Saturday, September 29, 2018

Public ICS Disclosures – Week of 09-22-18


This week we have two vendor disclosures from Yokogawa and Phoenix Contact. The Yokogawa report could show up on the NCCIC-ICS site next week.

Yokogawa


The Yokogawa advisory describes four vulnerabilities in their STARDOM controllers. The vulnerabilities were reported by VDLab of Venustech. A new software version mitigates one of the vulnerabilities and Yokogawa has provided generic workarounds for the remaining three. There is no indication that VDLab has been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities (no CVE numbers are reported) are:

• Vulnerability of credential management;
• Denial of service vulnerability to remote management function;
• Hardcoded credential vulnerability of maintenance function; and
• Memory exhaustion vulnerability by not permitted request.

Phoenix Contact


The Phoenix Contact advisory describes an incorrect handling of web request vulnerability in their Phoenix Contact AXL F BK bus coupler. The vulnerability was reported by Anne Borcherding, Steffen Pfrang, David Meier and Christian Haas from Fraunhofer IOSB. Phoenix Contact has provided generic workarounds to mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Bills Introduced – 09-29-18


Yesterday with both the House and Senate in session there were 68 bills introduced. Of those, I will be covering one here in this blog:

HR 6992 To reauthorize the Chemical Facility Anti-Terrorism Standards Program of the Department of Homeland Security. Rep. Katko, John [R-NY-24]

This is the long awaited CFATS reauthorization bill from the House. Katko is a Subcommittee Chair in the House Homeland Security Committee and an influential member of the Energy and Commerce Committee. This means that there is a good chance that this bill will be addressed in each Committee in a timely manner.

Neither of Katko’s two cosponsors are members of either of those two committees. I had hoped to see a senior Democrat as a cosponsor of the House bill to show that there would be bipartisan support for the bill. Interestingly, the two cosponsors {Rep Moolenaar (R,MI) and Rep Cuellar (D,TX)} are members of the House Appropriations Committee. This might indicate a potential move to include the language in this bill in the final spending bill of the year; the DHS minibus that will be taken up after the election.

It will be interesting to see how similar this bill is to S 3405, the Senate CFATS reauthorization bill.

Friday, September 28, 2018

Senate HSGAC Committee Amends and Adopts Bills – 09-26-18


Earlier this week the Senate Homeland Security and Governmental Affairs Committee held a business meeting at which a number of bills were considered, amended and ordered favorably reported. As is typical of the Senate committee operations, there are no public copies of the amendments provided before or after hearings. We will have to wait to see the reported version of the bill to see exactly what changes have been made.

S 3405 – CFATS Reauthorization


Sen. Johnson (R,WI) offered substitute language on the bill which was subsequently modified by two amendments by Sen. McCaskill (D,MO). All three amendments were adopted by voice votes as was the final bill.

There was some interesting back and forth between Johnson and McCaskill about this bill. McCaskill was concerned about the lack of bipartisan effort in the writing of this bill. She went so far as to complain about ‘industry being in driver’s seat’ in writing the bill [35:07 in the video]. She gave an example of this continuing during the substitute language development where whistleblower protections were added to last week’s draft of the language but were subsequently removed before this week’s hearing.

At the end of that discussion McCaskill made the comment that the bill “will not get my consent on the floor unless we get the whistleblower protections back in the bill” [39:26]. This referred back to an off-mike discussion between Johnson and the staff where he was apparently reminded that the bill will have to be considered on the Senate floor under the unanimous consent process rather than the ‘normal’ debate and amend process. This is due to the lack of time remaining in the session.

McCaskill had two amendments that were offered, considered, and adopted by voice vote. The first had to do with the recognition program. She noted that changes were made to the recognition program [40:04] and her first amendment would modify that language to authorize a DHS mechanism to recognize stewardship programs.

McCaskill’s second amendment to the bill had something to do with the revised explosive exemption language in the bill. Again, she thought [42:38] that either the original language or the revised language (it is not clear) went too far in bending to the desires of the explosives industry.

McCaskill did not have language ready to put whistleblower language back in the bill. As I noted above she vowed to object to the bill if it came to the floor for consideration without the language. We may see the material added to the bill between the time the report is published and the time that it comes to the floor for a vote.

Other Bills of Interest


There were a total of about 40 bills considered in the hearing this week. Most of them were considered en bloc near the end of the hearing, being passed with a single voice vote. These included:

S 278, the Support for Rapid Innovation Act of 2017 – Substitute language;
S 3085, the Federal Acquisition Supply Chain Security Act of 2018 – Substitute language and additional amendment; and
S 3309, the DHS Cyber Incident Response Teams Act of 2018 – Substitute language and additional amendment;

Commentary


Johnson made a point early in the hearing (in relation to a bill that did not end up being considered) about how the Committee works together in a ‘non-partisan’ manner. This is certainly the normal course of events in the Committee. This makes S 3405 very much an oddity in the process as it was written without the input of the Democrats on the Committee (or the Minority Staff). McCaskill’s displeasure with the process was evident in this week’s hearing, but she will go along with Johnson, as long as her party’s minimum requirements are met (whistleblower language). It is not clear that other Democrats in the Senate (not on the Committee; those McCaskill will almost certainly keep in line) will play along.

One Democrat that will have to be watched with respect to this bill is Sen. Markey (D,MA). With his recent attempts to frame himself as a cybersecurity expert, he might be expected to object to the removal of the cybersecurity risk-based performance standards from the CFATS program. Another senator with an interest in cybersecurity that also might object is Sen. Blumenthal (D,CT). That is, of course, if those provisions remain in the bill as amended.

4 ICS Advisories


Yesterday the DHS NCCIC-ICS (okay, I finally gave in; ICS-CERT is gone; please clean up the web site) published four control system security advisories for products from Delta Electronics, Fuji Electric (2) and Emerson.

