Thursday, January 31, 2019

Two Advisories and Two Updates Published – 01-31-19


Today the DHS NCCIC-ICS published two control system security advisories for products from Schneider and IDenticard. They also updated two previously published advisories for products from Omron and Siemens.

Schneider Advisory


This advisory describes three vulnerabilities in the Schneider EVLink Parking product. The vulnerabilities were reported by Vladimir Kononovich and Vyacheslav Moskvin of Positive Technologies. Schneider has an update available that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Use of hardcoded credentials - CVE-2018-7800;
• Code injection - CVE-2018-7801; and
• SQL injection - CVE-2018-7802

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to stop the device and prevent charging, execute arbitrary commands, and access the web interface with full privileges.

NOTE: I briefly discussed these vulnerabilities in December just as the Federal Funding Fiasco started.

IDenticard Advisory


This advisory describes three vulnerabilities in the IDenticard PremiSys WCF Service access control system. The vulnerabilities were reported by Jimi Sebree working with Tenable. IDenticard has a software update that mitigates two of the three vulnerabilities. There is no indication that Sebree has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Hard-coded credentials - CVE-2019-3906;
• Inadequate encryption strength - CVE-2019-3907; and
• Use of hard-coded password - CVE-2019-3908

NCCIC-ICS reports that a relatively low-skilled attacker could use publicly available information to exploit the vulnerabilities to view sensitive information via backups, obtain access to credentials, and/or obtain full access to the system with admin privileges.

NOTE: The Tenable report on these vulnerabilities adds a fourth vulnerability: default database credentials - CVE-2019-3909.

Omron Update


This update provides additional information on an advisory that was originally published on October 18th, 2018. The update added Esteban Ruiz (mr_me) of Source Incite as one of the researchers reporting the vulnerabilities.

Siemens Update


This update provides additional information on an advisory that was originally published on June 14th, 2018. The update added affected version information and provided a mitigation link for RUGGEDCOM WiMAX.

NOTE: I briefly discussed this update (and six other Siemens updates published on the same day) earlier this month.

HR 542 Introduced – Urban Security Lab


Earlier this month Rep. Rice (D,NY) introduced HR 542, the Supporting Research and Development for First Responders Act. The bill would authorize the current DHS National Urban Security Technology Laboratory (NUSTL). This is essentially the same bill as HR 4991 from last session. That bill passed in the House by a voice vote under the suspension of the rules process.

NUSTL


The NUSTL has been in the DHS Science and Technology Directorate since 2003. As outlined in this bill the purpose of the NUSTL is to “test and evaluate emerging technologies and conduct research and development to assist emergency response providers in preparing for, and protecting against, threats of terrorism” {new §321(a)}. The bill would require the NUSTL to {new §321(c)}:

• Conduct tests, evaluations, and assessments of current and emerging technologies, including, as appropriate, cybersecurity of such technologies that can connect to the internet, for emergency response providers;
• Conduct research and development on radiological and nuclear response and recovery;
• Act as a technical advisor to emergency response providers; and
• Carry out other such activities as the Secretary determines appropriate.

Moving Forward


Rice is the Chair of the Cybersecurity, Infrastructure Protection, and Innovation Subcommittee of the House Homeland Security Committee. As such she certainly has the influence to ensure that the bill is addressed in Committee, if it does not go directly to the floor of the House. There is no reason to suspect that last session’s bipartisan support for HR 4991 would not be transferred to this bill.

As always, the question is whether or not the bill would be considered in the Senate. In the last session the bill was referred to the Senate Homeland Security and Governmental Affairs Committee which never took up the bill. This may be because of the efforts of the Trump administration to close the NUSTL as a budgetary move.

Commentary


I did not cover HR 4991 last year as there did not seem to be enough of a connection to cybersecurity concerns. The wording of the bill has not changed, but there has been a significant increase in cybersecurity concerns with a variety of urban security technologies. I suspect that the Lab is going to be spending more time on cybersecurity research in the coming years.

An interesting political aspect of this bill is that the greatest support for the NUSTL comes from officials in New York City. The lab is located in NYC and has always received strong support from the NY congressional delegation.

Wednesday, January 30, 2019

EPA Sends TSCA Reporting NPRM to OMB


Yesterday the EPA sent a notice of proposed rulemaking (NPRM) to the OMB’s Office of Information and Regulatory Affairs (OIRA) for review. The NPRM would address changes to the Toxic Substances Control Act (TSCA) Chemical Data Reporting requirements under section 8(a) and revise the size standards for small businesses under the act.

According to the Unified Agenda listing for the rulemaking, the EPA intends to have these changes in place before the 2020 reporting date. It also projected that the NPRM would be published in December 2018. Given the accuracy standards for Unified Agenda listings and the 35-day Federal Funding Fiasco, the EPA is just a tad late if they really intend to publish the final rule in time for that 2020 deadline.

Bills Introduced – 01-29-19


Yesterday with both the House and Senate in session there were 58 bills introduced. One of these will receive additional mention in this blog:

HR 851 To reinstate requirements pertaining to electronically controlled pneumatic brake systems on high-hazard flammable unit trains, and for other purposes. Rep. Herrera Beutler, Jaime [R-WA-3]

Interestingly, ECP brakes were required on HHFT by an act of Congress and then Congress required DOT to conduct a detailed cost benefit analysis of the requirement in subsequent legislation. That analysis resulted (as directed by Congress) in the elimination of the ECP brake requirement. Herrera Beutler represents a district with strong local opposition to the transit of crude-oil trains through its communities.

Tuesday, January 29, 2019

5 Advisories Published – 01-29-19


Today the DHS NCCIC-ICS published three control system security advisories for products from AVEVA, Mitsubishi, and Yokogawa. They also published two medical device security advisories for products from BD and Stryker.

AVEVA Advisory


This advisory describes an insufficiently protected credential vulnerability in the AVEVA Wonderware System Platform. The vulnerability was reported by Vladimir Dashchenko from Kaspersky Lab. AVEVA has an update that mitigates the vulnerability. There is no indication that Dashchenko has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow unauthorized access to the credentials for the ArchestrA Network User Account.

NOTE: I briefly discussed this advisory last Saturday.

Mitsubishi Advisory


This advisory describes a resource exhaustion vulnerability in the Mitsubishi MELSEC-Q series PLCs. The vulnerability was reported by Tri Quach of Amazon’s Customer Fulfillment Technology Security (CFTS) group. Mitsubishi has a new firmware version that mitigates the vulnerability. There is no indication that Quach has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow a remote attacker to send specially crafted packets to the device, causing Ethernet communication to stop.

Yokogawa Advisory


This advisory describes an unrestricted upload of files with dangerous type vulnerability in the Yokogawa License Manager Service. The vulnerability was reported by Kaspersky Lab. The latest version mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NOTE: I briefly discussed this advisory last Saturday.

BD Advisory


This advisory describes an improper access control vulnerability in the BD FACSLyric. This vulnerability was self-reported. BD will directly apply mitigation measures to the affected systems.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to gain unauthorized access to administrative level privileges on a workstation, which could allow arbitrary execution of commands. This vulnerability does not impact BD FACSLyric flow cytometry systems using the Windows 7 Operating System.

NOTE: This is not the BD advisory that I briefly discussed last Saturday.

Stryker Advisory


This advisory describes a nonce reuse vulnerability in the Stryker Secure II MedSurg Bed, S3 MedSurg Bed, and InTouch ICU Bed products. This is the Key Reinstallation Attack (KRACK) set of vulnerabilities in the WPA2 Wi-Fi handshake. The advisory only lists nine of the ten CVEs associated with KRACK. Stryker has software updates to mitigate the vulnerabilities.
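Why a nonce reuse bug matters is easier to see in code than in a CWE name. The following is an added example written for this post, not code from Stryker or from the advisory. It models a WPA2-style transmitter whose 48-bit packet number is reset to zero whenever the session key is installed (the reset that a KRACK key reinstallation induces) and shows that an eavesdropper who knows the plaintext of one frame can recover the plaintext of any later frame encrypted under the same key and packet number. The keystream function is a SHA-256 stand-in for the AES-CTR keystream that CCMP uses, so the example needs only the standard library, and the frame contents are constructed sample data.

```python
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream. Stand-in for the AES-CTR keystream used by
    CCMP: SHA-256 over key || nonce || block counter. The only property
    relied on is that the same key and nonce give the same keystream."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the result is as long as the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Transmitting side of a CCMP-style link: the nonce is the 48-bit
    packet number (PN), which must never repeat under one key."""

    def __init__(self, key: bytes):
        self.install_key(key)

    def install_key(self, key: bytes):
        # Installing a key resets the transmit packet number to zero. A client
        # that re-installs an already-in-use key (KRACK: replayed message 3 of
        # the 4-way handshake) therefore starts reusing nonces.
        self.key = key
        self.pn = 0

    def send(self, plaintext: bytes):
        nonce = self.pn.to_bytes(6, "big")
        self.pn += 1
        return nonce, xor(plaintext, keystream(self.key, nonce, len(plaintext)))


def recover(ct_known: bytes, pt_known: bytes, ct_target: bytes) -> bytes:
    """Known-plaintext recovery for two frames under one key and nonce:
    ct_known ^ pt_known is the keystream, which also decrypts ct_target
    (only the bytes covered by the known frame are recovered)."""
    return xor(xor(ct_known, pt_known), ct_target)


# Constructed sample frames, not captured traffic.
FRAME_1 = b"GET /status HTTP/1.1\r\nHost: device\r\n"
FRAME_2 = b"POST /alarm HTTP/1.1\r\n"


def krack_session():
    """A key reinstallation between two frames: the nonces collide and the
    second frame's plaintext falls out of the first."""
    key = bytes(range(16))
    sta = Station(key)
    n1, c1 = sta.send(FRAME_1)
    sta.install_key(key)      # the reinstallation KRACK induces
    n2, c2 = sta.send(FRAME_2)
    return n1 == n2, recover(c1, FRAME_1, c2)


def healthy_session():
    """Same two frames with no reinstallation: the nonces differ and the
    known-plaintext trick yields nothing useful."""
    key = bytes(range(16))
    sta = Station(key)
    n1, c1 = sta.send(FRAME_1)
    n2, c2 = sta.send(FRAME_2)
    return n1 == n2, recover(c1, FRAME_1, c2)


if __name__ == "__main__":
    print(krack_session())
    print(healthy_session())
```

The fix for the client side is the one the KRACK paper and the Wi-Fi vendors adopted: never reset the packet number when an already-installed key is installed again, so a replayed handshake message cannot rewind the nonce space. That is a state-machine change in the supplicant, which is why the devices in this advisory need a software update rather than a configuration change.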

HR 327 Introduced – Data Breach Arbitration


Earlier this month Rep. Lieu (D,CA) introduced HR 327, the Ending Forced Arbitration for Victims of Data Breaches Act of 2019. The bill would make mandatory arbitration agreements unenforceable for ‘security breaches’.

Arbitration Agreements


Section 2 of the bill simply states that:

“An entity may not require, as part of a customer or other similar agreement, an individual to agree to submit any dispute related to a security breach, including any dispute related to identity theft, to arbitration.”

Section 3 of the bill would make any such existing provisions void.

Section 4 of the bill would make the Federal Trade Commission responsible for enforcement of these provisions. Section 5 provides for State enforcement of the provisions of the bill while allowing the FTC to intervene in any prosecution. Individuals harmed by arbitration agreements would be given authorization for private action under Section 6 of the bill with a two-year statute of limitations.

Definitions


Section 7 of the bill provides the two key definitions for the bill. The first definition is for the term ‘security breach’. This is defined as “a compromise of the security, confidentiality, or integrity of, or the loss of, computerized data that results in, or there is a reasonable basis to conclude has resulted in” {§7(1)(a)} the unauthorized acquisition of, or access to, sensitive personally identifiable information.

The second definition is of the term ‘sensitive personally identifiable information’. That definition is quite lengthy and encompassing.

Moving Forward


Lieu is not a member of the House Energy and Commerce Committee to which this bill was assigned for consideration. This means that the bill is unlikely to be considered in Committee. If the bill were considered it is very likely that there would be substantial opposition from organizations representing any number of commercial enterprises which currently rely on forced arbitration agreements.

If this bill were considered it is possible that it could be approved on party-line votes in the House, but it would never receive consideration in the Senate.

Commentary


I am not sure how prevalent the use of arbitration ‘agreements’ is in contracts for industrial control system installations or components, but I suspect that they would be fairly common. This bill would not address those agreements except for the very narrow area of the protection of personally identifiable information.

Crafting effective language to include security breaches of control systems is going to be interesting. Part of the problem would be defining what constitutes a breach of a control system. The relatively easy part would be defining situations where there was a loss of control or loss of view of the process. The more difficult part would be defining situations leading to the loss of proprietary process data or design.

While this bill is unlikely to go anywhere (unless Lieu signs up cosponsors who are more influential on the Energy and Commerce Committee), it is probably a good idea for the industry to start to look at this as an area where we are probably going to see future legislation that does address control system security breaches and has a better chance of passing.

Bills Introduced – 01-28-19


Yesterday with both the House and Senate back in Washington, there were 51 bills introduced. One of these may see additional coverage in this blog:

S 245 A bill to authorize appropriations for fiscal year 2019 for intelligence and intelligence-related activities of the United States Government, the Community Management Account, and the Central Intelligence Agency Retirement and Disability System. Sen. Burr, Richard [R-NC]

The Senate looks to be trying to clear up some business from the 115th Congress where they never took action on either version (S 3153 or HR 6237) of the FY 2018/2019 intel authorization bill. Better luck in this session; who knows?

Saturday, January 26, 2019

Public ICS Disclosures – Week of 01-19-19


This week we have vendor notifications from Bosch, AVEVA, Drager, Yokogawa and BD. We also have an exploit of a previously disclosed set of vulnerabilities for products from NUUO.

Bosch Advisory


Bosch has published an advisory for two vulnerabilities in their DIVAR 400 & 600 digital recorders. The vulnerabilities were reported by Maxim Rupp. Bosch has provided generic workarounds to mitigate the vulnerabilities. There is no indication that Rupp has been provided an opportunity to verify the efficacy of the workarounds.

The two reported vulnerabilities are:

• Improper access control; and
• Unprotected credentials

AVEVA Advisory


AVEVA has published an advisory for three vulnerabilities in their Wonderware System Platform. The vulnerabilities were reported by Vladimir Dashchenko from Kaspersky Lab. AVEVA has a new update that mitigates the vulnerabilities. There is no indication that Dashchenko has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Insufficiently protected credentials;
• Execution with unnecessary privilege; and
• Missing authorization

These vulnerabilities were coordinated through ‘ICS-CERT’ so I expect that we will see an advisory from NCCIC-ICS next week (though they may have a backlog to work through now that the Federal Funding Fiasco is at least temporarily over).

Drager Advisory


Drager published an advisory that is not technically for a control system vulnerability. They are advising customers of a number of reported fraudulent emails from apparent Drager email addresses that have been part of schemes to have companies make payments to non-Drager accounts.

Yokogawa Advisory


Yokogawa has published an advisory for an access control vulnerability in their License Manager Service. The vulnerability was reported by Kaspersky Lab. Yokogawa has patches that mitigate the vulnerability. There is no indication that Kaspersky Lab has been provided an opportunity to verify the efficacy of the fix.

BD Advisory


BD has published an advisory (actually an update for an advisory that was issued last summer) for a Microsoft Windows vulnerability in the task scheduler that affects a number of BD products. BD will patch the software during the next patch cycle.

NUUO Exploit


Pedro Ribeiro published a set of exploits for the NUUO CMS software management platform. The vulnerabilities were reported by NCCIC-ICS in an advisory published on October 12th, 2018 and updated on November 20th, 2018. Ribeiro was the one who originally reported the NUUO vulnerabilities to NCCIC-ICS.

In addition to publishing four Metasploit modules as part of his exploit report, Ribeiro reports that one of the vulnerabilities reported through NCCIC-ICS (Use of hard-coded credentials - CVE-2018-17894) has not actually been fixed, contrary to what the NCCIC-ICS advisory states.

Reading the exploit report from Ribeiro provides an interesting look into the coordinated disclosure process when the vendor is less than cooperative. Ribeiro has all sorts of nice things to say about the folks he worked with at ‘ICS-CERT’ during the two-year process but, suffice to say, he is disappointed with NUUO.

Friday, January 25, 2019

Reader Comment – CFATS and Active Shooters


Earlier this week over on LinkedIn, Michael Kennedy, a long-time reader and a lawyer active in CFATS matters, left an interesting comment about my gun shot detection post:

“I just wonder if it's cost effective, and if the juice is worth the squeeze? But, what if CFATS had active shooter classes as a requirement? Something to kick around for the next reiteration...”

His question about an ‘active shooter classes’ requirement in the next iteration of the Chemical Facility Anti-Terrorism Standards (CFATS) authorization is an interesting suggestion that deserves discussion.

Active Shooters and Chemical Facilities


Michael provided a link to the DHS Active Shooter web site (which is still up during this extended Federal Funding Fiasco; I wish NIST would follow the DHS example, but that is a whole separate discussion). This site provides a wealth of information and reflects the current DHS interest in helping facilities and responders prepare for an active shooter situation. Unfortunately, it overlooks the unique planning and training requirements for addressing active shooter situations at chemical plants.

I have written about these issues a number of times over the years (see here and here for example) and even prepared a training program for a law enforcement training site (now off-line) on the topic. For this post, I will just summarize the potential problems associated with an active shooter response at a facility that stores, manufactures or uses industrial chemicals. For facilities with:

• Flammable chemicals on hand, flammable atmosphere situations should be expected and muzzle flashes from firearm discharges could ignite such atmospheres;
• Flammable chemicals on hand, bullets flying around should be expected to pierce storage containers producing flammable atmospheres (see above);
• Toxic inhalation hazard chemicals on hand, bullets flying around could be expected to pierce storage containers, releasing toxic fumes to the atmosphere and endangering personnel over a wide area;
• Chemicals with heavier-than-air vapors, bullets flying around could be expected to pierce storage containers producing locally oxygen-deficient atmospheres;
• Chemicals on site that are capable of reacting with one another, a release could produce unexpected toxic inhalation, fire, or heavy vapor hazards; and
• Less-than-immediately toxic chemicals on site, a release during such an attack could lead to unpredictable medical issues amongst responders and innocent bystanders.

Each industrial facility with chemicals on hand is going to have to analyze the specific hazards that would arise in a potential active shooter incident at that facility and plan measures to mitigate those hazards. Security responders and law enforcement personnel will need to be trained to recognize the hazards at specific facilities and modify their use of firearms as appropriate. Otherwise a relatively simple active shooter response could escalate into an active chemical release incident with potential off-site consequences, with responders still having to deal with the active shooter at the same time.

Active Shooter CFATS Language


In keeping with the earlier set of posts that I did on potential language that I would like to see in a CFATS reauthorization bill, I would like to see the following language considered for active shooter situation planning and response:

(h) The Secretary will revise 6 CFR 27.230(a) to include a risk-based performance standard addressing planning for an active shooter incident. That RBPS would include requirements for:


(1) Identification of chemical hazards that would have to be considered during planning for an active shooter incident;

(2) Plans to limit active shooter access to areas where the identified chemicals are stored, used or produced;

(3) Training for armed facility security personnel and/or local law enforcement personnel about areas in the facility where special precautions would have to be taken when discharging firearms during an active shooter response; and

(4) Unique emergency response requirements for chemical releases during an active shooter incident.

Existing CFATS facilities would be given a reasonable deadline (6 months?) to revise approved site security plans to take into account the new RBPS requirements.

Thursday, January 24, 2019

Two Advisories Published – 01-24-19


Today the DHS NCCIC-ICS published two control system security advisories for products from Phoenix Contact and Advantech.

Phoenix Contact Advisory


This advisory describes six vulnerabilities in the Phoenix Contact FL SWITCH. The vulnerabilities were reported by Evgeniy Druzhinin, Ilya Karpov, and Georgy Zaytsev of Positive Technologies via CERT@VDE. Phoenix Contact reports that newer firmware versions mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• Cross-site request forgery - CVE-2018-13993;
• Improper restriction of excessive authentication attempts - CVE-2018-13990;
• Cleartext transmission of sensitive information - CVE-2018-13992;
• Resource exhaustion - CVE-2018-13994;
• Insecure storage of sensitive information - CVE-2018-13991; and
• Memory corruption - CVE-2017-3735

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow attackers to have user privileges, gain access to the switch, read user credentials, deny access to the switch, or perform man-in-the-middle attacks.

NOTE: The CERT@VDE advisory notes that CVE-2018-13992 has not been fixed in the newer firmware versions available. A generic fix for that vulnerability has been recommended.

Advantech Advisory


This advisory describes three vulnerabilities in the Advantech WebAccess/SCADA platform. The vulnerabilities were reported by Devesh Logendran of Attila Cybertech. Advantech has a new version that mitigates the vulnerabilities. There is no indication that Logendran has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Improper authentication - CVE-2019-6519;
• Authentication bypass using an alternate path or channel - CVE-2019-6521; and
• SQL injection - CVE-2019-6523

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to access and manipulate sensitive data.

DHS OIG TWIC Assessment


Last week Laurie Thomas published a lengthy blog post about a DHS Inspector General report on the Transportation Workers Identification Credential (TWIC) program. This report was required by the 114th Congress’ HR 710 (PL 114-278). Laurie’s blog does a good job of looking at the report, but I would also recommend reading the report after reading her post. Doing so would provide background on her somewhat understated concerns.

Background


HR 710 went through a rather convoluted legislative process (see my posts here, here and here) culminating in a rare final approval during a pro-forma session in the House at the end of the 114th Congress.

Last session, Congress took official umbrage with DHS over the failure to comply with the requirements of HR 710 and passed HR 5729, the Transportation Worker Identification Credential Accountability Act of 2018. This IG report does not fulfill the preconditions in that bill that would allow the Coast Guard to implement the TWIC Reader Rule. Those preconditions are the submission of the Rand Report that the OIG briefly discusses in the first two full paragraphs on page 3 {expected(?) April 27th, 2019} and the subsequent plan from DHS to implement the report recommendations within 60 days of the publication of the report.

I expect that we will see early hearings on this IG report in both the House Homeland Security and Transportation committees. I would be surprised if either committee waits until the Rand Report comes out; too many problems have been identified here.

CFATS and TWIC


I do not see any immediate implications for the use of TWICs as part of the personnel surety program (PSP) in the Chemical Facility Anti-Terrorism Standards (CFATS) program. Too many companies have made the management decision that the TWIC is an easier way to vet against the Terrorist Screening Database (TSDB) than submitting employee information via the new CSAT tool.

Having said that, I think that the Infrastructure Security Compliance Division is going to have a harder time getting approval to start the Tier 3 and Tier 4 implementation of the PSP as a result of this report. More people will be arguing with the OMB’s Office of Information and Regulatory Affairs (OIRA) that the expansion of the PSP should be held in abeyance until the Rand Report and the DHS response are published.

There is going to be a counterargument from some at ISCD that this would be a good reason to scrap the use of the TWIC in the CFATS PSP, but that will still not fly. There is too much support in Congress for the TWIC alternative, even with the problems in the TWIC program identified in this report. Only a truly awful Rand Report will erode that political support.

Problems with the IG Report


Laurie’s discussion at the end of her blog post covers some of the shortcomings with the TWIC program that were addressed in the report. That discussion should be read very carefully.

Unfortunately, Laurie does not address the shortcomings in the methodology that the IG employed in their investigation/audit. The IG gave TSA credit for completing requirements just by examining documents such as contracts and procedure manuals. The report specifically states that they did not question people that actually implemented those documents or followed those procedures.

The fact that the IG found so many shortcomings in just the high-level administration of the program leads me to believe that there are even more problems with the actual implementation of the program where decisions are made in assessing the validity of documentation or the vetting of personnel. Hopefully, these types of problems will be looked at more closely by the Rand people.

Wednesday, January 23, 2019

HR 334 Introduced – Cybersecurity Education


Earlier this month Rep. Lieu (D,CA) introduced HR 334, the New Collar Jobs Act of 2019. The bill would amend the Internal Revenue Code to add a new section establishing an “employee cybersecurity education credit” {new §45S(a)}.

The Tax Credit


The general business tax credit to be included under 26 USC §38 would be for 50% of cybersecurity education expenses (up to $5,000 per year per employee) “paid or incurred by the employer during such taxable year”. The qualified expenses would be the “amounts paid or incurred for each employee who earns a certificate or degree at the undergraduate or graduate level or industry-recognized certification relating to those specialty areas and work roles that are listed in NCWF Work Roles in the document entitled, ‘NICE Cybersecurity Workforce Framework (NCWF)’ [NIST Special Publication 800-181; NOTE: the link does not work during the current Federal Funding Fiasco]” {new §45S(c)}.

Moving Forward


Because of the politics of the Federal Funding Fiasco the committee membership listing for the House has not yet been completed so it is hard to tell what sort of influence Lieu and his three cosponsors will have to see that HR 334 is considered in committee.

I do not see anything in the bill that would raise any great objection to the bill. I suspect that if it were considered in committee or on the Floor it would generally receive bipartisan support.

Commentary


While there are no definitions in the bill nor can we see the current listing of the ‘specialty areas and work roles’ to which this tax credit would apply, it would be reasonable to assume that it would include cybersecurity training for industrial control systems (ICS). I say this because the Congressional Findings portion of the bill specifically notes {§2(2)}:

“As manufacturers leverage new technologies from robotics to distributed control systems to create modern factories and industrial plants, different employment requirements have emerged including the need for cybersecurity talent.”

The next subparagraph goes on to explain:

“Leading cybersecurity experts have reported spike of 250 percent in industrial automation and control system cyber-incidents occurring during the period between 2011 and 2015 and as a result are seeking personnel with knowledge of their industry coupled with knowledge of security technology to prevent their organization from becoming victims of cyber-attacks.”

I do not believe that the bill would limit the tax credit to just ICS cybersecurity programs, but this clearly shows the crafters’ intent that such programs would be covered under this proposed tax credit.

Tuesday, January 22, 2019

Two Advisories Published – 01-22-19


Today the DHS NCCIC-ICS published a control system security advisory for products from Johnson Controls and a medical device security advisory for products from Drager.

Johnson Controls Advisory


This advisory describes two vulnerabilities in the Johnson Controls Facility Explorer. The vulnerabilities were reported by Tridium. Johnson Controls has new versions that mitigate the vulnerabilities. There is no indication that Tridium has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Path traversal - CVE-2017-16744; and
• Improper authentication - CVE-2017-16748

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit these vulnerabilities to allow an attacker to read, write, and delete sensitive files to gain administrator privileges in the Facility Explorer system.

Drager Advisory


This advisory describes three vulnerabilities in the Drager Infinity Delta patient monitoring devices. The vulnerabilities were reported by Marc Ruef and Rocco Gagliardi, of scip AG. Drager has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Improper input validation - CVE-2018-19010;
• Information exposure through log files - CVE-2018-19014; and
• Improper privilege management - CVE-2018-19012

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to cause information disclosure of device logs, denial of service through device reboots of the patient monitors, and privilege escalation.

NOTE: The Drager security advisory adds an additional vulnerability for one of the affected products; “Several 3rd party components were found outdated and vulnerable to several published security vulnerabilities.”

CFATS and Gun Shot Detection Systems


I got an interesting question from a reader yesterday. I whipped out a quick reply that I still stand by, but I thought that it might need some additional discussion.

Question and Response


The original question was:

“Is there a requirement for chemical plants to have gunshot detection/notification? Esp after Metcalf incident, I would think.”

My initial reply was:

“The CFATS program certainly does not include such a requirement. I would not think that this would be cost effective for most manned facilities unless they were in a high crime area.”

CFATS Requirement?


First off, there are very few ‘security requirements’ under the Chemical Facility Anti-Terrorism Standards (CFATS) program. The program was crafted with the idea that each facility is unique and would have to design its security program to fit its unique character while fulfilling 18 operationally defined ‘Risk-Based Performance Standards’ (RBPS). Those standards are outlined at 6 CFR 27.230(a) and discussed in more depth in the RBPS Guidance Document. There is no specific mention of ‘gun shot detection systems’ in either document, thus there is no ‘CFATS requirement’ to employ such a system.

The RBPS Guidance Document does make two important points about detection systems. First:

“For a protective system to prevail, detection needs to occur prior to an attack (i.e., in the attack planning stages) or early enough in the attack where there is sufficient delay between the point of detection and the successful conclusion of the attack for the arrival of adequate response forces to thwart the attempt.” [pg 50]

And second:

“Typically, when a sensor or other IDS [intrusion detection system] component identifies an event of interest, an alarm notifies security, which then will assess the event either directly by sending persons to the location of the event or remotely by alerting personnel to evaluate sensor inputs and surveillance imagery.” [pg 52]

Interior and Exterior Shots Fired


There are two general scenarios where a gunshot detection system might be of use for a CFATS covered facility: shots fired inside the facility and shots fired outside the facility (okay, I guess there are no other scenarios).

For shots fired within the facility, it is, by definition, too late to prevent the attack. Information from a shot finder could provide information to response personnel to help pin down the location of the shooter. That will be problematic for most chemical facilities that do not have armed guards (the vast majority of chemical facilities in the United States). Detailed prior coordination with local law enforcement personnel (lacking at most chemical facilities) would be required to ensure that responding officers knew about the shot detection capabilities and had timely access to the location information when (and after) they arrived on scene.

The problem for shots fired outside of the facility would be determining if the impact area or trajectory of the projectiles was inside of the facility. For incidents where there is no facility impact, the ability to determine that would be helpful to frame interior incident response (do not panic, they are shooting at someone else). For shots targeted at the facility (with malice aforethought or inadvertently), the location of the impact point could have beneficial input into the emergency response within the facility.

Unfortunately, most shot detection systems do not track trajectory or impacts (okay, I do not know of ANY that do, but I am not current on the technology so someone may have addressed this issue). Setting up a system to predict impacts or trajectory would require at least two different detection systems; one to detect the initial gun shot location and one to detect the projectile in flight at at least one position. The second portion of that problem would require multiple sensors around the perimeter of the facility to detect boundary penetration.

The Metcalf Scenario


The original question specifically mentioned the Metcalf situation; the April 16th, 2013 sniper attack on the unmanned Metcalf Transmission Substation. The sniper was firing at transformers with the apparent intent (this incident is still ‘unsolved’) of causing equipment failure through a loss-of-coolant incident.

A shot detection system at this facility would not have prevented the attack, but it may have provided timely enough notification to have allowed police to have apprehended the perpetrator. Unfortunately, this presumes a timely response to a ‘shots fired’ report without any indication of an antipersonnel attack.

There are few ‘unmanned’ chemical facilities, but many facilities are not manned 24/7 so this scenario could apply to such facilities. Again, the big problem is not being able to determine what the target of the shooting is when the shot detection system goes off. This is a big problem in rural areas where the shots may be from legitimate hunters.

Alternatives


If a facility is concerned with protecting critical infrastructure from gunshot attacks (and storage tanks quickly come to mind in this regard) it is probably more effective to provide some sort of ballistic protection in the form of either intermediate barriers or bullet-proof coatings (ballistic plate or fabrics) for high-risk equipment. Even if gunshot detection is employed, such protection would still be necessary if there is a high risk of a ballistic attack; gunshot detectors (shot location or impact location) only provide for response, they DO NOT prevent damage.

Conclusion


In short, I stand behind my earlier conclusion that these systems are not required for CFATS facilities and I doubt that they would be cost effective if employed. If systems are available (at a ‘reasonable’ cost) for predicting impact locations for shots fired, and a facility is in an area where there are frequently shots fired, it might be worthwhile to employ such a system to alert internal response personnel for inadvertent bullet impacts on site.

Monday, January 21, 2019

HR 480 Introduced – DHS Threat Assessment


A bit over a week ago Rep. Rogers (R,AL) introduced HR 480, the Homeland Threat Assessment Act. The bill would require DHS to conduct an annual “assessment of the terrorist threat to the homeland” {§2(a)}.

The Assessment


The bill would require the annual assessment to include {§2(b)}:

• Empirical data assessing terrorist activities and incidents over time in the United States;
• An evaluation of current terrorist tactics, as well as ongoing and possible future changes in terrorist tactics;
• An assessment of criminal activity encountered or observed by officers or employees of components in the field which is suspected of financing terrorist activity;
• Detailed information on all individuals denied entry to or removed from the United States as a result of material support provided to a foreign terrorist organization;
• The efficacy and spread of foreign terrorist organization propaganda, messaging, or recruitment;
• An assessment of threats, including cyber threats, to the homeland, including to critical infrastructure and Federal civilian networks;
• An assessment of current and potential terrorism and criminal threats posed by individuals and organized groups seeking to unlawfully enter the United States; and
• An assessment of threats to the transportation sector, including surface and aviation transportation systems.

The bill would require the assessment to be presented to Congress in a classified form with unclassified summaries and, potentially, unclassified annexes.

Moving Forward


Rogers is the Ranking Member of the House Homeland Security Committee and Rep. Thompson (D,MS), the single cosponsor, is the Chair. This means that this bill will almost certainly be considered in Committee in the not too distant future. There is nothing in the bill that would cause any serious opposition and it would almost certainly receive strong bipartisan support, both in Committee and on the Floor of the House.

Commentary


Now this bill is clearly about a ‘terrorist’ threat assessment, but the language in two of the sub-paragraphs in §2(b) very carefully does not contain the word ‘terrorist’ when all of the remaining sub-paragraphs do contain that word (or variations thereon). This would lead me to suspect that Rogers (or the Committee Staff who actually crafted the legislation) intended the cybersecurity and transportation assessments to include threats other than just those posed by terrorists.

So far, the only terrorist cyber threat that we have seen in actual practice has been a variety of doxing attacks (publication of private personal information) against various members of the armed forces and their families. There is nothing that would stop various terrorist groups (or radicalized individuals) from conducting more serious cyber-attacks, but nation-state actors are currently much more of a cyberthreat than terrorists.

While the wording of this sub-paragraph {§2(b)(6)} does not specifically call for reporting on nation-state level cybersecurity threats, the wording is vague enough to invite DHS to do so. If that is actually the intent of the wording, it would appear that it was done with the intention of avoiding stepping on the toes of the House Intelligence Committee or specifically involving US Cyber Command/NSA in the assessment (an action outside the purview of the Homeland Security Committee).

The intent of the similarly vague wording in §2(b)(8) regarding transportation threats is less clear until you think to include energy transportation (specifically gas and oil pipelines). There again we have seen indications of a potential nation-state level cyber-threat that the crafters of this bill might want to have included in this DHS threat assessment.

Saturday, January 19, 2019

Public ICS Disclosures – Week of 01-12-19


This week we have a vendor notification for products from Eaton and a broad research report on vulnerabilities in radio frequency (RF) controllers from TrendMicro.

Eaton Advisory


Eaton published an advisory describing a path traversal vulnerability in their Intelligent Power Manager (IPM) product. This vulnerability is apparently self-reported. Eaton has a new version of the firmware that mitigates the vulnerability.

RF Controller Vulnerabilities


TrendMicro has published a report on vulnerabilities in RF controller systems. Their work on this topic specifically on industrial cranes was highlighted in a Forbes.com article and a presentation at S4x19 this week in Miami.

Friday, January 18, 2019

HR 370 Introduced – Pipeline Security


Last week Rep. Upton (R,MI) introduced HR 370, the Pipeline and LNG Facility Cybersecurity Preparedness Act. This bill is nearly identical to the version of HR 5175 that was reported in the House last session. That bill never made it to the floor of the House for consideration. The bill would provide the Department of Energy with some level of responsibility for pipeline security (specifically including cybersecurity) but without any regulatory authority in the area. The respective responsibilities of DHS/TSA and DOT/PHMSA in the area would not be affected.

Moving Forward


The Republicans have yet to announce their committee rosters so it is too early to tell if Upton will be back on the Energy and Commerce Committee, the Committee to which this bill was referred for consideration. His single co-sponsor {Rep. Loebsack (D,IA)} is a member of that Committee so this bill may end up being considered in Committee.

There is a lesser chance that the bill will move directly to the floor of the House for consideration as so many bills reintroduced in the previous session are. If Upton were really hoping for that to happen, he probably should have had Loebsack listed as the sponsor of the bill.

This bill will almost certainly be approved with substantial bipartisan support. The modifications made in the marked-up version of the previous bill were designed to throw bones to the other committees (Transportation and Homeland Security) that might object to the bill overstepping into their areas of oversight. Additionally, the revised language now seen in this ‘original bill’ eases any potential industry concerns by clarifying that the tools and procedures developed by DOE under direction of this bill {in §2(3) and §2(6)} would be available for ‘voluntary use’ by industry and not mandated.

If this bill makes it through the backroom processes in the House and is considered on the floor, it will be sent to the Senate with bipartisan support.

Bills Introduced – 01-17-19


Yesterday with both the House and Senate in session there were 86 bills introduced. Of those, three may receive additional coverage on this blog:

HR 648 Consolidated Appropriations Act, 2019 Rep. Lowey, Nita M. [D-NY-17]

HR 680 To provide for the establishment of a pilot program to identify security vulnerabilities of certain entities in the energy sector. Rep. Ruppersberger, C. A. Dutch [D-MD-2]

S 174 A bill to provide for the establishment of a pilot program to identify security vulnerabilities of certain entities in the energy sector. Sen. King, Angus S., Jr. [I-ME]

HR 648 is another version of an FY 2019 spending bill that addresses the spending for the shut down agencies in the Federal government (except for DHS). I will only be looking at this bill if there are specific provisions of the bill of interest. The schedule for next week has not yet been published, but I expect that it will be considered on the floor next week. This will be another attempt to get Republican support to re-open the government over Trump’s opposition.

It looks like the other two bills are companion bills, but I cannot be sure until I see the actual bills.

House Accepts Senate Amendment to HR 251 – CFATS Extension


Yesterday the House accepted the Senate amendment to HR 251, the Chemical Facility Anti-Terrorism Standards Program (CFATS) Extension Act. The amendments received bipartisan support and the House agreed to the Senate amendments by voice vote.

While all of the speakers on the floor during the short debate on the bill supported the Senate amendment, it is clear that their support was for extending the CFATS program rather than being specifically in favor of the shortened extension period found in the Senate revision.

Rep. Thompson (D,MS), the original author of the bill and Chair of the Homeland Security Committee said:

“I am concerned this abbreviated authorization period provides less stability for DHS and more uncertainty for the regulated community, but unless we act, the CFATS program will expire at midnight tonight.”

Rep. Shimkus (R,IL), a cosponsor of the bill and Ranking Member of the House Energy and Commerce Committee, before urging members to support the amendments to HR 251, said:

"What troubles me, though, about the other body’s amendment is it doesn’t give CFATS much room to make more improvement. One of the major lessons to come out of the hearings we had in my committee on the CFATS program was that, from 2009 to 2014, 1-year authority extensions did not offer program stability and stagnated the program’s improvement.”

The bill now goes to the President for signature. There has been no indication that President Trump would not sign the bill.

Thursday, January 17, 2019

Reader Comment – Move CFATS to EPA


I received an interesting comment on a post from last week about the passage of HR 251 in the House. The comment was a short question: “Why not move the entire program under EPA?”

This question has been asked many times in the 10-year history of the Chemical Facility Anti-Terrorism Standards (CFATS) program. The short (and less than satisfying answer) is that security is the purview (for better or worse) of the Department of Homeland Security while the EPA is tasked with helping to prevent accidental discharges of hazardous chemicals. The reason that this answer is less than satisfying is that there is a great deal of practical overlap between these two missions.

The Differences


The better way to explain why CFATS should remain in DHS and not the EPA is to look at the differences between the CFATS program and the EPA’s Risk Management Program (RMP). While there is certainly a degree of commonality in the chemicals of concern between the two programs, there is a significant difference in the function of the two programs. The CFATS program is a risk management program and the RMP (despite the name) is a chemical management program.

If a facility has a designated minimum inventory of a covered chemical under the RMP program they are required to institute a number of internal programs to protect that chemical from accidental release as well as measures to coordinate with the local community to allow for an adequate response if those protections fail. The EPA will probably not get around to inspecting that facility for RMP program compliance unless there is a reportable release of a covered chemical. The result of that after-the-fact inspection will be a notice of non-compliance with one or more of the requirements of the program, a fine, and then a resumption of official ignorance until the next reportable release occurs.

That same inventory amount of the same chemical under the CFATS program triggers a reporting requirement to the DHS Infrastructure Security Compliance Division (ISCD). ISCD takes the required elements of that report and evaluates the risk that that facility might be a target of a terrorist attack. If ISCD finds that the facility is at high risk of such an attack, the facility is notified and is required to develop a site security plan (SSP) to substantially reduce that risk. CFATS Chemical Security Inspectors (CSI) will inspect the facility during the development process to help ISCD determine if the SSP provides an adequate level of security for the facility in question. Once the plan is approved, ISCD will conduct periodic compliance inspections to ensure that the facility maintains its security program to the agreed upon standards.

Clearly, the CFATS program is a much more regulatorily hands-on program with a lot more interaction between inspectors and facility personnel. This is only possible because of the relatively small number of facilities covered by the program. Thus, 160 CSI can cover the 3,300+ facilities in the CFATS program. The EPA would require thousands of inspectors to provide similar levels of coverage for the facilities covered by the RMP.

More Chemicals Covered


The CFATS program’s list of chemicals of interest (COI) is similar in many ways to the RMP’s list of covered chemicals. The most toxic and most flammable chemicals are found on both lists with similar inventory levels triggering regulatory interest. The CFATS program, however, also includes chemicals in its COI list that could be used to make chemical warfare agents or improvised explosive devices.

This provides for some interesting differences between the two programs. Chlorine, for example, is covered by both programs as a toxic release hazard at similar inventory levels. Under the CFATS program it is also covered as a potential theft/diversion risk for use as a chemical weapon away from the covered chemical facility at much smaller inventory levels when packaged in portable containers. Again, this is a security risk (and an off-site security risk at that) not an environmental hazard.

Emergency Response Planning


Another area where there is some apparent overlap between the two programs is in the area of emergency response planning. Both programs contain an awareness that they will eventually fail in preventing an incident with serious off-site consequences. This will require that local emergency response personnel take some sort of action to mitigate the harm to local neighbors of the facility.

To date, neither program has a really strong history of ensuring that the covered facilities are providing local emergency response planners with all of the pre-incident assistance that would be needed to plan for an effective response to a hazardous chemical release. There are similar reasons for that failure. First, neither the program officials nor the facility management have any control over the local emergency planning process. Secondly, neither program has the congressional funding to provide the financial resources that the planning process requires.

Again, the CFATS program does have an advantage over the RMP; the CSI should be ensuring as part of their inspection process that the facilities have at least provided the necessary information to the local emergency response folks. Again, the RMP only really provides for checking on this post-incident when it is too late to correct the problem.

Why?


The big question for me is not the ‘why not move it’ question provided by this reader, but why bother to try? Before the CFATS program was started, one could make the argument that at least the EPA had people with chemical safety knowledge that would be useful in setting up the CFATS program. The problem was (and remains) that the CFATS program is not mainly a safety program, it is much more about security than safety. If the CFATS program had been started in the EPA, the agency would have had the same type of initial problems with security that the folks at DHS had with chemical safety.

At this point, however, those types of safety vs security problems have been pretty much overcome. ISCD now has a pretty good mix of security and safety expertise in its CSI force. Their major problem now seems to be a lack of computer security (particularly for control systems) expertise, but that problem would be even worse in the EPA. ISCD is part of CISA and the control system security experience found in parts of that organization could be valuable for correcting the current ISCD cybersecurity shortcomings.

No, the CFATS folks need to remain as part of DHS; a move to EPA would solve almost no problems and create too many new ones. What we need now is for Congress to take a realistic look at the current program and decide what needs to be fixed and how best to take care of those issues. Unfortunately, in the current confrontational political environment we are working under, I expect that it will take longer than 15 months to accomplish that. I hope that I am wrong.

Three Advisories Published – 01-17-19


Today the DHS NCCIC-ICS published three control system security advisories for products from ControlByWeb, ABB and Omron.

ControlByWeb Advisory


This advisory describes two vulnerabilities in the ControlByWeb X-320M web-enabled weather station. The vulnerabilities were reported by John Elder and Tom Westenberg of Applied Risk. ControlByWeb has a firmware update that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Improper authentication - CVE-2018-18881; and
• Cross-site scripting - CVE-2018-18882

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow arbitrary code execution and could cause the device being accessed to require a physical factory reset to restore the device to an operational state.

ABB Advisory


This advisory describes an improper input validation vulnerability in the ABB CP400 Panel Builder TextEditor. The vulnerability was reported by Ivan Sanchez of NullCode. ABB has a new version that mitigates the vulnerability. There is no indication that Sanchez has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerability to allow an attacker to execute arbitrary code and cause a denial-of-service condition within the Text Editor application. The ABB security advisory reports that a social engineering attack would be required to get an operator to load a specially crafted file.

NOTE: I briefly discussed this vulnerability back in early December.

Omron Advisory


This advisory describes five vulnerabilities in the Omron CX-Supervisor. The vulnerabilities were reported by Esteban Ruiz (mr_me) of Source Incite via the Zero Day Initiative. Omron has a new version that mitigates the vulnerabilities. There is no indication that Ruiz has been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• Code injection - CVE-2018-19011;
• Command injection (2) - CVE-2018-19013 and CVE-2018-19015;
• Use after free - CVE-2018-19017; and
• Type confusion - CVE-2018-19019

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to cause a denial-of-service condition, and/or allow an attacker to achieve code execution with privileges within the context of the application.

NOTE: The Omron release notes for the new version recommended in this NCCIC-ICS advisory lists 8 ZDI reported vulnerabilities (no details currently available on ZDI site) corrected and a couple of other cybersecurity improvements that are included.

Bills Introduced – 01-16-19


Yesterday with both the House and Senate in session there were 102 bills introduced. Only one of those bills may receive additional coverage in this blog:

HR 618 To establish the Office of Critical Technologies and Security, and for other purposes. Rep. Ruppersberger, C. A. Dutch [D-MD-2]

I will be watching this bill only if it contains cybersecurity provisions.


Senate Amends and Passes HR 251 – CFATS Extension


Yesterday the Senate amended and passed HR 251, the Chemical Facility Anti-Terrorism Standards Program (CFATS) Extension Act. The amendments were adopted, and the bill passed at the end of yesterday’s session under the unanimous consent process. There was no debate and no votes.

Two amendments were adopted. The first changed the ‘6 years’ figure in the bill’s amendment to the 6 USC 621 Note (Effective and Termination Dates) to read ‘5 years and 3 months’ (a 15-month extension, to March 17th, 2020). The second amendment changed the title to read: “An Act to extend by 15 months the Chemical Facility Anti-Terrorism Standards Program of the Department of Homeland Security, and for other purposes”.

The amendments were proposed by Sen. Johnson (R,WI) and Sen. Peters (D,MI), the Chair and Ranking Member respectively of the Senate Homeland Security and Governmental Affairs Committee. The Hill.com had a brief article last night on the deal making surrounding these amendments.

The House is scheduled to concur with the Senate’s amendments later today. That will take place under the suspension of the rules process with no amendments and a super majority (2/3) vote to pass. The House will almost certainly concur with the Senate amendments. There has been no comment from the President on whether or not he will sign the bill, but neither Rush Limbaugh nor Putin have voiced any opposition. (Okay, the last comment was more than a little flip and over the top, sorry).

Tuesday, January 15, 2019

One Advisory and One Update Published – 01-15-19


Today the DHS NCCIC-ICS published a control system security advisory for products from Leão Consultoria e Desenvolvimento de Sistemas Ltda (LCDS) and updated an advisory for products from Schneider Electric.

LCDS Advisory


This advisory describes eleven vulnerabilities in the LCDS LAquis SCADA. The vulnerabilities were reported by Esteban Ruiz (mr_me) via the Zero Day Initiative. LCDS has a new version that mitigates the vulnerabilities. There is no indication that Ruiz has been provided an opportunity to verify the efficacy of the fix.

The eleven reported vulnerabilities are:

• Improper input validation - CVE-2018-18988;
• Out-of-bounds read (2) - CVE-2018-19004 and CVE-2018-18994;
• Code injection - CVE-2018-19002;
• Untrusted pointer dereference - CVE-2018-19029;
• Out-of-bounds write - CVE-2018-18986;
• Relative path traversal - CVE-2018-18990;
• Injection (2) - CVE-2018-18992 and CVE-2018-18996;
• Use of hard-coded credentials - CVE-2018-18998; and
• Authentication bypass using alternative path or channel - CVE-2018-19000

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow remote code execution, data exfiltration, or cause a system crash.

Schneider Update


This update provides additional information on an advisory that was originally published on January 8th, 2019. The new information includes an additional vulnerability, cryptographic issues.

HR 360 Introduced – Cyber Sense Program


Last week Rep. Latta (R,OH) introduced HR 360, the Cyber Sense Act of 2019. The bill is nearly identical to HR 5239 introduced last session and adopted by the House Energy and Commerce Committee. The new bill is most closely related to the reported version of the earlier bill.

Moving Forward


This bill was scheduled to be considered (along with HR 359) in the House today under the suspension of the rules process, but that has since changed. This was apparently done to provide time for the consideration of HJ Res 27 as I mentioned earlier.

This bill received bipartisan support in Committee during the last session and I suspect that it will again, if/when it reaches the floor of the House.

The House has still not made committee assignments for its members (beyond most Chairs and Ranking Members), so it is not yet possible to definitively comment on the possibility of this bill being considered in the House Energy and Commerce Committee, if that is not pre-empted by floor action. I suspect that Latta and his co-sponsor {Rep. McNerney (D,CA)} will be influential members of that Committee.

Commentary


I still have concerns about the information sharing restrictions in the bill. Most of the devices that would be covered under the Cyber Sense program would be used by manufacturing facilities outside of the electric sector. They could be substantially harmed by restricting the sharing of vulnerability information about those devices by making that information Critical Electrical Infrastructure Information (CEII).

As I outlined in my post on the introduction to HR 5239, I would much rather see a requirement to provide restricted early notification of vulnerabilities to organizations in the electric sector before universal notifications are made by NCCIC-ICS.

Interestingly, device vendors would probably not be restricted from publishing vulnerability reports on their own products, even if ‘protected’ by the CEII labeling. CEII restrictions only apply to government agencies within the United States.

Bills Introduced – 01-14-19


Yesterday with both the House and Senate back in Washington there were 26 bills introduced. Of these, three may receive additional coverage in this blog:

HR 542 To amend the Homeland Security Act of 2002 to establish the National Urban Security Technology Laboratory, and for other purposes. Rep. Rice, Kathleen M. [D-NY-4]

HJ Res 27 Making further continuing appropriations for fiscal year 2019, and for other purposes. Rep. Lowey, Nita M. [D-NY-17]

HJ Res 28 Making further continuing appropriations for fiscal year 2019, and for other purposes. Rep. Lowey, Nita M. [D-NY-17]

I will be watching HR 542 for chemical security issues or drone interdiction issues.

I do not suspect that either of the CRs offered yesterday provides any breakthrough for the Federal Funding Fiasco, but the Democrats in the House continue to look for something to entice the Senate Republicans to make some sort of move towards a resolution. Both CRs are straightforward extensions of the now-expired CR that kept the government operating until December 21st; no other provisions are found in either bill. HJ Res 27 would open the government until February 1st and HJ Res 28 would open the government until February 28th. Neither bill would affect the current expiration of the Chemical Facility Anti-Terrorism Standards (CFATS) program scheduled for January 18th (Friday).

The House Rules Committee is currently scheduled to formulate a rule for the consideration of HJ Res 28 tomorrow. HJ Res 27 will be considered on the floor of the House today under suspension of the rules. Since this would require a super-majority (2/3 vote), this is a move to see how many Republican defections could be garnered for a short CR; not that that would in any way affect Sen. McConnell’s (R,KY) considerations in the Senate.
