Wednesday, February 20, 2019

Legislative Cybersecurity Definitions


Earlier today in my post about the introduction of HR 1062 I briefly mentioned my concerns about the definitions related to cybersecurity used in current law and legislative proposals. In this post, I will be taking a more detailed look at the problem and my proposals for solutions.

Current Definitions


In writing legislation, congressional staffs (personal and committee) usually rely on definitions that currently exist in the United States Code. This reliance on previous work helps to establish a coherent lexicon of terminology that ensures that different programs in the government mean the same thing when they use the same terminology.

For cybersecurity issues, the following definitions are referred to in many disparate types of legislation dealing with cybersecurity:

Information System:

44 USC 3502(8) - the term ‘‘information system’’ means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information;

6 USC 1501(9) - The term ‘‘information system’’—

(A) has the meaning given the term in section 3502 of title 44; and

(B) includes industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers.

Cybersecurity Risk:

6 USC 659(a)(1) - the term "cybersecurity risk"-

(A) means threats to and vulnerabilities of information or information systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information or information systems, including such related consequences caused by an act of terrorism; and
(B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;

Incident:

6 USC 659(a)(3) - the term "incident" means an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system; [NOTE: Based upon the §3502 IT-restricted definition of ‘information system’.]

Cybersecurity Purpose:

6 USC 1501(4) The term ‘‘cybersecurity purpose’’ means the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.

Cybersecurity Threat:


(A) In general
Except as provided in subparagraph (B), the term ‘‘cybersecurity threat’’ means an action, not protected by the First Amendment to the Constitution of the United States, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system.

(B) Exclusion
The term ‘‘cybersecurity threat’’ does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement.

Definition Problems


When crafters of legislation describe computer systems, they generally use the term ‘information system’. Initially this was almost universally applied to systems that were used exclusively in the financial industry, but that expanded to include other types of information as legislators looked at protecting personally identifiable information (PII) and medical/healthcare information and more recently intellectual property.

As it became more and more evident that a variety of industrial control systems, transportation systems, medical devices and other computer systems that controlled physical processes were potentially subject to cyberattacks, legislative writers tried to squeeze these systems into the definition of ‘information system’. The one successful attempt at codifying that combination of IT and OT technology into a single term was made by adding the wording “includes industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers” in a second subparagraph of 6 USC 1501(9).

This bastardized definition still ties the purpose of an ‘information system’ to “the collection, processing, maintenance, use, sharing, dissemination, or disposition of information”. This provides no connection to the physical processes controlled by control systems.

Similarly, the other cybersecurity related definitions listed above (including those based upon the OT-inclusive definition of §1501) use IT-limiting terms such as “information that is stored on, processed by, or transiting an information system” or “the integrity, confidentiality, or availability of information”. This has been acceptable from a legislative perspective because control systems still rely on ‘information’ for their operation.

Unfortunately, it is becoming increasingly obvious to those in the control system community that the cybersecurity focus in that sector should be more intensely focused on the potential physical outcomes from a successful attack rather than the information used in the control processes.

Proposed Legislative Solution


With these problems in mind, I would like to propose that 6 USC 659(a) be amended to read:

(a) Definitions
In this section-

(1) the term ‘control system’ means a discrete set of information resources, sensors, communications interfaces and physical devices organized to monitor, control and/or report on physical processes, including manufacturing, transportation, access control, and facility environmental controls;

(2) the term "cybersecurity risk"-

(A) means threats to and vulnerabilities of information, information systems, or control systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information, information systems, or control systems, including such related consequences caused by an act of terrorism; and

(B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;

(3) the terms "cyber threat indicator" and "defensive measure" have the meanings given those terms in section 102 of the Cybersecurity Act of 2015 [6 U.S.C. 1501];

(4) the term "incident" means an occurrence that actually or imminently jeopardizes, without lawful authority:

(A) the integrity, confidentiality, or availability of information on an information system,

(B) the timely availability of accurate process information, the predictable control of the designed process or the confidentiality of process information, or

(C) an information system or a control system;

(5) the term "information sharing and analysis organization" has the meaning given that term in section 671(5) of this title;

(6) the term "information system" has the meaning given that term in section 3502(8) of title 44; and

(7) the term "sharing" (including all conjugations thereof) means providing, receiving, and disseminating (including all conjugations of each of such terms).

