Friday, July 31, 2020

Bills Introduced – 7-30-20

Yesterday, with both the House and Senate in session, there were 70 bills introduced. One of those bills will receive additional coverage in this blog:

HR 7856 To authorize appropriations for fiscal year 2021 for intelligence and intelligence-related activities of the United States Government, the Community Management Account, and the Central Intelligence Agency Retirement and Disability System, and for other purposes. Rep. Schiff, Adam B. [D-CA-28]


Thursday, July 30, 2020

5 Advisories Published – 7-30-20

Today the CISA NCCIC-ICS published four control system security advisories for products from Mitsubishi Electric (3) and Inductive Automation. They also published a medical device security advisory for products from Philips.

Factory Automation Advisory #1

This advisory describes an unquoted search path or element vulnerability in the Mitsubishi Factory Automation Engineering products. The vulnerability was reported by Mashav Sapir of Claroty. Mitsubishi has new versions that mitigate the vulnerability. There is no indication that Sapir has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to obtain unauthorized information, modify information, and cause a denial-of-service condition.

Factory Automation Advisory #2

This advisory describes a path traversal vulnerability in the Mitsubishi Factory Automation products. The vulnerability was reported by Mashav Sapir of Claroty. Mitsubishi has new versions that mitigate the vulnerability. There is no indication that Sapir has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to obtain unauthorized information, tamper with the information, and cause a denial-of-service condition.

Factory Automation Advisory #3

This advisory describes a permissions issue vulnerability in the Mitsubishi Factory Automation Engineering Software products. The vulnerability was reported by Younes Dragoni of Nozomi Networks, the Applied Risk research team, and Mashav Sapir of Claroty. Mitsubishi has new versions that mitigate the vulnerability. There is no indication that researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to enable the reading of arbitrary files, cause a denial-of-service condition, and allow execution of a malicious binary.

Inductive Automation Advisory

This advisory describes a missing authorization vulnerability in the Inductive Automation Ignition 8 product. The vulnerability was reported by Mashav Sapir of Claroty. Inductive Automation has a new version that mitigates the vulnerability. There is no indication that Sapir has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to gain access to sensitive information.

Philips Advisory

This advisory describes an insertion of sensitive information into log file vulnerability in the Philips DreamMapper mobile application. The vulnerability was reported by Lutz Weimann, Tim Hirschberg, Issam Hbib, and Florian Mommertz of SRC Security Research & Consulting. Philips plans a new release to mitigate the vulnerability by June of next year.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker access to the log file information containing descriptive error messages.


Wednesday, July 29, 2020

House to Consider HR 7617 – Second FY 2021 Minibus


Tomorrow the House is scheduled to take up HR 7617, the second (and final) FY 2021 minibus. This legislation includes language from the following bills:  

• HR 7617 (DOD – Division A),
• HR 7667 (CJS – Division B),
• HR 7613 (EWR – Division C),
• HR 7668 (Financial Services – Division D),
• HR 7614 (LHH – Division E), and
• HR 7616 (THUD – Division F)

HR 7667, the FY 2021 DHS spending bill, was originally supposed to be included in this minibus, but it was removed in an amendment agreed to last night in the House Rules Committee. The Committee also approved 340 amendments to be submitted from the floor during the debate on this bill.

I will be watching for the following amendments to be considered on the floor:

83. Young (AK), Gabbard (HI), Gallego (AZ): Decreases the Defense Wide Operations and Maintenance account by $10 million and increases the Air Force Operations and Maintenance account by the same amount, for the ISR Operations Office to support the Cyber Operations for Base Resilient Architecture Pilot Program.

163. Gosar (AZ): Transfers $5 million from the Department of Energy's Departmental Administration account to the Cybersecurity, Energy Security, and Emergency Response account.

221. Bera (CA): Decreases and increases funds by $1 million in the CDC Public Health Preparedness and Response account to urge CDC to integrate early warning surveillance data, such as network-connected devices like smart thermometers and pulse oximeters or symptom surveys, into its COVID-19 syndromic surveillance to help identify potential hotspots even before individuals present to a health care facility.

338. Stauber (MN), Emmer (MN), Lipinski (IL): Increases and decreases the PHMSA authorization by $1,000,000 to highlight the need to conduct a study of corrosion control techniques for leak prevention of regulated above ground storage tanks. (10 minutes)

Commentary


The removal of the DHS spending provisions means that for the second year in a row, the Democratic leadership in the House could not work out a deal with their members for language on immigration issues that would allow for both moderates and progressives within the party to vote for the bill. Since there is little room for Republican support for the language in HR 7667, the Democrats would have to pass the legislation with only Democratic votes.

The revised minibus will almost certainly pass this week. It will not be taken up in the Senate and the Senate is unlikely to get any spending bills out of their Appropriations Committee before September 31st. There will be a continuing resolution to keep the government operating and the two Appropriations Committees will work out a compromise spending bill. Unfortunately, it may take the 117th Congress to actually pass such a bill unless the Democrats win big in November. If that happens the Republicans are likely to be more cooperative in passing a ‘compromise’ bill this year.

HR 7667 Reported in House – FY 2021 CJS Spending


Earlier this month the House Appropriations Committee published their marked-up version of HR 7667, the Commerce, Justice, Science, and Related Agencies Appropriations Act, 2021, along with their Report on the bill. There were no specific mentions of cybersecurity in the bill, but the Report did include several cybersecurity mentions; only one addressed control system security issues.

