Saturday, November 30, 2019

Public ICS Disclosures – Week of 11-23-19


This week we have two vendor disclosures from Drager and Moxa. We also have two possible 0-day exploits for products from AVEVA.

Drager Advisory


Drager published an advisory describing two vulnerabilities in their SC Monitoring product line. The vulnerabilities were reported by Jeroen Slobbe and Max Grim. The products have reached end-of-life and no mitigation measures are being offered by Drager.

The two reported vulnerabilities are:

• Denial of service; and
• Hard-coded credentials

Moxa Advisory


Moxa published an advisory concerning the URGENT/11 vulnerabilities. They report that none of their products are affected.

AVEVA Exploits


Chuyreds published exploit code for a denial of service vulnerability in the AVEVA InTouch Machine. There is no report of a CVE number or vendor coordination in the document so this may be a 0-day vulnerability.

Chuyreds published exploit code for a denial of service vulnerability in the AVEVA InduSoft Web Studio. There is no report of a CVE number or vendor coordination in the document so this may be a 0-day vulnerability.

NOTE: The exploits look very similar, so this probably reflects a common vulnerability in the two products. I do not see an AVEVA advisory for the two products with a similar vulnerability.

Wednesday, November 27, 2019

Bills Introduced – 11-26-19


Yesterday with both the House and Senate meeting in pro forma session (just the absolute bare minimum of congresscritters present – 2 or 3 per chamber) there were 13 bills introduced. Two of those bills may receive additional coverage in this blog:

HR 5274 To Making continuing appropriations for the Coast Guard. Rep. Van Drew, Jefferson [D-NJ-2] 

HR 5275 To make continuing appropriations for the Federal Aviation Administration for fiscal year 2020. Rep. Van Drew, Jefferson [D-NJ-2]

Well, since Van Drew is not on the House Appropriations Committee, these bills will probably go nowhere. Even so, these two bills are symbols of the continuing problem with the appropriations process. Controversies in a relatively small portion of the spending process are holding up the approval of the spending for the remaining portions of the government.

Tuesday, November 26, 2019

2 Advisories Published – 11-26-19

Today the CISA NCCIC-ICS published two control system security advisories for products from ABB.

ABB Advisory #1


This advisory describes a path traversal vulnerability in the ABB Relion 670 series. The vulnerability was reported by Kirill Nesterov of Kaspersky Lab. ABB has new versions that mitigate the vulnerability. There is no indication that Nesterov has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to read and delete files on the device.

ABB Advisory #2


This advisory describes an improper input validation vulnerability in the ABB  Relion 650 and 670 Series. The vulnerability was reported by Ilya Karpov, Evgeniy Druzhinin, and Victor Nikitin of ScadaX. ABB has new versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to reboot the device, causing a denial of service.

NOTE: I briefly reported on both of these vulnerabilities and a third that was also reported by ABB on the same day back in October. The third advisory dealt with OpenSSL vulnerabilities.

Monday, November 25, 2019

Bills Introduced – 11-22-19


On Friday with both the House and Senate meeting in pro forma sessions (Congress left Washington a little early for their Thanksgiving holidays) there were 18 bills introduced. One of those bills may receive additional coverage in this blog:

HR 5260 To improve understanding and forecasting of space weather, and for other purposes.  Rep. Perlmutter, Ed [D-CO-7] 

Actually, the term ‘space weather’ covers a broad array of solar related events that are not typically mentioned here. In this blog I would only be interested in space weather events that resulted in geomagnetic storms as those can have potential safety and security consequences, particularly for the electric grid. So this bill will only receive coverage here if it specifically addresses geomagnetic storm forecasting.

Saturday, November 23, 2019

Public ICS Disclosures – Week of 11-16-19


This week we have four vendor disclosures for products from 3S, Moxa (2) and Johnson Controls. There are also three exploit reports for products from Emerson, FlowChief, and GE.


3S Advisory


3S published an advisory describing a heap-based buffer overflow vulnerability in their CODESYS V3 web server. The vulnerability was reported by an OEM customer and Tenable, Inc. 3S has a new version that mitigates the vulnerability. There is no indication that Tenable was provided an opportunity to verify the efficacy of the fix.

NOTE 1: The Tenable report provides proof-of-concept exploit code.

NOTE 2: A reminder that 3S (Codesys) software is included in product from a large number of vendors (including the unnamed ‘OEM vendor’ who reported the vulnerability to 3S). Other vendors will have to fix the problem in their systems.

Moxa Advisories


Moxa published an advisory describing a denial of service vulnerability in the PROFINET implementation in their Moxa’s EDS-G508E, EDS-512E, and EDS-516E Series Ethernet Switches. The vulnerability was reported by Yuval Ardon and Matan Dobrushin of Otorio. Moxa has a patch available that mitigates the vulnerability. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

Moxa published an advisory describing an improper sanitization of special elements used in Web GUI in their EDR-810 Series Secure Routers. The vulnerability was reported by Neil Pope and Rhys Cable of Motherwell Advanced Technologies Cyber Review Team. Moxa has a new firmware version that mitigates the vulnerability. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

Johnson Controls Advisory


Johnson Controls has published an advisory on the BlueKeep vulnerability in their  4190 PC Annunciator product running on Windows 7® systems. The 4190 PC Annunciator is out-of-support and Johnson Controls has no replacement product.