HR 1062 Introduced – Cybersecurity Consortium


Earlier this month Rep. Castro (D,TX) introduced HR 1062, the National Cybersecurity Preparedness Consortium Act of 2019. The bill would authorize the DHS NCCIC to work with a consortium of non-profit entities to “develop, update, and deliver cybersecurity training in support of homeland security” {§2(1)}. The bill is very similar to HR 1465 from the 115th Congress and HR 4743 from the 114th. No action was taken on HR 1465 but HR 4743 was passed in the House with bipartisan support.

Differences in the Bills


The current language is most closely a copy of the version of HR 1465 that was reported in the House. There are still a number of differences between the two versions of the bill; some of them minor and others more significant.

The first noticeable change is the references to both the Homeland Security Act of 2002 and 6 USC. These changes are strictly editorial updates for changes made to that Act and the US Code (USC) by the CISA authorization bill that was passed last year. As usual I prefer to use the USC links. All references to 6 USC 659 in the current bill are the same as the old 6 USC 148 that I have made numerous references to in the past. Unfortunately, the GPO has yet to update the USC for last year’s modifications, so all links to 6 USC in this post will be to the congressional version of the US Code.

Next, this bill removes almost all references to the phrase ‘including threats of terrorism and acts of terrorism’ that was included frequently in the earlier bills. This was used as a pretty constant modifier of the phrase ‘cybersecurity risks and incidents’. The current bill only uses this phrase one time in §3(b)(3):

Provide technical assistance services to build and sustain capabilities in support of preparedness for and response to cybersecurity risks and incidents, including threats of terrorism and acts of terrorism, in accordance with such section 2209;

There are two paragraphs from the earlier bills that are completely removed in this latest version. Section 2(c) admonished the Secretary “to prevent unnecessary duplication of existing programs or efforts of the Department of Homeland Security”. Section 2(g) terminated the authorization for the program five years from the date of enactment. There is no similar language for either of these provisions in the current bill.

Finally, there are two additional sections found in this bill that were not included in the earlier versions. Section 2 provides definitions of important terms; those definitions were included in the text of various paragraphs in the reported version of HR 1465. Section 4 added an important rule of construction to the bill:

“Nothing in this Act may be construed to authorize a consortium to control or direct any law enforcement agency in the exercise of the duties of the law enforcement agency.”

Moving Forward


Neither Castro nor any of his six bipartisan cosponsors are members of the House Homeland Security Committee to which this bill was assigned for consideration. HR 1465 had a similar problem last session, which explains why it was not considered in Committee. If the bill were to be considered in Committee (possible if a new cosponsor who was on the Committee were added) it would probably be adopted by a bipartisan majority. There is nothing in the bill that should draw any significant opposition.

A similar sounding bill, S 333, was introduced in the Senate, but it looks to have a similar consideration problem; none of the four Senators currently associated with the bill are on the Senate Homeland Security and Governmental Affairs Committee.

Commentary


I did not write about HR 1465 last session because the definitions provided for ‘cybersecurity risk’ and ‘incident’ rely on the IT-restrictive definition of information system used in §659. This means that there is no authorization for providing training for incident response or response planning for industrial control system incidents. As it becomes more and more apparent that the physical consequences of a potential attack on industrial control systems could be much more significant than a purely IT system attack, this restrictive definition becomes more and more problematic.

I have been complaining about this definitional problem for some time. As is usual I have offered a number of different possible suggestions for the problem. The most comprehensive can be found in my discussion of HR 2831 last session.

Tuesday, February 19, 2019

Four Advisories Published – 02-19-19


Today the DHS NCCIC published four control system security advisories for products from Rockwell Automation, Horner Automation, Delta Industrial and Intel.

Rockwell Advisory


This advisory describes two vulnerabilities in the Rockwell Allen-Bradley PowerMonitor 1000. The vulnerabilities were reported by Luca Chiou of ACSI. Rockwell is working on mitigation measures. CheckPoint Software Technologies has released IPS rules to detect attempts to exploit CVE-2019-19615.

The two reported vulnerabilities are:

• Cross-site scripting - CVE-2019-19615; and
• Authentication bypass using alternate path or channel - CVE-2019-19616

NCCIC-ICS reports that a relatively low-skilled attacker could use publicly available exploits (here and here) to remotely exploit these vulnerabilities and affect the confidentiality, integrity, and availability of the device.

NOTE: I discussed these vulnerabilities last Saturday.

Horner Advisory


This advisory describes an improper input validation vulnerability in the Horner Cscape control system application programming software. The vulnerability was reported by ‘anonymous’ via the Zero Day Initiative (ZDI). Horner has a new version that mitigates the vulnerability. There is no indication that anonymous has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to crash the device being accessed, which may allow the attacker to read confidential information and remotely execute arbitrary code.

