Thursday, May 31, 2018

HR 5729 Introduced – TWIC Reader Rule Delay


Earlier this month Rep. Katko (R,NY) introduced HR 5729, the Transportation Worker Identification Credential Accountability Act of 2018. The bill would delay implementation of the TWIC Reader Rule, which is due to become effective on August 23rd, 2018. The delay would extend until after the report to Congress required by the Transportation Security Card Program Assessment Act (PL 114-278) has been made.

Reports to Congress


The earlier act required DHS to commission a study by a “research organization with significant experience in port or maritime security” {§1(b)(2)} that would include an assessment of the efficacy of the TWIC program. That assessment was to have included a review of {§1(b)(3)}:

• The credentialing process;
• The process for renewing applications; and
• The security value of the program.

The original version of HR 710 included language {§2(f)} that would have delayed implementation of the TWIC Reader Rule until the reports required by the bill had been submitted to Congress. That language was removed in a last minute amendment to the bill when it was passed by the Senate in the closing hour of the 114th Congress.

Moving Forward


Katko is the Chair of the Transportation and Protective Security Subcommittee of the House Homeland Security Committee, one of the two committees to which this bill was assigned for consideration. He is also a member of the House Transportation and Infrastructure Committee, the other committee to which the bill was assigned. This means that he should have sufficient influence to have the bill considered in, at the very least, the Homeland Security Committee. And the bill does have bipartisan leadership sponsorship: Rep. McCaul (R,TX), Rep. Jackson-Lee (D,TX) and Rep. Richmond (D,LA).

The main issue here is the short time frame in which this bill would have to pass for it to be effective. It has been four weeks since this bill was introduced and there has been no committee (or even subcommittee) action on the bill. We have one month left before the currently scheduled summer recess. If action is not taken during that time (and the schedule is already busy with spending bills and nominations) the TWIC Reader Rule is scheduled to go into effect during that recess.

It seems unlikely that this bill would get the abbreviated treatment that HR 710 got in the Senate (no debate and no vote). There was obviously some objection in the Senate to the language requiring the stay of the implementation of the rule that held up consideration of HR 710 until the last minute in that body. That objection is unlikely to have changed.

There is, however, some possibility that the effective deadline for the passage of this bill could slip. DHS has submitted a rulemaking to OMB to delay the implementation of the TWIC Reader Rule. The details of that rule, including the reasons for change and the revised implementation date, are not publicly available. It is unclear whether such a rulemaking could be completed in time to avoid the August implementation date, though it is unlikely that affected industries would object to the delay.

Wednesday, May 30, 2018

HR 5952 Introduced – FY 2019 CJS Spending Bill


Last week Rep. Culberson (R,TX) introduced HR 5952, the Commerce, Justice, Science, and Related Agencies (CJS) Appropriations Act, 2019. There is one cybersecurity provision in the bill that may be of interest to readers of this blog and a couple of related comments in the Committee Report on the bill that bear review.

Cybersecurity


Section 513 of the bill provides binding guidance to all of the agencies funded by this bill on the supply chain security requirements for all “high-impact or moderate impact information system” {§513(a)} as defined by NIST FIPS SP 199. The requirements include:

• Reviewing the supply chain risk for the information systems against criteria developed by NIST and the Federal Bureau of Investigation (FBI);
• Reviewing the supply chain risk from the presumptive awardee against available and relevant threat information provided by the FBI and other appropriate agencies; and
• Conducting an assessment of any risk of cyber-espionage or sabotage associated with the acquisition of such system, including any risk associated with such system being produced, manufactured, or assembled by one or more entities identified by the United States Government as posing a cyber threat, specifically including those that may be owned, directed, or subsidized by the People’s Republic of China, the Islamic Republic of Iran, the Democratic People’s Republic of Korea, or the Russian Federation.

SP 199 used the IT-centric definition of ‘information system’ from 44 USC 3502(8).

Committee Comments


In its discussion of spending for the National Institute of Standards and Technology (NIST) the Committee addresses internet of things (IOT) (pg 12):

“The Committee recognizes the importance of United States’ leadership in addressing security concerns for users and data within the Internet of Things and appreciates NIST’s ongoing work in this area. The Committee encourages NIST to continue strengthening its cybersecurity standard-setting efforts related to the Internet of Things.”

Later (on pg 80) the Committee briefly addresses cybersecurity research:

“The Committee encourages NSF to form partnerships with Hispanic Serving Institutions and Historically Black Colleges and Universities with respect to cybersecurity research.”

Moving Forward


Most of my comments about HR 5895 moving forward apply to this bill as well. There is one big difference, however: there is not bipartisan support for HR 5952 in the Appropriations Committee (and I apparently overstated the bipartisan support that could be expected on HR 5895 as well). Comments by Ranking Member Lowey (D,NY) and Subcommittee Ranking Member Serrano (D,NY) in the ‘Minority Views’ (pgs 136-42) portion of the report outline the problems that the Democrats have with the bill. They close those comments by noting (pg 142):

“Inviting partisanship back into the appropriations process by shortchanging critical domestic and international priorities will endanger the good work in this and other bills.”

The lack of bipartisan support will not stop these bills from passing in the House (unless there is significant conservative opposition as well). But, if the Senate has similar problems with the lack of bipartisan support for their version of this bill (yet to be published) or the EWR bill, these stand-alone spending bills will not move to the Senate floor, killing chances of getting 12 spending bills to the President before the November elections, much less before the end of the fiscal year.

