Saturday, May 30, 2020

Public ICS Disclosures – Week of 5-23-20


This week we have 11 vendor disclosures for products from SWARCO Traffic Systems, Bosch, ABB (8), and Belden. There are also two updated vendor disclosures from Johnson Controls and Belden.

SWARCO Advisory


INCIBE-CERT published an advisory describing an inadequate access control vulnerability on the SWARCO LS4000 CPU. The vulnerability was reported by Martin Aman, from the company ProtectEM. SWARCO has a patch that mitigates the vulnerability. There is no indication that Aman was provided an opportunity to verify the efficacy of the fix.

Bosch Advisory


Bosch has published an advisory describing four vulnerabilities in their Bosch Recording Station (BRS). The vulnerabilities are apparently self-reported. Bosch provides generic workarounds and recommends a new product upgrade.

The four reported vulnerabilities are:

• EternalBlue - CVE-2017-0144,
• BlueKeep - CVE-2019-0708,
• Improper access control - CVE-2020-6774, and
• Lack of full disc encryption - (no CVE)

ABB Advisories


ABB published eight advisories dealing with the effects of the Urgent/11 vulnerabilities on specific product lines. ABB published a series of initial reports on the URGENT/11 vulnerabilities back in July of last year, and those were referenced in the NCCIC-ICS URGENT/11 advisory. At that time ABB was only able to provide generic workarounds for the vulnerabilities. This week’s advisories provide more specific mitigation measures:

CI845 – new version,
FOX615 Multiservice-Multiplexer – new version,
AFS66x – new version,
NSD570 Teleprotection Equipment – new versions,
ETL600 Power Line Carrier System – new version,
REB500 – new version, and
RTU500 series – new versions

Belden Advisory


Belden published an advisory describing a buffer overflow vulnerability in the Linux Point-to-Point Protocol (PPP) daemon in the Belden Hirschmann OWL devices. This vulnerability is apparently self-reported. Belden has a new version that mitigates the vulnerability.

NOTE: There are a number of proof-of-concept exploits (see here for example) available for this vulnerability.

Johnson Controls Update


Johnson Controls published an update for an advisory that was originally published on May 21st, 2020. The new information includes:

• Updated affected version information for the C•CURE 9000, and
• More detailed mitigation instructions

Belden Update


Belden published an update for an advisory that was originally published on February 14th, 2020 and most recently updated on February 26th, 2020. The new information includes a CVE identifier (with link) for the vulnerability.

Friday, May 29, 2020

Follow-Up to 2016 Chlorine Release Incident


Yesterday a local news story in Atchison, KS reported on the regulatory follow-up to a chemical release incident that took place in October 2016 where a large chlorine and water vapor cloud caused havoc in that city. The EPA fined each of the two companies involved (the facility owner and the chemical distributor) $1 million.

The Incident


I discussed the incident after it happened. The Chemical Safety Board completed their report [.PDF download link] on the incident in January 2018 along with an excellent video.

While the CSB investigation revealed a number of additional troubling details about this incident, the problems I identified from news reports and my experience in the chemical industry were all addressed in the CSB report. That required no great prescience on my part; anyone who has worked in chemical manufacturing for any length of time has seen the consequences of incorrect unloading operations. This case was just spectacularly evident over a wide area.

Unloading operations demand a thorough safety review and, where truck drivers conduct unloading operations, that review must include participation of the chemical distributor/vendor.

Security Implications


While this incident was purely a safety issue, this type of accident could definitely be used as an attack methodology where mutually incompatible materials are delivered to a facility. All it would take is suborning or replacing a truck driver making the delivery to turn this into an effective attack. A more complex version could entail changing delivery documentation to deliver a mismarked, incompatible material to a facility.

Security managers need to participate in all hazard reviews and process hazard analysis meetings. Identifying consequences of safety incidents that could have serious on-site or any significant off-site consequences is a good way of identifying potential targets of a terrorist attack; the more significant or dangerous the consequence the more lucrative the target may be.

This is one of the areas where the Chemical Facility Anti-Terrorism Standards (CFATS) program has the same institutional blinders found at the EPA and OSHA; reactive chemistry is not seen as a major concern. Neither sodium hypochlorite nor sulfuric acid is considered a DHS chemical of interest (COI), so neither of these chemicals is required to be reported to DHS under the CFATS program. This means that the chemical security inspectors of the Infrastructure Security Compliance Division (ISCD) may not be aware of this potential terrorist target at a CFATS covered facility.

It is probably not reasonable to expect a revision of the CFATS COI list to include all potentially energetic incompatible chemicals; the number is just too great. What the program should include, however, is a requirement for all covered facilities to identify all potential chemical mixtures on-site that could produce a release of toxic gases or another reaction that could compromise the security of the facility. Security vulnerability assessments and site security plans could then be required to address the prevention of those mixtures (inadvertent or otherwise) as part of the facility’s security posture.

DOD Cybersecurity Certification NPRM to OMB


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking from the Department of Defense on “Strategic Assessment and Cybersecurity Certification Requirements”. This rulemaking was not listed in the Fall 2019 Unified Agenda.

According to a recent DOD document this rulemaking:

“Implements a standard DoD-wide methodology for assessing DoD contractor compliance with all security requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations and a DoD certification process, known as the Cybersecurity Maturity Model Certification (CMMC), that measures a company’s maturity and institutionalization of cybersecurity practices and processes. Partially implements section 1648 of the FY20 NDAA.”

Tuesday, May 26, 2020

2 Advisories Published – 5-26-20

Today the NCCIC-ICS published two control system security advisories for products from Johnson Controls and Inductive Automation.

Johnson Controls Advisory


This advisory describes an improper access control vulnerability in the Johnson Controls Kantech EntraPass software. This vulnerability is self-reported. Johnson Controls has a new version that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an authorized low-privileged user to gain full system-level privileges.

