Wednesday, September 30, 2020

House Passes 3 DOE Cybersecurity Bills – 9-29-20

Yesterday the House considered three Department of Energy cybersecurity related bills under the suspension of the rules process. All three bills passed by voice vote.

The three bills were:

HR 359, the Enhancing Grid Security through Public-Private Partnerships Act,

HR 360, the Cyber Sense Act of 2019, and

HR 362, the Energy Emergency Leadership Act

I have not covered HR 362 here in this blog. It would amend 42 USC 7133(a); specifically adding ‘cybersecurity’ as one of the functions which would be assigned to one or more of the eight Assistant Secretaries in the Department.

Moving Forward

These three bills now move to the Senate for possible consideration. None of the bills is important enough in the grand scheme of things to be considered on the floor of the Senate under normal order (debate, amendment and multiple votes), especially this late in a COVID-19, election-year limited session. The only hope that these bills have for action in the Senate would be consideration under the unanimous consent process. The voice votes yesterday would seem to indicate that that could be possible.

Unfortunately, unanimous consent motions can be stopped by the objection of a single Senator. That objection would not necessarily have anything to do with the provisions of the bill but could be used as a lever for one or more Senators to have their way on some other legislative priority. I will be pleasantly surprised if any of these bills are considered in the Senate.

Commentary

Of the three bills, only HR 360 has the potential of accomplishing anything in the cybersecurity realm. The other two bills are Congressional ‘we did something’ bills that essentially reaffirm actions already taken by DOE.

But even HR 360 will be of limited effect since it is a voluntary program for vendors and utilities. The only real mandate is the prohibition on information sharing by DOE about vulnerabilities discovered during testing. Since vendors could still continue to sell the vulnerable devices (especially outside of the utility market), this could actually increase the risks for end users, even within the ‘protected’ electric sector.

Of course, the biggest drawback to HR 360 is the lack of funding for the proposed Cyber Sense program.

Bills Introduced – 9-29-20

Yesterday, with both the House and Senate in session, there were 65 bills introduced. One of those bills may receive additional coverage in this blog:

HR 8408 To direct the Administrator of the Federal Aviation Administration to require certain safety standards relating to aircraft, and for other purposes. Rep. DeFazio, Peter A. [D-OR-4]

I will be watching this bill for language and definitions that would include cybersecurity provisions in the safety standards. I am not holding my breath.

ISCD Update 8 FAQ Responses – 9-29-20

Yesterday the CISA Infrastructure Security Compliance Division (ISCD) updated the responses to eight frequently asked questions (FAQs) on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center web page. None of the changes were substantive nor did they reflect policy changes.

The following FAQ responses were revised:

FAQ #1557 What should a facility do if it believes the risk-based tier determination that the Cybersecurity and Infrastructure Security Agency (CISA) has assigned it no longer reflects the actual security risk posed to the facility?

FAQ #1579 How does a facility define itself if it has multiple buildings, yet only a few select buildings possess chemicals of interest (COI) that are subject to being regulated by the Chemical Facility Anti-Terrorism Standards (CFATS) regulation?

FAQ #1612 What type of nitrocellulose is reportable as a chemical of interest (COI)?

FAQ #1735 How can a corporation with multiple facilities regulated under the Chemical Facility Anti-Terrorism Standards (CFATS) request the corporate approach and what benefits does this provide the corporation?

FAQ #1754 Does a facility have to report temporary holdings of chemicals of interest (COI) at or above the screening threshold quantity (STQ)?

FAQ #1765 What does a facility need to do to comply with the Chemical Facility Anti-Terrorism Standards (CFATS) Personnel Surety Program (PSP) requirements that are in effect now that the program has been implemented?

FAQ #1787 How have covered chemical facilities generally complied with 6 CFR § 27.230(a)(12)(iii), which requires facilities to verify an affected individual is legally authorized to work?