Commentary


The §513 provisions on supply chain security could end up being the next big thing in cybersecurity protections and the supply-chain issues would certainly apply to control systems as well. Interestingly, the SP 199 definitions of “high-impact or moderate impact information system” (Table 1, pg 6) could be directly applicable to control system evaluations if the ICS-friendly definition of ‘information systems’ used in 6 USC 1501 were applied in FIPS.

To make this section work to include control system supply-chain security issues we would just have to add a new paragraph (c) to §513:

(c) In determining which information systems meet the requirements of high-impact and medium impact for the purposes of (a), the definition of ‘information system’ used in 6 USC 1501 will be used.

Tuesday, May 29, 2018

Resources for Law Enforcement and First Responders fact sheet


Last week the DHS Infrastructure Security Compliance Division (ISCD) announced on their Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center the publication of a new fact sheet for law enforcement personnel and first responders. They also announced that the registration for the 2018 DHSChemSecurityTalks – MID was now open.

Fact Sheet


The new Resources for Law Enforcement and First Responders fact sheet provides a broad overview of the information that facilities are required to make available under federal programs administered by the EPA, OSHA and DHS.

As would be expected, the section on DHS information includes a mention of the IP Gateway that I mentioned earlier last week. A new piece of information is being made available in this new fact sheet; the information available to State, local and tribal government agencies (including law enforcement and first responders) on the IP Gateway includes information on all facilities that have submitted Top Screens.

Facility name and location are only protected by For Official Use Only (FOUO) rules while more detailed facility information is protected by Chemical-terrorism Vulnerability Information (CVI) rules. According to DOD rules {32 CFR 291.9} an FOUO marking is not automatically a protection against public disclosure. Those rules note that {§291.9(a)}: “If any [Freedom of Information Act] exemption or exemptions apply or applies, it may nonetheless be released when it is determined that no governmental interest will be jeopardized by its release.” CVI rules, however, provide nearly the same level of disclosure protection as federal classified information rules.

MID Registration


The event registration site provides information about the meeting that will be held in Chicago on July 19th at the Federal Building in downtown Chicago. Registration is required, but there is no fee to attend. As with the WEST meeting in Oakland next month, there will apparently not be a webcast of the meeting.

The agenda for the MID meeting is nearly identical to the WEST meeting agenda. The one difference is that the last presentation in Chicago will address “DHS Soft Target Security” instead of the “Next Steps: Joint Regulatory & Voluntary Program Outreach to Facilities” presentation being made in Oakland.

NOTE: The Chemical Sector Regional Events web site has not yet been updated to reflect that the registration for the MID meeting has been opened.

Monday, May 28, 2018

HR 5895 Introduced – FY 2019 Energy and Water Spending


Last week Rep. Simpson (R,ID) introduced HR 5895, the Energy and Water Development and Related Agencies (EWR) Appropriations Act. For the first time the bill contains a separate reportable category for “Cybersecurity, Energy Security, and Emergency Response”.

CESER


The new ‘Cybersecurity, Energy Security, and Emergency Response’ section (under Title III) of the bill covers “expenses including the purchase, construction, and acquisition of plant and capital equipment, and other expenses necessary for energy sector cybersecurity, energy security, and emergency response activities” (pg 22). The spending is set at “$146,000,000, to remain available until expended”.

The Committee Report notes (pg 88) that this is $50.2 million more than requested by the President and $50 million more than was included for similar activities in the FY 2018 spending bill. The spending tables for CESER (pg 126) show three line items:

• Cybersecurity for Energy Delivery Systems - $116.5 million;
• Infrastructure Security and Energy Restoration - $18.0 million; and
• Program Direction - $11.5 million.

The bulk of the funding increase ($48.5 million) is found in the first category with the remainder put into Program Direction spending.

The Report also explains that (pg 89):

“Within available funds for Cybersecurity for Energy Delivery Systems, $10,000,000 is for research and development on concepts to simplify and isolate automated systems and remove vulnerabilities that could allow unauthorized access to the grid through digital software systems.”

Moving Forward


The Appropriations Committee markup of this bill has been completed so the next step is to move to the floor of the House. I expect that we will see this bill on the floor sometime in June. There will be amendments from the floor during the debate, but those will be limited by a Rule. The bill is likely to pass with significant bipartisan support and some conservative opposition. The Minority Views section (pgs 192-6) of the Committee Report indicates strong Democratic opposition to many elements of this bill, but the bill will probably pass with just Republican support [added 5-31-18, 12:23 am EDT].

The Senate will take up their own version of the bill, probably in July, if some level of bipartisan support can be found [added 5-31-18, 12:23 am EDT]. A conference committee will work out the inevitable differences in the two bills. There is a distinct possibility that a final version of this bill could be on the President’s desk before the end of the fiscal year.

CSB Releases Final Report on Arkema Fire


Last week the Chemical Safety Board (CSB) released their final report [.PDF download] on the Arkema chemical facility fire that occurred as a result of the flooding during Hurricane Harvey last year. The full report is lengthy and detailed and deserves the attention of safety professionals, but the Executive Summary is surprisingly detailed and should be read by everyone in the chemical industry. And, as usual, the CSB has produced another excellent video providing a good review of the incident. I cannot say enough good things about CSB incident videos.

High Points


I am not going to go into much detail here because I do not want to give anyone an excuse for not reading the report, but there are a couple of things that need to be highlighted.

First, the Arkema facility team did do a good job in analyzing the safety issues and preparing for the storm. While the CSB report does raise some specific questions and identifies some things that could have been done better, the pre-planning and on-site reactive measures that were taken demonstrate that Arkema was proactive and properly reactive regarding this incident.

