Administration operations that takes into consideration the influence of cybersecurity on artificial intelligence and of artificial intelligence on cybersecurity”.

Emergency Response Coordination


There are a couple of amendments that would modify Title VI, the Disaster Recovery Reform Act, of the bill. One of those may be of specific interest to readers of this blog. Amendment # 111 would add a new section to the bill: §637 - Guidance and training by FEMA on coordination of emergency response plans.

This new section would require FEMA to “provide guidance and training on an annual basis to State, local, and Tribal governments, first responders, and facilities that store hazardous materials on coordination of emergency response plans in the event of a major disaster or emergency, including severe weather events” {§637(a)}. That guidance and training would include:

• Providing a list of equipment required in the event a hazardous substance is released into the environment;
• Outlining the health risks associated with exposure to hazardous substances to improve treatment response;
• Publishing best practices for mitigating further danger to communities from hazardous substances.

Moving Forward


The resolution approving the rule will probably be considered today. The actual consideration of HR 4 could begin this evening. With the number of amendments being considered (even with some en bloc groupings) the bill will not be completed any earlier than tomorrow evening. I expect that the bill will pass with substantial bipartisan support.

Commentary


The two ‘model aircraft’ amendments are going to be problematic for the FAA if adopted. Individually, each adds a probably necessary level of complexity to the current regulation of UAS. I am surprised that the Committee allowed for the consideration of both of these amendments. While not contradictory, they do take different approaches to the regulatory scheme. If both pass (a distinct possibility) the FAA will have additional problems (on top of the complex problems associated with regulating UAS operations) meeting the requirements of both amendments.

Amendment #80 presents an interesting look at one of the specific levels of complexity in the regulation of UAS. The §2209 provisions enacted over two years ago allow the FAA to designate air space around certain types of critical infrastructure as restricted air space. Unfortunately, the tools available to monitor (much less control) access to that airspace are ineffective at best. Furthermore, enforcement of that restriction (even the basic identification of the offenders) would run afoul of a number of other federal laws and regulations that have yet to be addressed (see my discussion here).

The FEMA amendment is an excellent example of congresscritters trying to do something good but failing miserably because of a total lack of comprehension of the complexity of the problem being addressed. I would certainly love to see FEMA address the issue of coordination of emergency action plans for hazardous material facilities, but this amendment is not the way to accomplish that goal.

Since each class of hazardous substances (and frequently each specific hazardous substance) requires a different type of response and mitigation response, it is effectively impossible for FEMA to complete the requirements of the proposed §637 in any detail. A document already exists that provides general guidance (the PHMSA Emergency Response Guidebook), but as anyone familiar with the document knows, the guides provided are very generic and lack any real specificity.

FEMA already has a number of training programs available that address bits and pieces of the requirements in the amendment. To completely comply with even a basic interpretation of the broadly written requirements would, however, break the bank at FEMA and endanger their entire training program. To meet these requirements FEMA would need a massive infusion of funds and personnel.

ICS-CERT Publishes 4 Advisories and 2 Siemens Updates


Yesterday the DHS ICS-CERT published three control system security advisories for products from Advantech, Intel and Vecna. They published a medical device security advisory for products from Becton, Dickinson and Company (BD). They also updated two control system security advisories previously published for products from Siemens. I have previously reported these two updates (here and here).

Advantech Advisory


This advisory describes three vulnerabilities in the Advantech WebAccess HMI Designer. The vulnerabilities were reported by Steven Seeley of Source Incite through the Zero Day Initiative. No mitigation measures have yet been provided.

The three reported vulnerabilities are:

• Heap-based buffer overflow - CVE-2018-8833;
• Double free - CVE-2018-8835; and
• Out-of-bounds write - CVE-2018-8837.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to execute arbitrary code.

Intel Advisory


This advisory describes a classic buffer overflow vulnerability in the Intel 2G modem products. The vulnerability was reported by Dr. Ralf-Philipp Weinmann and Dr. Nico Golde from Comsecuris. Intel is making firmware updates available to device manufacturers that protect systems from this vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The Intel advisory notes that: “The vulnerability affects Intel® 2G Modem products where the Earthquake Tsunami Warning System (ETWS) feature is enabled in Modem firmware.”