Delta Advisory

This advisory describes an out-of-bounds read vulnerability in the Delta Industrial Automation PMSoft software development tool. The vulnerability was reported by Mat Powell via ZDI. Delta has an update available that mitigates the vulnerability. There is no indication that Powell has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to read confidential information.

FRENIC Advisory


This advisory describes three vulnerabilities in the Fuji FRENIC HVAC drive devices. The vulnerability was reported by Michael Flanders and Ghirmay Desta via ZDI. Fuji is working on mitigation measures.

The three reported vulnerabilities are:

• Buffer over-read - CVE-2018-14790;
• Out-of-bounds read - CVE-2018-14798; and
• Stack-based buffer overflow - CVE-2018-14802

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow for arbitrary remote code execution affecting the availability of the device.

Alpha5 Advisory


This advisory describes two buffer-overflow vulnerabilities in the Fuji Alpha5 Smart Loader servo drive. The vulnerability was reported by Michael Flanders via ZDI. Fuji is working on mitigation measures.

The two reported vulnerabilities are:

• Classic buffer overflow - CVE-2018-14788; and
• Heap-based buffer overflow - CVE-2018-14794

NCCIC-ICS reports that a relatively low-skilled attacker could remotely use publicly available exploits to allow for arbitrary remote code execution on the device.

NOTE: It is disappointing that Fuji was not even able to provide workaround security measures for these two product lines. Does anyone know if NCCIC-ICS is still giving the 45-day grace period before publishing their advisories?

Emerson Advisory


This advisory describes two vulnerabilities in the Emerson AMS Device Manager. The vulnerabilities were reported by Sergey Temnikov of Kaspersky Lab and Emerson. Emerson has patches available to mitigate the vulnerabilities. There is no indication that Temnikov has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Improper access control - CVE-2018-14804; and
• Improper privilege management - CVE-2018-14808

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to

Thursday, September 27, 2018

Bills Introduced – 09-26-18


Yesterday with both the House and Senate in Session (and the election recess quickly approaching) there were 61 bills introduced. Of those, three may receive additional attention in this blog:

HR 6913 To direct the Secretary of Commerce to establish a working group to recommend to Congress a definition of blockchain technology, and for other purposes. Rep. Guthrie, Brett [R-KY-2]

H Res 1082 Providing for the concurrence by the House in the Senate amendment to H.R. 302, with an amendment. Rep. Williams, Roger [R-TX-25]

S 3513 A bill to establish a deadline for the establishment of a process to allow applicants to petition the Administrator of the Federal Aviation Administration to prohibit or restrict the operation of an unmanned aircraft in close proximity to a fixed site facility. Sen. Cortez Masto, Catherine [D-NV]

With the exception of H Res 1082 (which passed in the House yesterday by a vote of 398 to 23) it is unlikely that these bills will see any action between now and the end of the session in December.

The resolution is the vehicle for changing HR 302 into the FAA Reauthorization Act (plus boondoggles) that I described on Tuesday. I presume that the actual text of the amendment is what I linked to in that post, but we will have to wait and see what is actually included in the official text to be sure.

I am assuming that the ‘blockchain’ definition being requested in HR 6913 will be related to cybersecurity, but it is really too early to be sure. I am not sure for what use Guthrie is intending the definition, but this will be interesting to watch, if and when this is addressed.

S 3513 becomes potentially important with yesterday’s inclusion of the ‘Preventing Emerging Threats Act of 2018’ language in the revised HR 302. Declaring UAS ‘no fly zones’ around critical infrastructure will be ineffective unless Congress gets around to extending authorization to intercept violating UAS, but this could be an important first step; again if and when this is passed.

Wednesday, September 26, 2018

Bills Passed Under Suspension of Rules in House – 09-25-18


Yesterday as part of their consideration of bills under suspension of the rules, the House passed two bills that I have been covering here; HR 6620, the Protecting Critical Infrastructure Against Drones and Emerging Threats Act and HR 6229, the National Institute of Standards and Technology Reauthorization Act of 2018. Both bills passed by voice vote.

As is typical for bills considered under this procedure there was limited debate on each bill (10 minutes on HR 6620 and 17 minutes on HR 6229). Nary a word was said in opposition.

Tuesday, September 25, 2018

House Set to Pass Anti-UAS Provisions?


Yesterday I ran across (and was pointed to by a couple of readers) an interesting NBC News article that was headlined: “New law would give federal government the right to shoot down private drones inside U.S.”. I thought that it was an oddly timed article on a couple of bills that I had previously reviewed here (HR 6401 or S 2836), but I went on and read it anyway. It turns out that I was right and woefully wrong.

HR 302 – FAA Reauthorization


The article noted that the bill was part of the FAA reauthorization bill that will be considered in the House tomorrow. I quickly did a search on my machine for FAA reauthorization bills and came up with HR 4, which was passed in the House in April and awaits Senate action. That bill did not contain any anti-UAS provisions and would not be reconsidered in the House until the Senate took action.

So next I looked at the House Majority Leader’s schedule page and scanned down to Wednesday, and sure enough there was a listing for HR 302, the FAA Reauthorization Act of 2018. It’s not listed in my files, so I have not covered it; odd.

Then I looked on the Congress.gov web site and found HR 302, the Sports Medicine Licensure Clarity Act of 2017 (well that explains why I did not cover it). The listing for HR 302 on that site contains no mention of the FAA nor UAS; something is starting to smell here.

So I go back to the Majority Leader’s page and click on the link provided there to HR 302 and lo and behold I find a monstrosity; a very much amended version of HR 302 that is indeed renamed the FAA Reauthorization Act of 2018 and that includes so much more.

One last thing to check, I go to the House Transportation and Infrastructure Committee web site and see what I can find there. On that site I find a press release on HR 302 that explains that:

“House and Senate Committee leaders tonight announced that they have reached a bipartisan final agreement on legislation that provides long-term stability and critical reforms to the Federal Aviation Administration (FAA) and transforms federal disaster programs to better prepare communities for disaster. The agreement also includes a reauthorizations and reforms of the Transportation Security Administration (TSA) and the National Transportation Safety Board (NTSB).”

