Saturday, February 29, 2020

DHS Guidance Portal – 2-29-20


A reader from DHS alerted me to the fact that DHS also set up its guidance document web site yesterday. While similar in effect to the EPA site that I mentioned earlier today, there are some interesting differences. As with the EPA site, the DHS site provides separate pages for the following DHS components:


The DHS landing page includes an interesting discussion about what constitutes a ‘guidance document’. Unusually for a government agency it looks like DHS has taken a very proactive and expansive look at both the letter and intent of EO 13891. DHS has also taken the extra step of providing a procedure (described on the page) for addressing citizen complaints or questions about these guidance documents. Nice touch.

CISA Documents


The CISA Guidance page provides an interesting look at how much work the Cybersecurity and Infrastructure Security Agency has done in providing guidance to the private sector. There are two subdivisions on the page: Chemical Security and Protected Critical Infrastructure Information (PCII). The Chemical Security section lists a large number of documents from the Chemical Facility Anti-Terrorism Standards (CFATS) program. Almost all of them are listed on the CFATS web site, but they are scattered across a number of different pages on that site.

There is only one document listed in the PCII section of the page, the PCII Program Procedures Manual.

Interestingly, the main DHS cybersecurity agency lists no cybersecurity guidance publications on its guidance page.

CFATS Sodium Chlorate Exemption


There is one CFATS-related document that I have never seen before: Clarification for Sodium Chlorate Contained in Specific Products. That document includes a 2015 letter from Director Wulf {Director of the CISA Infrastructure Security Compliance Division (ISCD)} that notes:

“It has come to our attention that, due to their chemical composition, certain sodium chlorate mixtures may not present the same hazards as pure sodium chlorate and that further review of the issue is necessary.”

He then goes on to provide an indefinite exemption from reporting the following products on Top Screens pending “further review of the issue”:

• Defol 5
• Defol 750
• Pramitol 5 PS
• BareSpot Monobor-Chlorate
• BareSpot Weed and Grass
• BareSpot Ureabor
• BareGround Ultra

I am going to look into this in a little more depth in a future blog post.

TSA Documents


The TSA sub-site is a completely different format from the CISA site; at DHS each agency has its own website generation folks with their own unique styles. Instead of listing the different offices within TSA, each with a separate listing of guidance documents, TSA has opted for a search-style organization that has a pull-down menu for ‘Topics’. Selecting the ‘Surface’ topic results in 4 pages of documents, many of which should obviously also show up for other ‘Topics’.

Under the ‘Surface’ document listing I found “Counterterrorism Guide (CT) Freight Railroad (FR)”. This document is marked ‘For Official Use Only’ (FOUO). As such, it probably could have been left off of this site as a Sensitive But Unclassified (SBU) document. The other interesting thing about the document is that it is prominently marked as being privately (QUICKSERIES PUBLISHING) copyright protected.

The TSA does have a ‘Cybersecurity’ topic listed on their search tool. That returns a single publication: “Counterterrorism Guide (CT) Cybersecurity”. It is also marked FOUO and copyright protected by the same company.

EPA Guidance Portal – 2-29-20


The EPA Guidance Portal that I discussed briefly yesterday is now up. The web site provided yesterday by the EPA is actually just a landing site for Guidance Document pages for each of the following EPA offices:


Each page uses a common format with a little descriptive blurb and then a table of guidance documents. There is an interesting little disclaimer in that descriptive blurb: “The agency may not cite, use, or rely on any guidance that is not posted on this website, except to establish historical facts.” That certainly means that keeping up with changes on these pages could be important.

There are some interesting apparent start-up glitches on some of these pages. The page for the Office of Air and Radiation, for instance, had some problems listing the ‘Original Issue Date’ information for their documents; all of them are in 2020 (“2020-12-05” for the first document; hmmm, and that link does not go anywhere). In another instance, on the page for Office of Chemical Safety and Pollution Prevention, the first document listed is apparently a new guidance document issued yesterday: “Manufacturer Requests for Risk Evaluation, Information for Submitters”. Unfortunately the link just takes you to the “Assessing and Managing Chemicals under TSCA” page with no mention of the guidance document.

Hopefully the EPA will get the bugs worked out in their system fairly quickly.

Public ICS Disclosures – Week of 2-22-20


This week we have two vendor disclosures for products from Phoenix Contact and Moxa and an update from Belden. We also have a researcher disclosure for products from Honeywell.

Phoenix Contact Advisory


Phoenix Contact published an advisory [.PDF download link] describing two of the Urgent/11 vulnerabilities in their FL Switch GHS articles. These vulnerabilities are self-reported. Phoenix Contact provides generic workarounds to mitigate the vulnerabilities.

Moxa Advisory


Moxa published an advisory describing twelve vulnerabilities in their AWK-3131A Series Industrial AP/Bridge/Client. The vulnerabilities were reported by Talos Intelligence (CVE links below to individual Talos reports with proof of concept code). Moxa has a security patch to mitigate the vulnerabilities. There is no indication that Talos has been provided an opportunity to verify the efficacy of the fix.

The twelve reported vulnerabilities are:

• Improper access control (2) - CVE-2019-5136 and CVE-2019-5162;
• Use of hard-coded cryptographic key - CVE-2019-5137;
• Improper neutralization of special elements used in an OS command (4) - CVE-2019-5138, CVE-2019-5140, CVE-2019-5141, and CVE-2019-5142;
• Use of hard-coded credentials - CVE-2019-5139;
• Buffer copy without checking size of input - CVE-2019-5143;
• Out-of-bounds read - CVE-2019-5148;
• Stack-based buffer overflow - CVE-2019-5153; and
• Authentication bypass using alternate path or channel - CVE-2019-5165

Belden Update


Belden published an update to their HiOS advisory that was originally published on February 14th. The new information includes:

• Revised list of affected products;
• Revised list of available updates; and
• Added workaround

Honeywell Report


Applied Risk published their report on the Honeywell vulnerabilities that were reported earlier this month.

Friday, February 28, 2020

EPA Guidance Portal – 2-28-20


Today the Environmental Protection Agency (EPA) published a notice in the Federal Register (85 FR 11986-11987) announcing the establishment of the EPA Guidance Portal (not yet in service as of 8:45 EST 2-28-20). The Portal was established in accordance with EO 13891, Promoting the Rule of Law Through Improved Agency Guidance Documents. The announcement states that the Portal should be available today, but as of this writing it is not online.

The Portal will have the following information available about each active guidance document:

• A concise name for the guidance document;
• The date on which the guidance document was issued;
• The date on which the guidance document was posted to the web portal;
• An agency unique identifier;
• A hyperlink to the guidance document;
• The general topic addressed by the guidance document; and
• A summary of the guidance document's content.

The notice states the EPA’s intent to keep this Portal current, but it does not explain how changes to the information will be made public.

Other agencies are also supposed to be establishing similar public access to guidance documents.

Bills Introduced – 2-27-20


Yesterday, with the House and Senate preparing to leave Washington for the weekend, there were 83 bills introduced. Two of those bills may receive additional coverage in this blog:

H Res 875 Expressing the sense of the House of Representatives that domain name registration information, referred to as "WHOIS" information, is critical to the protection of the United States national and economic security, intellectual property rights enforcement, cybersecurity, as well as the health, safety, and privacy of its citizens, and should remain readily accessible. Rep. Latta, Robert E. [R-OH-5] 

S 3343 A bill to amend the Federal Food, Drug, and Cosmetic Act to provide enhanced security for the medical supply chain. Sen. Hawley, Josh [R-MO]

I will be watching S 3343 for language and definitions that would address cybersecurity issues related to medical device supply chain issues. Unfortunately, I suspect that this bill is probably focused more on issues related to medical supplies (gloves, masks, etc.) and drug precursor chemicals. This would be due to the problems that have arisen in conjunction with the supply interruptions from Chinese manufacturers due to the COVID-19 outbreak. This is, of course, a serious issue, but not one that I expect to cover in this blog.

H Res 875


I do not normally spend much time covering House or Senate resolutions. Typically, they are pro forma statements about broad policy issues that have no practical effect. H Res 875 certainly fits that description, but I think that it is worth mentioning in passing. Brian Krebs has described this issue well and has a personal interest in the preservation (actually restoration) of an open WHOIS record. He has effectively used the open version of WHOIS for many years in his investigative reporting on cybersecurity issues.

Since the GDPR is beyond the control or influence of the House of Representatives, this really is tilting at windmills, but such efforts still need to be made from time to time. Kudos to Latta for taking up this issue.

Thursday, February 27, 2020

OMB Approves TSA Surface Security Employee Training Final Rule


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved the final rule from the Transportation Security Administration (TSA) on “Security Training for Surface Transportation Employees”. This final rule was submitted to OIRA back in July. The NPRM was published in December 2016. I did a series of blog posts on the provisions of the NPRM.

This rulemaking was mandated by Congress in the Recommendations of the 9/11 Commission Act of 2007 (PL 110-53) and codified at (6 USC 1137; 6 USC 1167; and 6 USC 1184). That mandate required that these rulemakings be completed by 2008. Needless to say this provides an interesting lesson in the efficacy of congressional mandates.

There was some thought in the industry when the NPRM was published that the Trump Administration would quash this rulemaking or at least fail to act on it. It will be interesting to see what changes have been made by an administration that is reluctant to regulate at best. This could be another rulemaking that makes it into the court system if this final rule deviates too far from the Congressional mandate.

Wednesday, February 26, 2020

HR 5942 Introduced – DHS Cybersecurity Training


Last week Rep. Jackson Lee introduced HR 5942, the DHS Cybersecurity On-the-Job Training and Employment Apprentice Program Act. The bill would require DHS to establish a cybersecurity on-the-job training and apprenticeship program within the Cybersecurity and Infrastructure Security Agency (CISA) to fill cybersecurity vacancies within the Department.

The Program


The bill would amend the Homeland Security Act of 2002 to include a new §2215, DHS Cybersecurity on-the-Job Training and Employment Apprentice Program. CISA would be required to {new §2215(b)}:

• Submit to the Secretary a monthly report on the status of vacancies in cybersecurity positions throughout the Department;
• Identify diagnostic tools that can accurately and reliably measure an individual’s capacity to perform cybersecurity related jobs or serve in positions associated with network or computing security;
• In consultation with relevant Department component heads, identify a roster of positions that may be a good fit for the Program and make recommendations to the Secretary relating to such identified positions;
• Develop a curriculum for the Program, which may include distance learning instruction, in classroom instruction within a work location, on-the-job instruction under the supervision of experienced cybersecurity staff, or other means of training and education as determined appropriate by the Secretary;
• Recruit individuals employed by the Department to participate in the Program;
• Determine the best means for training and retention of Department employees enrolled in the Program;
• Maintain an accurate numeration and description of all filled and unfilled cybersecurity positions within the Department by office and component;
• Keep up-to-date a roster of open positions relating to cybersecurity, as determined and approved by the Secretary, and the skills applicants must attain to qualify to fill such positions;
• Maintain information on individuals enrolled in the Program; and
• Annually submit to Congress a report containing information relating to the duties specified in this subsection.”

Moving Forward


Jackson Lee is an influential member of the House Homeland Security Committee, to which this bill was assigned for consideration. It is very likely that this bill will be considered in Committee. I do not see anything in this bill that would engender any significant opposition, and I suspect that the bill will receive significant bipartisan support both in the Committee and on the floor of the House. If it makes it to the floor, it will be considered under the suspension of the rules process; with limited debate, no floor amendments and requiring a supermajority for passage.

Commentary


On-the-job training and apprenticeship programs are certainly well-established mechanisms to build a technically trained workforce. Who could possibly be against such a program where there is a well-known skill shortage as there is in the cybersecurity field? Okay, I am not against the idea, but this implementation is flawed.

First, I have to acknowledge that this bill is almost certainly deliberately light on details for the Program. This provides maximum leeway for experts on the ground to craft a program that will provide an effective training development process; too much political control from Congress would certainly impede innovation. This is a good thing.

Having said that, there are some flaws in the approach taken in this bill. My first concern is the assignment of this program to CISA. CISA is not a training management organization nor does it have human resources authority over other agencies within DHS. If this is going to be a Department wide training effort then it needs to be run out of the Office of the Secretary, probably under the Assistant Secretary for Cyber Policy.

Any federal cybersecurity training effort that does not utilize the expertise and programs established by the National Institute of Standards and Technology (NIST) is going to spend a great deal of time and effort reinventing programs, technologies and techniques already perfected by NIST. Any training program authorization should include, somewhere, “in consultation with the Director of the National Institute of Standards and Technology”.

Another problem with this proposal is that it takes people out of existing positions within the Department and moves them into cybersecurity positions. This is good for the shortages in cybersecurity, but with the ongoing problems that agencies in DHS have in hiring and retaining people, this is only going to exacerbate the problems in other job categories within the Department. Provisions need to be made in a bill like this to include hiring new folks, probably specifically including recently separated veterans, to move into these training slots.

A bill like this would also be a good place to require the development of a cybersecurity training program for personnel not working in a cybersecurity position. That may be asking a bit much, but it is becoming increasingly obvious that too many attack vectors utilize actions by inadequately trained personnel to gain a network foothold.

Finally, and you knew it was coming, I am concerned about the lack of definitions, particularly of the term ‘cybersecurity’, in this bill. Lacking definitions in this new proposed §2215, we would have to rely on definitions from 6 USC 651. There are two ‘cybersecurity’-related definitions in that section; one relies on the IT-restrictive definition of ‘information system’ in §659 and the other on the control-system-inclusive definition in §1501. That poses some potential problems down the road.

While I would prefer to see a total revamping of the cybersecurity definitions (see my rant), that would not really be appropriate here; so I would propose the following definitions be included in a newly inserted §2215(b):

(b) Definitions – In this section:

(1) Cybersecurity - the term ‘cybersecurity’ means actions, skills, policies or procedures that fulfill a cybersecurity purpose as that term is defined in 6 USC 1501; and

(2) Cybersecurity Position – the term ‘cybersecurity position’ means any position within the Department of Homeland Security where the principal duties include:

(A) Developing, implementing or inspecting defensive measures as that term is defined in §1501; or

(B) Directly supervising one or more personnel performing duties described in (A).

5 Advisories Published – 2-25-20


Yesterday the CISA NCCIC-ICS published five control system security advisories for products from Honeywell and Moxa (4).

Honeywell Advisory


This advisory describes three vulnerabilities in the Honeywell WIN-PAK monitoring platform. The vulnerabilities are self-reported. Honeywell has an update available that mitigates the vulnerabilities.

The three reported vulnerabilities are:

• Cross-site scripting - CVE-2020-7005;
• Improper neutralization of HTTP headers for scripting syntax - CVE-2020-6982; and
• Use of obsolete function - CVE-2020-6978

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerabilities to allow an attacker to perform remote code execution.

EDS-G516E Advisory


This advisory describes seven vulnerabilities in the Moxa EDS-G516E series, and EDS-510E series ethernet switches. The vulnerabilities were reported by Ilya Karpov and Evgeniy Druzhinin from Rostelecom-Solar, and Georgy Zaytsev of Positive Technologies. Moxa has new firmware that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The seven reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2020-7007;
• Use of broken or risky encryption algorithm - CVE-2020-7001;
• Use of hard-coded cryptographic key - CVE-2020-6979;
• Use of hard-coded credentials - CVE-2020-6981;
• Classic buffer overflow - CVE-2020-6989;
• Cleartext transmission of sensitive information - CVE-2020-6997; and
• Weak password requirements - CVE-2020-6991

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to crash the device, execute arbitrary code, and allow access to sensitive information.

PT-7528 Advisory


This advisory describes six vulnerabilities in the Moxa PT-7528 Series and PT-7828 Series ethernet switches. The vulnerabilities were reported by Ilya Karpov and Evgeniy Druzhinin from Rostelecom-Solar, and Georgy Zaytsev of Positive Technologies. Moxa has a security patch that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2020-6989;
• Use of broken or risky cryptographic algorithm - CVE-2020-6987
• Use of a hard-coded cryptographic key - CVE-2020-6983;
• Use of hard-coded credentials - CVE-2020-6985;
• Weak password requirements - CVE-2020-6995; and
• Information exposure - CVE-2020-6993

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to crash the device or allow access to sensitive information.

ioLogik 2542-HSPA Advisory


This advisory describes three vulnerabilities in the Moxa ioLogik 2542-HSPA Series Controllers and IOs, and IOxpress Configuration Utility. The vulnerabilities were reported by Ilya Karpov and Evgeniy Druzhinin from Rostelecom-Solar. Moxa has a security patch that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Clear-text storage of sensitive information - CVE-2019-18238;
• Clear-text transmission of sensitive information - CVE-2020-7003; and
• Incorrectly specified destination in a communication channel - CVE-2019-18242

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to crash the device or allow access to sensitive information.

MB3xxx Advisory


This advisory describes nine vulnerabilities in the Moxa MB3170 series, MB3180 series, MB3270 series, MB3280 series, MB3480 series, and MB3660 series protocol gateways. The vulnerabilities were reported by Ilya Karpov and Evgeniy Druzhinin from Rostelecom-Solar, and Georgy Zaytsev of Positive Technologies. Moxa has new firmware that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The nine reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2019-9099;
• Integer overflow to buffer overflow - CVE-2019-9098;
• Cross-site request forgery - CVE-2019-9102;
• Use of broken or risky encryption algorithm - CVE-2019-9095;
• Information exposure - CVE-2019-9103;
• Clear-text transmission of sensitive information - CVE-2019-9101;
• Weak password requirements - CVE-2019-9096;
• Clear-text storage of sensitive information - CVE-2019-9104; and
• Incorrectly specified destination in a communication channel - CVE-2019-9097

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to crash the device, cause a buffer overflow, allow remote execution of arbitrary code, or allow access to sensitive information.

NOTE: All four of these Moxa advisories cover vulnerabilities that were originally reported by Moxa on September 25th, 2019.

Tuesday, February 25, 2020

Committee Hearings – Week of 2-23-20


Both the House and Senate are back in Washington this week after their Presidents’ Day recess. Budget hearings are the big news this week even though the President’s budget is effectively dead on arrival.

Agency   House           Senate
DOD
DHS      2-26-20 AHS     2-25-20 AHS
EPA      2-27-20 ECS
DOT      2-27-20 ATHUD
DOE      2-27-20 AEWR

AS – Armed Services Committee
AHS – Appropriations – Homeland Security Subcommittee
ECS – Energy and Commerce – Environment and Climate Change Subcommittee
ATHUD – Appropriations – THUD Subcommittee
AEWR – Appropriations – EWR Subcommittee

Sunday, February 23, 2020

CSB Publishes Accidental Release Final Rule


On Friday the Chemical Safety and Hazard Investigation Board (CSB) published a final rule in the Federal Register (85 FR 10074-10095) concerning ‘Accidental Release Reporting’. The notice of proposed rulemaking (NPRM) for this rule was published in December 2019 and I did a blog post on the public comments submitted to that NPRM.

Changes


The CSB only made a limited number of changes to the rule in the final version; they include:

• Definition of serious injury – limited to “any injury or illness that results in death or inpatient hospitalization”;
• Reporting time limit – changed from 4 hours to 8 hours;
• Clarifying multiple owner reporting requirements – added specific authorization for voluntarily combining reports;
• Clarified term ‘immediately’ in requiring reporting of the NRC report number to CSB – within 30 minutes of submitting the report to the NRC;
• Web site reporting – CSB has developed an on-line .PDF form for reporting; and
• Amended reporting – adds a limited authority to submit an amended report within 90 days of the incident report.

Enforcement


The CSB continues, in the preamble to this final rule, to state that it will not generally refer cases to the EPA for enforcement action for failure to report, “unless there is a knowing failure to report”. In numerous places in the preamble the CSB makes note of its intent to publish some sort of guidance document to aid owner/operators in fulfilling their reporting requirements.

Effective Date


The effective date for this new rule is March 23rd, 2020.

Commentary


With the changes that the CSB made to the ‘serious injury’ definition it is likely that the number of reports that the CSB will receive under this rule will be closer to the 200 per year estimate that the CSB has provided in their information collection request supporting this rule. I still think that they will receive significantly more than 200, but we will have to wait and see.

The CSB had to publish this final rule in a time-abbreviated manner because of the court order requiring its publication by February 4th, 2020 (Note: they did miss that date, but they were closer to meeting it than anyone anticipated). One of the problems that arise with that abbreviated schedule is that the OMB’s Office of Information and Regulatory Affairs (OIRA) has not yet had a chance to give their final approval for the ICR supporting this rule. Technically, CSB cannot require anyone to submit an accidental release report until OIRA approves that ICR. There is a good chance that OIRA will approve the ICR before the March 23rd effective date.

I cannot find any mention of the .PDF reporting form or even the reporting phone number on the CSB.gov website. I expect that between now and March 23rd we will see appropriate changes on the web site. I will be watching for those changes.

Saturday, February 22, 2020

Public ICS Disclosure – Week of 2-15-20


This week we have four vendor disclosures for products from Phoenix Contact, Philips, BD and Belden. We also have one researcher report on products from Siemens.

Phoenix Contact Advisory


Phoenix Contact published an advisory [.PDF download link] describing an unauthenticated web server access vulnerability in their Emalytics Controllers ILC 2050 BI. The vulnerability was reported by Anil Parmar. Phoenix Contact has a new version that mitigates the vulnerability. There is no indication that Parmar has been provided an opportunity to verify the efficacy of the fix.

Philips Advisory


Philips published an advisory on the SweynTooth Bluetooth vulnerabilities. Philips is looking to see if any of their products are affected.

NOTE: The 12 disclosed vulnerabilities affect the Bluetooth Low Energy chipsets sold by major SoC vendors, such as Texas Instruments, NXP, Cypress, Dialog Semiconductor, Microchip, STMicroelectronics and Telink Semiconductor.

BD Advisory


BD published an advisory describing Windows® 32K graphics vulnerabilities (CVE-2019-1458 and CVE-2019-1468) in their products using Windows operating systems. BD is currently working to test and validate the Microsoft patch for BD products. Microsoft included fixes for these vulnerabilities in their December 10th, 2019 updates.

Belden Advisory


Belden published an advisory describing a buffer overflow vulnerability in their Hirschmann HiOS and HiSecOS devices. The vulnerability was reported by Sebastian Krause and Toralf Gimpel of GAI NetConsult. Belden has updates available that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Siemens Report


Tenable published a report describing a denial of service vulnerability in the Siemens TIA Portal. Siemens published their advisory on this vulnerability earlier this month. The Tenable report includes proof of concept code.

Bills Introduced – 2-21-20


With just the House meeting in pro forma session yesterday, there were 25 bills introduced. Of these bills one may see additional coverage in this blog:

HR 5942 To amend the Homeland Security Act of 2002 to establish a DHS Cybersecurity On-the-Job Training and Employment Apprentice Program, and for other purposes. Rep. Jackson Lee, Sheila [D-TX-18]

I will be watching this bill for definitions and specific language that would ensure that the program will address control system security education.

Thursday, February 20, 2020

4 Advisories Published – 2-20-20


Today the CISA NCCIC-ICS published four control system security advisories for products from Auto-Maskin, Honeywell, Rockwell Automation and B&R Industrial Automation.

Auto-Maskin Advisory


This advisory describes six vulnerabilities in the Auto-Maskin RP 210E Remote Panels, DCU 210E Control Units, and Marine Observer Pro (Android App). The vulnerabilities are apparently self-reported. Auto-Maskin has new firmware that mitigates the vulnerabilities.

The six reported vulnerabilities are:

• Cleartext transmission of sensitive information (2) - CVE-2018-5402 and CVE-2018-5401;
• Origin validation error - CVE-2018-5400;
• Use of hard-coded credentials - CVE-2018-5399;
• Weak password recovery mechanism for forgotten password - CVE-2019-6560; and
• Weak password requirements - CVE-2019-6558

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to gain root access to the underlying operating system of the device, which may allow read/write access.

Honeywell Advisory


This advisory describes two vulnerabilities in the Honeywell NOTI-FIRE-NET Web Server (NWS-3). The vulnerabilities were reported by Gjoko Krstikj. Honeywell has a firmware update that mitigates the vulnerabilities. There is no indication that Krstikj has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Authentication bypass by capture-replay - CVE-2020-6972; and
• Path traversal - CVE-2020-6974

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to bypass web server authentication methods.

Rockwell Advisory


This advisory describes a deserialization of untrusted data vulnerability in the Rockwell FactoryTalk Diagnostics. The vulnerability was reported by rgod via the Zero Day Initiative. Rockwell has provided generic workarounds pending the development of updated software.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow a remote unauthenticated attacker to execute arbitrary code with SYSTEM level privileges.

B&R Advisory


This advisory describes an improper authorization vulnerability in the SNMP implementation in the B&R Automation Studio and Automation Runtime. The vulnerability was reported by Yehuda Anikster and Amir Preminger of Claroty. B&R is not able to fix the underlying SNMP vulnerability and has provided generic workarounds.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow a remote attacker to modify the configuration of affected devices.

Wednesday, February 19, 2020

EO 13905 – Responsible Use of PNT Services


Yesterday the President published a new executive order in the Federal Register (85 FR 9359-9361) on “Strengthening National Resilience Through Responsible Use of Positioning, Navigation, and Timing (PNT) Services”. EO 13905 will require actions by various agencies of the Federal Government to “foster the responsible use of PNT services by critical infrastructure owners and operators”.

Definitions:


Section 2 of the order provides a listing of the critical definitions used; they include:

PNT services – any system, network, or capability that provides a reference to calculate or augment the calculation of longitude, latitude, altitude, or transmission of time or frequency data, or any combination thereof.

Responsible use of PNT services – the deliberate, risk-informed use of PNT services, including their acquisition, integration, and deployment, such that disruption or manipulation of PNT services minimally affects national security, the economy, public health, and the critical functions of the Federal Government.

PNT profile – a description of the responsible use of PNT services—aligned to standards, guidelines, and sector-specific requirements—selected for a particular system to address the potential disruption or manipulation of PNT services.

PNT Profiles


Section 4 of the Order requires the Department of Commerce (DOC) to develop PNT profiles. Those profiles will {§4(a)}:

• Enable the public and private sectors to identify systems, networks, and assets dependent on PNT services;
• Identify appropriate PNT services;
• Detect the disruption and manipulation of PNT services; and
• Manage the associated risks to the systems, networks, and assets dependent on PNT services

PNT profiles will be referenced in the Coast Guard’s Federal Radionavigation Plan.

DHS will develop a plan to “test the vulnerabilities of critical infrastructure systems, networks, and assets in the event of disruption and manipulation of PNT services.” The results of the tests will be used to update PNT profiles.

Where appropriate, PNT profiles will be referenced in Federal acquisition contracts “with the goal of encouraging the private sector to use additional PNT services and develop new robust and secure PNT services.”

DOT, DOE and DHS will develop pilot programs “to engage with critical infrastructure owners or operators to evaluate the responsible use of PNT services.” These pilot programs will help inform efforts by the Director of The White House Office of Science and Technology Policy (OSTP) to develop a national plan “for the R&D and pilot testing of additional, robust, and secure PNT services that are not dependent on global navigation satellite systems (GNSS).” In support of this effort, the DOC will “make available a GNSS-independent source of Coordinated Universal Time, to support the needs of critical infrastructure owners and operators”.

Commentary


This is not the first presidential policy on PNT issues. In 2004, President Bush updated the 1996 policy document on U.S. Space-Based Positioning, Navigation, and Timing Policy. That effort, however, was based upon optimizing the use of the GPS-based GNSS. Since that time, it has become obvious that spoofing of the satellite signals is an operational reality, posing a potential danger to the continued use of GNSS-based PNT. This potential danger was publicly recognized as early as 2014 by the PNT Advisory Board. In 2015 DOT started looking at the use of the eLoran system as an alternative to GNSS PNT.

It will be interesting to see how DOC and the rest of the government deal with the PNT profiles mandated in this EO. The larger the number of ‘profiles’ developed, the more useful they will be to the private sector in its internal evaluation of the use of PNT services. On the other hand, minimizing the number of profiles developed will make it easier for government agencies to produce broad, minimally specific guidance documents.

Of particular usefulness would be detailed information on how to ‘detect the disruption and manipulation of PNT services’. Again, user/operators will be best served by the most detailed information available. Government agencies, however, may feel better served by providing only the most generic information.
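As an added illustration of the kind of detection logic the commentary above is asking for (this is example code written for this post, not anything from the EO, DOC, DHS, or a published PNT profile), the block below runs a set of plausibility checks over receiver epochs: GNSS time pulled away from a GNSS-independent holdover clock, a fixed site that appears to move, a sudden rise in received signal strength, and loss of enough satellites for a solution. The thresholds, the receiver fields and the sample fixes are constructed assumptions, not measured data.

```python
"""Consistency checks for detecting GNSS/PNT disruption or manipulation.

Illustrative code for this post. The thresholds, field layout and SAMPLE
epochs are assumptions made for the example, not measurements.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000.0


@dataclass(frozen=True)
class Fix:
    """One receiver epoch. holdover_utc comes from a GNSS-independent clock
    (assumed: a disciplined oscillator in holdover or a wired time source)."""
    holdover_utc: float   # seconds, from the independent reference
    gnss_utc: float       # seconds, as reported by the GNSS receiver
    lat: float            # degrees
    lon: float            # degrees
    cn0_db: float         # mean carrier-to-noise density of tracked satellites
    sats: int             # satellites used in the solution


@dataclass(frozen=True)
class Limits:
    max_time_error_s: float = 0.001   # assumed 1 ms holdover-vs-GNSS tolerance
    max_speed_mps: float = 5.0        # assumed fixed site, so motion is suspect
    max_cn0_jump_db: float = 6.0      # assumed: a spoofer usually arrives stronger
    min_sats: int = 4


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two points (spherical earth)."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


def check_fix(prev, cur, limits=Limits()):
    """Return the anomaly labels raised by `cur`, given the previous fix (or None)."""
    alerts = []
    if cur.sats < limits.min_sats:
        alerts.append("LOSS")                    # disruption: no usable solution
    if abs(cur.gnss_utc - cur.holdover_utc) > limits.max_time_error_s:
        alerts.append("TIME_OFFSET")             # GNSS time diverging from holdover
    if prev is not None:
        dt = cur.holdover_utc - prev.holdover_utc
        if dt > 0:
            dist = haversine_m(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist / dt > limits.max_speed_mps:
                alerts.append("POSITION_JUMP")   # a fixed antenna should not move
        if cur.cn0_db - prev.cn0_db > limits.max_cn0_jump_db:
            alerts.append("CN0_JUMP")            # abrupt power rise across the sky
    return alerts


def scan(fixes, limits=Limits()):
    """Run the checks over a sequence of fixes; returns [(index, alerts)] for anomalies."""
    findings = []
    prev = None
    for i, cur in enumerate(fixes):
        alerts = check_fix(prev, cur, limits)
        if alerts:
            findings.append((i, alerts))
        prev = cur
    return findings


# Constructed sample: a fixed site at 1 Hz, with a spoofer starting at epoch 3.
SAMPLE = [
    Fix(1000.0, 1000.0000, 29.7604, -95.3698, 42.0, 9),
    Fix(1001.0, 1001.0001, 29.7604, -95.3698, 41.5, 9),
    Fix(1002.0, 1002.0000, 29.7604, -95.3698, 42.2, 9),
    Fix(1003.0, 1003.0000, 29.7604, -95.3698, 52.0, 9),   # signal suddenly ~10 dB stronger
    Fix(1004.0, 1004.0250, 29.7620, -95.3698, 52.5, 9),   # time pulled 25 ms, position walks
    Fix(1005.0, 1005.0600, 29.7640, -95.3698, 52.5, 3),   # solution degraded
]

if __name__ == "__main__":
    for index, alerts in scan(SAMPLE):
        print(f"epoch {index}: {', '.join(alerts)}")
```

The point of the design is that none of the checks trusts the GNSS receiver alone: time is compared against a second source, position against the physical fact that the antenna is bolted down, and signal strength against its own recent history. A single tripped check is a reason to look; several at once, as in the sample, is the signature an operator would want escalated.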

Tuesday, February 18, 2020

4 Advisories and 1 Update Published – 2-18-20


Today the CISA NCCIC-ICS published two control system security advisories for products from Emerson and Honeywell, two medical device security advisories for products from GE and Spacelabs, and 1 update for products from Interpeak.

Emerson Advisory


This advisory describes a heap-based buffer overflow vulnerability in the Emerson OpenEnterprise SCADA Server. The vulnerability was reported by Roman Lozko of Kaspersky ICS CERT. Emerson has an upgrade that mitigates the vulnerability. There is no indication that Lozko has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit this vulnerability to allow an attacker to execute code on an OpenEnterprise SCADA Server.

Honeywell Advisory


This advisory describes a clear-text storage of sensitive information vulnerability in the Honeywell INNCOM INNControl 3 energy management platform. The vulnerability is self-reported. Honeywell has an upgrade available to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to escalate user privileges within the INNControl application.

GE Advisory


This advisory describes a protection measure failure vulnerability in the GE Ultrasound Products. The vulnerability was reported by Marc Ruef and Rocco Gagliardi of scip AG. GE has provided generic workarounds to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with local access could exploit the vulnerability to allow an attacker to gain access to the operating system of affected devices.

Spacelabs Advisory


This advisory describes the BlueKeep vulnerability in the Spacelabs Xhibit Telemetry Receiver. Spacelabs has an updated version that mitigates the vulnerability.

NOTE: A number of other vendors in both the control system and medical device realms issued advisories on this vulnerability (see my blog post here for example) beginning in May of last year. This is the first acknowledgement of vendor actions on this vulnerability from NCCIC-ICS though there was an obscure advisory on the vulnerability published by NCCIC-ICS.

Interpeak Update


This update provides additional information on the Urgent/11 advisory that was originally published on October 1st, 2019 and most recently updated on December 10th, 2019. The new information includes a link to a vendor advisory from Mitsubishi.

Pipeline Safety and Cybersecurity


The Pipeline and Hazardous Material Safety Administration (PHMSA) has increasingly begun to require technological solutions to ongoing safety problems with both gas transmission and hazardous material pipelines. A good example of that reliance can be found in the notice of proposed rulemaking (NPRM) that PHMSA issued earlier this month requiring the use of automated valves to limit the damage caused when pipelines rupture. Unfortunately, PHMSA’s failure to address cybersecurity issues related to the sensors and control systems associated with such technological solutions reduces the effectiveness of those measures.

Part of the reason that PHMSA has failed to act is that Congress has not provided PHMSA or DOT in general with specific authority to regulate the cybersecurity of pipeline infrastructure. The primary responsibility for pipeline security rests with the underfunded and woefully understaffed surface transportation security folks within the Transportation Security Administration (TSA). But TSA has been both unwilling and unable to address cybersecurity issues beyond issuing broad guidelines and hoping for voluntary industry compliance with those guidelines.

The time has come for PHMSA to realize that it has an inherent responsibility to ensure that the technologies that it mandates for pipeline safety purposes are specifically protected against cyberattacks and that the failure of cybersecurity protections should trigger the same reporting requirements that accompany the failure of physical controls.

For example, in the current NPRM PHMSA could change the wording of the new §192.745(c) to read:

(c) For each valve installed under § 192.179(e) and each rupture-mitigation valve under § 192.634 that is a remote control shut-off or automatic shut-off valve, or that is based on alternative equivalent technology, the operator must:

(1) conduct a point-to-point verification between SCADA displays and the mainline valve, sensors, and communications equipment in accordance with § 192.631(c) and (e);

(2) demonstrate that the SCADA system, the mainline valve, sensors, and communications equipment are covered under a written cybersecurity plan that identifies:

(A) each of the open ports on each component and the processes, controls or devices protecting each open port against unauthorized communications attempts;

(B) procedures that are in place to ensure that all vendor security notices and advisories for each device are:

(I) reviewed in a timely manner, and
(II) the subject of a subsequent security risk assessment where appropriately adopted risk mitigation measures are implemented in a timely manner;

(C) the reporting processes that will be used to notify management of any incidents, equipment failures or loss of process view or control that might indicate a cyber intrusion or attack, and

(D) how the organization will respond to vulnerability reports from both within and outside of the organization.

NOTE: A copy of this post will be submitted as a comment on the NPRM in question.
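To show what demonstrating compliance with paragraph (2)(A) of the proposed wording could look like in practice, here is an added example (written for this post; it is not PHMSA, TSA or vendor tooling). It compares a written port-and-control baseline for the SCADA components against what a port scan actually observed, and reports open ports with no documented protecting control, documented ports that are no longer open, and hosts missing from either side. The component names, the baseline entries and the nmap-style grepable scan lines are constructed.

```python
"""Check a pipeline SCADA asset inventory against a written port/control baseline.

Illustrative code for this post. BASELINE, SCAN_OUTPUT and the host names are
constructed sample data, not taken from any operator or regulator.
"""
import re

# The written plan: for each component, each open port and the control protecting it.
BASELINE = {
    "rtu-valve-07": {
        502: "firewall ACL: Modbus/TCP from SCADA master only",
        22: "SSH, key auth only, reachable from jump host 10.10.0.5",
    },
    "scada-master": {
        502: "firewall ACL: Modbus/TCP to RTU subnet only",
        3389: "RDP, MFA via jump host, session logged",
    },
}

# Constructed scan output in nmap grepable (-oG) style, one host per line.
SCAN_OUTPUT = """\
Host: 10.10.1.7 (rtu-valve-07)  Ports: 22/open/tcp//ssh///, 502/open/tcp//mbap///, 80/open/tcp//http///
Host: 10.10.0.2 (scada-master)  Ports: 502/open/tcp//mbap///, 3389/closed/tcp//ms-wbt-server///
"""

HOST_RE = re.compile(r"^Host:\s+\S+\s+\((?P<name>[^)]*)\)\s+Ports:\s+(?P<ports>.*)$")


def parse_grepable(text):
    """Map host name -> set of ports reported 'open' in nmap -oG style lines."""
    observed = {}
    for line in text.splitlines():
        m = HOST_RE.match(line.strip())
        if not m:
            continue
        open_ports = set()
        for entry in m.group("ports").split(","):
            # nmap -oG port fields: port/state/proto/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open":
                open_ports.add(int(fields[0]))
        observed[m.group("name")] = open_ports
    return observed


def compare(baseline, observed):
    """Return (kind, host, port) findings; port is None for host-level findings."""
    findings = []
    for host, ports in observed.items():
        documented = baseline.get(host)
        if documented is None:
            findings.append(("UNKNOWN_HOST", host, None))   # not in the written plan
            continue
        for p in sorted(ports - set(documented)):
            findings.append(("UNDOCUMENTED_OPEN_PORT", host, p))   # no control on record
        for p in sorted(set(documented) - ports):
            findings.append(("DOCUMENTED_PORT_NOT_OPEN", host, p))  # plan has drifted
    for host in sorted(set(baseline) - set(observed)):
        findings.append(("HOST_NOT_SCANNED", host, None))
    return findings


def audit(baseline=BASELINE, scan_text=SCAN_OUTPUT):
    """Run the baseline comparison over a scan and return its findings."""
    return compare(baseline, parse_grepable(scan_text))


if __name__ == "__main__":
    for kind, host, port in audit():
        print(f"{kind:26} {host:14} {'' if port is None else port}")
```

The undocumented HTTP port on the RTU is the finding a regulator would care about: either it needs a documented control or it should be closed. The closed RDP port on the master is the other direction of drift, a control on paper that no longer corresponds to anything on the wire, which is how plans quietly go stale between audits.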

Monday, February 17, 2020

HR 5428 Amended and Adopted in Committee – Energy Security Research


Last week the House Science, Space, and Technology Committee held a markup hearing where HR 5428, the Grid Modernization Research and Development Act of 2019, was amended and adopted by the Committee by a voice vote.  A minor amendment had been previously adopted by the Committee’s Energy Subcommittee in December.

The Amendment


The amendment was offered by Rep Fletcher (D,TX). It would insert a new paragraph (f) to the proposed §1304a. That paragraph would add a requirement for DOE to “conduct research and development on tools and technologies that improve the interoperability and compatibility of new and emerging components, technologies, and systems with existing electric grid infrastructure”.

Moving Forward


Once the Committee publishes their report on this markup the bill will be cleared for consideration by the full House. The bill would likely be taken up under the suspension of the rules process where it would pass with substantial bipartisan support.

Saturday, February 15, 2020

Public ICS Disclosure – Week of 2-7-20


This week we have eight vendor disclosures for products from Siemens (2), Schneider Electric, Phoenix Contact, HMS, ABB (2) and Moxa. We also have three advisory updates from Siemens and one from Schneider.

Siemens Advisories


Siemens published an advisory describing three vulnerabilities found in Intel chips used in Siemens products. The vulnerabilities were identified and reported (advisory links below) by Intel. Siemens has provided generic workarounds to mitigate the vulnerabilities.

The three reported vulnerabilities are:

• Insufficient memory protection (2) - CVE-2019-0151 and CVE-2019-0152; and
• Heap-based buffer overflow - CVE-2019-0169

Siemens published an advisory describing a resource allocation vulnerability in their Profinet-IO stack. The vulnerability was reported by Yuval Ardon and Matan Dobrushin from OTORIO. Siemens has updates that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Schneider Advisory


Schneider published an advisory describing an uncontrolled search path element vulnerability in their ProSoft Configurator. The vulnerability was reported by Yongjun Liu from NSFOCUS. Schneider has a new version that mitigates the vulnerability. There is no indication that Liu has been provided an opportunity to verify the efficacy of the fix.

Phoenix Contact Advisory


Phoenix Contact has published an advisory [.PDF download link] describing a remote configuration vulnerability in their Emalytics Controllers. The vulnerability was reported by Anil Parmar. Phoenix Contact has a new firmware version that mitigates the vulnerability. There is no indication that Parmar has been provided an opportunity to verify the efficacy of the fix.

HMS Advisory


HMS has published an advisory describing a cross-site scripting vulnerability in their Flexy and Cosy products. The vulnerability was reported by Ander Martínez from Titanium Industrial Security. HMS has a new firmware version that mitigates the vulnerability. There is no indication that Martinez has been provided an opportunity to verify the efficacy of the fix.

ABB Advisories


ABB published an advisory describing a direct object reference vulnerability in their Asset Suite product. The vulnerability is self-reported. ABB has a new version that mitigates the vulnerability.

ABB published an advisory describing 14 vulnerabilities in their eSOMS product. The vulnerabilities are self-reported. ABB has a new version that mitigates the vulnerabilities.

Moxa Advisory


Moxa published an advisory describing 8 vulnerabilities in their OnCell cellular gateway. The vulnerabilities were reported by Alexander Zaytsev from Kaspersky Lab. Moxa has new firmware versions that mitigate the vulnerabilities. There is no indication that Zaytsev has been provided an opportunity to verify the efficacy of the fix.

Siemens Updates


Siemens published an update to their Linux TCP SACK PANIC advisory for Industrial Products that was originally published on September 10th, 2019 and most recently updated on November 14th, 2019. The new information includes revised version data and mitigation links for:

• TIM 1531 IRC;
• SIMATIC CP 1242-7, CP 1243-7 LTE (EU and US versions), CP 1243-1, CP 1243-8 IRC, CP 1543-1, CP 1542SP-1, CP 1542SP1 IRC, CP 1543SP-1; and
• SCALANCE W1700.

NOTE: NCCIC-ICS updated their advisory on February 11th, but did not list it on their web site.

Siemens published an update for their ZombieLoad advisory that was originally published on July 9th, 2019 and most recently updated on December 10th, 2019. The new information includes updated version data and mitigation links for:

• SIMATIC IPC547E;
• SIMATIC IPC347E; and
• SIMATIC IPC3000 SMART V2.

Siemens published an update for their GNU/Linux subsystem vulnerabilities advisory that was originally published on November 27th, 2018 and most recently updated on January 14th, 2020. The new information includes adding the following new vulnerabilities:

• CVE-2019-5188;
• CVE-2019-11190;
• CVE-2019-19956;
• CVE-2019-20054;
• CVE-2019-20079;
• CVE-2019-20388; and
• CVE-2020-7595

Schneider Update


Schneider published an update for their U.motion Builder advisory that was originally published on April 5th, 2018. The new information includes an updated remediation section.

ISCD Publishes Hatchery Advisory Opinion


This week the DHS Infrastructure Security Compliance Division (ISCD) published their 5th advisory opinion. This one deals with fish hatcheries and the ‘temporary’ agricultural exemption for filing a Top Screen. The Opinion actually dates back to 2015 when ISCD addressed this issue in response to a letter from the California Department of Fish and Wildlife.

In short, ISCD has taken the position that fish hatcheries are not ‘agricultural facilities’ in the meaning used in their exemption (73 FR 1640). This means that fish hatcheries possessing DHS chemicals of interest (COI) at or above the screening threshold quantity are required to complete a Top Screen. ISCD tangentially addressed this issue back in December 2017 when they published “Protect Your Fishery and Hatchery Chemicals from Use in a Terrorist Attack”.

I would assume that someone has recently raised this issue and that ISCD felt it was now necessary to publicly address it by publishing this Advisory Opinion.

Friday, February 14, 2020

HR 5760 Introduced – Energy Security Research


Earlier this month Rep Bera (D,CA) introduced HR 5760, the Grid Security Research and Development Act. The bill would require DOE to fund a variety of electric sector cybersecurity research efforts. The bill would also authorize funding for such activities. The bill would amend Title XIII of the Energy Independence and Security Act of 2007 (42 USC 17381 et seq.) by adding nine new sections.

Definitions


The new §1317 would add definitions for the Smart Grid Title. Key definitions include:

• The term ‘cybersecurity’ means protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.
• The term ‘cybersecurity threat’ has the meaning given the term in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501).
• The term ‘information system’—has the meaning given the term in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501); and includes operational technology, information technology, and communications.
• The term ‘security vulnerability’ has the meaning given the term in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501).
• The term ‘transient devices’ means removable media, including floppy disks, compact disks, USB flash drives, external hard drives, mobile devices, and other devices that utilize wireless connections.

R&D Program


Section 1310 would require DOE “to carry out a research, development, and demonstration program to protect the electric grid and energy systems, including assets connected to the distribution grid, from cyber and physical attacks” {new §1310(a)}. The program would include the award of research, development, and demonstration grants to {new §1310(b)}:

• Identify cybersecurity risks to information systems within, and impacting, the electricity sector, energy systems, and energy infrastructure;
• Develop methods and tools to rapidly detect cyber intrusions and cyber incidents, such as intrusion detection, and security information and event management systems, to validate and verify system behavior;
• Assess emerging cybersecurity capabilities that could be applied to energy systems and develop technologies that integrate cybersecurity features and procedures into the design and development of existing and emerging grid technologies, including renewable energy, storage, and demand-side management technologies;
• Identify existing vulnerabilities in intelligent electronic devices, advanced analytics systems, and information systems;
• Develop technologies that improve the physical security of information systems, including remote assets;
• Integrate human factors research into the design and development of advanced tools and processes for dynamic monitoring, detection, protection, mitigation, response, and cyber situational awareness;
• Evaluate and understand the potential consequences of practices used to maintain the cybersecurity of information systems and intelligent electronic devices;
• Develop or expand the capabilities of existing cybersecurity test beds to simulate impacts of cyber attacks and combined cyber-physical attacks on information systems and electronic devices; and
• Develop technologies that reduce the cost of implementing effective cybersecurity technologies and tools, including updates to these technologies and tools, in the energy sector.

Additionally, DOE would be required to work with relevant entities to develop technologies or concepts that build or retrofit cybersecurity features and procedures into {new §1310(b)(5)}:

• Information and energy management system devices, components, software, firmware, and hardware, including distributed control and management systems, and building management systems;
• Data storage systems, data management systems, and data analysis processes;
• Automated- and manually-controlled devices and equipment for monitoring and stabilizing the electric grid;
• Technologies used to synchronize time and develop guidance for operational contingency plans when time synchronization technologies, are compromised;
• Power system delivery and end user systems and devices that connect to the grid; and
• The supply chain of electric grid management system components.

Resilience and Response


Section 1311 would require DOE to establish a separate grant program “to enhance resilience and strengthen emergency response and management pertaining to the energy sector” {new §1311(a)}. Grants would be awarded for {new §1311(b)}:

• Developing methods to improve community and governmental preparation for and emergency response to large-area, long-duration electricity interruptions;
• Developing tools to help utilities and communities ensure the continuous delivery of electricity to critical facilities;
• Developing tools to improve coordination between utilities and relevant Federal agencies to enable communication, information-sharing, and situational awareness in the event of a physical or cyber-attack on the electric grid;
• Developing technologies and capabilities to withstand and address the current and projected impact of the changing climate on energy sector infrastructure, including extreme weather events and other natural disasters;
• Developing technologies capable of early detection of deteriorating electrical equipment on the transmission and distribution grid, including detection of spark ignition causing wildfires and risks of vegetation contact; and
• Assessing upgrades and additions needed to energy sector infrastructure due to projected changes in the energy generation mix and energy demand.

Best Practices and Guidance


Section 1312 would require DOE to “coordinate the development of guidance documents for research, development, and demonstration activities to improve the cybersecurity capabilities of the energy sector through participating agencies” {new §1312(a)}. This would include updating {new §1312(a)(1)}:

• The Roadmap to Achieve Energy Delivery Systems Cybersecurity;
• The Cybersecurity Procurement Language for Energy Delivery Systems; and
• The Electricity Subsector Cybersecurity Capability Maturity Model, including the development of metrics to measure changes in cybersecurity readiness.

The changes to the cybersecurity procurement language document would include suggestions for {new §1312(a)(1)(B)}:

• Contracting with third parties to conduct vulnerability testing for information systems used across the energy production, delivery, storage, and end use systems;
• Contracting with third parties that utilize transient devices to access information systems; and
• Managing supply chain risks.

DOE would also be required to work with the National Institute of Standards and Technology (NIST) to convene relevant stakeholders to develop consensus-based best practices to improve cybersecurity for {new §1312(b)(1)}:

• Emerging energy technologies;
• Distributed generation and storage technologies, and other distributed energy resources;
• Electric vehicles and electric vehicle charging stations; and
• Other technologies and devices that connect to the electric grid.

Section 1312(c) specifically states that none of the activities authorized by this section “shall be construed to authorize regulatory actions”.

Funding


Section 1318 authorizes funding for the programs outlined in this bill. Funding would start at $150 million in 2021 and increase each year to $182 million in 2025.

Amendments


On Wednesday the House Science, Space, and Technology Committee held a markup hearing that included consideration of HR 5760. Three amendments were offered by:

• Bera;
• Rep Lofgren (D,CA); and
• Rep Waltz (R,FL)

All three amendments were adopted by voice vote as was the amended bill. Most of the changes made by the three amendments were relatively minor wording changes. The most significant change was made by the Waltz amendment. It would add a new §4, Critical Infrastructure Research and Construction, to the bill (not another change to the Energy Independence and Security Act of 2007).

The new §4 would require DOE to establish and operate a Critical Infrastructure Test Facility “that allows for scalable physical and cyber performance testing to be conducted on industry-scale critical infrastructure systems” {§4(d)}. The Test Facility would focus on cybersecurity test beds and electric grid test beds. The Test Facility would be authorized to operate for five years with the possibility of a single 5-year extension by DOE.

Moving Forward


This bill received bipartisan support in Committee, and I expect that it would receive similar support on the floor of the House. This bill could be brought to the floor under the suspension of the rules process or it could be added to a DOE authorization or spending bill. Because of the monies authorized for the grant programs, I suspect that this bill would receive less opposition if it were included in an authorization bill.

Commentary


You have to give the Committee Staff credit; this is a very comprehensive cybersecurity research program outlined in the bill. Unfortunately, the paltry amount of funding authorized in the bill will hardly make a dent in the research program outlined. That amount of money, however, is probably about as much as Congress is going to allocate for cybersecurity research.

One thing that is interesting about this bill is the recognition by the Staff that grid security is going to be affected not just by grid operators, but also by any number of entities that will be increasingly connecting to the grid. The rise of the ‘smart grid’ is increasing the amount of cyber communication between grid operators and their customers. Those communications channels are going to be an increasingly important pathway for attackers to gain effective access to grid control mechanisms. The sooner cybersecurity research starts focusing on that access route, the sooner defenses can begin to be appropriately arrayed to protect the grid.
