Thursday, February 28, 2019

One Advisory and One Update Published – 02-28-19


Today the DHS NCCIC-ICS published a control system security advisory for products from PSI GridConnect and an update for a previously published advisory for products from Kunbus.

PSI Advisory


This advisory describes a cross-site scripting vulnerability in the PSI Telecontrol Gateway, Smart Telecontrol Unit family,  and IEC104 Security Proxy. The vulnerability was reported by M. Can Kurnaz. PSI has a version that mitigates the vulnerability. There is no indication that Kurnaz has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to execute dynamic scripts in the context of the application, which could allow cross-site scripting attacks.

Kunbus Update


This update provides additional information on an advisory that was originally published on February 5th, 2019 and updated on February 7th, 2019. The update provides a link to a new version that mitigates the vulnerabilities. There is no indication that the researcher involved was provided an opportunity to verify the efficacy of the fix.

PHMSA Publishes Train OSPR Final Rule


Today the DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) published a final rule in the Federal Register (84 FR 6910-6952) on “Oil Spill Response Plans and Information Sharing for High-Hazard Flammable Trains”. The notice of proposed rulemaking (NPRM) was published in July 2016. The rulemaking modifies existing requirements for comprehensive oil spill response plans (COSRPs), establishing petroleum oil thresholds that apply to an entire train consist. The rule also requires railroads to share information about high-hazard flammable train (HHFT) operations with State and tribal emergency response commissions to improve community preparedness. It also incorporates a new voluntary standard for testing initial boiling point of crude oil; ASTM D7900.

The preamble to the rule makes it clear that the final rule implements the provisions of the NPRM “with minor changes for plain language or clarification in consideration of the comments received to the NPRM”. The preamble provides tables with the summary of the differences between the NPRM and the final rule:


No changes were made to the portion of the rule incorporating the new initial boiling point test method.

The effective date for this rule is April 1st, 2019.

Commentary


As I have stated before, while I think that the change in threshold requirements for COSRPs is appropriate, it continues to fail to address the planning requirements for addressing the fire and explosion response planning necessary for Highly Hazardous Flammable Trains (HHFT). Unfortunately, neither PHMSA nor the Federal Railroad Administration have been provided authority to require such emergency response planning. This is going to require congressional action.

Wednesday, February 27, 2019

San Pedro Butane Storage Again


At today’s CFATS hearing before the House Homeland Security Committee there was an interesting exchange between Rep. Barragan (D,CA) and Director Wulf (video starting at 1:59:41) about a butane storage facility near the Port of Los Angeles. The name of the facility is not mentioned, but it sounded very familiar. I have been pouring back through my records and I think that I know why it sounded so familiar.

Back in the summer of 2013 (I have been at this for a while now) then Rep. Waxman (D,CA) sent a letter to DHS expressing concerns about the CFATS related emergency response planning at the ‘Rancho Palos Verde facility’. He explained that chemical security inspectors had accepted company reports that they had shared their emergency response plan with local first responders while the EPA was taking action against the facility for failure to do exactly that.

Barragan’s comments today were related to the specific hazards associated with the facility and whether or not those had been adequately evaluated by the CFATS program. ISCD Director Wulf assured her that those hazards were well understood by the program. She also questioned if compliance inspections were being rushed (with the implied possibility for overlooking problems) and Wulf assured her that CSI were not being administratively pushed to too quickly successfully conclude a compliance inspection.

What was not addressed in the exchange was whether or not the CFATS security program at the facility adequately protected the community. Remembering that the CFATS program is designed to help facilities protect themselves from attack, not accidents; the chemical hazard is still there. Other agencies (the EPA and OSHA) oversee the programs designed to prevent accidents. And no safety or security program is ever going to be 100% effective.

Barragan’s concerns today were not the same as those expressed six years ago by Waxman, but local communities are going to continue to be concerned about their safety when living near big and potentially dangerous chemical facilities. The fact that this local facility has twice made the national news for chemical safety reasons, without an actual incident taking place, clearly reminds us about the legitimacy of those concerns.

The other thing of interest that this facility highlights is the legitimacy of the concerns expressed today by a number of the Committee Members about how well the CFATS program ensures that information about emergency response issues is shared with the local emergency response community. It is not enough that the facility have an emergency response plan drawn up, but it must be shared with the community and should be exercised to work out any bugs in the plan well before an incident takes place. I am sure that we are going to hear more about this issue in the House before a bill is sent to the Senate.

CFATS Hearing – 02-27-19


Today the House Homeland Security Committee held a hearing on the CFATS program. This hearing was with government witnesses only and provided Members with a chance to closely question Director Wulf of DHS Infrastructure Security Compliance Division. A video of the hearing is available on the Committee web site.

Witnesses


The two government witnesses at today’s hearing were:

• David Wulf, DHS – Testimony; and
Nathan Anderson, GAO – Testimony

Their initial testimony at the hearing contained no new information. Wulf summarized the advances that the CFATS program had undergone since the 2014 authorization bill was passed. Similarly, Anderson summarized the issues that GAO had previously identified in reports issued through last summer and the actions that GAO has verified that ISCD had undertaken to comply with the recommendations from those reports.

Hearing Overview


This is the first full Committee hearing on the CFATS program since the 2014 reauthorization bill was passed. The Committee has had a mixed past on how it has looked at the CFATS program depending on which party was in control of Congress. While both parties have broadly supported the CFATS program, the Democrats have tended to be more supportive of environmental and safety advocates view points on chemical safety issues and Republicans more supportive of business interests.

Interestingly today we saw an internal conflict between the majority and minority at the very start of the meeting. Apparently, the Republicans had asked for a non-governmental witness (probably from one of the many affected industry associations) to participate in today’s hearing and that was disallowed by Chairman Thompson since the hearing was being limited to governmental witnesses.

