Saturday, September 28, 2019

Public ICS Disclosures – Week of 09-21-19


This week we have four vendor disclosures for products from ABB, Schneider, Sick, and Yokogawa, and one vendor update for products from Schneider.

ABB Advisory


ABB published an advisory reporting that two of the Wind River URGENT/11 vulnerabilities affect their AC 800M controllers. ABB provides generic workarounds while it is working on new versions to mitigate the vulnerabilities.

Schneider Advisory


Schneider published an advisory describing the Microsoft Windows® DejaBlue vulnerabilities in a list of Schneider products. Schneider recommends applying the appropriate Windows updates for some products and provides generic workarounds for others.

Schneider Update


Schneider published an update for their advisory on the effect of the BlueKeep {Microsoft® RDP vulnerability (CVE-2019-0708)} on a list of their products. They added “Conext Control” to the list of affected products.

Sick Advisory


Sick published an advisory describing a buffer overflow vulnerability in the Sick FX0-GENT00000 and FX0-GPNT00000 safety controllers. The vulnerability was reported by the security-testlab team of Fraunhofer IOSB. Sick has a new firmware version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Yokogawa Advisory


Yokogawa published an advisory describing an unquoted service path vulnerability in a list of their products. This vulnerability is self-reported. Yokogawa has new versions and patches to mitigate the vulnerability.

Bills Introduced – 09-27-19


Yesterday, with just the House still in session (and on its way out the door for a two-week recess), there were 51 bills introduced. One of those may receive additional coverage in this blog:

HR 4552 To amend title 46, United States Code, to provide for the issuance of provisional transportation security cards to veterans who have been honorably discharged from the Armed Forces. Rep. Babin, Brian [R-TX-36] 

Friday, September 27, 2019

HR 3710 Passed in House – Cybersecurity Vulnerabilities


Yesterday the House passed HR 3710, the Cybersecurity Vulnerability Remediation Act, by a voice vote. While there were 12 minutes of debate on the bill, no one spoke against the measure. The bill now goes to the Senate where, if it is taken up, it will probably be considered under their unanimous consent process. No further amendments are expected to this legislation.

HR 4378 Passed in Senate – FY 2020 CR


Yesterday the Senate passed HR 4378, the Continuing Appropriations Act, 2020, and Health Extenders Act of 2019 by a bipartisan vote of 81 to 16. The Senate first took action on an amendment proposed by Sen. Paul (R,KY). That amendment would have reduced the spending rate during the duration of the CR by 2%. That amendment failed by a slightly closer margin of 24 to 73. The bill now goes to the President for signature.

There is an interesting article over at TheHill.com about the current prospects for getting spending bills done before this CR runs out on November 21st, 2019. With the impeachment process having begun, I see little hope that an agreement can be reached on the more controversial programs (the Wall and immigration) so that a DHS spending bill can be passed. I suspect that we will go into 2020 facing a situation similar to the one we saw earlier this year. The only question in my mind is how much of the government will be included in the shutdown this time.

Pundits have been pontificating that the impeachment move by Rep. Pelosi (D,CA) will put an end to legislative efforts in Congress. That is a gross oversimplification {that is what pundits do, as opposed to gadflies like myself (GRIN)}. Controversial legislation will suffer (DHS spending would be a good example), but much of the legislative effort in Congress deals with either uncontroversial matters or matters where little actual action is being taken. Those measures will continue to make their way to the President’s desk.


Bills Introduced – 09-26-19


Yesterday, with both the House and Senate preparing to leave Washington for a two-week recess, there were 114 bills introduced. Four of these bills may see additional coverage in this blog:

S 2556 A bill to amend the Federal Power Act to provide energy cybersecurity investment incentives, to establish a grant and technical assistance program for cybersecurity investments, and for other purposes. Sen. Murkowski, Lisa [R-AK]

S 2580 An original bill making appropriations for the Department of the Interior, environment, and related agencies for the fiscal year ending September 30, 2020, and for other purposes. Sen. Murkowski, Lisa [R-AK]

S 2582 An original bill making appropriations for the Department of Homeland Security for the fiscal year ending September 30, 2020, and for other purposes. Sen. Capito, Shelley Moore [R-WV]

S 2584 An original bill making appropriations for the Departments of Commerce and Justice, Science, and Related Agencies for the fiscal year ending September 30, 2020, and for other purposes. Sen. Moran, Jerry [R-KS]

Thursday, September 26, 2019

HR 4402 Introduced – Inland Waterways Threats


Last week Rep. Lesko (R,AZ) introduced HR 4402, the Inland Waters Security Review Act. The bill would require DHS to report to Congress on the current and potential threats to the United States posed by individuals and groups seeking to enter the US via inland waterways.

Threat Analysis


In preparing for the report to Congress, DHS would be required to conduct a threat analysis that includes {§3(a)}:

Current and potential terrorism and criminal threats posed by individuals and groups;
Security challenges at United States inland waters ports;
Security mitigation efforts with respect to the inland waters; and
Vulnerabilities related to cooperation between State, local, Tribal, and territorial law enforcement, or international agreements, that hinder effective security, counterterrorism, anti-trafficking efforts, and the flow of legitimate trade with respect to inland waters.

Moving Forward


Lesko is the Ranking Member of the Transportation and Maritime Security Subcommittee of the House Homeland Security Committee to which this bill was assigned for consideration. This means that she is likely influential enough to have this bill considered in Committee. Since this is a ‘report to Congress’ bill, there is nothing in the bill that should engender any significant opposition. If the bill were considered in Committee or moved to the floor of the House, I suspect that it would receive significant bipartisan support.