ICS-CERT reports that an uncharacterized attacker could remotely exploit this vulnerability to allow remote code execution.

It will be interesting to see if ICS-CERT provides us a list of the affected vendors as they update their products with the new Intel firmware. Given that this is Intel, I suspect that the list of affected vendors could be extensive.

Vecna Advisory


This advisory describes two vulnerabilities in the Vecna VGo Robot, a mobile robotic assistant. The vulnerabilities were reported by Dan Regalado from Zingbox. Vecna has released an update that mitigates the vulnerabilities. There are no indications that Regalado has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• OS command injection - CVE-2018-8866; and
• Clear transmission of sensitive information - CVE-2018-8860

ICS-CERT reports that a relatively low-skilled attacker on an adjacent network could exploit these vulnerabilities to capture firmware updates from network traffic and to achieve remote code execution.

BD Advisory


This advisory describes the KRACK vulnerabilities in the BD Pyxis Products. BD is reporting being affected by 9 of the 10 reported KRACK vulnerabilities (not reporting - CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake). BD has implemented third-party vendor patches through BD's routine patch deployment process that resolves these vulnerabilities for most devices. The BD advisory notes that for three of the affected products coordination with customers is necessary to properly deploy patches and that they are contacting the affected customers.

SIMATIC Update


This update provides new information on an advisory that was originally published on March 29th, 2018. The update provides new affected version information and mitigation measures for SIMATIC BATCH V8.0 and V8.1.

SCALANCE Update


This update provides new information on an advisory that was originally published on November 14th, 2017 and updated on December 5th, 2017, December 19th, 2017 and again on January 25th, 2018. The update provides new affected version information and mitigation measures for SCALANCE W1750D.

Tuesday, April 24, 2018

ISCD Publishes Two New FAQs


Today the DHS Infrastructure Security Compliance Division (ISCD) published two new (mainly) frequently asked questions (FAQs) on their Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. The responses to both FAQs are videos that run about 8 minutes each.

The two new FAQs are:

#1790 What is CFATS?
#1791 What are Reportable Chemicals?

Sharp eyed readers will recognize that ISCD attempted to publish the second FAQ last Friday but had problems with the video. As I reported earlier (as an addendum to the initial post) the FAQ came down yesterday. Today the FAQ was republished (with today’s date as the ‘date published’) and the videos for both FAQs work.

I am not a big fan of video tutorials, but that probably has more to do with my age than the efficacy of the medium. Both videos are fairly typical of the quality one expects to see on video tutorials on YouTube. That is not a criticism, just a statement on the lack of “professional production values” folks of my era would expect to see in a training film.

Monday, April 23, 2018

Committee Hearings – Week of 04-22-18


With both the House and Senate in Washington this week things start to get busy before the primary season starts to make Congress really political. In addition to marking up the FY 2019 National Defense Authorization bill and budget hearings, we have three hearings that may be of potential interest to readers of this blog: HR 4 and cybersecurity.

NDAA Markup

The introduced version of HR 5515, the National Defense Authorization Act for Fiscal Year 2019 was published last week. It has a number of large holes in it that will be filled this week by subcommittee markups. The full Armed Services Committee will not finish the markup process until the House comes back from their spring break the week after next. These two subcommittee hearings may be of specific interest:

April 26th, Readiness Subcommittee;

Budget

There are still a number of hearings being held looking at the President’s proposed budget. This week there is only one that may be of specific interest here:

April 26th, DHS, House Homeland Security;

HR 4 Rule


As I mentioned over the weekend, the House Rules Committee will be holding a hearing on Tuesday to formulate the rule for the consideration of HR 4, the FAA Reauthorization Act of 2018, later this week. Two hundred and thirty-one proposed amendments have been submitted to the Committee for possible consideration on the floor of the House; the vast majority will not make it. Fourteen of those amendments deal with unmanned aircraft systems and two deal with cybersecurity issues. A large number of the rest deal with airport noise issues, a perennial concern of congresscritters. The bill will probably make it to the floor on Thursday.

