Friday, August 7, 2020

Bills Introduced – 8-6-20

 

With just the Senate in session (and preparing to leave for the weekend) there were 67 bills introduced. One of these bills may receive additional coverage in this blog:

 

S 4473 A bill to amend title 17, United States Code, to address circumvention of copyright protection systems with respect to the maintenance or repair of critical medical infrastructure, and for other purposes. Sen. Wyden, Ron [D-OR]

 

This sounds like it may be a ‘right-to-repair’ bill. If so, I will be watching the language and definitions for security-related impacts.

Beirut and Ammonium Nitrate Regulations

 

The videos (see here for example) this week of the catastrophic explosion in Beirut, Lebanon, have captured the attention of the world. While it is still way too early to say for certain what caused this explosion, the size of the blast and the sequence of events leading up to it seem to confirm that an improperly stored mass of ammonium nitrate was involved. Videos show what appears to be a large fire in the vicinity of a warehouse where 2,750 tons of ammonium nitrate (AN) was apparently stored.

 

As we saw with the much smaller and less catastrophic (apologies to the folks who lived through it, but Beirut is a wholly different level of catastrophe in size and effect) explosion at the West Fertilizer facility in Texas, this explosion is raising calls for the regulation of the security of AN. Neither incident (West certainly and Beirut apparently) was caused by an attack on the storage facility, yet the only agency in the US government that currently regulates ammonium nitrate is DHS, as part of the Chemical Facility Anti-Terrorism Standards (CFATS) program. And there is a law on the books requiring DHS to regulate the security of the commercial sale and transfer of ammonium nitrate.

 

AN and CFATS

 

Straight ammonium nitrate fertilizer (without any added organic material such as diesel fuel, which turns it into ANFO, an explosive) is listed as a DHS chemical of interest (COI) in Appendix A to 6 CFR 27. Under the CFATS regulations any facility that possesses 2,000 lbs or more of AN must complete a Top Screen notification to DHS describing how much AN it has on hand and providing information about the facility that allows CISA (through the Infrastructure Security Compliance Division, ISCD) to assess the facility’s risk of terrorist attack. If ISCD notifies the submitting facility that it is at high risk of terrorist attack (and thus ‘covered’ under the CFATS program), the facility must complete a security vulnerability assessment and a site security plan (SSP). Once ISCD approves the SSP, the facility is subject to periodic security compliance inspections by CISA chemical security inspectors.

 

The closest thing to a ‘safety’ requirement in the CFATS program is the mandate for facilities to have “an active outreach program to the community and local law enforcement and emergency responders”. This is found in Metric 9.4 (pg 86) of the Program’s Risk Based Performance Standards (RBPS) Guidance manual. This requirement, had it been in effect at West Fertilizer, would not have prevented the explosion, but it might have resulted in firefighters pulling back and conducting local evacuations.

 

AN Security Program

 

Back in 2007 Congress enacted a requirement for DHS to formulate a new security program targeted at the commercial sale and transfer of ammonium nitrate, the Ammonium Nitrate Security Program (ANSP). DHS published its advance notice of proposed rulemaking (ANPRM) for the ANSP in 2008. The notice of proposed rulemaking (NPRM) for the ANSP was finally published in 2011.

 

Last year, as part of a blog post about DHS meetings on explosive precursors, I discussed the cost/benefit problems with the ANSP. I noted:

 

“The big problem with the proposed ammonium nitrate security regulations is that they were going to involve a large number of people and would be very costly. DHS estimated that the ten-year cost for the program would be between “$364.2 million to $1.3 billion with a primary (mean) estimate of $814 million”. This must be balanced against the cost of a Murrah Building attack, estimated by DHS to be $1.35 billion. This would mean that the regulation cost would break even if the regulations prevented one Murrah scale attack every 14 years. Since there has not been such an attack in the 24 years since the Murrah attack, the cost of the program is not outweighed by the attack prevention. This calls into question whether or not ammonium nitrate regulation is cost effective, especially since ammonium nitrate no longer seems to be a favored precursor for terrorist explosive devices.”

 

Security and Safety of AN

 

So why the big push for ammonium nitrate security regulations after major AN accidents like Beirut and West Texas? Those accidents were related to unsafe storage of AN, not security issues. In fact, the Chemical Safety Board has open recommendations from its West Texas investigation for three Federal agencies related to the safe storage of AN:

 

• FEMA (2013-02-I-TX-9 and 2013-02-I-TX-10),

• EPA (2013-02-I-TX-2), and

• OSHA (2013-02-I-TX-5)

 

None of these agencies has taken action on the CSB recommendations because of the lack of Congressional authorization. Congress is loath to act because of the strength of the agricultural lobby; the cost of adding OSHA and/or EPA safety rules to agricultural facilities would be quite high. Rep Thompson (D,MS) was able to push the ANSP legislation through only by attaching it to the 2007 DHS spending bill; no one was going to hold up that bill for a relatively minor program like ANSP.

 

So, if your only tool is a hammer, that is what you are going to use. Thompson, and many others, strongly believe that ammonium nitrate needs to be regulated to protect people and facilities. The only law available is the ANSP, so that is what he has to call for.

 

Moving Forward

 

Nothing is going to happen this year in response to Thompson’s letter to DHS about finalizing the ANSP or bringing a recommendation to Congress on regulating explosive precursors. The ANSP as described by Congress is dead because of the cost-benefit problem. And no agency of the Trump Administration is going to propose new rules regulating explosive precursors no matter how much the folks on the ground think that regulation is necessary.

 

January 1st brings a new year, a new Congress and perhaps a new Administration. If, as most folks believe, the Democrats come into control in Washington, things on the AN safety/security front are likely to change. Thompson will continue to push for the ANSP security program; perhaps he will be able to modify the mandate so that DHS can lower the cost of the program. Or maybe a new DHS will be able to tweak the program, fiddle with the cost estimates, or change the benefit calculation to make the ANSP cost effective and move it into practice.