The press release concludes by explaining:

“The announced agreement includes the FAA Reauthorization Act of 2018, the Disaster Recovery Reform Act of 2018, a three-year reauthorization of the Transportation Security Administration (TSA), and a four year reauthorization of the National Transportation Safety Board. Also included in H.R. 302 are sports medicine licensure legislation, the BUILD Act of 2018, a requirement for an assessment of the situation in Syria, the Preventing Emerging Threats Act of 2018, and supplemental appropriations for disaster relief.”

UAS Provisions


The new bill greatly expands the number of UAS provisions from those found in HR 4. The version of HR 4 that was passed in the House included 19 sections in Subtitle B of the Safety title of the bill. HR 302 includes 43 sections. Some of the interesting provisions include:

§363 – Prohibition regarding weapons [on UAS, with exceptions];
§364 – US Counter-UAS system review of interagency coordination processes;
§365 – Cooperation related to certain counter-UAS technology;
§366 – Strategy for responding to public safety threats and enforcement utility of unmanned aircraft systems;
§370 – Sense of Congress on additional rulemaking authority;
§371 – Assessment of aircraft registration for small unmanned aircraft;
§372 – Enforcement;
§376 – Plan for full operational capability of unmanned aircraft systems traffic management; and
§382 – Prohibition [flying over wildfires].

Counter-UAS Provisions


Division H of the bill is the Preventing Emerging Threats Act of 2018. This is essentially a combination of HR 6401 and S 2836 that I have addressed separately. It does contain the more restrictive ‘notwithstanding’ clause in the new §210G(a) that was found in the House bill; limiting the laws that may be ignored in the process of identifying, tracking and bringing down a threatening UAS.

Commentary


The NBC News article that started off the search for this bill pointed to a number of vague or lacking definitions in the bill. I would have preferred to see some of those concerns addressed in the bill, but it is probably more appropriate for those details to be hashed out in the regulatory process required in the new §210G(d).

My specific concerns about the language in the Counter-UAS section of the bill have been addressed in my earlier posts about the two bills that form the basis of the provisions in HR 302. It is clear to me, however, that some sort of authority needs to be provided to address specific threats posed by weaponized UAS. I am not sure that this language is the best way to deal with that, but it is limited enough to be a decent first step.

I do have, however, a major concern with the way this bill is being slid through the House. The FAA provisions have been greatly expanded from those found (and debated) in HR 4. Those provisions have been worked out behind closed doors and likely have many problems associated with them. Pushing them through the House with 40 minutes of debate that will be mainly limited to congratulating the Chair and Ranking Member of the Transportation and Infrastructure Committee on their bipartisan coordination in putting this bill together is an egregious misuse of the suspension of the rules process.

This revised bill is, however, an excellent example of the old-fashioned, horse-trading legislative process that Tip O’Neill would have been proud of. The crafters just kept adding divisions to the bill until they bought off every committee chair and ranking member that might have objected to the bill. We will see how well their efforts have paid off tomorrow when this bill comes up for consideration early in the session, though I expect that the vote will come later in the day. The leadership apparently thinks that this will pass and I suspect that they are correct.

There is a good chance, however, that even if this bill slides through the House it will die in the Senate. There it takes only a single senator to object to the political shenanigans involved in this Frankenstein’s monster of a creation to stop the bill from being considered in any abbreviated forum. And there are a number of bomb-throwers in the Senate who might take objection to this bill.

Monday, September 24, 2018

S 3405 CFATS Reauthorization – Explosive Materials


This is another in a series of blog posts about S 3405, the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2018, which would reauthorize the Chemical Facility Anti-Terrorism Standards (CFATS) program for five years. The other blog posts in the series include:


Explosive Materials


Section 12 of the bill replaces the current 6 USC 629, Outreach to chemical facilities of interest, with a new section dealing with ‘Explosive Materials’. The new section prohibits DHS from designating regulated explosive materials as chemicals of interest in Appendix A, 6 CFR 27. This would effectively stop DHS from regulating security at facilities based solely on the presence of explosive chemicals.

Commentary


The regulated explosives industry (27 CFR 555) has long maintained that the ATF regulations under which they operate provide for adequate security and have routinely objected to ATF licensed facilities being covered under CFATS. This was reiterated in the latest Senate hearing on the CFATS program.

I am not conversant with the ATF security requirements, so I cannot judge whether they are more or less stringent than the CFATS requirements. I would assume, however, that they are certainly more stringent than the EPA security requirements for public water systems or wastewater treatment works; both of which are excluded from the CFATS requirements under 6 USC 621(4). So, on that basis one could easily argue that ATF licensed manufacturers or approved storage facilities should also be exempt from the CFATS program.

Unfortunately, Sen. Johnson has tried to go about this in a round-about way and has ended up compromising his efforts. Instead of adding language to §621(4) adding ATF regulated facilities to the list of excluded facilities, Johnson attempted to define the exemption based upon the presence of explosive materials at the facility. This would effectively exempt most approved storage facilities (unless they stored ammonium nitrate, for example), but licensed manufacturers would still be liable for coverage under the CFATS rules because of the presence of explosives precursors that remain on the list of COI.

Actually, I am beginning to wonder just how well Sen. Johnson and his staff understand the operation of the CFATS program.

S 3405 CFATS Reauthorization – PSP


This is another in a series of blog posts about S 3405, the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2018, which would reauthorize the Chemical Facility Anti-Terrorism Standards (CFATS) program for five years. The other blog posts in the series include:


Personnel Surety Program


Section 7 of the bill was written in response to industry concerns about the expansion of the personnel surety program reporting requirements to Tier 3 and Tier 4 facilities. It amends 6 USC 622(d)(2)(A) in two instances. The first would make participation in the terrorist screening database (TSDB) via the Chemical Security Assessment Tool (CSAT) mandatory for all Tier 1 and 2 facilities and optional (at the owner’s discretion) for Tier 3 and 4 facilities.