FAQ #1793 When does a covered facility under the Chemical Facility Anti-Terrorism Standards (CFATS) program need to submit a revised or updated Top-Screen?

NOTE: The links provided for the FAQs in this post were copied from the CFATS Knowledge Center but may not work when followed from your machine. This is an artifact of that web site. If the links do not take you to the referenced FAQ you will have to use the ‘Advanced Search’ function on the page to link to the FAQ or download the ‘All FAQs’ document at the bottom of the ‘Advanced Search’ page.

The following changes were made in the referenced responses:

#1557 Corrected typographical error in question.

#1579 Editorial corrections and removes reference to CFATS final rule.

#1612 Replaces URLs with reference links.

#1735 Makes two paragraphs out of first paragraph.

#1754 Provides links to references and adds paragraph discussing fluctuating inventories.

#1765 Updated response to reflect the addition of Tier III and Tier IV facilities to Personnel Surety Program.

#1787 Replaces URLs with reference links.

#1793 Replaced ‘DHS’ with ‘CISA’ and removed red highlighting from last paragraph.

Tuesday, September 29, 2020

3 Advisories Published – 9-29-20

Today the CISA NCCIC-ICS published three control system security advisories for products from B&R Automation, Yokogawa, and MB Connect.

B&R Advisory

This advisory describes six vulnerabilities in the B&R SiteManager and GateManager products. The vulnerabilities were reported by Nikolay Sokolik and Hay Mizrachi. B&R has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• Path traversal - CVE-2020-11641,

• Uncontrolled resource consumption - CVE-2020-11642,

• Information exposure - CVE-2020-11643,

• Improper authentication - CVE-2020-11644,

• Uncontrolled resource consumption - CVE-2020-11645, and

• Information disclosure - CVE-2020-11646

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow for arbitrary information disclosure, manipulation, and a denial-of-service condition.

Yokogawa Advisory

This advisory describes a buffer copy without checking size of input vulnerability in the Yokogawa WideField3 PLC programming tool. The vulnerability was reported by Parity Dynamics. Yokogawa has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to terminate the program abnormally.

NOTE: I briefly discussed this vulnerability last Saturday.

MB Connect Advisory

This advisory describes four vulnerabilities in the MB Connect mymbCONNECT24 and mbCONNECT24 products. The vulnerabilities were reported by Otorio. MB Connect has newer versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• SQL injection (2) - CVE-2020-24569 and CVE-2020-24568,

• Cross-site request forgery - CVE-2020-24570, and

• Command injection – no CVE has been assigned.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow a remote attacker to gain unauthorized access to arbitrary information or allow remote code execution.

NOTE: I briefly discussed these vulnerabilities last Saturday.

Monday, September 28, 2020

House to Take Up 5 Cybersecurity Bills

This week the House is scheduled to take up 50 bills under the suspension of the rules process. Five of those bills are related to cybersecurity. The suspension of the rules process calls for limited debate and no amendment of the bill to be accepted from the floor. Bills are required to get a supermajority vote to pass.

The five cybersecurity bills are:

HR 359 – Enhancing Grid Security through Public-Private Partnerships Act, as amended (Rep. McNerney – Energy and Commerce)

HR 360 – Cyber Sense Act of 2020, as amended (Rep. Latta – Energy and Commerce)

HR 5760 – Grid Security Research and Development Act (Rep. Bera – Science, Space, and Technology)

HR 5780 – Safe Communities Act of 2020, as amended (Rep. Underwood – Homeland Security)

HR 5823 – State and Local Cybersecurity Improvement Act, as amended (Rep. Richmond – Homeland Security)

Only one of the bills being considered this week has been changed since it was adopted in committee. HR 359 has had the phrase “and other Federal agencies” removed from language requiring the DOE to consult with various organizations as “the Secretary determines appropriate”. This means that Congress does not want to even suggest that DOE might want to consult with CISA. This is an odd change.