 

In any case, the new year may actually bring changes….

Thursday, August 6, 2020

4 Advisories Published – 8-6-20

Today the CISA NCCIC-ICS published four control system security advisories for products from Delta Industrial, Geutebruck, Advantech and a variety of trailer and brake manufacturers.

 

Delta Advisory

 

This advisory describes five vulnerabilities in the Delta Industrial TPEditor. The vulnerabilities were reported by Kdot, kimiya of 9SG Security Team, Justin Taft and Chris Anastasio via the Zero Day Initiative. Delta Industrial has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

 

The five reported vulnerabilities are:

 

• Out-of-bounds read - CVE-2020-16219,

• Stack-based buffer overflow - CVE-2020-16221,

• Heap-based buffer overflow - CVE-2020-16223,

• Write-what-where condition - CVE-2020-16225, and

• Improper input validation - CVE-2020-16227

 

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to read/modify information, execute arbitrary code, and/or crash the application.

 

Geutebrück Advisory

 

This advisory describes an OS command injection vulnerability in the Geutebruck G-Cam and G-Code cameras. The vulnerability was reported by Davy Douhine of RandoriSec. Geutebruck has a new firmware version that mitigates the vulnerability. There is no indication that Douhine has been provided an opportunity to verify the efficacy of the fix.

 

NCCIC-ICS reports that a relatively low-skilled attacker using publicly available code could remotely exploit the vulnerability to allow remote code execution as root.

 

Advantech Advisory

 

This advisory describes six vulnerabilities in the Advantech WebAccess HMI Designer. The vulnerabilities were reported by kimiya and Natnael Samson via ZDI. Advantech has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

 

The six reported vulnerabilities are:

 

• Heap-based buffer overflow - CVE-2020-16207,

• Out-of-bounds read - CVE-2020-16211,

• Out-of-bounds write - CVE-2020-16213,

• Access of resource using incompatible type - CVE-2020-16229,

• Stack-based buffer overflow - CVE-2020-16215, and

• Double free - CVE-2020-16217

 

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to read/modify information, execute arbitrary code, and/or crash the application.

 

Trailer Advisory

 

This advisory describes an exposure of sensitive information through sent data vulnerability in the Power Line Communications Bus / PLC4TRUCKS / J2497 (see here for system description) from multiple trailer and brake manufacturers. The vulnerability was reported by Ben Gardiner of NMFTA, and Dan Salloum, Chris Poore, and Eric Thayer of Assured Information Security.

 

NOTE: This is not a standard NCCIC-ICS advisory. It identifies an RF communications security vulnerability in the power line communications (PLC; I know this acronym is going to cause all sorts of issues for security researchers) used on 18-wheeler trailers. It apparently affects all trailer manufacturers using PLC. A link to the actual research report by the National Motor Freight Traffic Association (NMFTA) and Assured Information Security (AIS) would have been helpful.

 

Ben Gardiner will be talking about this vulnerability at the DEF CON 28 Car Hacking Village tomorrow.


S 4226 Introduced - Cyber State of Distress

Last month Sen Peters (D,MI) introduced S 4225, the Assessing a Cyber State of Distress Act of 2020. The bill would require DHS to conduct two studies in support of the implementation of a key recommendation of the Cyberspace Solarium Commission Report (CSCR) regarding responses to serious cyber incidents. CSCR key recommendation 3.3 says that Congress should codify a cyber state of distress tied to a cyber response and recovery fund to ensure sufficient resources and capacity to respond rapidly to significant cyber incidents.

 

Cyber State of Distress

 

Section 3 of the bill would require DHS to “conduct an assessment of the feasibility and advisability of establishing an authority for the declaration of a cyber state of distress” {§3(a)}. This assessment would address the recommendations in the CSCR (pgs 61-3) and would also cover the following additional areas {§3(b)(2)}:

 

• The determinations that DHS should make and any other actions that should be taken before the Secretary is authorized to declare or renew a cyber state of distress, including whether the declaration or any renewal should require congressional oversight or approval,

• The definition of the term ‘‘significant cyber incident’’, which shall include a consideration of the threat and scope or magnitude of the impact of such an incident,

• The authority for the coordination, including the extent and type of coordination, of the response of Federal, State, local, and Tribal governments (including the National Guard) and private entities,

• The appropriate duration of a cyber state of distress and any renewal of a cyber state of distress,

• Whether there should be a limitation on the number of renewals of a cyber state of distress, with or without congressional oversight or approval,

• Appropriate exemptions from applicable legal requirements necessary to facilitate activities during a cyber state of distress,

• The scope of any allowable activities in preparation for, during, or immediately following the termination of the cyber state of distress,

• The scope of any other interaction between Federal entities and between Federal and non-Federal entities, and

• Any other aspects of a cyber state of distress that the Secretary of Homeland Security determines relevant.

 

Cyber Response and Recovery Fund

 

Section 4 of the bill would require DHS to “conduct an assessment of the feasibility and advisability of establishing a Cyber Response and Recovery Fund” {§4(a)}. Again the assessment would include an analysis of the recommendations in the CSCR (pgs 62-3) and would also address {§4(b)(2)}:

 

• The administration of a Cyber Response and Recovery Fund,

• The eligibility of entities that may receive direct or indirect support under a Cyber Response and Recovery Fund,

• Allowable expenses for a Cyber Response and Recovery Fund, and

• Whether any entity receiving funds from the Cyber Response and Recovery Fund should be required to match funds or reimburse any funds to the Cyber Response and Recovery Fund.

 

Moving Forward

 

Peters is the Ranking Member of the Senate Homeland Security and Governmental Affairs Committee, to which this bill was assigned for consideration. This means that he should have sufficient influence to see this bill considered in the Committee. Unfortunately, this late in the session, especially in a Covid-19-affected presidential-election year, this bill will probably not be considered ‘important’ enough to move forward through the legislative process.

