Saturday, May 18, 2019

Public ICS Disclosures – Week of 05-11-19


This week we have 14 vendor disclosures for products from Yokogawa, Drager, Tridium, Siemens and Schneider (10). We also have three researcher reported disclosures for products from Prima Systems, Optergy, and Computrols. Then there are five reported exploits for products from SOCA (4) and Schneider. There were also some vendor reports on the Microsoft RDP vulnerability.

Microsoft RDP Vulnerability


While the NCCIC-ICS has yet to release an alert or advisory on the Microsoft® RDP vulnerability (CVE-2019-0708), a number of control system vendors this week have released their own outlook on the vulnerability in their products. The vendors include:

BD;
Drager;
Philips;
Schneider; and
Siemens

Yokogawa Advisory


Yokogawa published an advisory describing another third-party vulnerability from Microsoft in a number of Yokogawa products. The remote code execution vulnerability was reported by MS in 2017. Yokogawa recommends deleting the outdated MS file.

Drager Advisory


Drager has published an advisory describing an unencrypted credential storage vulnerability in their Dräger ServiceConnect Client. The vulnerability was reported by a customer. Drager will be publishing a new version that mitigates the vulnerability and has provided specific workarounds in the meantime.

Tridium Advisory


Tridium has published an advisory describing a third-party vulnerability from Google (CVE-2019-5786) in the Tridium jxBrowser. Tridium has an updated version available to mitigate the vulnerability.

Siemens Advisory


Siemens published an advisory describing a code execution vulnerability in the Siemens LOGO! Soft Comfort engineering software. The vulnerability was reported by axt and iDefense Labs. Siemens has provided generic workarounds to mitigate the vulnerability.

NOTE: This was included in the Siemens tranche from Tuesday, but it was not picked up by NCCIC-ICS with the rest.

Schneider Advisories


1. Pelco Endura NET55XX Encoder

Schneider has published an advisory describing an improper access control vulnerability in the Schneider Pelco Endura NET55XX Encoder. The vulnerability was reported by Vitor Esperança. Schneider has a new version that mitigates the vulnerability. There is no indication that Esperança has been provided an opportunity to verify the efficacy of the fix.

2. Modicon and PacDrive Controllers

Schneider has published an advisory describing a missing authentication for critical function vulnerability in the Schneider Modicon and PacDrive Controllers. The vulnerability was reported by Yehuda A (Claroty). Schneider has provided specific workarounds to mitigate the vulnerability. There is no indication that Claroty has been provided an opportunity to verify the efficacy of the fix.

3. Floating License Manager

Schneider has published an advisory describing three vulnerabilities in the Schneider Floating License Manager. Schneider has a new version that mitigates the vulnerabilities.

The three reported vulnerabilities are:

Denial of service vulnerability (2) - CVE-2018-20032 and CVE-2018-20034; and
Remote code execution vulnerability - CVE-2018-20033.

4. Modicon Controller

Schneider has published an advisory describing an improper check for unusual or exceptional conditions vulnerability in the Schneider Modicon Controller. The vulnerability was reported by Zhang Xiaoming, Zhang Jiawei, Sun Zhonghao and Luo Bing from CNCERT/CC. Schneider has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

5. Modicon RTU Module

Schneider has published an advisory describing a hard-coded credentials vulnerability in the Schneider Modicon RTU Module. The vulnerability was reported by VAPT Team. Schneider has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

6. ConneXium Gateway

Schneider has published an advisory describing a cross-site scripting vulnerability in the Schneider ConneXium Gateway. The vulnerability was reported by Ezequiel Fernandez. Schneider recommends upgrading to a new product.

7. Modicon Quantum

Schneider has published an advisory describing a credentials management vulnerability in the Schneider Modicon Quantum. The vulnerability was reported by Chansim Deng. Schneider reports that newer versions mitigate the vulnerability. There is no indication that Chansim has been provided an opportunity to verify the efficacy of the fix.

8. Modicon Quantum

Schneider has published an advisory describing two vulnerabilities in the Schneider Modicon Quantum. The vulnerabilities were reported by Vyacheslav Moskvin and Ivan Kurnakov (Positive Technologies). Schneider recommends upgrading to a new product.

The two reported vulnerabilities are:

Permissions, privileges and access controls - CVE-2019-6815; and
Code injection - CVE-2019-6816.

9. Modicon Controller

Schneider has published an advisory describing a buffer errors vulnerability in the Schneider Modicon Controller. The vulnerability was reported by Nikita Maximov and Alexey Stennikov of Positive Technologies. Schneider has new firmware versions available to mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

10. Intel Microarchitectural Data Sampling

Schneider has published an advisory describing the impact of the Intel Microarchitectural Data Sampling (aka ZombieLoad, Fallout, and RIDL) vulnerabilities on Schneider products.

Prima Systems Report


Prime Risk has published a report describing ten vulnerabilities in the Prima Systems FlexAir Access Control Platform. Prima Systems has a new version that reportedly mitigates the vulnerabilities.

The ten reported vulnerabilities are:

Default credentials;
Command injection;
Unrestricted file upload;
Insufficient session-ID length;
Cross-site scripting;
Cross-site request forgery;
Predictable database name download;
Authentication with MD5 hash;
Hard-coded credentials;
Authenticated script upload code execution.

Optergy Proton Report


Applied Risk published a report describing six vulnerabilities in the Optergy Proton Enterprise Building Management System. Optergy has a new firmware version that reportedly mitigates the vulnerabilities.