Delta Advisory


This advisory describes an out-of-bounds read vulnerability in the Delta Industrial Automation CNCSoft. The vulnerability was reported by Natnael Samson (@NattiSamson) via ZDI. Delta has an updated version that mitigates the vulnerability. There is no indication that Samson was provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to cause a buffer overflow condition that may allow information disclosure or crash the application.

Intel Advisory


This advisory describes eleven vulnerabilities in the Intel Data Center Manager SDK. The vulnerabilities were reported by Intel’s Product Security Incident Response Team. Intel has a new version that mitigates the vulnerabilities.

The eleven reported vulnerabilities are:

• Improper authentication - CVE-2019-0102;
• Protection mechanism failure (4) - CVE-2019-0103, CVE-2019-0104, CVE-2019-0106, and CVE-2019-0107;
• Permission issues (4) - CVE-2019-0105, CVE-2019-0108, CVE-2019-0109, and CVE-2019-0111;
• Key management issues - CVE-2019-0110;
• Insufficient control flow management - CVE-2019-0112

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow escalation of privilege, denial of service, or information disclosure.

Monday, February 18, 2019

S 315 Introduced – DHS Cyber Response Teams


Last month Sen. Hassan (D,NH) introduced S 315, the DHS Cyber Hunt and Incident Response Teams Act of 2019. The bill would authorize the current cyber incident response teams in the DHS NCCIC. The bill is very similar to HR 5074 from the 115th Congress which passed in the House but was never taken up in the Senate.

The bill does not name the teams, but the description certainly refers to the incident investigation teams associated with US-CERT and ICS-CERT. The bill specifically mentions ‘control systems’ {6 USC 659(f)(1)(D)} but does not provide a definition for that term.

Hassan and her two cosponsors {Sen. Peters (D,MI) and Sen. Portman (R,OH)} are all influential members of the Senate Homeland Security and Governmental Affairs Committee to which this bill was assigned for consideration. This should mean that the bill has a good chance of being considered in that Committee. A recent article over on Politico.com pointed out, however, how hard it is to get cybersecurity legislation through that Committee. Since this bill does not contain any new authority for NCCIC nor does it approve any new funding, this bill may be able to avoid that cybersecurity trap.

NOTE: HR 1158 was recently introduced in the House with a similar sounding name, but the text has not yet been published. I suspect that it will be very similar to this bill.

Sunday, February 17, 2019

S 300 Introduced – DOE Pipeline Security


Earlier this month Sen. Cornyn (R, TX) introduced S 300, the Pipeline and LNG Facility Cybersecurity Preparedness Act. This is a companion bill (identical language) to HR 370 that was introduced in January. The bill would define cybersecurity oversight requirements for DOE over energy pipelines and LNG facilities.

While there is a good chance for committee action on HR 370 in the House, neither Cornyn nor his single cosponsor {Sen. Heinrich (D,NM)} are members of the Senate Commerce, Science, and Transportation Committee to which this bill was assigned for consideration. This means that it is extremely unlikely that the bill will be considered in that Committee.

Saturday, February 16, 2019

Public ICS Disclosures – Week of 02-09-19


This week we have five vendor disclosures for products from Kunbus, Schneider (3) and Rockwell; five vendor updates from Siemens; one coordinated disclosure for products from Resource Data Management and one exploit for a previously disclosed vulnerability for products from AVEVA.

Kunbus Advisory


Kunbus published an advisory for five vulnerabilities in its KUNBUS-GW Modbus TCP PR100088 product. The vulnerabilities were reported by Nicolas Merle of Applied Risk. Kunbus is working on an update to mitigate the vulnerabilities.

The five reported vulnerabilities are:

• Conditional authentication bypass;
• Missing authentication for critical function;
• Denial of service;
• Publication of information by parameter data in an HTTP GET request; and
• Plain text storage of passwords

Schneider Advisories


Schneider has published an advisory describing six vulnerabilities in its Sarix Enhanced and Spectra Enhanced cameras. The vulnerabilities were reported by Deng Yongkai (NSFOCUS) and Gjoko Krstic (Zero Science). Schneider has a new firmware version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• A permissions, privileges, and access control vulnerability - CVE-2018-7816;
• A command injection vulnerability (2) - CVE-2018-7825 and CVE-2018-7826;
• A cross-site scripting (XSS) vulnerability (2) - CVE-2018-7827 and CVE-2018-7828; and
• An improper neutralization of special elements in query vulnerability - CVE-2018-7829


Schneider has published an advisory describing a buffer error vulnerability in its Vijeo Designer Lite software. The vulnerability is self-reported. Schneider has provided generic mitigations as the product has reached end-of-life status.