 

There is a remote chance that the bill could skip the committee review process and move directly to the floor under the Senate unanimous consent process, but that could only happen with the full blessing of Sen Johnson (R,WI), the Chair of the Committee.

 

Commentary

 

Anyone interested in this bill should definitely read the CSCR section (pgs 61-3) dealing with key recommendation 3.3. This recommendation notes that there could be a class of significant cyber events (or more importantly a possible series of coordinated cyber events) that, while not reaching the level justifying the declaration of a national emergency, would justify a coordinated Federal response that could include financial support for the affected parties. There currently is no mechanism for that sort of response short of that declaration.

 

What is not clear in this bill is whether or not the assessments required would also address the six ‘enabling recommendations’ that the CSCR suggested would support the ‘Cyber State of Distress’ measures addressed in the Report. Those include:

 

3.3.1 Designate responsibilities for cybersecurity services under the Defense Production Act,

3.3.2 Clarify liability for Federally directed mitigation, response, and recovery efforts,

3.3.3 Improve and expand planning capacity and readiness for cyber incident response and recovery efforts,

3.3.4 Expand coordinated cyber exercises, gaming, and simulation,

3.3.5 Establish a biennial national cyber tabletop exercise, and

3.3.6 Clarify the cyber capabilities and strengthen the interoperability of the National Guard.

 

It would seem to me that, with the possible exception of the first and last recommendations, the list should be considered within the scope of this bill. I would like to suggest insertion of a new subparagraph in §3(b):

 

(2) the assessment of CSC recommendations should specifically include a review of the following enabling recommendations supporting key finding 3.3:

 

(A) clarify liability for Federally directed mitigation, response, and recovery efforts,

(B) improve and expand planning capacity and readiness for cyber incident response and recovery efforts,

(C) expand coordinated cyber exercises, gaming, and simulation, and

(D) establish a biennial national cyber tabletop exercise.

 

This bill does not require DHS to actually do anything beyond look at the situation and advise Congress on what actually needs to be done. This is because there will almost certainly have to be Congressional authorization for most of what is being recommended here by the Cyber Solarium Commission. That authorization will almost certainly have to include significant spending authority. The bill should also require the Government Accountability Office, once the DHS assessments are reported to Congress, to provide estimates as to the potential costs of the program.


Wednesday, August 5, 2020

HR 7856 Introduced – FY 2021 Intel Authorization

Last week Rep Schiff (D,CA) introduced HR 7856, the Intelligence Authorization Act for Fiscal Year 2021. This is the House version of the annual intel authorization bill that is typically considered ‘must pass’ legislation, though that has not been the case over the last couple of years. The Senate version of this bill was included in S 4049, the FY 2021 National Defense Authorization Act. This version of the bill includes two cybersecurity threat intelligence provisions that could affect private sector entities. A third cybersecurity provision would require a study on the possibility of mandating cybersecurity standards for intelligence agency contractors.

 

Threat Intelligence

 

The two cybersecurity threat intelligence provisions are found in:

 

§605. Process for identifying cyber threat intelligence needs and priorities (pg 95), and

§606. Reviews of intelligence community cyber threat sharing posture and National Security Directive 42 (pg 99).

 

Section 605 would require the Director of National Intelligence (DNI) to “establish a formal process to solicit and compile information needs of covered entities to improve the defenses of such entities against foreign cybersecurity threats” {§605(a)(1)}. This process would be developed in coordination with DHS and those Sector-Specific Agencies deemed appropriate by the DNI.

 

There are two key definitions for this section: ‘covered entities’ and ‘cybersecurity threat’. The term ‘covered entities’ is defined as “owners and operators of critical infrastructure” {§605(d)(2)} as that term is defined in 42 USC 5195c(e). This section uses the definition of ‘cybersecurity threat’ found in 6 USC 1501(5).

 

Based upon the information provided by the covered entities the DNI is required to identify {§605(b)}:

 

• Common technologies or interdependencies that are likely to be targeted by nation-state adversaries, and

• Foreign intelligence gaps regarding foreign cybersecurity threats to covered entities.

 

Additionally, the DNI is required to “identify and execute methods of empowering Sector-Specific Agencies to” {§605(b)(3)}:

 

• Identify specific critical lines of businesses, technologies, and processes within their respective sectors; and

• Coordinate directly with the intelligence community regarding sector-specific cybersecurity threats.

 

Finally, the DNI is required to “consider whether to enhance or adjust national intelligence collection and analysis priorities” {§605(b)(4)}. A report to Congress is required.

 

Section 606 addresses threat intelligence information sharing with ‘covered entities’. The definition of ‘covered entities’ is expanded from the previous section. It is defined as {§606(c)(2)}:

 

• Owners and operators of critical infrastructure; and

• Academic institutions in the United States, corporations incorporated in the United States, and corporations operating inside the United States.

 

Section 606(a)(1) requires the DNI to “conduct a review of applicable laws, policies, procedures, and resources of the intelligence community that apply to the intelligence community’s understanding of cybersecurity threats to covered entities” including an analysis of “the ability of the intelligence community to share cyber threat information with the Federal departments and agencies responsible for providing warning and indicators to covered entities to enable them to defend against such threats”.

 

The review would specifically include {§606(a)(2)}:

 

• The capabilities and limitations of the intelligence community in collection on foreign adversary malicious cyber activity targeting covered entities,

• The ability of the intelligence community to share cyber threat intelligence information with covered entities,

• Procedures for the sanitization and declassification of intelligence, including the efficiency of such procedures,

• Which criteria and procedures should be implemented to identify intelligence community products for expedited sharing,

• Current and projected national intelligence requirements that relate to cybersecurity threats to covered entities, and

• Budgetary changes to ensure that the intelligence community is postured to provide adequate indicators and warning of cybersecurity threats to covered entities.

