Friday, May 31, 2019

HR 2960 Reported in House – FY 2020 EW Spending


Last week Rep. Kaptur (D,OH) introduced HR 2960, the Energy and Water Development and Related Agencies Appropriations Act, 2020, and the House Appropriations Committee published their report on the bill. There is no specific cybersecurity language in the bill, but the report includes some interesting information in the section on Cybersecurity, Energy Security, and Emergency Response (pgs 96-7).

CESER


This is the second year that this program has been included in the spending bill. The bill provides $150 million in 2020 spending, up $20 million from FY 2019 but $6.5 million less than the President requested.

The Report recommends that CESER spend $5 million on the DarkNet project. This was not mentioned in last year’s House bill (HR 5895), but it is a significant reduction from the $10 million spending recommendation in last year’s Senate bill (S 2975). The DarkNet project is a DOE project dating back to at least 2017 that would (ORNL, pg 3):

“Define the requirements for a secure energy delivery control system network that is independent of the public internet, and uses existing but currently unused optical fiber, so called “dark fiber”.”

Finally, for cybersecurity, the Committee recommends (pg 96):

“The Committee encourages the Department to continue its focus on the development of private-sector partnerships to secure industrial control systems across multiple critical infrastructure entities without duplicating existing private sector capabilities. The Committee encourages continued investment in collaborative threat detection and intelligence partnerships that makes industrial control systems threat analytics and data accessible to the greater industrial control systems community. [emphasis added] The Committee also encourages the Department to collaborate with other federal agencies on these efforts to ensure they are further contributing to the overall success of the federal critical infrastructure security mission.”

Moving Forward


It is still too early to see how effective the new Democratic leadership in the House will be at moving these FY 2020 spending bills to the floor for action. I suspect that the House will take up these bills in June and pass them, perhaps with some bipartisan support. How open the floor amendment process will be remains to be seen, but I do expect to see a large number of amendments considered.

The big question remains how well the Senate will deal with their versions of the spending bills. If the Senate can pass bills this year, the question will then come down to how well the conference system can work to effect compromise bills that can then pass in both the House and Senate. I am afraid that we will again see brinksmanship as the order of business at the end of the year with a continuing resolution style omnibus bill being the end game.

HR 2721 Introduced – Cybersecurity Apprenticeships


Earlier this month Rep. Lee (D,NV) introduced HR 2721, the Cyber Ready Workforce Act. The bill would require the Department of Labor to establish a grant program “to support the establishment, implementation, and expansion of registered apprenticeship programs in cybersecurity” {§4(a)}.

Apprenticeship Programs


The program to be established would {§4(b)}:

Lead to industry-recognized certification in cybersecurity;
Encourage stackable and portable credentials; and
Lead to occupations such as computer support specialists, cybersecurity support technicians, cloud computing architects, computer programmers, computer systems analysts, or security specialists.

The bill provides a list of potential certificates that would include {§4(b)(1)}:

CompTIA Network+;
CompTIA A+;
CompTIA Security+;
Microsoft Windows 10 Technician;
Microsoft Certified System Administrator;
Certified Network Defender;
Certified Ethical Hacker;
ISACA Cybersecurity Nexus (CSX);
(ISC)2’s Certified Information Systems Security Professional (CISSP); or
Other industry-recognized certification in cybersecurity

The bill would authorize “such sums as may be necessary to carry out this Act” {§6}.

Moving Forward


Lee and one of her three cosponsors {Rep. Stefanik (R,NY)} are members of the House Education and Labor Committee, to which this bill was assigned for consideration. This means that there should be enough influence to see this bill considered in Committee.

There is nothing in this bill that would engender any significant opposition. The vague ‘such funds as may be necessary’ authorization included in the bill may be weasel-worded enough to prevent spending issues from clouding the consideration of the bill. If the bill receives substantial bipartisan support in Committee, this bill would likely move to the floor of the House under the suspension of the rules process.

Commentary


The list of ‘cybersecurity certifications’ in the bill is rather interesting. Most of the certs listed are not directly cybersecurity related, though they could be useful to cybersecurity professionals. What is disappointing is that there is not a single certification listed that specifically addresses control system security (or design). I would have liked to have seen something like the Global Industrial Cyber Security Professional (GICSP) program listed. Control system security programs could be included in the catch-all ‘other industry recognized certification’, but the lack of mention of even one such program again shows how little knowledge congresscritters (and their staffs) have about control system security issues.

Thursday, May 30, 2019

One Advisory Published – 05-30-19


Today the DHS NCCIC-ICS published a control system security advisory for products from AVEVA. The advisory describes an insufficiently protected credentials vulnerability in the AVEVA Vijeo Citect and CitectSCADA software. The vulnerability was reported by VAPT Team, C3i Center, and IIT Kanpur. AVEVA is recommending upgrading to a newer product: CitectSCADA 2018. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could exploit the vulnerability to allow a locally authenticated user to obtain Citect user credentials.