Cybersecurity


On Tuesday the Senate Homeland Security and Governmental Affairs Committee will hold a hearing on “Mitigating America’s Cybersecurity Risk”. The witness list includes:

• Jeanette Manfra, DHS;
• Gregory C. Wilshusen, GAO; and
• Eric Rosenbach, Harvard University

This hearing could go one of two ways; most likely a look at cybersecurity issues in the Federal government (always a problem), or it could look at the cybersecurity concerns in critical infrastructure that we have been hearing about in the mainstream news. In either case it will likely be a high-level policy type discussion rather than focusing in-depth on any actual security issues.

Sunday, April 22, 2018

HR 4 Introduced – FAA Reauthorization


Earlier this month Rep. Shuster (R,PA) introduced HR 4, the FAA Reauthorization Act of 2018. The bill includes a number of provisions that address unmanned aircraft system (UAS) operations and aviation cybersecurity.

UAS Provisions


The bill addresses UAS issues in two separate sub-titles: Sub-Title B of Title 3 and Sub-Title C of Title 7. Between these two sub-titles there are 17 separate sections addressing a wide variety of UAS topics. Of those, the following may be of specific interest to readers of this blog:

§337. Evaluation of aircraft registration for small unmanned aircraft;
§338. Study on roles of governments relating to low-altitude operation of small unmanned aircraft;
§341. Cooperation related to certain counter-UAS technology.

Section 337 of the bill requires FAA to “develop and track metrics to assess compliance with and effectiveness of the registration of small unmanned aircraft systems” {§337(a)} required by the interim final rule published in December of 2015. It would also require the DOT Inspector General to report to Congress on both the metric development required and the overall “reliability, effectiveness, and efficiency of the Administration’s registration program for small unmanned aircraft” {§337(b)(2)}.

Section 338 of the bill requires the DOT Inspector General to begin a study of “the regulation and oversight of the low-altitude operations of small unmanned aircraft and small unmanned aircraft systems” {§338(a)(1)} and the appropriate roles of Federal, State, local, and Tribal governments in regulating UAS operations below 400 ft above ground level (AGL). An obligatory report to Congress is required.

Section 341 of the bill would require DOT to consult with DOD about efforts to streamline the deployment of systems “in the national airspace system intended to mitigate threats posed by errant or hostile unmanned aircraft system operations”.

Cybersecurity Provisions


The cybersecurity sub-title includes six sections. Of these, the following three sections may be of specific interest to readers of this blog:

§732. Cabin communications, entertainment, and information technology systems cybersecurity vulnerabilities.
§733. Cybersecurity threat modeling.
§736. Cybersecurity research and development program.

Section 732 would require the FAA to “determine the research and development needs associated with cybersecurity vulnerabilities of cabin communications, entertainment, and information technology systems on civil passenger aircraft” {§732(a)}. Those R&D needs would include an assessment of:

• Technical risks and vulnerabilities;
• Potential impacts on the national airspace and public safety; and
• Identification of deficiencies in cabin-based cybersecurity.

Section 733 would require the FAA, in consultation with the National Institute of Standards and Technology, to “develop an internal FAA cybersecurity threat modeling program to detect cybersecurity vulnerabilities, track how those vulnerabilities might be exploited, and assess the magnitude of harm that could be caused by the exploitation of those vulnerabilities” {§733(a)(1)}.

Section 736 would require the FAA to “establish a research and development program to improve the cybersecurity of civil aircraft and the national airspace system” {§737(a)}. In support of that program the FAA would be required to establish a plan to implement that program. The plan would include objectives, proposed tasks, milestones, and a 5-year budgetary profile. The FAA would also be required to commission a National Academies study of that plan.

Moving Forward


This bill is scheduled to be considered by the House this week. The House Rules Committee will hold a hearing on Tuesday to prepare the rule for the consideration of the bill. There have been 231 proposed amendments to the bill submitted to the Committee for consideration. These amendments include a number that address either UAS or cybersecurity provisions.

I suspect that we will have a managed rule for this bill that will include a relatively small number of those amendments. I suspect that the bill will pass with at least some bipartisan support. This is one of those ‘must pass’ bills that Congress has to deal with every year. We have not yet seen a Senate version of the bill, but the Senate will take up their own version of the bill which typically means that a conference committee will have to be convened to work out the differences between the two versions.