The other oddity in this list is the inclusion of HR 5760. The language from this bill was mostly included in the recently passed HR 4447. That bill has little to no chance of being considered by the Senate. That means that taking up this bill in a stand-alone version would increase its chances of making it to the President’s desk for signature. It makes one wonder why it was added to HR 4447 in the first place; it might have been an attempt to politically buy the vote of Rep Weber (R,TX) who was a cosponsor of HR 5760. If so, it did not work; Weber was not one of the 7 Republicans to vote for the bill.

The House leadership expects each of these bills to pass this week with substantial bipartisan support. This means that there is some chance that the bills could be taken up by the Senate under their unanimous consent process. We will have to wait and see what kind of votes these bills actually get before we can assess what those chances might actually be.

Saturday, September 26, 2020

Public ICS Disclosures – Week of 9-19-20

This week we have two vendor disclosures about the CodeMeter vulnerabilities from Bosch and 3S. There are four vendor disclosures for products from Mitsubishi (2), Yokogawa, and Eaton. We also have two researcher reports for vulnerabilities in products from Siemens and Aveva.

CodeMeter Advisories

Bosch published an advisory describing the CodeMeter vulnerabilities in their Rexroth Products. Bosch recommends updating the CodeMeter software. One Bosch update is available to mitigate the vulnerabilities.

3S published an advisory [.PDF download link] describing the CodeMeter vulnerabilities in a number of their products. 3S has new versions of CODESYS V3 that mitigate the vulnerabilities.

NOTE: This advisory would seem to indicate that the universe of vulnerable products is much larger than previously thought. Vendors using CODESYS products would not have known to check for the CodeMeter vulnerability in their systems.

Mitsubishi Advisories

Mitsubishi published an advisory describing a TCP/IP stack session management vulnerability in a number of their products. The vulnerability was reported by Ta-Lun Yen of Trend Micro via the Zero Day Initiative. Mitsubishi has new versions that mitigate the vulnerability in many of the affected products. There is no indication that Ta-Lun has been provided an opportunity to verify the efficacy of the fix.

Mitsubishi published an advisory describing the Ripple20 vulnerabilities in the WiFi interface for a number of their products. Mitsubishi provides generic workarounds for the vulnerabilities.

NOTE: There is no overlap in the product lists for the two advisories which would indicate that two different TCP/IP stacks are being used.

Yokogawa Advisory

Yokogawa published an advisory describing a classic buffer overflow vulnerability in their FA-M3 Programming Tool. The vulnerability has been reported by Parity Dynamics. Yokogawa has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Eaton Advisory

Eaton published an advisory describing an uncontrolled search path element vulnerability in their 9000x programming and configuration software. The vulnerability was reported by Yongjun Liu. Eaton has a new version that mitigates the vulnerability. There is no indication that Yongjun has been provided an opportunity to verify the efficacy of the fix.

Siemens Report

Otorio published a blog post describing two vulnerabilities in the Siemens PCS 7 products. According to the post Siemens will provide instruction to avoid the vulnerabilities in the “next update of SIMATIC PCS 7 Compendium Part F”.

The two reported vulnerabilities are:

• A WinCC configuration flaw, and

• A PCS 7 configuration flaw.

NOTE: I cannot find a Siemens advisory that addresses similarly described vulnerabilities, but without a CVE number I cannot really be sure that Siemens has not addressed them.

Aveva Report

Talos published a report describing three vulnerabilities in the Aveva Enterprise Data Management Web data management platform. These vulnerabilities were previously disclosed by Aveva. The Talos report includes proof-of-concept code.

Friday, September 25, 2020

House Amends and Approves HR 4447 – Energy Bill

Yesterday the House completed their second day of deliberations on HR 4447, the revised and expanded version of the Expanding Access to Sustainable Energy Act of 2019. The amended bill passed by a largely partisan vote of 220 to 185 (18 Democrats voting Nay, 7 Republicans voting Yea). The bill included grid cybersecurity provisions taken in large part from HR 5760.

