Saturday, August 29, 2020

DOD Sends NISP Operating Manual to OMB for Review


Yesterday the OMB’s Office of Information and Regulatory Affairs announced that it had received from DOD the “National Industrial Security Program Operating Manual (NISPOM)” for review.

According to the abstract for this action in the Spring 2020 Unified Agenda:

“This rule will codify the National Industrial Security Program Operating Manual (NISPOM) which prescribes specific requirements, restrictions, and other safeguards that are necessary to preclude unauthorized disclosure and control authorized disclosure of Federal Government classified information to contractors, licensees, or grantees. The NISPOM applies to the release of classified information during all phases of the contracting process, including bidding, negotiation, award, performance, and termination of contractors, the licensing process or the grant process, with or under the control of departments or agencies.”

Commentary


No, I am not going to start digging into the ins and outs of NISP. The publication, however, of this manual will probably serve as a good, informational guide to any organization that is considering trying to get routine access to classified cyber-threat intelligence information from the government.

Public ICS Disclosures – Week of 8-29-20


This week we have a Ripple20 vendor update from Carestream.

Carestream Update


Carestream published an update of their Ripple20 advisory that was originally published on June 16th, 2020 and most recently updated on July 16th, 2020. The updated information includes the note that, after careful review, no Carestream products are affected.

Thursday, August 27, 2020

1 Advisory and 1 Update Published – 8-27-20


Today the CISA NCCIC-ICS published a control system security advisory for products from Red Lion and updated a medical device security advisory for products from OpenClinic GA.

Red Lion Advisory


This advisory describes five vulnerabilities in the Red Lion N-Tron 702W series products. The vulnerabilities were reported by Thomas Weber from SEC Consult Vulnerability Lab. These products went out of support in 2018 and cannot be updated.

The five reported vulnerabilities are:

• Cross-site scripting - CVE-2020-16210 and CVE-2020-16206,
• Cross-site request forgery - CVE-2020-16208,
• Backdoor - CVE-2020-16204, and
• Use of unmaintained third-party components - CVE-2017-16544

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to gain unauthorized access to sensitive information, execute system commands, and perform actions in the context of an attacked user.

NOTE: There are multiple proof-of-concept exploits available for the last item in that list, which actually covers multiple BusyBox vulnerabilities rather than a single one. Some of those BusyBox exploits can be found here, here and here.

OpenClinic Update


This update provides additional information on an advisory that was originally published on July 2nd, 2020. The new information includes three CVE numbers for vulnerabilities covered under the single listed ‘use of unmaintained third-party components’ vulnerability; those CVEs are:

CVE-2014-0114 (Apache Struts, improper input validation, multiple exploits),
CVE-2016-1181 (Apache Struts, insufficient information, multiple exploits), and
CVE-2016-1182 (Apache Struts, improper input validation, multiple exploits)


BIS Publishes Foundational Technologies Control ANPRM


The DOC’s Bureau of Industry and Security (BIS) published an advanced notice of proposed rulemaking (ANPRM) in today’s Federal Register (85 FR 52934-52935) on the “Identification and Review of Controls for Certain Foundational Technologies” as required by 50 USC 4817 (Note: This cite was incorrectly listed in the ANPRM as 50 USC 4801).

Under the Export Control Reform Act of 2018 (ECRA) BIS is required {§4817(a)} to identify foundational technologies and establish controls for those technologies under the Export Administration Regulations (EAR; 15 CFR 730 et seq). The term ‘foundational technologies’ is not defined in either the ECRA or EAR. The summary to this ANPRM provides the following broad description of the term:

“Foundational technologies essential to the national security are those that may warrant stricter controls if a present or potential application or capability of that technology poses a national security threat to the United States.”

The BIS is looking for comments on:

• How to further define foundational technology to assist in identification of such items,
• Sources to identify such items,
• Criteria to determine whether controlled items identified in AT level Export Control Classification Numbers (ECCNs), in whole or in part, or covered by EAR99 categories, for which a license is not required to countries subject to a U.S. arms embargo, are essential to U.S. national security,
• The status of development of foundational technologies in the United States and other countries,
• The impact specific foundational technology controls may have on the development of such technologies in the U.S.,
• Examples of implementing controls based on end-use and/or end-user rather than, or in addition to, technology-based controls,
• Any enabling technologies, including tooling, testing, and certification equipment, that should be included within the scope of a foundational technology, and
• Any other approaches to the issue of identifying foundational technologies important to U.S. national security, including the stage of development or maturity level of a foundational technology that would warrant consideration for export control.

BIS is soliciting public comments on this ANPRM. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # BIS-2020-0029). Comments should be submitted by October 26th, 2020.

OMB Approves PHMSA Class Location NPRM


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a notice of proposed rulemaking (NPRM) for DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) rule on “Pipeline Safety: Class Location Requirements”. PHMSA submitted this NPRM to OIRA on July 7th, 2020. The advance notice of proposed rulemaking for this action was published in July 2018.

According to the abstract in the Spring 2020 Unified Agenda listing for this rulemaking:

“This rulemaking regards existing class location requirements for natural gas transmission lines, specifically as they pertain to actions operators are required to take following class location changes due to population growth near the pipeline. Operators have suggested that performing integrity management measures on pipelines where class locations have changed due to population increases would be an equally safe but less costly alternative to the current requirements of either reducing pressure, pressure testing, or replacing pipe. The ANPRM requested public comment to inform future regulatory or deregulatory efforts related to this topic.”

This NPRM moved fairly quickly through the review process, so we may see faster than normal publication in the Federal Register, maybe even next week.

Interesting side note: with the approval of this NPRM there are only four DOT rulemakings under consideration at OMB. All of them are from the FAA. Three relate to overseas Flight Information Region restrictions in conflict areas and one deals with commercial space launch licensing requirements.

Wednesday, August 26, 2020

ISCD Updates 3 FAQ Responses – 8-26-20


Today the CISA Infrastructure Security Compliance Division (ISCD) updated the responses to three frequently asked questions (FAQs) on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. The changes were minor, non-substantive editorial changes dealing with the provision of links to official documents.

The three updated FAQs were:


NOTE: The links provided above were copied from the CFATS Knowledge Center but may not work when followed from your machine. This is an artifact of that web site. If the links do not take you to the referenced FAQ you will have to use the ‘Advanced Search’ function on the page to link to the FAQ or download the ‘All FAQs’ document at the bottom of the ‘Advanced Search’ page.

The following changes were made in the referenced FAQs:

• #1398 Added link for ‘40 CFR 261.33’
• #1481 Added link for ‘49 CFR § 171.8’
• #1673 Added link for ‘(73 FR 1640)’

Bills Introduced – 8-25-20


Yesterday with both the House and Senate meeting in pro forma session there were 22 bills introduced. Two of those bills may receive additional coverage in this blog:

HR 8103 To amend section 3553 of title 44, United States Code, to strengthen Federal networks, and for other purposes. Rep. Green, Mark E. [R-TN-7] 

HR 8115 To ensure appropriate prioritization, spectrum planning, and interagency coordination to support the Internet of Things. Rep. Welch, Peter [D-VT-At Large] 

HR 8103 will almost certainly be an IT-centric piece of legislation, but I will be watching it for language that may include ICS security impacts.

I will be watching HR 8115 for cybersecurity language and definitions.

Tuesday, August 25, 2020

3 Advisories Published – 8-25-20


Today the CISA NCCIC-ICS published three control system security advisories for products from WECON, Emerson, and Advantech.

WECON Advisory


This advisory describes a stack-based buffer overflow vulnerability in the WECON LeviStudioU. The vulnerabilities (see note below) were reported by Natnael Samson via the Zero Day Initiative. WECON is working on mitigation measures.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to allow an attacker to execute code under the privileges of the application.

NOTE: As I noted last Saturday, Samson reported 22 separate stack-based buffer overflow vulnerabilities (ZDI-20-1055 thru ZDI-20-1076) in this product. NCCIC-ICS lumped the ‘multiple buffer overflow vulnerabilities’ into a single CVE, CVE-2019-16243. Samson’s ZDI reports provide the name of each of the affected modules of the program. The ZDI advisories also note that in order to exploit the vulnerabilities an authenticated user must “visit a malicious page or open a malicious file”; presumably this would require a social engineering attack.

Emerson Advisory


This advisory describes an inadequate encryption strength vulnerability in the Emerson OpenEnterprise SCADA Software. The vulnerability was reported by Roman Lozko of Kaspersky. Emerson has a new service pack that mitigates the vulnerability. There is no indication that Lozko has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker access to credentials held by OpenEnterprise used for accessing field devices and external systems.

Advantech Advisory


This advisory describes a path traversal vulnerability in the Advantech iView device management application. The vulnerability was reported by KPC via ZDI. Advantech has a new version that mitigates the vulnerability. There is no indication that KPC has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to read/modify information, execute arbitrary code, limit system availability, and/or crash the application. Path traversal is the general case in which a file name taken from a request is joined to a server-side directory without confirming that the result still lies inside that directory.
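For readers who have not looked at this vulnerability class before, the following is an added, generic illustration written for this post. It is not Advantech iView code, does not reproduce the flaw the advisory reports, and the directory layout and request strings it uses are constructed for the example. It shows a naive resolver that trusts the request path beside a hardened one that resolves the path and then proves the result is still under the intended root.

```python
from __future__ import annotations

import os
import tempfile

# Added illustration of the path-traversal vulnerability class, written for
# this post. Not Advantech iView code; file layout and requests are constructed.


def vulnerable_resolve(root: str, user_path: str) -> str:
    """Naive resolution: trusts the request string.

    '../' segments walk out of root, and an absolute user_path makes
    os.path.join discard root entirely.
    """
    return os.path.join(root, user_path)


def hardened_resolve(root: str, user_path: str) -> str:
    """Resolve the request, then prove the result still lies under root.

    realpath() collapses '..' and follows symlinks, so a link inside root
    that points outside it is rejected too. Raises PermissionError on escape.
    """
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError(f"path traversal rejected: {user_path!r}")
    return candidate


def escapes_root(root: str, resolved: str) -> bool:
    """True when a resolved path lies outside root (shows the naive version failing)."""
    root_real = os.path.realpath(root)
    return os.path.commonpath([root_real, os.path.realpath(resolved)]) != root_real


def audit_requests(root: str, requests: list[str]) -> dict[str, str]:
    """Run each request through both resolvers and summarise the outcome."""
    summary: dict[str, str] = {}
    for req in requests:
        naive = "escapes" if escapes_root(root, vulnerable_resolve(root, req)) else "inside"
        try:
            hardened_resolve(root, req)
            hardened = "allowed"
        except PermissionError:
            hardened = "rejected"
        summary[req] = f"naive={naive} hardened={hardened}"
    return summary


def make_sample_root() -> str:
    """Create a constructed document root with one legitimate file; returns its path."""
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    os.makedirs(os.path.join(root, "files"))
    with open(os.path.join(root, "files", "config.txt"), "w") as fh:
        fh.write("constructed sample config\n")
    return root


# Constructed requests: one legitimate, three that try to leave the root.
SAMPLE_REQUESTS = ["files/config.txt", "../../etc/passwd", "/etc/passwd", "files/../../x"]

if __name__ == "__main__":
    demo_root = make_sample_root()
    for req, outcome in audit_requests(demo_root, SAMPLE_REQUESTS).items():
        print(f"{req:20} {outcome}")
```

The check is done on the fully resolved path rather than by string-matching for `..`, because encodings, mixed separators and symlinks all defeat pattern filters while the resolved path comparison does not depend on how the request was spelled.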

OMB Approves ‘Foundational Technology’ ANPRM


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an advance notice of proposed rulemaking (ANPRM) for a Department of Commerce rule on “Identification and Review of Controls for Certain Foundational Technologies”. The ANPRM could be expected to be published in the coming weeks.

According to the abstract for this rulemaking in the Spring 2020 Unified Agenda:

“In this advanced notice of proposed rulemaking, BIS [Bureau of Industry and Security] seeks comment on the scope of potential foundational technologies as well as on the criteria for determining which of those technologies, and therefore the related items, are essential to national security, pursuant to applicable sections of the Export Control Reform Act of 2018.”

This rulemaking would implement the requirements of 50 USC 4817 to identify emerging and foundational technologies that are essential to the national security of the United States, but not already controlled by current export control regulations.

I will be watching for this ANPRM for its potential to impact export controls on cybersecurity systems and research similar to what we saw with the 2017 Wassenaar rulemaking.

ISCD Updates 4 FAQ Responses – 8-24-20


Yesterday the CISA Infrastructure Security Compliance Division (ISCD) updated the responses to four frequently asked questions (FAQ) on their Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center web page. The changes were all relatively minor editorial changes with no change in policy or procedures.


The four revised FAQs are:


NOTE: The links provided above were copied from the CFATS Knowledge Center but may not work when followed from your machine. This is an artifact of that web site. If the links do not take you to the referenced FAQ you will have to use the ‘Advanced Search’ function on the page to link to the FAQ or download the ‘All FAQs’ document at the bottom of the ‘Advanced Search’ page.

The following changes were made in the referenced FAQs:

• #1759 adds reference and link to Federal Register notice on agricultural production facility Top-Screen extension and removes ‘APF’ abbreviation.
• #1760 removes ‘APF’ abbreviation
• #1771 replaces ‘inspector’ in FAQ with ‘Chemical Security Inspector’
• #1777 Adds link to ‘Safeguarding Information Designated as Chemical-terrorism Vulnerability Information (CVI) Revised Procedure Manual’ and removes standalone URL.

Sunday, August 23, 2020

Coastal Louisiana Expects 2 Hurricanes This Week


As if 2020 were not already crazy enough mother nature looks to be adding a new first to the mix. For the first time it looks like two different hurricanes could hit the State of Louisiana in the same week; first Marco then Laura. The forecast (for both intensity and landfall location) for both storms is a tad bit more iffy than normal for a variety of reasons, but it seems that both systems will hit the Louisiana coast this week.

TS Marco


This morning’s forecast for Marco shows the track below for a potential landfall on the coast sometime Monday afternoon as a category 1 hurricane.


Marco Track from NOAA data

According to NOAA one of the ‘key messages’ to take away from the current forecast for Marco is:

“Hurricane conditions, life-threatening storm surge, and heavy rainfall are expected from Marco along portions of the Gulf Coast beginning on Monday, and Hurricane and Storm Surge Warnings have been issued. Interests in these areas should follow any advice given by local government officials.”

TS Laura


This morning’s forecast for Laura shows the track below for a potential landfall on the coast sometime Thursday morning as a category 1 hurricane.


Laura Track from NOAA Data


Since Laura is further from potential landfall there is much less certainty in the time, location and intensity forecast. This morning’s NOAA ‘key messages’ includes this:

“The details of the long-range track and intensity forecasts remain uncertain since Laura is forecast to move near or over portions of the Greater Antilles through Monday. However, Laura is forecast to strengthen over the Gulf of Mexico and could bring storm surge, rainfall, and wind impacts to portions of the U.S. Gulf Coast by the middle of next week. This could result in a prolonged period of hazardous weather for areas that are likely to be affected by Tropical Storm Marco earlier in the week. Interests there should monitor the progress of Laura and Marco and updates to the forecast during the next few days.”

Emergency Planning and Response


COVID-19 has already thrown a bit of a monkey wrench into the planning and response process for this hurricane season. Planners and responders have to address the normal chaos of a tropical system landfall while still being concerned about social distancing, COVID vulnerable populations and an unusual number of very sick people in the affected area.

When you add in a potential second storm within days of the first landfall, the problems multiply. While FEMA normally expects to move supplies toward the affected area before the storm and then into the affected area once the storm passes, they are going to have to consider a two-stage movement of supplies into the affected area. This could potentially put responders for the Marco landfall into harm’s way when Laura hits. FEMA’s response will hinge on how strong Laura is expected to be at landfall when Marco actually hits. The stronger Laura is expected to be, the more complicated FEMA’s decision will be.

A further complication is the two different tracks the two storms are expected to take once they make landfall. This will make the siting of prepositioning of emergency supplies more difficult. FEMA does not want to place their supplies in the way of the storm so they would typically place these sites to either side of the proposed track. With two significantly different tracks, FEMA is going to have to rely on a limited number of prepositioning sites on the Gulf Coast to the East of the storms. This will mean placing the sites further from the projected landfall and limiting the flow of supplies to the I-10 corridor. This will cause logistic nightmares that will further complicate the problems identified above.

Facility Planners


Chemical facility and energy facility owners in the area will face many of the same problems that FEMA will face in responding to the potential twin hits of Marco and Laura. There will be a limited time for response after Marco’s landfall before Laura arrives on the scene. Owners are going to have to make hard decisions on what level of response they will make for damage from Marco before a second storm arrives on scene. Any repairs made in that short time frame will be potentially damaged in the second strike, doubling the cost of repairs. But failing to shore up damage from the first storm could make damage from the second storm that much worse.

And again, the two different storm tracks are going to play havoc with the various cooperative response agreements in place across the Gulf and the prepositioning of response crews and material. The I-10 corridor in Florida is going to be a really crowded area for the next week or so.

Saturday, August 22, 2020

LNG-by-Rail Lawsuits


Earlier this week I was asked on TWITTER® to comment on an article published at Marcellus Drilling News about lawsuits that had been filed to stop the implementation of the LNG by rail final rule that was published by the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) last month. I am taking this time to expand on my TWEETS.

Lawsuits


The article mentioned above briefly describes the lawsuit filed by fourteen State Attorneys General and Washington, DC to block the rule. A less polarized article on the same subject can be found on TheHill.com.

According to the brief filed Tuesday, “State Petitioners seek a determination by this Court pursuant to the Administrative Procedure Act, 5 U.S.C. § 706, the Hazardous Materials Transportation Act, 49 U.S.C. § 5101 et seq., and the National Environmental Policy Act, 42 U.S.C. § 4321 et seq., that the rule is unlawful and therefore must be vacated.” The actual reasoning and facts supporting that claim of the ‘unlawful’ nature of the rulemaking will be submitted to the Court in subsequent documents and proceedings.

The article on TheHill.com, in reference to an unlinked statement by the AG’s noted that they “plan to argue that the PHMSA failed to evaluate the rule’s environmental impacts and that the rule does not contain enough safety requirements.”

Environmental Impact


The environmental impact complaints center around the fact that PHMSA, in the preamble to the final rule stated that:

“PHMSA has completed its NEPA [National Environmental Policy Act of 1969] analysis. Based on the environmental assessment, PHMSA determined that an environmental impact statement is not required for this rulemaking because it does not constitute an action meeting the criteria that normally requires the preparation of an environmental impact statement. As explained in the final EA [environmental assessment; .PDF download link added], PHMSA has found that the selected action will not have a significant impact on the human environment in accordance with Section 102(2) of NEPA.”

While the EA goes into lengthy details about the safety related issues for a release of methane during an LNG railcar incident, it only briefly discusses (pg 35) the long-term environmental hazards associated with the release of methane, a potent greenhouse gas. PHMSA concludes by stating: “PHMSA contends that these economic and practical unknowns create compounded uncertainties that would not be clarified through the preparation of an environmental impact statement.” This failure to prepare an EIS will certainly be addressed in the lawsuit.

Safety Issues


As noted above, PHMSA includes a lengthy discussion of LNG related safety issues in the EA. And the preamble to the final rule provides discussions about comments received about the notice of proposed rulemaking with regards to emergency planning. PHMSA concluded that they have adequately addressed safety issues related to the rail transportation of liquified natural gas.

The AGs will certainly argue against that adequacy determination, particularly where it concerns ongoing safety testing being conducted by PHMSA and the Federal Railroad Administration (FRA). I noted in one of my posts on the NPRM comments that there were four studies underway when the NPRM was issued:

• Puncture resistance testing for DOT 113C120W railcars;
• Pool fire testing for DOT 113C120W railcars;
• FRA testing of an alternative ‘LNG tender’ design; and
• FRA testing of an alternative ISO tank design;

The first test in the list was discussed in the safety assessment included in the EA. The others have not been mentioned and may not yet be completed. PHMSA would probably maintain that the improvements that the final rule mandated for the DOT 113C120W9 rail cars obviate the need to wait for the completion of the other testing.

Political Influence


Neither of the articles mentioned earlier call attention to the possible political influence exerted by President Trump on PHMSA to adopt regulations authorizing the rail transportation of LNG. Paragraph 4(b) of EO 13868, Promoting Energy Infrastructure and Economic Growth, dated April 10th, 2019, required DOT to “finalize such [LNG by Rail] rulemaking no later than 13 months after the date of this order.” PHMSA acknowledged this requirement in the preamble to the final rule. PHMSA missed the deadline by slightly more than 2 months.

As the Chief Executive of the United States, it is clearly within the President’s authority to set priorities for regulatory development actions of agencies like DOT. This could only be a legal problem if the President used undue influence to have PHMSA ignore safety information or other regulatory requirements in adopting this rulemaking. It would be very unlikely that any court would find that the existence of EO 13868, in and of itself, constituted undue political influence. This is especially true since DOT went through a complete publish, comment and review cycle in the development of this final rule.

Did the EO influence the processing of this rulemaking? Almost certainly; the turnaround time between the end of the comment period and the submission of the final rule to OMB’s Office of Information and Regulatory Affairs (OIRA) for approval was extremely short for a rulemaking of this impact (and that submission was well within the time limit set by the EO). Additionally, the time for approval at OIRA was shorter than normal at less than 60 days. At the very least, DOT put additional administrative effort into getting the final rule written, reviewed and published.

If called upon to defend against a charge of undue political influence, the Administration can, however, point to the unusual delay between the OIRA approval of the final rule (June 18th, 2020) and the actual publication of the final rule (July 24th, 2020) in the Federal Register over a month later. It would be argued that the Administration conducted additional reviews of the rulemaking process to ensure that all of the ‘i’s’ were dotted and the ‘t’s’ crossed during the shorter than normal time between the NPRM and the final rule.

Moving Forward


It is not clear at this point what effect this lawsuit will have on the start of transportation of liquified natural gas by rail. I think that the best that the plaintiff’s attorneys really hope for is a stay of the effective date of the regulation pending review in the courts. If that stay can be put into place through the first quarter of 2021, the whole lawsuit will probably be moot. I suspect that a Democratic Congress and a President Biden will overturn the rulemaking by legislative action, much as we saw the Republicans do in so many instances in the first two years of the Trump Administration.

I suspect that the simple act of initiating the lawsuit has achieved the objective of the plaintiffs, stopping the large-scale shipment of LNG by rail. Since there are no DOT 113C120W9 railcars in existence, and no other railcar is authorized by this rulemaking, LNG shippers will have to place orders for a large number of railcars and begin construction of LNG liquefaction facilities. These are both long-lead time, high-expense activities. Few shippers can be expected to put this much money on the line with the very real possibility that their shipping authorization will disappear before the facilities and railcars can be delivered.

Public ICS Disclosures – Week of 8-15-20


This week we have three vendor disclosures for products from Phoenix Contact, Moxa, and Eaton and one update from Rockwell. There are researcher reports for products from WECON. There were two control system exploits published for products from PNPSCADA and Geutebruck.

Phoenix Contact Advisory


Phoenix Contact published an advisory [.PDF download link] describing a synchronous access of remote resource without timeout vulnerability in their Emalytics, ILC 2050 BI and ILC 2050 BI-L products. This is a third-party vulnerability in the Tridium Niagara product that was reported earlier this month by NCCIC-ICS. Phoenix Contact reports that they expect to fix this vulnerability in the next firmware update in October 2020.

Moxa Advisory


Moxa published an advisory describing six vulnerabilities in their NPort IAW5000A-I/O Series Serial Device Servers. The vulnerabilities were reported by Evgeniy Druzhinin and Ilya Karpov of Rostelecom-Solar. Moxa has a new firmware version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• Session fixation,
• Improper privilege management,
• Weak password requirements,
• Cleartext transmission of sensitive information,
• Improper restriction of excessive authentication attempts, and
• Information exposure

Eaton Advisory


Eaton published an advisory describing two vulnerabilities in their Secure Connect Android Mobile app. The vulnerabilities were reported by Vishal Bharad. Eaton has a new version that mitigates the vulnerabilities. There is no indication that Bharad has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Information exposure, and
• Information exposure through log files

Rockwell Update


Rockwell published an update for an advisory that was originally published on July 8th, 2020 and most recently updated on July 23rd, 2020. The new information includes links to additional detections.

WECON Reports


The Zero Day Initiative has published (ZDI-20-1055 thru ZDI-20-1076) 22 reports of 0-day vulnerabilities in the WECON LeviStudioU. The vulnerabilities have been reported to ‘ICS-CERT’ (presumably CISA NCCIC-ICS) which reportedly received no response from WECON. The vulnerabilities were reported by Natnael Samson. The vulnerabilities are all stack-based buffer overflows in various components of the LeviStudioU product. NO CVEs have been reported.

PNPSCADA Exploit


İsmail ERKEK published an exploit for an SQL injection vulnerability in PNPSCADA. There is no CVE for this vulnerability and there is no indication that ERKEK has contacted the vendor, so this looks like it is a 0-day vulnerability.

Geutebruck Exploit


Davy Douhine published a Metasploit module for an authenticated arbitrary command execution vulnerability in Geutebruck G-Cam and G-Code cameras. This vulnerability was previously reported by NCCIC-ICS.

Bills Introduced – 08-21-20


Yesterday with the House and Senate meeting in pro forma session, there were 18 bills introduced. One of those bills may receive future coverage in this blog:

HR 8085 To amend title 49, United States Code, to direct the Secretary of Transportation to carry out a pipeline safety enhancement program, and for other purposes. Rep. Veasey, Marc A. [D-TX-33] 

Friday, August 21, 2020

ISCD Published Updated CFATS Statistics – 8-20-20


Yesterday the CISA Infrastructure Security Compliance Division (ISCD) updated their Monthly Statistics page for the Chemical Facility Anti-Terrorism Standards (CFATS) program. The update was published unusually late in the month. It did add a new COVID-19 inspection term – Compliance Audit.

ISCD Activities


The table below shows the activities conducted by the CFATS chemical security inspectors during the month of July.

Inspection Data             Apr-20   May-20   Jun-20   Jul-20
Authorization Inspections        0        0        1       10
Compliance Inspections           2        4       35       76
Compliance Assistance            0        0      198      162
Compliance Audit                 -        -      27*        8

* The 27 Compliance Audits listed for June were not included in the June report.

The bottom line in the table reflects the newly reported Compliance Audits. This new term is being used to describe an abbreviated, virtual inspection that was instituted in June in response to COVID-19 visitation limitations. The ISCD page defines ‘Compliance Audits’ as:

“Compliance Audits: This metric shows the number of Compliance Audits conducted. During a Compliance Audit, CISA inspectors remotely review and then lead a discussion with facility personnel on records and documentation related to the facility’s COI and the security measures described in the facility’s security plan.”

The page also notes that:

“Based on the pilot [conducted in June], CISA is now conducting modified compliance operations, which include Compliance Audits, modified Authorization and Compliance Inspections, and high-priority compliance assistance.”

For details on what the ‘modified’ inspections entail, contact your CSI.

CFATS Status


The table below shows the current status (presumably as of August 1st) of the facilities in the CFATS program.

Facility Status   Apr-20   May-20   Jun-20   Jul-20
Tiered               142      158      150      139
Authorized           160      138      130      141
Approved            3033     3039     3061     3057
Total               3335     3335     3341     3337

Thursday, August 20, 2020

1 Advisory and 1 Update Published – 8-20-20


Today the CISA NCCIC-ICS published one medical device cybersecurity advisory for products from Philips and updated one control system security advisory for products from Treck.

Philips Advisory


This advisory describes three vulnerabilities in the Philips SureSigns VS4 patient monitor. The vulnerabilities were reported by Cleveland Clinic. Philips has provided generic mitigations for these vulnerabilities. There is no indication that the researchers have been provided with an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Improper input validation - CVE-2020-16237,
• Improper access control - CVE-2020-16241, and
• Improper authentication - CVE-2020-16239

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit these vulnerabilities to gain access to administrative controls and system configuration, which could allow configuration changes that cause patient data to be sent to a remote destination. The Philips advisory notes that: “This potential vulnerability does not impact patient safety.”

Treck Update


This update provides additional information on the Ripple20 advisory that was originally published on June 16th, 2020 and most recently updated on July 21st, 2020. The new information includes a link to a vendor advisory from Johnson Controls for their Sur-Gard System 5 receivers.

NOTE: NCCIC-ICS still has not reported the Siemens Ripple20 advisory that I discussed on July 18th, 2020.

Tuesday, August 18, 2020

CSB Publishes On-Line Incident Reporting Form


Yesterday the Chemical Safety and Hazard Investigation Board (CSB) published a link to their new online chemical release reporting form. They also established a new page on their web site that currently only provides login and registration for their incident report rule news. This form supports the chemical release incident reporting rule that was published in February and became effective on March 23, 2020.


The .PDF form is downloaded from the site, completed in the event of an incident and then emailed to report@csb.gov.

40 CFR 1604 (not yet officially published on govinfo.gov; the wording can be found here in the final rule) requires that:

“The owner or operator of a stationary source must report in accordance with paragraph (b) or (c) of this section, any accidental release resulting in a fatality, serious injury, or substantial property damage [links to definitions of highlighted terms added]” {§1604.3}.

The CSB has not yet published the reporting guidance document promised in the preamble to the final rule.

Monday, August 17, 2020

ISCD Updates 1 FAQ Response – 8-17-20


Today the CISA Infrastructure Security Compliance Division (ISCD) updated their response to FAQ # 81, How do I register for the Chemical Security Assessment Tool (CSAT)?, on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. Unlike the earlier series of FAQ response updates this summer (see here for example), this update is a substantial rewrite of the response.

The most important change is that ISCD now requires that TLS 1.2 (rather than the TLS 1.0 called for earlier) be enabled in the browser to access the CSAT User Registration website. The major browsers disabled TLS 1.0 and 1.1 by default in 2020, so a browser that still has TLS 1.2 turned off is already failing on most sites. I would suspect that TLS 1.2 will be required for access to the whole CSAT site. I have an email in to ISCD requesting clarification.

The other changes to the FAQ #81 response include revisions to the instructions for setting TLS 1.2 for Microsoft® Internet Explorer® and Mozilla® Firefox®. They also added instructions for setting TLS 1.2 in Microsoft Edge® and Google® Chrome®.
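The check that actually decides whether a browser gets in happens in the first handshake message: the ClientHello names the protocol versions the client will accept, and a server that insists on TLS 1.2 rejects the connection right there. The Python below is an added example, not ISCD's or the CSAT site's code; it builds two constructed ClientHello messages (a browser with only TLS 1.0 enabled, and a current browser offering TLS 1.2 and 1.3), parses each, and reports what was offered. The "TLS 1.2 minimum" rule in `meets_minimum` is an assumption standing in for whatever CSAT enforces, and the cipher suites and client random are fixed filler values.

```python
"""
Added example (not from ISCD, CISA or the CSAT site): parse a TLS ClientHello
and report which protocol versions the client offers. The two ClientHello
messages built here are constructed sample input so the script runs offline;
the TLS 1.2 minimum is an assumed server policy.
"""
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 0x002B   # supported_versions extension (RFC 8446)
TLS12 = 0x0303


def build_client_hello(legacy_version, supported_versions=()):
    """Build a minimal ClientHello record (constructed sample input)."""
    body = struct.pack("!H", legacy_version)
    body += b"\x11" * 32                              # client random: fixed filler, not random
    body += b"\x00"                                   # empty session id
    suites = struct.pack("!HH", 0x1301, 0xC02F)       # two cipher suites; values irrelevant here
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                               # one compression method: null
    exts = b""
    if supported_versions:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        data = bytes([len(vers)]) + vers              # 1-byte list length, then 2-byte versions
        exts += struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(data)) + data
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake  # record header


def offered_versions(record):
    """Versions named in the ClientHello: the supported_versions list if present,
    otherwise the legacy_version field (the highest version the client accepts)."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    legacy = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                          # legacy_version, random
    pos += 1 + body[pos]                                   # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                                   # compression methods
    versions = set()
    if pos + 2 <= len(body):                               # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == SUPPORTED_VERSIONS_EXT:
                for i in range(1, 1 + data[0], 2):
                    versions.add(struct.unpack("!H", data[i:i + 2])[0])
    # A pre-TLS 1.3 client sends no supported_versions; legacy_version is then
    # the best it can do, which is what a TLS 1.2-only server checks.
    return sorted(versions) if versions else [legacy]


def meets_minimum(record, minimum=TLS12):
    """True if the client offers at least `minimum` (assumed policy: TLS 1.2)."""
    return max(offered_versions(record)) >= minimum


def report(record):
    names = ", ".join(VERSION_NAMES.get(v, hex(v)) for v in offered_versions(record))
    return f"offers {names}; TLS 1.2 requirement met: {'yes' if meets_minimum(record) else 'no'}"


if __name__ == "__main__":
    print("TLS 1.0-only browser:", report(build_client_hello(0x0301)))
    print("current browser     :", report(build_client_hello(0x0303, (0x0304, 0x0303))))
```

The same parser can be pointed at a real capture: the bytes of the first client-to-server record on port 443 are exactly what `offered_versions` reads, so a packet capture of a failing registration attempt shows immediately whether the browser ever offered TLS 1.2.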

S 3045 Reported in Senate – CISA Subpoenas


Last month the Senate Homeland Security and Governmental Affairs Committee published their report on S 3045, the Cybersecurity Vulnerability Identification and Notification Act of 2019. The Committee amended and ordered the bill reported at a meeting held in March 2020. The bill would provide the Cybersecurity and Infrastructure Security Agency (CISA) with the authority to issue subpoenas “for the production of information necessary to identify and notify the [an] entity at risk”.

Subpoenas Limited to ISP’s?


I noted in my commentary on the introduction of S 3045 that:

“Much has been made in the more popular press (see here for example) about how this bill would allow CISA to issue these subpoenas to information services providers. This would certainly be helpful where CISA has been able to identify an IP address where a vulnerable system exists, but needs point of contact information from the ISP.”

There is nothing in the bill that specifically limits the application of the new CISA subpoena authority to just ISPs. In fact, there are only two mentions in the bill of statutes applicable to ISPs. In the new §659(o) being added by the bill, subparagraphs (2)(B)(i) and (2)(C) both refer to 18 USC 2703, Required disclosure of customer communications or records. The first two paragraphs of §2703 deal with obtaining copies of electronic communications, while paragraph (c)(2) allows a Federal agency, by administrative subpoena “authorized by a Federal or State statute”, to require a “provider of electronic communication service or remote computing service” to disclose certain limited information about “a subscriber to or customer of such service”.

If the intent of this bill were limited to collecting information from ISP’s, the crafters of the bill would have specifically provided reference to §2703(c)(2) in the new §659(o)(2)(A), rewording the final phrase of that sub-section to read:

“the Director may issue a subpoena under 18 USC 2703(c)(2) for the production of information necessary to identify and notify the entity at risk, in order to carry out a function authorized under subsection (c)(12).”

Failing to limit the subpoena authority to the referenced subparagraph means that someone in the crafting process intended to extend the subpoena authority, for obtaining information identifying owner/operators of vulnerable equipment in critical infrastructure, to entities other than just ISPs. And there is nothing in the language of the report that obviates that conclusion.

Moving Forward


The publication of the Committee Report technically clears this bill for consideration by the full Senate. It is unlikely that this bill would be considered under regular order with the full debate and amendment process. The bill is just not important enough (in the grand scheme of things; it is certainly important to CISA) to take up any of the limited time left in the session.

This leaves two options for consideration. The first would be to take this bill up under the unanimous consent process, where a single Senator could block consideration by objecting. I suspect that there would be a number of Democrats who would object to the bill on general principles, just to object to anything from DHS without a chance to debate and amend the bill.

The other path would be to add the provisions of this bill to a must pass bill. There is nothing in this bill that would cause serious enough objections to stall or even delay a must pass bill. I almost expected this to be added to the new Division E added to S 4049, the FY 2021 NDAA. Sen Johnson (R,WI) did propose similar language as two separate amendments (SA 1807 – pgs S3329-30; and SA 2195 – pgs S3584-5) to that bill. Neither amendment was taken up on the floor of the Senate.

The only other ‘must pass bill’ that this bill could be appended to would be the DHS spending division of the final omnibus spending bill that may be taken up much later this year.

Sunday, August 16, 2020

OMB Approves Initial TSA Surface Security Training ICR


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) approved the information collection request (ICR) from the TSA for the “Security Training Program for Surface Transportation Employees”. This new ICR (1652-0066) supports the final rule that was published last March.

The Supporting Statement [.DOCX download link] document provides more details about the ICR than was included in the preamble to the rule, including justification for each of the information collection requirements in the ICR. A separate web page provides links to the detailed information about each of the 15 information collection requirements under the rule.

Saturday, August 15, 2020

Public ICS Disclosure – Week of 8-8-20


This week we have 9 vendor disclosures for products from Schneider (6), Meinberg, B&R Automation and SICK. There were 7 updated vendor disclosures for products from Schneider (4), Siemens, GE Healthcare and Rockwell.

Schneider Advisories


Schneider published an advisory describing an improper privilege management vulnerability in their Modbus Serial Driver Component. The vulnerability was reported by Nicolas Delhaye of Airbus Cybersecurity. Schneider has a new version that mitigates the vulnerability. There is no indication that Delhaye has been provided an opportunity to verify the efficacy of the fix.

Schneider has published an advisory describing an improper restriction of excessive authentication attempts vulnerability in their spaceLYnk and Wiser for KNX products. The vulnerability was reported by Ismail Tasdelen. Schneider has a new version that mitigates the vulnerability. There is no indication that Tasdelen has been provided an opportunity to verify the efficacy of the fix.

Schneider has published an advisory describing an out-of-bounds write vulnerability in their Modicon M218 Logic Controller product. The vulnerability is self-reported. Schneider has a new firmware version that mitigates the vulnerability.

Schneider has published an advisory describing an improper input validation vulnerability in their PowerChute Business Edition software. The vulnerability was reported by Mateus Riad. Schneider has new versions that mitigate the vulnerability. There is no indication that Riad has been provided an opportunity to verify the efficacy of the fix.

Schneider has published an advisory describing the SweynTooth Bluetooth vulnerabilities in their Harmony® eXLhoist product. Schneider has a new base station firmware version that mitigates the vulnerabilities.

Schneider has published an advisory describing an incorrect default permission vulnerability in their SoMove application. The vulnerability was reported by Luis Alvernaz. Schneider has a new version that mitigates the vulnerability. There is no indication that Alvernaz has been provided an opportunity to verify the efficacy of the fix.

Meinberg Advisories


Meinberg published an advisory describing nine vulnerabilities in their LANTIME product including third-party vulnerabilities in ntp (4: Sec 3592, Sec 3596, Sec 3610, and Sec 3661) and OpenSSL (2: CVE-2019-1551 and CVE-2020-1967) services. The vulnerabilities are self-reported. Meinberg has new firmware that mitigates the vulnerabilities.

NOTE: There is publicly available exploit code for one of the OpenSSL vulnerabilities.

B&R Automation Advisory


B&R Automation published an advisory describing a TFTP Service DoS vulnerability in their Automation Runtime products. The vulnerability is self-reported. B&R has new versions that mitigate the vulnerability.

SICK Advisory


SICK published an advisory describing the Microsoft® SMB/RCE vulnerability in their MEAC central emission monitoring computer (EPC). SICK recommends implementing the appropriate Microsoft patch.

Schneider Updates


Schneider published an update for their Ripple20 advisory that was originally published on June 23, 2020 and most recently updated on July 29th, 2020. The new information includes updated affected version data and mitigation measures for Uninterruptible Power Supply (UPS) using NMC2.

Schneider published an update for their Vijeo Designer and Vijeo Designer Basic Software advisory that was originally published on May 12th, 2020. The new information includes updated mitigation measures for Vijeo Designer.

Schneider published an update for their Vijeo Designer and Vijeo Designer Basic advisory that was originally published on April 14th, 2020 and most recently updated on April 30th, 2020. The new information includes updated mitigation measures for Vijeo Designer V6.2 SP10.

Schneider published an update for their Modicon Controllers advisory that was originally published on May 14th, 2019 and most recently updated on May 12th, 2020. The new information includes:

• Additional fixes available for M580 v3.10
• For Quantum & Premium, the previous fix is not enough to correct the CVE; the additional mitigations proposed are required

Siemens Update


Siemens published an update for their GNU/Linux subsystem advisory that was originally published on November 27th, 2018 and most recently updated on July 14th, 2020. The new information includes adding the following CVEs:

• CVE-2019-19462,
• CVE-2019-20812,
• CVE-2019-20907,
• CVE-2020-0305,
• CVE-2020-10690,
• CVE-2020-10720,
• CVE-2020-10766,
• CVE-2020-10767,
• CVE-2020-10768,
• CVE-2020-12062,
• CVE-2020-12826,
• CVE-2020-13434,
• CVE-2020-13435, and
• CVE-2020-13871

NOTE: At this point it looks like Siemens is just adding new CVEs to this advisory without providing any information about fixes to the underlying product (SIMATIC S7-1500 CPU).

GE Healthcare Update


GE published an update for their SigRed advisory that was originally published on July 16th, 2020. The new information is a note that GE Healthcare will provide a workaround for affected versions of products using unsupported versions of Windows Server.

Rockwell Update


Rockwell published an update for their Studio 5000 Logix Designer advisory that was originally published on July 8th, 2020. The new information includes a new version of the product that mitigates the vulnerability.