S 1589 Reported in the Senate – FY 2018, 2019, and 2020 Intel Authorization


Last week Sen. Burr (R,NC) introduced (and the Senate Intelligence Committee reported – without a written report) S 1589, the Damon Paul Nelson and Matthew Young Pollard Intelligence Authorization Act for Fiscal Years 2018, 2019, and 2020. This bill is essentially S 245 (introduced earlier this year) as division B with a relatively short Division A tacked onto the front for FY 2020.

Moving Forward


Okay, I have no clue. The Senate has not taken up an intelligence authorization bill since Trump came into office. This bill has been one of the annual ‘must pass’ bills for as long as I remember, but that is apparently no longer true.

Commentary


There is nothing in the new Division A language that I would care to take time to comment upon. See my comments on S 245 for the cybersecurity provisions in Division B.

Wednesday, May 29, 2019

HR 2644 Introduced – Internet Connected Device Industry


Earlier this month Rep. Latta (R,OH) introduced HR 2644, the State of Modern Application, Research, and Trends of (SMART) IoT Act. The bill would require the Commerce Department to conduct a study of the internet-connected devices industry. The bill is similar in purpose to HR 6032 from the 115th Congress. The earlier bill passed in the House, but no action was taken in the Senate.

Differences


This bill is a re-write of the version passed in the House in the last session. The description of the study in §2(a) was completely re-written. The new description focuses the study on activities of the Federal government that support/regulate the internet connected device industry. All references to industry standards in the earlier bill have been removed. The only remaining non-governmental reference in the study description is a stripped down reference to ‘public-private partnerships’. Additionally, the new language removes the requirement to “identify all regulations, guidelines, mandatory standards, voluntary standards, and other policies implemented by each of the Federal agencies” found in §2(a)(6) in the original bill.

Moving Forward


Latta is a subcommittee Chair in the House Energy and Commerce Committee, the committee to which this bill was assigned for consideration, so he likely has enough influence to see this bill considered in Committee in this session. As with HR 6032, there is nothing in the bill that would draw any serious opposition, and the new bill is likely to receive the same bipartisan support that the earlier version received in the 115th Congress.

Commentary


I still have the same objections to this bill as I did to the earlier version. Most certainly the continued use of the extremely vague and overly inclusive definition of ‘internet connected device’ is going to make any report on the topic next to useless.

Tuesday, May 28, 2019

One Advisory Published – 05-28-19


Today the DHS NCCIC-ICS published a control system advisory for products from Emerson. The advisory describes two vulnerabilities in the Emerson Ovation OCR400 Controller. The vulnerabilities were reported by VDLab. Emerson has provided detailed mitigation measures. There is no indication that VDLab has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

Stack-based buffer overflow - CVE-2019-10967; and
Heap-based buffer overflow - CVE-2019-10965

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow privilege escalation or remote code execution, or to halt the controller.

NOTE: The advisory notes that the vulnerabilities are “in the embedded third-party FTP server”. Failure to name the third-party vendor means it will be difficult for other vendors to know if the same vulnerability might exist in any of their products using a ‘third-party FTP server’.


NHTSA Publishes Automated Driving Systems ANPRM


Today the DOT’s National Highway Traffic Safety Administration (NHTSA) published an advance notice of proposed rulemaking (ANPRM) in the Federal Register (84 FR 24433-24449) concerning possible changes to the Federal Motor Vehicle Safety Standards (FMVSS) that would be necessary to support the introduction of automated driving systems (ADS-DV). This rulemaking would specifically address changes to the 100-series (crash avoidance) FMVSS.

Barriers in FMVSS


The current rulemaking will seek to address barriers in the current crash avoidance FMVSS that would impede the introduction of ADS-DV designed without traditional manual controls. NHTSA has identified three categories of such impedances:

The standard requires a manual control.
The standard specifies how the agency will use manual controls in the regulatory description of how it will test.
The definition or use of terms (e.g., “driver”) in the FMVSS that assume human control of vehicles.

The first two categories are addressed in this rulemaking. The last will be common to other sections of the FMVSS (which will be covered in separate rulemakings), so NHTSA is considering a completely separate rulemaking for the definitions problem.

