Thursday, January 30, 2020

2 Updates Published – 1-30-20


Today the CISA NCCIC-ICS published two updates for previously published medical device security advisories from Medtronic.

CareLink Update


This update provides additional information on an advisory that was originally published on February 27th, 2018 and most recently updated on October 11th, 2018. The new information includes announcing:

• The availability of a patch to mitigate the vulnerabilities; and
• Medtronic has re-enabled the network-based software update mechanism.

Conexus Update


This update provides additional information on an advisory that was originally published on March 21st, 2019. The new information includes adding two new affected products:

• Brava CRT-D (all models); and
• Mirro MRI ICS (all models)

NOTE: NCCIC-ICS sent out two emails today announcing these updates, as they usually do. Unfortunately, the email about the Conexus update carried an email header describing an update to last week’s GE CARESCAPE advisory. The details in the body of the email were correct; it was just a little bit confusing. Fortunately, there was no confusion in the @ICS-CERT TWEETS®.

HR 5667 Introduced – CISA Information Clearinghouse


Last week Rep Underwood (D,IL) introduced HR 5667, the Safe Communities Act. The bill would amend 6 USC 652(c), adding requirements for the DHS Cybersecurity and Infrastructure Security Agency (CISA) to “maintain a clearinghouse for owners and operators of critical infrastructure and other relevant stakeholders to access security guidance, best practices, and other voluntary content developed by the Agency” {new §652(c)(6)}.

Outreach Strategy


Section 3 of the bill would require CISA to develop and publish a “strategy to improve stakeholder outreach and operational engagement that includes the Agency’s strategic and operational goals and priorities for carrying out the stakeholder engagement activities” {§3(a)} as well as a plan to implement that strategy. The strategy would include {§3(b)}:

• A catalogue of the stakeholder engagement activities and services delivered by protective security advisors and cybersecurity advisors of CISA;
• An assessment of the capacity of programs of the Agency to deploy protective security advisors and cybersecurity advisors, including the adequacy of such advisors to meet service requests and the ability of such advisors to engage with and deliver services to stakeholders in urban, suburban, and rural areas;
• Long-term objectives of the protective security advisor and cybersecurity advisor programs, including cross-training of the protective security advisor and cybersecurity advisor workforce to optimize the capabilities of such programs and capacity goals;
• A description of programs, policies, and activities used to carry out such stakeholder engagement activities and services;
• Resources and personnel necessary to effectively support critical infrastructure owners and operators and other entities, as appropriate, based on current and projected demand for Agency services;
• Guidance on how outreach to critical infrastructure owners and operators in a region should be prioritized;
• Plans to ensure that stakeholder engagement field personnel of the Agency have a clear understanding of expectations for engagement within each critical infrastructure sector and subsector, whether during steady state or surge capacity;
• Metrics for measuring the effectiveness of stakeholder engagement activities and services;
• Plans for awareness campaigns to familiarize owners and operators of critical infrastructure with security resources and support offered by CISA.

Section 5 of the bill provides for establishing a one-year pilot program for protective security advisors to provide training for State and local enforcement agencies in “carrying out security vulnerability or terrorism risk assessments of facilities” {§5(a)}.

Moving Forward


Both Underwood and her cosponsor {Rep Katko (R,NY)} are members of the House Homeland Security Committee, one of the two committees to which this bill was assigned for consideration. This means that there is a good chance that this bill will be considered in Committee. It is odd, however, that the Committee did not take up this bill in their markup hearing yesterday.

There is nothing in this bill that should engender any significant opposition and I suspect that it will garner significant bipartisan support when considered by the Committee. The lack of a sponsor on the House Energy and Commerce Committee could easily mean that this bill would fail to move beyond the Homeland Security Committee because of inter-committee politics. If this bill does make it to the floor of the House it will be considered under the suspension of the rules process and should pass with bipartisan support.

Commentary


The main import of this bill is that it would require CISA to undertake a review of its use of both the Protective Security Advisor (PSA) and Cyber Security Advisor (CSA) programs. The PSA program is fairly well established and quite active. The same cannot be said for the CSA program. The latest information that I can find (from a now defunct Coast Guard web page from October 2018) would seem to show that there were only nine CSAs deployed across eight regional offices, with a similar number of open vacancies. I think that part of the strategy to be developed by CISA should include an evaluation of both programs to determine what resources should be made available to the two programs to assure an effective implementation of the strategy. To that end I would suggest adding the following to the end of §3(b):

(10) Determine the resources necessary for full implementation of the strategy, including the manpower needs for both protective security advisors and cyber security advisors.

There is another resource within CISA that could be utilized for this outreach strategy: the chemical security inspectors of the Chemical Facility Anti-Terrorism Standards (CFATS) program under the Infrastructure Security Compliance Division of CISA. Their unique perspective and training on assessing chemical facility risk and evaluating chemical facility security programs could be used to address the much larger chemical community beyond the 3,000+ facilities currently covered under the CFATS program. I would suggest a further addition to §3(b):

(11) Determine how the chemical security inspectors from the Chemical Facility Anti-Terrorism Standards (CFATS) program could be integrated into the outreach program.

Wednesday, January 29, 2020

HR 5669 Introduced – SBA Cybersecurity Marketplace


Last week Rep Finkenauer (D,IA) introduced HR 5669, the Strengthening and Enhancing Cybersecurity Usage to Reach Every (SECURE) Small Business Act. This bill is very similar to S 3205, introduced earlier this month. The differences between the two bills are mostly formatting (definitions in §4 in this bill and §2 in the Senate version) and minor changes in wording that are only of interest to lexicographers and lawyers.

Moving Forward


Finkenauer is a member, as is one of her cosponsors {Rep Joyce (R,PA)}, of the House Small Business Committee to which this bill was assigned for consideration. This means that it is possible that this bill could be considered in Committee. There may be some Republican opposition to this bill because this type of marketplace could be considered to be an entrepreneurial activity more suited to the private sector, but I suspect that the bill would receive at least some bipartisan support. There could be enough bipartisan support to allow this bill to be considered in the full House under the suspension of the rules process.

Commentary


My comments on the Senate version of this bill equally apply to this bill.