 

Cybersecurity Standards

 

Section 607 of the bill would require the DNI to “conduct a feasibility study with respect to requiring contractors (including subcontractors) of departments or agencies of the Federal Government that own or operate national security systems to implement mandatory cybersecurity policies or defensive measures” {§607(a)}. The study would include:

 

• The estimated cost to the Federal Government of deploying such mandatory cybersecurity policies or defensive measures,

• Whether there are sufficient legal and policy authorities in place to implement such mandatory cybersecurity policies or defensive measures,

• A description of enforcement mechanisms for such mandatory cybersecurity policies or defensive measures, and

• The timeline for implementation of such mandatory cybersecurity policies or defensive measures.

 

Moving Forward

 

The bill was ordered to be reported favorably by the House Permanent Select Committee on Intelligence. It is very likely that the bill will be considered by the whole House, probably after the November election. According to a Committee press release on the bill, it was adopted in Committee along party lines. Thus the bill will be considered under a rule and will almost certainly pass with minimal bipartisan support.

 

The Senate is unlikely to take up the bill, for both political and procedural reasons. If the Republicans in the House will not support the bill, neither will the Republican-controlled Senate. More importantly, the Senate already passed its version of the Act as part (Division F) of S 4049, the FY 2021 National Defense Authorization Act. Thus the Intel Authorization Act will (probably) be resolved as part of that bill in conference. It is possible that the provisions I have discussed here could make it into the final revised version of the NDAA.


Tuesday, August 4, 2020

1 Alert, 1 Advisory and 1 Update Published – 8-4-20

Today the CISA NCCIC-ICS published one control system security alert for robot motion servers and a control system security advisory for products from Delta Electronics. They also updated an advisory for products from Treck.

 

Robot Motion Servers Alert

 

This alert provides initial information for reported security issues in robot motion servers. This alert is based upon publicly available information from Federico Maggi and Marco Balduzzi of Trend Micro, Marcello Pogliani and Stefano Zanero of POLIMI, and Davide Quarta of POLIMI, EURECOM. The researchers have reportedly discovered an insufficient verification of data authenticity vulnerability which could allow remote code execution from an adjacent network.

 

NCCIC-ICS provides possible mitigation measures suggested by Trend Micro and ROS-I Consortium.

 

Delta Industrial Advisory

 

This advisory describes three vulnerabilities in the Delta Industrial Automation CNCSoft ScreenEditor. The vulnerabilities were reported by Anonymous and kimiya via the Zero Day Initiative. Delta has a newer version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

 

The three reported vulnerabilities are:

 

• Stack-based buffer overflow - CVE-2020-16199,

• Out-of-bounds read - CVE-2020-16201, and

• Access of uninitialized pointer - CVE-2020-16203

 

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to read/modify information, execute arbitrary code, and/or crash the application.

 

Treck Update

 

This update provides additional information on the Ripple20 advisory that was originally published on June 16th, 2020 and most recently updated on July 21st, 2020. The new information includes:

 

• A notice that the affected Treck TCP/IP stack may also be known as Kasago TCP/IP, ELMIC, Net+ OS, Quadnet, GHNET v2, Kwiknet, or AMX,

• A link to the BD advisory that I mentioned last Saturday.

 

NOTE: NCCIC-ICS still has not provided a link to the Siemens Ripple20 advisory that I discussed on July 18th.


HR 7331 Introduced – National Cyber Director Act

Back in June Rep Langevin (D,RI) introduced HR 7331, the National Cyber Director Act. The bill would establish the Office of the National Cyber Director in the White House. The Office would consist of a Director, two Deputy Directors and a staff of up to 75 personnel.

 

Definitions

 

Section 2(f) provides the definitions of key terms used in this bill. The terms defined include:

 

• Cybersecurity posture,

• Cyber attacks and cyber campaigns of significant consequence,

• Incident, and

• Information security

 

Both ‘incident’ and ‘information security’ are defined by reference to current definitions in 44 USC. Neither definition would include control system security within its purview.

 

The second term has the most complex definition in the bill. It would include an incident or series of incidents that have the purpose or effect of {§2(f)(2)}:

 

• Causing a significant disruption to the availability of a Federal information system,

• Harming, or otherwise significantly compromising the provision of service by, a computer or network of computers that support one or more entities in a critical infrastructure sector,

• Significantly compromising the provision of services by one or more entities in a critical infrastructure sector,

• Causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain, or

• Otherwise constituting a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.

 

Duties of Director

 

Section 2(c) of the bill lays out the duties of the National Cyber Director. The Director would be required to:

 

• Serve as the principal advisor to the President on cybersecurity strategy and policy,

• Develop the United States National Cyber Strategy, which shall include elements related to Federal departments and agencies,

• Supervise implementation of the strategy,

• Lead joint interagency planning for the Federal Government’s integrated response to cyberattacks and cyber campaigns of significant consequence,

• Direct the Federal Government’s response to cyberattacks and cyber campaigns of significant consequence,

• Engage with private sector leaders on cybersecurity and emerging technology issues,

• Annually report to Congress on cybersecurity threats and issues facing the nation, including any new or emerging technologies that may impact national security, economic prosperity, or enforcing the rule of law, and

• Be responsible for such other functions as the President may direct.

 

Section 2(d) of the bill would amend 50 USC 3021(c)(2), adding the Director to the list of people that the President may direct “to attend and participate in meetings of the [National Security] Council.”

 

Moving Forward

 

Langevin is a member of the House Armed Services Committee, one of the committees to which this bill was assigned for consideration. With 15 bipartisan cosponsors of the bill, it is likely that the bill will be considered in one or more of those committees. The big problem for this bill is that with the House currently in their summer recess there is probably not enough time for this bill to make its way through the legislative process. It just does not have a high enough priority to compete with spending bills and Covid-19 legislation.

