Wednesday, February 19, 2020

EO 13905 – Responsible Use of PNT Services


Yesterday the President published a new executive order in the Federal Register (85 FR 9359-9361) on “Strengthening National Resilience Through Responsible Use of Positioning, Navigation, and Timing (PNT) Services”. EO 13905 will require actions by various agencies of the Federal Government to “foster the responsible use of PNT services by critical infrastructure owners and operators”.

Definitions:


Section 2 of the order provides a listing of the critical definitions used; they include:

PNT services – any system, network, or capability that provides a reference to calculate or augment the calculation of longitude, latitude, altitude, or transmission of time or frequency data, or any combination thereof.

Responsible use of PNT services – the deliberate, risk-informed use of PNT services, including their acquisition, integration, and deployment, such that disruption or manipulation of PNT services minimally affects national security, the economy, public health, and the critical functions of the Federal Government.

PNT profile – a description of the responsible use of PNT services—aligned to standards, guidelines, and sector-specific requirements—selected for a particular system to address the potential disruption or manipulation of PNT services.

PNT Profiles


Section 4 of the Order requires the Department of Commerce (DOC) to develop PNT profiles. Those profiles will {§4(a)}:

• Enable the public and private sectors to identify systems, networks, and assets dependent on PNT services;
• Identify appropriate PNT services;
• Detect the disruption and manipulation of PNT services; and
• Manage the associated risks to the systems, networks, and assets dependent on PNT services.

PNT profiles will be referenced in the Coast Guard’s Federal Radionavigation Plan.

DHS will develop a plan to “test the vulnerabilities of critical infrastructure systems, networks, and assets in the event of disruption and manipulation of PNT services.” The results of the tests will be used to update PNT profiles.

Where appropriate, PNT profiles will be referenced in Federal acquisition contracts “with the goal of encouraging the private sector to use additional PNT services and develop new robust and secure PNT services.”

DOT, DOE and DHS will develop pilot programs “to engage with critical infrastructure owners or operators to evaluate the responsible use of PNT services.” These pilot programs will help inform efforts by the Director of The White House Office of Science and Technology Policy (OSTP) to develop a national plan “for the R&D and pilot testing of additional, robust, and secure PNT services that are not dependent on global navigation satellite systems (GNSS).” In support of this effort, the DOC will “make available a GNSS-independent source of Coordinated Universal Time, to support the needs of critical infrastructure owners and operators”.

Commentary


This is not the first presidential policy on PNT issues. In 2004, President Bush updated the 1996 policy document on U.S. Space-Based Positioning, Navigation, and Timing Policy. That effort, however, was based upon optimizing the use of the GPS-based GNSS. Since that time, it has become obvious that spoofing the satellite signals is an operational reality, posing a potential danger to the continued use of GNSS-based PNT. This potential danger was publicly recognized as early as 2014 by the PNT Advisory Board. In 2015 DOT started looking at the use of the eLoran system as an alternative to GNSS PNT.

It will be interesting to see how DOC and the rest of the government deal with the PNT profiles mandated in this EO. The larger the number of ‘profiles’ developed, the more useful they will be to the private sector for its internal evaluation of the use of PNT services. On the other hand, minimizing the number of profiles developed will make it easier for government agencies to produce broad, minimally specific guidance documents.

Of particular usefulness would be detailed information on how to ‘detect the disruption and manipulation of PNT services’. Again, user/operators will be best served by the most detailed information available. Government agencies, however, may feel better served by providing only the most generic information.

Tuesday, February 18, 2020

4 Advisories and 1 Update Published – 2-18-20


Today the CISA NCCIC-ICS published two control system security advisories for products from Emerson and Honeywell, two medical device security advisories for products from GE and Spacelabs, and one update for products from Interpeak.

Emerson Advisory


This advisory describes a heap-based buffer overflow vulnerability in the Emerson OpenEnterprise SCADA Server. The vulnerability was reported by Roman Lozko of Kaspersky ICS CERT. Emerson has an upgrade that mitigates the vulnerability. There is no indication that Lozko has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit this vulnerability to allow an attacker to execute code on an OpenEnterprise SCADA Server.

Honeywell Advisory


This advisory describes a clear-text storage of sensitive information vulnerability in the Honeywell INNCOM INNControl 3 energy management platform. The vulnerability is self-reported. Honeywell has an upgrade available to mitigate the vulnerability.

NCCIC reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to escalate user privileges within the INNControl application.

GE Advisory


This advisory describes a protection measure failure vulnerability in the GE Ultrasound Products. The vulnerability was reported by Marc Ruef and Rocco Gagliardi of scip AG. GE has provided generic workarounds to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with local access could exploit the vulnerability to allow an attacker to gain access to the operating system of affected devices.

Spacelabs Advisory


This advisory describes the BlueKeep vulnerability in the Spacelabs Xhibit Telemetry Receiver. Spacelabs has an updated version that mitigates the vulnerability.

NOTE: A number of other vendors in both the control system and medical device realms issued advisories on this vulnerability (see my blog post here for example) beginning in May of last year. This is the first acknowledgement of vendor actions on this vulnerability from NCCIC-ICS though there was an obscure advisory on the vulnerability published by NCCIC-ICS.

Interpeak Update


This update provides additional information on the Urgent/11 advisory that was originally published on October 1st, 2019 and most recently updated on December 10th, 2019. The new information includes a link to a vendor advisory from Mitsubishi.

Pipeline Safety and Cybersecurity


The Pipeline and Hazardous Materials Safety Administration (PHMSA) has increasingly begun to require technological solutions to ongoing safety problems with both gas transmission and hazardous material pipelines. A good example of that reliance can be found in the notice of proposed rulemaking (NPRM) that PHMSA issued earlier this month requiring the use of automated valves to limit the damage caused when pipelines rupture. Unfortunately, PHMSA’s failure to address cybersecurity issues related to the sensors and control systems associated with such technological solutions reduces the effectiveness of those measures.