Emerson Exploit


Luiz Martinez published an exploit for an unquoted service path vulnerability in the Emerson PAC Machine. There is no CVE number associated with this report and no information about coordination with Emerson. This may be a 0-day exploit.

FlowChief Exploit


Luiz Martinez published an exploit for a denial-of-service vulnerability in the FlowChief scadaApp for iOS. There is no CVE number associated with this report and no information about coordination with FlowChief. This may be a 0-day exploit.

GE Exploit


Luiz Martinez published an exploit for a denial-of-service vulnerability in the GE Open Proficy HMI-SCADA app. There is no CVE number associated with this report and no information about coordination with GE. This may be a 0-day exploit.

Commentary


With all three of the above exploits being potential 0-days, the question will certainly arise; why did I publish these notices? Am I not giving publicity to researchers who cannot be bothered coordinating their disclosures? My intention is to ensure that the users of the affected systems know that public exploits are available. This would be valuable information for risk assessment purposes and lacking the information that is widely available to the ‘bad guys’ is not a good way to stay safe and secure.

Now I would much rather see researchers like Martinez coordinate their disclosure with the vendor or one of any of a wide variety of disclosure coordinators (NCCIC-ICS or ZDI for instance). Lacking that, I would rather see them publishing on public forums like FullDisclosure or exploit-DB than selling the exploits on the DarkWeb.

Friday, November 22, 2019

Fall 2019 Unified Agenda Published – DHS


This week the OMB’s Office of Information and Regulatory Affairs (OIRA) published the Fall 2019 Unified Agenda. There has been one item of interest here that was removed from the DHS portion of the Unified Agenda.

Current Agenda


The table below shows the DHS rulemakings that I am following in the Current Unified Agenda. There are no new items in this list nor was there any change status in the items that are still listed here.

OS
Final Rule Stage
Homeland Security Acquisition Regulation: Safeguarding of Controlled Unclassified Sensitive Information (HSAR Case 2015-001)
OS
Final Rule Stage
Homeland Security Acquisition Regulation: Information Technology Security Awareness Training (HSAR Case 2015-002)
USCG
Prerule Stage
Identifying Barriers to Autonomous Vessels
USCG
Final Rule Stage
2013 Liquid Chemical Categorization Updates
USCG
Final Rule Stage
TWIC Reader Requirements; Delay of Effective Date
TSA
Proposed Rule Stage
Vetting of Certain Surface Transportation Employees
TSA
Final Rule Stage
Protection of Sensitive Security Information
TSA
Final Rule Stage
Security Training for Surface Transportation Employees

There are no Cybersecurity and Infrastructure Security Agency does not currently have any rulemakings on the active portion of the Unified Agenda. The one item that was on the Spring 2019 Unified Agenda (1670-AA00 - Ammonium Nitrate Security Program) was moved to the Long-Term Actions portion of the Unified Agenda.

Long-Term Agenda


The table below shows the rulemakings that I am following in the Long-Term Actions section of the Unified Agenda for DHS.

USCG
Amendments to Chemical Testing Requirements
TSA
Surface Transportation Vulnerability Assessments and Security Plans
CISA
Ammonium Nitrate Security Program
CISA
Chemical Facility Anti-Terrorism Standards (CFATS)
CISA
Updates to Protected Critical Infrastructure Information (PCII) Program

The only change to this list is the one that I noted earlier.

Commentary


I noted earlier this week on TWITTER® that a TWEET announcing the upcoming publication of the Unified Agenda: “Over states importance and accuracy of Unified Agenda. Most items on agenda predate Trump, many predate Obama.” Some of the rulemakings listed above date from as far back as 2008. No one should pay too much attention to these listings; these may get addressed but lots of rulemakings never make it onto the Unified Agenda.

Senate Passes Two Cybersecurity Bills – S 333 and S 1846


Yesterday the Senate passed two cybersecurity bills under their unanimous consent process. There was no debate and no vote. The bills now move to the House.

The two bills were:

S 333, the National Cybersecurity Preparedness Consortium Act of 2019; and
S 1846, the State and Local Government Cybersecurity Act

A companion bill (HR 1062) was introduced in the House, but no action has been taken on that bill in Committee. This bill passing in the Senate may allow that roadblock to be bypassed.

S 1846 has not received any coverage in this blog beyond its introduction because there is nothing in the language that addresses control system security issues.

S 2818 Introduced – FLARE Act


Earlier this month Sen Markey (D,MA) introduced S 2818, the Fuel Loss Abatement and Royalty Enhancement (FLARE) Act. The bill would require the Department of the Interior to establish regulations to control the venting and flaring of gas “in oil and gas production operations on Federal land”.

