Saturday, August 31, 2019

Public ICS Disclosures – Week of 08-24-19


This week we have vendor updates for products from Schneider and Rockwell.

Schneider Update


Schneider published an update for their advisory on Wind River Urgent/11 vulnerabilities. The update adds the list of affected energy management products.

Rockwell Update


Rockwell published an update for vulnerabilities in their Allen-Bradley PowerMonitor™ 1000 monitors. The update provides a link to a patch that mitigates the vulnerabilities.

Bills Introduced – 08-30-19


Yesterday, with both the House and Senate meeting in pro forma session (almost no one present), there were 15 bills introduced. One of these bills will receive future consideration in this blog:

HR 4217 To amend the Homeland Security Act of 2002 to develop tools to help State and local governments establish or improve cybersecurity, and for other purposes. Rep. Katko, John [R-NY-24]

This bill (the text has already been published) would establish three separate cybersecurity grant programs for State and local governments.

Interesting side note: While Congresscritters are not in Washington, staffs certainly are. The House Homeland Security Committee filed six committee reports in yesterday’s session. Two of those (HR 3318 and HR 3710) will likely be addressed here in more detail when the reports are actually published next week.

Thursday, August 29, 2019

2 Advisories Published – 08-29-19


Today the DHS NCCIC-ICS published two medical device control system security advisories for products from Philips and Change Healthcare.

Philips Advisory


This advisory describes a use of obsolete function vulnerability in the Philips HDI 4000 Ultrasound Systems. The vulnerability was reported by Check Point. Philips has provided generic measures to mitigate the vulnerability and reports that the devices reached end-of-support in December of 2013. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker with access to the local subnet could use publicly available exploits to exploit the vulnerability, leading to exposure of ultrasound images (breaches of confidentiality) and compromised image integrity.

Change Healthcare Advisory


This advisory describes an incorrect default permissions vulnerability in the Change Healthcare Cardiology Devices. The vulnerability was reported by Alfonso Powers and Bradley Shubin of Asante Information Security. Change Healthcare has a patch to mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker with authenticated access can exploit the vulnerability to allow a locally authenticated user to insert specially crafted files that could result in arbitrary code execution.

NIST Sends Security Plan Guide Update to OMB


Yesterday the OMB’s Office of Information and Regulatory Affairs announced that it had received a proposed revision for NIST SP 800-18, Guide for Developing System Security Plans, for review. This guide for federal information-system security planners was originally published in 1998 and updated in 2006. It will be a while before OIRA approves this document and we see an official version.


A lot has changed in the IT security world since 2006; new technologies and vulnerabilities. This should be a major re-write. The (okay 'a') big question is: will they address OT security for building control systems and security systems for data centers?

Tuesday, August 27, 2019

2 Advisories Published – 08-27-19


Today the DHS NCCIC-ICS published two control system security advisories for products from Datalogic and Delta Controls.

Datalogic Advisory

This advisory describes an authentication bypass using an alternate path or channel vulnerability in the Datalogic AV7000 Linear Barcode Scanner. The vulnerability was reported by Tri Quach and Blake Johnson of Amazon’s Customer Fulfillment Technology Security (CFTS) group. Datalogic has a new firmware version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to remotely execute arbitrary code.

Delta Controls Advisory

This advisory describes a buffer overflow vulnerability in the Delta Controls enteliBUS Controllers. The vulnerability was reported by Douglas McKee @fulmetalpackets and contributing researcher Mark Bereza @ROPsicle of McAfee Advanced Threat Research. Delta Controls has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to remotely execute arbitrary code.

ISCD Updates a Number of CFATS Information Documents


Recently the DHS Infrastructure Security Compliance Division (ISCD) provided links to a number of new and updated information documents related to the Chemical Facility Anti-Terrorism Standards (CFATS) program. Links were provided on either the CFATS Knowledge Center page or the CFATS Resources page.

The new or revised documents I found are:


I have not done (and probably will not do) a detailed review of the revised documents. These are ‘fact sheets’ and those are seldom (if ever) used to announce new policy. If new policy were involved, we would have seen a more formal announcement of the revised documents. I suspect that this was mainly a branding exercise for the new Cybersecurity and Infrastructure Security Administration (CISA).

The odd one on the list above was the EAP guidance document. It was not rebranded with the CISA format or logo. There is no date on the document, so I am not even sure that it was revised. It was listed on the top of the ‘User Manuals’ column of the CFATS Knowledge Center, so ISCD is apparently attempting to at least call attention to the manual. The EAP program was mandated by Congress in the first re-write of the CFATS legislation and may not survive the second re-write. It has not been used by more than a handful of facilities, but that is more because it was introduced after the vast majority of facilities had already submitted proposed Site Security Plans under the existing program than it was because of any problems with the EAP.

Most of the documents listed above have dates back in May. I am not sure when they were actually published or the links made available. A couple of years ago DHS generally stopped putting date of change notices on their web pages. With web sites that are as voluminous as the CFATS program this makes it very difficult to keep up with the changes. I had hoped with the rise of CISA (and the fall of NPPD, its predecessor) that we would see a change in this policy. Every once-in-a-while a ‘last published date’ slips in (see here), but I have not seen any indication that this is more than the action of isolated web-scriptors trying to do right.