Commentary


It is clear from the language that Lesko is looking for information concerning persons and material entering the US via the inland waterways. For instance, in the paragraph referencing security challenges, the bill specifies {§3(a)(2)} that the analysis look at:

Terrorism and instruments of terror entering the United States; and
Criminal activity, as measured by the total flow of illegal goods and illicit drugs, related to the inland waters.

These concerns are certainly important and worthy of analysis and reporting. The bill, however, appears to ignore completely the need for analysis of the potential for attacks against inland waterway infrastructure or critical facilities existing along the shoreline of inland waterways. To be fair, there is one brief mention {§3(a)(1)(B)} of the need to look at people or groups seeking to “exploit security vulnerabilities on inland waters.” But, given all of the other references to ‘entering’ and ‘total flow’, the impression is clear that Lesko is concerned with inland waterways as a route into the country (a seriously legitimate concern), not with waterways as critical infrastructure.

This could be remedied by inserting a new §3(a)(1)(B) between the two existing sub-paragraphs that would read:

“(B) attack critical infrastructure of, and/or along, inland waterways, or”

There is one odd administrative matter in this bill that provides some insight into the intra-committee conflicts in the House. In the definition of ‘appropriate Congressional Committees’ {§2(1)} three committees are listed:

The Homeland Security Committee of the House of Representatives;
The Homeland Security and Government Affairs Committee of the Senate; and
The Commerce, Science, and Transportation Committee of the Senate.

Presumably the Senate CS&T Committee was added because of its oversight of the Coast Guard, the agency which would presumably provide most of the information and analysis required for the report. The Committee which is responsible for that in the House is the Transportation and Infrastructure Committee. Failure to include that Committee in the definition is part and parcel of the ongoing attempt by the Homeland Security Committee (under both Republican and Democratic leadership) to solidify its place as the sole arbiter of security oversight in the House. While I agree that there is just too much splitting of security oversight in both bodies, the inclusion of the Senate transportation oversight body and not the House committee is just petty.

TWIC Reader Rule Delay Rule Sent to OMB


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received from the Coast Guard their final rule on the delay of the Transportation Workers Identification Credential (TWIC) Reader Rule, delaying the effective date for certain facilities that handle certain dangerous cargoes (CDCs) in bulk or receive vessels carrying CDCs in bulk. This rule has nothing to do with the current system-wide delay in that rule pending a report to Congress on the effectiveness of the TWIC program.

The NPRM for this rule was published in June of 2018.

Wednesday, September 25, 2019

Senate Passes HR 1158 – Cyber Hunt Teams


Yesterday the Senate amended and then adopted HR 1158, the DHS Cyber Hunt and Incident Response Teams Act, by unanimous consent. The amendment substituted the language from S 315 that was reported favorably by the Senate Homeland Security and Governmental Affairs Committee. The amendment restored provisions requiring an ‘entity requesting action by or technical assistance from’ the National Cybersecurity and Communications Integration Center (NCCIC) to approve the use of private sector cybersecurity specialists in the cyber hunt team providing assistance.


The bill authorizes the current US-CERT and ICS-CERT action teams and provides for the use of private sector contractors on those teams.

The bill now goes back to the House for action on the amendment. I suspect that the House will agree to the slightly different wording, perhaps this week. The House passed the original version of the bill by a voice vote.

Tuesday, September 24, 2019

Committee Hearings – Week of 09-22-19


This week, with both the House and Senate in session (but preparing for a 2-week break), there is a full slate of politically oriented hearings slated in the House, and the Senate Appropriations Committee will try to address some additional spending bills. Two markup hearings this week (one on each side of the Capitol) will look at bills covered in this blog.

Senate Spending Bills – Markups


The Senate Appropriations Committee will try to get four spending bills reported to the Senate this week:

Interior, Environment, and Related Agencies (IER) – Subcommittee – Tuesday;
Commerce, Justice, Science, and Related Agencies (CJS) – Subcommittee – Tuesday;
DHS – Subcommittee – Tuesday;
IER, CJS, DHS, and Legislative Branch – Full Committee – Thursday

I suspect that the IER and CJS bills may be successfully reported, but the DHS bill (because of ‘the Wall’ and immigration) is at the heart of the controversy holding up Senate consideration of spending bills. I really do not expect the Committee to report a DHS spending bill.

Markup Hearings


On Wednesday the House Homeland Security Committee will hold a markup hearing on three bills:

HR 1975, the Cybersecurity Advisory Committee Authorization Act of 2019
HR 4432, the Protecting Critical Infrastructure Against Drones and Emerging Threats Act
HR ____, the National Commission on Online Platforms and Homeland Security Act

HR 4432 has not yet been published, either by the GPO or the Committee, and the final bill has not yet been introduced (expected today?).

With only three bills on the agenda, we may see some amendments offered and very briefly discussed, but none have yet been published on the hearing page.

On Wednesday the Senate Energy and Natural Resources Committee will hold a markup hearing covering 21 bills, including:

S 2095, the Enhancing Grid Security through Public-Private Partnerships Act;
S 2333, the Energy Cybersecurity Act of 2019; and
HR 1420, the Energy Efficient Government Technology Act

On the Floor


As I mentioned yesterday, the House is scheduled to take up HR 3710, the Cybersecurity Vulnerability Remediation Act on Wednesday. It will likely pass with significant bipartisan support, but I will be surprised if it is taken up in the Senate this year.