Inductive Automation Advisory


This advisory describes three vulnerabilities in Inductive Automation Ignition. The vulnerabilities were reported by Pedro Ribeiro, Radek Domanski, Chris Anastasio (muffin), and Steven Seeley via the Zero Day Initiative. Inductive Automation has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Missing authentication for critical function - CVE-2020-12004, and
• Deserialization of untrusted data (2) - CVE-2020-10644 and CVE-2020-12000

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to obtain sensitive information and perform remote code execution with SYSTEM privileges.

Monday, May 25, 2020

OMB Approves PHMSA Gas Pipeline Deregulation NPRM


On Friday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a notice of proposed rulemaking (NPRM) from the DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) on “Gas Pipeline Regulatory Reform”. The NPRM was submitted for review last October.

According to the Fall 2019 Unified Agenda abstract for this rulemaking:

“This rulemaking would amend the Pipeline Safety Regulations to adopt a number of actions that ease regulatory burdens on the construction and operation of gas transmission, gas distribution and gas gathering pipeline systems. These amendments include regulatory relief actions identified by internal agency review, existing petitions for rulemaking, and public comments on the Department of Transportation Regulatory Review and Transportation Infrastructure notices.”

The only change to this abstract since the rulemaking was added to the Unified Agenda in the Spring of 2017 is the addition of the phrase “and gas gathering pipeline systems”.

The ‘Regulatory Review’ reference is to a Federal Register notice published by DOT in June of 2017. Comments to that notice can be found on the Federal eRulemaking Portal (www.regulations.gov; Docket # OST-2017-0057). Just 202 comments were received across the entire DOT regulatory universe; few were specifically targeted at PHMSA pipeline regulations.

Saturday, May 23, 2020

Public ICS Disclosures – Week of 5-16-20


This week we have two vendor disclosures for products from HMS and BD. There is also a researcher report on previously disclosed vulnerabilities from OSIsoft.

HMS Advisory


HMS published an advisory describing a certificate verification vulnerability in their eCatcher product. The vulnerability was reported by TÜV Rheinland. HMS has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

BD Advisory


BD published an advisory describing two Windows Adobe Type Manager Library vulnerabilities in various BD products. BD is currently working to test and validate the appropriate Microsoft patch for these vulnerabilities.

OSIsoft Report


Applied Risk published a report on vulnerabilities in the OSIsoft PI System. These vulnerabilities were previously disclosed by NCCIC-ICS. This report provides links to the OSIsoft report on the vulnerabilities, but that report is behind a customer registration wall.

Thursday, May 21, 2020

2 Advisories Published – 5-21-20


Today the CISA NCCIC-ICS published two control system security advisories for products from Schneider Electric and Johnson Controls.

Schneider Advisory


This advisory describes five vulnerabilities in the Schneider EcoStruxure Operator Terminal Expert. The vulnerabilities were reported by Sharon Brizinov and Amir Preminger of Claroty Research (via the Zero Day Initiative), Steven Seeley and Chris Anastasio of Incite Team (via ZDI), and Fredrik Østrem, Emil Sandstø, and Cim Stordal of Cognite. Schneider has an update that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• SQL Injection - CVE-2020-7493,
• Path traversal (3) - CVE-2020-7494, CVE-2020-7495 and CVE-2020-7497, and
• Argument injection - CVE-2020-7496

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could use publicly available code to exploit the vulnerabilities to allow unauthorized write access or remote code execution.

NOTE: I briefly discussed these vulnerabilities last Saturday.

Johnson Controls Advisory


This advisory describes a cleartext storage of sensitive information vulnerability in Sensormatic Electronics (subsidiary of Johnson Controls) video management systems. The vulnerability is self-reported. Johnson Controls has new versions that mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to access credentials used for access to the application.

CISA Updates CFATS Landing Page – 5-20-20


Yesterday the Cybersecurity and Infrastructure Security Agency (CISA) updated the Chemical Facility Anti-Terrorism Standards (CFATS) landing page. No substantive changes were made, but some interesting language changes may provide some insight into the program.

Changes were made in two specific areas of the page, the opening paragraph and the ‘CFATS Overview’ section.

The opening description of the program now reads:

“CFATS is the nation’s first regulatory program focused specifically on security at high-risk chemical facilities. Managed by the Cybersecurity and Infrastructure Security Agency (CISA), the CFATS program identifies and regulates high-risk facilities to ensure they have security measures in place to reduce the risk that certain hazardous chemicals are weaponized by terrorists.”

The final sentence of that paragraph used to read: “The Cybersecurity and Infrastructure Security Agency (CISA) manages the CFATS program by working with facilities to ensure they have security measures in place to reduce the risks associated with certain hazardous chemicals and prevent them from being [emphasis added] weaponized by terrorists.”

I think that CISA is trying to emphasize to certain House Democrats that the CFATS program is an anti-terrorism program, not a chemical safety program. One of the problems holding up the reauthorization of this program (and it has been an ongoing problem with Congress since before the program was established) is that many Democrats see the CFATS program as a way to address chemical safety issues that the EPA and OSHA have not addressed. These include such things as emergency response planning, hazard communication with local neighbors, and reducing the use of hazardous chemicals. While the CFATS program does lightly (and legitimately) touch on these issues, it should not be the primary route for regulation in these areas.

The final change is an even more subtle change to the middle sentence in the ‘CFATS Overview’ section of the page:

“These facilities must report their chemical holdings chemicals to CISA via an online survey, known as a Top-Screen”

I believe that CISA is trying to ensure that potentially regulated facilities know that CISA understands the frequently transient nature of chemical inventories at many chemical facilities, especially in the specialty chemical manufacturing sector. Even though the DHS chemicals of interest (COI) may only be on site for relatively short periods of time (frequently just long enough for them to be consumed in the manufacture of some other, non-regulated chemical or object), the CFATS program requires notification to CISA. CISA expects facilities with such transient COI inventories to have security measures in place while they are present at the facility and site security plans need to reflect that.