The six reported vulnerabilities are:

Open redirect;
Cross-site request forgery;
Unrestricted file upload;
Information disclosure;
Hard-coded credentials and SMS messages;
Back-door console.

Computrols Report


Applied Risk published a report describing ten vulnerabilities in the Computrols CBAS-Web Building Management System. Computrols has a new firmware version that reportedly mitigates the vulnerabilities.

The ten reported vulnerabilities are:

Cross-site scripting;
Cross-site request forgery;
Username enumeration;
Source code disclosure;
Default credentials;
Hard-coded encryption key;
Authenticated blind SQL injection;
Authentication bypass;
Authenticated command injection; and
Mishandling of password hashes.

SOCA Exploits


Zero Science published exploits for four separate vulnerabilities in the SOCA Access Control System 180612. The vulnerabilities exploited are:


There is no reference to vendor notification or mitigation measures. I assume that these are zero-day exploits.

Schneider Exploit


RCE Security published an exploit for a command injection vulnerability in the Schneider U.Motion Builder. Schneider reported this vulnerability earlier this year.

2019 CSSS Registration Open


Yesterday DHS announced on the Chemical Facility Anti-Terrorism Standards (CFATS) program landing page that registration is now open for the 2019 Chemical Sector Security Summit (CSSS) in New Orleans on July 16th through 18th, 2019. As we have seen in the last few Summits, there are provisions for registering for webcasts of selected presentations.

The CSSS web page has also been updated with additional information on this year’s program. The new information includes a list of agenda topics that looks to be very interesting.

Best practices and lessons learned in chemical security
Deep dive into CFATS and other federal regulations
Convergence of cyber and physical security in the current threat environment
Cyber Supply Chain Risk Management
Explosive precursors
Industrial Control Systems Vulnerabilities
Resources from federal stakeholders
Theft and diversion risk management

The no fee registration can be completed here.

2 Advisories Published – 05-16-19


On Thursday the DHS NCCIC-ICS published two control system security advisories for products from Fuji Electric and Schneider Electric.

Fuji Advisory


This advisory describes an out-of-bounds read vulnerability in the Fuji Alpha7 PC Loader motor controller. The vulnerability was reported by kimiya of 9SG Security Team via the Zero Day Initiative. Fuji has a new version that mitigates the vulnerability. There is no indication that kimiya has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to crash the device.

Schneider Advisory


This advisory describes a use of insufficiently random values vulnerability in the Schneider Modicon M580, Modicon M340, Modicon Premium, and Modicon Quantum products. The vulnerability was reported by David Formby and Raheem Beyah of Fortiphyd Logic and Georgia Tech. Schneider has a firmware update available for one of the products and has provided generic workarounds for the others. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to hijack TCP connections or cause information leakage.

DHS IED Precursor Meetings


Yesterday I saw a brief post by David Wulf, Director of the DHS Infrastructure Security Compliance Division (ISCD), on LinkedIn. In it he announced a series of ‘stakeholder engagement meetings’ in the coming months that the Cybersecurity and Infrastructure Security Agency will be holding on ‘explosive precursors’. There is not a lot of information in the post beyond the dates and locations for the meetings (listed below).

Los Angeles, CA – May 23rd, 2019
Orlando, FL – May 30th, 2019
Houston, TX – June 4th, 2019
Indianapolis, IN – June 11th, 2019
Chicago, IL – June 13th, 2019

Unfortunately, the post on LinkedIn shows a photographic copy of the flyer about the meetings, and what I would expect to be links on the flyer are not ‘active’ in the photo. Wulf does provide an email address for those wishing more information: CFATS@hq.dhs.gov.

Background


This is part of the continuing saga of the Congressional mandate for DHS to regulate the commercial sale of ammonium nitrate. ISCD published an advance notice of proposed rulemaking (ANPRM) in 2008. Subsequently, ISCD published a notice of proposed rulemaking (NPRM) in 2011.

The big problem with the proposed ammonium nitrate security regulations is that they were going to involve a large number of people and would be very costly. DHS estimated that the ten-year cost for the program would be between “$364.2 million to $1.3 billion with a primary (mean) estimate of $814 million”. DHS balanced this against the cost of a Murrah Building attack, which it estimated at $1.35 billion. This would mean that the regulation cost would break even if the regulations prevented one Murrah-scale attack every 14 years. Since there has not been such an attack in the 24 years since the Murrah attack, the cost of the program is not outweighed by the attack prevention. This calls into question whether or not ammonium nitrate regulation is cost effective, especially since ammonium nitrate no longer seems to be a favored precursor for terrorist explosive devices.

In 2016, in consultation with Congress, ISCD decided to look at the issue of regulating a wider range of chemicals as explosive precursors that could be expected to be used in preparing terrorist explosive devices. In August of 2016 DHS commissioned a study by the National Academies of Sciences, Engineering, and Medicine on the subject that would lead to a report being published in November of 2016; “Reducing the Threat of Improvised Explosive Device Attacks by Restricting Access to Chemical Explosive Precursors”.

This meeting announcement would seem to indicate that ISCD is considering moving forward with a new rulemaking process. It is not currently clear whether or not the new process would be included in the current Chemical Facility Anti-Terrorism Standards (CFATS) program or if it would be a new standalone program also being operated out of ISCD. If this program is targeted at manufacturers and wholesale distribution, I suspect that it would be included in the CFATS program. If it is focused at the retail level, it would be harder to fit it into the existing chemical security program.