Today, I will rather address the proposed marketplace as an entrepreneurial activity. It would seem to me that there are many online marketplaces where owners are making money providing connections between sellers and buyers; eBay® is the most obvious example. I am not sure that government agencies ought to be in the business of directly competing with the private sector.

Of course, there does not appear to be a marketplace currently available that fulfills the intent of either of these two bills. I suspect that the reason is that it has just not occurred to anyone yet. So, is this current lack of a commercial cybersecurity marketplace justification for the establishment of a government run enterprise? I do not think so. Should Congress consider some means of encouraging the formation of such a commercial enterprise? To my mind, that is less clear.

The increasing rate of ransomware attacks and the ever-present specter of data breaches in the commercial sector are certainly affecting small businesses as well as large. The financial impact on small businesses probably has more of a chilling effect on the success of those businesses than it does on large concerns. The question is whether this impact on small businesses is large enough to allow for congressional action under the interstate commerce clause of the Constitution. If we look at just individual businesses, almost certainly not; the failure of a single mom-and-pop enterprise has an inconsequential effect on interstate commerce. If we look at small businesses in the aggregate, that almost certainly changes the response.

The question then becomes, what should be the government’s role in addressing the impact of cyberattacks on small businesses? Should the government be regulating how individual small business protect their cyber assets? Probably not; writing effective cybersecurity regulations that would adequately address cybersecurity processes at all types of small businesses would be nearly impossible and certainly the compliance costs would be high.

Should the government be responsible for smoothing the way for small businesses and cybersecurity vendors to work together? Possibly, but I think that providing a political appointee with the power to decide which vendors are ‘legitimate’ {§2(c)(2) in this bill} is fraught with the potential for the illegitimate use of political influence. No, such legitimacy issues are much better dealt with in a marketplace by user feedback and mediation processes.

No, I think that a government run marketplace like that proposed in these two bills is probably a bad idea. I think that small businesses would be better served by a commercial enterprise (obviously starting out as its own small business). I think Congress would better serve the small business community by figuring out how to encourage the establishment of such an enterprise rather than having the Federal government run one.

Bills Introduced – 1-28-20


Yesterday with the House in session and the Senate sitting in the impeachment process there were 44 bills introduced. One of those bills may receive additional coverage in this blog:

HR 5695 To require operators of offshore oil and gas facilities to report failures of critical systems to the Secretary of Interior, and for other purposes. Rep. McEachin, A. Donald [D-VA-4]

I will be watching this bill for specific language and definitions that specifically include requirements for reporting cyber attacks and incidents. I am not holding my breath.

NOTE: This is the first time since the second day of the impeachment process in the Senate that any bills have been introduced by Senators.

Tuesday, January 28, 2020

HR 5680 Introduced – CISA Subpoena Authority


Today Rep Langevin introduced HR 5680, the Cybersecurity Vulnerability Identification and Notification Act of 2020. The bill would provide the DHS Cybersecurity and Infrastructure Security Agency (CISA) with the authority to issue subpoenas to identify owners of critical infrastructure identified as having cybersecurity vulnerabilities. The bill is similar to S 3045 that was introduced in the Senate last month.

Definitions


There are some significant differences between the definitions used in this bill and those in S 3045. First, it moves the definition of ‘enterprise device or system’ from the new paragraph (n) of 6 USC 659 to paragraph (a), ensuring that the definition is of more general use in that section.

Then HR 5680 changes two existing definitions in (a):

Adds a reference to ‘cybersecurity purpose’, so that the definition reads: the terms ‘cyber threat indicator’, ‘cybersecurity purpose’ and ‘defensive measure’ have the meanings given those terms in section 102 of the Cybersecurity Act of 2015 [6 U.S.C. 1501];


Changes the definition of ‘information system’ from: the term ‘information system’ has the meaning given that term in section 3502(8) of title 44; to: the terms ‘information system’ and ‘security vulnerability’ have the meanings given those terms in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501);

Other Changes from S 3045


The language in HR 5680 is a significant re-write of S 3045, but it is mainly due to the removal of the definition portion of the paragraph. However, in developing a subpoena procedure under (n)(8) the House bill adds a new requirement to include {new §659(n)(8)(A)(v)}:

The process for tracking engagement with each party that is subject to such a subpoena and the entity at risk identified by information obtained pursuant to such a subpoena.

At the end of (n)(8) HR 5680 adds a new congressional notification requirement:

(B) CONGRESSIONAL NOTIFICATION.— The Director shall brief the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate upon establishment of internal procedures and associated training required under this subsection.

Finally, this bill adds a new requirement under new §659(n):

(10) RESOURCE ASSESSMENT.—Not later than 120 days after the date of the enactment of this subsection, the Director shall submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate an assessment regarding whether additional resources are required to—

(A)(i) ensure timely notifications to entities at risk pursuant to paragraph (6); and

(ii) provide such entities at risk with timely support to mitigate security vulnerabilities; and

(B) provide associated training applicable to employees and operations of the Agency to comply with internal procedures established pursuant to paragraph (8).

Moving Forward


This bill is being considered in the House Homeland Security Committee tomorrow. I suspect that it will be adopted by a significant bipartisan majority. The bill will probably move forward to the House floor later this year under the suspension of the rules process. It will likely pass with similar bipartisan support. The Senate has yet to take action on S 3045. It is not clear whether or not the Senate will accept this version or insist on their own.

Commentary


I applaud Langevin’s addressing my pet peeve, the IT-restrictive definition of ‘information system’ used in §659. The addition of the definition of ‘enterprise device’ would currently only apply to the subpoena authorization portion of §659, but it will be available for future changes to CISA authority.

The other changes in this bill do little to address my concerns about S 3045.

OMB Approves DOE CEII Final Rule


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved the DOE’s final rule on Critical Electric Infrastructure Information. This rule was submitted to OIRA in October 2019. The notice of proposed rulemaking (NPRM) was published in October of 2018. Interestingly, there was one meeting at OIRA concerning this rule, at which environmental activists expressed their concerns about the rule.

This rule addresses the DOE internal procedures for approving and restricting access to Critical Electric Infrastructure Information (CEII).

