Tuesday, July 31, 2018

ICS-CERT Publishes 5 Advisories


Today the DHS ICS-CERT published five control system security advisories for products from AVEVA (2), WECON, Johnson Controls and Davolink.

Wonderware Advisory


This advisory describes an improper restriction in operations within the bounds of a memory buffer vulnerability in the AVEVA Wonderware License Server; the vulnerability is in the 3rd party  Flexera FlexNet Publisher software. The vulnerability was reported to AVEVA by an anonymous researcher. AVEVA has an update that mitigates the vulnerability.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to effect remote code execution with administrative privileges.

NOTE: This vulnerability was also reported in the Rockwell Factory Talk Activation Manager earlier this year. There is an interesting blog post from 2016 about this vulnerability over at Security Mumblings.

InTouch Advisory


This advisory describes a cross-site scripting vulnerability in the AVEVA InTouch Access Anywhere product. The vulnerability was reported by Google’s Security Team. AVEVA has an update that mitigates the vulnerability. The AVEVA security advisory indicates that the researchers have verified the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to obtain sensitive information and/or execute Javascript or HTML code.

WECON Advisory


This advisory describes two buffer overflow vulnerabilities in the WECON LeviStudioU. The vulnerabilities were reported by NSFOCUS security team, Ghirmay Desta and Mat Powell via the Zero Day Initiative.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2018-10602; and
Heap-based buffer overflow - CVE-2018-10606

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to execute remote code.

NOTE: Reading between the lines of the advisory, it looks like ICS-CERT did not get much cooperation from WECON on these vulnerabilities.

Johnson Controls Advisory


This advisory describes an information exposure through an error message vulnerability in the Johnson Controls Metasys and BCPro products. The vulnerability was reported by Dan Regalado of Zingbox. Newer versions mitigate the vulnerability. There is no indication that Regalado was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker on an adjacent network could exploit the vulnerability to obtain technical information about the Metasys or BCPro server, allowing an attacker to target a system for attack.

Davolink Advisory


This advisory describes a use of password hash with insufficient computational effort vulnerability in the Davolink DVW-3200N network switch. The vulnerability was reported by Ankit Anubhav of NewSky Security. There is new firmware for the device that mitigates the vulnerability. There is no indication that Anubhav was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to obtain the password to the device.

HR 6401 Introduced – Counter UAV


Earlier this month Rep. McCaul (R,TX) introduced HR 6401, the Preventing Emerging Threats Act of 2018. This bill is a refinement of S 2836, a bill of the same title introduced by Sen. Johnson (R,WI). Both bills would provide somewhat limited authority to DHS and DOJ to mitigate the threat “that an unmanned aircraft system or unmanned aircraft poses to the safety or security of a covered facility or asset” {new §210G(a)}.

Most of the changes made by this bill are simply the addition of clarifying language. For example, in §210G(a), this bill substitutes “sections 32, 1030, 1367 and chapters 119 and 206 of title 18, United States Code” for the “any provision of title 18, United States Code” used in the Senate bill.

Other changes actually narrow (albeit only slightly) the scope of the authority of DHS and DOJ to maintain records of information obtained while taking actions against UAS/UAVs. For example, in paragraph (e)(3) this bill replaces the broad “support one or more functions” language with the slightly more restrictive “support 1 or more safety or security functions” language in explicating when the departments can hold information obtained past 180 days.

There is also a minor narrowing of the definition of ‘covered facility or asset’ in paragraph (k)(3) with the frequent addition of the phrase “considered to be high-risk or assessed to be a target for unlawful unmanned aircraft activity” in the descriptions of the different categories of covered facilities, assets or activities.

Moving Forward


McCaul is the Chair of the House Homeland Security Committee and thus will call up this bill for consideration when ever he pleases. Interestingly, he did not include this bill in the recent markup hearing where other bills introduced on the same day were addressed. I suspect that this was due to concerns of Committee Democrats about some of the provisions of the bill. I expect that when this bill is considered, it will be with substitute language.

Commentary


Like S 2836, this bill does not address the problem of preventing potential UAS attacks on privately owned critical infrastructure. The reasons for that are two-fold. First, these bills are attempting to closely hold the authority to attack UAS, limiting it to actions undertaken by DHS and DOJ. There is going to be a strong reluctance on many in Congress to providing any authority to take down any sort of aircraft operating in the national airspace. Strictly limiting that authority is going to be a prerequisite to any congressional action.

The second problem is that too many people (congresscritters specifically included) have a hard time accepting that there is a realistic threat of a consequential attack by UAS. While everyone is well aware of the military use of attack drones, most people think of UAS in the national airspace as the quadcopters and small helicopters that are sold at the local mall. The use of those devices as a terrorist weapon of significance is generally discounted in the minds of most people.

I expect that for any counter UAV bill to make it to the President’s desk, the bill will have to restrict the definition of a UAV/UAS to the larger types of commercial aircraft that are able to carry a more substantial payload. The smaller quadcopters, camera platforms, and flying toys will just not be taken seriously as a substantial threat. Until, of course, one is actually used in a successful, high-profile attack. Then all bets are off….

Monday, July 30, 2018

ISCD Updates 2 FAQ Responses


Today, without any specific notice, the DHS Infrastructure Security Compliance Division (ISCD) updated the responses to two of the Frequently Asked Questions (FAQ) on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. The lack of notice typically means that no substantive changes were made.

The two FAQs affected were:



For #1557 the change made was the removal of Amy Graydon’s name and title (as ‘Acting Director’) from the address to which the required letter would be sent. It was replaced with just the title “Director” with out a name (David Wulf’s currently). This will obviate having to continue to update this FAQ response jut to reflect a change in leadership of ISCD.

I cannot find the change that was made in the response to FAQ #1756; it must be very minor.

Senate Takes Up HR 6147 – Another Mini-Bus


Last week the Senate started consideration of HR 6147, the Interior, Environment, Financial Services, and General Government Appropriations Act, 2019. The Senate is considering substitute language (SA 3399) that adds language from S 2976 (FY 2019 ARF) and S 3028 (FY 2019 THUD spending). During the week there were a large number of amendments offered (see here, here, here and here), but only two of those may be of specific interest to readers of this blog. Once concerns unmanned aviation systems (UAS) and one addresses positive train control (PTC) implementation grants. Neither of the two amendments have been considered on the floor of the Senate to date.

