Wednesday, April 29, 2020

Bills Introduced – 04-28-20


Yesterday, with the House meeting in pro forma session, there were 22 bills introduced. One of those bills may receive additional attention in this blog:

HR 6642 To authorize video teleconferencing and telephone conferencing of proceedings during the COVID-19 emergency period, and for other purposes. Rep. Quigley, Mike [D-IL-5]

It is not clear from the title if this is about congressional or court remote operations during the COVID-19 pandemic. If this is about court proceedings, it will not be covered here. If it is about congressional proceedings, I may watch it because of my interest in congressional actions on any number of important bills that need to be addressed in the coming months.

Neither Quigley nor his two cosponsors are members of the House Judiciary Committee to which this bill was assigned for consideration. This means that the bill would be unlikely to move forward. But with “Zoom bombing” becoming a thing, it will be interesting to see how (if?) cybersecurity concerns are addressed in this bill.

Tuesday, April 28, 2020

1 Advisory Published – 4-28-20


Today the CISA NCCIC-ICS published a control system security advisory for products from LCDS.

LCDS Advisory


This advisory describes two vulnerabilities in the LCDS LAquis SCADA. The vulnerabilities were reported by Natnael Samson via the Zero Day Initiative. LCDS has a new version that mitigates the vulnerabilities. There is no indication that Samson was provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Exposure of sensitive data to an unauthorized actor - CVE-2020-10618; and
• Improper input validation - CVE-2020-10622.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to allow unauthorized attackers to view sensitive information and create files in arbitrary locations.

OMB Approves CISA CI Workers Denied Movement Reporting ICR


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an emergency information collection request (ICR) from the Cybersecurity and Infrastructure Security Agency to collect information on Critical Infrastructure Workers Denied Movement Reporting. An on-line form would be used by CISA designated Essential Critical Infrastructure Workers (ECIW) to report incidents where local law enforcement agencies denied their movement to or from designated critical infrastructure facilities.

According to the Supporting Document submitted to OIRA by CISA (pg 1, section 1):

“As part of our routine monitoring or our programs, we have heard anecdotal evidence that even though our non-mandatory guidance [See Version 3.0 of the Essential Critical Infrastructure Workers list] has been adopted, local Law Enforcement are not fully following this guidance and have restricted entities that are excepted by local rules. CISA has a duty to evaluate the risk of this behavior. The proposed collection will not attempt to rigorously validate or measure the prevalence of these incidents, but represents an important first step in better understanding the issue.”

CISA will post a copy of the proposed form [.PDF download link] on its web site for ECIW to use in reporting these incidents.

OIRA approved the emergency collection for six months. OIRA noted in their ‘Terms of Clearance’ that:

“The agency will not use the anecdotal information collected for statistical purposes to form the basis of a justification for further guidance or rulemaking efforts.”

The emergency ICR approval process allowed CISA to submit the ICR to OIRA without going through the normal 30-day and 60-day ICR publication process.

Commentary


This is an odd little ICR. I am not sure how much of an issue this ‘problem’ is (and apparently neither is CISA), but I suspect that CISA will not have an easy time reaching their target audience to collect this data. Since my day job is in one of the ECIW positions, I will be watching for messaging about this collection effort.

One added thing about this ICR is that the submission must have been something of a rush effort at CISA. Whoever prepared the submission paperwork did a simple (and quick) cut and paste effort. The submitted Supporting Statement (.PDF download link) contains a number of references [See page 6, section 16 for instance] to ‘NPPD’, the agency which pre-dated the formation of CISA.

Monday, April 27, 2020

Op Centers and Control Rooms Guide for Pandemic Response


Last week CISA published a new guidance document addressing the operations of Op Centers and Control Rooms during the COVID-19 pandemic. The document provides planning considerations and mitigation measures for the continued operation of these facilities while taking into account the need for protecting critical personnel.

The Guide provides an overview of items to be considered along with links to additional information. The topics discussed include:

• Coordination with federal, state, and other authorities.
• Communication and information sharing.
• Key mitigation measures – protecting personnel.
• Key mitigation measures – protecting equipment.
• Key mitigation measures – workforce planning.
• Key mitigation measures – in the event of exposure.

As a footnoted reference, the Guide provides a link to the Electricity Subsector Coordinating Council’s (ESCC) “Assessing and Mitigating the Novel Coronavirus (COVID-19)”, which discusses many of the same topics in more detail.

Commentary


While hindsight is 20/20, this document would have been timelier if it had been issued two months ago. This would have provided management with some time for planning for and then executing the recommended actions. Implementing them now is going to be problematic without methods in place for identifying personnel that have been exposed to the underlying COVID-19 virus or have successfully fought off the disease. Having said that, I still think this is a worthwhile document.

There is one item in the recommendations in this document to which I take exception. Under “Key mitigation measures – protect personnel” the Guide includes:

“Create greater physical separation of operations center and control room operator workstations, increase ventilation or utilize adjacent rooms where possible, and reduce or eliminate interactions across shifts (emphasis added).”

While I completely understand the need for as much internal isolation as possible to restrict the possible spread of the COVID-19 virus, anything that hampers the communication between shifts at shift change increases the chance of misunderstanding the current state of the process and on-going measures to control or monitor that state. I would have worded the final phrase to read:

“… and reduce or eliminate the physical interactions across shifts while ensuring the effective sharing of shift-change information.”

The more detailed information in the ESCC document provides an important discussion about personal protective equipment. It notes that full- and half-face respirators are acceptable substitutes for the N-95 respirator protections. Since these respirators are more readily available at many process facilities and personnel have already been trained on their wear and care, this is probably a more usable protective device for those organizations.