Neither of these issues is new, and CISA and its predecessor organization have made these ideas clear to the regulated community in a number of forums over the years. This is just a part of the ongoing effort at the Agency to ensure mission clarity. Fortunately, with CISA returning to including change dates on their web pages (for the CFATS program at least), our attention is called to these relatively minor changes on the web site. Without those date markings, few would have ever noticed the changes.

Wednesday, May 20, 2020

PHMSA Withdraws Vapor Pressure Rule


The DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) published a notice in today’s Federal Register (85 FR 30673-30680) withdrawing their advanced notice of proposed rulemaking (ANPRM) on “Vapor Pressure of Unrefined Petroleum Products and Class 3 Materials”. That rulemaking was published in January of 2017.

According to the notice summary, based upon test results obtained by Sandia Laboratories:

“PHMSA is providing notice of its determination that the establishment of vapor pressure limits would not improve the safety of rail transportation of crude oil. Therefore, PHMSA is no longer considering vapor pressure limits for the transportation of crude oil by rail or any other mode. Furthermore, PHMSA is also providing notice that, after considering comments received to the ANPRM, it is no longer considering imposing vapor pressure standards for other unrefined petroleum-based products and Class 3 flammable liquid hazardous materials by any mode.”

Federal Preemption


The notice also includes a discussion of PHMSA’s observations about how this withdrawal would affect State and local attempts to regulate the transportation of crude oil based upon the vapor pressure of that material. The notice begins that discussion by stating:

“PHMSA, in issuing this withdrawal, has affirmatively determined that a national vapor pressure limit for unrefined petroleum-based products is not necessary or appropriate. As explained further below, PHMSA believes that Federal law likely preempts any non-Federal law that attempts to set a vapor pressure limit for these materials.”

PHMSA concludes that discussion by stating:

“A person directly affected by a non-Federal requirement may apply to PHMSA for a determination that the requirement is preempted by 49 U.S.C. 5125. See 49 U.S.C. 5125(d); 49 CFR 107.203-107.213. PHMSA is currently considering a preemption application filed by North Dakota and Montana with respect to Washington's vapor pressure limit, and will consider any application filed with respect to other non-Federal vapor pressure limits.”

In fact, PHMSA has already published their response to the North Dakota and Montana preemption application in last Friday’s Federal Register (85 FR 29511-29528). Unsurprisingly, PHMSA determined that the Washington State rules were preempted by the existing lack of vapor pressure standards in the Hazardous Materials Regulations. Both notices were signed on May 11th, 2019, but the publication review process apparently took longer on this notice.

Commentary


I think that PHMSA erred in the way they looked at the Sandia Labs test results. As I mentioned in my earlier post on those test results, those tests just looked at the comparative effects of a fire resulting from releases of crude oil with various vapor pressures. Any chemist or fire scientist could have easily predicted the results of those tests; a similar mass of linear hydrocarbons will generate the same amount of heat energy when burned. The fireball tests were equally uninformative because of the extremely high pressure the material was subjected to before the gases were released to the atmosphere.

The testing methodology did nothing to evaluate the effect of vapor pressure on the likelihood of a vapor release during a derailment. Determining the temperature at which a crude oil sample reached a vapor pressure of 32 psig (the pressure relief setting for railcars carrying flammable materials) would provide some measure of predictive value of a vapor release (and probable fireball result) for a given material. In a complex mixture of hydrocarbons like crude oil, that might provide important hazard classification information for regulators. Whether or not that was regulatorily feasible would depend on what transportation safety mitigation factors could be applied to materials with a relatively low temperature to achieve 32 psig.

If President Trump loses the election this November, I would suspect that a Biden controlled PHMSA might revisit this rulemaking.


Tuesday, May 19, 2020

2 Advisories Published – 5-19-20


Today the CISA NCCIC-ICS published two control system security advisories for products from Rockwell Automation and Emerson.

Rockwell Advisory


This advisory describes two vulnerabilities in the Rockwell EDS Subsystem. The vulnerabilities were reported by Sharon Brizinov and Amir Preminger (VP Research) of Claroty. Rockwell has a patch available to mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Improper restriction of operations within the bounds of a memory buffer - CVE-2020-12038, and
• SQL injection - CVE-2020-12034

NCCIC-ICS reported that a relatively low-skilled attacker on an adjacent network could exploit the vulnerabilities to cause a denial-of-service condition.

Emerson Advisory


This advisory describes three vulnerabilities in the Emerson OpenEnterprise SCADA Software. The vulnerabilities were reported by Roman Lozko of Kaspersky. Emerson has an upgrade that mitigates the vulnerabilities. There is no indication that Lozko has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Missing authentication for critical function - CVE-2020-10640,
• Improper ownership management - CVE-2020-10632, and
• Inadequate encryption strength - CVE-2020-10636

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker access to OpenEnterprise configuration services or access passwords for OpenEnterprise user accounts.

GAO CFATS Cybersecurity Report – Outdated Guidance


Last week the Government Accountability Office published their latest report on the Chemical Facility Anti-Terrorism Standards (CFATS) program. This report specifically addresses the cybersecurity component of the CFATS program. It provides six recommendations to address cybersecurity guidance for covered facilities and cybersecurity training for chemical security inspectors (CSI).

The Recommendations


The GAO report recommended (and DHS concurred) that DHS should:

• Implement a documented process for reviewing and, if deemed necessary, revising its guidance for implementing cybersecurity measures at regularly defined intervals.
• Incorporate measures to assess the contribution that its cybersecurity training is making to program goals, such as inspector- or program-specific performance improvement goals.
• Track delivery and performance data for its cybersecurity training, such as the completion of courses, webinars, and refresher trainings.
• Develop a plan to evaluate the effectiveness of its cybersecurity training, such as collecting and analyzing course evaluation forms.
• Develop a workforce plan that addresses the program’s cybersecurity related needs, which should include an analysis of any gaps in the program’s capacity and capability to perform its cybersecurity-related functions, and human capital strategies to address them.
• Maintain reliable, readily available information about the cyber integration levels of covered chemical facilities and inspector cybersecurity expertise. This could include updating the program’s inspection database system to better track facilities’ cyber integration levels.