UAS Amendment


SA 3516 (pg S5308) was proposed by Sen. Gardner (D,CO). It would amend 18 USC by adding a new section making it illegal to operate unauthorized unmanned aircraft over wildfires. This amendment is very similar to S 3132 which I have only briefly addressed.

PTC Grants


SA 3527 (pg S 5310) was proposed by Sen. Blumenthal (D,CT). The amendment would make available $150 million of existing grant monies specifically available for “for the implementation of positive train control” projects with priority being provided to projects relating to commuter rail operations.

Moving Forward


A cloture vote on the substitute language is scheduled for this week. Once action on the substitute language takes place, a cloture vote will be held on HR 6147. There is the possibility that additional amendments (possibly including the two listed above) may be considered under unanimous consent motions during the remaining debate.

The revised language being considered by the Senate means that this bill will have to go back to the House for consideration. This will almost certainly result in the House insisting on their language (particularly since the Senate language is drastically different than the House language in the Agriculture section of the bill (seen in HR 5961) and will result in a conference committee. There is an outside chance that the call for a conference committee could come during a pro forma session in August. Absent that, it will be September before the conference could meet; pushing the deadline for a final vote by September 30th.

Saturday, July 28, 2018

Bills Introduced – 07-27-18


With just the House meeting in pro forma session yesterday there were four bills introduced. Of those, one may be of specific interest to readers of this blog:

HR 6638 To promote transparency in the oversight of cybersecurity risks at publicly traded companies. Rep. Himes, James A. [D-CT-4]

I will be watching this bill to see if it includes language that specifically addresses reporting of control system security issues; it probably will not.

Friday, July 27, 2018

Senate Passes HR 5729 – TWIC Reader Delay


Yesterday the Senate passed HR 5729, the Transportation Worker Identification Credential Accountability Act of 2018. The bill was passed by unanimous consent at the end of the session; no debate and no vote.

The bill now goes to the President’s desk. There is no indication that there will be any problem with the President signing the bill.

Bills Introduced – 07-26-18


Yesterday with both the House and Senate in session (and the House preparing to leave on its extended summer break) there were 131 bills introduced (109 in the House). Of these, five may be of specific interest to readers of this blog:

HR 6555 To amend the Homeland Security Act of 2002 to establish a DHS Cybersecurity On-the-Job Training and Employment Apprentice Program, and for other purposes. Rep. Jackson Lee, Sheila [D-TX-18]

HR 6609 To amend title 46, United States Code, to reauthorize the port security grant program, and for other purposes. Rep. Meng, Grace [D-NY-6]

HR 6617 To provide for a legal framework for the operation of public unmanned aircraft systems, and for other purposes. Rep. Poe, Ted [R-TX-2]

HR 6620 To require the Department of Homeland Security to prepare a threat assessment relating to unmanned aircraft systems, and for other purposes. Rep. Richmond, Cedric L. [D-LA-2]

S 3288 A bill to amend title 18, United States Code, to provide the Department of Justice needed legal authorities to combat cybercrime, including state sponsored cybercrime, and for other purposes. Sen. Graham, Lindsey [R-SC]

I suspect HR 6555 will be a program for federal employees, but it would still be worthwhile to watch how such a program was established. It could actually be an interesting model for similar programs in the private sector.

It will be interesting to see what sorts of restrictions are placed on public unmanned aircraft systems in HR 6617.

S 3288 will bear close scrutiny of definitions as they will likely have unintended bearing on activities of cybersecurity researchers.

Thursday, July 26, 2018

Rule to Consider Conference Report for HR 5515 – FY 2019 NDA


Last night the House Rules Committee crafted the rule for the consideration of the Conference Report on HR 5515. As is typical with conference reports, there will be limited debate and no amendments will be offered. This should come to the floor today.

We still do not have an official copy of the 2500+ page report. A quick review of the table of contents (which is 36 pages by itself) of the copy the Rules Committee has on their site shows that most of the cyber related provisions of both the House and Senate versions have made it into the final version of the bill. A more detailed analysis will take some time.

Wednesday, July 25, 2018

ISCD Opens Registration for East Regional Meeting


Yesterday the DHS Infrastructure Security Compliance Division (ISCD) announced on its Chemical Facility Anti-Terrorism Standards (CFATS) web site that the registration was open for the East Regional Meeting scheduled to take place in Philadelphia on August 2nd, 2018. This is the last of the three regional meetings that ISCD is conducting this year in lieu of the (previously) annual Chemical Sector Security Summit.

As with the two earlier meetings (West and Mid) there are no provisions for on-line attendance at the meeting. There has been no mention of any intention to post slides from the meetings as has always been done with the CSSS.

NOTE: Google Chrome is marking the landing page for the registration site as being “Not Secure” because it is not an HTTPS site. The page where information is submitted is an HTTPS page and is marked “Secure” by Chrome.

Tuesday, July 24, 2018

ICS-CERT Updates AutomationDirect Advisory


Today the DHS ICS-CERT published an update for a control system security advisory for products from AutomationDirect. This update provides additional information on an advisory that was originally published on November 9th, 2017 and updated on March 20th, 2018. It adds a new product (DirectSOFT Programming Software) to the list of vulnerable products and provided mitigation links for that product.

NOTE: The link ICS-CERT provided in their TWITTER feed for this update does not work, but the link provided in their email notification does. And, of course, the link provided above works.

S 3153 Introduced – FY 2018/19 Intel Authorization


Last month Sen. Burr (R,NC) introduced S 3153, the Matthew Young Pollard Intelligence Authorization Act for Fiscal Years 2018 and 2019. Both the bill and the accompanying Committee Report pay special attention to control system security issues.

Energy Sector Cybersecurity


Section 732 of the bill would require the Secretary of Energy to establish a 2-year pilot program to study control system security in the energy sector. The pilot program would be funded at $10 Million for the 2-year study. This section is essentially the same as S 79 which was reported in the Senate earlier this year by the Energy and Natural Resources Committee.