Manual Control


After a brief discussion of one of the potential barriers in the FMVSS to ADS-DV introduction, NHTSA proposes four possible solutions to the manual control issue:

First, if the required control is necessary for motor vehicle safety on all vehicles, NHTSA would retain the requirement for all vehicles, even if that requires potentially redundant technologies for certain ADS-DVs without traditional manual controls.
Second, if the required control is no longer necessary for motor vehicle safety for any vehicle, NHTSA could remove or otherwise modify the requirement, if permitted to by law.
Third, if the required control is still necessary for motor vehicle safety for traditional vehicles, but not necessary for the safety of ADS-DVs without traditional manual controls, NHTSA could retain the requirement only for traditional vehicles and, if permitted by law, exclude ADS-DVs without manual controls.
Fourth, if the required control is necessary for motor vehicle safety, but a different control (i.e., a non-human-actuated control) would be necessary for an ADS-DV to perform the same function, NHTSA may retain the existing requirement for traditional vehicles, but have a separate, different control or equipment requirement for ADS-DVs without traditional manual controls.

Testing


Currently, the FMVSS “outline performance requirements that must be met under certain test procedures and NHTSA will conduct compliance verification tests in accordance with these procedures”. Where the existing language requires the use of manual controls that may not exist in ADS-DV these requirements would impede the introduction of ADS-DV. Removing these impedances will almost certainly require the development of new testing methods.

NHTSA has identified the following potential approaches to this testing dilemma:

Normal ADS-DV operation;
Test Mode with Pre-Programmed Execution (TMPE);
Test Mode with External Control (TMEC);
Simulation;
Technical Documentation for System Design and/or Performance Approach; and
Use of Surrogate Vehicle with Human Controls

Questions


The ANPRM provides a table that lists the current crash prevention FMVSS provisions that may impede the introduction of ADS-DV. NHTSA is requesting comments on the general approaches to the manual control and testing problems identified above. It also proposes a series of questions (here, here, here, here, here, here, and here) that it would like commenters to address.

The list of questions includes only two that address (even broadly) cybersecurity issues. They are:

22. How could vehicle-based electronically accessible libraries for conducting FMVSS testing be developed in a way that would allow NHTSA to access the system for compliance testing but not allow unauthorized access that could present a security or safety risk to an ADS-DV?

27. Could a means of manual control be developed that would allow NHTSA to access the system for compliance testing but not allow unauthorized access that could present a security or safety risk to an ADS-DV?

Comments on this rulemaking are due by July 29th, 2019. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # NHTSA-2019-0036).

Commentary


There are a lot of interesting problems identified in this rulemaking that are going to have a profound impact on the introduction of automated driving systems. Add to the complexity the fact that NHTSA is considering at least two (probably 3) more rulemakings addressing FMVSS compliance issues, and it becomes clear that engineering for these ADS-DV systems is much further along than the regulatory scheme. Inevitably, these regulatory changes are going to cause additional problems for the engineers.

I continue to be concerned with how NHTSA is apparently glossing over the cybersecurity issue in their regulatory schema. Acknowledging that there are effectively no current cybersecurity requirements in the FMVSS, NHTSA needs to start the public comment process on how such requirements should be addressed in any modified FMVSS requirements supporting ADS-DV introduction. Since automated controls are not going to have driver backup in vehicles designed without manual controls, security systems and requirements for those automated controls are going to be even more important than in existing cyber-augmented vehicles.

I applaud NHTSA for learning the lesson from the Volkswagen diesel mileage testing fiasco and recognizing that any automated testing program needs to be protected from on-board gaming of the test. I just wish that it could be as forward thinking in identifying potential requirements in the FMVSS for general cybersecurity protections for the vehicle.

Monday, May 27, 2019

HR 2636 Introduced – Smart Technology


Earlier this month Rep. DelBene (D,WA) introduced HR 2636, the Smart Cities and Communities Act of 2019. The bill is designed to “promote smart technologies and systems to improve community livability, services, communication, safety, mobility, energy productivity, and resilience” {§2}. The bill is very similar to HR 3895 from the 115th Congress.

Differences


Most of the differences between the two bills are inconsequential, though a grammatical change in §401(c)(2) from ‘may be not used’ to ‘may not be used’ is kind of interesting.

The one significant change is the addition of a new §205 that would require DOE to establish a Smart City Voucher Pilot Program. This program would be designed “to improve the access of cities to the expertise, competencies, and infrastructure of National Laboratories for the purposes of promoting smart city technologies” {§205(b)(1)}. It would also expand the DOE’s current Technologist in Residence Program to include ‘smart cities’ efforts. Section 205 includes an annual authorization of $20 million to support the program through 2024.

Moving Forward


As with the earlier bill DelBene is not a member of any of the four committees to which this bill was assigned for consideration. Again, Rep. Lujan (D,NM), her sole cosponsor, is a member of the House Energy and Commerce Committee, but his influence on that Committee is much increased with the change in House leadership. I suspect that the bill has a much higher chance of committee consideration than did the earlier bill.