Saturday, April 25, 2020

ISCD Publishes April 2020 CFATS Quarterly


Yesterday the CISA Infrastructure Security Compliance Division (ISCD) published a link on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center for their April 2020 CFATS Quarterly. This somewhat periodic publication provides timely information on the CFATS program. Included in this issue are short articles on:

• Short term CFATS reauthorization;
• CFATS Requirements During COVID-19;
• Maintaining Your Facility’s Security During COVID-19;
• In Development: Additional Voluntary Chemical Security Resources;
• Personnel Surety Program: Uploading Affected Individuals Under Option 1 and Option 2;
• Compliance Close-up: Resubmitting Your Top-Screen; and
• New and Updated CFATS Resources

Public ICS Disclosure – Week of 4-18-20


This week we have 8 vendor advisories for products from ABB (4), Johnson Controls, Rockwell, BD and Eaton; as well as 3 updated advisories for products from ABB. There are also 3 researcher disclosures for products from P5, Rockwell and Siemens.

ABB Advisories


ABB published an advisory describing a path traversal vulnerability in their UPS Adapter CS141. The vulnerability was reported by Eduardo Cataño Conde. ABB has a new version that mitigates the vulnerability. There is no indication that Conde has been provided an opportunity to verify the efficacy of the fix.


ABB published an advisory describing five vulnerabilities in their ABB Central Licensing System. The vulnerabilities were reported by William Knowles at Applied Risk. ABB will be preparing product specific advisories for these vulnerabilities.

The five reported vulnerabilities are:

• Information disclosure - CVE-2020-8481;
• XML external entity injection - CVE-2020-8479;
• Denial of service - CVE-2020-8475;
• Privilege elevation - CVE-2020-8476; and
• Weak file permissions - CVE-2020-8471


ABB published an advisory describing the impact of their Central Licensing System Vulnerabilities (see above) on their System 800xA, Compact HMI and Control Builder Safe products. A new version of the Central Licensing System is available that mitigates some of the vulnerabilities. There is no indication that Knowles has been provided an opportunity to verify the efficacy of the fix.


ABB published an advisory describing an inter-process communication vulnerability in System 800xA. The vulnerability was reported by William Knowles at Applied Risk. ABB has provided generic workarounds to mitigate the vulnerability while working on product updates. NOTE: ABB has requested separate CVE numbers for each affected product based upon varying levels of risk in the products.


NOTE: The ABB Alerts and Notifications page also lists two advisories for products from B&R. I have not covered them here because they were covered when they were released by B&R.

Johnson Controls Advisory


Johnson Controls published an advisory describing an XML external entity injection vulnerability in their BCPro Workstation and Building Configuration Tool (BCT) software. The vulnerability is self-reported. Johnson Controls has a patch that mitigates the vulnerability.

Rockwell Advisory


Rockwell published an advisory describing eight third-party vulnerabilities in their FactoryTalk product. The vulnerabilities are in the Gemalto Sentinel LDK Runtime Environment. The Sentinel LDK vulnerabilities were reported by Kaspersky in January of 2018. Rockwell has a new version that mitigates the vulnerabilities.

BD Advisory


BD published an advisory describing a third-party vendor outdated certificate vulnerability in a large number of their products. The problem was identified by ESET in some of their legacy products. BD is working on validating the ESET update.

Eaton Advisory


Eaton published an advisory describing a third-party vendor stack-based buffer overflow vulnerability in their products supporting the DNP3 Protocol. The Triangle MicroWorks vulnerability was reported by NCCIC-ICS (ICSA-20-105-02) last week. Eaton provided generic workarounds while it is evaluating the vulnerability and its effects on their products.

ABB Updates


ABB published an update for their System 800xA Weak File Permissions advisory that was originally published on April 2nd, 2020. The new information includes an added FAQ question on functional safety.


ABB published an update for their System 800xA Information Manager advisory that was originally published on April 2nd, 2020. The new information includes an added FAQ question on functional safety. (NOTE: includes statement that: “Under certain conditions exploits of this vulnerability may affect the integrity of safety functions in System 800xA.”)


ABB published an update for their System 800xA Weak Registry Permissions advisory that was originally published on April 2nd, 2020. NOTE: The ABB Alerts and Notifications page says that this advisory was updated on “2020-04-21” like the previous 2, but the link takes one to the original advisory with no changes. I suspect that the update should include the same added FAQ question seen in the two updates described above. The difference would be in the answer to that FAQ.


Researcher Disclosures


Zero Science published a report describing a stored cross-site scripting vulnerability in the P5 FNIP-8x16A eight channel relay module. The report includes links to an exploit published by LiquidWorm. Zero Science has attempted to contact P5 but has received no response.

Applied Risk published a report describing an insecure registry permissions vulnerability in the Rockwell RSLinx Classic. This vulnerability was reported by NCCIC-ICS on April 9th, 2020.

Applied Risk published a report describing an insecure file permissions vulnerability in the Siemens TIA Portal. This vulnerability was reported by NCCIC-ICS on January 14th, 2020 and subsequently updated on April 14th.

Thursday, April 23, 2020

1 Update Published – 4-23-20


Today the CISA NCCIC-ICS published an update for a control system security advisory for products from Sierra Wireless. I also take a brief look at CISA cyber issue reporting processes.

Sierra Wireless Update


This update provides additional information on an advisory that was originally published on May 2nd, 2019 and most recently updated on August 20, 2019. The new information includes updated version data and mitigation measures for LS300, GX400, GX440, and ES440 products.