Schneider has published an advisory describing three vulnerabilities in its Modicon M221 and SoMachine Basic products. The vulnerabilities were reported by Matthias Niedermaier (Hochschule Augsburg), Jan-Ole Malchow (Freie Universität Berlin), Florian Fischer (Hochschule Augsburg) and Reid Wightman (Dragos Inc.). Schneider has updates available to mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• An environment vulnerability (2) - CVE-2018-7821 and CVE-2018-7823; and
• An incorrect default permissions vulnerability - CVE-2018-7822

Rockwell Advisory


Rockwell has published an advisory describing two vulnerabilities in its PowerMonitor 1000 monitor that were publicly reported (with exploits) in December (here and here) by Luca Chiou. Rockwell has provided generic mitigation measures pending development of updates. It also provides a link to intrusion prevention system rules (by CheckPoint) that detect attempts to exploit the cross-site scripting vulnerability.

The two reported vulnerabilities are:

• Cross-site scripting - CVE-2019-19615; and
• Authentication bypass - CVE-2019-19616

Siemens Updates


Siemens published an update for their advisory on Spectre and Meltdown Vulnerabilities in Industrial Products. They added updated affected version data and provided links to mitigations for:

• SIMATIC ET 200 SP Open Controller; and
• SIMATIC IPC547E

NOTE: NCCIC-ICS updated their alert (ICS-ALERT-18-011-01) for this vulnerability when Siemens added a new advisory. That technically included this update since the link provided in the alert goes to the latest version of the Siemens advisory.


Siemens published an update for their advisory on Spectre-NG (Variants 3a and 4) Vulnerabilities in Industrial Products. They added updated version data and provided links to mitigations for:

• SIMATIC ET 200 SP Open Controller;
• SIMATIC ET 200 SP Open Controller (F);
• SIMATIC S7-1500 Software Controller;
• SIMATIC IPC547E;
• SIMATIC ITP1000;
• SIMATIC IPC3000 SMART V2;
• SIMATIC IPC347E; and
• SIMATIC HMI Basic Panels 2nd Generation

They also removed the following unaffected products from the advisory:

• SIMATIC IPC227E;
• SIMATIC IPC277E;
• SIMATIC IPC327E; and
• SIMATIC IPC377E

NOTE: NCCIC-ICS is expected to update their advisory.


Siemens published an update for their advisory on Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP. They added two additional vulnerabilities to the list for these products:

• CVE-2018-1000876; and
• CVE-2018-16862

NOTE: NCCIC-ICS has not published an advisory/alert on these vulnerabilities.

Siemens has published an update for their advisory on Denial-of-Service in SICAM A8000 Series. They updated the CVSS vector due to a known exploit.


Siemens has published an update for their advisory on Foreshadow / L1 Terminal Fault Vulnerabilities in Industrial Products. They updated the affected version data and provided links to the mitigation measures for:

• SIMATIC IPC547E;
• SIMATIC IPC547G;
• SIMATIC ITP1000;
• SIMATIC IPC3000 SMART V2; and
• SIMATIC IPC347E

They also removed the following unaffected products from the advisory:

• SIMATIC IPC227E;
• SIMATIC IPC277E;
• SIMATIC IPC327E; and
• SIMATIC IPC377E

NOTE: NCCIC-ICS has not published an advisory/alert on these vulnerabilities.

Resource Data Management


Safety Detective published an article describing default credential vulnerabilities for commercial refrigeration systems from Resource Data Management. The article describes how the researchers were able to locate vulnerable systems, change settings, and manipulate controls in systems in hospitals and stores.

AVEVA Exploit


Jacob Baines published an exploit for vulnerabilities in the AVEVA InduSoft Web Studio. The vulnerabilities were reported by NCCIC-ICS earlier this month.

Bills Introduced – 02-14-19


On Thursday, with both the House and Senate in session, there were 144 bills introduced. One of these may receive further future mention in this blog:

S 495 A bill to amend title 18, United States Code, to reauthorize and expand the National Threat Assessment Center of the Department of Homeland Security. Sen. Grassley, Chuck [R-IA]

I will be watching this bill for specific mention of chemical security, chemical transportation security or cybersecurity.

NOTE: On Thursday I mistakenly titled the ‘Bills Introduced’ blog post as referring to bills introduced on 2-14-19, it should have read ‘2-13-19’. That has been corrected.