There is nothing in this bill that would drive any ideological opposition, but the spending authorizations (including the new §205 authorization), while federal chump change, still will have to come from somewhere. That will call for some additional backroom negotiations for this bill to move forward.

Commentary


The general problems that I had with the cybersecurity language in the earlier bill remain in the new language; nothing in the new section alleviates any of those concerns. In a bill like this that attempts to comprehensively address the issues of enhancing the employment of undefined ‘smart technology’, the failure to specifically address the control system cybersecurity issues associated with this new technology is more than shortsighted; it borders on legislative incompetence.

Then again, it may be deliberate. Adding significant cybersecurity language might have called for the addition of the House Homeland Security Committee to the list of committees from which the bill would require consideration. That added intra-committee conflict might be enough to kill any real consideration of this bill.

Saturday, May 25, 2019

Public ICS Disclosure – Week of 05-18-19


This week we have three vendor disclosures from Eaton, Bosch and Miele. There is also one exploit report for products from Anviz. I also found more vendor information on the Microsoft® RDP vulnerability.

Microsoft RDP Vulnerability

While the NCCIC-ICS has only released a very generic notice on the Microsoft® RDP vulnerability (CVE-2019-0708), a number of control system vendors this week have released their own outlook on the vulnerability in their products. The vendors include:

Rockwell;
Philips (update); and
Siemens Healthineers.

With the number of medical device manufacturers reporting on the RDP vulnerability and the healthcare industry’s history of problems with WannaCry you would think that the FDA would have issued at least a generic warning on the issue; but no, there is nothing on the medical device safety page.

Eaton Advisory


Eaton published an advisory reporting an undescribed vulnerability in the Eaton easySoft V6. Eaton is working on a new version to mitigate the vulnerability and offers generic workarounds in the meantime.

NOTE: This has to be the worst corporate vulnerability disclosure ever. Oh well, at least an advisory was published.

Bosch Advisory


Bosch has published an advisory describing an unauthenticated certificate access vulnerability in the Bosch Video Recording Manager (VRM) software. Bosch has firmware updates that mitigate the vulnerability.

Miele Advisory


CERT-VDE has published an advisory describing two vulnerabilities in the Miele XGW 3000 ZigBee Gateway. The vulnerabilities were reported by Maxim Rupp. Miele has a new version that mitigates the vulnerabilities. There is no indication that Maxim has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

Improper authorization; and
Cross-site request forgery

Anviz Exploit


Wizlab-IT published an exploit for security issues with the Anviz M3 RFID Access Control product. This was a coordinated disclosure and Anviz has a new version of the device that mitigates the vulnerability.

NOTE: So all of the vulnerable devices will be replaced?????

Friday, May 24, 2019

Bills Introduced – 05-23-19


Yesterday with the House and Senate preparing to leave for the long Memorial Day weekend there were 169 bills introduced. Two of those bills are likely to receive additional coverage in this blog:

HR 2960 Making appropriations for energy and water development and related agencies for the fiscal year ending September 30, 2020, and for other purposes. Rep. Kaptur, Marcy [D-OH-9]

HR 2968 Making appropriations for the Department of Defense for the fiscal year ending September 30, 2020, and for other purposes. Rep. Visclosky, Peter J. [D-IN-1]

Thursday, May 23, 2019

2019 Spring Unified Agenda – DHS


Yesterday the OMB’s Office of Information and Regulatory Affairs published the Spring 2019 Unified Agenda. There have been some changes in DHS regulatory identification numbers (RIN) since the publication of the Fall 2018 Unified Agenda due to the formation of the Cybersecurity and Infrastructure Security Agency (CISA). There have also been some changes in the status in one of the rulemakings included in the DHS portion of the Agenda.

Current Agenda


The table below shows the rulemakings that I am following in the Current Unified Agenda.

Agency | Stage | Rulemaking
OS | Final Rule Stage | Homeland Security Acquisition Regulation: Safeguarding of Controlled Unclassified Sensitive Information (HSAR Case 2015-001)
OS | Final Rule Stage | Homeland Security Acquisition Regulation: Information Technology Security Awareness Training (HSAR Case 2015-002)
USCG | Prerule Stage | Identifying Barriers to Autonomous Vessels
USCG | Final Rule Stage | 2013 Liquid Chemical Categorization Updates
USCG | Final Rule Stage | TWIC Reader Requirements; Delay of Effective Date
TSA | Proposed Rule Stage | Vetting of Certain Surface Transportation Employees
TSA | Final Rule Stage | Protection of Sensitive Security Information
TSA | Final Rule Stage | Security Training for Surface Transportation Employees
CISA | Proposed Rule Stage | Ammonium Nitrate Security Program

One item from the Fall 2018 Unified Agenda is no longer listed: Marine Transportation-Related Facility Response Plans for Hazardous Substances. The Trump Administration cancelled that rulemaking.

