Tuesday, June 30, 2020

2 Advisories and 2 Updates Published – 6-30-20


Today the CISA NCCIC-ICS published two control system security advisories for products from Mitsubishi Electric and Delta Industrial. They also updated two advisories for products from Treck and Inductive Automation.

Mitsubishi Advisory


This advisory describes two vulnerabilities in the Mitsubishi Factory Automation Engineering Software Products. The vulnerabilities are self-reported. Mitsubishi has new versions that mitigate the vulnerabilities.

The two reported vulnerabilities are:

• Improper restriction of XML external entity reference - CVE-2020-5602, and
• Uncontrolled resource consumption - CVE-2020-5603

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow a local attacker to send files outside of the system as well as cause a denial-of-service condition.

NOTE: NCCIC-ICS did not provide a link to the Mitsubishi advisory.

Delta Advisory


This advisory describes two vulnerabilities in the Delta Industrial Automation DOPSoft HMI editing software. The vulnerabilities were reported by Natnael Samson (@NattiSamson) via the Zero Day Initiative. Delta expects to have a new version to mitigate these vulnerabilities available next month (July).

The two reported vulnerabilities are:

• Out-of-bounds read - CVE-2020-10597, and
• Heap-based buffer overflow - CVE-2020-14482

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to allow an attacker to read/modify information, execute arbitrary code, and/or crash the application.

Treck Update


This update provides new information on an advisory that was originally published on June 16th, 2020 and most recently updated on June 18th, 2020. The new information includes the addition of links to two new affected vendors’ advisories:

• CareStream, and
• Eaton

NOTE: I briefly mentioned the Eaton advisory last Saturday.

Inductive Update


This update provides new information on an advisory that was originally published on May 26th, 2020 and most recently updated on June 2nd, 2020. The new information includes:

• The addition of a new vulnerability – missing authentication for critical function - CVE-2020-14479, and
• A note that it will be corrected in an expected future version update.


NOTE: There is no mention of the two updates listed above on either the CISA Industrial Control Systems landing page or the associated Recently Published page. Fortunately ICS-CERT (ics-cert@ncas.us-cert.gov) sent out email notifications and TWEETS® on the two updates.

Retrospective CFATS Cost Analysis – Other Missing Costs


This is the third post in a series on the recently published “Retrospective Analysis of the 2007 Chemical Facility Anti-Terrorism Standards”. The two earlier posts were:


Missing Cost Identification Methodology


While the analysis is certainly a valuable and commendable effort, CISA is looking for an identification of costs that they may have missed. Using a process similar to the one I used in my analysis of missing cyber costs, I looked at each of the Risk Based Performance Standards in the RBPS Guidance document and identified the ‘security measures’ discussed for each RBPS. I then compared those to the security measures identified in the CISA analysis.

Since I have not implemented any of these security measures in an actual facility, I have no way of estimating their cost. For many of them, CISA would be able to use the same cost estimation methodology that they used in their analysis to identify reasonable cost estimates for the security measures. For security measures like ‘product stewardship’ and ‘inventory controls’, I think that CISA is going to need direct input from affected facilities.

RBPS Missing Costs


RBPS #1 – Restrict area perimeter – extensive data,
    Missing costs: security lighting and protective force

RBPS #2 – Secure site assets – overlap with RBPS #1,
    Missing costs: security lighting and protective force

RBPS #3 – Screen and control access – not specifically addressed,
    Missing costs: personnel identification, hand carried item and vehicle inspections, and parking security

RBPS #4 – Deter, detect and delay – overlap with RBPS #1,
    Missing costs: security lighting and protective force

RBPS #5 – Shipping, receipt and storage – not specifically addressed,
    Missing costs: product stewardship and inventory control

RBPS #6 – Theft or diversion – not specifically addressed,
    Missing costs: inventory controls, procedural measures and physical measures

RBPS #7 – Sabotage – not specifically addressed but some overlap with RBPS #2 and #8,
    Missing costs: covered elsewhere

RBPS #8 – Cyber – not specifically addressed,
    Missing costs: see earlier blog post

RBPS #9 – Response – not specifically addressed,
    Missing costs: emergency plans and processes, emergency response equipment

RBPS #10 – Monitoring – not to be confused with ‘monitoring’ in RBPS #1 and #2 – covered

RBPS #11 – Training – covered

RBPS #12 – Personnel surety – covered

RBPS #13 – Elevated threats – not specifically addressed

RBPS #14 – Specific threats, vulnerabilities or risks – not specifically addressed

RBPS #15 – Reporting of significant security incidents – not specifically addressed

RBPS #16 – Significant security incidents and suspicious activities – not specifically addressed,
    Missing costs: incident investigation

RBPS #17 – Officials and organization – covered,
    Missing costs: cybersecurity officer

RBPS #18 – Records – covered

Public Comments


Once again, I would like to emphasize that CISA is soliciting public comments on this effort. Comments on CISA cost estimates, methodology and missing costs may be submitted via the Federal eRulemaking Portal (www.regulations.gov; Docket #DHS-2014-0016). Comments should be submitted by September 21st, 2019. Note: this is the 2014 CFATS advanced notice of proposed rulemaking docket.

I will be revising the format for the data in this and the earlier cybersecurity cost blog post for my own comment to be submitted.