Cybersecurity Guidance


The main complaint the GAO had with the cybersecurity guidance provided by the Cybersecurity and Infrastructure Security Agency’s (CISA) Infrastructure Security Compliance Division (ISCD) is that it is over ten years old. That guidance is found in the CFATS Risk Based Performance Standards (RBPS) Guidance document that was published in May 2009. Cybersecurity is addressed in RBPS number 8. The seven pages of ‘guidance’ are a broadly written overview of general cybersecurity provisions that might be appropriate to a high-risk chemical facility. It includes paragraphs addressing various topics in the areas of:

Security Policy,
Access Control,
Personnel Security,
Awareness and Training,
Cyber Security Controls, Monitoring, Response, and Reporting,
Disaster Recovery and Business Continuity,
System Development and Acquisition,
Configuration Management, and
Audits.

The RBPS Guidance then goes on to discuss (similarly briefly) security considerations associated with:

Potential Off-site Aspect of Cyber Security,
Interconnectivity of Critical and Seemingly Non-Critical Systems,
Impact of Risk Drivers,
Physical Security for Cyber Assets, and
Layered Security.

Finally, the RBPS Guidance cybersecurity section provides a series of metrics that ISCD would use in assessing whether or not a facility’s site security plan adequately addresses the cyber RBPS. Those metrics are keyed to the risk rating of each facility; generally speaking, higher risk facilities have to take more actions to protect the facility from potential terrorist cyber threats. The threat metrics address:

Cyber Security Policies,
Access Control,
Personnel Security,
Awareness and Training,
Cyber Security Controls, Monitoring, Response, and Reporting,
Disaster Recovery and Business Continuity,
System Development and Acquisition,
Configuration Management, and
Audits.

Guidance Problems


Beyond the age of the document, the biggest problem with the RBPS Guidance was not addressed by the GAO report and that is that the writers had to be careful not to be ‘too prescriptive’ in their discussions about security issues. I discussed this problem in some depth when the document was published, but in short DHS was dealing with a congressional restriction on providing any sort of one-size-fits-all facilities regulation. In my opinion, they bent over backwards in the RBPS Guidance document to avoid any sort of appearance of dictating security measures and the document is weak as a result.

Proposals for Additional Guidance


While the issues discussed in the RBPS Guidance are still appropriate cybersecurity considerations, they fail to address any of the emerging cybersecurity threats that face high-risk chemical facilities. An updated discussion would have to include discussions about:

Phishing,
Ransomware,
Advanced persistent threats,
Security Operations Centers,
Patching and vulnerability risk assessments, and
Vulnerability reporting.

An additional topic for inclusion would be the ISCD’s cybersecurity integration level program. This is an internal ISCD assessment of the level of integration of cyber systems into the protection and utilization of chemicals of interest. This program was described on pages 15-17 of the GAO report. ISCD uses this assessment to assign CSI with varying levels of cybersecurity expertise to the appropriate facilities. In many ways this integration assessment would make more sense than just risk levels in determining which sorts of cybersecurity controls should be in place for facilities.

Problems with Changes


ISCD has a long history of being very responsive to industry concerns with the CFATS program. They have to be to ensure continued congressional support for the program. That support, in turn, is necessary because of the continued short-term reauthorization process for the program. This does cause some problems for the CFATS program.

ISCD would almost certainly have to go through the comment and response process that it used in the original publication of the RBPS Guidance in any revision of the document. Industry would be leery of any substantive changes to that document that might cause facilities to change their existing security procedures. This has almost certainly been one of the reasons why ISCD has been reluctant to undertake a review and update of that document. On the flip side, of course, if no changes in security programs would be required, why should ISCD take the effort to update the document?

Congress needs to provide cover to ISCD in this matter. As part of the impending CFATS reauthorization, Congress should include a mandate for review and update of the RBPS Guidance. To avoid additional wrangling over what to include in the bill, specifics on what to include in the update should not be provided by Congress. That should be left to the review process. Congress should, however, require ISCD to include examples of what sorts of controls could be included in a site security plan to meet the metrics provided in the Guidance.

Monday, May 18, 2020

Committee Hearings – Week of 5-17-20


This week with the Senate in Washington and the House continuing to meet in pro forma sessions there are relatively few hearings scheduled. There is one markup hearing that addresses cybersecurity.

Cybersecurity Markup


The Senate Commerce, Science, and Transportation Committee will hold an executive session on Wednesday that will include markups of ten bills and 17 nominations. One of the bills, S 3712, the Cybersecurity Competitions to Yield Better Efforts to Research the Latest Exceptionally Advanced Problems (CYBER LEAP) Act of 2020, addresses cybersecurity concerns.

The official copy of the bill has yet to be published, but the Hearing website contains a link to a committee print of the bill. The bill would direct the Commerce Department to establish at least five separate “national cybersecurity grand challenges”. None of the listed challenges would address control system security issues.

Related Issues


There is one other bill being considered at the same hearing that may be of interest; S 2904, the Identifying Outputs of Generative Adversarial Networks Act. While a main focus of the bill is to direct NIST to conduct and support “research on technical tools for identifying manipulated or synthesized content” {§3(2)}, there is also similar directed interest in generative adversarial networks. The ‘adversarial networks’ would consist of competing artificial intelligence networks that would alternatively generate and detect “increasingly higher-quality artificial outputs” {§6}.