The Meetings


David notes the reason for the meetings: “As we work with Congress to enhance the security of IED precursor chemicals, we want to hear from you!” What is important, however, is that these are being billed as ‘stakeholder engagement meetings’ rather than ‘public listening sessions’. Remembering back to the Obama-era Chemical Safety and Security EO, those listening sessions were designed to provide a wide range of public input into those EO processes. This is apparently something different, however.

The stakeholders in this process would appear to be those portions of the chemical industry that are involved in the manufacture, distribution and potentially the commercial sale of chemicals that have been identified as key precursors to the manufacture of improvised explosives. There is a remote possibility that it could also include the transportation of those chemicals, but I suspect that it would take congressional action to include that sector.

Possibilities


This is very early in the potential rulemaking process; we have not yet even seen an advance notice of proposed rulemaking. At this point I do not think that ISCD has a firm grip on what they want to do. The ammonium nitrate security program is effectively dead, but what could we be looking at down the road? ISCD is tight-lipped on this, so I am speculating here, but I see a variety of options available.

First, ISCD could seek changes to the DHS chemicals of interest (COI) list addressing the list of precursor chemicals identified in the Report (pg 28). This could include adding some new chemicals and potentially changes to the screening threshold quantities for some existing chemicals. This would certainly require a formal rulemaking and would add a substantial number of facilities to the CFATS program. This would necessitate additional funding from Congress for more chemical security inspectors.

ISCD could also modify their existing CFATS risk assessment process to increase the risk assumptions associated with existing COI that are included in the Report’s list of precursor chemicals. This could almost certainly be done without a rulemaking. We would see a process similar to that used when ISCD implemented CSAT 2.0. A modification of the current CSAT information collection request would be necessary and that would provide industry (and the public) with a chance to comment on the proposed changes. Again, this would result in more facilities in the CFATS program and the need for more money.

If the decision is made to keep the precursor chemical security program within CFATS, I would really expect to see it include a combination of these two processes. I might also expect to see some additional changes, including a requirement for covered facilities to provide ISCD with a list of customers to which precursor COI are shipped.

The most comprehensive solution would be to stand up an entirely new program within ISCD. If this route is taken, I suspect it would include some sort of voluntary program for commercial retailers and large-scale users of these precursor chemicals. The thing that effectively killed the ammonium nitrate security program was the costs associated with setting up and administering a registration program for retailers and users of ammonium nitrate. These costs would quickly escalate if a similar registration program were instituted for all of the listed chemicals.

Moving Forward


As I said earlier, this is very early in the regulatory process, but stakeholders need to get involved early in the process if they want to effectively impact how the new procedures are implemented.

Friday, May 17, 2019

9 Advisories and 4 Updates Published – 05-14-19


Tuesday the DHS NCCIC-ICS published nine control system security advisories for products from Siemens (8) and Omron and updated four previously published advisories for Siemens (3) and WIBU-Key.

SIMATIC Panels Advisory


This advisory describes three vulnerabilities in the Siemens SIMATIC WinCC Runtime Advanced, WinCC Runtime Professional, WinCC (TIA Portal), and HMI Panels. The vulnerabilities are self-reported. Siemens has updates available for many of the affected products.

The three reported vulnerabilities are:

Use of hard-coded credentials - CVE-2019-6572;
Insufficiently protected credentials - CVE-2019-6576; and
Cross-site scripting - CVE-2019-6577.

NCCIC-ICS reports that a relatively low-skilled attacker with network access to the device could remotely exploit these vulnerabilities to read/write variables via SNMP.

NOTE: The NCCIC-ICS advisory references the incorrect Siemens advisory; it should have been SSA-804486. The incorrect advisory listed is for a different vulnerability in a similar list of products.

SIMATIC PCS7 Advisory


This advisory describes three vulnerabilities in the Siemens SIMATIC PCS 7, WinCC Runtime Professional, WinCC (TIA Portal) products. The vulnerabilities were reported by Vladimir Dashchenko and Sergey Temnikov from Kaspersky Lab, CNCERT/CC, and ChengBin Wang from Guoli Security Technology. Siemens has an update for one of the affected products and has provided generic workarounds for the remainder pending mitigation development. There is no indication that any of the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

SQL injection - CVE-2019-10916;
Uncaught exception - CVE-2019-10917; and
Exposed dangerous method or function - CVE-2019-10918.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to execute arbitrary commands on the affected system.

SCALANCE Advisory


This advisory describes five vulnerabilities in the Siemens SCALANCE W1750D. The vulnerabilities are self-reported. Siemens has a new version that mitigates the vulnerabilities.

The five reported vulnerabilities are:

Command injection (2) - CVE-2018-7084 and CVE-2018-7082;
Information exposure (2) - CVE-2018-7083 and CVE-2018-16417; and
Cross-site scripting - CVE-2018-7064.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to execute arbitrary commands within the underlying operating system, discover sensitive information, take administrative actions on the device, or expose session cookies for an administrative session.

Perfect Harmony Advisory


This advisory describes an improper input validation vulnerability in the Siemens SINAMICS PERFECT HARMONY GH180 medium voltage converter. The vulnerability is self-reported. Siemens has an upgrade available to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause a denial-of-service condition.