Bills Introduced – 6-29-20


Yesterday with both the House and Senate in session there were 32 bills introduced. One of those bills will receive additional coverage in this blog:

S 4096 A bill to extend the Chemical Facility Anti-Terrorism Standards Program of the Department of Homeland Security, and for other purposes. Sen. Johnson, Ron [R-WI] 

The current authorization for the CFATS program ends on July 23rd, 2020. The only ‘short term’ extension bill in the Senate (S 3506, extending authorization to July 18th) was bypassed by the extension that was included in HR 748, the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The House passed HR 6160, which would extend the program through October 18th, so I am not sure why the Senate does not just take up that bill. I will have to wait for the Government Printing Office to get around to printing this bill (they are horribly behind on printing introduced bills because of COVID-19) to try to figure out why Johnson introduced it.

Committee Hearings – Week of 6-28-20


This week, with both the House and Senate in Washington, there is a more normal slate of congressional hearings being held. One of interest here is the final markup of HR 6395, the House version of the FY 2021 National Defense Authorization Act (NDAA).

NDAA Markup


On Wednesday the House Armed Services Committee will be marking up HR 6395. Last week subcommittees conducted their markups. The Intelligence and Emerging Threats and Capabilities Subcommittee added some cyber provisions to the bill. We are likely to see additional provisions added in the full committee markup tomorrow.
The Subcommittee language included two cybersecurity provisions that could affect the private sector:

§1627—Assessing Private-Public Collaboration in Cybersecurity
§1628—Cyber Capabilities and Interoperability of the National Guard

Neither of those provisions was as proactive in mandating private sector actions as some of the provisions reported out on S 4049, the Senate version of the NDAA.

ISCD Updates 8 FAQ Responses – 6-29-20


Yesterday the CISA Infrastructure Security Compliance Division (ISCD) updated the responses to eight frequently asked questions (FAQ) on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. These updates were not announced in the ‘Latest News’ section of that page because they were editorial changes designed to reflect changes in program management (CISA branding), to update URLs for page links (see the similar 6-22-20 blog post) and to make the responses more helpful, rather than reflecting changes in ISCD policy.

The updated FAQ’s were:





It looks like ISCD is taking advantage of the relative lack of inspection work by having folks review FAQ responses. Great idea.

Monday, June 29, 2020

HR 4091 Reported in House – ARPA-E Reauthorization


Last week the House Science, Space, and Technology Committee published their report on HR 4091, the ARPA-E Reauthorization Act of 2019. The Committee hearing on this bill was held on October 17th, 2020 where the bill was amended and adopted by a voice vote.

A look at the ‘Cosponsors’ page for this bill on Congress.gov shows exactly how politically successful the changes were that were made by Chair Johnson in the substitute language for the bill. Principally, those changes were a reduction in the large increase in annual spending authorization through 2024. Republicans had objected to the very-large proposed increase and were threatening to withhold support for the bill. The reductions found in the substitute language were significant enough that 24 Republicans have since signed on as cosponsors of the bill.

This new support ensures that this bill could be considered under the suspension of the rules procedure in the House and indicates that there might be enough support in the Senate to have this bill added to the Energy and Water Development and Related Agencies spending bill if/when that is introduced. This bill is not important enough to be considered in the Senate on its own (particularly in a COVID-19 affected election year) and there is still enough Republican opposition to the revised spending increase to ensure that it could not be considered under the Senate’s unanimous consent rule.

Sunday, June 28, 2020

S 4049 Introduced – FY 2021 NDAA


Earlier this week Sen Inhofe (R,OK) introduced S 4049, the National Defense Authorization Act (NDAA) for Fiscal Year 2021. The bill contains many cyber provisions, but most are related to cyber warfare operations. There are seven sections, however, that may have an impact on industrial cybersecurity operations.

The Senate Armed Services Committee has reported the bill, but the written report is not yet available from the Government Printing Office. The Senate has started the process for consideration of this bill with the first cloture vote scheduled for tomorrow.

Cybersecurity Items of Interest


The seven sections of potential interest are (numbers in parentheses are page numbers in the bill):

§590. Pilot programs on remote provision by National Guard to State governments and National Guards of other States of cybersecurity technical assistance in training, preparation, and response to cyber incidents. (pg 361)
§1623. Defense industrial base cybersecurity sensor architecture plan. (pg 881)
§1631. Defense industrial base participation in a cybersecurity threat intelligence sharing program. (pg 905)
§1632. Assessment on defense industrial base cybersecurity threat hunting. (pg 911)
§1635. Expansion of authority for access and information relating to cyber attacks on operationally critical contractors of the Armed Forces. (pg 915)
§1642. Assistance for small manufacturers in the defense industrial supply chain on matters relating to cybersecurity. (pg 927)
§3131. Reporting on penetrations of networks of contractors and subcontractors [of NNSA]. (pg 1044)

Section 590 is almost certainly essentially the same language that we will eventually see in S 3929, which was introduced on June 10th, 2020. That bill has not yet been published by the GPO; continuing problems there due to COVID-19 restrictions. The §590 provisions would require DOD to develop a pilot program to assess and develop National Guard capabilities to conduct remote operations to assist other States and National Guard units “with cybersecurity technical assistance in training, preparation, and response” while remaining within their home State.