Part of the reason that PHMSA has failed to act is that Congress has not provided PHMSA, or DOT in general, with specific authority to regulate the cybersecurity of pipeline infrastructure. The primary responsibility for pipeline security rests with the underfunded and woefully understaffed surface transportation security folks within the Transportation Security Administration (TSA). But TSA has been both unwilling and unable to address cybersecurity issues beyond issuing broad guidelines and hoping for voluntary industry compliance with those guidelines.

The time has come for PHMSA to realize that it has an inherent responsibility to ensure that the technologies that it mandates for pipeline safety purposes are specifically protected against cyberattacks and that the failure of cybersecurity protections should trigger the same reporting requirements that accompany the failure of physical controls.

For example, in the current NPRM PHMSA could change the wording of the new §192.745(c) to read:

(c) For each valve installed under § 192.179(e) and each rupture-mitigation valve under § 192.634 that is a remote control shut-off or automatic shut-off valve, or that is based on alternative equivalent technology, the operator must:

(1) conduct a point-to-point verification between SCADA displays and the mainline valve, sensors, and communications equipment in accordance with § 192.631(c) and (e);

(2) demonstrate that the SCADA system, the mainline valve, sensors, and communications equipment are covered under a written cybersecurity plan that identifies:

(A) each of the open ports on each component and the processes, controls or devices protecting each open port against unauthorized communications attempts;

(B) procedures that are in place to ensure that all vendor security notices and advisories for each device are:

(I) reviewed in a timely manner, and
(II) the subject of a subsequent security risk assessment where appropriately adopted risk mitigation measures are implemented in a timely manner;

(C) the reporting processes that will be used to notify management of any incidents, equipment failures or loss of process view or control that might indicate a cyber intrusion or attack, and

(D) how the organization will respond to vulnerability reports from both within and outside of the organization.

NOTE: A copy of this post will be submitted as a comment on the NPRM in question.

Monday, February 17, 2020

HR 5428 Amended and Adopted in Committee – Energy Security Research


Last week the House Science, Space, and Technology Committee held a markup hearing where HR 5428, the Grid Modernization Research and Development Act of 2019, was amended and adopted by the Committee by a voice vote. A minor amendment had been previously adopted by the Committee’s Energy Subcommittee in December.

The Amendment


The amendment was offered by Rep Fletcher (D,TX). It would insert a new paragraph (f) to the proposed §1304a. That paragraph would add a requirement for DOE to “conduct research and development on tools and technologies that improve the interoperability and compatibility of new and emerging components, technologies, and systems with existing electric grid infrastructure”.

Moving Forward


Once the Committee publishes their report on this markup the bill will be cleared for consideration by the full House. The bill would likely be taken up under the suspension of the rules process where it would pass with substantial bipartisan support.

Saturday, February 15, 2020

Public ICS Disclosure – Week of 2-7-20


This week we have eight vendor disclosures for products from Siemens (2), Schneider Electric, Phoenix Contact, HMS, ABB (2) and Moxa. We also have three advisory updates from Siemens and one from Schneider.

Siemens Advisories


Siemens published an advisory describing three vulnerabilities found in Intel chips used in Siemens products. The vulnerabilities were identified and reported (advisory links below) by Intel. Siemens has provided generic workarounds to mitigate the vulnerabilities.

The three reported vulnerabilities are:

• Insufficient memory protection (2) - CVE-2019-0151 and CVE-2019-0152; and
• Heap-based buffer overflow - CVE-2019-0169.

Siemens published an advisory describing a resource allocation vulnerability in their Profinet-IO stack. The vulnerability was reported by Yuval Ardon and Matan Dobrushin from OTORIO. Siemens has updates that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Schneider Advisory


Schneider published an advisory describing an uncontrolled search path element vulnerability in their ProSoft Configurator. The vulnerability was reported by Yongjun Liu from NSFOCUS. Schneider has a new version that mitigates the vulnerability. There is no indication that Liu has been provided an opportunity to verify the efficacy of the fix.

Phoenix Contact Advisory


Phoenix Contact has published an advisory [.PDF download link] describing a remote configuration vulnerability in their Emalytics Controllers. The vulnerability was reported by Anil Parmar. Phoenix Contact has a new firmware version that mitigates the vulnerability. There is no indication that Parmar has been provided an opportunity to verify the efficacy of the fix.

HMS Advisory


HMS has published an advisory describing a cross-site scripting vulnerability in their Flexy and Cosy products. The vulnerability was reported by Ander Martínez from Titanium Industrial Security. HMS has a new firmware version that mitigates the vulnerability. There is no indication that Martínez has been provided an opportunity to verify the efficacy of the fix.

ABB Advisories


ABB published an advisory describing a direct object reference vulnerability in their Asset Suite product. The vulnerability is self-reported. ABB has a new version that mitigates the vulnerability.

ABB published an advisory describing 14 vulnerabilities in their eSOMS product. The vulnerabilities are self-reported. ABB has a new version that mitigates the vulnerabilities.

Moxa Advisory


Moxa published an advisory describing eight vulnerabilities in their OnCell cellular gateway. The vulnerabilities were reported by Alexander Zaytsev from Kaspersky Lab. Moxa has new firmware versions that mitigate the vulnerabilities. There is no indication that Zaytsev has been provided an opportunity to verify the efficacy of the fix.

Siemens Updates


Siemens published an update to their Linux TCP SACK PANIC advisory for Industrial Products that was originally published on September 10th, 2019 and most recently updated on November 14th, 2019. The new information includes revised version data and mitigation links for:

• TIM 1531 IRC;
• SIMATIC CP 1242-7, CP 1243-7 LTE (EU and US versions), CP 1243-1, CP 1243-8 IRC, CP 1543-1, CP 1542SP-1, CP 1542SP1 IRC, CP 1543SP-1; and
• SCALANCE W1700.

NOTE: NCCIC-ICS updated their advisory on February 11th, but did not list it on their web site.

Siemens published an update for their ZombieLoad advisory that was originally published on July 9th, 2019 and most recently updated on December 10th, 2019. The new information includes updated version data and mitigation links for:

• SIMATIC IPC547E;
• SIMATIC IPC347E; and
• SIMATIC IPC3000 SMART V2.