Saturday, August 24, 2019

Public ICS Disclosures – Week of 08-17-19


This week we have two vendor disclosures for products from Bosch and Schneider and an update from Schneider.

Bosch Advisory


Bosch published an advisory describing three vulnerabilities in their ProSyst mBS SDK and Bosch IoT Gateway Software. The vulnerabilities are being self-reported. Bosch has new versions that mitigate the vulnerabilities.

The three reported vulnerabilities are:

Path traversal - CVE-2019-11601;
Server-side request forgery - CVE-2019-11897; and
Information exposure through an error message - CVE-2019-11602

Schneider Advisory


Schneider published an advisory for the latest Microsoft® Remote Desktop Services (DejaBlue) vulnerabilities in their products running on machines using various MS operating systems. Generic mitigations are provided. Schneider does provide the following warning about applying the MS patches that should mitigate these vulnerabilities:

“Please note that as of the date of this publication, it is unclear how Microsoft’s patches and updates will affect systems performance. Therefore, customers should proceed with caution when applying these patches to critical operating systems and/or performance-constrained systems. We strongly recommend evaluating the impact of these patches in a Test and Development environment or on an offline infrastructure.”

NOTE: This advisory has already been updated twice.

Schneider Update


Schneider published an update for their advisory on the Wind River VxWorks vulnerabilities in their products. They changed the affected products list by:

Removing Modicon M580 Ethernet / Serial RTU Module; and
Adding Modicon eX80 - BMEAHI0812 HART Analog Input Module

Tuesday, August 20, 2019

1 Advisory, 2 Updates Published – 08-20-19

Today the DHS NCCIC-ICS published a control system security advisory for products from Zebra and two updates for advisories for products from Siemens and Sierra Wireless.

Zebra Advisory

This advisory describes an insufficiently protected credentials vulnerability in the Zebra Industrial Printers. The vulnerability was reported by Tri Quach. Zebra has a new version that mitigates the vulnerability. There is no indication that Tri has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow a remote attacker to send specially crafted packets to a port on the printer, resulting in the retrieval of a front control panel passcode.

Siemens Update

This update provides new information on an advisory that was originally published on August 13th, 2019. NCCIC-ICS changed the vulnerability description from ‘uncontrolled resource consumption’ to ‘insufficient resource pool’. There was no corresponding change in the Siemens advisory; Siemens does not use CWE vulnerability titles or codes in their advisories.

Sierra Wireless Update

This update provides new information on an advisory that was originally published on May 2nd, 2019. The update reports that the ALEOS 4.12.0 Release Note is now available.

Monday, August 19, 2019

S 2333 Introduced – Grid Security


Last month Sen. Cantwell (D,WA) introduced S 2333, the Energy Cybersecurity Act of 2019. The bill would require the Department of Energy to address electric grid cybersecurity, resiliency and risk assessment issues. This bill is essentially identical to S 2444 from last session which was also introduced by Cantwell. No action was taken on the earlier bill.

Cantwell is still a senior member of the Senate Energy and Natural Resources Committee to which this bill was assigned for consideration. That was not enough last session to ensure that the bill was considered in Committee. The problem remains the authorization for the expenditure of funds for the various programs in the bill. It is unlikely that the new budget agreement reached just before the Senate left for summer recess will change the funding situation.

OMB Approves ICR for Surface Transportation Security Survey


Last Friday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an information collection request (ICR) for a Surface Transportation Stakeholder Survey to be conducted by the TSA. The survey was mandated by Congress in §1983 of the FAA Reauthorization Act of 2018 (HR 302 from the 115th Congress, it was signed as PL115-254, but that law has not yet been published).

Stakeholder Survey


Congress required the TSA to conduct a survey of surface transportation security stakeholders “regarding resource challenges, including the availability of Federal funding, associated with securing such assets that provides an opportunity for respondents to set forth information on specific unmet needs” {§1983(a)}. TSA reports [.DOCX download link] that it will be offering the survey to 3,200 organizations “with whom TSA has established working relationships” (pg 1). It expects only about 20% of those organizations to respond during the 21 days that TSA will have the survey available on their web site. This accounts for the 641 surveys expected to be collected under this ICR.

OIRA published [.DOCX download link] a copy of the questions that will be asked on the TSA’s Survey Monkey operated web site for the survey (the URL is not available in the ICR documents). The questions are a relatively broad look at the application of federal grant programs to support surface transportation security efforts. The last two questions directly address the congressional mandate to provide “an opportunity for respondents to set forth information on specific unmet needs.”

TSA is not going to meet the 120-day deadline for conducting the survey that was established in HR 302. Given the requirement to get OMB approval to conduct the information collection, that deadline was never reasonably set. It took TSA almost that long to put together the information necessary to publish the 60-day ICR notice in March of this year. The 30-day ICR notice quickly followed the close of the comment period on the first ICR notice and it only took OIRA a little more than two months to approve the ICR, a remarkably short time for OIRA approval.

