Friday, November 30, 2018

S 3405 Dies in the Senate


Yesterday Sen. Johnson (R,WI), Chair of the Senate Homeland Security and Governmental Affairs Committee, called for the Senate to consider S 3405, the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2018, under the unanimous consent process. Instead of the substitute language reported out of Committee, Johnson offered a second substitute as an amendment. Sen. Carper (D,DE) objected, and the consideration was prevented.

Sen. Johnson published a press release on the situation that would make it appear that he was blindsided by the opposition to the bill. A reading of the Congressional Record for the debate between Johnson and Carper makes it clear that the situation is complicated. What is clear from the debate, however, is that Johnson is upset by the failure of the two House committees to come up with a reauthorization bill and by their coming up, at the last minute, with a two-year extension of the CFATS program that apparently disregards the work done by the Senate Committee. The fact that Johnson had to go to someone outside of the leadership of the two House committees with CFATS oversight responsibility to get a companion bill introduced makes it clear that he knew about the opposition to his proposed reforms in the House.

Unfortunately, the version of S 3405 that Johnson asked the Senate to approve (essentially unseen) was not printed in the Congressional Record. Neither was the extension bill that Carper said in the debate he was introducing.

Carper offered Johnson a way out of yesterday’s immediate conflict: withdraw the unanimous consent request. Johnson declined. They both agreed to continue working together to work out the problems with S 3405. Johnson, however, said that he would rather see the CFATS program die than see a short-term extension approved without some sort of program reforms. It was not clear from yesterday’s debate what reforms would be the minimum acceptable.

I suspect that the minimum would be the explosive exception and the recognition program. Unfortunately, it may be just those reforms that Secretary Nielsen was concerned about when she sent her letter to Johnson (and presumably Rep. McCaul (R,TX) and Rep. Walden (R,OR)). That is not certain because that letter has not yet been made public.

I have not yet seen the Committee Report on S 3405 (still not published), but the reported language has been published. It was nearly identical to the language that was proposed in HR 6992. Of course, that language was still not the language that Johnson was asking to have adopted today.

Johnson faces a difficult decision on the CFATS authorization. The bipartisan support Johnson received in Committee for the industry favorable reforms included in S 3405 indicates that they might survive a Democratic House next year, but the opposition of the DHS to those reforms indicates that there may be opposition from his own party in subsequent Senate hearings. It apparently looks to him like those reforms have to pass in this session of Congress or not pass at all.

It’s just too bad that he did not try to get this bill to the Senate floor before Nielsen became aware of the problems. Or maybe it is not.

Now it comes down to how much time both sides have to work out a deal. Right now it looks like it might be easier to pass immigration reform.

PHMSA Harmonization NPRM – Corrosive Classification Process


Earlier this week I wrote about the recent publication of a notice of proposed rulemaking from DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) proposing the latest set of revisions to the hazardous materials regulations (HMR) to harmonize those regulations with international hazmat shipping rules. Today I would like to address a specific portion of that NPRM: the classification process for corrosive materials in accordance with 49 CFR 173.137.

Overview


In section 4 of the NPRM, PHMSA briefly describes the changes to the HMR being proposed. With regard to the classification of corrosive materials it notes:

“Alternative criteria for classification of corrosive materials: PHMSA proposes to include non-testing alternatives for classifying corrosive mixtures that instead uses existing data on the chemical properties. Currently the HMR require offerors to classify Class 8 corrosive material and assign a packing group based on test data. The HMR authorize a skin corrosion test and various in vitro test methods that do not involve animal testing. However, data obtained from testing is currently the only data acceptable for classification and assigning a packing group. These alternatives would afford offerors the ability to make a classification and packing group assignment without the need to conduct physical tests.”

PHMSA is also proposing to update the incorporation by reference of the OECD Guidelines for the Testing of Chemicals to the 2015 version. Specifically, for the testing of corrosive materials for packing group determination, this will affect OECD tests 404, 430, 431, and 435.

Along with the similar change to the definition of ‘corrosive material’ in 173.136, PHMSA is proposing to remove the phrase “full thickness destruction” and replace it with “irreversible damage” in all instances where it occurs in 173.137.

PHMSA is not proposing to add additional corrosivity testing protocols in this NPRM.

Corrosion Classification Alternatives


The proposed regulation provides two non-testing alternatives for determining the packing group of a mixture of chemicals that includes one or more previously tested corrosive chemicals. The first, bridging {§173.137(d)(1)}, would be used when “there is sufficient data on both the individual ingredients and similar tested mixtures to adequately classify and assign a packing group for the mixture”. There are five bridging principles that could be applied to mixtures under this provision:

Dilution;
Batching;

The second technique is the calculation method {§173.137(d)(2)}. This technique uses known concentration data and regulatory information from the Hazmat Table to calculate which packing group a product would be in. A proposed Appendix I helps translate the calculations into actual packing group determination.

Calculation Process


By their very nature, regulatory documents are not very clear in explaining how a process will work. After some careful reading of the NPRM and the proposed changes to §173.137 and the new Appendix I, this is how I see the calculation process working.

First, someone is going to have to make a technical determination of whether or not any interactions (or chemical reactions) will enhance the corrosive effects of any of the constituent materials. If that determination is positive, then physical testing will be required, or the organization will have to assume PG I status for the material.

Next, all of the corrosive constituents of the product will have to be identified. The Hazmat Table (§172.101 table) will then be used to determine the packing group and any minimum concentration limit associated with that material in the Table. That minimum concentration limit is called the ‘specific concentration limit (SCL)’ in this NPRM. Unfortunately, it is not specifically defined.

The first calculation will only involve the PG I corrosive constituents of the product. For each PG I corrosive constituent, the ratio of its concentration in the product to its SCL will be determined. For most corrosive materials, the Hazmat Table does not provide an SCL; for those chemicals a generic concentration limit (GCL; again, not specifically defined in the NPRM) of 1% will be assumed for this initial calculation. The sum of all of the PG I concentration/SCL (or GCL) ratios will be determined. If that sum is greater than or equal to one, Calculation #2 will be completed. If the sum is less than 1%, Calculation #3 will be completed.

Calculation #2. Again, just the concentration and GCL for the PG I corrosive materials in the product will be used. In this case (and in all subsequent calculations) the GCL will be equal to 5% and the concentration ratios for all PG I constituents will be recalculated. If the sum of those ratios is greater than or equal to 5%, then the material will be classified as Class 8, PG I. If the sum of those ratios is less than 5%, the material will be classified as Class 8, PG II.

Calculation #3. This calculation will use the same data from all PG I and PG II chemicals in the material being classified. Where an SCL is provided, it will be used in the ratio calculation described above. Otherwise, a GCL of 5% will be used. The ratios for each of the PG I and PG II chemicals will be summed. If the sum is greater than or equal to 5%, the material will be classified as Class 8, PG II. If the sum is less than 5%, Calculation #4 will be completed.

Calculation #4. This calculation will use the same data from all PG I, PG II and PG III chemicals in the material being classified. Where an SCL is provided, it will be used in the ratio calculation described above. Otherwise, a GCL of 5% will be used. The ratios for each of the PG I, PG II and PG III chemicals will be summed. If the sum is greater than or equal to 5%, the material will be classified as Class 8, PG III. If the sum is less than 5%, the material will not be classified in Class 8.
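The four-calculation sequence above, worked through in code as an added example (not from the NPRM, Appendix I, or this post). Constituent names, concentrations and packing groups are constructed placeholders rather than §172.101 Hazmat Table entries, and every step compares the sum of concentration/limit ratios to 1, which, for constituents without an SCL, is the same test as the summed-concentration-versus-GCL (1% or 5%) thresholds used in the description.

```python
"""Proposed §173.137(d)(2) calculation method, as described in the post.

All constituent data here are CONSTRUCTED placeholders, not Hazmat Table
entries; function names and the data structure are this example's own.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Generic concentration limits (GCL): 1% for the initial PG I screen,
# 5% for every later calculation.
GCL_INITIAL = 1.0
GCL_SUBSEQUENT = 5.0


@dataclass(frozen=True)
class Constituent:
    name: str
    concentration: float         # percent in the finished product
    packing_group: int           # 1, 2 or 3, as read from the Hazmat Table
    scl: Optional[float] = None  # specific concentration limit (%), if the Table gives one


def sum_of_ratios(constituents: List[Constituent], gcl: float) -> float:
    """Sum of concentration / limit over the given constituents.

    A constituent's own SCL is used when the Table supplies one; otherwise
    the generic limit applies.  When no constituent has an SCL,
    'sum of ratios >= 1' is exactly 'summed concentration >= GCL'.
    """
    return sum(c.concentration / (c.scl if c.scl is not None else gcl)
               for c in constituents)


def classify_corrosive_mixture(constituents: List[Constituent],
                               interactions_enhance_corrosivity: bool = False
                               ) -> Tuple[Optional[str], str]:
    """Return (packing_group, how_decided) for a mixture.

    packing_group is 'PG I', 'PG II', 'PG III' or None (not Class 8 by
    this method); how_decided names the calculation that settled it.
    """
    # Step 0: if interactions could enhance corrosivity, the calculation
    # method is unavailable; the offeror must test or assume PG I.
    if interactions_enhance_corrosivity:
        return "PG I", "assumed PG I pending physical testing"

    pg1 = [c for c in constituents if c.packing_group == 1]
    pg2 = [c for c in constituents if c.packing_group == 2]
    pg3 = [c for c in constituents if c.packing_group == 3]

    # Calculation #1: PG I constituents only, GCL = 1%.
    if sum_of_ratios(pg1, GCL_INITIAL) >= 1:
        # Calculation #2: same constituents, GCL = 5%; decides PG I vs PG II.
        if sum_of_ratios(pg1, GCL_SUBSEQUENT) >= 1:
            return "PG I", "Calculation #2"
        return "PG II", "Calculation #2"

    # Calculation #3: PG I and PG II constituents, GCL = 5%.
    if sum_of_ratios(pg1 + pg2, GCL_SUBSEQUENT) >= 1:
        return "PG II", "Calculation #3"

    # Calculation #4: PG I, PG II and PG III constituents, GCL = 5%.
    if sum_of_ratios(pg1 + pg2 + pg3, GCL_SUBSEQUENT) >= 1:
        return "PG III", "Calculation #4"
    return None, "Calculation #4"


# Constructed sample products (placeholder constituents, not Table data).
STRONG_PRODUCT = [Constituent("acid A", 6.0, 1)]
DILUTE_PRODUCT = [Constituent("acid A", 3.0, 1), Constituent("base B", 2.0, 2)]
WEAK_PRODUCT = [Constituent("acid A", 0.5, 1), Constituent("base B", 3.0, 2),
                Constituent("salt C", 20.0, 3)]
NON_CORROSIVE = [Constituent("base B", 1.0, 2), Constituent("salt C", 2.0, 3)]
SCL_PRODUCT = [Constituent("acid D", 15.0, 2, scl=10.0)]  # Table SCL overrides the GCL

if __name__ == "__main__":
    for label, product in [("strong", STRONG_PRODUCT), ("dilute", DILUTE_PRODUCT),
                           ("weak", WEAK_PRODUCT), ("non-corrosive", NON_CORROSIVE),
                           ("with SCL", SCL_PRODUCT)]:
        print(f"{label:14s} -> {classify_corrosive_mixture(product)}")
```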

Bills Introduced – 11-29-18


Yesterday, with both the House and Senate in Washington, 52 bills were introduced. Three of those bills may see future coverage in this blog:

HR 7188 To extend by two years the Chemical Facility Anti-Terrorism Standards Program of the Department of Homeland Security, and for other purposes. Rep. Ratcliffe, John [R-TX-4]

HR 7192 To enhance the early warning reporting requirements for motor vehicle manufacturers, and for other purposes. Rep. Cartwright, Matt [D-PA-17] 

S 3677 A bill to provide for certain programs and developments in the Department of Energy concerning the cybersecurity and vulnerabilities of, and physical threats to, the electric grid, and for other purposes. Sen. Gardner, Cory [R-CO] 

With the Chair and Ranking Member of both the House Homeland Security and House Energy and Commerce Committees as cosponsors, HR 7188 will move to the floor of the House early next week. It will be interesting to see what “other purposes” are included in this bill. Needless to say, this means that HR 6992 and S 3405 are effectively dead.

I would normally be watching HR 7192 for specific cybersecurity reporting requirements, but this bill has little to no chance of being considered in the 115th Congress. We may see this again next year.

S 3677 could be interesting, but it will not see any action this year. Again, this will probably be reintroduced next year.

Thursday, November 29, 2018

One Advisory Published – 11-29-18


Today the DHS NCCIC-ICS published a control system security advisory for products from INVT Electric.

The advisory describes two vulnerabilities in the INVT VT-Designer. The vulnerabilities were reported by Ariele Caltabiano (kimiya) via the Zero Day Initiative. No mitigation measures are currently available for these vulnerabilities.

The two reported vulnerabilities are:

• Deserialization of untrusted data - CVE-2018-18987; and
• Heap-based buffer overflow - CVE-2018-18983.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to cause the program to crash and possibly allow remote code execution.

NOTE: It looks like another Chinese ICS company is not quite responsive to NCCIC-ICS vulnerability coordination efforts.

HR 6032 Passes in House – Internet Connected Devices


Yesterday the House passed HR 6032, the State of Modern Application, Research, and Trends of (SMART) IoT Act, by a voice vote. The ‘debate’ lasted just over 8 minutes and consisted mainly of praising committee leadership for their bipartisan support for crafting this bill.

In my earlier post on this bill I expressed serious reservations about the definition of ‘internet connected devices’ being used instead of trying to define IoT. That concern is further aggravated by the discussion of the IoT problem found in the House Energy and Commerce Committee report on the bill. In both the section describing the purpose of the bill and the one describing the need for the legislation, the term ‘internet connected devices’ is never used; all references are to the undefined acronym ‘IoT’.

Those discussions in the report clearly (but certainly not concisely) indicate that the Committee is concerned about a wide variety of devices that are connected to the internet and that may communicate over the internet without the owner of the data having specific control over what is being shared or with whom. But that concern is specifically ignored by the inclusion in the definition of ‘internet connected devices’ of the requirement that the physical object connected to the internet “communicate information at the direction of an individual” {§2(c)(2)(A)}. One of the big problems with so many IoT devices is their capability to communicate information without the direction of the individual owner/operator of the device.

This bill obviously has bipartisan support and, more importantly, lacks any significant opposition, so it could be passed in the Senate under the unanimous consent process. If a single Senator objected to this bill, however, the bill would languish in that body given the limited number of floor hours available for consideration of bills under regular order. I do not expect to see this bill reach the President’s desk.

Wednesday, November 28, 2018

S 140 Amendments Accepted by House – CG Authorization


Yesterday the House accepted the Senate amendments to S 140 that effectively turned that bill into the Frank LoBiondo Coast Guard Authorization Act of 2018. The action was taken on a voice vote. A similar voice vote was taken on S. Con. Res. 51 to officially change the enrollment of S 140 to reflect the change in purpose of the bill. The Senate amendments were considered under the suspension of the rules process with limited debate and no floor amendments.

Typically, we see very limited ‘debate’ on bills considered under suspension of the rules; a couple of people from both sides of the aisle praising the bipartisan effort to craft and pass the bill. The S 140 debate yesterday was something of an exception to that process. There was some opposition expressed to §834 of the bill that reinstates the fire safety exemption for the Delta Queen (starting with Rep. Garamendi on page H 9648). It was not enough debate to derail (or significantly slow) passage of the bill, but it was an actual policy discussion.

CFATS Landing Page Updated for CISA


Yesterday the DHS Infrastructure Security Compliance Division (ISCD) updated the landing page for the Chemical Facility Anti-Terrorism Standards (CFATS) program to show that it is now part of the Cybersecurity and Infrastructure Security Agency (CISA). It provides links to the new ISCD/CISA page and updates the agency Twitter handle to @CISAgov (this replaces the old @NPPD).

The ISCD page has links to the new CISA web site. At this point this is a bit of a mixed bag as there are still lots of references to NPPD (for example the old NPPD organization chart), but that is probably to be expected since the organization is less than two weeks old. The NCCIC web page on that site does provide a graphic (and brief) description of the death and rebirth of ICS-CERT (as NCCIC-ICS) at the bottom of the page.

Tuesday, November 27, 2018

One Advisory is Published – 11-27-18


Today the DHS NCCIC-ICS published a control system security advisory for products from AVEVA.

This advisory describes an uncontrolled search path vulnerability in a third-party product used in the AVEVA Vijeo Citect and Citect SCADA product lines. The vulnerability is self-reported. The third-party product is the Schneider Electric Software Update (SESU) software. This vulnerability was reported by Schneider earlier this month. The Schneider update mitigates this vulnerability in the AVEVA products.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to execute arbitrary code on the target system.

NOTE: The AVEVA advisory was addressed in my blog post on Saturday.

PHMSA Publishes HMR Harmonization NPRM – 11-27-18


Today the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) published a notice of proposed rulemaking (NPRM) in the Federal Register (83 FR 60970-61070) proposing to update the hazardous materials regulations (HMR) to bring them closer into harmony with various international hazardous material shipping regulations. This is a periodic regulatory update by PHMSA.

Overview


In this NPRM PHMSA proposes changes in the following areas:


NOTE: The links above are to the PHMSA summaries about the changes, not the detailed discussions of those changes. Would that it were that easy.

PHMSA is not currently proposing to address the following recent changes seen in international hazmat regulations:


NOTE: PHMSA is specifically soliciting comments on the competency-based training issue for possible future rulemaking.

HMR Tables


The Hazmat Table revisions are extensive. They include:

New HMT entries (additional N.O.S. entries);
Amendments to column (2) hazardous materials descriptions and proper shipping names;
Amendments to column (5) packing group;
Amendments to column (7) special provisions; and
Amendments to column (10) vessel stowage requirements.

In addition, PHMSA is proposing changes to the following areas of the HMR related to the Hazmat Table:

SECTION 172.102 Special Provisions;


Public Comments


PHMSA is soliciting public comments on this NPRM. Comments must be submitted by January 28th, 2018. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; docket # PHMSA-2017-0108).

Monday, November 26, 2018

HR 2825 Reported in Senate – FY2018 DHS Authorization


The Senate Homeland Security and Governmental Affairs Committee published their report on HR 2825, the Department of Homeland Security (DHS) Authorization Act of 2017, as amended by that Committee back in March. There is no new information of consequence in this report, but its publication does effectively clear this bill for consideration by the full Senate.

Interestingly, this bill also includes authorization language for the DHS Cybersecurity and Infrastructure Security Agency, which was earlier authorized by the passage of HR 3359. There are some differences in the CISA authorization language in the two bills. The language of this bill would supersede the language of HR 3359 if it is adopted.

CISA Authorization


The first major difference between the two bills is the addition of the responsibility for the oversight of electromagnetic pulse (EMP) and geomagnetic disturbance (GMD) protection and preparedness activities. This is initially set forth in the new 6 USC 2202(c)(5) (pg 940). The requirement is further outlined in the new 6 USC 2204 setting forth the duties of the Infrastructure Security Division of CISA.

Section 2204(d)(6) requires annual reports to Congress on “the threats and consequences, as of the date of the information, of electromagnetic events to the critical infrastructure of the United States”. That report would include outlining DHS activities with respect to {new §2204(d)(6)(B), pg 958}:

• Risk assessments;
• Mitigation actions;
• Coordination with the Department of Energy to identify critical electric infrastructure assets subject to EMP or GMD risk; and
• Current and future plans for engagement with the Department of Energy, the Department of Defense, the National Oceanic and Atmospheric Administration, and other relevant Federal departments and agencies.

The report to Congress would also address present and future collaborative efforts the Department has (or plans to have) with critical infrastructure owners and operators as well as {new §2204(d)(6), pg 958}:

• An identification of internal roles to address electromagnetic risks to critical infrastructure; and
• Plans for implementation and protecting and preparing United States critical infrastructure against electromagnetic threats.

The final major difference between the two bills with respect to CISA authorization is the way they handle the movement of Federal Protective Service within DHS. HR 3359 allowed the Secretary to either move FPS into CISA or some other organization within DHS and then report to Congress on that move. HR 2825 instead requires the Secretary to make a determination on the best place to move FPS and then seek Congressional approval for that move.

There are a couple of relatively minor wording changes in the language of the two bills. One is rather odd. In the new §2202(i), the savings clause affirming that the revisions in both bills have no effect on any existing authorities, the following final phrase found in HR 3359 is absent from HR 2825:

“including the authority provided to the Sector-Specific Agency specified in section 61003(c) of division F of the Fixing America’s Surface Transportation Act (6 U.S.C. 121 note; Public Law 114–94).”

Moving Forward


As I mentioned earlier, this report now clears the bill for potential consideration by the whole Senate. The bipartisan support seen in Committee should mean that the bill would pass the Senate. The problem here, this late in the session, is that it will be difficult to bring up the bill in normal order with debate and further amendments. Practically speaking, this means that this bill would have to be passed under the unanimous consent process, which could be stopped by the opposition of a single senator to even relatively minor provisions in the bill. I suspect that this report is the last we will see of this bill in the 115th Congress.

Saturday, November 24, 2018

Public ICS Disclosures – Week of 11-17-18


This week we have a vendor disclosure for products from AVEVA.

The AVEVA advisory describes a DLL hijacking vulnerability in third-party software included in Vijeo Citect and Citect SCADA products. This is the Schneider Software Update (SESU) vulnerability reported earlier this month.

Wednesday, November 21, 2018

FAA Publishes Two Cybersecurity Special Condition Rules


Today the DOT’s Federal Aviation Administration (FAA) published two cybersecurity related special condition final rules in the Federal Register (83 FR 58739-58740, and 83 FR 58740-58742). Both rules are for Garmin International G5000 avionics systems in Textron Model 560XL aircraft. The FAA has crafted these rules due to the fact that the G5000 system allows internal and external connections “to previously isolated data networks, which are connected to systems that perform functions required for the safe operation of the airplane”.

Special Conditions


The first rule addresses internal (to the aircraft) access and provides the following additional safety certification requirement:

“The applicant must ensure that the design provides isolation from, or airplane electronic-system security protection against, access by unauthorized sources internal to the airplane. The design must prevent inadvertent and malicious changes to, and all adverse impacts upon, airplane equipment, systems, networks, or other assets required for safe flight and operations.”

The second rule addresses external (to the aircraft) access to the control system and provides the following two additional safety certification requirements:

“The applicant must ensure airplane electronic-system security protection from access by unauthorized sources external to the airplane, including those possibly caused by maintenance activity.

“The applicant must ensure that electronic-system security threats are identified and assessed, and that effective electronic-system security protection strategies are implemented to protect the airplane from all adverse impacts on safety, functionality, and continued airworthiness.”

Both rules also contain the following additional safety certification requirement:

“The applicant must establish appropriate procedures to allow the operator to ensure that continued airworthiness of the airplane is maintained, including all post-type-certification modifications that may have an impact on the approved electronic-system security safeguards.”

Public Comment


Both special conditions have an effective date of today. The FAA is soliciting public comments on both rules. Comments need to be submitted by January 7th, 2019. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; docket #s, FAA-2018-0782 and FAA-2018-0781).

Commentary


These ‘special conditions’ are identical to those that the FAA has released in similar situations in the past (see here for example). The requirements are generic. What will be important (and largely outside of public view) will be the processes the FAA uses to verify the efficacy of the efforts that Garmin, Textron and aircraft owners exhibit during the certification process.

I continue to be disappointed that the FAA does not provide a generic requirement in these special condition notices requiring that the manufacturer and aircraft owners establish processes to accept, evaluate and notify the FAA of any reported vulnerabilities in the avionics systems or the cybersecurity processes employed to protect those systems. I would like to think that the FAA considers this lumped in with the “continued airworthiness” standard included in both special condition rules, but I suspect that this rather reflects a serious oversight on the part of the FAA.

Tuesday, November 20, 2018

Two Advisories and One Update Published – 11-20-18


Today the DHS NCCIC-ICS published two control system security advisories for products from Schneider Electric and Teledyne DALSA. They also published an update for a previously published advisory for products from NUUO.

Schneider Advisory


This advisory describes an insufficient verification of data authenticity vulnerability in the Schneider Modicon M221 PLC. The vulnerability was reported by Eran Goldstein of CRITIFENCE. Schneider has provided workarounds to mitigate the vulnerability. There is no indication that Goldstein has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause a change of IPv4 configuration (IP address, mask, and gateway) when remotely connected to the device.

Teledyne Advisory


This advisory describes a stack-based buffer overflow vulnerability in the Teledyne Sherlock machine vision software interface. The vulnerability was reported by Robert Hawes. Teledyne reports that newer versions mitigate the vulnerability. There is no indication that Hawes has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to crash the device being accessed; a buffer overflow condition may allow remote code execution.

NUUO Update


This update provides additional information on an advisory that was originally reported on October 11th, 2018. The update adds additional affected version information and three new vulnerabilities:

• Path traversal - CVE-2018-17934;
• Unrestricted upload of file of dangerous type - CVE-2018-17936; and
• SQL injection - CVE-2018-18982.

HR 6992 Recognition Program – CFATS Reauthorization


As I noted in an earlier post, HR 6992, the House version of a Chemical Facility Anti-Terrorism Standards (CFATS) program reauthorization bill, made some changes to the CFATS Recognition Program introduced in S 3405. It is not yet clear (since the Senate Homeland Security and Governmental Affairs Committee has not yet published its report and amended version of the bill) whether this new language will also be reflected in the reported version of the Senate bill.

Definitions


Section 4 of the bill (as does §5 of S 3405) adds a new subparagraph (5) to 6 USC 622(c). HR 6992 adds two additional definitions, and excludes a definition found in the Senate bill. The first new definition is for the term ‘participating facility’ which is defined as “a covered chemical facility that is a member of a participating industry stewardship program” {new §622(c)(5)(A)(ii)}.

HR 6992 does away with the definition of ‘industry stewardship program’ and substitutes instead ‘participating industry stewardship program’. That term is defined as an industry stewardship program that {new §622(c)(5)(A)(iii)}:

• Meets the eligibility requirements under subparagraph (C)(i); and
• Provides regulatory recognition to covered chemical facilities that meet industry best practices.

Compliance Requirements


The new §622(c)(5)(C)(ii) from both bills provides the performance requirements for facilities participating in the CFATS Recognition Program, but there are significant differences in language of the two subparagraphs.

The House bill provides two new reporting requirements for the sponsoring industry organizations. These establish a requirement for the organization to ‘promptly report’ when a participating facility ceases to be {§622(c)(5)(C)(ii)(II)}:

• A member in good standing of the participating industry stewardship program; or
• In full compliance with the requirements of the participating industry stewardship program.

The House bill also completely removes the program description requirements found in the new §622(c)(5)(C)(ii)(II) proposed in the Senate bill. Those requirements were near duplicates of the program criteria established earlier in the new §622(c)(5)(C)(i) in both bills.

Incentive Exceptions


Section 5 of the Senate bill establishes a program of incentives to encourage facility participation in the CFATS Recognition Program, and §4 of the House bill makes some significant changes to those incentives. First, it removes the Tier reduction incentive provided for in the Senate bill. Then it adds two exception conditions to the reduction in inspection frequency provisions of the Senate program. Those exceptions are {new §622(c)(5)(C)(iii)(I)(aa)(AA)}:

• In the case of any inspection relating to any planned measure in the site security plan of a participating facility that has not been fully implemented; or
• In a case in which a participating facility is not in full compliance with the requirements under the Chemical Facility Anti-Terrorism Standards Program;

Implementation Requirements Erased


The House bill also completely does away with the ‘implementation’ requirements found in the new §622(c)(5)(D) in the Senate bill. Those requirements set forth:

• How stewardship programs would apply to participate in the CFATS Recognition Program;
• How the Department would respond to those applications; and
• How stewardship programs could submit revised applications for programs denied participation.

Commentary


Michael Kennedy, a lawyer long involved in the CFATS program, has an interesting article over at SecurityInfoWatch.com about the CFATS reauthorization process that includes both HR 6992 and S 3405. Since Michael has been involved in much of the behind-the-scenes negotiations between industry and committee staff on these two bills, his comments are insightful and cogent.

Towards the end of the article he makes an important point about the CFATS Recognition Program:

“Because many of these recognition programs, commonly referred to as industry stewardship programs, are closed to the public, security consultants could be forced to work closer with or even become dues paying members of various trade organizations, such as the American Chemistry Council, Association of Chemical Distributors, Agricultural Retailers, the Society of Chemical Manufacturers and the Fertilizer Institute – all of which support the measures – in order to access these programs and properly advise their clients.”

Another point that Congress needs to keep in mind is that widespread use of these recognition programs will reduce congressional oversight capabilities over the implementation of the CFATS program. Rather than having a one-stop shop for information about inspection processes, inspector qualifications and site security plan implementation details, congressional investigators will have to dig into the processes at multiple private organizations.

This recognition program could also exacerbate the inconsistency problems that some in industry are complaining about. The current CFATS program already has a certain (and certainly inevitable) level of inconsistent application because individual chemical security inspectors interpret security guidance from the Director differently; that inconsistency will certainly expand when security program managers at different industry stewardship programs each interpret that guidance from the DHS Infrastructure Security Compliance Division. I doubt that industry will complain about those inconsistencies, since most facilities would have the option to shop different organizations to find the most compatible (less costly) implementation for their facility.

Of course, the details are in the DHS implementation of the program. The language in the House bill provides ISCD with wider latitude in establishing the program. In the long run, with the further opportunity for open industry, labor and activist community involvement in the process of writing the regulations, I think that the House language for the program is the better bet.

Saturday, November 17, 2018

Public ICS Disclosures – Week of 11-10-18


This week we have vendor updates of previously issued advisories from Siemens and an apparently uncoordinated vendor disclosure for products from SourceForge (an open source product web site).

Siemens Advisory Updates


As part of the swath of 16 advisories and updates issued by Siemens this week there were three updates that were not covered by NCCIC-ICS updates. These were for vulnerabilities addressed in ICS-CERT generic alerts; NCCIC-ICS does not update these alerts for new information from the existing vendor list on the alert, since the links on those alerts already take interested parties to this latest information.

• SSA-168644 v1.8 – Spectre and Meltdown Vulnerabilities in Industrial Products. Updated solution for RUGGEDCOM RX1400 VPE;
• SSA-254686 v1.1 – Foreshadow / L1 Terminal Fault Vulnerabilities in Industrial Products. Added solution for SIMATIC IPC647D, SIMATIC IPC847D, SIMATIC IPC647C, SIMATIC IPC847C, SIMATIC IPC627C, SIMATIC IPC677C, SIMATIC IPC827C, SIMOTION P320-4S, SIMOTION P320-4E; and
• SSA-268644 v1.2 – Spectre-NG (Variants 3a and 4) Vulnerabilities in Industrial Products.

GPS Tracking System Vulnerabilities


Ihsan Sencan published an exploit for an SQL injection vulnerability in the SourceForge GPS Fleet/Vehicle Tracking System Using Open Source Traccar Server. There is no CVE associated with this exploit and SourceForge lists the software as “abandoned” so this is probably a 0-day exploit. The product webpage says that there were 48 downloads this week, but I suspect that most of those were security researchers following up on Sencan’s exploit release.

Friday, November 16, 2018

DHS Publishes Semiannual Regulatory Agenda – 11-16-18


Today the Department of Homeland Security (DHS) published their Fall 2018 Semiannual Regulatory Agenda in the Federal Register (83 FR 58031-58038). This is essentially an abstract of some of the information that was originally published in the Fall 2018 Unified Agenda. This Regulatory Agenda identifies a few of the rulemaking activities from the UA that agencies of DHS probably intend to get around to in the coming six months or so, but it is clearly not any indication of whether or not that activity will actually occur.

Some of the DHS rulemakings from this RA that I will be watching if/when they are actually published will be:

• Homeland Security Acquisition Regulation: Safeguarding of Controlled Unclassified Sensitive Information (HSAR Case 2015-001); and
• Homeland Security Acquisition Regulation: Information Technology Security Awareness Training (HSAR Case 2015-002).

It is odd that the last of the rulemakings listed above is not actually explicated in the DHS document. Instead, you have to go to the Regulatory Information Service Center’s RA entry in the Federal Register to find the full explanation for the security training rulemaking.

Of course, there is nothing new here that was not published weeks ago in the UA; publishing it in the Federal Register just makes it slightly more official. It does not, however, mean that we will see these specific rulemakings any quicker. Rulemaking is like making fine wine: it takes a long time, and you cannot tell until the process is completed how good the product actually is.

Thank goodness we are not relying on paper distribution of the Federal Register anymore; this would be a deforestation project.

Thursday, November 15, 2018

Senate Passes S 140 – 2018 CG Authorization


Yesterday the Senate adopted substitute language (S Amendment 4054) for S 140 which changed that bill to the Frank LoBiondo Coast Guard Authorization Act. The new version of this bill is basically a reorganization of the sections of the US Code that are applicable to the Coast Guard. Most of it is way over my head, but it will certainly mess with the way people will reference sections of the code that they have been working with for years.

There are two sections that caught my attention:

• § 514. Backup national timing system [pg S6849]; and
• § 602. Maritime Security Advisory Committees [pg S6853]

Section 514 looks very much like S 2220, the National Timing Resilience and Security Act of 2017. Like that bill it would require the Secretary of Transportation to establish a land-based alternative to the GPS timing signal generally based upon the old LORAN navigation system.

Section 602 would completely rewrite 46 USC 70112, the current authorizing language for both national and local MSACs. I do not follow the CG real closely, but the changes do not appear to be significant.

The revised bill goes back to the House. It is possible that the bill could be dealt with under the same unanimous consent process that was used earlier this week for HR 3359. It depends on whether there are any controversial measures buried in the revised Senate language. It does not look like it, from the way the bill slipped through the Senate.

Wednesday, November 14, 2018

HR 3359 Senate Amendment Accepted by House – CISA Authorization


Yesterday the House accepted the Senate’s amendment to HR 3359, the Cybersecurity and Infrastructure Security Agency Act of 2018. The bill creates the Cybersecurity and Infrastructure Security Agency (CISA) within DHS. The bill was passed earlier this year in the House. The Senate amendment was accepted by the House by ‘unanimous consent’, so no actual vote was taken, but a single voice in objection would have derailed the process.

The bill now goes to the President for signature. There has been no objection raised by the Administration about this bill. In fact, there has been lots of pressure to pass the measure.

8 Advisories and 5 Updates (all Siemens) Published


Yesterday the DHS NCCIC-ICS published eight control system security advisories and updated five previously published advisories; all for products from Siemens.

SIMATIC Panels Advisory


This advisory describes two vulnerabilities in the Siemens SIMATIC HMI and WinCC. The vulnerabilities were reported by Hosni Tounsi from Carthage Red Team. Siemens has newer versions that mitigate the vulnerabilities. There is no indication that Tounsi has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Path traversal - CVE-2018-13812; and
• Open redirect - CVE-2018-13813

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow download of arbitrary files from the device, or allow URL redirections to untrusted websites.

SIMATIC IT Advisory


This advisory describes an improper authentication vulnerability in the Siemens SIMATIC IT Production Suite. The vulnerability is self-reported. Siemens has updates available that mitigate the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to allow an attacker to compromise confidentiality, integrity and availability of the system.

SIMATIC Step 7 Advisory


This advisory describes an unprotected storage of credentials vulnerability in the Siemens SIMATIC STEP 7 (TIA Portal). This vulnerability is self-reported. Siemens has updates available that mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to reconstruct passwords.

SIMATIC S7 Advisory


This advisory describes a resource exhaustion vulnerability in the Siemens SIMATIC S7. The vulnerability was reported by Younes Dragoni of Nozomi Networks. Siemens has a new version for the S7-1500 that mitigates the vulnerability. There is no indication that Dragoni was provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause a denial-of-service condition that could result in a loss of availability of the affected device.

SCALANCE S Advisory


This advisory describes a cross-site scripting vulnerability in the Siemens SCALANCE S firewalls. The vulnerability was reported by Nelson Berg of Applied Risk. Siemens has a new version that mitigates the vulnerability. There is no indication that Berg has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker using social engineering could remotely exploit this vulnerability to allow arbitrary script injection (XSS).

SIMATIC WinCC Advisory


This advisory describes a code injection vulnerability in the Siemens SIMATIC Panels and SIMATIC WinCC (TIA Portal). The vulnerability is self-reported. Siemens has updates available for all but one of the affected devices.

NCCIC-ICS reports that a relatively low-skilled attacker with network access could exploit the vulnerability to perform an HTTP header injection attack.

S7-400 Advisory


This advisory describes two improper input validation vulnerabilities in the Siemens S7-400 CPUs. The vulnerabilities were reported by CNCERT/CC. Siemens has provided specific workarounds to mitigate the vulnerabilities.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to crash the device being accessed, which may require a manual reboot or firmware re-image to bring the system back to normal operation.

IEC 61850 Advisory


This advisory describes an improper access control vulnerability in the Siemens IEC 61850 system configurator, DIGSI 5, DIGSI 4, SICAM PAS/PQS, SICAM PQ Analyzer, and SICAM SCC. The vulnerability is self-reported. Siemens has updates to mitigate the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to exfiltrate limited data from the system or execute code with operating system user permissions.

Industrial Products Update


This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, July 25th, 2017, August 17th, 2017, October 10th, November 14th, November 28th, February 27th, 2018, May 3rd, 2018, May 15th, 2018, September 11th, 2018 and most recently on October 9th, 2018. The update provides new affected version and mitigation information for:

• SINAMICS S120;
• PN/PN Coupler;
• SIMATIC ET200 SP;
• SIMATIC S7-400 V; and
• SIMOCODE pro V PROFINET

SCALANCE Update


This update provides additional information on an advisory that was originally published on November 14th, 2017 and updated on December 5th, 2017, December 19th, 2017, January 25th, 2018 and again on April 24th, 2018. The update changed the update information for SCALANCE W-700 (IEEE 802.11n).

PROFINET Update


This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, July 25th, 2017, August 17th, 2017, October 10th, November 14th, November 28th, 2017, January 18th, 2018, January 25th, 2018, January 27th, 2018, March 6th, 2018 and most recently on May 3rd, 2018. The update provides new affected version and mitigation information for:

• SINAMICS S120;
• SIMATIC ET 200SP (except IM155-6 PN ST); and
• SIMATIC Panels

OpenSSL Update


This update provides additional information on an advisory that was originally published on August 14th, 2018 and updated on September 11th, 2018 and again on October 9th, 2018. The update provides new affected version and mitigation information for:

• SIMATIC HMI WinCC Flexible; and
• SIMATIC IPC DiagMonitor

SIMATIC S7 Update


This update provides additional information on an advisory that was originally published on March 29th, 2018 and updated on April 24th, 2018, and again on June 12th, 2018. The update provides new affected version and mitigation information for:

• SIMATIC BATCH V8.2;
• OpenPCS 7 V8.2; and
• SIMATIC Route Control V8.2

NOTE: I will address the other four updates that Siemens published on Saturday.

Tuesday, November 13, 2018

Committee Hearings – Week of 11-11-18


The House and Senate are back in Washington for the first week of the lame duck session of the 115th Congress. The hearing schedule is relatively light this week. There is one hearing of potential interest that looks at DHS-DOD cybersecurity cooperation.

DHS-DOD Cybersecurity


On Wednesday there will be a joint hearing of the Emerging Threats and Capabilities Subcommittee (House Armed Services Committee) and the Cybersecurity and Infrastructure Protection Subcommittee (House Homeland Security Committee) on “Interagency Cyber Cooperation: Roles, Responsibilities and Authorities of the Department of Defense & the Department of Homeland Security”. The witness list includes:

• Ms. Jeanette Manfra, DHS;
• Kenneth Rapuano, DOD; and
• LTG Bradford "B.J." Shwedo

Looking Ahead


Lame duck sessions are always unpredictable, particularly when there is an upcoming change in control of the House. On some issues we could see an increase in bipartisanship, because departing members are freer to vote their personal conscience or beliefs now that they no longer need to consider the desires of their constituents or financial supporters; on other issues the opposite will be true for the same reasons. Unfortunately, it is hard to predict which will rule on a particular issue.

There are two measures that I will personally be watching for in the coming weeks: the final spending bill (which includes DHS) and the extension of the CFATS program. The first will be publicly controversial mainly because of border wall spending and immigration issues. This may be a bill in the House where we see moderate, outgoing Republicans working with Democrats to get a bill passed.

The CFATS situation is more complicated. Most of the controversies on the two bills involved (HR 6992 and S 3405) are being discussed behind the scenes in committee staffs so it is hard to tell what is going on. S 3405 could come to a floor vote (no debate, no amendments) in the Senate at any time once all of the infighting has been resolved. The House bill will probably require at least one hearing, probably two (Homeland Security and Energy and Commerce Committees) before it can come up for a vote on the floor. Of course, we could just see a one-year extension of the program added to the DHS minibus spending bill, but that would mean two Republican committee chairs in the House giving up their influence on the program.

The current deadline for the minibus is December 7th, but that could be extended up to and beyond (‘beyond’ is possible but highly unlikely) December 31st. In either case, passing that bill will effectively mark the passing of the 115th Congress so the CFATS issue will have to be cleared up by that time as well.

Saturday, November 10, 2018

Public ICS Disclosures – Week of 11-03-18


This week we have a vendor disclosure for products from Rockwell and researcher disclosures for products from D-Link and Advantech.

Rockwell Advisory


Rockwell published an advisory for an IP configuration vulnerability in their MicroLogix 1400 controllers and 1756 ControlLogix EtherNet/IP Communications Modules. The vulnerability was reported to Rockwell by ICS-CERT (and an NCCIC-ICS advisory should be expected this coming week). Rockwell has firmware updates available for currently supported products that mitigate the vulnerability.

NOTE: The advisory indicates that this might be a problem with the ODVA EtherNet/IP standard, so this vulnerability might affect products from other vendors as well.

D-Link Vulnerabilities


John Page (hyp3rlinx) reports three vulnerabilities in the D-Link Central WifiManager CWM-100. The reports indicate that D-Link has been notified of the vulnerabilities but has not communicated successful mitigation measures to Page. The reports include POC exploits.

The three reported vulnerabilities are:

• Server-side request forgery - CVE-2018-15517; and
• FTP server PORT bounce scan - CVE-2018-15516

Advantech Vulnerabilities


Tenable has published an advisory for three vulnerabilities in the Advantech WebAccess/SCADA 8.3.2 product. Chris Lane has published exploit code for two of the vulnerabilities. Tenable reports that Advantech has published a new version that mitigates the vulnerabilities. There is no indication that Tenable has verified the efficacy of the fix.

The three reported vulnerabilities are:

• Directory traversal (2) - CVE-2018-15705, and CVE-2018-15706; and
• Reflected cross-site scripting - CVE-2018-15707

Thursday, November 8, 2018

One Advisory and One Update Published


Today the DHS NCCIC-ICS published a medical device security advisory for products from Philips. They also updated a previously published medical device security advisory for products from Roche.

Philips Advisory


This advisory describes a weak password requirement vulnerability in the Philips iSite and IntelliSpace PACS. The vulnerability was reported by a customer. Philips reports existing generic mitigation measures should take care of any problems with this vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access to the system could exploit the vulnerability to allow an attacker to compromise a component of the system.

Roche Update


This update provides additional information on an advisory that was originally published on November 6th, 2018. The update changes the way that the advisory reports affected version numbers of the products and corrects the location of the corporate headquarters.

Wednesday, November 7, 2018

S 3021 Changes Water Security Requirements


Thanks to Jake Brodsky for pointing me at an article about recent legislation affecting water treatment and waste water treatment cybersecurity. I did not cover S 3021, the America’s Water Infrastructure Act of 2018, when it was amended in the House (it was introduced as a courthouse name change bill in the Senate), as I did not see any cybersecurity or chemical security references in the long table of contents. Oops, they slid it in as “SEC. 2013. COMMUNITY WATER SYSTEM RISK AND RESILIENCE”.

Cybersecurity Assessment


Section 2013 rewrites §1433 of the Safe Drinking Water Act (42 USC 300i–2), the current law regarding EPA’s regulation of security at water treatment facilities and waste water treatment facilities. The focus of §1433 is changed somewhat, as reflected in the change of the title from “Terrorist and other intentional acts” to “Community water system risk and resilience”. Similar wording changes are found throughout the revised section.

The item that caught the author’s attention is found in the new §1433(a)(1)(A) risk assessment requirements:

“(A) shall include an assessment of—
(i) the risk to the system from malevolent acts and natural hazards;
(ii) the resilience of the pipes and constructed conveyances, physical barriers, source water, water collection and intake, pretreatment, treatment, storage and distribution facilities, electronic, computer, or other automated systems (including the security of such systems) [emphasis added] which are utilized by the system;”

Interestingly, the new language in §1433(a) makes two other significant changes to the assessment requirements. First, it removes the requirement for providing the EPA with a copy of the assessment; it only requires a brief certification statement to be submitted to the EPA. Secondly, it reduces the disclosure protections for the assessments, removing protection from the disclosure requirements of 5 USC 522. Fortunately, no information beyond the certification statement is being provided to the EPA that could be required to be disclosed under §522.

Cybersecurity Emergency Response Plans


The emergency response plan requirements of §1433(b) have also been revised to include specific cybersecurity requirements. In addition to the formatting changes made to this paragraph, it now includes:

(1) strategies and resources to improve the resilience of the system, including the physical security and cybersecurity of the system; [emphasis added]

Again, the new language only requires covered entities to provide certification to the EPA that the emergency response plans have been prepared.

Alternative Programs


Paragraph (f) of the revised section allows facilities to meet the assessment and/or planning requirements by satisfying “technical standards that are developed or adopted by third-party organizations or voluntary consensus standards bodies that carry out the objectives or activities required by this section” {new §1433(f)(2)}.

Funding


Paragraph (g) establishes the Drinking Water Infrastructure Risk and Resilience Program, which includes provisions for grants and technical assistance to support the assessment and response plan requirements of this section. It also authorizes $25 million for the Program for FY2020 and FY2021, with $5 million of that earmarked for ‘technical assistance’ and $10 million for grants to small facilities (those serving fewer than 3,300 people, which are not required to comply with §1433).

Commentary


This bill does very little to change the EPA’s oversight of security of water treatment or waste water treatment facilities. It does not require the EPA to review or approve the assessments or emergency response plans, nor even give them the authority to suggest changes to those activities. The additional cybersecurity language simply recognizes that the control systems at these facilities are potentially subject to attack or internal malfeasance and that their security should be addressed by facilities.

The ludicrously small amount of money remaining for grants to covered treatment facilities or works shows how little Congress appreciates the scope of the problem.

One Advisory and One Update Published


Yesterday the DHS NCCIC-ICS published a medical device security advisory for products from Roche. It also updated a control system security advisory for products from Schneider.

Roche Advisory


This advisory describes five vulnerabilities in Point of Care handheld medical devices. The vulnerabilities were reported by Niv Yehezkel of Medigate. Roche has generic work arounds to mitigate the vulnerabilities. There is no indication that Yehezkel has been provided an opportunity to verify the efficacy of the fix (okay in this case that is just boilerplate since there are no real mitigation measures to evaluate).

The five vulnerabilities are:

• Improper authentication - CVE-2018-18561;
• OS command injection - CVE-2018-18562;
• Unrestricted upload of a file with dangerous type - CVE-2018-18563; and
• Improper access control (2) - CVE-2018-18564 and CVE-2018-18565

NCCIC-ICS reports that a relatively low-skilled attacker with adjacent access could exploit these vulnerabilities to allow an attacker to gain unauthorized access to modify system settings or execute arbitrary code.

NOTE: NCCIC-ICS has taken the unusual step of listing the vulnerable devices for each vulnerability. This is a very complicated advisory, particularly since there is no practical security advice provided.

Schneider Update


This update provides new information on an advisory that was previously published on November 1st, 2018. The new information includes:

• Removing the list of products that can load the affected software and pointing at the Schneider advisory instead (the latest version of that advisory adds new affected products); and
• Changing the wording about the availability of the software update.

NOTE: The revised Schneider advisory also adds the following generic mitigation measure:

“Physical controls should be in place so that no unauthorized person would have access to the ICS and safety controllers, peripheral equipment or the ICS and safety networks.”