 

An ideal way to work around that would have been to include the language of this bill as an amendment to the National Defense Authorization Act, but that was not done. There is still a chance that these provisions could be included in a consolidated spending bill after the election.

 

Commentary

 

In this bill Langevin carries on a long-standing legislative tradition of failing to distinguish between information technology and operational technology. The definitions in this bill rely on IT-limited definitions of ‘information technology’ and then specify duties that should clearly involve operational technology. But, even where operational technology concerns are implied, they are limited to the economic consequences of a cyber attack (i.e., ‘provision of services’) and ignore the potentially catastrophic physical consequences that could be associated with a successful cyberattack on manufacturing or transportation assets.

 

I would (as I frequently do) refer readers to my earlier blog on changing cybersecurity definitions used in legislative language. Upon further reflection I would also like to add a subparagraph (D) to the definition of ‘incident’ that I propose in that post:

 

“(D) the health or safety of the local community through the release of energy or toxic chemicals.”


Monday, August 3, 2020

Committee Hearings – Week of 8-2-20

With the House already in its summer recess (though it may be called back for a Covid-19 bill) and the Senate preparing to start theirs next week, there is a fairly light committee schedule this week. There are, however, two cybersecurity related hearings.

 

Solarium Commission Report

 

The Senate Armed Services Committee will hold a hearing on Tuesday on the “Findings and Recommendations of the Cyberspace Solarium Commission”. The witness list includes three members of the CSC:

 

• Sen Angus S. King, Jr. (I,ME),

• Rep Michael J. Gallagher (R,WI), and

• BG John C. Inglis (Ret)

 

I suspect the main focus of the hearing will be on DOD cyber operations, but cybersecurity topics will certainly be discussed, potentially including control system security issues.

 

DOE Cybersecurity

 

The Senate Energy and Natural Resources Committee will hold a hearing on Wednesday to “Examine Efforts to Improve Cybersecurity for the Energy Sector”. The witness list includes:

 

• Alexander Gates, DOE,

• Joseph McClelland, FERC,

• Steve Conner, Siemens Energy, Inc., and

• Thomas F. O'Brien, PJM Interconnection


Saturday, August 1, 2020

House Passes HR 7617 – 2nd FY 2021 Minibus

Yesterday the House approved HR 7617, the 2nd FY 2021 minibus, by a near party-line vote (12 Democrats voted Nay) of 217 to 184. Three of the four amendments I noted that I would be following were adopted on Thursday.

 

Amendments of Interest

 

Three of the four amendments that I was watching passed on Thursday as part of ‘en bloc’ amendment consideration:

 

83. Young (AK), Gabbard (HI), Gallego (AZ): Decreases the Defense Wide Operations and Maintenance account by $10 million and increases the Air Force Operations and Maintenance account by the same amount, for the ISR Operations Office to support the Cyber Operations for Base Resilient Architecture Pilot Program (en bloc #2, pgs H4129-34).

 

221. Bera (CA): Decreases and increases funds by $1 million in the CDC Public Health Preparedness and Response account to urge CDC to integrate early warning surveillance data, such as network-connected devices like smart thermometers and pulse oximeters or symptom surveys, into its COVID-19 syndromic surveillance to help identify potential hotspots even before individuals present to a health care facility (en bloc #5, pgs H4150-69).

 

338. Stauber (MN), Emmer (MN), Lipinski (IL): Increases and decreases the PHMSA authorization by $1,000,000 to highlight the need to conduct a study of corrosion control techniques for leak prevention of regulated above ground storage tanks (en bloc #4, pgs H4143-50).

 

The fourth amendment was rejected as part of en bloc #3:

 

163. Gosar (AZ): Transfers $5 million from the Department of Energy's Departmental Administration account to the Cybersecurity, Energy Security, and Emergency Response account (en bloc #3, pgs H4134-9).

 

Moving Forward

 

Typically, the Senate does not directly take up spending bills from the House. While the House bill is what is debated in the Senate (spending bills are required by the Constitution to originate in the House), the first item in the debate is substitute language taken from the appropriate spending bill(s) introduced by the Senate Appropriations Committee. That will not happen this year, as that Committee has not been able to craft a single spending bill.

 

As I have noted before, we will be seeing a continuing resolution this year to continue current spending through into the new fiscal year, probably until sometime in December. What happens in the election in November will probably dictate what happens then. If Biden wins and the Democrats take ‘control’ of both Houses, we will likely see a second continuing resolution through to late January, dumping the problem on the Democrats. If the Democrats get 60+ seats (not completely beyond the realm of possibility this year), the Republicans in the Senate will probably try to push for a compromise spending bill before the end of the year; a filibuster proof majority would leave the Republicans without much influence in that situation.


Public ICS Disclosure – Week of 7-25-20

This week we have three new Ripple20 advisories for products from ABB, BD, and HMS, and three updates for products from ABB, Schneider and Eaton. There were two BootHole advisories published for products from Medtronic and BD. There were three additional vendor disclosures this week for products from SICK, Rockwell and Yokogawa.

 

Ripple20

 

ABB published a Ripple20 advisory for their distribution automation products. The advisory provides a list of affected products and the announcement that ABB intends to produce new firmware to mitigate the vulnerabilities.

 

BD published a Ripple20 advisory for their BD Kiestra and Rowa products. The advisory provides generic mitigation measures.

 

HMS published a Ripple20 advisory for their HMS LABSline SG and Anybus SG-gateways. Since the affected products are end-of-life, HMS recommends upgrading to newer products.

 

ABB updated a previously issued Ripple20 advisory that was originally published on July 11th, 2020. The new information includes a revised affected product list and provides links to the advisory described above.