Friday, February 15, 2019

HR 851 Introduced – ECP Brakes


Last month Rep. Herrera-Beutler introduced HR 851, the Oil and Flammable Material Rail Transportation Safety Act. This bill would reinstate the electronically-controlled pneumatic brake provisions of 49 CFR 174.310 for highly-hazardous flammable unit trains (HHFUT). This bill is identical to HR 7076 from last session. Since Herrera-Beutler is still not on the House Transportation and Infrastructure Committee, the committee to which this bill was assigned for consideration, this bill will die from lack of attention unless she attracts a cosponsor assigned to that Committee.


S 245 Introduced – FY 2019 Intel Authorization

Last month Sen. Burr (R,NC) introduced S 245, the Damon Paul Nelson and Matthew Young Pollard Intelligence Authorization Act for Fiscal Years 2018 and 2019. Intel authorization bills were introduced last session (HR 6237 and S 3153), but only the House bill received any action; it passed by a vote of 363 to 54. No action was taken in the Senate on either bill.

Cybersecurity Provisions


There are a number of cybersecurity related provisions in this bill, but only one of potential specific interest to the industrial control system community. The cybersecurity sections of note include:

§303. Modification of special pay authority for science, technology, engineering, or mathematics positions and addition of special pay authority for cyber positions.
§307. Consideration of adversarial telecommunications and cybersecurity infrastructure when sharing intelligence with foreign governments and entities.
§308. Cyber protection support for the personnel of the intelligence community in positions highly vulnerable to cyber attack.
§309. Modification of authority relating to management of supply-chain risk.
§422. Establishment of Energy Infrastructure Security Center.
§701. Limitation relating to establishment or support of cybersecurity unit with the Russian Federation.

EISC


The potentially interesting ICS provision is, of course, §422 establishing the EISC. A nearly identical provision (the only difference being the section/paragraph numbers) was included in HR 6237. I covered that issue in my post on the introduction of the earlier bill.

Missing Provision


Last year Burr’s authorization bill included a section on energy sector cybersecurity. This was taken almost in its entirety from last session’s S 79. A bill similar to S 79 was introduced earlier this session: S 174. It is not clear whether Burr left this out because he felt that S 174 had a good chance to pass on its own (not likely in my opinion) or because he got push-back for including the costly provisions in last year’s intel bill.

Moving Forward


Burr’s bill will move forward in Committee; he is, after all, the Chair of the Senate Select Committee on Intelligence. Getting it to the floor of the Senate may prove to be a bigger problem; he has not had an intel authorization bill on the floor since the FY 2017 bill passed.

Commentary


This used to be considered one of the ‘must pass’ annual authorization bills, but since Trump came to town that does not seem to be the case. Spending bills continue to be approved, but the general Congressional oversight provided through the authorization bills seems to be less important as the community status has waned under Trump. This is doubly unfortunate given the cybersecurity troubles being seen in the world.

Thursday, February 14, 2019

Two Advisories and Three Updates Published – 02-14-19


Today the DHS NCCIC-ICS published two control system security advisories for products from gpsd Open Source Project and Pangea. They also updated three previously published advisories for products from Fuji and Siemens (2). The gpsd advisory was originally published on the HSIN ICS-CERT library on November 6, 2018.

gpsd Advisory


This advisory describes a stack-based buffer overflow vulnerability in gpsd, an open-source GPS framework. The vulnerability was reported by GE Digital Cyber Security Services, working with GE-PSIRT. A new version is available that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit this vulnerability to allow remote code execution, data exfiltration, or denial-of-service via device crash.

Note: This advisory is a ‘third-party vendor’ vulnerability report. NCCIC-ICS reports that gpsd can be found in many mobile embedded systems such as Android phones, drones, robot submarines, driverless cars, manned aircraft, marine navigation systems, and military vehicles.

Pangea Advisory


This advisory describes an authentication bypass using an alternate path or channel vulnerability in the Pangea Internet FAX Analog Telephone Adapter (ATA). The vulnerability was reported by Ankit Anubhav of NewSky Security. Pangea has a patch deployed that mitigates the vulnerability. There is no indication that Anubhav has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could use a publicly available exploit to remotely exploit the vulnerability to cause the device to reboot and create a continual denial-of-service condition.

Fuji Update


This update provides additional information on an advisory that was originally published on September 27th, 2018. The update announces the availability of a new firmware version that mitigates the vulnerabilities.

Licensing Software Update


This update provides additional information on an advisory that was originally published on February 12th, 2019. The update makes a number of editorial corrections in the data presentation on the vulnerabilities reported. I missed identifying these inconsistencies as I reported on the vulnerabilities based upon the Talos reports. The update still does not mention that there are publicly available exploits for these vulnerabilities from those reports.