The Regulations


Section 2 of the bill requires the DOI to issue regulations within 180 days “to ban the venting and flaring of gas in oil and gas production operations on Federal land onshore and offshore in the United States” {§2(a)(1)}. Exceptions would be required for:

• De minimis venting and flaring; and
• Venting and flaring that the Secretary determines is required for safety.

As a carrot to support the ban the regulations would also be designed to “promote the capture and beneficial use or reinjection of gas in the operations” {§2(a)(2)}. And as an additional ‘incentive’ the regulations would be required to “include provisions that treat gas that is flared or vented in operations under a lease under this Act as production for which royalty is required to be paid to the United States” {§2(b)}.

The bill would also require those regulations to include definitions (to be determined by DOI) for the terms:

• Vent;
• Venting;
• Flare; and
• Flaring

Report to Congress


The bill would also require the Government Accounting Office to “assess the venting and flaring of gas in oil and gas production operations on Federal land onshore and offshore in the United States” {§3(1)}. A report to Congress on that assessment would include “an estimate of the volume of gas that is vented or flared in such operations each year” {§3(2)}.

Moving Forward


Markey is not a member of the Senate Energy and Natural Resources Committee to which this bill was assigned for consideration. This means that it is unlikely that he has enough influence in that Committee to see the Bill considered. If the bill were considered, I would expect to see significant opposition from Republican members of the Committee because of the increased regulations that this bill would require.

Commentary


Presumably Markey is trying to address the climate effects caused by the release of methane gas, a large portion of most of the gas emissions from oil and gas production facilities. Methane is a ‘stronger’ greenhouse gas than CO2 and for most of the history of oil production in the United States it has been routinely vented to the atmosphere as a waste product as the economies of collecting the gas for processing and sale were poor at best. That has changed in recent years as more and more oil field production has been focused on collecting and selling natural gas.

Still, methane venting/flaring is still rather common, especially in older production areas where the gas production volume is lower and the costs of collection and transportation are still high.

Markey has taken an interesting approach to the issue with providing minimal guidance on the required regulations. While requiring a ban he does allow for the Secretary to determine what venting/flaring is required for safety. This is a major concern.

Most oil field collection tanks are ‘atmospheric tanks’. That means that they are not designed as pressure vessels. As liquid is fed into those tanks the displaced air in the tanks and any gasses in the liquid stream are automatically vented to the atmosphere to avoid rupturing the tank due to increased pressure as the gasses are compressed in the headspace of the tank. When flammable gasses are expected to be included in that venting in significant quantities an ignition device is include at the outlet of the vent to burn off the flammable gasses so that they cannot collect in the area around the tank and form a flammable vapor cloud; a very dangerous potential circumstance.

In fields where high concentrations of natural gas exist, the effort is made to collect that gas in pressurized tanks. Those tanks still have venting requirements to prevent over-pressuring the tank. Unfortunately, the installation, maintenance and collection of gas from those tanks is costly and is financially justified only when there is a commercial amount of natural gas being produced.

If Markey is, in fact, trying to prevent the release of a potent greenhouse gas this bill should be trying to reduce venting not flaring. Flaring converts the flammable gases to CO2 and water, but that CO2 would be produced if the gas were collected for commercial use. This means that flaring does not have any significant effect on CO2 production.

Markey’s inclusion of royalties’ provision in the bill would seem to be reasonable at first-glance. The gasses being flared are being ‘removed’ from federal lands after all. On closer examination, what this provision will do is to raise the price of oil extraction, especially from older fields, as gas flow measurement instruments are added to vent/flare lines. That would also require a data collection system that would also increase the cost associated with this requirement.

It is hard to tell exactly what Markey’s intentions are with this bill. On one hand it looks like he is trying to increase the costs of oil and gas extraction as ‘green’ effort to reduce that extraction. On the other hand, the total freedom given to DOI in crafting the regulation, including the ability to define all of the key terms, could mean that this is an honest effort to increase the safety and reduce he environmental footprint of this key energy production effort.

Well, we will probably never get to know; this bill is unlikely to go anywhere.

Thursday, November 21, 2019

HR 3699 Reported in House – Pipeline Security Act


Earlier this week the House Homeland Security Committee published their report on HR 3699, the Pipeline Security Act. The report reflects the changes made by the Committee to the language of the bill during a markup hearing held on July 17th, 2019. The changes and adoption were done under unanimous consent process. A revised version of the bill has also been published.

Changes to Bill


Most of the changes to the bill were to the wording of the new 6 USC 1209(d) proposed in the bill. Paragraph (1) was amended to specifically include the NIST Framework for Improvement of Critical Infrastructure Cybersecurity (CSF) as one of the consultative works to be used in developing the “guidelines for improving the security of pipeline transportation and [protecting?] pipeline facilities against cybersecurity threats”.

The paragraph (4) opening phrase was changed to read “Conducting voluntary security assessments”.