ICS Security and the Intelligence Community


On page 17 of the Committee Report, the matter of industrial control system security is directly addressed. The Report notes:

“The Committee is aware of significant threats to our critical infrastructure and industrial control systems posed by foreign adversaries. The sensitive nature of the information related to these threats make the role of the IC of vital importance to United States defensive efforts. The Committee has grave concerns that current IC resources dedicated to analyzing and countering these threats are neither sufficient nor closely coordinated. The Committee includes provisions within this legislation to address these concerns.”

Section 732 of the bill (described above) is the only place that I can find in the unclassified portions of the bill and annexes that directly mentions activities related to ICS security.

Moving Forward


The House passed HR 6237, the House version of this bill earlier this month. While the House bill did receive a large measure of bipartisan support, the Senate will still take up this version of the bill as an amendment to HR 6237 when it comes to the floor of the Senate. I expect that to happen sometime after the Senate returns from the abbreviated summer recess next month. There will be some contentious political amendments offered for the bill when it makes it to the floor, but eventually a version of the bill will be passed and then a conference committee will meld the two versions together into a workable whole.

Commentary


It is interesting to see the language from S 79 appear in this bill. Sen. King (I,ME) has been trying to get this bill to move forward through two sessions of Congress now, so it is not unexpected that he would use his position on the Intelligence Committee to try to advance the bill when it was apparently stalled after being approved in the Energy and Natural Resource Committee.

The association between this bill and the intelligence community is vague to say the least. The working group to be established would be under the Department of Energy which does have some tenuous ties to the IC, but that has been mainly in support of nuclear weapons program, not power generation. King has always included a representative of the IC in the working group {§732(c)(2)(F) in this bill}, but that always seemed to me to be a pro forma inclusion as a source of information rather than an actual participant.

It will be interesting to see where the funds come from to support this program. If they come out the intelligence spending bill, then I expect that the role of the IC will be much more important in the activities of the working group and the resulting study.

One political fact is certain however. Since the authorization for the program (if it makes it to the final bill that reaches the President’s desk) comes from the Intelligence Committee, it will be that Committee (and it’s House counterpart) that will provide the oversight for the program, that alone will color many of the decisions made as the program proceeds.

Bills Introduced – 07-23-18


Yesterday with both the House and Senate in Washington there were 28 bills introduced. Of these, only one may be of specific interest to readers of this blog:

HR 6470 Making appropriations for the Departments of Labor, Health and Human Services, and Education, and related agencies for the fiscal year ending September 30, 2019, and for other purposes. Rep. Cole, Tom [R-OK-4]

I principally watch this bill for comments in the Committee Report on either the FDA or OSHA. This bill will probably not be mentioned in the blog again.

Monday, July 23, 2018

Committee Hearings – Week of 07-22-18


This week with both the House and Senate in session but the House preparing to head home for the LONG summer recess, there is a slightly abbreviated hearing schedule. There are only two hearings of interest, the ‘last’ spending bill and a homeland security markup hearing.

DHS Spending Bill


On Wednesday the House Appropriations Committee will markup the FY 2019 DHS spending bill. The Homeland Security Subcommittee finished their work last week. The draft the Committee is working on does not include language for a short-term extension of the CFATS program, but does continue funding for the program through FY 2019,

Homeland Security Markup


Tomorrow the House Homeland Security Committee will hold a markup hearing on 12 bills and one resolution. These will include the following bills of potential interest to readers of this blog:

HR 6443, the Advancing Cybersecurity Diagnostics and Mitigation Act; and
HR 6438, the DHS Countering Unmanned Aircraft Systems Coordinator Act.

I have not yet reviewed either of the above bills as the official versions have yet to be published. I will look at the Committee Drafts (linked above) later today and comment as necessary. Interestingly HR 6401, Chairman McCaul’s counter UAV bill is not on the list for consideration tomorrow. That bill was published this weekend and at first glance looks very similar to S 2836, Chairman Johnson’s senate bill. More on that later.

On the Floor


Starting late today the Senate will take up HR 6147, the FY 2019 Interior, Environment and Related Agencies (IER) spending bill. There is at least one news report that there is a chance that the Senate may add the THUD spending (S 3023) to the already expanded mix of HR 6147. That might cause problems for the House since they have not yet dealt with the House version of that spending measure (HR 6072) and the membership has not had their chance to muddy the legislative waters with floor amendments. It is going to be an interesting summer.

There is a chance that the House will have a chance late this week to vote on the conference version of HR 5515, the FY 2019 DOD authorization bill. Other than that, there is nothing on the calendar of specific interest for the last week before vacation in the House.

WARNING: With the long vacation coming up there will be a large number of bills offered in the House this week so that members have something to talk about while they are in their districts during the coming weeks. A larger percentage than normal will not see the light of legislative day, but they will get talked about.

Sunday, July 22, 2018

FERC to Expand Cybersecurity Reporting Requirements


Earlier this week the DOE’s Federal Energy Regulatory Commission published an order (final rule) on their web site (it will become official when published, probably next week, in the Federal Register) directing the North American Electric Reliability Corporation (NERC) “to develop and submit modifications to the NERC Reliability Standards to augment the mandatory reporting of Cyber Security Incidents, including incidents that might facilitate subsequent efforts to harm the reliable operation of the bulk electric system (BES).” The notice of proposed rulemaking for this order was published in December of last year.

I am not going to go into a great deal of detail about this rule here; the complex relationships between FERC, NERC and the electric grid are just a little too byzantine for my simple mind to understand. The interesting take away here for the rest of the control system security community is that the new rules to be written by NERC will expand ‘Cyber Security Incidents’ (capitalized and not hyphenated in FERC SPEAK) to include some sort of measure of near misses and they will include a requirement to notify ICS-CERT of those incidents in addition to the current requirement to notify the Electricity Information Sharing and Analysis Center (E-ISAC).

Expanded Definition


Currently the NERC Reliability Standard CIP-008-05 requires the reporting of Cyber Security Incidents only if they have “compromised or disrupted one or more reliability tasks.” While such incidents are certainly worth reporting they leave a whole slew of potential preparatory ‘attacks’ and compromises outside of the mandatory reporting structure and completely ignore the salutatory effects of sharing information about ‘near misses’ or almost successful attacks.