 

Schneider updated a previously issued Ripple20 advisory that was originally published on June 23, 2020 and most recently updated on July 14th, 2020. The new information includes:

 

• Adding XUPH001 OsSense communication module, XGCS850C201 OsiSense RFID compact smart antenna, Wiser Energy IP module, and Gateway Connector by Elko to the list of affected products, and

• Removing PowerLogic EGX100, ECI850 Sepam IEC 61850 Server, and PowerLogic G3200 Modbus to IEC 61850 Gateway from the list of affected products.

 

Eaton updated their Ripple20 advisory that was originally published on June 23rd, 2020 and most recently updated on July 15th, 2020. The new information includes an updated affected product list and updated mitigations for ePDU products.

 

BootHole

 

Medtronic published a BootHole Advisory providing a generic announcement that they were looking at the potential vulnerability in their products.

 

BD published a BootHole Advisory providing a generic announcement that they were looking at the potential vulnerability in their products.

 

NOTE: The medical device vendors are getting fairly proactive about looking at named OS vulnerabilities and announcing their concern/interest. I suspect that this is because of the regulated nature of the market and an interest in obviating any additional cybersecurity related regulatory actions.

 

SICK Advisory

 

SICK published an advisory describing two vulnerabilities in their Package Analytics products. The vulnerabilities were reported by an unacknowledged third party. SICK has a new version that mitigates the vulnerabilities.

 

The two reported vulnerabilities are:

 

• Authentication bypass using an alternate path or channel - CVE-2020-2076, and

• Incorrect default permissions - CVE-2020-2077

 

Rockwell Advisory

 

Rockwell published an advisory describing an improper implementation of hashing algorithm for user passwords vulnerability in their FactoryTalk Services Platform. The vulnerability was self-reported. Rockwell has a patch to mitigate the vulnerability.

 

Yokogawa Advisory

 

Yokogawa published an advisory describing two vulnerabilities in their CAMS for HIS of CENTUM products. The vulnerabilities were reported by Nataliya Tlyapova and Ivan Kurnakov of Positive Technologies. Yokogawa has patches to mitigate the vulnerabilities in products that are not yet at end-of-life. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

 

The two reported vulnerabilities are:

 

• Improper authentication - CVE-2020-5608, and

• Path traversal - CVE-2020-5609


Friday, July 31, 2020

Bills Introduced – 7-30-20

Yesterday with both the House and Senate in session there were 70 bills introduced. One of those bills will receive additional coverage in this blog:

 

HR 7856 To authorize appropriations for fiscal year 2021 for intelligence and intelligence-related activities of the United States Government, the Community Management Account, and the Central Intelligence Agency Retirement and Disability System, and for other purposes. Rep. Schiff, Adam B. [D-CA-28] 


Thursday, July 30, 2020

5 Advisories Published – 7-30-20

Today the CISA NCCIC-ICS published four control system security advisories for products from Mitsubishi Electric (3) and Inductive Automation. They also published a medical device security advisory for products from Philips.

 

Factory Automation Advisory #1

 

This advisory describes an unquoted search path or element vulnerability in the Mitsubishi Factory Automation Engineering products. The vulnerability was reported by Mashav Sapir of Claroty. Mitsubishi has new versions that mitigate the vulnerability. There is no indication that Sapir has been provided an opportunity to verify the efficacy of the fix.

 

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to obtain unauthorized information, modify information, and cause a denial-of-service condition.

 

Factory Automation Advisory #2

 

This advisory describes a path traversal vulnerability in the Mitsubishi Factory Automation products. The vulnerability was reported by Mashav Sapir of Claroty. Mitsubishi has new versions that mitigate the vulnerability. There is no indication that Sapir has been provided an opportunity to verify the efficacy of the fix.

 

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to obtain unauthorized information, tamper with information, and cause a denial-of-service condition.

 

Factory Automation Advisory #3

 

This advisory describes a permissions issue vulnerability in the Mitsubishi Factory Automation Engineering Software products. The vulnerability was reported by Younes Dragoni of Nozomi Networks, the Applied Risk research team, and Mashav Sapir of Claroty. Mitsubishi has new versions that mitigate the vulnerability. There is no indication that researchers have been provided an opportunity to verify the efficacy of the fix.

 

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to enable the reading of arbitrary files, cause a denial-of-service condition, and allow execution of a malicious binary.

 

Inductive Automation Advisory

 

This advisory describes a missing authorization vulnerability in the Inductive Automation Ignition 8 product. The vulnerability was reported by Mashav Sapir of Claroty. Inductive Automation has a new version that mitigates the vulnerability. There is no indication that Sapir has been provided an opportunity to verify the efficacy of the fix.

 

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to gain access to sensitive information.

 

Philips Advisory

 

This advisory describes an insertion of sensitive information into log file vulnerability in the Philips DreamMapper mobile application. The vulnerability was reported by Lutz Weimann, Tim Hirschberg, Issam Hbib, and Florian Mommertz of SRC Security Research & Consulting. Philips plans a new release to mitigate the vulnerability by June of next year.

 

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to gain access to log file information containing descriptive error messages.


Wednesday, July 29, 2020

House to Consider HR 7617 – Second FY 2021 Minibus


Tomorrow the House is scheduled to take up HR 7617, the second (and final) FY 2021 minibus. This legislation includes language from the following bills:

• HR 7617 (DOD – Division A),
• HR 7667 (CJS – Division B),
• HR 7613 (EWR – Division C),
• HR 7668 (Financial Services – Division D),
• HR 7614 (LHH – Division E), and
• HR 7616 (THUD – Division F)

HR 7667, the FY 2021 DHS spending bill, was originally supposed to be included in this minibus, but it was removed in an amendment agreed to last night in the House Rules Committee. The Committee also approved 340 amendments to be submitted from the floor during the debate on this bill.

