Sunday, April 22, 2018

NIST Publishes CSF v1.1


Earlier this week the National Institute of Standards and Technology (NIST) announced the release of version 1.1 of their Cybersecurity Framework (CSF). According to the CSF web page, this new version includes updates on:

• Authentication and identity;
• Self-assessing cybersecurity risk;
• Managing cybersecurity within the supply chain; and
• Vulnerability disclosure.

An accompanying fact sheet outlines the three components of the CSF and summarizes the key points about the newest version of the CSF:

• Refined for clarity, it’s fully compatible with v1.0 and remains flexible, voluntary, and cost-effective;
• Declares applicability for "technology," which is minimally composed of Information Technology, operational technology, cyber-physical systems, and Internet of Things;
• Clarifies utility as a structure and language for organizing and expressing compliance with an organization’s own cybersecurity requirements;
• Enhances guidance for applying the Cybersecurity Framework to supply chain risk management;
• Summarizes the relevance and utility of Cybersecurity Framework measurement for organizational self-assessment; and
• Better accounts for authorization, authentication, and identity proofing.

Vulnerability disclosure is addressed in a new sub-category (#5, RS.AN-5) under Respond – Analysis (pg 42). That subcategory notes that:

“Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)”

The references for that sub-category are listed as:

CIS CSC 4, 19;
COBIT 5 EDM03.02, DSS05.07; and
NIST SP 800-53 Rev. 4 SI-5, PM-15


Saturday, April 21, 2018

Public ICS Disclosures – Week of 04-14-18


This week we have four new vendor reported vulnerabilities (all from ABB) and two vendor updates of previously disclosed vulnerabilities (both from Siemens).

Industrial Products Spectre and Meltdown Update


This update provides new mitigation information (for SIMATIC IPC427D, SIMATIC IPC477D, SIMATIC FieldPG M4) on the previously reported Spectre and Meltdown vulnerabilities in Siemens Industrial Products. The Industrial Products vulnerability was reported in the ICS-CERT Meltdown and Spectre Vulnerabilities Alert, but ICS-CERT does not issue an update for multivendor products when listed product advisories are updated.

To be fair, the link in the latest version of the ICS-CERT alert does take you to the latest version of the Siemens advisory, but you have no way of knowing that new information is available just by looking at the ICS-CERT alert. This is an ongoing issue for all ICS-CERT alerts/advisories covering multiple vendor vulnerabilities.

SIMATIC Denial of Service Vulnerability Update


This update provides new mitigation information (for SIMATIC BATCH V8.0 and V8.1) on the previously reported denial of service vulnerability in the Siemens SIMATIC product line. I am not sure why ICS-CERT did not update their advisory for this product on Thursday when they updated the SIMATIC IPC advisory that was released the same day.

Relion 630 Series Advisory #1


This advisory describes a weak database encryption vulnerability in the ABB Relion 630 Series relays. This vulnerability was privately reported to ABB. ABB has no plans for corrective measures for this specific issue in the affected products.

ABB reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerability to delete or modify the database. Removing or modifying the database will make the device inoperable. ABB notes that the database contains cross reference data for faster indexing and searching and does not contain any secret information.

Relion 630 Series Advisory #2


This advisory describes a path traversal vulnerability in the IEC 61850 Manufacturing Message Specification (MMS) implementation in the ABB Relion 630 Series relays. The vulnerability was privately reported to ABB. ABB has new versions that mitigate the vulnerability.

ABB reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerability to retrieve any file on the device’s flash drive without authentication on the device or make the product inoperative by deleting files from the device’s flash drive.

It is not clear if this is a problem that is unique to ABB’s implementation of the IEC 61850 MMS file services or whether it may apply to other vendor devices as well.
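The defect class behind this advisory is a client-supplied file name being joined to the device’s storage root without confinement, so a name such as “../etc/passwd” walks out of the intended directory. The following Python is an added example, not ABB’s MMS code or any vendor’s implementation: it places a naive resolver beside a hardened one so the difference is visible on constructed request names. The “/flash” root and the sample file names are assumptions made for the illustration.

```python
"""Path-traversal guard for a device file service (illustrative example).

Added example, not the ABB Relion implementation. It contrasts a naive
root-join (the vulnerable pattern a path-traversal advisory describes)
with a resolver that refuses any name that does not stay under the root.
The storage root and request names below are constructed for the demo.
"""
import posixpath
from typing import List, Optional, Tuple

# Assumed storage root; a real device would use its flash mount point.
FLASH_ROOT = "/flash"


def vulnerable_resolve(root: str, requested: str) -> str:
    """Naive join: '..' segments or an absolute name escape the root."""
    return posixpath.normpath(posixpath.join(root, requested))


def hardened_resolve(root: str, requested: str) -> Optional[str]:
    """Return an absolute path under root, or None if the request escapes it.

    The name is treated as relative regardless of a leading '/', then the
    normalised result is checked to be the root itself or a child of it.
    """
    if "\x00" in requested:          # embedded NUL would truncate in C code
        return None
    relative = requested.lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, relative))
    root_norm = posixpath.normpath(root)
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate


def escapes_root(root: str, path: str) -> bool:
    """True when a resolved path lies outside root (used to flag the naive result)."""
    root_norm = posixpath.normpath(root)
    return not (path == root_norm or path.startswith(root_norm + "/"))


# Constructed sample requests: one legitimate, three traversal attempts.
SAMPLE_REQUESTS = [
    "config/settings.cfg",
    "../etc/passwd",
    "/etc/shadow",
    "logs/../../../etc/shadow",
]


def triage(requests: List[str] = SAMPLE_REQUESTS) -> List[Tuple[str, str, bool, Optional[str]]]:
    """For each request: (name, naive result, naive escapes root?, hardened result)."""
    rows = []
    for name in requests:
        naive = vulnerable_resolve(FLASH_ROOT, name)
        rows.append((name, naive, escapes_root(FLASH_ROOT, naive), hardened_resolve(FLASH_ROOT, name)))
    return rows


if __name__ == "__main__":
    for name, naive, escaped, safe in triage():
        print(f"{name!r:32} naive={naive!r:20} escapes={escaped!s:5} hardened={safe!r}")
```

The check is purely lexical; on a real filesystem the same resolver should also be applied to the real (symlink-resolved) path, and the identical gate belongs in front of delete and write operations, since the advisory notes that deleting files is the second impact of the same flaw.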

Relion 630 Series Advisory #3


This advisory describes a terminal reboot vulnerability in the SPA communications protocol in the ABB Relion 630 Series relays. The vulnerability was privately reported to ABB. ABB has new versions that mitigate the vulnerability.

ABB reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerability to reboot the device resulting in a denial of service situation. During the reboot phase, the primary functionality of the device is not available.

PCM600 and SAB600 Advisory


This advisory describes multiple vulnerabilities in the Sentinel HASP Runtime Environment in the ABB PCM600 and SAB600 substation management devices. These vulnerabilities are apparently the Gemalto license management problems reported by Kaspersky Labs; ABB is reporting only four of the fourteen Gemalto vulnerabilities. ABB has new versions that mitigate the vulnerabilities.

ABB reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerability to cause a buffer overflow. Buffer overflows may allow remote attackers to execute arbitrary code or to shut down the remote process (a denial of service).

Friday, April 20, 2018

ISCD Adds New FAQ to CFATS Knowledge Center


Today the DHS Infrastructure Security Compliance Division (ISCD) posted a new frequently asked question (FAQ) to their Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center web site. The new FAQ (#1791) asks: “What are Reportable Chemicals?” The answer is supposed to be a ‘video tutorial’, but the FAQ response does not actually show the video. If you right-click on the video box and copy the video address and then paste that into your browser you get (actually, I get; I don’t know what you will see) the following error message:

“Communication Error (tcp_error)

RP1a A communication error occurred: ""
The Web Server may be down, too busy, or experiencing other problems preventing it from responding to requests. You may wish to try again at a later time.”

The idea of using a video to explain regulatory issues fits in with the times as the YouTube generation seems to prefer getting information from videos rather than reading explanatory documents. Unfortunately, ISCD appears to be having some technical issues with embedding the video in their FAQ response. Perhaps they should have put the video on the DHS YouTube channel and then just provided a link to the video.

House Subcommittee Marks-Up Energy Security Bills


On Wednesday the Subcommittee on Energy, of the House Committee on Energy and Commerce, held a markup hearing on five energy bills. Four of the bills have been covered in this blog and those bills passed on voice votes; two of them were amended with substitute language from the original sponsors. The four bills that have been addressed in this blog are:

HR 5174, Energy Emergency Leadership Act;
HR 5175, Pipeline and LNG Facility Cybersecurity Preparedness Act (amended);
HR 5239, Cyber Sense Act (amended); and
HR 5240, Enhancing Grid Security through Public-Private Partnerships Act

HR 5175 Changes


The one change made to HR 5175 in the substitute language is relatively minor. It adds a phrase to §2(1) to expand the coordination requirement by adding: “including through councils or other entities engaged in sharing, analysis, or sector coordinating”.

HR 5239 Changes


The changes to HR 5239 are mainly grammatical and would have little to do with the operation of the Cyber Sense program that is proposed by this bill. There is one potentially significant change; §2(b)(7) from the original bill was removed. That paragraph had provided a requirement for the Secretary of Energy to “establish procedures for disqualifying products that were tested and identified as cyber-secure under the Cyber Sense program but that no longer meet the qualifications to be identified cyber-secure products”. There is nothing in the revised program that would prohibit that disqualification.

Moving Forward


The bipartisan support received in the subcommittee will almost certainly be duplicated when these bills are taken up by the whole committee. The question then will be to see if the sponsors and the Committee leadership have enough influence (or are willing to expend the effort to influence) to bring these bills before the full House. I firmly expect that we will see some version of these bills reach the floor under the suspension of the rules procedure in the House. Again, that means limited debate and no floor amendments. I would not be surprised to see all five bills considered on a single day.

Commentary


The removal of the language in HR 5239 providing for the establishment of a process to disqualify products that no longer meet the Cyber Sense standards brings up an interesting legal situation. As I said earlier, there is nothing in the bill that would specifically prohibit the Secretary from establishing such rules. But, having said that, a good lawyer could argue before a friendly judge that the removal of the specific authority to establish such a disqualification process from the language in the bill establishes a congressional intent that such authority can no longer be exercised by the Secretary absent specific authorization by Congress.

What this very well could end up meaning is that once a vendor becomes authorized to use the ‘Cyber Sense’ label on their product, they will no longer have to work to maintain the ‘Cyber Sense’ standards because the Secretary would not have the authority to require the vendor to remove the ‘Cyber Sense’ labeling. If vendor flouting of the ‘Cyber Sense’ standards becomes widespread, the efficacy of the whole program would be called into question, destroying the process.

If this problem is to be addressed, it will almost certainly have to be done during the Energy and Commerce mark-up hearing that will probably be conducted in the next couple of weeks. After that, if the bill moves forward, it would almost certainly be under processes in both the House and Senate that would not allow for amendments to the bill from the floor.

OMB Receives Anti-Kaspersky FAR Rule for Review


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received for review an interim final rule amending the Federal Acquisition Regulation (FAR) to address the use of products or services from Kaspersky Labs. This rulemaking was not included in the Fall 2017 Unified Agenda.

This is probably a rule implementing the requirements of §1634 of HR 2810, the National Defense Authorization Act for Fiscal Year 2018. That bill was signed into law on December 12th, 2017 (PL 115-91, not yet printed); which would explain why this rule did not make the last Unified Agenda.

That section prohibits any “department, agency, organization, or other element of the Federal Government” from using “any hardware, software, or services developed or provided, in whole or in part, by” {§1634(a)} Kaspersky Labs. The effective date of that prohibition is October 1st, 2018, which is undoubtedly the reason for going the ‘interim final rule’ route.

CG Sends TWIC Reader Rule Delay to OMB


Earlier this week the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a proposed rule from the Coast Guard that would delay the implementation of the TWIC Reader Rule. This rulemaking was not included in the Fall 2017 Unified Agenda, so there are few or no details publicly available. The final rule for the TWIC Reader was published in 2016. The effective date is August 23, 2018.

While the Trump Administration has established a firm reputation for delaying the implementation of Obama Administration regulations, particularly those finalized in the closing months of that Administration, this action would appear to be something a tad bit different. This rulemaking was years in development and specifically required by law, so it clearly is not an Obama policy legacy.

It will be interesting to see what justification the Coast Guard is using to delay the implementation of this rule.

Thursday, April 19, 2018

ICS-CERT Publishes Advisory and Three Updates for Siemens Products

Today the DHS ICS-CERT published one new control system security advisory for products from Siemens. They also provided updates for three previously published Siemens control system security advisories.

Siemens Advisory


This advisory describes a file and directory information exposure vulnerability in the Siemens Simatic WinCC OA iOS App. The vulnerability was reported by Alexander Bolshev of IOActive and Ivan Yushkevich of Embedi. Siemens has identified workarounds to mitigate the vulnerability. There is no indication that either researcher was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that an uncharacterized attacker with physical access to the mobile device could exploit the vulnerability to read sensitive data located in the app’s directory.

SIMATIC Update


This update provides additional information on an advisory that was originally published on March 18th, 2018. The update provides links to the updates for all of the affected products.

SIPROTEC Update #1


This update provides additional information on an advisory that was originally published on March 8th, 2018. The ICS-CERT update provided a link to the updated version of the EN100 Ethernet module DNP3 variant with additional mitigation measures. The Siemens update also provided corrected affected version information on the same product.

SIPROTEC Update #2


This update provides additional information on an advisory that was originally published on March 8th, 2018. The ICS-CERT update provided a link to the updated version of the EN100 Ethernet module DNP3 variant with additional mitigation measures. The Siemens update also provided corrected affected version information on the same product.

Bills Introduced – 04-18-18


With both the House and Senate in session yesterday there were 58 bills introduced. Of those, one may be of specific interest to readers of this blog:

HR 5576 To address state-sponsored cyber activities against the United States, and for other purposes. Rep. Yoho, Ted S. [R-FL-3]

There are two separate things that may draw my further attention to this bill. First, and most obvious to long time readers, I will watch the definitions used in the bill to see if this bill will specifically address ‘activities’ targeted at control systems. Even if control systems are not covered, how the bill intends to ‘address’ the ‘cyber activities’ may still cause me to expand (slightly) my coverage of cybersecurity issues.

ICS-CERT Updates HatMan Attack Report


Yesterday the DHS ICS-CERT updated their Malware Analysis Report on the HatMan (or TRITON or TRISIS, depending on which analysis you are looking at) attack on a Schneider Triconex Tricon safety shutdown system installation in Saudi Arabia. While this is labeled as an ‘update’ it is closer to a complete re-write of the original document. The new information comes from a joint investigation by ICS-CERT and Schneider.

This is a technical report about the processes involved in the HatMan malware. It does include a mention of how the newly reported Schneider Triconex vulnerabilities were used by the malware. I will leave to more technically qualified personnel the task of reviewing the technical information provided in the report.

Having said that, there is one important point made about the operation of the malware on page 16. Under section 5.3.5 the report states:

“This code is run when the compromised TS protocol command is received and provides RAT-like functionality. Most importantly, it allows an actor to read and write memory—including within the in-memory firmware region—and execute arbitrary code regardless of the key switch position, including “RUN.” This allows an actor to effect changes on the controller while it is in full operation, not just while it is being reprogrammed.”

This may be the critical portion of the malware because it bypasses one of the primary protections designed into safety instrumented systems, essentially the manual key switch that is supposed to prevent reprogramming while the controller is in RUN mode. This type of protection is used in a number of control system elements (particularly PLCs) and is supposed to provide a level of control over the reprogrammability of the devices. Being able to subvert this control re-emphasizes the ‘insecure by design’ nature of PLCs in particular. It is not clear from this report whether the techniques used in the HatMan malware against the Triconex devices would be adaptable to overcoming this key switch feature in other systems.

Section 7 of the report, “Detection/Mitigation”, is well worth reading as a stand-alone document. The statement about YARA rules, a standard detection tool advocated by ICS-CERT in many instances, should be read and memorized by researchers as a caution about relying on any specific tool:

“This is not a reliable method for detection, as the files may or may not be present on any workstation, and such a rule cannot be used on a Tricon controller itself; however, it could be useful for detection with agent-based detection systems or for scanning for artifacts.”

And the final paragraph is probably the best summation of the current state of control system security that I have seen:

“Ultimately, the best mitigation strategy for this malware—and others of the same sort—is to employ defense in depth and follow any relevant best practices. Rather than solely attempting to protect vulnerable targets—such as the Triconex devices targeted by HatMan—one prevents an attacker from ever reaching them.”

Wednesday, April 18, 2018

S 1281 Passes in Senate – Hack DHS Act


Yesterday the Senate amended and then passed S 1281, the Hack the Department of Homeland Security (Hack DHS) Act of 2017, by a voice vote. The Senate took up the substitute language adopted by the Senate Homeland Security and Governmental Affairs Committee with a small change being made by a floor amendment.

The amendment changed the language in §2(c) of the bill. It changed the reporting requirements for the report to Congress on the pilot program outlined in the bill, changing the reporting time frame from 90-days to 180-days. The amendment was adopted by unanimous consent. The amendment was offered by Sen. McConnell (R,KY) for Sen. Hassan (D,NH), the author of the bill.

The bill, as amended, would require DHS to establish “a bug bounty pilot program to minimize vulnerabilities of Internet-facing information technology of the Department” {§2(b)(1)}. The bill uses an IT-limited definition of ‘information system’, so building control, access control, and security monitoring functions would not technically be covered by the pilot program.

The bill was brought to the floor under the Senate’s ‘unanimous consent’ process. A single senator could have prevented the bill from being considered. This means that the bill had a significant measure of bipartisan support and no opposition. If the bill is taken up in the House (and I suspect that it will), it is almost certain to be considered under the House ‘suspension of the rules’ process with limited debate and no amendments from the floor.

ICS-CERT Publishes 2 Medical Advisories and 5 ICS Advisories


Yesterday the DHS ICS-CERT published two medical device control system advisories for products from Biosense Webster, Inc (BWI) and Abbott Laboratories. They also published five industrial control system advisories for products from Schneider Electric (2) and Rockwell Automation (3).


Stratix Industrial Managed Ethernet Switch Advisory


This advisory describes eight vulnerabilities in the Allen-Bradley Stratix Industrial Managed Ethernet Switch. The 3rd party vulnerabilities were originally reported by Cisco in their IOS, IOS XE, and IOS XR Software. Rockwell specifically reports that only these 8 (of 22 Cisco reported) vulnerabilities apply to this product. Cisco has released new SNORT rules for some of the vulnerabilities and both Rockwell and Cisco have offered workarounds.

The eight reported vulnerabilities are:

• Improper input validation (4) - CVE-2018-0171, CVE-2018-0174, CVE-2018-0172, CVE-2018-0173;
• Resource management errors - CVE-2018-0156;
• 7PK - Errors - CVE-2018-0155;
• Improper restriction of operations within bounds of a memory buffer - CVE-2018-0167; and
• Use of an externally controlled format string - CVE-2018-0175

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to effect a loss of availability, confidentiality, and/or integrity caused by memory exhaustion, module restart, information corruption, and/or information exposure.

Stratix and ArmorStratix Switch Advisory


This advisory describes eight vulnerabilities in the Allen-Bradley Stratix and ArmorStratix Switches. The 3rd party vulnerabilities were originally reported by Cisco in their IOS, IOS XE, and IOS XR Software. Rockwell specifically reports that only these 8 (of 22 Cisco reported) vulnerabilities apply to this product (Note: not the same eight as above). Rockwell has provided updates for the affected products. Cisco has released new SNORT rules for some of the vulnerabilities and both Rockwell and Cisco have offered workarounds.

The eight reported vulnerabilities are:

• Improper input validation (6) - CVE-2018-0171, CVE-2018-0156, CVE-2018-0174, CVE-2018-0172, CVE-2018-0173, CVE-2018-0158;
• Improper restriction of operations within bounds of a memory buffer - CVE-2018-0167; and
• Use of an externally controlled format string - CVE-2018-0175

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to effect a loss of availability, confidentiality, and/or integrity caused by memory exhaustion, module restart, information corruption, and/or information exposure.

Stratix Services Router Advisory


This advisory describes four vulnerabilities in the Allen-Bradley Stratix Services Router. The 3rd party vulnerabilities were originally reported by Cisco in their IOS, IOS XE, and IOS XR Software. Rockwell specifically reports that only these 4 (of 22 Cisco reported) vulnerabilities apply to this product. Rockwell has provided updates for the affected products. Cisco has released new SNORT rules for some of the vulnerabilities and both Rockwell and Cisco have offered workarounds.

The four reported vulnerabilities are:

• Improper input validation - CVE-2018-0158;
• Improper restriction of operations within bounds of a memory buffer (2) - CVE-2018-0151, and CVE-2018-0167; and
• Use of an externally controlled format string - CVE-2018-0175

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to effect a loss of availability, confidentiality, and/or integrity caused by memory exhaustion, module restart, information corruption, and/or information exposure.

Triconex Advisory


This advisory describes two vulnerabilities in the Schneider Triconex Tricon safety system. The vulnerabilities were discovered by ICS-CERT and Schneider during the investigation of the HatMan attack. Schneider has new firmware that mitigates the vulnerabilities.

The two reported vulnerabilities are:

• Improper restriction of operations within bounds of a memory buffer (2) - CVE-2018-8872 and CVE-2018-7522.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to allow the attacker to misinform or control the Safety Instrumented System which could result in arbitrary code execution, system shutdown, or the compromise of safety systems. These vulnerabilities were exploited during the HatMan attack.

NOTE: Interestingly, Schneider has not yet published their security notification on these vulnerabilities.

InduSoft Web Studio Advisory


This advisory describes a buffer overflow vulnerability in the Schneider InduSoft Web Studio and InTouch Machine Edition products. The vulnerability was reported by Tenable. Schneider has new versions that mitigate the vulnerability. There is no indication that Tenable has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker can remotely exploit the vulnerability to allow remote code execution that, under high privileges, could completely compromise the device.

Biosense Advisory


This advisory describes a large number of vulnerabilities in the BWI CARTO 3 System, a 3D cardiovascular mapping platform. The vulnerabilities were self-reported. BWI has a new version available that mitigates the vulnerabilities. These vulnerabilities have not been reported on the FDA device safety page.

ICS-CERT reports that an uncharacterized attacker with persistent physical access could exploit these vulnerabilities to access information stored in the device, including individually identified health information about patients, affect the integrity of CARTO 3, or deny availability of the device. If the CARTO 3 V4 System is networked, an attacker with persistent physical access may also be able to access other systems within the user’s network.

NOTE: The 12+ pages of vulnerability listing consist of Microsoft vulnerabilities dating back to 2012. There are publicly available exploits for many of these vulnerabilities.

Abbott Advisory


This advisory describes two vulnerabilities in the Abbott Implantable Cardioverter Defibrillator (ICD) and Cardiac Resynchronization Therapy Defibrillator (CRT-D) devices. The vulnerabilities were reported by MedSec Holdings. Abbott has produced a firmware update to mitigate the vulnerabilities. There is no indication that MedSec Holdings has been provided an opportunity to verify the efficacy of the fix. These vulnerabilities have been reported by the FDA on their medical device safety page.

The two reported vulnerabilities are:

• Improper authentication - CVE-2017-12712; and
• Improper restriction of power consumption - CVE-2017-12714

ICS-CERT reports that an uncharacterized attacker could remotely exploit these vulnerabilities to gain unauthorized access to an ICD to issue commands, change settings, or otherwise interfere with the intended function of the ICD.

Monday, April 16, 2018

Committee Hearings – Week of 04-15-18


With both the House and Senate in session this week the budget process continues. We also have a confirmation hearing for the Coast Guard Commandant.

FY 2019 Budget

These are budget hearings, so they will not delve into policy matters in any great depth. We may see brief mentions of cybersecurity in either (or both) of these hearings.

4-17-18 House – Energy and Commerce Committee  - Oversight of the Federal Energy Regulatory Commission and the FY2019 Budget
4-17-18 House – Homeland Security Subcommittee - FY 2019 Budget - United States Coast Guard

Commandant Confirmation


On Thursday the Senate Commerce, Science, and Transportation Committee will hold a confirmation hearing on promoting Vice Admiral Karl L. Schultz to Admiral and Commandant of the Coast Guard.

We may hear mention of chemical transportation safety and security issues, but it would be in passing in a high-level policy discussion. Schultz will be in favor of safety and security; details will come later.

Sunday, April 15, 2018

Bills Introduced – 04-13-18


On Friday, with just the House in session, there were 23 bills introduced. Of those, three may be of specific interest to readers of this blog:

HR 4 To reauthorize programs of the Federal Aviation Administration, and for other purposes. Rep. Ryan, Paul D. [R-WI-1]

HR 5515 To authorize appropriations for fiscal year 2019 for military activities of the Department of Defense and for military construction, to prescribe military personnel strengths for such fiscal year, and for other purposes. Rep. Thornberry, Mac [R-TX-13]

HR 5517 To improve assistance provided by the Hollings Manufacturing Extension Partnership to small manufacturers in the defense industrial supply chain on matters relating to cybersecurity, and for other purposes. Rep. Panetta, Jimmy [D-CA-20]

The first two are important authorization bills. The FAA bill has already been printed and includes a title on unmanned aircraft systems that will be looked at here. The NDAA will be watched for cybersecurity provisions. Note that it is odd for Speaker Ryan to introduce the FAA authorization bill and even more so for him to use one of his reserved bill numbers.

I will be looking at HR 5517 for control system security issues. The defense industrial base regulation is always a potential forward indicator of possible congressional action on cybersecurity issues.

NIST Announces CSF 1.1 Webinar


Earlier this week the National Institute of Standards and Technology (NIST) announced a webinar providing an overview of the Cybersecurity Framework (CSF) version 1.1. The webinar will be held April 27th, 2018 at 1:00 pm EDT.

The webcast page describes the webinar as:

“This webcast will provide the audience with a brief history of how the Framework was developed, supply an understanding of basic components of the Framework (Core, Implementation Tiers, and Profiles), demonstrate how the Framework can be used by organizations, highlight the latest features added in version 1.1, and introduce the Framework Roadmap and Industry Resources.  The audience will have an opportunity to ask questions during a Q&A session at the end of the presentation.”

NIST will be using #CyberFramework for its live TWITTER® chat during the webinar.

Register early.

Saturday, April 14, 2018

ICS Public Disclosure – Week of 04-07-18


This week we have one new vendor report from Rockwell and two updates from Siemens.

Rockwell Advisory


Rockwell reports (registration required) two vulnerabilities in the FactoryTalk Activation Manager. Both are 3rd party vendor problems. Rockwell has a new version that mitigates the vulnerabilities. The two reported vulnerabilities are:

• CodeMeter Cross-Site Scripting; and
• FlexNet Publisher Remote Code Execution

Rockwell has thoughtfully provided links to more information on each of these vulnerabilities (CodeMeter and FlexNet). Proof of concept exploits are available for each vulnerability.

If you click through the FlexNet links you can get to an interesting blog post about this software license manager vulnerability. It appears that this is the same vulnerability that was reported earlier this year in products from Schneider. That blog post notes that FlexNet counts Siemens as a customer. We have, of course, seen Siemens reporting vulnerabilities in their license manager from Gemalto, so I do not know how current that FlexNet data is.

Industrial Products KRACK Update


Siemens published an update to their KRACK advisory for their Industrial Products. ICS-CERT has published previous updates on these vulnerabilities, so it is surprising that they have not yet published an update for this Siemens revision, which came out over a week ago. The update provides revised version information and a mitigation link for SCALANCE W1750D.

SCALANCE DNSMasq Update


Siemens published an update on the DNSMasq vulnerabilities in their SCALANCE products. ICS-CERT did issue an advisory on these vulnerabilities, so again, I have no idea why they have not published an update. The update provides essentially the same new information for the SCALANCE W1750D product.

Friday, April 13, 2018

ICS-CERT Publishes a Yokogawa Advisory


Yesterday the DHS ICS-CERT published a control system security advisory for products from Yokogawa.

Yokogawa Advisory


This advisory describes an access control vulnerability in the Yokogawa Centum series products. This vulnerability is being self-reported by Yokogawa. Yokogawa has produced updated versions of the supported products affected.

ICS-CERT reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerability to generate false system or process alarms, or block system or process alarm displays. The Yokogawa advisory reports additional mitigation measures that would seem to indicate that the vulnerability could be exploited remotely.

Yokogawa also indicates that the two non-Centum products listed in the ICS-CERT advisory are not directly affected by this vulnerability but could have their alarm functions affected if the products are on the same computer as an exploited Centum product.

Wednesday, April 11, 2018

ISCD Publishes Propane Fact Sheet


Today the DHS Infrastructure Security Compliance Division (ISCD) published a fact sheet about how propane is treated under the Chemical Facility Anti-Terrorism Standards (CFATS) program. It would appear that this fact sheet is yet another effort in the CFATS outreach program.

This is a one-page fact sheet (as opposed to the two-page sheets that address industry groups) so the amount of information that is provided is somewhat limited. Fortunately for DHS, the internet provides a way to pack a great deal of information into that one page via links to various information sources.

Propane Concentration


There is one link to an often overlooked piece of information related to propane, the Federal Register notice outlining the special status of propane when looking at the mixture rule. Appendix A clearly states that the ‘Minimum Concentration’ for propane is 1%, the same as for all other release-flammable DHS chemicals of interest (COI). But the Federal Register Notice from March 21, 2008 clearly states that:

“Since DHS intends the COI propane to refer to products containing at least 87.5 percent of propane, as well as other release-flammable COI, it follows that the release-flammable mixtures rule does not apply to such products. In fact, it would not make sense to apply the release-flammable mixtures rule to the combination of chemicals that constitute the COI propane because that would largely negate the intended effect of the 60,000 pound STQ and the special STQ counting rule for the COI propane.[6] By contrast, the release- flammable mixtures rule does apply to products that are a combination of less than 87.5 percent propane and other release-flammable COI, since such mixtures are not themselves the COI propane.”

This oddity means that if you have 60,000 lbs of a commercial product that is only 87.4% propane and 13.6% butane, then the standard 1% mixture rule would be in effect and both propane and butane would have to be reported on a Top Screen at 60,000 lbs. If the product were stored at less than 60,000 lbs but more than 10,000 lbs (the STQ for butane), then only butane would have to be reported on the Top Screen as the total amount stored. But, again with ‘standard commercial propane’, only the propane has to be reported on the Top Screen.

Another Propane Oddity


There is one odd piece of information that is not directly referenced in the fact sheet, the odd way that the propane STQ is calculated. For any other release-flammable DHS chemical of interest, the STQ is calculated by adding up the total amount of the COI that is stored at the facility or used in processes at the facility. For propane, in another move to appease the agricultural community, only propane that is stored in tanks containing more than 10,000 lbs needs to be counted towards the 60,000-lb STQ.

CFATS Outreach


One thing that is not clear from the publication of these outreach fact sheets on the CFATS Knowledge Center is how ISCD expects these fact sheets to get to the facilities that are not presently covered under the CFATS program but probably would be if they submitted a Top Screen. This is, after all, the whole purpose of the outreach program: get the word out to facilities that are required to submit a Top Screen.

For the industry fact sheets, I would suspect that ISCD is counting on (and has almost certainly asked) the various professional organizations that support the covered industries to forward the fact sheet to their members. While the same technique may be used here I would guess that ISCD is going to request that covered CFATS facilities that ship propane forward this fact sheet to their customers that hold inventories over 60,000-lbs in 10,000-lb or greater tanks.

There is an easier way to conduct this outreach effort: ISCD could always require facilities that ship COI in greater than STQ quantities to provide ISCD with a list of those customers. Then ISCD could directly contact the facilities that have not yet submitted Top Screens and require them to do so under 6 CFR 27.200(b). The authority to request a list of customers is already provided in 27.200(a):

“… the Secretary may, at any time, request information from chemical facilities that may reflect potential consequences of or vulnerabilities to a terrorist attack or incident, including questions specifically related to the nature of the business and activities conducted at the facility; information concerning the names, nature, conditions of storage, quantities, volumes, properties, customers, major uses, and other pertinent information about specific chemicals or chemicals meeting a specific criterion….” [emphasis added]

The fact that ISCD has, as of yet, not decided to take this rather drastic step is probably a matter of consideration of the business needs of the current CFATS facilities. It is, however, just a matter of time if we continue to see chemical release incidents at facilities that were, in retrospect, obviously required to submit Top Screens. Congress can politically withstand only so many West Fertilizer type incidents with ISCD saying, “Nope, never heard of them.”

Tuesday, April 10, 2018

ICS-CERT Publishes Two Advisories


Today the DHS ICS-CERT published two control system security advisories for products from Omron and ATI Systems.

Omron Advisory


This advisory describes three vulnerabilities in the Omron CX-One. The vulnerabilities were reported by rgod via the Zero Day Initiative. Omron has released new versions that mitigate the vulnerabilities. There is no indication that rgod was provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Heap-based buffer overflow - CVE-2018-8834;
• Stack-based buffer overflow - CVE-2018-7514; and
• Type confusion - CVE-2018-7530

ICS-CERT reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow remote code execution (which sounds like ‘remote access’ to me).

ATI Systems Advisory


This advisory describes two vulnerabilities in the ATI Emergency Mass Notification Systems. The vulnerabilities were reported by Balint Seeber of Bastille. ATI will be making a patch available to mitigate the vulnerability.

The two reported vulnerabilities are:

• Improper authentication - CVE-2018-8862; and
• Missing encryption of sensitive data - CVE-2018-8864

ICS-CERT reports that an uncharacterized attacker could remotely exploit the vulnerabilities to trigger false alarms.

NOTE: While Seeber notified ICS-CERT of this vulnerability in a coordinated disclosure, he also apparently notified a number of reporters (not me, sigh-grin) because articles about this vulnerability have appeared today at Wired, Gizmodo, and SecurityWeek; they all have more (but not all) details about the vulnerability and its discovery than you would expect to see in an ICS-CERT advisory. Interestingly, none of these articles mentions this ICS-CERT advisory. Oh, and the Bastille web site has a ‘white paper’ that will supposedly be available on the ‘SirenJack’ vulnerability. I have requested my copy and am waiting….

CFATS Reauthorization – Inherently Safer Technology


This is part of a continuing series of blog posts on my proposed changes to the CFATS authorization. The current authorization for the program ends on December 18th, 2018. These posts address some of the language that I would like to see in any re-authorization bill. Earlier posts in the series include:


Environmentalists and Democrats have been after the EPA and DHS to implement a chemical risk reduction program known as inherently safer technology (IST). The standard approach advocated by these groups has been a Federal mandate to implement IST (typically assumed to be replacing hazardous chemicals with less hazardous alternatives) unless a facility can demonstrate that it is economically detrimental.

Risk reduction through the use of less dangerous chemicals, reducing the amount of dangerous chemicals and/or altering chemical processes to less hazardous conditions is a well-established engineering approach that the chemical process industry generally supports. What the industry objects to is a mandate enforced by regulators that do not understand the engineering or business conditions involved.

The CFATS program has been an unintended experiment in a non-mandated IST program. Because of the costs associated with a security program that meets the Risk-Based Performance Standards (and is inspected to ensure that it complies with those standards), the cost-benefit standards for IST implementation have changed in a significant part of the chemical industry. Unfortunately, we only have the absolute minimum of information available about the results of this experiment. I would propose the following language to correct that dearth of information:

Sec. 634 – Inherently Safer Technology

(a) Definitions -

(1) Inherently Safer Technology – The term ‘inherently safer technology’ or ‘IST’ means any combination of chemical engineering or inventory management practices that reduces the risk of a release, discharge, or the theft or diversion of a chemical of interest (COI) listed in Appendix A. These practices may include changing chemical process conditions, changing the form of COI used, substitution of less hazardous chemicals for release security issue COI, or any other measure that, when reported to ISCD, would allow for the facility to be removed from its covered facility status.

(2) ISCD – The term ‘ISCD’ means the Infrastructure Security Compliance Division, or any successor organization, that is responsible for the oversight of the Chemical Facility Anti-Terrorism Standards (CFATS) program described under this sub-chapter.

(b) The Secretary will commission a study to be conducted by the National Academies of Sciences, Engineering and Medicine (the Academies) to look at the IST practices used by chemical facilities that were able to leave the CFATS program since its inception in 2007. The study will look at:

(1) Each facility that was removed from the CFATS program;

(2) Determine what changes were reported to the ISCD that allowed ISCD to remove the facility from the CFATS program;

(3) What IST changes were made at the facility that allowed the changes in reported information;

(4) The cost of the implementation of the IST used;

(5) The cost savings associated with the IST implementation; and

(6) Any lessons learned

(c) In support of the conduct of the study described in (b) the Secretary will:

(1) Ensure that each researcher involved in the program has clearance for access to Chemical-terrorism Vulnerability Information (CVI) in accordance with 6 CFR 27.400;

(2) Provide researchers with a list of previously covered facilities that were removed from the CFATS program because of new information provided to ISCD;


(3) Ensure that full access to Chemical Security Inspectors and ISCD records about the facilities identified as being part of the study will be made available to researchers;

(4) Forward to the identified facilities any questionnaires developed by the research team that support the preparation of the report described in (b), with a notice of a requirement to provide the information requested under authority of this section and that the information will be protected in accordance with §623;

(d) The report described in (b) will be prepared in an unclassified form and will not include any information that would allow for the identification of a facility that was previously or currently a covered facility under the CFATS program. An annex may be published that contains CVI and will be protected accordingly. The report, without any CVI annex, will be published on the CFATS web site.

(e) Within one year of the report described in (b) being published, the Secretary will prepare recommendations to Congress about how the conclusions reached in the report could be incorporated in the authorization language for the CFATS program.

Monday, April 9, 2018

HR 5366 Introduced – UAS Interdiction


Last month Rep. Hartzler (R,MO) introduced HR 5366, the Safeguarding America’s Skies Act of 2018. The bill would authorize DHS and DOJ personnel to take actions to interdict unmanned aerial systems around selected critical infrastructure facilities.

Authorized Actions


The bill would add a new section to 18 USC that would give the Secretary of Homeland Security and the Attorney General the authority to “authorize officers, employees, and contractors of the department assigned with duties that include safety, security, or protection of personnel, facilities, or assets of the department” to take actions to mitigate a threat “that an unauthorized UAV poses to the safety or security of a covered facility or asset” {new §28(a)}. The authorized actions include {new §28(b)}:

• Detect, identify, monitor, and track, without prior consent, a UAV, to evaluate whether the UAV poses a reasonable threat to the safety or security of a covered facility or asset;
• Warn the operator of the UAV;
• Redirect, alter control, disable, disrupt, seize, or confiscate, without prior consent, a UAV that poses a reasonable threat, including by intercepting, substituting, or disrupting wire, oral, electronic, or radio communications or signals transmitted to or by UAV;
• Use reasonable force to disable, disrupt, damage, or destroy a small unmanned aircraft, unmanned aircraft system, unmanned aircraft, or unmanned aircraft’s attached system, payload, or cargo that poses a reasonable threat to the safety or security of a covered facility or asset; and
• Conduct research, testing, training on, or evaluation of any equipment, including any electronic equipment, to determine its capability and utility to enable (sic).

The definition of the term ‘covered facility or asset’ describes facilities designated by the Secretary or Attorney General that could include {new §28(h)(2)(C)}:

• Buildings and grounds leased, owned, or operated by or for the Federal Government, including Federal Facility protection operations;
• Authorized protective operations, including but not limited to the protection of Federal jurists, court officers, witnesses, and other persons;
• Penal, detention, correctional, and judicial operations;
• National Security Special Events, Special Event Assessment Ratings Events, or other mass gatherings or events that are reasonably assessed by the Department of Justice to be a potential target for terrorism or other criminal activity;
• Active Federal law enforcement investigations;
• Operations that counter terrorism, narcotics, and transnational criminal organizations;
• Securing authorized vessels, whether moored or underway;
• Protection operations pursuant to section 3056;
• Critical infrastructure;
• Emergency Response Operations;
• National Disaster Areas, Natural, or Hazardous Disaster Areas if it is determined by the Secretary of Homeland Security that unauthorized access to the airspace would restrict recovery efforts;
• Other areas identified by the President.

The other key term ‘critical infrastructure’ is defined {new §28(h)(6)} by reference to 18 USC 2339D that uses the broad definition of “systems and assets vital to national defense, national security, economic security, public health or safety including both regional and national infrastructure” instead of one of the more restrictive definitions {see for example 42 USC 5195c(e)} that uses the phrase “…so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact…”.

The bill would provide certain restrictions on the actions authorized to be taken. In addition to specific privacy restrictions outlined in the new §28(3) the bill would also require DHS and DOJ to {new §28(a)}:

• Avoid any infringement of the privacy and civil rights of the people of the United States and the freedom of the press consistent with the First and Fourth Amendments, including with regard to the testing of any equipment and the interception or acquisition of communications;
• Limit the geographic reach and the duration of such actions to only those areas and timeframes that are reasonably necessary to address a reasonable threat; and
• Use reasonable care not to interfere with non-targeted manned or unmanned aircraft, communications, equipment, facilities, or services.

Information Disclosure


The new §28(d) provides that:

“Information pertaining to the technology, procedures, and protocols used to carry out this section, including any regulations or guidance issued to carry out this section, shall be exempt from disclosure under section 552(b)(3) of title 5 and exempt from disclosure under State and local law requiring the disclosure of information.”

DOT Action Required


The new §28(b)(5) would require DOT within one year to “issue a final rule requiring remote identification and tracking of UAVs, including UAVs for recreational use, to ensure that cooperative aircraft are identified”.

Other 18 USC Amendments


Section 2(c) of the bill amends various other portions of 18 USC to exempt actions taken under the proposed §28. These include:

18 USC 32 - Destruction of aircraft or aircraft facilities;
18 USC 1030 - Fraud and related activity in connection with computers;
18 USC 1632 - Communication lines, stations or systems;
18 USC 1367 - Interference with the operation of a satellite;
18 USC Chapter 119 - Wire and Electronic Communications Interception and Interception of Oral Communications; and
18 USC Chapter 206 - Pen Registers and Trap and Trace Devices

Moving Forward


Neither Hartzler nor her two co-sponsors {Scott (GA) and Hanabusa (HI)} are members of any of the three committees (Judiciary, Homeland Security, and Transportation and Infrastructure) to which this bill was assigned for consideration. This means that the bill is unlikely to receive consideration in any of the committees. I suspect that even if it were considered in committee it would not receive majority support; it is too radical a change in the way that aircraft are protected in law to receive the necessary support.

Commentary


For about a year now I have been advocating for changes to US statutes to specifically allow for interdiction of drones over high-risk chemical facilities (and other critical infrastructure). This bill provides a good look at just how complicated that type of legislation could be. Section 2(c) of the bill provides a pretty good insight into what laws might have to be revised to allow for the interdiction of UAS.

BTW: You can see my effort to craft a more limited drone interdiction authorization here.

The bill takes an odd turn when it only allows agents of the United States (employees and contractors of DHS and DOJ) to interdict UAS. I see this as a method to keep tight control of the technology and weapons involved. Unfortunately, this would probably result in as many problems as it would solve. Neither DHS nor DOJ has enough manpower to assign UAS control teams to critical public buildings on a long-term basis, much less privately owned critical infrastructure. This would mean that both agencies would have to have UAS response teams that could be tasked to support (on a short-term response basis) individual sites that are having (or reasonably expect to have) UAS overflight problems that would potentially affect the security of the site or the safety of personnel on the site.

Another odd provision is found in the information disclosure paragraph. I certainly understand the crafters’ concerns about the protection of information obtained during the unintended interception of communications with UAS that really should not be intercepted under the rules envisioned by this bill. Unfortunately, the crafters either poorly worded the paragraph or they specifically intended DHS and DOJ to write the rules required by this bill without sharing those rules with the public. I really hope it is an English usage problem and not an attempt at specifying unnecessary government secrecy.

Sunday, April 8, 2018

Committee Hearings – Week of 4-7-18


Both the House and Senate are coming back to Washington this week after their two-week Easter Recess. There are no hearings of specific interest to readers of this blog in the strictest sense, but there are two categories of hearings that may be of general interest. They deal with (non-ICS) cybersecurity and money.

Cyber Hearings


April 10th, Senate Judiciary, “Facebook, Social Media Privacy, and the Use and Abuse of Data”;
April 11th, House Energy and Commerce, “Facebook: Transparency and Use of Consumer Data”;
April 11th, House Armed Services, “Cyber Operations Today: Preparing for 21st Century Challenges in an Information-Enabled Society”;
April 11th, Emerging Threats and Capabilities Subcommittee (House Armed Services), “A Review and Assessment of the Department of Defense Budget, Strategy, Policy, and Programs for Cyber Operations and U.S. Cyber Command for Fiscal Year 2019”;

Zuckerberg gets a chance to respond to Congressional critics and the military will talk about cyber operations.

Budget and Spending Hearings


April 11th, Homeland Security Subcommittee (House Appropriations), “FY 2019 Department of Homeland Security”;
April 12th, Transportation and Protective Security Subcommittee (House Transportation), “Examining the President’s FY 2019 Budget Request for the Transportation Security Administration”;

We are still too early in the FY 2019 process for any particular details to begin to emerge, but listening to the questions asked at these hearings can give a picture of what may be coming down the road.

Thursday, April 5, 2018

ICS-CERT Publishes 3 Advisories and 2 Siemens Updates


Today the DHS ICS-CERT published three control system security advisories for products from Leão Consultoria e Desenvolvimento de Sistemas (LCDS), Moxa, and Rockwell. They also updated two previously published control system security advisories for products from Siemens.

LCDS Advisory


This advisory describes an improper check of handling of exceptional conditions vulnerability in the LCDS LAquis SCADA. The vulnerability was reported by Karn Ganeshen. LCDS has a new version that mitigates the vulnerability. There is no indication that Ganeshen has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a highly-skilled attacker with local access could exploit this vulnerability to cause the device an attacker is accessing to crash, resulting in a structured exception handler overflow condition, which may allow code execution.

Moxa Advisory


This advisory describes an information exposure vulnerability in the Moxa MXview network management software. The vulnerability was reported by Michael DePlante of the Leahy Center for Digital Investigation at Champlain College. Moxa developed a new version to mitigate the vulnerability. There is no indication that DePlante has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to read the private key of the web server, which may allow a remote attacker to decrypt encrypted information.

Rockwell Advisory


This advisory describes six vulnerabilities in the Rockwell MicroLogix Controller. The vulnerabilities were reported by Jared Rittle and Patrick DeSantis of Cisco. Rockwell has provided mitigation strategies in their customer notification (registration required). There is no indication that the researchers were provided an opportunity to verify the efficacy of the fixes.

The six reported vulnerabilities (according to ICS-CERT) are:

Improper authentication (6) - CVE-2017-12088, CVE-2017-12089, CVE-2017-12090, CVE-2017-12092, and CVE-2017-12093

NOTE: Rockwell does not use the ‘improper authentication’ description for any of the six (actually 17) vulnerabilities. Instead they report (using the same CVE numbers):

• Denial of service via ethernet functionality - CVE-2017-12088;
• Denial of service via download functionality - CVE-2017-12089;
• Denial of service – SNMP-set request - CVE-2017-12090;
• Access control vulnerabilities (12) - CVE-2017-14462 thru CVE-2017-14473;
• File-write vulnerability in memory module - CVE-2017-1209; and
• Malicious register session packets lead to communication loss - CVE-2017-12093

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to cause denial of service, disclosure of sensitive information, communication loss, and modification of settings or ladder logic.

SCALANCE Update


This update provides additional details on an advisory that was originally published on November 28th, 2017. The new version provides updated mitigation information for the SCALANCE W1750D.

Building Technologies Products Update


This update provides additional details on an advisory that was originally published on April 3rd, 2017. The new information provides a link to the updated LMS. I mentioned this new information in my earlier post.

Wednesday, April 4, 2018

ISCD Updates CFATS Monthly Update Page – 04-03-18


Yesterday the DHS Infrastructure Security Compliance Division (ISCD) updated the Chemical Facility Anti-Terrorism Standards (CFATS) Monthly Update web page. This page provides a summary of ISCD activities and CFATS facility status over the previous month. The data presented continues to show progress on the implementation of the CFATS program.

The table below shows the reported ISCD activities over the last two months. The ‘to Date’ lines show the numbers for the activity since the program was started in 2007. The ‘Month’ lines show numbers for the same activity in the indicated month.

CFATS Activities                        Feb-18    Mar-18
Authorization Inspections to Date       3352      3496
Authorization Inspections Month         133       149
Compliance Inspections to Date          3249      3349
Compliance Inspections Month            79        90
Compliance Assistance Visits to Date    4007      4096
Compliance Assistance Visits Month      172       86

The numbers continue to reflect the maturation of the CFATS program. As more of the new facilities from the CSAT 2.0 implementation submit their site security plan (SSP) and have it authorized, we will continue to see increases in the monthly rate of authorization inspections and a decline in the compliance assistance inspections. And as more facilities have their SSP approved we will see an increase in the number of compliance inspections.

The table below shows the status of the facilities in the CFATS program over the last two months. Tiered facilities are those that have had their submitted Top Screen reviewed by ISCD and have been notified that they are covered facilities under the CFATS program and have been assigned their risk-based Tier ranking. The Authorized and Approved facilities refer to the status of the facility’s SSP. Approved facilities are in the compliance phase of the program where they will receive periodic compliance inspections by ISCD to ensure that the facility is in compliance with its negotiated SSP standards.

CFATS Facility Status    Feb-18    Mar-18
Tiered                   474       387
Authorized               665       681
Approved                 2345      2373
Total                    3485      3441

The decline in the number of Tiered facilities is to be expected as those facilities begin to move through the SSP submission and approval process. We may see minor periodic upticks in that number as ISCD continues its facility outreach program to identify chemical facilities that may be required to submit Top Screens.

I continue to be concerned about the resumption of the decline in the number of covered facilities. On one hand, the facility risk reduction efforts necessary for leaving the CFATS program mean that the risks of a successful terrorist attack on that facility are diminished, which is certainly a good thing. The potential downsides are that the facility risk reduction comes at the cost of increasing the risks to another facility (for example, having a larger inventory of chemicals of interest at a supplier location instead of at the using facility) and/or of increasing the transportation risk by increasing the number of shipments of COI.

For a variety of reasons ISCD has not provided the regulated community with any kind of information about the ‘successful’ risk reduction efforts at the facilities that have departed the program. I am hoping that this will be one of the issues that Congress will address during its process of re-authorizing the CFATS program; either during hearings where David Wulf is testifying or in the various reports that Congress is sure to request (almost certainly already have requested) from both the DHS Inspector General and the Government Accounting Office.