The idea of competing networks certainly seems to be an interesting way of advancing capabilities. There is an important ethical problem here though. The production of advanced networks to identify ‘manipulated or synthesized content’ would certainly be an increasingly important forensic tool, but the simultaneous improvement of manipulation and content synthesis capability will just make the problem more intractable. Even if the legislation required the generation tool research to be classified (which the bill does not even attempt to address), the recent escape of NSA hacking tools points out that security classification only provides limited protection of potential attack tools.

I do not think that I will be providing any additional coverage of S 2904.

Saturday, May 16, 2020

Public ICS Disclosures – Week of 5-9-20


This week we have five vendor disclosures for products from Schneider (4) and Rockwell as well as six vendor updates from Schneider (5) and Siemens. We also have two researcher reports of vulnerabilities in products from Advantech.

Schneider Advisories


Schneider published an advisory describing a weak password requirement vulnerability in their Pro-face GP-Pro EX Programming Software product. The vulnerability was reported by Kirill Kruglov of Kaspersky Labs. Schneider has a new version that mitigates the vulnerability. There is no indication that Kruglov has been provided an opportunity to verify the efficacy of the fix.


Schneider published an advisory describing a use of hard-coded credentials vulnerability in their Vijeo Designer Basic and Vijeo Designer software products. The vulnerability was reported by Jie Chen of NSFOCUS. Schneider has a HotFix available to mitigate the vulnerability. There is no indication that Jie has been provided an opportunity to verify the efficacy of the fix.


Schneider published an advisory describing two vulnerabilities in their U.motion servers and touch panel products. The vulnerabilities were reported by Rgod and Zhu Jiaqi. Schneider has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Improper access control - CVE-2020-7499, and
• SQL injection - CVE-2020-7500


Schneider published an advisory describing five vulnerabilities in their EcoStruxure™ Operator Terminal Expert product. The vulnerabilities were reported by Steven Seeley and Chris Anastasio of Incite Team, Sharon Brizinov and Amir Preminger of Claroty Research via the Zero Day Initiative (see here, here, and here), and Fredrik Østrem, Emil Sandstø, and Cim Stordal of Cognite. Schneider has a new version that mitigates four of the five vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• SQL command injection - CVE-2020-7493,
• Path traversal (3) - CVE-2020-7494, CVE-2020-7495, and CVE-2020-7497, and
• Argument injection or modification - CVE-2020-7496

Rockwell Advisory


Rockwell published an advisory describing five vulnerabilities in multiple Rockwell Automation software products. These are third-party vulnerabilities from OSIsoft components used in the Rockwell products. These vulnerabilities are self-identified. Rockwell provides workarounds to mitigate the vulnerabilities.

The five reported vulnerabilities are:

• Local privilege escalation via uncontrolled search path element - CVE-2020-10610,
• Local privilege escalation via improper verification of cryptographic key - CVE-2020-10608,
• Local privilege escalation via incorrect default permissions - CVE-2020-10606,
• Null pointer dereference - CVE-2020-10600, and
• Use of out-of-range pointer offset may lead to remote code execution - CVE-2020-10645

NOTE: These are five of the ten vulnerabilities in the OSIsoft PI System that were reported by NCCIC-ICS earlier this week. The fact that this Rockwell Advisory was published on the same day as the NCCIC-ICS advisory indicates that there was pre-disclosure coordination between OSIsoft and Rockwell, good show.

Advantech Advisories


The Zero Day Initiative published advisories (see links below) describing two vulnerabilities in Advantech WebAccess Node. ZDI published the two advisories as 0-day notifications under their 120-day response rule. NCCIC-ICS was reportedly involved in the coordination of these vulnerabilities. The vulnerabilities were reported by Z0mb1E.

The two reported vulnerabilities are:

• DATACORE Stack-based Buffer Overflow Remote Code Execution Vulnerability - ZDI-20-654, and
• Incorrect Permission Assignment Privilege Escalation Vulnerability - ZDI-20-655

Schneider Updates


Schneider published an update for the Urgent/11 advisory that was originally published on August 11th, 2019 and most recently updated on April 14th, 2020. The new information includes updated mitigation information for:

• Modicon Network Option Switch,
• Modicon X80 - I/O Drop Adapters,
• Modicon Quantum 140 CRA,
• Modicon Quantum Head 140 CRP,
• Modicon Quantum Ethernet DIO network module - 140NOC78x00 (C),
• SCD6000 Industrial RTU, and
• Pro-face HMI - GP4000H/R/E Series


Schneider published an update for their Andover Continuum System advisory that was originally published on March 10th, 2020 and most recently updated on April 14th, 2020. The new information includes minor updates to overview, vulnerability details, and product information for clarification.


Schneider published an update for their Embedded Web Servers for Modicon advisory that was originally published in November 2018 and most recently updated November 27th, 2019. The new information includes a corrected CVSS vector for CVE-2018-7812.


Schneider published an update for their Modicon Controllers advisory that was originally published on May 14th, 2019 and most recently updated on December 10th, 2019. The new information includes updated fix version information for CVE-2018-7857.


Schneider published an update for their Legacy Triconex advisory that was originally published on April 14th, 2020. Unfortunately, the link on the Schneider web site takes one to the original version of the advisory.

Siemens Update


Siemens published an update for their GNU/Linux advisory that was originally published on November 27th, 2018 and most recently updated on April 14th, 2020. The new information includes the addition of the following CVEs:

• CVE-2019-9674,
• CVE-2019-18348,
• CVE-2019-20636,
• CVE-2020-8492,
• CVE-2020-11565,
• CVE-2020-11655, and
• CVE-2020-11656

Thursday, May 14, 2020

2 Advisories and 1 Update Published – 5-14-20


Today the CISA NCCIC-ICS published two control system security advisories for products from Emerson and Opto 22. They also updated a previously issued advisory for products from 3S.

