Tuesday, April 30, 2019

Eliminating CVI in CFATS Reauthorization Bill?


I am hearing rumors that a CFATS reauthorization bill currently being drafted might include provisions that would eliminate the Chemical-Terrorism Vulnerability Information (CVI) program from the Chemical Facility Anti-Terrorism Standards (CFATS) program. The CVI program is authorized under 6 USC 623, regulated under 6 CFR 27.400, and explained in a detailed DHS guidance document. The CVI program protects security information about facilities in the CFATS program from public disclosure.

There have been complaints in Congress over the years that the presence of the CVI program interferes with facilities sharing information with emergency responders. Not having seen the specific wording of possible CVI removal provisions, I can only suppose that these provisions would be an attempt by congressional staffers to remove such impediments to information sharing.

CVI Background


The CVI program is one of the most unusual Controlled Unclassified Information (CUI) programs in the Federal government. Most CUI programs limit the Federal Government’s sharing of information provided to the government by the private sector or developed in house by government agencies. The CVI program, on the other hand, requires both the covered private sector organizations and the government to protect the covered information regardless of who originates it.

Information developed by covered facilities that is considered to be CVI (and thus protected from disclosure) includes all submissions made by the facility to DHS through the CFATS Chemical Security Assessment Tool (CSAT), copies of security vulnerability assessments and site security plans, and the working papers supporting those documents. Certain of those supporting documents are exempted from CVI classification; specifically, any records that are required to be maintained by other regulatory programs including chemical inventory information and emergency response plans are exempted from CVI protections.

Disclosures of CVI information can only be made to personnel who have received CVI Certification and have a verified ‘need-to-know’ for the specific information. The ‘need-to-know’ requirements are outlined in §27.400(e) and specifically include State and local officials.

CVI and Emergency Response Planning


Emergency response planning for chemical releases is covered briefly in the CFATS regulations as part of Risk-Based Performance Standard #9 {§27.230(a)(9)}, but both the regulation and the CFATS RBPS Guidance document make it clear that those requirements cover only response plans for security breaches, not accidental chemical releases. Even then, the CFATS planning process envisions inclusion of law enforcement personnel in preventing the attack or arresting the perpetrators, NOT fire or emergency medical technicians responding to the effects of the potential attack. That chemical emergency response is already covered under EPA regulations.

Law enforcement personnel working with facility personnel to develop security response plans at a CFATS covered facility would be expected to be covered by CVI rules, including CVI training and certification requirements. Emergency medical technicians and firefighters participating in planning for chemical releases (either accidental or deliberate) would be covered under the EPA regulations and would not require CVI clearances.

Members of a Local Emergency Planning Committee (LEPC) would not require CVI certification to receive chemical inventory data from local chemical facilities covered by the CFATS program because the LEPC notification requirements are covered under the EPA regulations and are exempted from CVI classification {§27.405(1)}.

Continued Need for a CVI Process


The purpose of the CVI program is to ensure that critical security information about a CFATS covered facility is not made publicly known, where it would be available to nefarious personnel who could use it in planning and executing an attack on a chemical facility. The mere knowledge that a facility holds an inventory of items on the DHS chemicals of interest (COI) list is not critical security information. That information is generally already publicly available through the EPA (the EPA’s limiting of the sharing of that information is an entirely separate topic).

I suppose that the CVI program could be replaced with another of the existing CUI programs, probably the DHS Protected Critical Infrastructure Information (PCII) program. That would also protect the information originating at the facility level from disclosure by Federal, State and local governments. What it would not do, however, is to establish standards for facility personnel to protect the required information. Without information protection requirements like those in the CVI program, it would be easy enough for attackers to get the information that terrorists need to circumvent the security procedures at CFATS covered facilities.

Rather than abolishing the CVI program, Congress might want to make clear that certain information will be freely shared with LEPCs, local law enforcement, fire departments and hospitals. Last year I suggested language for that information sharing that operates within the bounds of the CVI program. This would be in addition to any information sharing already required between facilities and LEPCs and fire departments by EPA regulations.

Chemical Sector Security Summit Announcement – 04-29-19


Yesterday the DHS Infrastructure Security Compliance Division (ISCD) announced that the Chemical Sector Security Summit (CSSS) would be held in New Orleans, LA this summer. No real information beyond ‘mid-July 2019’ was provided. Until 2017 the CSSS was held every year, but the schedule has since been changed to every other year.

Monday, April 29, 2019

Committee Hearings – Week of 4-28-19


This week both the House and Senate are back from their two-week spring recess. Budget hearings continue. There is also a cybersecurity hearing and a pipeline safety hearing scheduled.

Budget Hearings


Tuesday, DHS, House DHS Subcommittee;
Tuesday, FEMA, House DHS Subcommittee;
Tuesday, CISA, House Homeland Security Committee;
Wednesday, CISA, House DHS Subcommittee;
Wednesday, DOD, House DOD Subcommittee; and
Thursday, DHS, Senate DHS Subcommittee (no link available);

Cybersecurity


On Tuesday the Senate Commerce, Science, and Transportation Committee will hold a hearing on “Strengthening the Cybersecurity of the Internet of Things”. The witness list includes:

Michael Bergman, Consumer Technology Association;
Matthew Eggers, U.S. Chamber of Commerce;
Harley Geiger, Rapid7;
Robert Mayer, US Telecom – The Broadband Association; and
Charles Romine, National Institute of Standards and Technology.

Pipeline Safety


On Wednesday the Energy Subcommittee of the House Energy and Commerce Committee will hold a hearing on “The State of Pipeline Safety and Security in America”. The witness list includes:

Howard R. “Skip” Elliott, PHMSA;
W. William Russell, GAO;
Lawrence Friedeman, Public Utilities Commission of Ohio;
Andrew J. Black, Association of Oil Pipelines (AOPL); and
Carl Weimer, The Pipeline Safety Trust.

The Staff Memo for the hearing indicates that the below listed items will be addressed in the hearing, but questions from various congresscritters could address cybersecurity and the incident in Merrimack Valley last year.

Cost-benefit analysis;
Mandamus (citizen suits);
Automatic and remote-control shutoff valves; and
Leak detection

Sunday, April 28, 2019

HR 2139 Introduced – Gas Pipeline Safety


Earlier this month Rep. Trahan (D,MA) introduced HR 2139, the Leonel Rondon Pipeline Safety Act. The bill would make amendments to gas distribution pipeline safety rules. This bill is a companion bill (identical language) to S 1097.

While Trahan is not on either of the two Committees to which this bill was assigned, one of her two co-sponsors {Rep. Kennedy (D,MA)} is a member of the House Energy and Commerce Committee. This means that it is possible that this bill will be considered in Committee. While S 1097 is unlikely to be considered in the Senate, the Energy and Commerce Committee is likely to take up this bill where I would suspect that it would pass with a strictly partisan vote. Committee Chair politics almost ensures that the bill would not move to the floor of the House unless sponsors are added that have some influence on the Transportation and Infrastructure Committee.

The lack of bipartisan support for this bill ensures that it would have to be considered by the whole House subject to a rule. It is unlikely that anyone currently associated with the bill has enough political influence to see that happen.

These two bills are political moves to demonstrate to constituents that were directly or closely affected by a serious pipeline safety event that the sponsors of the bill are trying to do something to fix the problem. This is good politics even if no further action is taken on either bill.

Saturday, April 27, 2019

ICS Public Disclosures – Week of 04-27-19


This week we have exploit code published for a possible zero-day vulnerability in products from Siemens.

Google Security Research published exploit code for a race condition vulnerability in Siemens R3964 line discipline code, a Linux driver that allows synchronous communication with devices using the Siemens R3964 packet protocol. The Google report notes that this vulnerability is fixed, but according to the Linux folks that fix is simply marking the code as ‘broken’. The Linux researcher notes that:

The n_r3964 line discipline driver was written in a different time, when SMP machines were rare, and users were trusted to do the right thing. Since then, the world has moved on but not this code, it has stayed rooted in the past with its lovely hand-crafted list structures and loads of "interesting" race conditions all over the place.

After attempting to clean up most of the issues, I just gave up and am now marking the driver as BROKEN so that hopefully someone who has this hardware will show up out of the woodwork (I know you are out there!) and will help with debugging a raft of changes that I had laying around for the code, but was too afraid to commit as odds are they would break things.

I am a tad bit over my head here technically, but this looks like a GNU library issue; part of the larger issue that Siemens is dealing with. The CVE for this vulnerability (CVE-2019-11486) was not included in the most recent Siemens advisory for the GNU library issues, but that is hardly surprising since the CVE was issued after the latest update to the Siemens advisory. These issues have still not been addressed by NCCIC-ICS.
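The commit message quoted above blames the n_r3964 bugs on hand-crafted list structures written for a pre-SMP world. The following is an added example (it is not code from the Linux driver, from Google Security Research, or from Siemens) of the classic lost-update race on a hand-built singly linked list, re-enacted deterministically. Instead of real threads, whose interleaving cannot be reproduced on demand, a tiny scheduler steps two "CPUs" (pushers A and B) through the load-head/store-head sequence in a chosen order, so the bad interleaving is guaranteed to occur and the effect of taking a lock around the critical section can be checked. All names here (node, pusher, run_interleaving, the one-bit list_lock standing in for a spinlock) are this example's own.

```c
/* Added example: deterministic re-enactment of a lost-update race on a
 * hand-built linked list, and the same interleaving with a lock held across
 * the read-head/write-head critical section. Not from the Linux n_r3964 driver. */
#include <stdio.h>
#include <stdlib.h>

struct node { char id; struct node *next; };

/* Shared state that both "CPUs" touch: the list head and a flag that
 * stands in for the spinlock the driver should have been taking. */
static struct node *list_head;
static int list_lock;              /* 0 = free, 1 = held */

enum { STEP_ALLOC, STEP_LOCK, STEP_READ, STEP_WRITE, STEP_DONE };

/* A pusher is a state machine with the steps a naive push compiles to:
 * allocate, (optionally) take the lock, read the head, publish the node. */
struct pusher {
    char id;
    int step;
    int use_lock;
    struct node *n;
};

/* Run one step of a push. Returns 1 on progress, 0 if the pusher is
 * spinning on the lock or has already finished. */
static int pusher_step(struct pusher *p)
{
    switch (p->step) {
    case STEP_ALLOC:
        p->n = calloc(1, sizeof *p->n);
        if (!p->n) abort();
        p->n->id = p->id;
        p->step = STEP_LOCK;
        return 1;
    case STEP_LOCK:
        if (p->use_lock) {
            if (list_lock) return 0;   /* critical section busy: spin */
            list_lock = 1;
        }
        p->step = STEP_READ;
        return 1;
    case STEP_READ:
        p->n->next = list_head;        /* load of the shared head ... */
        p->step = STEP_WRITE;
        return 1;
    case STEP_WRITE:
        list_head = p->n;              /* ... and the store that publishes it */
        if (p->use_lock) list_lock = 0;
        p->step = STEP_DONE;
        return 1;
    default:
        return 0;
    }
}

/* Drive pushers A and B through the interleaving given by `order` (a string of
 * 'A'/'B' characters, one step each; a blocked pusher simply spins for that
 * slot), then let both finish round-robin. Returns the number of nodes
 * reachable from list_head afterwards; with two pushers the correct answer
 * is always 2. */
int run_interleaving(const char *order, int use_lock)
{
    struct pusher p[2] = {
        { 'A', STEP_ALLOC, use_lock, NULL },
        { 'B', STEP_ALLOC, use_lock, NULL },
    };
    int count = 0, guard;
    struct node *cur;

    list_head = NULL;
    list_lock = 0;

    for (; *order; order++) {
        if (*order == 'A') pusher_step(&p[0]);
        else if (*order == 'B') pusher_step(&p[1]);
    }
    /* Bounded round-robin so a bug in the lock handling cannot hang us. */
    for (guard = 0; guard < 100 &&
         (p[0].step != STEP_DONE || p[1].step != STEP_DONE); guard++) {
        pusher_step(&p[0]);
        pusher_step(&p[1]);
    }

    for (cur = list_head; cur; cur = cur->next)
        count++;

    /* Both nodes were allocated whether or not they made it onto the list. */
    free(p[0].n);
    free(p[1].n);
    list_head = NULL;
    return count;
}

int main(void)
{
    /* A reads head, B reads head, A writes, B writes: A's node is lost. */
    printf("unlocked, racy order:   %d node(s)\n", run_interleaving("AABBAB", 0));
    printf("unlocked, serial order: %d node(s)\n", run_interleaving("AAAABBBB", 0));
    printf("locked,   racy order:   %d node(s)\n", run_interleaving("AABBAB", 1));
    return 0;
}
```

The "AABBAB" order is the SMP case the commit message describes: two CPUs execute the push at the same time, both read the same old head, and the second store silently discards the first node. On a single-CPU, non-preemptible kernel that interleaving cannot happen, which is why such code looked fine "in a different time"; with the lock taken before the read and released after the write, B spins until A has published and the list ends up with both nodes.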

Friday, April 26, 2019

S 1097 Introduced – Gas Pipeline Safety


Earlier this month Sen. Markey (D,MA) introduced S 1097, the Leonel Rondon Pipeline Safety Act. The bill would make amendments to gas distribution pipeline safety rules. Leonel Rondon was a teenager killed in the 2018 Merrimack Valley gas explosions. That incident is the impetus for the introduction of this legislation.

Distribution Integrity Management Plans


Section 2 of the bill would amend 49 USC 60109(e), Distribution Integrity Management Programs. The new sub-paragraph (7) would require the Secretary of Transportation, within one year of enactment of this legislation, to issue new regulations that would modify the requirements for distribution integrity management plans developed by operators of distribution pipelines. The new language would require the evaluation of {new §60109(e)(7)(A)}:

The risks resulting from the presence of cast iron pipes and mains in the distribution system; and
The risks that could lead to or result from the operation of a distribution pipeline above the maximum allowable operating pressure.

This section would also require covered operators to submit to regulators within 180 days of the enactment of this bill {new §60109(e)(7)(C)}:

The distribution integrity management plan of the operator;
The emergency response plan under section 192.615 of title 49 CFR; and
The procedural manual for operations, maintenance, and emergencies under section 192.605 of title 49 CFR.

The Secretary would also be required to promulgate regulations that would ensure that authorized State Regulating Authorities have the capabilities to review and evaluate the documents required to be submitted by this section.

Emergency Response Plans


Section 3 of the bill would amend 49 USC 60102 by adding a new paragraph (q). It would require the Secretary to amend the emergency response plan requirements of 49 CFR 192.615 by adding requirements for written procedures for {new §60102(q)}:

Establishing communication with fire, police, and other relevant public officials as soon as practicable, but not later than 30 minutes, after a gas pipeline emergency;
Establishing public communication as soon as practicable and in consultation with fire, police, and other public officials after a gas pipeline emergency; and
The development and implementation of a voluntary, opt-in system that would allow operators of distribution pipelines to rapidly communicate with customers in the event of an emergency.

Operations and Maintenance Manuals


Section 4 of the bill would also amend §60102 by adding a new paragraph (r). This new paragraph would require the amendment of 49 CFR 192.605 to include requirements that the procedure manuals required by that section include written procedures for {new §60102(r)}:

Responding to over pressurization alarms, including a clear timeline and order of operations for shutting down portions of the gas distribution system, if necessary; and
A detailed procedure for a management of change process, which shall be applied to all changes to the distribution system, and which shall ensure that relevant employees of an operator of a distribution pipeline review construction documents for accuracy, completeness, and correctness.

Pipeline Safety Management Systems


Section 5 of the bill would further amend §60102 with another new paragraph (s). This would require regulations establishing requirements for distribution pipeline operators to develop and implement a pipeline safety management systems framework in accordance with Recommended Practice 1173 of the American Petroleum Institute. Copies of the framework would be submitted to regulators. Regulators would then be required to evaluate the documents to ensure that {new §60102(s)(4)}:

Those frameworks are effective and complete; and
Operators of distribution pipelines are in compliance with those frameworks.

The use of 3rd party auditors to conduct the required evaluations would be authorized by this bill.

Pipeline Safety Practices


Section 6 of the bill would finally add a new paragraph (t) to §60102. This would also require the Secretary to prepare new regulations to:

Add new record keeping requirements;
Require a licensed professional engineer to approve work plans required under 49 CFR 192.801(b);
Include in those work plans a requirement to “monitor gas pressure and have the capability to shut down the flow of gas at a district regulator station during any construction project that has the potential to cause a hazardous over-pressurization at that station” {new §60102(t)(3)(A)};
Require gas line distribution operators to ensure that {new §60102(t)(4)(A)}:
There is no possibility for a common mode of failure in the regulator technology of the station that could lead to an operating pressure that is greater than the maximum allowable operating pressure;
The station has monitoring technology that provides constant awareness of gas pressure at the station; and
The station has additional pressure-relieving safety technology, such as a relief valve or automatic shutoff valve, as appropriate for the configuration and siting of the station.
Promote sufficient staffing for monitoring and regulating gas pressure levels by each operator of a distribution pipeline.

Civil Penalties


Section 7 of the bill amends 49 USC 60122(a)(1), increasing the civil penalty limits, both per violation and for the total amount for a related series of violations, for violations of 49 USC 60114(b) and (d) (One-call notification system requirements) and §60118(a) (safety standards and integrity management program mandate). The maximum per violation, per day penalty would be increased from $200 thousand to $20 million and the maximum penalty for a related series of violations would be increased from $2 million to $200 million.

Moving Forward


Markey and one of his two cosponsors {Sen. Blumenthal (D,CT)} are both influential members of the Senate Commerce, Science, and Transportation Committee. Generally, this is sufficient to make it likely that the bill would be considered in Committee. Unfortunately, the fine increases in §7 of the bill will almost certainly cause the Republican committee leadership to ignore this bill and I suspect that the Republican members of the Committee would quickly fall in line to oppose this bill if it were brought before the Committee.

Commentary


Some of the changes to 49 USC proposed in this legislation directly address recommendations made by the National Transportation Safety Board (NTSB) in its interim Safety Recommendation Report on the Merrimack Valley incident. The NTSB report targets its recommendations at the Commonwealth of Massachusetts and NiSource, Inc., rather than at the gas pipeline industry in general. Markey’s bill would make the recommended changes across the gas distribution pipeline industry. Whether or not that is regulatory overreach remains to be seen. It would be interesting to see what congressional hearings on the topic revealed.

One of the problems with knee-jerk legislative responses to very visible tragic industrial accidents is that there are frequently unintended consequences of well-meaning legislative requirements. It is usually difficult to predict those unintended consequences, but there is one in this bill that could potentially be far reaching. In the new §60102(t)(4)(A)(i) the bill requires new DOT regulations to ensure that “there is no possibility for a common mode of failure in the regulator technology of the station that could lead to an operating pressure that is greater than the maximum allowable operating pressure”. One very real ‘common mode of failure in regulator technology’ would be a cyberattack on the industrial control system that controls the pipeline pressure. Since we have seen that even automated safety systems are potentially subject to cyber-attack, the ‘no possibility’ standard would require a fully analog safety system. While such systems are also subject to failure, they generally would be unaffected by the ‘common mode failure’ due to cyber-attack.

While I would certainly argue that the reasonable regulation of cybersecurity for gas transmission pipelines would be a good thing, such regulations should be carefully considered and well thought out by both regulators and the system operators. A backdoor cybersecurity requirement in a knee-jerk response to a mainly analog system incident certainly does not meet that standard.

S 1065 Introduced – State Cybersecurity Grants


Earlier this month Sen. Warner (D,VA) introduced S 1065, the State Cyber Resiliency Act. The bill would establish a new Federal Emergency Management Agency (FEMA) grant program to develop and implement a State cyber resiliency program. This is a companion bill to HR 2130.

Neither Warner nor his sole cosponsor {Sen. Gardner (R,CO)} is a member of the Senate Homeland Security and Governmental Affairs Committee to which this bill was assigned for consideration. This means that the Committee is unlikely to take up this bill for consideration.

There is a possibility that HR 2130, if passed by the House, could make it to the floor of the Senate under the unanimous consent process, but that process is very iffy. It requires the personal support of Sen. McConnell (R,KY) and no member of the Senate objecting to the bill, even objections on grounds unrelated to the provisions of the bill. For this bill, objections to other FEMA grant programs or a desire to get more controversial grant legislation to the floor could form a very real basis for objecting to HR 2130 being considered.

Thursday, April 25, 2019

CFATS Podcast


This week Dan Verton had me on his LiveSafe podcast discussing the Chemical Facility Anti-Terrorism Standards (CFATS) program reauthorization process. He discussed some of the Congressional concerns that have been raised during the reauthorization process to date and we talked about the practical aspects of some of those issues. It’s well worth the listen even ignoring my contribution at the end (grin).

I have written rather extensively on the CFATS reauthorization issue. In particular, last year I did a series of blog posts on language that I would like to see included in the reauthorization bill. These posts include:


HR 2130 Introduced – State Cybersecurity Grants


Earlier this month Rep. Kilmer (D,WA) introduced HR 2130, the State Cyber Resiliency Act. The bill would establish a new Federal Emergency Management Agency (FEMA) grant program to develop and implement a State cyber resiliency program. This bill is nearly identical to HR 1344 from the 115th Congress; no action was taken on that bill.

Differences in the Bills


There are no substantive changes made in the bill. The only differences are minor editorial changes like substituting ‘5-year’ for ‘five-year’; cosmetic changes only.

Moving Forward


Kilmer is a member of neither the House Homeland Security Committee nor the Transportation and Infrastructure Committee, the two committees to which this bill was assigned for consideration. Rep. McCaul (R,TX), his sole cosponsor, is an influential member of the Homeland Security Committee, so it is possible that this bill will see consideration in that Committee this session. This is different from last year, when none of the eleven cosponsors were members of the appropriate committees.

I do not see anything in this bill that would engender any specific opposition to this bill. There is no specific authorization of funds for the grant program so that ‘problem’ has been avoided. I suspect that there would be substantial bipartisan support for the bill if/when it is considered in Committee. That would lead to the bill being considered under the House suspension of the rules process if it makes it to the floor of the House.

HR 2019 Introduced – Smart Water


Earlier this month Rep. McNerney (D,CA) introduced HR 2019, the Smart Energy and Water Efficiency Act of 2019. The bill would require DOE to carry out a smart energy and water efficiency management pilot program.

The $15 million grant program {§2(c)} would be designed to help eligible entities to demonstrate advanced and innovative technology-based solutions that would {§2(b)(2)}:

Increase and improve the energy efficiency of water, wastewater, and water reuse systems to help communities across the United States make significant progress in conserving water, saving energy, and reducing costs;
Support the implementation of innovative processes and the installation of advanced automated systems that provide real-time data on energy and water; and
Improve energy and water conservation, water quality, and predictive maintenance of energy and water systems, through the use of internet-connected technologies, including sensors, intelligent gateways, and security embedded in hardware.

Moving Forward


McNerney is a member of the House Science, Space, and Technology Committee to which this bill was assigned for consideration. This means that there is a good chance that the bill will be considered in Committee.

I see nothing in the bill that would engender any serious opposition, but the inclusion of the $15 million grant program means that money would have to be taken from somewhere to fund the program. This means that it will be difficult to get the bill through committee deliberations. I suspect that if the bill did make it through the committee it would receive bipartisan support and would thus be considered in the House under the suspension of the rules process.

Commentary


I initially looked at this bill because it was billed as an attempt to “provide for a smart water resource management pilot program.” Anytime I see ‘smart’ as a modifier to any process I am hoping to see some mention of cybersecurity to protect those ‘smart’ activities. I was disappointed when I read the actual text of this bill. There is only a single mention of cybersecurity in the bill and that is the passing mention of a rather generic cybersecurity technique (security embedded in hardware) in the discussion of ‘internet connected devices’ that would be encouraged by the grant program.

While the use of hardware security modules will certainly have a place in the cybersecurity processes used to protect ‘smart water systems’, it is hardly the be-all and end-all of the cybersecurity techniques that would have to be employed to ensure the safe and secure operation of such systems.

If McNerney is really serious about encouraging the use of internet connected devices in the physical operation of municipal water systems (and I am sure that he is), he really should have included a much more detailed discussion of cybersecurity practices in this bill. First he would have had to start off with the definitions of a number of cybersecurity terms (see my suggested definitions). Then, he would have had to include specific cybersecurity language in grant requirements. Legislation is not the place to get into specific cybersecurity techniques, but two specific items could have been added to this bill to address cybersecurity issues.

First the Secretary should have been required to work with NIST and independent standard setting organizations in the water sector to establish voluntary cybersecurity standards for smart water systems. The language below is a quick example of how such language could have been included in the bill by inserting a new paragraph (c).

(c) Voluntary Cybersecurity Standards:

(1) The Secretary, in coordination with the Director of the National Institute of Standards and Technology, will work with one or more independent standards setting organizations recognized by the water sector to develop a set of voluntary standards to reduce the cybersecurity risks associated with the information technology and control systems associated with smart water systems.

(2) The voluntary standards would include requirements to:

(A) Identify the components and communications networks used in the smart water system;
(B) Monitor components and communications to identify unauthorized access or process changes;
(C) Identify the known cybersecurity risks associated with those components and communications networks;
(D) Establish methods to be used to mitigate those known risks;
(E) Define the processes used to identify newly discovered cybersecurity risks, including membership in industry information sharing and analysis centers; and
(F) Establish requirements and methods for reporting cybersecurity incidents.

Then paragraph (b)(2) would be modified so that subparagraph (C) ends with a semicolon instead of a period and a new subparagraph (D) is added:

(C) improve energy and water conservation, water quality, and predictive maintenance of energy and water systems, through the use of internet-connected technologies, including sensors, intelligent gateways, and security embedded in hardware; and
(D) address adoption of the voluntary cybersecurity standards described in §2(c).

These changes would help to ensure that smart water systems do not become an easy method for a smart attack on a community.

Wednesday, April 24, 2019

Two Advisories Published – 04-23-19


Yesterday the DHS NCCIC-ICS published a control system security advisory for products from Rockwell and a medical device security advisory for products from Fujifilm.

Rockwell Advisory


This advisory describes an open redirect vulnerability in the Rockwell MicroLogix 1400 and CompactLogix 5370 Controllers. The vulnerability was reported by Josiah Bryan and Geancarlo Palavicini. Rockwell has new versions or updates to mitigate the vulnerability in most devices. There is no indication that the researchers have verified the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to input a malicious link redirecting users to a malicious website.

Fujifilm Advisory


This advisory describes two vulnerabilities in the Fujifilm FCR Capsula X/Carbon X. The vulnerabilities were reported by Marc Ruef and Rocco Gagliardi of Scip AG. Fujifilm has provided generic mitigation measures. There is no indication that the researchers have been provided an opportunity to verify the efficacy of those mitigations.

The two reported vulnerabilities are:

Uncontrolled resource consumption - CVE-2019-10948; and
Improper access control - CVE-2019-10950.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to effect a denial-of-service condition in affected cassette reader units, causing potential image loss or device unavailability. Attackers could gain unauthorized access to the underlying operating system, allowing arbitrary code execution.

Tuesday, April 23, 2019

HR 1975 Introduced – Cybersecurity Advisory Committee


Last month Rep. Katko (R,NY) introduced HR 1975, the Cybersecurity Advisory Committee Authorization Act of 2019. The bill would require the DHS Cybersecurity and Infrastructure Security Agency (CISA) to establish a cybersecurity advisory committee to advise the Director on the development, refinement, and implementation of policies, programs, rulemakings, planning, training, and security directives pertaining to the mission of CISA.

Composition


The Committee would be composed of 35 individuals representing State and local governments and a broad range of industries, including {new §2215(c)(1)(C)}:

Defense;
Education;
Financial services;
Healthcare;
Manufacturing;
Media and entertainment;
Chemicals;
Retail;
Transportation;
Energy;
Information Technology; and
Communications.

Moving Forward


Katko is a member of the House Homeland Security Committee, one of the three committees to which this bill was assigned for consideration. This means that it is likely that this bill will receive consideration in that Committee. None of the current cosponsors of the bill are members of the other two committees to which the bill was assigned. This greatly decreases the possibility that this bill will be considered in those committees. There is a reasonable chance that the bill could move to the floor without action by the Energy and Commerce or Oversight and Reform committees if the Homeland Security Committee were to strongly endorse the bill.

There is nothing in this bill that would engender serious opposition. If the bill were to be considered it would probably receive broad bipartisan support. I suspect that there is a good chance that this bill will come to the floor of the House under the suspension of the rules process.

Commentary


There is no language in this bill that specifically identifies control system cybersecurity as a targeted interest of the Committee. But, having said that, it seems clear to me that the crafters of the bill intended operational technology cybersecurity to be included in the Committee’s purview. One just has to look at the industrial sectors specified to see that a wide variety of industrial control systems are core technologies for many of the sectors. I do have a minor concern, however, that the support side (vendors, integrators and researchers) of control system security may not receive any recognition in this committee. This concern could be reduced by changing the name of one of the industries from ‘information technology’ to ‘information and operational technology’.

The Federal government has successfully used this type of advisory committee to help provide regulators with a wide span of technical expertise. There have periodically been complaints about the ‘influence’ these industry insiders have over the regulatory process. Usually, this type of complaint has been short circuited by ensuring the inclusion of counter-industry advocacy representatives like labor organizations or privacy groups. For this Committee, I think the failure to include representatives of privacy groups is a significant shortcoming that should be corrected before this legislation makes its way to the President.

Monday, April 22, 2019

S 876 Introduced – DOE Vet Training


Last month Sen. Duckworth (D,IL) introduced S 867, the Energy Jobs for Our Heroes Act of 2019. The bill would require DOE to establish a program to prepare eligible participants for careers in the energy industry as part of the DOD’s SkillBridge (program web site ‘under construction’) program.

Energy Ready Vets Program


The bill would add a new section to the Energy Policy Act of 2005. It would require DOE to establish the ‘Energy-Ready Vets Program’ to prepare eligible participants for careers in the energy industry. The program would “provide standardized training courses, based, to the maximum extent practicable, on existing industry-recognized certification and training programs, to prepare eligible participants in the program for careers in the energy industry” {new §1107(d)}.

Cybersecurity Training


The program would provide training in five energy sectors, including the cybersecurity sector of the energy industry. The training would prepare participants for jobs in {§1107(d)(1)(C)}:

Cybersecurity preparedness;
Cyber incident response and recovery;
Grid modernization, security, and maintenance;
Resilience planning; and
Other areas relating to the cybersecurity sector of the energy industry.

The bill provides for a grant program “to assist the industry in developing such an industry-recognized certification and training program” {§1107(f)(1)} when such programs do not currently exist. Funding for the grant programs comes out of a generic “such sums as are necessary to carry out this section” authorization included in §1107(g)(1).

Moving Forward


While Duckworth is not a member of the Senate Energy and Natural Resources Committee, one of her two cosponsors {Sen. Gardner (R,CO)} is. This means that there is a strong possibility that this bill will be considered in Committee. I suspect that there will be bipartisan support for the bill both in Committee and on the floor as it hits three key political targets: veterans, jobs and clean energy (one of the job sectors not covered in this post).

The key problem this bill faces is getting it to the floor of the Senate for a vote. Time is the big issue and the bill is not important enough to get full debate in the Senate. This means that it would have to be considered under the Senate’s unanimous consent process where the voice of a single Senator can stop the bill from being considered. I do not see anything in the bill to draw strong opposition, but ‘objections’ are frequently raised on bills as a means of expressing political opposition to any of a number of loosely related issues.

This bill, however, is certainly a strong candidate for inclusion in a DOE or even DOD authorization bill either as part of the introduced bill or as an amendment.

Commentary


The lack of people with cybersecurity training is an ongoing problem for many industrial sectors and the energy sector specifically. Training veterans for such jobs is a win-win solution. Since the SkillBridge program is targeted at individual military facilities, the provisions of this bill would allow DOE to tailor cybersecurity training programs at facilities with high concentrations of military members with cybersecurity skills. This could allow the programs to focus on certification skills rather than basic cybersecurity training. This would make it easier for cyber warriors to transition into critical cybersecurity jobs.

HR 1731 Introduced – Cybersecurity Reporting


Last month Rep. Hines (D,CT) introduced HR 1731, Cybersecurity Disclosure Act of 2019. The bill would require the Securities and Exchange Commission to establish rules requiring the reporting of whether there was cybersecurity expertise on the board of directors or other governing body of each company required to file annual reports. This is a companion bill to S 592.

Hines and both of his two cosponsors {Rep. Heck (D,WA) and Rep. Meeks (D,NY)} are members of the House Financial Services Committee to which this bill was assigned for consideration. This means that the bill can probably be expected to receive consideration. I see nothing in the bill that would cause any serious opposition; it would probably receive bipartisan support.

Hines introduced a similar bill last session (HR 6638) that died without action. Part of the reason was its relatively late introduction in the session, but it was also unlikely to receive active support from the more business-friendly Republican leadership of the Committee. When (if) this bill is considered in Committee, the vote will provide a better view of how much bipartisan support the bill would actually receive on the floor. The bill is only likely to get House action if it can draw the super-majority support necessary for passage under the suspension of the rules process.

Sunday, April 21, 2019

HR 1668 Introduced – IoT Cybersecurity


Last month Rep. Kelly (D,IL) introduced HR 1668, the Internet of Things (IoT) Cybersecurity Improvement Act of 2019. This is a companion bill to S 734.

Kelly (and at least two other cosponsors) is a member of the House Oversight and Reform Committee, one of the two committees to which this bill was assigned for consideration. Rep. Foster (D,IL) is a member of the House Science, Space, and Technology Committee, the other Committee to which the bill was assigned. This means that there is a decent chance that this bill will be considered in these committees.

This bill is more likely to advance in the House than S 734 is to advance in the Senate. I suspect that there would be significant bipartisan support and the bill would be passed in the House under the suspension of the rules process.

HR 1648 Introduced – SBA Security Assistance


Last month Rep. Chabot (R,OH) introduced HR 1648, the Small Business Advanced Cybersecurity Enhancements Act of 2019. The bill would require the Small Business Administration to establish a Central Small Business Cybersecurity Assistance Unit as well as regional cybersecurity assistance units.

Cybersecurity Assistance Units


The CSBCAU would be collocated with the DHS National Cybersecurity and Communications Integration Center (NCCIC) and would serve as a conduit for sharing cybersecurity threat information between small businesses and the federal government. All of the information sharing protections provided under the CISA legislation {6 USC 1503(c)} would apply to information sharing via the CSBCAU {new 15 USC 648(a)(9)(B)(iii)}. Information on cyberthreat indicators or defensive measures shared through the CSBCAU will not be subject to the narrow regulatory exemption found in 6 USC 1504(d) (5)(D)(ii)(I).

The regional small business cybersecurity assistance units will be part of each Small Business Administration (SBA) small business development center. The bill would require the SBA to set aside $1 million from the monies authorized for small business development centers for the operation of regional SBCAUs.

Moving Forward


Chabot and both of his cosponsors {Rep. Balderson (R,OH) and Rep. Velasquez (D,NY)} are members of the House Small Business Committee, the Committee to which this bill was assigned for consideration. This means that there is a good chance that this bill will be considered in Committee.

There is nothing in this bill that would incur any significant opposition. I suspect that if it is considered in committee that it would pass with significant bipartisan support. If considered by the full House it would likely be considered under the suspension of the rules process with limited debate and no floor amendments. Again, it would probably pass with substantial bipartisan support.

Commentary


This bill is an attempt to encourage small business owners to participate in the existing cybersecurity information sharing program with CISA by using familiar SBA channels of communication. Unfortunately, it does not address the underlying issues that appear to be hindering businesses in general from participating in the information sharing process: the appearance that the information sharing process is a one-way street with little usable information flowing back to the private sector.

The one small sop thrown to the small business community, the §1504 exception, will do little to add encouragement for small businesses to participate in the CISA information sharing process. Section 1504 allows units of the federal government to use information shared with NCCIC to fine-tune existing cybersecurity regulations. Since there are few areas of the federal regulatory system that are specifically allowed to regulate cybersecurity, this is a fairly unimportant exception.

There is no mention in this bill of industrial control system security issues. The findings section of the bill only mentions information technology security concerns. Fortunately, since this bill attempts to supplement the CISA information sharing process, it uses control system friendly definitions from 6 USC 1501 that are based on the definition of ‘information system’ that specifically includes control systems. Unfortunately, this is as unlikely to encourage small businesses to share control system security threat information with CISA as it is purely IT threat information. Congress needs to clearly identify the existing impediments to information sharing and rectify those before they can expect small businesses to become part of the process.

Saturday, April 20, 2019

Public ICS Disclosures – Week of 04-13-19


This week we have two vendor disclosures from CODESYS.

Gateway V3 Memory Management Advisory


CODESYS published an advisory describing an uncontrolled memory allocation vulnerability in the CODESYS V3 products. The vulnerability was reported by Martin Hartmann from cirosec GmbH. 3S has released a new version that mitigates the vulnerability. There is no indication that Hartmann has been provided an opportunity to verify the efficacy of the fix.

CODESYS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to cause a denial-of-service condition.

Gateway V3 Channel Management Advisory


CODESYS published an advisory describing two vulnerabilities in the CODESYS V3 products. The vulnerabilities were reported by Martin Hartmann from cirosec GmbH. 3S has released a new version that mitigates the vulnerabilities. There is no indication that Hartmann has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities (covered by a single CVE, CVE-2019-9010) are:

Insufficiently random values used to identify the communication channel; and
Insufficient verification of the ownership of a channel.

CODESYS reports that a moderately skilled attacker could remotely exploit these vulnerabilities to close existing communication channels or to take over an already established user session to send crafted packets to a PLC.
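The two channel management weaknesses reported above (predictable channel identifiers and missing ownership checks) are a generic design problem, not specific to any one gateway. The following is an added illustration, not CODESYS code and not derived from the advisory: a hypothetical gateway channel table in its weak form, where identifiers come from a deterministic PRNG and close() trusts whoever presents an id, beside a hardened form that draws 128-bit identifiers from the OS CSPRNG and binds every operation to the client identity that opened the channel. The class and method names, the seed value and the client names are all constructed for the example.

```python
"""Illustrative (hypothetical) gateway channel table: predictable ids and
missing ownership checks versus a hardened version.  Not CODESYS code."""
import random
import secrets
from dataclasses import dataclass


class ChannelError(Exception):
    """Raised when a channel request is rejected."""


@dataclass
class Channel:
    channel_id: str
    owner: str          # identity of the client that opened the channel


class WeakChannelManager:
    """Weak design, for contrast only:
    - ids come from a deterministic PRNG, so a party that learns or guesses
      the seed reproduces every id the gateway will hand out;
    - close() never checks who asks, so any id holder can tear down
      another client's channel."""

    def __init__(self, seed: int = 0) -> None:
        self._rng = random.Random(seed)   # deterministic: not a secret source
        self.channels: dict[str, Channel] = {}

    def open(self, owner: str) -> str:
        cid = f"{self._rng.getrandbits(32):08x}"
        self.channels[cid] = Channel(cid, owner)
        return cid

    def close(self, cid: str) -> None:
        self.channels.pop(cid, None)      # no ownership check at all


class HardenedChannelManager:
    """Hardened version:
    - 128-bit ids from the OS CSPRNG (secrets module), so ids cannot be
      predicted or enumerated in practice;
    - every operation on a channel is bound to the identity that opened it."""

    def __init__(self) -> None:
        self.channels: dict[str, Channel] = {}

    def open(self, owner: str) -> str:
        cid = secrets.token_hex(16)       # 32 hex chars, 128 bits of entropy
        self.channels[cid] = Channel(cid, owner)
        return cid

    def _authorize(self, cid: str, requester: str) -> Channel:
        ch = self.channels.get(cid)
        # Constant-time compare avoids leaking how much of the owner id matched.
        if ch is None or not secrets.compare_digest(ch.owner, requester):
            raise ChannelError("unknown channel or requester is not its owner")
        return ch

    def close(self, cid: str, requester: str) -> None:
        self._authorize(cid, requester)
        del self.channels[cid]

    def send(self, cid: str, requester: str, payload: bytes) -> int:
        """Accept a payload only from the channel's owner; returns bytes accepted."""
        self._authorize(cid, requester)
        return len(payload)


def demo() -> dict:
    """Show both weaknesses and that the hardened manager rejects them."""
    # Two weak gateways with the same (constructed) seed hand out identical ids;
    # seed 0 stands in for any guessable seed such as boot time.
    a, b = WeakChannelManager(seed=0), WeakChannelManager(seed=0)
    predictable = a.open("hmi") == b.open("hmi")

    h = HardenedChannelManager()
    cid = h.open("hmi")
    try:
        h.close(cid, "other_client")      # a different client must be refused
        rejected = False
    except ChannelError:
        rejected = True
    accepted = h.send(cid, "hmi", b"\x01\x02")   # the owner is still served
    h.close(cid, "hmi")
    return {"weak_ids_predictable": predictable,
            "hardened_rejects_foreign_close": rejected,
            "owner_send_bytes": accepted,
            "hardened_channels_left": len(h.channels)}


if __name__ == "__main__":
    print(demo())
```

Run as a script, demo() reports that the two seeded managers produced the same first id, that the hardened manager refused a close from a non-owner, accepted two bytes from the owner, and was left with no open channels. The design point is that the two fixes go together: an unguessable id stops enumeration, but only the per-operation ownership check stops a client that has legitimately observed an id (for example on a shared network segment) from acting on someone else's session.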

Friday, April 19, 2019

S 715 Introduced – Smart Manufacturing


Last month Sen. Shaheen (D,NH) introduced S 715, the Smart Manufacturing Leadership Act. The bill would require the Secretary of Energy to develop a smart manufacturing plan and to provide assistance to small- and medium-sized manufacturers in implementing smart manufacturing programs. The bill is almost identical to S 768 that Shaheen introduced in the 115th Congress; no action was taken on that bill.

Differences in the Bills


There are two differences between these two versions of the bill; one minor and one significant. The minor change is found in §7(g); the dates have been changed for the authorization of funding. It now reads: “$10,000,000 for each of fiscal years 2020 through 2023”; this is an expected change.

The significant change addresses my one major complaint about the previous version of this bill; it did not address cybersecurity issues. Two new subparagraphs were added to §4(b)(2) addressing the requirements for what items must be included in the Secretary’s plan. The new subparagraphs are:

(C) the use of smart manufacturing to improve energy efficiency and reduce emissions in supply chains across multiple companies;
(D) actions to increase cybersecurity in smart manufacturing infrastructure;

Moving Forward


While Shaheen is still not a member of the Senate Energy and Natural Resources Committee to which this bill was assigned for consideration, one of her cosponsors {Sen. Alexander (R,TN)} is an influential member of that Committee. This greatly increases the possibility that the Committee will consider this bill during the session.

Since no regulatory authority is actually provided by the bill, the main sticking point for its adoption (either in Committee or on the floor of the Senate) is the inclusion of $10 million in appropriations for the grant program outlined in the bill. This is not a large amount of money in federal spending terms, but it is money that will have to come from somewhere; probably from other programs in the DOE budget.

Commentary


The cybersecurity provision added to this bill is even more generic than the one I proposed in my posting on S 768. There are certain advantages in Congress employing vague, generic language in legislation; it allows regulatory agencies more leeway in adopting (and, even more importantly, later modifying) actual regulatory or guidance language. While the process required to actually make such modifications is lengthy and time consuming, it would be much longer if the agency had to rely on changes in congressional language to start the change process.

This time issue has been one of the problems cited whenever there is discussion about cybersecurity language or regulation. The cybersecurity risk landscape changes so quickly that special care needs to be taken to ensure that outdated security measures are not locked into the regulatory process. Shaheen’s staff appears to have realized that problem and looks to have done their part to ensure that Congress is not the source of that kind of problem in this bill.

Thursday, April 18, 2019

OMB Approves two Automated Driving Rules


Earlier this week the OMB’s Office of Information and Regulatory Affairs (OIRA) approved two advanced notices of proposed rulemaking (ANPRMs) from DOT agencies starting the regulatory process on two separate automated vehicle regulatory actions. The first was a rulemaking from the National Highway Transportation Safety Administration (NHTSA) on “Removing Regulatory Barriers for Automated Driving Systems”. The second was from the Federal Motor Carrier Safety Administration (FMCSA) on “Safe Integration of Automated Driving Systems-Equipped Commercial Motor Vehicles”.

Both of these rulemaking submissions were approved pretty quickly. The NHTSA ANPRM was submitted on March 14th, 2019 and the FMCSA ANPRM on March 21st, 2019. ANPRM’s are the first step in the rulemaking process and typically propose a list of questions that the agency would like answered by the regulated and affected communities before they actually propose regulatory action.

There is no telling when these ANPRMs will actually be published in the Federal Register. There is no procedural reason that it should be more than a couple of days. Both rulemakings were approved by OIRA ‘consistent with change’, so I suspect that it will probably be at least a month before these ANPRMs are published given the rulemaking history of the Trump Administration.

Wednesday, April 17, 2019

Three Advisories Published – 04-16-19


Yesterday the DHS NCCIC-ICS published two control system security advisories for products from WAGO and Delta Industrial Automation, and one for PLC products from multiple vendors.

PLC Advisory


This advisory describes an uncontrolled resource consumption vulnerability in specific PLC products from ABB, Phoenix Contact, Schneider Electric, Siemens, and WAGO. The vulnerability was reported by Matthias Niedermaier (Hochschule Augsburg), Jan-Ole Malchow (Freie Universität Berlin), and Florian Fischer (Hochschule Augsburg). The responses range from a firmware update from Schneider, to ‘it’s not really a vulnerability but here are generic workarounds’, to ‘it’s not a vulnerability’ from Siemens. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fixes.

NCCIC-ICS reports that a relatively low-skilled attacker could use a publicly available exploit to remotely influence configured cycle times.

NOTE: The Schneider advisory referenced in this advisory was released in February and listed a 2018 CVE number for the reported vulnerability. Neither CVE number is currently available.

WAGO Advisory


This advisory describes a hard-coded credential vulnerability in the WAGO Series 750-88x and 750-87x PLCs. The vulnerability was reported by Jörn Schneeweisz of Recurity Labs. WAGO has new firmware that mitigates the vulnerability. There is no indication that Schneeweisz has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to change the settings or alter the programming of the device.

NOTE: I briefly mentioned this vulnerability last Saturday.

Delta Advisory


This advisory describes three vulnerabilities in the Delta Industrial Automation CNCSoft screen editor software. The vulnerabilities were reported by Natnael Samson and an anonymous researcher via the Zero Day Initiative. Delta has an updated version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

Stack-based buffer overflow - CVE-2019-10947;
Heap-based buffer overflow - CVE-2019-10951; and
Out-of-bounds read - CVE-2019-10949

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to cause buffer overflow conditions that may allow information disclosure, remote code execution, or crash the application.

Saturday, April 13, 2019

Public ICS Disclosures – Week of 04-06-19


This week we have four vendor disclosures from WAGO, Bosch (2), and Schneider; and two vendor updates from Siemens.

WAGO Advisory


CERT-VDE published an advisory describing a use of hardcoded credentials vulnerability in the WAGO Series 750-88x and 750-87x devices. The vulnerability was reported by Jörn Schneeweisz of Recurity Labs. WAGO has firmware updates available that mitigate the vulnerability. There is no indication that Schneeweisz has been provided an opportunity to verify the efficacy of the fix.

NOTE: I suspect that NCCIC-ICS will publish an advisory on this vulnerability next week.

Bosch Advisories


Bosch published an advisory describing a buffer overflow vulnerability in the Bosch Security Systems Software for Video, PSIM and Access. This vulnerability is apparently self-reported. Bosch has software updates that mitigate the vulnerability.

Bosch published an advisory describing an improper access control vulnerability in the Bosch Security Systems Software for Video, PSIM and Access Control Systems. This vulnerability is apparently self-reported. Bosch has software updates that mitigate the vulnerability.

Schneider Advisory


Schneider published an advisory describing an externally controlled reference to a resource vulnerability in the Schneider Modbus Serial Driver. The vulnerability was reported by Reid Wightman of Dragos. Schneider has an updated driver that mitigates the vulnerability. There is no indication that Reid has been provided an opportunity to verify the efficacy of the fix.

Siemens Updates


Siemens updated an advisory for Spectre-NG (Variants 3a and 4) Vulnerabilities in Industrial Products. Siemens added a solution for SIMATIC HMI Panels V14.

NOTE: NCCIC-ICS will not update their advisory for this vulnerability since the link to the Siemens advisory will take one to the current version.

Siemens updated an advisory for Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP. Siemens added CVE-2019-6293 to the list of vulnerabilities covered by this advisory.

NOTE: NCCIC-ICS has not published an advisory or alert on this family of Linux vulnerabilities.

Friday, April 12, 2019

Bills Introduced – 04-11-19


Yesterday, with just the Senate in Washington (the House has already departed on their Easter Recess), there were 94 bills introduced. Only one of those bills will receive future coverage in this blog:

S 1215 A bill to authorize appropriations for fiscal year 2020 for military activities of the Department of Defense and for military construction, to prescribe military personnel strengths for such fiscal year, and for other purposes. Sen. Inhofe, James M. [R-OK] 

ISCD Updates 4 FAQs – 4-10-19


Earlier this week the DHS Infrastructure Security Compliance Division (ISCD) updated the response to four frequently asked questions (FAQ) on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. The four updated FAQs are:



No substantive changes were made in any of these FAQ response updates. It appears that ISCD is just updating the links to further information provided in these responses. I suspect that this is a CISA organizational change. If that is the case, we will be seeing more of these changes in the future.

Monday, April 1, 2019

Committee Hearings – Week of 03-31-19


This week, with both the House and Senate in session, we continue to see a number of budget hearings. There is also a pipeline safety hearing.

Budget Hearings

• House Homeland Security Subcommittee – TSA
• House Intelligence Committee – Intel Community (closed)
• House Energy and Water Development Subcommittee – Science, Energy and Environment
• Senate Energy and Natural Resources Committee – DOE

Pipeline Safety


On Tuesday the Railroads, Pipelines, and Hazardous Materials Subcommittee of the House Transportation and Infrastructure Committee will hold a hearing on “Pipeline Safety: Reviewing the Status of Mandates and Examining Additional Safety Needs”. The witness list includes:

• Howard "Skip" R. Elliott, PHMSA;
• Jennifer L. Homendy, NTSB;
• Carl Weimer, Pipeline Safety Trust;
• Andrew J. Black, Association of Oil Pipe Lines;
• Dan Eggleston, International Association of Fire Chiefs;
• Richard B. Kuprewicz, Accufacts Inc.;
• Robin Rorick, API; and
• Elgie Holstein, Environmental Defense Fund

There is an outside chance that there will be a few questions related to pipeline cybersecurity.

On the Floor of the House


As I reported on Saturday the House will take up HR 1589, the CBRN Intelligence and Information Sharing Act of 2019. The bill will be considered under the House suspension of the rules process. This requires a super-majority to pass with minimal debate and no floor amendments. The bill is expected to receive substantial bipartisan support.