TSA will probably not provide a notice in the Federal Register concerning the publication of the survey on a TSA web site. The congressional mandate was to collect information from “stakeholders responsible for securing surface transportation assets”, not the public, community organizations or emergency response personnel. Thus, TSA will directly contact organizations with whom it has established relationships as well as surface transportation trade associations to announce the start of the survey period and the location of the survey web site.

Commentary


I am concerned that there is no mention of cybersecurity in the survey; not even a hint that TSA was including cybersecurity challenges in the surface transportation efforts being surveyed. This is not entirely TSA’s fault; the congressional mandate for this survey did not include any mention of cybersecurity either. Hopefully, the stakeholders being surveyed will be able to read between the lines and will specifically include mention of the concerns that they have about cybersecurity efforts in protecting surface transportation assets from outsider (and insider) attacks.

Saturday, August 17, 2019

Public ICS Disclosures – Week of 08-10-19


This week we have eight vendor notifications from Schneider (7) and Siemens; updates for four previously published advisories from Schneider (2) and Siemens (2); as well as two exploit reports for previously published vulnerabilities in products from Wind River and Cisco.

Schneider Advisories


Magelis Advisory

Schneider published an advisory describing an improper check for unusual or exceptional conditions vulnerability in their Magelis HMI Panel products. The vulnerability was reported by VAPT Team. Schneider provides generic workarounds to mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Modicon 340 Advisory

Schneider published an advisory describing an improper check for unusual or exceptional conditions vulnerability in their Modicon M340 controllers. The vulnerability was reported by VAPT Team. Schneider provides generic workarounds to mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Modicon Advisory

Schneider published an advisory describing three improper check for unusual or exceptional conditions vulnerabilities in their Modicon Ethernet / Serial RTU Modules. The vulnerabilities were reported by VAPT Team. Schneider provides generic workarounds to mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

SoMachine Advisory

Schneider published an advisory describing an untrusted search path vulnerability in their SoMachine HVAC. The vulnerability was reported by Yongjun Liu of the nsfocus security team. Schneider has a new version that mitigates the vulnerability. There is no indication that Liu has been provided an opportunity to verify the efficacy of the fix.

TelevisGo Advisory

Schneider published an advisory describing 22 vulnerabilities in the third party UltraVNC (remote access) software component embedded within the TelevisGo product. The vulnerabilities were reported by Kaspersky Labs. Schneider has a hot-fix available that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The 22 reported vulnerabilities are:

Buffer errors (9) - CVE-2019-8258, CVE-2018-15361, CVE-2019-8262, CVE-2019-8263, CVE-2019-8269, CVE-2019-8271, CVE-2019-8273, CVE-2019-8274, and CVE-2019-8276;
Resource management errors (2) - CVE-2019-8259, and CVE-2019-8277;
Out-of-bounds read (8) - CVE-2019-8260, CVE-2019-8261, CVE-2019-8280, CVE-2019-8264, CVE-2019-8265, CVE-2019-8266, CVE-2019-8267, and CVE-2019-8270;
Incorrect calculation (2) - CVE-2019-8268, CVE-2019-8272; and
Improper access control - CVE-2019-8275.

Software Update Service Advisory

Schneider published an advisory describing a deserialization of untrusted data vulnerability in their Software Update (SESU) SUT Service. The vulnerability was reported by Amir Preminger of Claroty. Schneider has a new version that mitigates the vulnerability. There is no indication that Preminger has been provided an opportunity to verify the efficacy of the fix.

spaceLYnk Advisory


Schneider published an advisory describing an authentication vulnerability in their spaceLYnk and Wiser for KNX controllers. The vulnerability was reported by Sumedt Jitpukdebodin. Schneider has new versions that mitigate the vulnerability. There is no indication that Jitpukdebodin has been provided an opportunity to verify the efficacy of the fix.

Schneider Updates


Modicon Controllers Update

Schneider published an update for an advisory that was originally published on May 14th, 2019. New information includes:

Added mitigation measures for M340;
Added four new vulnerabilities (links for reports w/exploits from Talos):
Denial of service vulnerability - CVE-2019-6809;
Denial of service vulnerability - CVE-2019-6828;
Denial of service vulnerability - CVE-2019-6829; and
Denial of service vulnerability - CVE-2019-6830

SCADAPack Update

Schneider published an update for an advisory that was originally published on May 24th, 2017. New information includes:

Updated researcher acknowledgement section;
Corrected CVE ID from CVE-2017-6028 to CVE-2017-6034; and
Corrected vulnerability description

Siemens Advisory


Siemens published an advisory describing two vulnerabilities in their SIMATIC S7-1200 and SIMATIC S7-1500 CPU families. The vulnerabilities were reported by Eli Biham, Sara Bitan, Aviad Carmel, Alon Dankner, Uriel Malin, and Avishai Wool. Siemens has generic workarounds that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

Man-in-the-middle vulnerability - CVE-2019-10929; and
Code change vulnerability - CVE-2019-10943

Siemens Updates


ZombieLoad Update

Siemens published an update for an advisory that was originally published on July 9th, 2019. New information includes:

SIMATIC IPCs 427D, 477D, 627D, 627E, 647D, 647E, 677D, 677E, 827D, 847D, 847E; and
FieldPG M6

GNU/Linux Update

Siemens published an update for an advisory that was originally published on November 27th, 2019. New information includes:

Added CVE-2018-19591, CVE-2019-11360, CVE-2019-13272; and
Moved CVE-2018-16862 from buildtime to runtime relevant

Cisco Exploit


Angelo Ruwantha published a Metasploit module for a vulnerability in the Cisco Adaptive Security Appliance; Cisco published an advisory on this vulnerability on June 6th, 2018. NCCIC-ICS published an advisory for the Rockwell Automation Allen-Bradley Stratix 5950 listing this vulnerability.