NXG I and II Advisory


This advisory describes an uncontrolled resource consumption vulnerability in the Siemens SINAMICS PERFECT HARMONY GH180 Drives with NXG I and NXG II controls. The vulnerability is self-reported. Siemens has an upgrade available to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with access to the Ethernet Modbus Interface could exploit the vulnerability to cause a denial-of-service condition exceeding the number of available connections.

LOGO!8 Advisory


This advisory describes three vulnerabilities in the Siemens LOGO!8 BM programmable logic controller. The vulnerabilities were reported by Manuel Stotz and Matthias Deeg from SySS GmbH. Siemens has provided generic mitigation measures for the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

Missing authentication for critical function - CVE-2019-10919;
Improper handling of extra values - CVE-2019-10920; and
Plain-text storage of a password - CVE-2019-10921.

NCCIC-ICS reports that a relatively low-skilled attacker with access to port 10005/tcp could remotely exploit the vulnerabilities to allow device reconfiguration, access to project files, decryption of files, and access to passwords.

SIMATIC WinCC Advisory


This advisory describes a missing authentication for critical function vulnerability in the Siemens SIMATIC WinCC and SIMATIC PCS 7 products. The vulnerability was reported by Vladimir Dashchenko and Sergey Temnikov from Kaspersky Lab. Siemens has newer versions that, along with enabling ‘encrypted communications’, mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled, unauthenticated attacker with access to the affected devices could remotely exploit the vulnerability to execute arbitrary code.

Omron Advisory


This advisory describes an untrusted search path vulnerability in the Omron Network Configurator for DeviceNet. The vulnerability was anonymously reported by n0b0dy. Omron is working on an update to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to achieve arbitrary code execution under the privileges of the application.

Industrial Products with OPC Update


This update provides additional information on an advisory that was originally published on April 9th, 2019. The new information includes:

Clarifying product names for SIMATIC HMI Products;
Adding solution for SIMATIC S7-1500 CPU family; and
Modifying affected versions for SIMATIC Net PC Software.

SIMATIC Update


This update provides additional information on an advisory that was originally published on April 9th, 2019. The new information from Siemens included:

Specification for SINAMICS products;
Adding solution for SIMATIC S7-1500 CPU family; and
Adding solution for SIMATIC S7-PLCSIM Advanced.

NCCIC-ICS also added a number of affected products that were missing from their original advisory.

WIBU Key Update


This update provides additional information on an advisory that was originally published on February 12th, 2019 and updated on March 12th, 2019 and again on April 9th, 2019. The new information includes:

A reference to a new Siemens Advisory; and
Adding new affected products from Siemens.

S7-400 Update


This update provides additional information on an advisory that was originally published on November 13th, 2018. The new information includes:

Adding the names of the researchers who reported the vulnerabilities; and
Adding solution for S7-400H V6.

Thursday, May 16, 2019

Bills Introduced – 05-15-19


Yesterday, with both the House and Senate in session, there were 74 bills introduced. One of these may receive additional coverage in this blog:

HR 2740 Making appropriations for the Departments of Labor, Health and Human Services, and Education, and related agencies for the fiscal year ending September 30, 2020, and for other purposes. Rep. DeLauro, Rosa L. [D-CT-3]

I will be watching this bill for cybersecurity provisions and chemical safety issues.

Wednesday, May 15, 2019

Bills Introduced – 05-14-19


Yesterday, with both the House and Senate in session, there were 102 bills introduced. Three of these bills may receive additional coverage in this blog:

HR 2705 To establish a Water Infrastructure Trust Fund, and for other purposes. Rep. Blumenauer, Earl [D-OR-3]

HR 2721 To establish a grant program within the Department of Labor to support the creation, implementation, and expansion of registered apprenticeship programs in cybersecurity. Rep. Lee, Susie [D-NV-3]

S 1466 A bill to establish a grant program within the Department of Labor to support the creation, implementation, and expansion of registered apprenticeship programs in cybersecurity. Sen. Rosen, Jacky [D-NV]

I will be watching the water infrastructure bill to see if it includes language specifically allowing for fund expenditures for chemical security measures or cybersecurity measures; I am not holding my breath.

The other two bills are probably companion measures (identical language). I will be watching them for definitions and language that would specifically include control system cybersecurity apprenticeship programs.

Monday, May 13, 2019

Committee Hearings – Week of 5-12-19


This week, with both the House and Senate in session, work begins in the House on spending bills. Both Homeland Security Committees are holding markup hearings that include cybersecurity bills.

FY 2020 Spending Bills


These subcommittee hearings are all closed, but we may see their final drafts of the spending bills after the hearings are completed. Full Committee work has yet to be announced.

House – Wednesday – DOD – Subcommittee
House – Wednesday – Energy and Water – Subcommittee
House – Wednesday – Interior, Environment and Related Agencies – Subcommittee

Cybersecurity Markups


On Wednesday the Senate Homeland Security and Governmental Affairs Committee will hold a business meeting that will include the markup of 17 separate bills, including S 1388, Supply Chain Counterintelligence Training Act of 2019. This bill has yet to be published; we may see it before the hearing on Wednesday. Markups in this Committee are carefully choreographed and little information on the bill or changes made will be gleaned from watching this hearing.

On Wednesday the House Homeland Security Committee will hold a markup hearing for 10 bills, including HR 1158, the DHS Cyber Incident Response Team Act. The House Committee is more forthcoming in what they publish about amendments proposed to bills, so we will have a good sense of what changes (if any) are made to HR 1158 during this markup.