Industrial Control Systems


On page 24 of the Report the Committee discussed the importance of NIST’s Scientific and Technical Research and Services work on advanced manufacturing systems. They directed NIST “to prioritize new STRS funds to achieve fundamental scientific understanding of manufacturing processes and equipment and to enable new smart manufacturing systems capabilities for high-priority metals-based additive manufacturing, manufacturing robotics, and cybersecurity for industrial control systems [emphasis added].”

Cyber Threats


On page 19 the Committee expressed their concerns about cybersecurity issues around on-line data collection efforts in the 2020 Census. They directed “the Census Bureau to prioritize cyber protections and high standards of data differential privacy”.

On page 24 the Committee discussed threats to the ‘digital economy’ and urged “NIST to address the rapidly emerging threats in this field by furthering the development of new and needed cryptographic standards and technologies”.

Cybersecurity Training


The report addressed a number of cybersecurity training initiatives, including:

• National Initiative for Cybersecurity Education (pg 24),
• Cybersecurity Training for the Manufacturing Extension Partnership (MEP) program (pg 26), and
• CyberCorps (pg 137).

Moving Forward


This bill will be included in the second FY 2021 spending minibus, HR 7617. The House is currently scheduled to take up that minibus tomorrow.

ISCD Updates 2 FAQ Responses – 7-28-20


Yesterday the CISA Infrastructure Security Compliance Division (ISCD) updated two frequently asked question (FAQ) responses on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. Both of these responses had recently been updated as part of the on-going editorial fine tuning of FAQ responses that has been taking place over the last couple of weeks.

The two FAQ responses that were updated yesterday were for the following FAQ:

FAQ #1778 was last revised on July 21st, 2020. The most recent change was to remove links to regulations in the question.

FAQ #1779 was last revised on July 27th, 2020. The most recent change was to remove links to regulations in the question.

Tuesday, July 28, 2020

3 Advisories and 1 Update Published – 7-28-20


Today the CISA NCCIC-ICS published three control system security advisories for products from HMS Industrial Networks, Softing Industrial, and Secomea. They also published an update for an advisory for products from Delta Industrial Automation.

HMS Advisory


This advisory describes a stack-based buffer overflow in the HMS eCatcher VPN client. The vulnerability was reported by Sharon Brizinov of Claroty. HMS has a new version that mitigates the vulnerability. There is no indication that Brizinov has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to crash the device being accessed. In addition, a buffer overflow condition may allow remote code execution with highest privileges.

NOTE: I briefly discussed this vulnerability earlier this month.

Softing Advisory


This advisory describes two vulnerabilities in the Softing OPC. The vulnerabilities were reported by Uri Katz of Claroty. Softing has a new version that mitigates the vulnerabilities. There is no indication that Katz has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Heap-based buffer overflow - CVE-2020-14524, and
• Uncontrolled resource consumption - CVE-2020-14522

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to crash the device being accessed. A buffer-overflow condition may also allow remote code execution.

Secomea Advisory


This advisory describes four vulnerabilities in the Secomea GateManager VPN manager. The vulnerabilities were reported by Sharon Brizinov and Tal Keren of Claroty. Secomea has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Improper neutralization of null byte or null character - CVE-2020-14500,
• Off-by-one error - CVE-2020-14508,
• Use of hard-coded credentials - CVE-2020-14510, and
• Use of password hash with insufficient computational effort - CVE-2020-14512

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow a remote attacker to gain remote code execution on the device.

Delta Update


This update provides additional information on an advisory that was originally published on June 30th, 2020. The new information includes a link to a new version that mitigates the vulnerabilities.

Monday, July 27, 2020

ISCD Updates 7 FAQ Updates – 7-27-20


Today the CISA Infrastructure Security Compliance Division (ISCD) updated the responses to two frequently asked questions on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. This is part of an on-going effort at ISCD to make editorial changes to the FAQ responses designed to reflect changes in program management (CISA branding), to change URLs to page links (see the similar 6-22-20 blog post), and to make the responses more helpful, rather than to reflect changes in ISCD policy.

The FAQ responses updated today include:



FAQ #1742 was last updated on July 20th, 2020. Today’s update changed the labeling and indentation of the three subparagraphs.

FAQ #1749 was last updated on July 21st, 2020. Today’s update changed the indentation of the 8 subparagraphs.

FAQ #1633 was last updated on July 20th, 2020. Today’s update changed the labeling of the three subparagraphs.

FAQ #1660 was last updated on July 16th, 2020. Today’s update changed the labeling of the three subparagraphs.

FAQ #1772 has not apparently been changed since it was last updated on July 20th, 2020.

FAQ #1779 was last updated on July 22nd, 2020. Today’s update changed the format of the quotation marks used in the question (but not in the response).

FAQ #1788 was last updated on July 16th, 2020. Today’s update removed an extraneous ‘)’ in the Question.

S 4197 Introduced – CFATS Extension


Earlier this month Sen Johnson (R,WI) introduced S 4197, a bill to extend the Chemical Facility Anti-Terrorism Standards (CFATS) program through July 25th, 2027. This was the third in a series of bills introduced by Johnson to extend that program without legislative changes in the program. This bill was introduced on the same day that the Senate passed S 4148, a shorter-term extension of the CFATS program that was subsequently passed by the House and signed by the President.

Bill Comparison


All three bills were ‘clean’ extensions of the program, with no policy or regulatory changes included in the language. The table shows the two areas of major differences between the three bills.

CFATS Bills       S 4096     S 4148     S 4197
Extension Date    7-27-23    7-27-23    7-25-27
Cosponsors        3-R, 2-D   3-R, 2-D   3-R

As I noted in my post on S 4096, the only difference between that bill and S 4148 was the removal of some minor, unnecessary effective-date language that had been included in S 4096.