WindRiver (Urgent/11) Exploit


Zhou Yu published an exploit for an integer overflow vulnerability in the Wind River VxWorks (one of the Urgent/11 vulnerabilities).

Bills Introduced – 08-16-19


Yesterday, with almost no congresscritters in Washington, the House and Senate both met in pro forma session. Nine bills were introduced. One of those bills may receive future coverage in this blog:

HR 4189 To amend title 28, United States Code, to allow claims against foreign states for unlawful computer intrusion, and for other purposes. Rep. Bergman, Jack [R-MI-1]

I will be watching this bill for possible language specifically including control systems or critical infrastructure.

Friday, August 16, 2019

4 Advisories Published – 08-15-19


Yesterday the DHS NCCIC-ICS published four control system security advisories for products from Siemens (2), Fuji Electric, and Johnson Controls.

SINAMICS Advisory


This advisory describes an uncontrolled resource consumption vulnerability in the web server of the Siemens SINAMICS control units. The vulnerability is self-reported. Siemens has updates available to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to perform a denial-of-service attack.

SCALANCE Advisory


This advisory describes two instances of an improper adherence to coding standards vulnerability in the Siemens SCALANCE products. The vulnerabilities are self-reported. Siemens has an update available that mitigates the vulnerabilities.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to lead to a denial of service or could allow an authenticated local user with physical access to the device to execute arbitrary commands on the device.

NOTE: There are still two advisories and an update that were published by Siemens earlier this week that have not been addressed by NCCIC-ICS. I will report further on them tomorrow.

Fuji Advisory


This advisory describes a stack-based buffer overflow in the Fuji Alpha5 Smart Loader servo drive. The vulnerability was reported by Natnael Samson (@NattiSamson) via the Zero Day Initiative. Fuji has a new version that mitigates the vulnerability. There is no indication that Samson has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to execute code under the privileges of the application.

Johnson Controls Advisory


This advisory describes two vulnerabilities in the Johnson Controls Metasys building automation system. The vulnerabilities were reported by harpocrates.ghost. Johnson Controls has a new version that mitigates the vulnerabilities. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

Reusing a nonce, key pair in encryption - CVE-2019-7593; and
Use of hard-coded cryptographic key - CVE-2019-7594

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit these vulnerabilities to decrypt captured network traffic.

Thursday, August 15, 2019

HR 3787 Introduced – UAS Coordinator


Last month Rep. Perry (R,PA) introduced HR 3787, the DHS Countering Unmanned Aircraft Systems Coordinator Act. The bill would require the DHS Secretary to designate a Counter Unmanned Aircraft Systems (UAS) Coordinator to “coordinate with relevant Department offices and components on the development of policies and plans to counter threats associated with UAS” {new §321(a)}. The bill is functionally identical to HR 6438 which was passed in the House in the 115th Congress. A related bill, S 1867, was introduced in June in the Senate.

The only difference between this bill and last year’s House bill is the absence of some administrative housecleaning measures in §2(b) of the bill that were addressed in the Homeland Security spending bill passed earlier this year.

Moving Forward


Perry is no longer a member of the House Homeland Security Committee, the committee to which this bill was assigned for consideration. This means that, unless he gets a cosponsor for the bill who is on the Committee, there is little chance that the bill will be considered.

The bill did get bipartisan support in the 115th Congress and it almost certainly would in this session as well.

Commentary


As I mentioned last year, this bill does not provide for any exceptions to a number of federal statutes that would currently prohibit private sector organizations from taking any actions to intercept, take down, or track the owner of a UAS. DOD has been provided substantial (almost sweeping) authority to take actions against UAS under 10 USC 130i, but similar authority provided to DHS and DOJ (6 USC 124n) was significantly constrained. And more importantly, no such authority has been extended to the private sector.

Interestingly, the Senate bill is closely tied to the authorizations provided in §124n and actually would terminate the authority for the position when §124n terminates on October 25th, 2022. The House bill is not tied to the DHS counter-UAS authority and has no termination provisions.