Saturday, May 11, 2019

Bills Introduced – 05-10-19


Yesterday, with just the House in session (the Senate having left for the weekend), 35 bills were introduced. One of those bills may receive further coverage in this blog:

HR 2665 To direct the Secretary of Energy to establish a smart energy and water efficiency program, and for other purposes. Rep. McNerney, Jerry [D-CA-9]

Again, I am not so much interested in ‘smart’ technology in this blog, but I will be watching this bill for cybersecurity (or the lack thereof) provisions.

Friday, May 10, 2019

LNG Railcar NPRM to OMB


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking (NPRM) from the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) regarding the regulation of shipping liquefied natural gas (LNG) by rail.

This rulemaking first showed up on the Unified Agenda in the Spring of 2018, so it looks like this is a Trump administration initiative. According to the latest version of the Agenda:

Liquefied natural gas (LNG) is a critical energy resource for the 21st century. Currently, the Hazardous Materials Regulations (HMR) do not contain the necessary provisions to allow for the bulk transport of LNG in rail tank cars. PHMSA, in collaboration with the Federal Railroad Administration (FRA), believe this is a potential area for industry innovation and support infrastructure development while maintaining a high level of safety. This rulemaking intends to develop a framework for the safe transport of LNG in rail tank cars.

This could take six months to a year to make it through the OIRA review and into the Federal Register.

Bills Introduced – 05-09-19


Yesterday, with both the House and Senate in session, there were 101 bills introduced. Four of those bills will likely see future coverage on this blog:

HR 2636 To promote the use of smart technologies and systems in communities, and for other purposes. Rep. DelBene, Suzan K. [D-WA-1]

HR 2644 To direct the Secretary of Commerce to conduct a study and submit to Congress a report on the state of the internet-connected devices industry in the United States. Rep. Latta, Robert E. [R-OH-5]

S 1388 A bill to manage supply chain risk through counterintelligence training, and for other purposes. Sen. Peters, Gary C. [D-MI]

S 1398 A bill to promote the use of smart technologies and systems in communities, and for other purposes. Sen. Cantwell, Maria [D-WA]

I will be watching all four bills for cybersecurity language, particularly language pertinent to control system security.

I suspect that HR 2636 and S 1398 are companion bills.

Tuesday, May 7, 2019

DHS Publishes 30-Day CSAT ICR Change Notice – 05-07-19


Today the DHS Infrastructure Security Division of CISA published a 30-day Information Collection Request (ICR) revision notice for the Chemical Security Assessment Tool in the Federal Register (84 FR 19929-19933). The 60-day ICR revision notice was published on February 7th, 2019. This notice includes a detailed response to questions submitted by an unnamed commenter (official comment here) on the 60-day ICR notice.

The 30-day ICR Comments


Alert readers will recall that I pointed out two discrepancies in an otherwise detailed ICR notice. Those discrepancies are related to incomplete data being presented on two of the information collections covered in this ICR:

• Identification of Facilities at Risk; and
• Assets at Risk

The first deals with information collected from facilities that ship DHS chemicals of interest (COI) about the facilities to which they ship COI. The second deals with information collected about industrial control systems that are related to the use, storage or loading of COI at the facility. I posed a number of questions about each of those collections and today's ICR notice provides detailed answers to those questions.

Identification of Facilities at Risk


While the full set of comments concerning the Identification of Facilities at Risk information collection is well worth reading, particularly by facilities that have thought that DHS would not be able to find out that they had COI and thus could get away without filing a Top Screen, the data that I found interesting was presented in response to my questions about the history of this information collection. I’ll briefly summarize it below:

Number of potential responses per year – 845
Number of voluntary responses that identified facilities actually received – 15
Number of facilities of concern identified – 172
Number of Top Screens from newly identified facilities – 27 (to date, may be more pending)
Number of new CFATS covered facilities from those Top Screens – 18

This final data section on the Identification of Facilities at Risk data collection concludes with the following editorial comment:

CISA believes that voluntarily supplied customer and suppliers lists are an excellent source of information to identify chemical facilities of interest and covered chemical facilities.

Assets at Risk


This is the data collection that was completely overlooked in the 60-day notice. Again, the full response to the questions I asked about this data collection is worth reading, particularly by anyone interested in the regulation of industrial control system security. I will highlight a few of the more interesting data points here.

The number of times Chemical Security Inspectors requested information about assets at risk:
FY 2017 – 2,018
FY 2018 – 3,328
FY 2019 (to date) – 1,107
The number of voluntary responses – all requested facilities.

The following comment was provided about the information collected:

CISA has found that the information generally collected under the section (Assets at Risk) is not information previously provided in an approved facility's SSP or ASP. The information collected through the second section of the instrument generally supplements the information provided by covered chemical facilities in their SSP or ASP. Information collected through this instrument is recorded in case files created by CISA employees outside of the SSP or ASP (e.g., Compliance Inspection Reports).

Commentary


Once again, I would like to commend the folks at DHS for the way that they have dealt with these questions and with ICRs related to the Chemical Facility Anti-Terrorism Standards (CFATS) program in general. The wealth of information provided to the regulated community to justify the information collection requests is a model that other agencies in the Federal Government should follow.

The difference in the response rates to the two voluntary information collections is more than a little interesting. The 100% response rate to the questions about industrial control system security issues seems to me to be indicative of the industry's cooperative compliance with the CFATS program. The Infrastructure Security Compliance Division (ISCD) has worked very hard to foster a strong working relationship with the regulated industry, and this is a great indicator of how well that hard work has paid off.