There is a good chance that the Senate could take up HR 4378, the continuing resolution that was passed last week. That bill would extend the current funding rate for the federal government through November 21st. It would be taken up under the unanimous consent process, and I suspect that Sen. McConnell (R,KY) would want to try to do that as soon as possible. That would leave room for the House to come up with a ‘cleaner’ CR if there is an objection to the bill in the Senate. The Senator to watch will be Sen. Paul (R,KY).

Monday, September 23, 2019

HR 3710 Reported in House – Cybersecurity Vulnerabilities


Last month the House Homeland Security Committee published their report on HR 3710, the Cybersecurity Vulnerability Remediation Act. The Committee held their markup hearing back in July and ordered the bill reported without amendment. The bill is currently scheduled for consideration under the House suspension of the rules process on Wednesday. There will be limited floor debate, no amendments may be offered from the floor and a supermajority is required for passage.

Commentary


The Committee did not deal with the copyright issue or software ownership issue that I mentioned in my blog post on the introduction of the bill. This means that any mitigation measures that the Cybersecurity and Infrastructure Security Agency publishes as a result of this bill will have to be limited to the generic measures that CISA already includes in the control system security advisories published by NCCIC-ICS. CISA is not going to be able to publish any true ‘hacks’ of the affected software or firmware because of these issues, and the bill would do nothing to provide liability protection for owners or users that would use such ‘hacks’ even if reported by CISA.

Making changes to the software, owned in most cases by the vendor, not the facility in which the software operates, could be held to be a violation of 18 USC 1030(a)(5)(A) for CISA or any researcher providing a software ‘hack’ to CISA, or a violation of 18 USC 1030(a)(5)(C) for facility owners that applied such a software hack to their systems.

So again, we have Congress taking action to solve a cybersecurity problem that is really no action at all. There is a potential (but very unlikely) way for the House to correct this bill, even under the suspension of the rules process. Under a motion to reconsider after passage, the bill could be sent back to the Homeland Security Committee with direction to offer an amendment. That amendment would read:

On page 4, line 21; insert “(a)” before “The director”;
On page 5, line 2; delete the period after “dor” and insert a colon;
On page 5, after line 2; insert:
“(b) Notwithstanding 18 USC 1030(a)(5), the publication by CISA of any mitigation measure that changes the programming of a computer or device to provide a mitigation measure as described in (a) is not considered to be a fraud-related activity as defined in §1030; and
“(c) Notwithstanding 18 USC 1030(a)(5), the use of a mitigation measure described in (b) by a government agency or private entity to mitigate a vulnerability defined in (a) is not considered to be a fraud-related activity as defined in §1030.”
On page 6, line 15; insert “(a)” before “The Under”;
On page 6, line 23; delete the period at the end and insert “; and”
On page 6, after line 23; insert:
“(b) Notwithstanding 18 USC 1030(a)(5), the submission to CISA of suggested changes to the affected software to mitigate an identified vulnerability as part of the program described in (a) is not considered to be a fraud-related activity as defined in §1030.”

I do not really expect that this would happen, but I can always be surprised by congresscritters. More likely such changes would have to be undertaken in the Senate Homeland Security Committee if/when they mark up HR 3710 after it passes in the House, but before it is considered under the unanimous consent process in the Senate. Again, I would not really expect that to happen. It would be too much like actually trying to accomplish something.

Sunday, September 22, 2019

HR 4217 Introduced – State Cybersecurity Grants


Last month Rep. Katko (R,NY) introduced HR 4217, the State and Local Cybersecurity Improvement Act. The bill would add two grant programs for State and local government cybersecurity programs, including supporting State cybersecurity exercises.

Supporting Requirements


Section 2 of the bill would add three new sections to the Homeland Security Act of 2002 under the Cybersecurity and Infrastructure Security Agency (CISA) part (6 USC 651 et seq). Section 2115 would require the DHS Cybersecurity and Infrastructure Security Agency to develop a “resource guide for use by State, local, and Tribal officials, including law enforcement officers, to help such officials prepare for, protect against, respond to, recover from, and mitigate against cyber-attacks”.

Grant Programs


Section 2116 would require CISA to establish a grant program for “State and local governments to identify high value assets and critical system architecture in order to assess cybersecurity risks” {new §2116(a)}. The bill would appropriate “$5,000,000 for each of fiscal years 2020 through 2024” {new §2116(d)}.

Section 2117 would require CISA to establish a second grant program for “grants to State and local governments to conduct tabletop and live training exercises to assess the capability of the State or local government to respond to a cyberattack” {§2117(a)}. The bill would appropriate “$5,000,000 for each of fiscal years 2020 through 2024” {§2117(d)}.

Moving Forward


Katko is the Ranking Member of the Cybersecurity, Infrastructure Protection, & Innovation Subcommittee of the House Homeland Security Committee to which this bill was assigned for consideration. There is no doubt that he has enough influence to see this bill considered in Committee.

While the inclusion of new appropriations is typically a bad sign for support in legislation (the money has to come from somewhere), the recent spate of cyber attacks on cities across the country may lend a level of support necessary to overcome the reluctance to appropriate new money.

Commentary


There is a serious lack of detail in the grant programs being established in this bill. The only requirements for grant submissions are that the potential grantee provide a description of how the State or local government plans to allocate grant funds and document budget support for the program with 20% non-grant funding. Typically, grant authorization language provides a list of programs or activities that the grant monies could be applied to. The generic, one-sentence grant purposes outlined in the legislation would cover a wide variety of State and local government cybersecurity activities.