The extension date for both S 4096 and S 4148 was far enough down the road that the affected businesses were appeased because they had some regulatory certainty about the program. More importantly, this date was the soonest that Johnson and his fellow Republicans had a reasonable chance that they might yet again ‘control’ both the House and Senate. The 2027 date would, however, give a much more likely date for that to have occurred.

The extension date is important because Congress has shown little appetite for addressing the CFATS program until the program nears its expiration date. Even with an expiration date fast approaching it has been difficult to get consensus on what changes are necessary. Without the impetus of pending termination, there is little incentive for the different factions to come together on a legislatively workable revision to the program.

Sunday, July 26, 2020

HR 7617 Reported in House – FY2021 DOD Spending


Earlier this month the House Appropriations Committee published their marked-up version of HR 7617, the Department of Defense Appropriations Act, 2021, and their Report on the bill. There is only one specific cyber mention in the bill, but there are a number of mentions of cyber related topics in the report; none specifically addressing control system security issues.

Cyber in HR 7617


While cyber operations are becoming a bigger part of overall military operations there is only one mention of the term ‘cyber’ in HR 7617. In §8125(a)(7) ‘Defensive Cyber Operations Army’ are mentioned as a potential target for funding for software development funds under the Research, Development, Test and Evaluation spending authorization.

Cyber Training


Various training initiatives are addressed in the Committee Report. Most of the mentions include a requirement to report back to the Committee on the progress of the related program. These mentions include:

• Pgs 10-11 - Civilian cyber workforce,
• Pg 32 - Cybersecurity professionals,
• Pg 320 - Cyber education collaboratives, and
• Pg 322 - Women and minorities in the STEM pipeline.

There are three rather vanilla mentions of cybersecurity processes in the Report. They include:

• Pg 113 - Standards and protocols on countering cybersecurity incidents,
• Pg 113 - Zero trust architecture, and
• Pg 318 - Distributed ledger technology research and development.

There is only one place in the Report where specific funding is mentioned in relation to cybersecurity processes, on page 325, under Arsenal Security. It states:

“The Committee believes that maintaining security, including threats from cyber-attacks, data piracy, and other technological risks, of Department of Defense arsenals is essential. The Committee directs that of the funds included under Industrial Operations, $3,500,000 is to implement efforts to combat these types of threats.”

Moving Forward


This bill will be used as the base for the second minibus spending bill in the House. The House Rules Committee will meet on Tuesday to set the rule for the consideration of the bill on the floor of the House, to include a list of which amendments will be authorized to be submitted from the floor. There have been 110 amendments for this portion of the bill submitted to the Rules Committee.

At this point it is not yet clear that the Democrats have the votes to pass the second minibus. They certainly have a majority in the House, but it is potential ‘no votes’ from the progressive wing of the party that could disable this bill. The problem is not the DOD portion of the bill, but rather a failure to ‘adequately sanction’ ICE and CBP in the DHS portion of the bill that would be the reason for the ‘Nays’.

The Rules Committee meeting has already been delayed one day to add time to resolve this issue. Pelosi is aware that the Party needs the support of the recently elected moderates that allowed the Democrats to take control of the House, so the DHS provisions cannot be too extreme. The Progressives, on the other hand, need to have strong punitive measures in the bill to appease their supporters.

The easy solution is to follow the example of last year: leave the DHS spending bill on the Committee floor and not consider it on the floor of the House. The resolution would then be left to the conference committee that would essentially craft a compromise omnibus spending bill before year end. And yes, an omnibus bill is almost a foregone conclusion; the Senate has not yet even been able to craft a single spending bill in Committee and the ‘August Recess’ is fast approaching (though, to be sure, that recess may still be a victim of the COVID-19 disruption).

PHMSA Publishes LNG by Rail Final Rule


On Friday the DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) published a final rule in the Federal Register (85 FR 44994-45030) for “Hazardous Materials: Liquefied Natural Gas by Rail”. The rule was sent to OMB’s Office of Information and Regulatory Affairs (OIRA) for approval on May 1st and was approved by OIRA on June 19th, 2020. The notice of proposed rulemaking (NPRM) for this action was published in October 2019.

According to the summary provided in the rulemaking:

“PHMSA, in coordination with the Federal Railroad Administration (FRA), is amending the Hazardous Materials Regulations (HMR) to allow for the bulk transport of “Methane, refrigerated liquid,” commonly known as liquefied natural gas (LNG), in rail tank cars. This rulemaking authorizes the transportation of LNG by rail in DOT-113C120W specification rail tank cars with enhanced outer tank requirements, subject to all applicable requirements and certain additional operational controls. The enhancements to the outer tank are indicated by the new specification suffix “9” (DOT-113C120W9).”

Changes in Final Rule


PHMSA received 445 comments on the NPRM for this rulemaking (see my series of blog posts about those comments here). In the preamble to this final rule PHMSA addresses those comments and notes the changes that were made as a result of those comments. Those revisions include:

• Changes to the DOT-113 outer shell specification,
• Changes to the maximum filling density,
• Removal of an inappropriate reference to ‘Mylar’ in the insulation description,
• Additional braking requirements for unit trains (similar to the HHFT requirements), and
• Route planning requirements.

The Final Rule


PHMSA provides a summary of the changes being made to the HMR:

• §172.101,
• §172.102,
• §172.280,
• §173.319, and
• §174.200.

Effective Date


The effective date for this final rule is August 24th, 2020.

Commentary


As I noted in an earlier post, the House is attempting to require PHMSA to cancel this rule via §8202 of HR 2, the INVEST in America Act that passed in the House on June 26th. While it is unlikely that the Senate will take up this bill it does provide some insight into how a Democratic controlled Congress would view this rulemaking. It is very likely that a Democratic 117th Congress would introduce legislation to negate this rulemaking. As President, Biden would likely sign such legislation.