Second, the police officers that were exposed to smoke from the decomposition fires during this incident were well within the mile and a half evacuation zone established around the plant when the plant lost the ability to cool the organic peroxides. This was due to the fact that the road outside the plant fence was kept open during much of the evacuation because it was one of the few remaining accessible roads in the area. The affected officers were patrolling that road to monitor the potential effects of the Arkema incident on users of that route.

Finally, the flooding levels seen in the area of the plant exceeded the ‘500-year flood’ level. While it appears that Arkema was not aware of what the 100- and 500-year flood levels were for the facility, this does demonstrate the magnitude of the disaster that was the proximate cause of the Arkema incident.

Commentary


The CSB makes the point that all of the protective measures put in place to prevent the organic peroxides from reaching their self-accelerating decomposition temperature (SADT) failed from a common cause: the flooding at the site. They then go on to recommend (Recommendation 2017-08-I-TX-R1) that the Arkema Facility:

“Reduce flood risk to as low as reasonably practicable (ALARP). Ensure that any safeguards for flooding meet independent layer of protection requirements.”

The fact that Arkema was not aware that a significant part of the facility was within the “500-year” flood plain is a point well taken, but it is not clear that before this incident anyone would have considered preparing for a 500-year flood to be a reasonable standard for preparedness.

Having said that, this incident and the whole Harvey flood calls into question the efficacy of the use of historical flood data in predicting future flooding. Sections 12 and 13 of the report deal with the issue of increasing risks related to ‘extreme weather’ events while being very careful to avoid any discussion of climate change. While the CSB is an independent agency not directly responsive to the Trump Administration (Could that have anything to do with the attempts to defund the organization?) it appears that the agency was very careful to avoid getting caught up in that controversy.

Unfortunately, anyone with a modicum of intellectual honesty has to admit that there has been an ongoing increase in the severity of rain events in the southeast (and along the Texas and Louisiana coast in particular) in recent history. And that increase is significantly outside of the historic norms. While there may be some room for debate as to the cause of this recent change, the fact that the change exists cannot be ignored. The hard part, however, is going to be determining what the 500-year flood plain is in the current reality.

Now, I suspect that for political reasons, the FEMA flood maps for the area flooded during Hurricane Harvey will not reflect the fact that the areas flooded now represent the de facto 100-year flood plain, but planners, specifically including emergency response planners, will have to accept that as the current reality.

One final note here worthy of consideration by chemical facility planners (and I will be taking this up in more detail in a future blog post) is the fact that the CSB recommendations do not limit themselves to extreme flooding events. In the Executive Summary (though carefully missing from the official recommendations in the report) the CSB also recommends that (pg 8):

“Seismic hazard maps should be evaluated to determine the potential risk of earthquake. Risk of other extreme weather events such as lightning strikes and high wind events should also be considered.”

Saturday, May 26, 2018

Public ICS Disclosure – Week of 5-19-18


This week we have one vendor disclosure from Philips, six exploits for previously disclosed vulnerabilities and two exploits for previously undisclosed vulnerabilities.

Philips Disclosure


The Philips security web page mentions vulnerabilities in its EncoreAnywhere hosted web application. No real details are available beyond the explanation that a successful exploit could result in “unencrypted communication and improper disclosure of sensitive data”. The page does note that ICS-CERT has been notified, so we may see an advisory from ICS-CERT next week.

t4rkd3vilz Exploits

Researcher t4rkd3vilz has published six new exploits on ExploitDB.com for previously disclosed vulnerabilities. As usual these are mentioned here because ICS-CERT does not update their advisories to reflect new publicly available exploits.


New Exploits


Researcher t4rkd3vilz published an additional exploit on ExploitDB.com that appears to be for a previously undisclosed information disclosure vulnerability in the Honeywell Scada System (sic). He (she?, not making assumptions here) usually includes CVE numbers in his description for previously disclosed vulnerabilities and there is none here.

Emre ÖVÜNÇ published an exploit on ExploitDB.com for a hardcoded username and password in the mySCADA myPRO 7.

House Passes HR 5515 – FY 2019 NDAA


On Thursday the House passed HR 5515, the FY 2019 National Defense Authorization Act (NDAA) by a bipartisan vote of 351-66 (7 Republicans voted Nay). On Wednesday the House passed the Coast Guard Authorization Act amendment (amendment #52) to the bill as part of en bloc amendment #1 by a voice vote.

The Senate Armed Services Committee completed work on their version of the NDAA this week and will have a bill to introduce the week after next when Congress returns from its extended Memorial Day Weekend. That bill will move to the Senate floor in the coming weeks for a contentious amendment process. Once it is passed (probably before the summer recess) it will go to a conference committee to work out the differences. Both of the amendments that I have covered here will likely make it into the final bill.

Friday, May 25, 2018

Bills Introduced – 05-24-18


Yesterday, with both the House and Senate preparing to leave Washington for their long Memorial Day Weekend, there were 75 bills introduced. Of these, four bills may be of specific interest to readers of this blog:

HR 5952 Making appropriations for the Departments of Commerce and Justice, Science, and Related Agencies for the fiscal year ending September 30, 2019, and for other purposes. Rep. Culberson, John Abney [R-TX-7]

HR 5961 Making appropriations for Agriculture, Rural Development, Food and Drug Administration, and Related Agencies programs for the fiscal year ending September 30, 2019, and for other purposes. Rep. Aderholt, Robert B. [R-AL-4]

S 2975 An original bill making appropriations for energy and water development and related agencies for the fiscal year ending September 30, 2019, and for other purposes. Sen. Alexander, Lamar [R-TN]

S 2976 An original bill making appropriations for Agriculture, Rural Development, Food and Drug Administration, and Related Agencies programs for the fiscal year ending September 30, 2019, and for other purposes. Sen. Hoeven, John [R-ND]

Thursday, May 24, 2018

ICS-CERT Publishes 2 Advisories and 3 Updates

Today the DHS ICS-CERT published a control system security advisory for products from Schneider Electric and a medical device security advisory for products from BeaconMedaes. They also published updates to previously published advisories for products from Rockwell, Siemens, and Martem.