The one definition that is provided in this bill (by reference) is that of ‘cybersecurity risk’. That definition is taken from the CISA authorization and is focused strictly on information systems, and that definition relies on the IT-restrictive definition of ‘information systems’ in 44 USC 3502(8). This means that State and local governments would not be able to use the grant monies for control systems like traffic control systems, building maintenance systems or security systems, or even for municipal water treatment, waste-water treatment or power generation systems.

This goes back to the problems with the definitions of the CISA authorization language. I addressed this problem in a detailed blog post on cybersecurity definitions last February. It would be too much to expect a bill on cybersecurity grants to address all of the definition problems from the CISA authorization. To correct the problem in this bill we can simply add a new identical subsection in each of the three sections proposed in this bill:

(a) Definitions – In this section:

(1) the term ‘control system’ means a discrete set of information resources, sensors, communications interfaces and physical devices organized to monitor, control and/or report on physical processes, including manufacturing, transportation, access control, and facility environmental controls;

(2) the term ‘cyber-attack’ means any action that actually or imminently jeopardizes, without lawful authority:

(A) the integrity, confidentiality, or availability of information on an information system,

(B) the timely availability of accurate process information, the predictable control of the designed process or the confidentiality of process information, or

(C) an information system or a control system;

(3) the term ‘cybersecurity risk’ means:

(A) threats to and vulnerabilities of information, information systems, or control systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information, information systems, or control systems, including such related consequences caused by an act of terrorism; and

(B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;

Then, I would suggest the following change to the proposed §2216:

“(a) IN GENERAL.—The Director shall establish a State and local government cybersecurity initiative to make grants to State and local governments to identify high value [struck: assets and critical system architecture] information systems and control systems in order to assess cybersecurity risks (as such term is defined in section 2209).” In identifying high value systems, governments should consider identifying:

(1) Information systems that include systems that:

(A) contain large amounts of personally identifiable information (as defined in 2 USC 200.79);

(B)  are critical to operations of public safety agencies; or

(C) affect the safe operations of schools, prisons, or large public venues;

(2) Control systems that include:

(I) traffic control systems;

(II) building security systems and/or building maintenance systems for government offices, schools, courts, prisons or large public venues; or

(III) operating systems for public water systems (as defined in 42 USC 300) or treatment works (as defined in 33 USC 1292).

Saturday, September 21, 2019

HR 4378 Passes in House – FY 2020 CR


On Thursday the House passed HR 4378, the FY 2020 continuing resolution by a somewhat bipartisan vote of 301 to 123. The bill was debated in the House for 42 minutes, but not a single voice was raised in opposition to the bill. The bill will probably be taken up in the Senate next week.

As I noted in an earlier post, this relatively lengthy ‘clean CR’ appears to have been negotiated to acceptance with the approval of the Senate leadership. It remains to be seen if there will be enough Republican votes for the bill in the Senate to push the bill to the floor for consideration. The lack of any speechified opposition to the bill in the House probably indicates that most of the votes were pro forma opposition to a CR and not a stand for a shut-down of the federal government.

The big question remains: will Trump sign the bill if it is presented to him? The answer to that will have to wait until he makes his final decision when the bill actually lands on his desk. Trump’s political capriciousness is becoming legendary.

Public ICS Disclosures – Week of 09-14-19


This week we have three vendor disclosures for products from WAGO and Honeywell (2).

WAGO Advisory


CERT.VDE published an advisory describing an external control of path name or file vulnerability in the WAGO Series PFC100 and Series PFC200 controllers. The vulnerability was reported by Nico Jansen of Fachhochschule Aachen. WAGO has new firmware to mitigate the vulnerability. There is no indication that Jansen has been provided an opportunity to verify the efficacy of the fix.

Honeywell Advisories


IP Camera DoS Advisory

Honeywell published an advisory [.PDF download link] describing a denial of service vulnerability in their equIP® Series Cameras. The vulnerability is apparently self-reported. Honeywell has a firmware update that mitigates the vulnerability.

IP Camera Replay Attack Advisory

Honeywell published an advisory [.PDF download link] describing a replay attack vulnerability in their equIP® Series Cameras, Performance Series Cameras, as well as some of their video recorders. The vulnerability is apparently self-reported. Honeywell has a firmware update that mitigates the vulnerability.

NOTE: Honeywell has an interesting feature in their advisories. They actually list the skills that an attacker would need to have in order to exploit the vulnerability.

Bills Introduced – 09-20-19


Yesterday with just the House in session, there were 34 bills introduced. Of those, one may receive additional attention in this blog:

HR 4432 To require the Department of Homeland Security to prepare a terrorism threat assessment relating to unmanned aircraft systems, and for other purposes. Rep. Richmond, Cedric L. [D-LA-2]

Friday, September 20, 2019

S 2402 Introduced – Flammable Liquids by Rail


Last month Sen. Wyden (D,OR) introduced S 2402, the Crude Oil Advance Tracking (COAT) Act. The bill would establish notification requirements for flammable liquid rail shipments and insurance requirements for those shipments. It would also establish two grant programs for emergency response planning and training first responders for accidents involving those rail shipments.

Route Notification


Section 2 of the bill would amend 49 USC 20155, adding a new subsection (c). The bill would require railroads transporting railcars containing Class 3 flammable liquids to “notify all State and tribal emergency response commissions with jurisdiction along the path through which such liquids will be transported of such transportation not later than 24 hours after the shipment is tendered” {new §20155(c)}. The report would include:

The number of gallons of each Class 3 flammable liquid;
The city and State from which the tank cars departed and the date and time of such departure;
The city and State to which the tank cars will arrive and the date and time of such anticipated arrival; and
The location, date, and time of all crew changes between those two locations.