Emerson Advisory


This advisory describes an improper access control vulnerability in the Emerson WirelessHART Gateways. The vulnerability is self-reported. Emerson has updated firmware that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to disable the internal gateway firewall. Once the gateway's firewall is disabled, a malicious user could issue specific commands to the gateway, which could then be forwarded on to the end user's wireless devices.

Opto 22 Advisory


This advisory describes five vulnerabilities in the Opto 22 SoftPAC Project virtual PLC. The vulnerabilities were reported by Mashav Sapir of Claroty. Opto 22 has a new version that mitigates the vulnerabilities. There is no indication that Sapir was provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• External control of file name or path - CVE-2020-12042,
• Improper verification of cryptographic signature - CVE-2020-12046,
• Improper access control - CVE-2020-10612,
• Uncontrolled search path element - CVE-2020-10616, and
• Improper authorization - CVE-2020-10620

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow arbitrary file write access with system access, start or stop service, allow remote code execution, and limit system availability.

3S Update


This update provides additional information on an advisory that was originally published on August 1st, 2019. The new information includes a link to a new version that mitigates the vulnerability. The publication of the new version was originally projected for February 2020.

Verifying Fixes


I got some interesting feedback on a phrase in yesterday’s post about advisories from NCCIC-ICS; in particular the common sentence in too many of my responses: “There is no indication that Knowles [substitute the name of the current security researcher reporting the vulnerability] has been provided an opportunity to verify the efficacy of the fix.”

First, I got a TWITTER® DM from a long-time reader associated with OSIsoft, the subject of one of the advisories discussed yesterday. That DM informed me that while NCCIC-ICS did not routinely comment on researcher verification efforts, the OSIsoft advisory did include such language in this instance. Unfortunately, I cannot see that advisory since it is behind a customer-only firewall. In any case, it seems (see below) that OSIsoft was actively involved in allowing researcher verification of the fix reported in this instance and they are to be commended for that.

This in turn led to a series of emails from folks at Applied Risk, the company reporting the OSIsoft vulnerabilities. They confirmed that OSIsoft had actively worked with them to allow verification of the fixes announced in Tuesday’s advisory. In fact, according to William Knowles, the researcher involved in the situation, OSIsoft went so far as to provide a temporary license for the software to help Applied Risk in their evaluation.

Knowles went on to say:

“Verification of fixes is of course always a good thing, but it really depends on whether software access is still available. As you’ll know, getting access to this software isn’t always easy (expensive price tags, no trials, etc), and initial exposure often comes through consultancy work in third party environments. That access is often very transient. At that point it all depends on the institutional openness and willingness of the vendor, and furthermore, who you’re even dealing with at the vendor on an individual level, and if they have the capability of dishing out temporary licenses and links to software downloads. That isn’t always easy; however, in the case of OSIsoft it was, as the process was encouraged from their side.”

We have seen a number of instances where ‘fixed’ vulnerabilities had to be re-fixed at a later date when it was determined that the vulnerability still existed. I noted yesterday that the 3S update published by NCCIC-ICS was apparently one of those situations. If more researchers were involved in fix verification, this problem would be greatly reduced. For the vendors involved it would also demonstrate their commitment to work with the independent researcher community in identifying and fixing security vulnerabilities.

I will continue to call out vendors when they do not support researchers in this manner. And, of course, I will give credit when it is due.

Bills Introduced – 05-13-20


Yesterday, with the Senate in Washington and the House meeting in an unusual Wednesday pro forma session, there were 47 bills introduced. Of these, two may receive additional attention in this blog:

H Res 965 Authorizing remote voting by proxy in the House of Representatives and providing for official remote committee proceedings during a public health emergency due to a novel coronavirus, and for other purposes. Rep. McGovern, James P. [D-MA-2]

S 3712 A bill to require the Secretary of Commerce to establish national cybersecurity grand challenges, and for other purposes. Sen. Wicker, Roger F. [R-MS]

The remote operations resolution would temporarily change the rules of the House to allow for proxy voting on the floor of the House and remote operations of Committee hearings. There is no cybersecurity language in the bill with regards to the remote hearing provisions, even given the rise of the new terminology ‘Zoom Bombing’. The House Rules Committee is currently scheduled to hold a live markup hearing on this bill later today.

I will be watching S 3712 for language specifically including control system security competitions.


Wednesday, May 13, 2020

Bills Introduced – 5-12-20


Yesterday, with the Senate in town and the House meeting in pro forma session, there were 72 bills introduced. One of those bills will receive future coverage in this blog:

S 3688 A bill to amend the Federal Power Act to authorize the Federal Energy Regulatory Commission and the Secretary of Energy to offer assistance in securing the assets of the owners and operators of energy infrastructure against threats and increasing the security of the electric grid, and for other purposes. Sen. Murkowski, Lisa [R-AK]

I suspect that this bill may be an attempt to achieve at least a portion of what S 2657 was attempting to do in the area of grid security. That comprehensive energy security bill died on the floor of the Senate.

2 Advisories and 7 Updates Published


Yesterday the CISA NCCIC-ICS published two control system security advisories for products from OSIsoft and Eaton. They also updated previously published advisories for products from 3S, Interpeak, and Siemens (5).

OSIsoft Advisory


This advisory describes ten vulnerabilities in the OSIsoft PI System. The vulnerabilities were reported by William Knowles at Applied Risk. OSIsoft provides workarounds to mitigate the vulnerabilities. There is no indication that Knowles has been provided an opportunity to verify the efficacy of the fix. Applied Risk has verified that Knowles was provided an opportunity to verify the efficacy of the fix (see https://chemical-facility-security-news.blogspot.com/2020/05/verifying-fixes.html) [5-14-20 8:00 EDT]

The ten reported vulnerabilities are:

• Uncontrolled search path element - CVE-2020-10610,
• Improper verification of cryptographic key - CVE-2020-10608,
• Incorrect default permissions - CVE-2020-10606,
• Uncaught exception - CVE-2020-10604,
• Null pointer dereference (2) - CVE-2020-10602 and CVE-2020-10600,
• Improper input validation - CVE-2019-10768,
• Cross-site scripting (2) - CVE-2020-10600 and CVE-2020-10614, and
• Insertion of sensitive information into log file - CVE-2019-18244

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to access unauthorized information, delete or modify local processes, and crash the affected device.