Bills Introduced – 1-27-20


Yesterday with the House in session and the Senate sitting on the impeachment process there were 12 bills introduced. Two of those bills may see future activity in this blog:

HR 5679 To amend the Homeland Security Act of 2002 to limit to five years the term of the Director of the Cybersecurity and Infrastructure Protection Agency of the Department of Homeland Security, and for other purposes. Rep. Katko, John [R-NY-24]

HR 5680 To amend the Homeland Security Act of 2002 to protect United States critical infrastructure by ensuring that the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security has necessary legal tools to notify entities at risk of cybersecurity vulnerabilities in the enterprise devices or systems that control critical assets of the United States, and for other purposes. Rep. Langevin, James R. [D-RI-2] 

HR 5679 would limit the CISA director to a five-year term. I probably will not do an analysis blog post on this bill (it looks pretty straightforward from the committee print), but I will watch it as it progresses through the process for add-ons. The House Homeland Security Committee will take up this bill in a markup hearing tomorrow.

HR 5680 is the bill I briefly (and erroneously) described as HR 5667 in last evening’s post. A copy of the bill has been published by the GPO, so I will probably review the details later this morning.

Monday, January 27, 2020

Congressional Hearings – Week of 1-26-20


With the House back from their MLK break and the Senate still sitting in their impeachment proceeding there are a limited number of committee hearings this week. There is one markup hearing of interest by the House Homeland Security Committee.

Markup Hearing


On Wednesday the House Homeland Security Committee will hold a markup hearing. The bills to be reviewed include HR 5667, the Cybersecurity Vulnerability Identification and Notification Act of 2019. This bill was introduced last Friday, and the official version has yet to be printed. I have briefly reviewed the committee print and it looks to be similar to S 3045 but there are some interesting definitions related to operational technology that I look forward to reviewing in depth.

S 3207 Introduced – State Cybersecurity Coordinators


Earlier this month Sen Hassan (D,NH) introduced S 3207, the Cybersecurity State Coordinator Act of 2020. The bill would require the DHS Cybersecurity and Infrastructure Security Agency (CISA) to appoint Cybersecurity State Coordinators in each of the 50 states.

Definitions


The bill does not include any definitions. Because the bill amends 6 USC 652 and adds a new section to the same Part, the following definitions from §651 apply to the following terms used in this bill:

• Cybersecurity risk – means threats to and vulnerabilities of information or information systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information or information systems, including such related consequences caused by an act of terrorism {referenced to §659(a)}.

• Cyber threat – means an action, not protected by the First Amendment to the Constitution of the United States, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system {referenced to §1501(5)}.

The following critical terms are not defined for §652 or Part A:

• Cybersecurity threat information – Nearest term defined in 6 USC is ‘cyber threat indicator’ at §1501(6);

• Non-Federal entity – §1501(14), but not incorporated by reference.

• Cybersecurity incidents – §659(a)(3), but not incorporated by reference.


Responsibilities


The duties of the State Cybersecurity Coordinators would be set forth in the new section added to Part A (probably §665, so §665(b)):

• Building strategic relationships across Federal and non-Federal entities by advising on establishing governance structures to facilitate developing and maintaining secure and resilient infrastructure;
• Serving as a principal Federal cybersecurity risk advisor and coordinating between Federal and non-Federal entities to support preparation, response, and remediation efforts relating to cybersecurity risks and incidents;
• Facilitating the sharing of cyber threat information between Federal and non-Federal entities to improve understanding of cybersecurity risks and situational awareness of cybersecurity incidents;
• Raising awareness of the financial, technical, and operational resources available from the Federal Government to non-Federal entities to increase resilience against cyber threats;
• Supporting training, exercises, and planning for continuity of operations to expedite recovery from cybersecurity incidents, including ransomware;
• Serving as a principal point of contact for non-Federal entities to engage with the Federal Government on preparing, managing, and responding to cybersecurity incidents;
• Assisting non-Federal entities in developing and coordinating vulnerability disclosure programs consistent with Federal and information security industry standards; and
• Performing such other duties as necessary to achieve the goal of managing cybersecurity risks in the United States and reducing the impact of cyber threats to non-Federal entities.

No funding is provided in the bill for the new requirements.

Moving Forward


Hassan and her three cosponsors {Sen Cornyn (R,TX), Sen Portman (R,OH) and Sen Peters (D,MI)} are all influential members of the Senate Homeland Security and Government Affairs Committee to which this bill was assigned for consideration. There is a high likelihood that this bill will be considered in Committee. I see nothing in the bill that would draw any serious opposition and it should be approved in Committee with strong bipartisan support.

This bill is not important enough to be considered in normal order on the floor of the Senate, particularly in an election year. I suspect that the bill could be approved under the unanimous consent process, but there is always the prospect of a single Senator raising an objection to that consideration for reasons unrelated to the bill’s provisions.

Commentary


This bill once again brings up the basic systemic discrepancy found in the definitions used in the authorizing language for CISA. The ‘cyber risk’ definition is based upon the IT-restrictive definition of ‘information system’ found in §659 and the ‘cyber threat’ definition is based upon the OT-inclusive definition in §1501. Again, I have addressed these definitional problems in detail in an earlier post.

For this bill a separate issue is the use of three critical undefined terms. For these terms I would recommend adding the following language to the new §665:

Insert (d):

“(d) Definitions – In this section

“(1) Cybersecurity threat information – the term ‘cybersecurity threat information’ has the meaning given to the term ‘cyber threat indicator’ in 6 USC 1501(6);

“(2) Non-Federal entity – the term ‘non-Federal entity’ has the meaning given to that term in 6 USC 1501(14);

“(3) Cybersecurity incidents – the term ‘cybersecurity incidents’ has the meaning given to the term ‘incidents’ in 6 USC 659(a)(3).”

While the above definitions, if not corrected, will still include the IT/OT confusion, they will ensure that the State Coordinators will have the authority to work with private sector organizations to coordinate cybersecurity programs. I am sure that CISA, even with the definitional confusion, would expansively interpret things to be able to include control system security issues with both governmental and private sector organizations.