Schneider Advisory


This advisory describes three vulnerabilities in the Schneider Floating License Manager. The vulnerabilities are being self-reported. Schneider has new versions available to mitigate the vulnerabilities.

The three reported vulnerabilities are:

• Heap-based buffer overflow - CVE-2016-2177;
• Improper restriction of operations within bounds of a memory buffer - CVE-2016-10395; and
• URL redirection to an untrusted site - CVE-2017-5571

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to cause a denial of service, allow arbitrary execution of code with system level privileges, or send users to arbitrary websites.

BeaconMedaes Advisory


This advisory describes three vulnerabilities in the BeaconMedaes TotalAlert Scroll Medical Air Systems web application. These vulnerabilities were reported by Maxim Rupp. BeaconMedaes has a new version that mitigates the vulnerabilities. There is no indication that Rupp has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Improper access control - CVE-2018-7526;
• Insufficiently protected credential - CVE-2018-7518; and
• Unprotected storage of credentials - CVE-2018-7515.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to view and potentially modify some device information and web application setup information, which does not include access to patient health information.

NOTE: These vulnerabilities were not reported on the FDA Medical Device Safety Communication site.

Rockwell Update


This update provides new information on an advisory that was originally published on May 10th, 2018. The new information is supposed to be a link to the Rockwell security advisory [log-in required]. Unfortunately, that link is to the Rockwell Arena advisory (the ICS-CERT advisory for that was published on the same day as the FactoryTalk advisory that is currently being updated here). The correct link is https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1073133.


Siemens Update


This update provides new information on an advisory that was originally published on May 8th, 2018. The new information is a revision to the instructions as to how owner/operators should go about getting the updated version. It removes the original link to the ‘hotfix’ and substitutes the instruction to “Obtain the update via the local Siemens representative”.

Martem Update



This update provides new information on an advisory that was originally published on May 22nd, 2018. The new information is links to the Martem advisories for vulnerabilities CVE-2018-10603 and CVE-2018-10607. A link to the Martem advisory for the third vulnerability was already included in the initial ICS-CERT advisory.

S 2836 Introduced – UAS Interdiction


Earlier this month Sen. Johnson (R,WI) introduced S 2836, the Preventing Emerging Threats Act of 2018. The bill would provide somewhat limited authority to DHS and DOJ to mitigate the threat “that an unmanned aircraft system or unmanned aircraft poses to the safety or security of a covered facility or asset” {new §210G(a)}. In many ways this bill is similar to HR 5366.

Authorized Actions


This bill would amend the Homeland Security Act of 2002 by adding a new section, §210G. It would authorize DHS and/or DOJ to take the following actions {§210G(b)(1)}:

• Detect, identify, monitor, and track the unmanned aircraft system or unmanned aircraft, without prior consent, including by means of intercept or other access of a wire communication, an oral communication, or an electronic communication used to control the unmanned aircraft system or unmanned aircraft;
• Warn the operator of the unmanned aircraft system or unmanned aircraft, including by passive or active, and direct or indirect physical, electronic, radio, and electromagnetic means;
• Disrupt control of the unmanned aircraft system or unmanned aircraft, without prior consent, including by disabling the unmanned aircraft system or unmanned aircraft by intercepting, interfering, or causing interference with wire, oral, electronic, or radio communications used to control the unmanned aircraft system or unmanned aircraft;
• Seize or exercise control of the unmanned aircraft system or unmanned aircraft;
• Seize or otherwise confiscate the unmanned aircraft system or unmanned aircraft; or
• Use reasonable force to disable, damage, or destroy the unmanned aircraft system or unmanned aircraft.

The definition of ‘covered facility or asset’ describes facilities designated by the Secretary or Attorney General that directly relate to {new §210G(k)(3)(C)}:

• Specific DHS missions related to Coast Guard and US Customs and Border Protection security operations, protection operations of the Secret Service, or protection of federal property under 40 USC 1315;
• Specific DOJ missions related to FBI and Marshals Service protection operations, Federal Bureau of Prisons operations, or protection of DOJ facilities and Federal Courts; and
• Specific DHS or DOJ missions related to National Special Security Events and Special Event Assessment Rating events, protection of people and property at mass gatherings (when requested by State, local or tribal governments), active Federal law enforcement investigations, emergency responses, or security operations, or when a national security threat has been identified.

The authority to undertake these actions would expire five years after the legislation is adopted, with a one-time presidential authority to extend that authority for 180 days.

UAS and Critical Infrastructure Assessment


Paragraph 210G(l) would require DHS to conduct an assessment of the threat of UAS to critical infrastructure and domestic large hub airports. That assessment would include {new §210G(l)(1)}:

• An evaluation of current Federal and State, local, or tribal law enforcement authorities to counter the threat identified;
• An evaluation of the knowledge of, efficiency of, and effectiveness of current procedures and resources available to owners of critical infrastructure and domestic large hub airports when they believe a threat from unmanned aircraft systems is present;
• An assessment of what, if any, additional authorities the Department needs to counter the threat identified; and
• An assessment of what, if any, additional research and development the Department needs to counter the threat.