The five sections relating to the Defense industrial base (DIB) would increase requirements and authority for DOD to oversee cybersecurity operations within the DIB. The provisions would include:

§1623 – DOD establishment of cybersecurity monitoring requirement and DOD access to the data from that monitoring,
§1631 – Mandatory 2-way information sharing about cybersecurity incidents, including incident reporting to DOD and threat analysis sharing from DOD,
§1632 – Require DOD to assess the need for DOD to conduct continuous threat hunting operations on DIB networks,
§1635 – Would amend 10 USC 391(c) to provide authority for the armed forces to investigate cyber incidents at facilities of ‘operationally critical contractors’, and
§1642 – Would authorize DOD grants to small manufacturers to obtain cybersecurity assistance from centers established under 15 USC 278k(a).

A unifying thread in these five sections is a gradual move from voluntary to mandatory cybersecurity activities in the DIB. A similar move is reflected in §3131 with reference to contractors for the National Nuclear Security Administration (NNSA).

Floor Amendments


The bill was opened for the submission of amendments starting on Wednesday of last week. To date there have been over 500 amendments submitted. Only a small number of these amendments will make their way to the floor of the Senate for actual consideration. Amendments that I will be watching for include (the number in the brackets is the page number in the linked document):

SA 1710. Mr. KING (I,NH) - SEC. XX. Department of Homeland Security Critical Technology Security Centers. [S 3233],
SA 1711. Mr. KING - SEC. XX Cybersecurity Reporting Requirements for Publicly Traded Companies [S 3233],
SA 1711. Mr. KING - SEC. XX Cyber State of Distress [S 3235],
SA 1715. Mr. KING - SEC. XX Bureau of Cyber Statistics [S 3236-7],
SA 1719. Mr. KING - SEC. XX Strengthening Processes for Identifying Critical Infrastructure Cybersecurity Intelligence Needs and Priorities [S 3239-40],
SA 1723. Mr. KING - SEC. XX Assessing Private-Public Collaboration in Cybersecurity [S 3243],
SA 1751. Mr. PETERS (D,MI) - SEC. 1643. Pilot Programs on Remote Provision by National Guard to State Governments and National Guards of Other States of Cybersecurity Technical Assistance in Training, Preparation, and Response to Cyber Incidents [S 3258],
SA 1806. Mr. JOHNSON (R,WI) - SEC. XX Countering Unmanned Aircraft Systems Coordinator [S 3329],
SA 1807. Mr. JOHNSON - SEC. XX Subpoena Authority [S 3329-30],
SA 1814. Mr. RUBIO (R,FL) - SEC. XX Secure and Trusted Technology [S 3333-4],
SA 1815. Mr. RUBIO - DIVISION XX Intelligence Authorizations for Fiscal Year 2021 [S 3335-44],
SA 1816. Mr. RUBIO - DIVISION XX Intelligence Authorizations for Fiscal Year 2021 [S 3344-55],
SA 1827. Mr. WARNER (D,VA) - SEC. XX Secure and Trusted Technology [S 3362-4],
SA 1868. Mr. REED (D,NV) - SEC. XX Cybersecurity Transparency [S 3389],
SA 1892. Mr. PORTMAN (R,OH) - SEC. 240. Element in Annual Reports on Cyber Science And Technology Activities on Work with Academic Consortia to Develop a Strategy to Secure Embedded Hardware in Department of Defense Capabilities [S 3399],
SA 1910. Mr. WARNER - SEC. XX Study on Alternatives and Recommendations for Providing a Cyber Protection Program for the Defense Industrial Base [S 3407],
SA 1911. Mr. WARNER - SEC. XX Policies for Cybersecurity and Resilience for Certain Programs Developing Applications Using Artificial Intelligence or Machine Learning [S 3408],
SA 1917. Ms. HASSAN (D,NH) - SEC. ll. Cybersecurity State Coordinator Act [S 3409],
SA 1936. Mr. PETERS - SEC. 590. Pilot Programs on Remote Provision by National Guard to State Governments and National Guards of Other States of Cybersecurity Technical Assistance in Training, Preparation, and Response to Cyber Incidents [S 3415],
SA 2080. Mr. PORTMAN - SEC. 240. Element in Annual Reports on Cyber Science and Technology Activities on Work with Academic Consortia on High Priority Cybersecurity Research Activities in Department of Defense Capabilities [S 3523],
SA 2094. Mrs. FISCHER (R,NE) - SEC. XX Support and Enhancement of Defense Critical Electric Infrastructure [S 3527],
SA 2098. Mr. PERDUE (R,GA) - SEC. XX Cybersecurity Advisory Committee [S 3528],
SA 2104. Ms. HASSAN - SEC. XX National Guard Cyber Support and Cyber Services For Governmental Entities Outside the Department of Defense and Nongovernmental Entities [S 3542],
SA 2135. Mrs. FISCHER - SEC. XX Internet of Things [S 3552],
SA 2178. Mr. WICKER (R,MS) - TITLE XX Cyber Workforce Matters [S 3569-72],
SA 2195. Mr. JOHNSON - SEC. XX Subpoena Authority [S 3584-5],
SA 2209. Mrs. FISCHER - SEC. XX Internet of Things [S 3621],

Since most of these amendments will not make it to floor consideration, I will not take up any more time on a detailed analysis of the listed amendments. Two things I will mention, however. First, many of these amendments have names similar to bills that have been introduced in the Senate. This is not unusual. The NDAA is a ‘must pass bill’, so attaching other legislation that otherwise would not make it to the floor on its own is a common legislative tactic.

