Friday, November 15, 2019

Bills Introduced – 11-14-19



Yesterday with both the House and Senate in session there were 75 bills introduced. One of those bills may receive additional coverage in this blog:

S 2877 A bill to reauthorize the Terrorism Risk Insurance Act of 2002, and for other purposes. Sen. Tillis, Thom [R-NC]

6 Advisories and 2 Updates Published – 11-14-19


Yesterday the CISA NCCIC-ICS published five control system security advisories for products from ABB, Omron and Siemens (3); and one medical device security advisory for products from Philips. They also updated two previously published advisories for products from Siemens.

ABB Advisory


This advisory describes an authentication bypass using an alternate path or channel vulnerability in the ABB Power Generation Information Manager (PGIM) and Plant Connect monitoring platforms. This vulnerability was reported by Rikard Bodforss. ABB reports that PGIM will transition to a limited support phase in January 2020, and Plant Connect is already obsolete.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to bypass authentication and extract credentials from the device.

NOTE: I briefly reported on this vulnerability earlier this month.

Omron Advisory


This advisory describes a use of obsolete function vulnerability in the Omron CX-Supervisor. The vulnerability was reported by Michael DePlante of the Zero Day Initiative. Omron has a new version that mitigates the vulnerability. There is no indication that DePlante has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to result in information disclosure, total compromise of the system, and system unavailability.

Desigo PX Advisory


This advisory describes an external control of assumed immutable web parameter vulnerability in the Siemens Desigo PX automation controllers. The vulnerability was reported by Gjoko “LiquidWorm” Krstic from Zero Science Lab. Siemens has updates that mitigate the vulnerability. There is no indication that Krstic has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to cause a denial-of-service condition on the device’s web server, requiring a reboot to recover the web interface.

S7-1200 Advisory


This advisory describes an exposed dangerous method or function vulnerability in the Siemens S7-1200 CPU. The vulnerability was reported by Ali Abbasi from Ruhr University of Bochum. Siemens has provided generic workarounds for this vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could exploit this vulnerability to expose additional diagnostic functionality. The Siemens advisory notes that the attacker must have physical access to the UART interface during the boot process to exploit the vulnerability (feature).

NOTE: I briefly discussed this vulnerability last weekend.

Mentor Nucleus Advisory


This advisory describes an improper input validation vulnerability in the Siemens Mentor Nucleus Networking Module. The vulnerability was reported by Armis. Siemens has updates that mitigate the vulnerability. There is no indication that Armis was provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to affect the integrity and availability of the device. According to the Siemens advisory, adjacent network access (but no authentication and no user interaction) is required to exploit the vulnerability.

Philips Advisory


This advisory describes an inadequate encryption strength vulnerability in the Philips IntelliBridge EC40 and EC80 data transfer devices. The vulnerability was reported by the Medical Technology Solutions team of NewYork-Presbyterian Hospital. Philips has provided generic workarounds while developing formal mitigation.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to allow an attacker unauthorized access to the IntelliBridge EC40/80 hub and may allow access to execute software, modify system configuration, or view/update files, including unidentifiable patient data.

PROFINET Update


This update provides additional information on an advisory that was originally published on October 10th, 2019. The new information includes new affected version information and mitigation measures for:

• SINAMICS S120 V4.7;
• SINAMICS S150;
• SINAMICS G130 V4.7;
• SINAMICS G150; and
• SINAMICS SL150 V4.7.

Industrial Products Update


This update provides additional information on an advisory that was originally published on September 10th, 2019 and most recently updated on October 8th, 2019. The new information includes:

• Updated version information and mitigation link for SIMATIC MV500; and
• Removed SIMATIC RF166C from affected products.

Other Siemens Updates


On Tuesday Siemens also published two other advisory updates that have not yet been addressed by NCCIC-ICS, nor do I expect them to be addressed as the underlying vulnerabilities have not been reported by NCCIC-ICS. I will report on them tomorrow.

Thursday, November 14, 2019

HR 4987 Introduced – FDPREP Act


Last week Rep Herrera Beutler (R,WA) introduced HR 4987, the Fire Department Proper Response and Equipment Prioritization (FDPREP) Act. The bill would require the Federal Emergency Management Agency (FEMA) to give priority in administration of firefighter assistance grants to grant requests related to crude-by-rail or ethanol-by-rail response.

The bill amends 15 USC 2229(c) (Assistance to firefighters grants) by adding a new paragraph (4) that would require FEMA to “give high priority consideration to grants providing for planning, training, and equipment to firefighters for crude oil-by-rail and ethanol-by-rail derailment and incident response”.

Moving Forward


Herrera Beutler is a member of the House Science, Space, and Technology Committee to which this bill is assigned. She should have adequate influence to see this bill considered in Committee. There is nothing in the language of this bill that would engender any significant opposition since no new funds are being allocated. This bill would probably have enough bipartisan support to have it considered on the floor of the House under the suspension of rules process.

Commentary


Herrera Beutler is an interesting case, a Republican opponent of crude-by-rail. This is an important issue for her constituents. Her district sits astride the main rail corridor for Bakken crude oil destined for west coast refineries.

This very simple and direct bill addresses the very real problem of how local fire departments pay for planning and training for, and the execution of, emergency response measures for a low-probability, high-consequence event like an oil-train fire.

This is not a total solution to the problem, as these grants are relatively limited and there are hundreds of communities potentially affected by this issue. But it is certainly a step forward in helping these fire departments.

Wednesday, November 13, 2019

S 2775 Introduced – HACKED Act


Last week Sen Wicker (R,MS) introduced S 2775, the Harvesting American Cybersecurity Knowledge through Education (HACKED) Act of 2019. The bill would modify a number of existing federal computer training related programs to specifically include cybersecurity training.

Programs Amended


This bill would make amendments to the following programs under the National Institute of Standards and Technology (NIST):

15 USC 7451 – National cybersecurity awareness and education program;
15 USC 7442 – Federal Cyber Scholarship-for-Service Program; and
15 USC 278g-3 – Computer standards program.

This bill would make amendments to the following programs under the National Science Foundation (NSF):

42 USC 1862s-7 – Computer science education research;
42 USC 1862i – Scientific and technical education;
42 USC 1869c – Low-income scholarship program;
42 USC 1869 – Scholarships and graduate fellowships;
42 USC 1881b – Presidential awards for teaching excellence;
42 USC 1862s-6 – Presidential awards for excellence in STEM mentoring; and
42 USC 6621 – Coordination of Federal STEM education.

This bill would make amendments to the following programs under the Department of Transportation:

49 USC 5505 – University transportation centers program; and
49 USC 6503 – Transportation research and development 5-year strategic plan.

Moving Forward


Wicker is the Chair of the Senate Commerce, Science, and Transportation Committee to which this bill was assigned for consideration. The bill is scheduled to be taken up by that Committee today as part of a business meeting. The bill will almost certainly be adopted by a significant bipartisan vote since no new funds are authorized by the bill.

Commentary


The biggest problem with this bill is that there is no definition of ‘cybersecurity’ anywhere in the bill. The underlying definitions for the NIST portions of the bill come from PL113-274. In my blog post about that bill I noted that while “industrial or supervisory control systems” are specifically mentioned in the underlying bill {§2(2)} they are only addressed in reference to IT specific information systems.

There are no definitions of ‘cybersecurity’ in any of the referenced NSF programs or DOT programs.

Now I have previously addressed a number of definitional issues related to cybersecurity. My most comprehensive attempt at coming up with cybersecurity definitions that were clearly applicable to both information and operational cyber systems can be found here. Unfortunately, I did not specifically address the term ‘cybersecurity’. I will try to take that up here.

I do not expect that this bill would be a good place (nor is this Committee the appropriate agent) to address each of the definitions that I proposed earlier, so I will try to accomplish this by addressing just two terms: ‘cybersecurity threat’ and ‘cybersecurity’. First, I would use the existing definition of ‘cybersecurity threat’ from 6 USC 1501; remember that that definition relies on the ICS-inclusive definition of ‘information system’ from that section. Then I would define ‘cybersecurity’:

Cybersecurity – The term cybersecurity means any actions, policies or procedures utilized to protect an information system (as that term is defined in 6 USC 1501) from a cybersecurity threat (as that term is defined in the same section) or to mitigate the effects of such a cybersecurity threat against such an information system.

Bills Introduced – 11-12-19


Yesterday with both the House and Senate in session there were 46 bills introduced. One of those bills may receive additional coverage in this blog:

S 2840 A bill to authorize appropriations for fiscal year 2020 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, and for other purposes. Sen. Inhofe, James M. [R-OK]

This will be the third version (earlier versions were S 1790 and S 2731) of the National Defense Authorization Act that Inhofe has introduced this year. He is still making an attempt to move this ‘must pass’ legislation forward while keeping both the President and the House Democrats happy. It will be interesting to see what cybersecurity provisions remain in this one.

Tuesday, November 12, 2019

1 Update Published – 11-12-19



Today the CISA NCCIC-ICS published an update to an industrial control system security advisory for products from Siemens.

Siemens Update


This update provides additional information on an advisory that was originally published on August 15th, 2019. The new information includes updated version data and mitigation measures for SINAMICS SL150 V4.7.

Other Siemens Advisories


Siemens also published three new advisories and four additional updates today as part of their monthly advisory drop. NCCIC-ICS will probably address some of them on Thursday. The remainder I will discuss Saturday.

Committee Hearings – Week of 11-10-19


This week both the House and Senate will be in Washington. Of course impeachment hearings will be all in the news, but there are two cybersecurity hearings that may be of interest; one a markup and one an oversight hearing.

Cybersecurity Markup


On Wednesday the Senate Commerce, Science, and Transportation Committee will hold a business meeting where 22 bills, four nominations and a routine Coast Guard promotion list will be considered. Among the bills being considered is S 2775, the Harvesting American Cybersecurity Knowledge through Education (HACKED) Act of 2019.

This bill was introduced last week, and the official copy of the language has yet to be printed. The hearing page has a link to a committee print of the bill. It addresses a wide range of existing cyber training programs. I have not had a chance to peruse it in detail, but there is little in the way of specific reference to control system security training issues beyond a brief mention of issues with automated driving systems.

Cybersecurity Oversight


On Thursday the Technology Modernization Subcommittee of the House Veterans’ Affairs Committee will hold an oversight hearing on “Cybersecurity Challenges and Cyber Risk Management at the Department of Veterans Affairs.” A witness list has not yet been published.

The hearing web page notes that: “The purpose of the hearing is to assess how the Department of Veterans Affairs (VA) manages its cybersecurity program, including controlling access to confidential data, supply-chain management, and the safeguarding of information technology assets.” I guess that means that medical device security issues will not be a major (probably not even a minor) issue in the hearing.

Saturday, November 9, 2019

Public ICS Disclosures – Week of 11-02-19


This week we have two vendor notifications from PEPPERL+Fuchs and Moxa. We also have a 0-day vulnerability report for products from Siemens. Plus there is an interesting look at the out-of-service problem and a follow-up to the ABB advisory I discussed last week.

PEPPERL+Fuchs Advisory


CERT VDE published an advisory describing a use-after-free vulnerability in the PEPPERL+Fuchs ecom Mobile Devices. The vulnerability was reported by Maddie Stone from Google Project Zero. This is a previously reported third-party (Linux kernel) vulnerability in the underlying Android operating system. The vulnerable products are out of support.

NOTE: Other vendors using Android based devices will likely have similar vulnerabilities.

Moxa Advisory


Moxa published an advisory describing two GET command vulnerabilities in the Moxa EDS-405A Series Ethernet Switches. The vulnerabilities are self-reported. Moxa has a patch available to mitigate the vulnerabilities.

Siemens Vulnerability


There is an interesting article over on DARKReading.com (thanks to @PatrickCMiller for pointing me at the article) describing a feature/vulnerability in the Siemens S7-1200 PLCs. The article notes that Siemens has been notified (okay, so not technically a 0-day), but there has not yet been an advisory or fix from Siemens. I expect we may see an advisory on Tuesday during the monthly Siemens advisory drop.

If it ain’t broke don’t fix it Department


There is an interesting announcement from Omron about the pending ‘out-of-support’ status for Windows 7®. The information is rather generic and references no specific Omron products. It does, however, provide a useful view of why it may be difficult for control system owners to move systems to newer versions of the Windows® operating system (or to any new OS, for that matter).

Omron notes that:

When upgrading an old control system including obsolete PCs and operating systems make sure you consider the following:
• Which Operating System should you upgrade to - the next OS or the latest OS?
• Will your PC hardware (CPU, disk space etc) support your new OS or will you need to purchase new hardware too?
• Will your existing software applications support your new OS or will you need to purchase a software upgrade?

Given the fact that industrial control systems are custom installations, potentially involving large numbers of vendors, it is easy to see that upgrading to a supported OS could get to be quite expensive in time and money. It is no wonder that we still have large numbers of systems operating on Windows XP®.

ABB Follow-up


Rikard Bodforss has posted an interesting tweet and associated blog post on last week’s ABB vulnerability report.

Friday, November 8, 2019

Bills Introduced – 11-07-19


Yesterday with just the Senate in session there were 30 bills introduced. One of these bills will receive future coverage in this blog:

S 2818 A bill to require the Secretary of the Interior to issue regulations to ban the venting and flaring of gas in oil and gas production operations in the United States, and for other purposes. Sen. Markey, Edward J. [D-MA]

Okay, I will admit to a viscerally horrified objection to this bill when I read the descriptive title above, but we will have to see what the wording of the prohibition actually is before we can tell if this is a totally misguided attempt to prohibit a legitimate and necessary safety process. I understand that methane gas is a powerful greenhouse gas and that venting it as a ‘waste disposal process’ is probably an insanely wasteful environmental mistake, but there are severe safety issues that must be taken into account.

Enough of the rant, I will wait for the bill to be published and report accordingly.

4 Advisories and 1 Update Published – 11-07-19


Yesterday the CISA NCCIC-ICS published two control system security advisories for products from Fuji Electric and Mitsubishi Electric; and two medical device security advisories for products from Medtronic. They also updated a previously published medical device advisory for products from Philips.

Fuji Advisory


This advisory describes a heap-based buffer overflow vulnerability in the Fuji V-Server. The vulnerability was reported by kimiya of 9SG via the Zero Day Initiative. Fuji has a new version that mitigates the vulnerability. There is no indication that kimiya has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to crash the device being accessed; several heap-based buffer overflows have been identified.

Mitsubishi Advisory


This advisory describes an uncontrolled resource consumption vulnerability in the Mitsubishi MELSEC-Q Series and MELSEC-L Series CPU Modules. The vulnerability was reported by Tri Quach of Amazon’s Customer Fulfillment Technology Security (CFTS) group. Mitsubishi has a new firmware version that mitigates the vulnerability. There is no indication that Quach has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to prevent the FTP client from connecting to the FTP server on MELSEC-Q Series and MELSEC-L Series CPU modules. Only the FTP server function is affected by this vulnerability.

Medtronic Advisory #1


This advisory describes two RFID security vulnerabilities in the Medtronic Valleylab energy and electrosurgery products. The vulnerabilities are self-reported. Medtronic has a patch available to mitigate the vulnerabilities.

The two reported vulnerabilities are:

• Improper authentication - CVE-2019-13531; and
• Protection mechanism failure - CVE-2019-13535

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to allow an attacker to connect inauthentic instruments to the affected products by spoofing RFID security mechanisms. This may lead to a loss of performance integrity and platform availability due to incorrect identification of instrument and associated parameters.

Medtronic Advisory #2


This advisory describes four vulnerabilities in the Medtronic Valleylab energy products. The vulnerabilities are self-reported. Medtronic has patches available to mitigate the vulnerabilities.

The four reported vulnerabilities are:

• Use of hard-coded credentials - CVE-2019-13543;
• Reversible one-way hash - CVE-2019-13539; and
• Improper input validation (2) - CVE-2019-3464, and CVE-2019-3463.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to overwrite files or remotely execute code, resulting in a remote, non-root shell on the affected products. By default, the network connections on these devices are disabled. Additionally, the Ethernet port is disabled upon reboot. However, it is known that network connectivity is often enabled.

Philips Update


This update provides new information for an advisory that was originally published on April 30th, 2019. The new information includes:

• Revised (increased) overall CVSS score;
• Information exposure vulnerability added;
• Added Tasy WebPortal to affected product list;
• Added Trabalho Médico IT Department as a vulnerability reporter; and
• Reported that a new version mitigates the vulnerabilities.

Thursday, November 7, 2019

Senate Committee Amends and Adopts HR 1589 – CBRN Intelligence

Yesterday the Senate Homeland Security and Governmental Affairs Committee held a business meeting where they considered HR 1589, the CBRN Intelligence and Information Sharing Act of 2019. The Committee adopted substitute language and ordered the bill reported favorably by a voice vote.

The Revisions


For the most part the substitute language adopted by the Committee was a technical re-wording of the House bill with little or no change in intent. For example, see the differences below in the wording of the proposed §210F(a):

HOUSE - ‘‘(a) IN GENERAL.— The Office of Intelligence and Analysis of the Department of Homeland Security shall—”

SENATE - ‘‘(a) IN GENERAL.—The Secretary, acting through the Undersecretary for Intelligence and Analysis, and working with the intelligence components of the Department, shall—”

In this case (and in most of the bill) the two versions really mean the same thing; they just reflect a different editorial style. There are a couple of places where substantive changes have been made in the bill. For example, the House version of §210F(a)(5) reads:

‘‘(5) share information and provide tailored analytical support on such threats to State, local, Tribal, and territorial authorities, and other Federal agencies, as well as relevant national biosecurity and biodefense stakeholders, as appropriate; and”

The Senate version of the same paragraph deletes the phrase: “, as well as relevant national biosecurity and biodefense stakeholders”.

The other significant change is found in the complete re-write of §210F(b). The House version reads:

‘‘(b) COORDINATION.—Where appropriate, the Office of Intelligence and Analysis shall coordinate with other relevant Department components, including the Countering Weapons of Mass Destruction Office and the National Biosurveillance Integration Center, agencies within the intelligence community, including the National Counter Proliferation Center, and other Federal, State, local, Tribal, and territorial authorities, including officials from high-threat urban areas, State and major urban area fusion centers, and local public health departments, as appropriate, and enable such entities to provide recommendations on optimal information sharing mechanisms, including expeditious sharing of classified information, and on how such entities can provide information to the Department.”

The Senate version changes this subsection to read:

‘‘(b) COORDINATION.—Where appropriate, the Undersecretary for Intelligence and Analysis shall—
‘‘(1) coordinate with—
‘‘(A) other Departmental components, including the Countering Weapons of Mass Destruction Office, the Cybersecurity and Infrastructure Security Agency, the Science and Technology Directorate; and
‘‘(B) other Federal, State, local, and Tribal entities, including officials from high-threat urban areas, State and major urban area fusion centers, and local public health departments; and
‘‘(2) enable such components and entities to provide recommendations on—
‘‘(A) optimal information sharing mechanisms, including expeditious sharing of classified information; and
‘‘(B) how such components and entities can provide information to the Undersecretary and other components of the Department.”

Moving Forward


As soon as the Committee publishes their report on this bill, it could be considered by the full Senate. The bill was adopted as part of an en bloc consideration of a large number of bills. The voice vote heard for that en bloc vote in the video of the hearing did not include any ‘No’ votes. Given this bipartisan support I would suspect that the bill would be considered under the Senate’s unanimous consent process. I doubt that it could make it to the floor under regular order; there is just too much going on for the Senate to take up debate and procedural time on this bill.

I suspect that the House could accept the changes proposed by the Committee if the leadership allowed the language to come to an open vote.

Commentary


I think that the two substantive changes that I described above have made a major change in the focus of this bill. I have maintained that the House wording, with its specific references to biosecurity and biodefense, made this bill a biosecurity bill and not a chemical, biological, radiological and nuclear security bill. The changes made by the Committee return this to a more balanced look at all four of these threats.

Wednesday, November 6, 2019

Bills Introduced – 11-04-19


Yesterday with the Senate in Washington and the House meeting in pro forma session there were 33 bills introduced. Two of those bills may receive future coverage in this blog:

HR 4987 To provide first responders with planning, training, and equipment capabilities for crude oil-by-rail and ethanol-by-rail derailment and incident response, and for other purposes. Rep. Herrera Beutler, Jaime [R-WA-3]

S 2775 A bill to improve the cyber workforce of the United States, and for other purposes. Sen. Wicker, Roger F. [R-MS]

Herrera Beutler is an outspoken critic of oil trains, especially ones that traverse her district. It will be interesting to see if this bill drifts into being an impediment to oil train formation or whether it remains a well-considered emergency response measure.

As always with cyber related bills I will be watching S 2775 for language and definitions to see if this bill specifically addresses control system security training.

Tuesday, November 5, 2019

1 Advisory and 2 Updates Published


Today the CISA NCCIC-ICS published a control system advisory for products from Omron. They also updated two previously published security advisories for products from Omron and Interpeak (medical device advisory).

Omron Advisory


This advisory describes a use of obsolete function vulnerability in the Omron CX-Supervisor. The vulnerability was reported by Michael DePlante of the Zero Day Initiative. Omron has a new version that mitigates the vulnerability. There is no indication that DePlante has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to result in information disclosure, total compromise of the system, and system unavailability.

Omron Update


This update provides additional information on an advisory that was originally published on May 14th, 2019. The new information includes the announcement of a new version that mitigates the vulnerability.

Interpeak IPnet (medical device) Update


This update provides additional information on an advisory that was originally published on October 1st, 2019 and last updated on October 10th. The new information is the addition of Hillrom to the list of vendors that have also released security advisories related to their affected products. Unfortunately, the link provided takes one to a generic responsible disclosure page with no mention of security advisories.

S 2714 Introduced – ARPA-E Reauthorization


Last week Sen Van Hollen (D,MD) introduced S 2714, the ARPA–E Reauthorization Act of 2019. The bill is very similar to HR 4091 that was adopted in Committee last month.

The Senate version of the bill does not include the radioactive waste addition to the ARPA-E goals (42 USC 16538(c)) that was included in the House version, but it does include the broad ‘security’ provision that I discussed in my post about the introduction of HR 4091.

Most of the other changes to §16538 made by this version of the bill are similar to those made in the House version. The spending authorizations are the same as were included in the manager’s amendment to HR 4091 that was included in the Committee’s approval of that bill.

Moving Forward


Van Hollen is not a member of the Senate Energy and Natural Resources Committee to which this bill was assigned for consideration. His one cosponsor, Sen Alexander (R,TN), is, however, so it is reasonable to suspect that this bill could be considered in Committee. I would suspect that it would receive the same bipartisan support as was seen in the House for HR 4091.

As I noted earlier today, this bill was included in the list of bills that will be addressed tomorrow in a legislative hearing before the Committee. That does not mean that the bill will automatically be considered in a markup, but it is very likely.

Committee Hearings – Week of 11-3-19


This week just the Senate will be in session; the House is working (campaigning? Or just explaining impeachment?) in their districts. There are two cybersecurity related hearings scheduled; one a markup and one a DOE look at legislation.

Markup Hearing


On Wednesday the Senate Homeland Security and Governmental Affairs Committee will be holding a business meeting that includes marking up 16 bills (plus 11 postal naming bills and four nominations). Only one of those bills is of interest here:

HR 1589, the CBRN Intelligence and Information Sharing Act of 2019

The House passed this bill by a voice vote back in April. I would not normally expect the Committee to make any substantive changes to this bill in this type of crowded hearing.

Legislative Hearing


On Wednesday the Energy Subcommittee of the Senate Energy and Natural Resources Committee will hold a legislative hearing looking at 11 Department of Energy related bills. There is only one witness scheduled; Daniel Simmons from DOE. Two of those bills are of interest here:

S 2556 – Protecting Resources On The Electric grid with Cybersecurity Technology Act of 2019
S 2714 – ARPA-E Reauthorization Act

The language for S 2714 has just become available. I hope to be able to review it in detail before tomorrow’s hearing.

Monday, November 4, 2019

S 2731 Introduced – Skinny NDAA


Last week Sen. Inhofe (R,OK) introduced S 2731, the Essential National Security Authorities Act for Fiscal Year 2020. This is a ‘skinny’ national defense authorization act (NDAA), with the bare minimum authorization requirements needed to keep the defense apparatus of the United States in operation through FY 2020. Both the House (HR 2500) and Senate (S 1790) passed expanded versions of this bill earlier in the year, but have not yet been able to work out a compromise version of the bill in conference committee.

Cybersecurity


This ‘skinny’ NDAA contains only two of the 49 cybersecurity sections found in Title XVI, Division A of the original bill:

§1627. Authority to use operation and maintenance funds for cyber operations-peculiar capability development projects.
§1639. Extension of authorities for Cyberspace Solarium Commission.

Moving Forward


The NDAA is a ‘must pass’ bill. While there is still a chance that the conference committee will work out their differences on the previously passed versions, Inhofe is concerned enough to offer up this bill as a minimum workable solution. I suspect that this bill could be passed in the Senate under their unanimous consent process if the failure of the conference committee became obvious enough; though I would have been more hopeful if Sen. Reed (D,RI), the Ranking Member of the Senate Armed Services Committee, had signed on as a cosponsor of the bill.

There is also a chance that the conference committee could use this language as a new starting point for working out a compromise version of the NDAA.

Commentary


There is an interesting set of remarks [pg S6246] by Inhofe in the Congressional Record on the introduction of this bill. He explains the dangers of a ‘must pass bill’; everyone wants to add on language that probably would not pass on its own. If that tendency is not adequately controlled, we end up in our current apparent stalemate.

This also provides a good point for the discussion of the term ‘control of the Congress’. Typically, most people mean that a party controls Congress when it has a majority of the elected legislators in both the House and the Senate. That is not exactly the case. Under current rules, the Senate requires a vote of 60 Senators to begin consideration of most legislation. Thus, a minority of 41 Senators can block legislation in that body. True legislative control of the Senate (again under current rules) requires a party to have 60 Senators.

There have been frequent calls for doing away with, or at least restricting, this requirement for a super majority to pass legislation in the Senate. The majority party frequently complains that they are being hamstrung in their efforts to pass legislation that they have promised their voters. And, to be fair, this is frequently true.

Unfortunately, we have seen in recent years what the probable outcome would be if this supermajority requirement were removed or even seriously restricted. Whenever the opposition party gained control of the Senate it would spend a great deal of its time and effort repealing laws and rules established by the other party. Now there are certainly instances where one could fairly describe this as a good thing, but business and society both require a certain amount of stability in the rules and regulations under which they operate. If the Senate could unwrite laws and regulations every two years, nothing would ever get done and we would have regulatory anarchy.

Saturday, November 2, 2019

Public ICS Disclosures – Week of 10-26-19


This week we have four vendor disclosures from Phoenix Contact, ABB, Johnson Controls, and BD. There are three vendor updates from 3S, Yokogawa, and Belden. There are also three exploit reports from researchers for products from Carel and Intelligent Security Systems. The latter may be a 0-day exploit.

Phoenix Contact Advisory


Phoenix Contact published an advisory [.PDF download link] describing an unauthorized access vulnerability in their FL NAT industrial ethernet switch/router. The vulnerability is self-reported. Phoenix Contact provides generic mitigation measures pending the development of new firmware.

ABB Advisory


ABB published an advisory describing an authentication bypass vulnerability in their Power Generation Information Manager. The vulnerability was reported by Rikard Bodforss at CS3STHLM. ABB has a new version that mitigates the vulnerability. Bodforss has verified the efficacy of the fix.

NOTE: The disclosure blog post by Bodforss has an excellent discussion about the vulnerability disclosure dilemma from the viewpoint of a researcher. Well worth reading.

Johnson Controls Advisory


Johnson Controls has published an advisory describing two vulnerabilities in their FX Supervisory Controller. The vulnerabilities were reported in the third-party QNX operating system. Johnson Controls has patches to mitigate the vulnerabilities and a new version to be released later this month will fully address the problems.

The two reported vulnerabilities are:

• Information exposure - CVE-2019-8998; and
• Improper authorization - CVE-2019-13528

NOTE 1: I wonder if NCCIC-ICS will update their Tridium advisory to provide a link to this advisory? Nah.

NOTE 2: Just another case of wondering what other vendors use the same vulnerable operating system?

BD Advisory


BD has published an advisory for the DejaBlue remote desktop vulnerabilities in their products. BD has provided generic workarounds while it continues to test and validate the Microsoft patch for BD products.

3S Update


3S published an update of their CODESYS ENI server advisory that was originally published on September 12, 2019. The new information includes:

Additional mitigation measure;
Mitigated version updated; and
CVE added

Yokogawa Update


Yokogawa published an update of their unquoted service path advisory that was originally published on September 27th, 2019 and most recently updated on October 24th. The new information is another change to the Exaquantum mitigation.

Belden Update


Belden published an update of their URGENT/11 advisory that was originally published on July 11th, 2019 and most recently updated on September 5th. The new information includes updated mitigation information for their EAGLE and EAGLE one products.

Carel Exploits


Red Team Pentesting published exploit code for an unsafe storage of credentials vulnerability in the Carel pCOWeb card. This vulnerability was previously reported in the Rittal Chiller using the pCOWeb card. Red Team Pentesting reports that Carel considers this product obsolete and no longer provides updates for the firmware.

Red Team Pentesting published exploit code for an unauthenticated access to modbus interface vulnerability in the Carel pCOWeb card. This vulnerability was previously reported in the Rittal Chiller using the pCOWeb card. Red Team Pentesting reports that Carel considers this product obsolete and no longer provides updates for the firmware.

Intelligent Security System Exploit


Alberto Vargas published exploit code for an unquoted service path vulnerability in the Intelligent Security System SecurOS Enterprise. There is no indication that this disclosure was coordinated with the vendor so this may be a 0-day exploit.
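The Yokogawa update above and this SecurOS report both concern the same Windows weakness class, an unquoted service path. The researcher's exploit code is not reproduced here; the following is an added example, not code from the original post or from either vendor, showing the general check a practitioner would run to find such services and decide whether they are actually exploitable. The service entries and the writable-directory set are constructed for illustration; on a real host the ImagePath values come from the registry or Win32_Service, and the writable directories from an ACL check.

```python
"""Audit Windows service ImagePath strings for unquoted-path hijack candidates.

Added example, not code from the original post or from any vendor advisory.
The service entries and the writable-directory list below are constructed
for illustration; on a real host you would read ImagePath from
HKLM\\SYSTEM\\CurrentControlSet\\Services\\<svc>\\ImagePath (or from
Get-CimInstance Win32_Service) and check directory ACLs with icacls/Get-Acl.
"""
import ntpath
import re

# Constructed sample of (service name, ImagePath) pairs.
SAMPLE_SERVICES = [
    ("wuauserv", r"C:\Windows\system32\svchost.exe -k netsvcs -p"),
    ("GoodVendorSvc", r'"C:\Program Files\Good Vendor\svc.exe" --service'),
    ("BadVendorSvc", r"C:\Vendor Tools\Service Host\host.exe --service"),
]

# Constructed: a directory a (hypothetical) sloppy installer left writable by Users.
SAMPLE_WRITABLE_DIRS = {r"C:\Vendor Tools"}


def hijack_candidates(image_path: str) -> list:
    """Paths CreateProcess would try, in order, before reaching the real binary.

    For an unquoted ImagePath whose directory names contain spaces, the
    service control manager splits at each space and tries the prefix as a
    program name (appending .exe), so
        C:\\Vendor Tools\\Service Host\\host.exe --service
    is tried as C:\\Vendor.exe, then C:\\Vendor Tools\\Service.exe, then the
    real file. Quoted paths and paths without spaces return [].
    """
    path = image_path.strip()
    if not path or path.startswith('"'):
        return []
    # The real executable is the first token ending in .exe; prefixes that
    # extend past it are irrelevant because the search stops on success.
    m = re.match(r"(.*?\.exe)(?:\s|$)", path, flags=re.IGNORECASE)
    exe = m.group(1) if m else path
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def exposed_candidates(candidates: list, writable_dirs: set) -> list:
    """Keep only candidates whose parent directory a low-privileged user can write to."""
    writable = {d.rstrip("\\").lower() for d in writable_dirs}
    return [c for c in candidates
            if ntpath.dirname(c).rstrip("\\").lower() in writable]


def audit(services, writable_dirs) -> dict:
    """Map service name -> plantable paths, only for services that are exploitable."""
    findings = {}
    for name, image_path in services:
        hits = exposed_candidates(hijack_candidates(image_path), writable_dirs)
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for name, paths in audit(SAMPLE_SERVICES, SAMPLE_WRITABLE_DIRS).items():
        print(f"{name}: a local user could plant any of {paths}")
```

The split into `hijack_candidates` and `exposed_candidates` matters in practice: most unquoted paths under C:\Program Files are not exploitable because the prefix directories are not writable by ordinary users, so a finding should be reported only when both conditions hold. The vendor-side fix is simply to quote the ImagePath at install time, which is what the Yokogawa mitigation updates amount to.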

Friday, November 1, 2019

Senate Amends and Passes HR 3055 – First Senate Minibus


Yesterday the Senate passed an amended version of HR 3055, the first Senate FY 2020 spending minibus, by a bipartisan vote of 84 to 9. They first adopted 48 amendments including the substitute language offered by Sen. Shelby (R,AL); only one amendment considered was rejected.

None of the 49 amendments considered specifically addressed chemical safety, chemical security or cybersecurity concerns. Forty-five of the amendments were considered en bloc [pg S6311] under the unanimous consent process with no debate.

Next week the House may consider the Senate version of the bill. When they do, they will probably ‘insist’ on their version. A conference committee will then take up the two versions and try to work out a compromise version. There is a slight chance that this will happen before the current continuing resolution runs out on November 21st.

It seems unlikely that the full 12 spending bills (four were included in the Senate version of HR 3055) will be passed by the 21st. This means that we will likely (depending on the President) see another continuing resolution to keep the government working past that date. Various news reports (see here for example) claim that the CR under consideration behind closed doors will continue into next year.

HR 4792 (S 2664) Introduced – Cyber Shield Program


Last week Rep. Lieu (D,CA) introduced HR 4792, the Cyber Shield Act of 2019. The bill {and its companion bill, S 2664; introduced by Sen. Markey (D,MA)} would require the Department of Commerce to establish the Cyber Shield Program; a program for the voluntary certification and labeling of products that meet industry-leading cybersecurity and data security benchmarks to enhance cybersecurity and protect data.

The products referenced in the bill only apply to ‘consumer facing objects’ that {§2(3)}:

Connect to the internet or other network; and
Collect, send, or receive data; or
Control the actions of a physical object or system

Commentary


Presumably the ‘consumer facing’ portion of the definition excludes industrial control systems but may apply to certain medical devices. Unfortunately, the FDA is not specifically mentioned as one of the federal agencies to be consulted with on establishing standards in this program. Nor is the Cybersecurity and Infrastructure Security Agency (CISA) mentioned; surprising in that they would certainly have an interest in cybersecurity certifications of consumer products used by federal agencies.

In general, these bills are weak on definitions; no definition of the key term ‘cybersecurity’ for instance. They also fail to address the issue of coordination of vulnerability reporting or even take into account the fact that independent researchers are the most common source for reporting vulnerabilities.

The basic premise is helpful, but this implementation is weak to say the least. This is surprising since Lieu and Markey have both tried to position themselves as cybersecurity gurus in Congress.

Thursday, October 31, 2019

4 Advisories Published – 10-31-19


Today the CISA NCCIC-ICS published four control system security advisories for products from Honeywell (3) and Advantech.

Cameras and Recorder Advisory


This advisory describes an authentication bypass by capture-replay vulnerability in the Honeywell equIP series and Performance series IP cameras and recorders. The vulnerability is self-reported. Honeywell has a firmware update that mitigates the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to result in unauthenticated access.

NOTE: I briefly reported on this vulnerability on September 14th, 2019.

Cameras Advisory


This advisory describes a missing authentication for critical function vulnerability in the Honeywell equIP series and Performance series IP cameras. The vulnerability is self-reported. Honeywell has a firmware update that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to result in unauthenticated access.


equIP Advisory


This advisory describes an improper input validation vulnerability in the Honeywell equIP series IP cameras. This vulnerability is self-reported. Honeywell has a firmware update that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to result in a denial of service.

NOTE: I briefly reported on this vulnerability on September 14th, 2019.

Advantech Advisory


This advisory describes four vulnerabilities in the Advantech WISE-PaaS/RMM IoT device remote monitoring and management platform. The vulnerabilities were reported by rgod of 9sg Security Team and trendytofu via the Zero Day Initiative (ZDI). The product is out-of-support and Advantech recommends replacing the product with EdgeSense and DeviceOn.

The four reported vulnerabilities are:

Path traversal - CVE-2019-13551;
Missing authorization - CVE-2019-13547;
Improper restriction of an XML external entity reference - CVE-2019-18227; and
SQL injection - CVE-2019-18229

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow information disclosure, remote code execution, and compromise system availability.

Bills Introduced – 10-30-19


Yesterday with both the House and Senate in session there were 54 bills introduced. One of those bills may receive future consideration in this blog:

HR 4915 To amend the Small Business Act to provide loan guarantees for the acquisition of cybersecurity technology and services by eligible small businesses, and for other purposes. Rep. Schneider, Bradley Scott [D-IL-10] 

I will be watching this bill for language and definitions that would specifically allow loans for control system cybersecurity or medical device cybersecurity.

S 2607 Introduced – Local UAS Control


Earlier this month Sen. Lee (R,UT) introduced S 2607, the Drone Integration and Zoning Act of 2019. The bill would provide for State and local authority over ‘civil unmanned aircraft systems’ within 200-ft above the ground. Currently, sole jurisdiction over US airspace rests with the Federal Aviation Administration.

Definitions


Section 2 of the bill provides ten definitions to be used in the bill; most reference existing definitions in either the United States Code (USC) or the Code of Federal Regulations (CFR). Two new definitions are of specific interest: ‘immediate reaches of airspace’ and ‘unmanned aircraft take-off and landing zone’:

‘Immediate reaches of airspace’ “means, with respect to the operation of a civil unmanned aircraft system, any area within 200 feet above ground level” {§2(4)}.

‘Unmanned aircraft take-off and landing zone’ “means a structure, area of land or water, or other designation for use or intended to be used for the take-off or landing of civil unmanned aircraft systems operated by a commercial operator” {§2(10)}

This section uses the broad definitions of the terms ‘unmanned aircraft’ and ‘unmanned aircraft systems’ from 49 USC 40101 Note (pg 869). The terms would include commercial UAS, small UAS, hobby UAS, and recreational UAS.

Immediate Reaches of Airspace


Section 3 of the bill would amend the definition of ‘navigable airspace’ found in 49 USC 40102(32) by adding at the end: “In applying such term to the regulation of civil unmanned aircraft systems, such term shall not include the area within the immediate reaches of airspace (as defined in section 2(4) of Drone Integration and Zoning Act of 2019).’’ {§3(a)}.

Subsection (b) would then require the FAA to conduct a rulemaking to “to update the definition of ‘navigable airspace’” {§3(b)(1)}. The rulemaking would also designate the area between 200-ft and 400-ft above ground level for the operation of “civil unmanned aircraft systems under the exclusive authority of the Administrator”. The final rule would be required to be published within one year of the enactment of this bill.

Restrictions on Federal Actions


Section 4 of the bill starts out with a listing of congressional findings and a deduced set of ‘sense of Congress’ elements that delineate the areas of responsibility for control of the ‘immediate reaches of airspace’. The final conclusion is that: “the Federal Government lacks the authority to intrude upon a State’s sovereign right to exercise reasonable time, manner, and place of operations of unmanned aircraft systems operating within the immediate reaches of airspace” {§4(a)(2)(C)}.

The bill then goes on to further clarify the meaning of ‘immediate reaches of airspace’ in so far as it limits the FAA’s authority to regulate civil unmanned aircraft around buildings that are over 200-ft in height. It extends that area to 50-ft above the building and to within 200-ft (or the property line of the owner) laterally of the building. Those limits do not apply to UAS flying “directly within or above an authorized public right of way” {§4(b)(2)(C)}.

The bill then proceeds to outline what would be considered to be “reasonable restrictions on the time, manner, and place of operation of a civil unmanned aircraft system” {§4(b)(3)}:

Specifying limitations on speed of flight over specified areas.
Prohibitions or limitations on operations in the vicinity of schools, parks, roadways, bridges, moving locations, or other public or private property.
Restrictions on operations at certain times of the day or week or on specific occasions such as parades or sporting events, including sporting events that do not remain in one location.
Prohibitions on careless or reckless operations, including operations while the operator is under the influence of alcohol or drugs.
Other prohibitions that protect public safety, personal privacy, or property rights, or that manage land use or restrict noise pollution.

Section 4(c) of the bill provides the FAA with the authority to designate ‘authorized commercial routes’ for civil unmanned aircraft with the limitation that such routes would be above 200-ft above ground level.

UAS Takeoff and Landing Zones


Section 5 of the bill outlines the limits of the authority of State and local governments to regulate the “designation, placement, construction, or modification of an unmanned aircraft take-off and landing zone” {§5(a)}. While most of the limitations are procedural limits on the zoning process, the section does provide a general limit on discrimination. Section 5(b) provides that the “regulation of the designation, placement, construction, or modification of an unmanned aircraft take-off and landing zone by any State, local, or Tribal government may not—
“(1) unreasonably discriminate among commercial operators of unmanned aircraft systems; or
“(2) prohibit, or have the effect of prohibiting, a commercial operator from operating an unmanned aircraft system.”

Restriction on State and Local Actions


Section 6 of the bill provides limits on State and local government authority to restrict the operation of civil UAS between the ground and the 200-ft limit of the ‘navigable air space’. Generally, such governments are prohibited from taking actions that unreasonably or substantially impede {§6(a)(1)}:

The ascent or descent of an unmanned aircraft system, operated by a commercial operator, to or from the navigable airspace in the furtherance of a commercial activity; or
A civil unmanned aircraft from reaching navigable airspace where operations are permitted.

Moving Forward


Lee is a member of the Senate Commerce, Science, and Transportation Committee, the committee to which this bill was assigned for consideration. This means that there is a good chance that Lee has enough influence to see this bill considered in Committee. This is a relatively comprehensive bill and with no cosponsors it would seem likely that one or more of the provisions might draw significant opposition from various factions. I suspect that we will not be able to determine what opposition might arise until the bill makes it to Committee consideration.

This bill would almost certainly require being considered in regular order on the floor of the Senate. That provides a practical limit on its possibility of being considered. This language could, however, be included as part of an FAA reauthorization bill, if there is sufficient support in Committee.

Commentary


There is nothing in this bill that would allow an exception to the 18 USC 32 prohibitions about interfering with the actual flight of a civil unmanned aircraft.

Wednesday, October 30, 2019

DOE CEII Final Rule to OMB – 10-29-19


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a final rule from the DOE on “Critical Electric Infrastructure”. According to the Spring 2019 Unified Agenda, the rule would outline the “administrative procedures [that] are intended to ensure that stakeholders and the public understand how the Department would designate, protect, and share CEII under the Federal Power Act”. The notice of proposed rulemaking for this action was published in October 2018.

Bills Introduced – 10-29-19


Yesterday with both the House and Senate in session there were 36 bills introduced. Of those bills, two may receive additional coverage in this blog:

S 2730 A bill to establish and ensure an inclusive transparent Drone Advisory Committee. Sen. Peters, Gary C. [D-MI]

S 2731 An original bill to authorize appropriations for fiscal year 2020 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, and for other purposes. Sen. Inhofe, James M. [R-OK] 

I will only be covering S 2730 if the advisory committee is specifically authorized to address counter-drone activities.

Tuesday, October 29, 2019

1 Advisory Published – 10-29-19


Today the CISA NCCIC-ICS published a control system security advisory for products from Phoenix Contact.

Phoenix Contact Advisory


This advisory describes an improper input validation vulnerability in the Phoenix Contact Automation Worx Software Suite. The vulnerability was reported by the 9sg Security Team via the Zero Day Initiative. Phoenix Contact provided generic workarounds while it continues to work on an update to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to compromise the availability, integrity, or confidentiality of an application programming workstation. Automated systems programmed using one of the affected products are not impacted.

NOTE: I briefly reported on this vulnerability on October 19th, 2019.

Bills Introduced – 10-28-19


Yesterday with both the House and Senate in session there were 48 bills introduced. Three of those bills may receive future coverage in this blog:

HR 4891 To provide for the conduct of certain water security measures in the Western United States, and for other purposes. Rep. Torres Small, Xochitl [D-NM-2]

S 2714 A bill to amend the America COMPETES Act to reauthorize the ARPA-E program, and for other purposes. Sen. Van Hollen, Chris [D-MD]

S 2718 A bill to provide for the conduct of certain water security measures in the State of New Mexico, and for other purposes. Sen. Udall, Tom [D-NM] 

I suspect that the ‘water security measures’ referenced in HR 4891 and S 2718 are related to ‘supply security’ not physical or cyber security of the water systems.

Monday, October 28, 2019

Senate Committee Reports for HR 3055 – First Senate Minibus

The version of HR 3055 that the Senate will resume considering today is based upon four spending bills proposed by the Senate Appropriations Committee. While there may be some slight differences in the language included in Senate Amendment 948, that amendment specifically adopts the four committee reports “for purposes of determining the allocation of funds provided by, and the implementation of,” each of the four divisions in the proposed bill.

Those reports are:

S Rept 116-127 (Div A - CJS)

S Rept 116-110 (Div B – ARD)

S Rept 116-123 (Div C – IER)

S Rept 116-109 (Div D – THUD)

As is typical for spending bills, the important details are found in these reports, not in the bill language. Below I will discuss some of the more interesting details.

Cybersecurity


Every division (and most titles) of the proposed amendment contain some sort of cybersecurity language. Mostly though those references and spending allocations pertain to protecting the IT systems of the US government.

Not unexpectedly the NIST section of the Division A report deals with supporting cybersecurity workforce training. While no specific funding is outlined the Committee “directs that no less than the fiscal year 2019 level is provided for cybersecurity research, outreach, industry partnerships, and other activities at NIST, including the National Cybersecurity Center of Excellence” (pg 23). Interestingly the Committee desires to see “a priority being placed on areas with a high concentration of Department of Defense, automotive, and health care related industries”.

NIST is also called upon to address industrial cybersecurity via Industrial Internet of Things (IIoT) cybersecurity research. The report calls for spending ‘no less than’ $2 million “to improve the sustainable security of IIoT devices in industrial settings” (pg 23). The Committee calls for comprehensive strategies that would “couple computer science and engineering, psychology, economics, cryptography, and network research to deliver significant mitigations and options for industrial adoption, as well as guidance to consumers and industry on how to manage and utilize these devices consistent with best security practices” (pg 24).

The National Science Foundation ‘Education and Human Resources’ section of the Division A report also significantly addresses cybersecurity training issues. The Committee provides $55 million (pg 169) for the CyberCorps scholarship program with $7.5 million of that going to support the two year programs at NSA sponsored Center of Academic Excellence in Information Assurance 2–Year Education [CAE2Y] program community colleges.


The DOJ portion of the Division A report addresses another aspect of cybersecurity education; computer forensics and digital investigation. The State and Local Law Enforcement and Cybercrime Prevention section includes a requirement for DOJ to allocate $2 million “for a separate competitive grant program to expand a partnership with an institution for higher learning for the purposes of furthering educational opportunities for students training in computer forensics and digital investigation” (pg 130).

There is an interesting control system cybersecurity provision in the Division D Report. The Federal Railroad Administration (FRA) portion of the DOT Title “urges FRA to prioritize funding to establish enhanced cybersecurity methods, standards, and best practices, especially as it relates to the implementation of PTC [Positive Train Control] technology and future versions of this technology” (pg 73). Specifically, the Committee directs the FRA to “work with industry to identify current vulnerabilities and prepare for threats that could arise from future updates and the migration to future designs.”

Chemical Safety


There is only one mention of chemical safety issues that I can find in the four reports. That deals with the continued funding of the Chemical Safety Board. While the initial Trump Administration budget proposed eliminating the CSB, this year’s budget proposed $10.2 million and the Committee recommends continuing the current funding level of $12 million. The report notes that “The Board has the important responsibility of independently investigating industrial chemical accidents and collaborating with industry and professional organizations to share safety lessons that can prevent catastrophic incidents and the Committee expects this work to continue.”

Moving Forward


It is looking more likely that the Senate will pass HR 3055 later this week. The bill would then have to go back to the House. The House is unlikely to accept the Senate version so the bill would have to go to conference. The conference report would also address the differences in allocations and implementation directions, essentially rewriting the two versions of the Committee Reports.