The second change is an additional attempt to limit the scope of the TSDB screening. It modifies the description of those covered by the requirement by adding the qualifier “who will have access to any chemical of interest”. Currently the program covers all facility employees, as well as most contractors and visitors that have unaccompanied access to critical areas of the facility.

Commentary


The big problem with both this section and the DHS effort to expand the application of the personnel surety program to Tier 3 and 4 facilities (already required, but the Infrastructure Security Compliance Division set up the implementation of the PSP in a two phased process) is that there has been no official evaluation of the efficacy of the program. I would have been much more comfortable with the section if it had prohibited ISCD from starting phase II of the PSP implementation until after the GAO had a chance to report on the first phase. Two important items would have to be included in that report, the number of people in Tier 1 and 2 facilities that were reported as being found on the TSDB and the number of those who were inappropriately identified.

One thing that Sen. Johnson appears to have not taken into account in his effort to appease the chemical industry’s ongoing complaints about the PSP is that a large proportion of the Tier 3 and Tier 4 facilities are in the CFATS program because of their possession or manufacture of chemicals that are on the list of DHS chemicals of interest (COI) because they can be used to make improvised chemical weapons or improvised explosives. This means that they are at risk, not so much for release on site, but for theft or diversion to some underground manufacturing site where they would be converted into weapons. These facilities would be prime targets for infiltration (if we had an active terrorist threat) by terrorist organizations to effect the theft or diversion of these COI.

Committee Hearings – Week of 9-23-18


Both the House and Senate are in Washington this week and it is likely to be the last week the House will be in session before the election. A lot of political hearings this week but there are three hearings that may be of interest; HR 6157 conference report, a homeland security markup hearing and cybersecurity in the energy sector.

HR 6157 Conference

On Tuesday the House Rules Committee will hold a hearing on the Conference Report on HR 6157, the FY 2019 DOD and HHS spending minibus. They will formulate the rule for the floor consideration of the bill. This bill will also include new language providing for the continuing resolution (CR) for DHS spending thru December 6th.

The Senate has already acted favorably on the Conference Report and the other two minibuses have been sent to the White House. Congress has not come this close to finishing spending bills before the end of the fiscal year in quite some time. This may be the most important achievement of the 115th Congress.

Homeland Security Markup


On Wednesday the Senate Homeland Security and Governmental Affairs Committee will hold a business meeting that will include the markup of a number of homeland security related bills, including:

• S 3405, Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2018;
• S 3309, DHS Cyber Incident Response Teams Act of 2018; and
• S 594, National Cybersecurity Preparedness Consortium Act of 2017.

There will be a total of 43 bills considered during this meeting, but 21 of them are postal facility naming bills. Most of the remaining bills will be approved by unanimous consent. It will be interesting to see how many amendments are offered on S 3405. The bill did not have any cosponsors when offered and has not acquired any since then. This is unusual in a bill of this type where there is a general consensus on the need for extending the covered program (CFATS).

Unfortunately, we are unlikely to see the text of any of the offered amendments. We will see the revised version of the bill (if changes are made) when the committee report is published in the next month or so (if we are lucky).

Energy Cybersecurity


On Thursday, the Energy Subcommittee of the House Energy and Commerce Committee will hold a hearing looking at “DOE Modernization: The Office of Cybersecurity, Energy Security, and Emergency Response (CESER)”. The witness list has not yet been posted, but a press release notes that the Subcommittee will hear from Assistant Secretary Karen Evans who is in charge of the CESER. The discussions here will almost certainly focus on policy level issues, but cybersecurity will certainly be the overarching topic.

On the Floor

With the mid-term election pending the House will be trying to clean up a lot of miscellaneous business this week with grandstanding and political posturing making the most news, but lots of less controversial stuff being taken care of as well. The HR 6157 Conference Report will be the most important, but the House will also be taking up 54 bills under their suspension of the rules procedure; most of these will pass with significant bipartisan support. Bills of interest here include:

HR 6620 – Protecting Critical Infrastructure Against Drones and Emerging Threats Act; and
HR 6229 – National Institute of Standards and Technology Reauthorization Act of 2018, as amended;

As always there will be limited debate, no floor amendments and a supermajority will be required to pass. Both of these bills will pass; no political posturing here – okay, bipartisan posturing.

Saturday, September 15, 2018

ISCD Updates FAQ Responses – 09-14-18


Yesterday the DHS Infrastructure Security Compliance Division (ISCD) updated responses to two Frequently Asked Questions (FAQ) on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center web page. Both questions deal with calculating screening threshold quantities for mixtures of flammables (one is specifically for propane).

The two revised FAQs are:


Flammable Mixtures


The response for FAQ #1373 was completely re-written with a completely different process from the original description.

The original response said essentially that when COI were in a mixture at more than 1% the entire weight of the COI was reported as the COI with the highest concentration; the facility did not report the weight of the other COI in that mixture. The exception to that was propane; if propane was in the mixture at less than 87.5% the next greatest COI in that mixture was reported, not the propane.

The new response also requires the checking of the NFPA flammability rating of the mixture. If the NFPA rating is 4 then the rule described above applies. If the NFPA rating is 1, 2 or 3 (and not a fuel), then only the actual weight of each COI in the mixture (present at 1% or more) would be reported.

Interestingly, no mention is made of propane in the new FAQ response.

Propane Mixtures


A relatively minor modification was made to the response to FAQ #1566. The second paragraph was expanded to provide more of the information from the FAQ response above for mixtures that contain less than 87.5% propane. It addresses the case where the NFPA rating of the propane containing mixture is 4. This response does not address the situation where the NFPA rating is 1, 2, or 3.

ICS Public Disclosures – Week of 09-08-18


This week we have three control system exploits being published for products from Schneider (AVEVA?)(2) and CirControl (an automobile charging station vendor).