Long-Term Actions


The table below shows the rulemakings that I am following in the Long-Term Actions section of the Unified Agenda. There are no changes from the Fall 2018 Agenda.

Agency | Rulemaking
USCG | Amendments to Chemical Testing Requirements
TSA | Surface Transportation Vulnerability Assessments and Security Plans
CISA | Chemical Facility Anti-Terrorism Standards (CFATS)
CISA | Updates to Protected Critical Infrastructure Information (PCII) Program

Commentary


As I like to remind readers each time a new version of the Unified Agenda is published, this is an aspirational listing of potential actions that the Administration is considering taking in the next year. Do not hold your breath waiting for actions to be taken on the dates listed. They almost never happen on those dates. And the Administration is free to propose new rules that are not listed in the Agenda. A compliance requirement has been met with the publication of the Spring 2019 Unified Agenda, that is all.

PHMSA Sends Pipeline MAOP Final Rule to OMB


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received from DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) the final rule for “Pipeline Safety: Safety of Gas Transmission Pipelines, MAOP Reconfirmation, Expansion of Assessment Requirements and Other Related Amendments”. The notice of proposed rulemaking (NPRM) for this was published in April, 2016.

Bills Introduced – 05-22-19


Yesterday with both the House and Senate in session, there were 102 bills introduced. Two of those bills may see future coverage in this blog:

HR 2915 To amend the Federal Food, Drug, and Cosmetic Act to require physicians and physician's offices to be treated as covered device users required to report on certain adverse events involving medical devices, and for other purposes. Rep. Fitzpatrick, Brian K. [R-PA-1]

S 1589 An original bill to authorize appropriations for fiscal years 2018, 2019, and 2020 for intelligence and intelligence-related activities of the United States Government, the Community Management Account, and the Central Intelligence Agency Retirement and Disability System, and for other purposes. Sen. Burr, Richard [R-NC]

I will be watching HR 2915 to see if the ‘certain adverse events’ covered in the bill specifically include cyber events.

Tuesday, May 21, 2019

Two Advisories Published – 05-21-19


Today the DHS NCCIC-ICS published two control system security advisories for products from Mitsubishi Electric and Computrols.

Mitsubishi Advisory


This advisory describes an uncontrolled resource consumption vulnerability in the Mitsubishi MELSEC-Q series Ethernet module. The vulnerability was reported by Younes Dragoni and Alessandro Di Pinto of Nozomi Networks. Mitsubishi has a new firmware version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to render the device unresponsive, requiring a physical reset of the PLC (Programmable Logic Controller).

Computrols Advisory


This advisory describes nine vulnerabilities in the Computrols CBAS Web, a Web Building Management System (BMS). The vulnerabilities were reported by Gjoko Krstic of Applied Risk. Computrols has new firmware versions that mitigate the vulnerabilities. There is no indication that Krstic has been provided an opportunity to verify the efficacy of the fix.

The nine reported vulnerabilities are:

Cross-site request forgery - CVE-2019-10847;
Information exposure through discrepancy - CVE-2019-10848;
Cross-site scripting - CVE-2019-10846;
Command injection - CVE-2019-10854;
Information exposure through source code - CVE-2019-10849;
Hard-coded encryption key - CVE-2019-10851;
SQL injection - CVE-2019-10852;
Authentication bypass using alternate path or channel - CVE-2019-10853; and
Inadequate encryption strength - CVE-2019-10855

NOTE: The Applied Risk report and the Computrols advisory also include an additional vulnerability: default credentials - CVE-2019-10850.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow unauthorized actions with administrative privileges, disclosure of sensitive information, execution of code within a user’s browser, execution of unauthorized OS commands, unauthorized access to the database, execution of unauthorized SQL commands, authentication bypass, or decryption of passwords.

NOTE: I briefly discussed these vulnerabilities on Saturday.

Monday, May 20, 2019

HR 2665 Introduced – Smart Energy and Water


Earlier this month Rep. McNerney (D,CA) introduced HR 2665, the Smart Energy and Water Efficiency Act of 2019. This is a relatively minor revision of a bill earlier introduced by McNerney: HR 2019. None of the comments that I made on the earlier bill have been affected by the rewrite of this bill.

Committee Hearings – Week of 05-20-19


Both the House and Senate will be in session this week. The House Appropriations Committee continues working on FY 2020 spending bills while the Senate Armed Services Committee finishes marking up the FY 2020 National Defense Authorization Act.