Another problem with the bill is the perennial lack-of-funding issue. With no additional funding being authorized for these positions, CISA will theoretically need to take these new 50 coordinator positions out of their current headcount and provide the necessary office staff (at least a secretary and a driver) and office space funding out of the current authorization. Unless the spending process for the next fiscal year provides for extra money (an open question), the additional funding and headcount will come at the expense of some other CISA program.

One final issue: the bill does not address the provision of any cybersecurity coordinators for the District of Columbia, Puerto Rico or any of the Pacific territories.

Saturday, January 25, 2020

Public ICS Disclosures – Week of 1-18-20


This week we have one vendor disclosure from 3S.

CODESYS Advisory


3S published an advisory [.PDF download link] describing an uncontrolled resource allocation vulnerability in the CODESYS V3 products containing communication servers for the CODESYS communication protocol. The vulnerability was reported [NOTE: includes proof of concept code] by Tenable. 3S has a new version that mitigates the vulnerability.

3S notes that a relatively low-skilled attacker could remotely exploit this vulnerability with publicly available exploit code to cause a denial-of-service condition.

Bills Introduced – 1-24-20



Yesterday, with the Senate meeting in impeachment session and the House meeting in pro forma session, there were 17 bills introduced. Three of those bills may receive additional attention in this blog:

HR 5667 To enhance stakeholder outreach to and operational engagement with owners and operators of critical infrastructure and other relevant stakeholders by the Cybersecurity and Infrastructure Security Agency to bolster security against acts of terrorism and other homeland security threats, including by maintaining a clearinghouse of security guidance, best practices, and other voluntary content developed by the Agency or aggregated from trusted sources, and for other purposes. Rep. Underwood, Lauren [D-IL-14]

HR 5669 To require the Administrator of the Small Business Administration to establish a program to assist small business concerns with purchasing cybersecurity products and services, and for other purposes. Rep. Finkenauer, Abby [D-IA-1] 

HR 5670 To improve the understanding and clarity of Transportation Security Administration policies, and for other purposes. Rep. Bishop, Dan [R-NC-9]

I will be watching HR 5667 for language concerning cybersecurity and chemical security issues. Similarly, I will be watching HR 5670 for surface transportation security issues related to chemical transportation.

I suspect that HR 5669 will be similar to S 3205 that I discussed earlier this week.

Thursday, January 23, 2020

1 Advisory Published – 1-23-20


Today the CISA NCCIC-ICS published a medical device security advisory for products from GE.

GE Advisory


This advisory describes six vulnerabilities in a number of GE Healthcare Monitoring platforms. The vulnerabilities were reported by Elad Luz of CyberMDX. GE has provided generic workarounds to mitigate the vulnerabilities. There is no indication that Luz has been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• Unprotected storage of credentials - CVE-2020-6961;
• Improper input validation - CVE-2020-6962;
• Use of hard-coded credentials - CVE-2020-6963;
• Missing authentication for critical function - CVE-2020-6964;
• Unrestricted upload of file with dangerous type - CVE-2020-6965; and
• Inadequate encryption strength - CVE-2020-6966

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to obtain PHI data; to make changes at the operating system level of the device, with effects such as rendering the device unusable, otherwise interfering with the function of the device, and/or making certain changes to alarm settings on connected patient monitors; and/or to utilize services used for remote viewing and control of devices on the network to access the clinical user interface and make changes to device settings and alarm limits, which could result in missed or unnecessary alarms or silencing of some alarms.

S 3205 Introduced – SBA Cybersecurity Marketplace


Last week Sen Cortez-Masto introduced S 3205, the Strengthening and Enhancing Cybersecurity Usage to Reach Every (SECURE) Small Business Act. The bill would require the Small Business Administration (SBA) to establish a cybersecurity cooperative marketplace (CCMP) program to assist small business concerns with purchasing cybersecurity products and services.

Definitions


Section 2 of the bill provides the definition of six terms used in the bill. Two are of particular interest here:

• Cybersecurity – means {§2(4)}: the art of protecting networks, devices, and data from unauthorized access or criminal use; and the practice of ensuring the confidentiality, integrity, and availability of information.

• Cybersecurity Threat – means “the possibility of a malicious attempt to infiltrate, damage, disrupt, or destroy computer networks or systems” {§2(5)}.

The Market Place


Section 3 of the bill would require the SBA to establish a marketplace web site that {§3(c)(1)}:

• Is free to use for small business concerns and covered vendors; and
• Provides a cooperative marketplace that facilitates the creation of mutual agreements under which small business concerns cooperatively purchase cybersecurity products (including cybersecurity risk insurance) and services from vendors.

The SBA would be required to adjudge the ‘legitimacy’ of both the vendors and buyers on the marketplace.

This marketplace provision would sunset on September 30, 2024.

Moving Forward


Cortez-Masto is not a member of the Senate Small Business and Entrepreneurship Committee to which this bill was assigned, though two of her cosponsors {Sen Risch (R,ID) and Sen Rosen (D,NV)} are. This means that there is a good chance that this bill would be brought up in Committee. Since there is no spending authorization in the bill, I see nothing that would draw any organized opposition to the bill’s consideration. The Committee would likely report the bill favorably with substantial bipartisan support.

This does not mean, however, that the bill would be considered on the floor of the Senate. The bill is not important enough to be considered under regular order so it would have to be considered under the unanimous consent process; which means a single Senator could block consideration of the bill. That possibility is almost impossible to predict.

Commentary


The cybersecurity definitions in the bill are very vague but tend towards information technology, not control system security. That could be easily remedied by revising the cybersecurity definition in §2(4):

(4) CYBERSECURITY.—The term ‘‘cybersecurity’’ means—

(A) the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring:

(i) for information systems, the practice of ensuring the confidentiality, integrity, and availability of information; or

(ii) for process control systems (including building control and security control systems), the view and safe control of the affected process.

The other oddity is that the lengthy list of ‘covered industry sectors’ does not include the chemical sector. I suspect that Cortez-Masto envisions the chemical sector to be made up of massive petrochemical process facilities. It does, however, contain a very large number of small business entities in the production, transportation and distribution sides of the business. The failure to include those small business concerns is a major problem in this bill that is not adequately remedied by the pro forma inclusion of ‘any other industry sector that the Administrator determines to be relevant’ at the end of the list.