With this order NERC will be required to recraft CIP-008 to include “Cyber Security Incidents that compromise, or attempt to compromise, a responsible entity’s [Electronic Security Perimeter] ESP or associated [Electronic Access Control or Monitoring Systems] EACMS” in the reporting requirements.

ICS-CERT


In the NPRM it was noted that the DOE noted only two Cybersecurity Incident Reports in 2015/2016 while in the same time frame the DHS ICS-CERT responded to 125 cybersecurity incidents in 2014/2015. Ignoring the whole apples and rocks comparisons here, it becomes apparent that some sort of reporting is already underway to ICS-CERT. The FERC order would formalize that and make it a reporting requirement.

Commentary


The expansion of the reporting requirements for Cyber Security Incidents (and I AM NOT going to do another ‘CSI’ acronym; can’t do it, sorry) cannot help but be a good thing; except….

Okay, we have no idea how many new reports this requirement will generate. IF the industry complies with the intent of the rule (an open question) the number of reports could be quite large. Does NERC (who owns E-ISAC) have the necessary number of analysts necessary to review, catalogue, cross-reference, and then deduce attack information from such submissions and then produce properly anonymized information to share with the remainder of the community in a timely manner. Because of the lack of a reasonable estimate of the potential number of reports, and the apparently expanding interest in probing/compromising the grid, I suspect not.

Then there is the whole issue of the quality of information that will be submitted to E-ISAC. Obviously, the more complete the information, particularly on attempted attacks, the easier it will be for E-ISAC to establish actionable information to share with the other E-ISAC members; poor quality or inaccurate information means the information ultimately shared is less useful and potentially even counter-productive.

That leads to the question of who will train facility control system engineers to recognize, isolate and document cyber-attacks. Oh, sorry, control system engineers will not be doing that, it will be the Security Operations Center with its staff of forensically trained experts. I forgot that those existed at each facility in the Bulk Electric System (SIGH).

Actually, I suspect that this is the reason that the Order includes a requirement to report to ICS-CERT. I do not expect (that is my guess, I certainly do not know) that E-ISAC has fly-way teams of control system experts to investigate these incidents. That is not a complaint, it is just not what one should probably expect from any ISAC.

The problem that arises from this is has anyone looked at the capability of ICS-CERT to expand the operations of its fly-away teams to respond to an increasing number of incidents. Who is going to pay for the additional costs of the investigations of the new reports? FERC has no control of ICS-CERT either directly nor through the DOE, so is there a memorandum of understanding between the two organizations about how ICS-CERT is supposed to respond to these newly required reports?

All sorts of interesting questions being raised by this relatively simple final rule, but I will ask but one more (really); how are the Critical Electrical Infrastructure Information (CEII) regulations going to affect the information submitted by owners to ICS-CERT? Owners can request that sensitive security information submitted to FERC or NERC be protected by CEII disclosure rules, but not information directly submitted to ICS-CERT. Information submitted to ICS-CERT by NERC or FERC could be so protected, but there are no provisions for information submitted directly from the private sector to ICS-CERT. Another important quandary to be considered stumbling down the road to information sharing.

Classified ICS Security Information – An Example


Earlier this week I wrote a post on sharing of classified industrial control system (ICS) information sharing. As one of the ways to avoid the many complications of sharing classified information I mentioned preparing unclassified derivative works. This week the DHS US-CERT announced a series of web awareness briefings on one such derivative work; US-CERT Alert TA 18-074A, Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors.

The alert was issued in March of this year and includes a wealth of technical data including indications of compromise that could be used to search systems to see if similar attempts had been made to compromise those systems. But, being a technically oriented document, it does little to convince non-cybersecurity personnel about the existence and scope of the potential threat and who should be concerned about it. Hopefully, that is what these four web briefings (actually 1 briefing x 4) will address. The briefings will take place on:

• July 23rd, 2018, at 1:00 to 2:30 pm EDT;
• July 25th, 2018, at 1:00 to 2:30 pm EDT;
• July 30th, 2018, at 1:00 to 2:30 pm EDT; and
August 1st, 2018, at 1:00 to 2:30 pm EDT.

The webinar will be available via the Homeland Security Information Network (HSIN). An HSIN login is not required, but the Adobe Connect® application is being used so you need to allow time to download and install that before accessing one of the briefings. A dial-in audio link (1-888-221-6227) is also provided. Hopefully, this briefing will remain available after these dates for those of us who already have obligations at these dates and times.

Saturday, July 21, 2018

Public ICS Disclosures – Week of 07-14-18


This week we have two vendor updates (Rockwell and Siemens), two coordinated disclosures with POC (Sony), and proof-of-concept code (POC) for a recently disclosed vulnerability in Echelon products. There is also an announcement about an update to a security tool from OSIsoft.

Rockwell Update


Rockwell updated their FactoryTalk® Activation Manager advisory (previous update). The new version notes that: “Cisco has released several Snort Rules [Snort Rule 38246Snort Rule 38247, Snort Rule 39910] to addressing the Flexera software vulnerability.”

NOTE 1: Since at least one other vendor (Schneider) apparently uses the same third-party software these Cisco snort rules may be more widely applicable in the control system community.

NOTE 2: This was published on Friday so there is a good chance that we will see the ICS-CERT version of this advisory updated in the coming week.

Siemens Update


Siemens published an update of their general advisory on the Spectre/Meltdown vulnerabilities. Siemens continues to expand their coverage of the newer versions of this problem; this time adding information on the Lazy FP State Restore and Spectre V1.1 vulnerabilities. While the latest version of the ICS-CERT Spectre/Meltdown alert does provide a link to this advisory, there is no mention of the newer versions of this continuing problem in that alert.

Sony Vulnerabilities


Talos Intelligence published two vulnerability reports (here and here) for coordinated disclosures of vulnerabilities in the Sony IPELA E Series Camera. According to the reports Sony has a patch available to mitigate the vulnerabilities, but there is no indication that they have had the opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Command injection - CVE-2018-3937; and
Stack-based buffer overflow - CVE-2018-3938

NOTE: This was reported Friday, so there is always a chance that ICS-CERT will report this in the coming week. They have reported on IP camera vulnerabilities before, but do not necessarily report on all such vulnerabilities.