Insurance Reporting


Section 3 of the bill would amend 49 USC 20901, adding a new subsection (c). The bill would require railroads to perform annual reporting on their ability, “through insurance payments or other assets, to pay all costs of cleaning up a reasonable, worst-case spill, which shall be calculated by multiplying the reasonable anticipated per-barrel cleanup costs by the reasonable worst case spill volume” {new § 20901(c)(1)}.

Preparedness Training


Section 3 of the bill would amend 49 USC 5115(b)(1), inserting a new subparagraph (B). It would require DOT to provide a “recommended course of study and emergency supplies to train public sector employees and contractors to respond to an accident or incident involving trains transporting at least 20 tank cars of flammable liquids or gases”.

Section 6 of the bill would amend 49 USC 5116, modifying the current requirements for State hazmat emergency response training grants. The bill would modify the current reference to ‘hazardous material’ in subsections (a)(1)(C) and (a)(2) to specifically include “flammable liquids or gasses”. It would then add a new subparagraph to §5116(a)(3)(C) requiring States and Indian Tribes accepting emergency response training grants to agree to make “at least 90 percent of the amount of the grant received to carry out the purpose described in subparagraph (B) [emergency response training] in fiscal years 2020, 2021, and 2022 to local emergency planning committees established under section 301(c) of the Emergency Planning and Community Right-To-Know Act of 1986 (42 U.S.C. 1101(c)) to develop emergency plans under such Act”. In subsequent years the amount would be 75%.

Emergency Response Planning Grants


Section 5 of the bill would also amend 49 USC 5116, adding a new §5116(a)(1)(D). This new subparagraph would require DOT to make grants to States and Indian Tribes to help them “develop, improve, and carry out emergency plans for communities through which railroads transport a train or trains transporting flammable liquids or gases”. It would also apply the LEPC provision described above to emergency response planning grants.

Track Relocation Grants


Section 7 of the bill would require DOT to establish a “grant program to provide financial assistance for local projects, activities, and personnel that mitigate the impacts of, and public health or environmental risks associated with, the transport of flammable liquids or gases by rail” {§7(b)}.

Authorization of Funds


Section 8 of the bill authorizes the appropriation of $15 million for the training and planning grants in 49 USC 5116(a), including the new grants described in this bill. It also authorizes $25 million for the track relocation grant program established by this bill.

Moving Forward


Wyden is not a member of the Senate Commerce, Science, and Transportation Committee to which this bill is assigned for consideration. This makes it unlikely that the bill will be taken up by that Committee. The spending authorizations included in the bill also limit the likely consideration of the bill. Finally, I would expect significant opposition from Committee Republicans to the notification requirements in the bill.

Commentary


WOW, there are just so many things wrong with the crafting of this bill that I suspect that Wyden’s staff had little to do with its development. In §2(b) of the bill, for instance, there is a requirement for DOT to publish a report using information provided by State emergency response commissions that the bill never requires the States to compile or submit. Later in the same section DOT is required to share information provided under the new 49 USC 20155(c) with State and local officials, information that the new language requires the railroad to supply to State and local officials, not to DOT. The same information sharing requirement is applied to PHMSA for a pipeline safety code section that does not include the referenced subsection {49 USC 60108(f)}. And, the track relocation grants section of the bill references 49 USC 20154, which was repealed in 2015. This is just sloppy legislative craft.

Okay, now to the substance issues.

I kind of like the idea behind the notification requirements in §2 of the bill, but LEPCs are not really set up to be agencies dealing with real-time hazard notifications; they are planning organizations. The requirements in §2 also show that Wyden has never dealt with railroads on an operational basis, as the section completely ignores the fact that long distance freight rail traffic is seldom scheduled this thoroughly, especially when traffic has to transit rail lines owned by multiple railroads. And the big item missing in this section is any requirement to report delays en route where the railcars are just sitting on rail sidings waiting for the next stage of their journey. While standing railcars are a minimal derailment threat, they are an easier target for terrorist attack than moving trains.

There have been a number of attempts over the last ten years or so to set up requirements for railroads to provide emergency response personnel with timely information about hazmat rail shipments. Beyond the problems on the railroad side of the equation about advance knowledge of where a railcar will be along the entire length of its journey, there is a bigger problem caused by the fractured nature of emergency response agencies in this country. There are just too many fire departments, and too many of them do not have the full time staffing necessary to handle the notification process. And, let’s face it, railroads are generally safe enough that any notifications are going to end up being ignored in any case.

The provisions in this bill for the training and planning grants are a good starting point for future discussions about this issue. Having said that, I do not see any specific need to highlight flammable liquids and gases when there is already a generic requirement for hazardous materials. The idea of funneling emergency response planning grants through LEPCs has a certain amount of justification (since there are no existing federal funding mechanisms for these agencies), but the requirements in this bill ignore the fact that not all areas have LEPCs, especially rural areas that do not have significant chemical manufacturing facilities. Even where LEPCs do exist, they may not be the most appropriate local agency to conduct emergency response planning for rail incidents.

Fortunately, this poorly crafted bill is unlikely to do more than promote Wyden’s re-election campaign.