I think that this bill could be improved by expanding the authorized activities of DHS under §124n to include the protection of facilities covered under the Chemical Facility Anti-Terrorism Standards (CFATS) program by inserting a new §2(b) into the bill {while re-designating the current (b) as (c)}:

(b) Chemical Facility Anti-Terrorism Standards Program

(1) In general – 6 USC 124n(k)(3)(C)(i) is amended by adding (IV):

“(IV) protection of facilities covered under 6 CFR Part 27;

(2) The Secretary will publish regulations amending 6 CFR part 27 providing procedures for covered facilities that report quantities of release security issue chemicals of interest as defined in Appendix A to 6 CFR Part 27 to:

(A) track UAS approaching within ¼ mile of the reported facility boundaries;
(B) intercept communications between the controller and the UAS in accordance with §124n(b)(1)(A);
(C) warn the operator in accordance with §124n(b)(1)(B); and
(D) seize or exercise control of the UAS that is in the air space directly over the reported facility boundaries in accordance with §124n(b)(1)(D) if and only if the operator has been warned as in (C) above.

Wednesday, August 14, 2019

PHMSA Publishes Petition Response NPRM – 08-14-19


Today the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) published a notice of proposed rulemaking in the Federal Register (84 FR 41556-41594) outlining proposed changes to the Hazardous Materials Regulations (HMR) resulting from petitions to reduce regulatory burdens.

The proposed changes include 20 provisions addressing:


PHMSA is soliciting public comments on these proposed changes to the HMR. Comments need to be submitted by October 15th, 2019. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket #PHMSA-2017-0120).

DOE Calls for Comments on Cybersecurity Maturity Model


Today the DOE published a request for comments in the Federal Register (84 FR 40399-40400) on version 2.0 of its Cybersecurity Capability Maturity Model (C2M2). According to the notice the “C2M2 Version 2.0 leverages and builds upon existing efforts, models, and cybersecurity best practices to advance the model by adjusting to new technologies, practices, and environmental factors.”

The development of version 2.0 includes:

Establishing a Cybersecurity Architecture domain
Separating the maturity indicator levels (MILs) from the Information Sharing and Communications domain to include sharing practices in the Threat and Vulnerability Management and Situational Awareness domains
Movement of Continuity of Operations MILs from the Incident and Event Response to the Cybersecurity Program Management domain to account for continuity activities beyond response events
Increasing the use of common language throughout the model.

Public comments are being solicited, but there are no instructions within the document on how to submit comments. It does not look like the Federal eRulemaking Portal could be used since there is no docket number provided in the notice. An email address has been provided for Timothy Kocher, who is the DOE officer who signed the notice, but it would be unusual for public comments to be sent directly to him. I have an email en route to Kocher and will update this post as more information becomes available.

Bills Introduced – 08-13-19


Yesterday, with both the House and Senate meeting in pro forma session (absolute minimal attendance), there were six bills introduced. One of these may receive future coverage in this blog:

HR 4187 To penalize acts of domestic terrorism, and for other purposes. Rep. Weber, Randy K., Sr. [R-TX-14]

I will be watching this bill for specific language for the definition of ‘domestic terrorism’ that includes attacks on critical infrastructure (like chemical plants) or attacks on industrial control systems. I am not holding my breath; this is probably just a knee jerk reaction to recent mass shootings.


Tuesday, August 13, 2019

1 Alert, 3 Advisories and 4 Updates Published – 08-13-19


Today the DHS NCCIC-ICS published a control system security alert for products from Mitsubishi Electric; three control system security advisories for products from Siemens, OSIsoft, and Delta Industrial; and four control system advisory updates for products from Siemens.

Mitsubishi Alert


This alert describes a report of seven vulnerabilities in the Mitsubishi smartRTU and INEA ME-RTU. The vulnerabilities were reported (with exploit code) by Mark Cross (@xerubus) (NCCIC-ICS did provide the link to the report, a first). Cross disclosed the vulnerabilities to CISA and published the public disclosure under the 45-day disclosure policy.

The seven reported vulnerabilities are:

OS command injection - CVE-2019-14931;
Unauthenticated download of configuration file - CVE-2019-14927;
Stored cross-site script - CVE-2019-14928;
Use of hard-coded cryptographic keys - CVE-2019-14926;
Hard-coded user passwords - CVE-2019-14930;
Plaintext password storage - CVE-2019-14929; and
Incorrect default permissions - CVE-2019-14925


Siemens Advisory


This advisory describes an uncontrolled resource consumption vulnerability in the Siemens SCALANCE X switches. The vulnerability was reported by Younes Dragoni from Nozomi Networks. Siemens has provided generic workarounds. There is no indication that Dragoni has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause a denial-of-service condition.

OSIsoft Advisory


This advisory describes two vulnerabilities in the OSIsoft PI Web API. The vulnerabilities are self-reported. OSIsoft has an update to mitigate the vulnerabilities.

The two reported vulnerabilities are:

Inclusion of sensitive information in log files - CVE-2019-13515; and
Protection mechanism failure.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerabilities to allow direct attacks against the product and disclose sensitive information.

Delta Advisory


This advisory describes two vulnerabilities in the Delta DOPSoft Human Machine Interface (HMI) editing software. The vulnerabilities were reported by kimiya of 9SG Security Team via the Zero Day Initiative. Delta has a new version that mitigates the vulnerabilities. There is no indication that kimiya has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Out-of-bounds read - CVE-2019-13513; and
• Use after free - CVE-2019-13514

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow information disclosure, remote code execution, or crash of the application.