Finally, I am not sure how any congressional staffer figures that the SBA will be able to establish this type of marketplace without any additional funding being provided to the agency. Setting up an on-line commerce site is not cheap, nor is the upkeep and operation of the site. I understand the reluctance of Senators to authorize new spending; it could be the death knell of a bill. But carving these costs out of the existing SBA budget is only going to harm current programs.

There is an alternative: make the Marketplace self-funding. This could be accomplished with the following addition to §3(c):

(c) the Administrator will charge the participants in Market Place a user fee to cover the costs of establishing and maintaining the Marketplace.

Wednesday, January 22, 2020

S 3175 Introduced – Smart Transportation


Earlier this month Sen. Cortez-Masto introduced S 3175, the Smart Transportation Advancement and Transition (STAT) Act. The bill would amend 23 USC 512 (Note, §5305) and require changes to the DOT’s Intelligent Transportation Systems (ITS) program to improve the “development of local smart communities”. The bill contains only one minor mention of cybersecurity.

Amendment


Section 2 of the bill would make amendments to §5305(h) in the note to §512, revising provisions for the establishment of an ITS program Advisory Committee. It would modify and expand the membership of the Committee and revise the duties of the Committee.

New Requirements


Section 4 of the bill would require DOT to develop a resource guide “to assist States and local communities in developing and implementing intelligent transportation technology or smart community transportation programs” {§4(b)}. The guide would be updated at least every three years.

Section 5 would require the identification and development of various ITS workforce development efforts. This would include designating “not less than 10 consortia of public institutions of higher education as a ‘Center of Excellence in Advanced Transportation Workforce Training’” {§5(e)(1)}. It is in the ‘Education and Training Requirements’ portion of §5(e) that we find the bare mention of the term ‘cybersecurity’ {§5(e)(3)(F)}.

Moving Forward


Cortez-Masto is not a member of the Senate Commerce, Science, and Transportation Committee to which this bill was assigned for consideration. This means that it is unlikely that the bill will receive consideration in that Committee. The only provision in the bill that would engender any opposition to the bill would be the $10 million annual grant authorization in §5(f)(7). It is not a lot of money, but it would have to come from somewhere.

Commentary


I continue to be amazed at the lack of congressional concern with cybersecurity issues in the ITS field. Any networked, cyber-enabled system that is designed to increase the efficiency of transportation networks is going to be a complicated amalgam of information technology and control system technology from a wide variety of vendors, owners and operators. The communications requirements for these systems ensure that they will be a major target for widespread ransomware attacks.

This bill is certainly not the best place to address this issue, but we could start by making the following changes:

On page 5, line 12 {revised §5305(h)(2)(A)(iii)} insert:

“(XIX) an automotive control system cybersecurity expert with knowledge of intelligent transportation system communications;”

On page 7, line 16 {revised §5305(h)(3)(B)} insert:

“(vi) how the Department is working to ensure the development of cybersecurity processes and protocols to prevent cyber-attacks on ITS components;”

On page 11, line 17 {§4(c)} insert:

“(4) cybersecurity best practices and lessons learned from smart community transportation demonstration projects, including information on inter-component communications security;”

On page 18, line 5 {§5(e)(3)(F)}, after “cybersecurity” insert:

“, including security of systems communications protocols:”

On page, line 25 {§5(f)(1)} insert:

(C) the development of a cybersecurity workforce skilled in various types of intelligent transportation technologies, components, infrastructure, and equipment.

Tuesday, January 21, 2020

1 Advisory Published – 1-21-20

Today the CISA NCCIC-ICS published a control system security advisory for products from Honeywell.

Honeywell Advisory


This advisory describes two vulnerabilities in the Honeywell MAXPRO VMS and NVR video management systems. The vulnerabilities were reported by Joachim Kerschbaumer. Honeywell has updates that mitigate the vulnerabilities. There is no indication that Kerschbaumer has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Deserialization of untrusted data - CVE-2020-6959; and
• SQL injection - CVE-2020-6960

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow elevation of privileges, cause a denial-of-service condition, or allow unauthenticated remote code execution.

Comments on CSB Spill Reporting NPRM


Last Monday the comment period closed on the Chemical Safety Board’s (CSB) notice of proposed rulemaking (NPRM) for “Accidental Release Reporting”. The CSB did not allow the Federal eRulemaking Portal to publish any of the comments until the comment period was closed. A total of 48 comments were reported as being submitted.

The number is certainly higher than that because the comments I submitted (comment tracking # 11kk33--99duee--jj77559) have not yet been posted to the Docket and it was almost certainly one of the first comments posted. I also posted a portion of those comments to the OMB’s Office of Information and Regulatory Affairs as a comment about the information collection request (ICR) included in the NPRM.

There was no evidence of any letter writing campaigns associated with this rulemaking. Instead of listing all of the agencies, corporate entities and organizations that commented on this NPRM, I will list only the ones that I reference in this blog post. Many of the comments duplicate portions of other submissions, so only the first response that I see making a given point will receive recognition for that information here. NOTE: all links in this list are .PDF download links.

Air Alliance Houston, et al (AAH);
AFL-CIO, et al (AFL);

Extremely Hazardous Substance


USBSA noted that the term ‘extremely hazardous substance’ is undefined and unnecessarily broadens the reporting requirements. EEANY recommends using the definition “found in 40 CFR 355 [presumably §355.61] (including Appendix A and B)”.

REGFORM recommends that: “The definition should also make clear that consequences arising from the physical nature of the substance (e.g., temperature, mass, abrasive qualities) are not reportable.”

Overly Broad Definitions


USBSA notes that the definition of ‘serious injury’ is taken from the OSHA record keeping requirements [quoted 29 CFR 1904, but apparently referred to 29 CFR 1904.7(b)(vi)], not the OSHA reporting requirements [quoted 29 CFR 1904.39, but that only applies to “fatalities, hospitalizations, amputations, and losses of an eye”].

TCI suggested that “the reporting criteria better align with internal criteria CSB uses to deploy investigative teams”. This would be accomplished by removing “‘medical treatment beyond first aid’ and ‘any injury or illness’ bullets” from the proposed §1604.2.

ACC recommends excluding “business interruption costs as a criterion for accident reporting under the rule”.