Schneider Exploits


NOTE: Neither of the exploit reports described below include CVE numbers so it is possible that these are 0-day exploits, but they are both for very common vulnerabilities, so it is hard to tell.

Luis Martinez published an exploit for a local buffer overflow vulnerability in the Schneider InTouch Machine.

Martinez also published an exploit for a local buffer overflow vulnerability in the Schneider InduSoft Web Studio.

CirControl Exploit


David Castro (SadFud) published an exploit for a credential exposure vulnerability in the CirCarLife SCADA. The CVE indicates that the vulnerability was announced in June, but there is no indication that CirControl was notified and there is no listing of anything to do with cybersecurity on the CirControl web site.


Thursday, September 13, 2018

ICS-CERT Publishes Honeywell Advisory


Today the DHS ICS-CERT published a control system security advisory for mobile computers from Honeywell. The advisory describes an improper privilege management vulnerability. The vulnerability was reported by the Google Android Team. Honeywell has updates available to mitigate the vulnerability.

ICS-CERT reports that a skilled attacker could remotely exploit the vulnerability to allow a malicious third-party application to gain elevated privileges. This could enable the attacker to obtain access to keystrokes, passwords, personal identifiable information, photos, emails, or business-critical documents.

It is too early to tell if this vulnerability affects all Android devices (probably?) so other mobile ICS devices might also be affected. Of course (sarcasm alert), no one would use non-approved applications on a device used to access a control system, so this really is not a problem (SIGH).

HR 6638 Introduced – Cybersecurity Governance


Back in July Rep. Himes (D,CT) introduced HR 6638, the Cybersecurity Disclosure Act of 2018. The bill directs the Security and Exchange Commission to require reporting companies to include in annual reports a listing of senior personnel with expertise or experience in cybersecurity.

The bill gives the Commission 360 days to issue final rules requiring reporting companies to “disclose whether any member of the governing body, such as the board of directors or general partner, of the reporting company has expertise or experience in cybersecurity and in such detail as necessary to fully describe the nature of the expertise or experience” {2(b)(1)}.

Moving Forward


Himes and his two Democratic cosponsors {Rep. Meeks (D,NY) and Rep. Heck (D,WA)} are members of the House Financial Services Committee to which this bill was assigned for consideration. Normally, this could provide them with sufficient influence to have the bill considered in Committee. This late in the session, however, such consideration is unlikely.

Business interests with no cybersecurity representation (probably a large majority of middle size and smaller businesses) would be expected to oppose such reporting requirements. Since this is a major Republican constituency, I expect that there will be little or no support from Republicans on this bill.

Commentary


There is something odd about the way this bill was written. It includes a list of definitions in §2(a), two of which are never used in the bill. Those two definitions are the only reason that I am discussing the bill. The two terms? “Cybersecurity Threat” and “Information System”.

The first term is defined in two parts. The first {§2(a)(2)(A)}:

“An action, not protected by the First Amendment to the Constitution of the United States, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system.”

The second part of the definition is the now obligatory {§2(a)(2)(B)}:

“Does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement.”

Nothing new or interesting here; it is a now standard IT-centric cybersecurity definition. The next term would normally also fall within that description, but the crafters of this bill included an addendum to one of the standard ‘information system’ definitions {§2(a)(3)(B)}:

“Includes industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers.”

We have seen both of these in other pieces of legislation, but the odd thing here is that neither definition has anything to do with the requirements of the bill. The definition of the key term in the bill, ‘expertise or experience in cybersecurity’, is left for the Commission to define, in consultation with NIST.

The best that I can figure is that Himes is using these two definitions to establish congressional intent that cybersecurity (for the purposes of this particular Commission regulation) includes control system security. Whether or not this would encourage reporting companies to include people with an ICS background in their governing bodies remains to be seen, but it might (should?) encourage the SEC to allow for such an eventuality in their definition of ‘expertise or experience in cybersecurity’.

Bills Introduced – 09-12-18


Yesterday with both the House and Senate in session, there were 48 bills introduced. Of those, three may be of specific interest to readers of this blog:

HR 6776 Making appropriations for the Department of Homeland Security for the fiscal year ending September 30, 2019, and for other purposes. Rep. Yoder, Kevin [R-KS-3]

HR 6791 To establish a grant program within the Department of Labor to support the creation, implementation, and expansion of registered apprenticeship programs in cybersecurity. Rep. Rosen, Jacky [D-NV-3]

S 3437 A bill to establish a Federal rotational cyber workforce program for the Federal cyber workforce. Sen. Peters, Gary C. [D-MI] 

Yes, the last spending bill has finally been introduced. Obviously, this will never make it to the floor of the House, much less the Senate. It may, however, form the base for the final spending bill that will be considered after the election.

Both HR 6791 and S 3437 are at base cybersecurity workforce measures. I will be watching both of these bills for the definitions to see if the bills specifically include industrial control system security folks.

On a lighter note: Election season is here (in case you had not noticed) and we are seeing legislators use the power of proposed legislation to support their campaigns. Usually this takes the form of proposing legislation supporting part of their electoral base. These bills are never really intended to be considered and passed; they just allow the proposer to point to the bill and say; “Look, I am trying to do something about…. Send me back for another term to be able to continue.”

Yesterday we saw the introduction of a resolution that clearly meets that description: H Con Res 135, Requiring Members of the House of Representatives and the Senate to participate in random drug testing. Rep Higgins (R,LA) introduced this resolution. It should certainly resonate with those of his constituents that have mandatory drug testing in their workplace.

Wednesday, September 12, 2018

HR 6620 Introduced – UAS Threat Assessment


Back in July Rep. Richmond (D,LA) introduced HR 6620, the Protecting Critical Infrastructure Against Drones and Emerging Threats Act. The bill requires data collection and analysis activities about the threats posed by unmanned aircraft systems (UAS).