Reporting Cyber Issues


Today CISA added a new “Report Cyber Issue” button on the Chemical Facility Anti-Terrorism Standards (CFATS) landing page. That button takes you to the CISA “Report Incidents, Phishing, Malware, or Vulnerabilities” page. This is a nice concise page with reporting criteria and links for reporting a variety of cyber issues. The URL for the page is a “us-cert.gov” URL which probably means that the site has been around for a while. Of course, since this is a CISA web site, there is no date for the last change to the page.

The next to last paragraph has a link that takes you to the “CISA Coordinated Vulnerability Disclosure (CVD) Process” web site. Lo and behold, it does have an ‘originally created’ date of December 3rd, 2019. For IoT, ICS or medical device vulnerability reporting it provides an email address (NCCICCUSTOMERSERVICE@hq.dhs.gov), a link to the CISA ICS public key, and a telephone number (1-888-282-0870). For reporting IT security issues, it provides a link to the Carnegie Mellon University CERT Coordination Center.

OMB Approves CSB Release Reporting ICR


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) approved the information collection request (ICR) for the Chemical Safety Board’s “Accidental Release Reporting” rule. That rule was published on February 20th, 2020. The ICR was received at OIRA on April 10th, 2020.

The approval included the following Terms of Clearance:

“In accordance with 1320.10(a), the agency is reminded to submit the ICR for OMB review the day of Federal Register publication for the final rule, and the agency will need to resubmit the ICR renewal on the FR publication date for the 30 day public comment period. In addition, OMB reminds the Agency, however, it should consult with up to 9 outside entities at least once every 3 years even if the collection of information has not changed. Finally, the agency is reminded to to (sic) cite the mandatory nature of the collection as required under 5 CFR 1320.8(b)(3)(iv)”

Commentary


Okay, we officially have a new bureaucratic comedy to lighten the COVID-19 exasperation. It seems that OIRA is unaware that the final rule upon which this ICR is based has already been published. Okay, since OIRA approved the publication of the final rule, they (the organization) obviously knew that the rule had been published. Or perhaps not. I just did a search for rulemakings submitted to OIRA for approval between November 1st, 2019 and February 20, 2020; no rulemaking (not a notice of proposed rulemaking nor a final rule) was submitted by the CSB.

So OIRA, officially unaware that the final rule had been published, approved the ICR with the caveat that the CSB would have to submit an ICR revision when the final rule was published. Does the CSB really have authority to collect the information? Interesting legal question. Does CSB have to submit an ICR revision now? I do not know for sure, but I suspect that for the purposes of dotting the regulatory i’s and crossing the bureaucratic t’s, CSB will have to submit that ICR revision request.

Tuesday, April 21, 2020

1 Advisory Published – 4-21-20


The CISA NCCIC-ICS published a control system security advisory for products from Inductive Automation.

Inductive Advisory


This advisory describes an improper access control vulnerability in the Inductive Automation Ignition 8 Gateway. The vulnerability was reported by Sharon Brizinov and Mashav Sapir from Claroty. Inductive has a new version that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to write endless log statements into the database, which could result in a denial-of-service condition.

Saturday, April 18, 2020

Public ICS Disclosures – Week of 04-11-20


This week we have five vendor disclosures for products from Schneider (4) and OPC Foundation. We also have nine updated advisories for products from Schneider (4) and Siemens (5).

Schneider Advisories


Schneider published an advisory describing an injection vulnerability in their Modicon M100/M200/M221 controllers, SoMachine Basic and EcoStruxure Machine Expert - Basic products. The vulnerability was reported by Seok Min Lim and Johnny Pan of Trustwave. Schneider has updated software and firmware that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.


Schneider published an advisory describing two vulnerabilities in their Modicon M218/M241/M251/M258 Logic Controllers, SoMachine & SoMachine Motion, and EcoStruxure Machine Expert products. The vulnerabilities were reported by Rongkuan Ma, Shunkai Zhu and Peng Cheng of 307Lab. Schneider has new versions to mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Insufficient verification of data authenticity - CVE-2020-7487; and
• Clear-text transmission of sensitive data - CVE-2020-7488



Schneider published an advisory describing an untrusted search path vulnerability in their Vijeo Designer and Vijeo Designer Basic Software products. The vulnerability was reported by Yongjun Liu of nsfocus. Schneider has a new version that mitigates the vulnerability. There is no indication that Yongjun has been provided an opportunity to verify the efficacy of the fix.


Schneider published an advisory describing four vulnerabilities in their legacy Triconex product. These vulnerabilities are self-reported. Schneider reports that newer versions corrected the vulnerabilities.

The four reported vulnerabilities are:

• Password vulnerability (2) - CVE-2020-7483 and CVE-2020-7484;
• Improper access - CVE-2020-7485; and
• Denial of service - CVE-2020-7486

OPC Foundation Advisory


OPC published an advisory describing a malformed message vulnerability in their UA .NET Standard Stack. The vulnerability was reported by Steven Seeley (mr_me) and Chris Anastasio (muffin) via the Zero Day Initiative. OPC has updates available that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Schneider Updates


Schneider has published an update for their Urgent/11 advisory that was originally published on August 2nd, 2019 and most recently updated on March 11th, 2020. The new information includes updated mitigation information for:

• ION7400 MID; and
• PM8000 MID


Schneider has published an update for their Modicon Controllers advisory that was originally published on November 12th, 2019. The new information includes the addition of a new hard-coded credentials vulnerability - CVE-2019-6859.