Thompson faced similar conflicts during the last two sessions of Congress as the Ranking Member and utilized the Minority’s right to hold separate hearings to get their views on the record. Rep. Rogers (R,AL) the Ranking Member, formally asked for a separate hearing today to hear from their witness.

It will be interesting to see how these minor conflicts (at least it looks like today’s problem was relatively minor) affect future operations of the Committee.

Information Sharing


As I noted in my discussions about last session’s CFATS hearing, the Democrats are certainly looking at the CFATS reauthorization process as a chance to address information sharing about chemical hazards. Thompson in particular wants to ensure that the problems encountered at the West Fertilizer incident are not repeated.

There were a number of questions to Wulf about the efforts that ISCD has undertaken to ensure that information about chemical hazards at CFATS facilities is shared with first responders. Wulf noted that facilities are required to coordinate with local police and emergency response personnel as part of their Site Security Plan (SSP) processes. Failure to effect that coordination would be cause for disapproval of an SSP or failing an SSP compliance inspection.

Wulf also reported in response to questions by Rep. Torres-Small (D,NM) that ISCD had placed ‘outreach officials’ at each regional office to aid in the outreach process with State and local officials.

Cybersecurity


Cybersecurity was another topic that brought questions from multiple Committee Members. Wulf received multiple questions about ‘cybersecurity requirements’. He noted that there were no specific ‘requirements’ since the CFATS regulations rely on risk-base performance standards that allow facilities to craft security measures specific to the risks at their facilities.

In response to a question by Rep. Langevin (D,RI), Anderson noted that GAO had not taken a specific look at cybersecurity processes within the CFATS program, but as a general matter they had concerns throughout DHS about the human resources that the Department had for supporting cybersecurity matters. Wulf noted that all chemical security inspectors (CSI) had ‘basic’ cybersecurity training; about half had an additional two-weeks of specific cybersecurity training and there was a limited number of cybersecurity subject matter expert CSI that provided specific support where needed.

Rep. Slotkin (D,MI) had some questions about cybersecurity threat awareness within ISCD. Wulf noted that DHS NCCIC was responsible for tracking cybersecurity threats and vulnerabilities. He also reported that there is an active information sharing process between NCCIC and ISCD. He also explained that as new threats are identified, facilities are notified and are prepared to put additional security measures into place as required.

Inherently Safer Technology


Wulf was handed a number of questions about the potential of adding requirements for implementing inherently safer technology (IST) to the CFATS program. He noted that over the years in which the CFATS program has been in operation over 3,000 facilities had been removed from the program by implementing various IST processes. Wulf admitted that the information collected by ISCD as those facilities left the program could provide information that could prove valuable for both facilities in the CFATS program and the 30,000 plus other facilities that have reported to ISCD via Top Screens but were not included in the program. Currently, ISCD does not have a process for that information sharing.

Fusion Centers


Rep. Rose (D,NY) asked an interesting series of questions about CFATS and fusion centers (a topic that I had never heard before). Wulf reported that ISCD has supported a number of fusion centers with CSI. Details were spare, but it sounded like specific CSI or CSI supervisors were in contact with fusion centers, not stationed with fusion centers full-time.

Commentary


For the most part I was pleasantly surprised at the general lack of speechifying during the questioning phase of this hearing. For most of the nearly two-hour long hearing, reasonably well-informed questions were posed to Wulf and Anderson with sufficient time allowed for responses.

Thompson is definitely interested in moving CFATS authorization legislation quickly to the President. He does not want to see a repeat of last year’s slow playing legislation leading to a near shutdown of the program. It will be interesting to see how quickly the staff crafts a bill to introduce over Thompson’s and Roger’s sponsorship. It will be interesting to see if Thompson can rope the leadership from the House Energy and Commerce Committee into cosponsoring such legislation like he did with the short-term reauthorization last month.

One delaying factor may be the need for a subcommittee hearing to look at cybersecurity concerns. The Cybersecurity and Infrastructure Subcommittee held a hearing last year, but it did not focus on cybersecurity. We may see Rep. Richmond (D,LA) hold a more cybersecurity focused hearing next month. That hearing would be interesting given the presence of both Reps. Slotkin (D,MI) and Langevin (D,RI) on the Subcommittee.

Tuesday, February 26, 2019

One Advisory Published – 02-26-19


Today the DHS NCCIC-ICS published a control system security advisory for products from Moxa. The advisory describes ten vulnerabilities in the Moxa IKS and EDS industrial switches. The vulnerabilities were reported by Ivan B, Sergey Fedonin, and Vyacheslav Moskvin of Positive Technologies Security. Moxa has a firmware patch that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The ten reported vulnerabilities are:

• Classic buffer overflow - CVE-2019-6557;
• Cross-site request forgery - CVE-2019-6561;
• Cross-site scripting - CVE-2019-6565;
• Improper access control - CVE-2019-6520;
• Improper restriction of excessive authentication request - CVE-2019-6524;
• Missing encryption of sensitive data - CVE-2019-6526;
• Out-of-bounds read - CVE-2019-6522;
• Unprotected storage of credentials - CVE-2019-6518;
• Predictable from observable state - CVE-2019-6563; and
Uncontrolled resource consumption - CVE-2019-6559

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow the reading of sensitive information, remote code execution, arbitrary configuration changes, authentication bypass, sensitive data capture, reboot of the device, device crash, or full compromise of the device.

Committee Hearings – Week of 02-24-19


This week with both the House and Senate in session there are a wide variety of important congressional hearings taking place. Among those are some that are of particular interest here; EMP effects on the grid, the CFATS program, and two cybersecurity hearings.

EMP and the Grid


On Wednesday the Senate Homeland Security and Governmental Affairs Committee will be holding a hearing on “Perspectives on Protecting the Electric Grid from an Electromagnetic Pulse or Geomagnetic Disturbance”. A witness list is not yet available.