The bill would require the DHS Office of Intelligence and Analysis (OIA) within 120 days to {§2(a)}:

• Request additional information from other agencies of the Federal Government, State and local government agencies, and the private sector relating to threats of unmanned aircraft systems and other emerging threats associated with such new technologies;
• Develop and disseminate a security threat assessment regarding unmanned aircraft systems and other emerging threats associated with such new technologies; and
• Establish a secure reporting infrastructure for reporting information on emerging threats, such as the threat posed by unmanned aircraft systems.

Within one year of the bill being adopted, OIA would be required to report to Congress on the threat posed by unmanned aircraft systems.

No monies are authorized by this bill.

Moving Forward


This bill will be considered by the House Homeland Security Committee tomorrow. I suspect that the bill will receive bipartisan support. If this bill does come to the floor of the House before the end of the session (probable) it will almost certainly be considered under the suspension of the rules process with minimal debate, no amendments and would require a supermajority to pass.

Even if this bill were passed by the House, I really doubt that it would make it to the floor of the Senate before the 115th Senate adjourns for good in December.

Commentary


This is another one of those motherhood and apple pie bills that allows congress critters to feel good about ‘doing something’ without raising any controversies or spending any money. Unfortunately, it will accomplish virtually nothing.

Oh yes, the bill includes an attempt to cover the important tech buzz words in §2(b)(3):

“establish and utilize, in conjunction with the Chief Information Officer of the Department and other relevant entities, a secure communications and information technology infrastructure, including data-mining and other advanced analytical tools, in order to access, receive, and analyze data and information in furtherance of the responsibilities under this section, including by establishing a voluntary mechanism whereby critical infrastructure owners and operators may report information on emerging threats, such as the threat posed by unmanned aircraft systems.”

They missed ‘artificial intelligence’ and ‘blockchain’; maybe they can add those tomorrow.

ICS-CERT Publishes 5 Advisories and 4 Updates


Yesterday the DHS ICS-CERT published five control system security advisories for products from Siemens (3) and Fuji Electric (2). They also updated three previously published advisories for products from Siemens and the Meltdown/Spectre alert.

SCALANCE Advisory


This advisory describes an improper input validation vulnerability in the Siemens SCALANCE X Switches. The vulnerability is being self-reported. Siemens has updates available for two of the three affected products and has identified mitigation measures.

ICS-CERT reports that a relatively low-skilled attacker could use publicly available exploits to remotely exploit the vulnerability to cause a denial-of-service condition.

SIMATIC Advisory


This advisory describes an improper access control vulnerability in the Siemens SIMATIC WinCC OA HMI. The vulnerability is being self-reported. Siemens has an update available to mitigate the vulnerability.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to escalate their privileges in the context of the program.

TD Keypad Designer Advisory


This advisory describes an unprotected search path element vulnerability in the Siemens TD Keypad Designer. The vulnerability is being self-reported. Siemens has identified generic mitigation measures for the vulnerability.

ICS-CERT reports that a relatively low-skilled attacker with local access could exploit the vulnerability to escalate their privileges.

V-Server Lite Advisory


This advisory describes a classic buffer overflow vulnerability in the Fuji V-Server Lite. The vulnerability was reported by Ariele Caltabiano (kimiya) via the Zero Day Initiative (ZDI). Fuji has a firmware update available to mitigate the vulnerability. There is no indication that Caltabiano has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to view sensitive information and disrupt the availability of the device.

V-Server Advisory


This advisory describes seven vulnerabilities in the Fuji V-Server. The vulnerabilities were reported by Steven Seeley (mr_me) of Source Incite via ZDI. Fuji has a new software version that mitigates the vulnerabilities. There is no indication that Seeley has been provided an opportunity to verify the efficacy of the fix.

The seven reported vulnerabilities are:

• Use after free - CVE-2018-14809;
• Untrusted pointer dereference - CVE-2018-14811;
• Heap-based buffer overflow - CVE-2018-14813;
• Out-of-bounds write - CVE-2018-14815;
• Integer underflow - CVE-2018-14817;
• Out-of-bounds read - CVE-2018-14819; and
• Stack-based buffer overflow - CVE-2018-14823

ICS-CERT reports that a relatively low-skilled attacker could use publicly available exploits to remotely exploit the vulnerabilities to allow for remote code execution on the device, causing a denial of service condition or information exposure.

Industrial Products Update


This update provides new information on an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, July 25th, 2017, August 17th, 2017, October 10th, 2017, November 14th, 2017, November 28th, 2017, February 27th, 2018, May 3rd, 2018 and most recently on May 15th, 2018. The new information includes revised affected versions data and mitigation measures for:

• SINAMICS DCP w. PN; and
• SINAMICS DCM w. PN

SIMATIC Update


This update provides new information on an advisory that was originally published on May 17th, 2018. The new information includes additional mitigation measures that can be used.

OpenSSL Update


This update provides new information on an advisory that was originally published on August 14th, 2018. The new information includes revised affected versions data and mitigation measures for WinCC OA.

Meltdown/Spectre Update


This update provides new information on an alert that was originally published on January 11th, 2018 and updated on January 16th, 2018, January 17th, 2018, January 30th, 2018, February 20th, 2018, February 22nd, 2018, March 1st, 2018, and most recently on July 10th, 2018. The new information includes a link to a new Meltdown/Spectre advisory from Siemens.

Note: While this newly added advisory from Siemens (and another Siemens advisory covering the older versions of Meltdown/Spectre) addresses newer variants of the vulnerability, ICS-CERT has failed to provide any information (or links to information) about these new variants.

ISCD Publishes Resource Flyer – 09-11-18


Yesterday the DHS Infrastructure Security Compliance Division (ISCD) published a ‘news item’ on their Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center web page about a new flyer on “DHS Chemical Security Preparedness Resources”. You have to search through the ‘Fact Sheets and Flyers’ section of the page to find the link (or you could look on the CFATS Resources page under ‘Fact Sheets’).