Eaton Advisory


This advisory describes two vulnerabilities in the Eaton Intelligent Power Manager software monitoring and management platform. The vulnerabilities were reported by Sivathmican Sivakumaran of Trend Micro’s Zero Day Initiative. Eaton has a new version that mitigates the vulnerabilities. There is no indication that Sivakumaran has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Improper input validation - CVE-2020-6651, and
• Incorrect privilege assignment - CVE-2020-6652

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to perform command injection or code execution and allow non-administrator users to manipulate the system configurations.

3S Update


This update provides additional information for an advisory that was originally reported on September 12th, 2019. The new information includes a link to an even newer version that more completely mitigates the vulnerability.

NOTE: This is part of the reason that I advocate for the researchers that discovered the vulnerability being provided a specific opportunity to verify the efficacy of the reported fix.

Interpeak Update


This update provides additional information for the Urgent/11 advisory that was originally published on October 1st, 2019 and most recently updated on February 18th, 2020. The new information includes a link to the new Siemens Power Meters advisory that was published today.

SIPROTEC Update


This update provides additional information for an advisory that was originally published on July 9th, 2019 and most recently updated on December 10th, 2019. The new information includes affected version numbers and mitigation links for SIPROTEC 5 device types 7SS85 and 7KE85.

SINAMICS Update


This update provides additional information for an advisory that was originally published on August 15th, 2019 and most recently updated on December 10th, 2019. The new information includes affected version numbers and mitigation links for SINAMICS SL150 V4.8.

SIMATIC Update


This update provides additional information for an advisory that was originally published on February 11th, 2020 and most recently updated on April 14th, 2020. The new information includes affected version numbers and mitigation links for SIMATIC NET PC Software.

KTK Update


This update provides additional information for an advisory that was originally published on April 14th, 2020. The new information includes the addition of the SIMATIC S7-400 H V6 CPU family to the list of affected products.

RUGGEDCOM Update


This update provides additional information for an advisory that was originally published on April 14th, 2020. The new information includes the removal of IE/PB-Link V3 from the list of affected products.

Other Advisories


Siemens published one additional update that was not covered by NCCIC-ICS yesterday. I will address that on Saturday.

Schneider has also joined the 2nd Tuesday patch club. They published 3 new advisories and 4 updates that I will also address on Saturday.

Monday, May 11, 2020

PHMSA Harmonization Rule – SADT-SAPT Provisions


Yesterday I noted that the provisions of the new PHMSA harmonization rule for 49 CFR 173.21(f) would not take effect until January 2, 2023. In a limited sense, this is true, but the reality is much more complicated.

Background


There was no mention of §173.21(f) in the notice of proposed rulemaking (NPRM) for this rule.

The last change to that section was made by the previous harmonization rule that was finalized on March 30th, 2017. That change set the ‘forbidden temperature’ for both self-accelerating decomposition reactions and self-accelerating polymerization reactions at less than or equal to 50 °C. Earlier versions had set the ‘forbidden temperature’ for polymerization reactions at less than or equal to 54 °C.

That change was made to make the Hazardous Material Regulation (HMR) “consistent with existing requirements for Division 4.1 (self-reactive) and Division 5.2 (Organic peroxide) hazardous materials, as well as the 19th Revised Edition of UN Model Regulations for the transport of polymerizing substances in packages and IBCs, which requires temperature control in transport if the SAPT is 45 °C (113 °F) only for polymerizing substances offered for transport in portable tanks.”

Because PHMSA was continuing to conduct investigations to justify that harmonization change, they included an ‘expiration’ of that change set at January 2nd, 2019. The reversion to the pre-2017 language was automatically reflected in the ‘current’ version of 49 CFR.

Extend the Expiration


Today’s final rule actually makes two changes to §173.21(f). First, the rule re-instates the language from the earlier rule that had subsequently expired, again harmonizing the HMR with international standards. But, PHMSA’s research is still on-going, so today’s rule also includes provisions re-instating the ‘old’ (as of today) language on January 2nd, 2023.

Commentary


If this sounds a tad bit complicated, it is because it is complicated. This is the type of problem that PHMSA frequently runs across in its efforts to keep the HMR harmonized with a variety of different international rules and standards. The international regulatory community makes every effort to keep their rules consistent, but the consensus based regulatory process ensures that a slightly different set of considerations will control the language that is adopted each time a change is made. This means that differences are certain to creep into the regulatory documents of the various entities involved.

Committee Meetings – Week of 5-10-20


With just the Senate in town this week (the House may return next week) there are only twelve hearings scheduled (one House COVID-19 hearing) with COVID-19 or nominations being the focus of all but one of those hearings. The one odd-ball hearing is on cybersecurity.

Solarium Commission Hearing


On Wednesday the Senate Homeland Security and Governmental Affairs Committee will hold a video conference on “Evolving the U.S. Cybersecurity Strategy and Posture: Reviewing the Cyberspace Solarium Commission Report”. All four witnesses are members of the Solarium Commission:

• Angus S. King, Jr., Co-Chair;
• Mike Gallagher, Co-Chair;
• Suzanne E. Spaulding; and
• Thomas A. Fanning

There are currently no instructions on the hearing web site on how the public may view the video conference.

The Cyberspace Solarium Commission released their report back in March, but it has been eclipsed by the whole COVID-19 mess. It will be interesting to see how the HSGAC reacts to the recommendations made in this hearing.

Sunday, May 10, 2020

PHMSA Publishes Harmonization Final Rule – 5-10-20

PHMSA is publishing their latest final rule on harmonizing the Hazardous Material Regulations with various international standards and rules. The rule is being published in Monday’s Federal Register (85 FR 27810-27901) which was available yesterday. The notice of proposed rulemaking (NPRM) for this action was published in November 2018.