The one cybersecurity related amendment that was considered, Amendment 12, offered by Rep. Burgess (R,TX) was included as part of en bloc #3. It would have required DOE to “report to Congress on the effect of variable and distributed energy resources on the reliability of the electric grid, specifically pertaining to natural disasters and physical or cyber-attacks on the grid infrastructure” {H Rept 116-528 pg 7; text of amendment at page 56}. The six amendments considered in that vote failed by a voice vote.

With the bill passing on party lines, it is extremely unlikely that it will be taken up by the Senate.

Bills Introduced – 9-24-20

Yesterday, with both the House and Senate in session, there were 107 bills introduced. Two of those bills may receive additional coverage in this blog:

HR 8379 To require the Director of the Cybersecurity and Infrastructure Security Agency to establish cybersecurity guidance for small organizations, and for other purposes. Rep. Eshoo, Anna G. [D-CA-18]

S 4731 A bill to require the Director of the Cybersecurity and Infrastructure Security Agency to establish cybersecurity guidance for small organizations, and for other purposes. Sen. Rosen, Jacky [D-NV]

I suspect that these are companion measures with nearly identical language. I will be watching both bills for definitions and language that would include requirements for guidance on control system security, but I am not holding my breath.

Thursday, September 24, 2020

1 Update Published – 9-24-20

Today the CISA NCCIC-ICS published an update for a control system security advisory for products from 3S.

CODESYS Update

This update provides additional information on an advisory that was originally published on January 11th, 2013. The new information includes:

• Adding CODESYS Control RTE to list of affected products,

• For CVE-2012-6068, replaced the ‘CVSS v2 base score of 10.0’ with the ‘CVSS v3 base score of 9.8’ along with the associated changes in CVSS vector string, and

• For CVE-2012-6069, replaced the ‘CVSS v2 base score of 10.0’ with the ‘CVSS v3 base score of 10.0’ along with the associated changes in CVSS vector string.

The update is a bit more complicated than that as NCCIC-ICS partially updated the format of the advisory to reflect a number of editorial changes made in the last seven years.

Commentary

Okay, a little background is in order on this ancient (in cyber years, but not as ancient in control system years) advisory. The CVE-2012-6068 vulnerability was initially reported by Reid Wightman at AppSec DC in April 2012. Dale Peterson has an excellent write up of the importance of this vulnerability over on DigitalBond. ICS-CERT published an Alert about the vulnerability on April 6th, 2012 and then updated that Alert on October 26th, 2012 to reflect the publication of two exploit tools by Reid. Eventually (January 11th, 2013) ICS-CERT upgraded the Alert to the Advisory that was updated today. Oh, BTW, the 3S advisory for these vulnerabilities is no longer on their Security Reports web page; they only go back to February 14th, 2017.

It seems a little more than odd that 3S would add a product to the affected product list seven+ years later. They either just now realized that the product was affected even though it was apparently ‘fixed’ at the same time as the other two affected products were, or they knew all along and just did not want to tell anyone about the problem in that product since it had not been identified by Reid. In either case it just emphasizes the apparent lack of concern at 3S about device security. And that is very disconcerting given the number of other vendors that use these affected products.

Bills Introduced – 9-23-20

Yesterday, with both the House and Senate in session, there were 51 bills introduced. One of those bills may receive additional coverage in this blog:

HR 8350 To amend title 49, United States Code, regarding the authority of the National Highway Traffic Safety Administration over highly automated vehicles, to provide safety measures for such vehicles, and for other purposes. Rep. Latta, Robert E. [R-OH-5]

I will be watching this bill for language and definitions that address cybersecurity issues with automated vehicles. There is a short news article on this legislation on TheHill.com.