Schneider has published an update for their Andover Continuum advisory that was originally published on March 10th, 2020. The updated information includes an explanation that the code injection vulnerability is a third-party MS-XML library vulnerability.


Schneider has published an update for their Modicon Controllers advisory that was originally published on December 10th, 2019. The updated information includes:

• Adding Modicon M340 and M580 to affected product list;
• Adding a hotfix link and adding further details to the mitigation measures;
• Adding updated firmware links; and
• Adding Enrique Murias Fernández of Tecdesoft Automation to the acknowledgements.

Siemens Updates


Siemens published an update for an advisory for Intel CPUs that was originally published on February 11th, 2020 and most recently updated on March 10th, 2020. The new information includes updated version information and mitigation links for SIMATIC ET 200SP Open Controller CPU 1515SP PC2.


Siemens published an update for an advisory for Industrial Products that was originally published on January 14th, 2020. The new information includes explicitly mentioning old versions of SIMATIC NET.


Siemens published an update for their GNU/Linux subsystem vulnerabilities advisory that was originally published on November 27th, 2018 and most recently updated on February 11th, 2020. The new information includes adding the following new vulnerabilities:

• CVE-2015-5895;
• CVE-2019-19447;
• CVE-2019-19603;
• CVE-2019-19645;
• CVE-2019-19646;
• CVE-2019-19880;
• CVE-2019-19923;
• CVE-2019-19924;
• CVE-2019-19925;
• CVE-2019-19926;
• CVE-2019-19959;
• CVE-2019-20218;
• CVE-2020-8428;
• CVE-2020-8492;
• CVE-2020-9327;
• CVE-2020-10029; and
• CVE-2020-10942


Siemens published an update for their SIMATIC advisory that was originally published on July 30th, 2012. The new information includes adding SIPLUS devices to the list of affected devices.

NOTE: ICS-CERT published advisory ICSA-12-212-02 covering this vulnerability, but has not yet updated (and may not update) that advisory.


Siemens published an update for their SIMATIC advisory that was originally published on July 30th, 2012. The new information includes adding SIPLUS devices to the list of affected devices.

NOTE: This advisory was lumped into the ICS-CERT advisory described above.

Bills Introduced – 4-17-20


Yesterday, with just the House meeting in pro forma session, there were 47 bills introduced. One of those bills may receive additional attention in this blog:

HR 6527 To amend the Emergency Planning and Community Right-To-Know Act of 1986 to require an emergency notification meeting in the event of the release of an extremely hazardous substance from a facility, and for other purposes. Rep. Blunt Rochester, Lisa [D-DE-At Large] 

Thursday, April 16, 2020

PHMSA Publishes Pipeline Safety Reform NPRM


Today the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) published a notice of proposed rulemaking in the Federal Register (85 FR 21140-21159) concerning “Pipeline Safety: Regulatory Reform for Hazardous Liquid Pipelines”. The proposed rule would revise the requirements for facility response plans, revise the definition for accidents, and consider repealing, replacing, or modifying other specific regulations.

The proposed rule would make changes to 49 CFR Parts 190, 194 and 195. The proposed changes would include:

Part 190 - PHMSA is proposing to clarify the requirements for producing records during an inspection or investigation and reduce the burden required to submit confidential commercial information under most circumstances;

Part 194 - PHMSA is proposing amendments that would streamline the oil spill response plan requirements and clarify or eliminate requirements that may be confusing or redundant;

Part 195 - PHMSA is proposing amendments that would relieve accident reporting burdens, allow remote monitoring of rectifier stations, and clarify integrity management (IM) guidance.

Part 190 Changes


PHMSA is proposing to make changes to two sections in Part 190:

§190.203, Inspections and Investigations, and
§190.343, Information Made Available to the Public and Request for Protection of Confidential Commercial Information.

In §190.203 PHMSA is proposing to clarify that operators may submit records electronically, provided that:

• The method used to submit information allows PHMSA to download and print non-redacted copies of records in their original format; and
• Does not impose limitations that impede PHMSA's ability to enforce the Pipeline Safety Laws.

In §190.343 PHMSA is proposing to revise the procedures for operators to request confidential treatment of commercial information to reduce the burden associated with redacting documents containing confidential information.

Part 194 Changes


PHMSA is proposing several changes to part 194 to streamline how operators of onshore oil pipelines must plan, prepare, and submit facility response plans (FRP) for a worst-case oil discharge as required by the Oil Pollution Act of 1990 (OPA 90 - 33 USC 1321). The NPRM would make changes to the following sections:

§194.3, Applicability;
§194.5, Definitions;
§194.7, Operating Restrictions and Interim Operating Authorization;
§194.9, Incorporation by Reference;
§194.101, Operators Required to Submit Plans (to be removed);
§194.103, Significant and Substantial Harm - Operator's Statement;
§194.105, Worst Case Discharge;
§194.107, General Response Plan Requirements;
§194.109, Submissions of State Response Plans;
§194.113, Information Summary;
§194.115, Response Resources;
§194.119, Submission and Approval Procedures;
§194.121, Response Plan Review and Update Procedures;

Part 195 Changes


PHMSA is proposing amendments to part 195, including:

• Adjusting the monetary damage criterion for reporting pipeline accidents for inflation,
• Clarifying that operators may monitor cathodic protection rectifiers remotely, and
• Correcting the organization of the IM guidance in appendix C of part 195.