Paragraph (5) was completely rewritten to read:

“(5) Carrying out a program to inspect pipeline transportation and pipeline facilities, including inspections of pipeline facilities determined critical by the Administrator based on a risk assessment conducted in consultation with relevant Federal, State, local, Tribal, and territorial entities and public and private sector stakeholders. through which the Administrator identifies and ranks the relative risk of pipelines and inspects pipeline facilities designated by owners and operators of such facilities as critical based on the guidelines developed pursuant to paragraph (1).

A new §6 was added to the bill that would require TSA to “convene not less than two industry days to engage with relevant pipeline transportation and pipeline facilities stakeholders on matters related to the security of pipeline transportation and pipeline facilities”.

The Report


The report notes that (pg 2):

“This bill cements that both the physical and cyber security of pipelines fall within TSA’s jurisdiction at the Federal level. The bill also requires TSA to bolster its pipeline security activities and develop a strategy for staffing such efforts appropriately.”

With regards to the cost of the legislation, the report notes:

“Because TSA is already pursuing activities similar to those called for in the bill, CBO estimates that implementing H.R. 3699 would have no significant effect on spending subject to appropriation.”

Moving Forward


The strong bipartisan support seen in the Committee for this bill means that the bill will probably move forward to the full House under the suspension of the rules process. This means that there will be limited debate, no floor amendments and the bill will require a supermajority to pass.

Commentary


I was not really happy with the level of authority provided to the TSA in the original bill for pipeline security. Unfortunately, what little authority was in the original language has been significantly reduced by the changes made by the Committee. First the revised bill makes it even clearer that the security program developed under the new §1209 is voluntary. Next facility owners are now the ones that determine what facilities would be subject to the ‘voluntary’ inspections.

These changes were almost certainly made in response to concerns my industry that they might be required to incur additional costs to comply with a new security program. That the revised language was adopted by unanimous consent means that those concerns have been adequately addressed. This now begs the question of the adequacy of the security program. It would seem that the Committee’s Report is correct, this bill will not really change anything.

What will be interesting to see is that if this is passed, will Congress next year provide enough funds to support the new ‘Pipeline Security Section’ established by this bill. Probably not as we are almost certainly going to see another spending fiasco where we will have essentially a full year continuing resolution. This bill would have been more impressive (even with the new ‘voluntary’ compliance language) if it had established a minimum manning level for the Section and had authorized monies for the program. Of course, that would have killed any prospects for passing the bill.

One other sad commentary in this bill is that the Cybersecurity and Infrastructure Security Agency (CISA) has been tasked to provide the personnel to support the cybersecurity aspects of the proposed program. This probably reflects the unfortunate reality that there are too few control system security experts in the federal government to stand up a new cybersecurity program in DHS. This will mean, of course, that the ability of CISA to respond to its own mission requirements will be diminished by the reduction in its manpower resources.

OMB Approves NIST SP 800-18


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved the publication of a revision to NIST Special Publication 800-18. This guide for federal information-system security planners was originally published in 1998 and updated in 2006. This document was submitted to OIRA back in August.

As with most guidance documents, this publication has not been listed in the Unified Agenda. It will be interesting to see if there is any mention of security for federal OT systems.

NIST should publish this document fairly quickly, certainly more quickly than most agencies publish approved rulemakings under the Trump Administration.

Wednesday, November 20, 2019

Senate ENR Amends and Approves Cybersecurity Bills – 11-19-19


Yesterday the Senate Energy and Natural Resources Committee held a business meeting to consider three nominations and markup 19 bills. Those bills included three cybersecurity bills that have been covered in this blog. All three of those bills were amended and then passed on voice votes.

S 876, DOE Vet Training


The Committee considered S 875, the Energy Jobs for Our Heroes Act of 2019. A staff amendment was adopted by the Committee rewrote the proposed §1107(f) by removing the grant funding provisions and removed (g) the spending authorization provisions of the bill. A second amendment was proposed by Sen Lee (R,UT) and it was also adopted by the Committee. The Lee amendment provided more detailed information about what was to be included in the Report to Congress required by (h) {changed to (g) by the previous amendment}.

S 2556, Cybersecurity Investment


The Committee considered S 2556, the PROTECT Act. The Committee adopted an amendment in the nature of a substitute. The substitute language:

Adds §219A(c)(2) that adds a prohibition of duplicate recovery to the rate recovery provision; and
Adds §3(a)(2)(E) that adds “an investor-owned electric utility that sells less than 4,000,000 megawatt hours of electricity per year” to the list of entities eligible for the e Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program.

S 2714, ARPA-E Reauthorization


The Committee considered S 2714, the ARPA–E Reauthorization Act of 2019. The Committee adopted an amendment. That amendment inserted a new §2(c) and renumbered the subsequent sub-sections. The new subsection amends 42 USC 16538(f). The new language would allow DOE to consider past grant performance during the award of new grants.