Commentary


I am more than a little concerned that this bill addresses (§341) the deployment of weapon systems to mitigate the threat of UAS systems without addressing the legal issues associated with interfering with the operation of aircraft. While the bill does not specifically mention weapons, the vague phrase “systems in the national airspace system intended to mitigate threats” can only refer to weapons. Whether those weapons conduct physical attacks to destroy the UAS or electronic attacks to cause the UAS to crash (any landing outside of the control of the pilot/operator is a crash, controlled or otherwise), the systems employed are still weapons.

See my discussion of HR 5366 to see the extent of the legal complications that are apparently being ignored in this section.

ISCD Updates SSP Instruction Manual – 04-12-18


Earlier this week the DHS Infrastructure Security Compliance Division (ISCD) published a link to a new version of their Security Vulnerability Assessment (SVA) – Site Security Plan (SSP) Instructions manual on the SVA-SSP manual web site. This manual explains the questions asked in the SVA-SSP portion of the Chemical Security Assessment Tool (CSAT) for the Chemical Facility Anti-Terrorism Standards (CFATS) program.


As has become the standard for CSAT manuals, ISCD has stopped including version numbers and explanations of the changes made in this new version. A quick review of the Table of Contents and a random check of pages seems to indicate that the changes made to this manual are minor changes in explicatory language rather than policy or substantive changes in processes. Even so, Facility Security Managers will want to have the newest version of the manual on hand.

The last time this manual was updated was March of last year.

NIST Publishes CSF v1.1


Earlier this week the National Institute of Standards and Technology announced the release of version 1.1 of their Cybersecurity Framework (CSF). According to the CSF web page, this new version includes updates on:

• Authentication and identity;
• Self-assessing cybersecurity risk;
• Managing cybersecurity within the supply chain; and
• Vulnerability disclosure.

An accompanying fact sheet outlines the three components of the CSF and summarizes the key points about the newest version of the CSF:

• Refined for clarity, it’s fully compatible with v1.0 and remains flexible, voluntary, and cost-effective;
• Declares applicability for "technology," which is minimally composed of Information Technology, operational technology, cyber-physical systems, and Internet of Things;
• Clarifies utility as a structure and language for organizing and expressing compliance with an organization’s own cybersecurity requirements;
• Enhances guidance for applying the Cybersecurity Framework to supply chain risk management;
• Summarizes the relevance and utility of Cybersecurity Framework measurement for organizational self-assessment; and
• Better accounts for authorization, authentication, and identity proofing.

Vulnerability disclosure is addressed in a new sub-category (#5) in Respond – Analysis (pg 42). That subcategory notes that:

“Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)”

The references for that sub-category are listed as:

CIS CSC 4, 19;
COBIT 5 EDM03.02, DSS05.07; and
NIST SP 800-53 Rev. 4 SI-5, PM-15

Saturday, April 21, 2018

Public ICS Disclosures – Week of 04-14-18


This week we have four new vendor reported vulnerabilities (all from ABB) and two vendor updates of previously disclosed vulnerabilities (both from Siemens).

Industrial Products Spectre and Meltdown Update


This update provides new mitigation information (for SIMATIC IPC427D, SIMATIC IPC477D, SIMATIC FieldPG M4) on the previously reported Spectre and Meltdown vulnerabilities in Siemens Industrial Products. The Industrial Products vulnerability was reported in the ICS-CERT Meltdown and Spectre Vulnerabilities Alert, but ICS-CERT does not issue an update for multivendor products when listed product advisories are updated.

To be fair, the link in the latest version of the ICS-CERT alert does take you to the latest version of the Siemens advisory, but you have no way of knowing that new information is available just by looking at the ICS-CERT alert. This is an ongoing issue for all ICS-CERT alerts/advisories covering multiple vendor vulnerabilities.

SIMATIC Denial of Service Vulnerability Update


This update provides new mitigation information (for SIMATIC BATCH V8.0 and V8.1) on the previously reported denial of service vulnerability in the Siemens SIMATIC product line. I am not sure why ICS-CERT did not update their advisory for this product on Thursday when they updated the SIMATIC IPC advisory that was released the same day.

Relion 630 Series Advisory #1


This advisory describes a weak database encryption vulnerability in the ABB Relion 630 Series relays. This vulnerability was privately reported to ABB. ABB has no plans of corrective measures for this specific issue in the affected products.