Echelon Exploit


Maxim Rupp published proof-of-concept exploit code on TWITTER for one of the Echelon vulnerabilities reported this week by ICS-CERT. Maxim has reportedly known about this vulnerability for about a year now; no word on why he has not reported it.

OSIsoft Security Audit Tool


OSIsoft announced that they have a new version of their PI Security Audit Tools (v. 2.2.0.3) available. They note that: “This tool is a PowerShell module that performs validation checks for the machine, PI Data Archive, PI AF Server, SQL Server, and PI Vision, indicating areas where the security configuration is out of compliance with best practices, and providing actionable information to address the issue.”

Friday, July 20, 2018

HR 6147 Passed in House


Yesterday the House passed HR 6147, the Department of the Interior, Environment, and Related Agencies Appropriations Act, 2019 by a strongly partisan vote of 217 to 199 (15 Republicans did note Nay). The floor amendment process took three days, but none of the amendments were of specific interest to readers of this blog.

The Senate is scheduled to start consideration of this bill on Monday after the vote on the Wilke nomination at 5:30 pm EDT. No amendments have been proposed yet in the Senate (that will start on Monday as well), but one of the first will be substitute language taken from S 3073. That bill would also include full funding for the Chemical Safety Board, but at $11 million dollar (FY 2018 level) instead of the $12 million in the House bill.

Bills Introduced – 07-19-18

Yesterday with the House and Senate preparing to leave Washington for the weekend there were 49 bills introduced. Of those, three may be of specific interest to readers of this blog:

HR 6438 To amend the Homeland Security Act of 2002 to establish in the Department of Homeland Security an Unmanned Aircraft Systems Coordinator, and for other purposes.  Rep. Perry, Scott [R-PA-4]

HR 6443 To amend the Homeland Security Act of 2002 to authorize the Secretary of Homeland Security to establish a continuous diagnostics and mitigation program at the Department of Homeland Security, and for other purposes. Rep. Ratcliffe, John [R-TX-4] 

HR 6461 To amend title 49, United States Code, to establish in the Transportation Security Administration a National Deployment Office, and for other purposes. Rep. Watson Coleman, Bonnie [D-NJ-12]

There were a number of other homeland security related bills introduced yesterday, but none of specific interest here. Interestingly most of these bills were proposed by leadership of the House Homeland Security Committee (on both sides of the dais) and will be considered next week in a full committee hearing.

I will be watching 6438 to see if it contains counter UAS language instead of just coordinating DHS UAS operations.

I suspect that 6443 will be focused on federal IT programs, but I will be watching (as normal) for control system security information.

On HR 6461 I will be watching for surface transportation language, but I suspect that this will focus on passenger air security technology deployments.

Thursday, July 19, 2018

ICS-CERT Publishes 4 Advisories


Today the DHS ICS-CERT published four control system security advisories for products from Moxa, Echelon, and AVEVA(2).

Moxa Advisory


This advisory describes a resource exhaustion vulnerability in the Moxa NPort serial network interface. The vulnerability was reported by Mikael Vingaard. The latest firmware mitigates the vulnerability. There is no indication that Vingaard has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability  to send TCP SYN packages, causing a resource exhaustion condition that would cause the device to become unavailable.

Echelon Advisory


This advisory describes four vulnerabilities in the Ecelon Smart Server and i.LON products. The vulnerabilities were reported by Daniel Crowley and IBM’s X-Force Red team. Echelon has a new version that mitigates three of the vulnerabilities and provides a workaround for the fourth. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Information exposure - CVE-2018-10627;
• Authentication bypass using an alternate path or channel - CVE-2018-8859;
• Unprotected credentials - CVE-2018-8851; and
Clear text transmission of critical information - CVE-2018-885

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow for remote code execution on the device.

In Touch Advisory


This advisory describes a stack-based buffer overflow vulnerability in the Aveva InTouch HMI. This vulnerability was reported by George Lashenko of CyberX. Aveva has updates available that mitigate the vulnerabilities. There is no indication that Lashenko has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to remotely execute code with the same privileges as those of the InTouch View process which could lead to a compromise of the InTouch HMI.

InduSoft Advisory


This advisory describes a stack-based buffer overflow vulnerability in the Aveva InduSoft Web Studio and InTouch Machine Edition HMIs. This vulnerability was reported by Tenable Research. Aveva has updates available that mitigate the vulnerability. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow remote code execution.

ISCD Publishes CFATS Quarterly – July 2018


Today the DHS Infrastructure Security Compliance Division (ISCD) published the latest version of their Chemical Facility Anti-Terrorism Standards (CFATS) Quarterly. It was announced on the CFATS Knowledge Center with the link provided about half-way through the ‘CFATS Quarterlies and Webinars’ section at the bottom of the page.

This periodic document provides information on what has been going on in the CFATS program. Most of the news is about publications that have been made available to help facilities manage their CFATS process; nothing new here that I have not already covered.

In fact, the only really new piece of information is that David Wulf has finally returned to his job as Director of ISCD after having spent the last 18 months as Acting Deputy Assistant Secretary for Infrastructure Protection. This is the second time that Dave has filled this temporary position during the start of a new administration.

Classified ICS Security Information


There is an interesting discussion that has been taking place for a couple of days now over on LinkedIn. It was initiated by Isiah Jones from LEO Cyber Security. A lot of the response has been targeted at Isiah’s confrontational language, but the really important take away is that Isiah thinks/knows(?) that there is classified information available about threats to industrial control systems in critical infrastructure in the United States. Now Isiah is being necessarily vague about the information, but the discussion is important none the less.

Now I have not had access to classified information of any sort since I left the military a goodly number of years ago. My TS clearance is certainly not in force after this time and I have not had the necessary ‘need to know’ for access in any case. Having said that, I am absolutely certain that such classified information exists and that is unlikely to get into the hands of many of the people who could actively use that information to protect their facilities against serious nation-state level threats.

All is not lost, however. More about that later in the post.

The Need for Secrecy


Contrary to the beliefs of my friends in the black helicopter set, there are many legitimate reasons for the intelligence community (IC) to keep threat information classified. In most cases, the need to protect future access to critical information is more important than the need to share the current information; this is best exemplified by the Coventry-Ultra controversy from WWII. In other cases, the ‘knowledge’ is either so incomplete as to be useless (the Russians want to be able to attack the power grid) or the level of confidence in the information is so low that the intelligence community does not want to be accused of crying wolf.

