Friday, August 31, 2018

ICS-CERT Publishes Advisory and 2 Updates


Yesterday the DHS ICS-CERT published a control system security advisory for products from Philips. They also published updates for two previously published advisories; one for control system products from Martem and one for medical device products from Philips.

Philips Advisory


This advisory describes 9 vulnerabilities in the Philips e-Alert Unit. The vulnerabilities are self-reported. Philips has a version available that mitigates some of the vulnerabilities. A new version dealing with the remainder will be published by the end of the year.

The nine reported vulnerabilities are:

• Improper input validation - CVE-2018-8850;
• Improper neutralization of input during web page generation - CVE-2018-8846;
• Information exposure - CVE-2018-14803;
• Incorrect default permission - CVE-2018-8848;
• Cleartext transmission of sensitive information - CVE-2018-8842;
• Cross-site request forgery - CVE-2018-8844;
• Session fixation - CVE-2018-8852;
• Uncontrolled resource consumption - CVE-2018-8854; and
• Use of hard-coded credentials - CVE-2018-8856

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit some of the vulnerabilities to allow attackers to provide unexpected input into the application, execute arbitrary code, display unit information, or potentially cause e-Alert to crash. The other vulnerabilities could only be exploited from the same subnet.

Martem Update


This update provides new information on an advisory that was previously published on May 22nd, 2018 and updated on May 24th, 2018. The new information includes:

• An additional vulnerability (incorrect default permissions);
• An additional risk consequence (full control over RTU);
• Updated affected version information; and
• Mitigation information for the new vulnerability


Philips Update


This update provides new information on an advisory that was originally published on August 21st, 2018. The new information removes the ‘remotely exploitable’ language and notes that the “vulnerability is exploitable from within the same local device subnet”.

ISCD Updates Resources Page – 8-30-18


Yesterday the DHS Infrastructure Security Compliance Division (ISCD) updated their Chemical Facility Anti-Terrorism Standards (CFATS) Resources web page. While the page was reorganized there is no new information provided. ISCD has added a link to the recently published anhydrous ammonia flyer and added a section for their previously published documents translated into Spanish. Both additions are overdue.

Wednesday, August 29, 2018

ICS Advisory Study by Dragos


Yesterday I ran across an interesting infographic on LinkedIn that was produced by Dragos. It provided some provocative statistics about control system security advisories that were published in 2017. I am not a big fan of infographics; I prefer to look at the analysis that went into putting together the infographic. So, I asked for and received a link to the report from Dragos that actually includes the infographic.

I have generally been a fan of Dragos incident and vulnerability reporting, but I am disappointed in this report. The infographic has some tantalizing extracted information, but the full published report is little more than a series of bullet points that describes the information from the infographic. To tell the truth, I am not sure what came first, the infographic or the report.

The important information in the report is really summarized neatly by the two paragraph introduction by Reid Wightman. Unfortunately, the information supporting Reid’s comments is not very detailed and there is a total lack of specific examples that explicate the points that Reid makes. While I agree with Reid’s conclusions and almost all of the points raised in the report, it is not because of the in-depth reporting in this document. Rather I have seen what the report describes in my own perusal of ICS-CERT vulnerability reporting over the last ten years or so.

My major question about the reporting here is about the source of the data. According to the report the data is based upon the Dragos analysis of “163 vulnerability advisories with an industrial control system (ICS) impact” that Dragos tracked in 2017. It is not clear if these were advisories produced by vendors or ICS-CERT. I am hoping that ICS-CERT advisories were the basis for the analysis, because those advisories at least have a commonality of terminology and an attempt at consistency of data presented. Furthermore, the ICS-CERT advisories for many vulnerabilities (particularly for the smaller vendors) are apparently the only real report for a large number of the advisories published by ICS-CERT.

If Dragos was relying on data from vendor vulnerability reports (and this would have certainly been a more challenging analysis) then they have failed to acknowledge the disparity in the reporting efficacy of the different vendors. Major vendors (like Siemens, Rockwell, etc) do a much more complete job of reporting the kind of data that the Dragos report calls for. They should be commended for the efforts that they do take to produce useable (but still frequently flawed) vulnerability reports.

Two very important points are made in both the infographic and the report and they both deserve widespread discussion. First, “85% of 2017 ICS-related vulnerabilities apply late in the kill chain and are not useful to gaining an initial foothold. If these vulnerabilities are exploited, it is likely the adversary has been active in the network for some time and already pivoted through various other systems”. Second, “61% of 2017 ICS-related vulnerabilities cause both a loss of view and a loss of control – likely causing severe operational impact”. What I would like to know is what percentage of the vulnerabilities that could be useful to gain an initial foothold could lead to a loss of view and/or control. That is the type of information I was hoping to see in this Dragos report.

Do not get me wrong. Everyone in the ICS community should look at the infographic (which should certainly be shared with management outside of the immediate ICS environment) and read this report. Vendors should certainly take the report’s recommendations to heart. I just wish that there had been a little more red meat here.

ICS-CERT Publishes 5 Advisories


Yesterday the DHS ICS-CERT published four control system security advisories for products from ABB and Schneider (3). They also published one medical device security advisory for products from Qualcomm Life.

The ABB vulnerability was previously discussed here two weeks ago. Two of the Schneider vulnerabilities were discussed here last weekend.

ABB Advisory


This advisory describes an improper authentication vulnerability in the ABB eSOMS electronic shift operations management system. The vulnerability is self-reported (the ABB security advisory notes that they “received information about this vulnerability through responsible disclosure” but did not name the researcher). ABB will publish a new version on September 28th that will mitigate the vulnerability.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to gain access to the application without authentication.

Note: The ICS-CERT link to the ABB security advisory does not work, use the link above.

PowerLogic Advisory


This advisory describes a cross-site scripting vulnerability in the Schneider PowerLogic PM5560 power management system. The vulnerability was reported by Ezequiel Fernandez and Bertin Jose. Schneider has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow user input to be manipulated, allowing for remote code execution.

Modicon 221 Advisory (1)


This advisory describes an improper check for unusual or exceptional conditions vulnerability in the Schneider Modicon 221 PLCs. The vulnerability was reported by Yehonatan Kfir of Radiflow. A new firmware version mitigates the vulnerability. There is no indication that Kfir has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that an uncharacterized attacker could remotely exploit this vulnerability to remotely reboot the device.

Modicon 221 Advisory (2)


This advisory describes three vulnerabilities in the Schneider Modicon 221 PLCs. The vulnerabilities were reported by Irfan Ahmed, Hyunguk Yoo, Sushma Kalle, and Nehal Ameen of the University of New Orleans. A new firmware version mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Information management errors - CVE-2018-7790; and
• Permissions, privileges and access controls (2) - CVE-2018-7791 and CVE-2018-7792

ICS-CERT reports that an uncharacterized attacker could remotely exploit the vulnerabilities to replay authentication sequences, overwrite passwords, or decode passwords.

Qualcomm Advisory


This advisory describes a code weakness vulnerability in the Qualcomm Life Capsule Datacaptor Terminal Server (DTS). The vulnerability was reported by Elad Luz of CyberMDX. A new firmware update mitigates the vulnerability in one of the affected products and workarounds have been identified for the remaining products. There is no indication that Luz has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to execute unauthorized code to obtain administrator-level privileges on the device.

Tuesday, August 28, 2018

S 3378 Introduced – Cyber Sanctions


Last week Sen. Gardner (R,CO) introduced S 3378, the Cyber Deterrence and Response Act of 2018. This bill is very similar to HR 5576 which was introduced in the House in May; no action has taken place on that bill.

Deletions


Most of the changes are grammatical or structural and are of little interest to anyone but legal scholars. There are, however, some significant provisions from HR 5576 that did not make it into this bill.

The last two sub-paragraphs from §3(a)(1) did not make it into the senate bill. They allowed the President to take action against governments or persons that attempted to engage in any of the sanctioned activities listed in the bill.

The Senate bill does not include some of the sanctions provided in the House bill. These include prohibiting:

• Non-humanitarian United States development assistance under chapter 1 of part I of the Foreign Assistance Act of 1961 {§3(b)(2)(A)};
• Approval of the issuance of any guarantees, insurance, extensions of credit, or participations in the extension of credit {§3(b)(2)(D)};
• Transactions in foreign exchange that are subject to the jurisdiction of the United States and in which the government of the foreign state has any interest {§3(d)(2)(E)}; and
• Transfers of credit or payments between one or more financial institutions or by, through, or to any financial institution, to the extent that such transfers or payments are subject to the jurisdiction of the United States {§3(d)(2)(F)}.

The Senate bill also removes the limited Congressional oversight provision of initial briefing to Congress required by §3(f) in the House bill.

Moving Forward


Both Gardner and his single cosponsor {Sen. Coons (D,DE)} are members of the Senate Foreign Relations Committee to which this bill was referred for consideration. Gardner is a sub-committee chair so he should have enough influence to see this bill considered in Committee. However, seeing the lack of action in the House, I suspect that the chances for this bill being considered during this session are rather remote.

Monday, August 27, 2018

Senate Passes HR 6157, FY 2019 DOD Spending


Last Thursday the Senate passed HR 6157, the Department of Defense and Labor, Health and Human Services, and Education Appropriations Act, 2019 by a strongly bipartisan vote of 85 to 7. While the base bill did not contain any language of specific interest to readers of this blog, one amendment passed during the closing debate might be of interest.

Cyber Solarium Commission


Amendment SA 3710 (pg S5698) submitted by Sen. Sasse (R,NE) was included in a block of amendments referred to as ‘the manager’s package’ that were agreed to under the unanimous consent process (no vote, no discussion). The amendment allocated $4 million from the existing Operation and Maintenance, Defense-Wide account to fund the Cyber Solarium Commission established by §1652 of the John S. McCain National Defense Authorization Act for FY 2019.

I discussed the Solarium Commission in an earlier post, but it would essentially establish a commission to look at strategic concepts to defend cyber space.

As is becoming typical for Congress, this is not new money for the Commission, nor does it make any hard decisions about where the money will come from. It places that burden on DOD. Granted, $4 million is just a minor blip in the DOD budget, but some other program(s) will have to cut back operations to provide that money.

Moving Forward


Since this is a wholesale rewrite of the House bill, the bill heads back to the House for approval. The House will almost certainly ‘insist’ on their language forcing the bill to a conference committee. There is a decent chance that bill will make it back to the floor of the House and Senate before October 1st.

Commentary



I do want to mention in passing another amendment that was included in the manager’s package along with the Solarium Commission amendment; SA 3835 (pg 5774) submitted by Sen. Flake (R,AZ). Flake’s amendment would have prohibited DOD from spending any money on “the development of a beerbot or other robot bartender”. There have been some semi-serious press discussions about this boondoggle spending targeted by Flake’s amendment (see here and here for example), but if you dig down through the links and then read the paper on the MIT research project that started this whole thing, you can see that the research provides a detailed look at how to coordinate complex activities by cooperating robots which have applications far beyond beerbots. I suspect that the research will continue, but using some other sort of application; how about locating and disarming land mines? Of course, that research would have to be classified.


Saturday, August 25, 2018

Public ICS Disclosure – Week of 08-25-18


This week we have two vendor disclosures and three exploits for previously disclosed vulnerabilities; all for products from Schneider.

PowerLogic PM5560 Advisory


Schneider published an advisory for their PowerLogic PM5560 product for a cross protocol injection vulnerability. The vulnerability was reported by Ezequiel Fernandez and Bertin Jose. Schneider has an update available that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Modicon M221 Advisory


Schneider published an advisory for their Modicon M221 product for an improper check for unusual or exceptional conditions vulnerability. The vulnerability was reported by Yehonatan Kfir of Radiflow. Schneider has a firmware update available that mitigates the vulnerability. There is no indication that Kfir has been provided an opportunity to verify the efficacy of the fix.

Schneider Electric IGSS Exploit


Alejandro Parodi published exploit code for a remote code execution vulnerability in the Schneider Electric IGSS. This vulnerability was previously reported by ICS-CERT in January 2013.

Schneider Electric Serial Modbus Drive Exploits


Alejandro Parodi published exploit code (here and here) for two separate vulnerabilities in the Schneider Electric Serial Modbus Drive; a denial of service vulnerability and a remote code execution vulnerability. Both vulnerabilities were previously reported by ICS-CERT in March 2014.

Friday, August 24, 2018

Bills Introduced – 08-23-18


Yesterday with just the Senate in session there were 22 bills introduced. Of those one may be of specific interest to readers of this blog:

S 3378 A bill to impose sanctions with respect to state-sponsored cyber activities against the United States, and for other purposes. Sen. Gardner, Cory [R-CO]

I will be watching this bill for language specifically identifying industrial control system issues.

Thursday, August 23, 2018

ICS-CERT Publishes BD Advisory


Today the DHS ICS-CERT published a medical device security advisory for BD Alaris syringe pumps. The advisory describes an improper authentication vulnerability. The vulnerability was reported by Elad Luz of CyberMDX. BD has identified workarounds and there is no indication that BD intends to further mitigate this vulnerability.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to gain unauthorized access to various Alaris Syringe pumps and impact the intended operation of the pump when it is connected to a terminal server via the serial port.

PHMSA Sends Oil Spill Response Plan Rule to OMB


Yesterday the DOT’s Pipeline and Hazardous Material Safety Administration sent a final rule to the OMB’s Office of Information and Regulatory Affairs (OIRA) concerning oil spill response plans for Highly Hazardous Flammable Trains (HHFT). The notice of proposed rulemaking (NPRM) for this rule was published in August of 2016.

According to the Unified Agenda abstract for this rulemaking, this final rule will:

• Expand the applicability of comprehensive oil spill response plans (OSRP) based on thresholds of liquid petroleum oil that apply to an entire train;
• Require railroads to share information about high-hazard flammable train operations with State and Tribal emergency response commissions to improve community preparedness in accordance with the Fixing America's Surface Transportation Act of 2015 (FAST Act); and
• Incorporate by reference an initial boiling point test [probably ASTM D7900] for flammable liquids for better consistency with the American National Standards Institute/American Petroleum Institute Recommend Practices 3000, "Classifying and Loading of Crude Oil into Rail Tank Cars," First Edition, September 2014.

As I have noted on a number of occasions, this rulemaking will not address the response to fires and explosions that have been such an obvious part of so many crude oil spills over the last five years. The OSRP requirements are derived from the Clean Water Act and deal with oil getting into water ways. Until Congress addresses the issue of responding to oil spill fires, this rulemaking will have little impact on addressing response to crude oil train fires.

Wednesday, August 22, 2018

S 3311 Introduced – Voting Cybersecurity


Last month Sen. Blumenthal (D,CT) introduced S 3311, the Defending the Integrity of Voting Systems Act. The bill would amend the definition of ‘protected computer’ in 18 USC 1030 to include voting systems.

Protected Computer


Section 2 of the bill amends the definition of ‘protected computer’ §1030(e)(2) by adding “is part of a voting system”. It further clarifies that the voting system is either:

• Used for the management, support, or administration of a Federal election; or
• Has moved in or otherwise affects interstate or foreign commerce.

Moving Forward


Blumenthal and his two cosponsors {Sen. Graham (R,SC) and Sen. Whitehouse (D,RI)} are all members of the Judiciary Committee. This means that there is a good chance that they would have sufficient influence to have this bill considered in Committee. I do not see anything that would draw significant opposition to the bill. I suspect, however, that the current political back-and-forth on foreign political influence will cause slow movement on this bill, preventing consideration during the remaining months of this session.

Commentary


The big problem with this bill is the lack of definition of ‘voting system’. While the new paragraph §1030(e)(2)(C)(I) looks like an attempt at a definition by stating “is used for the management, support, or administration of a Federal election” the subsequent inclusion of the next phrase “or, has moved in or otherwise affects interstate or foreign commerce” compromises that definition by overly expanding the possible universe of covered computers. I understand that the crafters were trying to specifically include State and local government computers, but a broader reading of that language, especially the word ‘support’, is encouraged by the way Congress has been talking about ‘election interference’ to include influence operations on social media.

I also am concerned about any broadening of the scope of §1030 generally without some sort of effort to ensure that studies of computer systems by legitimate security researchers are not stymied by application of this section by prosecutors seeking to protect owners from the embarrassment of being publicly told that their computers are poorly secured.

Tuesday, August 21, 2018

ICS-CERT Publishes 2 Advisories and an Update


Today the DHS ICS-CERT published a control system security advisory for products from Yokogawa and a medical device security advisory for products from Philips. They also updated a previously published control system advisory for products from GE. The Yokogawa vulnerability is one of the two that I briefly addressed on Saturday.

Yokogawa Advisory


This advisory describes a stack-based buffer overflow vulnerability in the Yokogawa iDefine, STARDOM, ASTPLANNER, and TriFellows. The vulnerability affects the licensing function of the products. The vulnerability is self-reported. Yokogawa has updates available to mitigate the vulnerability.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow arbitrary code execution, or the stopping of the license management function.

Philips Advisory


This advisory describes an uncontrolled resource consumption vulnerability in the Philips IntelliVue Information Center iX. An unidentified user notified Philips of the problem. Philips has identified workarounds and expects to provide an update in the 3rd quarter, 2018.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to effect a denial of service; the operating system will become unresponsive due to the network attack, which will affect the application’s ability to meet the intended use.

GE Update


This update provides additional information on an advisory that was originally published on June 27th, 2012. The update provides a link to the GE advisory that was last updated on February 22nd, 2013. A document linked to in that advisory provides a more detailed description of the vulnerabilities and mitigation measures. That document was updated this weekend to correct broken links to the ICS-CERT; interestingly I cannot find any ICS-CERT links in either GE document.

Arkema Incident Indictments


On August 3, 2018 a Houston, TX grand jury returned indictments against Richard P. Rowe, Leslie Comardelle, and Arkema, Inc for the chemical releases that occurred as a result of the flooding from Hurricane Harvey. While there have been news reports about the indictments (see here, here, and here for example) I have held off commenting on the situation because I did not have access to copies of the indictments. A long-time reader has provided me a copy (without links, unfortunately) of the indictments, so here goes.

The Indictments


Each of the indictments includes four counts of:

“… failing to remove temperature sensitive organic peroxides from the Arkema facility located at 18000 Crosby Eastgate Road, Crosby, TX before the arrival of rainfall and / or flooding associated with Hurricane Harvey, recklessly caused the emission of an air contaminant, namely organic peroxides and / or byproducts of organic peroxides and / or petroleum distillates and / or soot and / or particulate matter on or about August 31st, 2017 thereby placing name in imminent danger of death or serious bodily injury, and said release was not in strict compliance with Chapter 382 of the Health and Safety Code, or a permit, variance or order issued by the Texas Commission on Environmental Quality.”

The four counts differed only by the names listed. Those names are:

• David Klosik (count #1);
• Shannon Wheeler (count #2);
• Christy Graves (count #3); and
• Steve Schreiber (count #4)

The Chemical Safety Board’s “Arkema Inc. Chemical Plant Final Investigation Report” notes (pgs 59-60) that on August 31st, five police officers and two emergency medical technicians were exposed to a black-smoke cloud as they drove down Highway 90 outside of the Arkema Plant. This section of road was well within the 1.5-mile evacuation zone around the plant established on August 29th. This route remained open to emergency response personnel because it was the only available route traversing the area that was not flooded. It was closed after the five police officers were exposed. Presumably, the four victims named in the indictments came from this pool of seven people.

The Law


The law cited in the indictments is Chapter 382 of the Texas Health and Safety Code, also known as the Texas Clean Air Act. While the indictment does not specify the section of the chapter that was violated by the three defendants, it would appear that it was §382.085, Unauthorized Emissions Prohibited. That section states in part: “a person may not cause, suffer, allow, or permit the emission of any air contaminant or the performance of any activity that causes or contributes to, or that will cause or contribute to, air pollution” {§382.085(a)}.

Typically, the Texas Commission on Environmental Quality (TCEQ) enforces the provisions of Chapter 382. The TCEQ has established provisions for enforcement of environmental rules under Title 30, Chapter 70 of the Texas Administrative Code. Two provisions of that chapter are probably specifically applicable to this case, §70.7 (Force Majeure) and §70.206 (Factors Considered in the Criminal Enforcement Review Process).

Section 70.7 provides that: “If a person can establish that an event that would otherwise be a violation of a statute, rule, order, or permit was caused solely by an act of God, war, strike, riot, or other catastrophe, the event is not a violation of that statute, rule, order, or permit”.

Section 70.206(a) sets forth the considerations that the TCEQ will include when determining whether or not a criminal enforcement action is necessary. The most pertinent one for this case would probably be §70.206(a)(2)(B); “the degree of culpability, including whether the violation was attributable to mechanical or electrical failures and whether the violation could have been reasonably anticipated and avoided”.

Arkema Preventive Activities


The CSB final report on the Arkema incident lays out in some detail the activities that Arkema undertook to prevent this incident, both in their process safety planning process and in their response to Harvey (before and during the storm). A full review of the process hazard assessment (PHA) for the organic peroxide storage is contained in Appendix C to the report.

The CSB report reminds us that there is no requirement for the conduct of a PHA for organic peroxides either under the OSHA Process Safety Management program or the EPA Risk Management Plan program because neither regulatory program addresses the chemical risks associated with reactive chemicals like organic peroxides.

While the Report takes issue with the common failure mode (flooding) of the protective measures put into place by Arkema to protect the organic peroxide storage from high temperatures, the report does note that “even if Arkema had applied this [the available flood protection] guidance before Hurricane Harvey, the incident likely would not have been averted” (pg 88).

Commentary


It is interesting that the indictments specifically fault Arkema for not “removing temperature sensitive organic peroxides” from the facility before the “arrival of rainfall and / or flooding” and not for having inadequate protective measures in place to prevent the overheating and subsequent fires that were seen at the facility. While removing the material from the facility would certainly have prevented this incident, the CSB report notes (pgs 86-7) that three previous hurricanes {Rosa (1994), Rita (2005) and Ike (2008)} that hit the facility did not have any effect on the storage of organic peroxides at the facility even though Rosa and a non-tropical storm in 2015 produced significant flooding at the site.

What concerns me most about these indictments is that the four counts each rely on the injuries to personnel who were operating within the evacuation zone at the orders of public officials. While I may agree that the maintenance of the Highway 90 route was of significant importance to public safety officials, requiring personnel to navigate that route without providing them with adequate personal protective equipment (PPE) when there was a distinct probability of a predicted exposure to organic peroxides and their combustion products was really the proximate cause of the injuries to these personnel. Responsibility for the exposure of these personnel does not rest with Arkema, it rests on the head of the public servants who failed to provide these individuals with the appropriate PPE and the training in its use before sending them into a probable exposure situation.

This is not an uncommon situation. Law enforcement personnel are routinely called to enter potential contamination zones to make notifications for evacuations and shelter-in-place during chemical release incidents. And almost as routinely they are injured by exposures to those releases because they have not been provided either chemical protective equipment nor detection equipment to identify and avoid contaminated areas. In many instances, and certainly in this case, the wearing of a filtered full-face respirator [like those worn during the employment of riot control agents] would have provided adequate protection of the personnel involved.

Furthermore, requiring law enforcement personnel to conduct what was in essence a chemical detection patrol of the route near the Arkema site without providing them with chemical detection equipment was a recipe for disaster if subsequent equipment convoys were cleared to pass through the area based upon a visual failure of detection of contamination.

The reckless action in this incident was not the failure to remove the organic peroxides from the facility; Arkema made a series of decisions based upon reasonable assumptions that ultimately failed due to the inadequacies of those assumptions. That happens frequently with assumptions. The reckless behavior was the requiring of public safety personnel to enter an area of known risk without providing them with reasonable and readily available protections against that risk. The wrong people have been indicted.

Monday, August 20, 2018

Committee Hearings – Week of 08-19-18


With just the Senate in session this week there will be three cybersecurity related hearings. They will address blockchain, critical infrastructure protection and election security.

Blockchain


On Tuesday the Energy and Natural Resources Committee will hold a hearing on “Energy Efficiency of Blockchain and Similar Technologies”. The witness list includes:

• Paul Skare, Pacific Northwest National Laboratory;
• Thomas Golden, Electric Power Research Institute;
• Claire Henly, Energy Web Foundation;
• Arvind Narayanan, Princeton University; and
• Robert Kahn, Corporation for National Research Initiatives

As with any technical topic like this, it will be interesting to see during the questioning period how well the staff has prepped the Committee Members.

Critical Infrastructure Protection


On Tuesday the Crime and Terrorism Subcommittee of the Judiciary Committee will hold a hearing on “Cyber Threats to Our Nation’s Critical Infrastructure”. The witness list includes:

• Sujit Raman, DOJ;
• Michael J. Moss, Office of the Director of National Intelligence;
• Robert Kolasky, NPPD, DHS;
• Thomas A. Fanning, Southern Company; and
• James A. Lewis, Center for Strategic and International Studies

I certainly expect that control system security, at least in the energy sector, will receive some attention during this hearing.

Election Cybersecurity


On Wednesday the Rules and Administration Committee will hold a mark-up hearing on S 2593, the Secure Elections Act. Substitute language will be considered. I have not covered this bill here and am only mentioning this hearing in passing.

On the Floor


The Senate will continue working on HR 6157 the DOD spending bill that is being expanded to include Health, Human Services and Education in the substitute language being considered in the Senate. A final vote on this bill is possible this week. No cybersecurity related amendments have been offered to date.

ISCD Publishes Anhydrous Ammonia Flyer


On Friday the DHS Infrastructure Security Compliance Division (ISCD) published a notice in the “Latest News” section of the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center that they have a new flyer for shippers of anhydrous ammonia. That notice does not provide a link to the flyer; that has to be found by scrolling down the “Fact Sheets and Flyers” list on the same page.

The intent of this flyer is very similar to the generic COI shipping flyer that was published in July 2017. It is part of the ISCD outreach program to try to ensure that all facilities that receive DHS chemicals of interest (COI) are aware of the reporting requirements for the CFATS program. ISCD is not requiring companies to send this flyer to their anhydrous ammonia customers; it is not clear that they have the legal authority to make such a demand. This may, however, be something that Congress may consider providing in the expected extension of the CFATS program.

The advantage (from the DHS perspective) of this type of chemical specific flyer over the generic flyer published earlier is that this flyer is able to include the specific screening threshold quantity (STQ) for anhydrous ammonia. It is also able to specifically address the agriculture reporting exception for some uses of anhydrous ammonia and that exception was not addressed at all in the generic flyer.

The extensive use of anhydrous ammonia as a refrigerant means that this chemical is shipped to a large number of facilities that would not normally consider themselves to be ‘chemical companies’. It would be expected that such companies might not be aware of the CFATS program, though ISCD has attempted to reach out to such facilities through a number of industry organizations that represent them. I would suspect that ISCD will also reach out to those organizations to ask them to distribute this flyer as well.

NOTE: The CFATS Resources page has not yet been updated to reflect this new flyer. I expect that will happen sometime this week.

Saturday, August 18, 2018

Public ICS Disclosures – Week of 08-11-18


This week we have three vendor disclosures, from Yokogawa (2) and Belden, and an advisory update from Siemens. There are also two disclosures from VDE-CERT for products from Phoenix Contact and WAGO. Both of those disclosures pointed to an interesting research paper on “Measuring PLC Cycle Times under Attacks”.

Vnet/IP Network Switches Advisory


Yokogawa reports a debug vulnerability in their Vnet/IP network switches. The vulnerability is due to a third-party software issue (see the Belden advisory below). Yokogawa reports a workaround since there “is no provision of firmware’s which are countermeasures against this vulnerability”.

License Management Advisory


Yokogawa reports a buffer overflow vulnerability in the license management function in a number of their products. Yokogawa has an update that mitigates the vulnerability. The advisory notes that ICS-CERT has been notified so there is a strong chance that this will be reported by ICS-CERT in the coming week.

Belden Advisory


Belden reports (.PDF Download) 16 separate vulnerabilities in the tcpdump functionality of their OWL industrial routers and HiOS Ethernet switches. Belden provides a workaround and notes that the tcpdump functionality is inactive by default.

NOTE: This advisory is actually dated July 27th, 2018 (and thus outside of this week’s window), but because of its relation to the Yokogawa advisory it is being included here, given the potential for other vendors to be affected. Also note that the CVEs for the vulnerabilities date back to 2016 and 2017. That indicates that either it took a long time to figure out the minor workaround, or Belden was not really concerned about these vulnerabilities.

Siemens Update


Siemens updated their general customer advisory for the Spectre/Meltdown vulnerabilities. The advisory was last updated on July 17th, 2018. This update adds information on the L1 Terminal Fault / Foreshadow variants of the vulnerabilities.

NOTE: The latest version (update H) of the ICS-CERT alert on Spectre/Meltdown still does not mention the newer variants of the vulnerabilities reported in this Siemens advisory.

Phoenix Contact Advisory


VDE-CERT reports an uncontrolled resource consumption vulnerability in the Phoenix Contact ILC 1x1 ETH. The vulnerability was reported by Matthias Niedermaier (Hochschule Augsburg), Jan-Ole Malchow (Freie Universität Berlin) and Florian Fischer (Hochschule Augsburg). A generic workaround has been provided.

WAGO Advisory


VDE-CERT reports an uncontrolled resource consumption vulnerability in the WAGO 750-8xx Controllers. The vulnerability was reported by Matthias Niedermaier (Hochschule Augsburg), Jan-Ole Malchow (Freie Universität Berlin) and Florian Fischer (Hochschule Augsburg). A generic workaround has been provided.

Measuring PLC Cycle Times under Attacks


The research paper behind the Phoenix Contact and WAGO vulnerabilities discussed above provides an interesting look at the possibility of detecting on-going control-system attacks by monitoring PLC cycle times. As an academic look at this potential attack-detection technique, the paper is well worth reading. From a process chemist’s point of view it also points out a specific, unintended process problem that these attacks might pose, one that could itself provide an indication of an on-going cyber-attack.

One of the problems that a process engineer/chemist has to deal with in designing a control system scheme in the chemical industry (and that is probably true for other industries as well) is the lag time between when a process indicator (sensor) notes that a process state needs to be changed and when the process actuator (valve for example) can complete its action to effect that change. A great deal of effort goes into ‘tuning’ the system to minimize the potential adverse impacts caused by that time lag.

This paper notes that a variety of attacks can affect the lag time within the PLC. Normally, this portion of the total lag time is small and nearly constant, so it is essentially ignored in the tuning process. This paper notes that in some attacks the lag time can be increased by up to several seconds (this can be an eternity in critical portions of many chemical reactions). To make things even more interesting, it appears that tcpdump attacks (like those discussed in the Yokogawa and Belden advisories above) can actually speed up the PLC processing and decrease the overall lag time, creating a whole new set of process problems.

This means that certain types of process upsets can be an indication of on-going cyber-attacks on control systems. To say the least, this complicates the job of the process overseers (another root cause possibility that needs to be examined), but it could provide control systems engineers with a warning to check their systems for other signs of attacks.
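The monitoring idea in the paragraphs above can be demonstrated with a few lines of code. The following is an added example, not code from the paper or from any PLC vendor: it learns a baseline scan-cycle time from the first samples, then flags both the slowdowns and the speed-ups the paper describes, and totals the extra loop latency each run of anomalous cycles introduces. The median/MAD threshold, the 10 ms nominal cycle, the sample values and the function names are all my own assumptions for illustration; the paper’s own metrics and thresholds are not reproduced here.

```python
"""PLC scan-cycle time monitor (added illustration, not from the paper or any vendor).

Baseline = median and MAD of the training window; a sample is flagged when it
deviates from the median by more than k scaled MADs in either direction.
"""
from statistics import median


def make_samples():
    """Constructed sample: scan-cycle times in ms, ~10 ms nominal (assumption).

    Indices 0-29 are the quiet baseline, 30-34 mimic a slowdown under a
    resource-consumption attack, 35-39 are quiet again, 40-44 mimic a speed-up.
    """
    base = [10.0 + (i % 3) * 0.1 for i in range(30)]
    slow = [250.0, 900.0, 1500.0, 1200.0, 300.0]
    fast = [7.0, 6.5, 6.8, 7.1, 6.9]
    return base + slow + base[:5] + fast


def baseline(samples, n_train):
    """Median and a robust scale (MAD) from the first n_train samples.

    A perfectly regular PLC gives MAD == 0, which would flag everything, so the
    scale is floored at 5% of the median (assumption, tune per installation).
    """
    train = samples[:n_train]
    med = median(train)
    mad = median(abs(x - med) for x in train)
    return med, max(mad, 0.05 * med)


def classify(samples, n_train=30, k=5.0):
    """Return (index, value, label, delta_ms) for every anomalous cycle after training."""
    med, scale = baseline(samples, n_train)
    events = []
    for i in range(n_train, len(samples)):
        x = samples[i]
        dev = (x - med) / scale
        if dev > k:
            events.append((i, x, "slowdown", x - med))
        elif dev < -k:
            events.append((i, x, "speedup", x - med))
    return events


def runs(events):
    """Group consecutive same-label events and sum the extra loop latency per run.

    extra_ms is the cumulative deviation from the baseline cycle, i.e. how much
    additional (or missing) delay the control loop saw during the run.
    """
    out = []
    for idx, _x, label, delta in events:
        if out and out[-1]["label"] == label and out[-1]["end"] == idx - 1:
            out[-1]["end"] = idx
            out[-1]["extra_ms"] += delta
        else:
            out.append({"start": idx, "end": idx, "label": label, "extra_ms": delta})
    return out


if __name__ == "__main__":
    for r in runs(classify(make_samples())):
        print(f"cycles {r['start']}-{r['end']}: {r['label']}, "
              f"{r['extra_ms']:+.1f} ms of loop latency relative to baseline")
```

On the constructed data the slowdown run adds roughly four seconds of loop latency, which is the “eternity” the text refers to, and the speed-up run is reported as negative latency. In a real deployment the cycle-time source would be the PLC’s own diagnostics or a timestamped heartbeat tag read from the historian, and the baseline should be re-learned per program download, since a legitimate logic change also shifts the cycle time.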

Friday, August 17, 2018

ICS-CERT Publishes 3 Advisories


Yesterday the DHS ICS-CERT published two control system security advisories for products from Tridium and Emerson and a medical device security advisory for products from Philips. The Tridium advisory was previously published on the HSIN ICS-CERT library on July 10, 2018. For more on this HSIN resource see the final section below.

Tridium Advisory


This advisory describes two vulnerabilities in the Tridium Niagara controller. The vulnerabilities were reported by Johnathan Gains and Leet Cyber Security. Tridium has updates available that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Path traversal - CVE-2017-16744; and
• Improper authentication - CVE-2017-16748

ICS-CERT reports that an uncharacterized attacker could remotely exploit these vulnerabilities to crash the device being accessed; a buffer overflow condition may allow remote code execution.

Emerson Advisory


This advisory describes four vulnerabilities in the Emerson DeltaV DCS Workstations. The vulnerabilities were reported by Younes Dragoni of Nozomi Networks and Ori Perez of CyberX. Emerson has a patch available that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Uncontrolled search path element - CVE-2018-14797;
• Relative path traversal - CVE-2018-14795;
• Improper privilege management - CVE-2018-14791; and
• Stack-based buffer overflow - CVE-2018-14793

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow arbitrary code execution, malware injection, or malware to spread to other workstations.

Philips Advisory


This advisory describes two vulnerabilities in the Philips PageWriter Cardiographs. Philips is self-reporting these vulnerabilities to ICS-CERT. Philips has produced generic workarounds and plans to issue updates to mitigate the vulnerabilities in the middle of next year.

The two reported vulnerabilities are:

• Improper input validation - CVE-2018-14799; and
• Use of hard-coded credentials - CVE-2018-14801

ICS-CERT reports that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to allow buffer overflows or allow an attacker to access and modify settings on the device.

HSIN Library


It has been a while since I mentioned the ICS-CERT library on the Homeland Security Information Network. This restricted access, on-line resource provides ICS-CERT a method of sharing information with the user community for vulnerabilities that may affect critical homeland resources. This restricted release is designed to allow owners a chance to implement mitigation measures before the vulnerability becomes public knowledge.

For more information about this program and to request access see this ICS-CERT page.

Thursday, August 16, 2018

Senate to Take Up HR 6157 – FY 2019 DOD Spending


Yesterday the Senate returned from the first part of their abbreviated summer recess. As part of their August agenda it was announced that they would take up HR 6157, the Department of Defense Appropriations Act, 2019. There are at least two nominations that will be dealt with before the consideration process begins on that bill.

The amendment process began yesterday with three amendments being offered. The most important will be SA 3695 (pg S5622-59) being offered by Sen. Shelby (R,AL). This is the substitute language that will be considered instead of the House language on the bill. This language was generally taken from S 3159 (the Senate version of the bill), but also includes language from S 3158, the Departments of Labor, Health and Human Services, and Education, and Related Agencies Appropriations Act, 2019. Neither bill has been reviewed here as I found little of specific interest to readers of this blog.

Wednesday, August 15, 2018

ISCD Publishes 2018 Regional Meeting Presentations


Today the DHS Infrastructure Security Compliance Division (ISCD) published a notice on the Chemical Facility Anti-Terrorism Standards (CFATS) landing page that ‘select presentations’ from the 2018 Regional Meetings are available on the Chemical Sector Regional Event Presentations page.

Five presentations are available:


After a quick review of each of the slide sets, it is easy to tell that there is worthwhile information available just from reviewing the slides. If the presenters were worth anything at all (and I expect that they were well prepared), then the oral presentations provided a lot more information, clarification and insight. Unfortunately, not everyone has a travel budget that allows for attending a regional meeting; this is why I have advocated for the use of either video conferencing or at least video recording of the key presentations at meetings such as this.

I was disappointed that two presentations were not included in the selection published today. The ones that I was also hoping to see were:

• Cybersecurity Capability Overview; and
• Malicious Use of Drones

Tuesday, August 14, 2018

ICS-CERT Publishes 4 Advisories


Today the DHS ICS-CERT published three control system security advisories for products from Siemens and one medical device security advisory for products from Philips. The three Siemens advisories were briefly discussed here over the weekend.

Automation License Manager Advisory


This advisory describes two vulnerabilities in the Siemens Automation License Manager. The vulnerabilities were reported by Vladimir Dashchenko from Kaspersky Lab. Siemens has updates available to mitigate the vulnerabilities. There is no indication that Dashchenko was provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Relative path traversal - CVE-2018-11455; and
• Improper input validation - CVE-2018-11456

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow remote code execution or to determine port status on another remote system.

OpenSSL Advisory


This advisory describes a cleartext transmission of sensitive information vulnerability in a number of Siemens industrial products. The vulnerability is being self-reported by Siemens. Siemens has updates for some of the affected products and continues to work on the remainder.

ICS-CERT reports that an uncharacterized attacker could remotely exploit this vulnerability to result in unencrypted data being transmitted by the SSL/TLS record layer.

SIMATIC Advisory


This advisory describes two incorrect default permissions vulnerabilities in the Siemens SIMATIC STEP 7 (TIA Portal) and SIMATIC WinCC (TIA Portal). The vulnerabilities were reported by Younes Dragoni from Nozomi Networks. Siemens has updates that mitigate the vulnerabilities. There is no indication that Dragoni has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker with local access could exploit these vulnerabilities to manipulate files and cause a denial-of-service condition, or execute code both on the manipulated installation and on devices configured using the manipulated installation.

Philips Advisory


This advisory describes two vulnerabilities in the Philips IntelliSpace Cardiovascular (ISCV)/Xcelera server products. Philips identified the problem as a result of a customer complaint. Philips has produced a workaround pending publication of an updated version.

The two reported vulnerabilities are

• Improper privilege management - CVE-2018-14787; and
• Unquoted search path or element - CVE-2018-14789

ICS-CERT reports that a relatively low-skilled attacker with local access and user privileges on the ISCV/Xcelera server could exploit these vulnerabilities to escalate privileges on the ISCV/Xcelera server and execute arbitrary code.

S 3309 Introduced – Cyber Incident Response Teams


Last month Sen. Hassan (D,NH) introduced S 3309, the DHS Cyber Incident Response Teams Act of 2018. This bill is nearly identical to HR 5074, which was passed in the House in March on a voice vote. The bill essentially authorizes the existing response teams of the US-CERT and ICS-CERT in the National Cybersecurity and Communications Integration Center (NCCIC).

The differences between the two bills are editorial in nature and are only of interest to legislative grammarians. This new version does still include the same ‘control system security’ language found in the House bill. Similarly, it does not include a definition of ‘control system’.

Moving Forward


Both Hassan and her cosponsor, Sen. Portman (R,OH), are members of the Senate Homeland Security and Governmental Affairs Committee to which this bill (and HR 5074) was assigned for consideration. Normally, this would mean that there would be a possibility that the bill could be considered in Committee. This late in the session, however, I suspect that the only consideration that this bill will receive is as a potential amendment to the DHS authorization bill when that bill comes up for consideration after the election.

Nothing in this bill should draw any sort of opposition other than the fact that it would require the House to subsequently reconsider their vote on HR 5074, a cumbersome process going into election season. I suspect that if the Senate were to take up this bill as a stand-alone measure it would consider the House language under the unanimous consent process.

Commentary


Since the existing response teams from NCCIC are already included in the DHS funding, there is no real need in either of these bills for authorization of new funding. It would have been helpful for Congress to increase the funding so that the activities (and number) of these teams could be expanded, but that is unlikely in the current spending climate.

Of specific interest is the language specifically authorizing the use of “cybersecurity specialists from the private sector” {new §148(f)(2)}. This establishes the Congressional intent that these teams are not an inherently governmental service. This may have some interesting legal implications further down the road.

There are two other interesting things missing from this authorization language (in both bills). First, there is no mention of protections for the information gathered by the response teams. This means that there is no specific reason why a Freedom of Information Act request for results of the investigations of these teams should be denied. This could be a cause for organizations to not request support from these teams.

The second is the lack of any requirement for these teams to coordinate their activities with the FBI or some other law enforcement activity. Nor is there any requirement to preserve forensics evidence during the investigations conducted by these teams. At some point the government is going to have to go after the folks conducting these attacks and the preservation of chain of custody and other legal requirements of preserving evidence is going to raise its ugly head.

Monday, August 13, 2018

S 3288 Introduced – Cybercrime


Last month Sen. Graham (R,SC) introduced S 3288, the International Cybercrime Prevention Act. The bill would make a number of amendments to 18 USC that are intended to make it easier to prosecute a variety of cybercrimes and to effectively increase the punishments available for such crimes by allowing for seizures and forfeitures in conjunction with the prosecution of those crimes.

Racketeering


Section 2 of the bill would add language to 18 USC 1956 (Laundering of monetary instruments) that would include §2512 (Manufacture, distribution, possession, and advertising of wire, oral, or electronic communication intercepting devices prohibited) as a predicate act for §1956. It would additionally add language to §1961 (Definitions section of the RICO chapter) that would include violations of §1030 (Fraud and related activity in connection with computers) in the crimes which could be included in the definition of ‘racketeering activity’.

Forfeiture


Section 3 of the bill completely rewrites §2513 (Confiscation of wire, oral, or electronic communication intercepting devices). First it expands the confiscation authority to include ‘other property’, meaning “any property, real or personal, constituting or derived from any gross proceeds, or any property traceable to such property, that such person obtained or retained directly or indirectly” {new §2513(a)(1)(A)} as a result of a violation of §2511 (Interception and disclosure of wire, oral, or electronic communications prohibited) or §2512.

Section 3 provides for criminal forfeiture proceedings using the procedures established for controlled substances under 21 USC 853 and for civil forfeiture proceedings using the procedures established under 18 USC Chapter 46.

Botnets


Section 4 of the bill amends 18 USC 1345 (Injunctions against fraud). First it expands the heading of the section to read “Injunctions against fraud and abuse” {§4(a)(1)}. Then it adds a new subparagraph (a)(1)(D) which adds a violation of §1030(a)(5) to the list of offenses under which §1345 allows the Attorney General to “commence a civil action in any Federal court to enjoin such violation” {existing §1345(a)(1)}. The §1030 offense may only be included if it adversely affects 100 or more protected computers in a one-year period.

Critical Infrastructure Computer


Section 5 of the bill would add a new §1030A (Aggravated damage to a critical infrastructure computer) to 18 USC. This new section would make it separately illegal during the violation of §1030 “to knowingly cause or attempt to cause damage to a critical infrastructure computer” {new §1030A(a)} if the damage results in substantial impairment of:

• The operation of the critical infrastructure computer; or
• The critical infrastructure associated with such computer

The section uses the definition of ‘computer’ and ‘damage’ from §1030. The definition of ‘critical infrastructure’ is spelled out in §1030A(d)(2). In general it is a pretty generic definition except that it specifically adds “including voter registration databases, voting machines, and other communications systems that manage the election process or report and display results on behalf of State and local governments”.

18 USC 1030 Amended


Section 6 of the bill amends 18 USC 1030. First it adds a new subparagraph (8) to §1030(a) that essentially expands the list of potential offenses covered under this computer fraud statute. The new offense would be trafficking “in the means of access to a protected computer” {new §1030(a)(8)}. While similar to §1030(a)(6), it does not include the ‘intent to defraud’ language of that section. It does include a requirement that the trafficker knows that the recipient of the means of access intends to use that access to “damage a protected computer in a manner prohibited by this section” or to “violate section 1037 [Fraud and related activity in connection with electronic mail; link added] or 1343 [Fraud by wire, radio, or television; link added]”.

Section 6 then goes on to add to §1030 the same forfeiture provisions that section 3 of the bill adds to §2513 (described above).

Moving Forward


Graham is a member of the Senate Judiciary Committee and the Chair of its Subcommittee on Crime and Terrorism. It is very likely that he has sufficient influence to see this bill considered in Committee. His two Democratic cosponsors {Sen. Blumenthal (D,CT) and Sen. Whitehouse (D,RI)} are also influential members of the Judiciary Committee, so it would appear that there will be at least some bipartisan support for the legislation.

I will be very surprised if this bill makes it through the Committee process this late in the session. It almost certainly will not make it to the floor of the Senate, because this is a complex bill that would require floor debate and an amendment process that would interfere with the work the Senate needs to complete before the end of the year.

Saturday, August 11, 2018

Public ICS Disclosures – Week of 08-04-18


This week we have four vendor advisories from Siemens (3) and ABB and an update of a vendor advisory from Siemens. There were also a number of BlackHat Briefings this week that touched on control system security issues.

Automation License Manager Advisory


Siemens reported two vulnerabilities in their Automation License Manager. The vulnerabilities were reported by Vladimir Dashchenko from Kaspersky Lab. Siemens has updates available to mitigate the vulnerabilities. There is no indication that Dashchenko was provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Directory traversal - CVE-2018-11455; and
• Network scanning vulnerability - CVE-2018-11456

OpenSSL Advisory


Siemens reported an ‘open error state’ vulnerability in the OpenSSL implementation in a number of Siemens Industrial Products. This third-party software vulnerability is being self-reported by Siemens. Siemens has developed updates for some of the affected products (additional work is ongoing) to mitigate the vulnerability.

As always with third-party software issues, there is always the possibility that this vulnerability may affect control system products from other vendors.

SIMATIC Advisory


Siemens reported two improper file permission vulnerabilities in their SIMATIC Step 7 and WinCC products. The vulnerabilities were reported by Younes Dragoni from Nozomi Networks. Siemens has updates for some of the affected products and has reported work arounds.

NOTE: Siemens notes that these vulnerabilities were coordinated through ICS-CERT, so we will probably see them reported by ICS-CERT next week.

ABB Advisory


ABB reported (registration required) an LDAP authentication vulnerability in their eSOMS product. The vulnerability was reported by an undisclosed researcher. ABB is working on a new version to mitigate the vulnerability and has reported a workaround.

Siemens Update


Siemens updated their Spectre/Meltdown advisory. This advisory was last updated on June 26th, 2018. This latest update adds update information for SIMATIC IPC6x7C, SIMATIC IPC8x7C, SIMOTION P320-4S, and SIMOTION P320-4E.

BlackHat Briefings


The latest BlackHat conference was held in Las Vegas this week. There were six briefings that the conference web site identifies as touching on Smart Grid/Industrial Security. They were:



Speaker: Thomas Roth

Speaker: Justin Shattuck


Speaker: Balint Seeber

 
/* Use this with templates/template-twocol.html */