Thursday, October 31, 2019

4 Advisories Published – 10-31-19


Today the CISA NCCIC-ICS published four control system security advisories for products from Honeywell (3) and Advantech.

Cameras and Recorder Advisory


This advisory describes an authentication bypass by capture-replay vulnerability in the Honeywell equIP series and Performance series IP cameras and recorders. The vulnerability is self-reported. Honeywell has a firmware update that mitigates the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to gain unauthenticated access.

NOTE: I briefly reported on this vulnerability on September 14th, 2019.
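For readers less familiar with the authentication bypass by capture-replay class named in this advisory, the following is an added illustration written for this post; it is not Honeywell's code and says nothing about how the camera firmware works. It contrasts a fixed login token, which any captured value unlocks forever, with a single-use nonce challenge/response in which a captured answer is rejected on replay. The shared key, the client helper and the demo() function are assumptions of the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed shared secret for this illustration only.
SHARED_KEY = b"example-camera-secret-not-a-real-credential"

# --- Flawed pattern: a fixed credential token on the wire -----------------
# Whoever captures this value once can present it again at any time.
STATIC_TOKEN = hashlib.sha256(SHARED_KEY).hexdigest()

def static_token_login(presented: str) -> bool:
    """Accepts the same token forever; a captured token replays cleanly."""
    return hmac.compare_digest(STATIC_TOKEN, presented)

# --- Replay-resistant pattern: single-use nonce challenge/response --------
def client_answer(key: bytes, nonce: str) -> str:
    """What a legitimate client sends: an HMAC over the server's nonce."""
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()

class ChallengeResponseServer:
    """Server side of a nonce-based login.

    Each nonce is issued once, expires after nonce_ttl seconds and is
    consumed on first use, so a captured (nonce, answer) pair is refused
    when it is presented a second time."""

    def __init__(self, key: bytes, nonce_ttl: float = 30.0):
        self._key = key
        self._ttl = nonce_ttl
        self._pending: Dict[str, float] = {}  # nonce -> issue time

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._pending[nonce] = time.monotonic()
        return nonce

    def verify(self, nonce: str, answer: str) -> bool:
        # pop() consumes the nonce: a second presentation finds nothing.
        issued_at: Optional[float] = self._pending.pop(nonce, None)
        if issued_at is None:
            return False  # unknown or already-consumed nonce (replay)
        if time.monotonic() - issued_at > self._ttl:
            return False  # stale challenge
        expected = client_answer(self._key, nonce)
        return hmac.compare_digest(expected, answer)

def demo() -> Dict[str, bool]:
    """One legitimate login plus replay and forgery attempts per scheme."""
    # Static token: the captured value is accepted again.
    captured = STATIC_TOKEN
    static_replay = static_token_login(captured)

    server = ChallengeResponseServer(SHARED_KEY)
    nonce = server.challenge()
    answer = client_answer(SHARED_KEY, nonce)
    legitimate = server.verify(nonce, answer)   # fresh nonce: accepted
    replay = server.verify(nonce, answer)       # same pair again: refused
    forged = server.verify(server.challenge(), "00" * 32)  # no key: refused
    return {
        "static_token_replay_accepted": static_replay,
        "nonce_login_accepted": legitimate,
        "nonce_replay_accepted": replay,
        "nonce_forgery_accepted": forged,
    }

if __name__ == "__main__":
    print(demo())
```

The point of the design is that the secret never crosses the wire and the server-side state (the pending nonce) is what makes each exchange unique; a device that instead compares a constant credential string has nothing to distinguish the original login from a recording of it.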

Cameras Advisory


This advisory describes a missing authentication for critical function vulnerability in the Honeywell equIP series and Performance series IP cameras. The vulnerability is self-reported. Honeywell has a firmware update that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability, which could result in unauthenticated access.

equIP Advisory


This advisory describes an improper input validation vulnerability in the Honeywell equIP series IP cameras. This vulnerability is self-reported. Honeywell has a firmware update that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to result in a denial of service.

NOTE: I briefly reported on this vulnerability on September 14th, 2019.

Advantech Advisory


This advisory describes four vulnerabilities in the Advantech WISE-PaaS/RMM IoT device remote monitoring and management platform. The vulnerabilities were reported by rgod of 9sg Security Team and trendytofu via the Zero Day Initiative (ZDI). The product is out-of-support and Advantech recommends replacing the product with EdgeSense and DeviceOn.

The four reported vulnerabilities are:

Path traversal - CVE-2019-13551;
Missing authorization - CVE-2019-13547;
Improper restriction of an XML external entity reference - CVE-2019-18227; and
SQL injection - CVE-2019-18229

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow information disclosure, remote code execution, and compromise of system availability.
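Two of the four classes in the Advantech list, path traversal and SQL injection, are easy to show side by side from the defender's chair. The block below is an added example written for this post, not WISE-PaaS/RMM code and not a description of how that product fails: a file-name resolver that refuses any request escaping its base directory, and a user lookup written once with string formatting (the injectable pattern) and once with a bound parameter. The base directory, the table and its rows are constructed for the example.

```python
import sqlite3
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Constructed base directory for the example; it need not exist on disk.
BASE_DIR = "/srv/example-rmm/files"

# --- Path traversal --------------------------------------------------------
def resolve_inside(base_dir: str, requested: str) -> Optional[Path]:
    """Map a client-supplied name onto base_dir, or return None.

    The candidate is normalised first (".." segments and symlinks collapsed)
    and only then required to lie under base_dir. Checking after resolve()
    is what defeats "../" sequences that a plain string-prefix test misses."""
    base = Path(base_dir).resolve()
    candidate = (base / requested.lstrip("/")).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None  # escaped the directory: refuse the request
    return candidate

# --- SQL injection ---------------------------------------------------------
def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    return conn

def find_user_injectable(conn: sqlite3.Connection,
                         name: str) -> List[Tuple[int, str]]:
    """Vulnerable pattern: the input is spliced into the statement text."""
    return conn.execute(
        f"SELECT id, name FROM users WHERE name = '{name}'").fetchall()

def find_user_parameterized(conn: sqlite3.Connection,
                            name: str) -> List[Tuple[int, str]]:
    """Hardened pattern: the input is bound as a value, never parsed as SQL."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()

def demo() -> Dict[str, object]:
    """Run both checks against a hostile and a benign input."""
    hostile_path = "../../etc/passwd"
    benign_path = "reports/2019-10.csv"
    hostile_name = "' OR '1'='1"   # classic tautology payload
    conn = make_db()
    return {
        "traversal_refused": resolve_inside(BASE_DIR, hostile_path) is None,
        "benign_path_allowed": resolve_inside(BASE_DIR, benign_path) is not None,
        "injectable_rows": len(find_user_injectable(conn, hostile_name)),
        "parameterized_rows": len(find_user_parameterized(conn, hostile_name)),
    }

if __name__ == "__main__":
    print(demo())
```

Running demo() shows the injectable query returning every row for a name that matches none of them, while the parameterised query returns nothing, and the resolver refusing the traversal while still serving an ordinary nested path.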

Bills Introduced – 10-30-19


Yesterday with both the House and Senate in session there were 54 bills introduced. One of those bills may receive future consideration in this blog:

HR 4915 To amend the Small Business Act to provide loan guarantees for the acquisition of cybersecurity technology and services by eligible small businesses, and for other purposes. Rep. Schneider, Bradley Scott [D-IL-10] 

I will be watching this bill for language and definitions that would specifically allow loans for control system cybersecurity or medical device cybersecurity.

S 2607 Introduced – Local UAS Control


Earlier this month Sen Lee (R,UT) introduced S 2607, the Drone Integration and Zoning Act of 2019. The bill would provide for State and local authority over ‘civil unmanned aircraft systems’ within 200-ft above the ground. Currently, sole jurisdiction over US airspace rests with the Federal Aviation Administration.

Definitions


Section 2 of the bill provides ten definitions to be used in the bill; most reference existing definitions in either the United States Code (USC) or the Code of Federal Regulations (CFR). Two new definitions are of specific interest: ‘immediate reaches of airspace’ and ‘unmanned aircraft take-off and landing zone’:

‘Immediate reaches of airspace’ “means, with respect to the operation of a civil unmanned aircraft system, any area within 200 feet above ground level” {§2(4)}.

‘Unmanned aircraft take-off and landing zone’ “means a structure, area of land or water, or other designation for use or intended to be used for the take-off or landing of civil unmanned aircraft systems operated by a commercial operator” {§2(10)}

This section uses the broad definitions of the terms ‘unmanned aircraft’ and ‘unmanned aircraft systems’ from 49 USC 40101 Note (pg 869). The terms would include commercial UAS, small UAS, hobby UAS, and recreational UAS.

Immediate Reaches of Airspace


Section 3 of the bill would amend the definition of ‘navigable airspace’ found in 49 USC 40102(32) by adding at the end: “In applying such term to the regulation of civil unmanned aircraft systems, such term shall not include the area within the immediate reaches of airspace (as defined in section 2(4) of Drone Integration and Zoning Act of 2019).’’ {§3(a)}.

Subsection (b) would then require the FAA to conduct a rulemaking to “to update the definition of ‘navigable airspace’” {§3(b)(1)}. The rulemaking would also designate the area between 200-ft and 400-ft above ground level for the operation of “civil unmanned aircraft systems under the exclusive authority of the Administrator”. The final rule would be required to be published within one year of the enactment of this bill.

Restrictions on Federal Actions


Section 4 of the bill starts out with a listing of congressional findings and a deduced set of ‘sense of Congress’ elements that delineate the areas of responsibility for control of the ‘immediate reaches of airspace’. The final conclusion is that: “the Federal Government lacks the authority to intrude upon a State’s sovereign right to exercise reasonable time, manner, and place of operations of unmanned aircraft systems operating within the immediate reaches of airspace” {§4(a)(2)(C)}.

The bill then goes on to further clarify the meaning of ‘immediate reaches of airspace’ in so far as it limits the FAA’s authority to regulate civil unmanned aircraft around buildings that are over 200-ft in height. It extends that area to 50-ft above the building and to within 200-ft (or the property line of the owner) laterally of the building. Those limits do not apply to UAS flying “directly within or above an authorized public right of way” {§4(b)(2)(C)}.

The bill then proceeds to outline what would be considered to be “reasonable restrictions on the time, manner, and place of operation of a civil unmanned aircraft system” {§4(b)(3)}:

Specifying limitations on speed of flight over specified areas.
Prohibitions or limitations on operations in the vicinity of schools, parks, roadways, bridges, moving locations, or other public or private property.
Restrictions on operations at certain times of the day or week or on specific occasions such as parades or sporting events, including sporting events that do not remain in one location.
Prohibitions on careless or reckless operations, including operations while the operator is under the influence of alcohol or drugs.
Other prohibitions that protect public safety, personal privacy, or property rights, or that manage land use or restrict noise pollution.

Section 4(c) of the bill provides the FAA with the authority to designate ‘authorized commercial routes’ for civil unmanned aircraft with the limitation that such routes would be above 200-ft above ground level.

UAS Takeoff and Landing Zones


Section 5 of the bill outlines the limits of the authority of State and local governments to regulate the “designation, placement, construction, or modification of an unmanned aircraft take-off and landing zone” {§5(a)}. While most of the limitations are procedural limits on the zoning process, the section does provide a general limit on discrimination. Section 5(b) provides that the “regulation of the designation, placement, construction, or modification of an unmanned aircraft take-off and landing zone by any State, local, or Tribal government may not—
“(1) unreasonably discriminate among commercial operators of unmanned aircraft systems; or
“(2) prohibit, or have the effect of prohibiting, a commercial operator from operating an unmanned aircraft system.”

Restriction on State and Local Actions


Section 6 of the bill provides limits on State and local government authority to restrict the operation of civil UAS between the ground and the 200-ft limit of the ‘navigable air space’. Generally, such governments are prohibited from taking actions that unreasonably or substantially impede {§6(a)(1)}:

The ascent or descent of an unmanned aircraft system, operated by a commercial operator, to or from the navigable airspace in the furtherance of a commercial activity; or
A civil unmanned aircraft from reaching navigable airspace where operations are permitted.

Moving Forward


Lee is a member of the Senate Commerce, Science, and Transportation Committee, the committee to which this bill was assigned for consideration. This means that there is a good chance that Lee has enough influence to see this bill considered in Committee. This is a relatively comprehensive bill and with no cosponsors it would seem likely that one or more of the provisions might draw significant opposition from various factions. I suspect that we will not be able to determine what opposition might arise until the bill makes it to Committee consideration.

This bill would almost certainly require being considered in regular order on the floor of the Senate. That provides a practical limit on its possibility of being considered. This language could, however, be included as part of an FAA reauthorization bill, if there is sufficient support in Committee.

Commentary


There is nothing in this bill that would allow an exception to the 18 USC 32 prohibitions about interfering with the actual flight of a civil unmanned aircraft.

Wednesday, October 30, 2019

DOE CEII Final Rule to OMB – 10-29-19


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a final rule from the DOE on “Critical Electric Infrastructure”. According to the Spring 2019 Unified Agenda, the rule would outline the “administrative procedures [that] are intended to ensure that stakeholders and the public understand how the Department would designate, protect, and share CEII under the Federal Power Act”. The notice of proposed rulemaking for this action was published in October 2018.

Bills Introduced – 10-29-19


Yesterday with both the House and Senate in session there were 36 bills introduced. Of those bills, two may receive additional coverage in this blog:

S 2730 A bill to establish and ensure an inclusive transparent Drone Advisory Committee. Sen. Peters, Gary C. [D-MI]

S 2731 An original bill to authorize appropriations for fiscal year 2020 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, and for other purposes. Sen. Inhofe, James M. [R-OK] 

I will only be covering S 2730 if the advisory committee is specifically authorized to address counter-drone activities.

Tuesday, October 29, 2019

1 Advisory Published – 10-29-19


Today the CISA NCCIC-ICS published a control system security advisory for products from Phoenix Contact.

Phoenix Contact Advisory


This advisory describes an improper input validation vulnerability in the Phoenix Contact Automation Worx Software Suite. The vulnerability was reported by the 9sg Security Team via the Zero Day Initiative. Phoenix Contact provided generic workarounds while it continues to work on an update to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to compromise the availability, integrity, or confidentiality of an application programming workstation. Automated systems programmed using one of the affected products are not impacted.

NOTE: I briefly reported on this vulnerability on October 19th, 2019.

Bills Introduced – 10-28-19


Yesterday with both the House and Senate in session there were 48 bills introduced. Three of those bills may receive future coverage in this blog:

HR 4891 To provide for the conduct of certain water security measures in the Western United States, and for other purposes. Rep. Torres Small, Xochitl [D-NM-2]

S 2714 A bill to amend the America COMPETES Act to reauthorize the ARPA-E program, and for other purposes. Sen. Van Hollen, Chris [D-MD]

S 2718 A bill to provide for the conduct of certain water security measures in the State of New Mexico, and for other purposes. Sen. Udall, Tom [D-NM] 

I suspect that the ‘water security measures’ referenced in HR 4891 and S 2718 are related to ‘supply security’ not physical or cyber security of the water systems.

Monday, October 28, 2019

Senate Committee Reports for HR 3055 – First Senate Minibus

The version of HR 3055 that the Senate will resume considering today is based upon four spending bills proposed by the Senate Appropriations Committee. While there may be some slight differences in the language included in Senate Amendment 948, that amendment specifically adopts the four committee reports “for purposes of determining the allocation of funds provided by, and the implementation of,” each of the four divisions in the proposed bill.

Those reports are:

S Rept 116-127 (Div A - CJS)

S Rept 116-110 (Div B – ARD)

S Rept 116-123 (Div C – IER)

S Rept 116-109 (Div D – THUD)

As is typical for spending bills, the important details are found in these reports, not in the bill language. Below I will discuss some of the more interesting details.

Cybersecurity


Every division (and most titles) of the proposed amendment contains some sort of cybersecurity language. Mostly, though, those references and spending allocations pertain to protecting the IT systems of the US government.

Not unexpectedly the NIST section of the Division A report deals with supporting cybersecurity workforce training. While no specific funding is outlined the Committee “directs that no less than the fiscal year 2019 level is provided for cybersecurity research, outreach, industry partnerships, and other activities at NIST, including the National Cybersecurity Center of Excellence” (pg 23). Interestingly the Committee desires to see “a priority being placed on areas with a high concentration of Department of Defense, automotive, and health care related industries”.

NIST is also called upon to address industrial cybersecurity via Industrial Internet of Things (IIoT) cybersecurity research. The report calls for spending ‘no less than’ $2 million “to improve the sustainable security of IIoT devices in industrial settings” (pg 23). The Committee calls for comprehensive strategies that would “couple computer science and engineering, psychology, economics, cryptography, and network research to deliver significant mitigations and options for industrial adoption, as well as guidance to consumers and industry on how to manage and utilize these devices consistent with best security practices” (pg 24).

The National Science Foundation ‘Education and Human Resources’ section of the Division A report also significantly addresses cybersecurity training issues. The Committee provides $55 million (pg 169) for the CyberCorps scholarship program with $7.5 million of that going to support the two year programs at NSA sponsored Center of Academic Excellence in Information Assurance 2–Year Education [CAE2Y] program community colleges.


The DOJ portion of the Division A report addresses another aspect of cybersecurity education; computer forensics and digital investigation. The State and Local Law Enforcement and Cybercrime Prevention section includes a requirement for DOJ to allocate $2 million “for a separate competitive grant program to expand a partnership with an institution for higher learning for the purposes of furthering educational opportunities for students training in computer forensics and digital investigation” (pg 130).

There is an interesting control system cybersecurity provision in the Division D Report. The Federal Railroad Administration (FRA) portion of the DOT Title “urges FRA to prioritize funding to establish enhanced cybersecurity methods, standards, and best practices, especially as it relates to the implementation of PTC [Positive Train Control] technology and future versions of this technology” (pg 73). Specifically, the Committee directs the FRA to “work with industry to identify current vulnerabilities and prepare for threats that could arise from future updates and the migration to future designs.”

Chemical Safety


There is only one mention of chemical safety issues that I can find in the four reports. That deals with the continued funding of the Chemical Safety Board. While the initial Trump Administration budget proposed eliminating the CSB, this year’s budget proposed $10.2 million and the Committee recommends continuing the current funding level of $12 million. The report notes that “The Board has the important responsibility of independently investigating industrial chemical accidents and collaborating with industry and professional organizations to share safety lessons that can prevent catastrophic incidents and the Committee expects this work to continue.”

Moving Forward


It is looking more likely that the Senate will pass HR 3055 later this week. The bill would then have to go back to the House. The House is unlikely to accept the Senate version so the bill would have to go to conference. The conference report would also address the differences in allocations and implementation directions, essentially rewriting the two versions of the Committee Reports.

Saturday, October 26, 2019

Public ICS Disclosures – Week of 10-19-19


This week we have three vendor disclosures from ABB and two vendor updates from 3S and Yokogawa. There is also an exploit report for previously reported vulnerabilities in products from Moxa.

ABB Advisories


Relion® 670 series

ABB published an advisory describing a path traversal vulnerability in the MMS server included in their Relion 670 series protection and control IEDs. The vulnerability was reported by Kirill Nesterov of Kaspersky Lab. ABB has new versions that mitigate the vulnerability. There is no indication that Nesterov has been provided an opportunity to verify the efficacy of the fix.

Relion® 650 series and Relion® 670 series

ABB published an advisory describing a terminal reboot vulnerability in the SPA protocol over TCP/IP included in their Relion 650 and 670 series protection and control IEDs. The vulnerability was reported by Ilya Karpov, Evgeniy Druzhinin, Damir Zainullin of Positive Technologies and Victor Nikitin of i-Grids. ABB has updates that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Relion® 650 series and Relion® 670 series

ABB published an advisory describing four known OpenSSL vulnerabilities (CVE-2017-3737, CVE-2018-0739, CVE-2018-0737, CVE-2018-0732) in their Relion 650 and 670 series protection and control IEDs. These vulnerabilities are self-reported. ABB has updates that mitigate the vulnerabilities.

3S Update


3S published an update for an advisory that was originally published on September 12th, 2019. The new information includes:

Revised affected version numbers;
Added CVE number for vulnerability; and
Revised version number for mitigation

Yokogawa Update


Yokogawa published an update for an advisory that was originally published on September 27th, 2019 and most recently updated on October 11th, 2019. The new information includes a link to the patch for the Exaquantum product.

Moxa Exploit


RANDORISEC published exploit code for two vulnerabilities in the Moxa EDR-810 Series Secure Routers. One of these vulnerabilities was addressed in an NCCIC-ICS advisory published on October 1st, 2019. The second vulnerability was reported in a Moxa advisory published on October 2nd, 2019.

Friday, October 25, 2019

LNG by Rail Suggestions


Earlier this week the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) published their notice of proposed rulemaking (NPRM) for authorizing the shipment of liquified natural gas (LNG) by rail. In that NPRM PHMSA specifically solicited comments on additional controls that could be added to the regulatory requirements proposed to increase the safety of the shipment of LNG by rail. In this blog post I will propose a number of those controls.

Application of HHFT Rules


A number of opponents to this NPRM and the PHMSA LNG by rail special permit have painted horrific pictures of the explosive results of accidents involving unit trains of LNG railcars. While the preamble to this NPRM provides a rebuke of the potential for explosive accidents, the experience with unforeseen safety consequences with crude oil unit trains should be fresh in the mind of regulators and emergency response planners. With that in mind it would seem prudent to include LNG rail shipments in the High Hazard Flammable Train (HHFT) requirements.

The administratively simplest way of doing this would be to revise the definition of High Hazard Flammable Train found in 49 CFR 171.8 by adding the phrase “, including Methane, Cryogenic Liquid, UN1972,” after the words “Class 3 flammable liquid” wherever that appears in the HHFT definition or the definition of ‘high hazard flammable unit trains’ in the same section.

Unfortunately, that would be a complicated solution due to the fact that the §174.310 operational requirements for HHFT pertain to the switch over from DOT 111 to DOT 117 railcars. Most of those railcar provisions clearly apply only to flammable liquids and would thus not affect LNG by rail operations. There is one exception, §174.310(a)(4), which would need to be revised to read:

“(4) New tank cars. After October 1, 2015, tank cars manufactured for Class 3 flammable liquid use in a HHFT must meet:”

PRV Flaring


One of the concerns related to the shipment of LNG is that methane is a very powerful greenhouse gas and any emissions from the shipment of LNG could have a disproportionate effect on climate change. Opponents to this rulemaking will inevitably claim that this was not adequately addressed in the environmental impact portion of the preamble.

One way to address this issue would be to require that the pressure relief devices required to be employed on these railcars be equipped with a flaring device. This would ignite the LNG being released and convert the methane emission to a CO2 emission. There is already such a requirement for DOT 107 specification railcars (49 CFR 179.500-12).

Pressure and Temperature Reporting


Since PHMSA recognizes that the implementation of rail shipments of LNG will require the construction of a new fleet of DOT 113 railcars, they should take the opportunity to bring safety measurement into the 21st Century. There are two key factors that should be monitored to ensure the safe shipment of LNG by rail; temperature and pressure. This is already recognized in the modification of the requirements in §179.319(d)(2).

Technology currently exists that allows for the real-time measurement, recording and reporting of these two parameters by electronic devices installed on the railcar. PHMSA should require DOT 113 railcars used to transport LNG to be equipped with such electronic pressure and temperature devices and communication between those devices and alarm systems installed in the controlling locomotive for the trains containing such railcars. This would allow train crews and emergency response personnel to have operational awareness of impending releases and would provide for appropriate pre-emergency response to those impending conditions.

PHMSA should envision requiring all hazmat railcars to have similar critical measurement capabilities, but that would require extensive and expensive refit requirements. Here, a new DOT requirement could be included in the early production of new railcars.

Moving Forward


The measures that I have proposed above would be relatively cost-effective measures that would increase the safety of the transportation of liquified natural gas by railcars.

Thursday, October 24, 2019

3 Advisories and 1 Update Published – 10-24-19


Today the CISA NCCIC-ICS published two control system security advisories for products from Honeywell and Rittal; a medical device security advisory for products from Philips; and an update for an advisory for products from Moxa.

Honeywell Advisory


This advisory describes a missing authentication for critical function vulnerability in the Honeywell IP-AK2 Access Control Panel. The vulnerability was reported by Maxim Rupp. Honeywell has a new firmware version that mitigates the vulnerability. There is no indication that Maxim was provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to download configuration files directly through a URL without authentication, exposing configuration and authorized visitor information.

Rittal Advisory


This advisory describes two vulnerabilities in the Rittal Chiller SK 3232-Series. The vulnerabilities were reported by Applied Risk. Rittal will only provide mitigation information via email (presumably to their customers). The Applied Risk report notes that: “There has been no fix supplied by the vendor. The vendor was contacted regarding the vulnerabilities on 2nd of January 2019, but did not provide a response.”

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to disrupt the primary operations of the affected component, shut down cooling to other equipment, and allow changes to the temperature set point.

NOTE: Applied Risk reports that the vulnerability resides in the third-party Ethernet interface card, Carel pCOWeb. The website for that product provides a lengthy list of other products from multiple vendors that use the same interface card. Presumably some or all of those products may be affected by the same vulnerabilities.

Philips Advisory


This advisory describes an exposure of resources to wrong sphere vulnerability in the Philips IntelliSpace Perinatal obstetrics information management system. The vulnerability was reported by Brian Landrum of Coalfire LABS. Philips has provided generic workarounds and may provide an update next year that may address the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to allow an attacker unauthorized access to system resources, including access to execute software or to view/update files, directories, or system configuration.

Moxa Update


This update provides additional information on an advisory that was originally published on February 26th, 2019. The new information includes:

• Added affected firmware version on IKS-G6824;
• Added recommended browsers information for vulnerability 7 of IKS-G6824 (CVE-2019-6561); and
• Added link to Moxa advisory (not annotated as a change on the NCCIC-ICS advisory).

PHMSA Publishes LNG by Rail NPRM


Today the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) published a notice of proposed rulemaking (NPRM) “Hazardous Materials: Liquefied Natural Gas by Rail” in the Federal Register (84 FR 56964-56977). The rule would make changes to the Hazardous Materials Regulations to allow for the bulk transport of Methane, refrigerated liquid, commonly known as liquefied natural gas (LNG), in DOT-113C120W specification rail tank cars. The rulemaking was initiated in response to a petition for rulemaking [.PDF download link] from the Association for American Railroads (AAR).

Tank Car Specification


The AAR petition requested that PHMSA consider authorizing the use of the current DOT-113C120W and a new DOT-113C140W specification tank car for the transport of LNG by rail. In this rulemaking PHMSA is only proposing to authorize the use of the DOT-113C120W specification tank cars, which are currently in service for the transportation of other flammable cryogenic liquids. PHMSA notes that they “anticipate that DOT-113 specification tank cars will need to be manufactured to satisfy the demand for transporting LNG as the current fleet of these tank cars is used for the transportation of ethylene and other cryogenic liquids.”

The rulemaking would amend 49 CFR 179.319(d)(2) to add the following pressure relief requirements for LNG:

Maximum pressure when offered for transportation – 15 psig;
Design service temperature – minus 216˚F; and
Maximum start to discharge pressure – 75 psig

Operational Controls


The NPRM is not proposing to impose any additional operational controls beyond those currently required for flammable cryogenic liquids. It is, however, seeking comments on whether or not the following controls should be considered in the final rule:

Incorporate by reference AAR Circular OT-55 key train and/or key route provisions;

LNG Characteristics


There is a lengthy discussion in the preamble about the characteristics of LNG; particularly the characteristics of LNG fires. The discussion of a vapor cloud fire is important:

“If an LNG vapor cloud is ignited before the cloud has been dispersed or diluted to below its lower flammability limit, a flash fire will occur. Unlike other flammable liquids and gases, a LNG vapor cloud will not ignite entirely at once. If ignited, the flash fire that forms has a temperature of about 1,330 °C (2,426 °F). The resulting ignition leads to a relatively slow (subsonic) burning vapor fire which travels back to the release point producing either a pool fire or a jet fire [emphasis added]. The radiant heat effects from such a flash fire does not extend to distances significantly larger than the width of the flammable cloud. The slow burning vapor fire will not generate damaging overpressures (i.e., explosions), if unconfined. To produce an overpressure event, the LNG vapors need to be within the flammability range and ignited, and either be confined within a structure or the travelling flame in the open encounters structural obstructions (e.g., houses, trees, bushes, pipe racks, etc.) that can increase the flame turbulence significantly when the flash fire reaches the source of vapor (boiling LNG), if there is still a liquid pool of LNG evaporating at that time, a pool fire will result.”

DOT 113 Accident History


The preamble includes a discussion of the accident history of the DOT 113 tank car. It describes only one incident in 37 years in which a fire occurred as a result of a derailment involving flammable cryogenic liquids transported in DOT 113C120 tank cars. According to a local news report the fire was relatively unremarkable.

Public Comments


PHMSA is soliciting public comments on this NPRM. Comments may be submitted via the Federal eRulemaking Portal (www.regulations.gov; Docket # PHMSA-2018-0025). Comments need to be submitted by December 23rd, 2019.

Commentary


If the public comments on PHMSA’s LNG by rail special permit are any indication (2,973 comments to date) there will be a large public outcry against this NPRM. It will come mainly from people who have not read the NPRM and particularly did not read the discussion on LNG characteristics and the accident history of the DOT 113 railcar.

We are seeing an increasing amount of natural gas being produced in oil fields in the United States. It makes no economic sense nor environmental sense to not use that methane as either a fuel or a chemical feedstock. Either of those uses will require transporting the natural gas from where it is produced to where it is used or to where it is shipped to our trading partners via ocean going vessels. The pipeline infrastructure (the safest way to ship either natural gas or LNG) is not in place to provide that transportation. Currently the only other authorized way to ship the material is by truck. That mode has more safety issues than does rail, and the dwindling supply of hazmat qualified truck drivers provides an additional impediment to transporting large quantities of LNG by truck.

Economically and environmentally this rulemaking is necessary. There are some changes that I think need to be made and I will address those in a separate blog post with subsequent submission as a comment on this NPRM.

I urge everyone with an interest in this topic (pro and con) to closely read this NPRM, consider what PHMSA is proposing (and missing) and submit well-reasoned comments to help to improve this rulemaking.

Wednesday, October 23, 2019

Senate Begins Consideration of HR 3055 – First Senate Minibus Spending Bill


Yesterday the Senate began consideration of HR 3055. This was the second FY 2020 spending minibus passed by the House back in June. As is typical for spending bills, the first amendment to be proposed for this bill in the Senate is the substitute language from the Senate Appropriations Committee; SA 948.

This amendment would have the Senate version include only four of the five divisions found in the House version. The Military Construction, Veterans Affairs, and Related Agencies Appropriations Act will be included in a later spending bill. The Senate leadership hopes that the remaining four divisions have a low enough controversy level that they will be able to be passed and sent to the House for conference with some hope of the bill actually making its way to the President’s desk before November 21st; the end date of the current continuing resolution.

My quick review of the 43 pages this bill took up in yesterday’s Congressional Record did not turn up anything worth talking about here. Below is a quick table of contents for the bill if you are interested in looking for something in particular; please forgive the all-CAPS format, it is a simple copy and paste job and I have no desire to go back and put it into a more reasonable case structure. NOTE: the 'Sxxxx numbers' are CR page numbers.

Senate Amendment 948
DIVISION A—COMMERCE AND JUSTICE, SCIENCE, AND RELATED AGENCIES APPROPRIATIONS ACT, 2020 [S5978]
DEPARTMENT OF COMMERCE [S5978]
DEPARTMENT OF JUSTICE [S5981]
SCIENCE [S5986]
RELATED AGENCIES [S5988]
DIVISION B—AGRICULTURE, RURAL DEVELOPMENT, FOOD AND DRUG ADMINISTRATION, AND RELATED AGENCIES [S5991]
AGRICULTURAL PROGRAMS [S5991]
FARM PRODUCTION AND CONSERVATION PROGRAMS [S5994]
RURAL DEVELOPMENT PROGRAMS [S5995]
DOMESTIC FOOD PROGRAMS [S5997]
FOREIGN ASSISTANCE AND RELATED PROGRAMS [S5998]
RELATED AGENCY AND FOOD AND DRUG ADMINISTRATION [S5998]
GENERAL PROVISIONS [S5999]
DIVISION C—DEPARTMENT OF THE INTERIOR, ENVIRONMENT, AND RELATED AGENCIES APPROPRIATIONS ACT, 2020 [S6003]
DEPARTMENT OF THE INTERIOR [S6003]
ENVIRONMENTAL PROTECTION AGENCY [S6011]
RELATED AGENCIES DEPARTMENT OF AGRICULTURE [S6013]
DEPARTMENT OF HEALTH AND HUMAN SERVICES [S6015]
GENERAL PROVISIONS [S6018]
DIVISION D—TRANSPORTATION, AND HOUSING AND URBAN DEVELOPMENT, AND RELATED AGENCIES APPROPRIATIONS ACT, 2020 [S6020]
TITLE I DEPARTMENT OF TRANSPORTATION [S6020]
FEDERAL AVIATION ADMINISTRATION [S6022]
FEDERAL HIGHWAY ADMINISTRATION [S6023]
FEDERAL MOTOR CARRIER SAFETY ADMINISTRATION [S6025]
NATIONAL HIGHWAY TRAFFIC SAFETY ADMINISTRATION [S6026]
FEDERAL RAILROAD ADMINISTRATION [S6026]
FEDERAL TRANSIT ADMINISTRATION [S6027]
MARITIME ADMINISTRATION [S6028]
PIPELINE AND HAZARDOUS MATERIALS SAFETY ADMINISTRATION [S6029]
PIPELINE SAFETY [S6029]
TITLE II DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT [S6030]
TITLE III RELATED AGENCIES [S6041]

Bills Introduced – 10-22-19


Yesterday with both the House and Senate in session there were 45 bills introduced. Three of those bills may see further coverage in this blog:

HR 4792 To establish a voluntary program to identify and promote internet-connected products that meet industry-leading cybersecurity and data security standards, guidelines, best practices, methodologies, procedures, and processes, and for other purposes. Rep. Lieu, Ted [D-CA-33] 

S 2656 A bill to disclose access to election infrastructure by foreign nationals. Sen. Kennedy, John [R-LA] 

S 2664 A bill to establish a voluntary program to identify and promote internet-connected products that meet industry-leading cybersecurity and data security standards, guidelines, best practices, methodologies, procedures, and processes, and for other purposes. Sen. Markey, Edward J. [D-MA] 

It looks like HR 4792 and S 2664 may be companion bills. See this article here about these bills. As always definitions and other details will be important.

It will be interesting to see how S 2656 deals with the complex attribution issue. I expect a simplistic approach.

Tuesday, October 22, 2019

1 Advisory Published – 10-22-19


Today the CISA NCCIC-ICS published a control system security advisory for products from Schneider.

Schneider Advisory


This advisory describes three vulnerabilities in the Schneider ProClima building and automation control products. The vulnerabilities were reported by Haojun Hou, Kushal Arvind Shah, Fortinet, Yongjun Liu, NSFOCUS, and Telus. Schneider has released a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

Code injection - CVE-2019-6823;
Improper restriction of operations within the bounds of a memory buffer - CVE-2019-6824; and
Uncontrolled search path element - CVE-2019-6825

NCCIC-ICS reported that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system.

NOTE: According to the Schneider advisory these vulnerabilities were reported on June 11th, and I briefly reported on them on June 15th. What NCCIC-ICS is actually addressing is an update to the original advisory that adjusted the CVSS Base Score and Vector for CVE-2019-6823 and CVE-2019-6824.

NTIA Software Component Transparency Meeting – 11-18-19


Today the DOC’s National Telecommunications and Information Administration (NTIA) published a meeting notice in the Federal Register (84 FR 56446-56447) for a “Multistakeholder Process on Promoting Software Component Transparency” meeting to be held on November 18th, 2019 in Washington, DC.

According to the notice:

“The main objectives of the November 18, 2019, meeting are to finalize and identify next steps in this effort, including how progress can be made on extending and refining the basic model, cataloging tooling needs and resources, and promoting awareness and adoption of stakeholder work.”

The Stakeholders and a number of working groups have been conducting meetings on this topic since the first meeting was announced in 2018. The NTIA Software Component Transparency web page contains detailed information and presentations from those meetings.

The meeting will be open to the public on a first-come seating basis. It does not appear that the meeting will be webcast.

Gas Pipeline Deregulation NPRM to OMB


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking from the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) on “Gas Pipeline Regulatory Reform”.

The Spring 2019 Unified Agenda describes the rulemaking this way:

“This rulemaking would amend the Pipeline Safety Regulations to adopt a number of actions that ease regulatory burdens on the construction and operation of gas transmission, gas distribution and gas gathering pipeline systems. These amendments include regulatory relief actions identified by internal agency review, existing petitions for rulemaking, and public comments on the Department of Transportation Regulatory Review and Transportation Infrastructure notices.”

This rulemaking was initiated by the Trump Administration; first appearing in the Spring 2018 Unified Agenda.

Monday, October 21, 2019

Committee Hearings – Week of 10-20-19


This week with both the House and Senate in session the big news is impeachment or spending. There are two House hearings of potential interest; cybersecurity threats and a homeland security markup hearing.

Cybersecurity Threats


On Tuesday the Cybersecurity, Infrastructure Protection, and Innovation Subcommittee of the House Homeland Security Committee will hold a hearing, “Preparing for the Future: An Assessment of Emerging Cyber Threats”. The witness list includes:

Ben Buchanan, Georgetown University;
Ken Durbin, Symantec Corporation;
Niloofar Razi Howe, New America; and
Robert Knake, The Council on Foreign Relations

Homeland Security Markup


On Wednesday the House Homeland Security Committee will hold a markup hearing looking at a dozen bills. Bills of interest include:

HR 3787, the DHS Countering Unmanned Aircraft Systems Coordinator Act; and
HR 4402, the Inland Waters Security Review Act

On the Floor


Last week Sen. McConnell (R,KY) announced that the Senate would try to take up two spending bills this week; HR 3055 and HR 2740. Neither of these minibus spending bills will be considered as passed in the House. No amendments were filed last week, so it is not clear exactly what language will be included in the bill as there was significant Democratic opposition to the bills that came out of the Senate Appropriations Committee. But then again, there is no guarantee that either bill will actually be considered. Politics is getting increasingly iffy.

Saturday, October 19, 2019

CFATS and a Small-Town Road Closure


It is not often that security measures under the Chemical Facility Anti-Terrorism Standards (CFATS) program make the newspaper, but they did this week in the El Dorado News-Times in El Dorado, AR. The issue was a meeting of the Union County Quorum Court where the owner of a local oil refinery was asking the County to close a portion of a public road that runs through the refinery. The owner cited the CFATS program as the reason that the road needed to be closed. According to the article:

“Ratcliff [lawyer representing the refinery] said safety standards imposed by the United States Department of Homeland Security in response to the Sept. 11, 2001 attacks on the United States are not able to be met by Lion Oil/Delek because the road is open.”

The author of the article noted that Ratcliff was referring to the CFATS program.

Security Issues


Looking at the Satellite view from Google Maps® it is easy to see what ‘security issues’ come into play with this public road. First it divides the large storage tank farm on the west side of the refinery in two. It also divides a flammable gas storage tank area just north of the larger tank farm. And many of the storage tanks (liquid and gas) are well within the blast radius of a reasonably sized vehicle-borne explosive device. There is also a tank-wagon marshalling area and a tank-wagon loading area along the road.

It is hard to tell what chemicals are stored in the large tank farm, but, given that this is a petrochemical refinery, I would reasonably assume that most of the tanks contain some sort of flammable hydrocarbon. The horizontal pressure tanks on either side of the tank farm contain some sort of flammable gas; the giveaway is the ‘4’ in the upper diamond on the hazard placard on the tanks.

CFATS Considerations


Neither of these tank farms is very close to any residential areas or schools. There are two small churches that the refinery is using to define the road closure limits, but I doubt that either attracts more than a couple hundred parishioners at most. What that means is that the Infrastructure Security Compliance Division (the CISA group that administers the CFATS program) probably bases their high-risk determination for this refinery on the close proximity of the operations area of the facility further to the East to residential areas of El Dorado.

ISCD gives facilities a great deal of leeway in defining facility boundaries for the purposes of determining what is a covered facility. There might be a chance that, if the refinery were to be divided into two parts with the boundary between them being the creek that runs north-south through the facility, the western portion of the facility that includes Hinson Road (the road being proposed to be closed) might not be determined to be a high-risk facility and thus out of the scope of the CFATS program.

Similarly, if the western half of the facility were to be determined to be a high-risk facility, the facility could manage the large tank farm in such a way that the three tanks closest to Hanson Road would not be used for storage of chemicals that were on the list of DHS chemicals of interest (COI). This would allow the facility to exclude those three tanks from the restricted-access portion of the facility. This would leave just the flammable-gas tanks as areas of concern along the road. Security measures could be designed to specifically protect those tanks from VBIED attacks.

CFATS and RBPS Guidance


The author of the article about the situation made note of the “Dept. of Homeland Security’s Chemical Facility Anti-Terrorism Standards Risk-Based Performance Standards”. She picked up on the following repetitive statement in that guidance document:

“Note: This document is a “guidance document” and does not establish any legally enforceable requirements. All security measures, practices, and metrics contained herein simply are possible, nonexclusive examples for facilities to consider as part of their overall strategy to address the risk-based performance standards under the Chemical Facility Anti-Terrorism Standards and are not prerequisites to regulatory compliance.”

What most people who have not worked with the CFATS program do not understand is that the CFATS regulations (6 CFR 27.230) set 12 broadly worded risk-based performance standards (RBPS). The guidance document provides information about how facilities can meet those broad requirements. The facility and ISCD reach an understanding about what the facility will include in its site security plan (SSP) to meet the statutory requirements for that particular facility; each facility would have its own unique methods to deal with the specific security situation at that facility. Once that SSP is approved by ISCD, the requirements of that SSP are the regulatory requirements for that facility.

Public Decisions and CVI


The big problem for the refinery going forward with the road closure process is providing enough information about their security issues to the County without running afoul of the restrictions on sharing Chemical-terrorism Vulnerability Information (CVI). Security information about CFATS covered facilities is considered to be controlled unclassified information (CUI) with specific rules about how that information can be shared with local government officials; for CVI that includes requiring individuals that are being given access to have completed on-line training in how to protect CVI information.

The County rules, in this case, requiring a 3-person panel to review the information for a contested road closure seem well suited to the CVI requirements. The three people assigned to the panel could take the relatively brief training and then receive the security information from the refinery’s lawyer to consider in the road closure petition. They could then make their recommendation without including any of the specific security information.

The big problem with that is that the 3-member panel is supposed to hold public hearings to get both sides of the issue. The public is specifically excluded from having access to CVI so the refinery would be required to make their arguments without providing any of the pertinent security information. Those sanitized arguments may be inadequate to support the request.

Commentary


I would be very surprised if a large refinery were just starting the CFATS process, but I suppose that it could happen. If the facility has not yet had its SSP authorized, there are still alternatives available to closing the road through the facility. I have discussed some of them above, but there are other, probably more expensive, security measures that could be employed that would obviate the need for the road closure.

If the facility SSP has been authorized, it would seem that the facility had included as a proposed security measure the closure of the road. If that is the case the facility made a commitment to ISCD that the road would be closed. Failure to get the County to effect the closure would require the facility to renegotiate their SSP; ISCD would be upset, but I suspect that they would understand that the facility had no control over the actions of the County government.

What I suspect is happening is that the original facility SSP was negotiated by the previous owners and authorized and subsequently approved by ISCD. It would have included some expensive planned compensating controls to allow the road to remain open. Those controls would have been proposed because the owners knew that getting the County to close the road was going to be difficult at best. The new owners have no desire to spend the money necessary to implement the controls. ISCD would be in the process of threatening noncompliance sanctions and the new owners are trying hard to get the financially easier security measures in place as an ‘appropriate response’ to the non-compliance actions.

It will be interesting to see how this turns out.

CG Cybersecurity at MTSA Facilities Guidance to OMB


Yesterday the OMB’s Office of Information and Regulatory Affairs reported that it had received from the Coast Guard a guidance document, “Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities”, for review. As with most guidance documents there is no related description of this document in the Spring 2019 Unified Agenda.

Public ICS Disclosures – Week of 10-12-19


This week we have four vendor disclosures for products from Phoenix Contact, ABB, Gemalto and Eaton. We also have an updated disclosure from Schneider and a report of a cyberattack from Pilz.

Phoenix Contact Advisory


Phoenix Contact published an advisory [.PDF download link] for an out-of-bounds read vulnerability in their Automationworx Suite. The vulnerability was reported by the 9sg Security Team via the Zero Day Initiative. Phoenix Contact has provided generic workarounds pending publication of a new version.

NOTE: The vulnerability was reportedly coordinated through NCCIC-ICS so an advisory from them should be forthcoming.

ABB Advisory


ABB published an advisory describing an improper authentication vulnerability in their UnoDM. The vulnerability was reported by Maxim Rupp. ABB has updates that mitigate the vulnerability. There is no indication that Maxim has been provided an opportunity to verify the efficacy of the fix.

Gemalto Advisory


Gemalto announced that they have published an advisory (customer registration required for access) for a vulnerability in their Sentinel LDK License Manager when installed as a service.

NOTE: I suspect that owners of systems from other vendors that use the LDK License Manager will have to wait for notification from those vendors before they will be able to learn about this vulnerability and fixes available for it.

Eaton Advisory


Eaton published an advisory describing an undisclosed vulnerability in their CGLine+ when connected to CGVision. The vulnerability is self-reported. Eaton has a new version that mitigates the vulnerability.

Schneider Update


Schneider published an update of their URGENT/11 advisory. The new information includes updated version information and mitigation links for:

SCADAPack 57x RTUs; and
SAGE RTU

Pilz Cyberattack


Pilz is currently reporting that: “Since Sunday, October 13, 2019, all server and PC workstations including the communication network of the automation company have been affected worldwide. The website is currently only partially functional.”

They also note that: “Data sent to us by partners and customers have not been lost or misappropriated by third parties. At the current time, however, we cannot completely exclude this.”

NOTE: Both quotes are Google Translations from German.

Friday, October 18, 2019

HR 4091 Amended and Adopted in Committee – ARPA-E Reauthorization


Yesterday the House Science, Space and Technology Committee marked up HR 4091, the ARPA–E Reauthorization Act of 2019. Two amendments were offered, one was adopted, and the bill was adopted by a voice vote.

Amendments


Rep Foster (D,IL) proposed an amendment creating the position of Chief Evaluation Officer. The amendment was withdrawn.

Rep. Johnson (D,TX) proposed a manager’s amendment that made three relatively minor changes to the bill:

Added a provision to the annual report requirement;
Amended the ‘Coordination and Non-Duplication’ requirements of 42 USC 16538(i)(1); and
Decreased the authorized ARPA-E spending for 20210 thru 2024.

Moving Forward


Once the Committee Report for the bill is published, this bill will almost certainly move to the floor of the House under the suspension of the rules process. There would be limited floor debate, no amendments from the floor and a super-majority would be required for passage. The bill will receive sufficient bipartisan support to pass in the House.

Thursday, October 17, 2019

HR 4634 Introduced – TRIA Reauthorization


Last week Rep Waters (D,CA) introduced HR 4634, the Terrorism Risk Insurance Program Reauthorization Act of 2019. The bill is a clean, 10-year reauthorization of the TRIA program.

The bill would amend §108(a) of the Terrorism Risk Insurance Act of 2002 (15 USC 6701 note) by substituting ‘2030’ for ‘2020’ in the termination date. Extensions are also provided for the recoupment provisions of §103(e)(7)(E)(i).

Moving Forward


Waters is the Chair of the House Financial Services Committee to which this bill was assigned for consideration. The bill is currently scheduled for markup in Committee tomorrow. With three Committee Republicans on the list of cosponsors of the bill, it is almost certain that the bill will pass in Committee with substantial bipartisan support. The bill would be likely to be considered in the full House under the suspension of the rules process; limited debate, no floor amendments and a super-majority required for passage.

The last reauthorization of the TRIA program (PL 114-1) passed in both the House and the Senate with bipartisan support.

Commentary


The TRIA was designed to protect insurance companies from severe financial upsets from a major, 9/11 scale terrorist attack. The idea was that without this sort of federal protection insurance companies would be forced to write their policies with terrorism riders that would disallow policies from paying out for terrorist attacks.

The one thing that Congress ought to consider with this bill is adding language that would specifically allow the TRIA to include a cyber-attack of the same magnitude as intended for physical terrorist attacks. This could be done by modifying the following portions of §102, Definitions:

(1) ACT OF TERRORISM.—
(A) CERTIFICATION.—The term ‘act of terrorism’ means any act that is certified by the Secretary, in consultation with the Secretary of Homeland Security, and the Attorney General of the United States—
(i) to be an act of terrorism;
(ii) to be a violent act, or an act that is dangerous to—
(I) human life;
(II) property; or
(III) infrastructure; or
(iii) to be a cyber threat (as defined in 6 USC 1501) that threatens and/or effects a large scale disruption of:
(I) power, fuel or water distribution;
(II) food supply;
(III) financial markets; or
(IV) healthcare; and
(iv) to have resulted in damage within the United States, or outside of the United States in the case of—
(I) an air carrier or vessel described in paragraph (5)(B); or
(II) the premises of a United States mission; and
(v) to have been committed by an individual or individuals, as part of an effort to coerce the civilian population of the United States or to influence the policy or affect the conduct of the United States Government by coercion.

2 Advisories Published – 10-17-19


Today the DHS NCCIC-ICS published two control system security advisories for products from Horner Automation and AVEVA.

Horner Advisory


This advisory describes two vulnerabilities in the Horner Cscape control system application programming software. The vulnerabilities were reported by Francis Provencher of Protek Research Lab via the Zero Day Initiative. Horner has a new version that mitigates the vulnerabilities. There is no indication that Provencher has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

Improper input validation - CVE-2019-13541; and
Out-of-bounds write - CVE-2019-13545

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to crash the device being accessed, which may allow the attacker to access information and execute arbitrary code.

AVEVA Advisory


This advisory describes a stack-based overflow vulnerability in the AVEVA Vijeo Citect and Citect SCADA. The vulnerability is in the IEC870IP driver. The vulnerability was reported by VAPT Team, C3i Center. AVEVA has a new version of the driver that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to cause a server-side crash.

Bills Introduced – 10-16-19


Yesterday with both the House and Senate in session there were 44 bills introduced. Two of those bills may see further coverage in this blog:

HR 4700 To amend title 49, United States Code, to reauthorize pipeline safety programs, and for other purposes. Rep. Upton, Fred [R-MI-6]

S 2607 A bill to prescribe zoning authority with respect to commercial unmanned aircraft systems and to preserve State, local, and Tribal authorities and private property with respect to unmanned aircraft systems, and for other purposes. Sen. Lee, Mike [R-UT]

Wednesday, October 16, 2019

Siemens Restricting Access to Healthineers Cybersecurity Advisories?


It looks like Siemens is taking the unusual (for Siemens) step of limiting access to cybersecurity advisories for their Healthineer products by publishing those advisories on a customer restricted access web site. Previously issued advisories are still publicly available on the Siemens CERT web page. It is not clear if future Healthineer advisories will continue to be published in that public forum.

The Announcement


Yesterday Siemens announced on TWITTER® that: “Starting by October 15 all topics related to the Siemens Healthineers Cyber Security (including security advisories) will be published at the Siemens Healthineers Cyber Security webpage”. The link provided takes you to the following statement:

“Security publications Siemens Healthineers Security Advisories: All current Siemens Healthineers reports of security issues and Security Advisories for validated security vulnerabilities that directly involve our products and require applying an update, performing an upgrade, or other customer action can be found at the Siemens Healthineers LifeNet customer online portal.”

That LifeNet customer online portal is currently accessible only to registered users. I attempted to register and received the following in an email from Suzanne Blevins, Siemens Medical Solutions USA, Inc., LifeNet Support Team:

“We are only able to provide LifeNet to customers that own Siemens equipment. I am not able to find any equipment owned by your company.”

I have sent an email to Siemens Medical Solutions requesting clarification.

Commentary


Okay, let me start by saying that Siemens (and any other company) can publish their cybersecurity advisories in whatever venue they deem most appropriate, as long as users of the affected equipment can reasonably be expected to be able to access that information in a timely manner to make appropriate risk assessment decisions about the disclosed vulnerabilities.

I suspect that this is an issue of protecting the safety of patients, and one is hard pressed to find a group more worthy of protection; especially since many (vast majority?) of the patients have nothing to do with the selection, operation, maintenance or security of the devices into which their care is placed.

One just has to look at the most recent Healthineers advisory concerning the DejaBlue vulnerabilities in Healthineer products. The advisory was published on August 9th, 2019. The advisory notes that most of the affected products can be fixed by applying Microsoft® patches available when the advisory was published. But it also noted that at least two of the affected products would need Siemens patches that would not be available for months, and for another product Siemens recommended disabling the RDP functionality of the device. Arguably, the publication of this advisory may have increased the risk for some of the patients using the currently unfixable products.

While this type of risk problem is also found in many of the industrial product advisories published by Siemens (as we can see in the large number of periodic updates published providing mitigation measures for yet another covered product on the original vulnerability list), the situation is a tad bit different. One should expect owners of industrial control system devices to be better masters of their cybersecurity environment than are patients hooked up to medical devices.

I am concerned, however, about how well Siemens will be able to communicate their advisories to the medical device owners. While Siemens may be able to push advisories to registered owners (and I do not know that they will be pushing advisories as opposed to just statically publishing them on their LifeNet web site) the reality of the situation is that Siemens has no way to track who is using their devices once they are sold to the initial customer (see for example this 2005 Siemens 1.5T Magnetom Espree for sale on Ebay). How is Siemens going to deal with ensuring that owners of devices sold in the aftermarket get these advisories?

Siemens has been proactive in publicly publishing cybersecurity advisories across their entire product line. Not only do they publish advisories for vulnerabilities reported by independent security researchers (directly reported or coordinated through a variety of CERTs), but they also self-disclose vulnerabilities in many of their advisories. I expect that this will continue. But if Siemens is restricting access to their Healthineer advisories to just registered owners, gadflies like myself and security researchers are not going to be able to monitor their security efforts to make sure that they are taking all appropriate steps to protect the patients from undue cybersecurity risks.