I will be watching for the following amendments to be considered on the floor:

83. Young (AK), Gabbard (HI), Gallego (AZ): Decreases the Defense Wide Operations and Maintenance account by $10 million and increases the Air Force Operations and Maintenance account by the same amount, for the ISR Operations Office to support the Cyber Operations for Base Resilient Architecture Pilot Program.

163. Gosar (AZ): Transfers $5 million from the Department of Energy's Departmental Administration account to the Cybersecurity, Energy Security, and Emergency Response account.

221. Bera (CA): Decreases and increases funds by $1 million in the CDC Public Health Preparedness and Response account to urge CDC to integrate early warning surveillance data, such as network-connected devices like smart thermometers and pulse oximeters or symptom surveys, into its COVID-19 syndromic surveillance to help identify potential hotspots even before individuals present to a health care facility.

338. Stauber (MN), Emmer (MN), Lipinski (IL): Increases and decreases the PHMSA authorization by $1,000,000 to highlight the need to conduct a study of corrosion control techniques for leak prevention of regulated above ground storage tanks. (10 minutes)

Commentary


The removal of the DHS spending provisions means that for the second year in a row, the Democratic leadership in the House could not work out a deal with their members for language on immigration issues that would allow for both moderates and progressives within the party to vote for the bill. Since there is little room for Republican support for the language in HR 7667, the Democrats would have to pass the legislation with only Democratic votes.

The revised minibus will almost certainly pass this week. It will not be taken up in the Senate and the Senate is unlikely to get any spending bills out of their Appropriations Committee before September 31st. There will be a continuing resolution to keep the government operating and the two Appropriations Committees will work out a compromise spending bill. Unfortunately, it may take the 117th Congress to actually pass such a bill unless the Democrats win big in November. If that happens the Republicans are likely to be more cooperative in passing a ‘compromise’ bill this year.

HR 7667 Reported in House – FY 2021 CJS Spending


Earlier this month the House Appropriations Committee published their marked-up version of HR 7667, the Commerce, Justice, Science, and Related Agencies Appropriations Act, 2021, along with their Report on the bill. There were no specific mentions of cybersecurity in the bill, but the Report did include several cybersecurity mentions, only one of which addressed control system security issues.

Industrial Control Systems


On page 24 of the Report the Committee discussed the importance of NIST’s Scientific and Technical Research and Services work on advanced manufacturing systems. They directed NIST “to prioritize new STRS funds to achieve fundamental scientific understanding of manufacturing processes and equipment and to enable new smart manufacturing systems capabilities for high-priority metals-based additive manufacturing, manufacturing robotics, and cybersecurity for industrial control systems [emphasis added].”

Cyber Threats


On page 19 the Committee expressed their concerns about cybersecurity issues around on-line data collection efforts in the 2020 Census. They directed “the Census Bureau to prioritize cyber protections and high standards of data differential privacy”.

On page 24 the Committee discussed threats to the ‘digital economy’ and urged “NIST to address the rapidly emerging threats in this field by furthering the development of new and needed cryptographic standards and technologies”.

Cybersecurity Training


The report addressed a number of cybersecurity training initiatives, including:

• National Initiative for Cybersecurity Education (pg 24),
• Cybersecurity Training for the Manufacturing Extension Partnership (MEP) program (pg 26), and
• CyberCorps (pg 137).

Moving Forward


This bill will be included in the second FY 2021 spending minibus, HR 7617. The House is currently scheduled to take up that minibus tomorrow.

ISCD Updates 2 FAQ Responses – 7-28-20


Yesterday the CISA Infrastructure Security Compliance Division (ISCD) updated two frequently asked question (FAQ) responses on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. Both of these responses had recently been updated as part of the on-going editorial fine tuning of FAQ responses that has been taking place over the last couple of weeks.

The two FAQ responses that were updated yesterday were for the following FAQs:


FAQ #1778 was last revised on July 21st, 2020. The most recent change was to remove links to regulations in the question.

FAQ #1779 was last revised on July 27th, 2020. The most recent change was to remove links to regulations in the question.

Tuesday, July 28, 2020

3 Advisories and 1 Update Published – 7-28-20


Today the CISA NCCIC-ICS published three control system security advisories for products from HMS Industrial Networks, Softing Industrial, and Secomea. They also published an update for an advisory for products from Delta Industrial Automation.

HMS Advisory


This advisory describes a stack-based buffer overflow in the HMS eCatcher VPN client. The vulnerability was reported by Sharon Brizinov of Claroty. HMS has a new version that mitigates the vulnerability. There is no indication that Brizinov has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to crash the device being accessed. In addition, a buffer overflow condition may allow remote code execution with highest privileges.

NOTE: I briefly discussed this vulnerability earlier this month.

Softing Advisory


This advisory describes two vulnerabilities in the Softing OPC. The vulnerabilities were reported by Uri Katz of Claroty. Softing has a new version that mitigates the vulnerabilities. There is no indication that Katz has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Heap-based buffer overflow - CVE-2020-14524, and
• Uncontrolled resource consumption - CVE-2020-14522

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to crash the device being accessed. A buffer-overflow condition may also allow remote code execution.

Secomea Advisory


This advisory describes four vulnerabilities in the Secomea GateManager VPN manager. The vulnerabilities were reported by Sharon Brizinov and Tal Keren of Claroty. Secomea has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Improper neutralization of null byte or null character - CVE-2020-14500,
• Off-by-one error - CVE-2020-14508,
• Use of hard-coded credentials - CVE-2020-14510, and
• Use of password hash with insufficient computational effort - CVE-2020-14512

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to gain remote code execution on the device.

Delta Update


This update provides additional information on an advisory that was originally published on June 30th, 2020. The new information includes a link to a new version that mitigates the vulnerabilities.