ABB reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerability to delete or modify the database. Removing or modifying the database will make the device inoperable. ABB notes that the database contains cross reference data for faster indexing and searching and does not contain any secret information.

Relion 630 Series Advisory #2


This advisory describes a path traversal vulnerability in the IEC 61850 Manufacturing Message Specification (MMS) implementation in the ABB Relion 630 Series relays. The vulnerability was privately reported to ABB. ABB has new versions that mitigate the vulnerability.

ABB reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerability to retrieve any file on the device’s flash drive without authentication on the device or make the product inoperative by deleting files from the device’s flash drive.

It is not clear if this is a problem that is unique to ABB implementation of the IEC 61850 MMS or whether it may apply to other vendor devices as well.

Relion 630 Series Advisory #3


This advisory describes a terminal reboot vulnerability in the SPA communications protocol in the ABB Relion 630 Series relays. The vulnerability was privately reported to ABB. ABB has new versions that mitigate the vulnerability.

ABB reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerability to reboot the device resulting in a denial of service situation. During the reboot phase, the primary functionality of the device is not available.

PCM600 and SAB600 Advisory


This advisory describes multiple vulnerabilities in the Sentinel HASP Runtime Environment in the ABB PCM600 and SAB600 substation management devices. These vulnerabilities are apparently the Gemalto license management problems reported by Kaspersky Labs; ABB is reporting only four of the fourteen Gemalto vulnerabilities. ABB has new versions that mitigate the vulnerabilities.

ABB reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerability to cause a buffer overflow. Buffer overflows may allow remote attackers to execute arbitrary code or to shut down the remote process (a denial of service).

Friday, April 20, 2018

ISCD Adds New FAQ to CFATS Knowledge Center


Today the DHS Infrastructure Security Compliance Division (ISCD) posted a new frequently asked question (FAQ) to their Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center web site. The new FAQ (#1791) asks: “What are Reportable Chemicals?” The answer is supposed to be a ‘video tutorial’, but the FAQ response does not actually show the video. If you right-click on the video box and copy the video address and then paste that into your browser you get (actually, I get; I don’t know what you will see) the following error message:

“Communication Error (tcp_error)

RP1a A communication error occurred: ""
The Web Server may be down, too busy, or experiencing other problems preventing it from responding to requests. You may wish to try again at a later time.”

The idea of using a video to explain regulatory issues fits in with the times as the YouTube generation seems to prefer getting information from videos rather than reading explanatory documents. Unfortunately, ISCD appears to be having some technical issues with embedding the video in their FAQ response. Perhaps they should have put the video on the DHS YouTube channel and then just provided a link to the video.

NOTE: As of 9:50 pm EDT on 4-23-18 this FAQ is no longer on the CFATS Knowledge Center. It was apparently taken down some time today.

House Subcommittee Marks-Up Energy Security Bills


On Wednesday the Subcommittee on Energy, of the House Committee on Energy and Commerce, held a markup hearing on five energy bills. Four of the bills have been covered in this blog and those bills passed on voice votes; two of them were amended with substitute language from the original offerors. The four bills that have been addressed in this blog are:

HR 5174, Energy Emergency Leadership Act;
HR 5175, Pipeline and LNG Facility Cybersecurity Preparedness Act (amended);
HR 5239, Cyber Sense Act (amended); and
HR 5240, Enhancing Grid Security through Public-Private Partnerships Act

HR 5175 Changes


The one change made to HR 5175 in the substitute language is relatively minor. It adds a phrase to §2(1) to expand the coordination requirement by adding: “including through councils or other entities engaged in sharing, analysis, or sector coordinating”.

HR 5239 Changes


The changes to HR 5239 are mainly grammatical and would have little to do with the operation of the Cyber Sense program that is proposed by this bill. There is one potentially significant change; §2(b)(7) from the original bill was removed. That paragraph had provided a requirement for the Secretary of Energy to “establish procedures for disqualifying products that were tested and identified as cyber-secure under the Cyber Sense program but that no longer meet the qualifications to be identified cyber-secure products”. There is nothing in the revised program that would prohibit that disqualification.