AFPA notes: “The proposed rule apparently would require a direct report to the CSB in situations where the CSB would require a report and a report to the NRC is not required by other laws.”

In reference to the definition of ‘ambient air’ in the proposed §1604.2 including ‘the atmosphere inside or outside a stationary source’ AFPA notes: “Congress made it clear in §112(r)(6)(E) of the CAA that the CSB was to conduct its activities in a way that minimizes duplication of activities conducted by OSHA”.

ISRI recommends that “The CSB must clarify that an explosion is not per se an “accidental release”, whether in the preamble of the final rule or by regulatory language.”

In order to reduce regulatory redundancy, ISRI recommends that: “The CSB needs to remove “death” from the proposed definition of “serious injury”.”

Duplicative Reporting Requirements


USBSA notes that the rulemaking will require a duplicative reporting requirement if the incident requires reporting to OSHA under 29 CFR 1904.39.

TFI recommends that CSB “utilize the NRC reporting platform to satisfy the court mandate” instead of setting up a separate reporting process. Further, TAA recommends changing the NRC identification number language in the proposed §1604.3(b) to read:

“the CSB reporting requirements are satisfied by submission of the report to the NRC as upon receipt of the report, the NRC will provide the report’s NRC identification number to the CSB”

ORC HSE makes the point that:

“Finally, the CSB clearly does not have the resources needed to utilize the flood of information that they would receive from the submissions required by the proposal, nor is it likely that the Agency would receive sufficient additional resources any time in the foreseeable future.”

EEANY recommends that:

“A single reporting call-in center (at a minimum to satisfy federal requirements) that alerts all necessary authorities using a standardized template for data collection and serves to satisfy all of the existing reporting authorities is suggested, perhaps by making changes to the National Response Center system.”

Reporting Window


TCI recommends extending the proposed ‘4-hour’ reporting requirement to ‘12-hour’ to allow for instances where the organization may not be cognizant of a covered incident because an employee seeks medical attention after leaving work. ACC recommends using the OSHA 8-hour and 24-hour reporting requirements of §1904.39.

Needed Definitions


TCI requests a definition of the term ‘evacuation’ used in the rule; should it cover ‘shelter-in-place’ or those denied entry into the ‘evacuation area’?

CEC requests a definition of the term ‘facility identifier’; noting that: “If it is referring to a regulatory reporting facility ID, then it is unclear which reporting ID is being referred to, as different agencies have different IDs.”

Expand the Scope of the Rule


AAH has an extended discussion of how the scope of the current rule should be expanded to increase the CSB’s ability to “permit more accurate surveillance of chemical incidents”. They also recommend that the reported data be entered into a publicly searchable database.

AFL recommends including reporting requirements for ‘near misses’.

On-Line Reporting


ISRI recommends that: “The CSB should add to proposed §1604.3(c) an option to report by web-based form established by the CSB.”

Commentary


First off, CSB is going to have a tough time meeting its February 5th court-ordered publication of the final rule on this topic. This was the reason for the short comment period as explained here [.PDF download link] by CSB. I suspect that they may have started formulating the final rule preamble as they were receiving comments; it would be the only hope that they have of meeting the deadline. Unfortunately, they will still have to get through the OMB review process before they can publish their rule.

There seems to be some confusion as to the purpose of this reporting rule (beyond just satisfying a legal requirement), and CSB is at least partially to blame for that confusion. If CSB intends to use these reports to establish a comprehensive database for evaluating the status of chemical incidents (as they proposed in their ANPRM preamble), the more expansive definitions in the NPRM make sense. If the reporting is solely to provide CSB with information with which to decide whether to initiate an investigation, more limited definitions would make more sense given the small agency size and budget.

The one definition that most industry commenters seized upon was the missing definition for the term ‘extremely hazardous substance’. It seems to me that the reason CSB did not use the EPA definition of that term is that the Board is tasked with providing the Administrator with recommendations for updating the EPA’s list of such substances. That makes an operational, rather than a list-based, definition of the term more reasonable.

One final comment: the Air Alliance Houston, et al, comment is well worth reading even if it is more than a little adventurous in what it expects to see from any CSB reporting rule. This is what the environmental/safety advocacy community would like to see the CSB tackle, particularly their desire for a publicly searchable database of chemical incidents. Industry observers should carefully read that document to see how reasonable (in comparison) the CSB rule really is.

Sunday, January 19, 2020

Updated NTAS Bulletin – 1-18-20


Yesterday afternoon the DHS Cybersecurity and Infrastructure Security Agency (CISA) published a new Bulletin on their National Terrorism Advisory System (NTAS). The new Bulletin replaces the one issued on January 4th, which expired yesterday at 1:00 pm. While the new Bulletin continues to focus on a potential threat from Iran and its proxies, CISA is apparently expecting a narrowing of the focus of that threat.

Change in Focus


The Bulletin continues to focus on two major potential threats, cyber attacks and direct action by Iranian proxies. In the earlier bulletin CISA made the following comment about the potential for cyberattacks:

“Iran maintains a robust cyber program and can execute cyber attacks (sic) against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.”

The new advisory changes that wording to a more focused:

“Iran maintains a robust cyber program and is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States. Based on Iran’s historic homeland and global targeting patterns, the financial services and energy sectors, maritime assets, as well as U.S. Government and symbolic targets represent consistent priorities for Tehran’s malicious operational planning.”

While the chemical sector is not included in the listed potential target list, some chemical facilities could certainly be included in the ‘energy sector’.

Both versions address the potential for direct terrorist attacks in the United States. In the earlier version CISA stated:

“Homegrown Violent Extremists could capitalize on the heightened tensions to launch individual attacks.”

The latest version narrows both the possible agents and targets of terrorist attacks in the US:

“Homegrown Violent Extremists (HVE) sympathetic to Iran could capitalize on the heightened tensions to launch individual attacks, with little or no warning, against U.S.-based Iranian dissidents, Jewish, Israeli, and Saudi individuals as well as against the U.S. Government infrastructure and personnel.”