The very low voluntary compliance rate on the facility identification collection poses an interesting conundrum for the folks at ISCD. First, the success rate for identifying facilities that have not followed the law (for whatever reason) and completed a Top Screen is phenomenal. That, combined with the higher than normal conversion of initial Top Screen submissions into identification of the submitting facilities as CFATS covered facilities, means that this is a very effective tool for achieving the congressional mandate in 6 USC 629, Outreach to chemical facilities of interest.

The low voluntary compliance rate for this collection is almost certainly based upon organizations wanting to protect customer relationships. Non-complying companies are probably trying to avoid the appearance of ‘ratting out’ their customers, and this is certainly understandable. ISCD recognition of this concern is also why this is a voluntary information collection.

During the CFATS reauthorization Congress might want to consider mandating this information collection. Being able to collect this information from each covered facility that ships COI domestically would certainly bring ISCD much closer to 100% identification of facilities of interest. Whether or not this is worth the political cost of mandating the disclosure is something that only Congress can answer.

Monday, May 6, 2019

S 315 Reported in Senate – Cyber Hunt Teams


Last month the Senate Homeland Security and Governmental Affairs Committee published their report on S 315, the DHS Cyber Hunt and Incident Response Teams Act of 2019. The Committee marked up the bill on February 13th, 2019; adopting substitute language for the bill.

Changes to the Bill


The first change was a rewrite of 6 USC 659(f)(2), expanding on the generic requirement to use ‘robust metrics’ to continually ‘assess and evaluate’ the newly authorized ‘cyber hunt and incident response teams’ (the long-existing ICS-CERT and US-CERT teams). The new language is slightly less generic, requiring DHS to ‘define goals and desired outcomes’ and to develop metrics that are ‘quantifiable and actionable’.

The second change was to add a definition sub-paragraph to the congressional reporting requirements of §2(b) of the bill. The bill defines the following terms by reference to the existing definitions from 6 USC 659:

• Center (NCCIC);
• Cyber hunt and incident response team (as added by this bill); and
• Incident

Moving Forward


The bill as amended was approved by the Committee by a voice vote; indicating that there was substantial bipartisan support for the bill. While Sen. Johnson (R,WI) has been loath to act on any cybersecurity bills that call for regulation of industry, there was no objection to this bill as it merely codifies existing NCCIC operations and adds a congressional reporting requirement for those operations. But, allowing this bill to move forward out of Committee is not necessarily supporting the bill. Active support by Johnson will now be required to move the bill to the floor of the Senate.

If this bill is considered by the Senate, it will most likely be taken up under the Senate's unanimous consent process. The problem with that process is that a single voice in the Senate can quash consideration of the bill; and that voice would not necessarily be raised against the language of the bill, but could be raised in opposition to something else that CISA or DHS is doing that is not under active consideration by the Senate.

The revised language in this bill could also be included in a DHS reauthorization bill that the House and Senate each periodically intend to pass. The Department has not been reauthorized since it was established; there have been too many controversies to allow a reauthorization bill to make it through the legislative process.

Commentary


The newly added definitions, while not really important, rely on the restrictive, IT-focused definition of ‘information system’ from 6 USC 659(a). I am going to abbreviate my rant on the inadequacies of that definition when considering the security of industrial control systems, transportation systems, medical devices, etc., and simply refer the reader to my blog post on legislative cybersecurity definitions.

Sunday, May 5, 2019

HR 2500 Introduced – FY 2020 NDAA


On Friday Rep. Smith (D,WA) introduced HR 2500, National Defense Authorization Act (NDAA) for Fiscal Year 2020. This is the bare bones of the bill that will ultimately be considered by the full House. Mark-ups in the subcommittees of the House Armed Services Committee will probably start later this coming week. Those markups will start to fill in the many blanks in the current bill.

HR 2044 Introduced – Smart Buildings


Last month Rep. Welch (D,VT) introduced HR 2044, the Smart Building Acceleration Act. The bill would require the Secretary of Energy to establish a Federal Smart Building Program that would implement smart building technology and demonstrate the costs and benefits of smart buildings. The bill is very similar to HR 5069 and S 2447 that were introduced in the 115th Congress; no action was taken on either bill. Welch also proposed an amendment to HR 8 in the 115th Congress that was similar to this bill; it was not considered.

Differences in the New Bill


There were two additions made to this bill (as compared to S 2447). First, a definition was added for the new term ‘internet of things technology solution’ {§3(6)}. Then that new term was used in a new subparagraph (K) in the description of the proposed research program in §6(b)(2):

(K) integration of internet of things technology solutions, including measures to increase water and energy efficiency, improve water quality, support real-time utility management, and enable actionable analytics and predictive maintenance to improve building systems long term viability; and

Moving Forward


Welch is a member {as is his single cosponsor, Rep. Kinzinger (R,IL)} of the House Energy and Commerce Committee, one of the three Committees to which this bill is assigned for consideration. With the new Democratic leadership in the House, I think that it is more likely that this bill will be considered in that Committee this session.

As with the earlier bills, I do not see anything in the language of this bill that would cause any serious opposition, especially since there are no regulations proposed nor specific spending authorized. If the bill is considered, I suspect that there will be substantial bipartisan support. The biggest impediment to this bill getting to the floor of the House (most likely under the suspension of the rules process) is the inter-committee infighting over jurisdiction, with the bill being referred to three committees. The Energy and Commerce Committee is the only one likely to hold hearings, but it will take some horse-trading with the other two committee chairs to bring the bill to the floor of the House. I am not sure that Chairman Pallone has enough interest in this bill to call in the necessary favors from the other two chairs.