Moving Forward


Johnson is the Chair of the Senate Homeland Security and Governmental Affairs Committee to which this bill was assigned for consideration. This certainly means that this bill is likely to be considered in Committee. And with two influential Committee Democrats {Sen. McCaskill (D,MO) and Sen. Heitkamp (D,ND)} as co-sponsors it would seem that there is probably enough bipartisan support for this bill to be favorably reported by the Committee.

Commentary


The differences between these two bills show a very different approach to the matter while trying to accomplish almost the same ends. The House bill amended 18 USC which immediately ensured that the Judiciary Committee would have to be included in the deliberations. Johnson’s bill amends just the Homeland Security Act which limits the consideration to just the Homeland Security Committee even though the DOJ is specifically included in the bill.

Another major difference is that the House bill specifically listed the provisions of 18 USC that were excepted in providing DHS and DOJ with authority to take counter-UAS actions. This bill exempts “any provision of title 18, United States Code” {new §210G(a)} from interfering with these activities. It seems to me that the Johnson approach is overly broad and would inadvertently provide DHS and DOJ with cover for all sorts of otherwise illegal acts if they can claim they were in support of covered anti-UAS activities.

Unlike the House bill, S 2836 puts off the issue of protecting critical infrastructure from UAS mounted attacks until some unknown future date after DHS completes their assessment and gets back to Congress. While critical infrastructure owners (including State, local and tribal governments) certainly should be concerned about the delay, I think that this is a generally reasonable approach to a very complex, resource intensive, and difficult problem.

DHS and DOJ are going to have a very difficult time adding the additional manpower and equipment needed to carry out the activities outlined in this bill if they are going to provide continuous protection for the fixed facilities outlined in the bill. I suspect that initially the two Departments will concentrate on providing as-needed protections when a specific threat is identified ahead of time. This will still require the addition of counter-UAS assets, but on a much more manageable scale.

The more limited approach taken by this bill (and the fact that it will actually get considered in Committee) may make it easier to get this bill passed, but I still think that there is going to be significant opposition from parties that will be reluctant to authorize activities that endanger aircraft.

Wednesday, May 23, 2018

HR 5515 Debate in House


Yesterday the House began their debate on HR 5515, the National Defense Authorization Act for FY 2019. The initial rule for the consideration of HR 5515 made 103 of the 564 proposed amendments in order for consideration.

Of the nine amendments that I had identified as being of potential interest here, only one made the short list: #189 submitted by Rep. Jackson-Lee (D,TX) regarding cybersecurity apprenticeships. That amendment was adopted as part of en bloc amendment #6 at the close of debate last night.

Apprenticeship Amendment


The Jackson-Lee amendment would require DOD to submit a “report on the feasibility of establishing a Cybersecurity Apprentice Program to support on-the-job training for certain cybersecurity positions and facilitate the acquisition of cybersecurity certifications.” The amendment does not define the term ‘certain cybersecurity positions’ nor does it explicate the certifications to be considered.

Today’s Debate


The debate will resume today under the provisions of a second rule. Under that rule an additional 168 amendments from the list of 564 submitted will be allowed to be proposed on the floor. Only one more of the amendments that I previously identified made it to the second short list: amendment #357, the Coast Guard Authorization Act of 2017. It will be debated as amendment #52.

CG Authorization


While this amendment is entitled “the Coast Guard Authorization Act of 2017” it does not look anything like HR 2518 or S 1129 with the same title. Neither of those bills contained any language of particular interest here. This amendment does, however, contain language of potential interest to readers of this blog; these two sections in particular:

• §319. Protecting against unmanned aircraft (pg 93); and
• §602. Maritime Security Advisory Committees (pg 200).

Section 319 would add a new §528 to 14 USC. That section would authorize DHS to take actions to mitigate the threat “that an unmanned air craft system or unmanned aircraft poses to the safety or security of a covered vessel or aircraft” {new §528(a)} with exceptions to current law (18 USC 32, 18 USC 1030, 18 USC 2510–2522, 18 USC 3121–3127, and 49 USC 46502) being provided to allow such actions. The allowed actions would specifically include {new §528(c)}:

• Detect, identify, monitor, and track the unmanned aircraft system or unmanned aircraft, without prior consent, including by means of intercept or other access of a wire, oral, or electronic communication used to control the unmanned aircraft system or unmanned aircraft;
• Warn the operator of the unmanned aircraft system or unmanned aircraft, including by passive or active, and direct or indirect physical, electronic, radio, and electromagnetic means;
• Disrupt control of the unmanned aircraft system or unmanned aircraft, without prior consent, including by disabling the unmanned aircraft system or unmanned aircraft by intercepting, interfering, or causing interference with wire, oral, electronic, or radio communications used to control the unmanned aircraft system or unmanned aircraft;
• Seize or exercise control of the unmanned aircraft system or unmanned aircraft;
• Seize or otherwise confiscate the unmanned aircraft system or unmanned aircraft; or
• Use reasonable force to disable, damage, or destroy the unmanned aircraft system or unmanned aircraft.

The definition of ‘covered vessel or aircraft’ is somewhat limited and regulations implementing this section will be required.

Section 602 is a complete re-write of 49 USC 70112. It looks, however, as if the rewrite was done to make the section easier to read with less bouncing back and forth between information about the National Maritime Security Advisory Committee and Area Maritime Security Advisory Committees.

Moving Forward


The debate on HR 5515 resumes today and will probably finish today. I suspect that amendment #52 will be adopted.

Again, the Senate will take up its own version of the bill, which is being marked up this week. A conference committee will then work out the differences between the two bills. There is a decent chance that this process could be completed before the summer recess.