The following sections would be affected:

§195.50, Reporting Accidents;
§195.52, Immediate Notice of Certain Accidents;
§195.573, What must I do to monitor external corrosion control?
Appendix C, Guidance for Implementation of an Integrity Management Program;

Information Collection Requests


This NPRM would require changes to two currently approved information collection requests (ICR):

• Transportation of Hazardous Liquids by Pipeline: Record keeping and Accident Reporting (2137-0047); and
• Response Plans for Onshore Oil Pipelines (2137-0589)

For the first, PHMSA estimates that due to the revised monetary damage threshold for reporting accidents operators will submit 40 fewer hazardous liquid accident reports per year.

For the second, the proposed rule would:

• Reduce burden hours associated with justifying harm categories or preparing duplicate federal facility response plans in addition to state mandated response plans; and
• Reduce reporting costs but not paperwork burden hours due to eliminating the expectation to submit paper copies of facility response plans.

Public Comments


PHMSA is soliciting public comments on this NPRM. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov: Docket # PHMSA-2018-0047). Comments need to be submitted by June 15th, 2020.

Wednesday, April 15, 2020

TSA Announces COVID-19 Related TWIC Extensions


The Transportation Security Administration (TSA) published an announcement in today’s Federal Register (85 FR 21017-21018) concerning the “Exemption To Extend the Expiration Date of Certain Transportation Worker Identification Credentials”. The TSA is providing a 180-day extension of all current TWICs that expire between April 10th, 2020 and July 31st, 2020.

The notice does reaffirm that:

“For the duration of the exemption, TSA will continue to recurrently vet the holders of the eligible TWIC®s against governmental watch lists for security threat, criminal history, and immigration status. TSA retains its full authority to suspend or immediately revoke an individual's TWIC® if the agency determines the holder is no longer eligible, in accordance with 49 CFR 1572.5(b) and 1572.19(c).”

Additional information can be found here on the TSA TWIC web site. Thanks to Laurie Thomas for pointing out this site.

NOTE: Today’s notice is very similar in wording to the notice last week giving States the authority to provide a similar extension to holders of Hazardous Materials Endorsements for commercial drivers licenses.

9 Advisories and 5 Updates – 4-14-20


Yesterday the CISA NCCIC-ICS published nine control system security advisories for products from Siemens (6), Triangle MicroWorks (2) and Eaton. They also published updates for five advisories for products from Siemens.

TIM Advisory


This advisory describes an active debug code vulnerability in the Siemens TIM communication modules. This vulnerability was self-reported. Siemens has new versions that mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an unauthenticated attacker with network access to gain full control over the device.

KTK Advisory


This advisory describes an uncontrolled resource consumption vulnerability in the Siemens KTK, SIDOOR, SIMATIC, and SINAMICS products. This vulnerability is self-reported. Siemens has updates available to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to create a denial-of-service condition.

NOTE: This is the third-party, Interniche OS, SegmentSmack vulnerability.

SCALANCE Advisory


This advisory describes a resource exhaustion vulnerability in the Siemens SCALANCE and SIMATIC products. This vulnerability is self-reported. Siemens provided generic workarounds while they continue to work on mitigation measures.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to create a denial-of-service condition.

NOTE: This is the third-party, VX Works OS, SegmentSmack vulnerability.

SIMOTICS Advisory


This advisory describes a business logic error vulnerability in the Siemens SIMOTICS, Desigo, APOGEE, and TALON products. The vulnerability was self-reported. Siemens provided generic workarounds.

NCCIC-ICS reports that a relatively low-skilled attacker on an adjacent network could exploit this vulnerability to allow an attacker to affect the availability and integrity of the device.

Industrial Devices Advisory


This advisory describes two vulnerabilities in the Siemens IE/PB-Link, RUGGEDCOM, SCALANCE, SIMATIC and SINEMA products. The vulnerabilities are self-reported. Siemens has updates that mitigate the vulnerabilities.

The two reported vulnerabilities are:

• Resource exhaustion - CVE-2018-5390; and
• Improper input validation - CVE-2018-5391

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to affect the availability of the devices under certain conditions.

NOTE: This is the third-party, Linux OS, SegmentSmack vulnerability.

Climatix Advisory


This advisory describes two vulnerabilities in the Siemens Climatix product line. The vulnerabilities were reported by Ezequiel Fernandez from Dreamlab Technologies. Siemens has provided generic workarounds.

The two reported vulnerabilities are:

• Cross-site scripting - CVE-2020-7574; and
• Basic XSS - CVE-2020-7575.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow a remote attacker to execute arbitrary code to access confidential information without authentication.

TMW SCADA Advisory


This advisory describes three vulnerabilities in the Triangle Microworks (TMW) SCADA Data Gateway. The vulnerabilities were reported by Incite Team of Steven Seeley and Chris Anastasio, and Tobias Scharnowski, Niklas Breitfeld, and Ali Abbasi via the Zero Day Initiative. TMW has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2020-10615;
• Out-of-bounds read - CVE-2020-10613; and
• Type confusion - CVE-2020-10611.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to execute arbitrary code and disclose information on affected installations of Triangle Microworks SCADA Data Gateway with DNP3 Outstation channels. Authentication is not required to exploit these vulnerabilities.

TMW DNP3 Advisory


This advisory describes a stack-based buffer overflow vulnerability in the Triangle Microworks DNP3 Outstation Libraries. The vulnerability was reported by Incite Team of Steven Seeley and Chris Anastasio via ZDI. TMW has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to stop the execution of code on affected equipment.