Siemens published an update for their GNU/Linux subsystem vulnerabilities advisory that was originally published on November 27th, 2018 and most recently updated on January 14th, 2020. The new information includes adding the following new vulnerabilities:

• CVE-2019-5188;
• CVE-2019-11190;
• CVE-2019-19956;
• CVE-2019-20054;
• CVE-2019-20079;
• CVE-2019-20388; and
• CVE-2020-7595.

Schneider Update


Schneider published an update for their U.motion Builder advisory that was originally published on April 5th, 2018. The new information includes an updated remediation section.

ISCD Publishes Hatchery Advisory Opinion


This week the DHS Infrastructure Security Compliance Division (ISCD) published their 5th advisory opinion. This one deals with fish hatcheries and the ‘temporary’ agricultural exemption for filing a Top Screen. The Opinion actually dates back to 2015 when ISCD addressed this issue in response to a letter from the California Department of Fish and Wildlife.

In short, ISCD has taken the position that fish hatcheries are not ‘agricultural facilities’ in the meaning used in their exemption (73 FR 1640). This means that fish hatcheries possessing DHS chemicals of interest (COI) at or above the screening threshold quantity are required to complete a Top Screen. ISCD tangentially addressed this issue back in December 2017 when they published “Protect Your Fishery and Hatchery Chemicals from Use in a Terrorist Attack”.

I would assume that someone has recently raised this issue and that ISCD felt it was now necessary to publicly address it by publishing this Advisory Opinion.

Friday, February 14, 2020

HR 5760 Introduced – Energy Security Research


Earlier this month Rep Bera (D,CA) introduced HR 5760, the Grid Security Research and Development Act. The bill would require DOE to fund a variety of electric sector cybersecurity research efforts. The bill would also authorize funding for such activities. The bill would amend Title XIII of the Energy Independence and Security Act of 2007 (42 USC 17381 et seq.) by adding nine new sections.

Definitions


The new §1317 would add definitions for the Smart Grid Title. Key definitions include:

• The term ‘cybersecurity’ means protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.
• The term ‘cybersecurity threat’ has the meaning given the term in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501).
• The term ‘information system’ has the meaning given the term in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501); and includes operational technology, information technology, and communications.
• The term ‘security vulnerability’ has the meaning given the term in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501).
• The term ‘transient devices’ means removable media, including floppy disks, compact disks, USB flash drives, external hard drives, mobile devices, and other devices that utilize wireless connections.

R&D Program


Section 1310 would require DOE “to carry out a research, development, and demonstration program to protect the electric grid and energy systems, including assets connected to the distribution grid, from cyber and physical attacks” {new §1310(a)}. The program would include the award of research, development, and demonstration grants to {new §1310(b)}:

• Identify cybersecurity risks to information systems within, and impacting, the electricity sector, energy systems, and energy infrastructure;
• Develop methods and tools to rapidly detect cyber intrusions and cyber incidents, such as intrusion detection, and security information and event management systems, to validate and verify system behavior;
• Assess emerging cybersecurity capabilities that could be applied to energy systems and develop technologies that integrate cybersecurity features and procedures into the design and development of existing and emerging grid technologies, including renewable energy, storage, and demand-side management technologies;
• Identify existing vulnerabilities in intelligent electronic devices, advanced analytics systems, and information systems;
• Develop technologies that improve the physical security of information systems, including remote assets;
• Integrate human factors research into the design and development of advanced tools and processes for dynamic monitoring, detection, protection, mitigation, response, and cyber situational awareness;
• Evaluate and understand the potential consequences of practices used to maintain the cybersecurity of information systems and intelligent electronic devices;
• Develop or expand the capabilities of existing cybersecurity test beds to simulate impacts of cyber attacks and combined cyber-physical attacks on information systems and electronic devices; and
• Develop technologies that reduce the cost of implementing effective cybersecurity technologies and tools, including updates to these technologies and tools, in the energy sector.

Additionally, DOE would be required to work with relevant entities to develop technologies or concepts that build or retrofit cybersecurity features and procedures into {new §1310(b)(5)}:

• Information and energy management system devices, components, software, firmware, and hardware, including distributed control and management systems, and building management systems;
• Data storage systems, data management systems, and data analysis processes;
• Automated- and manually-controlled devices and equipment for monitoring and stabilizing the electric grid;
• Technologies used to synchronize time and develop guidance for operational contingency plans when time synchronization technologies are compromised;
• Power system delivery and end user systems and devices that connect to the grid; and
• The supply chain of electric grid management system components.

Resilience and Response


Section 1311 would require DOE to establish a separate grant program “to enhance resilience and strengthen emergency response and management pertaining to the energy sector” {new §1311(a)}. Grants would be awarded for {new §1311(b)}:

• Developing methods to improve community and governmental preparation for and emergency response to large-area, long-duration electricity interruptions;
• Developing tools to help utilities and communities ensure the continuous delivery of electricity to critical facilities;
• Developing tools to improve coordination between utilities and relevant Federal agencies to enable communication, information-sharing, and situational awareness in the event of a physical or cyber-attack on the electric grid;
• Developing technologies and capabilities to withstand and address the current and projected impact of the changing climate on energy sector infrastructure, including extreme weather events and other natural disasters;
• Developing technologies capable of early detection of deteriorating electrical equipment on the transmission and distribution grid, including detection of spark ignition causing wildfires and risks of vegetation contact; and
• Assessing upgrades and additions needed to energy sector infrastructure due to projected changes in the energy generation mix and energy demand.

Best Practices and Guidance


Section 1312 would require DOE to “coordinate the development of guidance documents for research, development, and demonstration activities to improve the cybersecurity capabilities of the energy sector through participating agencies” {new §1312(a)}. This would include updating {new §1312(a)(1)}:

• The Roadmap to Achieve Energy Delivery Systems Cybersecurity;
• The Cybersecurity Procurement Language for Energy Delivery Systems; and
• The Electricity Subsector Cybersecurity Capability Maturity Model, including the development of metrics to measure changes in cybersecurity readiness.

