Tuesday, January 22, 2019

Two Advisories Published – 01-22-19


Today the DHS NCCIC-ICS published a control system security advisory for products from Johnson Controls and a medical device security advisory for products from Drager.

Johnson Controls Advisory


This advisory describes two vulnerabilities in the Johnson Controls Facility Explorer. The vulnerabilities were reported by Tridium. Johnson Controls has new versions that mitigate the vulnerabilities. There is no indication that Tridium has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Path traversal - CVE-2017-16744; and
• Improper authentication - CVE-2017-16748

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit these vulnerabilities to read, write, and delete sensitive files and thereby gain administrator privileges in the Facility Explorer system.

Drager Advisory


This advisory describes three vulnerabilities in the Drager Infinity Delta patient monitoring devices. The vulnerabilities were reported by Marc Ruef and Rocco Gagliardi, of scip AG. Drager has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Improper input validation - CVE-2018-19010;
• Information exposure through log files - CVE-2018-19014; and
• Improper privilege management - CVE-2018-19012

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to cause information disclosure of device logs, denial of service through device reboots of the patient monitors, and privilege escalation.

NOTE: The Drager security advisory adds an additional vulnerability for one of the affected products; “Several 3rd party components were found outdated and vulnerable to several published security vulnerabilities.”

CFATS and Gun Shot Detection Systems


I got an interesting question from a reader yesterday. I whipped out a quick reply that I still stand by, but I thought that it might need some additional discussion.

Question and Response


The original question was:

“Is there a requirement for chemical plants to have gunshot detection/notification? Esp after Metcalf incident, I would think.”

My initial reply was:

“The CFATS program certainly does not include such a requirement. I would not think that this would be cost effective for most manned facilities unless they were in a high crime area.”

CFATS Requirement?


First off, there are very few ‘security requirements’ under the Chemical Facility Anti-Terrorism Standards (CFATS) program. The program was crafted with the idea that each facility is unique and would have to design its security program to fit that unique character while fulfilling the 18 operationally defined ‘Risk-Based Performance Standards’ (RBPS). Those standards are outlined at 6 CFR 27.230(a) and discussed in more depth in the RBPS Guidance Document. There is no specific mention of ‘gun shot detection systems’ in either document, thus there is no ‘CFATS requirement’ to employ such a system.

The RBPS Guidance Document does make two important points about detection systems. First:

“For a protective system to prevail, detection needs to occur prior to an attack (i.e., in the attack planning stages) or early enough in the attack where there is sufficient delay between the point of detection and the successful conclusion of the attack for the arrival of adequate response forces to thwart the attempt.” [pg 50]

And second:

“Typically, when a sensor or other IDS [intrusion detection system] component identifies an event of interest, an alarm notifies security, which then will assess the event either directly by sending persons to the location of the event or remotely by alerting personnel to evaluate sensor inputs and surveillance imagery.” [pg 52]

Interior and Exterior Shots Fired


There are two general scenarios where a gunshot detection system might be of use for a CFATS covered facility; shots fired inside the facility and shots fired outside the facility (okay, I guess there are no other scenarios).

For shots fired within the facility, it is, by definition, too late to prevent the attack. A shot locator could give response personnel information to help pin down the location of the shooter. That will be problematic for most chemical facilities, since they do not have armed guards (the vast majority of chemical facilities in the United States do not). Detailed prior coordination with local law enforcement (lacking at most chemical facilities) would be required to ensure that responding officers knew about the shot detection capability and had timely access to the location information when (and after) they arrived on scene.

The problem for shots fired outside of the facility would be determining whether the impact area or trajectory of the projectiles was inside of the facility. For incidents where there is no facility impact, the ability to determine that would be helpful in framing the interior incident response (do not panic, they are shooting at someone else). For shots targeted at the facility (with malice aforethought or inadvertently), the location of the impact point could usefully inform the emergency response within the facility.

Unfortunately, most shot detection systems do not track trajectory or impacts (okay, I do not know of ANY that do, but I am not current on the technology so someone may have addressed this issue). Setting up a system to predict impacts or trajectory would require at least two different detection systems: one to locate the initial gun shot and one to detect the projectile in flight at one or more points along its path. The second portion of that problem would require multiple sensors around the perimeter of the facility to detect boundary penetration.
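To make the trajectory question above concrete, here is an added worked example (mine, not from the original post or any shot detection vendor) of the geometry such a two-sensor system would have to do: given a muzzle location and one in-flight position, extrapolate the line of fire and find where, if anywhere, it crosses the facility perimeter. Everything here is a constructed assumption: a flat 2-D map in metres, a rectangular facility, straight-line flight (no bullet drop or wind), and a hypothetical sensor that can report both positions. It also separates the interior and exterior cases the post discusses.

```python
"""Classify a gunshot relative to a facility perimeter (constructed example).

Assumptions (not from the post): 2-D site coordinates in metres, straight-line
projectile flight, and a hypothetical sensor that reports the muzzle location
plus one later in-flight position of the projectile.
"""
from typing import List, Optional, Tuple

Point = Tuple[float, float]


def ray_segment_intersection(origin: Point, direction: Point,
                             a: Point, b: Point) -> Optional[float]:
    """Ray parameter t >= 0 where origin + t*direction crosses segment a-b,
    or None if the ray misses the segment (or runs parallel to it)."""
    ox, oy = origin
    dx, dy = direction
    ax, ay = a
    bx, by = b
    ex, ey = bx - ax, by - ay            # segment vector
    denom = dx * ey - dy * ex
    if abs(denom) < 1e-12:               # parallel: no single crossing point
        return None
    wx, wy = ax - ox, ay - oy
    t = (wx * ey - wy * ex) / denom      # distance along the ray
    u = (wx * dy - wy * dx) / denom      # position along the segment, 0..1
    if t >= 0.0 and 0.0 <= u <= 1.0:
        return t
    return None


def point_in_polygon(p: Point, poly: List[Point]) -> bool:
    """Standard even-odd ray casting test; used to tell interior from
    exterior shots."""
    x, y = p
    inside = False
    j = len(poly) - 1
    for i in range(len(poly)):
        xi, yi = poly[i]
        xj, yj = poly[j]
        if (yi > y) != (yj > y):
            x_cross = xi + (y - yi) * (xj - xi) / (yj - yi)
            if x < x_cross:
                inside = not inside
        j = i
    return inside


def trajectory_entry_point(muzzle: Point, in_flight: Point,
                           perimeter: List[Point]) -> Optional[Point]:
    """Extrapolate the line from the muzzle through the observed in-flight
    position and return the first perimeter crossing (the boundary
    penetration point), or None if the line never reaches the facility."""
    direction = (in_flight[0] - muzzle[0], in_flight[1] - muzzle[1])
    best_t = None
    n = len(perimeter)
    for i in range(n):
        t = ray_segment_intersection(muzzle, direction,
                                     perimeter[i], perimeter[(i + 1) % n])
        if t is not None and (best_t is None or t < best_t):
            best_t = t
    if best_t is None:
        return None
    return (muzzle[0] + best_t * direction[0], muzzle[1] + best_t * direction[1])


def classify_shot(muzzle: Point, in_flight: Point,
                  perimeter: List[Point]) -> Tuple[str, Optional[Point]]:
    """Return one of 'interior', 'exterior_inbound' (with the perimeter entry
    point) or 'exterior_away' (shots fired, but not at us)."""
    if point_in_polygon(muzzle, perimeter):
        return ("interior", None)
    entry = trajectory_entry_point(muzzle, in_flight, perimeter)
    if entry is None:
        return ("exterior_away", None)
    return ("exterior_inbound", entry)


# Constructed 200 m x 100 m facility footprint, corners listed in order.
FACILITY: List[Point] = [(0.0, 0.0), (200.0, 0.0), (200.0, 100.0), (0.0, 100.0)]

if __name__ == "__main__":
    shots = {
        "inside the fence": ((100.0, 50.0), (110.0, 50.0)),
        "from the west, into the site": ((-50.0, 50.0), (-40.0, 50.0)),
        "from the west, past the site": ((-50.0, 50.0), (-40.0, 30.0)),
    }
    for label, (muzzle, seen) in shots.items():
        print(label, "->", classify_shot(muzzle, seen, FACILITY))
```

The `exterior_away` result is the case the post calls "do not panic, they are shooting at someone else"; `exterior_inbound` returns the perimeter point where an interior response would expect impacts. A real deployment would need a third dimension and an error model for both sensor fixes, since a small bearing error at the muzzle becomes a large position error at the fence line.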

The Metcalf Scenario


The original question specifically mentioned the Metcalf situation; the April 16th, 2013 sniper attack on the unmanned Metcalf Transmission Substation. The sniper was firing at transformers with the apparent intent (this incident is still ‘unsolved’) of causing equipment failure through a loss-of-coolant incident.

A shot detection system at this facility would not have prevented the attack, but it might have provided timely enough notification for police to apprehend the perpetrator. Unfortunately, this presumes a timely response to a ‘shots fired’ report without any indication of an antipersonnel attack.

There are few ‘unmanned’ chemical facilities, but many facilities are not manned 24/7 so this scenario could apply to such facilities. Again, the big problem is not being able to determine what the target of the shooting is when the shot detection system goes off. This is a big problem in rural areas where the shots may be from legitimate hunters.

Alternatives


If a facility is concerned with protecting critical infrastructure from gunshot attacks (and storage tanks quickly come to mind in this regard) it is probably more effective to provide some sort of ballistic protection in the form of either intermediate barriers or bullet-resistant coverings (ballistic plate or fabrics) for high-risk equipment. Even if gunshot detection is employed, such protection would still be necessary if there is a high risk of a ballistic attack; gunshot detectors (shot location or impact location) only provide for response, they DO NOT prevent damage.
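The RBPS Guidance quote earlier in this post (detection has to come early enough that the remaining delay exceeds the response time) and the point just made (detectors provide response, not prevention) can both be put into numbers with an adversary-path timeline. The following is an added example, mine rather than anything from the RBPS Guidance Document or the original post, and the method it uses is a simplified version of the Sandia-style timeline analysis (critical detection point and probability of interruption) that I am assuming here; the path elements, delay times, detection probabilities and response times are all constructed.

```python
"""Adversary-path timeline check (constructed example, not RBPS guidance).

Model assumptions (mine): the adversary passes a sequence of path elements in
order; each element takes `delay_s` seconds to defeat and its sensors detect
the adversary with probability `p_detect` at the start of that element; the
response force needs `response_time_s` seconds to arrive once a detection is
assessed. Detection "prevails" only if the delay still ahead of the adversary
is at least the response time.
"""
from dataclasses import dataclass
from math import prod
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PathElement:
    name: str
    delay_s: float     # seconds the adversary needs to get past this element
    p_detect: float    # probability the sensors covering it detect the adversary


def remaining_delay(path: List[PathElement], index: int) -> float:
    """Delay still ahead of an adversary detected at the start of element
    `index` (that element's own delay plus everything after it)."""
    return sum(e.delay_s for e in path[index:])


def critical_detection_point(path: List[PathElement],
                             response_time_s: float) -> Optional[int]:
    """Index of the last element at which a detection still leaves the
    response force enough time. None if even detection at the first element
    comes too late (the RBPS quote's failure case)."""
    cdp = None
    for i in range(len(path)):
        if remaining_delay(path, i) >= response_time_s:
            cdp = i
        else:
            break                      # remaining delay only shrinks from here
    return cdp


def probability_of_interruption(path: List[PathElement],
                                response_time_s: float) -> float:
    """Probability that at least one detection happens at or before the
    critical detection point; detections after it only support response."""
    cdp = critical_detection_point(path, response_time_s)
    if cdp is None:
        return 0.0
    p_miss_all = prod(1.0 - e.p_detect for e in path[: cdp + 1])
    return 1.0 - p_miss_all


# Constructed path for a hypothetical tank farm; numbers are illustrative.
BASE_PATH: List[PathElement] = [
    PathElement("perimeter fence", delay_s=30.0, p_detect=0.5),
    PathElement("open yard", delay_s=60.0, p_detect=0.3),
    PathElement("process area gate", delay_s=90.0, p_detect=0.7),
    PathElement("storage tank (attack task)", delay_s=120.0, p_detect=0.1),
]


def with_gunshot_detector(path: List[PathElement],
                          p_detect: float = 0.95) -> List[PathElement]:
    """Same path, but the final element (where shots are fired at the target)
    is covered by a gunshot detector: near-certain detection, at the very
    end of the path."""
    *head, target = path
    return head + [PathElement(target.name, target.delay_s, p_detect)]


def compare(response_time_s: float) -> Tuple[float, float]:
    """Probability of interruption without and with the gunshot detector."""
    return (probability_of_interruption(BASE_PATH, response_time_s),
            probability_of_interruption(with_gunshot_detector(BASE_PATH),
                                        response_time_s))


if __name__ == "__main__":
    for rft in (400.0, 300.0, 200.0, 100.0):
        base, with_det = compare(rft)
        print(f"response {rft:5.0f}s: P(interrupt) {base:.3f} -> "
              f"{with_det:.3f} with gunshot detector")
```

With a 300 second response the critical detection point is the fence, so the gunshot detector at the tank changes nothing: the shots it hears are already the attack. It only raises the probability of interruption once the response time drops below the attack task time itself (100 seconds in the constructed numbers), which is the Metcalf problem in a single table.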

Conclusion


In short, I stand behind my earlier conclusion that these systems are not required for CFATS facilities and I doubt that they would be cost effective if employed. If systems are available (at a ‘reasonable’ cost) for predicting impact locations for shots fired, and a facility is in an area where there are frequently shots fired, it might be worthwhile to employ such a system to alert internal response personnel for inadvertent bullet impacts on site.

Monday, January 21, 2019

HR 480 Introduced – DHS Threat Assessment


A bit over a week ago Rep. Rogers (R,AL) introduced HR 480, the Homeland Threat Assessment Act. The bill would require DHS to conduct an annual “assessment of the terrorist threat to the homeland” {§2(a)}.

The Assessment


The bill would require the annual assessment to include {§2(b)}:

• Empirical data assessing terrorist activities and incidents over time in the United States;
• An evaluation of current terrorist tactics, as well as ongoing and possible future changes in terrorist tactics;
• An assessment of criminal activity encountered or observed by officers or employees of components in the field which is suspected of financing terrorist activity;
• Detailed information on all individuals denied entry to or removed from the United States as a result of material support provided to a foreign terrorist organization;
• The efficacy and spread of foreign terrorist organization propaganda, messaging, or recruitment;
• An assessment of threats, including cyber threats, to the homeland, including to critical infrastructure and Federal civilian networks;
• An assessment of current and potential terrorism and criminal threats posed by individuals and organized groups seeking to unlawfully enter the United States; and
• An assessment of threats to the transportation sector, including surface and aviation transportation systems.

The bill would require the assessment to be presented to Congress in a classified form with unclassified summaries and, potentially, unclassified annexes.

Moving Forward


Rogers is the Ranking Member of the House Homeland Security Committee and Rep. Thompson (D,MS), the single cosponsor, is the Chair. This means that this bill will almost certainly be considered in Committee in the not too distant future. There is nothing in the bill that would cause any serious opposition and it would almost certainly receive strong bipartisan support, both in Committee and on the Floor of the House.

Commentary


Now this bill is clearly about a ‘terrorist’ threat assessment, but the language in two of the sub-paragraphs in §2(b) very carefully does not contain the word ‘terrorist’ when all of the remaining sub-paragraphs do contain that word (or variations thereon). This would lead me to suspect that Rogers (or the Committee Staff who actually crafted the legislation) intended the cybersecurity and transportation assessments to include threats other than just those posed by terrorists.

So far, the only terrorist cyber threat that we have seen in actual practice has been a variety of doxing attacks (publication of private personal information) against various members of the armed forces and their families. There is nothing that would stop various terrorist groups (or radicalized individuals) from conducting more serious cyber-attacks, but nation-state actors are currently much more of a cyberthreat than terrorists.

While the wording of this sub-paragraph {§2(b)(6)} does not specifically call for reporting on nation-state level cybersecurity threats, the wording is vague enough to invite DHS to do so. If that is actually the intent of the wording, it would appear that it was done with the intention of avoiding stepping on the toes of the House Intelligence Committee or specifically involving US Cyber Command/NSA in the assessment (an action outside the purview of the Homeland Security Committee).

The intent of the similarly vague wording in §2(b)(8) regarding transportation threats is less clear until you think to include energy transportation (specifically gas and oil pipelines). There again we have seen indications of a potential nation-state level cyber-threat that the crafters of this bill might want to have included in this DHS threat assessment.

Saturday, January 19, 2019

Public ICS Disclosures – Week of 01-12-19


This week we have a vendor notification for products from Eaton and a broad research report on vulnerabilities in radio frequency (RF) controllers from TrendMicro.

Eaton Advisory


Eaton published an advisory describing a path traversal vulnerability in their Intelligent Power Manager (IPM) product. This vulnerability is apparently self-reported. Eaton has a new version of the firmware that mitigates the vulnerability.

RF Controller Vulnerabilities


TrendMicro has published a report on vulnerabilities in RF controller systems. Their work on this topic specifically on industrial cranes was highlighted in a Forbes.com article and a presentation at S4x19 this week in Miami.

Friday, January 18, 2019

HR 370 Introduced – Pipeline Security


Last week Rep. Upton (R,MI) introduced HR 370, the Pipeline and LNG Facility Cybersecurity Preparedness Act. This bill is nearly identical to the version of HR 5175 that was reported in the House last session. That bill never made it to the floor of the House for consideration. The bill would provide the Department of Energy with some level of responsibility for pipeline security (specifically including cybersecurity) but without any regulatory authority in the area. The respective responsibilities of DHS/TSA and DOT/PHMSA in the area would not be affected.

Moving Forward


The Republicans have yet to announce their committee rosters so it is too early to tell if Upton will be back on the Energy and Commerce Committee, the Committee to which this bill was referred for consideration. His single co-sponsor {Rep. Loebsack (D,IA)} is a member of that Committee so this bill may end up being considered in Committee.

There is a lesser chance that the bill will move directly to the floor of the House for consideration, as so many bills reintroduced from the previous session are. If Upton were really hoping for that to happen, he probably should have had Loebsack listed as the sponsor of the bill.

This bill will almost certainly be approved with substantial bipartisan support. The modifications made in the marked-up version of the previous bill were designed to throw bones to the other committees (Transportation and Homeland Security) that might object to the bill overstepping into their areas of oversight. Additionally, the revised language now seen in this ‘original bill’ eases any potential industry concerns by clarifying that the tools and procedures developed by DOE under direction of this bill {in §2(3) and §2(6)} would be available for ‘voluntary use’ by industry and not mandated.

If this bill makes it through the backroom processes in the House and is considered on the floor, it will be sent to the Senate with bipartisan support.

Bills Introduced – 01-17-19


Yesterday with both the House and Senate in session there were 86 bills introduced. Of those, three may receive additional coverage on this blog:

HR 648 Consolidated Appropriations Act, 2019 Rep. Lowey, Nita M. [D-NY-17] 

HR 680 To provide for the establishment of a pilot program to identify security vulnerabilities of certain entities in the energy sector. Rep. Ruppersberger, C. A. Dutch [D-MD-2]

S 174 A bill to provide for the establishment of a pilot program to identify security vulnerabilities of certain entities in the energy sector. Sen. King, Angus S., Jr. [I-ME]

HR 648 is another version of an FY 2019 spending bill that addresses the spending for the shut-down agencies in the Federal government (except for DHS). I will only be looking at this bill if there are specific provisions of the bill of interest. The schedule for next week has not yet been published, but I expect that it will be considered on the floor next week. This will be another attempt to get Republican support to re-open the government over Trump’s opposition.

It looks like the other two bills are companion bills, but I cannot be sure until I see the actual bills.

House Accepts Senate Amendment to HR 251 – CFATS Extension


Yesterday the House accepted the Senate amendment to HR 251, the Chemical Facility Anti-Terrorism Standards Program (CFATS) Extension Act. The amendments received bipartisan support and the House agreed to the Senate amendments by voice vote.

While all of the speakers on the floor during the short debate on the bill supported the Senate amendment, it is clear that their support was for extending the CFATS program rather than being specifically in favor of the shortened extension period found in the Senate revision.

Rep. Thompson (D,MS), the original author of the bill and Chair of the Homeland Security Committee said:

“I am concerned this abbreviated authorization period provides less stability for DHS and more uncertainty for the regulated community, but unless we act, the CFATS program will expire at midnight tonight.”

Rep. Shimkus (R,IL), a cosponsor of the bill and Ranking Member of the House Energy and Commerce Committee, before urging members to support the amendments to HR 251, said:

“What troubles me, though, about the other body’s amendment is it doesn’t give CFATS much room to make more improvement. One of the major lessons to come out of the hearings we had in my committee on the CFATS program was that, from 2009 to 2014, 1-year authority extensions did not offer program stability and stagnated the program’s improvement.”

The bill now goes to the President for signature. There has been no indication that President Trump would not sign the bill.

Thursday, January 17, 2019

Reader Comment – Move CFATS to EPA


I received an interesting comment on a post from last week about the passage of HR 251 in the House. The comment was a short question: “Why not move the entire program under EPA?”

This question has been asked many times in the 10-year history of the Chemical Facility Anti-Terrorism Standards (CFATS) program. The short (and less than satisfying answer) is that security is the purview (for better or worse) of the Department of Homeland Security while the EPA is tasked with helping to prevent accidental discharges of hazardous chemicals. The reason that this answer is less than satisfying is that there is a great deal of practical overlap between these two missions.

The Differences


The better way to explain why CFATS should remain in DHS and not the EPA is to look at the differences between the CFATS program and the EPA’s Risk Management Program (RMP). While there is certainly a degree of commonality in the chemicals of concern between the two programs, there is a significant difference in the function of the two programs. The CFATS program is a risk management program and the RMP (despite the name) is a chemical management program.

If a facility has a designated minimum inventory of a covered chemical under the RMP program they are required to institute a number of internal programs to protect that chemical from accidental release as well as measures to coordinate with the local community to allow for an adequate response if those protections fail. The EPA will probably not get around to inspecting that facility for RMP program compliance unless there is a reportable release of a covered chemical. The result of that after-the-fact inspection will be a notice of non-compliance with one or more of the requirements of the program, a fine, and then a resumption of official ignorance until the next reportable release occurs.

That same inventory amount of the same chemical under the CFATS program triggers a reporting requirement to the DHS Infrastructure Security Compliance Division (ISCD). ISCD takes the required elements of that report and evaluates the risk that that facility might be a target of a terrorist attack. If ISCD finds that the facility is at high risk of such an attack, the facility is notified and is required to develop a site security plan (SSP) to substantially reduce that risk. CFATS Chemical Security Inspectors (CSI) will inspect the facility during the development process to help ISCD determine if the SSP provides an adequate level of security for the facility in question. Once the plan is approved, ISCD will conduct periodic compliance inspections to ensure that the facility maintains their security program to the agreed upon standards.

Clearly, the CFATS program is a much more hands-on regulatory program with a lot more interaction between inspectors and facility personnel. This is only possible because of the relatively small number of facilities covered by the program. Thus, 160 CSI can cover the 3,300+ facilities in the CFATS program. The EPA would require thousands of inspectors to provide similar levels of coverage for the facilities covered by the RMP.

More Chemicals Covered


The CFATS program’s list of chemicals of interest (COI) is similar in many ways to the RMP’s list of covered chemicals. The most toxic and most flammable chemicals are found on both lists with similar inventory levels triggering regulatory interest. The CFATS program, however, also includes chemicals in its COI list that could be used to make chemical warfare agents or improvised explosive devices.

This provides for some interesting differences between the two programs. Chlorine, for example, is covered by both programs as a toxic release hazard at similar inventory levels. Under the CFATS program it is also covered as a potential theft/diversion risk for use as a chemical weapon away from the covered chemical facility at much smaller inventory levels when packaged in portable containers. Again, this is a security risk (and an off-site security risk at that) not an environmental hazard.

Emergency Response Planning


Another area where there is some apparent overlap between the two programs is in the area of emergency response planning. Both programs contain an awareness that they will eventually fail in preventing an incident with serious off-site consequences. This will require that local emergency response personnel take some sort of action to mitigate the harm to local neighbors of the facility.

To date, neither program has a real strong history of ensuring that the covered facilities are providing local emergency response planners with all of the pre-incident assistance that would be needed to plan for an effective response to a hazardous chemical release. There are similar reasons for that failure. First, neither the program officials nor the facility management have any control over the local emergency planning process. Secondly, neither program has the congressional funding to provide the financial resources that the planning process requires.

Again, the CFATS program does have an advantage over the RMP; the CSI should be ensuring as part of their inspection process that the facilities have at least provided the necessary information to the local emergency response folks. Again, the RMP only really provides for checking on this post-incident, when it is too late to correct the problem.

Why?


The big question for me is not the ‘why not move it’ question provided by this reader, but why bother to try? Before the CFATS program was started, one could make the argument that at least the EPA had people with chemical safety knowledge that would be useful in setting up the CFATS program. The problem was (and remains) that the CFATS program is not mainly a safety program, it is much more about security than safety. If the CFATS program had been started in the EPA, the agency would have had the same type of initial problems with security that the folks at DHS had with chemical safety.

At this point, however, those types of safety vs security problems have been pretty much overcome. ISCD now has a pretty good mix of security and safety expertise in its CSI force. Their major problem now seems to be a lack of computer security (particularly for control systems) expertise, but that problem would be even worse in the EPA. ISCD is part of CISA and the control system security experience found in parts of that organization could be valuable for correcting the current ISCD cybersecurity shortcomings.

No, the CFATS folks need to remain as part of DHS; a move to EPA would solve almost no problems and create too many new ones. What we need now is for Congress to take a realistic look at the current program and decide what needs to be fixed and how best to take care of those issues. Unfortunately, in the current confrontational political environment we are working under, I expect that it will take longer than 15 months to accomplish that. I hope that I am wrong.

Three Advisories Published – 01-17-19


Today the DHS NCCIC-ICS published three control system security advisories for products from ControlByWeb, ABB and Omron.

ControlByWeb Advisory


This advisory describes two vulnerabilities in the ControlByWeb X-320M web-enabled weather station. The vulnerabilities were reported by John Elder and Tom Westenberg of Applied Risk. ControlByWeb has a firmware update that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Improper authentication - CVE-2018-18881; and
• Cross-site scripting - CVE-2018-18882

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to achieve arbitrary code execution and could leave the affected device requiring a physical factory reset to restore it to an operational state.

ABB Advisory


This advisory describes an improper input validation vulnerability in the ABB CP400 Panel Builder TextEditor. The vulnerability was reported by Ivan Sanchez of NullCode. ABB has a new version that mitigates the vulnerability. There is no indication that Sanchez has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerability to execute arbitrary code and cause a denial-of-service condition within the Text Editor application. The ABB security advisory reports that a social engineering attack would be required to get an operator to load a specially crafted file.

NOTE: I briefly discussed this vulnerability back in early December.

Omron Advisory


This advisory describes five vulnerabilities in the Omron CX-Supervisor. The vulnerabilities were reported by Esteban Ruiz (mr_me) of Source Incite via the Zero Day Initiative. Omron has a new version that mitigates the vulnerabilities. There is no indication that Ruiz has been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• Code injection - CVE-2018-19011;
• Command injection (2) - CVE-2018-19013 and CVE-2018-19015;
• Use after free - CVE-2018-19017; and
• Type confusion - CVE-2018-19019

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to cause a denial-of-service condition and/or achieve code execution with the privileges of the application.

NOTE: The Omron release notes for the new version recommended in this NCCIC-ICS advisory list 8 ZDI-reported vulnerabilities as corrected (no details are currently available on the ZDI site), along with a couple of other cybersecurity improvements.

Bills Introduced – 01-16-19


Yesterday with both the House and Senate in session there were 102 bills introduced. Only one of those bills may receive additional coverage in this blog:

HR 618 To establish the Office of Critical Technologies and Security, and for other purposes. Rep. Ruppersberger, C. A. Dutch [D-MD-2]

I will be watching this bill only if it contains cybersecurity provisions.


Senate Amends and Passes HR 251 – CFATS Extension


Yesterday the Senate amended and passed HR 251, the Chemical Facility Anti-Terrorism Standards Program (CFATS) Extension Act. The amendments were adopted, and the bill passed at the end of yesterday’s session under the unanimous consent process. There was no debate and no votes.

Two amendments were adopted. The first changed the ‘6 years’ in the bill’s amendment to the 6 USC 621 Note (Effective and Termination Dates) to read ‘5 years and 3 months’ (a 15-month extension, to April 18th, 2020). The second amendment changed the title to read: “An Act to extend by 15 months the Chemical Facility Anti-Terrorism Standards Program of the Department of Homeland Security, and for other purposes”.

The amendments were proposed by Sen. Johnson (R,WI) and Sen. Peters (D,MI), the Chair and Ranking Member respectively of the Senate Homeland Security and Governmental Affairs Committee. The Hill.com had a brief article last night on the deal making surrounding these amendments.

The House is scheduled to concur with the Senate’s amendments later today. That will take place under the suspension of the rules process with no amendments and a super majority (2/3) vote to pass. The House will almost certainly concur with the Senate amendments. There has been no comment from the President on whether or not he will sign the bill, but neither Rush Limbaugh nor Putin have voiced any opposition. (Okay, the last comment was more than a little flip and over the top, sorry).

Tuesday, January 15, 2019

One Advisory and One Update Published – 01-15-19


Today the DHS NCCIC-ICS published a control system security advisory for products from Leão Consultoria e Desenvolvimento de Sistemas Ltda (LCDS) and updated an advisory for products from Schneider Electric.

LCDS Advisory


This advisory describes eleven vulnerabilities in the LCDS LAquis SCADA. The vulnerabilities were reported by Esteban Ruiz (mr_me) via the Zero Day Initiative. LCDS has a new version that mitigates the vulnerabilities. There is no indication that Ruiz has been provided an opportunity to verify the efficacy of the fix.

The eleven reported vulnerabilities are:

• Improper input validation - CVE-2018-18988;
• Out-of-bounds read (2) - CVE-2018-19004 and CVE-2018-18994;
• Code injection - CVE-2018-19002;
• Untrusted pointer dereference - CVE-2018-19029;
• Out-of-bounds write - CVE-2018-18986;
• Relative path traversal - CVE-2018-18990;
• Injection (2) - CVE-2018-18992 and CVE-2018-18996;
• Use of hard-coded credential - CVE-2018-18998; and
• Authentication bypass using alternative path or channel - CVE-2018-19000

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow remote code execution, data exfiltration, or cause a system crash.

Schneider Update


This update provides additional information on an advisory that was originally published on January 8th, 2019. The new information includes an additional vulnerability (cryptographic issues).

HR 360 Introduced – Cyber Sense Program


Last week Rep. Latta (R,OH) introduced HR 360, the Cyber Sense Act of 2019. The bill is nearly identical to HR 5239, introduced last session and adopted by the House Energy and Commerce Committee. The new bill is most closely related to the reported version of the earlier bill.

Moving Forward


This bill was scheduled to be considered (along with HR 359) in the House today under the suspension of the rules process, but that has since changed. This was apparently done to provide time for the consideration of HJ Res 27, as I mentioned earlier.

This bill received bipartisan support in Committee during the last session and I suspect that it will again, if/when it reaches the floor of the House.

The House has still not made committee assignments for its members (beyond most Chairs and Ranking Members), so it is not yet possible to definitively comment on the possibility of this bill being considered in the House Energy and Commerce Committee, if that is not pre-empted by floor action. I suspect that Latta and his co-sponsor {Rep. McNerney (D,CA)} will be influential members of that Committee.

Commentary


I still have concerns about the information sharing restrictions in the bill. Most of the devices that would be covered under the Cyber Sense program would be used by manufacturing facilities outside of the electric sector. They could be substantially harmed by restricting the sharing of vulnerability information about those devices by making that information Critical Electric Infrastructure Information (CEII).

As I outlined in my post on the introduction to HR 5239, I would much rather see a requirement to provide restricted early notification of vulnerabilities to organizations in the electric sector before universal notifications are made by NCCIC-ICS.

Interestingly, device vendors would probably not be restricted from publishing vulnerability reports on their own products, even if ‘protected’ by the CEII labeling. CEII restrictions only apply to government agencies within the United States.

Bills Introduced – 01-14-19


Yesterday with both the House and Senate back in Washington there were 26 bills introduced. Of these, three may receive additional coverage in this blog:

HR 542 To amend the Homeland Security Act of 2002 to establish the National Urban Security Technology Laboratory, and for other purposes. Rep. Rice, Kathleen M. [D-NY-4]

HJ Res 27 Making further continuing appropriations for fiscal year 2019, and for other purposes. Rep. Lowey, Nita M. [D-NY-17]

HJ Res 28 Making further continuing appropriations for fiscal year 2019, and for other purposes. Rep. Lowey, Nita M. [D-NY-17]

I will be watching HR 542 for chemical security issues or drone interdiction issues.

I do not suspect that either of the CR’s offered yesterday provides any breakthrough for the Federal Funding Fiasco, but the Democrats in the House continue to look for something to entice the Senate Republicans to make some sort of move towards a resolution. Both CR’s are straightforward extensions of the now-expired CR that kept the government operating until December 21st; no other provisions are found in either bill. HJ Res 27 would open the government until February 1st and HJ Res 28 would open the government until February 28th. Neither bill would affect the current expiration of the Chemical Facility Anti-Terrorism Standards (CFATS) program scheduled for January 18th (Friday).

The House Rules Committee is currently scheduled to formulate a rule for the consideration of HJ Res 28 tomorrow. HJ Res 27 will be considered on the floor of the House today under suspension of the rules. Since this would require a super-majority (2/3 vote), this is a move to see how many Republican defections could be garnered for a short CR; not that that would in any way affect Sen. McConnel’s (R,KY) considerations in the Senate.

Monday, January 14, 2019

HR 359 Introduced – DOE Cybersecurity


Last week Rep. McNerney (D,CA) introduced HR 359, the Enhancing Grid Security through Public-Private Partnerships Act. This bill is nearly identical to HR 5240 that was introduced last session and cleared through the House Energy and Commerce Committee without modification. While the earlier bill did not make it to the floor of the House, HR 359 will be considered under suspension of rules tomorrow.

The only differences between the two bills are that HR 359 now includes ‘the Electric Reliability Organization’ in the §2(a) list of organizations with which the Secretary of Energy will consult in developing the program to promote and advance physical security and cybersecurity of electric utilities. The second and final change is that the new bill includes a definition of ‘the Electric Reliability Organization’ in the list of definitions in §5. Needless to say, these changes are inconsequential.

The House leadership expects that this bill will pass with substantial bipartisan support; the same support that it received in Committee last session.


Saturday, January 12, 2019

ICS Public Disclosures – Week of 01-05-19


This week we have five new vendor disclosures and seven vendor updates, all for products from Siemens.

EN100 Ethernet Advisory


Siemens published an advisory for their EN100 Ethernet communication module for SWT 3000 describing two denial of service vulnerabilities. The vulnerabilities were reported by Victor Nikitin, Vladislav Suchkov, and Ilya Karpov from ScadaX. Siemens has identified a workaround that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

SICAM A8000 Advisory


Siemens published an advisory for their SICAM A8000 RTU series describing a denial of service vulnerability. The vulnerability was reported by Emanuel Duss and Nicolas Heiniger from Compass Security. Siemens has new versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

CP1604 and CP1616 Advisory


Siemens published an advisory for their CP1604 and CP1616 devices describing a denial of service vulnerability. The vulnerability is self-reported. Siemens has new versions that mitigate the vulnerability.

SIMATIC S7-300 Advisory


Siemens published an advisory for their SIMATIC S7-300 CPU describing a denial of service vulnerability. The vulnerability was reported by the Electronic Technology Information Research Institute. Siemens has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

S7-1500 Advisory


Siemens published an advisory for their S7-1500 CPU describing two denial of service vulnerabilities. The vulnerabilities were reported by Georgy Zaytsev, Dmitry Sklyarov, Druzhinin Evgeny, Ilya Karpov, and Maxim Goryachy from Positive Technologies. Siemens has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Siemens Updates


As part of the swath of 12 advisories and updates issued by Siemens this week there was one update that was not covered by NCCIC-ICS updates. This was for vulnerabilities addressed in ICS-CERT generic alerts; NCCIC-ICS does not update these alerts for new information from the existing vendor list on the alert, since the links on those alerts already take interested parties to this latest information.

SSB-439005: v 1.2 - Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP - Added CVE-2018-19931 and CVE-2018-19932;

There were six additional updates that I suspect that NCCIC-ICS could still pick up in the coming week.

SSA-592007: v 1.3 - Denial-of-Service Vulnerability in Industrial Products – NCCIC-ICS published their latest update (ICSA-18-079-02A) on October 9th, 2018 - Added update for SIMATIC S7-300 incl. F and T;
SSA-535640: v 1.3 - Vulnerability in Industrial Products – NCCIC-ICS published their latest update (ICSA-17-243-01B) on November 30th, 2017 - Added fix for SIMATIC NET PC Software;
SSA-348629: v 1.7 - Denial-of-Service Vulnerability in SIMATIC PCS 7, SIMATIC WinCC, SIMATIC WinCC Runtime Professional and SIMATIC NET PC Software - NCCIC-ICS published their latest update (ICSA-18-088-03E) on December 13th, 2018 - Updated patch links for WinCC 7.2 and 7.4;
SSA-346262: v 2.1 - Denial-of-Service in Industrial Products - NCCIC-ICS published their latest update (ICSA-17-339-01J) on December 12th, 2018 - Updated solution for SIMATIC S7-300;
SSA-293562: v 2.6 - Vulnerabilities in Industrial Products - NCCIC-ICS published their latest update (ICSA-17-129-02N) on December 12th, 2018 - Updated information for CP 1243-1; and
SSA-181018: v 1.3 - Heap Overflow Vulnerability in SCALANCE X switches, RUGGEDCOM WiMAX, RFID 181-EIP, and SIMATIC RF182C - NCCIC-ICS published their original advisory (ICSA-18-165-01) on June 13th, 2018 - Added solution for RUGGEDCOM WiMAX

Friday, January 11, 2019

HR 43 Introduced – Cyber Vulnerability Disclosure Coordination


Last week Rep. Jackson-Lee (D,TX) introduced HR 43, the Cyber Vulnerability Disclosure Reporting Act. The bill would require a report to Congress on the DHS policies and procedures for coordinating cyber vulnerability disclosures. This is essentially the same bill as HR 3202 that Jackson-Lee introduced in the 115th Congress. That bill was passed in the House on a voice vote but was never taken up by the Senate.

The unclassified report would be submitted to Congress within 240 days of the date of enactment. The requirement for establishing the policies and procedures is found in 6 USC 148(m) {or 6 USC 659(m) in the yet to be published 2018 version of the USC; modified by last year’s CISA authorization bill}.

The bill would require an annex to the report that would contain information on {§2(a)}:

• Instances in which such policies and procedures were used to disclose cyber vulnerabilities in the prior year; and
• The degree to which such information was acted upon by industry and other stakeholders.

Moving Forward


Committee assignments have not yet been completed, but I suspect that Ms. Jackson-Lee will return to the House Homeland Security Committee (the committee to which this bill was assigned for consideration) and will probably be a Subcommittee Chair. If that comes to pass, this bill will receive quick attention from the Committee and will probably be considered by the full House under suspension of the rules. It would be expected to receive wide bipartisan support once again. Whether or not it will be taken up by the Senate is a completely different question.

House Passes Two FY 2019 Spending Bills


Yesterday the House passed two FY 2019 spending bills; HR 265, for Agriculture, Rural Development, Food and Drug Administration, and related agencies; and HR 267, for Department of Transportation, and Housing and Urban Development, and related agencies. Both bills passed by near party-line votes; HR 265 – 243 to 183 and HR 267 – 244 to 180.

The final spending bill in this series (HR 266, for Department of the Interior, environment, and related agencies) will be considered on the floor today. A similar result is expected.

NOTE: None of these bills contains cybersecurity or chemical security/transportation provisions that would lead to detailed coverage here.

None of these spending bills is likely to be considered in the Senate. Yesterday during an attempt to consider HR 21, the FY 2019 Consolidated Spending Bill, under the Senate’s unanimous consent process, Sen. McConnel (R,KY) objected to consideration of the bill (pg S 113). In his discussion leading up to the official objection to proceeding McConnel noted:

“We [McConnel and Sen. Schumer (D,NY)] agreed that we wouldn’t waste the Senate’s time on show votes related to government funding until a global agreement was reached that could pass the House, pass the Senate, and which the President could sign.”

Thus, until all five (McConnel, Schumer, Rep. Pelosi (D,CA), Rep. McCarthy (R,CA) and President Trump) reach an agreement on the termination of the Federal Funding Fiasco, the Senate is unlikely to consider any spending bill.

Bills Introduced – 01-10-19


Yesterday with both the House and Senate in session there were 109 bills introduced. Only one of those bills is likely to see further consideration in this blog:

HR 480 To require an annual homeland threat assessment, and for other purposes. Rep. Rogers, Mike D. [R-AL-3]


Four Advisories and One Update Published – 01-10-19


Yesterday the DHS ICS-CERT published four control system security advisories for products from Tridium, Pilz, Omron and Emerson. They also updated a previously issued advisory for products from Schneider. The Tridium advisory was originally posted to the HSIN ICS-CERT library on November 29, 2018.

Tridium Advisory


This advisory describes a cross-site scripting vulnerability in the Niagara Enterprise Security, Niagara AX, and Niagara 4 products. The vulnerability was reported by Daniel Santos and Elisa Costante of SecurityMatters. Tridium has new versions available that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an authenticated user to inject client-side scripts into some web pages that could then be viewed by other users.

NOTE: The link to the Tridium bulletin is for a .PDF download. Registered users can view the bulletin here.

Pilz Advisory


This advisory describes a clear-text storage of sensitive information vulnerability in the Pilz PNOZmulti Configurator tool. The vulnerability was reported by Gjoko Krstikj of Applied Risk. Pilz has a new version that mitigates the vulnerability. There is no indication that Krstikj was provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow sensitive data to be read from the system.

Omron Advisory


This advisory describes a type confusion vulnerability in the Omron CX-Protocol within CX-One. The vulnerability was reported by Esteban Ruiz (mr_me) of Source Incite via the Zero Day Initiative. Omron has a new version that mitigates the vulnerability. There is no indication that Ruiz has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to execute code under the privileges of the application.

Emerson Advisory


This advisory describes an authentication bypass vulnerability in the Emerson DeltaV Distributed Control System Workstations. The vulnerability was reported by Alexander Nochvay of Kaspersky Lab. Emerson has a patch that mitigates the vulnerability. There is no indication that Nochvay has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to shut down a service, resulting in a denial of service.

Schneider Update


This update provides additional information on an advisory that was originally published on February 23rd, 2017. The new information includes:

• New researcher acknowledgements; and
• New products affected.

Thursday, January 10, 2019

Bills Introduced – 01-09-19


Yesterday with both the House and Senate in session there were 89 bills introduced. Of these, three bills will likely receive future mention in this blog:

HR 359 To provide for certain programs and developments in the Department of Energy concerning the cybersecurity and vulnerabilities of, and physical threats to, the electric grid, and for other purposes. Rep. McNerney, Jerry [D-CA-9]

HR 360 To require the Secretary of Energy to establish a voluntary Cyber Sense program to test the cybersecurity of products and technologies intended for use in the bulk-power system, and for other purposes. Rep. Latta, Robert E. [R-OH-5] 

HR 370 To require the Secretary of Energy to carry out a program relating to physical security and cybersecurity for pipelines and liquefied natural gas facilities. Rep. Upton, Fred [R-MI-6] 

Bills Also Worth Mentioning


I am also going to call attention here to six other bills that would attempt to mitigate the effects of the current Federal Funding Fiasco. I will briefly discuss these bills in this post and will probably not mention them again in this blog.

HR 367 Making appropriations for Coast Guard pay in the event an appropriations Act expires before the enactment of a new appropriations Act. Rep. DeFazio, Peter A. [D-OR-4]

HR 371 Making appropriations for certain Federal employees working during the Government shutdown beginning on or about December 22, 2018, and for other purposes. Rep. Biggs, Andy [R-AZ-5]

HR 374 To make continuing appropriations for Coast Guard pay in the event that appropriations for Coast Guard pay in fiscal year 2019 expire and a new appropriations Act has not been enacted. Rep. Byrne, Bradley [R-AL-1]

HR 419 To make continuing appropriations for the Federal Aviation Administration for fiscal year 2019. Rep. Van Drew, Jefferson [D-NJ-2]

HR 421 Making continuing appropriations for the Coast Guard. Rep. Wild, Susan [D-PA-7] 

S 72 A bill to suspend the enforcement of certain civil liabilities of Federal employees and contractors during a lapse in appropriations, and for other purposes. Sen. Schatz, Brian [D-HI]

FFF Effect Mitigation


As we quickly approach the 21-day FFF record it is interesting to note the efforts by a wide variety of congresscritters to protect various agencies and employees of the Federal government from the effects of the FFF. At first glance it would seem that these efforts are commendable as they would reduce the suffering of employees who are, after all, bearing the direct brunt of this political foofaraw.

On the other hand, and there is ALWAYS an ‘other hand’ when it comes to politics, I think that these efforts are misguided. While reducing the pain and suffering of these employees would be great for them and their families, it would also serve to reduce the political price for shutting down the government (or portions thereof) and make future shutdowns more likely.

On the first Tuesday in November, 2020, the voters of this country will remember this little game of political hostage taking. The hardcore supporters of both the President and the Democratic leadership of Congress will probably reward them for their intransigence, but the vast majority of folks in the center will take revenge for those hurt during this FFF. They will go into the voting booth having decided who was mainly at fault (both sides share at least some portion of the blame) and will vote for their political retirement.

That is as it should be; there should be a high price to pay for using the disruption of the government as a political tool. Unfortunately, any measures taken to reduce the impact of that disruption will lessen the anger of the electorate and thus reduce the price to be paid for this game of political one-upmanship. That could have the unintended consequence of extending the length of the current FFF and increasing the chance of a repeat performance in FY 2020.

Wednesday, January 9, 2019

HR 251 Passed in House – CFATS Extension


Yesterday the House passed HR 251, the Chemical Facility Anti-Terrorism Standards (CFATS) Program Extension Act, by a strongly bipartisan vote of 414 to 3. The debate on the bill was even more one-sided as no one spoke in opposition. The only negative comments dealt with non-security related safety issues at chemical facilities.

It is looking more and more like emergency response and community communications are going to be major issues for the Democrats in the House in crafting a long-term extension of the CFATS program. Both of these issues are certainly related to security programs at these facilities, but the clamor from Democrats makes it clear that they are concerned about these issues at chemical plants that are not currently covered by the CFATS program.

While current EPA and OSHA regulations do address these issues, what is clear is that the proactive enforcement seen with the CFATS program ensures that processes are put in place to address regulatory issues and those processes are subsequently maintained. The active CFATS inspection process is much better at ‘enforcing’ regulatory compliance than either the EPA’s or OSHA’s reactive inspection process.

To be fair, both of these agencies cover a much larger (at least an order of magnitude larger) regulated community and neither agency has the budget or personnel available to implement an inspection scheme as effective as the CFATS process.

Perhaps it is time to look at modifying the EPA’s Risk Management Program to establish a special high-risk category of facilities that would be required to comply with a risk-based regulatory process like that seen in the CFATS program, where a risk-analysis and risk-prevention planning process would be required, with EPA approval of the risk prevention plan and subsequent periodic inspections for plan compliance.

This risk prevention plan would certainly be expected to address the emergency response and community communication concerns that have been expressed by Democrats in their discussions about the CFATS program. Those processes would probably be better covered under the EPA’s mantle of protecting the environment and local communities from accidental chemical releases than under the DHS anti-terrorism standards.


Bills Introduced – 01-08-19


Yesterday with both the House and Senate in Washington there were 132 bills introduced. Of these, eight may receive further attention in this blog:

HR 265 Making appropriations for Agriculture, Rural Development, Food and Drug Administration, and Related Agencies programs for the fiscal year ending September 30, 2019, and for other purposes. Rep. Bishop, Sanford D., Jr. [D-GA-2]

HR 266 Making appropriations for the Department of the Interior, environment, and related agencies for the fiscal year ending September 30, 2019, and for other purposes. Rep. McCollum, Betty [D-MN-4]

HR 267 Making appropriations for the Department of Transportation, and Housing and Urban Development, and related agencies for the fiscal year ending September 30, 2019, and for other purposes. Rep. Price, David E. [D-NC-4]

HR 269 To reauthorize certain programs under the Public Health Service Act and the Federal Food, Drug, and Cosmetic Act with respect to public health security and all-hazards preparedness and response, to clarify the regulatory framework with respect to certain nonprescription drugs that are marketed without an approved drug application, and for other purposes. Rep. Eshoo, Anna G. [D-CA-18]

HR 327 To prohibit entities from requiring individuals to submit to arbitration for disputes arising from a security breach, and for other purposes. Rep. Lieu, Ted [D-CA-33]

HR 328 To require the Secretary of State to design and establish a Vulnerability Disclosure Process (VDP) to improve Department of State cybersecurity and a bug bounty program to identify and report vulnerabilities of internet-facing information technology of the Department of State, and for other purposes. Rep. Lieu, Ted [D-CA-33]

HR 334 To increase cybersecurity education and job growth, and for other purposes. Rep. Lieu, Ted [D-CA-33]

HR 350 Making continuing appropriations for the Coast Guard. Rep. Van Drew, Jefferson [D-NJ-2]

FY 2019 Spending Bills


It looks like the Democratic leadership in the House has accepted that the Senate will not take action on the two spending bills that they had passed last week (no surprise here). So they are going to go through the ‘normal’ legislative process for each of the four (of five) spending bills that were not passed last session (well they missed the DHS bill, but I think they are going to go with the CR for DHS that was passed last week for the time being). I have not included HR 264, Financial Services and General Government, in the list above because there is little in that bill that I am interested in.

The House will begin considering these bills today, starting with HR 264. This is a major change from the legislative plan for the week that was announced last Friday. The GPO has not yet printed any of these bills (they are behind because of the large (but not unusual) number of bills introduced in the first days of this session), so we will only get to see ‘draft’ copies on the Majority Leader’s web site sometime the day before the bill is considered. The leadership is already violating their ’72 hour’ rule, but this was to be expected in ‘fast moving’ situations like this.

The House Rules Committee adopted a single rule yesterday for the consideration of all four of the spending bills. It provides for a closed rule with limited debate and no amendments. I expect that we will see a party-line vote on each of these bills in the House and the Senate will ignore them as well (at least until some sort of agreement is reached between the Democrats and the President).

In any case, the Democrats will point to these actions as ‘proof’ that they are actively working on opening the government. Political grandstanding? Just a little.

HR 269


This is the medical emergency response bill that I discussed yesterday. It was passed in the House last night on a very strongly bipartisan vote of 401 to 17 with very little debate. It will be interesting to see how long it takes the Senate to take up this bill, but there is no guarantee that it will. If it does reach the Senate floor, I expect that it will do so under their unanimous consent process.

Tuesday, January 8, 2019

2 Advisories and an Update Published – 01-08-19


Today the DHS NCCIC-ICS published two control system security advisories and an update for a previously published advisory; all for products from Schneider Electric.

IIoT Monitor Advisory


This advisory describes three vulnerabilities in the Schneider IIoT Monitor monitoring platform. The vulnerabilities were reported by rgod via the Zero Day Initiative. Schneider has new software available that mitigates the vulnerabilities. There is no indication that rgod has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Path traversal - CVE-2018-7835;
• Unrestricted upload of a file with dangerous type - CVE-2018-7836; and
• XXE - CVE-2018-7837

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to

Zelio Soft 2 Advisory


This advisory describes a use after free vulnerability in the Schneider Zelio Soft programming platform. The vulnerability was reported by rgod and mdm of 9SG Security Team via ZDI. Schneider has a new version that mitigates the vulnerability. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow for remote code execution when opening a specially crafted project file.

NOTE: I briefly discussed this vulnerability last Saturday.

U.motion Builder Update


This update provides additional information on an advisory that was originally published on June 29th, 2017. The new information includes:

• Adding the other 17 vulnerabilities that I mentioned in the original post; and
• Report of a firmware update that mitigates ‘most of these vulnerabilities’;

NOTE: The latest revised Schneider advisory (v5) that was published on November 20th, 2018 reports that the firmware update only mitigates six of the vulnerabilities.

Siemens Update


This is the second Tuesday in January and Siemens published five new advisories and seven updates this morning. None made it to the NCCIC-ICS site today. I expect that we should start seeing most of them tomorrow.

House to Consider Medical Emergency Response Bill


When the House returns to Washington today one of the first items on its agenda will be an as-yet-unintroduced bill, the Pandemic and All-Hazards Preparedness and Advancing Innovation Act of 2019. This is pretty much the same bill as HR 7328 from the last session which passed in the House by a strongly bipartisan vote of 367 to 9 (all 9 Nays were from Republicans).

Cybersecurity


The bill contains the same vague cybersecurity provisions that were seen in HR 7328. The requirements of §703 are not so vague. The bill would require the Secretary of Health and Human Services to submit to Congress a “strategy for public health preparedness and response to address cybersecurity threats” {§703(a)(1)}. That strategy would include:

• Identifying the duties, functions, and preparedness goals for which the Secretary is responsible in order to prepare for and respond to such cybersecurity threats, including metrics by which to measure success in meeting preparedness goals;
• Identifying gaps in public health capabilities to achieve such preparedness goals; and
• Strategies to address identified gaps and strengthen public health emergency preparedness and response capabilities to address such cybersecurity threats.

What is vague is the type of cybersecurity threat that these strategies would address. The bill relies on 6 USC 1501(5) for the definition of ‘cybersecurity threat’. While that definition relies on the ICS-inclusive definition of ‘information system’ found in §1501(9), the definition of ‘cybersecurity threat’ uses terminology that is more IT-centric; actions that “may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system”.

Thus, it would seem that the bill is targeting classic information system attacks like ransomware attacks on hospitals or the theft or publication of personally identifiable information or classified/sensitive information about emergency response capabilities. Section 703 does not, however, provide any authority to address these gaps through regulatory actions.

The conflict in the two §1501 definitions could, however, provide a proactive Secretary sufficient leeway to include in the strategies potential responses to incidents related to the release of industrial chemicals resulting from a cyberattack. Unfortunately, I do not foresee that much foresight from a political appointee in this Department; certainly not the current Secretary.

Industrial Chemical Incident Response


This bill amends a wide variety of existing laws covered under 42 USC 201 et seq. While there are frequent mentions of ‘chemical, biological, radiological, or nuclear agents’ in both the bill and the underlying statutes, the focus here remains on biological agents. While this is an understandable view to be taken by HHS, it essentially ignores the more likely threat of widespread exposure to industrial chemicals released to the environment through either a deliberate effort or a large-scale industrial accident.

As I have pointed out a number of times in this blog and more recently in my ‘Future ICS Security News’ blog, the release of any of a wide variety of industrial chemicals could cause a significant public health situation where local hospitals and first responders would be ill equipped to respond with life-saving measures in a timely manner.

The failure of the medical establishment, including HHS, to have adequately planned for and stockpiled necessary equipment and countermeasures is due to a two-part inadequacy in our current system. Local administrators have no way of knowing of the local scope of the potential for release of toxic industrial chemicals, and if they had the knowledge would not have the funds necessary to prepare for an adequate response on a local basis.

Incidents like the 2015 rural release of acrylonitrile point out the potential problem. If that relatively minor railroad accident had occurred in an urban area or a more densely populated suburb, the lack of availability of Cyanokits would have turned it into a mass casualty event of staggering proportions. Or a potential incident like a chlorine attack could lead to a severe shortage of the ventilators that could prevent a large number of deaths in such an attack. These are the types of issues that should have been included in this bill.

Unfortunately, this bill will not see any committee consideration and the suspension of the rules process under which it will be considered today does not provide for any possibility of floor amendments. If/when this bill is considered in the Senate, it will probably receive the same rubber stamp approach to passage.

The sad part is that the House Energy and Commerce Committee will try to address issues like this in their consideration of a bill to provide for long-term reauthorization of the Chemical Facility Anti-Terrorism Standards (CFATS) program. While that would certainly be a step forward, the relatively small number of chemical facilities addressed in that manner and the total lack of coverage of transportation related issues would ensure that such an effort would only address a very small part of the problem.