Eaton Advisory


This advisory describes two vulnerabilities in the Eaton HMiSoft VU3. The vulnerabilities were reported by Natnael Samson (@NattiSamson) via ZDI. The HMiSoft VU3 has reached end-of-life and is no longer supported by Eaton.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2020-10639; and
• Out-of-bounds read - CVE-2020-10637.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to crash the device being accessed and may allow remote code execution or information disclosure.

Industrial Products Update


This update provides additional information for an advisory that was originally published on September 10th, 2019 and most recently updated on March 10th, 2020. The new information includes updated version information and mitigation links for ROX II.

PROFINET Update


This update provides additional information for an advisory that was originally published on October 10th, 2019 and most recently updated on March 10th, 2020. The new information includes updated version information and mitigation links for SIMATIC ET200MP IM155-5 PN HF.

TIA Portal Update


This update provides additional information for an advisory that was originally published on January 14th, 2020. The new information includes updated version information and mitigation links for TIA Portal V16.

SIMATIC PCS 7 Update


This update provides additional information for an advisory that was originally published on February 11th, 2020 and most recently updated on March 10th, 2020. The new information includes updated version information and mitigation links for SIMATIC WinCC (TIA Portal) V16.

SIMATIC S7 Update


This update provides additional information for an advisory that was originally published on February 11th, 2020 and most recently updated on March 10th, 2020. The new information includes adding SIMATIC WinAC RTX to the list of affected products.

Other Siemens Updates


Siemens also updated five other advisories yesterday. I expect that NCCIC-ICS will address at least two of these, probably later this week.

Saturday, April 11, 2020

CSB Resubmits Accidental Spill Reporting ICR


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received an information collection request (ICR) submission from the Chemical Safety and Hazard Investigation Board (CSB) for the new Accidental Release Reporting requirements of 40 CFR 1604 that was approved in February. This is apparently a follow-up action to the OIRA assignment of an OMB Control number to the ICR that I reported upon yesterday.

The announcement includes a link [.PDF download link] to a draft version of the reporting form that the CSB is recommending that submitters use in the reporting process. That form also provides the phone number (202-261-7600) and email address (report@csb.gov) that can be used to complete the reporting process.

Commentary


The CSB cannot legally require submission of the reporting information until OIRA approves this ICR, but presumably would accept voluntary reports at either of those two points of contact provided in the draft reporting form.

Typically, an ICR submission like this would be preceded by the publication of a 30-day ICR notice in the Federal Register. In yesterday’s submission, the CSB is relying on the 30-day notice that was included in the December 2019 notice of proposed rulemaking and was used as the basis for Thursday’s actions by OIRA. I am not sure that OIRA will accept that or require the CSB to resubmit this after the publication of a new 30-day ICR notice. There is also a possibility that OIRA could require the CSB to start the process from scratch with a 60-day ICR notice since (because of timing issues) there was never a 60-day ICR notice published for this collection.


ISCD Announces Possible 2020 CSSS


Sometime this week the CISA Infrastructure Security Compliance Division (ISCD) announced that it was planning to hold the 2020 Chemical Sector Security Summit (CSSS) in Atlanta, GA in July. They noted that:

“CISA is closely monitoring the evolving nature of COVID-19 and is developing contingency plans. Details and updates will be posted as soon as possible.”

Public ICS Disclosures – Week of 4-4-20


This week we have three vendor disclosures for products from B&R Automation, Moxa and Rockwell Automation. There are also two sets of researcher reports for products from Advantech and Universal Robots.

B&R Advisory


B&R published an advisory describing three vulnerabilities in their Automation Studio. The vulnerabilities were reported by Yehuda Anikster and Amir Preminger from Claroty. B&R has updates that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Privilege escalation – CVE-2019-19100;
• Incomplete communication encryption and validation – CVE-2019-19101; and
• Zip Slip vulnerability (third-party vulnerability) – CVE-2019-19102.

Moxa Advisory


Moxa published an advisory on the kr00k vulnerability in their products. They report that none of their products are affected.

NOTE: Negative reports about third-party vulnerabilities are just as important as reports of an active vulnerability in a product.

Rockwell Advisory


Rockwell published an advisory describing a file permission vulnerability in their Current Program Updater software. The vulnerability was reported by Reid Wightman from Dragos. Rockwell has new versions that mitigate the vulnerability. There is no indication that Reid has been provided an opportunity to verify the efficacy of the fix.

NOTE: Rockwell is reporting a 2017 CVE (CVE-2017-5176) for this vulnerability. That vulnerability was reported by ICS-CERT on March 21st, 2017. If NCCIC-ICS were to pick up this advisory it would probably be as an update to that earlier advisory.

Advantech Reports


The Zero Day Initiative published five related reports (here, here, here, here, and here) for 0-day arbitrary file deletion vulnerabilities in the Advantech WebAccess program. The vulnerabilities were reported by Natnael Samson. ZDI reports that it has reported all five vulnerabilities to Advantech and ICS-CERT (their naming not mine) noting: “The vendor communicated that they will rely on existing measures and will add no amendments to the code.”

Universal Robots Reports


Aliasrobotics published four reports of vulnerabilities for products from Universal Robots. The vulnerabilities were reported by rvd-bot, bedieber and bbreilin. Aliasrobotics reportedly contacted Universal Robots about these vulnerabilities but has received no replies.

The four reported vulnerabilities are (links are to github pages which include proof-of-concept exploit code):

• Missing encryption of sensitive data - CVE-2020-10267;
• Missing authentication for critical function - CVE-2020-10265;
• Insufficient verification of data authenticity - CVE-2020-10266; and
• Exposure of sensitive information to unauthorized actor - CVE-2020-10264.