Information Sharing Problems


Even when the IC is willing to share information, it is not easy to get the information to the correct people. First off, the information is going to be classified so the person receiving the information needs to be properly vetted to receive classified information. Anyone familiar with this process knows that it tedious and time consuming.

If IC waits until they know who will need a specific piece of information before the vetting process begins, the information will probably be worthless once the process is complete; the whole closing the barn door after the animals have gotten out thing. If you vet everyone that might need access to some specific piece of classified information at some unknown future time you end up clogging the vetting system even further with probably unnecessary vetting requests.

Even if the appropriate people have the necessary security clearances, getting them the appropriate information in a secure manner is also a problem. Even if secure messaging aps are used to protect the information in transit, the receiving device has to have minimum levels of security to prevent the information from getting into the wrong hands. Those security measures are expensive; too expensive to set up and maintain on the off chance of needing to receive classified information at some unknown point in the future.

This whole thing is further complicated by the fact that within the receiving organization, the information still needs to be protected during the internal sharing process. Everyone that needs access to the information to put proper protections in place needs to be vetted, their communications need to be protected, and many of their working files will be derivatively classified and need similar protections. This stuff gets very complicated; just ask anyone that has done operation planning in the military.

An alternative that many people have advocated (and I am certainly one) is for the IC to produce unclassified versions of their intelligence information to make the sharing process easier. I did this at the tactical intelligence level in one of my military jobs. It is time consuming to try to extract useable information from an intelligence report and then get that unclassified version vetted to ensure that means and methods are not inadvertently disclosed. Usually, the resulting product is useful for background purposes only, providing little or no information that provides for direct reaction by the recipient.

So, What to Do?


So, all is not lost. The IC can tell (and has told) us that adversaries are targeting control systems in critical infrastructure and has sophisticated techniques for doing so. The specific attack vectors are not necessarily important (as other attack vectors will certainly be used in future attacks). What is important to know is that nation-state level actors are involved and thus will ultimately get through defenses that they are really interested in attacking; THERE IS NO SUCH THING AS A SECURE SYSTEM.

First off, facilities need to determine what they really need to protect to survive and thrive. Information that would significantly hurt the company if it found its way into the hands of competitors or other adversaries needs to be encrypted at rest and in transit. Portions of control systems that are necessary for safety and quality control need to be isolated to the greatest extent possible. Where complete isolation is not possible for whatever reason, communications between the critical portions and other networks need to be closely monitored for anomalies. Where safety effects could be felt outside the facility, additional controls need to be implemented that are physically separated from the control network and analog safety measures should be established whenever possible.

Finally, a reaction plan needs to be firmly in place for all worst-case scenarios. The plan needs to assign specific responsibilities and identify any outside resources that need to be contacted, how that contact is to be made (with at least one alternative communications method identified), and who will make the contact. And, most importantly, those outside resources need to know in advance their roles in responding to an emergency event at the facility. That reaction plan needs to be trained and tested on a recurring basis.

Folks, none of this is new. We have been doing fire drills since we were little kids. We take precautions to prevent fires but recognize that fires can happen none-the-less. We install sprinkler systems and place fire extinguishers at key locations. At facilities where we have an unusually high threat for fires because of combustible materials we take additional precautions and put additional reactive measures in place. We need to extend that same mind set to control system security.

Bills Introduced – 07-18-18


Yesterday with both the House and Senate in session there were 41 bills introduced. Of those, one may be of specific interest to readers of this blog:

HR 6430 To amend the Homeland Security Act of 2002 to authorize the Secretary of Homeland Security to implement certain requirements for information relating to supply chain risk, and for other purposes. Rep. King, Peter T. [R-NY-2]

While this will probably be a federal IT specific bill, the supply chain risk requirements may end up being a standard that would be implementable by many organizations due to the purchasing power of the federal government.

Wednesday, July 18, 2018

OMB Approves PHMSA Classification ANPRM


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced  that it had approved the advanced notice of proposed rulemaking (ANPRM) from the DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) in regards to actions to be taken by pipeline owners when class location changes result from population increases.

While the intent of this potential rulemaking is the same as when I posted my blog entry on the submission of this rulemaking to OIRA, there has been a substantial change to the Unified Agenda entry on the topic in the Spring 2018 version of the agenda that was released since that earlier post. The Fall 2017 version contained a great deal more supporting information and explanation of what this rulemaking could entail. It is not clear if this is a change in how PHMSA views this potential rulemaking or if it is just an attempt to reduce the verbiage in the Unified Agenda.

Bills Introduced – 07-17-18


Yesterday with both the House and Senate in session there were 37 bills introduced. Of these, three may be of specific interest to readers of this blog:

HR 6399 To direct that certain assessments with respect to toxicity of chemicals be carried out by the program offices of the Environmental Protection Agency, and for other purposes. Rep. Biggs, Andy [R-AZ-5]

HR 6401 To assist the Department of Homeland Security in preventing emerging threats from unmanned aircraft and vehicles, and for other purposes. Rep. McCaul, Michael T. [R-TX-10]

HR 6407 To require the Administrator of General Services to transfer certain surplus computers and technology equipment to nonprofit computer refurbishers for repair and distribution, and for other purposes. Rep. Garrett, Thomas A., Jr. [R-VA-5]

My interest in the first two bills should be rather obvious, but the third is a bit of a stretch for coverage here. What I will be looking for in this bill is any language in the bill that would require agencies to strip all information from the memories from the covered devices before providing them to refurbishers. I do not really expect such language to be there, but I can always hope.

Tuesday, July 17, 2018

ICS-CERT Publishes 3 Advisories and 1 Update


Today the DHS ICS-CERT published three new control system security advisories for products from PEPPERL+FUCHS, WAGO and ABB. They also updated a previously published advisory for products from Rockwell.