PROFINET Update


This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, July 25th, 2017, August 17th, 2017, October 10th, 2017, November 14th, 2017, January 23rd, 2018, February 27th, 2018, and most recently on June 21st, 2018. The update provides updated affected version information and mitigation links for SINAUT ST7CC.

Bills Introduced – 02-13-19


Yesterday with both the House and Senate in session there were 98 bills introduced. Three of those bills may receive additional coverage in this blog:

HR 1158 To authorize cyber incident response teams at the Department of Homeland Security, and for other purposes. Rep. McCaul, Michael T. [R-TX-10]

HJ Res 45 Making further continuing appropriations for fiscal year 2019, and for other purposes. Rep. Biggs, Andy [R-AZ-5]

S 482 A bill to strengthen the North Atlantic Treaty Organization, to combat international cybercrime, and to impose additional sanctions with respect to the Russian Federation, and for other purposes. Sen. Graham, Lindsey [R-SC]

I will be watching S 482 for language that would include attacks on industrial control systems in the definition of ‘cybercrime’, but I am not holding my breath.

There was one other oddly named bill that I will personally be watching (but will probably not be writing about here), S 483. Introduced by Sen. Roberts (R,KS) it is titled: “A bill to enact into law a bill by reference.” Odd.

Wednesday, February 13, 2019

CSAT 60-Day ICR Comment


Last week the DHS Cybersecurity and Infrastructure Security Agency published a 60-day information collection request (ICR) for the Chemical Security Assessment Tool (CSAT) for the Chemical Facility Anti-Terrorism Standards (CFATS) program. In my post on the ICR I noted that there was a little known collection included in the ICR: “Identification of Additional Facilities and Assets at Risk”. As is typical in a well-constructed ICR notice, there is little detail provided about the actual collection; the details provided only apply to the burden estimate associated with the collection.

Questions on Collection


I attempted to gather some information on this collection from official sources at the DHS Infrastructure Security Compliance Division. My questions were forwarded to Bardha Azari of the CISA Office of External Affairs. Azari responded and told me that in order to “consolidate all questions and concerns regarding the CSAT ICR, and to maintain a transparent public process, your questions and comments on the ICR should be submitted through the Federal eRulemaking Portal”. This post will form that ICR response.

Unfortunately, without answers to the questions asked below, I will not be able to provide a proper response on the adequacy of the burden estimate or on the agency’s need to collect the information, as envisioned in the Paperwork Reduction Act of 1995. An adequate response will have to wait until the 30-day ICR notice is published.

Data on the Current ICR


Looking at the Reginfo.gov website for the current ICR there is a link to a document [DOCX. Download] explaining the current collection tool. It explains that there are two sections for the current ‘instrument’ involved in this collection:

• Identification of Facilities at Risk; and
• Assets at Risk

Because these resources are not available until the approved ICR is published, respondents to the current ICR notice are forced to rely on information provided in the current ICR data. A detailed look at the existing data leads to questions that should be answered before the adequacy of the revised ICR can be assessed.

Identification of Facilities


The explanation document explains that:

“In this section the instrument will collect, on a voluntary basis, the following information when the facility identifies it ships and/or receives COI:
• Shipping and/or receiving procedures
• Invoices and receipts
• Company names and locations that COI is shipped to and/or received from”

The new ICR notice reports that the voluntary collection will be limited to only 845 respondents, “because CISA only requests this information from covered chemical facilities that undergo compliance inspections and ship chemicals of interest (COI)”. This would seem to indicate that ISCD is changing the focus of this collection to just identify facilities that receive DHS chemicals of interest (COI).

To adequately assess the appropriateness of this collection, I think that the community needs answers to the following questions:
1. How many facilities were asked to provide responses to this collection since October 2016?

2. How many facilities voluntarily provided information on the vendors that shipped COI to the inspected facility?

3. How many facilities voluntarily provided information on the customers to whom they shipped COI from the inspected facility?

4. How many of those facilities identified in the voluntary collection had not previously completed Top Screen submissions to ISCD?

5. Of those previously unidentified facilities, how many subsequently submitted Top Screens?

6. Of those previously unidentified facilities that submitted Top Screens, how many were subsequently identified as being at high-risk?

7. Why wasn’t this data collection mentioned in the FY 2019 CFATS Outreach Implementation Plan?

Assets At Risk


The explanation document explains that:

“In this section the instrument will collect, on a voluntary basis, the following information when the facility identifies a SCADA, DCS, PCS, or ICS:
• Provide details on the system(s) that controls, monitors, and/or manages small to large production systems as well as how the system(s) operates.
If it is standalone or connected to other systems or networks and document the specific brand and name of the system(s).”