The second item of note is that there are a number of instances where the same person has proposed two (slightly) different versions of the same amendment. Typically, minor revisions have been made to make the amendment more palatable to one or more factions (or even just a single Senator) so that it is easier for the amendment to make it into the limited consideration space.

More amendments will be submitted next week.

Commentary


This is considered to be a ‘must pass’ bill and this is the one ‘must pass’ bill that usually makes it through the legislative process. This is because the leaders of the Armed Services Committee typically do a good job of keeping the most contentious issues out of the bill, but that has been getting more difficult as the political gulf in Washington has been widening. In today’s political environment there is no guarantee that this bill will pass in regular order. Watch for the cloture vote on Monday for indications of how much of a problem this bill will be facing.

In the normal course of events, this bill would be expected to pass by the end of the week. I would not be surprised to see it held over until next week or even later. In the meantime, some amendments will be dealt with and even more will be introduced.

Saturday, June 27, 2020

Public ICS Disclosures – Week of 06-20-20


This week we have six Ripple20 advisories from vendors, one of them an update. There were also four vendor updates from Schneider, Rockwell (2) and Yokogawa. There was a researcher report for products from OSIsoft. There were also four exploits published for products from ABUS, SICK, mySCADA and Inductive Automation.

Ripple20 Advisories and Updates


HMS published a Ripple20 advisory that identifies affected products and generic mitigations.

Eaton published a Ripple20 advisory that identifies affected products and generic mitigations.

Boston Scientific published a Ripple20 advisory that admits that some (unidentified) products have the vulnerabilities but “concluded there is no increased security risk for patients who have our implantable products because of the Treck vulnerabilities”.

Schneider published a Ripple20 advisory that identifies affected products and generic mitigations.

Schneider published a Ripple20 advisory specifically for their network management card products.

Schneider updated their Ripple20 advisory that was originally published on June 16th, 2020. It refers to the first new Schneider advisory described above.

Schneider Update


Schneider published an update of their legacy Triconex advisory that was originally published on April 14th, 2020. The new information includes adding CVE numbers and descriptions and updated affected version and mitigation data.

NOTE: The revised advisory includes an interesting discussion about why Schneider decided that this update was necessary.

Rockwell Updates


Rockwell published an update for their FactoryTalk Linx Path Traversal advisory that was originally published on June 18th, 2020. The new information includes a revised list of affected products.

Rockwell published an update for FactoryTalk Linx multiple vulnerability advisory that was originally published on June 11th, 2020. The new information includes a revised list of affected products.

NOTE: The updated information is the same in both updates. See my note on the path traversal advisory in last week’s blog post.

Yokogawa Update


Yokogawa published an update for their unquoted service path advisory that was originally published on September 27th, 2019 and most recently updated November 1st, 2019. The new information includes adding three new products to the affected product list and providing mitigation links for those products.

OSIsoft Report


Otorio published a report on a cross-site scripting vulnerability in the OSIsoft PI Web API 2019. The vulnerability was disclosed by OSIsoft on June 11th, 2020. The report includes a poor-quality video demonstrating an exploit of the vulnerability.

ABUS Exploit


Matthias Deeg published an exploit for a missing encryption of sensitive data vulnerability in the ABUS Secvest Wireless Control Device (FUBE50001). This was reportedly coordinated with ABUS.

SICK Exploit


Aliasrobotics published an exploit for a default credentials vulnerability in the SICK safety PLC. There is no indication that this was reported to SICK, so this is probably a 0-day exploit.

mySCADA Exploit


Emre ÖVÜNÇ published an exploit for a hard-coded credentials vulnerability in the mySCADA myPro HMI. There is no indication that this was reported to mySCADA, so this is probably a 0-day exploit.

Inductive Automation Exploit


Pedro Ribeiro and Radek Domanski published a Metasploit module for a Java deserialization vulnerability in the Inductive Automation Ignition SCADA product. The vulnerability was disclosed by the vendor on June 2nd, 2020 and the NCCIC-ICS advisory was subsequently updated on June 11th, 2020.

Friday, June 26, 2020

OMB Approves CG Autonomous Vessel RFI


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) approved the publication of a Coast Guard request for information on “Identifying Barriers to Autonomous Vessels”. The RFI was submitted for review on March 12th, 2020. The RFI will be published in the Federal Register sometime in the next few weeks.

According to the 2019 Fall Unified Agenda entry for this rulemaking:

“This notice solicits the public’s views on United States Coast Guard (USCG) regulations that may need to be updated, modified, or eliminated to facilitate the safe introduction of automated commercial vessels into our nation’s waterways. USCG requests comment on specific regulatory and operational requirements that are likely to be affected by increased integration of automated vessels into the maritime transportation system.”

Bills Introduced – 6-25-20


Yesterday, with both the House and Senate in Washington, there were 80 bills introduced. One of those bills may receive additional coverage in this blog:

HR 7331 To establish the Office of the National Cyber Director, and for other purposes. Rep. Langevin, James R. [D-RI-2]

I will be watching this bill for language and definitions that specifically apply to control system security issues.