The changes to the cybersecurity procurement language document would include suggestions for {new §1312(a)(1)(B)}:

• Contracting with third parties to conduct vulnerability testing for information systems used across the energy production, delivery, storage, and end use systems;
• Contracting with third parties that utilize transient devices to access information systems; and
• Managing supply chain risks.

DOE would also be required to work with the National Institute of Standards and Technology (NIST) to convene relevant stakeholders to develop consensus-based best practices to improve cybersecurity for {new §1312(b)(1)}:

• Emerging energy technologies;
• Distributed generation and storage technologies, and other distributed energy resources;
• Electric vehicles and electric vehicle charging stations; and
• Other technologies and devices that connect to the electric grid.

Section 1312(c) specifically states that none of the activities authorized by this section “shall be construed to authorize regulatory actions”.

Funding


Section 1318 authorizes funding for the programs outlined in this bill. Funding would start at $150 million in 2021 and increase each year to $182 million in 2025.

Amendments


On Wednesday the House Science, Space, and Technology Committee held a markup hearing that included consideration of HR 5760. Three amendments were offered by:

• Rep Bera;
• Rep Lofgren (D,CA); and
• Rep Waltz (R,FL).

All three amendments were adopted by voice vote as was the amended bill. Most of the changes made by the three amendments were relatively minor wording changes. The most significant change was made by the Waltz amendment. It would add a new §4, Critical Infrastructure Research and Construction, to the bill (not another change to the Energy Independence and Security Act of 2007).

The new §4 would require DOE to establish and operate a Critical Infrastructure Test Facility “that allows for scalable physical and cyber performance testing to be conducted on industry-scale critical infrastructure systems” {§4(d)}. The Test Facility would focus on cybersecurity test beds and electric grid test beds. The Test Facility would be authorized to operate for five years with the possibility of a single 5-year extension by DOE.

Moving Forward


This bill received bipartisan support in Committee, and I expect that it would receive similar support on the floor of the House. This bill could be brought to the floor under the suspension of the rules process or it could be added to a DOE authorization or spending bill. Because of the monies authorized for the grant programs, I suspect that this bill would receive less opposition if it were included in an authorization bill.

Commentary


You have to give the Committee Staff credit; this is a very comprehensive cybersecurity research program outlined in the bill. Unfortunately, the paltry amount of funding authorized in the bill will hardly make a dent in the research program outlined. That amount of money, however, is probably about as much as Congress is going to allocate for cybersecurity research.

One thing that is interesting about this bill is the recognition by the Staff that grid security is going to be affected not just by grid operators, but also by any number of entities that will increasingly be connecting to the grid. The rise of the ‘smart grid’ is increasing the amount of cyber communication between grid operators and their customers. Those communications channels are going to be an increasingly important pathway for attackers to gain effective access to grid control mechanisms. The sooner cybersecurity research starts focusing on that access route, the sooner defenses can begin to be appropriately arrayed to protect the grid.

Thursday, February 13, 2020

2 Advisories Published – 2-13-20


Today the CISA NCCIC-ICS published two control system security advisories for products from Schneider Electric.

Magelis HMI Panel Advisory


This advisory describes an improper check for unusual or exceptional conditions vulnerability in the Schneider Magelis HMI Panel. The vulnerability was reported by VAPT Team, C3i Center. Schneider has provided generic workarounds to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow a denial-of-service condition.

NOTE: I briefly discussed this vulnerability last August.

Modicon Ethernet Serial RTU Advisory


This advisory describes three vulnerabilities in the Schneider Modicon BMXNOR0200H Ethernet/Serial RTU module. The vulnerabilities were reported by VAPT Team, C3i Center. Schneider has provided generic workarounds to mitigate the vulnerabilities.

The three reported vulnerabilities are:

• Improper check for unusual or exceptional conditions (2) - CVE-2019-6813 and CVE-2019-6831; and
• Improper access control - CVE-2019-6810.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow remote code execution or cause a denial-of-service condition.

NOTE: I briefly discussed this vulnerability last August.

Other Schneider Advisories


While NCCIC-ICS was covering these two 5-month-old vulnerability reports, Schneider was publishing three new advisories this week. I will cover them this weekend.

HR 5823 Introduced – Cybersecurity Grants


Earlier this week Rep Richmond (D,LA) introduced HR 5823, the State and Local Cybersecurity Improvement Act. The bill would establish a DHS grant program to help State and local governments establish cybersecurity programs. The bill would add a new §2215 to the Homeland Security Act of 2002 (presumably 6 USC 665).

Definitions


Section 2215(p) provides the definitions to be used in the new section. Most of the critical definitions are taken from other sections of the US Code. Key definitions include:

• ‘Cyber threat indicator’ – from 6 USC 1501;
• ‘Cybersecurity risk’ – from 6 USC 659;
• ‘Incident’ – from §659;
• ‘Information system’ – from §1501.

There are two definitions provided in §2215(p) that reference ‘section 2’. There are no free-standing definitions in §2; §2(a) adds the new §2215 and §2(b) amends the table of contents of the Homeland Security Act of 2002 to reflect the new §2215. The two undefined terms are:

• ‘Critical infrastructure’; and
• ‘Key resources’.

Grant Program


Section 2215(a) establishes the ‘State and Local Cybersecurity Grant Program’ “to make grants to States to address cybersecurity risks and cybersecurity threats to information systems of State, local, Tribal, or territorial governments”. The new grant program would be administered under the same program office that administers the Urban Area Security Initiative (6 USC 604) and the State Homeland Security Grant Program (6 USC 605).