FY 2020 Spending Bill Markups


Tuesday, Full Committee, Energy and Water;
Tuesday, Full Committee, DOD;
Wednesday, Full Committee, Commerce, Justice, and Science;
Wednesday, Full Committee, Interior and Environment

FY 2020 NDAA Markups (Senate)


Tuesday, Subcommittee on Cybersecurity;
Tuesday, Subcommittee on Emerging Threats and Capabilities;
Thursday, Full Committee


Saturday, May 18, 2019

Public ICS Disclosures – Week of 05-11-19


This week we have 14 vendor disclosures for products from Yokogawa, Drager, Tridium, Siemens and Schneider (10). We also have three researcher reported disclosures for products from Prima Systems, Optergy, and Computrols. Then there are five reported exploits for products from SOCA (4) and Schneider. There were also some vendor reports on the Microsoft RDP vulnerability.

Microsoft RDP Vulnerability


While the NCCIC-ICS has yet to release an alert or advisory on the Microsoft® RDP vulnerability (CVE-2019-0708), a number of control system vendors this week have released their own outlook on the vulnerability in their products. The vendors include:

BD;
Drager;
Philips;
Schneider; and
Siemens

Yokogawa Advisory


Yokogawa published an advisory describing another 3rd party vulnerability from Microsoft in a number of Yokogawa products. The remote code execution vulnerability was reported by MS in 2017. Yokogawa recommends deleting the outdated MS file.

Drager Advisory


Drager has published an advisory describing an unencrypted credential storage vulnerability in their Dräger ServiceConnect Client. The vulnerability was reported by a customer. Drager will be publishing a new version that mitigates the vulnerability and has provided specific workarounds in the meantime.

Tridium Advisory


Tridium has published an advisory describing a 3rd party vulnerability from Google (CVE-2019-5786) in the Tridium jxBrowser. Tridium has an updated version available to mitigate the vulnerability.

Siemens Advisory


Siemens published an advisory describing a code execution vulnerability in the Siemens LOGO! Soft Comfort engineering software. The vulnerability was reported by axt and iDefense Labs. Siemens has provided generic workarounds to mitigate the vulnerability.

NOTE: This was included in the Siemens tranche from Tuesday, but it was not picked up by NCCIC-ICS with the rest.

Schneider Advisories


1. Pelco Endura NET55XX Encoder

Schneider has published an advisory describing an improper access control vulnerability in the Schneider Pelco Endura NET55XX Encoder. The vulnerability was reported by Vitor Esperança. Schneider has a new version that mitigates the vulnerability. There is no indication that Esperança has been provided an opportunity to verify the efficacy of the fix.

2. Modicon and PacDrive Controllers

Schneider has published an advisory describing a missing authentication for critical function vulnerability in the Schneider Modicon and PacDrive Controllers. The vulnerability was reported by Yehuda A (Claroty). Schneider has provided specific workarounds to mitigate the vulnerability. There is no indication that Claroty has been provided an opportunity to verify the efficacy of the fix.

3. Floating License Manager

Schneider has published an advisory describing three vulnerabilities in the Schneider Floating License Manager. Schneider has a new version that mitigates the vulnerabilities.

The three reported vulnerabilities are:

Denial of service vulnerability (2) - CVE-2018-20032 and CVE-2018-20034; and
Remote code execution vulnerability - CVE-2018-20033

4. Modicon Controller

Schneider has published an advisory describing an improper check for unusual or exceptional conditions vulnerability in the Schneider Modicon Controller. The vulnerability was reported by Zhang Xiaoming, Zhang Jiawei, Sun Zhonghao and Luo bing from CNCERT/CC. Schneider has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

5. Modicon RTU Module

Schneider has published an advisory describing a hard-coded credentials vulnerability in the Schneider Modicon RTU Module. The vulnerability was reported by VAPT Team. Schneider has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

6. ConneXium Gateway

Schneider has published an advisory describing a cross-site scripting vulnerability in the Schneider ConneXium Gateway. The vulnerability was reported by Ezequiel Fernandez. Schneider recommends upgrading to a new product.

7. Modicon Quantum

Schneider has published an advisory describing a credentials management vulnerability in the Schneider Modicon Quantum. The vulnerability was reported by Chansim Deng. Schneider reports that newer versions mitigate the vulnerability. There is no indication that Chansim has been provided an opportunity to verify the efficacy of the fix.

8. Modicon Quantum

Schneider has published an advisory describing two vulnerabilities in the Schneider Modicon Quantum. The vulnerabilities were reported by Vyacheslav Moskvin and Ivan Kurnakov (Positive Technologies). Schneider recommends upgrading to a new product.