ISCD Updates 9 CFATS FAQ Responses – 6-26-20


Today the CISA Infrastructure Security Compliance Division (ISCD) updated the responses to nine frequently asked questions (FAQ) on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. These updates were not announced in the ‘Latest News’ section of that page because they were editorial changes designed to reflect changes in program management (CISA branding), to update URLs for page links (see the similar 6-22-20 blog post) and to make the responses more helpful, rather than reflecting changes in ISCD policy.

The updated FAQ’s were:


NOTE: Recent FAQ responses, these included, that reference rulemaking documents now link to the quoted paragraphs instead of just giving the general link to the document, making the reference much easier to find. I have been using these paragraph links in my reporting on rulemaking publications for years now.

Thursday, June 25, 2020

4 Advisories Published – 6-25-20


Today the CISA NCCIC-ICS published three control system security advisories for products from Rockwell Automation (2) and ENTTEC. They also published a medical device security advisory for products from Philips.

FactoryTalk Advisory


This advisory describes two vulnerabilities in the Rockwell FactoryTalk View SE. The vulnerabilities were reported by Ilya Karpov and Evgeny Druzhinin of ScadaX Security. Rockwell has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Cleartext transmission of sensitive information - CVE-2020-14480, and
• Weak encoding for passwords - CVE-2020-14481

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to lead to unauthorized access to server data.


FactoryTalk Services Advisory


This advisory describes an improper restriction of XML external entity reference vulnerability in the Rockwell FactoryTalk Services Platform. The vulnerability was reported by Applied Risk. Rockwell has a patch that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to lead to a denial-of-service condition and to the arbitrary reading of any local file via system level services.

NOTE: NCCIC-ICS did not publish a link to the Rockwell advisory.

ENTTEC Advisory


This advisory describes four vulnerabilities in the ENTTEC Datagate Mk2, Storm 24, Pixelator, E-Streamer Mk2 lighting control products. The vulnerabilities were reported (report includes proof-of-concept exploit code) by Mark Cross. ENTTEC has not yet offered mitigation measures for these vulnerabilities.

The four reported vulnerabilities are:

• Hard-coded cryptographic key - CVE-2019-12776,
• Cross-site scripting - CVE-2019-12774,
• Improper access control - CVE-2019-12775, and
• Improper permission assignment for critical resource - CVE-2019-12777

NCCIC-ICS reports that a relatively low-skilled attacker with remote access could use publicly available code to remotely exploit the vulnerabilities to gain unauthorized SSH/SCP access to devices, inject malicious code, run commands with root privileges, and read, write, and execute files in system directories as any user.

Philips Advisory


This advisory describes an authentication bypass using alternate path or channel vulnerability in the Philips Ultrasound Systems. The vulnerability is self-reported. Philips has a new version that mitigates the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerability to allow a non-authenticated attacker to view or modify information. The Philips advisory reports that it would take a relatively high-skilled attacker with local access to exploit the vulnerability.

Wednesday, June 24, 2020

2020 Hurricane Season and Chemical Facility Safety – CSB and CCPS Insights


We are now less than a month into the official 2020 Hurricane season and we have already had four named storms. With both the official season forecast and recent updates indicating that we are looking at an active hurricane season this year, owners of chemical facilities near the Atlantic or Gulf coasts need to plan for protecting their facilities from potential wind, surge or flooding events associated with tropical systems. Both the Chemical Safety Board (CSB) and the Center for Chemical Process Safety (CCPS) recently produced guidance on what types of actions facility owners need to consider.

CSB Flood Video


No discussion of modern hurricanes and chemical facilities can take place without a brief discussion of the 2017 incident at the Arkema manufacturing facility in Crosby, TX during the aftermath of Hurricane Harvey. The CSB’s Arkema investigation page summarizes the incident:

“On August 29, 2017, flooding from Hurricane Harvey disabled the refrigeration system at the Arkema plant in Crosby, TX, which manufactures organic peroxides. The following day people within a 1.5 mile radius were evacuated. As the trailers increased in temperature the peroxides spontaneously combusted on August 31. Officials ignited the remaining trailers, on Sunday, September 3, 2017. The evacuation zone was lifted on September 4, 2017.”

Yesterday the CSB released a new video about the flooding risks at chemical facilities based upon the lessons learned in their Arkema investigation.

2020 Hurricane Season Guidance


Along with that flooding video, the CSB also published “2020 Hurricane Season: Guidance for Chemical Plants During Extreme Weather Events”. This brief document starts with the introduction of a new guidance document from CCPS (more about that below). It then continues with a discussion about actions that should be taken in restarting a chemical facility after a weather event. It has sections addressing:

• Hazards of startups following an extreme weather event,
• Relying on established safety systems, and
• Checking process equipment thoroughly.

That last section contains a brief checklist of items that need to be addressed. It includes a non-exhaustive list of details to look for when examining:

• Large bulk storage tanks for evidence of floating displacement or damage,
• Pressure vessels and small storage tanks for evidence of floating displacement or damage,
• Insulation systems for piping, vessels, and tanks,
• Sewers and drains,
• Furnace systems,
• Electric motors and drives, and
• Switchgear, conduit, electrical boxes, electronic and pneumatic instrumentation, emergency warning systems, emergency equipment.

CCPS Monograph


As mentioned in both the video and the CSB guidance, the Center for Chemical Process Safety (CCPS) has published a monograph on the “Assessment of and planning for Natural Hazards”. This document was prepared in response to one of the five recommendations from the CSB Arkema incident investigation. This is a much more detailed document (as one should expect) than the CSB guidance discussed above.