The ICR notice makes no mention of an industrial control system data collection; it only refers to asking for voluntary data submissions from “facilities that undergo compliance inspections and ship chemicals of interest (COI)”. That would hardly be a limited category of facilities from which ISCD would wish to collect the above-described data.

To adequately comment on the removal of this information from the collection, the community would need answers to the following questions:

1. Has the section actually been removed from the collection? If so, why?

2. How many facilities were asked to voluntarily provide the information since October 2016?

3. What criteria were used to select the facilities that were asked to provide the information?

4. How many facilities responded to the information collection?

5. Was any data provided in this information collection that had not been previously provided in the approved facility site security plan?

6 Advisories and 7 Updates Published – 02-12-19


Yesterday the DHS NCCIC-ICS published six control system security advisories for products from Siemens (5) and OSIsoft. They also updated seven previously published advisories for products from Siemens.

CP1604 Advisory


This advisory describes three vulnerabilities in the Siemens CP1604 and CP1616 products. These vulnerabilities were self-reported. Siemens has a new version that mitigates the vulnerabilities.

The three reported vulnerabilities are:

• Clear-text transmission of sensitive information - CVE-2018-13808;
• Cross-site scripting - CVE-2018-13809; and
• Cross-site request forgery - CVE-2018-13810

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow a denial-of-service condition and information exposure. An attacker could inject arbitrary JavaScript in a specially crafted URL request to execute on an unsuspecting user’s system, allowing the attacker to trigger actions via the web interface that a legitimate user is allowed to perform.

NOTE: I briefly discussed this advisory on January 12th.

Intel Active Management Advisory


This advisory describes three vulnerabilities in the Intel Active Management Technology (AMT) of Siemens SIMATIC IPCs. The vulnerabilities are self-reported. These vulnerabilities exist in third-party (Intel) firmware on the affected PCs. Siemens has firmware updates that mitigate the vulnerabilities.

The three reported vulnerabilities are:

• Cryptographic issues - CVE-2018-3616;
• Improper restrictions of operations within the bounds of a memory buffer - CVE-2018-3657; and
• Resource management errors - CVE-2018-3658

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow arbitrary code execution, a partial denial-of-service condition, or information disclosure. The Siemens advisory reports that:

“The security vulnerability could be exploited by an attacker with network access to the affected systems. Successful exploitation requires no system privileges and no user interaction.”

NOTE: These vulnerabilities could be found on a large number of industrial PCs not related to the Siemens products in this advisory.

SIMATIC Advisory


This advisory describes an improper input validation vulnerability in the Siemens SIMATIC S7-300 CPU. The vulnerability was reported by the China Industrial Control Systems Cyber Emergency Response Team (CIC). Siemens has a firmware update that mitigates the vulnerability. There is no indication that CIC has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow the attacker to crash the device being accessed, resulting in a denial-of-service condition.

NOTE: I briefly discussed this advisory on January 12th.

Licensing Software Advisory


This advisory describes three vulnerabilities in the Siemens WibuKey Digital Rights Management (DRM) used with SICAM 230. These vulnerabilities are self-reported. Siemens has provided links to a third-party update to mitigate the vulnerabilities. These vulnerabilities were originally reported in the WibuKey product in December by Talos; see the links on the CVE numbers for the Talos reports.

The three reported vulnerabilities are:

• Input validation (3) - CVE-2018-3989, CVE-2018-3990, and CVE-2018-3991.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow information disclosure, privilege escalation, or remote code execution. NOTE: The Talos reports provide proof of concept exploit code.

Again, as with any third-party vulnerability, these problems could be seen in systems from other vendors that also use the WibuKey DRM.

EN100 Ethernet Communications Module Advisory


This advisory describes an improper input validation vulnerability in the Siemens EN100 Ethernet Communication Module and SIPROTEC 5 Relays. The vulnerability was reported by Lars Lengersdorf from Amprion GmbH. Siemens has updates for some of the affected products. There is no indication that Lengersdorf has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to conduct a denial-of-service attack over the network.

OSIsoft Advisory


This advisory describes a cross-site scripting vulnerability in the OSIsoft PI Vision application. The vulnerability is self-reported. OSIsoft has a new version that mitigates this vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to allow an attacker to read and modify the contents of the PI Vision web page and data related to the PI Vision application in the victim’s browser.

NOTE: I briefly discussed this vulnerability on December 18th, 2018.