PEPPERL+FUCHS Advisory


This advisory describes an improper authentication vulnerability in the PEPPERL+FUCHS VisuNet RM, VisuNet PC, Box Thin Client (BTC) families of products. The vulnerability was reported by Eyal Karni, Yaron Zinar, and Roman Blachman with Preempt Research Labs. PEPPERL+FUCHS has firmware updates for HMI running RM Shell 4 or RM Shell 5. For HMI running on Windows 7 or Windows 10 platforms the recommendation is to run the applicable Windows update for CVE-2018-0866. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that an uncharacterized attacker with uncharacterized access could exploit this vulnerability to intercept sensitive communications, establish a man-in-the-middle attack, achieve administrator privileges, and execute remote code.

NOTE: I initially reported on this vulnerability on July 7th, 2018.

WAGO Advisory


This advisory describes three vulnerabilities in the WAGO e!DISPLAY Web-Based-Management. These vulnerabilities were reported by T. Weber of SEC Consult. The latest firmware version mitigates the vulnerabilities. There is no indication that Weber has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Cross-site scripting - CVE-2018-12981;
• Unrestricted upload of file with dangerous type - CVE-2018-12980; and
Incorrect permission for critical resource - CVE-2018-12979

ICS-CERT reports that a relatively low-skilled attacker could use publicly available exploits to remotely exploit the vulnerabilities to execute code in the context of the user, execute code within the user’s browser, place malicious files within the filesystem, and replace existing files to allow privilege escalation.

NOTE: I initially reported on these vulnerabilities on July 14th, 2018.

ABB Advisory


This advisory describes an improper input validation vulnerability in the ABB Panel Builder 800. The vulnerability was reported by Michael DePlante of Leahy Center and Michael Flanders of Trend Micro vis the Zero Day Initiative. ABB has provided work arounds pending further investigation of the vulnerabilities.

ICS-CERT reports that an uncharacterized attacker with uncharacterized access could conduct a social engineering attack to exploit this vulnerability to insert and run arbitrary code.

NOTE: I initially reported on these vulnerabilities on July 7th, 2018.

Rockwell Update


This update provides new information on an advisory that was originally published on June 21st 2018. The new information is an expansion of the affected versions for all affected products.

Monday, July 16, 2018

Committee Hearings – Week of 07-15-18


With both the House and Senate in Washington there will be a fairly active committee schedule, but little of specific interest to readers of this bill. There will be a rules hearing on a spending bill that will be considered this week in the House.

HR 6147 – IER Spending


Today the House Rules Committee will hold a rules hearing to establish a structured rule for the consideration of HR 6147, Department of the Interior, Environment, and Related Agencies Appropriations Act, 2019. Actually, this will be another mini-bus consideration as HR 6258, the Financial Services and General Government Appropriations Act, 2019, is being added to the bill for consideration in the House.

The Committee has received 170 amendments for the IER portion of the bill, but none of them are of specific interest to readers of this blog. The Committee will select a portion of those (and of the 85 offered for the HR 6258 portion of the bill) to be considered on the floor of the House later this week.

On the Floor


As noted above, HR 6147 will come to the House floor either Tuesday or Wednesday of this week. It will pass, but there is little likelihood that the bill will receive substantial bipartisan support.

We have seen substantial progress this year on spending bills in the House but have yet to see any real action in the Senate. Part of this is due to the backlog of nominations that still plagues the Senate and the procedural delays in the consideration of those nominations. Another part of the problem is an unintended consequence of the decision to reduce the length of the summer recess in the Senate. This has reduced some of the pressure on the Senate to act early on the spending bills that have passed in the House.

Unfortunately, this could backfire on the leadership. The House has not announced a reduction in their summer recess schedule. This means that they will likely be recess when the Senate completes action on at least some of the spending bills. This means that a vote to go to conference will likely be delayed on those bills until the House comes back to Washington in September.

There is a way out of that dilemma, but it would require a great deal of cooperation and trust between Ryan and Pelosi. Since the House will meet in pro forma session throughout their recess there could be unanimous consent votes on going to conference during the proforma sessions. With no one calling for role call votes, the two representatives representing the Speaker and the Minority Leader could go through the procedural dance of initiating the conference committees. Unfortunately, with pressure of both Ryan and Pelosi from their party’s more radical elements, this is unlikely to take place.

Saturday, July 14, 2018

ICS Public Disclosure – Week of 07-07-18


This week we have two vendor disclosures from Siemens and WAGO with a concurrent publication of exploit code for the WAGO vulnerabilities.

Siemens Advisory


This advisory describes two denial of service vulnerabilities in the Siemens EN100 Ethernet communication module and SIPROTEC 5 relays. The vulnerabilities were reported by Victor Nikitin, Vladislav Suchkov, and Ilya Karpov from ScadaX. Siemens recommends blocking access to port 102/tcp e.g. with an external firewall.

WAGO Advisory


This VDE-CERT advisory describes three vulnerabilities in the WAGO e!DISPLAY. The vulnerabilities were reported by SEC Consult. WAGO has a new firmware version that mitigates the vulnerabilities. There is no indication that SEC Consult has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Improper neutralization of input during web page generation - CVE-2018-12981;
• Unrestricted upload of file with dangerous type - CVE-2018-12980; and
Incorrect permission assignment for critical resource - CVE-2018-12979

The day after VDE-CERT released this advisory SEC Consult published exploit code for all three vulnerabilities on their web site and other locations (see here for example).

Friday, July 13, 2018

OOPS – Big Mistake on Previous Post


I do not know how it happened (probably too tired to read straight), but I linked to (and got wrong) the incorrect roll-call vote and reported it as being on HR 6237. The actual vote was 363 to 54 which is substantially bipartisan and should reflect enough bipartisan support for the bill to be considered in the Senate in its current form.

House Passes HR 6237 – FY 2018/19 Intel Authorization


Today the House passed  HR 6237, the Matthew Young Pollard Intelligence Authorization Act for Fiscal Years 2018 and 2019, on a nearly party-line vote of 233 to 184 (6 Republican Noes and 9 Democrat Ayes). Twelve amendments were considered, but none were of specific interest to readers of this blog.

The bill has now been tossed to the Senate. Unfortunately, with the party-line vote in the House, there is not much of a chance that the Senate will take up the bill in its current form. There has not been a Senate version of the bill to substitute for the House language like we have seen in the spending bills, so that is probably not an option for consideration of HR 6237 in the Senate.