The 44-page document has sections on:

• Identifying natural hazards of concern,
• Gathering data about those hazards,
• Identifying equipment to be addressed in natural hazards assessments, and
• Evaluating against design criteria.

There are also two sections addressing post incident activities: recovery and recommissioning. As with most technically oriented documents, there is an extensive list of appendices providing more detailed information on topics such as:

• Site screening for natural hazards,
• Contents of a natural hazard’s emergency response plan,
• Activity list for before, during and after a natural hazard event, and
• List of interdependencies.

Commentary


The CCPS document has a wealth of good information, but there are two points that need to be repeated loudly and often. The first is a proper identification of the equipment that needs to be specifically covered in a natural hazards assessment. The document makes this important distinction (pg 2):

“For example, the emergency power system may be important for continued operation during a natural disaster, but the maintenance shop equipment may not be. Any equipment or operation that is required for safe operations or that, if compromised, could lead to a process safety event, harm to personnel, the community, or the environment should be identified.”

The second refers to the failing at Arkema that was identified by the CSB accident investigation, ‘common mode failure’. The CCPS document explains (pg 3):

“A challenge in natural hazards response planning is that a number of important systems and pieces of equipment may be impacted by the same hazard at the same time, or in rapid succession. This may also include the layers of protection that have been installed to protect equipment. A common mode failure may be rising flood waters. For example, as the water level continues to rise, more and more equipment may be inundated and, eventually, even the equipment on “high ground” may also be flooded.”

Unfortunately, while identifying the ‘common mode failure’ problem, the authors provide no guidance on what needs to be done to ensure that those failure modes are adequately mitigated, or at least clearly identified in any subsequent risk assessment.

The other area where this CCPS document is light in its coverage is its discussion of emergency response planning. The information in the two emergency response planning (ERP) appendices is very good for on-site emergency response planning. What is missing is a discussion of pre-incident coordination with the local emergency response planning community. Only two topics (both important, to be sure) are identified:

Communications – “It is important that regional and national Emergency Service Providers be able to communicate with the facility Emergency Response Center and the facility being impacted by the natural disaster (if it is staffed).” Pg 21

Access Credentials – “Area access may be restricted before the disaster hits. Develop a plan for emergency access credentials for employees who will be coming in to staff the plant during the emergency. Do not count on employees being able to get in just because the disaster had not yet occurred. Local emergency officials may have already closed roads to all travelers without appropriate credentials.” Pg 23

What is missing is any discussion about coordination with the Local Emergency Planning Committee (LEPC) or other local/regional emergency planners about the specifically identified natural hazards for the facility and the management plans for dealing with them. More importantly, there is no discussion of identifying any mitigation assistance the facility might need as an incident progresses, or what off-site implications may need to be dealt with if facility plans fail to adequately contain a chemical incident.

One specific lesson from the Arkema incident is not addressed at all, and that is the complication that led to criminal charges being filed against the Arkema management. During the flooding event in Crosby, TX, the road that led past the facility was the only major thoroughfare that remained open during the flooding. Having to close that route because of potential chemical releases caused so many problems for local authorities that they allowed emergency responders, without adequate training or equipment, to continue to use the road while the incident progressed.

An early discussion between facility management and local emergency response personnel should have identified this as an added problem for the facility that should probably have required a pre-flooding evacuation of the peroxides that caused the problems at the facility. Relying on just onsite consequence evaluations minimized the consideration of that option.

All in all, the two documents and video identified here are worthwhile and useful. Any chemical facility management team should review them closely and take appropriate action. Weather events are not going away and seem to be getting worse over time.

Bills Introduced – 6-23-20


Yesterday, with just the Senate in session, there were 20 bills introduced. Two of those bills may receive additional coverage in this blog:

S 4049 An original bill to authorize appropriations for fiscal year 2021 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes. Sen. Inhofe, James M. [R-OK]

S 4051 A bill to improve the ability of law enforcement agencies to access encrypted data, and for other purposes. Sen. Graham, Lindsey [R-SC]

S 4051 will almost certainly not have anything to do with control systems, so it does not directly fit in with most of the stuff that I write about. There has been significant press coverage (see here for example) and it would seem that the authors are going to push to move this bill forward. I am looking forward to reading the actual language, so I am adding it to my tracking list. I just do not know if it will receive additional mention in this blog.

3 Advisories and 5 Updates Published – 6-23-20


Yesterday the CISA NCCIC-ICS published three control system security advisories for products from ABB, Honeywell and Mitsubishi Electric. They updated five medical device security advisories for products from BD and Baxter (4).

ABB Advisory


This advisory describes an insecure storage of sensitive information vulnerability in the ABB Device Library Wizard. The vulnerability was reported by William Knowles of Applied Risk. ABB has new versions that mitigate the vulnerability. There is no indication that Knowles has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow a low-level user to escalate privileges and fully compromise the device.

Honeywell Advisory


This advisory describes two cleartext transmission of sensitive information vulnerabilities in the Honeywell ControlEdge PLC and RTU. The vulnerabilities were reported by Nikolay Sklyarenko of Kaspersky. Honeywell provides a document (login required) describing the mitigation measures for these vulnerabilities. There is no indication that Sklyarenko has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to obtain passwords and session tokens.