This is a lengthy, technical and complicated rulemaking. Trying to summarize this rule in a single blog post (or even a couple of blog posts) is not worth the effort. Anyone shipping hazardous materials is going to have to dig into this document to see if any of the changes being made will affect their operations.

I will mention that there are a wide variety of changes being made to the Hazardous Material Table (49 CFR 172.101). These include:

• New entries (mainly new ‘N.O.S’ entries),
• Amendments to Column (2) Hazardous Materials Descriptions and Proper Shipping Names,
• Amendments to Column (5) Packing Group,
• Amendments to Column (7) Special Provisions (2 pages worth of changes),
• Amendments to Column (10) Vessel Stowage Requirements (even more extensive), and
• Appendix B to § 172.101—List of Marine Pollutants

This final rule is effective May 11th, 2020 except for the changes to 49 CFR 173.21(f) [corrected section number, 5-11-20 08:50 EDT] which take effect on January 2nd, 2023.

Saturday, May 9, 2020

CISA Postpones 2020 CSSS


The Cybersecurity and Infrastructure Security Agency (CISA) announced this week that it was postponing the 2020 Chemical Sector Security Summit (CSSS) that had been planned to be held in Atlanta, GA this July. Not surprisingly, concerns around the COVID-19 pandemic are behind this action.

An alternate (almost certainly an on-line) event is being considered.

Public ICS Disclosure – Week of 5-2-20


This week we have one vendor disclosure from 3S and one researcher report for products also from 3S. I also look at a series of Zero Day Initiative reports on the Advantech vulnerabilities that were reported by NCCIC-ICS earlier this week.

3S Advisories


3S published an advisory [.PDF download link] describing a privilege escalation vulnerability in their CODESYS visualization application. The vulnerability is self-reported. 3S has a new version that mitigates the vulnerability.

Talos published a report describing an insufficient verification of data authenticity vulnerability in the 3S Control SoftPLC runtime system. Talos reports that this is a coordinated disclosure, but there is currently no advisory for this vulnerability on the 3S Security Advisory list. The Talos report includes proof-of-concept exploit code.

Advantech Advisories


Earlier this week NCCIC-ICS published an advisory that reported eight vulnerabilities in the Advantech WebAccess Node. All of those vulnerabilities were reported to NCCIC-ICS by Natnael Samson and Z0mb1E via the Zero Day Initiative. Later this week ZDI published their supporting reports. ZDI published multiple reports for the two buffer-overflow vulnerabilities that NCCIC-ICS reported under single CVE numbers: CVE-2020-12002 and CVE-2020-10638. For both CVEs, NCCIC-ICS reported that there were ‘multiple’ individual vulnerabilities.

For the Stack-based buffer overflows, CVE-2020-12002, ZDI reports the following individual vulnerabilities:

• DATACORE IOCTL 0x00005241 Stack-based Buffer Overflow Remote Code Execution Vulnerability,
• DATACORE IOCTL 0x0000791e Directory Traversal Remote Code Execution Vulnerability,
• DATACORE IOCTL 0x00005227 Stack-based Buffer Overflow Remote Code Execution Vulnerability,
• BacNetDrvJ Stack-based Buffer Overflow Remote Code Execution Vulnerability,
• GpsET200 Stack-based Buffer Overflow Remote Code Execution Vulnerability,
• OPCUA Stack-based Buffer Overflow Remote Code Execution Vulnerability,
• SyntecUA Stack-based Buffer Overflow Remote Code Execution Vulnerability,
• BwBacNetJ Stack-based Buffer Overflow Remote Code Execution Vulnerability, and
• BwBacNetJ Stack-based Buffer Overflow Remote Code Execution Vulnerability

For the Heap-based buffer overflows, CVE-2020-10638, ZDI reports the following individual vulnerabilities:

• DATACORE IOCTL 0x0000791c Heap-based Buffer Overflow Remote Code Execution Vulnerability,
• DATACORE IOCTL 0x0000791e Integer Overflow Remote Code Execution Vulnerability,
• DrawSrv IOCTL 0x00002723 Heap-based Buffer Overflow Remote Code Execution Vulnerability,
• BwWebSvc IOCTL 0x00013c77 Heap-based Buffer Overflow Remote Code Execution Vulnerability,
• BwTCPIP Heap-based Buffer Overflow Remote Code Execution Vulnerability, and
• ViewSrv IOCTL 0x00002723 Heap-based Buffer Overflow Remote Code Execution Vulnerability

ZDI also published advisories for the same product that were not covered by any of the CVEs listed in the NCCIC-ICS advisory. They include:

• IOCTL 0x2711 bwscrp Stack-based Buffer Overflow Remote Code Execution Vulnerability,
• DATACORE IOCTL 0x5217 Heap-based Buffer Overflow Remote Code Execution Vulnerability,
• DATACORE IOCTL 0x5218 Heap-based Buffer Overflow Remote Code Execution Vulnerability,
• DATACORE IOCTL 0x521B Heap-based Buffer Overflow Remote Code Execution Vulnerability,
• DATACORE IOCTL 0x520B Heap-based Buffer Overflow Remote Code Execution Vulnerability,
• DATACORE IOCTL 0x5213 Heap-based Buffer Overflow Remote Code Execution Vulnerability,
• DATACORE IOCTL 0x5208 Heap-based Buffer Overflow Remote Code Execution Vulnerability,
• DATACORE IOCTL 0x5209 Heap-based Buffer Overflow Remote Code Execution Vulnerability, and
• DATACORE IOCTL 0x520B Heap-based Buffer Overflow Remote Code Execution Vulnerability

With the listing of the individual affected file names it looks like some of the vulnerabilities may be from third-party vendor supplied files.