The two reported vulnerabilities are:

Permission, privileges and access control - CVE-2019-6815; and
Code injection - CVE-2019-6816.

9. Modicon Controller

Schneider has published an advisory describing a buffer errors vulnerability in the Schneider Modicon Controller. The vulnerability was reported by Nikita Maximov and Alexey Stennikov of Positive Technologies. Schneider has new firmware versions available to mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

10. Intel Microarchitectural Data Sampling

Schneider has published an advisory describing the impact of the Intel Microarchitectural Data Sampling (aka: ZombieLoad, FallOut, and RIDL) vulnerability in Schneider products.

Prima Systems Report


Prime Risk has published a report describing ten vulnerabilities in the Prima Systems FlexAir Access Control Platform. Prima Systems has a new version that reportedly mitigates the vulnerabilities.

The ten reported vulnerabilities are:

Default credentials;
Command injection;
Unrestricted file upload;
Insufficient session-ID length;
Cross-site scripting;
Cross-site request forgery;
Predictable database name download;
Authentication with MD5 hash;
Hard-coded credentials; and
Authenticated script upload code execution.

Optergy Proton Report


Applied Risk published a report describing six vulnerabilities in the Optergy Proton Enterprise Building Management System. Optergy has a new firmware version that reportedly mitigates the vulnerabilities.

The six reported vulnerabilities are:

Open redirect;
Cross-site request forgery;
Unrestricted file upload;
Information disclosure;
Hard-coded credentials and SMS messages;
Back-door console.

Computrols Report


Applied Risk published a report describing ten vulnerabilities in the Computrols CBAS-Web Building Management System. Computrols has a new firmware version that reportedly mitigates the vulnerabilities.

The ten reported vulnerabilities are:

Cross-site scripting;
Cross-site request forgery;
Username enumeration;
Source code disclosure;
Default credentials;
Hard-coded encryption key;
Authenticated blind SQL injection;
Authentication bypass;
Authenticated command injection; and
Mishandling of password hashes.

SOCA Exploits


Zero Science published exploits for four separate vulnerabilities in the SOCA Access Control System 180612. The vulnerabilities exploited are:


There is no reference to vendor notification or mitigation measures. I assume that these are zero-day exploits.

Schneider Exploit


RCE Security published an exploit for a command injection vulnerability in the Schneider U.Motion Builder. Schneider reported this vulnerability earlier this year.

2019 CSSS Registration Open


Yesterday DHS announced on the Chemical Facility Anti-Terrorism Standards (CFATS) program landing page that registration was now open for the 2019 Chemical Sector Security Summit (CSSS) in New Orleans on July 16th through 18th, 2019. As we have seen in the last few Summits, there are provisions for registering for webcasts of selected presentations.

The CSSS web page has also been updated with additional information on this year’s program. The new information includes a list of agenda topics that looks to be very interesting.

Best practices and lessons learned in chemical security
Deep dive into CFATS and other federal regulations
Convergence of cyber and physical security in the current threat environment
Cyber Supply Chain Risk Management
Explosive precursors
Industrial Control Systems Vulnerabilities
Resources from federal stakeholders
Theft and diversion risk management

The no fee registration can be completed here.

2 Advisories Published – 05-16-19


On Thursday the DHS NCCIC-ICS published two control system security advisories for products from Fuji Electric and Schneider Electric.

Fuji Advisory


This advisory describes an out-of-bounds read vulnerability in the Fuji Alpha7 PC Loader motor controller. The vulnerability was reported by kimiya of 9SG Security Team via the Zero Day Initiative. Fuji has a new version that mitigates the vulnerability. There is no indication that kimiya has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to crash the device.

Schneider Advisory


This advisory describes a use of insufficiently random values vulnerability in the Schneider Modicon M580, Modicon M340, Modicon Premium, and Modicon Quantum products. The vulnerability was reported by David Formby and Raheem Beyah of Fortiphyd Logic and Georgia Tech. Schneider has a firmware update available for one of the products and has provided generic workarounds for the others. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to hijack TCP connections or cause information leakage.

DHS IED Precursor Meetings


Yesterday I saw a brief post by David Wulf, Director of the DHS Infrastructure Security Compliance Division (ISCD), on LinkedIn. In it he announced a series of ‘stakeholder engagement meetings’ in the coming months that the Cybersecurity and Infrastructure Security Agency will be holding on ‘explosive precursors’. There is not a lot of information in the post beyond the dates and locations for the meetings (listed below).

Los Angeles, CA - May 23rd, 2019
Orlando, FL - May 30th, 2019
Houston, TX - June 4th, 2019
Indianapolis, IN - June 11th, 2019
Chicago, IL - June 13th, 2019

Unfortunately, the post on LinkedIn shows a photographic copy of the flyer about the meetings, and what I would expect to be links on the flyer are not ‘active’ in the photo. Wulf does provide an email address for those wishing more information: CFATS@hq.dhs.gov.