CFATS Program


On Wednesday the House Homeland Security Committee will be holding a hearing on “Securing Our Nation’s Chemical Facilities: Building on the Progress of the CFATS Program”. The witness list includes:

• David Wulf, ISCD, DHS; and
Nathan Anderson, GAO

The lack of industry witnesses on the list may be just temporary, or it may indicate that Chairman Thompson (D,MS) intends to take a close look at the most recent GAO report (not yet available) on the program.

Surface Transportation Cybersecurity


Today two subcommittee of the House Homeland Security Committee will hold a hearing on “Securing U.S. Surface Transportation from Cyber Attacks”. The witness list includes:

• Bob Kolasky, CISA, DHS;
• Sonya T. Proctor, TSA, DHS;
• Rebecca Gagliostro, Interstate Natural Gas Association of America;
• James A. Lewis, Center for Strategic and International Studies;
• Erik Robert Olson, Rail Security Alliance; and
• John Hultquist, FireEye

Interesting that there will be witnesses representing pipelines and railroads, but no one from the trucking industry. Hopefully that has more to do with House committee politics than representing a cybersecurity blind spot.

DOD Cybersecurity


Today the Subcommittee on Intelligence and Emerging Threats and Capabilities of the House Committee on Armed Services will hold a hearing on “Department of Defense Information Technology, Cybersecurity, and Information Assurance”. The witness list includes:

• Dana Deasy, CIO, DOD;
• Lisa Hershman, Acting Chief Management Officer, DOD; and
• BG Dennis Crall, Deputy Principal Cyber Advisor, DOD

This looks like it will be principally an IT cybersecurity hearing, but topics of supply chain security may arise.

Sunday, February 24, 2019

Bills Introduced – 02-22-19


On Friday with the House meeting in proforma session there were 18 bills introduced. One of these may received future coverage in this blog:

HR 1315 To amend title II of the Department of Energy Organization Act to reauthorize an office within the Department of Energy, to direct the Secretary of Energy to establish and carry out a comprehensive, nationwide energy-related industries jobs program, and for other purposes.  Rep. Rush, Bobby L. [D-IL-1] 

I will be watching this bill to see if it includes specific language addressing cybersecurity jobs or training for such jobs.


Saturday, February 23, 2019

NIST Sends SP 800-171 Update to OMB for Review


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received NIST Special Publication 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) for review. This update was not listed in the Fall 2018 Unified Agenda.

The last revision of this document was published last June. It is not clear what changes that NIST is proposing to make to the document; there is nothing on the SP 800-171 web site.

This document establishes cybersecurity requirements for electronic systems that store, receive or send Controlled Unclassified Information (CUI). It mainly covers contractors, but facilities covered under the Chemical Facility Anti-Terrorism Standards (CFATS) program would be required to comply with these standards on systems containing Chemical-Terrorism Vulnerability Information (CVI).

Public ICS Disclosures – Week of 02-16-19


This week we have one vendor disclosure for products from CODESYS and two exploits for previously disclosed vulnerabilities for products from NUOO.

CODESYS Advisory


CODESYS has published an advisory that describes a directory traversal vulnerability in their runtime system. This vulnerability was reported by Ivan Cheyrezy of Schneider Electric. 3S has released a new version that mitigates the vulnerability. There is no indication that Cheyrezy has been provided an opportunity to verify the efficacy of the fix.

NOTE: Somehow, I suspect that Schneider identified this vulnerability in one of their products and traced it back to CODESYS code in that product. We may be seeing a Schneider advisory for this vulnerability in the near future.

NUOO Exploits


Pedro Ribeiro published two Metasploit modules for two vulnerabilities (here and here) that he had previously disclosed through NCCIC-ICS for vulnerabilities in the NUOO Central Management Software platform.

The two vulnerabilities for which the Metasploit modules were published are:

• Unrestricted upload of file of dangerous type; and
SQL injection


Friday, February 22, 2019

S 333 Introduced – Cybersecurity Consortium


Earlier this month Sen. Cornyn (R,TX) introduced S 333, National Cybersecurity Preparedness Consortium Act of 2019. The bill would authorize the DHS NCCIC to work with a consortium of non-profit entities to “develop, update, and deliver cybersecurity training in support of homeland security” {§2(1)}.

S 333 is a companion bill to HR 1062 that I discussed earlier this week. As I noted in that blog post, Neither Cornyn, nor his two co-sponsors are members of the Senate Homeland Security and Governmental Affairs Committee. Normally this would mean that it would be unlikely for that Committee to consider the bill. Interestingly, this bill is an exception to that ‘rule’. The bill was considered on February 13th and adopted without amendment in a voice vote.

If this bill makes it to the floor of the Senate (probably under their unanimous consent process) it is likely to pass.

OMB Approves FRA Automation Induced Human Error Study ICR


Yesterday the OMB’s Office of Information and Regulatory Affairs announced that it had approved an information collection request (ICR) from the DOT’s Federal Railroad Administration for an Experimental Investigation of Automation-induced Human Error in the Locomotive Cab. The study will be conducted by the DOT’s  Volpe Center using their Cab Technology Integration Laboratory (CTIL).

The Study


The study will look at two different types of train automation systems currently in use by railroads in the United states; the Trip Optimizer and Electronic Train Management System (ETMS) Positive Train Control (PTC). According to the final Supporting Statement [.DOXC download] provided to OIRA, the study will assess three working hypotheses:

• Automation provides specific performance benefits (e.g., TO reduces fuel usage; PTC prevents overspeeding and transgressions into workzones or past a red signal) compared with manual control;
• Automation does not reduce perceived workload in the locomotive cab compared with manual control; and
Automation condition will show more errors in high workload situations than in low workload situations (e.g., distractions lead to failure to notice mode transitions) and the manual condition will not.

That Supporting Document provides a fairly detailed description of the proposed test. The idea behind this study is that disruptions to the engineer/conductor attention at critical junctures in train operation lead to errors. The specific disruption that will be studied will be a radio call from the dispatcher carefully timed to changes in operation of the automation system. The Supporting Document notes that an earlier study suggested that this might be a specific cause of operator error in using train automation systems.