The flyer contains links to a number of DHS programs that may be of use to chemical facilities both in and outside of the CFATS program. One interesting inclusion on the list is a link to a US-CERT page to use to request a download of the Cyber Security Evaluation Tool (CSET). I have written favorably about CSET a number of times in this blog (see here for example), but the CSET program information is no longer accessible from the ICS-CERT web site (though the old CSET page is still active). This looks like it is part of the continuing winding down of ICS-CERT in favor of NCCIC-ICS. Unfortunately, this looks like it includes a reduction in support for a valuable assessment tool, CSET.

Tuesday, September 11, 2018

Homeland Security Mark-up Hearing – 09-13-18


This morning the House Homeland Security Committee announced that it would be conducting a mark-up hearing for five pieces of legislation including:

• HR 6620, Protecting Critical Infrastructure Against Drones and Emerging Threats Act;
• HR 6735, To direct the Secretary of Homeland Security to establish a vulnerability disclosure policy for Department of Homeland Security internet websites, and for other purposes; and
• S 1281, Hack the Department of Homeland Security Act of 2017

The official copy of HR 6620 just recently became available and I have only glanced through it at this point; hopefully I’ll get a chance to review it here before Thursday. The quick glance that I have done indicates that this is a ‘collect information and report to Congress’ type of bill, rather than something that would authorize any sort of action similar to S 2836.

The official copy of HR 6735 is not yet available, but a Committee Print is. There is not much in this bill of specific interest to readers of this blog beyond the fact that it uses the definition of ‘security vulnerability’ from 6 USC 1501, which is, in turn, based upon the ICS-inclusive definition of ‘information system’ in that section, while the bill itself uses the IT-restrictive definition of ‘information system’ from 44 USC 3502.

S 3405 CFATS Reauthorization – Inspection Frequency


This is another in a series of blog posts about S 3405, the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2018, which would reauthorize the Chemical Facility Anti-Terrorism Standards (CFATS) program for five years. The other blog posts in the series include:


Inspection Frequency


Section 6 of the bill addresses inspection and audit frequency. It would amend 6 USC 622(d)(1), Audits and Inspections. It would add a new subparagraph that would prohibit DHS from conducting CFATS program audits or inspections more frequently than once every two years; three years for facilities in the CFATS Recognition Program.

Commentary


This portion of the bill is another attempt by Sen. Johnson to provide regulatory relief to covered facilities under the CFATS program. Unfortunately, the wording of the text indicates a profound misunderstanding of the CFATS process.

Currently, when a CFATS facility submits their site security plan for approval there is a somewhat less than formal visit to the facility by a team of Chemical Security Inspectors to audit the provisions of that plan. Essentially, they are trying to acquire sufficient information about the facility and its security plan to allow the review process to determine whether or not that plan should be authorized. Once the details of the site security plan (SSP) are agreed upon between DHS and the facility there will then be a formal Authorization Inspection. Then a year or two later DHS will conduct a compliance inspection (see ISCD CI fact sheet).

Additionally, a facility could face a requirement to revise their SSP because of changes in their situation (including perhaps a Tier reduction) which could require a new Authorization Inspection depending on the extent of the required changes.

Under the letter of the requirements in §6 there would have to be a two-year period between any of those inspections. I think that what Johnson was trying to accomplish was to establish the minimum period between compliance inspections. Even that requirement could raise problems for the program if a facility failed a compliance inspection and had to be re-inspected after taking subsequent corrective actions.

This is one of those instances where it would behoove crafters of legislation to take language of a proposed bill and walk it back through the regulatory agency to ensure that there are no unintended consequences of the wording of the bill. I am not suggesting that Johnson needed to have the wording ‘approved’ by DHS, just checked to see what the consequences of the language would actually be in practice.

Committee Hearings – Week of 09-09-18


In a much abbreviated week with both the House and Senate in Washington, there will only be a limited number of committee hearings. There will be two of potential interest to readers of this blog; one dealing with the national threat landscape (including cyber) and the other a look at the status of the implementation of positive train control (PTC) systems.

Threat Landscape


On Thursday the Senate Homeland Security and Governmental Affairs Committee will be holding a hearing looking at “Evolving Threats to the Homeland”. The witness list includes:

• Kevin Mandia, FireEye, Inc.;
• Cathy Lanier, National Football League;
• Scott McBride, Idaho National Laboratory; and
• Jennifer Bisceglie, Interos Solutions, Inc.

It certainly looks like cybersecurity will be an issue at this hearing, just not the only one.

PTC Update


On Thursday the House Transportation and Infrastructure Committee will hold a hearing on “The State of Positive Train Control Implementation in the United States”. The witness list includes:

• Ronald L. Batory, Federal Railroad Administration;
• Robert Sumwalt, National Transportation Safety Board;
• Susan A. Fleming, Government Accountability Office;
• Scot Naparstek, Amtrak;
• Edward Hamberger, Association of American Railroads;
• Jeffrey D. Knueppel, Southeastern Pennsylvania Transportation Authority; and
• Stacey Mortensen, Altamont Corridor Express.

This hearing could get contentious with the relatively poor performance of the passenger rail lines in complying with the PTC requirements. The Committee Staff has prepared a detailed background document on the PTC program.

On the Floor


It is looking increasingly likely that the House could take up the Conference Report on HR 5895, the EWR spending bill. The Conference Committee completed their work yesterday, but a copy of the report has not yet been issued. This bill is likely to be taken up in at least the House this week. This is the first of the three mini-bus bills that has made it out of conference; HR 6147 and HR 6157 still remain to be addressed.

There is at least one news report that claims only two of the three mini-busses will be approved before the end of the month, meaning that the expected 3-department continuing resolution would have to be expanded to 6 departments. The article does not name the bill that will not make it out of conference, but I suspect that it is HR 6157. The conflict between the House and Senate there was the inclusion of the Health and Human Services spending in with the DOD bill; just too many controversies in the House version of the HHS spending.