Friday, April 10, 2020

S&T Announces GPS Spoofing Testing Event


Earlier this week the DHS Science and Technology Directorate announced that it would be conducting a GPS spoofing test event later this year. The event will be designed to allow manufacturers as well as critical infrastructure owner/operators to have their space-based position, navigation, and timing (PNT) equipment evaluated in a live GPS spoofing environment.

S&T is soliciting participation of vendors and owner/operators in the test event. Requests to participate should be submitted to S&T via GPS4Critical-Infrastructure@hq.dhs.gov. More information about the event can be found here.

Commentary


While not specifically mentioned in this announcement, this event is being conducted in support of the President’s EO 13905 – Responsible Use of PNT Services. Information from this event will almost certainly be used to update the PNT profiles that are supposed to be developed by the Department of Commerce.

Participation in the free testing program certainly makes sense for PNT vendors that are concerned about the potential for cyber attacks via this type of equipment.

OMB and CSB’s New Reporting Rule – 4-9-20


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) published a notice that it had assigned an OMB Control Number (3301-0001) for an information collection request (ICR) submitted by the Chemical Safety and Hazard Investigation Board (CSB) in support of the CSB’s rule on Accidental Release Reporting. OIRA also reported that they had filed comments on the ICR on the rulemaking docket (not yet posted as of this writing; it could take a day or two).

The ‘Terms of Clearance’ in yesterday’s notice specifically states that: “This OMB action is not an approval to conduct or sponsor an information collection under the Paperwork Reduction Act of 1995.” Thus while the CSB’s final rule has been published, OIRA has not yet approved the CSB’s collection of reports under that rule.

Commentary


There are a couple of oddities with yesterday’s notice. First, OIRA reports that the ICR paperwork was submitted to them on April 2nd, 2020. All of the data submitted was based upon the publication of the December 2019 notice of proposed rulemaking, not the final rule. Now CSB was required to submit that information as part of their NPRM processing. In the normal course of events the OIRA comments on that request would have been reviewed and acted upon as necessary by CSB as part of the preparation of the final rule. Unfortunately, the abbreviated time frame between the NPRM and the publication of the final rule would probably not have allowed for normal OIRA review and reply, but apparently the CSB never gave OIRA that chance.

I do not think that this was deliberate malfeasance on the part of CSB. This was, after all, the first ICR submission made by the Board. I suspect that CSB attempted to submit the initial ICR when they published their NPRM, but somehow failed to properly submit the documents and never made an actual connection at OIRA.

Apparently, the CSB recently realized that they had not followed proper procedures in the initial ICR submission process (probably when someone pointed out the lack of an OMB approved control number) and worked with OIRA to correct that issue. Unfortunately, this probably means that CSB will have to publish a 30-day ICR notice to complete the OIRA process.

In the meantime, until OIRA approves the ICR, the CSB cannot legally require (regardless of the publication of the final rule and the effective date – March 23rd, 2020 – having passed) anyone to provide information to the CSB under that rule.

Thursday, April 9, 2020

1 Advisory Published – 4-9-20


Today the CISA NCCIC-ICS published a control system security advisory for products from Rockwell Automation.


Rockwell Advisory


This advisory describes an incorrect permission assignment for critical resource vulnerability in the Rockwell RSLinx Classic PLC communications software. The vulnerability was reported by Applied Risk. Rockwell has a patch that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with local authenticated access could exploit the vulnerability to execute malicious code when opening RSLinx Classic.

Wednesday, April 8, 2020

TSA to Allow COVID-19 HME Extensions


Today the Transportation Security Administration published a notice in the Federal Register (85 FR 19767-19769) providing for an “Exemption From Renewal of the Hazardous Materials Endorsement Security Threat Assessment for Certain Individuals”. This would clear the way for States to provide up to 180-day extensions of current Hazardous Material Endorsements (HME) for commercial driver’s licenses.

Today’s notice states that:

“TSA has determined that it is in the public interest to grant an exemption from certain process requirements in 49 CFR part 1572 related to STAs for HMEs, given the need for commercial drivers with an HME to continue to work without interruption during the current COVID-19 crisis. This action would not compromise the current level of transportation security resulting from the HME requirements because TSA maintains the ability to conduct recurrent security threat checks on HME holders and take action to revoke an HME if derogatory information becomes available, regardless of expiration date.”

The notice makes it clear that: “The exemption permits, but does not require, States to extend the expiration date for HMEs.”

The following conditions apply to the exemption:

• The extensions will only be available with respect to eligible individuals, ensuring that TSA has relatively current information on the individual based on their last STA (No Determination of Security Threat) and can continue to conduct recurrent-vetting;

• The extensions will be for a set, limited time, dependent on the duration and scope of the COVID-19 crisis, and subject to possible modification by TSA before the closure of the effective period; and

• TSA will continue to recurrently vet these individuals against Federal terrorism and national security-related watch lists and databases during the period of the extensions and retain its full authority to immediately revoke or suspend an individual's STA (Determination of No Security Threat) and to order a State to revoke an individual's HME.

This exemption would run through July 31st, 2020.

There is nothing in this notice that would indicate that TSA is considering a similar extension of the expiration of Transportation Workers Identification Credentials (TWIC).

COVID-19 and Facility Security


Laurie Thomas has an excellent article over on LinkedIn about COVID-19 and the Maritime Transportation Security Act (MTSA). While there are many technical and administrative details about that program that are different from the Chemical Facility Anti-Terrorism Standards (CFATS) program, many of the points that Laurie makes apply to the CFATS program as well.