Meltdown Spectre Update


This update provides additional information on an advisory that was originally published on January 11th, 2018 and updated on January 16th, 2018, January 17th, 2018, January 30th, 2018, February 20th, 2018, February 22nd, 2018, March 1st, 2018, July 10th, 2018, and most recently on September 11th, 2018. The new information includes a link to a new Meltdown/Spectre advisory from Siemens for their SIMATIC Industrial Thin Clients.

EN100 Ethernet Communications Module Update


This update provides additional information on an advisory that was originally published on December 13th, 2018. The new information includes updated version data and mitigation links for the firmware variant IEC104 for EN100 Ethernet modules.

SIMATIC S7-1500 Update


This update provides additional information on an advisory that was originally published on October 9th, 2018. The new information includes updated version data and mitigation links for:

• SIMATIC ET 200 SP Open Controller; and
• SIMATIC S7-1500 Software Controller

Open SSL Update


This update provides additional information on an advisory that was originally published on August 14th, 2018 and updated on September 11th, 2018, October 9th, 2018, and again on November 13th, 2018. The update provides new affected version and mitigation information for:

• SIMATIC S7-1500 Software Controller; and
• SIMATIC ET 200SP Open Controller CPU 1515SP PC

SIPROTEC 4 Update


This update provides additional information on an advisory that was originally published on March 8th, 2018 and updated on April 18th, 2018. The update provides new affected version and mitigation information for the IEC 104 variant of the EN100 module.

Industrial Products Update #1

This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15, 2017, on July 25th, 2017, on August 17th, 2017, on October 10th, on November 14th, November 28th, February 27th, 2018, May 3rd, 2018, May 15th, 2018, September 11th, 2018, October 9th, 2018, November 13th, 2018, December 11th, 2018, and most recently on February 5th, 2019. The update provides new affected version and mitigation information for SIMATIC ET 200SP IM155-6 PN HA.

Industrial Products Update #2


This update provides additional information on an advisory that was originally published on January 12th, 2018. The update provides new affected version and mitigation information for SIMATIC CP 1626.

Siemens Advisory Update


Yesterday’s publications by ICS-CERT are really rather remarkable since most of the Siemens advisories covered were published yesterday. NCCIC-ICS has now reported on all of the original advisories from Siemens from January and all but one of the updates (the GNU/Linux vulnerabilities that have not been reported by NCCIC-ICS).

Of the four advisories and 12 updates published yesterday by Siemens only 8 updates have not been directly covered by NCCIC-ICS in yesterday’s reporting. Unless those are reported by NCCIC-ICS on Thursday, I will have more details this weekend.

Monday, February 11, 2019

ISCD Publishes CFATS Update for December and January


Today the DHS Infrastructure Security Compliance Division (ISCD) published their Chemical Facility Anti-Terrorism Standards (CFATS) update for December 2018 and January 2019. Needless to say the Federal Funding Fiasco has had a major impact on the numbers being reported since the Chemical Security Inspectors were furloughed for 35 days straddling those two months. Sorry to say, this is going to play hell with statistical analysis.

The first table below shows the reported CSI activity data for December and January from today’s report (the November numbers come from the ISCD report in early December). The Authorization and Compliance inspection goose eggs are due to the fact that these inspections require more prior coordination than does a compliance inspection. The ‘NR’ notation means ‘not reported’.

| CFATS Activities                     | Nov-18 | Dec-18 | Jan-19 |
|--------------------------------------|--------|--------|--------|
| Authorization Inspections to Date    | 3886   | NR     | 3913   |
| Authorization Inspections Month      | 14     | 18     | 0      |
| Compliance Inspections to Date       | 4135   | NR     | 4269   |
| Compliance Inspections Month         | 143    | 97     | 3      |
| Compliance Assistance Visits to Date | 5065   | NR     | 5131   |
| Compliance Assistance Visits Month   | 53     | 36     | 0      |

The second table shows the status of covered facilities. ISCD did not report interim numbers for December.

| CFATS Facility Status | Nov-18 | Dec-18 | Jan-19 |
|-----------------------|--------|--------|--------|
| Tiered                | 178    |        | 137    |
| Authorized            | 454    |        | 426    |
| Approved              | 2723   |        | 2766   |
| Total                 | 3355   |        | 3329   |

The sharp drop in the number of covered facilities (-26) since November is large, but not the largest two-month drop. That was -27 in June-July of 2018. Still, it is rather impressive given that ISCD was not processing Top Screens for 35 days during the period and everyone was kind of holding their breath until January 18th, when the President signed the 15-month extension of the CFATS program authorization.

BTW: The CFATS landing page was updated to ‘report’ the signing of the extension.