Each State applying for a grant would be required to submit to DHS a ‘Cybersecurity Plan’ for approval. The Plan would describe how the State would {new §2215(d)(1)(B)}:

• Enhance the preparation, response, and resiliency of information systems owned or operated by such State against cybersecurity risks and cybersecurity threats;
• Implement a process of continuous cybersecurity vulnerability assessments and threat mitigation practices prioritized by degree of risk to address cybersecurity risks and cybersecurity threats;
• Ensure that State, local, Tribal, and territorial governments adopt best practices and methodologies to enhance cybersecurity;
• Mitigate any identified gaps in the State, local, Tribal, or territorial government cybersecurity workforces, enhance recruitment and retention efforts for such workforces, and bolster the knowledge, skills, and abilities of government personnel to address cybersecurity risks and cybersecurity threats;
• Ensure continuity of communications and data networks in the event of an incident;
• Assess and mitigate cybersecurity risks and cybersecurity threats related to critical infrastructure and key resources, the degradation of which may impact the performance of information systems;
• Enhance capability to share cyber threat indicators and related information between such State and local, Tribal, and territorial governments; and
• Develop and coordinate strategies to address cybersecurity risks with local, Tribal, and territorial governments within the State.

The plan would also include an inventory of the information technology deployed on the covered information systems, including “legacy information technology that is no longer supported by the manufacturer” {new §2215(d)(1)(C)}.

Section 2215(h) sets limitations on how the grant monies could be spent. Grant funds could not be spent {new §2215(h)(2)}:

• To supplant State, local, Tribal, or territorial funds;
• For any recipient cost-sharing contribution;
• To pay a demand for ransom in an attempt to regain access to information or an information system;
• For recreational or social purposes; or
• For any purpose that does not directly address cybersecurity risks or cybersecurity threats on information systems of such State.

Section 2215(o) would authorize $400 million for the grant program per year for 2021 through 2025.

Advisory Committee


Section 2215(m) would require the DHS Cybersecurity and Infrastructure Security Agency (CISA) to establish a State and Local Cybersecurity Resiliency Committee “to provide State, local, Tribal, and territorial stakeholder expertise, situational awareness, and recommendations” {new §2215(m)(1)} to CISA. The advice would provide CISA information on how to:

• Address cybersecurity risks and cybersecurity threats to information systems of State, local, Tribal, or territorial governments; and
• Improve the ability of such governments to prevent, protect against, respond, mitigate, and recover from cybersecurity risks and cybersecurity threats.

Members of the Committee would include individuals recommended to the Director by {new §2215(m)(3)}:

• The National Governors Association (2);
• The National Association of State Chief Information Officers (2);
• The National Guard Bureau;
• The National Association of Counties (2);
• The National League of Cities (2);
• The United States Conference of Mayors; and
• The Multi-State Information Sharing and Analysis Center.

Strategy to Improve Cybersecurity


Section 3 of the bill would amend 6 USC 660, adding a new §660(e), Homeland Security Strategy to Improve the Cybersecurity of State, Local, Tribal, and Territorial Governments. It would give CISA 270 days to publish the Strategy to {new §660(e)(2)}:

• Identify capability gaps in the ability of State, local, Tribal, and territorial governments to identify, prepare for, detect, protect against, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents;
• Identify Federal resources and capabilities to help such governments identify, prepare for, detect, protect against, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents;
• Identify and assess the limitations of Federal resources and capabilities available to help governments identify, prepare for, detect, protect against, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents, and make recommendations to address such limitations;
• Identify opportunities to improve the Agency’s coordination to improve incident exercises, information sharing and incident notification procedures;
• Recommend new initiatives the Federal Government should undertake to help such governments identify, prepare for, detect, protect against, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents;
• Set short-term and long-term goals that will improve the ability of such governments to identify, prepare for, detect, protect against, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents; and
• Set dates, including interim benchmarks, as appropriate for State, local, Tribal, territorial governments to establish baseline capabilities to identify, prepare for, detect, protect against, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents.

Amended in Committee


This bill was taken up yesterday by the House Homeland Security Committee in a markup hearing. The bill was amended four times with amendments submitted by:

• Rep Katko (R,NY);
• Rep Langevin (D,RI);
• Rep Richmond (D,LA); and
• Rep Slotkin (D,MS)

Most of the changes made by the four amendments were relatively minor word changes. The most significant amendment was the addition of another section (§2216) included in the Slotkin amendment. That section would require CISA to “develop a resource guide for use by State, local, Tribal, and territorial government officials, including law enforcement officers, to help such officials identify, prepare for, detect, protect against, respond to, and recover from cybersecurity risks, cybersecurity threats, and incidents”.

All four amendments were adopted by unanimous consent as was the amended bill.

Moving Forward


Once the Committee Report is prepared the bill will be ready to move to the floor of the House. This appears to be a high-priority bill, so there is little doubt that it will make it to the floor for consideration. It will be considered under the House suspension of the rules process. This means there will be limited debate, no floor amendments, and the bill will require a supermajority to pass. The bill will almost certainly pass with substantial bipartisan support.

Commentary


Normally I would expect a bill with a $400 million authorization to face some opposition. That does not appear to be the case with this bill. That is almost certainly due to the large number of high-profile ransomware attacks against various city governments and local agencies. There is some significant pressure for Congress to ‘do something’ about the problem.

I am not sure that a mere $400 million spread across 50 states is going to do an awful lot to prevent future attacks. It will certainly provide a large number of congresscritter TV news spots when they get a chance to be on hand when the grant money is handed over.

Wednesday, February 12, 2020

ISCD Publishes CFATS Quarterly – 2-12-20


Today the CISA Infrastructure Security Compliance Division (ISCD) published a link to the January 2020 issue of the Chemical Security Quarterly. If you had previously signed up for Chemical Facility Anti-Terrorism Standards (CFATS) notifications from CISA you would have received an email version of this publication back on January 27th like I did.

Veteran readers of this blog know how much I hate corporate report type publications from government agencies. When I first opened my email, it looked like this Quarterly was going to be one since it started with a month-by-month year-in-review for 2019; you know, ‘hey look at what great things I done’. Actually, I must admit some of the tidbits were things that I missed or had forgotten about.

The Quarterly then went on to review the ‘heightened geopolitical tensions’ issues surrounding the potential conflict with Iran. It is a nice recap if you missed the January 17th notice on the CFATS Knowledge Center or either of my two blog posts (here and here) on the topic.