Tuesday, May 22, 2018

ICS-CERT Publishes 2 Advisories


Today the DHS ICS-CERT published a control system security advisory for products from Martem. They also published a medical device security advisory for products from Becton, Dickinson and Company (BD).

Martem Advisory


This advisory describes three vulnerabilities in the Martem TELEM-GW6/GWM products. The vulnerabilities were reported by Bernhards Blumbergs and Arturs Danilevics of CERT.LV, Latvia. Martem has described workarounds to mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Missing authentication for critical function - CVE-2018-10603;
• Uncontrolled resource consumption - CVE-2018-10607; and
• Cross-site scripting - CVE-2018-10609

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to allow execution of unauthorized industrial process control commands, denial of service, or client-side code execution.

BD Advisory


This advisory describes three separate SQL-related vulnerabilities in the BD Kiestra and InoqulA systems. These vulnerabilities are being self-reported. BD intends to have mitigations in place by July. In the meantime, BD has described workarounds to mitigate the vulnerabilities.

The following applications in the affected products fail to warn users of unsafe actions:

• Database (DB) Manager;
• ReadA Overview; and
• PerformA

ICS-CERT reports that an uncharacterized attacker with access to an adjacent network could exploit the vulnerabilities which may lead to loss or corruption of data.

NOTE: These vulnerabilities have not been reported on the FDA Medical Device Safety Communications site.

Bills Introduced – 05-21-18


With both the House and Senate back in town yesterday, there were 25 bills introduced. Of those, two may be of specific interest to readers of this blog:

HR 5895 Making appropriations for energy and water development and related agencies for the fiscal year ending September 30, 2019, and for other purposes. Rep. Simpson, Michael K. [R-ID-2]

S 2887 A bill to amend title 10, United States Code, to provide for the establishment and operation of reserve component cyber civil support teams, and for other purposes. Sen. Cantwell, Maria [D-WA]

As is usual with these spending bills, I will be watching for items of potential interest to readers of this blog. With HR 5895 I will be specifically looking for cybersecurity and chemical safety provisions.

There has been a great deal of talk about these types of units over the last couple of years. It will be interesting to see how Cantwell addresses the issue in S 2887. As always, I will be watching for definitions and provisions that specifically address control system security issues.

ISCD Updates Two Fact Sheets


Yesterday the DHS Infrastructure Security Compliance Division updated their Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. One ‘latest news’ item announced the publication of two updated CFATS fact sheets. A second item talked about the upcoming regional meeting. And, finally, ISCD re-did the ‘Documentation’ section, providing links to the above items and eliminating many of the outdated documents that had been accumulating in the section.

Fact Sheets


The two updated fact sheets dealt with Risk Based Performance Standard (RBPS) #9 (Response) and the Infrastructure Protection (IP) Gateway. The RBPS 9 fact sheet was originally published last July. The IP Gateway fact sheet was older, being originally published in 2015.

The changes to the RBPS 9 fact sheet are relatively minor. In the opening paragraph they clarified that the CFATS program was designed to ensure security measures were in place to protect against “hazardous chemicals being exploited in a terrorist attack” rather than to “reduce the risks associated with their chemicals”. The second change was to add a bullet point about the IP Gateway in the discussion about DHS compliance assistance and outreach.

The IP Gateway fact sheet, on the other hand, underwent a complete re-write. The fact sheet explains that the IP Gateway was established as part of the Obama Administration’s efforts under EO 13650, Improving Chemical Facility Safety and Security. It was established to help share chemical safety and security information from federal agencies (like ISCD) with other Federal, State, local and tribal government agencies.

The revised fact sheet does a better job of explaining both what CFATS facility information is shared with these government agencies and how that information is required to be protected by those agencies. One important part of the revision is a link to a web site that provides even more information about the IP Gateway Program.

Regional Meeting


The brief news item is about the West Regional Meeting that I have been discussing for the last week or so (most recently here). There is little new information either in the news entry or in the new flyer linked to in the Documentation section. ISCD is, however, using the CFATS Knowledge Center as an additional way to reach out to facilities to ensure that they know about their DHSChemSecurityTalks program.

Documents Section Update


I have not mentioned it (because I am an information junkie) but the Documentation section of the CFATS Knowledge Center has become rather bloated over the last year or so. Part of this is because ISCD has been actively working to ensure that they are communicating with the regulated (and potentially regulated) community and has been producing a large number of outreach documents. Unfortunately, part of the bloat has also been because of a failure to routinely purge the section of outdated materials. Yesterday that purge was done. Things like old monthly update notices were removed from the section. Even with the addition of the three new products mentioned above, the total number of documents listed in the Section went from 69 down to 54. There are still plenty of informative documents listed on the site.

Interestingly, it seems that removal of the document listings does not mean that the documents have been removed from the web site. There is at least one old monthly update for which the old link still works; at least as of this morning.

Monday, May 21, 2018

Committee Hearings – Week of 05-20-18


This week the House and Senate are trying to get things done before heading home for an extended Memorial Day weekend. The priority this week is continued work on ‘must pass’ legislation like spending bills and the National Defense Authorization Act (NDAA). We also have an IOT bill being marked up.

Spending Bills

• Tuesday – House – Full Committee - FY 2019 Interior and Environment Appropriations Bill;
• Tuesday – Senate – Subcommittee - FY2019 Agriculture Appropriations Bill;
• Tuesday – Senate – Subcommittee - Energy & Water Development Appropriations Bill; and

2019 NDAA

As I mentioned this weekend, the House Rules Committee will take up HR 5515 today and tomorrow in preparation for floor votes this week. There are lots (564) of amendments and many will be controversial.