Bills Introduced – 09-19-19


Yesterday with both the House and Senate in session, there were 65 bills introduced. Four of these are likely to see further attention in this blog:

HR 4402 To require the Secretary of Homeland Security to conduct an inland waters threat analysis, and for other purposes. Rep. Lesko, Debbie [R-AZ-8]

S 2250 An original bill making appropriations for the Departments of Transportation, and Housing and Urban Development, and related agencies for the fiscal year ending September 30, 2020, and for other purposes. Sen. Collins, Susan M. [R-ME] 

S 2522 An original bill making appropriations for Agriculture, Rural Development, Food and Drug Administration, and Related Agencies for the fiscal year ending September 30, 2020, and for other purposes. Sen. Hoeven, John [R-ND]

S 2524 An original bill making appropriations for financial services and general government for the fiscal year ending September 30, 2020, and for other purposes. Sen. Kennedy, John [R-LA] 

HR 4402’s threat assessment would certainly be of interest to MTSA covered facilities located along those inland waterways.

Thursday, September 19, 2019

1 Advisory and 2 Updates Published – 09-19-19


Today the DHS NCCIC-ICS published one control system security advisory for products from Tridium and updates to two previously published advisories for products from WECON and Rockwell.

Tridium Advisory


This advisory describes two third-party vulnerabilities in the Tridium Niagara product. The vulnerabilities are in the Blackberry QNX operating system. The vulnerabilities were reported by Johannes Eger and Fabian Ullrich of Secure Mobile Networking Lab, and Francisco Tacliad. Tridium has updates that mitigate the vulnerabilities. There is no indication that the researchers have been provided the opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

Information exposure - CVE-2019-8998; and
Improper authorization - CVE-2019-13528

NCCIC-ICS reported that a relatively low-skilled attacker with local access could exploit the vulnerabilities to allow a local user to escalate their privileges.

NOTE: Blackberry has published an advisory on the first vulnerability.

WECON Update


This update provides additional information on an advisory that was originally published on February 5th, 2019. The new information includes updated affected versions and mitigation information.

Rockwell Update


This update provides additional information on an advisory that was originally published on August 1st, 2019 and then updated on 09-05-19. The new information is the addition of a new vulnerability: access of uninitialized pointer - CVE-2019-13527.

NOTE: The updated Rockwell security advisory reports that kimiya of 9SG Security Team has reported 7 additional vulnerabilities, bringing the total to 15 for the Rockwell Arena Simulation Software.



Bills Introduced – 09-18-19


Yesterday with both the House and Senate in session there were 48 bills introduced. One of those bills will receive additional attention in this blog:

HR 4378 Making continuing appropriations for fiscal year 2020, and for other purposes. Rep. Lowey, Nita M. [D-NY-17]

This 43-page bill is the ‘clean continuing resolution’ that the House leadership is proposing to use to continue funding for the federal government (at the current funding rate) until November 21st, 2019. The House Rules Committee was originally scheduled to take up ‘the bill’ on Tuesday, but that was canceled when it became apparent to the leadership that the Senate Republicans would have significant objections to some of the provisions of the bill. Presumably, an agreement has been reached that HR 4378 is ‘acceptable’ to the Senate leadership (and the President? No one knows for sure about that).

The Rules Committee will take up the bill this morning and provisions were made in H Res 558 (§3) to allow for consideration of the bill on the same day as the rule was adopted by the Rules Committee. Same day consideration of bills is not normally allowed by House rules.

OOOPS - Corrected date in post title to reflect date the bills were introduced - 09-20-19 0630 EDT

Wednesday, September 18, 2019

S 2470 Introduced – FY 2020 EWR Spending


Last week Sen. Alexander (R,TN) introduced S 2470, the Energy and Water Development and Related Agencies Appropriations Act, 2020. Like the House bill (HR 2960), S 2470 provides specific funding for Cybersecurity, Energy Security, and Emergency Response (CESER, pg 90) and the Appropriations Committee Report includes specific DOE cybersecurity funding.

CESER and Cybersecurity


The Senate bill would fund CESER at $179 million, $29 million higher than the House bill. Of that spending the Committee targets $96 million for Cybersecurity for Energy Delivery Systems. From those monies the Committee requests DOE spend $10 million on the DarkNet project and $7 million for Consequence-driven Cyber-informed Engineering.

Finally, the Report recommends continued funding for the two following programs at $3 million for each program:

DE–OE–00000807, “Improving the Cyber and Physical Security Posture of the Electric Sector”; and
DE–OE–0000811, “Improving the Cyber Resiliency and Security Posture of Public Power”

Moving Forward


Again, as with S 2474, this bill will not see consideration as a stand-alone bill. The language will be substituted for Division E of HR 2740 as it starts the consideration process today.

Tuesday, September 17, 2019

S 2474 Introduced – FY 2020 DOD Spending


Last week Sen. Shelby (R,AL) introduced S 2474, the Department of Defense Appropriations Act, 2020. The bill was reported favorably by the Senate Appropriations Committee. There are no significant mentions of cybersecurity within the bill, but the Committee does include mentions of a number of cybersecurity programs within their Report.

Cybersecurity Training


The need to ensure an adequate supply of cybersecurity expertise continues to concern the Committee. On pages 226-7 the Committee outlines spending on three initiatives to address this concern:

$12 million increase in funding for the National Centers for Academic Excellence Cyber Defense program;
$25 million for a workforce development pilot program that would offer certificate-based courses through the Centers for Academic Excellence in cybersecurity and artificial intelligence; and
$10 million for Department of Defense Cyber Institutes to award scholarships, student and research support, and a K–12 cyber education program

On page 229 the Committee expresses its disappointment with “continued weaknesses in the Department of Defense’s cyber posture, to include challenges in the recruitment and retention of qualified cyber talent”. The Committee would allocate $1.5 million “to develop a program that identifies university partners and a structure to award scholarships to build a certified cyber defense workforce.”