Mitsubishi Advisory


This advisory describes a cleartext transmission of sensitive information vulnerability in the Mitsubishi MELSEC CPU modules. The vulnerability was reported by Shunkai Zhu, Rongkuan Ma and Peng Cheng from NESC Lab. Mitsubishi provides generic mitigation measures.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow information disclosure, information tampering, unauthorized operation, or a denial-of-service condition.

NOTE: NCCIC-ICS did not publish the link to the Mitsubishi advisory.

BD Update


This update provides additional information for an advisory that was originally reported on June 18th, 2020. The new information includes the link to the BD advisory.

Sigma Spectrum Update


This update provides additional information for an advisory that was originally reported on June 18th, 2020. The new information includes the link to the Baxter advisory.

Phoenix Update


This update provides additional information for an advisory that was originally reported on June 18th, 2020. The new information includes the link to the Baxter advisory.

PrismaFlex Update


This update provides additional information for an advisory that was originally reported on June 18th, 2020. The new information includes the link to the Baxter advisories (PrismaFlex and PrisMax).

ExactaMix Update


This update provides additional information for an advisory that was originally reported on June 18th, 2020. The new information includes the link to the Baxter advisory.

Tuesday, June 23, 2020

S 3712 Introduced – Cybersecurity Grand Challenges


Last month Sen Wicker (R,MS) introduced S 3712, the Cyber Leap Act of 2020. The bill would require the Department of Commerce to establish five cybersecurity grand challenges. The bill was approved by the Senate Commerce, Science, and Transportation Committee with two amendments on May 20th, 2020.

Grand Challenges


The bill would add a new section 205 to the Cybersecurity Enhancement Act of 2014 (15 USC 7431 et seq.). It would require DOC to establish grand challenge competitions using the processes outlined in 15 USC 3719 in order to “achieve high-priority breakthroughs in cybersecurity by 2028” {§205(a)(1)}. The challenges would address:

• Economics of a cyber-attack,
• Cyber training,
• Emerging technology,
• Reimagining digital identity, and
• Federal agency resilience

A sixth, general ‘other challenges’ category was removed in Committee by an amendment proposed by Sen Lee (R,UT).

The Department would be required to “request and accept funds from other Federal agencies, State, United States territory, local, or tribal government agencies, private sector for-profit entities, and nonprofit entities to support efforts to pursue a national cybersecurity grand challenge under this section” {§205(b)(5)}. There are no other funding provisions within the bill.

To aid in carrying out these grand challenge authorities DOC is required to establish an advisory committee. A second amendment by Lee would specifically prohibit paying committee members for anything beyond travel expenses.

Moving Forward


As mentioned above, the bill was adopted in Committee where it did receive a measure of bipartisan support with one Democratic cosponsor {Sen Rosen (D,NV)} and it was adopted by a voice vote, a sign of the lack of serious opposition to the bill. If this bill is to be considered in the Senate this session, it would have to be taken up under the unanimous consent process. With the lack of any spending authority, that remains a possibility.

Bills Introduced – 6-22-20


Yesterday, with the Senate in Washington and the House meeting in pro forma session, there were 41 bills introduced. Two of those bills are likely to see additional coverage in this blog:

S 4023 A bill to enhance maritime cybersecurity. Sen. Markey, Edward J. [D-MA]

S 4024 A bill to establish in the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security a Cybersecurity Advisory Committee. Sen. Perdue, David [R-GA]

I will be watching both bills for definitions and language that specifically include control system cybersecurity issues.

Monday, June 22, 2020

ISCD Updates 2 FAQs – 6-22-20


Today the CISA Infrastructure Security Compliance Division updated the responses to frequently asked questions (FAQs) on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. The two FAQs were:


The Minor Changes


The revised FAQ #516 changes the response from including the site name and URL for online CVI training to simply using the site name as a clickable link. Similarly, in FAQ #641 the revised response removed the phrase “which can be found at https://www.dhs.gov/appendix-a-chemicals-interest-list” and made the site title “Chemical Facility Anti-Terrorism Standards (CFATS) Appendix A” a clickable link. In both instances the original URL and the subsequent link go to the same web site.

Commentary


This is a change in editorial style, not a change in policy or procedures. I wonder if/when ISCD will get around to changing all of the FAQs where a URL is provided for a web page; see for example FAQ #1392.

Retrospective CFATS Cost Analysis – No Cybersecurity Costs


When I wrote yesterday’s blog post about CISA’s retrospective cost analysis of the Chemical Facility Anti-Terrorism Standards (CFATS) program, I only did a cursory search for cybersecurity related measures before I noted: “The other area that is apparently short-changed in this assessment is the cost of cybersecurity measures.” I have since gone back and done a more organized search for discussion about cybersecurity costs associated with the program and can find nothing.

Search Methods


The first and most obvious search was for the term ‘cyber’. With just one exception, the search only turned up that word in association with the full name for CISA, the Cybersecurity and Infrastructure Security Agency. The one exception was found in a footnote (#3) on page 15:

“Each SSP consists of a series of questions for each of the following security topics: Detection; Delay; Response; Cyber; Security Management. For each of these topics, respondents are asked to provide information about a number of existing security measures. In addition to the questions about existing measures, there are questions regarding planned and proposed measures.”