Moving Forward


The bipartisan support received in the subcommittee will almost certainly be duplicated when these bills are taken up by the whole committee. The question then will be to see if the sponsors and the Committee leadership have enough influence (or are willing to expend the effort to influence) to bring these bills before the full House. I firmly expect that we will see some version of these bills reach the floor under the suspension of the rules procedure in the House. Again, that means limited debate and no floor amendments. I would not be surprised to see all five bills considered on a single day.

Commentary


The removal of the language in HR 5239 providing for the establishment of a process to disqualify products that no longer meet the Cyber Sense standards brings up an interesting legal situation. As I said earlier, there is nothing in the bill that would specifically prohibit the Secretary from establishing such rules. But, having said that, a good lawyer could argue before a friendly judge that the removal of the specific authority to establish such a disqualification process from the language in the bill establishes a congressional intent that such authority can no longer be exercised by the Secretary absent specific authorization by Congress.

What this very well could end up meaning is that once a vendor becomes authorized to use the ‘Cyber Sense’ label on their product, they will no longer have to work to maintain the ‘Cyber Sense’ standards because the Secretary would not have the authority to require the vendor to remove the ‘Cyber Sense’ labeling. If vendor flouting of the ‘Cyber Sense’ standards becomes widespread, the efficacy of the whole program would be called into question, destroying the process.

If this problem is to be addressed, it will almost certainly have to be done during the Energy and Commerce mark-up hearing that will probably be conducted in the next couple of weeks. After that, if the bill moves forward, it would almost certainly be under processes in both the House and Senate that would not allow for amendments to the bill from the floor.

OMB Receives Anti-Kaspersky FAR Rule for Review


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received for review an interim final rule for a Federal Acquisition Regulation (FAR) on the use of products or services from Kaspersky Labs. This rulemaking was not included in the Fall 2017 Unified Agenda.

This is probably a rule implementing the requirements of §1634 of HR 2810, the National Defense Authorization Act for Fiscal Year 2018. That bill was signed into law on December 12th, 2017 (PL 115-91, not yet printed), which would explain why this rule did not make the last Unified Agenda.

That section would prohibit any “department, agency, organization, or other element of the Federal Government” from using “any hardware, software, or services developed or provided, in whole or in part, by” {§1634(a)} Kaspersky Labs. The effective date of that prohibition is October 1st, 2018 which is undoubtedly the reason for going the ‘interim final rule’ route.

CG Sends TWIC Reader Rule Delay to OMB


Earlier this week the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a proposed rule from the Coast Guard that would delay the implementation of the TWIC Reader Rule. This rulemaking was not included in the Fall 2017 Unified Agenda so there are little or no details publicly available. The final rule for the TWIC Reader was published in 2016. The effective date is August 23, 2018.

While the Trump Administration has established a firm reputation for delaying the implementation of Obama Administration regulations, particularly those finalized in the closing months of that Administration, this action would appear to be something a tad bit different. This rulemaking was years in development and specifically required by law, so it clearly is not an Obama policy legacy.

It will be interesting to see what justification the Coast Guard is using to delay the implementation of this rule.

Thursday, April 19, 2018

ICS-CERT Publishes Advisory and Three Updates for Siemens Products

Today the DHS ICS-CERT published one new control system security advisory for products from Siemens. They also provided updates for three previously published Siemens control system security advisories.

Siemens Advisory


This advisory describes a file and directory information exposure vulnerability in the Siemens Simatic WinCC OA iOS App. The vulnerability was reported by Alexander Bolshev of IOActive and Ivan Yushkevich of Embedi. Siemens has identified workarounds to mitigate the vulnerability. There is no indication that either researcher was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that an uncharacterized attacker with physical access to the mobile device could exploit the vulnerability to read sensitive data located in the app’s directory.

SIMATIC Update


This update provides additional information on an advisory that was originally published on March 18th, 2018. The update provides links to the updates for all of the affected products.

SIPROTEC Update #1


This update provides additional information on an advisory that was originally published on March 8th, 2018. The ICS-CERT update provided a link to the updated version of the EN100 Ethernet module DNP3 variant with additional mitigation measures. The Siemens update also provided corrected affected version information on the same product.

SIPROTEC Update #2


This update provides additional information on an advisory that was originally published on March 8th, 2018. The ICS-CERT update provided a link to the updated version of the EN100 Ethernet module DNP3 variant with additional mitigation measures. The Siemens update also provided corrected affected version information on the same product.