The intel community can survive without an authorization bill as long as the spending bills continue to pass. The big problem with the lack of authorization is that this reinforces the fact that Congress really has no stomach for maintaining oversight of the grey areas that surround the IC. Congress as a whole is perfectly content to allow a small number of Senators and Representatives to exercise the oversight out of sight and mind. Until, of course, something blows up….

See next post (Updated 07:30 EDT 7-13-18)

Thursday, July 12, 2018

ICS-CERT Publishes an Advisory and an Update


Today the DHS ICS-CERT published a control system security advisory for products from Eaton. They also updated a medical device security advisory for products from Medtronic.

Eaton Advisory


This advisory describes a stack-based buffer overflow in the Eaton 9000X Drive. The vulnerability was reported by Ghirmay Desta working with the Zero Day Initiative. Eaton has an update available that mitigates the vulnerability. There is no indication that Desta was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that an uncharacterized attacker could remotely exploit the vulnerability to allow remote code execution.

Medtronic Update

This update provides additional information for an advisory that was originally published on May 17th, 2018. The update adds a second vulnerability (Protection mechanism failure - CVE-2018-10631). This necessitated an increase of the CVSS (v3) ranking from 4.6 to 6.3 and an expanded risk evaluation section of the advisory.

Wednesday, July 11, 2018

House Passes HR 5729 – TWIC Reader Rule Delay

Yesterday the House passed HR 5729, the Transportation Worker Identification Credential Accountability Act of 2018, by a voice vote. There was a short nine-minute debate on the bill with two representatives speaking in favor of the bill.

Both Rep. Katko (R,NY) and Rep. Norton (D,DC) mentioned in their floor speeches concerns about the “expanded scope of the final [TWIC Reader] rule where facility areas subject to the TWIC reader requirement went beyond what was included in the proposed rule and regulatory analysis accompanying that rule” (pg H5996). Norton also mentioned “concerns and questions about the reliability of background check information, the efficacy of fraud detection capabilities, and the relatively high cost of the credential have been persistent shortfalls that the Department of Homeland Security has never gotten right.”

Unfortunately for the two representatives neither issue is addressed by this bill. The bill simply extends the effective date for the TWIC Reader Rule until the “end of the 60-day period beginning on the date of the submission under paragraph (5) of section 1(b) of Public Law 114–278 [link added] (130 Stat. 1411 to 1412) of the results of the assessment required by that section.”

It will be interesting to see if the Senate takes up this bill before August 18th, 2018. If it is signed by the President sometime after the 18th it will have the interesting effect of prohibiting the implementation of something that will have already been implemented. That will cause all sorts of potentially interesting legal complications, at least until the report is filed.

This bill would have no effect on the current Coast Guard rulemaking underway to delay for three years the implementation of the TWIC Reader Rule for a limited sub-set of the currently affected facilities.

DOE Sends CEI Rulemaking to OMB for Approval


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that DOE had submitted a notice of proposed rulemaking (NPRM) on Critical Electric Infrastructure (CIE) for approval. This rulemaking was not published in the Spring 2018 Unified Agenda, so it is not clear what the rule would specifically address.

An article (registration required) in E&E News yesterday, however, states:

“The Department of Energy will soon publish proposed regulations outlining how it plans to ‘receive, hold and share’ critical electricity infrastructure information from utilities, a senior DOE official [Catherine Jereza, DOE's deputy assistant secretary for transmission planning and technical assistance] said yesterday.”

Most of what Jereza describes is covered under 18 CFR 388.113. Interestingly that Critical Electric Infrastructure Information (CEII) regulation only covers information disclosed to the Federal Energy Regulatory Commission (FERC). It does not specifically include similar (or even identical) information disclosed directly to DOE.

Tuesday, July 10, 2018

ICS-CERT Publishes 2 Advisory – Updates Spectre Alert


Today the DHS ICS-CERT published two control system security advisories for products from Schweitzer Engineering and Universal Robots. They also updated their alert for Meltdown/Spectre vulnerabilities.

Schweitzer Advisory


This advisory describes three vulnerabilities in the Schweitzer Compass and AcSELerator Architect products. The vulnerabilities were reported by Gjoko Krstic of Applied Risk. The latest versions of the software mitigate the vulnerability. There is no indication that Krstic has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Incorrect default permissions - CVE-2018-10604;
• Improper restriction of XML external entity reference - CVE-2018-10600; and
Uncontrolled resource consumption - CVE-2018-10608

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability with publicly available exploit code to allow modification/replacement of files within the Compass installation directory, disclosure of information, or denial of service.

Universal Robots Advisory


This advisory describes two vulnerabilities in the Universal Robots Robot Controllers. The vulnerabilities were reported by Davide Quarta, Mario Polino, Marcello Pogliani, and Stefano Zanero from Politecnico di Milano as well as Federico Maggi with Trend Micro Inc. Universal Robots has described generic workarounds to mitigate the vulnerabilities. There is no indication that any of the researchers have been provided with an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Use of hard-coded credentials - CVE-2018-10633; and
• Missing authentication for critical function - CVE-2018-10635

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to run arbitrary code on the device.

Meltdown/Spectre Update


This update provides additional information on an alert that was originally published on January 11th, 2018 and updated on January 16th, 2018, January 17th, 2018, January 30th, 2018, February 20th, 2018, February 22nd, 2018, March 1st, 2018 and again on April 26th, 2018 (typo in ICS-CERT update says 4-27-18). The update provides a link to the new PEPPERL+FUCHS (ecom mobile devices) advisory that I discussed on Saturday.

ISCD Updates CFATS Knowledge Center – 07-10-18


Today the DHS Infrastructure Security Compliance Division (ISCD) updated their Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. This was an update to the page layout and appearance; no new information was added.

I have done a quick check and all of the old functionality that I have been using on the site remains and I have not discovered any neat new tools. The appearance has certainly changed and it shows Version # 3.0.00, so something was done. I am not a big fan of change for changes sake, but this is prettier.

I have one minor typography complaint. There is nothing that sets off the links in the text (other than the fact that they are URLs), so it is not quick and easy to find the links. Again, a very minor (and perhaps idiosyncratic) complaint.

 
/* Use this with templates/template-twocol.html */