Commentary


This bill includes the same vague cybersecurity language as did the earlier versions. As I said in my earlier post on S 2447, the research provision in §6(b)(2)(E) is likely to be the most important. Having said that, I would like to propose a few changes that would address the cybersecurity challenges that I identified in that earlier blog post.

First, I would add a definition of ‘cybersecurity’ to §3:

(7) Cybersecurity – The term ‘cybersecurity’ means a set of actions, policies and procedures established to reduce the cybersecurity risk (as defined in 6 USC 1501) to building information technology and control systems supporting the smart building processes and specifically including the internet of things technology solutions being implemented.

Next, I would propose an addition to the initial requirement to establish the ‘Federal Smart Building Program’ by adding an information sharing provision to §4(a):

(3) to provide agencies a method of sharing information about smart building technology.

Then, I would add language to the ‘leveraging existing program’ requirements of §6 by adding a new paragraph specifically addressing cybersecurity information sharing:

(b) In coordination with the Director of the DHS Cybersecurity and Infrastructure Security Agency, establish a mechanism for sharing information with owners/managers of facilities identified as being part of the Smart Building Program about the cybersecurity risks to building information technology and control systems, specifically including newly identified vulnerabilities in the components of those systems;

These changes would help to better address the cybersecurity concerns about smart building technology without adding overly specific (and subject to rapid change) cybersecurity requirements.

Saturday, May 4, 2019

Public ICS Disclosures – Week of 04-25-19


This week we have two vendor disclosures on security products from Cisco and Gemalto.

Cisco Advisory


Cisco published an advisory describing a denial of service vulnerability in the Cisco Adaptive Security Appliance (ASA) Software. (NOTE: Cisco ASA software is used as third-party software in at least one control system security product.) The vulnerability is self-reported. Cisco has updates available that mitigate the vulnerability.

Gemalto Advisory


Gemalto has announced that it has an advisory available for vulnerabilities in the Gemalto Sentinel LDK product. The advisory is only available to those with an account with Gemalto (not me). We may see an advisory from NCCIC-ICS on these vulnerabilities.

Friday, May 3, 2019

Bills Introduced – 05-02-19


Yesterday, with the House and Senate preparing to depart Washington for the weekend, 101 bills were introduced. Of these, one will likely receive additional coverage here:

HR 2500 To authorize appropriations for fiscal year 2020 for military activities of the Department of Defense and for military construction, to prescribe military personnel strengths for such fiscal year, and for other purposes. Rep. Smith, Adam [D-WA-9] 

As with each new NDAA I will be watching this bill for cybersecurity provisions.

Three Advisories Published – 05-02-19


Yesterday the DHS NCCIC-ICS published three control system security advisories for products from Sierra Wireless, GE, and Orpak.

Sierra Wireless Advisory


This advisory describes seven vulnerabilities in the Sierra Wireless AirLink ALEOS. The vulnerabilities were reported by Carl Hurd and Jared Rittle of Cisco Talos. Sierra Wireless reports that the latest versions of ALEOS (not all of which are yet available) mitigate the vulnerabilities. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

The seven reported vulnerabilities are:

OS command injection - CVE-2018-4061;
Use of hard-coded credentials - CVE-2018-4062;
Unrestricted upload of file with dangerous type - CVE-2018-4063;
Cross-site scripting - CVE-2018-4065;
Cross-site request forgery - CVE-2018-4066;
Information exposure - CVE-2018-4067; and
Missing encryption of sensitive data - CVE-2018-4069

The Talos web site lists six additional vulnerabilities (with exploits) {NOTE: the Sierra Wireless advisory (.PDF Download) explains these ‘vulnerabilities’}:

Information exposure - CVE-2018-4068;
Unverified password change - CVE-2018-4064;
Information disclosure (2) - CVE-2018-4070, CVE-2018-4071; and
Permission assignment (2) - CVE-2018-4072, CVE-2018-4073

NCCIC-ICS reports that a relatively low-skilled attacker could use publicly available exploits to remotely exploit these vulnerabilities to execute code, discover user credentials, upload files, or discover file paths.

GE Advisory


This advisory describes five vulnerabilities in the General Electric Communicator. The vulnerabilities were reported by Reid Wightman of Dragos. GE has a new version that mitigates the vulnerabilities. There is no indication that Reid has been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

Uncontrolled search path (2) - CVE-2019-6564 and CVE-2019-6546;
Hard-coded credentials - CVE-2019-6548; and
Improper access controls (2) - CVE-2019-6544 and CVE-2019-6566

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to gain administrative privileges, manipulate widgets and UI elements, gain control over the database, or execute administrative commands.

Orpak Advisory


This advisory describes six vulnerabilities in the Orpak SiteOmat fuel management software. The vulnerabilities were reported by Ido Naor of Kaspersky Lab. Orpak has an update available that mitigates the vulnerabilities. There is no indication that Naor has been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

Use of hard-coded credentials - CVE-2017-14728;
Cross-site scripting - CVE-2017-14850;
SQL injection - CVE-2017-14851;
Missing encryption of sensitive data - CVE-2017-14852;
Code injection - CVE-2017-14853; and
Stack-based buffer overflow - CVE-2017-14854

NCCIC-ICS reports that a relatively low-skilled attacker could use publicly available exploits (NOTE: The exploits have been available for over one year) to remotely exploit these vulnerabilities to effect arbitrary remote code execution resulting in possible denial-of-service conditions and unauthorized access to view and edit monitoring, configuration, and payment information.