The results of the study will be published as an FRA technical report at some future date.

Commentary


This looks like it will be an interesting study and it may have important implications for a number of other areas where automated safety critical systems require operator interactions.

The three hypotheses being tested here are an interesting look at automation systems in their own right. The first goes to the efficacy of the safety-critical automation system; if that assumption is not true, then the entire design of the system is called into question. The second hypothesis is a human factors issue, but it also is an important question of safety design. If the safety critical system requires operator action, it should not add to the operator’s workload else it increases the probability of a safety-critical human-error; that is the third hypothesis in a nutshell.

The FRA is fortunate that it has simulator capacity to evaluate these concerns. Designers of a process safety system at a chemical plant (for instance) are unlikely to have that capability.

Thursday, February 21, 2019

One Update Published – 02-21-19

NCCIC-ICS published an update of a control system security advisory for products from Wind River. The advisory was originally published on April 1st, 2013. The updated information includes:

• Adds GE D20MX as an affected product;
• Changes characterization of CVE-2013-0715 from ‘Command Injection’ to ‘Improper Input Validation’; and
• Provides GE mitigation measures for vulnerabilities.

There must be an interesting story here, just do not know what it is.

Wednesday, February 20, 2019

Legislative Cybersecurity Definitions


Earlier today in my post about the introduction of HR 1062 I briefly mentioned my concerns about the definitions related to cybersecurity used in current law and legislative proposals. In this post, I will be taking a more detailed look at the problem and my proposals for solutions.

Current Definitions


In writing legislation, congressional staffs (personal and committee) usually rely on definitions that currently exist in the United States Code. This reliance on previous work helps to establish a coherent lexicon of terminology that ensures that different programs in the government mean the same thing when the use the same terminology.

For cybersecurity issues we find the following definitions be referred to in many disparate types of legislation referring to cybersecurity:

Information System:

44 USC 3502(8) - the term ‘‘information system’’ means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information;

6 USC 1501(9) - The term ‘‘information system’’—

(A) has the meaning given the term in section 3502 of title 44; and

(B) includes industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers.

Cybersecurity Risk:

6 USC 659(a)(1) - the term "cybersecurity risk"-

(A) means threats to and vulnerabilities of information or information systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information or information systems, including such related consequences caused by an act of terrorism; and
(B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;

Incident:

6 USC 659(a)(3) - the term "incident" means an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system; [NOTE: Based upon §3502 IT restricted definition of ‘information system’.

Cybersecurity Purpose

6 USC 1501(4) The term ‘‘cybersecurity purpose’’ means the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.

Cybersecurity threat


(A) In general
Except as provided in subparagraph (B), the term ‘‘cybersecurity threat’’ means an action, not protected by the First Amendment to the Constitution of the United States, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system.

(B) Exclusion
The term ‘‘cybersecurity threat’’ does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement.

Definition Problems


When crafters of legislation describe computer systems, they generally use the term ‘information system’. Initially this was almost universally applied to systems that were used exclusively in the financial industry, but that expanded to include other types of information as legislators looked at protecting personally identifiable information (PII) and medical/healthcare information and more recently intellectual property.

As it became more and more evident that a variety of industrial control systems, transportation systems, medical devices and other computer systems that controlled physical processes were potentially subject to cyberattacks, legislative writers tried to squeeze these systems into the definition of ‘information system’. The one successful attempt at codifying that combination of IT and OT technology into a single term by adding the wording: “includes industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers” in a second subparagraph.

This bastardized definition still refers to “the collection, processing, maintenance, use, sharing, dissemination, or disposition of information” purpose of the ‘information systems’. This provides no connection to the physical processes controlled by control systems.

Similarly, the other cybersecurity related definitions listed above (including those based upon the OT inclusive definition of §1501) use IT limiting terms such as: “information that is stored on, processed by, or transiting an information system” or “the integrity, confidentiality, or availability of information”. This has been acceptable from a legislative perspective because control systems still rely on ‘information’ for their operation.

Unfortunately, it is becoming increasingly obvious to those in the control system community that the cybersecurity focus in that sector should be more intensely focused on the potential physical outcomes from a successful attack rather than the information used in the control processes.

Proposed Legislative Solution


With these problems in mind, I would like to propose that 6 USC 659(a) be amended to read:

(a) Definitions
In this section-

(1) the term ‘control system’ means a discrete set of information resources, sensors, communications interfaces and physical devices organized to monitor, control and/or report on physical processes, including manufacturing, transportation, access control, and facility environmental controls;

(2) the term "cybersecurity risk"-

(A) means threats to and vulnerabilities of information or information systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information or information systems, including such related consequences caused by an act of terrorism; and

(B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;

(A) threats to and vulnerabilities of information, information systems, or control systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information, information systems, or control systems, including such related consequences caused by an act of terrorism; and

(B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;

(3) the terms "cyber threat indicator" and "defensive measure" have the meanings given those terms in section 102 of the Cybersecurity Act of 2015 [6 U.S.C. 1501];

(4) the term "incident" means an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system;:

(A) the integrity, confidentiality, or availability of information on an information system,

(B) the timely availability of accurate process information, the predictable control of the designed process or the confidentiality of process information, or

(C) an information system or a control system;

(5) the term "information sharing and analysis organization" has the meaning given that term in section 671(5) of this title;

(6) the term "information system" has the meaning given that term in section 3502(8) of title 44; and

(7) the term "sharing" (including all conjugations thereof) means providing, receiving, and disseminating (including all conjugations of each of such terms).