Moving Forward


These three bills had significant bipartisan support in Committee, but Lee insisted on being recorded as a Nay vote on each of the bills. This means that he would be likely to raise an objection if the bills were offered for consideration under the Senate’s unanimous consent process. If that were to happen the bills would not be adopted under those provisions and would have to be considered under regular order. None of these bills is important enough to take up the Senate’s time under regular order.

The only other way that these bills could be considered would be as part of a DOE authorization bill.

Bills Introduced – 11-19-19


Yesterday with both the House and Senate in session there were 55 bills introduced. Two of those bills may receive additional coverage in this blog:

HR 5175 To amend title 49, United States Code, to provide enhanced safety in pipeline transportation, and for other purposes. Rep. Crawford, Eric A. "Rick" [R-AR-1]

S 2893 A bill to amend the Comprehensive Environmental Response, Compensation, and Liability Act of 1980 to provide for the consideration of climate change, and for other purposes. Sen. Harris, Kamala D. [D-CA] 

House Amends and Re-Passes HR 3055 – FY 2020 CR


Yesterday the House took up the Senate amendment to HR 3055, FY 2020 spending minibus, and approved that amendment after substituting new language for the Senate amendment. The approval vote was nearly a party-line vote of 231 to 192 (10 Democrats and 12 Republicans switched sides). The bill goes to the Senate, probably today.

A party-line vote normally means that the bill will have a difficult time being considered in the Senate. It certainly would not normally be expected to be considered under the unanimous consent process; a single voice can stop that consideration. To be considered under regular order means that the bill would require a 2/3 vote on the debate cloture motion and a party-line vote normally means that there would not be sufficient vote to close debate.

Earlier this year when the House passed HR 4378, the current CR, the vote was more bipartisan; 301 to 123. The conservative members of the House generally object to continuing resolutions (especially short-term CRs) because they interfere with program changes and generally shortchange most spending programs.

That earlier CR passed in the Senate by a mostly bipartisan vote of 81 to 16. This was roughly the same percentage (about 70%) of yes votes in both the House and Senate. If that vote standard holds for this bill, HR 3055 may not pass the Senate as it would not be able to achieve cloture.

During yesterday’s debate, everyone agreed that continued funding of the Federal government was an important goal and that a full spending bill was needed. The Republican opposition to this CR, however, was outlined by Rep. Grainger (R,), Ranking Member of the Appropriations Committee (pg H9038):

“At that time [passage of HR 4378] the budget deal had just been signed into law, and the Senate had not yet started consideration of full appropriations measures for fiscal year 2020. By voting for the last CR, I argued at the time that we would provide enough time for appropriators in the House and the Senate to complete work on full-year appropriations bills.
“Unfortunately, not only has that not happened, there still has not even been an agreement reached on spending levels for those bills. No business in the world could survive on temporary funding doled out on a month-to-month basis. The uncertainty created by the habit Congress finds itself in of repeated CRs and the continual threat of a shutdown is crippling, especially for our military.”

The vote today in the Senate could go either way. And, if the bill does pass, we still have to wait for the last-minute decision by the President on whether or not he will sign the bill. Indications are that he will, but there is no telling what he will do when the time comes to act.

NOTE: The current CR expires at midnight tomorrow night.

Tuesday, November 19, 2019

1 Advisory Published – 11-19-19


Today the CISA NCCIC-ICS published a control system security advisory for products from Flexera.

Flexera Advisory

This advisory describes four vulnerabilities in the Flexera FlexNet Publisher software license manager. The vulnerabilities were reported by Sergey Temnikov of Kaspersky. Flexera has a new version that mitigates the vulnerability. There is no indication that Temnikov has been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Improper input validation (3) - CVE-2018-20031, CVE-2018-20032 and CVE-2018-20034; and
• Memory corruption - CVE-2018-20033

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to deny the acquisition of a valid license for legal use of the product. The memory corruption vulnerability could allow remote code execution.

Previously Reported


These same four CVE#s were reported by Schneider in their Floating License Manager back in May 14th, 2019 followed by an NCCIC-ICS advisory on July 11th, 2019. NIST reported the CVE#s as being in the FlexNet Publisher on March 25th, 2019 with the following link to the Flexera advisory (registration required).

The FlexNet Publisher is fairly obviously being used by Schneider. We have seen this sort of vulnerability pairing between the two products on multiple occasions. I suspect that other vendors are also using FlexNet Publisher in their products. Should we be seeing more vulnerabilities on these 4 CVE’s? Apparently only if other researchers like Temnikov check other license managers to see if they can see the same problem.

Rules Committee to Reconsider HR 3055 as CR


Today the House Rules Committee will meet to formulate the rule to consider the Senate amendments to HR 3055, the first House minibus. The Committee will consider substitute language for the Senate amendment that will turn HR 3055 into a continuing resolution that would extend the date of the current CR until December 20th, 2019.

