Wednesday, July 17, 2019

Bills Introduced – 07-16-19


With both the House and Senate in session yesterday there were 42 bills introduced. One of those bills will probably receive additional coverage in this blog:

HR 3787 To amend the Homeland Security Act of 2002 to establish in the Department of Homeland Security an Unmanned Aircraft Systems Coordinator, and for other purposes. Rep. Perry, Scott [R-PA-10]

I suspect that this bill will be similar to HR 6438 that Perry introduced in the 115th Session.

Tuesday, July 16, 2019

HR 3699 Introduced – TSA Pipeline Security


Last week Rep. Cleaver (D,MO) introduced HR 3699, the Pipeline Security Act. The bill would specifically make the Transportation Security Administration (TSA) responsible for cybersecurity and physical security oversight for gas and hazardous liquid pipelines. It would also establish a Pipeline Security Section within the TSA.

Cybersecurity Responsibility


Section 2 of the bill would amend 49 USC 114(f), Additional Duties and Powers, to add a new paragraph (16) that would provide for the TSA responsibility “relating to securing pipeline transportation and pipeline facilities (as such terms are defined in section 60101 [link added] of this title) against cybersecurity threats (as such term is defined in section 102 of the Cybersecurity Information Sharing Act of 2015 (Public Law 114–113; 6 U.S.C. 1501 [link added])), an act of terrorism (as such term is defined in section 3077 of title 18), and other nefarious acts that jeopardize the physical security or cybersecurity of such transportation or facilities”. The reliance on the §1501 definition for ‘cybersecurity threats’ would specifically include control systems in the cybersecurity responsibilities.

Pipeline Security Section


Section 3 of the bill would amend the Implementing Recommendations of the 9/11 Commission Act of 2007, by adding a new §1209. That section establishes within TSA “a pipeline security section to carry out pipeline security programs in furtherance of section 114(f)(16) of title 49 [as added by this bill], United States Code” {new §1209(a)}. The section would oversee the security of pipeline facilities against cybersecurity threats, terrorist attacks and “other nefarious acts that jeopardize the physical security or cybersecurity of such transportation or facilities” {new §1209(b)}.

The Pipeline Security Section would be headed by someone with “knowledge of the pipeline industry and security best practices” {new §1209(c)} and it would “be staffed by a workforce that includes personnel with cybersecurity expertise.”

The Section would be tasked with {new §1209(d)}:

Developing guidelines for improving the security of pipeline transportation and pipeline facilities against cybersecurity threats, an act of terrorism, and other nefarious acts that jeopardize the physical security or cybersecurity of such transportation or facilities;
Updating such guidelines as necessary based on intelligence and risk assessments, but not less frequently than every three years;
Sharing of such guidelines and, as appropriate, intelligence and information regarding such security threats to pipeline transportation and pipeline facilities, as appropriate, with relevant Federal, State, local, Tribal, and territorial entities and public and private sector stakeholders;
Conducting security assessments based on the guidelines developed above;
Carrying out a program to inspect pipeline transportation and pipeline facilities, including inspections of pipeline facilities determined critical by the Administrator; and
Preparing notice and comment regulations for publication, if determined necessary by the Administrator.

Moving Forward


Cleaver is a member of the House Homeland Security Committee and his influence has apparently been sufficient to have this bill considered in Committee in a markup hearing tomorrow. I suspect that there will be bipartisan support for this bill in Committee. If there is sufficient bipartisan support, this bill could move to the House floor under the suspension of the rules process. The relatively strong bipartisan support would be necessary there due to the requirement for a supermajority to pass under those provisions.

Commentary


There are a couple of problems with this bill. The first is that there is no mention of the Department of Transportation as a cooperative party in any of the provisions in the bill. DOT in general and the Pipeline and Hazardous Materials Safety Administration in particular have a major stake in the safe operation of gas and hazardous liquid pipelines. Existing federal law (6 USC 1207 for example) already requires that DHS consult with DOT on inspections, guidance development and crafting of security regulations. Those requirements should be referenced in this bill.

Safety and security go hand-in-hand, especially where emergency response activities are involved. And that is another problem with this bill; there is no mention of emergency response planning or exercises. A security plan that does not include failure mode mitigation is one that is going to end up doing a great deal of harm if a dedicated attacker is involved.

Furthermore, I do not understand why there is no mention of existing TSA pipeline security requirements in the §1209(d) outline of responsibilities for the Pipeline Security Section. I have already mentioned 6 USC 1207, but 6 USC 1208 lists more existing TSA pipeline security requirements. Furthermore, §1208 already addresses the need for emergency response planning for security incidents. The new §1209 in this bill should reference these requirements as part of the responsibilities of the new Pipeline Security Section under paragraph (d).

Finally, there are no information sharing provisions in this bill. There should probably be a subparagraph in the new §1209(d) requiring the establishment of a security incident (to specifically include cybersecurity incidents) reporting system. It is probably too much to ask to make such reporting mandatory (though to be most effective it would have to be mandatory), but even voluntary information reporting with anonymized sharing of the information with other owner/operators could be valuable.

Rule Adopted for HR 3494 – FY 2020 Intel Authorization


Yesterday the House Rules Committee crafted the rule for the consideration of HR 3494, the Damon Paul Nelson and Matthew Young Pollard Intelligence Authorization Act for Fiscal Years 2018, 2019, and 2020. It provides a structured rule, allowing for the consideration of 31 amendments with limited debate. The bill will be considered by the House today.

The Ruppersberger amendment that I briefly discussed yesterday was included in the list of amendments authorized to be offered on the floor. It is amendment #6.

Monday, July 15, 2019

PSP Program – Conversation with ISCD


I had an interesting telephone conversation with Kelly Murray, the Compliance Branch Chief at the DHS Infrastructure Compliance Division (ISCD) about the Chemical Facility Anti-Terrorism Standards (CFATS) personnel surety program. She wanted to call attention to an error in my post on the expansion of the CFATS Personnel Surety Program (PSP) to Tier III and IV facilities. She was also kind enough to answer questions about the PSP and some new tools that ISCD had added since my earlier post.

Error Correction


In my earlier post I wrote:
First, once notified by ISCD that the facility will begin the implementation process (and that notice will start the 60-day implementation clock [emphasis added]), the facility will update their site security plan to include information about how they will implement the process at their facility.

Kelly pointed out that the initial notice triggers a 30-day clock for the submission of the facility site security plan (SSP) revision concerning the PSP. The 60-day clock is for the actual implementation of the SSP PSP provisions and it starts once ISCD notifies the facility that their SSP revision has been approved.

New PSP Tools


Later the same day as I posted about the PSP expansion, ISCD published the following notice on the CFATS Knowledge Center about additional tools that they had made available to assist facilities in dealing with the new PSP requirements:

07/11/19: CISA published a Federal Register notice (84 FR 32768) announcing the implementation of the CFATS Personnel Surety Program (PSP) at all high-risk chemical facilities—including Tier 3 and Tier 4 facilities. This implementation closes the final gap in vetting individuals with access to critical assets and restricted areas for terrorist ties.
Visit the PSP page for more details, the PSP Toolkit with new resources (e.g., updated RBPS 12(iv) fact sheet, PSP Samples Supplement, PSP Sample Bulk Upload, etc.), and a webinar demo of the PSP in the CSAT 2.0 portal.

In my opinion, one of the most valuable tools is the PSP Samples Supplement (.DOCX download link). It provides examples that facilities can use to answer the questions in the SSP Tool that relate to the PSP. It shows various ways that facilities can use the Four Options at their facilities.

Questions


There is an odd footnote at the end of the PSP Samples Supplement; footnote 1 reads:

“To date, DHS has not received any Site Security Plans selecting Option 3 and therefore the sample answers have been provided as an example but is not based on lessons learned or best practices.”

Given the clamor from industry during the development of the PSP to be able to use TWIC Readers and the subsequent demands from Congress on the same, I found this rather odd. Kelly did tell me that the footnote is no longer technically correct; since the document was approved a facility has submitted an SSP that designates Option 3 as one of the options that the facility will use to screen personnel.

I asked her why she thought facilities were not using this option and she noted that she thought it was because Option 1 (the most common option used according to her) was so easy to use/implement.

I did ask her the inevitable question; had any facilities been notified that an employee had been identified as having terrorist ties through this vetting process? As expected, she could not answer that question. An answer to a subsequent question, however, seemed to imply (not surprisingly) that such notifications had been received.

I asked her about the process for correcting an inappropriate response of potential terrorist ties. The ISCD privacy documentation does provide a process for employees to question the accuracy of information submitted via the PSP tool under Option 1 or 2, but that does not address the case where the Terrorist Screening Database information itself is wrong. Kelly noted that the PSP tool for Option 1 includes provisions for providing additional information about an individual and that ISCD could ask for that additional information if there was a terrorist association result from TSA. It sounded as if these questions had been asked in some number of instances.

Additional Information


Kelly noted that facilities could expect some sort of delay between submitting the SSP revision and receiving notification that the revision had been approved and the 60-day compliance clock starting. How long a delay would depend on how many facilities had submitted their SSP updates. Facilities should not be concerned about a lengthy delay being an indication that the SSP revision would be disapproved.

One other thing that did come up was a reinforcement of a point I had made in my post. ISCD is planning for substantial support from Chemical Security Inspectors during this process.

HR 3710 Introduced – Cybersecurity Vulnerabilities


Last week Rep. Jackson-Lee (D,TX) introduced HR 3710, the Cybersecurity Vulnerability Remediation Act. The bill would amend 6 USC 659 to allow the National Cybersecurity and Communications Integration Center (NCCIC) to “identify, develop, and disseminate actionable protocols to mitigate cybersecurity vulnerabilities” {new §659(n)}.

Changes to Section 659


Section 2 of the bill first adds a definition of ‘cybersecurity vulnerability’ taken from ‘security vulnerability’ in 6 USC 1501. It then goes on to modify the functions of the NCCIC in §659(c). The revisions would make that paragraph read:

(c) Functions
The cybersecurity functions of the Center [NCCIC] shall include-

•••

(5)(A) conducting integration and analysis, including cross-sector integration and analysis, of cyber threat indicators, defensive measures, cybersecurity risks, and incidents; and

(B) sharing mitigation protocols to counter cybersecurity vulnerabilities pursuant to subsection (n); and

(C) [redesignated from (B)] sharing the analysis conducted under subparagraph (A) and mitigation protocols to counter cybersecurity vulnerabilities in accordance with subparagraph (B) with Federal and non-Federal entities;

•••

(9) sharing cyber threat indicators, defensive measures, mitigation protocols to counter cybersecurity vulnerabilities and other information related to cybersecurity risks and incidents with Federal and non-Federal entities, including across sectors of critical infrastructure and with State and major urban area fusion centers, as appropriate;

Finally, it would add a new paragraph (n):

(n) PROTOCOLS TO COUNTER CYBERSECURITY VULNERABILITIES.—The Director may, as appropriate, identify, develop, and disseminate actionable protocols to mitigate cybersecurity vulnerabilities, including in circumstances in which such vulnerabilities exist because software or hardware is no longer supported by a vendor.

Vulnerability Disclosure


Section 3 of the bill would require a report to Congress on how the Cybersecurity and Infrastructure Security Agency (CISA) carries out its vulnerability disclosure responsibilities described in §659(m). That report would include activities undertaken “to disseminate actionable protocols to mitigate cybersecurity vulnerabilities” {§3(a)} outlined in this bill. That unclassified report would include:

A description of the policies and procedures relating to the coordination of vulnerability disclosures.
A description of the levels of activity in furtherance of such subsections (m) and (n) of §659;
Any plans to make further improvements to how information provided pursuant to such subsections can be shared (as such term is defined in §659) between the Department and industry and other stakeholders.
Any available information on the degree to which such information was acted upon by industry and other stakeholders; and
A description of how privacy and civil liberties are preserved in the collection, retention, use, and sharing of vulnerability disclosures.

Vulnerability Competition


Section 4 of the bill would allow CISA to “establish an incentive-based program that allows industry, individuals, academia, and others to compete in providing remediation solutions for cybersecurity vulnerabilities”. No funding is provided.

Moving Forward


As I mentioned in an earlier post, this bill will be marked up by the House Homeland Security Committee tomorrow. I do not expect any amendments will be offered and the bill will almost certainly receive bipartisan support. I expect that the bill will be considered by the full House under the suspension of the rules process; limited debate and no floor amendments. It is very likely to pass with strong bipartisan support.

Commentary


The final phrase in §659(n) is very interesting; “including in circumstances in which such vulnerabilities exist because software or hardware is no longer supported by a vendor.” This clearly recognizes that software (and of course, operating systems) is (are) quite frequently used well after the vendor stops providing support and that this significantly increases the risk associated with that continued use. And, I would assume that the ‘competition’ outlined in §4 is primarily aimed at these out-of-support systems.

There is a significant problem with this approach. While the vendors have stopped support for these systems, I do not think that most would surrender their copyright or outright ownership of the ‘non-supported’ systems. This means that it would be a violation of any of a number of Federal (and probably international) laws to modify the software, firmware or operating system to mitigate any vulnerabilities found after the close of support on the product without the specific authorization of the vendor. These issues will have to be resolved by Congress.

Committee Hearings – Week of 7-14-19


With both the House and Senate in Washington and looking towards their extended summer recess, there are a number of interesting hearings on the schedule for this week. In addition to the House Rules Committee hearing on HR 3494 there will be two markup hearings addressing cybersecurity bills and two other hearings that may address cybersecurity issues.

Cybersecurity Markups


On Tuesday the Senate Energy and Natural Resources Committee will conduct a markup hearing on 23 bills. Bills of interest here include:

S 174, a bill to provide for the establishment of a pilot program to identify security vulnerabilities of certain entities in the energy sector. (King/Risch); and
S 715, a bill to improve the productivity and energy efficiency of the manufacturing sector by directing the Secretary of Energy, in coordination with the National Academies and other appropriate Federal agencies, to develop a national smart manufacturing plan and to provide assistance to small- and medium-sized manufacturers in implementing smart manufacturing programs, and for other purposes. (Shaheen)

On Tuesday the House Homeland Security Committee will conduct a markup hearing on 18 bills. Bills of interest here include:

HR 3318, (Mr. Joyce) The “Emerging Transportation Security Threats Act of 2019”;
HR 3699, (Mr. Cleaver) The “Pipeline Security Act” (not yet reviewed here);
HR 3710, (Ms. Jackson Lee) The “Cybersecurity Vulnerability Remediation Act” (not yet reviewed here).

Both of these hearings are going to be dealing with a large number of bills. I do not expect much in the way of amendments and very little discussion.

Cybersecurity (?) Hearings


On Wednesday the Energy Subcommittee of the House Energy and Commerce Committee will be holding a hearing on “The Future of Electricity Delivery: Modernizing and Securing Our Nation’s Electricity Grid”. The witness list includes:

Karen Evans, DOE;
Juan Torres, National Renewable Energy Laboratory;
Kelly Speakes-Backman, Energy Storage Association; and
Katherine Hamilton, Advanced Energy Management Alliance

This is almost certainly going to focus on energy supply security, not cybersecurity, but Evans is the head of Office of Cybersecurity, Energy Security, and Emergency Response (CESER), so there will likely be some questions about grid cybersecurity.

On Thursday the House Oversight and Reform Committee will hold a hearing with Kevin K. McAleenan. There is no official indication of the topics to be discussed, but I suspect that it will focus on ‘border security issues.’ There is a slight chance that cybersecurity questions will be addressed to the Acting Secretary.

Sunday, July 14, 2019

HR 3494 Reported in House – FY 2020 Intel Authorization


This week the House Intelligence Committee reported on HR 3494, Damon Paul Nelson and Matthew Young Pollard Intelligence Authorization Act for Fiscal Years 2018, 2019, and 2020. While the bill contains some cyber operations and cyber intelligence language, it does not address any control system cybersecurity issues. There is, however, a brief discussion in the Committee Report about the development of a “cybersecurity and intelligence collection doctrine” that bears some scrutiny.

The House Rules Committee is meeting tomorrow to create the rule under which this bill will be considered on the floor later this week. A total of 46 amendments were proposed to the Committee last week. They will consider which amendments may be considered during the consideration of the bill on the floor of the House. One of those amendments addresses cybersecurity in the energy sector.

Cybersecurity and Intelligence Collection Doctrine


On page 95 of the Report, the Committee directs the Office of the Director of National Intelligence (ODNI) “to develop an analytic framework that could support the eventual creation and execution of a Government-wide cybersecurity and intelligence collection doctrine.” The framework would include:

An assessment of the current and medium-term cyber threats to the protection of the United States’ national security systems and critical infrastructure;
IC definitions of key cybersecurity concepts, to include cyberespionage, cyber theft, cyber acts of aggression, and cyber deterrence;
Intelligence collection requirements to ensure identification of cyber actors targeting U.S. national security interests, and to inform policy responses to cyberattacks and computer network operations directed against the United States;
The IC’s methodology for assessing the impacts of cyberattacks and computer network operations incidents directed against the United States, taking into account differing levels of severity of incidents;
Capabilities that the IC could employ in response to cyberattacks and computer network operations incidents, taking into account differing levels of severity of incidents;
A policy and architecture for sharing cybersecurity-related intelligence with government, private sector, and international partners, including existing statutory and other authorities which may be exercised in pursuit of that goal; and
Any necessary changes in IC authorities, governance, technology, resources, and policy to provide more capable and agile cybersecurity.

Possible Cybersecurity Amendment


Amendment #20 was submitted by Rep. Ruppersberger (D,MD) and Rep. Carter (R,TX). This amendment would authorize a pilot program identifying new classes of security vulnerabilities and researching technology to address the ever-present and changing face of cyber security threats to the energy grid. The amendment is essentially HR 680, which Ruppersberger and Carter introduced in January. No action has been taken on that bill. Nearly identical language was included (§10742) in the Intel Authorization Act that was included in S 1790, the FY 2020 NDAA that was passed last month.

There is no resolution of the vulnerability disclosure issue that I discussed in my post on HR 680 in either this submitted amendment to HR 3494 or in §10742 in S 1790.

Moving Forward


The House is currently scheduled to consider HR 3494 on Tuesday. With the small number of amendments being submitted to the Rules Committee, it looks like it could complete consideration of the bill on the same day. The bill is likely to pass, but I suspect it will be largely a party-line vote. The problem is going to come with how to deal with the intel authorization once the House vote is completed. Normally, there would be a conference committee to iron out the differences, but the Senate passed their intel authorization act as part of the DOD authorization act. It will be interesting to see how this procedural issue is resolved.

Saturday, July 13, 2019

House Amends and Passes HR 2500 – FY 2020 NDAA


Yesterday the House concluded the amendment process for HR 2500, the FY 2020 National Defense Authorization Act (NDAA) and passed the bill on a near party-line vote of 220 to 197 (eight Democrats voted NAY). Among the literally hundreds of amendments passed are all five of the amendments I mentioned in my post earlier in the week. As expected, they all passed by voice votes as part of en bloc amendments.

There were a number of provisions in the version of the bill considered in the House and a number of passed amendments that would not be able to pass in the Senate. The Senate already passed their version of the bill (S 1790) with a strongly bipartisan vote. A conference committee will ultimately combine the two versions into something that will subsequently pass in both the House and Senate and would ultimately be signed by the President.

Public ICS Disclosures – Week of 07-06-19


This week we have vendor disclosures from Schneider, Johnson Controls, and Siemens. We also have updates of previously issued advisories from Schneider (3) and Siemens (5).

Schneider Advisory


Schneider published an advisory that describes a buffer error vulnerability in the Schneider Modicon M580 controller product. The vulnerability is self-reported. Schneider has a new version that mitigates the vulnerability.

Schneider Updates


1. Schneider updated an advisory that was originally published on May 14th, 2019 for a vulnerability in the Schneider Modicon Controller products. The new information corrected the CVSS v3.0 Base Score from 7.4 to 7.5.

2. Schneider updated an advisory that was originally published on May 23rd, 2017 for a vulnerability in the Schneider Modicon Controllers and SCADAPack RTUs. The new information includes:

Updated affected products section to include SCADAPack RTUs;
Updated remediation section to include information for SCADAPack RTUs; and
Updated researcher acknowledgment section

3. Schneider updated an advisory that was originally published on May 14th, 2019 for multiple vulnerabilities in its Modicon Controller products. The new information includes:

Updated to include links to M580 V2.90 Firmware and Control Expert Hot Fix V14.0; and
Updated mitigations for CVE-2019-6808

NOTE: I missed the original publication of the Schneider advisory, but I did report on the vulnerabilities when reported by Talos.

Johnson Controls Advisory


Johnson Controls published an advisory reporting an undescribed vulnerability in the Johnson Controls TrueInsight modules used to connect Simplex® Fire Alarm Control Panels to the TrueInsight Remote Service. This vulnerability is apparently self-reported. Johnson Controls has remotely disabled the modules with active customers.

Comment: Wow. This very brief advisory begs more questions than it answers. An 11-9-16 advertorial over on FacilityExecutive.com ‘reports’:

“SimplexGrinnell's True Insight Remote Service is an internet based software platform that provides SimplexGrinnell an electronic window into the operation of your entire simplex fire system 24/7.”

Remotely disconnecting the link between fire alarm control panels and this platform slams shut that ‘electronic window’. I hope that Johnson Controls notified their customers before they disconnected the system.

Siemens Advisory


Siemens published an advisory describing four microarchitectural vulnerabilities in Siemens Industrial Products. The vulnerabilities are self-reported. Siemens has produced some BIOS updates that include chipset microcode updates and recommends applying OS vendor updates that address these vulnerabilities.

The four reported vulnerabilities are:

Microarchitectural Store Buffer Data Sampling (MSBDS) - CVE-2018-12126;
Microarchitectural Load Port Data Sampling (MLPDS) - CVE-2018-12127;
Microarchitectural Fill Buffer Data Sampling (MFBDS) - CVE-2018-12130; and
Microarchitectural Data Sampling Uncacheable Memory (MDSUM) - CVE-2019-11091
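Siemens' guidance for these four MDS CVEs (and the same four added to the S7-1500 MFP advisory below) is to apply BIOS/microcode updates and OS vendor updates; the practical follow-up for an asset owner is confirming that a patched host actually reports the mitigation as active. The following is an added example, not code from the Siemens advisory or from this blog. It assumes a Linux host, where the kernel publishes one status line per issue under `/sys/devices/system/cpu/vulnerabilities/` (the `mds` entry carries the "no microcode" and "SMT vulnerable" qualifiers that matter here); Windows-based industrial PCs need the vendor's own tooling instead. The two sysfs snapshots in the script are constructed samples, not captures from a real system.

```python
"""Check Linux sysfs speculative-execution status for the MDS family
(MSBDS/MLPDS/MFBDS/MDSUM) after microcode and OS updates are applied."""
from pathlib import Path

# CVE identifiers as listed in the Siemens advisory.
MDS_CVES = ("CVE-2018-12126", "CVE-2018-12127", "CVE-2018-12130", "CVE-2019-11091")
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed samples (not captured from a real host), shaped like the
# one-line status files the kernel exposes under SYSFS_DIR: one host before
# updates and the same host after microcode is applied and SMT is disabled.
SAMPLE_BEFORE = {
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable\n",
    "meltdown": "Mitigation: PTI\n",
}
SAMPLE_AFTER = {
    "mds": "Mitigation: Clear CPU buffers; SMT disabled\n",
    "meltdown": "Mitigation: PTI\n",
}


def classify(status_line):
    """Map one sysfs status line to 'not affected', 'mitigated' or 'vulnerable'.

    Anything that is not an explicit 'Not affected' or 'Mitigation:' line,
    including text this script does not recognise, is treated as vulnerable
    so that an unexpected kernel string never reads as a pass."""
    s = status_line.strip()
    if s.startswith("Not affected"):
        return "not affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    return "vulnerable"


def mds_findings(entries):
    """Describe MDS status for one host.

    `entries` maps sysfs file name -> file content. The notes pick out the
    two qualifiers the kernel appends that matter operationally: whether the
    CPU microcode supports buffer clearing at all, and whether SMT still
    leaves the sibling hyper-thread exposed."""
    line = entries.get("mds")
    if line is None:
        return {"state": "unknown",
                "notes": ["no mds entry exposed by this kernel"],
                "cves": MDS_CVES}
    low = line.lower()
    notes = []
    if "no microcode" in low:
        notes.append("microcode lacks buffer-clear support; apply BIOS/microcode update")
    if "smt vulnerable" in low:
        notes.append("SMT enabled; cross-thread leakage remains possible")
    elif "smt disabled" in low or "smt mitigated" in low:
        notes.append("SMT disabled or mitigated")
    return {"state": classify(line), "notes": notes, "cves": MDS_CVES}


def read_sysfs(directory=SYSFS_DIR):
    """Read every status file under the kernel's vulnerabilities directory.
    Returns an empty dict on non-Linux hosts or kernels that lack it."""
    d = Path(directory)
    if not d.is_dir():
        return {}
    return {p.name: p.read_text() for p in d.iterdir() if p.is_file()}


def report(entries):
    """One line per sysfs entry plus the MDS finding, as a single string."""
    lines = [f"{name}: {classify(text)}" for name, text in sorted(entries.items())]
    mds = mds_findings(entries)
    lines.append(f"MDS ({', '.join(mds['cves'])}): {mds['state']}")
    lines.extend(f"  - {n}" for n in mds["notes"])
    return "\n".join(lines)


if __name__ == "__main__":
    # Use the live sysfs tree when present; fall back to the constructed sample.
    live = read_sysfs()
    print(report(live if live else SAMPLE_BEFORE))
```

Run with no arguments on a Linux host it reports the live tree; anywhere else it reports the constructed "before" sample. The fail-closed choice in `classify` is deliberate: a microcode update that landed without the matching kernel update still shows as "Vulnerable: ..." and should stay on the remediation list.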

Siemens Updates


1. Siemens published an update for the Siemens Advanced Therapy Products from Siemens Healthineers advisory that was originally published on May 24th, 2019. The new information includes:

Added mitigation; and
Clarified affected versions

2. Siemens published an update for Siemens RAPIDPoint® 500 Operating on Windows XP that was originally published on May 24th, 2019. The new information includes:

Removed AUWi and AUWi Pro; and
Changed patch release date

3. Siemens published an update for Siemens Laboratory Diagnostics Products from Siemens Healthineers that was originally published on May 24th, 2019. The new information includes:

Removed CS 5100 for Windows XP; and
Added patch information

NOTE: These first three Siemens updates are all for the Microsoft® RDP vulnerability.

4. Siemens published an update for Siemens SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP that was last updated on June 11th, 2019. The new information includes:

Added CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091, CVE-2019-11477, CVE-2019-11478, CVE-2019-11479, CVE-2019-12900; and
Changed NVD links to MITRE

Friday, July 12, 2019

7 Advisories Published – 07-11-19


Yesterday the DHS NCCIC-ICS published six industrial control system advisories for products from Schneider Electric (2), AVEVA, Siemens (3) and Delta Industrial. They also published a medical device security advisory for products from Philips.

Interactive Graphical SCADA Advisory


This advisory describes an out-of-bounds write vulnerability in the Schneider Interactive Graphical SCADA System (IGSS). The vulnerability was reported by mdm and rgod of 9SG Security Team via the Zero Day Initiative. Schneider has new versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerability to achieve arbitrary code execution or crash the software.

Floating License Manager Advisory


This advisory describes four vulnerabilities in the Schneider Floating License Manager. The vulnerabilities are self-reported. According to the Schneider advisory, the vulnerabilities are in a third-party component (Flexera FlexNet Publisher) of their product. Schneider has a patch available that mitigates the vulnerabilities.

The four reported vulnerabilities are:

Improper input validation (3) - CVE-2018-20031, CVE-2018-20032, and CVE-2018-20034; and
Memory corruption - CVE-2018-20033

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to deny the acquisition of a valid license for legal use of the product.

NOTE: There are still three other advisories published by Schneider on Tuesday that have not been reported by NCCIC-ICS; all for Modicon controllers. I will address these on Saturday.

AVEVA Advisory


This advisory describes the same four vulnerabilities reported above, this time in the AVEVA Vijeo Citect and Citect SCADA Floating License Manager. These vulnerabilities have not yet been reported by AVEVA. A new version is available from Schneider to mitigate the vulnerabilities.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to deny the acquisition of a valid license for legal use of the product.

SIMATIC Advisory


This advisory describes three vulnerabilities in the Siemens SIMATIC RF6XXR. The vulnerabilities are in older, third-party SSL and TLS applications still in use by these products. The vulnerabilities were reported by Wendy Parrington from United Utilities. Siemens reports that newer versions mitigate the vulnerabilities.

The three reported vulnerabilities are:

Improper input validation - CVE-2011-3389; and
Cryptographic issues (2) - CVE-2016-6329 and CVE-2013-0169

NCCIC-ICS reports that an uncharacterized attacker could use publicly available exploits (two of these are older, well recognized vulnerabilities) to remotely exploit the vulnerabilities to allow access to sensitive information.

TIA Portal Advisory


This advisory describes an improper access control vulnerability in the Siemens TIA Administrator (TIA Portal). The vulnerability was reported (with proof of concept code) by Joseph Bingham of Tenable. Siemens has an update that mitigates the vulnerability. There is no indication that Bingham has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to execute some commands without proper authentication.

SIMATIC WinCC Advisory


This advisory describes an unrestricted upload of file with dangerous type vulnerability in the Siemens SIMATIC WinCC and SIMATIC PCS7 devices. The vulnerability was reported by Xuchen Zhu from ZheJiang Guoli Security Technology. Siemens has updates available that mitigate the vulnerability. There is no indication that Xuchen has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to cause a denial-of-service condition on the affected service or device. The Siemens advisory notes that the attacker has to be authenticated with a valid user account.

NOTE: There is still one new advisory that Siemens published on Tuesday that has not been reported by NCCIC-ICS. I will cover it tomorrow.

Delta Industrial Advisory


This advisory describes two vulnerabilities in the Delta Electronics CNCSoft ScreenEditor. The vulnerabilities were reported by Natnael Samson (@NattiSamson) via ZDI. Delta has a new version that mitigates the vulnerabilities. There is no indication that Samson was provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

Heap-based buffer overflow - CVE-2019-10982; and
Out-of-bounds read - CVE-2019-10992

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to cause buffer overflow conditions that may allow information disclosure or remote code execution, or crash the application.

Philips Advisory


This advisory describes a use of obsolete function vulnerability in the Philips Holter 2010 Plus, a 12-lead EKG analysis software program. The vulnerability is self-reported. Philips provides generic measures to mitigate the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit this vulnerability to lead to a product feature escalation.

Bills Introduced – 07-11-19


Yesterday, with both the House and Senate in session, there were 64 bills introduced. Four of those bills may see additional coverage in this blog:

HR 3699 To codify the Transportation Security Administration's responsibility relating to securing pipelines against cybersecurity threats, acts of terrorism, and other nefarious acts that jeopardize the physical security or cybersecurity of pipelines, and for other purposes. Rep. Cleaver, Emanuel [D-MO-5]

HR 3710 To amend the Homeland Security Act of 2002 to provide for the remediation of cybersecurity vulnerabilities, and for other purposes. Rep. Jackson Lee, Sheila [D-TX-18]

HR 3714 To amend title 18, United States Code, to reauthorize and expand the National Threat Assessment Center of the Department of Homeland Security. Rep. Deutch, Theodore E. [D-FL-22]

S 2095 A bill to provide for certain programs and developments in the Department of Energy concerning the cybersecurity and vulnerabilities of, and physical threat to, the electric grid, and for other purposes. Sen. Gardner, Cory [R-CO]

I will be watching HR 3710 and S 2095 for specific language referring to industrial control system security issues. For HR 3714 I will be watching for general cybersecurity language while hoping for ICS mentions.

Thursday, July 11, 2019

DHS Publishes PSP Program Announcement – 07-09-19


On Tuesday the DHS Cybersecurity and Infrastructure Security Agency (CISA) published a notice in the Federal Register (84 FR 32768-32777) outlining the implementation process for the expansion of the Personnel Surety Program (PSP) to Tier III and IV facilities. Yesterday they updated the Chemical Facility Anti-Terrorism Standards (CFATS) program landing page with a note about that expansion that pointed at the revised PSP web site.

Overview


Back in 2016 the DHS Infrastructure Security Compliance Division (ISCD, now part of CISA) implemented the portion of the PSP that provided for identifying CFATS employees, contractors or visitors with unaccompanied access to critical areas in covered facilities who may have ties to terrorists. The initial implementation was limited to Tier I and II facilities. In late 2017, ISCD started the process to expand the PSP process to Tier III and IV facilities.

The PSP web site has an interesting graphic that conceptually explains the PSP implementation process:



First, once notified by ISCD that the facility will begin the implementation process (and that notice will start the 60-day implementation clock), the facility will update their site security plan to include information about how they will implement the process at their facility. This week’s notice provides a look at what types of information ISCD will be looking for in that SSP modification. When ISCD approves that amended SSP the clock will again start on the facility’s actual implementation of that facility-specific process.

ISCD will phase this implementation in over the next two years or so. They will provide each Tier III and IV facility with a notice of when they will officially begin the implementation process and the date of that notice begins the 60-day period in which the facility must submit a revised SSP. Facilities can begin work on that SSP revision now, or they can wait until they receive the notice. Facilities can even submit the amended SSP before they receive their notice.

Tier III and IV facilities that have not yet had their SSP approved (or perhaps even authorized) should expect that their SSP will have to include PSP implementation before ISCD gives approval to the plan.

PSP Options


The CFATS PSP provides four different options that facilities may use to screen individuals for possible terrorist ties; actually five, since ISCD included the obligatory possibility for facilities to propose some sort of alternative that would accomplish the same thing. Facilities may use any option or combination of options that they wish.

The notice describes each of these four options (imaginatively entitled: Option 1, Option 2, Option 3 and Option 4) in some detail. In my 2016 blog post I described them this way:

Option 1 – Facility submits data and ISCD has TSA conduct screening;
Option 2 – Facility submits data on personnel with previous screening and ISCD has TSA confirm that screening is current;
Option 3 – Facility uses TWIC Reader to verify identity and screening status of Transportation Workers Identification Credential (TWIC) holder; and
Option 4 – Facility visually inspects a TSDB-based identity document to verify that the person has been screened against the TSDB.

Commentary


I will keep this brief today since I already said most of what I want to say back in 2016. In fact, I did an entire blog post about what problems I expected facilities to face in implementing the PSP. I have not seen anything since then that would significantly change those observations.

Most facilities are going to find that they need a blended approach using two or more of the options that ISCD has provided. I think that every facility should probably expect to use all four options at one point or another. If the initial SSP revision addresses all four options, then the facility will have the maximum amount of flexibility in the PSP implementation. It would certainly save time down the road.

Remember, facilities can (should) begin their SSP revision process before they receive their notice from ISCD. I would not recommend submitting the revised SSP before that notice is received, because the official notice is also going to trigger specific Chemical Security Inspector support for the revision process.

Wednesday, July 10, 2019

5 Advisories and 4 Updates Published – 07-09-19


Yesterday the DHS NCCIC-ICS published four control system security advisories {Siemens (2), Schneider Electric, Rockwell and Emerson}, one medical device security advisory for products from GE, and updated four previously published advisories for products from Siemens.

SIPROTEC Advisory


This advisory describes two improper input validation vulnerabilities in the Siemens SIPROTEC 5 and DIGSI 5 products. The vulnerabilities were reported by Pierre Capillon, Nicolas Iooss, and Jean-Baptiste Galet from Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI). Siemens has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow a denial-of-service condition and limited control of file upload, download, and delete functions.

Spectrum Power Advisory


This advisory describes a cross-site scripting vulnerability in the Siemens Spectrum Power product. The vulnerability was reported by Ismail Mert Ayak of Biznet Bilisim AS. Siemens has an update available that mitigates the vulnerability. There is no indication that Mert has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to inject arbitrary code in a specially crafted HTTP request and monitor information.

NOTE 1: The Siemens advisory uses new terminology for reporting NCCIC-ICS coordination efforts; it cites the “CISA-Industrial Control System Vulnerability Disclosure team” as the coordinating agency. I am wondering if this is an official designation of a specific group of people operating at NCCIC or just another smoke and mirrors name change.

NOTE 2: Siemens published four other advisories yesterday in addition to these two. If they are not addressed by NCCIC-ICS later this week, I will be looking at them Saturday.

Schneider Advisory


This advisory describes a use-after-free vulnerability in the Schneider Zelio Soft programming platform. The vulnerability was reported by the 9sg Security Team via the Zero Day Initiative. Schneider has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow remote code execution through the opening of a specially crafted project file.

NOTE 1: NCCIC-ICS does not provide a link to the Schneider Zelio Soft advisory.

NOTE 2: Schneider published five other advisories yesterday as well as the Zelio Soft advisory. It was a busy ICS security day.

Rockwell Advisory


This advisory describes an improper access control vulnerability in the Rockwell PanelView 5510 HMI. This vulnerability is self-reported. Rockwell has new versions that mitigate the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit this vulnerability to allow a remote unauthenticated user to gain root privileges on the device.

Emerson Advisory


This advisory describes a hard-coded credential vulnerability in the Emerson DeltaV Distributed Control System (DCS) software platform. The vulnerability was reported by Benjamin Crosasso of Sanofi. Emerson has a patch available to mitigate the vulnerability. There is no indication that Crosasso has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to gain administrative access to DeltaV Smart Switches.

GE Advisory


This advisory describes an improper authentication vulnerability in the GE Aestiva and Aespire Anesthesia Machines. The vulnerability was reported by Elad Luz of CyberMDX. GE has provided generic workarounds to mitigate the vulnerability. The FDA has not published a safety communication on this vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker the ability to remotely modify GE Healthcare anesthesia device parameters.

SIMATIC PCS Update


This update provides additional information on an advisory that was originally published on May 14th, 2019. The new information includes updated version data and links to mitigation measures for:

SIMATIC WinCC V7.4;
SIMATIC PCS 7 V8.2; and
SIMATIC PCS 7 V9.0

SIMATIC Update


This update provides additional information on an advisory that was originally published on April 9th, 2019 and updated on May 14th, 2019 and June 11th, 2019. The new information includes updated version data and links to mitigation measures for:

SIMATIC RF600R;
SIMATIC RF185C;
SIMATIC RF186C; and
SIMATIC RF188C

Industrial Products Update


This update provides additional information on an advisory that was originally published on April 9th, 2019 and updated on May 14th, 2019 and June 11th, 2019. The new information includes updated version data and links to mitigation measures for:

SIMATIC RF600R;
SIMATIC RF188C; and
SINEMA Server

CP 1604 Update


This update provides additional information on an advisory that was originally published on February 12th, 2019. The new information includes:

Update version information and mitigations; and
Add fixes for older product versions for CVE-2018-13808

NOTE: Siemens published four additional advisory updates yesterday. NCCIC-ICS is unlikely to address them so I will on Saturday.

Committee Adopts Rule for Consideration of HR 2500 – FY 2020 NDAA


Last night the House Rules Committee formulated the Rule for the consideration of HR 2500, the FY 2020 National Defense Authorization Act (NDAA). It is a structured rule with 439 amendments that may be offered (with provisions for en bloc consideration of amendments). I will be watching five of those amendments. Consideration of the bill begins this afternoon.

The Five Amendments


These are the five amendments that I will be watching; they are the ones I briefly listed last week in my post about the report on HR 2500.

53. Aguilar (D,CA) #244 Expands the Department of Defense Cyber Scholarship Program (formerly known as the Information Assurance Scholarship Program) to include students attending certificate programs that span 1 to 2 years.

158. Gallego (D,AZ) #415 Requires a report on the National Guard's capacity to meet Homeland Defense missions.

200. Jackson-Lee (D,TX) #160 (REVISED) Requires a report from the Secretary of Defense, 240 days after the date of enactment, to the congressional defense committees that accounts for all of the efforts, programs, initiatives, and investments of the Department of Defense to train elementary, secondary, and postsecondary students in fields related to cybersecurity, cyber defense, and cyber operations.

363. Speier (D,CA) #395 (REVISED) Increases funding for the Defense Security Service by $5,206,997 for the purposes of procurement of advanced cyber threat detection sensors, hunt and response mechanisms, and commercial cyber threat intelligence to ensure Defense Industrial Base networks remain protected from nation state adversaries.

381. Torres, Norma (D,CA), Panetta (CA), Cisneros (CA), Stevens (MI) #457 (REVISED) Requires the Department of Defense, in consultation with the Manufacturing Extension Partnership program, to develop policies to assist small- and mid-sized manufacturers to meet cybersecurity requirements.

The Gallego amendment is interesting. It would require a DOD report to Congress setting out “the roles and missions, structure, capabilities, and training of the National Guard and the United States Northern Command, and an identification of emerging gaps and shortfalls in light of current homeland security threats to our country” {new §520(1)}. Critical infrastructure cybersecurity is never explicitly mentioned in the amendment (an odd oversight) but would almost certainly be covered in any DOD report submitted in response to this amendment.

The one specific threat that is mentioned is a “multi-State electromagnetic pulse event” {new §520(2)}. Presumably DOD would also include a geomagnetic storm event in any report on the topic as the response to the two would be similar.

Moving Forward


None of the amendments listed above are very controversial and only one provides a specific spending authorization. Speier would offset that spending increase by decreasing the amount authorized “in section 101 for other procurement, Air Force” {new §16XX(b)}. I suspect that all five of these amendments will be adopted; most will be included in en bloc amendments.

HR 2500 will pass, probably along a nearly party-line vote. The Senate already passed their version of the NDAA, S 1790, so differences between the two bills will have to be worked out (probably over the summer recess) in a conference committee. Normally, that reported version of the NDAA would be expected to pass, but with the whimsical nature of the current occupant of the White House, that is not a guarantee that anyone would be willing to make.

Monday, July 8, 2019

Committee Hearings – Week of 07-07-19


With both the House and Senate back in Washington after their 4th of July recess there is a relatively light committee hearing schedule. Only two hearings of interest here; one on grid cybersecurity and a Rules Committee hearing on the House version of the NDAA.

Grid Cybersecurity


On Friday, the Energy Subcommittee of the House Energy and Commerce Committee will hold a hearing on “Keeping The Lights On: Addressing Cyber Threats To The Grid”. The witness list is not yet available.

HR 2500 Rule


On Tuesday the House Rules Committee will meet to consider HR 2500, the FY 2020 National Defense Authorization Act. To date, a total of 658 amendments have been submitted to the Committee for consideration. This hearing will determine which of those amendments will be considered on the Floor of the House.

The bill is currently scheduled to be considered on the floor starting on Wednesday with a final vote likely on Friday.

NOTE: While there had been some talk about including the DHS appropriations bill (still not published by the House Appropriations Committee) in this bill as a way to move that forward, it does not look like that will happen.

Saturday, July 6, 2019

HR 3318 Introduced – TSA Threat Analysis

Last month Rep. Joyce (R,PA) introduced HR 3318, the Emerging Transportation Security Threats Act of 2019. The bill would require the Transportation Security Administration (TSA) to “establish a task force to conduct an analysis of emerging and potential future threats to transportation security” {§2(a)}. No specific funding for the task force is authorized in the bill.

Emerging and Future Threats


The Task Force analysis would include emerging and potential future threats posed by the following {§2(b)}:

• Evolving tactics by terrorist organizations that may pose a catastrophic risk to an aviation or surface transportation entity.
• Explosive and explosive devices or attacks involving the use of explosives that may cause catastrophic damage to an aviation or surface transportation system.
• Chemical or biological agents being released in either aviation or surface transportation systems.
• Cyberthreat actors seeking to undermine confidence in transportation systems or cause service disruptions that jeopardize transportation security.
• Unmanned aerial systems with the capability of inflicting harm on transportation targets.
• Individuals or groups seeking to attack soft targets, public areas, or crowded spaces of transportation systems.
• Inconsistent or inadequate security screening protocols at last point of departure airports with direct flights to the United States.
• Information sharing challenges within the Federal Government and among partner governments.
• Information sharing challenges between the Administration or other relevant Federal agencies and transportation stakeholders, including air carriers, airport operators, surface transportation operators, and State and local law enforcement.
• Growth in passenger volume in both the aviation and surface transportation sectors.

Threat Mitigation


The bill would subsequently require the TSA to develop “a threat mitigation strategy for each of the threats examined in such analysis” {§2(c)}. This would include:

• Assigning appropriate resources of the Administration to address such threats, based on calculated risk; or
• Provide recommendations through the Department of Homeland Security to the appropriate Federal department or agency responsible for addressing such threats.

TSA would also be required to improve stakeholder engagement and provide a briefing to Congress.

Moving Forward


Joyce and his cosponsor, Rep. Rogers (R,AL) are both members of the House Homeland Security Committee (and Rogers is the Ranking Member of that Committee), so there is a reasonable chance that this bill could be considered by the Committee.

There is nothing in the bill that would engender any specific political or business opposition to the bill; study and report bills seldom do. I suspect that the bill would receive substantial bipartisan support in Committee. With such support the bill would be considered by the full House (if there were enough political influence to move the bill forward) under the suspension of the rules process.

Commentary


Joyce’s staff did a good job of ensuring that the language of the bill provided nearly equal coverage to threats against both airline and surface transportation assets. Unfortunately, the language is clearly focused on passenger transportation, and calls for scant scrutiny of freight transportation (either air or ground) or pipeline security. This is especially true when it comes to the one reference to chemical threats.

With that in mind, I would like to offer the following changes to some of the ‘elements’ of the threat that are to be considered by the threat analysis in §2(b) (highlighted words are added):


(1) Evolving tactics by terrorist organizations that may pose a catastrophic risk to an aviation or surface transportation entity including freight transportation in both modes.

(2) Explosive and explosive devices or attacks involving the use of explosives that may cause catastrophic damage to an aviation or surface transportation system or cause a release of hazardous industrial chemicals in surface freight transportation.

(4) Cyberthreat actors seeking to undermine confidence in transportation systems or cause service disruptions that jeopardize transportation security or cause catastrophic damage to a hazardous material or fuel pipeline.

The other problem that this bill ignores is the lack of specific authority provided to TSA to issue security regulations for surface transportation or the failure of TSA to implement the few regulations that it has been authorized to issue. With that in mind I would re-do paragraph (e) to read:

(e) BRIEFING TO CONGRESS.—The Administrator of the Transportation Security Administration shall brief the Committee on Homeland Security of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate on: the results of the analysis required under subsection (a) and relevant mitigation strategies developed in accordance with subsection (c).
(1) The results of the analysis required under subsection (a);
(2) The relevant mitigation strategies developed in accordance with subsection (c);
(3) The status of current rulemakings authorized by Congress that might address the threats identified in subsection (a); and
(4) What rulemaking authorities that TSA or other Federal agencies might need from Congress to appropriately apply the mitigation strategies developed in accordance with subsection (c).