HR 1062 Introduced – Cybersecurity Consortium


Earlier this month Rep. Castro (D,TX) introduced HR 1062, the National Cybersecurity Preparedness Consortium Act of 2019. The bill would authorize the DHS NCCIC to work with a consortium of non-profit entities to “develop, update, and deliver cybersecurity training in support of homeland security” {§2(1)}. The bill is very similar to HR 1465 from the 115th Congress and HR 4743 from the 114th. No action was taken on HR 1465 but HR 4743 was passed in the House with bipartisan support.

Differences in the Bills


The current language is most closely a copy of the version of HR 1465 that was reported in the House. There are still a number of differences in the two versions of the bill; some of them minor and others with more significant.

The first noticeable change is the references to both the Homeland Security Act of 2002 and 6 USC. These changes are strictly editorial updates for changes made to that Act and the US Code (USC) by the CISA authorization bill that was passed last year. As usual I prefer to use the USC links. All references to 6 USC 659 in the current bill are the same as the old 6 USC 148 that I have made numerous references to in the past. Unfortunately, the GPO has yet to update the USC for last year’s modifications, so all links to 6 USC in this post will be to the congressional version of the US Code.

Next this bill removes almost all references to the phrase ‘including threats of terrorism and acts of terrorism’ that were included frequently in the earlier bills. This was used as a pretty constant modifier of the phrase ‘cybersecurity risks and incidents. The current bill only uses this phrase one time in §3(b)(3):

Provide technical assistance services to build and sustain capabilities in support of preparedness for and response to cybersecurity risks and incidents, including threats of terrorism and acts of terrorism, in accordance with such section 2209;

There are two paragraphs from the earlier bills that are completed removed in this latest version. Section 2(c) admonished the Secretary to “to prevent unnecessary duplication of existing programs or efforts of the Department of Homeland Security”. Section 2(g) terminated the authorization for the program in five years from the date of enactment. There is no similar language for either of these provisions in the current bill.

Finally, there are two additional sections found in this bill that were not included in the earlier versions. Section 2 provides definitions of important terms; those definitions were included in the text of various paragraphs in the reported version of HR 1465. Section 4 added an important rule of construction to the bill:

“Nothing in this Act may be construed to authorize a consortium to control or direct any law enforcement agency in the exercise of the duties of the law enforcement agency.”

Moving Forward


Neither Castro or any of his six bipartisan cosponsors are members of the House Homeland Security Committee to which this bill was assigned for consideration. HR 1465 had a similar problem last session which explains why it was not considered in Committee. If the bill were to be considered in Committee (possible if a new cosponsor who was on the Committee were added) it would probably be adopted by a bipartisan majority. There is nothing in the bill that should draw any significant opposition.

A similar sounding bill, S 333, was introduced in the Senate, but it looks to have a similar consideration problem; none of the four Senators currently associated with the bill are on the Senate Homeland Security and Governmental Affairs Committee.

Commentary


I did now write about HR 1465 last session because the definitions provided for ‘cybersecurity risk’ and ‘incident’ rely on the IT restrictive definition of information system used in §659. This means that there is no authorization for providing training for incident response or response planning for industrial control system incidents. As it becomes more and more apparent that the physical consequences of a potential attack on industrial control systems could be much more significant than a purely IT system attack, this restrictive definition becomes more and more problematic.

I have been complaining about this definitional problem for some time. As is usual I have offered a number of different possible suggestions for the problem. The most comprehensive can be found in my discussion of HR 2831 last session.

Tuesday, February 19, 2019

Four advisories Published – 02-19-19


Today the DHS NCCIC published four control system security advisories for products from Rockwell Automation, Horner Automation, Delta Industrial and Intel.

Rockwell Advisory


This advisory describes two vulnerabilities in the Rockwell Allen-Bradley PowerMonitor 1000. This vulnerability was reported by Luca Chiou of ACSI. Rockwell is working on mitigation measures. CheckPoint Software Technologies has released IPS rules to detect attempts to exploit CVE-2019-19615.

The two reported vulnerabilities are:

• Cross-site scripting - CVE-2019-19615; and
Authentication bypass using alternate path or channel - CVE-2019-19616

NCCIC-ICS reports that a relatively low-skilled attacker could use a publicly available exploits (here and here) to remotely exploit these vulnerabilities to allow a remote attacker to affect the confidentiality, integrity, and availability of the device.

NOTE: I discussed these vulnerabilities last Saturday.

Horner Advisory


This advisory describes an improper input validation vulnerability in the Horner Cscape control system application programming software. The vulnerability was reported by ‘anonymous’ via the Zero Day Initiative (ZDI). Horner has a new version that mitigates the vulnerability. There is no indication that anonymous has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to crash the device being accessed, which may allow the attacker to read confidential information and remotely execute arbitrary code.

Delta Advisory


This advisory describes an out-of-bounds read vulnerability in the Delta Industrial Automation CNCSoft. The vulnerability was reported by Natnael Samson (@NattiSamson) via ZDI. Delta has an updated version that mitigates the vulnerability. There is no indication that Samson was provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to cause a buffer overflow condition that may allow information disclosure or crash the application.

Intel Advisory


This advisory describes eleven vulnerabilities in the Intel Data Center Manager SDK. The vulnerability was reported by Intel’s Product Security Incident Response Team. Intel has a new version that mitigates the vulnerability.

The eleven reported vulnerabilities are:

• Improper authentication - CVE-2019-0102;
• Protection mechanism failure (4) - CVE-2019-0103, CVE-2019-0104, CVE-2019-0106, and CVE-2019-0107,
• Permission issues (4) - CVE-2019-0105, CVE-2019-0108, CVE-2019-0109, and CVE-2019-0111;
• Key management issues - CVE-2019-0110;
• Insufficient control flow management - CVE-2019-0112

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow escalation of privilege, denial of service, or information disclosure.

Monday, February 18, 2019

S 315 Introduced – DHS Cyber Response Teams


Last month Sen. Hassan (D,NH) introduced S 315, the DHS Cyber Hunt and Incident Response Teams Act of 2019. The bill would authorize the current cyber incident response teams in the DHS NCCIC. The bill is very similar to HR 5074 from the 115th Congress which passed in the House but was never taken up in the Senate.