On the Senate side we see the start of the markup process on an unpublished bill. This bill will also see a number of amendments on the floor next month. Then we will have the behind the scenes work of the conference committee to work out a final bill that will eventually get to the President.

• Tuesday – Senate – Subcommittee on Cybersecurity. CLOSED;
• Tuesday – Senate – Subcommittee on Emerging Threats. CLOSED;
• Wednesday – Senate – Full Committee. CLOSED; and
• Thursday – Senate – Full Committee. CLOSED

IOT Bill


The Digital Commerce and Consumer Protection Subcommittee of the House Energy and Commerce Committee will hold a mark-up hearing on Tuesday on an original (not yet introduced) bill, the State of Modern Application, Research, and Trends of (SMART) IoT Act. The bill would require the Department of Commerce to conduct a study on the state of the internet-connected devices industry.

Sunday, May 20, 2018

HR 5515 Reported in House – FY 2019 NDAA

Earlier this month Rep. Thornberry (R,TX) introduced HR 5515, the National Defense Authorization Act for FY 2019. The bill has been marked-up by the House Armed Services Committee and its subcommittees and the Committee Report on the bill has been published. As is to be expected, the bill contains a number of cyber provisions, some of which may be of specific interest to members of the cybersecurity community.

The major cyber provisions in the bill are found in Subtitle C of Title XVI. They include:

• §1631. Amendments to pilot program regarding cyber vulnerabilities of Department of Defense critical infrastructure.
• §1632. Budget display for cyber vulnerability evaluations and mitigation activities for major weapon systems of the Department of Defense.
• §1633. Transfer of responsibility for the Department of Defense Information Network to United States Cyber Command.
• §1634. Pilot program authority to enhance cybersecurity and resiliency of critical infrastructure. (pg 754)
• §1635. Pilot program on regional cyber security training center for the Army National Guard. (pg 756)
• §1636. Procedures and reporting requirement on cybersecurity breaches and loss of personally identifiable information.
• §1637. Cyber institutes at the senior military colleges.
• §1638. Study and report on reserve component cyber civil support teams. (pg 763)

Cybersecurity Provisions


Three of the sections mentioned above may be of interest to the cybersecurity community.

Section 1634 would authorize DOD to detail up to 50 cybersecurity technical personnel to assist DHS. While the DOD assistance is specifically targeted at supplementing the operations of the National Cybersecurity and Communications Integration Center (NCCIC), the support authority would extend to other DHS operations as well. This authority is for a ‘pilot program’ that would expire on September 30th, 2020.

Section 1635 would authorize the Department of the Army to establish a pilot training center for National Guard cyber protection teams and cyber network defense teams. The goal would be to establish common training standards to allow these teams to defend {§1635(c)(1)(A)}:

• The information network of the Department of Defense in a State environment;
• While acting under title 10, United States Code, the information networks of State governments; and
• Critical infrastructure.

The pilot program would include activities that would {§1635(d)}:

• Provide joint education and training and accelerating training certifications for working in a cyber range;
• Integrate education and training between the National Guard, law enforcement, and emergency medical and fire first responders;
• Provide a program to continuously train the cyber network defense teams to not only defend the information network of the DOD, but to also provide education and training on how to use defense capabilities of the team in a State environment; and
• Develop curriculum and educating the National Guard on the different missions carried out under titles 10 and 32, United States Code, in order to enhance interagency coordination and create a common operating picture.

Section 1638 would require DOD to conduct a study “on the feasibility, advisability, and necessity of the establishment of reserve component cyber civil support teams for each State” {§1638(a)}. The section provides a comprehensive list of requirements for the study that specifically includes {§1638(b)}:

• An examination of the potential ability of the teams referred to in such subsection to respond to an attack, natural disaster, or other large-scale incident affecting computer networks, electronics, or cyber capabilities;
• An analysis of State and local civilian and private sector cyber response capabilities and services, including an identification of any gaps in such capabilities and services; and
• Any effects on the privacy and civil liberties of United States persons that may result from the establishment of such teams.

The study would also be required to look at how the establishment of such teams would affect the operations of DOD cyber mission forces and DHS cyber incident response activities.

Moving Forward


As I reported last week, the House Rules Committee announced that they were taking potential amendments to HR 5515. Those amendments were supposed to have been submitted by last Thursday. The Committee web site lists 564 amendments that have been submitted. Some of the amendments that may be of interest include:

• #55: Requires the Secretary of Defense to provide Congress a report on malicious cyber activities against the DOD systems within the past 24 months by the Russian Federation;
• #78: Establishes the DOD Cyber Institute to serve as the principal Department entity for facilitating cyber cooperation between the Department and outside entities, including industry, academia, and other government organizations;
• #179: Directs the Secretary of Defense to develop plans for early detection, mitigation, and defense against state sponsored cyberattacks targeting federal public election assets, election administrators, election workers, or voter engagement efforts;
• #189: Seeks a report on the feasibility of the DOD developing a cybersecurity apprentice program that provides on the job training for certain cybersecurity positions and in support of acquisition of cybersecurity certifications;
• #337: Contains the Coast Guard Authorization Act of 2017;
• #405: Directs the Secretary of Defense, in consultation with the Hollings Manufacturing Extension Partnership (MEP) and the Office of Small Business Programs, to establish a pilot program to extend the sharing of cyber threat information to contractors, including small and medium-sized manufacturers, who otherwise do not have appropriate security clearance;
• #436: Prohibits the use of funds for cyber collaborations with China and Russia;
• #558 (Late): Supports state-led efforts to enhance cybersecurity by establishing a 5-year pilot program of National Guard cyber civil support teams in 10 states; and
• #563 (Late): Directs the Secretary of Defense to develop effective countermeasures for cyber weapons developed for offensive purposes.