This is an important consideration. While it will be legal to ship LNG by rail as of August 24th, none of the approved DOT-113C120W9 railcars yet exist. It will take time to scale-up production of these railcars to begin significant transportation of LNG by rail. With the uncertainty about the continued existence of this shipping approval because of the uncertain outcome of the November election, I would suspect that large orders for these new railcars will not be placed until after the election.

The big question will be how much control (if any) the Democrats have in the Senate. Under current rules (subject to change) a simple majority only provides a limited measure of control of that body. A 60-vote majority would be necessary (again under changeable current rules) to be able to ensure that debate could be closed on bills with substantial opposition. A Democratic majority in the 117th Congress is certainly a possibility, but supermajority control is almost impossible.


Saturday, July 25, 2020

HR 7616 Reported in House – FY 2021 THUD Spending


Last week the House Appropriations Committee completed crafting and reporting on HR 7616, the Transportation, Housing and Urban Development, and Related Agencies Appropriations Act, 2021. The bill does not contain any specific cybersecurity or chemical transportation-safety requirements, but both areas are addressed in the Committee Report.

Cybersecurity


On page 74 the Report addresses Committee cybersecurity concerns about Amtrak train control systems and a 2019 Amtrak OIG report on those security issues. The Committee “directs Amtrak to comply with the OIG recommendations to improve the cyber security and resiliency of Amtrak’s train control systems” and to prepare a report for Congress on their actions.

On page 83 the Committee directs the Washington Metropolitan Area Transit Authority (WMATA) to work with DOT and CISA “to ensure that the agency is complying with best practices for the procurement of Industrial Control Systems.” Additionally, WMATA is directed “to include analysis of Internet of Things (IoT) and unknown and unauthorized devices in its cybersecurity plan.”

Chemical Transportation Safety


The report covers a number of issues related to liquefied natural gas (LNG) transportation and handling. On pages 93 thru 94 there is an entire section related to LNG by rail transportation. The Committee requires a number of reports from the PHMSA about safety issues related to LNG by rail. The section closes out with the statement:

“Further, the Committee notes that the INVEST in America Act [HR 2; passed by the House and not likely to be taken up by the Senate] requires the Department to rescind any special permit or approval for the transportation of LNG by rail tank cars and places a stay on any regulation authorizing the transportation of LNG by rail tank cars until the Department completes a thorough evaluation of the safety, security, and environmental risks of transporting LNG by rail.”

On page 96 the Report addresses safety issues at LNG facilities (also regulated by PHMSA). It notes that the Committee “supports PHMSA’s efforts to hire 5 inspectors and engineers to help address the potential risks associated with LNG facilities.” It also expresses concerns about delays in the rulemaking efforts to update 49 CFR 193.

In two different areas the Report addresses the safe transportation of ‘energy products’. Pages 94 thru 95 address safety issues related to the transportation of crude oil by rail and include a requirement for a congressional briefing “on the findings and recommendations of the Crude Oil Characterization Research Study [link added].” DOE and DOT have already sent their required report, the Report to Congress on the Crude Oil Characterization Study, to Congress.

The second area where the Report addresses ‘energy products’ is in pages 96 thru 97 where ‘energy products training’ is covered. It closes the short discussion by noting:

“As PHMSA’s responsibilities for the safe movement of LNG expands, the Committee directs PHMSA to enhance its training curriculum for local emergency responders to account for LNG facilities and the transportation of LNG in rail tank cars.”

Moving Forward


HR 7616 will be included in the second spending minibus, HR 7617. The House Rules Committee will meet on Tuesday to formulate the rule for consideration of this much longer and more controversial spending bill.

Public ICS Disclosure – Week of 7-18-20

This week we have two vendor disclosures from Phoenix Contact and CODESYS and an update from Rockwell.

Phoenix Contact Advisory

Phoenix Contact published an advisory [.PDF download link] describing an improper path sanitization on import of project files vulnerability in their PLCnext Engineer. The vulnerability was reported by Amir Preminger of Claroty. Phoenix Contact has a new version that mitigates the vulnerability.

CODESYS Advisory

CODESYS published an advisory [.PDF download link] describing an uncontrolled memory allocation vulnerability in their CODESYS V3 Visualization product. The vulnerability was reported by Tenable. The Tenable report includes proof-of-concept code. CODESYS has a new version that mitigates the vulnerability.

Rockwell Update

Rockwell published an update for their FactoryTalk View SE advisory that was originally published on June 18th, 2020. The new information includes updated guidance in light of publicly available scripts. NCCIC-ICS should update their advisory next week.


Friday, July 24, 2020

1 Advisory Published – 7-23-20


Yesterday the CISA NCCIC-ICS published a control system security advisory for products from Schneider Electric.

Schneider Advisory

This advisory describes five vulnerabilities in the Schneider Triconex TriStation and Triconex Tricon Communication Module. The vulnerabilities were reported by Reid Wightman of Dragos, Inc. Schneider has new versions that mitigate the vulnerabilities and has pushed notification to customers.

The five reported vulnerabilities are:

• Cleartext transmission of sensitive information - CVE-2020-7483,
• Uncontrolled resource consumption - CVE-2020-7484 and CVE-2020-7486,
• Hidden functionality - CVE-2020-7485, and
• Improper access control - CVE-2020-7491

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to view clear text data on the network, cause a denial-of-service condition, or allow improper access.

Thursday, July 23, 2020

HR 7668 Reported in House – FY 2021 DHS Spending


Earlier this week the House Appropriations Committee introduced HR 7669, the Department of Homeland Security Appropriations Act, 2021, and published their Report on the bill. The bill does contain one specific cybersecurity provision and the report outlines changes to the CISA spending account.