Wednesday, May 1, 2019

Two Advisories Published – 04-30-19


Yesterday the DHS NCCIC-ICS published a control system security advisory for products from Rockwell and a medical device security advisory for products from Philips.

Rockwell Advisory


This advisory describes two vulnerabilities in the Rockwell CompactLogix 5370 programmable automation controllers. The vulnerabilities were reported by Younes Dragoni of Nozomi Networks and George Lashenko of CyberX respectively. Rockwell has firmware updates to mitigate the vulnerabilities. There is no indication that either researcher was provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

Uncontrolled resource consumption - CVE-2019-10952; and
Stack-based buffer overflow - CVE-2019-10954

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to render the web server unavailable and/or place the controller in a major non-recoverable fault (MNRF) state.

Philips Advisory


This advisory describes a cross-site scripting vulnerability in the Philips Tasy EMR workflow-based information system. The vulnerability was reported by Rafael Honorato. Philips has provided generic workarounds to mitigate the vulnerability. There is no indication that Honorato has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with site or VPN access could exploit the vulnerability to provide unexpected input into the application, execute arbitrary code, alter the intended control flow of the system, and access sensitive information.

Tuesday, April 30, 2019

Eliminating CVI in CFATS Reauthorization Bill?


I am hearing rumors that a CFATS reauthorization bill currently being drafted might include provisions that would eliminate the Chemical-Terrorism Vulnerability Information (CVI) program from the Chemical Facility Anti-Terrorism Standards (CFATS) program. The CVI program is authorized under 6 USC 623 and regulated under 6 CFR 27.400 and a detailed guidance document here. The CVI program protects security information about facilities in the CFATS program from public disclosure.

There have been complaints in Congress over the years that the presence of the CVI program interferes with facilities sharing information with emergency responders. Not having seen the specific wording of possible CVI removal provisions, I can only suppose that these provisions would be an attempt by congressional staffers to remove such impediments to information sharing.

CVI Background


The CVI program is one of the most unusual Controlled Unclassified Information (CUI) programs in the Federal government. Most CUI programs limit the Federal Government's sharing of information provided to the government by the private sector or developed in house by government agencies. The CVI program, on the other hand, requires both the covered private sector organizations and the government to protect the covered information regardless of who originates the information.

Information developed by covered facilities that is considered to be CVI (and thus protected from disclosure) includes all submissions made by the facility to DHS through the CFATS Chemical Security Assessment Tool (CSAT), copies of security vulnerability assessments and site security plans, and the working papers supporting those documents. Certain of those supporting documents are exempted from CVI classification; specifically, any records that are required to be maintained by other regulatory programs including chemical inventory information and emergency response plans are exempted from CVI protections.

Disclosures of CVI information can only be made to personnel who have received CVI Certification and have a verified ‘need-to-know’ the specific information. The ‘need-to-know’ requirements are outlined in §27.400(e) and specifically include State and local officials.

CVI and Emergency Response Planning


Emergency response planning for chemical releases is covered briefly in the CFATS regulations as part of Risk-Based Performance Standard #9 {§27.230(a)(9)}, but both the regulation and the CFATS RBPS Guidance document make it clear that those requirements cover only response plans for security breaches, not accidental chemical releases. Even then, the CFATS planning process envisions the inclusion of law enforcement personnel in preventing the attack or arresting the perpetrators, NOT fire or emergency medical technicians responding to the effects of the potential attack. That chemical emergency response is already covered under EPA regulations.

Law enforcement personnel working with facility personnel to develop security response plans at a CFATS covered facility would be expected to be covered by CVI rules, including CVI training and certification requirements. Emergency medical technicians and firefighters participating in planning for chemical releases (either accidental or deliberate) would be covered under the EPA regulations and would not require CVI clearances.

Members of a Local Emergency Planning Committee (LEPC) would not require CVI certification to receive chemical inventory data from local chemical facilities covered by the CFATS program because the LEPC notification requirements are covered under the EPA regulations and are exempted from CVI classification {§27.405(1)}.

Continued Need for a CVI Process


The purpose of the CVI program is to ensure that critical security information about a CFATS covered facility is not made publicly known and thus become available to nefarious personnel who could use that information in the planning and execution of an attack on a chemical facility. The mere knowledge of the existence of an inventory of items on the DHS chemicals of interest (COI) list is not critical safety information. That information is generally already publicly available through the EPA (a discussion of the EPA’s limiting of the sharing of that information is an entirely separate topic).

I suppose that the CVI program could be replaced with another of the existing CUI programs, probably the DHS Protected Critical Infrastructure Information (PCII) program. That would also protect the information originating at the facility level from disclosure by Federal, State and local governments. What it would not do, however, is to establish standards for facility personnel to protect the required information. Without information protection requirements like those in the CVI program, it would be easy enough for attackers to get the information that terrorists need to circumvent the security procedures at CFATS covered facilities.

Rather than abolishing the CVI program, Congress might want to make clear that certain information will be freely shared with LEPCs, local law enforcement, fire departments and hospitals. Last year I suggested language for that information sharing that operates within the bounds of the CVI program. This would be in addition to any information sharing already required between facilities and LEPCs and fire departments by EPA regulations.