SIMATIC WinCC Update


This update provides additional information on an advisory that was originally reported on July 11th, 2019. The update provides new affected version information and mitigation links for:

• SIMATIC WinCC V7.3;
• SIMATIC PCS 7 V8.1; and
• SIMATIC WinCC Runtime Professional V14

Spectrum Power Update


This update provides additional information on an advisory that was originally reported on July 9th, 2019. The update provides corrected version information for Spectrum Power 5.

SIPROTEC Update


This update provides additional information on an advisory that was originally reported on July 9th, 2019. The update provides additional mitigation information.

SIMATIC PCS7 Update


This update provides additional information on an advisory that was originally reported on July 9th, 2019. The update provides corrected version information and mitigation links for:

• SIMATIC WinCC V7.3; and
• SIMATIC PCS 7 V8.1

NOTE: Siemens published an additional two advisories and two updates today that were not reported by NCCIC-ICS. They may be reported on Thursday; if not, I will report on them on Saturday.

S 2095 – DOE Cybersecurity


Last month Sen. Gardner (R,CO) introduced S 2095, the Enhancing Grid Security through Public-Private Partnerships Act. The bill would require the Department of Energy (DOE) to establish a voluntary security program for electric utilities and provide a report to Congress on cybersecurity of electricity distribution systems. This bill is very similar to HR 359, which was ordered favorably reported by the House Energy and Commerce Committee last month.

Differences in the Bills


There are a number of differences between the two bills. Many of them are strictly structural; the definitions are in §2 of the Senate bill and §5 of the House bill. Others are editorial in nature, such as adding ‘of a State’ following ‘political subdivision’ in the Senate version. These changes are of interest only to grammarians, lawyers and judges.

Other changes are of more consequence. The Senate bill does not include the section on electricity interruption information that was included as §4 in the House bill. There are two changes (an addition and a deletion) to the voluntary security program described in §3 of S 2095 (see below). Finally, the Senate bill adds a 1-year deadline for the required report to Congress on cybersecurity and distribution systems.

Security Program


The security program in this bill was originally introduced in HR 5240 in the 115th Congress. That program would have required DOE to:

• Develop, and provide for voluntary implementation of, maturity models, self-assessments, and auditing methods for assessing the physical security and cybersecurity of electric utilities;
• Provide training to electric utilities to address and mitigate cybersecurity supply chain management risks;
• Increase opportunities for sharing best practices and data collection within the electric sector;
• Assist with cybersecurity training for electric utilities;
• Advance the cybersecurity of third-party vendors that work in partnerships with electric utilities; and
• Provide technical assistance for electric utilities subject to the program.

S 2095 modifies that program by removing the requirement for DOE to assist with cybersecurity training. This bill would substitute a requirement for DOE “to assist with threat assessment and cybersecurity training for electric utilities” {§3(a)(2)}.

Moving Forward


Neither Booker nor his single cosponsor {Sen. Bennet (D,CO)} is a member of the Senate Energy and Natural Resources Committee to which this bill was assigned for consideration. With no representation on that Committee it is unlikely that this bill will receive consideration.

The House version of the bill received bipartisan support in the markup of the bill last month in the House Energy and Commerce Committee. I suspect that this bill would also receive bipartisan support if it were considered in Committee. The changes described above would have no significant bearing on the support this bill would receive.

NOTE on HR 359


In my post on the introduction of HR 359 I noted that it would be considered by the full House on January 11th, 2019 under the suspension of the rules process. This had been scheduled, along with the consideration of two other cybersecurity bills, HR 360 and HR 370. None of those bills were considered.

It looked like the new Democratic leadership was going to act quickly (if somewhat inadequately) on some critical infrastructure cybersecurity measures. It did not happen, for reasons that have not been made public. Given that initial intent to pass these three cybersecurity bills quickly, it is odd that no action was taken in Committee until a subcommittee markup (with no amendments) in May and a full Committee markup in July.

The bipartisan support for these bills in Committee would seem to indicate that the bills would easily pass in the House under the suspension of the rules process. I would have thought that the initial pass on considering these bills indicated that there was an intent to revise these bills to include some sort of regulatory authority to ensure that facilities complied with the ‘voluntary measures’ included in the bill. The lack of amendments in Committee would seem to indicate that the leadership has decided that such cybersecurity mandates were not going to make it to the President’s desk.

I suspect that all three House bills will be considered by the full House in September.

PHMSA Sends Underground Storage Facility Rule to OMB


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a final rule from DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) concerning underground storage facilities for natural gas. According to the abstract for this rulemaking in the 2019 Spring Unified Agenda, this final rule is intended to finalize the interim final rule that was published in December 2016.

Interesting side note: PHMSA currently has 15 rulemakings under review at OIRA.

Monday, August 12, 2019

Tannerite and the ANSP


I had an interesting discussion last week with a reader who must remain anonymous (for professional reasons) about the technically still pending Ammonium Nitrate Security Program (ANSP) and explosive targets sold under the brand name Tannerite®. Anon was concerned that the sale of these binary explosives was not covered under the ‘proposed’ ANSP (all but dead) nor in the recently released Sandia Labs report on ammonium nitrate.