Control System Security


Industrial control system security gets special mention in the Committee Report. On page 228 the Report notes that: “the Committee recommends $10,000,000 for industrial control systems cyber security solutions for key Department of Defense installations critical to homeland defense and overseas operations, with special emphasis on the Cheyenne Mountain Complex.”

Counter UAS Research


With the unmanned aircraft system threat reaching public notice through the reported attack on Saudi oil targets, the Committee presciently addressed the issue on page 212. They note that “countering UAS operations presents a special series of unmet communications, command and control, cyber, and computation and intelligence challenges at the tactical edge.” The Committee encourages the Air Force Research Laboratory Information Directorate “to continue research and development into the detection and countering of UAS using advanced technologies to facilitate geo-location detection, determine individual and swarm behavior, dissect swarms to identify critical nodes, situational awareness, and mission intent.”

While this research is directed at DOD tactical concerns, the lessons learned and at least some of the techniques, tactics and equipment will find use in domestic counter UAS operations once Congress deals with the legal issues related to those operations.

Moving Forward


This bill does not look like it will make it to the floor of the Senate as a stand-alone bill. The language will almost certainly show up as a proposed amendment to HR 2740 when (IF) it is considered on the floor of the Senate.

3 Advisories Published – 09-17-19


Today the DHS NCCIC-ICS published three control system security advisories for products from Honeywell, Siemens and Advantech.

Honeywell Advisory


The advisory describes an information exposure vulnerability in the Honeywell Performance IP Series cameras and Performance Series NVRs. The vulnerability was reported by Ismail Bulbil. Honeywell has an update that mitigates the vulnerability. There is no indication that Bulbil has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to view device configuration information.

NOTE 1: The Honeywell advisory for this vulnerability was published on April 30th, 2019. Two additional advisories were published last Friday. I will discuss these on Saturday unless NCCIC-ICS publishes their advisories later this week.

NOTE 2: The link to the Honeywell advisory in this advisory does not work.

Siemens Advisory


The advisory describes four vulnerabilities in the Siemens SINEMA Remote Connect Server. The vulnerabilities were reported by Hendrik Derre and Tijl Deneut from HOWEST. Siemens has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

Improper restriction of excessive authentication attempts - CVE-2019-13918;
Information exposure - CVE-2019-34623;
Cross-site request forgery - CVE-2019-13920; and
Use of password hash with insufficient computational effort - CVE-2019-13922

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerabilities to allow an attacker unauthorized access to the web interface, improper access to privileged user and device information, and may allow successful CSRF attacks.

NOTE: I briefly reported on these vulnerabilities last Saturday.

Advantech Advisory


The advisory describes four vulnerabilities in the Advantech WebAccess HMI platform. The vulnerabilities were reported by Peter Cheng of Elextec Security Tech. Co., and Mat Powell of the Zero Day Initiative. Advantech has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

Code injection (2) - CVE-2019-13558, and CVE-2019-13552;
Stack-based buffer overflow - CVE-2019-13556; and
Improper authorization - CVE-2019-13550

Committee Hearings – Week of 09-17-19



This week with both the House and Senate in session and the end of the fiscal year fast approaching, spending bills are the main topic of interest. The Senate attempts to take up the first minibus while crafting spending bills and the House introduces a continuing resolution.

HR 2740 in the Senate


Yesterday the Senate began the process to begin debating HR 2740, the first minibus spending bill passed by the House. No amendments have been submitted yet (will start today) so I cannot yet tell how the Republican Senate intends to deal with the fact that they have no committee reported language to substitute for the Democratic House language for the LHHE and State portions of the bill.

The first cloture vote (to start debate on the bill) is scheduled for Wednesday. We may not see the 60 votes necessary to start that debate. If that happens it is very unlikely that we will see any of the minibus spending bills making their way to the President’s desk. In any case a CR will be necessary.

CR in the House


The House Rules Committee will meet today to take up a ‘clean’ continuing resolution that will reportedly extend the current spending until November 21st. No actual language is currently available for review.

Three Spending Bills in Committee


The Senate Appropriations Committee will take up three additional spending bills this week. The subcommittee markup hearings will be held on Tuesday:

Transportation, Housing and Urban Development, and Related Agencies (THUD);
Agriculture, Rural Development, Food and Drug Administration, and Related Agencies (ARF); and
Financial Services and General Government

On Thursday the full Committee will take up whichever spending bills are adopted by the Subcommittees. At this point, which, if any, will be reported remains a guess at best. These three bills would make up about ½ of the second minibus (HR 3055) that the House passed back in June. Presumably the Committee will take up the remaining bills (CJS, IER, Military Construction) next week.

On the Floor


Today the House will take up S 1790, the National Defense Authorization Act for Fiscal Year 2020. The House passed their version of the bill (HR 2500). The House will certainly ‘insist’ on their language and request a conference to work out the differences between the two bills.

The House will likely take up the CR discussed above on Wednesday.

Commentary


Okay, what is a ‘clean CR’? In a non-complicated world (where CRs would never be needed anyway) a ‘clean CR’ would be just a couple of sentences extending the expiration date of the current spending authorization (in this case HJ Res 31). In the real world there are additional add-ons that would extend other expiring programs in the extension of the fiscal year.

Which programs get added is what gets interesting. Non-controversial programs do not endanger passage of the CR. The addition of controversial programs could derail the CR when it gets to the Senate. The line between the two gets more than a little fuzzy and a CR this early in the process could see the Democrats pushing the limit to see what they can get. They do, after all, have another week to come back and try again.