Cybersecurity


Section 314 of the bill adds a new section 2215 to the Homeland Security Act of 2012. This new section requires DHS (read CISA) to establish a Cybersecurity Advisory Committee. The language is very similar to S 4024 which was added (as §6614) to the language being considered in S 4049, the FY 2021 NDAA.

CISA Spending


As is to be expected with any ‘new’ agency, especially a large one, there have been changes made to the way that the Cybersecurity and Infrastructure Security Agency (CISA) spending accounts are listed in the Committee Report.

On page 145, under the heading of Operations and Support the previous entries under ‘Cybersecurity’ are all being zeroed out. A new subheading of ‘Cyber Operations’ has been added with the following spending categories (the bill’s spending levels are in the parentheses):

• Strategy and Performance ($3,378,000),
• Threat Hunting ($163,368,000),
• Vulnerability Management ($164,064,000),
• Capacity Building ($167,240,000), and
• Operational Planning and Coordination ($68,764,000)

On page 146, under the same heading a second subheading was added “Technology Services” with the following spending categories:

• Cybersecurity Services ($9,944,000),
• Continuous Diagnostics ($111,133,000), and
• National Cybersecurity Protection System ($301,057,000)

For the combined ‘Operations and Support’ heading the total spending in the bill for ‘Cybersecurity’ is now $987,948,000, an increase over last year of $40 million and more than $186 million more than requested by the Trump Administration.

Similarly, changes were made to the ‘Infrastructure Protection’ account. Two subheadings were zeroed out, including ‘Infrastructure Security Compliance’. This is the heading that used to include spending for the CFATS program. A new ‘Chemical Security’ subheading was added with initial spending set at $31,128 where none was requested by the Administration.

On page 147 under the ‘Integrated Operations’ sub-heading all of the previously listed categories were replaced by ‘Regional Operations’ and ‘Operations Coordination and Planning’. The ‘Regional Operations’ category includes listed spending for both ‘Security Advisors’ ($81,520,000) and ‘Chemical Inspectors’ ($46,147,000). I mention the ‘Security Advisors’ spending because the DHS budget had suggested that the chemical security inspectors from the CFATS program would be folded into the Protective Security Advisors program.

The total for ‘Chemical Security’ and ‘Chemical Inspectors’ ($77,275,000) is a slight increase over last year’s ‘Infrastructure Security Compliance’ spending ($75,111,000).

Moving Forward


It continues to look like HR 7669 will be included in the second minibus spending bill that will be based upon HR 7617. There have been some objections from the progressive wing of the Democratic Party. They do not think that the bill does enough to rein in ICE and CBP excesses. If the Democrats cannot ensure that enough of their House members will vote for the minibus with the DHS spending bill included, they will either have to modify the bill to attract progressives without pushing away moderates in the party, or they will have to remove the DHS language from the minibus.

Wednesday, July 22, 2020

ISCD Updates 2 FAQ Responses – 7-22-20


Today the CISA Infrastructure Security Compliance Division (ISCD) updated the responses to two frequently asked questions on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. This is part of an on-going effort at ISCD to make editorial changes to the FAQ responses designed to reflect changes in program management (CISA branding), to change URLs to page links (see the similar 6-22-20 blog post), and to make the responses more helpful, rather than to reflect changes in ISCD policy.

The FAQ responses updated today include:


What Now for CFATS?


Michael Kennedy has an interesting blog post about the recent passage of S 4148, extending the current CFATS program through July 27, 2023. He has been hip-deep in the reauthorization/extension process, and his insights are invaluable. As my readers would expect, I will add in my 2-cents’ worth.

Missed Opportunity


Any program, even one as successful of late as the Chemical Facility Anti-Terrorism Standards (CFATS) program, has room for improvement. This is the value of the congressional authorization process. It provides a chance for legislators to take a look at a program: to see what it has accomplished, where it is going and, most importantly, what improvements are needed. Large and important programs like national defense need an annual review and adjustment process like the must-pass National Defense Authorization Act. Smaller programs with more limited impact need to be reviewed less often, every three to five years.

In 2014 the CFATS program was reauthorized for five years. Changes were made to the program. Some were successful and others were less so. As Kennedy points out in his valuable CFATS reauthorization timeline, Congress tried unsuccessfully in 2018 to put together a reauthorization package. Interestingly the House and Senate were not nearly as far apart as they had been in the early years of the program, so the one-year extension passed in the closing days of the 115th Congress looked like it should provide enough time to put a compromise package together.

Unfortunately, neither HR 3256 nor S 3416 made it to the floor of their respective bodies, much less to the ‘other house’, for consideration. Instead, a couple of short-term extensions were enacted and then Congress kicked the can down the road to the 118th Congress. Unfortunately, the new deadline, while early enough in the session to avoid election fever, is almost too early in the session for potentially new committee leadership to craft bills and force them through the subcommittee and committee hearing process.

Expedited Approval Process


I do have to take exception to one of the points that Michael made in his blog post. He suggested that Congress could have: “Eliminated the Expedited Approval Process, which was rarely used.” First, the program was ‘rarely used’ (initially just a couple of facilities) because the program was added when most facilities were almost through the site security plan approval process, with most of the hard work already having been done. If the program had come out two years earlier, I suspect that there would have been more facilities using the EAP.

But even if no facilities had ever actually used the EAP, keeping the program available would have one great benefit: it outlines in significant detail what facilities can do to meet the requirements of the Risk Based Performance Standards (RBPS). The current RBPS Guidance document is substantially deficient in this regard. This is due to DHS, in 2008/2009 when the document was written, bending over backwards to ensure that they could not be accused of trying to mandate security measures, a congressional prohibition in the original §550 authorization language.