Background


This is part of the continuing saga of the Congressional mandate for DHS to regulate the commercial sale of ammonium nitrate. ISCD published an advance notice of proposed rulemaking (ANPRM) in 2008. Subsequently, ISCD published a notice of proposed rulemaking (NPRM) in 2011.

The big problem with the proposed ammonium nitrate security regulations is that they were going to involve a large number of people and would be very costly. DHS estimated that the ten-year cost for the program would be between “$364.2 million to $1.3 billion with a primary (mean) estimate of $814 million”. This has to be balanced against the cost of a Murrah Building attack, estimated by DHS to be $1.35 billion. This would mean that the regulation cost would break even if the regulations prevented one Murrah scale attack every 14 years. Since there has not been such an attack in the 24 years since the Murrah attack, the cost of the program is not outweighed by the attack prevention. This calls into question whether or not ammonium nitrate regulation is cost effective, especially since ammonium nitrate no longer seems to be a favored precursor for terrorist explosive devices.

In 2016, in consultation with Congress, ISCD decided to look at the issue of regulating a wider range of chemicals as explosive precursors that could be expected to be used in preparing terrorist explosive devices. In August of 2016 DHS commissioned a study by the National Academies of Sciences, Engineering, and Medicine on the subject that would lead to a report being published in November of 2016; “Reducing the Threat of Improvised Explosive Device Attacks by Restricting Access to Chemical Explosive Precursors”.

This meeting announcement would seem to indicate that ISCD is considering moving forward with a new rulemaking process. It is not currently clear whether or not the new process would be included in the current Chemical Facility Anti-Terrorism Standards (CFATS) program or if it would be a new standalone program also being operated out of ISCD. If this program is targeted at manufacturers and wholesale distribution, I suspect that it would be included in the CFATS program. If it is focused at the retail level, it would be harder to fit it into the existing chemical security program.

The Meetings


David notes the reason for the meetings: “As we work with Congress to enhance the security of IED precursor chemicals, we want to hear from you!” What is important, however, is that these are being billed as ‘stakeholder engagement meetings’ rather than ‘public listening sessions’. Remembering back to the Obama era Chemical Safety and Security EO, those listening sessions were designed to provide a wide range of public input into those EO processes. This is apparently something different, however.

The stakeholders in this process would appear to be those portions of the chemical industry that are involved in the manufacture, distribution and potentially the commercial sale of chemicals that have been identified as key precursors to the manufacture of improvised explosives. There is a remote possibility that it could also include the transportation of those chemicals, but I suspect that it would take congressional action to include that sector.

Possibilities


This is very early in the potential rulemaking process; we have not yet even seen an advance notice of proposed rulemaking. At this point I do not think that ISCD has a firm grip on what they want to do. The ammonium nitrate security program is effectively dead, but what could we be looking at down the road? ISCD is tight lipped on this, so I am speculating here, but I see a variety of options available.

First, ISCD could seek changes to the DHS chemicals of interest (COI) list addressing the list of precursor chemicals identified in the Report (pg 28). This could include adding some new chemicals and potentially changes to the screening threshold quantities for some existing chemicals. This would certainly require a formal rulemaking and would add a substantial number of facilities to the CFATS program. This would necessitate additional funding from Congress for more chemical security inspectors.

ISCD could also modify their existing CFATS risk assessment process to increase the risk assumptions associated with existing COI that are included in the Report’s list of precursor chemicals. This could almost certainly be done without a rulemaking. We would see a process similar to that used when ISCD implemented CSAT 2.0. A modification of the current CSAT information collection request would be necessary and that would provide industry (and the public) with a chance to comment on the proposed changes. Again, this would result in more facilities in the CFATS program and the need for more money.

If the decision is made to keep the precursor chemical security program within CFATS, I would really expect to see it include a combination of these two processes. I might expect to see some additional changes, including a requirement for covered facilities to provide ISCD with a list of customers to which precursor COI are shipped.

The most comprehensive solution would be to stand up an entirely new program within ISCD. If this route is taken, I suspect it would include some sort of voluntary program for commercial retailers and large-scale users of these precursor chemicals. The thing that effectively killed the ammonium nitrate security program was the costs associated with setting up and administering a registration program for retailers and users of ammonium nitrate. These costs would quickly escalate if a similar registration program were instituted for all of the listed chemicals.

Moving Forward


As I said earlier, this is very early in the regulatory process, but stakeholders need to get involved early in the process if they want to effectively impact how the new procedures are implemented.