The hearing web site shows that three amendments have been offered on the revised language. The current proposed language is very similar to HR 4378 (the current CR) and is a relatively clean CR. Two of the offered amendments (Amash and Womack) are more than a little controversial and are unlikely to make it to the floor of the House; where they would be rejected in near party-line votes anyway. The third, Brindisi, is a study and report amendment which are generally less controversial, but I doubt that it will be included either.

Given the Thursday deadline on the current CR, I expect that the House will take up this bill tomorrow and pass it with a significant bipartisan vote. The Senate may take it up tomorrow as well and it will make it to the President’s desk before midnight Thursday in any case. According to news reports, the White House has indicated that the President will sign it, but you never can tell.

There is one bid of potential bad news with HR 3055 being used as the vehicle for this CR. HR 3055 is the only spending bill that the Senate has been able to pass. This should have been the one spending bill that could have made it out of conference. Using it for a CR would seem to indicate that the conferees could not work out a deal on this bill. That bodes ill for an omnibus bill next month. We may still end up with a full year CR.

HR 4634 Passed in House – TRI Reauthorization


Yesterday the House passed HR 4634, the Terrorism Risk Insurance Program Reauthorization Act of 2019. The vote was a strongly bipartisan vote of 385 to 22.  The bill is likely to be taken up in the Senate under their unanimous consent process; this would mean no debate and no actual vote.

The version considered by the House has yet to be published (nor has the Committee report on the amended version of the bill), but the Committee web site provides a copy of the amended language. The revised bill does make an attempt to address the cyber concerns that I expressed (okay, almost certainly not as a result of my blog post) in my introduction blog. Instead of including provisions specifically addressing potential cyberattack effects, it requires a study of the potential effects of the problem and a report to Congress on how future amendments of the bill should address those potential effects.

Rep McHenry (R,NC), the Ranking Member of the House Financial Services Committee, commented on the potential need for these provisions during yesterday’s debate:

“What I am concerned about is this: I am concerned a large-scale cyberattack could pose these same hidden risks to insurers and to the market, since we don’t fully understand the effects of a large-scale cyberattack and how that would play out today.
“Moreover, the digital capabilities of our adversaries only continue to grow. Just look at Russia. In 2015, a Russian cyberattack shut down Ukraine’s power grid for as long as 6 hours. If it is not Russia, it is China, Iran, North Korea. State sponsors of terror want to cause as much damage to the United States as they can. And that is not just the government’s fear or utilities, it is every part of our economy.
“It is our duty to make sure that this program is adaptable to respond to any event that could become a reality.”

Monday, November 18, 2019

Committee Hearings – Week of 11-17-19


This week the impeachment hearings continue to attract the main attention of politicians and, to a lesser extent, the public. There are two markup hearings this week; one in the House that will deal with a pipeline safety bill, and one in the senate that will address cybersecurity bills.

Pipeline Safety Hearings


On Tuesday the House Energy and Commerce Committee will hold a markup hearing that will consider 18 bills. One of those bills is HR 5120 that was introduced last Friday. The official version of the bill has yet to be printed, but a Committee Print is available and a summary is included in the Committee Briefing Notes. I have not yet had a chance to review the bill.

Cybersecurity Hearing


On Tuesday the Senate Energy and Natural Resources Committee will hold a business meeting that will consider 17 bills and three nominations. The list includes 3 cybersecurity related bills:

S 876, to amend the Energy Policy Act of 2005 to require the Secretary of Energy to establish a program to prepare veterans for careers in the energy industry, including the solar, wind, cybersecurity, and other low-carbon emissions sectors or zero-emissions sectors of the energy industry;

S 2556, to amend the Federal Power Act to provide energy cybersecurity investment incentives, to establish a grant and technical assistance program for cybersecurity investments;

S 2714, to amend the America COMPETES Act to reauthorize the ARPA-E program,

On the Floor


On Tuesday the House will consider HR 4634; Terrorism Risk Insurance Program Reauthorization Act of 2019 (as amended) under the suspension of the rules process. This means that there will be limited debate, no floor amendments and a super majority will be required for passage. A significant bipartisan majority is expected on this bill.

It is likely that the House Rules Committee will take up a continuing resolution some time this week to continue funding the government, probably through sometime next month.

Bills Introduced – 11-15-19


On Friday with just the House in session there were 21 bills introduced. One of those bills may see future coverage in this blog:

HR 5120 To amend title 49, United States Code, to provide enhanced safety and environmental protection in pipeline transportation, and for other purposes. Rep. DeFazio, Peter A. [D-OR-4]


Saturday, November 16, 2019

Public ICS Disclosures – Week of 11-09-19


This week we have four vendor disclosures for products from ABB, Gemalto and Schneider (2). We also have updates for products from Schneider (6) and Siemens (2). Finally, we have 26 exploits published for products from Siemens and several building access control systems.

ABB Advisory


ABB published an advisory describing an Active-X/Java Script vulnerability in the ABB Automation Builder and Drive Application Builder products. The vulnerability is in a third-party component from 3S. The vulnerability was reported by Heinz F├╝glister of WRH Walter Reist Holding AG. ABB provides generic workarounds pending development of new versions that will mitigate the vulnerability.