Probably the most valuable part of this issue is the ‘Compliance Closeup’ feature dealing with CSAT 2.0. There is a good chance that many CFATS facilities may be seeing the new SVA/SSP portion of CSAT 2.0 for the first time as they implement the Tier 3 and 4 Personnel Surety Program (PSP) requirements. ISCD has done a nice job of briefly going over some of the changes with which facilities will have to deal. And there is a companion discussion about some of the resources available for implementing the PSP.

All in all, I have to continue to give ISCD points for publishing a worthwhile document that everyone associated with the CFATS program should read.

13 Advisories and 5 Updates Published – 2-11-20

Today the CISA NCCIC-ICS published 13 control system security advisories for products from Synergy Systems and Solutions, Digi International and Siemens (11). They also updated five control system security advisories for products from Siemens.

Synergy Systems Advisory


This advisory describes two vulnerabilities in the SSS HUSKY RTU. The vulnerabilities were reported by VAPT Team, C3i Center. SSS has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Improper authentication - CVE-2019-20046; and
• Improper input validation - CVE-2019-20045

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to read sensitive information, execute arbitrary code, or cause a denial-of-service condition.

Digi Advisory


This advisory describes two vulnerabilities in the Digi ConnectPort LTS 32 MEI. The vulnerabilities were reported by Murat Aydemir and Fatih Kayran of Biznet Bilisim. Digi has a new release that mitigates the vulnerabilities. There is no indication that the researchers have been provided with an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Unrestricted upload of file with dangerous type - CVE-2020-6975; and
• Cross-site scripting - CVE-2020-6973

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to limit system availability.

SIPROTEC Advisory


This advisory describes an improper input validation vulnerability in the Siemens SIPROTEC 4 and SIPROTEC Compact. The vulnerability was reported by Tal Keren from Claroty. Siemens has provided generic workarounds to mitigate the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to conduct a denial-of-service attack over the network.

SIMATIC S7-1500 Advisory


This advisory describes a resource exhaustion vulnerability in the Siemens SIMATIC S7-1500 CPU family. The vulnerability is self-reported. Siemens has provided generic workarounds to mitigate the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to conduct denial-of-service attacks.

SCALANCE S-600 Advisory


This advisory describes three vulnerabilities in the Siemens SCALANCE S-600 Firewall. One of the vulnerabilities was reported by Melih Berk Ekşioğlu. Siemens has provided generic workarounds to mitigate the vulnerabilities.

The three reported vulnerabilities are:

• Cross-site scripting - CVE-2019-6585; and
• Uncontrolled resource consumption (2) - CVE-2019-13925 and CVE-2019-13926

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit these vulnerabilities to conduct denial-of-service or cross-site scripting attacks. User interaction is required for successful exploitation of the cross-site scripting vulnerability.

OZW Web Server Advisory


This advisory describes an information disclosure vulnerability in the Siemens OZW web server. The vulnerability was reported by Maxim Rupp. Siemens has a new version that mitigates the vulnerability. There is no indication that Maxim has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow unauthenticated users to access project files.

SIPORT Advisory


This advisory describes an insufficient logging vulnerability in the Siemens SIPORT MP. The vulnerability is self-reported. Siemens has a new version that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow the attacker to create special accounts with administrative privileges.

SCALANCE Advisory


This advisory describes a protection mechanism failure vulnerability in the Siemens SCALANCE X switches. The vulnerability is self-reported. Siemens has updates that mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to perform administrative actions.

SIMATIC PCS 7 Advisory


This advisory describes an incorrect calculation of buffer size vulnerability in the Siemens SIMATIC PCS 7, SIMATIC WinCC, and SIMATIC NET PC products. The vulnerability was reported by Nicholas Miles from Tenable. Siemens has new versions that mitigate the vulnerability. There is no indication that Miles has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker with network access to cause a denial-of-service condition.

SIMATIC S7 Advisory


This advisory describes a resource exhaustion vulnerability in the Siemens SIMATIC S7 devices. The vulnerability was reported by China Industrial Control Systems Cyber Emergency Response Team. Siemens has a new version that mitigates the vulnerability. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow remote attackers to perform a denial-of-service attack by sending a specially crafted HTTP request to the web server of an affected device.

PROFINET Advisory


This advisory describes a resource exhaustion vulnerability in the Siemens PROFINET-IO Stack. The vulnerability was reported by Yuval Ardon and Matan Dobrushin of OTORIO. Siemens has updates that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to lead to a denial-of-service condition.

NOTE: OTORIO reports that this same vulnerability is found in multiple vendor products including the Moxa EDS Ethernet Switches.

SIMATIC CP Advisory


This advisory describes two vulnerabilities in the Siemens SIMATIC CP 1543-1. The vulnerabilities are self-reported. Siemens has a new version that mitigates the vulnerabilities.

The two reported vulnerabilities are:

• Improper access control - CVE-2019-12815; and
• Loop with unreachable exit condition - CVE-2019-18217

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow for remote code execution and information disclosure without authentication, or unauthenticated denial of service.

Industrial Products Advisory


This advisory describes two vulnerabilities in the Siemens SCALANCE, SIMATIC, and SIPLUS products. The vulnerabilities were reported by Artem Zinenko of Kaspersky Lab. Siemens has new versions that mitigate the vulnerabilities. There is no indication that Zinenko has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Data processing errors - CVE-2015-5621; and
• Null pointer dereference - CVE-2018-18065

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow remote attackers to conduct a denial-of-service attack by sending specially crafted packets to Port 161/UDP (SNMP).

SIMOCODE Update


This update provides additional information on an advisory that was originally published on March 9th, 2019 and most recently updated on January 14th, 2020. The new information includes the addition of two affected products:

• SITOP PSU8600; and
• TIM 1531 IRC

Industrial Products w/OPC UA Update


This update provides additional information on an advisory that was originally published on April 9th, 2019 and most recently updated on January 14th, 2020. The new information includes updated affected version data and mitigation links for SIMATIC NET PC Software.