While not all terrorist attacks employ improvised explosive devices (IED), the potential for such attacks certainly exists. HVEs will probably not have access to weapons supplied by Iran, so they will probably be forced to locally source materials for IEDs. While many IEDs use commercially available chemicals, employing larger devices will necessitate obtaining precursor chemicals from chemical facilities. Facilities maintaining inventories of such chemicals of interest (COI) will need to maintain increased vigilance.

Commentary


One other change between the versions of the Bulletin is just a little bit odd. The earlier version included the comment: “An attack in the homeland may come with little or no warning.” There is no similar phrase in the latest version. This could indicate that CISA feels that the law enforcement and intelligence communities have a better handle on the identity of potential HVEs. I do not really expect that that is true. Rather, I think that this is a measure of how seriously CISA takes the potential threat.

As more time passes since the assassination of General Qassem Soleimani, it would seem that the threat of additional retaliation measures by Iran and its proxies should decrease. The confounding issue is the increasing dissension in Iran. I believe that there is an increasing possibility of Iran’s proxies increasing pressure on the US to cause responses (including sanctions) that would allow the current Iranian regime to point to the US as a common enemy to promote unity within Iran.

Saturday, January 18, 2020

LNG by Rail Comments – 1-18-20


Comments continue to be submitted on the PHMSA liquefied natural gas by rail NPRM. This week (see note in the commentary section below) there were a total of 233 comments submitted. I have discussed previous submissions:


As with earlier comments, most submissions were from private citizens with concerns about the safe transportation of LNG. Unfortunately, there is no new information there. The following submissions were more involved and will require PHMSA to address at least some of their comments. NOTE: All links are .PDF download links.

Transportation Division of the International Association of Sheet Metal, Air, Rail, and Transportation Workers (SMART)
New York State DOT/DEC/CHSES (NYS);
Fred Millar (FM) [.DOC download link]

Letter Writing Campaigns


We saw three different approaches to letter writing campaigns this week by environmental/safety advocacy groups. The Clean Air Council submitted 1127 comments under a single docket submission. PennEnvironment apparently (it is no longer on their site) provided a fill-in-the-blank web page to submit separate (and, of course, identical) comments for a large number of supporters. And then there is some anonymous organization (no organizational name on the comments) that provided a cut-and-paste comment for supporters to submit on their own.

Again, none of the above comments provided new information for the consideration of PHMSA, and government organizations do not take the number of comments into account in their review of comments when moving forward on a rulemaking.

Fire Safety


NJL pointed out the historic 1944 Cleveland gas explosion, where an LNG leak entered the sewer system and resulted in a large-area explosion and fire.

NYS points out the need for additional funding for fire fighter and other emergency response personnel training on LNG response requirements.

Other Safety Restrictions


NJL calls for operational limitations similar to those for HHFT, along with BLEVE modeling and a requirement for a non-hazardous buffer car to protect the train crew.

SMART recommends that trains containing LNG “must be restricted to a length that is no longer than the shortest siding in which it is to traverse” to ensure that trains parked on sidings do not interfere with adjacent active tracks.

Other Safety Concerns


SMART makes the following comment about current railroad safety trends:

“And while we agree the likelihood of a rail mishap is low, it should be noted that rail incidents are trending upward as a result of the advent of Precision Scheduled Railroading (PSR) and that with each-and-every derailment that occurs the probability increases with it. In other words, now is not the time to add a high-consequence commodity to a railroad industry whose safety and accident ratios are already trending in a dangerous direction without the proper study and testing performed by the Federal Railroad Administration (FRA) and PHMSA.”

FM has a lengthy discussion about the apparent inadequacies in the safety calculations that were used to support the PHMSA rulemaking.

Other Regulatory Concerns


CBD questions whether PHMSA has adequately consulted the US Fish and Wildlife Service to ensure adequate protections under the Endangered Species Act.

PF has a lengthy discussion of their opinion that PHMSA needs to complete an Environmental Impact Statement (EIS) before this rulemaking can move forward.

Commentary


NOTE: I said that there were 233 comments submitted this week. That is more than a little misleading. The dates on the documents indicate that they were all submitted on Monday and Tuesday. PHMSA is probably still reviewing comments before referring them back to the Regulations.gov site for posting. The comment period ends today, but I expect that there will be another large number of comments for me to report on next weekend.

Many of the commenters have expressed concerns about ‘unit trains’ of LNG impacting their communities. While the history of crude oil unit trains certainly suggests that the number and severity of derailments associated with unit trains is much higher than those associated with individual train cars of hazardous materials, it should be remembered that there is only a very small fleet of DOT 113 railcars currently in service, not even enough for a single 100-car unit train. It will be quite some time before the potentially higher-level threat could emerge. Perhaps it would be appropriate for PHMSA to limit train consists to 20 LNG railcars until further safety data can be gathered.

Another thing seen in many of the comments is PHMSA’s failure to take into account the potential for a terrorist attack on LNG rail shipments. First off, security of transportation is not a primary responsibility of PHMSA; the Transportation Security Administration (TSA) has that primary responsibility. We can certainly discuss the inadequacies of that agency’s surface transportation security efforts, but we cannot fairly transfer those responsibilities back to PHMSA in this rulemaking.

Having said that, early readers of this blog will recall that I had significant comments on security of toxic inhalation hazard (TIH) rail shipments from a security perspective, and I have similar concerns with LNG rail transportation. However, there is one thing that is clear to me: an attack on a single-tank TIH rail car would be easier than an attack on a double-hull cryogenic car. And a successful attack on any 5/8” heat-treated steel tank is going to be difficult at best, especially while it is moving.

Derailing a hazmat train (of any composition) is probably going to be the most effective form of terrorist attack, and it would not require a loss-of-cargo result to achieve a terroristic effect. Having a derailed hazmat car sitting in an urban center is going to cause a large enough amount of panic in any case. Slowing traffic through High Threat Urban Areas (HTUA) will make it harder to achieve a high-profile derailment; low-speed derailments are a major bother, but they do not look dangerous and seldom result in loss of hazmat cargo.

Public ICS Disclosure – Week of 1-11-20


This week we have three vendor disclosures about the Windows CryptoAPI vulnerability from Philips, GE Healthcare and Rockwell Automation. We also have two other new vendor disclosures from Siemens and Schneider and five updates from the same vendors.