The bill does not name the teams, but the description certainly refers to the incident investigation teams associated with US-CERT and ICS-CERT. The bill specifically mentions ‘control systems’ {6 USC 659(f)(1)(D)} but does not provide a definition for that term.

Hassan and her two cosponsors {Sen. Peters (D,MI) and Sen. Portman (R,OH)} are all influential members of the Senate Homeland Security and Governmental Affairs Committee to which this bill was assigned for consideration. This should mean that the bill has a good chance of being considered in that Committee. A recent article over on Politico.com pointed out, however, how hard it is to get cybersecurity legislation through that Committee. Since this bill does not contain any new authority for NCCIC nor does it approve any new funding, this bill may be able to avoid that cybersecurity trap.

NOTE: HR 1158 was recently introduced in the House with a similar sounding name, but the text has not yet been published. I suspect that it will be very similar to this bill.

Sunday, February 17, 2019

S 300 Introduced – DOE Pipeline Security


Earlier this month Sen. Cornyn (R, TX) introduced S 300, the Pipeline and LNG Facility Cybersecurity Preparedness Act. This is a companion bill (identical language) to HR 370 that was introduced in January. The bill would define cybersecurity oversight requirements for DOE over energy pipelines and LNG facilities.

While there is a good chance for committee action on HR 370 in the House, neither Cornyn nor his single cosponsor {Sen. Heinrich (D,NM)} are members of the Senate Commerce, Science, and Transportation Committee to which this bill was assigned for consideration. This means that it is extremely unlikely that the bill will be considered in that Committee.

Saturday, February 16, 2019

Public ICS Disclosures – Week of 02-09-19


This week we have five vendor disclosures for products from Kunbus, Schneider (3) and Rockwell; five vendor updates from Siemens; one coordinated disclosure for products from Resource Data Management and one exploit for a previously disclosed vulnerability for products from AVEVA.

Kunbus Advisory


Kunbus published an advisory for five vulnerabilities in its KUNBUS-GW Modbus TCP PR100088 product. The vulnerabilities were reported by Nicolas Merle of Applied Risk. Kunbus is working on an update to mitigate the vulnerabilities.

The five reported vulnerabilities are:

• Conditional authentication bypass;
• Missing authentication for critical function;
• Denial of service;
• Publication of information by parameter data in an HTTP GET request; and
Plain text storage of passwords

Schneider Advisories


Schneider has published an advisory describing six vulnerabilities in its Sarix Enhanced and Spectra Enhanced cameras. The vulnerabilities were reported by Deng Yongkai (NSFOCUS) and Gjoko Krstic (Zero Science). Schneider has a new firmware version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• A permissions, privileges, and access control vulnerability - CVE-2018-7816;
• A command injection vulnerability (2) - CVE-2018-7825 and CVE-2018-7826;
• A cross-site scripting (XSS) vulnerability (2) - CVE-2018-7827 and CVE-2018-7828; and
• An improper neutralization of special elements in query vulnerability - CVE-2018-7829


Schneider has published an advisory describing a buffer error vulnerability in its Vijeo Designer Lite software. The vulnerability is self-reported. Schneider has provided generic mitigations as the product has reached end-of-life status.


Schneider has published an advisory describing three vulnerabilities in its  Modicon M221 and
SoMachine Basic products. The vulnerabilities were reported by Matthias Niedermaier (Hochschule Augsburg), Jan-Ole Malchow (Freie Universität Berlin), Florian Fischer (Hochschule Augsburg) and Reid Wightman (Dragos Inc.). Schneider has updates available to mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• An environment vulnerability (2) - CVE-2018-7821 and CVE-2018-7823; and
• An incorrect default permissions vulnerability - CVE-2018-7822

Rockwell Advisory


Rockwell has published an advisory describing two vulnerabilities in its PowerMonitor 1000 monitor that were publicly reported (with exploits) in December (here and here) by Luca Chiou. Rockwell has provided generic mitigation measures pending development of updates. It also provides a link to intrusion prevention system (by CheckPoint) rules to detect the cross-site scripting vulnerability.

The two reported vulnerabilities are:

• Cross-site scripting - CVE-2019-19615; and
• Authentication bypass - CVE-2019-19616

 Siemens Updates


Siemens published an update for their advisory on Spectre and Meltdown Vulnerabilities in Industrial Products. They added updated affected version data and provided links to mitigations for:

• SIMATIC ET 200 SP Open Controller; and
• SIMATIC IPC547E

NOTE: NCCIC-ICS updated their alert (ICS-ALERT-18-011-01) for this vulnerability when Siemens added a new advisory. That technically included this update since the link provided in the alert goes to the latest version of the Siemens advisory.


Siemens published an update for their advisory on Spectre-NG (Variants 3a and 4) Vulnerabilities in Industrial Products. They added updated version data and provided links to mitigations for:

• SIMATIC ET 200 SP Open Controller:
• SIMATIC ET 200 SP Open Controller (F);
• SIMATIC S7-1500 Software Controller;
• SIMATIC IPC547E;
• SIMATIC ITP1000;
• SIMATIC IPC3000 SMART V2;
• SIMATIC IPC347E;
• SIMATIC HMI Basic; and
• Panels 2nd Generation:

They also removed the following unaffected products from the advisory:

• SIMATIC IPC227E;
• SIMATIC IPC277E;
• SIMATIC IPC327E; and
• SIMATIC IPC377E

NOTE: NCCIC-ICS is expected to update their advisory.


Siemens published an update for their advisory on Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP. They added two additional vulnerabilities to the list for these products:

• CVE-2018-1000876; and
• CVE-2018-16862
NOTE: NCCIC-ICS has not published an advisory/alert on these vulnerabilities.

Siemens has published an update for their advisory on Denial-of-Service in SICAM A8000 Series. They updated the CVSS vector due to known exploit.