Gemalto Advisory


Gemalto published an advisory (available to registered customers only) for undisclosed vulnerabilities in the Sentinel LDK License Manager.

Schneider Advisories


Schneider published an advisory describing a failure to preserve web page structure vulnerability in the Andover Continuum line of controllers. The vulnerability was reported by Ken Pyle, DFDR Consulting. Schneider recommends disabling the web server in this legacy product.

Schneider published an advisory describing and information exposure vulnerability in the Modicon Controllers. The vulnerability is self-reported. Schneider has provided generic workarounds to mitigate the vulnerability.

Schneider Updates


Schneider published an update for their  URGENT/11 advisory. The new information includes:

• Updated Remediations for ConneXium Industrial Firewall, Easergy Micom C264 Controller, and Modicon M262 Logic/Motion Controller;
• Enhanced product list with additional details for Modicon X80 I/O modules;
• Added Modicon Quantum Head 140 CRP and Modicon Momentum Unity; and
• Removed TMSES4 Ethernet Module from affected products

Schneider published an update for their DejaBlue advisory.  The new information includes:

• Added EcoStruxure Technology Platform (ETP) to the affected product list;
• Updated remediation for EcoStruxure Substation Operation Gateway (page 4), and
• Updated the affected product details for Conext Control

Schneider published an update for their BlueKeep advisory. The new information includes updated “Conext Control” affected products and remediation detail.

Schneider published an update for their ZombieLoad advisory. The new information includes updated affected product details for “Conext Control” product.

Schneider published an update for their ConneXium Gateway advisory that was originally published on May 14th, 2019. The new information includes updated affected products to include EGX100 and
ECI850 variants.

Schneider published an advisory for their Triconex advisory that was originally published on March 12th, 2019. The new information includes remediations updated.

Siemens Updates


Siemens published an update for their GNU/Linux advisory that was originally published on November 27th, 2018. The new information includes adding six new CVE’s:

• CVE-2017-18551;
• CVE-2018-5390;
• CVE-2018-20856;
• CVE-2019-15902,
• CVE-2019-15916; and
• CVE-2019-15921

Siemens published an update for their ZombieLoad advisory. The new information includes updated version and mitigation information for:

• SIMOTION P320-4E;
• SIMOTION P320-4S; and
• SIMATIC IPC547G

Siemens Exploit


LiquidWorm published an exploit for a previously disclosed vulnerability in the Siemens Desigo PX automation controllers.

Building Automation Exploits


LiquidWorm published a series of exploits for building automation vulnerabilities that were described in a white paper by Applied Risk in June.

Friday, November 15, 2019

New DHS SBIR Topics Published – 11-14-19


Yesterday the DHS Science and Technology Directorate (S&T) published a notice for 11 new pre-solicitation Small Business Innovation Research (SBIR) topics for possible future research programs out of the SBIR program. During pre-solicitation organizations can ask questions of the responsible S&T program managers to help those organizations understand the topic and decide if they want to try to participate in the research program. The pre-solicitation phase end on December 17th, 2019.

Overview


Nine of the topics come from S&T (topic #):

• Next Generation 9-1-1 (NG 9-1-1) Multimedia Content Analysis Engine Capability for the Emergency Communications Cyber Security Center (EC3) – (DHS201-001)
• Remote Sensor Data Protection and Anti-Spoofing – (DHS201-002)
• Digital Paging over Public Television (DHS201-003)
• Soft Targets and Crowded Places Security (DHS201-004)
• In-building Coverage Analysis System (ICAS) Using Existing First Responder’s Radio and Smartphone (DHS201-005)
• Handheld Advanced Detection/Imaging Technology System (DHS201-006)
• Enhanced Explosives and Illicit Drugs Detection by Targeted Interrogation of Surfaces (DHS201-007)
• Urban Canyon Detection Tracking and Identification of Small Unmanned Aerial Vehicles (DHS201-008)
• Machine Learning Module for Detection Technologies (DHS201-009)


Two of the topics come from the Countering Weapons of Mass Destruction (CWMD) Office:

• Innovative Technologies for Next Generation of Sample Collection Media (DHS201-010)
• Development and Evaluation of Nucleic Acid-Based Assays to Accelerate Biohazard Detection (DHS201-011)

Information on each topic as well as the point of contact information is available in this document [.PDF download link]. Each topic discussion closes with an interesting set of reference document links.

Sensor Data Protection


Topic #2, Remote Sensor Data Protection and Anti-Spoofing, is designed to address sensor issues along the US border (presumably Mexico, the Canadian border is much softer), but the topic discussion does note at least one potential commercial application; medical devices (pg 5):

“One potential commercial path is to guarantee that medical device sensor information has not been modified. This applies to implanted pacemakers or infusion pumps in particular.”

I think that this technology could be useful in a large number of other applications; anywhere that remote sensors are used to monitor and/or control operations. This would certainly include chemical manufacturing and transportation, but also access control, HVAC, automated roadways, the potential list is endless.