The Rules Committee will meet on Monday to set the general debate rule for this bill and then again on Tuesday to determine what amendments will be authorized to be considered on the floor of the House. The House will take up the bill this week and will almost certainly pass it with some level of bipartisan support.

The Senate Armed Services Committee will finish marking up their version of this bill this week. The two versions will not be the same and will almost certainly require a conference committee to work out the differences between the two bills.

Saturday, May 19, 2018

ICS Public Disclosure – Week of 5-12-18


This week we have two vendor disclosures (ABB), two exploits published for previously disclosed vulnerabilities (Rockwell and Schneider) and two reports of vulnerabilities in a third-party service (Calamp) used by various automotive automation systems. There is also a third vendor (Philips) disclosure that is probably being reported by ICS-CERT next week that I am just mentioning in passing.

ABB Disclosures


ABB reports three vulnerabilities in the Welcome IP-Gateway product. The vulnerabilities were reported by Florian Grunow of ERNW GmbH. ABB has a new version that mitigates the vulnerabilities. There is no indication that Grunow has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Remote code injections – no CVE reported; and
• Missing session management (2) - CVE-2017-7931, and CVE-2017-7906

ABB reports an exploitable RSS function in their Elipse Application. This vulnerability is self-reported. ABB has new versions that mitigate the vulnerability by removing the RSS service.

Rockwell Exploit


t4rkd3vilz published an exploit on ExploitDB.com for the Rockwell CompactLogix SCADA system. The vulnerability that this exploit uses was reported by ICS-CERT in March of 2016.

Schneider Exploit


t4rkd3vilz published an exploit on ExploitDB.com for the Schneider Electric IONXXXX Series Power Meter. The vulnerability that this exploit uses was reported by ICS-CERT in November of 2016.

Calamp Vulnerabilities


Vangelis Stykas has two posts (here and here) and a blog post on two vulnerabilities in backend services provided by Calamp that are used by automotive vendors such as Viper SmartStart and Directed SmartStart. These were coordinated disclosures, patches have been made to the system and Stykas has verified the efficacy of the fix.

Thursday, May 17, 2018

ICS-CERT Publishes 4 Advisories and 2 Siemens Updates


Today the DHS ICS-CERT published four control system security advisories for products from Delta Electronics, Siemens, Phoenix Contact, and GE. They published one medical device security advisory for products from Medtronic. They also updated two previously issued control system security advisories for products from Siemens.

The three Siemens advisories/updates are the ones I mentioned in passing earlier this week.

Delta Advisory


This advisory describes a heap-based buffer overflow vulnerability in the Delta Industrial Automation TPEditor. The vulnerability was reported by ThePotato working with ZDI. Delta has released a new version that mitigates the vulnerability. There is no indication that the researcher was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to crash the accessed device, resulting in a buffer overflow condition that may allow remote code execution.


Siemens Advisory


This advisory describes an improper input validation vulnerability in the Siemens S7-400 CPU. The vulnerability is being self-reported. Siemens has updates that mitigate the vulnerability.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause a denial-of-service condition of the CPU. The CPU will remain in DEFECT mode until a manual restart is performed. The Siemens security advisory notes that:

“Successful exploitation requires an attacker to be able to send a specially crafted S7 communication packet to a communication interface of the CPU. This includes Ethernet, PROFIBUS, and Multi Point Interfaces (MPI). No user interaction or privileges are required to exploit the security vulnerability”

Phoenix Contact Advisory


This advisory describes four vulnerabilities in the Phoenix FL SWITCH 3xxx/4xxx/48xx Series. The vulnerabilities were reported by Vyacheslav Moskvin, Semen Sokolov, Evgeniy Druzhinin, Georgy Zaytsev and Ilya Karpov of Positive Technologies working through CERT@VDE. Newer firmware mitigates the vulnerabilities. There is no indication that any of the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Command injection - CVE-2018-10730;
• Information exposure - CVE-2018-10729; and
• Stack-based buffer overflow (2) - CVE-2018-10728, and CVE-2018-10731

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow for remote code execution and information disclosure.

GE Advisory


This advisory describes an improper input validation vulnerability in the GE PACSystems, an industrial Internet controller. The vulnerability was reported by Younes Dragoni of Nozomi Networks. GE has released new firmware to mitigate the vulnerability. There is no indication that Dragoni was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause the device to reboot and change its state, causing the device to become unavailable.

Medtronic Advisory


This advisory describes a missing encryption of sensitive data vulnerability in the Medtronic N’Vision Clinician Programmer. The vulnerability was reported by Billy Rios of Whitescope LLC. Medtronic has mitigated the vulnerability.

ICS-CERT reports that a relatively low-skilled attacker with physical access to the card could exploit the vulnerability to access personal health information (PHI) or personally identifiable information (PII).

NOTE: This vulnerability was not reported on the FDA Medical Device Safety Communications page.

SIPROTEC Update #1


This update provides additional information on an advisory that was originally reported by ICS-CERT on May 19th, 2016 and updated on July 5th, 2016. This update removes 7SD80 from the list of affected products.

SIPROTEC Update #2


This update provides additional information on an advisory that was originally published on March 8th, 2018 and updated on April 19th, 2018. This update provides updated affected version information and mitigation measures for 7SD80.