Communications


Communications is a key to maintaining regulatory compliance in this unusual situation. With both programs there are two different levels of important communications. The first is program level communications. For the MTSA covered facilities, Laurie notes that following the Maritime Commons blog is a good source for near real time information about program information. For the CFATS program the go-to source is the CFATS Knowledge Center. For unofficial program level news, Laurie has an excellent blog and this blog is a good source for CFATS news.

The second level is communications directed towards the regulators. For MTSA facilities this is communications directed at the Captain of the Port (COTP). For CFATS facilities this would be communication directed at the Infrastructure Security Compliance Division. In both cases, your local inspector is probably a good communications tool.

Compliance Issues


At the facility level, both programs require adherence to an approved security plan for the facility, and the COVID-19 pandemic may cause unexpected problems with those security plans. Neither the Coast Guard nor CISA is going to be surprised if your facility has some compliance issues arise during this pandemic. Personnel issues with security plans are going to be a very common concern. Neither agency has any official plans to waive compliance with the regulatory requirements of either program, but both programs will be willing to work with facilities on alternative methods of compliance.

The key here will be the early identification of problems with the current security plans and communicating those problems to the program authorities. Laurie makes an important point in her article when she says: “If something happens to bring you out of compliance, have an equivalent security measure ready at hand to replace the one that is the issue.” While the COTP or ISCD may not fully accept that ‘equivalent security measure’, it shows that you are interested in maintaining compliance and may make it easier for them to suggest a more appropriate response. Remember, they are hearing about these problems from a number of facilities and will have heard other options that may apply to your situation.

One of the most common problems that will arise during this pandemic will be a shortage of security personnel, especially at facilities that are shut down or working reduced shifts. COVID-19 quarantines are going to inevitably put some security officers off-line because of having COVID-19 symptoms or being exposed to someone with the disease. Some common mitigation measures will be:

• Increasing patrols by local law enforcement;
• Sharing patrol resources with other local facilities; or
• Using facility personnel to fill in for security officers.

Shutdown Alternative


For CFATS facilities, remember that status as a covered facility is dependent on the presence of chemicals of interest. Working down inventory levels to below the screening threshold quantity (STQ) may allow ISCD to remove the facility from the CFATS program. Even drastically reducing the on-hand levels without achieving sub-STQ levels may allow ISCD to reduce the Tier ranking for the facility or even remove the facility from the CFATS program. Talk with your chemical security inspector about this possibility. If you take this route, remember that a new Top Screen will have to be initiated when the facility goes back into operation.

Tuesday, April 7, 2020

5 Advisories and 1 Update Published


Today the CISA NCCIC-ICS published five control system security advisories for products from KUKA, Fuji Electric, HMS Networks, GE Digital and Advantech. They also updated an advisory for products from Synergy.

KUKA Advisory


This advisory describes an improper enforcement of message integrity in a communications channel vulnerability in the KUKA Sim Pro. The vulnerability was reported by Federico Maggi of Trend Micro. KUKA has an upgrade that mitigates the vulnerability. There is no indication that Maggi has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to result in a loss of integrity in external 3D models fetched from remote servers. When tested on real machines, this effect is unpredictable.

Fuji Advisory


This advisory describes a heap-based buffer overflow vulnerability in the Fuji V-Server Lite. The vulnerability was reported by kimiya via the Zero Day Initiative. Fuji has a new version that mitigates the vulnerability. There is no indication that kimiya has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow a remote attacker to gain elevated privileges for remote code execution.

HMS Advisory


This advisory describes a cross-site scripting vulnerability in the HMS eWON Flexy and Cosy. The vulnerability was reported by Ander Martínez of Titanium Industrial Security. HMS has a firmware update that mitigates the vulnerability. There is no indication that Martínez has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit this vulnerability to initiate a password change.

NOTE: I briefly discussed this vulnerability back in February.

GE Advisory


This advisory describes an improper privilege management vulnerability in the GE Digital CIMPLICITY HMI/SCADA product. The vulnerability was reported by Sharon Brizinov of Claroty. GE has a new version that mitigates the vulnerability. There is no indication that Brizinov has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an adversary to modify the systemwide CIMPLICITY configuration, leading to the arbitrary execution of code.

NOTE: I briefly discussed this vulnerability last weekend.

Advantech Advisory


This advisory describes eight vulnerabilities in the Advantech WebAccess/NMS network management system. The vulnerabilities were reported by rgod of 9sg via ZDI. Advantech has a new version that mitigates the vulnerabilities. There is no indication that rgod was provided an opportunity to verify the efficacy of the fix.

The eight reported vulnerabilities are:

• Unrestricted upload of file with dangerous type - CVE-2020-10621;
• SQL injection (2) - CVE-2020-10617 and CVE-2020-10623;
• Relative path traversal (2) - CVE-2020-10619 and CVE-2020-10631;
• Missing authentication for critical function - CVE-2020-10625;
• Improper restriction of XML external entity reference - CVE-2020-10629; and
• OS command injection - CVE-2020-10603.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to gain remote code execution, upload files, delete files, cause a denial-of-service condition, and create an admin account for the application.

Synergy Update


This update provides new information on an advisory that was originally published on February 11th, 2020. The new information includes:

• Four new vulnerabilities:
    Missing authentication for critical function - CVE-2019-16879;
    Improper check for unusual or exceptional conditions - CVE-2020-7800;
    Exposure of sensitive information to an unauthorized actor - CVE-2020-7801; and
    Incorrect default permissions - CVE-2020-7802.
• Links to three associated advisories from SSS (here, here and here).