I then looked for the following terms related to cybersecurity measures that one would expect to see employed in a chemical facility:

• Firewall – no matches,
• Intrusion detection – only related to facility physical security measures,
• Anti-virus – no matches,
• Network segmentation – no matches,
• System boundaries – no matches,
• External Connections – no matches,
• Network – no matches,
• Control system – only related to facility physical security ‘access control system’,
• Remote access – no matches,
• Virtual Private Network – no matches,
• Least privilege – no matches,
• Information storage media – no matches, and
• Safety instrumented systems – no matches

Finally, I searched for the cybersecurity measures recommended in the Risk Based Performance Standard (RBPS) guidance document:

• Security policy – no matches,
• Access control – only related to facility physical security measures,
• Personnel security – no matches,
• Awareness and training – no matches,
• Monitoring and incident response – no matches,
• Disaster recovery and business continuity – no matches,
• System development and acquisition – no matches,
• Configuration management – no matches, and
• Audits – multiple mentions of non-cyber specific ‘annual internal audits’

Commentary


While I acknowledge that estimating the cost of many of the standard cybersecurity measures (network segmentation, for instance) would be difficult using the processes described in this document, the total failure to mention any cyber related security measures or costs throws this complete document into question.

I could understand this failure to address cybersecurity costs in assessments conducted by non-technical organizations, but the failure of the CYBERSECURITY and Infrastructure Security Agency to even mention cybersecurity is a complete travesty. It also begs the question of what other major areas of security were ignored in the development of this document.

This lack of cybersecurity coverage is even worse when taken together with the recent GAO report on cybersecurity issues in the CFATS program. Perhaps Congress needs to move forward with a one-year continuation of the CFATS program (current authorization expires next month) while taking a hard look at the cybersecurity portions of the program.

Sunday, June 21, 2020

CISA Publishes Retrospective CFATS Cost Analysis


The DHS Cybersecurity and Infrastructure Security Agency published a notice in Monday’s Federal Register (85FR 37393-37394; available online yesterday) announcing the availability of the “Retrospective Analysis of the 2007 Chemical Facility Anti-Terrorism Standards” for public review and comment. The review looks at the estimated costs of the CFATS program as identified in the 2006 rulemaking that established the program and the actual costs that were incurred by facilities in the first ten years of the program.

The notice makes the point that:

“The retrospective analysis updates cost estimates from the 2007 CFATS IFR [link added] with new estimates based on data observed from the implementation and operation of CFATS over the last decade. CISA intends to use the retrospective analysis: (1) To improve the accuracy of cost estimates incurred by regulated facilities since 2007; (2) as a basis for future regulatory changes to the CFATS program; and (3) to perform cumulative impact analysis on the full costs of the program as it evolves.”

CISA is soliciting public comment on this document. Comments may be submitted via the Federal eRulemaking Portal (www.regulations.gov; Docket #DHS-2014-0016). Comments should be submitted by September 21st, 2019. Note: this is the 2014 CFATS advanced notice of proposed rulemaking docket.

Commentary


This is another detailed and informative product from the CFATS folks. Well worth the read for anyone involved in the program or interested in critical facility security in any form.

The important thing here is that CISA has gone back and questioned the regulatory assumptions made before the program was started. Those of us who have watched this program since its inception know that DHS was starting a unique security program with little knowledge about the scope of industries that would ultimately be covered or the initial security level of the facilities to be regulated.

What makes this assessment possible is the online Chemical Security Assessment Tool (CSAT) and the database (CHEMSEC) where the data from that tool is collected. The use of CSAT is nothing short of a regulatory revolution. Each potentially covered facility provides CISA with extensive information on their inventories of DHS chemicals of interest (COI) as well as information about their neighbors, local law enforcement and first responders. This information, along with the details about security measures employed at all covered facilities, allows CISA to provide an estimate of the actual cost of the regulatory program at a heretofore unprecedented level of detail.

After a quick overview of the document, it would seem to me that there are two areas where the CSAT information is lacking about costs of the program. The first is the cost of outside security expertise. While the largest chemical companies certainly have the in-house security expertise available to assess, plan and execute an effective CFATS security program, the same cannot be said for perhaps most covered facilities. CISA needs to consider how it should assess the extent to which consultants and other outside security expertise have been used in support of covered CFATS facilities and the costs associated with that support. I do not think that those costs will have any serious impact on the overall assessment of the cost of the program, but it should still be examined.

The other area that is apparently short-changed in this assessment is the cost of cybersecurity measures. While the purchase of specific cybersecurity hardware would certainly be included in the list of planned security measures that CISA used to assess new security costs, most of the costs of improving cybersecurity would not be going into hardware. Again, for the majority of facilities, outside consultants, integrators and programmers would be doing the bulk of the work in upgrading cybersecurity tools, processes and equipment. I suspect that the universe of CFATS facilities using outside cybersecurity resources would probably be larger than those just using outside physical security expertise. Again, CISA needs to consider how it would capture these costs.

I fully encourage all past and present covered CFATS facilities, as well as the consultants, integrators and suppliers that have supported CFATS facilities for the last 14 years, to take a close, critical look at this document and to provide an appropriate assessment to CISA, especially if CISA got anything dramatically wrong in their assessment process. Remember, if the cost of the program is substantially lower than originally estimated, it would be much easier for Congress to consider expanding the coverage of the program to more facilities.