Anon is correct that the commercial sale of these targets would probably not be covered by the proposed ANSP. There is a 25-lb minimum on the amount of ammonium nitrate (AN) being sold to require buyer registration under that program. With the largest single packaging currently being sold on the Tannerite web site containing only eight ‘one-pound targets’ (each presumably containing substantially less than 1-lb of AN), the company could very reasonably restrict sales enough to keep their customers from having to register.

Anon’s question is why an ‘explosive target’ would not be included in a security program designed to block the use of ammonium nitrate in improvised explosive devices (IEDs). The answer to that question addresses the problem that DHS continues to have with their congressional requirement to regulate ammonium nitrate security to prevent its use in IEDs: money. And, unfortunately, we are not talking about the money lobbyists are spending to stop regulations; we are talking about the cost of regulations.

ANSP Costs


DHS estimated that the cost of their proposed Ammonium Nitrate Security Program would range from $300 million to $1.041 billion over 10 years, with the actual expected cost closer to about $670.6 million. The largest variable in that overall cost estimate (and the largest part of the estimated cost) is the cost of the point-of-sale regulations.

Congress requires that potential regulators look at the cost benefit of their proposed regulations, and DHS did so with their ANSP notice of proposed rulemaking (NPRM). Using the Murrah Building attack (the only large-scale AN-based terrorist attack in the United States) as their prevention standard, DHS calculated a payback period of 14.1 years for the ANSP. Or, in plain-speak, if the ANSP prevented a Murrah-scale attack every 14.1 years, the program would pay for itself. Since it has already been 24 years since that bombing without a similar attack taking place, and without the ANSP being in place, it seems like the price of the program is too large. That is, in fact, why DHS has not finalized the ANSP: it is not justified on a cost/benefit basis.

Smaller Scale Attacks


It would take a huge number of explosive targets (or medical cold-packs, another small-scale product that uses ammonium nitrate) to make up a Murrah Building scale bomb. The buyers of that type of quantity would stand out even without the ANSP and some law enforcement agency would be investigating. A huge number of small-scale purchases would not attract attention but would be logistically very difficult to accomplish.

No, binary targets and cold-packs would only be used in small-scale devices like the IEDs used in the September 2016 attacks in New York City. The one device that detonated did not kill anyone, but it did injure 29 people. The ANSP would not have prevented that attack. A federal program that would prevent that scale of IED attack by limiting the purchase of small amounts of ammonium nitrate would be significantly more expensive. It would have to prevent more than one such attack a year to be ‘cost effective’ based upon the $95 million per-year cost estimate for the ANSP program. The higher cost of the expanded program would probably require preventing an attack every couple of months to be effective.

Of course, it should be remembered that for small-scale IEDs, ammonium nitrate-based weapons are fairly complicated and require some small level of expertise to employ. There are a number of lesser skilled options available to the casual IED maker, black-powder or gunpowder pipe bombs being the most common examples in the US. And I will not even discuss the much less dangerous ‘mail-box bombs’.

This is one of the reasons that DHS has reached out to stakeholders about looking at the broader improvised explosive device issue. It is much too early to talk about this effort as being a rulemaking (especially since Congress has not specifically provided authority for an expanded rulemaking), but folks seem to be looking at establishing some sort of voluntary retail identification check program for some sort of list of chemicals that could be used to make IEDs (almost certainly not including mail-box bombs).

Saturday, August 10, 2019

Public ICS Disclosures – Week of 08-03-19


This week we have three new vendor disclosures concerning the VxWorks URGENT/11 vulnerabilities and three researcher announcements of vulnerabilities in products from Reliable Controls (2) and VISAM.

URGENT/11 Advisories


Three new vendors have published advisories related to the VxWorks URGENT/11 vulnerabilities reported by Armis Labs: Bosch, Omron and Philips. Below I have listed links to all of the vendor disclosures that I have discovered to date:

• Rockwell;
• Xerox;
• Siemens (in an out-of-cycle report);
• Schneider;
• ABB, in AC 800PEC;
• Belden;
• Omron (not affected); and
• Philips

It is great to see that Omron is reporting no exposure to the vulnerabilities. That is as valuable to their customers as the advisories being published by affected vendors.

Reliable Controls Advisories


MACH-ProWeb Advisory

Applied Risk published a report describing a reflected XSS vulnerability in the Reliable Controls MACH-ProWeb BACnet Building Controller. Applied Risk reports that they have not received a response from the vendor to their January 29th, 2019 report on this vulnerability.

Reliable Controls LicenseManager Advisory

Applied Risk published a report describing a privilege escalation vulnerability in the Reliable Controls RC-LicenseManager in the Reliable Controls RC-Studio (MACH-System) software. Applied Risk reports that they have not received a response from the vendor to their January 29th, 2019 report on this vulnerability.

VISAM Advisory


Applied Risk has published a report describing five vulnerabilities in the VISAM Automation Base (VBASE) HMI / SCADA. Applied Risk reports that as of July 8th, 2019 (apparently the date of last communication from VISAM) no mitigation has been made available for these vulnerabilities.