Siemens has published an update for their advisory on Foreshadow / L1 Terminal Fault Vulnerabilities in Industrial Products. They updated the affected version data and provided links to the mitigation measures for:

• SIMATIC IPC547E;
• SIMATIC IPC547G;
• SIMATIC ITP1000;
• SIMATIC IPC3000 SMART V2; and
• SIMATIC IPC347E

They also removed the following unaffected products from the advisory:

• SIMATIC IPC227E;
• SIMATIC IPC277E;
• SIMATIC IPC327E; and
• SIMATIC IPC377E
NOTE: NCCIC-ICS has not published an advisory/alert on these vulnerabilities.

Resource Data Management


Safety Detective published an article describing default credential vulnerabilities for commercial refrigeration systems from Resource Data Management. The article describes how the researchers were able to locate vulnerable systems, change settings, and manipulate controls in systems in hospitals and stores.

AVEVA Exploit


Jacob Baines published an exploit for vulnerabilities in the AVEVA InduSoft Web Studio. The vulnerabilities were reported by NCCIC-ICS earlier this month.

Bills Introduced – 02-14-19


On Thursday, with both the House and Senate in session there were 144 bills introduced. One of these may receive further future mention in this blog:

S 495 A bill to amend title 18, United States Code, to reauthorize and expand the National Threat Assessment Center of the Department of Homeland Security. Sen. Grassley, Chuck [R-IA]

I will be watching this bill for specific mention of chemical security, chemical transportation security or cybersecurity.

NOTE: On Thursday I mistakenly titled the ‘Bills Introduced’ blog post as referring to bills introduced on 2-14-19, it should have read ‘2-13-19’. That has been corrected.

Friday, February 15, 2019

HR 851 Introduced – ECP Brakes


Last month Rep. Herrera-Beutler introduced HR 851, the Oil and Flammable Material Rail Transportation Safety Act. This bill would reinstate the electronically-controlled pneumatic brake provisions of 49 CFR 174.310 for highly-hazardous flammable unit trains (HHFUT). This bill is identical to HR 7076 from last session. Since Herrera-Beutler is still not on the House Transportation and Infrastructure Committee, the committee to which this bill was assigned for consideration, this bill will die from lack of attention unless she attracts a cosponsor assigned to that Committee.


S 245 Introduced – FY 2019 Intel Authorization

Last month Sen. Burr (R,NC) introduced S 245, the Damon Paul Nelson and Matthew Young Pollard Intelligence Authorization Act for Fiscal Years 2018 and 2019. Intel authorization bills were introduced last session (HR 6237 and S 3153), but only the House bill received any action; it passed by a vote of 363 to 54. No action was taken in the Senate on either bill.

Cybersecurity Provisions


There are a number of cybersecurity related provisions in this bill, but only one of potential specific interest to the industrial control system community. The cybersecurity sections of note include:

§303. Modification of special pay authority for science, technology, engineering, or mathematics positions and addition of special pay authority for cyber positions.
§307. Consideration of adversarial telecommunications and cybersecurity infrastructure when sharing intelligence with foreign governments and entities.
§308. Cyber protection support for the personnel of the intelligence community in positions highly vulnerable to cyber attack.
§309. Modification of authority relating to management of supply-chain risk.
§422. Establishment of Energy Infrastructure Security Center.
§701. Limitation relating to establishment or support of cybersecurity unit with the Russian Federation.

EISC


The potentially interesting ICS provision is, of course, §422 establishing the EISC. A nearly identical provision (different section/paragraph numbers is the only difference) was included in HR 6237. I covered that issue in my post on the introduction of the earlier bill.

Missing Provision


Last year Burr’s authorization bill included a section on energy sector cybersecurity. This was taken almost in whole cloth from last session’s S 79. A bill similar to S 79 was introduced earlier this session; S 174. It is not clear if Burr left this out because he felt that S 174 had a good chance to pass on its own (not likely in my opinion) or whether he got push-back from including the costly provisions in last year’s intel bill.

Moving Forward


Burr’s bill will move forward in Committee, he is after all the Chair of the Senate Select Committee on Intelligence. Getting it to the floor of the Senate may prove to be a bigger problem; he has not had an intel authorization bill on the floor since the FY 2017 bill passed.

Commentary


This used to be considered one of the ‘must pass’ annual authorization bills, but since Trump came to town that does not seem to be the case. Spending bills continue to be approved, but the general Congressional oversight provided through the authorization bills seems to be less important as the community status has waned under Trump. This is doubly unfortunate given the cybersecurity troubles being seen in the world.

Thursday, February 14, 2019

Two Advisories and Three Updates Published – 02-14-19


Today the DHS NCCIC-ICS published two control system security advisories for products from gpsd Open Source Project and Pangea. They also updated three previously published advisories for products from Fuji and Siemens (2). The gpsd advisory was originally published on the HSIN ICS-CERT library on November 6, 2018.

gpsd Advisory


This advisory describes a stack-based buffer overflow vulnerability in the gpsd, an open-source GPS framework. The vulnerability was reported by GE Digital Cyber Security Services, working with GE-PSIRT. A new version is available that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit this vulnerability to allow remote code execution, data exfiltration, or denial-of service via device crash.

Note: This advisory is a ‘third-party vendor’ vulnerability report. NCCIC-ICS reports that gpsd can be found in many mobile embedded systems such as Android phones, drones, robot submarines, driverless cars, manned aircraft, marine navigation systems, and military vehicles.

Pangea Advisory


This advisory describes an authentication bypass using an alternate path or channel vulnerability in the Pangea Internet FAX Analog Telephone Adapter (ATA). The vulnerability was reported by Ankit Anubhav of NewSky Security. Pangea has a patch deployed that mitigates the vulnerability. There is no indication that Anubhav has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could use a publicly available exploit to remotely exploit the vulnerability to cause the device to reboot and create a continual denial-of-service condition.