Monday, September 10, 2018

S 3405 CFATS Reauthorization – CFATS Recognition Program


This is another in a series of blog posts about S 3405, the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2018, which would reauthorize the Chemical Facility Anti-Terrorism Standards (CFATS) program for five years. The other blog posts in the series include:


CFATS Recognition Program


In response to industry requests for CFATS recognition of industry stewardship programs (Responsible Care® or Responsible Distribution for example) Sen. Johnson included §5 of the bill to require DHS to set up a formal recognition program for industry stewardship programs. Michael Kennedy, in a recent blog post, suggested that this could be similar to the OSHA Voluntary Protection Program (VPP), but that is not clear from the text of §5.

The bill adds a new subparagraph (5) to 6 USC 622(c). It would give DHS 180 days to establish a CFATS Recognition Program (CFATS-RP) that would establish {new §622(c)(5)(B)(i)(II)}:

• Eligibility criteria for industry stewardship programs seeking to participate in the CFATS Recognition Program;
• Performance requirements for participating facilities; and
• Incentives to encourage participation in the CFATS Recognition Program.

Industry Program Requirements


The new §622(c)(5)(C)(i) establishes the broad industry program requirements that DHS would be required to incorporate into the CFATS-RP. First, the ‘industry program’ would have to be sponsored/run by a §501(c) tax exempt organization with “a documented top management commitment to chemical facility security” {new §622(c)(5)(C)(i)(II)}. Additionally, the DHS rules would be required to define the criteria that the ‘industry program’ would have to address concerning {new §622(c)(5)(C)(i)(III)}:

• Auditing requirements and frequency;
• Security vulnerability assessment requirements and frequency;
• Security measures; and
• Reporting required to be done by any industry stewardship program desiring to participate in the CFATS Recognition Program.

With regards to the ‘security measures’ mentioned above, the bill would require that they address {new §622(c)(5)(C)(i)(III)(cc)}:

• Detection measures;
• Delay measures;
• Response measures; and
• Security management.

Facility Performance Requirements


The new §622(c)(5)(C)(ii) establishes the facility requirements that DHS would incorporate into the CFATS-RP regulations. The new regulations would require that participating organizations:

• Provide proof of program participation to include being in “full compliance with the requirements of the industry stewardship program” §622(c)(5)(C)(ii)(bb);
• Conduct initial and periodic (3 year) vulnerability assessments; and
• Develop and maintain site security plan using the same scope of security measures described above.

Program Incentives


The new §622(c)(5)(C)(iii) establishes the incentives that DHS would incorporate into the CFATS-RP regulations. Those incentives would include:

• Reduction of Tier level of participating facilities;
• Reduction in the frequency of compliance inspections;
• Streamlined site security plan process; and
• ‘Other’ incentives developed by DHS.

Regulatory Process


With the 180-day deadline provided for in this bill for establishing the CFATS-RP, there is certainly not time for the standard publish, comment and revise process normally required for the regulatory process. The bill provides for an exemption for “developing and issuing, or amending, the guidance relating to carrying out the CFATS Recognition Program” {new §622(c)(5)(B)(ii)}.

Commentary


There are some major holes in the CFATS-RP as outlined in this bill. First, there are no provisions for making any regulatory changes in the CFATS program. All of the requirements provided in the bill for this recognition program are intended to be embodied in a ‘guidance’ document. This means that the process would have to be shoe-horned into 6 CFR 27.235, Alternative Security Plans (ASP).

In many ways the ASP process is a good fit for these recognition programs except that it provides no room for the incentive program required by the bill, but those incentives could be addressed by other parts of the CFATS regulations. For example, the tiering reduction can be seen to be included in the authority/process outlined in §27.220(b) and the inspection frequency change is already allowed under §27.210(c).

The big question here, however, is how the CFATS-RP affects the incorporation of the current risk-based performance standards (RBPS) into any recognition program ASP. There is nothing in the bill that would specifically exempt facilities from complying with current RBPS requirements. Actually, the description of ‘security measures’ in §622(c)(5)(C)(i)(III)(cc) very closely follows the description DHS uses of their “RBPS Overarching Security Guidelines” on their Risk-Based Performance Standards web site. The exception, of course, is the failure to include ‘Cyber’ in the bill’s description of security measures, but that is due to the removal of cybersecurity measures from the RBPS effected elsewhere in the bill.

This CFATS-RP looks to be a natural extension of the ASP process already in existence in the CFATS program. The American Chemistry Council (ACC) has established {and the National Association of Chemical Distributors (NACD) has signed onto} an ASP that could be expanded to form the basis of an industry program under the CFATS-RP.

My biggest problem with the proposed CFATS-RP deals with the Tier reduction. While this certainly seems to be a reasonable ‘incentive’, there are some issues that would have to be resolved for it to be effective. If the Tier reduction is made after the site security plan is approved, the facility would already have put most of the security measures in place that a Tier reduction might be expected to reduce. If the Tier reduction is applied before the site security plan is submitted, the facility would have no way of knowing how much of an incentive the reduction would be. To be effective the Tier reduction would have to be effected after the SSP was authorized but before it was approved. This would allow the facility to amend the SSP to reflect the lowered Tier level. Unfortunately, this would complicate the inspection/approval process, not make it easier.

The other question with regards to Tier reduction is what happens with Tier 4 facilities. The only tier reduction available would be to drop them out of the CFATS program. It is not clear whether or not Johnson intended that to happen as a result of the CFATS-RP. The deeper question is how DHS would ensure that facilities remained compliant with the CFATS-RP program if they were dropped from the program.

For this CFATS-RP to be truly effective in reducing the regulatory burden on participating facilities, the program would need to use the industry association (or its designated contractors) for at least part of the inspection burden. That would be much closer to Kennedy’s OSHA VPP reference. This is, of course, already authorized by §622(d)(1)(B), but to the best of my knowledge the Department has not yet utilized non-governmental inspectors.