For Tier 3 and 4 facilities the EAP guidance outlines in some detail what security measures facilities must employ to implement a site security plan under that program. Facilities looking at the potential costs of introducing their first DHS chemical of interest to a facility can use the EAP security guidance to estimate the security costs associated with that introduction. There is nothing in the RBPS Guidance that provides the same level of surety.

In the Meantime


The folks at the CISA Infrastructure Security Compliance Division (ISCD) can take a deep breath now; their program will continue for another three years. They have successfully scaled up the Personnel Surety Program to include Tier 3 and Tier 4 facilities, continued to expand their outreach efforts, and adapted to the COVID-19 enforcement environment. What new initiatives can we expect to see ISCD undertake in the absence of new congressional mandates?

First and foremost, I think, should be a rewrite of the RBPS Guidance document. It is currently over 10 years old and the GAO has already identified (and CISA acknowledged) deficiencies in the cybersecurity portions of the document. That, plus old, outdated references to the old color-coded federal terrorism alert system, makes this document ripe for a rewrite.

At this point a new feature should be added to the Guidance document: a listing of innovative techniques that companies have successfully employed to meet the RBPS standards for their site security plans. This type of information (including a modality for updating the list periodically as new information becomes available) could help to spread security innovation throughout the program.

The second thing that should be addressed is the 2014 advanced notice of proposed rulemaking (ANPRM). With no new program mandates from Congress, ISCD should be able to move this rulemaking effort to the next stage, a notice of proposed rulemaking (NPRM). There have yet to be any changes made to the CFATS regulation (6 CFR Part 27) based upon the requirements of the 2014 reauthorization bill and the ANPRM identified some interesting potential changes.

One thing that certainly needs to be addressed is some of the problems with the current mixture rules. Some of these have been addressed in an ad hoc manner via a 2019 letter concerning a limited number of products containing sodium chlorate. I discussed this issue in some detail. The CFATS regulations should include some process under which facilities could request, and ISCD would evaluate, whether specific mixtures and/or products could be exempted from Top Screen reporting requirements.

Finally, I think that ISCD should consider making public the guidance documents that they provide to chemical security inspectors, which are designed to ensure that equivalent enforcement processes are used around the country.

Tuesday, July 21, 2020

1 Update Published – 7-21-20


Today the CISA NCCIC-ICS published an update for a control system security advisory for products from Treck.

Treck Update


This update provides additional information on an advisory that was originally published on June 16th, 2020 and most recently updated on July 14th, 2020. The new information includes a link to the ABB advisory for the Ripple20 vulnerabilities.

NOTE: NCCIC-ICS has still not included a link to the Siemens advisory for their SPPA-T3000 Solutions distributed control system that I mentioned last Saturday.

ISCD Updates 8 FAQ Responses – 7-21-20


Today the CISA Infrastructure Security Compliance Division (ISCD) updated the responses to eight frequently asked questions on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. This is part of an on-going effort at ISCD to make FAQ editorial changes designed to reflect changes in program management (CISA branding), to change URLs to page links (see the similar 6-22-20 blog post) and to make the responses more helpful, rather than to reflect changes in ISCD policy.

The FAQ responses updated today include:


FAQ #1749 was also updated yesterday. Today’s version changed the subparagraph numbering system.

The printing of the FAQ #1778 question in the “Search Results” section of the CFATS Knowledge Center when searching for this FAQ has some formatting problems (printing the URL instead of the web page name). The version printed here is the correct version.

House Adopts Amendments to HR 6395 – FY 2021 NDAA


Yesterday during the consideration of HR 6395, the FY 2021 National Defense Authorization Act, the House took up all of the proposed amendments related to cybersecurity that I described in yesterday’s post. None of the twelve amendments were considered individually; they were all part of the two en bloc amendments considered by the House.

The first six cybersecurity amendments (#s 2, 15, 27, 72, 117 and 162) were included in the first en bloc consideration. This group was approved by a roll call vote of 336 to 71 at 7:08 pm EDT. The second group (#s 179, 219, 220, 319, 320, and 329) was adopted by a voice vote at 8:38 pm EDT.

The House will resume consideration of the bill this morning with votes on six amendments that were debated yesterday. The House will then move to vote on the bill. The bill is expected to pass on essentially party lines. The Senate is still considering S 4049 and it too is expected to be approved in a mainly partisan vote. The two versions of the NDAA will have to be reconciled by a conference committee.

Bills Introduced – 7-20-20

Yesterday with both the House and Senate in session there were 51 bills introduced. Two of those bills may receive additional coverage in this blog:

HR 7668 Making appropriations for the Department of Homeland Security for the fiscal year ending September 30, 2021, and for other purposes. Rep. Roybal-Allard, Lucille [D-CA-40]

S 4226 A bill to require the Secretary of Homeland Security to conduct an assessment of the feasibility and advisability of establishing a fund for the response to, and recovery from, a cyber state of distress, and for other purposes. Sen. Peters, Gary C. [D-MI]

I will be watching S 4226 for language and definitions that would specifically include control system security issues in the coverage of the requirements.

Monday, July 20, 2020

ISCD Updates 9 FAQ Responses – 7-20-20


Today the CISA Infrastructure Security Compliance Division (ISCD) updated the responses to six frequently asked questions on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. There were also two news items on today’s CFATS Knowledge Center page: first, a note about the 30-day ICR renewal notice published in today’s Federal Register for the Chemical-Terrorism Vulnerability Information (CVI) program. The second note is an update of information about the COVID-19 modified compliance inspection program.