Monday, July 27, 2020

ISCD Updates 7 FAQ Responses – 7-27-20


Today the CISA Infrastructure Security Compliance Division (ISCD) updated the responses to two frequently asked questions on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. This is part of an on-going effort at ISCD to make FAQ editorial changes designed to reflect changes in program management (CISA branding), to change URLs to page links (see the similar 6-22-20 blog post), and to make the responses more helpful, rather than to reflect changes in ISCD policy.

The FAQ responses updated today include:



FAQ #1742 was last updated on July 20th, 2020. Today’s update changed the labeling and indentation of the three subparagraphs.

FAQ #1749 was last updated on July 21st, 2020. Today’s update changed the indentation of the 8 subparagraphs.

FAQ #1633 was last updated on July 20th, 2020. Today’s update changed the labeling of the three subparagraphs.

FAQ #1660 was last updated on July 16th, 2020. Today’s update changed the labeling of the three subparagraphs.

FAQ #1772 has not apparently been changed since it was last updated on July 20th, 2020.

FAQ #1779 was last updated on July 22nd, 2020. Today’s update changed the format of the quotation marks used in the question (but not in the response).

FAQ #1788 was last updated on July 16th, 2020. Today’s update removed an extraneous ‘)’ in the Question.

S 4197 Introduced – CFATS Extension


Earlier this month Sen Johnson (R,WI) introduced S 4197, a bill to extend the Chemical Facility Anti-Terrorism Standards (CFATS) program through July 25th, 2027. This was the third in a series of bills introduced by Johnson to extend that program without legislative changes to the program. This bill was introduced on the same day that the Senate passed S 4148, a shorter-term extension of the CFATS program that was subsequently passed by the House and signed by the President.

Bill Comparison


All three bills were ‘clean’ extensions of the program, with no policy or regulatory changes included in the language. The table below shows the two areas of major difference between the three bills.

CFATS Bills       S 4096     S 4148     S 4197
Extension Date    7-27-23    7-27-23    7-25-27
Cosponsors        3-R, 2-D   3-R, 2-D   3-R

As I noted in my post on S 4096, the only difference between that bill and S 4148 was the removal of some minor, unnecessary effective-date language that had been included in S 4096.

The extension date for both S 4096 and S 4148 was far enough down the road that the affected businesses were appeased because they had some regulatory certainty about the program. More importantly, this date was the soonest that Johnson and his fellow Republicans had a reasonable chance that they might yet again ‘control’ both the House and Senate. The 2027 date would, however, be a much more likely date for that to have occurred.

The extension date is important because Congress has shown little appetite for addressing the CFATS program until the program nears its expiration date. Even with an expiration date fast approaching it has been difficult to get consensus on what changes are necessary. Without the impetus of pending termination, there is little incentive for the different factions to come together on a legislatively workable revision to the program.

Sunday, July 26, 2020

HR 7617 Reported in House – FY2021 DOD Spending


Earlier this month the House Appropriations Committee published their marked-up version of HR 7617, the Department of Defense Appropriations Act, 2021, and their Report on the bill. There is only one specific cyber mention in the bill, but there are a number of mentions of cyber related topics in the report; none specifically addressing control system security issues.

Cyber in HR 7617


While cyber operations are becoming a bigger part of overall military operations there is only one mention of the term ‘cyber’ in HR 7617. In §8125(a)(7) ‘Defensive Cyber Operations Army’ are mentioned as a potential target for funding for software development funds under the Research, Development, Test and Evaluation spending authorization.

Cyber Training


Various training initiatives are addressed in the Committee Report. Most of the mentions include a requirement to report back to the Committee on the progress of the related program. These mentions include:

• Pgs 10-11 - Civilian cyber workforce,
• Pg 32 - Cybersecurity professionals,
• Pg 320 - Cyber education collaboratives, and
• Pg 322 - Women and minorities in STEM pipeline.

There are three rather vanilla mentions of cybersecurity processes in the Report. They include:

• Pg 113 - Standards and protocols on countering cybersecurity incidents,
• Pg 113 - Zero trust architecture, and
• Pg 318 - Distributed ledger technology research and development.

There is only one place in the Report where specific funding is mentioned in relation to cybersecurity processes, on page 325, under Arsenal Security. It states:

“The Committee believes that maintaining security, including threats from cyber-attacks, data piracy, and other technological risks, of Department of Defense arsenals is essential. The Committee directs that of the funds included under Industrial Operations, $3,500,000 is to implement efforts to combat these types of threats.”

Moving Forward


This bill will be used as the base for the second minibus spending bill in the House. The House Rules Committee will meet on Tuesday to set the rule for the consideration of the bill on the floor of the House, to include a list of which amendments will be authorized to be submitted from the floor. There have been 110 amendments for this portion of the bill submitted to the Rules Committee.

At this point it is not yet clear that the Democrats have the votes to pass the second minibus. They certainly have a majority in the House, but it is potential ‘no votes’ from the progressive wing of the party that could disable this bill. The problem is not the DOD portion of the bill, but rather a failure to ‘adequately sanction’ ICE and CBP in the DHS portion of the bill that would be the reason for the ‘Nays’.

The Rules Committee meeting has already been delayed one day to add time to resolve this issue. Pelosi is aware that the Party needs the support of the recently elected moderates that allowed the Democrats to take control of the House, so the DHS provisions cannot be too extreme. The Progressives, on the other hand, need to have strong punitive measures in the bill to appease their supporters.

The easy solution is to follow the example of last year: leave the DHS spending bill on the Committee floor and not consider it on the floor of the House. The resolution would then be left to the conference committee that would essentially craft a compromise omnibus spending bill before year end. And yes, an omnibus bill is almost a foregone conclusion; the Senate has not yet even been able to craft a single spending bill in Committee and the ‘August Recess’ is fast approaching (though, to be sure, that recess may still be a victim of the COVID-19 disruption).

 
/* Use this with templates/template-twocol.html */