Small UAS in the Urban Canyon


Topic # 8 starts out with an excellent discussion of the problem (pg 18):

“The commercial use of unmanned aerial systems (UAS) in urban environments for applications such as package deliveries and surveying are expected to start soon. Nefarious uses of UAS in the urban environment will follow. Current technology for UAV detection, tracking, and identification is problematic. The detection and tracking of UAVs (both singular and swarms) is a critical task complicated by low flight height, small radar cross sections, and a complex background that include birds, insects, and flying debris. The problems for this task increase further with complex structures and high buildings that for urban canyons that block lines of sight.”

This topic is clearly not a weapon development solicitation, but instead for a detection and tracking tool. The author clearly intends, however, for this to possibly become part of a future weapon system development effort. See bullet point 3 in the ‘demonstration’ requirements: “Performs within timelines useful for completing a fire control loop [emphasis added] needed for mitigating nefarious UAVs”.

Bills Introduced – 11-14-19



Yesterday with both the House and Senate in session there were 75 bills introduced. One of those bills may receive additional coverage in this blog:

S 2877 A bill to reauthorize the Terrorism Risk Insurance Act of 2002, and for other purposes. Sen. Tillis, Thom [R-NC]

6 Advisories and 2 Updates Published – 11-14-19


Yesterday the CISA NCCIC-ICS published five control system security advisories for products from ABB, Omron and Siemens (3); and one medical device security advisory for products from Philips. They also updated two previously published advisories for products from Siemens.

ABB Advisory


This advisory describes an authentication bypass using an alternate path or channel vulnerability in the ABB Power Generation Information Manager (PGIM) and Plant Connect monitoring platforms. This vulnerability was reported by Rikard Bodforss. ABB reports that PGIM will transition to a limited support phase in January 2020, and Plant Connect is already obsolete.

NCCIC reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow a remote attacker to bypass authentication and extract credentials from the device.

NOTE: I briefly reported on this vulnerability earlier this month.

Omron Advisory


This advisory describes a use of obsolete function vulnerability in the Omron CX-Supervisor. The vulnerability was reported by Michael DePlante of the Zero Day Initiative. Omron has a new version that mitigates the vulnerability. There is no indication that DePlante has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to result in information disclosure, total compromise of the system, and system unavailability.

Desigo PX Advisory


This advisory describes an external control of assumed immutable web parameter vulnerability in the Siemens Desigo PX automation controllers. The vulnerability was reported by Gjoko “LiquidWorm” Krstic from Zero Science Lab. Siemens has updates that mitigate the vulnerability. There is no indication that Kristic has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to cause a denial-of-service condition on the device’s web server, requiring a reboot to recover the web interface.

S7-1200 Advisory


This advisory describes an exposed dangerous method or function vulnerability in the Siemens S7-1200 CPU. The vulnerability was reported by Ali Abbasi from Ruhr University of Bochum. Siemens has provided generic workarounds for this vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to  expose additional diagnostic functionality to an attacker with physical access to the UART interface during boot process. The Siemens advisory notes that the attacker must have physical access to the UART interface during boot process to exploit the vulnerability (feature).
NOTE: I briefly discussed this vulnerability last weekend.

Mentor Nucleus Advisory


This advisory describes an improper input validation vulnerability in the Siemens Mentor Nucleus Networking Module. The vulnerability was reported by Armis. Siemens has updates that mitigate the vulnerability. There is no indication that Armis was provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to affect the integrity and availability of the device. According to the Siemens advisory adjacent network access (but no authentication and no user interaction) is required to exploit the vulnerability

Philips Advisory


This advisory describes an inadequate encryption strength vulnerability in the Philips IntelliBridge EC40 and EC80 data transfer devices. The vulnerability was reported by The Medical Technology Solutions team of NewYork-Presbyterian Hospital. Philips has provided generic workarounds while developing formal mitigation.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to allow an attacker unauthorized access to the IntelliBridge EC40/80 hub and may allow access to execute software, modify system configuration, or view/update files, including unidentifiable patient data.

PROFINET Update


This update provides additional information on an advisory that was originally published on October 10th, 2019. The new information includes new affected version information and mitigation measures for:

• SINAMICS S120 V4.7;
• SINAMICS S150;
• SINAMICS G130 V4.7;
• SINAMICS G150; and
• SINAMICS SL150 V4.7

Industrial Products Update


This update provides additional information on an advisory that was was originally published on September 10th, 2019 and most recently updated on October 8th, 2019. The new information includes:

• Updated version information and mitigation link for SIMATIC MV500; and
• Removed SIMATIC RF166C from affected products.

Other Siemens Updates


On Tuesday Siemens also published two other advisory updates that have not yet been addressed by NCCIC-ICS, nor do I expect them to be addressed as the underlying vulnerabilities have not been reported by NCCIC-ICS. I will report on them tomorrow.

 
/* Use this with templates/template-twocol.html */