The five reported vulnerabilities are:

• Information disclosure via directory traversal;
• Insecure file permissions privilege escalation;
• Password protection security bypass;
• Cryptographic key disclosure; and
• Buffer overflow

Friday, August 9, 2019

S 2181 Introduced – Aircraft Cybersecurity


Last month Sen. Markey (D,MA) introduced S 2181, the Cybersecurity Standards for Aircraft to Improve Resilience (Cyber AIR) Act of 2019. This bill is very similar to S 2764 that Markey introduced in the second half of the 114th Congress.

Differences


The major difference between the two bills is that the congressional reporting requirements found in §5 of the earlier bill have been removed from the current version. That section would have required annual reports to Congress on the attacks reported to the FAA by air carriers and manufacturers under provisions of §3.

Two other changes are found in §5 of the current bill. The formatting is changed from §6 of S 2764 and the last subparagraph {§6(c)(2)} from the earlier bill has been deleted in S 2181. That subparagraph would have required that the report to Congress from the FAA-FCC Leadership Group be “submitted in unclassified form, but may include a classified annex”.

Moving Forward


Markey is still a member of the Senate Commerce, Science, and Transportation Committee and he has added a cosponsor {Sen. Blumenthal (D,CT)} who is a senior Democrat on that Committee. This increases the likelihood that this bill would see consideration in Committee compared to the 114th Congress. I suspect that the bill, if considered, would receive substantial opposition from Republicans, thus killing any chances that the bill would move to the floor of the Senate.

Commentary


There is no reference in this bill to cooperation with the DHS Cybersecurity and Infrastructure Security Agency. CISA was not in existence when the earlier version of the bill was introduced, but I would have expected this version to be updated to substitute CISA for generic references to cooperation or coordination with ‘the Secretary of Homeland Security’. CISA is, of course, supposed to be the Federal government’s expert on all things cybersecurity.

Over the years I have been a strong proponent of actively involving ICS-CERT and now CISA in anything involving Federal oversight of control system security in all of its guises. Mainly, I have asserted that the limited availability of control system security expertise in government (and to a somewhat lesser extent in the private sector) meant that the localization of that talent in a single agency would probably make a great deal of sense. I am starting to rethink that proponency (hmmm, that may be a new word according to spell check).

First, it appears that DHS in general, and CISA in particular, has ‘deemphasized’ the importance of control system security expertise with the effective elimination of ICS-CERT. This has always been the problem of putting all of your ‘eggspertice’ in one administrative basket; bureaucratic adjustments in the size of that basket have unintended consequences outside of the agency’s mandate.

More importantly, not requiring safety regulatory agencies (like the FAA in this case) to have cybersecurity expertise in general, and control system expertise in particular, fails to recognize the impact of cybersecurity on safety. Safety regulators are going to increasingly become control-system cybersecurity regulators as more and more safety systems rely on interconnected control-system components. Safety regulatory agencies are going to have to be forced by Congress to formalize and grow their cybersecurity capabilities.

With that in mind, I would like to suggest an addition to §3 of the bill:

(c) The Secretary will establish within the FAA an Aviation Cybersecurity Office (ACO) to receive the cyberattack reports described in (a) and develop recommendations for, and implement, regulatory actions described in (b). The Director of the ACO will be familiar with avionics control systems and cybersecurity of such systems. Additionally, the ACO will:

(1) Receive cybersecurity incident reports from covered air carriers and covered manufacturers;
(2) Prepare anonymized reports on such incidents that would identify security vulnerabilities (as defined in 6 USC 1501) that could affect other carriers and manufacturers and coordinate the disclosures of those security vulnerabilities;
(3) Establish procedures and processes by which security researchers can report security vulnerabilities for further coordinated disclosure; and
(4) Coordinate with the National Cybersecurity and Communications Integration Center on sharing security vulnerability information.

Thursday, August 8, 2019

1 Update Published – 08-08-19


Today the DHS NCCIC-ICS published an update for a previously issued control system security advisory for products from Wind River.

The update provides additional information on an advisory that was originally published on July 30th, 2019. The new information is the addition of two new vendor advisories concerning the VxWorks vulnerabilities:

• Draeger (advisory not published on Draeger site?); and
• Schneider

I reported the Schneider advisory last Saturday, along with advisories from Siemens, ABB, and Belden that were not included in this update.

Wednesday, August 7, 2019

Bills Introduced – 08-06-19


Yesterday, with both the House and Senate meeting in pro forma sessions (almost everyone was back home or on the road, raising money or connecting with local voters), there were 15 bills introduced. Two of those may receive future attention in this blog:

HR 4166 To improve technology and address human factors in aviation safety, and for other purposes. Rep. DeSaulnier, Mark [D-CA-11]

HR 4170 To preempt State data security vulnerability mandates and decryption requirements. Rep. Lieu, Ted [D-CA-33]

Both are a bit of a stretch for coverage here, but they may contain specific language relating to control system security issues.

I will note in passing that it seems odd for a Democrat to introduce federal preemption language; that is usually a ploy to limit the ability of States to be more proactive and business constricting. I may cover this bill even if it does not include ICS language.