PROFINET Update


This update provides additional information on an advisory that was originally published on October 10th, 2019 and most recently updated on January 14th, 2020. The new information includes updated affected version data and mitigation links for SINAMICS DCP.

Industrial Real Time Devices Update


This update provides additional information on an advisory that was originally published on October 10th, 2019 and most recently updated on January 14th, 2020. The new information includes updated affected version data and mitigation links for SINAMICS DCP.

SIMATIC Update


This update provides additional information on an advisory that was originally published on December 10th, 2019. The new information includes updated affected version data and mitigation links for:

• TIM 1531 IRC; and
• SIMATIC NET PC Software

Other Siemens Advisories and Updates


Siemens also published two additional advisories and three updates yesterday that have not yet been addressed by NCCIC-ICS.

Additionally, on Monday Siemens published updates of 58 previously published advisories. All of these updates added references to the SIPLUS device variants as affected products. Siemens has been adding these references as it has updated advisories over the last couple of months, so it looks like it is just doing the final housecleaning on the issue. I do not expect NCCIC-ICS to update all of their applicable advisories.

Tuesday, February 11, 2020

HR 4432 Passed in House – UAS Threat Assessment


Yesterday the House passed HR 4432, the Protecting Critical Infrastructure Against Drones and Emerging Threats Act by a voice vote. There was only about six minutes of ‘debate’ on the bill with no voices heard in opposition.

The language that disappeared between the Committee Hearing and the publication of the Report stayed gone. The reported language was the version that the House adopted.

If this bill is taken up in the Senate it will be considered under the Senate’s unanimous consent process. The major drawback to that process is that a single Senator could block consideration of the bill for reasons totally unrelated to the provisions being considered.

HR 5780 Introduced – Safe Communities Act


Last week Rep Underwood (D,IL) introduced HR 5780, the Safe Communities Act of 2020. The bill is very nearly identical to HR 5667 that was introduced by Underwood last month.

Difference


There is only one difference that I can find between the two bills. In the earlier bill §3(a) reads:

“(a) STRATEGY.—Not later than 180 days after the date of the enactment of this Act, the Director of the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security shall issue a strategy to improve stakeholder outreach and operational engagement that includes the Agency’s strategic and operational goals and priorities for carrying out the stakeholder engagement activities described in paragraphs (6) and (11) of section 2202(c) of the Homeland Security Act of 2002 (6 U.S.C. 652(c)), as added and redesignated, respectively, by section 2 of this Act.”

In HR 5780 §3(a) reads the same except everything from the words ‘described in paragraphs’ to the end of the sentence has been removed.

Moving Forward


As I noted yesterday, the House Homeland Security Committee will markup this bill tomorrow. The bill is likely to receive widespread bipartisan support.

Bills Introduced – 2-10-20


Yesterday, with both the House and Senate in session, there were 27 bills introduced. One of those bills will receive additional attention in this blog:

HR 5823 To establish a program to make grants to States to address cybersecurity risks and cybersecurity threats to information systems of State, local, Tribal, or territorial governments, and for other purposes. Rep. Richmond, Cedric L. [D-LA-2]

This is the second bill I mentioned yesterday that will be marked up by the House Homeland Security Committee tomorrow. A copy of the bill has been published by the GPO so I may be able to review this bill before tomorrow’s hearing.

Monday, February 10, 2020

Committee Hearings – Week of 2-9-20

The President’s budget comes to Capitol Hill this week, but apparently chemical safety and security (and cybersecurity) will have to wait until next week. There will be four other hearings of interest: two markups, autonomous vehicles, and cybersecurity.

Markup Hearings


The House Homeland Security Committee will hold a markup hearing on Wednesday. Among the ten bills that are scheduled for consideration are:

• HR 5780, the Safe Communities Act of 2020;
• HR ____, the State and Local Cybersecurity Improvement Act

The official version of HR 5780 has not yet been published and the second has not yet been introduced (okay it probably was today, but we will not see it until tomorrow).

The House Science, Space, and Technology Committee will hold a markup hearing on Wednesday. Among the five bills that are scheduled for consideration are:

• HR 5428, Grid Modernization Research and Development Act of 2019; and
• HR 5760, Grid Security Research and Development Act

HR 5760 has not yet been officially published.

Autonomous Vehicles


On Tuesday the Consumer Protection and Commerce Subcommittee of the House Energy and Commerce Committee will hold a hearing on “Autonomous Vehicles: Promises and Challenges of Evolving Automotive Technologies”. The witness list includes:

• John Bozzella, Alliance for Automotive Innovation
• Cathy Chase, Advocates for Highway and Auto Safety
• Daniel Hinkle, American Association for Justice
• Mark Riccobono, National Federation of the Blind
• Gary Shapiro, Consumer Technology Association
• Jeffrey Tumlin, San Francisco Municipal Transportation Agency

Cybersecurity


On Tuesday the Senate Homeland Security and Governmental Affairs Committee will hold a hearing on “What States, Locals and the Business Community Should Know and Do: A Roadmap for Effective Cybersecurity”. The witness list includes:

• Christopher C. Krebs, CISA;
• Amanda Crawford, Department of Information Resources, Texas;
• Christopher DeRusha, Cybersecurity and Infrastructure Protection Office, Michigan

On the Floor


The House is scheduled to take up HR 4432, the Protecting Critical Infrastructure Against Drones and Emerging Threats Act tonight or perhaps tomorrow under the suspension of the rules process. There will be limited debate, no floor amendments and the bill will require a supermajority to pass. This bill will almost certainly receive strong bipartisan support.

Sunday, February 9, 2020

DHS Publishes TWIC Assessment 30-day ICR Notice


The Department of Homeland Security published a 30-day information collection request (ICR) notice in Monday’s Federal Register (available yesterday; 85 FR 2020-02529) for conducting an assessment of the risk-mitigation value of the Coast Guard’s Transportation Workers Identification Credential (TWIC). This assessment was required by the Transportation Worker Identification Credential Accountability Act of 2018 (PL 115-230), and it must be completed and reported to Congress before the Coast Guard can require implementation of the TWIC Reader Rule.