CryptoAPI Spoofing Vulnerability


Philips published an advisory for the Windows CryptoAPI vulnerability. They are currently reviewing the Windows® patch. Do not apply the patch until they say so.

GE Healthcare published an advisory for the Windows CryptoAPI vulnerability. They are currently reviewing the Windows® patch. More to follow.

Rockwell published an advisory for the Windows CryptoAPI vulnerability. They have provided an initial listing of affected products, indicating which of them can apply the Windows patch and which will require the development of firmware updates.

Siemens Advisory


Siemens published an advisory describing generic ActiveX vulnerabilities in a variety of their Industrial Products. The vulnerability is self-reported. Siemens provides generic workarounds to mitigate the vulnerability.

COMMENT: I’m sorry but do not waste your time reading this advisory. This is the most incomplete and least actionable advisory that I have ever seen from Siemens.

Schneider Advisory


Schneider published an advisory describing an uncontrolled search path element vulnerability in their MSX Configurator software. The vulnerability was reported by Yongjun Liu of nsfocus. Schneider has a new version that mitigates the vulnerability. There is no indication that Yongjun has been provided an opportunity to verify the efficacy of the fix.

Siemens Updates


Siemens published an update for their advisory on GNU/Linux subsystem vulnerabilities in the SIMATIC S7-1500 CPU products. The advisory was originally published on November 27th, 2018 and most recently updated on November 12th, 2019. Ten new GNU/Linux CVEs were added to the advisory.

Siemens published an update for their advisory on SIPROTEC 5 Ethernet plug-in communication modules and devices. The advisory was originally published on August 2nd, 2019 and most recently updated on December 10th, 2019. The new information included:

• Revised affected version and mitigation links for SIPROTEC 5 devices; and
• Removed DHCP vulnerabilities since no products were affected.

Siemens published an update for their BlueKeep advisory. The advisory was originally published on May 24th, 2019 and most recently updated on July 9th, 2019. The new information includes the availability of a new version that mitigates the vulnerability.

NOTE: This update is automatically ‘covered’ in the latest version of the NCCIC-ICS BlueKeep advisory because the link to this Siemens advisory remains the same.

Schneider Updates


Schneider published an update for their URGENT/11 advisory. The advisory was originally published on August 2nd, 2019 and most recently updated on December 10th, 2019. The new information includes adding mitigation links for:

• Modicon X80 I/O modules;
• Modicon Momentum Unity;
• Nanodac Recorder / Controller (added to affected products);
• SCADAPack 53xE RTUs; and
• Saitel DR with HU_A CPU

Schneider published an update for their DejaBlue advisory. The advisory was originally published on September 24th, 2019 and most recently updated on November 26th, 2019. The new information includes:

• Updated version information for TelevisGO; and
• Updated remediation information for EcoStruxure Foxboro DCS and EcoStruxure Foxboro SCADA

Friday, January 17, 2020

CISA Publishes CFATS Iranian Threat Guidance


Yesterday the Cybersecurity and Infrastructure Security Agency (CISA) published their second “Insights” publication dealing with the increased tensions between the United States and Iran; the newest one deals with “Enhancing Chemical Security During Heightened Geopolitical Tensions”. It is interesting to note that neither of the two Insight documents issued since January 6th specifically mentions Iran.

CFATS Coverage


This document was issued by CISA, not the Infrastructure Security Compliance Division (ISCD), the office in CISA that administers the Chemical Facility Anti-Terrorism Standards (CFATS) program. While not specifically a CFATS document, it does make one very important CFATS announcement:

“As of January 15, 2020, tiered CFATS facilities are not being required to implement the heightened security measures under Risk-Based Performance Standards (RBPS) 13 and 14 of their security plans. CISA is monitoring the intelligence information and will inform high-risk chemical facilities if there are changes that warrant activation of RBPS 13 or 14.”

I covered the RBPS 13 requirements under CFATS a couple of days ago. RBPS 14 covers the requirements for facilities to address new threat information provided to them by DHS. This RBPS envisions potential security issues that may arise that would not be covered by a facility’s Site Security Plan and would require emergency-type planning and actions on the facility’s part to address the new issue.

As of this morning there is no reference to this document in the CFATS Knowledge Center.

Facilities of Interest Coverage


The document makes multiple references to “facilities with chemicals of interest (COI)—whether tiered or untiered”; what 6 USC 21(2) refers to as a ‘facility of interest’. What this means is that the 42,000+ facilities that have submitted Top Screens should probably pay some attention to this non-regulatory publication. And, of course, any other chemical facility that may feel it needs to pay special attention to their security during this ‘time of tension’.

One place where the ‘facilities of interest’ coverage becomes interesting is the next-to-last paragraph of the Insight:

“CISA has more than 150 Chemical Security Inspectors (CSI) around the country who are available to assist facilities possessing chemicals of interest, including non-tiered facilities. To request further information, please contact your local CSI. To find out who your local CSI is, please email [CFATS@hq.dhs.gov] the CFATS team the facility name, location, facility point of contact, contact information (i.e., phone and email), and desired meeting dates.”

The offer to make CSI available to non-regulated facilities to provide their advice on chemical facility security matters is impressive, but it is not the first time that this offer has been made. ISCD Director Wulf made the same general offer in his testimony before the House Energy and Commerce Committee last year.

The Document


The two-page document is broken down into three broad categories:

• Things to Do Today;
• Actions for Cybersecurity; and
• Actions for Physical Protection

Each of those categories is broken down into smaller bites with multiple bullet points. It could be made into a rather good PowerPoint® presentation without much effort. This could mean that there is little detail provided, but CISA has dealt with this by adding links at several points to more complete information. Still, this is a broad guideline, and the help of a security professional (including CSI) would certainly be desirable if a facility is really interested in responding to the increased tensions. At the very least, this provides a good set of talking points for a facility security officer to take up with management.

Commentary


The only major point of disappointment I have with this document is its lack of detail about IED precursor chemicals. All of the Iranian-specific documents released this year by the Department highlight the potential IED threat from Hezbollah and other groups associated with Iran and their Revolutionary Guards. I suspect that this lack of specific coverage is due to the fact that the document is not specifically addressing the Iranian-related threat.
