Saturday, September 14, 2019

FAA Sends UAS Identification Rule to OMB


On Thursday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking from the DOT’s Federal Aviation Administration (FAA) for “Remote Identification of Unmanned Aircraft Systems” (UAS).

The abstract for this rulemaking in the Spring 2019 Unified Agenda notes:

“This action would implement system(s) for the remote identification of certain unmanned aircraft systems. The remote identification of unmanned aircraft systems in the national airspace system would further address security and law enforcement concerns regarding the further integration of these aircraft into the national airspace while also enabling greater operational capabilities by these same aircraft.”

I suspect that this rulemaking will be limited to larger, commercial UAS, not the smaller hobby drones.

Public ICS Disclosures – Week of 09-07-19


This week we have 11 vendor disclosures for products from Siemens (3), Schneider (3), Bosch (2), 3S, Eaton, and Draeger. We also have 3 vendor updates from Schneider (2) and Siemens.

Siemens Advisories


DejaBlue Advisory

Siemens published an advisory describing the Microsoft Windows® DejaBlue vulnerabilities in the Siemens Healthineers Products. In most of the affected products Siemens is recommending applying the appropriate MS patches.

Siemens repeatedly makes the following observation: “The compatibility of Microsoft security patches with products from Siemens Healthineers that are beyond their End of Support date cannot be guaranteed.”

RUGGEDCOM URGENT/11 Advisory

Siemens published an advisory describing the Wind River URGENT/11 vulnerabilities in the Siemens RUGGEDCOM Win base stations. Siemens provides generic workarounds for the vulnerabilities.

SINEMA Advisory

Siemens published an advisory describing four vulnerabilities in the Siemens SINEMA Remote Connect Server. The vulnerabilities were reported by Hendrik Derre and Tijl Deneut from HOWEST. Siemens has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

Password guessing - CVE-2019-13918;
Privilege escalation - CVE-2019-13919;
Cross-site request forgery - CVE-2019-13920; and
Password hash - CVE-2019-13922

Siemens Update


Siemens published an update for an advisory that was originally published on June 9th, 2019. This update provides corrected version information and mitigation information for:

FieldPG M4;
FieldPG M5; and
ITP1000

Schneider Advisories


U.Motion Server Advisory

Schneider published an advisory describing six vulnerabilities in the Schneider U.motion DIN rail and touch panel servers. The vulnerabilities were reported by Zhu Jiaqi and Constantin-Cosmin Craciun. Schneider has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

Cross-site scripting - CVE-2019-6835;
Improper access control (3) - CVE-2019-6836, CVE-2019-6838 and CVE-2019-6839;
Server-side request forgery - CVE-2019-6837; and
Format string - CVE-2019-6840

Modicon Quantum Advisory

Schneider published an advisory describing an improper check for unusual or exceptional conditions vulnerability for the Schneider Modicon Quantum 140 NOE771x1 controllers. The vulnerability is self-reported. Schneider has a new version that mitigates the vulnerability.

TwidoSuite Advisory

Schneider published an advisory describing two vulnerabilities in the Schneider TwidoSuite product. The vulnerabilities are self-reported. This product is no longer supported.

The two reported vulnerabilities are:

Untrusted search path;
Input validation

Schneider Updates


BlueKeep Update

Schneider published an update for an advisory that was originally published on July 12, 2019. The update includes:

Exploit information; and
Updated affected product versions

Floating License Manager Update

Schneider published an update for an advisory that was originally published on May 14th, 2019. The update provides updated affected product information.

Bosch Advisories


Bosch published two advisories (here and here) describing vulnerabilities in the Access Professional access control system. The vulnerabilities were reported by Oleksii Orekhov. Bosch has a new version that mitigates the vulnerabilities. There is no indication that Orekhov has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

Hard-coded credentials - CVE-2019-11898; and
Improper access control - CVE-2019-11899

3S Advisory


3S published an advisory describing a stack-based buffer overflow vulnerability in the CODESYS V2.3 ENI servers. This vulnerability was reported by Chen Jie from NSFOCUS. 3S has an update that mitigates the vulnerability. There is no indication that Chen has been provided an opportunity to verify the efficacy of the fix.

Eaton Advisory


Eaton published an advisory describing multiple undisclosed vulnerabilities in the Eaton Intelligent Power Protector. The vulnerabilities are apparently self-reported. Eaton has a new version that mitigates the vulnerabilities.

NOTE: Eaton continues to publish unusable security advisories.

Dräger Advisory


Dräger published an advisory describing the Microsoft Windows® DejaBlue vulnerabilities in Dräger products.

Friday, September 13, 2019

Bills Introduced – 09-12-19


Yesterday with both the House and Senate in session, there were 52 bills introduced. Of those, four will likely receive additional attention in this blog:

HR 4306 To require the Administrator of the Federal Railroad Administration to conduct an evaluation of the safety, security, and environmental risks of transporting liquefied natural gas by rail, and for other purposes. Rep. DeFazio, Peter A. [D-OR-4]

S 2469 A bill to amend title 49, United States Code, to require the use of advanced leak detection technology for pipelines, and for other purposes. Sen. Udall, Tom [D-NM]

S 2470 An original bill making appropriations for energy and water development and related agencies for the fiscal year ending September 30, 2020, and for other purposes. Sen. Alexander, Lamar [R-TN]

S 2474 An original bill making appropriations for the Department of Defense for the fiscal year ending September 30, 2020, and for other purposes. Sen. Shelby, Richard C. [R-AL]

DeFazio has been fighting a PHMSA special permit for shipping LNG by rail for a couple of months now. This appears to be the latest salvo.

Two of the three spending bills that were scheduled for this week were adopted in the Senate Appropriations Committee. The failure of the Committee to vote on the Labor, Health and Human Services, Education, and Related Agencies bill reflects the continuing problem the Congress is having with spending bills.

This is going to have an impact on how the Senate deals with the first House spending minibus (HR 2740) that passed in the House in June. Since that minibus included all three of the spending bills mentioned above, the Senate will not be able to take up HR 2740 and substitute language from their three bills (only two have been published). They can either substitute language from the two bills that were adopted by Committee and try to just amend the House language on the LHHE portion of the bill, or just wait until the Committee can reach an internal compromise that would allow the introduction of the Senate LHHE bill. I suspect the later will be the case. If this cannot be accomplished in the next week or so, we have no real chance of seeing spending bills sent to the President and will have to wait for a continuing resolution and an omnibus bill later in the year. Not looking forward to this, haven’t been all year.

6 Advisories Published – 09-12-19


Yesterday the DHS NCCIC-ICS published five control system security advisories for products from 3S and a medical device security advisory for products from Philips.

Communication Server Advisory


This advisory describes a detection of error condition without action vulnerability in the CODESYS V3 products containing a CODESYS communication server. The vulnerability was reported by Martin Hartmann from cirosec GmbH. 3S has a new version that mitigates the vulnerability. There is no indication that Hartmann has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to cause a denial-of-service condition.

OPC UA Server Advisory


This advisory describes a null pointer dereference vulnerability in the CODESYS Control V3 OPC UA Server. The vulnerability is self-reported. 3S has a new version that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause a denial-of-service condition.

Online User Management Advisory


This advisory describes an incorrect permission assignment for critical resource vulnerability in the CODESYS Control V3 online user management. The vulnerability is apparently self-reported. 3S has a new version that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow unauthorized actors access to unintended functionality and/or information.

Library Manager Advisory


This advisory describes a cross-site scripting vulnerability in the CODESYS V3 Library Manager. The vulnerability was reported by Heinz Füglister of WRH Walter Reist Holding AG. 3S has a new version that mitigates the vulnerability. There is no indication that Füglister has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow malicious content from manipulated libraries to be displayed or executed.

Web Server Advisory


This advisory describes two vulnerabilities in the CODESYS V3 web server. The vulnerabilities were reported by Ivan Cheyrezy of Schneider Electric. 3S has new versions that mitigate the vulnerabilities. There is no indication that Cheyrezy has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

Path traversal - CVE-2019-13532; and
Stack-based buffer overflow - CVE-2019-13548

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to create a denial-of-service condition, to perform remote code execution, or to access restricted files.

NOTE 1: It is good to see cooperative sharing of vulnerability information between vendors, but I suspect that Schneider reported these vulnerabilities because they found them in their own product that used the CODESYS web server as a third-party component of one or more of their products. It will be interesting to see how long it takes Schneider to report these vulnerabilities.

NOTE 2: 3S has not yet reported any of the vulnerabilities in the above advisories on their web site. They did, however, publish an advisory on another product earlier this week that I will discuss tomorrow.

Philips Advisory


This advisory describes two vulnerabilities in the Philips IntelliVue WLAN portable patient monitors. The vulnerabilities were reported by Shawn Loveric of Finite State, Inc. One of the affected WLAN versions is out-of-support and will not receive mitigation actions. Philips intends to have a patch available by the end of the year.

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerabilities to cause corruption of the IntelliVue WLAN firmware and impact to the data flow over the WLAN Version A and WLAN Version B wireless modules. This would lead to an inoperative condition alert at the device and Central Station. The Philips Advisory reports that it would take “an unauthorized user with a high skill level and access to the device’s local area network” to exploit the vulnerabilities.

Thursday, September 12, 2019

HR 4091 Introduced – ARPA-E Reauthorization


Last month Rep. Johnson (D,TX) introduced HR 4091, the ARPA–E Reauthorization Act of 2019. In addition to reauthorizing the DOE Advanced Research Projects Agency—Energy, it expands the goals of ARPA-E to include security.

Security Goal


The bill would amend 42 USC 16538(c)(1)(A) by adding a new subparagraph (v):

(v) improve the resilience, reliability, and security of infrastructure to produce, deliver, and store energy; and

There is no other discussion of ‘security’ within the bill and no definitions are provided.

Moving Forward


Johnson is the Chair of the House Science, Space, and Technology Committee to which this bill was assigned for consideration. There are 29 cosponsors to the bill; only two of those are Republicans and neither are on the Committee.

The bill was considered by the Energy Subcommittee yesterday and ordered reported favorably to the full Committee by a voice vote. One amendment was considered; a Republican amendment to reduce the amounts of monies authorized for Energy Transformation Acceleration Fund. The amendment failed on a voice vote.

Commentary


It would make some sense to me that when adding a goal to an agency mission one should ensure that the purpose of that goal is clearly defined. With that in mind, I would like to propose the addition of the following definition to §16538:

Section 16538(a) is amended by adding subparagraph (4):
“(4) Security – The term ‘security’ means measures undertaken to prevent, identify or respond to:
(i) unauthorized physical access to facilities;
(ii) the unauthorized application of force against, or direction of energy at, a facility with the intent to disrupt operations of the facility; or
(iii) to protect against cybersecurity threats as that term is defined in 6 USC 1501.

This definition would make it clear that ARPA-E funded investigations could address the full range of security measures to protect energy production, storage or transmission facilities, including measures to prevent/mitigate cyberattacks and electromagnetic pulse attacks.

Bills Introduced – 09-11-19


Yesterday with both the House and Senate in session, there were 29 bills introduced. One of these bills may receive additional attention in this blog:

S 2466 A bill to provide supplemental appropriations for safe and secure water, and for other purposes. Sen. Harris, Kamala D. [D-CA]

While I suspect that the ‘secure water’ mentioned in the description of this bill refers to water supply security not cybersecurity or chemical security at water treatment facilities, I could be wrong.

OMB Approves PHMSA Pipeline Safety Rule – 09-11-19


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rule from the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) that would expand certain pipeline safety requirements for gas transmission pipelines. The notice of proposed rulemaking (NPRM) for this rule was published in April 2016.

According to the abstract for this rulemaking published in the Spring 2019 Unified Agenda:

“This rulemaking amends the pipeline safety regulations to address the testing and pressure reconfirmation of certain previously untested gas transmission pipelines and certain gas transmission pipelines with inadequate records, require operators incorporate seismicity into their risk analysis and data integration, require the reporting of maximum allowable operating pressure exceedances, allow a 6-month extension of integrity management reassessment intervals with notice, and expand integrity assessments outside of high consequence areas to other populated areas.”

There is no telling how long it will take PHMSA to publish this final rule in the Federal Register. Agencies in the Trump Administration have been taking longer than the historical norm to publish regulations.

Wednesday, September 11, 2019

S 2297 Introduced – CG Authorization


Just before the summer recess Sen. Sullivan (R,AK) introduced S 2297, the Coast Guard Authorization Act of 2019. This annual bill provides continued authority for the operation of the Coast Guard and makes changes to that operation. The House version of this bill (HR 3409) passed in the House by a voice vote.

Port Security


Section 231 of the bill amends 46 USC 70116 which was completely re-written in the last session’s CG Authorization Act (PL 115-282 or S 140 as the PL has yet to be published). This new language expands the authority of DHS (presumably through the Coast Guard) to prevent or respond to security incidents beyond just ‘an act of terrorism’. The Department would have additional authority to prevent or respond to “cyber incidents, transnational organized crime, and foreign state threats” in both subsections (a) and (b).

The DHS actions in support of this authority are exempted from the Administrative Procedures and the Analysis of Regulatory Functions chapters of 5 USC.

No changes were made to §70102a, which contains language identical to the existing §70116.

Security Plan Review


Section 308 of this bill would provide the same requirement for DHS to review MTSA security plans updates as found in §317 of the House bill.

Moving Forward


Sullivan is the Chair of the Security Subcommittee of the Senate Commerce, Science, and Transportation Committee. As such he is at least partially responsible for Coast Guard related legislation (the security related provisions anyway) in that Committee. Sen. Markey (D,MA) is the Ranking Member of that Subcommittee and is a cosponsor of this bill. This bill will almost certainly be taken up in Committee in the coming months and it would appear that it would have substantial bipartisan support.

Commentary


It is interesting that none of the cybersecurity provisions found in the House bill (none of them really important or significant) were included in this bill. Markey has tried to make himself known as the cybersecurity senator, but that interest was not apparently extended to Coast Guard operations.

The expansion of the security interests of the Coast Guard is another oddity of this bill. It is not clear to me why Congress created identically worded Sections 70102a and 70116 last session, but it boggles the mind even more why only one of those sections would be changed to provide additional reaction authority to the Coast Guard. There is some sort of legislative logic to this oddity, I just cannot figure it out.

Tuesday, September 10, 2019

6 Advisories and 3 Updates Published – 09-10-19


The DHS NCCIC-ICS published six control system security advisories for products from OSIsoft, Siemens (4), and Delta Electronics. They also updated two previously published advisories for products from Siemens and an alert from Mitsubishi Electric Europe.

OSIsoft Advisory


This advisory describes an integer overflow or wraparound vulnerability in the OSIsoft PI SQL Client. The vulnerability is self-reported. OSIsoft has a new version that mitigates the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to allow remote code execution or cause a denial of service, resulting in disclosure, deletion, or modification of information.

SIMATIC Advisory


This advisory describes an improper input validation vulnerability in the Siemens SIMATIC TDC CP51M1 multiprocessor automation system. The vulnerability is self-reported. Siemens has a new version that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to create a denial-of-service condition within UDP communication.

WirelessHart Gateway Advisory


This advisory describes a cross-site scripting vulnerability in the Siemens IE/WSN-PA Link WirelessHART Gateway. The vulnerability is self-reported. Siemens has provided generic mitigation measures for the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to allow information disclosure, code execution, or denial-of-service.

Comment: Usually a vendor provides generic mitigation measures for a vulnerability when they are forced to disclose a vulnerability due to the disclosure process. With this being a self-disclosed vulnerability, Siemens was not forced to disclose this vulnerability with a generic mitigation. That takes a certain amount of integrity, but it does place some of their customers at an unusual level of risk. The generic mitigation measure is not unusual or even an unexpected requirement, but some customers will not have taken the standard precaution and are unlikely to implement it now.

Industrial Product Advisory


This advisory describes three vulnerabilities in the Siemens Industrial Products. The vulnerabilities were self-reported. Siemens has new versions that mitigate the vulnerabilities in some of the affected products.

The three reported vulnerabilities are:

Integer overflow or wraparound - CVE-2019-11477;
Uncontrolled resource consumption (2) - CVE-2019-11478 and CVE-2019-11479

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to cause a denial-of-service condition.

SINETPLAN Advisory


This advisory describes an improper authorization vulnerability in the Siemens Network Planner (SINETPLAN). The vulnerability is self-reported. Siemens has a new version that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow information disclosure, code execution, and denial-of-service. The Siemens Advisory notes that the vulnerability can only be exploited by “local users”.

Delta Electronics Advisory


This advisory describes three vulnerabilities in the Delta Electronics TPEditor. The vulnerabilities were reported by kimiya of 9sg Security Team via the Zero Day Initiative. Delta has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

Stack-based buffer overflow - CVE-2019-13540;
Heap-based buffer overflow - CVE-2019-13536; and
Out-of-bounds write - CVE-2019-13544

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to allow information disclosure, remote code execution, or may crash the application.

PCS7 Update


This update provides new information on an advisory that was originally reported on July 9th, 2019 and last updated on August 13th, 2019. The new information includes updated version information and mitigation links for SIMATIC WinCC Runtime Professional V14 and V15.

WinCC Update


This update provides new information on an advisory that was originally reported on July 11th, 2019 and updated on August 13th, 2019.

Mitsubishi Update


This update provides new information on an alert that was originally published on August 13, 2019. The revised alert changes the name of the vendor to “Mitsubishi Electric Europe B.V.”.

Other Siemens Advisories


Today was disclosure Tuesday for Siemens. They published six advisories and three updates. Two of those advisories are for third-party vulnerabilities (DejaBlue and Urgent/11). The Urgent/11 advisory could be added to the NCCIC-ICS advisory on those vulnerabilities via an update on Thursday. To date, NCCIC-ICS has not addressed DejaBlue, so I suspect that this Siemens advisory will be ignored. The last advisory will probably be addressed by NCCIC-ICS on Thursday.

Monday, September 9, 2019

Committee Hearings – Week of 09-08-19


This week both the House and Senate will be back in Washington after their long summer recess. Spending bills will be the big news this week, but congressional committees will be tackling some other issues as well. Of concern here will be a Chemical Facility Anti-Terrorism Standards (CFATS) hearing, DOE security, homeland security threats, and TSA oversight.

Appropriations


With spending bills (or continuing resolution) due by the end of the month, the Senate Appropriations Committee will start marking up spending bills this week (they were waiting on the budget deal to be completed before they started their work). The following hearings are scheduled:

• Defense Subcommittee – 9-10-19;
• Labor, Health and Human Services, Education, and Related Agencies Subcommittee – 9-10-19;
• State, Foreign Operations, and Related Programs Subcommittee – 09-11-19; and
• Full Committee – 09-12-19

It looks like the Full Committee bill will be a minibus combining the bills from the three subcommittees listed above. This would be the equivalent of the first minibus (HR 2740) that was passed in the House back in June. We are likely to see this bill next week on the floor of the Senate. Even if it is passed then, it will likely have to go to conference with the House before it can be sent to the President. That is unlikely (possible though, depending on how partisan the bill is) to happen before the end of the month.

Homeland Security Threats


On Tuesday the House Homeland Security Committee will hold a hearing on "Global Terrorism: Threats to the Homeland, Part I". No witness list is available. I doubt that there will be much (if any) focus on cybersecurity or specific threats against chemical facilities, but we will have to wait and see.

CFATS Hearing


On Wednesday the House Energy and Commerce Committee will hold a hearing on "Protecting and Securing Chemical Facilities from Terrorist Attacks". The witness list includes:

• David Wulf, DHS;
• Matthew Fridley, Brenntag North America, Inc;
• Michele Roberts, Environmental Justice Health Alliance (EJHA);
• John Paul Smith, United Steelworkers (USW); and
• Scott Welchel, Dow Chemical Company

NOTE: Wulf is listed as the “Acting Deputy Assistant Secretary for Infrastructure Protection” not the Director of the DHS Infrastructure Security Compliance Division (ISCD). This is a recurring problem for Wulf; every time there is a vacancy up the chain of command at DHS, Wulf moves up to the IP position.

The ‘missing’ witness here is a representative from the GAO. We typically see a GAO representative at these CFATS hearings. The other, oddly refreshing, thing about the witness list is that it is balanced: two activist organizations and two industry organizations. Typically, a committee controlled by Democrats has three activist and one industry representative on the witness panel (and to be fair, Republican controlled committees generally reverse the ratio).

This is being billed as a ‘legislative hearing’ focusing on HR 3256, Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2019. In other words, the Committee would expect to hear the witness opinions about the provisions of the bill. Interestingly, the copy of the bill is the copy of the bill as introduced, not the amended version that was passed in the Homeland Security Committee. The summary provided in the Staff Briefing Memo, however, refers to the amended version of the bill.

DOE Security


On Wednesday the Senate Energy Subcommittee of the Energy and Natural Resources Committee will hold a legislative hearing looking at nine pending bills. The witness list includes:

• Mark Menezes, DOE; and
• Anton Porter, FERC

One of the nine bills has been covered here: S 2095, Enhancing Grid Security Through Public-Private Partnerships Act.

TSA Oversight


On Wednesday the Senate Commerce, Science, and Transportation Committee will hold a hearing on “Protecting the Nation’s Transportation Systems: Oversight of the Transportation Security Administration”. The current witness list has only one witness, Patricia Cogswell, Acting Deputy Administrator, TSA.

As with most TSA related hearings, I suspect that the vast majority of the discussion at this hearing will be targeted at passenger air security, not surface security issues.

Saturday, September 7, 2019

OMB Approves PHMSA Emergency Order Procedures Final Rule


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rule from the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) for “Pipeline Safety: Enhanced Emergency Order Procedures”. The approval was provided ‘Consistent with Change’, indicating that OMB required some sort of normally minor revisions to the document.

The abstract from the 2019 Unified Agenda entry for this rulemaking explains:

“PHMSA issued an interim final rule (IFR) that established regulations implementing the emergency order authority conferred on the Secretary of Transportation by the Protecting our Infrastructure of Pipelines and Enhancing Safety Act of 2016 (PIPES Act of 2016 or Act). These regulations are mandated by the PIPES Act of 2016 and establish procedures for the issuance of emergency orders (restrictions, prohibitions) to address unsafe conditions or practices posing an imminent hazard. The purpose of these requirements is to improve PHMSA's existing enforcement authority to allow us to respond immediately and effectively to conditions or practices that pose serious threats to life, property, or the environment. The next planned action is to finalize the interim final rule.”

This final rule would formalize the requirements established in the interim final rule (IFR) published in October 2014. According to 49 USC 60117(o)(7)(A), this final rule should have been published by March 20th, 2017 (270 days from June 22nd, 2016).

There is no way of knowing when this rule will eventually be published in the Federal Register.

Public ICS Disclosures – Week of 08-31-19


This week we have a vendor disclosure from Niagara and vendor updates from Belden and Phoenix Contact. There is also a researcher report of vulnerabilities for products from Danfoss and a public report of an exploit for previously reported vulnerabilities from Siemens.

Niagara Advisory


Niagara published an advisory describing two privilege escalation vulnerabilities in their QNX operating system that is used in a number of embedded automotive systems. The vulnerabilities are apparently self-reported. Niagara has updates that mitigate the vulnerabilities.

Belden Update


Belden published an update for their advisory on the Wind River VxWorks vulnerabilities (Urgent/11). The new information includes product version numbers that mitigate the vulnerabilities.

Phoenix Contact Update


Phoenix Contact published an update [.PDF download] for previously reported vulnerabilities in their AXC F 2152 products. The new information includes an added remediation option for the SD-Card issue (page 6).

Danfoss Report


RiskBased Security published a report (see threatpost.com article) describing seven vulnerabilities in the Danfoss AK-EM 800 Enterprise Management solution from Danfoss for the food retail industry. This was a coordinated disclosure and Danfoss has released an updated version that mitigates the vulnerabilities. There is no indication that the researchers have verified the efficacy of the fix.

The seven reported vulnerabilities are:

Undocumented debug service predictable password remote backdoor;
LogFilesDownloadServlet unauthorized remote access;
Web interface user authentication account lockout remote DoS;
Insecure default permissions local privilege escalation;
Multiple files insecure default permissions local credential disclosure;
Web interface default credentials; and
Unsafe third-party components

Siemens Exploit


Pen Test Partners published a report on their development of an exploit for reversible encryption vulnerabilities in the Siemens SCALANCE switches. Siemens reported these vulnerabilities back in June.

Friday, September 6, 2019

2 Advisories and 2 Updates Published – 09-05-19


Today the DHS NCCIC-ICS published a control system security advisory for products from Red Lion Controls and a medical device security advisory for products from BD. They also published two advisory updates for products from Rockwell.

Red Lion Advisory


This advisory describes four vulnerabilities in the Red Lion Controls Crimson (Windows configuration software). The vulnerabilities were reported by Michael DePlante, Anthony Fuller, and Todd Manning via the Zero Day Initiative. Red Lion has a new release that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

Use after free - CVE-2019-10996;
Improper restriction of operations within the bounds of a memory buffer - CVE-2019-10978;
Pointer issues - CVE-2019-10984; and
Use of hard-coded cryptographic key - CVE-2019-10990

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to execute code, crash the device, or view protected data.

BD Advisory


This advisory describes a session fixation vulnerability in the BD Pyxis medication management platform. The vulnerability is self-reported. BD has a new version that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to use the Active Directory (AD) credentials of a previously authenticated user to gain access to the device. This could result in an attacker having the same level of privilege that was granted to the user prior to account expiration, and could allow access to patient data and medications. The BD advisory reports that “a malicious attacker must bypass physical controls to obtain physical access to the hospital, physical access to the devices impacted and utilize expired Active Directory credentials.”
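Session fixation in the abstract, as an added example written for this post rather than BD's code (it says nothing about how Pyxis actually handles sessions): a toy login flow that adopts a client-supplied session ID and never re-checks account state, beside the form that rotates the ID at login and re-validates expiry on each use. The directory entries, passwords, fixed clock and the `accountExpires`-style attribute are all constructed for illustration.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Fixed clock so the example is deterministic (constructed).
NOW = datetime(2019, 9, 5, tzinfo=timezone.utc)

# Constructed stand-in for directory accounts; 'expires' models an
# accountExpires-style attribute. One account is already expired.
DIRECTORY = {
    "nurse01": {"password": "Correct-Horse", "expires": NOW + timedelta(days=30)},
    "contractor": {"password": "Temp-Pass", "expires": NOW - timedelta(days=1)},
}


@dataclass
class Session:
    sid: str
    user: Optional[str] = None


class VulnerableApp:
    """Adopts whatever session ID the client presents, keeps it across login,
    then trusts the session forever: the two halves of the weakness."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def visit(self, sid: Optional[str] = None) -> str:
        # An ID supplied by the client (URL parameter, planted cookie) is
        # accepted and registered as-is.
        if sid is None:
            sid = secrets.token_hex(16)
        self.sessions.setdefault(sid, Session(sid))
        return sid

    def login(self, sid: str, user: str, password: str) -> Optional[str]:
        acct = DIRECTORY.get(user)
        if acct is None or acct["password"] != password:
            return None
        self.sessions[sid].user = user  # same ID before and after authentication
        return sid

    def whoami(self, sid: str, now: datetime = NOW) -> Optional[str]:
        s = self.sessions.get(sid)
        return s.user if s else None  # account expiry is never consulted


class HardenedApp(VulnerableApp):
    def visit(self, sid: Optional[str] = None) -> str:
        # Unknown client-supplied IDs are ignored; the server always mints its own.
        if sid is not None and sid in self.sessions:
            return sid
        fresh = secrets.token_hex(16)
        self.sessions[fresh] = Session(fresh)
        return fresh

    def login(self, sid: str, user: str, password: str) -> Optional[str]:
        acct = DIRECTORY.get(user)
        if acct is None or acct["password"] != password or acct["expires"] <= NOW:
            return None
        self.sessions.pop(sid, None)  # drop the pre-authentication session
        fresh = secrets.token_hex(16)  # rotate the identifier on privilege change
        self.sessions[fresh] = Session(fresh, user=user)
        return fresh

    def whoami(self, sid: str, now: datetime = NOW) -> Optional[str]:
        s = self.sessions.get(sid)
        if s is None or s.user is None:
            return None
        if DIRECTORY[s.user]["expires"] <= now:  # re-validate the account on every use
            self.sessions.pop(sid, None)
            return None
        return s.user


def fixation_attack(app: VulnerableApp) -> Optional[str]:
    """Attacker plants a known ID, the victim authenticates under it, and the
    attacker presents the planted ID. Returns the identity the app grants."""
    planted = "attacker-chosen-id"
    sid = app.visit(planted)
    app.login(sid, "nurse01", "Correct-Horse")  # victim logs in
    return app.whoami(planted)                  # attacker replays the planted ID


def stale_session(app: VulnerableApp) -> Optional[str]:
    """Session established while the account was valid, used after it expired."""
    sid = app.login(app.visit(), "nurse01", "Correct-Horse")
    return app.whoami(sid, now=NOW + timedelta(days=31))
```

Against `VulnerableApp` both helpers return `"nurse01"`; against `HardenedApp` both return `None`, and a login attempt with the already-expired `contractor` account is refused outright. The two controls are independent: rotating the ID defeats fixation, re-checking directory state on each request is what stops a session from outliving the account that created it.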

Medical Device Security Patient Engagement Meeting


The FDA announced that the Center for Devices and Radiological Health’s (CDRH) Patient Engagement Advisory Committee will be holding a meeting on September 10th, 2019 to address “Cybersecurity in Medical Devices:  Communication That Empowers Patients”. The meeting will be webcast and the public is invited to participate.

Allen-Bradley Update


This update provides additional information on an advisory that was originally published on February 19th, 2019 (not the 2-9-19 date reported in the update). The new information includes a link to a patch that mitigates the vulnerabilities.

NOTE: I briefly reported on the Rockwell update last Saturday.

Arena Simulation Update


This update provides additional information on an advisory that was originally published on August 1st, 2019. The new information includes:

Two new vulnerabilities (type confusion and insufficient UI warning of dangerous operations); and
Removal of the link to the Rockwell advisory.

NOTE 1: The link provided in the original advisory did not work. Here is the one that I use to get to the list of Rockwell advisories (log in required) https://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102.

NOTE 2: There is no corresponding update to the Rockwell Advisory.

Thursday, September 5, 2019

Sandia Labs Crude Oil Fire Report – August 2019


Last month Sandia National Laboratories published a report on a series of experiments done looking at the pool fire characteristics of a variety of crude oil samples with a wide range of vapor pressures. At least one news organization has jumped on the conclusions explicated in the Abstract to express support for the contention that the regulation of crude oil shipping should not take into account differences in oil vapor pressure.

Study Conclusions


The lengthy and very technical report from Sandia, part of the ongoing DOE investigation of the hazards associated with crude oil shipments, makes the following statement in the Abstract (pg 3):

“The results indicate that all the oils tested here have comparable thermal hazard distances and the measured properties are consistent with other alkane-based hydrocarbon liquids. The similarity of pool fire and fireball burn characteristics pertinent to thermal hazard outcomes of the three oils studied indicate that vapor pressure is not a statistically significant factor in affecting these outcomes. Thus, the results from this work do not support creating a distinction for crude oils based on vapor pressure with regards to these combustion events.”

The key phrase in the above quote is found in the last sentence; “with regards to these combustion events.” Pool fires and fireballs were created and analyzed. The study assumed that a crude oil derailment accident would produce the conditions that cause both of these events. In the discussion portion of the report it is noted that (pg 75): “Based on the Phase I effort, the premise is that most train accidents provide enough kinetic energy to exceed the parameter thresholds indicating flammability; consequently, ignition is highly probable regardless of the crude oil type.”

Vapor Pressure Measurement


This study used an automated vapor pressure measurement system (ASTM D6377) at 100˚F. This is a different method from the ones that I have discussed previously in this blog (see here for instance), but the report authors include an important discussion (Section 1.1, pg 26) about the need for proper sampling techniques and storage of tested samples. Any discussion of vapor pressure testing needs to address these issues.

Fireball Testing


The fireball testing conducted in this study was designed to look at the effects of the ignition of vapor clouds over a derailment event. It is clear from the description of the test methodology (pg 253) that investigators were concerned about vapor releases from intact railcars that were subject to the intense heating associated with direct flame impingement from a pool fire caused by a release of crude oil (or other flammable liquid) from a nearby ruptured railcar.

The test tanks were heated to 300˚C and 280 psi and a rupture disk was then command released via explosives. To ensure ignition of the resulting vapor cloud, a second explosive device was then detonated.

Commentary


The test information presented in the report is very valuable for fire response planning. It is not really surprising that the test concluded that there is little effective difference in the thermal effects of a pool fire from crude oil with wide variations in vapor pressure. Those thermal effects are more closely related to the heat released in the combustion of hydrocarbons and that is directly related to the number of carbon atoms burned, not the physical state of the molecules within which they are contained. Similar masses of carbon atoms in linear chains will produce similar amounts of heat. This is chemistry 101.

The testing of the fireball similarly restricts the evaluation to the heat effects and the size of the fireball. Again, this is useful information for fire response planning, but it does little to address the underlying concern about the dangers associated with variations in crude oil vapor pressure; that is, the likelihood of a vapor cloud forming in a given accident.

Since DOT mandates that the pressure relief valve (PRV) on crude oil railcars release vapors at 32 psi, the testing at 280 psi is of little value. What would have been more impressive would have been gradually heating the samples in a pressure vessel until a standard 32 psi PRV opened and then igniting the resulting vapor cloud after some preset time limit. The emissivity testing reported in this study would be done on the resulting fireball, but overpressure testing at set distances from the test to evaluate differences in the blast effects from the resulting fireball should also be required.

Vapor pressure testing of crude oil is going to be of only very limited usefulness. For relatively pure substances, estimating vapor pressure at other temperatures from a measurement at a single temperature is a fairly simple application of the Clausius-Clapeyron relation (given the heat of vaporization). For complex mixtures like crude oil this is not the case. Each of the hundreds of components of crude oil has its own boiling point, the temperature at which it begins to contribute significantly to the vapor pressure of the mixture.

To be a valuable predictor of fireball formation in a crude oil derailment, we need a new vapor pressure testing method. Instead of measuring vapor pressure at a fixed temperature, it would be more useful to regulators to have a test that measures the temperature at which we would expect safety devices to release a vapor cloud. For rail transportation that would be 32 psi. Unfortunately, such a test would present an interesting set of potential physical hazards in the testing facility. And that would significantly increase the cost of testing.

It would be helpful if Sandia did a test evaluating a similar variety of crude oils as seen in this testing to see what variations were seen in the temperature necessary to reach 32 psi vapor pressure and what variations were seen in the fireball testing conducted at those temperatures. Oh, yes, please include overpressure measurements during the fireball testing. If there were relatively little practical difference in the release temperature, emissivity and/or overpressure, then we could probably conclude that vapor pressure testing was a dead issue.

Wednesday, September 4, 2019

DOC Sends IT Supply Chain Security Rule to OMB


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received an interim final rule (IFR) from the Department of Commerce on Securing the Information and Communications Technology and Services Supply Chain for review. This rulemaking was not listed in the 2019 Spring Unified Agenda.

With this rulemaking starting out as an IFR, it must be implementing a specific congressional mandate. I suspect that it deals with restrictions on the use of Chinese telecom equipment.

2 Advisories Published – 09-03-19


Yesterday the DHS NCCIC-ICS published two control system security advisories for products from EZAutomation.

PLC Editor Advisory


This advisory describes an improper restriction of operations within the bounds of a memory buffer vulnerability in the EZAutomation EZ PLC Editor. The vulnerability was reported by 9sg Security Team via the Zero Day Initiative. EZAutomation has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to execute code under the privileges of the application.

EZ Touch Editor Advisory


This advisory describes a stack-based buffer overflow vulnerability in the EZAutomation EZ Touch Editor. The vulnerability was reported by 9sg Security Team via the Zero Day Initiative. EZAutomation has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to execute code under the privileges of the application.

Saturday, August 31, 2019

Public ICS Disclosures – Week of 08-24-19


This week we have vendor updates for products from Schneider and Rockwell.

Schneider Update


Schneider published an update for their advisory on Wind River Urgent/11 vulnerabilities. The update adds the list of affected energy management products.

Rockwell Update


Rockwell published an update for vulnerabilities in their Allen-Bradley PowerMonitor™ 1000 monitors. The update provides a link to a patch that mitigates the vulnerabilities.

Bills Introduced – 08-30-19


Yesterday, with both the House and Senate meeting in pro forma session (almost no one present), there were 15 bills introduced. One of these bills will receive future consideration in this blog:

HR 4217 To amend the Homeland Security Act of 2002 to develop tools to help State and local governments establish or improve cybersecurity, and for other purposes.  Rep. Katko, John [R-NY-24]

This bill (text has already been published) would establish three separate cybersecurity grant programs for State and local governments.

Interesting side note: While Congresscritters are not in Washington, staffs certainly are. The House Homeland Security Committee filed six committee reports in yesterday’s session. Two of those (HR 3318 and HR 3710) will likely be addressed here in more detail when the reports are actually published next week.

Thursday, August 29, 2019

2 Advisories Published – 08-29-19


Today the DHS NCCIC-ICS published two medical device security advisories for products from Philips and Change Healthcare.

Philips Advisory


This advisory describes a use of obsolete function vulnerability in the Philips HDI 4000 Ultrasound Systems. The vulnerability was reported by Check Point. Philips has provided generic measures to mitigate the vulnerability and reports that the devices reached end-of-support in December of 2013. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker with access to the local subnet could use publicly available exploits to exploit the vulnerability to lead to exposure of ultrasound images (breaches of confidentiality) and compromised image integrity.

Change Healthcare Advisory


This advisory describes an incorrect default permissions vulnerability in the Change Healthcare Cardiology Devices. The vulnerability was reported by Alfonso Powers and Bradley Shubin of Asante Information Security. Change Healthcare has a patch to mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker with authenticated access can exploit the vulnerability to allow a locally authenticated user to insert specially crafted files that could result in arbitrary code execution.

NIST Sends Security Plan Guide Update to OMB


Yesterday the OMB’s Office of Information and Regulatory Affairs announced that it had received a proposed revision for NIST SP 800-18, Guide for Developing System Security Plans, for review. This guide for federal information-system security planners was originally published in 1998 and updated in 2006. It will be a while before OIRA approves this document and we see an official version.


A lot has changed in the IT security world since 2006; new technologies and vulnerabilities. This should be a major re-write. The (okay 'a') big question is: will they address OT security for building control systems and security systems for data centers?

Tuesday, August 27, 2019

2 Advisories Published – 08-27-19


Today the DHS NCCIC-ICS published two control system security advisories for products from Datalogic and Delta Controls.

Datalogic Advisory

This advisory describes an authentication bypass using an alternate path or channel vulnerability in the Datalogic AV7000 Linear Barcode Scanner. The vulnerability was reported by Tri Quach and Blake Johnson of Amazon’s Customer Fulfillment Technology Security (CFTS) group. Datalogic has a new firmware version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to remotely execute arbitrary code.

Delta Controls Advisory

This advisory describes a buffer overflow vulnerability in the Delta Controls enteliBUS Controllers. The vulnerability was reported by Douglas McKee @fulmetalpackets and contributing researcher Mark Bereza @ROPsicle of McAfee Advanced Threat Research. Delta Controls has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to remotely execute arbitrary code.

ISCD Updates a Number of CFATS Information Documents


Recently the DHS Infrastructure Security Compliance Division (ISCD) provided links to a number of new and updated information documents related to the Chemical Facility Anti-Terrorism Standards (CFATS) program. Links were provided on either the CFATS Knowledge Center page or the CFATS Resources page.

The new or revised documents I found are:


I have not done (and probably will not do) a detailed review of the revised documents. These are ‘fact sheets’ and those are seldom (if ever) used to announce new policy. If new policy were involved, we would have seen a more formal announcement of the revised documents. I suspect that this was mainly a branding exercise for the new Cybersecurity and Infrastructure Security Agency (CISA).

The odd one on the list above was the EAP guidance document. It was not rebranded with the CISA format or logo. There is no date on the document, so I am not even sure that it was revised. It was listed on the top of the ‘User Manuals’ column of the CFATS Knowledge Center, so ISCD is apparently attempting to at least call attention to the manual. The EAP program was mandated by Congress in the first re-write of the CFATS legislation and may not survive the second re-write. It has not been used by more than a handful of facilities, but that is more because it was introduced after the vast majority of facilities had already submitted proposed Site Security Plans under the existing program than it was because of any problems with the EAP.

Most of the documents listed above have dates back in May. I am not sure when they were actually published or the links made available. A couple of years ago DHS generally stopped putting date of change notices on their web pages. With web sites that are as voluminous as the CFATS program this makes it very difficult to keep up with the changes. I had hoped with the rise of CISA (and the fall of NPPD, its predecessor) that we would see a change in this policy. Every once-in-a-while a ‘last published date’ slips in (see here), but I have not seen any indication that this is more than the action of isolated web-scriptors trying to do right.

Saturday, August 24, 2019

Public ICS Disclosures – Week of 08-17-19


This week we have two vendor disclosures for products from Bosch and Schneider and an update from Schneider.

Bosch Advisory


Bosch published an advisory describing three vulnerabilities in their ProSyst mBS SDK and Bosch IoT Gateway Software. The vulnerabilities are being self-reported. Bosch has new versions that mitigate the vulnerabilities.

The three reported vulnerabilities are:

Path traversal - CVE-2019-11601;
Server-side request forgery - CVE-2019-11897; and
Information exposure through an error message - CVE-2019-11602

Schneider Advisory


Schneider published an advisory for the latest Microsoft® Remote Desktop Services (DejaBlue) vulnerabilities in their products running on machines using various MS operating systems. Generic mitigations are provided. Schneider does provide the following warning about applying the MS patches that should mitigate these vulnerabilities:

“Please note that as of the date of this publication, it is unclear how Microsoft’s patches and updates will affect systems performance. Therefore, customers should proceed with caution when applying these patches to critical operating systems and/or performance-constrained systems. We strongly recommend evaluating the impact of these patches in a Test and Development environment or on an offline infrastructure.”

NOTE: This advisory has already been updated twice.

Schneider Update


Schneider published an update for their advisory on the Wind River VxWorks vulnerabilities in their products. They changed the affected products list by:

Removing Modicon M580 Ethernet / Serial RTU Module; and
Adding Modicon eX80 - BMEAHI0812 HART Analog Input Module

Tuesday, August 20, 2019

1 Advisory, 2 Updates Published – 08-20-19

Today the DHS NCCIC-ICS published a control system security advisory for products from Zebra and two updates for advisories for products from Siemens and Sierra Wireless.

Zebra Advisory

This advisory describes an insufficiently protected credentials vulnerability in the Zebra Industrial Printers. The vulnerability was reported by Tri Quach. Zebra has a new version that mitigates the vulnerability. There is no indication that Tri has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow a remote attacker to send specially crafted packets to a port on the printer, resulting in the retrieval of a front control panel passcode.

Siemens Update

This update provides new information on an advisory that was originally published on August 13th, 2019. NCCIC-ICS changed the vulnerability description from ‘uncontrolled resource consumption’ to ‘insufficient resource pool’. There was no corresponding change in the Siemens advisory; Siemens does not use CWE vulnerability titles or codes in their advisories.

Sierra Wireless Update

This update provides new information on an advisory that was originally published on May 2nd, 2019. The  update reports that the ALEOS 4.12.0 Release Note is now available.

Monday, August 19, 2019

S 2333 Introduced – Grid Security


Last month Sen. Cantwell (D,WA) introduced S 2333, the Energy Cybersecurity Act of 2019. The bill would require the Department of Energy to address electric grid cybersecurity, resiliency and risk assessment issues. This bill is essentially identical to S 2444 from last session which was also introduced by Cantwell. No action was taken on the earlier bill.

Cantwell is still a senior member of the Senate Energy and Natural Resources Committee to which this bill was assigned for consideration. That was not enough last session to ensure that the bill was considered in Committee. The problem remains the authorization for the expenditure of funds for the various programs in bill. It is unlikely that the new budget agreement reached just before the Senate left for summer recess will change the funding situation.

OMB Approves ICR for Surface Transportation Security Survey


Last Friday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an information collection request (ICR) for a Surface Transportation Stakeholder Survey to be conducted by the TSA. The survey was mandated by Congress in §1983 of the FAA Reauthorization Act of 2018 (HR 302 from the 115th Congress, it was signed as PL115-254, but that law has not yet been published).

Stakeholder Survey


Congress required the TSA to conduct a survey of surface transportation security stakeholders “regarding resource challenges, including the availability of Federal funding, associated with securing such assets that provides an opportunity for respondents to set forth information on specific unmet needs” {§1983(a)}. TSA reports [.DOCX download link] that it will be offering the survey to 3,200 organizations “with whom TSA has established working relationships” (pg 1). It expects only about 20% of those organizations to respond during the 21 days that TSA will have the survey available on its web site. This accounts for the 641 surveys expected to be collected under this ICR.

OIRA published [.DOCX download link]  a copy of the questions that will be asked on the TSA’s Survey Monkey operated web site for the survey (the URL is not available in the ICR documents). The questions are a relatively broad look at the application of federal grant programs to support surface transportation security efforts. The last two questions directly address the congressional mandate to provide “an opportunity for respondents to set forth information on specific unmet needs.”

TSA is not going to meet the 120-day deadline for conducting the survey that was established in HR 302. Given the requirement to get OMB approval to conduct the information collection, that deadline was never reasonably set. It took TSA almost that long to put together the information necessary to publish the 60-day ICR notice in March of this year. The 30-day ICR notice quickly followed the close of the comment period on the first ICR notice and it only took OIRA a little more than two months to approve the ICR, a remarkably short time for OIRA approval.

TSA will probably not provide a notice in the Federal Register concerning the publication of the survey on a TSA web site. The congressional mandate was to collect information from “stakeholders responsible for securing surface transportation assets”, not the public, community organizations or emergency response personnel. Thus, TSA will directly contact organizations with whom it has established relationships as well as surface transportation trade associations to announce the start of the survey period and the location of the survey web site.

Commentary


I am concerned that there is no mention of cybersecurity in the survey; not even a hint that TSA was including cybersecurity challenges in the surface transportation efforts being surveyed. This is not entirely TSA’s fault, the congressional mandate for this survey did not include any mention of cybersecurity either. Hopefully, the stakeholders being surveyed will be able to read between the lines and will specifically include mention of the concerns that they have about cybersecurity efforts in protecting surface transportation assets from outsider (and insider) attacks.