There is no mention of the required 60-day ICR notice provided in this Notice. I can find no record of such a notice being posted to the Federal eRulemaking Portal (www.regulations.gov) under docket DHS-2019-0023.

There are few details about the information that will be collected as part of this assessment by the Homeland Security Operational Analysis Center (HSOAC), a federally funded research and development center operated by the RAND Corporation. The target of the ICR is broadly described as:

“Port security subject matter experts such as Port Authority Security Managers, Facility Security Managers, Industry Security Managers, and local law enforcement; Labor, Other Industry Operation and Technology Managers.”

The Notice explains that HSOAC expects to receive responses from 400 individuals/organizations during this assessment with each response taking 60 minutes. DHS does not include a copy of the questions that will be asked. That will only become available once the OMB’s Office of Information and Regulatory Affairs (OIRA) approves the ICR.

DHS is soliciting input on this ICR notice. Comments should be submitted directly to OIRA via electronic mail to dhsdeskofficer@omb.eop.gov. Comments should be submitted by March 11th, 2020.

Trump to Eliminate CFATS?


Readers who also follow me on Twitter® (@pjcoyle) may have noticed an exchange between me and @DwightFoley about the Chemical Facility Anti-Terrorism Standards (CFATS) program extension. In that exchange Foley pointed at a document in his possession that indicated that the Trump Administration is proposing to eliminate the CFATS program. Foley provided me with a copy of the document and I have at least tentatively verified its authenticity (okay, it is real, it just has not yet been officially released).

The document is “FY 2021 Budget in Brief”. It is a DHS publication that outlines the DHS portion of the President’s FY 2021 budget. On page 61 under the discussion on the Infrastructure Security program it states:

“Eliminates the Chemical Facilities Anti-Terrorism Standards (CFATS) program funding while simultaneously increasing funding significantly for the Protective Security Advisors (PSA) program. This will allow CISA to provide voluntary support for chemical production facilities without the unnecessary burden of regulatory requirements, placing the chemical sector on par with all the other critical infrastructure sectors for which CISA has oversight.”

Actually, the document includes cuts to a number of programs in DHS and the elimination of a number of others. Having said that, it does not really mean much because Presidential budget documents have been a mostly meaningless exercise for a number of years now. Generally speaking Congress ignores the President’s budget request in formulating its own.

The bigger question here is whether this reflects a lack of support for the CFATS program within the Administration. I do not think that this is true at the highest levels in the Administration; the program is just too small to really reach the level of awareness at that sort of level. There are those, of course, in the White House that generally object to any sort of regulatory program, and those, if pressed, would probably object to the CFATS program on purely philosophical grounds.

As far as I can tell (from public utterances anyway) there is still general support for CFATS and the Infrastructure Security Compliance Division within CISA. There has to be, however, some level of concern about the lack of congressional action on the reauthorization of the program. Of course, most of that type of ‘action’ would be behind the scenes in any case, and at this point I do not expect to see any action until April with the introduction of another short-term reauthorization bill.

This is the thing that we have to keep in mind about this program. It is a congressionally mandated and funded program. There is strong support for the program on both sides of the aisle and on both sides of the Capitol. That support extends to both the oversight committees and the spending committees. While the details of what the various parties want to see happen in the program vary, there is strong support for continuing the program.

Does this mean that the program cannot be killed? Certainly not. While there is a certain amount of inertial support for any governmental program, any program can ultimately be killed by Congress. They seldom die from lack of attention (funding exists at least until September 30th even if the program ‘expires’ on April 18th). Rather federal programs are usually killed by outright opponents of the program. At this point in time, I have seen no sign of organized opposition to the CFATS program in the halls of Congress.

Saturday, February 8, 2020

Public ICS Disclosures – Week of 2-1-20


This week we have four vendor disclosures for products from Meinberg, Johnson Controls, Eaton and Boston Scientific. There is a researcher report of vulnerabilities in products from Proscend. There are also two exploit reports for products from Wago and Schneider.

Meinberg Advisory


Meinberg published an advisory describing 21 vulnerabilities in their LANTIME firmware. The vulnerabilities were reported by Michal Bazyli and Jakub Palaczynski. Meinberg has new firmware versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NOTE: Nope, not going to do it. See the advisory.

Johnson Controls Advisory


Johnson Controls published an advisory [.docx download link] describing a third-party JavaScript vulnerability in their Metasys Server software. This vulnerability is apparently self-reported. Johnson Controls recommends removing the Kibana service.

NOTE: There are a number of other vulnerabilities reported for the same Kibana open source product on the Elastic website.

Eaton Advisory


Eaton published an advisory describing three vulnerabilities in their SMP Gateway. These vulnerabilities are self-reported. Eaton has a new version that mitigates the vulnerabilities.

The three reported vulnerabilities are:

• Heap-based buffer overflow - CVE-2017-2780 and CVE-2017-2781; and
• Integer overflow - CVE-2017-2782

NOTE: These vulnerabilities affect the processing of X.509 certificates when establishing TLS or SSL connections.

Boston Scientific Advisory


Boston Scientific published an advisory for the Windows CryptoAPI vulnerability in their products. They report that they are unaware of any of their products affected by this vulnerability.

Proscend Disclosure


xploited published a report describing a remote code execution vulnerability in the Proscend M302-L / M302-LG series of industrial-grade 4G LTE cellular routers. There is no indication that xploited has notified Proscend of the vulnerability, so this may be a 0-day vulnerability.

WAGO Exploit


0X483D published a Metasploit exploit for an authenticated remote code execution vulnerability in the WAGO PFC200. There is no CVE provided for the vulnerability and no indication that WAGO has been notified. This may be a 0-day vulnerability.

Schneider Exploit


COSMIN CRACIUN published an exploit for an authenticated command injection vulnerability in the Schneider U.Motion Builder. This vulnerability was reported by Schneider in April 2018.
