Saturday, March 23, 2019

FMCSA Sends Automated Vehicle ANPRM to OMB


On Thursday the DOT’s Federal Motor Carrier Safety Administration (FMCSA) sent an advance notice of proposed rulemaking (ANPRM) to the OMB’s Office of Information and Regulatory Affairs (OIRA) for review. The ANPRM would address the “Safe Integration of Automated Driving Systems-Equipped Commercial Motor Vehicles”.

According to the abstract in the Fall 2018 Unified Agenda:

“FMCSA requests public comment about Federal Motor Carrier Safety Regulations (FMCSRs) that may need to be updated, modified, or eliminated to facilitate the safe introduction of automated driving systems (ADS) equipped commercial motor vehicles (CMVs) onto our Nation's roadways. FMCSA requests comment on specific regulatory requirements that are likely to be affected by an increased integration of ADS-equipped CMVs. However, the Agency is not seeking comments on its financial responsibility requirements because they are not directly related to CMV technologies and because future insurance requirements will depend in part on the evolution of State tort law with respect to liability for the operation of ADS-equipped vehicles.”

Public ICS Disclosures – Week of 03-16-19


CERT-VDE published an advisory describing nine vulnerabilities in the ENDRESS-HAUSER Field Xpert hand-held devices. These are the KRACK WPA2 vulnerabilities. The vulnerabilities are being self-reported. ENDRESS-HAUSER points to third-party mitigations for the affected devices.

NOTE: It is disappointing to note that we can still see original reporting of KRACK vulnerabilities when these were first reported in the ICS environment back in October of 2017. It is particularly aggravating in this case since the vulnerability was already reported in the affected devices by the manufacturer.

Friday, March 22, 2019

S 333 Reported in Senate – Cybersecurity Consortia

The Senate Homeland Security and Governmental Affairs Committee published their report on S 333, National Cybersecurity Preparedness Consortium Act of 2019. The bill was adopted in Committee without amendment. The bill is now cleared for consideration by the full Senate. That consideration will take place under the Senate unanimous consent process if it does occur. HR 1062, the companion bill in the House, has not yet been considered in Committee.

The only thing of interest in the report is the clarification that the actions that would be authorized by the bill are already being undertaken by the Department of Homeland Security. This may be why Johnson’s Committee was so quick to take up a bill that was not sponsored by Committee members.

Thursday, March 21, 2019

1 Advisory Published – 03-21-19


Today the DHS NCCIC-ICS published a medical device security advisory for products from Medtronic.

The advisory describes two vulnerabilities in Medtronic MyCareLink Monitor, CareLink Monitor, CareLink 2090 Programmer, and specific Medtronic implanted cardiac devices. The vulnerabilities were reported by Peter Morgan of Clever Security; Dave Singelée and Bart Preneel of KU Leuven; Eduard Marin formerly of KU Leuven, currently with University of Birmingham; Flavio D. Garcia; Tom Chothia of the University of Birmingham; and Rik Willems of University Hospital Gasthuisberg Leuven. Medtronic has provided generic mitigation measures pending development of appropriate updates.

The two reported vulnerabilities are:

• Improper access control - CVE-2019-6538; and
• Clear-text transmission of sensitive information - CVE-2019-6540.

NCCIC-ICS reports that a relatively low-skilled attacker with adjacent short-range access to one of the affected products could exploit these vulnerabilities to interfere with, generate, modify, or intercept the radio frequency (RF) communication of the Medtronic proprietary Conexus telemetry system, potentially impacting product functionality and/or allowing access to transmitted sensitive data.

NOTE: The Food and Drug Administration has published a separate advisory for these vulnerabilities.

HR 1493 Introduced – Cyber Sanctions


Earlier this month Rep. Yoho (R,FL) introduced HR 1493, the Cyber Deterrence and Response Act of 2019. The bill is very similar to S 602 introduced last month in the Senate and less similar to HR 5567 introduced last session by Yoho, which was passed by the House but not taken up by the Senate.

Differences


This bill contains the same additions to HR 5567 that I mentioned were seen in S 602. The Senate bill did contain a reference {§3(d)(2)(D)} to the Export Control Reform Act of 2018 {50 USC 4813(a)(1)} that could not have been included in HR 5567 since that Act had not been passed when the bill was introduced. That reference is not included in this bill. This means that any successor munitions control list created in accordance with §4813 provisions would not automatically be included in the sanctions applicable under this bill.

Paragraph (f) from S 602, which provided for the applicability of penalties under the Emergency Economic Powers Act {50 USC 1705(b) and (c)} to violations of §3(b)(2)(H) of this bill, is not included in this bill. This may be because Yoho’s staff considered those provisions to be included by reference in §3(b)(2)(H). Or, it may just have been an oversight.

Moving Forward


As last year with HR 5567, Yoho and his cosponsors are influential, bipartisan members of the committees to which this bill was assigned for consideration. Last session this influence was enough to ensure consideration in a Republican-controlled House, both in the Foreign Affairs Committee and on the floor of the House. In both places it received strong bipartisan support.

Similar bipartisan support would be expected this year, but it remains to be seen if the priorities of the Democratic leadership will allow for the same consideration of this bill.

Commentary


I still have the same problems with this bill that I had with S 602: the lack of definition of the term ‘cyber activities’ that could trigger the designation of ‘a critical cyber threat’. While I understand that a certain amount of latitude should be allowed for in that definition as cyber technologies and attack methodologies evolve, I do think that a definition is required to constrain actions of the President.

Having said that, it is probably incumbent upon me to provide a suggested definition. I would suggest the following changes to the definition of ‘state sponsored cyber activities’:

“The term ‘‘state-sponsored cyber activities’’ means any malicious cyber-enabled activities incident (as defined in 6 USC 659(a) [proposed here]) that directly affected government information systems, a critical infrastructure information system or a control system that affected public safety and was caused by  
“(A) are carried out by a government of a foreign state or an agency or instrumentality of a foreign state; or
“(B) are carried out by a foreign person that is aided, abetted, or directed by a government of a foreign state or an agency or instrumentality of a foreign state.

Wednesday, March 20, 2019

HR 1420 Introduced – Energy Efficient Cyber Tech


Last month Rep. Eshoo (D,CA) introduced HR 1420, the Energy Efficient Government Technology Act. The bill would require the OMB to establish a strategy for the maintenance, purchase, and use by Federal agencies of energy-efficient and energy-saving information technologies at or for federally owned and operated facilities.

This is not one of the bills one would normally expect me to cover in this blog; it does not address any cybersecurity issues. It does, however, point to a problem of congressional understanding of cyber issues that does have an impact on the legislative process in general and cybersecurity legislation in particular.

Commentary


The bill would amend the Energy Independence and Security Act of 2007 by adding a new §530, Energy-Efficient and Energy-Saving Information Technologies. A key definition in the bill is for the term ‘information technology’ which is defined as having “the meaning given that term in section 11101 of title 40, United States Code [link added]” {new §530(a)(2)}. This is one of the most IT-limited definitions used in the USC and it is further limited to equipment owned by an agency of the Executive Branch of the Federal Government.

The bill then goes on to require the OMB to develop its strategy for the use of “energy-efficient and energy-saving information technologies” {new §530(b)}. Paragraph (c) then goes on to identify six elements that should be included in that strategy:

• Advanced metering infrastructure;
• Energy-efficient data center strategies and methods of increasing asset and infrastructure utilization;
• Advanced power management tools;
• Building information modeling, including building energy management;
• Secure telework and travel substitution tools; and
• Mechanisms to ensure that the agency realizes the energy cost savings brought about through increased efficiency and utilization.

Three of the six elements (1, 3, and 4) deal with operational technology (otherwise known under the rubric of ‘industrial control systems’), not information technologies. Now, in the scope of this bill, the confusion between OT and IT is probably of little consequence. There is nothing in the guidance provided in the bill that would be dealt with differently if applied to either OT or IT.

Unfortunately, we see the same failure to differentiate between OT and IT in many pieces of cybersecurity legislation. There the differences between the two types of technology do make a difference in how cybersecurity strategies are applied. In IT cybersecurity the emphasis is on protecting information. In OT cybersecurity the focus is on protecting the physical processes involved, with protection of the information (normally intellectual property) being a secondary or even tertiary consideration.

Until Congress (and more importantly its staffs) are able to distinguish between the two types of cyber technology, their ability to effectively legislate cybersecurity matters for either technology will be severely lacking. But even in this bill, the failure to understand that the massive information technology complex of the federal government is dependent on a largely misunderstood operational technology component means that the crafters of this legislation almost certainly left some important considerations out of this bill. Energy efficiency is at heart a matter of energy management, which rests on OT, not IT.

PHMSA Sends Pipeline Safety Final Rule to OMB


Yesterday the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) sent a final rule to the OMB’s Office of Information and Regulatory Affairs (OIRA) for review. The rule addresses the safety of hazardous liquid pipelines and has been in the works since 2010. The notice of proposed rulemaking was published in 2015.

According to the Fall 2018 Unified Agenda, this final rule seeks to:

• Extend reporting requirements to gravity lines that do not meet certain exceptions;
• Extend certain reporting requirements to all hazardous liquid gathering lines;
• Require inspections of pipelines in areas affected by extreme weather, natural disasters, and other similar events;
• Require periodic assessments of onshore transmission pipelines that are not already covered under the integrity management (IM) program requirements;
• Expand the use of leak detection systems on onshore hazardous liquid transmission pipelines to mitigate the effects of failures that occur outside of high consequence areas;
• Modify the IM repair criteria, both by expanding the list of conditions that require immediate remediation and consolidating the time frames for remediating all other conditions;
• Increase the use of inline inspection tools by requiring that any pipeline that could affect a high consequence area be capable of accommodating these devices within 20 years, unless its basic construction will not permit that accommodation; and
• Clarify other regulations to improve compliance and enforcement.


Tuesday, March 19, 2019

2 Advisories Published – 03-19-19


Today the DHS NCCIC-ICS published two control system security advisories for products from Columbia Weather Systems and AVEVA.

Columbia Advisory


This advisory describes six vulnerabilities in the Columbia Weather MicroServer weather monitoring system. The vulnerabilities were reported by John Elder and Tom Westenberg of Applied Risk. Columbia has a firmware update that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• Cross-site scripting (2) - CVE-2018-18875 and CVE-2018-18880;
• Path traversal - CVE-2018-18876;
• Improper authentication - CVE-2018-18877;
• Improper input validation - CVE-2018-18878; and
• Code injection - CVE-2018-18879.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow disclosure of data, cause a denial-of-service condition, and allow remote code execution.

AVEVA Advisory


This advisory describes an uncontrolled search path element vulnerability in the AVEVA InduSoft Web Studio and InTouch Edge HMI products. The vulnerability is in a third-party component: the Gemalto Sentinel UltraPro encryption keys (separately reported last week). The vulnerability was reported by ADLab of Venustech. AVEVA has updates available to mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to allow execution of unauthorized code or commands.

NOTE: I wonder how many other vendors are using the Gemalto product?

NHTSA Publishes Two Automated Driving System Petitions


Today the DOT’s National Highway Traffic Safety Administration (NHTSA) published two notices in the Federal Register (84 FR 10172-10182 and 84 FR 10182-10191) requesting public comments on petitions for exemptions from Federal Motor Vehicle Safety Standards (FMVSS) for two fully-automated-driving vehicles. The first is for an autonomous delivery vehicle from Nuro, Inc. The second is for a driverless passenger vehicle from General Motors.

Nuro Petition


The Nuro petition is for a low-speed delivery vehicle without human occupants. It requests exemption from the following FMVSS standards:

• FMVSS #500 – exemption from rear view mirror requirements;
• FMVSS #250 – exemption from windshield requirements; and
• FMVSS #111 – exemption from back-up camera requirements.

The petition is limited in scope because the intended Nuro vehicle is already exempt from most FMVSS standards for a normal passenger vehicle because it is a low-speed vehicle as defined under 49 CFR 571.3.

GM Petition


The GM petition is for a passenger vehicle in limited service. It would have no provisions for an occupant to take control of the vehicle during operation. It requests exemption from the following FMVSS standards:

• FMVSS #101 – exemption from motor vehicle controls, telltales and indicators requirements;
• FMVSS #102 – exemption from transmission shift position sequence, starter interlock, and transmission braking effect requirements;
• FMVSS #108 – exemption from headlamp switch requirements;
• FMVSS #111 – exemption from rearview mirror requirements;
• FMVSS #114 – exemption from parking brake, service brake or transmission gear selection test requirements;
• FMVSS #124 – exemption from return of the throttle to the idle position requirements;
• FMVSS #126 – exemption from driver loss of directional control requirements;
• FMVSS #135 – exemption from human braking control requirements;
• FMVSS #138 – exemption from tire pressure warning requirements;
• FMVSS #141 – exemption from gear shift selector test requirements;
• FMVSS #203, #204, and #207 – exemption from steering wheel impact test requirements;
• FMVSS #208 and #214 – exemption from driver’s position crash-test requirements; and
• FMVSS #226 – exemption from airbag indicator requirements.

Public Comments


NHTSA is soliciting public comments on the petitions. Comments are required to be submitted by May 20th, 2019. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # NHTSA-2019-0017, Nuro petition; and NHTSA-2019-0016, GM petition).

Commentary


An interesting component of both of these petitions is that they are for electric vehicles. That does not seem to matter much except that both petitions include reference to regulatory exemptions for ‘low emission vehicles’. Congress gave DOT authority (49 USC 30113) to ease the introduction of ‘low-emission vehicles’ by providing temporary exemptions to vehicle safety standards. Both petitions are using the argument from §30113(b)(3)(B)(iii) that “the exemption would make easier the development or field evaluation of a new motor vehicle safety feature providing a safety level at least equal to the safety level of the standard”; the new ‘motor vehicle safety feature’ being the autonomous operation system.

While avoiding the well-known and documented safety problems associated with human drivers, autonomous vehicle operating systems are going to present their own problems. Both petitioners are making the point that being able to identify (the necessary precursor to fixing) problems with their systems in real-world operations is the only way to move these systems into full-scale production. In many ways, this seems to be a valid argument, except….

The big problem missing from the discussion in either petition is the cybersecurity of their operating systems. A major reason for this is that NHTSA (and at base, Congress) have failed to explicate how they expect developers to protect these systems. With no federal regulatory requirements in existence, neither applicant is under any obligation to provide information on how (or even if) they are addressing the cybersecurity issue. This does not provide me with a warm fuzzy feeling.

The current crop of autonomous vehicles undergoing real-world testing still have the capability of human intervention to overcome software issues of malware or bad code. Granted, that oversight has not been perfect by any stretch of the imagination, but it is there. These two proposals specifically and graphically have removed that intervention; a necessary next step in the development of truly autonomous vehicles. The question, however, is whether we are ready to take that next step when we do not yet have a definition of the cybersecurity requirements for these systems, or a way to evaluate the efficacy of the cybersecurity systems put into play (whatever they are). Before we take the next step, we need to have a handle on, or at least a definition of, the cybersecurity of these systems.

Monday, March 18, 2019

S 602 Introduced – Cyber Sanctions


Last month Sen. Gardner (R,CO) introduced S 602, the Cyber Deterrence and Response Act of 2019. The bill would require the President to identify foreign persons or agencies of a foreign state that are ‘critical cyber threats’ and impose sanctions on such persons or agencies. The bill is very similar to S 3378 that was introduced by Gardner during the 115th Congress; no action was taken on that bill.

Differences


This new version of the bill makes a large number of relatively minor wording and phrasing changes that would be of interest only to an English teacher. There are, however, two sanction additions found in S 602:

• Allows for the withdrawal, limitation, or suspension of non-humanitarian development assistance from the United States to the foreign state under chapter 1 of part I of the Foreign Assistance Act of 1961 {§3(b)(2)(B)}; and
• Allows the President to direct the Overseas Private Investment Corporation, the United States International Development Finance Corporation, or any other Federal agency not to provide assistance to a designated critical cyber threat {§3(b)(2)(D)}.

Additionally, there are two procedural measures added in the latest version of the proposed bill:

• Instead of publishing a notice in the Federal Register listing the designation of a critical cyber threat, S 602 requires a report to Congress {§3(a)(2)}; and
• Spells out actions that President should take to coordinate sanctions with allies and partners of the United States {§3(g)(2)}.

Moving Forward


Both Gardner and his cosponsor {Sen. Coons (D,DE)} are influential members of the Senate Foreign Affairs Committee, the Committee to which this bill was assigned for consideration. One would normally expect this to mean that the bill will be considered in Committee. Last session, however, S 3378 did not see the light of day after introduction. This may mean that the bill will face a similar fate in this session.

Commentary


The most critical definition in this bill is for the term ‘state-sponsored cyber-activities’ since this is the key to determining whether a person or agency should be designated ‘a critical cyber threat’. Unfortunately, that term ‘state-sponsored cyber-activities’ is essentially defined as a cyber-activity that is state-sponsored. No attempt was made to establish a definition of ‘cyber-activity’.

NHTSA Barriers to Automated Driving Systems ANPRM to OMB


On Thursday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received from DOT’s National Highway Traffic Safety Administration (NHTSA) an advance notice of proposed rulemaking (ANPRM) on “Removing Regulatory Barriers for Automated Driving Systems” for review.

The Fall 2018 Unified Agenda listing for this rulemaking explains:

“This notice seeks comment on existing motor vehicle regulatory barriers to the introduction and certification of automated driving systems. NHTSA is developing the appropriate analysis of requirements that are necessary to maintain existing levels of safety while enabling innovative vehicle designs and removing or modifying those requirements that would no longer be appropriate if a human driver will not be operating the vehicle. NHTSA previously published a Federal Register notice requesting public comment on January 18, 2018.”

Saturday, March 16, 2019

Public ICS Disclosures – Week of 03-09-19


This week we have five vendor notifications for products from Siemens, PEPPERL+FUCHS, and Schneider (3) and four vendor updates of previously published advisories for products from Siemens (3) and Medtronic.

Siemens Advisory


Siemens published an advisory describing a mirror port isolation vulnerability in their SCALANCE X switches. The vulnerability is being self-reported. Siemens has provided generic workarounds to mitigate the vulnerability.

PEPPERL+FUCHS Advisory


VDE CERT published an advisory describing two vulnerabilities in the PEPPERL+FUCHS ecom mobile devices. The vulnerabilities were reported by Ben Seri and Gregory Vishnepolsky of Armis; the Armis 2017 BlueBorne disclosure includes exploits. PEPPERL+FUCHS points to (no links provided) OEM vendors for updates for some of the affected products.

Schneider Advisories


Schneider published an advisory describing an uncontrolled search path element vulnerability in their Pelco VideoXpert OpsCenter. The vulnerability was reported by Osama Radwan. Schneider has a new version that mitigates the vulnerability. There is no indication that Radwan has been provided an opportunity to verify the efficacy of the fix.

Schneider published an advisory describing an SQL injection vulnerability in their U.motion Builder software product. The vulnerability was reported by Julien Ahrens (RCE Security). Schneider recommends that customers stop using their U.motion Builder software product as it is no longer supported.

Schneider published an advisory describing an improper check for unusual or exceptional conditions vulnerability in their Triconex TriStation Emulator. The vulnerability was reported by Tom Westenberg of Applied Risk. Schneider plans to have an update available in July and has provided generic workarounds to mitigate the vulnerability in the meantime.

Siemens Updates


Siemens published an update for their advisory on Spectre and Meltdown Vulnerabilities in Industrial Products. They added an updated solution for their SINUMERIK PCU. NCCIC-ICS is not expected to publish an update for their Meltdown/Spectre alert (ICS-ALERT-18-011-01) since the link in that Alert to the Siemens Industrial Products advisory already takes one to this latest update.

Siemens published an update for their advisory on Foreshadow / L1 Terminal Fault Vulnerabilities in Industrial Products. They added an updated solution for their SINUMERIK PCU. NCCIC-ICS has not published any advisories or alerts about the Foreshadow vulnerabilities.

Siemens published an update for their advisory on Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP. They added 14 new CVEs to the already lengthy list of CVEs covered in the advisory. NCCIC-ICS has not published any advisories or alerts on this family of Linux vulnerabilities.

Medtronic Update


Medtronic published an update for their advisory on MiniMed™ Paradigm™ Insulin Pumps. They added:

• Two new affected devices available in the US; and
• A link to the field safety notification letter issued in August, 2018.

The NCCIC-ICS advisory (ICSMA-18-219-02) was originally published on August 8th, 2018. I suspect that this will be updated in the coming week.

NOTE: It is interesting that the letter (dated August 7th, 2018; the date of the original advisory) includes the two affected devices that are being added to the advisory via this update. The original Medtronic advisory made special note that none of the affected devices were available for sale in the United States.

Friday, March 15, 2019

S 592 Introduced – Cybersecurity Reporting


Last month Sen. Reed (D,RI) introduced S 592, the Cybersecurity Disclosure Act of 2019. The bill would require the Securities and Exchange Commission to establish rules requiring the reporting of whether there was cybersecurity expertise on the board of directors or other governing body of each company required to file annual reports. The bill is very similar to HR 6638 that was introduced last summer in the 115th Congress. No action was taken on that earlier bill. It looks like Rep. Himes reintroduced that bill in the House earlier this week but it will be a week or two until the bill is printed.

Differences Between Bills


The main difference between S 592 and the earlier House bill is that this bill amends the Securities Exchange Act of 1934 by adding a new §14C, which would become 15 USC 78n-3 if the bill becomes law. The earlier bill made essentially the same requirements as a stand-alone measure.

The new bill also takes a little bit of puffery out of the final paragraph of the bill. The change is shown below:

“(c) CYBERSECURITY EXPERTISE OR EXPERIENCE.— For purposes of subsection (b), the Commission, in consultation with NIST, shall define what constitutes expertise or experience in cybersecurity, such as professional qualifications to administer information security program functions or experience detecting, preventing, mitigating, or addressing cybersecurity threats, using commonly defined roles, specialities, knowledge, skills, and abilities, such as those provided in NIST Special Publication 800–181 entitled ‘‘NICE Cybersecurity Workforce Framework’’, or any successor thereto.”

Interestingly, this language deletion removes the final faint traces of the need for the definition of the term ‘information system’ that remains in the bill. The control-system-friendly definition of ‘information system’ was used to support the use of that term in the definition of ‘cybersecurity threat’, which was only used in the phrase deleted above. Both definitions remain in the new bill.

Moving Forward


Reed is a member of the Senate Banking, Housing and Urban Affairs Committee to which this bill was assigned for consideration. Additionally, his cosponsors include Sen. Warner (D,VA), the Ranking Member of the Security, Insurance, and Investment Subcommittee and two Republican members of the Committee. This means that it is very likely that the bill will be considered in Committee.

There is nothing in the bill that would seem to draw any obvious opposition, so it should pass in Committee. Whether or not it will make it to the floor for consideration is very difficult to determine. This bill would normally be considered under the unanimous consent process and a single voice in opposition would prevent it from being considered under that process. And the voice could be raised in ire over something the SEC had done and have nothing to do with this bill.

Commentary


This is all well and good to call for cybersecurity experience on corporate boards, but there are not that many people who would fit the probable description to go around to all of the corporate boards in the country.

The bigger question is whether it is really necessary. While it would be hard to find a corporation that did not have at least some level of cybersecurity exposure, do all of them have enough to require board-level oversight? With the relative scarcity of board-level qualified cybersecurity experts available, there should probably be mandatory cybersecurity representation on some specific subset of corporations, defined either by size or by sector (banking, insurance, energy, etc). Of course, that bill would be much harder to write.

More on CFATS Hearing and Emergency Response


It is becoming increasingly obvious that the Democrats on both the House and Senate Homeland Security Committees are concerned about the role of emergency response in the Chemical Facility Anti-Terrorism Standards (CFATS) program. This means that it is becoming increasingly likely that some sort of emergency response provision will find its way into whatever final bill comes out of the 116th Congress reauthorizing the CFATS program. Thus, the topic bears more discussion.

EPCRA


The CFATS regulations are not the base law in the United States for emergency response information sharing and planning for most chemical facilities. The base law for that requirement is found in the Emergency Planning and Community Right-to-Know Act (EPCRA) codified at 42 USC Chapter 116 with the regulations established at 40 CFR 355. Among other things, that Chapter establishes the Local Emergency Planning Committees, provides for the preparation of comprehensive emergency response plans, and details what facilities are covered under the provisions of EPCRA.

Under the EPCRA regulations a facility is subject to the emergency planning requirements of the regulation if it has any chemicals on either of the extremely hazardous substance lists {Appendixes A (alphabetical order) & B (CAS # order) to §355} in excess of the threshold planning quantity (TPQ) listed in those appendixes. The chemicals from those lists that were included in the DHS list of chemicals of interest (COI), which make up a large portion of the toxic-release hazard chemicals on the COI list, were carried over with the same TPQ (called the screening threshold quantity in the CFATS program).

Most of the chemicals on the EPCRA lists were not included in the CFATS COI list. Only the most toxic chemicals from the list were included as DHS concluded that only the most toxic would form the basis for a credible terrorist attack on a facility holding those chemicals.

Interestingly, two other categories of chemicals that are included in the DHS COI as release hazard chemicals are not addressed in the EPCRA emergency planning regulations or statutes: flammable and explosive chemicals. Congress intended for the EPCRA requirements only to apply to toxic-release hazard chemicals.

Actually, the EPCRA regulations do not require companies or facilities holding extremely hazardous chemicals to do any sort of emergency planning. Those facilities are simply required to report the following types of applicable information to their Local Emergency Planning Committee (LEPC) {§355.21 table}:

• Provide notice that the facility is subject to the emergency planning requirements of EPCRA;
• Designate (and provide notice to the LEPC of) a facility representative who will participate in the local emergency planning process as a facility emergency response coordinator;
• Provide notice of any changes occurring at the facility that may be relevant to emergency planning; and
• Provide any information necessary for developing or implementing the local emergency plan if requested by the LEPC.

All of the responsibility for planning, training, coordinating and exercising the emergency plan falls to the LEPC {42 USC 11003(c)}. Unfortunately, Congress has provided no funding for the LEPCs, nor even a mechanism for funding them. With the Federal government providing no funding for these organizations, there is no effective way for the EPA to regulate the operation of LEPCs or their emergency planning function. Congress has essentially left that responsibility to the States.

CFATS


The CFATS regulations (6 CFR part 27) were originally authorized as part of a DHS appropriations bill over 10 years ago, but are now authorized by 6 USC Chapter 1, Subchapter XVI (§621 et seq.). Nothing in the current authorizing statute specifically mentions ‘emergency response planning’ at CFATS covered facilities. That is addressed, very briefly, in the CFATS regulations at §27.230(a)(9) as part of the risk-based performance standards (RBPS) used to develop and evaluate site security plans. That sub-paragraph states:

“Response. Develop and exercise an emergency plan to respond to security incidents internally and with assistance of local law enforcement and first responders”

The CFATS Risk-Based Performance Standards Guidance manual emphasizes that RBPS #9, Response, is targeted at the response to a security situation and that ‘emergency response’ is only a relatively small part of the response obligation of the facility under the CFATS program. The manual explains the difference this way (pg 84):

“It is important not to confuse a “security response” intended to engage and hopefully neutralize the adversaries with the broader “emergency response” that follows an attack and attempts to reduce the severity of the event and lessen the consequences in terms of loss of life and destruction of property or production capability. The initial “security response” has tactical considerations addressed in RBPS 4 – Deter, Detect, and Delay, whereas the “emergency response” relates to the more traditional efforts to contain the damage and lessen the consequences after a security event. These planning considerations overlap to some degree, and both involve establishing strong, functional, relationships with the various response organizations and personnel that may be needed to support this performance standard. It should be noted that individuals involved in security response activities also often have an integral role in emergency response, and this dual role should be taken into consideration when developing comprehensive crisis management plans.”

In the metrics included at the end of RBPS 9 that facilities and DHS use to evaluate a CFATS site security plan (SSP), the only mention of ‘emergency response’ is in Metric 9.1 (pg 85):

“Documented agreements and/or written procedures for emergency response, including off-site responder services, such as ambulance support, explosive device disposal support, firefighting support, hazardous material spill/recovery support, and medical support.”

There are other requirements within the RBPS 9 metrics for outreach to ‘local law enforcement and emergency responders’ (including LEPCs), but these are not planning requirements; though the metric does note that facilities can fulfill this measure by participation “in incident response drills and exercises in conjunction with off-site responder organizations” (Metric 9.4; pg 86).

Problems With Current Models


The two regulatory models described above take two different approaches to the emergency response planning problem. The EPA model calls for unfunded agencies, the LEPCs, to conduct the emergency response planning for all facilities in their operating area. The CFATS model places the planning responsibility with the covered facility. Both models contain serious disconnects from reality.

The first problem common to both models is the funding issue. Emergency response planning takes time and expertise to accomplish the front-end work of developing the plan. That requires money to pay for the expert’s time. Even if the expert volunteers their time, there is the cost of the time lost from that expert’s normal job. Next, to be effective, a plan must be reviewed, revised and exercised, then reviewed and revised again, on a periodic basis. Again, the time involved in that process is costly and limited. LEPCs in large urban areas may be able to absorb this cost by having a full-time professional planner on staff at a local agency, but that is not going to be an option for most communities.

For large CFATS facilities, it may be possible to have a full-time emergency response planner on staff, or finances may be available to pay an emergency response contractor to undertake the necessary planning. At some point, however, as facilities decrease in size that professional capability is going to become impossible to afford. But even where the facility has the financial resources to fund a planner, the community is still going to have to fund the review and exercise portion of the emergency planning process. Again, smaller communities are going to find this extremely difficult or impossible to afford.

The second problem is the information sharing issue. At first glance, in the EPA model this does not seem to be much of a problem. Facilities are required to provide LEPCs with the required information, either directly by law or by response to requests from the LEPC. Unfortunately, the amount required directly by statute is relatively limited and the LEPC can only request the information that it knows that it needs. There is no incentive for facilities to share additional information such as the presence of other chemicals on site that may complicate the emergency response process.

For CFATS covered facilities this problem is aggravated by the statutory restrictions on the sharing of Chemical-Terrorism Vulnerability Information (CVI). Information about a CFATS facility’s holdings of the toxic-release hazard chemicals covered under the EPCRA rules is not generally going to be classified as CVI, at least as that information relates to the type, amount and location of the extremely hazardous substances listed in the EPCRA regulations. As noted earlier, however, the flammable and explosive release hazard chemicals covered under CFATS are not addressed in EPCRA, and the sharing of information about those chemicals (which also need emergency response planning under CFATS) is limited to individuals who have been trained in the handling of CVI and have the appropriate means to protect that information. Again, there is a time cost associated with receiving the CVI training (the training itself is free), and the cost of the physical security and cybersecurity measures needed to protect that information is not negligible.

The final problem with the current models is that both EPA and DHS have made it difficult to share emergency response planning information with potentially affected neighbors. Both agencies have done this with the intent of denying information to potential attackers. The EPA restricts access to the facility data to people who physically visit an EPA reading room (at a limited number of locations), and DHS prohibits sharing CVI with the public. While done with the best of motives, both agencies have ensured that in most cases the public does not have access to the information it needs to respond promptly to an emergency at the facility.

Fixing the Problem


Because of the size of the universe of EPCRA covered facilities, I do not foresee Congress attempting to provide enough funding to allow LEPCs to fix the emergency response planning problems identified above. If they are fixed it will be on a case by case basis where either the local community or large chemical facility is able to provide the necessary funding.

Because the CFATS covered facility universe is much smaller (3,330 as of March 1st) some of these issues may be more tractable. I have addressed in some detail how I would modify the current authorization in a blog post from last year. The money issue still remains, my suggestion to allow (gently require) FEMA to use grant funds for emergency response planning for CFATS covered facilities only partially addresses the issue due to the limited nature of those funds and I did not propose increasing them because that would increase the problems with getting the reauthorization bill passed. Realistically, FEMA needs a specific emergency response planning grant authority and is probably going to have to be required (and funded) to provide professionals to help LEPCs conduct both the planning and exercises of those plans. That will almost certainly have to be addressed in separate legislation.

Finally, none of my suggestions in the earlier post address the issue of information sharing with the local, potentially directly affected population. It is easy to say that information must be shared but legislating that in an effective manner is going to be difficult. Defining who the potentially affected population is will be hard enough. Crafting language describing an effective outreach program that will overcome what is unfortunately in many cases a mistrust of the chemical industry based upon decades of poor, incomplete and often misleading information is going to be difficult.

The best I can suggest at this point is adding an additional sub-paragraph to the end of §636(b) proposed in that earlier blog post:

(6) Conduct an annual outreach class for the immediate neighbors potentially affected by a full release of any toxic-release COI on the facility describing:

(A) What such a release might look and/or sound like;
(B) What measures the facility has in place to warn neighbors of such a release;
(C) What immediate actions neighbors should take to best protect themselves in the event of such a warning;
(D) How neighbors will be made aware of an all-clear status after an incident;
(E) What medical treatment should be sought after such a release; and
(F) A point of contact for reporting suspicious activities in the neighborhood that may be directed at the facility.

Thursday, March 14, 2019

3 Advisories Published – 03-14-19


Today the DHS NCCIC-ICS published three control system security advisories for products from PEPPERL+FUCHS, Gemalto and Leão Consultoria e Desenvolvimento de Sistemas Ltda (LCDS).

PEPPERL+FUCHS Advisory


This advisory describes a path traversal vulnerability in the PEPPERL+FUCHS WirelessHART-Gateways. The vulnerability was publicly reported (with exploit) by Hamit CİBO. PEPPERL+FUCHS has firmware upgrades to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could use publicly available code to remotely exploit this vulnerability to allow access to files and restricted directories stored on the device through the manipulation of file parameters.

NOTE: I briefly reported on this vulnerability last Saturday.
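
The exploit class described above, a user-controlled file parameter resolved against the device’s filesystem without canonicalization, is worth seeing in code. What follows is an added example, not code from the PEPPERL+FUCHS advisory, from the published exploit or from the gateway firmware: a Python canonicalization check that rejects any request escaping an assumed document root (BASE_DIR is an assumption), followed by a scan over constructed web-server log lines that flags the traversal attempts a defender would hunt for after an advisory like this. The parameter name `file`, the `/download` path and the common-log-format lines are assumptions for illustration only.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumed document root for the gateway's web server; not the vendor's real layout.
BASE_DIR = "/var/www/files"


def canonicalize(file_param, base_dir=BASE_DIR, max_decode=3):
    """Map a user-supplied 'file' parameter to an absolute path under base_dir.

    Returns the canonical path, or None if the request would escape base_dir.
    The vulnerable pattern this replaces is base_dir + "/" + file_param with no
    check at all, which is exactly what a "../" sequence in the parameter abuses.
    """
    if not file_param:
        return None

    # Decode percent-encoding until it stops changing (bounded), so that both
    # "%2e%2e/" and double-encoded "%252e%252e/" collapse to "../" before the
    # check.  A value still changing after max_decode rounds is treated as hostile.
    decoded = file_param
    for _ in range(max_decode):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    else:
        return None

    # A NUL byte truncates the path in many C-based embedded web servers.
    if "\x00" in decoded:
        return None

    # Embedded web servers often accept backslashes as separators as well.
    decoded = decoded.replace("\\", "/")

    # Treat absolute paths as relative to the document root, not the filesystem root.
    relative = decoded.lstrip("/")
    candidate = posixpath.normpath(posixpath.join(base_dir, relative))

    # normpath has collapsed every ".." segment; anything that left base_dir is
    # rejected here.  The trailing "/" stops "/var/www/filesx" matching "/var/www/files".
    base = posixpath.normpath(base_dir)
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate


# Constructed access-log lines in common log format; not from any real device.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Mar/2019:10:01:02 +0000] "GET /download?file=manual.pdf HTTP/1.1" 200 4096',
    '10.0.0.9 - - [14/Mar/2019:10:01:07 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024',
    '10.0.0.9 - - [14/Mar/2019:10:01:09 +0000] "GET /download?file=%252e%252e%2Fetc%2Fshadow HTTP/1.1" 200 512',
    '10.0.0.7 - - [14/Mar/2019:10:02:00 +0000] "GET /download?file=docs/../manual.pdf HTTP/1.1" 200 4096',
]

# Client IP and request target from a common-log-format line.
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def flag_traversal(lines, param="file"):
    """Return (client_ip, raw parameter value) for every request whose file
    parameter fails canonicalize(), i.e. would have escaped BASE_DIR."""
    hits = []
    for line in lines:
        m = REQ_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        # Split the query string by hand so the raw, still-encoded value is reported.
        for pair in urlsplit(target).query.split("&"):
            key, _, value = pair.partition("=")
            if key == param and canonicalize(value) is None:
                hits.append((ip, value))
    return hits


if __name__ == "__main__":
    for ip, value in flag_traversal(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: file={value}")
```

Note that `docs/../manual.pdf` is accepted: a `..` that stays inside the document root is harmless, and rejecting every `..` would produce false positives on otherwise legitimate clients. The repeated decode loop is what catches the double-encoded `%252e%252e` variant that a single `unquote()` call would let through.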

Gemalto Advisory


This advisory describes an uncontrolled search path element in the Gemalto Sentinel UltraPro. The vulnerability was reported by ADLab of Venustech. Gemalto has a software update to mitigate the vulnerability. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to get a malicious file loaded and executed through the uncontrolled search path used by ux32w.dll in Sentinel UltraPro.

NOTE: Gemalto issued an early warning to upgrade the UltraPro software back on January 19th, 2019 with a restricted link to their advisory on this product. I do not know what information was included in that advisory.

LCDS Advisory


This advisory describes an out-of-bounds write vulnerability in the LCDS LAquis SCADA. The vulnerability was reported by Mat Powell via the Zero Day Initiative. LCDS has a new version that mitigates the vulnerability. There is no indication that Powell was provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to achieve remote code execution.

Bills Introduced – 03-13-19


Yesterday with both the House and Senate in session there were 87 bills introduced. Two of these were cybersecurity related bills that may receive additional coverage in this blog:

HR 1731 To amend the Securities Exchange Act of 1934 to promote transparency in the oversight of cybersecurity risks at publicly traded companies. Rep. Himes, James A. [D-CT-4]

S 771 A bill to amend section 21 of the Small Business Act to require cyber certification for small business development center counselors, and for other purposes. Sen. Rubio, Marco [R-FL]

I will be watching these bills for specific language and or definitions related to industrial control system security.

Wednesday, March 13, 2019

HR 1589 Marked Up in House


Today the House Homeland Security Committee held a markup hearing to consider seven bills, including HR 1589, the CBRN Intelligence and Information Sharing Act of 2019. That bill was amended twice and adopted by the Committee by unanimous consent as part of a block of bills.

Both of the amendments to HR 1589 were relatively minor wording additions.

The first amendment from Rep. Clarke (D,NY) changed §210H(a)(1) to read:

“(1) support homeland security-focused intelligence analysis of terrorist actors, their claims, and their plans to conduct attacks involving chemical, biological, radiological, or nuclear materials against the United States, including critical infrastructure [added];”

The second amendment from Rep. Jackson-Lee (D,TX) changed §210H(a)(4) to read:

“(4) leverage existing and emerging homeland security intelligence capabilities and structures to enhance early detection, [added] prevention, protection, response, and recovery efforts with respect to a chemical, biological, radiological, or nuclear attack;”

As I mentioned in my earlier blog post today, this bill will make its way to the floor of the House where it will be considered under the suspension of the rules process. That process does not provide for any additional amendments to be made from the floor. The bill will almost certainly pass with a significant bipartisan vote.

HR 1589 Introduced – CBRN Intelligence


Last week Rep. Walker (R,NC) introduced HR 1589, the CBRN Intelligence and Information Sharing Act of 2019. The bill would establish DHS responsibilities for collecting and disseminating intelligence information involving terrorist threats “involving chemical, biological, radiological, or nuclear materials against the United States” {new §210H(a)(1)}. The bill is very similar to HR 677 from the last session which passed in the House without amendment.

There are a number of relatively small changes made in the current bill. The largest is the addition of the words “the Countering Weapons of Mass Destruction Office and” in paragraph (b). This office was created since HR 677 was introduced in 2017 and it would be added to the list of offices with which the DHS Office of Intelligence and Analysis would coordinate in developing CBRN information.

Moving Forward


As I mentioned earlier this week, HR 1589 will be considered by the House Homeland Security Committee in a markup hearing today. It is expected to pass by a voice vote without amendment. The bill is likely to come to the House floor in the not too distant future under the suspension of the rules process where there will be limited debate and no floor amendments will be authorized. The bill would be expected to pass there with substantial bipartisan support.

As in the last two sessions of Congress it is likely that this bill will not receive consideration in the Senate.

Commentary


While the word ‘chemical’ appears in the ‘CBRN’ of the title of this bill and in a couple of places within the language itself, there appears to be little intent to involve DHS intelligence in tracking terrorist threats to chemical manufacturing or transportation. This bill remains at heart a bill addressing the potential threat of bioterror attacks.

While bioterrorism certainly presents a theatrical level threat, that type of attack is much harder to successfully pull off than a conventional or even a cyber attack on chemical storage or transportation systems. In my opinion paragraph (a)(5) of this bill should be modified to reflect this by making it read:

“(5) share information and provide tailored analytical support on such threats to:

(A) State, local, Tribal, and territorial authorities, and other Federal agencies;

(B) Relevant national biosecurity and biodefense stakeholders, as appropriate;

(C) Owners and operators of chemical facilities operating under the Chemical Facility Anti-Terrorism Standards and the Maritime Transportation Security Act; and

(D) Freight rail owners operating under conditions specified in 49 CFR 1580 Subpart B.”

An interesting side note here: HR 677 was introduced by then Rep. McSally (R,AZ). She has since moved on to the Senate and has not yet introduced a version of this bill there. McSally was the chair of the Intelligence and Counterterrorism Subcommittee of the Homeland Security Committee when she introduced HR 677. Walker is now the Ranking Member of that Subcommittee. This would seem to indicate that this bill is a priority for the Republican leadership of the Homeland Security Committee.

Tuesday, March 12, 2019

1 Advisory and 6 Updates Published – 03-12-19


Today the DHS NCCIC-ICS published one control system security advisory for products from WIBU Systems and six updates for previously published advisories for products from Siemens.

WIBU Advisory 


This advisory describes three vulnerabilities in the WibuKey Digital Rights Management tool. NCCIC-ICS reports that the vulnerabilities were reported to it by Siemens, but the vulnerabilities were originally reported by Talos (here, here and here) with exploits. Wibu has an updated software version that mitigates the vulnerability. There is no indication that Talos has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Information exposure - CVE-2018-3989;
• Out-of-bounds write - CVE-2018-3990; and
• Heap-based buffer overflow - CVE-2018-3991

NCCIC-ICS reports that a relatively low-skilled attacker could use a publicly available exploit to remotely exploit the vulnerabilities to allow information disclosure, privilege escalation, or remote code execution.

NOTE: This advisory originally published on February 12th, 2019 by NCCIC-ICS and updated on February 14th, 2019 as a third-party software problem only affecting the Siemens SICAM 230. This advisory was renamed today as a Wibu Systems problem affecting Siemens (2 product lines, the second reported here on March 2nd, 2019) and three other vendors; COPA-DATA, SPRECHER Automation, and Phoenix Contact (reported here last Saturday). As with other third-party software issues, there may be other vendors added to this revised advisory in the future.

Industrial Products Update


This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, July 25th, 2017, August 17th, 2017, October 10th, 2017, November 14th, 2017, November 28th, 2017, February 27th, 2018, May 3rd, 2018, May 15th, 2018, September 11th, 2018, October 9th, 2018, November 13th, 2018, December 11th, 2018, February 5th, 2019 and most recently on February 12th, 2019. The update provides additional affected version information and links for mitigation measures for SINUMERIK 840D sl.

Desigo PXC Update


This update provides additional information on an advisory that was originally published on January 25th, 2018 and updated on February 6th, 2018 and March 22nd, 2018. The update adds links to mitigation measures for versions before v6.00.

SIPROTEC 4 Update


This update provides additional information on an advisory that was originally published on March 8th, 2018 and updated on April 19th, 2018 and May 17th, 2018. The update provides additional affected version information and links for mitigation measures for:

• 7SJ61;
• 7SJ62;
• 7SJ64; and
• Contacts for mitigation measures for products without a fix.

SIMATIC PCS 7 Update


This update provides additional information on an advisory that was originally published on March 29th, 2018 and updated on April 24th, 2018, June 12th, 2018, and again on November 13th, 2018. The update corrects the fixed-version data for WinCC 7.4.

NOTE: This should be “Update E” not “Update G”.

SIMATIC S7 Update


This update provides additional information on an advisory that was originally published on November 13th, 2018. The update provides additional affected version information and links for mitigation measures for SIMATIC S7-1200.

SINUMERIK Update


This update provides additional information on an advisory that was originally published on December 11th, 2018. The update provides additional affected version information and links for mitigation measures for SINUMERIK 808D.

Siemens Advisory Day


The six Siemens updates published today by NCCIC-ICS were all published by Siemens today on their monthly release of vulnerabilities and updates. There was also one new advisory published today by Siemens and three other updates.

CFATS Subcommittee Hearing – 03-12-19


Today the Cybersecurity, Infrastructure Protection, and Innovation Subcommittee of the House Homeland Security Committee held a hearing on “Securing Our Nation's Chemical Facilities: Stakeholders Perspectives on Improving the CFATS Program” (video here). The Subcommittee heard from a panel of labor and safety advocates as well as a representative of the American Chemistry Council (ACC).

Witnesses


Today’s witnesses included (link to prepared testimony):

Mr. John Morawetz, International Chemical Workers Union Council;
Dr. Mike Wilson, Ph.D, MPH, BlueGreen Alliance;
Pamela Nixon, People Concerned About Chemical Safety; and
Kirsten Meskill, BASF

As I mentioned in an earlier blog post, there was a fifth witness originally scheduled to be on the panel. There was no indication today why Randy E. Manner, Manner Analytics, was not present at the hearing.

Expected Coverage


As expected, based upon previous hearings and the change in leadership in the House, much of the questioning today addressed four topics:

• Voluntary ‘best practices’;
• Information sharing;
• Employee involvement; and
• Whistleblower protections

The ‘new’ term ‘best practices’ has apparently replaced the more controversial ‘inherently safer technology (IST)’ that was used extensively in the chemical safety and security discussions in the earlier Democratic-led House. All of the questioners and panel members (even, to an extent, Meskill) generally agreed that sharing ‘best practices’ for actions that facilities could take to reduce their chemical risk was a good idea. There were no concrete ideas (or even suggestions) about how those ‘best practices’ could be implemented at other facilities. There was general agreement that the DHS Infrastructure Security Compliance Division (never named in the hearing) should share what information it did have.

The ‘information sharing’ bit was mainly about how and what CFATS facilities should share with local first responders, emergency planners and local communities to help respond to the release of chemicals or chemical incidents resulting from terrorist attacks, weather emergencies or accidents. Again, there was a general agreement that that information sharing was important and should be expanded. Ranking Member Katko (R,NY) made the point that other regulatory programs had more expansive information sharing requirements where concerns should more probably be addressed. Katko made a vague point about the CVI requirements for first responders.

Employee involvement in safety and security planning has long been a priority for Democrats. The point was made many times by Committee members and panelists that line employees would have valuable insights that should be included in identifying security vulnerabilities and planning for site security plans. Meskill made the point that they included employees at all stages of the security (and safety) planning and implementation process but agreed that she could not speak for all CFATS facilities.

The Democrats have also long had concerns about the whistleblower protections provided to employees. Members raised concerns about protecting employees from retaliation for reporting security (and safety) problems at facilities. Interestingly, none of the panel members could provide any information on the problem when questioned. Katko pointed out (in the only second round of questioning in the hearing) that the CFATS Tip Line provides a way for employees to anonymously report problems at covered facilities (including a facility’s failure to make the initial notification to ISCD).

Cybersecurity


The one new (and unexpected to me) topic that came up a number of different times was cybersecurity. Langevin (D,RI), Rice (D,NY) and Jackson-Lee (D,TX) all had questions about cybersecurity issues. Langevin questioned cybersecurity training (particularly in control rooms); Rice asked about cybersecurity standards in CFATS and Jackson-Lee announced that she would be introducing the Frank Lautenberg Chemical Facility Cybersecurity. No detailed responses were available from any of the panel members.

Commentary


In an earlier set of blog posts I identified those items that I thought should be addressed in any legislation reauthorizing the CFATS program. Two of those posts are appropriate (in my opinion) responses to some of the questions raised today. Those include:

Best practices (IST); and

There are a couple of things that still need to be addressed here. First is Katko’s comments about the applicability of Chemical-Terrorism Vulnerability Information (CVI) requirements to first responders. ISCD has long maintained that first responders entering a facility in response to an actual emergency situation are not required to be CVI qualified; actual emergency response does not rely on access to CVI controlled information. Emergency planning is something else entirely. There are requirements (§7.02) outlined in the CVI Guidance manual for providing access to CVI information to State and local officials, including emergency response planners. That guidance ends by explaining:

“State, local, and tribal officials, including first responders, must have access to any information that is necessary to plan for and respond to an emergency event at a chemical facility [emphasis added]. It is equally important that this information is available in a form that is readily accessible and easily disseminated. Accordingly, to the extent possible, facilities should provide information to State, local and tribal entities in non-CVI form. In many cases, a facility can provide a product that contains all of the necessary operational and facility-specific information and excludes CVI.”

Katko also made a point that should be remembered by everyone involved in the CFATS reauthorization process; the CFATS regulations are not the only federal rules that require chemical companies to coordinate emergency response planning information with local authorities. Facilities could easily find the necessary information for emergency response planners in their already required information provided to local fire departments and Local Emergency Planning Committees (LEPCs).

There are some exceptions to the EPA reporting requirements that apply to CFATS facilities. Most of the chemicals on the DHS list of chemicals of interest (COI) that are not on the EPA’s Risk Management Program (RMP) list of covered chemicals are on the COI list because they can be used to prepare improvised explosives or improvised chemical weapons. While these chemicals are not generally as much of an off-site hazard as the RMP covered chemicals, emergency response planning for them is more of a law enforcement issue than a fire department response planning issue. This would make for some interesting information sharing requirements that are not specifically outlined in any existing regulations.

The other interesting thing that came out of this hearing was the new Committee interest in cybersecurity issues. Richmond’s Subcommittee should probably hold another hearing (maybe two) specifically about cybersecurity issues. This is going to be a complex set of issues and a wide variety of experts and stakeholders are going to have to be involved in the efforts to address it.

One thing that the Committee crafters are going to have to deal with in writing cybersecurity requirements is that the CFATS program is a risk-based program that prohibits DHS from requiring specific security measures. This is due to the recognition that each of the very wide variety of covered facilities (from a number of different chemical and non-chemical manufacturing facilities) require differing security measures to protect against terrorist attacks. This remains true for the varying information and control system technologies that will be found in these facilities.

 