Tuesday, July 30, 2019

2 Advisories and 1 Alert Published – 07-30-19


Today the DHS NCCIC-ICS published a control system security alert for CAN bus network implementation in avionics and two control system security advisories for products from Prima Systems and Wind River.

CAN Bus Alert


This alert briefly describes a public report about insecure implementation of CAN bus networks affecting aircraft. The report was published by Patrick Kiley of Rapid7.

Prima Systems Advisory


This advisory describes nine vulnerabilities in the Prima Systems FlexAir access control platform. The vulnerabilities were reported by Gjoko Krstic of Applied Risk. Prima Systems has a new version that mitigates the vulnerabilities. There is no indication that Krstic has been provided an opportunity to verify the efficacy of the fix.

The nine reported vulnerabilities are:

OS command injection - CVE-2019-7670;
Unrestricted upload of file with dangerous type (2) - CVE-2019-7669 and CVE-2019-9189;
Cross-site request forgery - CVE-2019-7281;
Small space of random values - CVE-2019-7280;
Cross-site scripting - CVE-2019-7671;
Exposure of a backup file to an unauthorized control sphere - CVE-2019-7667;
Improper authentication - CVE-2019-7666; and
Use of hard-coded credentials - CVE-2019-7672

NOTE 1: NCCIC-ICS does not include a default credentials vulnerability, CVE-2019-7668, reported by Krstic.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to execute commands directly on the operating system, upload malicious files, perform actions with administrative privileges, execute arbitrary code in a user’s browser, discover login credentials, bypass normal authentication, and have full system access.

NOTE 2: I briefly described the Rapid7 report back in May.

Wind River Advisory


This advisory describes eleven vulnerabilities in the Wind River VxWorks operating system. The vulnerabilities were reported by Armis researchers Gregory Vishnepolsky, Dor Zusman, and Ben Seri. Wind River has patches to mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The eleven reported vulnerabilities are:

Stack-based buffer overflow - CVE-2019-12256;
Heap-based buffer overflow - CVE-2019-12257;
Integer underflow - CVE-2019-12255;
Improper restrictions of operations within the bounds of a memory buffer (2) - CVE-2019-12260 and CVE-2019-12261;
Race condition - CVE-2019-12263;
Argument injection or modification (4) - CVE-2019-12258, CVE-2019-12262, CVE-2019-12264 and CVE-2019-12265; and
Null pointer dereference - CVE-2019-12259

Since the affected operating systems are used in a large number of IoT and ICS systems, we can expect advisories from affected vendors implementing the Wind River mitigation measures. The NCCIC-ICS advisory already lists 2 vendor advisories and the Armis report adds a third. The three vendor advisories available to date include:

Rockwell,
Xerox, and

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow remote code execution.

Committee Hearings – Week of 07-28-19


With just the Senate in session (the House already having started their summer recess) the committee hearing list is pretty short this week. We do have two hearings of interest to look at. The first is a markup hearing looking at two authorization bills that were introduced last week and the second is a re-look at positive train control implementation.

Authorization Markups


On Wednesday the Senate Commerce, Science, and Transportation Committee will mark up two bills:

S 2297, Coast Guard Reauthorization Act of 2019; and
S 2299, Protecting Our Infrastructure of Pipelines Enhancing Safety (PIPES) Act of 2019

Neither bill has yet been officially published; the links above are to committee prints. A quick review of S 2297 shows that it includes a similar change to the MTSA rules found in the House version of the bill (HR 3409) requiring DHS to approve updates to security plans. HR 3409 was passed in the House last week.

PTC Hearing


On Wednesday the Senate Commerce, Science, and Transportation Committee will hold a hearing on “Next Steps for Positive Train Control Implementation”. The witness list includes:

Ronald Batory, Federal Railroad Administration;
Robert Bourg, Wabtec Corporation;
Jim Derwinski, Metra;
Susan Fleming, Government Accountability Office; and
Chris Matthews, BNSF Railway

Saturday, July 27, 2019

DHS Updates CFATS Manuals – July 2019


This week (apparently, DHS no longer provides ‘last published’ dates on their web pages) the DHS Cybersecurity and Infrastructure Security Agency (CISA) posted links to new versions of three manuals used by facilities covered under the Chemical Security Anti-Terrorism Standards (CFATS) program. The manuals are ‘dated’ June and July 2019, but there has been no notice of the new manuals provided on either the CFATS web site landing page or the CFATS Knowledge Center. The two remaining manuals for the Chemical Security Assessment Tool (CSAT) have not yet been updated.

The manuals affected are:

PSP Instructions;
CSAT User Manual; and
SVA/SSP Instructions

DHS long ago stopped putting change notices in their documents, so it is difficult to tell what changes, if any, have been made in the documents. One change is obvious in all three documents: they have been rebranded with a CISA front page, a branding that reflects more on the CISA cybersecurity mission than the chemical security mission of the CFATS program.

PSP Instructions


This manual has certainly been revised to reflect the recent implementation of the extension of the terrorist ties screening requirement to Tier III and IV facilities. You can tell this by the new ‘Note’ on page 4:

“For more information on RBPS 12(iv) and the Personnel Surety Program, see 84 FR 32768, Notice of Implementation Chemical Facility Anti-Terrorism Standards Personnel Surety Program published on July 9, 2019 or access the DHS Personnel Surety Program.”

Since there was no reference to the submitting facility’s tiering in the original manual, there was no need to make changes reflecting the expanded implementation. In a quick perusal of the two versions, I do not see any changes beyond pagination and layout changes, with one exception. The ‘addendums’ at the end of the 2018 manual have been renamed ‘Appendix A’, ‘Appendix B’ and the acronym list has been labeled ‘Appendix C’ in the new version.

CSAT User Manual


This User Manual has been substantially reformatted and ‘enhanced’. The table of contents page, for instance, now provides a link to the indicated section, and the sub-sections of the text are listed down to the X.Y.Z level whereas the previous version was limited to the X.Y level. The other major enhancement is that each graphic provides a textbox with additional details when the cursor is placed on the graphic; this will, of course, only be useful in the electronic version.

This manual is ‘dated’ June 2019, so it would presumably predate the PSP changes.

SVA/SSP Instructions


As one would expect, this manual has been updated to reflect the expansion of the PSP program. A note similar to that in the PSP manual can be found on page 97 of the new manual.

Commentary


None of the changes that I have seen are significant; they would have no impact on a facility’s implementation of the CFATS program in general or the PSP program in particular. I have not, however, done a line-by-line review of any of the documents. In any case, security managers and those interested in the CFATS program should download these new manuals, just to ensure that they have the latest version available.

Oh, it is interesting to note that while the description of the SVA/SSP manual found on the CFATS Knowledge Center describes the previous version of the manual, the link takes one to the newer version. This is unusual in that the URLs for the document are completely different from those found on the CSAT web site. The links for the other two manuals on the Knowledge Center page still go to the older manuals.

Friday, July 26, 2019

Bills Introduced – 07-26-19


Yesterday with both the House and Senate in session, and the House preparing to leave for their summer recess, 176 bills were introduced. As is typical with bill introductions before a long recess, the vast majority of these bills were introduced to show that the congresscritters were concerned about a controversial topic, but with no intention of further working the legislative process. There were two bills introduced yesterday that will receive additional coverage on this blog:

S 2297 A bill to authorize appropriations for the Coast Guard, and for other purposes. Sen. Sullivan, Dan [R-AK] 

S 2299 A bill to amend title 49, United States Code, to enhance the safety and reliability of pipeline transportation, and for other purposes. Sen. Fischer, Deb [R-NE] 

The House version of the Coast Guard authorization bill, HR 3409, passed earlier this week by a voice vote in the House.

S 2299 is probably the Senate version of the PHMSA pipeline safety program reauthorization.

Thursday, July 25, 2019

Bills Introduced – 07-24-19


Yesterday with the House and Senate in session there were 55 bills introduced. One of those bills will receive future attention in this blog:

HR 3931 Making appropriations for the Department of Homeland Security for the fiscal year ending September 30, 2020, and for other purposes. Rep. Roybal-Allard, Lucille [D-CA-40]


The budget deal reached this weekend apparently allowed this bill to move forward. It will not be considered before the summer recess at the end of the week.

Wednesday, July 24, 2019

TSA Sends Security Training Final Rule to OMB


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a final rule for review from the Transportation Security Administration (TSA) concerning security training for surface transportation personnel. The Notice of Proposed Rulemaking was published in December 2016. I did a series of blog posts on that NPRM.

The Obama Administration was careful to be as non-prescriptive as possible in the NPRM except where there were specific requirements in the statutory language. It will be interesting to see what changes have been made by the Trump Administration.

Bills Introduced – 07-23-19


Yesterday with both the House and Senate in session there were 102 bills introduced. Two of those bills may see future coverage in this blog:

HR 3907 To amend the Homeland Security Act of 2002 to establish the Insider Threat Program, and for other purposes. Rep. King, Peter T. [R-NY-2] 

S 2234 A bill to establish a consortia of universities to advise the Secretary of Defense on cybersecurity matters, and for other purposes. Sen. Rounds, Mike [R-SD] 

I will be watching HR 3907 for any requirements for establishing an insider threat program outside of government agencies.

As with the similar-sounding bill in the House (HR 3840), I will be watching this bill for any language specifically mentioning control system security.

2 Advisories and 1 Update Published – 07-23-19


Yesterday the DHS NCCIC-ICS published two control system security advisories for products from National Renewable Energy Laboratory (NREL) and Mitsubishi Electric. They also updated a previously published medical device advisory from GE Healthcare.

NREL Advisory


This advisory describes a stack-based buffer overflow vulnerability in the NREL EnergyPlus Energy simulation program. The vulnerability was reported by Karn Ganeshen. NREL has an update available that mitigates the vulnerability. There is no indication that Ganeshen has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to execute arbitrary code or cause a denial-of-service condition.

NOTE: There is nothing on the DOE’s EnergyPlus web site about this vulnerability, nor do I see any POC for reporting cybersecurity concerns. DOE, really?

Mitsubishi Advisory


This advisory describes two vulnerabilities in the Mitsubishi Electric FR Configurator. The vulnerabilities were reported by Applied Risk. Mitsubishi has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

Improper restriction of an XML external entity reference - CVE-2019-10976; and
Uncontrolled resource consumption - CVE-2019-10972

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to enable arbitrary files to be read or cause a denial-of-service condition.

GE Update


This update provides additional information on an advisory that was originally reported on July 9th, 2019. The new information is the addition of more covered products.

NOTE: I briefly reported on GE’s update last Saturday.

Monday, July 22, 2019

HR 3409 Introduced – FY 2020 CG Authorization


Last month, Rep. DeFazio (D,OR) introduced HR 3409, the Coast Guard Authorization Act of 2019. The bill contains one cybersecurity provision and one emergency response provision. The bill is currently scheduled to be considered in the House this week.

Cybersecurity


Section 414 of the bill would require the CG to expand its current Insider Threat Program to include monitoring of “all Coast Guard devices, including mobile devices”. No definition of the terms ‘devices’ or ‘monitoring’ is provided.

Emergency Response


Section 309 of the bill would modify two separate sections of 46 USC:

§70107, security plan implementation grants; and
§70132, Credentialing standards, training, and certification for State and local support for the enforcement of security zones for the transportation of especially hazardous cargo

In both sections the term ‘emergency response providers’ would be substituted for the existing term ‘law enforcement personnel’ or ‘law enforcement agency personnel’ where they are used in those sections. The definition of ‘emergency response providers’ is taken from 6 USC 101(6) and still includes ‘law enforcement’ personnel.

Moving Forward


DeFazio is the Chair of the House Transportation and Infrastructure Committee to which this bill was assigned for consideration. That Committee has already amended and adopted the bill in a hearing last month, though the record of which amendments were adopted and the final committee action on the bill is missing from the Committee’s hearing page.

One of the amendments that was to have been considered (and apparently was, see below) was offered by Rep. Garamendi (D,CA) and concerned the application process for the Transportation Workers Identification Credential (TWIC). It would require the CG to establish a pilot program where personnel applying for a merchant mariner credential could jointly apply for a TWIC.

The Committee Report has not yet been published, nor has the amended version of the bill. I suspect that we will see both later today as this bill is supposed to be considered tomorrow under the suspension of the rules process. That would limit debate and require a supermajority for passage. The fact that the leadership is scheduling the bill under this process generally means that they expect the bill to receive substantial bipartisan support.

It is a tad bit unusual for the bill to be considered without the official publication of the reported version of the bill, but the House is trying to get a lot of ‘routine’ measures taken care of before they adjourn for their summer recess at the end of the week. The Majority Leader has provided a link to a revised version of the bill on the current Weekly Leader page; presumably this is the version being reported by the Committee, though it looks like there are additional changes. That may be misleading because of the incompleteness of the Committee’s markup hearing page.

Revised Bill


The two original provisions discussed above remain in the revised bill, as does the Garamendi amendment (now §429). Two of the newly added provisions need to be addressed here: one is an additional cybersecurity provision and the other is a change to the Maritime Transportation Security Act (MTSA) program.

The cybersecurity provision in §422 would establish “a rotational research, development, and training program” {new §846(1)} within DHS that would allow Coast Guard Academy graduates and faculty to be detailed to the Cybersecurity and Infrastructure Security Agency (CISA) and allow cybersecurity personnel from DHS to be detailed to the CG Academy.

The MTSA provision is found in a relatively short §317. It would amend 46 USC 70103(b)(3), Maritime Transportation Security Plans. It would require the Secretary to review and approve updates to Area Maritime Transportation Security Plans where the current section only requires review and approval of the original plan. A similar requirement is also put into place for extending the current review and approval of Vessel and Facility Security Plans requirements under §70103(c)(4) to include the updates for those plans.

Saturday, July 20, 2019

Public ICS Disclosures – Week of 07-13-19


This week we have one vendor disclosure from ABB, two updates of previously published advisories from GE Healthcare and BD, and two researcher exploits for products from FANUC Robotics.

ABB Advisory


ABB has published an advisory describing an authentication bypass vulnerability in the ABB CCLAS and Ellipse applications. The vulnerability is self-reported. ABB has new versions that mitigate the vulnerability.

GE Healthcare Update


GE Healthcare has updated an advisory that was originally published on July 9th, 2019. The new information expands the list of affected products.

BD Update


BD has updated an advisory that was originally published on November 1st, 2016 (this has not been reported by NCCIC-ICS). BD notes:

“As a result, BD has issued this updated security bulletin to remind customers, hospital biomedical engineering, and rental companies that Service Bulletin 597 must be followed to remove residual data on the PCU prior to re-deployment or during decommissioning. BD has carefully reviewed the misdirected data, and determined that it is de-identified based on a statistical expert opinion, and therefore, not protected health information. In addition, BD conducted a risk assessment using the HIPAA 4-factor test and concluded there was a low probability of compromise of such data.”

FANUC Robotics Exploits


Sebastian Hamann has published exploits for two vulnerabilities in the FANUC Robotics Virtual Robot Controller. Hamann has not received any response from FANUC concerning these vulnerabilities.

The two reported vulnerabilities (links provided to Hamann’s exploit reports) are:

Stack-based buffer overflow - CVE-2019-13585; and
Path traversal - CVE-2019-13584

Friday, July 19, 2019

Bills Introduced – 07-18-19


Yesterday with both the House and Senate in session, there were 81 bills introduced. Two of those bills may see additional coverage in this blog:

HR 3840 To establish a consortia of universities to advise the Secretary of Defense on cybersecurity matters, and for other purposes. Rep. Johnson, Dusty [R-SD-At Large] 

S 2181 A bill to require the disclosure of information relating to cyberattacks on aircraft systems and maintenance and ground support systems for aircraft, to identify and address cybersecurity vulnerabilities to the United States commercial aviation system, and for other purposes. Sen. Markey, Edward J. [D-MA] 

I will be watching HR 3840 for language specifically addressing control system security issues.

House Amends and Adopts HR 3494 – FY 2020 Intel Authorization


On Wednesday the House completed the amendment process and passed HR 3494, the FY 2020 Intelligence Authorization, by a bipartisan vote of 397 to 31. The Ruppersberger amendment that would establish an energy grid cybersecurity pilot program was adopted on Tuesday by a voice vote. For a more detailed discussion of that amendment see my blog posts on HR 680 and S 79 (from the 115th Congress).

What will be interesting now is figuring out how this bill will move forward. The House passed this as a stand-alone bill, but the Senate passed their version (without debate) as two divisions (Division F – 2020 authorization and Division G – 2018 and 2019 authorization) within the Senate’s version of the National Defense Authorization Act, S 1790. Neither the House nor the Senate has ‘taken action’ on the other’s version of the NDAA, the process that would start the conference committee action on one of the two bills (S 1790 or HR 2500).

What would probably be easiest (for some version of easy) would be for the House to take up S 1790 and amend it to include the language from both HR 2500 and HR 3494. That would be passed with a party-line vote similar to that received on HR 2500. The Senate would then insist on its language and call for the conference committee to be formed. The resulting compromise bill would probably come back to Congress after the summer recess.

1 Advisory Published – 07-18-19


Yesterday the DHS NCCIC-ICS published a control system security advisory for products from Johnson Controls.

The advisory describes an unquoted search path or element vulnerability in the Johnson Controls exacqVision Server. The vulnerability was reported by Gjoko Krstic of Applied Risk. Johnson Controls has a new version that mitigates the vulnerability. There are no indications that Krstic has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit this vulnerability to allow an unauthenticated user to elevate their privileges.

Wednesday, July 17, 2019

Bills Introduced – 07-16-19


With both the House and Senate in session yesterday there were 42 bills introduced. One of those bills will probably receive additional coverage in this blog:

HR 3787 To amend the Homeland Security Act of 2002 to establish in the Department of Homeland Security an Unmanned Aircraft Systems Coordinator, and for other purposes. Rep. Perry, Scott [R-PA-10]

I suspect that this bill will be similar to HR 6438 that Perry introduced in the 115th Session.

Tuesday, July 16, 2019

HR 3699 Introduced – TSA Pipeline Security


Last week Rep. Cleaver (D,MO) introduced HR 3699, the Pipeline Security Act. The bill would specifically make the Transportation Security Administration (TSA) responsible for cybersecurity and physical security oversight for gas and hazardous liquid pipelines. It would also establish a Pipeline Security Section within the TSA.

Cybersecurity Responsibility


Section 2 of the bill would amend 49 USC 114(f), Additional Duties and Powers, to add a new paragraph (16) that would provide for the TSA responsibility “relating to securing pipeline transportation and pipeline facilities (as such terms are defined in section 60101 [link added] of this title) against cybersecurity threats (as such term is defined in section 102 of the Cybersecurity Information Sharing Act of 2015 (Public Law 114–113; 6 U.S.C. 1501 [link added])), an act of terrorism (as such term is defined in section 3077 of title 18), and other nefarious acts that jeopardize the physical security or cybersecurity of such transportation or facilities”. The reliance on the §1501 definition for ‘cybersecurity threats’ would specifically include control systems in the cybersecurity responsibilities.

Pipeline Security Section


Section 3 of the bill would amend the Implementing Recommendations of the 9/11 Commission Act of 2007, by adding a new §1209. That section establishes within TSA “a pipeline security section to carry out pipeline security programs in furtherance of section 114(f)(16) of title 49 [as added by this bill], United States Code” {new §1209(a)}. The section would oversee the security of pipeline facilities against cybersecurity threats, terrorist attacks and “other nefarious acts that jeopardize the physical security or cybersecurity of such transportation or facilities” {new §1209(b)}.

The Pipeline Security Section would be headed by someone with “knowledge of the pipeline industry and security best practices” {new §1209(c)} and it would “be staffed by a workforce that includes personnel with cybersecurity expertise.”

The Section would be tasked with {new §1209(d)}:

Developing guidelines for improving the security of pipeline transportation and pipeline facilities against cybersecurity threats, an act of terrorism, and other nefarious acts that jeopardize the physical security or cybersecurity of such transportation or facilities;
Updating such guidelines as necessary based on intelligence and risk assessments, but not less frequently than every three years;
Sharing of such guidelines and, as appropriate, intelligence and information regarding such security threats to pipeline transportation and pipeline facilities, as appropriate, with relevant Federal, State, local, Tribal, and territorial entities and public and private sector stakeholders;
Conducting security assessments based on the guidelines developed above;
Carrying out a program to inspect pipeline transportation and pipeline facilities, including inspections of pipeline facilities determined critical by the Administrator; and
Preparing notice and comment regulations for publication, if determined necessary by the Administrator.

Moving Forward


Cleaver is a member of the House Homeland Security Committee and his influence has apparently been sufficient to have this bill considered in Committee in a markup hearing tomorrow. I suspect that there will be bipartisan support for this bill in Committee. If there is sufficient bipartisan support, this bill could move to the House floor under the suspension of the rules process. The relatively strong bipartisan support would be necessary there due to the requirement for a supermajority to pass under those provisions.

Commentary


There are a couple of problems with this bill. The first is that there is no mention of the Department of Transportation as a cooperative party in any of the provisions in the bill. DOT in general and the Pipeline and Hazardous Materials Safety Administration in particular have a major stake in the safe operation of gas and hazardous liquid pipelines. Existing federal law (6 USC 1207 for example) already requires that DHS consult with DOT on inspections, guidance development and crafting of security regulations. Those requirements should be referenced in this bill.

Safety and security go hand-in-hand, especially where emergency response activities are involved. And, that is another problem with this bill; there is no mention of emergency response planning or exercises. A security plan that does not include failure mode mitigation is one that is going to end up doing a great deal of harm if a dedicated attacker is involved.

Furthermore, I do not understand why there is no mention of existing TSA pipeline security requirements in the §1209(d) outline of responsibilities for the Pipeline Security Section. I have already mentioned 6 USC 1207, but 6 USC 1208 lists more existing TSA pipeline security requirements. Moreover, §1208 already addresses the need for emergency response planning for security incidents. The new §1209 in this bill should reference these requirements as part of the responsibilities of the new Pipeline Security Section under paragraph (d).

Finally, there are no information-sharing provisions in this bill. There should probably be a subparagraph in the new §1209(d) requiring the establishment of a security incident (to specifically include cybersecurity incidents) reporting system. It is probably too much to ask to make such reporting mandatory (though to be most effective it would have to be mandatory), but even voluntary information reporting with anonymized sharing of the information with other owner/operators could be valuable.

Rule Adopted for HR 3494 – FY 2020 Intel Authorization


Yesterday the House Rules Committee crafted the rule for the consideration of HR 3494, the Damon Paul Nelson and Matthew Young Pollard Intelligence Authorization Act for Fiscal Years 2018, 2019, and 2020. It provides a structured rule, allowing for the consideration of 31 amendments with limited debate. The bill will be considered by the House today.

The Ruppersberger amendment that I briefly discussed yesterday was included in the list of amendments authorized to be offered on the floor. It is amendment #6.

Monday, July 15, 2019

PSP Program – Conversation with ISCD


I had an interesting telephone conversation with Kelly Murray, the Compliance Branch Chief at the DHS Infrastructure Security Compliance Division (ISCD), about the Chemical Facility Anti-Terrorism Standards (CFATS) personnel surety program. She wanted to call attention to an error in my post on the expansion of the CFATS Personnel Surety Program (PSP) to Tier III and IV facilities. She was also kind enough to answer questions about the PSP and some new tools that ISCD had added since my earlier post.

Error Correction


In my earlier post I wrote:

“First, once notified by ISCD that the facility will begin the implementation process (and that notice will start the 60-day implementation clock [emphasis added]), the facility will update their site security plan to include information about how they will implement the process at their facility.”

Kelly pointed out that the initial notice triggers a 30-day clock for the submission of the facility site security plan (SSP) revision concerning the PSP. The 60-day clock is for the actual implementation of the SSP PSP provisions and it starts once ISCD notifies the facility that their SSP revision has been approved.

New PSP Tools


Later the same day as I posted about the PSP expansion, ISCD published the following notice on the CFATS Knowledge Center about additional tools that they had made available to assist facilities in dealing with the new PSP requirements:

07/11/19: CISA published a Federal Register notice (84 FR 32768) announcing the implementation of the CFATS Personnel Surety Program (PSP) at all high-risk chemical facilities—including Tier 3 and Tier 4 facilities. This implementation closes the final gap in vetting individuals with access to critical assets and restricted areas for terrorist ties.
Visit the PSP page for more details, the PSP Toolkit with new resources (e.g., updated RBPS 12(iv) fact sheet, PSP Samples Supplement, PSP Sample Bulk Upload, etc.), and a webinar demo of the PSP in the CSAT 2.0 portal.

In my opinion, one of the most valuable tools is the PSP Samples Supplement (.DOCX download link). It provides examples that facilities can use to answer the questions in the SSP Tool that relate to the PSP. It shows various ways that facilities can use the Four Options at their facilities.

Questions


There is an odd footnote at the end of the PSP Samples Supplement; footnote 1 reads:

“To date, DHS has not received any Site Security Plans selecting Option 3 and therefore the sample answers have been provided as an example but is not based on lessons learned or best practices.”

Given the clamor from industry during the development of the PSP to be able to use TWIC Readers and the subsequent demands from Congress on the same, I found this rather odd. Kelly did tell me that the footnote is no longer technically correct; since the document was approved a facility has submitted an SSP that designates Option 3 as one of the options that the facility will use to screen personnel.

I asked her why she thought facilities were not using this option and she noted that she thought it was because Option 1 (the most common option used according to her) was so easy to use/implement.

I did ask her the inevitable question; had any facilities been notified that an employee had been identified as having terrorist ties through this vetting process? As expected, she could not answer that question. An answer to a subsequent question, however, seemed to imply (not surprisingly) that such notifications had been received.

I asked her about the process for correcting an erroneous finding of potential terrorist ties. The ISCD privacy documentation does provide a process for employees to question the accuracy of information submitted via the PSP tool under Option 1 or 2, but that does not address the issue of genuinely incorrect Terrorist Screening Database information. Kelly noted that the PSP tool for Option 1 includes provisions for providing additional information about an individual and that ISCD could ask for that additional information if there was a terrorist association result from TSA. It sounded as if these questions had been asked in some number of instances.

Additional Information


Kelly noted that facilities could expect some sort of delay between submitting the SSP revision and receiving notification that the revision had been approved and the 60-day compliance clock starting. How long a delay would depend on how many facilities had submitted their SSP updates. Facilities should not be concerned about a lengthy delay being an indication that the SSP revision would be disapproved.

One other thing that did come up was a reinforcement of a point I had made in my post. ISCD is planning for substantial support from Chemical Security Inspectors during this process.

HR 3710 Introduced – Cybersecurity Vulnerabilities


Last week Rep. Jackson-Lee (D,TX) introduced HR 3710, the Cybersecurity Vulnerability Remediation Act. The bill would amend 6 USC 659 to allow the National Cybersecurity and Communications Integration Center (NCCIC) to “identify, develop, and disseminate actionable protocols to mitigate cybersecurity vulnerabilities” {new §659(n)}.

Changes to Section 659


Section 2 of the bill first adds a definition of ‘cybersecurity vulnerability’ taken from ‘security vulnerability’ in 6 USC 1501. It then goes on to modify the functions of the NCCIC in §659(c). The revisions would make that paragraph read:

(c) Functions
The cybersecurity functions of the Center [NCCIC] shall include-

•••

(5)(A) conducting integration and analysis, including cross-sector integration and analysis, of cyber threat indicators, defensive measures, cybersecurity risks, and incidents; and

(B) sharing mitigation protocols to counter cybersecurity vulnerabilities pursuant to subsection (n); and

(C) (B) sharing the analysis conducted under subparagraph (A) and mitigation protocols to counter cybersecurity vulnerabilities in accordance with subparagraph (B) with Federal and non-Federal entities;

•••

(9) sharing cyber threat indicators, defensive measures, mitigation protocols to counter cybersecurity vulnerabilities and other information related to cybersecurity risks and incidents with Federal and non-Federal entities, including across sectors of critical infrastructure and with State and major urban area fusion centers, as appropriate;

Finally, it would add a new paragraph (n):

(n) PROTOCOLS TO COUNTER CYBERSECURITY VULNERABILITIES.—The Director may, as appropriate, identify, develop, and disseminate actionable protocols to mitigate cybersecurity vulnerabilities, including in circumstances in which such vulnerabilities exist because software or hardware is no longer supported by a vendor.

Vulnerability Disclosure


Section 3 of the bill would require a report to Congress on how the Cybersecurity and Infrastructure Security Agency (CISA) carries out its vulnerability disclosure responsibilities described in §659(m). That report would include activities undertaken “to disseminate actionable protocols to mitigate cybersecurity vulnerabilities” {§3(a)} outlined in this bill. That unclassified report would include:

A description of the policies and procedures relating to the coordination of vulnerability disclosures.
A description of the levels of activity in furtherance of such subsections (m) and (n) of §659;
Any plans to make further improvements to how information provided pursuant to such subsections can be shared (as such term is defined in §659) between the Department and industry and other stakeholders.
Any available information on the degree to which such information was acted upon by industry and other stakeholders; and
A description of how privacy and civil liberties are preserved in the collection, retention, use, and sharing of vulnerability disclosures.

Vulnerability Competition


Section 4 of the bill would allow CISA to “establish an incentive-based program that allows industry, individuals, academia, and others to compete in providing remediation solutions for cybersecurity vulnerabilities”. No funding is provided.

Moving Forward


As I mentioned in an earlier post, this bill will be marked up by the House Homeland Security Committee tomorrow. I do not expect any amendments will be offered and the bill will almost certainly receive bipartisan support. I expect that the bill will be considered by the full House under the suspension of the rules process; limited debate and no floor amendments. It is very likely to pass with strong bipartisan support.

Commentary


The final phrase in §659(n) is very interesting; “including in circumstances in which such vulnerabilities exist because software or hardware is no longer supported by a vendor.” This clearly recognizes that software (and of course, operating systems) is (are) quite frequently used well after the vendor stops providing support and that this significantly increases the risk associated with that continued use. And, I would assume that the ‘competition’ outlined in §4 is primarily aimed at these out-of-support systems.

There is a significant problem with this approach. While the vendors have stopped support for these systems, I do not think that most would surrender their copyright rights or outright ownership of the ‘non-supported’ systems. This means that it would be a violation of any of a number of Federal (and probably international) laws to modify the software, firmware or operating system to mitigate any vulnerabilities found after the close of support on the product without the specific authorization of the vendor. These issues will have to be resolved by Congress.

Committee Hearings – Week of 7-14-19


With both the House and Senate in Washington and looking towards their extended summer recess, there are a number of interesting hearings on the schedule for this week. In addition to the House Rules Committee hearing on HR 3494 there will be two markup hearings addressing cybersecurity bills and two other hearings that may address cybersecurity issues.

Cybersecurity Markups


On Tuesday the Senate Energy and Natural Resources Committee will conduct a markup hearing on 23 bills. Bills of interest here include:

S 174, a bill to provide for the establishment of a pilot program to identify security vulnerabilities of certain entities in the energy sector. (King/Risch); and
S 715, a bill to improve the productivity and energy efficiency of the manufacturing sector by directing the Secretary of Energy, in coordination with the National Academies and other appropriate Federal agencies, to develop a national smart manufacturing plan and to provide assistance to small- and medium-sized manufacturers in implementing smart manufacturing programs, and for other purposes. (Shaheen)

On Tuesday the House Homeland Security Committee will conduct a markup hearing on 18 bills. Bills of interest here include:

HR 3318, (Mr. Joyce) The “Emerging Transportation Security Threats Act of 2019”;
HR 3699, (Mr. Cleaver) The “Pipeline Security Act” (not yet reviewed here);
HR 3710, (Ms. Jackson Lee) The “Cybersecurity Vulnerability Remediation Act” (not yet reviewed here).

Both of these hearings are going to be dealing with a large number of bills. I do not expect much in the way of amendments and very little discussion.

Cybersecurity (?) Hearings


On Wednesday the Energy Subcommittee of the House Energy and Commerce Committee will be holding a hearing on “The Future of Electricity Delivery: Modernizing and Securing Our Nation’s Electricity Grid”. The witness list includes:

Karen Evans, DOE;
Juan Torres, National Renewable Energy Laboratory;
Kelly Speakes-Backman, Energy Storage Association; and
Katherine Hamilton, Advanced Energy Management Alliance

This is almost certainly going to focus on energy supply security, not cybersecurity, but Evans is the head of the Office of Cybersecurity, Energy Security, and Emergency Response (CESER), so there will likely be some questions about grid cybersecurity.

On Thursday the House Oversight and Reform Committee will hold a hearing with Kevin K. McAleenan. There is no official indication of the topics to be discussed, but I suspect that it will focus on ‘border security issues.’ There is a slight chance that cybersecurity questions will be addressed to the Acting Secretary.

Sunday, July 14, 2019

HR 3494 Reported in House – FY 2020 Intel Authorization


This week the House Intelligence Committee reported on HR 3494, Damon Paul Nelson and Matthew Young Pollard Intelligence Authorization Act for Fiscal Years 2018, 2019, and 2020. While the bill contains some cyber operations and cyber intelligence language, it does not address any control system cybersecurity issues. There is, however, a brief discussion in the Committee Report about the development of a “cybersecurity and intelligence collection doctrine” that bears some scrutiny.

The House Rules Committee is meeting tomorrow to create the rule under which this bill will be considered on the floor later this week. A total of 46 amendments were proposed to the Committee last week. They will consider which amendments may be considered during the consideration of the bill on the floor of the House. One of those amendments addresses cybersecurity in the energy sector.

Cybersecurity and Intelligence Collection Doctrine


On page 95 of the Report, the Committee directs the Office of the Director of National Intelligence (ODNI) “to develop an analytic framework that could support the eventual creation and execution of a Government-wide cybersecurity and intelligence collection doctrine.” The framework would include:

An assessment of the current and medium-term cyber threats to the protection of the United States’ national security systems and critical infrastructure;
IC definitions of key cybersecurity concepts, to include cyberespionage, cyber theft, cyber acts of aggression, and cyber deterrence;
Intelligence collection requirements to ensure identification of cyber actors targeting U.S. national security interests, and to inform policy responses to cyberattacks and computer network operations directed against the United States;
The IC’s methodology for assessing the impacts of cyberattacks and computer network operations incidents directed against the United States, taking into account differing levels of severity of incidents;
Capabilities that the IC could employ in response to cyberattacks and computer network operations incidents, taking into account differing levels of severity of incidents;
A policy and architecture for sharing cybersecurity-related intelligence with government, private sector, and international partners, including existing statutory and other authorities which may be exercised in pursuit of that goal; and
Any necessary changes in IC authorities, governance, technology, resources, and policy to provide more capable and agile cybersecurity.

Possible Cybersecurity Amendment


Amendment #20 was submitted by Rep. Ruppersberger (D,MD) and Rep. Carter (R,TX). This amendment would authorize a pilot program identifying new classes of security vulnerabilities and researching technology to address the ever-present and changing face of cyber security threats to the energy grid. The amendment is essentially HR 680, which Ruppersberger and Carter introduced in January. No action has been taken on that bill. Nearly identical language was included (§10742) in the Intel Authorization Act that was included in S 1790, the FY 2020 NDAA that was passed last month.

There is no resolution of the vulnerability disclosure issue that I discussed in my post on HR 680 in either this submitted amendment to HR 3494 or in §10742 in S 1790.

Moving Forward


The House is currently scheduled to consider HR 3494 on Tuesday. With the small number of amendments submitted to the Rules Committee, it looks like it could complete consideration of the bill on the same day. The bill is likely to pass, but I suspect it will be largely a party-line vote. The problem is going to come with how to deal with the intel authorization once the House vote is completed. Normally, there would be a conference committee to iron out the differences, but the Senate passed their intel authorization act as part of the DOD authorization act. It will be interesting to see how this procedural issue is resolved.

Saturday, July 13, 2019

House Amends and Passes HR 2500 – FY 2020 NDAA


Yesterday the House concluded the amendment process for HR 2500, the FY 2020 National Defense Authorization Act (NDAA) and passed the bill on a near party-line vote of 220 to 197 (eight Democrats voted NAY). Among the literally hundreds of amendments passed are all five of the amendments I mentioned in my post earlier in the week. As expected, they all passed by voice votes as part of en bloc amendments.

There were a number of provisions in the version of the bill considered in the House and a number of passed amendments that would not be able to pass in the Senate. The Senate already passed their version of the bill (S 1790) with a strongly bipartisan vote. A conference committee will ultimately combine the two versions into something that will subsequently pass in both the House and Senate and would ultimately be signed by the President.

Public ICS Disclosures – Week of 07-06-19


This week we have vendor disclosures from Schneider, Johnson Controls, and Siemens. We also have updates of previously issued advisories from Schneider (3) and Siemens (5).

Schneider Advisory


Schneider published an advisory that describes a buffer error vulnerability in the Schneider Modicon M580 controller product. The vulnerability is self-reported. Schneider has a new version that mitigates the vulnerability.

Schneider Updates


1. Schneider updated an advisory that was originally published on May 14th, 2019 for a vulnerability in the Schneider Modicon Controller products. The new information corrected the CVSS v3.0 Base Score from 7.4 to 7.5.

2. Schneider updated an advisory that was originally published on May 23rd, 2017 for a vulnerability in the Schneider Modicon Controllers and SCADAPack RTUs. The new information includes:

Updated affected products section to include SCADAPack RTUs;
Updated remediation section to include information for SCADAPack RTUs; and
Updated researcher acknowledgment section

3. Schneider updated an advisory that was originally published on May 14th, 2019 for multiple vulnerabilities in its Modicon Controller products. The new information includes:

Updated to include links to M580 V2.90 Firmware and Control Expert Hot Fix V14.0; and
Updated mitigations for CVE-2019-6808

NOTE: I missed the original publication of the Schneider advisory, but I did report on the vulnerabilities when reported by Talos.

Johnson Controls Advisory


Johnson Controls published an advisory reporting an undescribed vulnerability in the Johnson Controls TrueInsight modules used to connect Simplex® Fire Alarm Control Panels to the TrueInsight Remote Service. This vulnerability is apparently self-reported. Johnson Controls has remotely disabled the modules with active customers.

Comment: Wow. This very brief advisory begs more questions than it answers. An 11-9-16 advertorial over on FacilityExecutive.com ‘reports’:

“SimplexGrinnell's True Insight Remote Service is an internet based software platform that provides SimplexGrinnell an electronic window into the operation of your entire simplex fire system 24/7.”

Remotely disconnecting the link between fire alarm control panels and this platform slams shut that ‘electronic window’. I hope that Johnson Controls notified their customers before they disconnected the system.

Siemens Advisory


Siemens published an advisory describing four microarchitectural vulnerabilities in Siemens Industrial Products. The vulnerabilities are self-reported. Siemens has produced some BIOS updates that include chipset microcode updates and recommends applying OS vendor updates that address these vulnerabilities.

The four reported vulnerabilities are:

Microarchitectural Store Buffer Data Sampling (MSBDS) - CVE-2018-12126;
Microarchitectural Load Port Data Sampling (MLPDS) - CVE-2018-12127;
Microarchitectural Fill Buffer Data Sampling (MFBDS) - CVE-2018-12130; and
Microarchitectural Data Sampling Uncacheable Memory (MDSUM) - CVE-2019-11091
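The Siemens advisory pairs BIOS/microcode updates with OS vendor updates, and the practical question for an operator is whether a given host actually ends up mitigated. The following is an added example, not Siemens or NCCIC-ICS code: it reads the Linux kernel's per-vulnerability status file for MDS (the four CVEs above all map to the single kernel entry `mds` under `/sys/devices/system/cpu/vulnerabilities/`) and turns the kernel's free-text status into a verdict that distinguishes "mitigated", "mitigated but SMT still exposed", and "microcode missing". The status strings used in the comments and tests are constructed samples modelled on the kernel's wording; the directory path is the real sysfs location, but the kernel must be recent enough to expose it.

```python
"""Classify the Linux kernel's MDS mitigation status (added example)."""
import os

# Real sysfs location; one file per CPU vulnerability the kernel knows about.
SYSFS_VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# The four MDS variants in the Siemens advisory all share the kernel entry "mds".
MDS_CVES = ("CVE-2018-12126", "CVE-2018-12127", "CVE-2018-12130", "CVE-2019-11091")


def classify_mds_status(status: str) -> dict:
    """Turn the kernel's mds status line into a small verdict dict.

    Constructed sample inputs modelled on the kernel's wording:
      "Not affected"
      "Mitigation: Clear CPU buffers; SMT disabled"
      "Mitigation: Clear CPU buffers; SMT vulnerable"
      "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable"
    """
    s = status.strip()
    if s.startswith("Unknown") or not s:
        # Kernel predates the mds entry (or the file was unreadable): no verdict.
        return {"affected": None, "mitigated": False, "microcode": False,
                "smt_vulnerable": False,
                "summary": "unknown (kernel does not expose mds status)"}

    affected = not s.startswith("Not affected")
    mitigated = s.startswith("Mitigation:")
    # "no microcode" means the CPU lacks the MD_CLEAR capability, i.e. the
    # BIOS/microcode update the advisory calls for has not been applied.
    microcode = affected and "no microcode" not in s
    # MDS leaks across hyperthreads; the kernel flags this separately.
    smt_vulnerable = "SMT vulnerable" in s

    if not affected:
        summary = "not affected"
    elif mitigated and microcode and not smt_vulnerable:
        summary = "mitigated"
    elif mitigated and microcode:
        summary = "mitigated (SMT vulnerable)"
    elif not microcode:
        summary = "vulnerable: microcode update missing"
    else:
        summary = "vulnerable"
    return {"affected": affected, "mitigated": mitigated, "microcode": microcode,
            "smt_vulnerable": smt_vulnerable, "summary": summary}


def read_mds_status(vuln_dir: str = SYSFS_VULN_DIR) -> str:
    """Read the kernel's mds entry; return 'Unknown' when it is not present."""
    path = os.path.join(vuln_dir, "mds")
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return "Unknown"


def report_host(vuln_dir: str = SYSFS_VULN_DIR) -> dict:
    """Verdict for the running host, tagged with the CVEs it covers."""
    verdict = classify_mds_status(read_mds_status(vuln_dir))
    verdict["cves"] = MDS_CVES
    return verdict


if __name__ == "__main__":
    v = report_host()
    print(f"MDS ({', '.join(v['cves'])}): {v['summary']}")
```

The verdict is deliberately conservative: a host that reports "Mitigation: Clear CPU buffers" but still "SMT vulnerable" is counted as only partially mitigated, because the buffer-clearing mitigation does not protect against a sibling hyperthread on the same core.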

Siemens Updates


1. Siemens published an update for the Siemens Advanced Therapy Products from Siemens Healthineers advisory that was originally published on May 24th, 2019. The new information includes:

Added mitigation; and
Clarified affected versions

2. Siemens published an update for Siemens RAPIDPoint® 500 Operating on Windows XP that was originally published on May 24th, 2019. The new information includes:

Removed AUWi and AUWi Pro; and
Changed patch release date

3. Siemens published an update for Siemens Laboratory Diagnostics Products from Siemens Healthineers that was originally published on May 24th, 2019. The new information includes:

Removed CS 5100 for Windows XP; and
Added patch information

NOTE: These first three Siemens updates are all for the Microsoft® RDP vulnerability.

4. Siemens published an update for Siemens SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP that was last updated on June 11th, 2019. The new information includes:

Added CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091, CVE-2019-11477, CVE-2019-11478, CVE-2019-11479, CVE-2019-12900; and
Changed NVD links to MITRE

Friday, July 12, 2019

7 Advisories Published – 07-11-19


Yesterday the DHS NCCIC-ICS published six industrial control system advisories for products from Schneider Electric (2), AVEVA, Siemens (3) and Delta Industrial. They also published a medical device security advisory for products from Philips.

Interactive Graphical SCADA Advisory


This advisory describes an out-of-bounds write vulnerability in the Schneider Interactive Graphical SCADA System (IGSS). The vulnerability was reported by mdm and rgod of 9SG Security Team via the Zero Day Initiative. Schneider has new versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerability to allow an attacker to achieve arbitrary code execution or crash the software.

Floating License Manager Advisory


This advisory describes four vulnerabilities in the Schneider Floating License Manager. The vulnerabilities are self-reported. According to the Schneider advisory, the vulnerabilities are in a third-party component (Flexera FlexNet Publisher) of their product. Schneider has a patch available that mitigates the vulnerabilities.

The four reported vulnerabilities are:

Improper input validation (3) - CVE-2018-20031, CVE-2018-20032, and CVE-2018-20034; and
Memory corruption - CVE-2018-20033

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to deny the acquisition of a valid license for legal use of the product.

NOTE: There are still three other advisories published by Schneider on Tuesday that have not been reported by NCCIC-ICS; all for Modicon controllers. I will address these on Saturday.

AVEVA Advisory


This advisory describes the same four vulnerabilities reported above, this time in the AVEVA Vijeo Citect and Citect SCADA Floating License Manager. These vulnerabilities have not yet been reported by AVEVA. A new version is available from Schneider to mitigate the vulnerabilities.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to deny the acquisition of a valid license for legal use of the product.

SIMATIC Advisory


This advisory describes three vulnerabilities in the Siemens SIMATIC RF6XXR. The vulnerabilities are in older, third-party SSL and TLS applications still in use by these products. The vulnerabilities were reported by Wendy Parrington from United Utilities. Siemens reports that newer versions mitigate the vulnerabilities.

The three reported vulnerabilities are:

Improper input validation - CVE-2011-3389; and
Cryptographic issues (2) - CVE-2016-6329 and CVE-2013-0169

NCCIC-ICS reports that an uncharacterized attacker could use publicly available exploits (two of these are older, well recognized vulnerabilities) to remotely exploit the vulnerabilities to allow access to sensitive information.
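All three of the RF6XXR vulnerabilities are weaknesses of legacy SSL/TLS configuration rather than of any one product, so the useful operator check is an audit of which protocol versions and cipher suites a device or gateway still negotiates. The following is an added example, not Siemens or NCCIC-ICS code: it evaluates a TLS configuration (given as a plain dict of enabled protocol versions and IANA cipher-suite names) against the three CVEs. The mapping from CVE to weakness class (CVE-2011-3389 BEAST, CVE-2013-0169 Lucky 13, CVE-2016-6329 Sweet32) comes from the public CVE records, not from the advisory text; the sample configurations are constructed, and the function and field names are my own.

```python
"""Audit a TLS configuration for the three legacy-crypto CVEs (added example)."""
from dataclasses import dataclass
from typing import Dict, List

# Protocol versions with chained CBC IVs (BEAST, CVE-2011-3389).
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1.0"}
# Cipher-suite name tokens that denote a 64-bit block cipher (Sweet32, CVE-2016-6329).
SMALL_BLOCK_TOKENS = {"3DES", "DES", "DES40", "IDEA", "RC2"}


@dataclass(frozen=True)
class Finding:
    suite: str
    protocol: str   # "" when the weakness does not depend on the protocol version
    cve: str
    reason: str


def _tokens(suite: str) -> set:
    # IANA names are underscore-separated, e.g. TLS_RSA_WITH_3DES_EDE_CBC_SHA.
    return set(suite.upper().split("_"))


def uses_cbc(suite: str) -> bool:
    return "CBC" in _tokens(suite)


def uses_64bit_block(suite: str) -> bool:
    return bool(_tokens(suite) & SMALL_BLOCK_TOKENS)


def audit(config: Dict[str, List[str]]) -> List[Finding]:
    """Return one Finding per (suite, CVE) exposure in the configuration."""
    findings: List[Finding] = []
    protocols = config.get("protocols", [])
    for suite in config.get("cipher_suites", []):
        if uses_cbc(suite):
            # MAC-then-encrypt CBC leaks padding validity through timing.
            findings.append(Finding(suite, "", "CVE-2013-0169",
                                    "CBC MAC-then-encrypt padding-oracle timing channel (Lucky 13)"))
            for proto in protocols:
                if proto in LEGACY_PROTOCOLS:
                    # Only SSL 3.0 / TLS 1.0 chain IVs across records.
                    findings.append(Finding(suite, proto, "CVE-2011-3389",
                                            f"CBC with chained IVs under {proto} (BEAST)"))
        if uses_64bit_block(suite):
            findings.append(Finding(suite, "", "CVE-2016-6329",
                                    "64-bit block cipher reaches the birthday bound in-session (Sweet32)"))
    return findings


def affected_cves(config: Dict[str, List[str]]) -> List[str]:
    return sorted({f.cve for f in audit(config)})


# Constructed sample: a legacy stack of the kind the advisory describes.
LEGACY_CONFIG = {
    "protocols": ["TLSv1.0", "TLSv1.2"],
    "cipher_suites": [
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    ],
}

# Constructed sample: TLS 1.2 only, AEAD suites only; none of the three apply.
HARDENED_CONFIG = {
    "protocols": ["TLSv1.2"],
    "cipher_suites": [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    ],
}


if __name__ == "__main__":
    for f in audit(LEGACY_CONFIG):
        print(f"{f.cve}  {f.suite}  {f.protocol or '-'}  {f.reason}")
    print("hardened config findings:", len(audit(HARDENED_CONFIG)))
```

Note that the AES-CBC suite is flagged even under TLS 1.2: Lucky 13 is a property of CBC MAC-then-encrypt in every TLS version, and BEAST is only cleared by dropping SSL 3.0 and TLS 1.0. Moving to AEAD suites (GCM, ChaCha20-Poly1305) on TLS 1.2 or later removes all three classes at once, which is what the "newer versions" in the Siemens advisory amount to.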

TIA Portal Advisory


This advisory describes an improper access control vulnerability in the Siemens TIA Administrator (TIA Portal). The vulnerability was reported (with proof of concept code) by Joseph Bingham of Tenable. Siemens has an update that mitigates the vulnerability. There is no indication that Bingham has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow execution of some commands without proper authentication.

SIMATIC WinCC Advisory


This advisory describes an unrestricted upload of file with dangerous type vulnerability in the Siemens SIMATIC WinCC and SIMATIC PCS7 devices. The vulnerability was reported by Xuchen Zhu from ZheJiang Guoli Security Technology. Siemens has updates available that mitigate the vulnerability. There is no indication that Xuchen has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to cause a denial-of-service condition on the affected service or device. The Siemens advisory notes that the attacker has to be authenticated with a valid user account.

NOTE: There is still one new advisory that Siemens published on Tuesday that has not been reported by NCCIC-ICS. I will cover it tomorrow.

Delta Industrial Advisory


This advisory describes two vulnerabilities in the Delta Electronics CNCSoft ScreenEditor. The vulnerabilities were reported by Natnael Samson (@NattiSamson) via ZDI. Delta has a new version that mitigates the vulnerabilities. There is no indication that Samson was provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

Heap-based buffer overflow - CVE-2019-10982; and
Out-of-bounds read - CVE-2019-10992

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to cause buffer overflow conditions that may allow information disclosure, remote code execution, or crash the application.

Philips Advisory


This advisory describes a use of obsolete function vulnerability in the Philips Holter 2010 Plus, a 12-lead EKG analysis software program. The vulnerability is self-reported. Philips provides generic measures to mitigate the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit this vulnerability to lead to a product feature escalation.