FAQ Updates


The FAQ updates are part of an on-going effort at ISCD to make FAQ editorial changes designed to reflect changes in program management (CISA branding), to change URLs to page links (see the similar 6-22-20 blog post) and to make the responses more helpful, rather than to reflect changes in ISCD policy.

The FAQ responses updated today include:


Interestingly, FAQ #1742 was previously updated last week. Today’s update simply indents the three subparagraphs in the response.

CVI ICR


The first news item on today’s CFATS Knowledge Center points to today’s CISA information collection request (ICR) renewal notice in the Federal Register for the CVI program. This is the follow-up to the 60-day ICR notice published in March. There is no burden change reported in the renewal notice. CISA is soliciting comments on the ICR notice. Comments may be submitted via email to dhsdeskofficer@omb.eop.gov. All submissions must include the words “Department of Homeland Security” and the OMB Control Number 1670-0015.

Covid-19 Modified Inspections


The second news item for today notes that CISA has completed the pilot of COVID-19 modified compliance inspections that had first been announced on June 11th, and which I detailed more completely two days later. Today’s notice says: “Based on the pilot, CISA is now conducting modified compliance operations and high-priority compliance assistance.” Facilities will be notified of any compliance inspection scheduled by their Chemical Security Inspector or the Infrastructure Security Compliance Division (ISCD) headquarters.

There has been no change made to the CFATS Compliance Inspection Fact Sheet since November 2019.

S 4148 Passes in House – CFATS Extension


This afternoon, shortly after 1:00 pm EDT, the House passed S 4148 to extend the Chemical Facility Anti-Terrorism Standards (CFATS) program through July 27th, 2023. The bill was considered under the seldom-used (in the House) unanimous consent process. The bill now goes to the President for signature. There is currently no indication that Trump will not sign the bill.

Brian Harrell, the CISA Assistant Director for Infrastructure Protection, had this to say about the program’s continuation:

“As you have heard me say before, chemical security is national security. The CFATS program has matured over the years to what it is today: a relevant and streamlined program with the goal of making high-risk facilities more secure. Our inspectors, chemists, engineers, and HQs staff go to work every day knowing the threat is real and they have long maintained their focus on our national security mission.”

HR 7609 Reported in House – FY 2021 VA Spending


Last week Rep. Wasserman-Schultz introduced HR 7609, the Military Construction, Veterans Affairs, and Related Agencies Appropriations Act, 2021. There is nothing in this bill that addresses control system security, or even medical device security. There were, however, two comments in the House Appropriations Committee Report on this bill that provide some interesting insight into how Congress still misperceives cybersecurity.

In their discussion about the VA’s implementation of electronic health records, the Committee expresses concern about the VA’s implementation of cybersecurity best practices. They then state (pg 95):

“The Committee directs the Department to identify for the Committee steps it has taken to protect data and patient records across physical, virtual, and mobile networks and the devices and systems attached to these networks. If such review warrants [emphasis added], the Department should consider a layered defensive strategy that includes perimeter security, segmentation within the data center to increase lateral security, and data and application protections.”

It seems to me that these recommended ‘layered defensive strategy’ measures are the minimum security requirements for any information system and should not depend on whether or not a security review warrants their implementation.

On the next page, the discussion continues, and the Committee recommends that “the Department consider emerging technologies, such as blockchain technology [emphasis added], if future requirements drive a need to modify VA’s security architecture and technical solutions”.

I am surprised that there was not also a reference to the other solve-all-problems cyber-solution, artificial intelligence.

Moving Forward


This bill will be lumped into the first FY 2021 minibus that the House will take up later this week.

House to Consider HR 6395 – FY 2021 NDAA


The House is set to begin consideration of HR 6395, the FY 2021 National Defense Authorization Act, today. The bill was originally introduced with skeletal language in April. The House Armed Services Committee completed their markup of the bill earlier this month, reporting the bill on July 9th, 2020. The GPO has not yet published the reported language of the bill, but the House Rules Committee has published a copy of the language that will be considered in the House.

As expected, the cybersecurity provisions in this bill are found in Division A, Title XVI, Subtitle B, Cyberspace-Related Matters. Four provisions in that subtitle address cybersecurity matters; two addressing government cybersecurity oversight and two defense industrial-base cybersecurity matters.

Cybersecurity Oversight


Section 1630 would require DHS to submit to Congress “a report on Federal cybersecurity centers and the potential for better coordination of Federal cyber efforts at an integrated cyber center within the national cybersecurity and communications integration center” (NCCIC) in DHS {§1630(a)}. Potentially included in that integrated cyber center would be {§1630(b)(4)}:

• The National Security Agency’s Cyber Threat Operations Center,
• United States Cyber Command’s Joint Operations Center,
• The Office of the Director of National Intelligence’s Cyber Threat Intelligence Integration Center,
• The Federal Bureau of Investigation’s National Cyber Investigative Joint Task Force,
• The Department of Defense’s Defense Cyber Crime Center, and
• The Office of the Director of National Intelligence’s Intelligence Community Security Coordination Center.

In an unusual move for a ‘report to Congress’ mandate, the section includes a requirement for DHS to “begin establishing an integrated cyber center in the national cybersecurity and communications integration center” {§1630(e)} within one year of submitting the report to Congress. That paragraph does not specify which components will be included in the ‘integrated cyber center’.