Fuji Update


This update provides additional information on an advisory that was originally published on September 27th, 2018. The update announces the availability of a new firmware version that mitigates the vulnerabilities.

Licensing Software Update


This update provides additional information on an advisory that was originally published on February 12th, 2019. The update makes a number of editorial corrections in the data presentation on the vulnerabilities reported. I missed identifying these inconsistencies as I reported on the vulnerabilities based upon the Talos reports. The update still does not mention that there are publicly available exploits for these vulnerabilities from those reports.

PROFINET Update


This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15, 2017,on July 25th, 2017, on August 17th, 2017, on October 10th, 2017, November 14th, 2017, January 23rd, 2018, February 27th, 2018, and most recently on June 21st, 2018. The update provides updated affected version information and mitigation links for SINAUT ST7CC.

Bills Introduced – 02-13-19


Yesterday with both the House and Senate in session there were 98 bills introduced. Three of those bills may receive additional coverage in this blog:

HR 1158 To authorize cyber incident response teams at the Department of Homeland Security, and for other purposes. Rep. McCaul, Michael T. [R-TX-10] 

HJ Res 45 Making further continuing appropriations for fiscal year 2019, and for other purposes. Rep. Biggs, Andy [R-AZ-5]

S 482 A bill to strengthen the North Atlantic Treaty Organization, to combat international cybercrime, and to impose additional sanctions with respect to the Russian Federation, and for other purposes.  Sen. Graham, Lindsey [R-SC] 

I will be watching S 482 for language that would include attacks on industrial control systems in the definition of ‘cybercrime’, but I am not holding my breath.

There was one other oddly named bill that I will personally be watching (but will probably not be writing about here), S 483. Introduced by Sen. Roberts (R,KS) it is titled: “A bill to enact into law a bill by reference.” Odd.

Wednesday, February 13, 2019

CSAT 60-Day ICR Comment


Last week the DHS Cybersecurity and Infrastructure Security Agency published a 60-day information collection request (ICR) for the Chemical Security Assessment Tool (CSAT) for the Chemical Facility Anti-Terrorism Standards (CFATS) program. In my post on the ICR I noted that there was a little known collection included in the ICR: “Identification of Additional Facilities and Assets at Risk”. As is typical in a well-constructed ICR notice, there is little detail provided about the actual collection; the details provided only apply to the burden estimate associated with the collection.

Questions on Collection


I attempted to gather some information on this collection from official sources at the DHS Infrastructure Security Compliance Division. My questions were forwarded to Bardha Azari of the CISA Office of External Affairs. Azari responded and told me that in order to “consolidate all questions and concerns regarding the CSAT ICR, and to maintain a transparent public process, your questions and comments on the ICR should be submitted through the Federal eRulemaking Portal”. This post will form that ICR response.

Unfortunately, not having answers to the question that will be asked below, I will not be able to provide a proper response to the question of the adequacy of the burden estimate or the need of the agency to collect the information as envisioned in the Paperwork Reduction Act of 1995. An adequate response will have to wait until the 30-day ICR notice is published.

Data on the Current ICR


Looking at the Reginfo.gov website for the current ICR there is a link to a document [DOCX. Download] explaining the current collection tool. It explains that there are two sections for the current ‘instrument’ involved in this collection;

• Identification of Facilities at Risk; and
Assets at Risks

Because these resources are not available until the approved ICR is published, respondents to the current ICR notice are forced to rely on information provided in the current ICR data. A detailed look at the existing data leads to questions that should be answered before the adequacy of the revised ICR can be assessed.

Identification of Facilities


The explanation document explains that:

“In this section the instrument will collect, on a voluntary basis, the following information when the facility identifies it ships and/or receives COI:
• Shipping and/or receiving procedures
• Invoices and receipts
• Company names and locations that COI is shipped to and/or received from”

The new ICR notice reports that the voluntary collection will be limited to only 845 respondents, “because CISA only requests this information from covered chemical facilities that undergo compliance inspections and ship chemicals of interest (COI)”. This would seem to indicate that ISCD is changing the focus of this collection to just identify facilities that receive DHS chemicals of interest (COI).

To adequately assess the appropriateness of this collection, I think that the community needs answers to the following questions:
1. How many facilities were asked to provide responses to this collection since October 2016?

2. How many facilities voluntarily provided information on the vendors that shipped COI to the inspected facility?

3. How many facilities voluntarily provided information on the customers to whom they shipped COI from the inspected facility?

4. How many of those facilities identified in the voluntary collection had not previously completed Top Screen submissions to ISCD?

5. Of those previously unidentified facilities, how many subsequently submitted Top Screens?

6. Of those previously unidentified facilities that submitted Top Screens, how many were subsequently identified as being at high-risk?

7. Why wasn’t this data collection mentioned in the FY 2019 CFATS Outreach Implementation Plan?

Assets At Risk


The explanation document explains that:

“In this section the instrument will collect, on a voluntary basis, the following information when the facility identifies a SCADA, DCS, PCS, or ICS:
• Provide details on the system(s) that controls, monitors, and/or manages small to large production systems as well as how the system(s) operates.
If it is standalone or connected to other systems or networks and document the specific brand and name of the system(s).”

There is no mention of an industrial control system data collection in the ICR notice and only asking for voluntary data submissions from “facilities that undergo compliance inspections and ship chemicals of interest (COI)”. That would hardly be a limited category of facilities from which ISCD would wish to collect the above described data.

To adequately comment on the removal of this information from the collection, the community would need answers to the following questions:

1. Has the section actually been removed from the collection? If so, why?

2. How many facilities were asked to voluntarily provide the information since October 2016?

3. What criteria was used to select the facilities that were asked to provide the information?

4. How many facilities responded to the information collection?

5. Was any data provided in this information collection that had not bee previously provided in the approved facility site security plan?

 
/* Use this with templates/template-twocol.html */