OMB Approves Hazardous Liquid Pipeline Rule – 09-13-19


Last Friday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved, with change, a final rule from DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) for “Pipeline Safety: Safety of Hazardous Liquid Pipelines”. The notice of proposed rulemaking was published in October of 2015.

Once again, it is not possible to predict when DOT will get around to actually publishing this final rule; the Trump administration’s loathing of regulations apparently extends to rules which they write. I guess that you have to admire them for their consistency...

Monday, September 16, 2019

OMB Approves TSA Rail Security ICR Revision


Last week the OMB’s Office of Information and Regulatory Affairs announced that it had approved an information collection request (ICR) from the DHS Transportation Security Agency (TSA) for their Rail Transportation Security ICR (1652-0051). The revision significantly increased the response burden estimate for the ICR and provides some broad insights into this surface transportation security program.

ICR Response Increase


This ICR covers four railroad security reporting requirements under 49 CFR 1580:

Rail Security Coordinator (RSC) information (§1580.101);
Location and shipping information (§1580.103);
Significant security concerns reporting (§1580.105); and
Chain of custody documentation (§1580.107)

The 60-day ICR Notice noted that:

“The total annual burden for this collection is approximately 112,764 hours, which is 67,320 hours higher than the current annual inventory. This change is primarily due to an increase in the number of responses of transfer of custody.”

More detailed information is available from the Supporting Document that TSA submitted to OIRA with this ICR revision [.DOCX download] and the previous ICR update [.DOCX download]. Table 1 below shows the comparative data from the two Supporting Documents.

ICR Response Burden Information              Current ICR    Previous ICR
Rail Security Coordinator Information                475             804
Location and Shipping Information                    655             330
Significant Security Concerns Reporting            4,971           5,475
Chain of Custody Documentation                   107,000          78,000
Table 1: Comparative ICR Response Data

There is no information in the Supporting Documents to indicate why there is a decrease in the estimated number of RSC information submissions.

The ‘location and shipping information’ data is collected during TSA security inspections of railroads. The earlier ICR data was based upon the number of those inspections in FY 2013 (pg 7). The new ICR uses the average of the number of inspections conducted during the FY 2015 through FY 2017 period (pg 8); that number is slightly skewed due to the high number of inspections in 2015 (876). A more appropriate number might be 544; still a significant increase (154%).

The almost 11% decrease in the estimate of ‘significant security concerns reporting’ probably does not reflect a change in the railroad security situation. The earlier ICR used an “approximately 15 reports daily” figure to compute the estimated number of responses. The current ICR uses the average from the last three reporting years (“reports from FY15 (4,529), FY16 (5,210), FY17 (5,145)”; pg 9), and those would average from 13 to 14 daily reports. Daily averages in that range would probably be well within the standard deviation of the data.

TSA breaks the ‘chain of custody documentation’ down into four categories:

Shipment originations;
Placement at Hazmat receiver;
Carrier Interchange inside HTUA (high-threat urban area); and
Carrier Interchange outside HTUA w/path through HTUA

Table 2 shows the estimated reporting data for each of those categories from current and previous ICR support information submissions.

Chain of Custody Documentation                          Current ICR   Previous ICR   % Increase
Shipment originations                                        48,000         18,000       166.7%
Placement at Hazmat receiver                                 12,000         10,000        20.0%
Carrier Interchange inside HTUA                              18,000          6,500       176.9%
Carrier Interchange outside HTUA w/path through HTUA         29,000          4,500       544.4%
Table 2: Estimated Chain of Custody Submissions

TSA provides no data on how these estimates were prepared in either support document. Since the regulation only requires that the above listed chain-of-custody activities must be documented, but not reported to TSA, one has to assume that these estimates are taken from data obtained during TSA inspections of shippers and carriers. Shippers and carriers are only required to retain these chain-of-custody documents for 60 calendar days {§1580.107(h)}, so the TSA data upon which they base this estimate is incomplete at best and, looking at the % increase data that I calculated, statistically unlikely. What is clear, however, is that during whatever period that TSA ‘collected’ the ‘shipment origination’ data, they had stepped up their inspection activities of hazmat shippers and railroads outside of HTUAs.

Electronic Incident Reporting


Currently ‘significant security concerns’ are required to be reported to TSA via telephone. According to the Supporting Document submitted to OIRA on the current ICR revision (pg 2): “TSA is revising the collection to include a proof of concept, to be conducted with 9 railroads, for option to submit significant security concern electronically.” No additional information about the collection format or the electronic process is provided. This electronic submission trial was not mentioned in the 60-day ICR notice, but it was briefly reported in the 30-day ICR notice.

Commentary


I have long complained about the TSA’s implementation of the ICR process. They are notorious for providing inadequate information in their ICR notices. This has made it nearly impossible for the public to reasonably comment upon revisions to the ICR. When I have formally complained about this lack of information in the past in response to TSA ICR notices, I have been informed that the information would be made available when the ICR was submitted to OIRA, and OIRA has accepted this explanation by approving the ICRs in question.

This time TSA has gone one step further and failed to provide adequate information to OIRA explaining changes that have resulted in significant increases in the information collection burden. Simply reporting that increases have happened is clearly inadequate when those changes could only have happened because of the actions of the data collection agency. TSA needs to ensure that they explain why their actions have changed and whether or not that change will continue into the future.

Unfortunately, it is unlikely that anyone (any congresscritters listening?) will take TSA to task for this lack of information. The OMB certainly has demonstrated that they feel no oversight responsibility in the matter.