Section 1631 would require DHS to develop “an information collaboration environment and associated analytic tools that enable entities to identify, mitigate, and prevent malicious cyber activity” {§1631(a)}. The ‘collaborative environment’ would be designed to:

• Provide limited access to appropriate operationally relevant data about cybersecurity risks and cybersecurity threats, including malware forensics and data from network sensor programs, on a platform that enables query and analysis,
• Allow such tools to be used in classified and unclassified environments drawing on classified and unclassified data sets,
• Enable cross-correlation of data on cybersecurity risks and cybersecurity threats at the speed and scale necessary for rapid detection and identification;
• Facilitate a comprehensive understanding of cybersecurity risks and cybersecurity threats; and
• Facilitate collaborative analysis between the Federal Government and private sector critical infrastructure entities [emphasis added] and information and analysis organizations.

Section 1631(e) would also establish the Cyber Threat Data Standards and Interoperability Council, chaired by DHS. The Council would include representatives from Federal agencies and “public and private sector entities who oversee programs that generate, collect, or disseminate data or information related to the detection, identification, analysis, and monitoring of cybersecurity risks and cybersecurity threats” {§1631(e)(2)}. The Council would “identify, designate, and periodically update programs that shall participate in or be interoperable with the information collaboration environment” {§1631(e)(3)} including:

• Network-monitoring and intrusion detection programs,
• Cyber threat indicator sharing programs,
• Certain government-sponsored network sensors or network-monitoring programs,
• Incident response and cybersecurity technical assistance programs,
• Malware forensics and reverse-engineering programs, and
• The defense industrial base threat intelligence program of the Department of Defense.

Defense Industrial Base Cybersecurity


Section 1632 would require DOD to establish “a threat intelligence program to share with and obtain from the defense industrial base information and intelligence on threats to national security” {§1632(b)(1)}. The program would include {§1632(b)(2)}:

• Cybersecurity incident reporting requirements,
• A mechanism for developing a shared and real-time picture of the threat environment,
• Joint, collaborative, and co-located analytics,
• Investments in technology and capabilities to support automated detection and analysis across the defense industrial base,
• Coordinated intelligence sharing with relevant domestic law enforcement and counter-intelligence agencies, in coordination, respectively, with the Director of the Federal Bureau of Investigation and the Director of National Intelligence, and
• A process for direct sharing of threat intelligence related to a specific defense industrial base entity with such entity.

Participation in the program would be required for all DOD contractors, subcontractors, and suppliers.

Section 1634 would require DOD to report to Congress on “the feasibility and resourcing required to establish the Defense Industrial Base Cybersecurity Threat Hunting Program” {§1634(b)(1)}. If determined to be feasible, DOD would be required to establish the Program “to actively identify cybersecurity threats and vulnerabilities within the information systems, including covered defense networks containing controlled unclassified information, of entities in the defense industrial base” {§1634(c)(1)}.

Section 1634(e) would allow DOD to:

• Utilize Department of Defense personnel to hunt for threats and vulnerabilities within the information systems of entities in the defense industrial base that have an active contract with the Department of Defense,
• Certify third-party providers to hunt for threats and vulnerabilities on behalf of the Department of Defense, or
• Require the deployment of network sensing technologies capable of identifying and filtering malicious network traffic.

Floor Consideration of HR 6395


Last week the House Rules Committee developed the Rule for the consideration of HR 6395. It is a structured rule providing limited debate and a limited number of specific amendments that can be offered on the floor of the House.

Of the 407 amendments to be considered, the following contain cybersecurity provisions of note:

#2 – Bergman - Creates a cyber attack exception under the Foreign Sovereign Immunities Act (FSIA) to protect U.S. nationals against foreign state-sponsored cyberattacks,
#15 – Langevin - Establishes a National Cyber Director within the Executive Office of the President (similar to HR 7331),
#27 – Richmond - Implements a recommendation from the Cyberspace Solarium Commission to require the Department of Homeland Security to establish a cyber incident reporting program,
#72 – Chabot - Increases Air Force research funding by $3 million for the National Center for Hardware and Embedded Systems Security and Trust (CHEST),
#117 – DeFazio - Adds the Elijah E. Cummings Coast Guard Authorization Act of 2020,
#162 – Green - Enhances CISA’s ability to both protect federal civilian networks and provide useful threat intelligence to critical infrastructure by authorizing continuous threat hunting on the .gov domain. This will enable CISA to quickly detect, identify, and mitigate threats to federal networks from malware, indicators of compromise, and other unauthorized access,
#179 – Jackson-Lee - Implements a recommendation made by the Cyberspace Solarium Commission to require the Secretary of Homeland Security to develop a strategy to implement Domain-based Message Authentication, Reporting, and Conformance (DMARC) standard across U.S.-based email providers,
#219 – Langevin - Allows CISA to issue administrative subpoenas to ISPs to identify and warn entities of cyber security vulnerabilities (similar to HR 5680),
#220 – Langevin - Codifies the responsibilities of the sector risk management agencies with regard to assessing and defending against cyber risks,
#319 – Richmond - Implements a recommendation from the Cyberspace Solarium Commission that there be established at the Department of Homeland Security a Joint Planning Office to coordinate cybersecurity planning and readiness across the Federal government, State and local government, and critical infrastructure owners and operators,
#320 – Richmond - Implements a recommendation from the Cyberspace Solarium Commission that establishes a fixed 5-year term for the Director of the Cybersecurity and Infrastructure Security Agency and establishes minimum qualifications for the CISA Director (similar to HR 5679),
#329 – Ruppersberger - Requires the Secretary of Homeland Security to conduct a review of the ability of the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security to fulfill its current mission requirements, and for other purposes.

S 4049 Consideration


A quick reminder that the Senate will also resume consideration of their version of the NDAA (S 4049) today. The two versions will have to be reconciled at a later date by a conference committee. Many provisions adopted in either the House or Senate will not make it into the final bill or will be revised en route.