Wednesday, September 23, 2020

Bills Introduced – 9-22-20

Yesterday, with both the House and Senate in session, there were 46 bills introduced. Of those, one will receive additional coverage in this blog:

HR 8337 Making continuing appropriations for fiscal year 2021, and for other purposes. Rep. Lowey, Nita M. [D-NY-17]

This bill effectively replaces HR 8319 that I described yesterday as the FY 2021 continuing resolution (CR). The bill was taken up by the House under the suspension of the rules process and passed by a strongly bipartisan vote of 359 to 57 with one Democrat voting present. It will extend federal government spending through December 11th, 2020.

A quick look at the table of contents of the bill shows only one change; in Division D there was added a Title VI, Nutrition and Commodities Programs. Nothing that I can see in that title provides additional spending authority for the Commodity Credit Corporation (CCC) which was a White House priority. It does extend authorities for the SNAP program and COVID-19 modified school lunch programs. It also limits Commodity Credit Corporation payments to oil and gas providers.

A closer look at the document shows that the bill passed yesterday has an added §173 in Division A that provides authority for the Department of Agriculture to “reimburse the Commodity Credit Corporation for net realized losses sustained, but not previously reimbursed, as of September 17, 2020.”

These two changes should ensure that the bill will be taken up and passed by the Senate in abbreviated processes. There are no indications that the White House has any objections to this version of the Continuing Resolution.

Tuesday, September 22, 2020

2 Advisories Published – 9-22-20

Today the CISA NCCIC-ICS published two control system security advisories for products from GE.

Reason S20 Advisory

This advisory describes two cross-site scripting vulnerabilities in the GE Reason S20 Ethernet Switch. The vulnerabilities were reported by IOActive. GE has newer firmware versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow unauthorized accounts manipulation and allow for remote code execution.

APM Advisory

This advisory describes two vulnerabilities in the GE Digital APM Classic data analysis tool. The vulnerabilities were reported by Guido Marilli of Accenture Security. GE has a new version that mitigates the vulnerabilities. There is no indication that Marilli has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Authorization bypass through user-controlled key - CVE-2020-16240, and

• Use of a one-way hash without a salt - CVE-2020-16244

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow access to sensitive information. The GE Digital advisory states that “GE believes exploitation of the Vulnerabilities is only possible if an attacker was first authenticated.”

Bills Introduced – 9-21-20

Yesterday, with both the House and Senate in session, there were 29 bills introduced. One of those bills will receive additional attention in this blog:

HR 8319 Making continuing appropriations for fiscal year 2021, and for other purposes. Rep. Lowey, Nita M. [D-NY-17]

The House Rules Committee met yesterday to formulate the rule for the consideration of this bill (and 3 others). The rule provided for a closed debate on the bill with 1 hour of debate and no floor amendments. The bill will almost certainly pass in the House if it is actually brought to the floor.

Billed as a ‘clean CR’, this is a complex bill that includes language extending a number of programs that would expire on September 30th. There are news reports that Sen. McConnell opposes the bill because it does not include continued funding for the Commodity Credit Corporation (CCC), a White House priority. Rep. Conaway (R,TX) attempted to add language for that funding in the Rules Committee hearing on the bill, but the amendment was defeated.

There is a remote possibility that additional negotiations could result in that language being added to the bill during the floor consideration via a motion to recommit.

Monday, September 21, 2020

House to Consider Amended Version of HR 4447 – Grid Cybersecurity Additions

The House Rules Committee approved a substitute language amendment for HR 4447, the Expanding Access to Sustainable Energy Act of 2019, today. The new language is a greatly expanded version of the bill that was approved by the House Energy and Commerce Committee on September 9th. What was a 10 page bill reported by the Committee will be an 894 page bill that will be debated and amended on the floor of the House later this week. The new pages include, among a lot of other things, some minor grid cybersecurity provisions.

Cybersecurity Additions

Among the additions to the bill is Title V, Subtitle C, Part 3, Grid Security Research and Development. The new Part 3 includes three sections:

§5341. Amendment to Energy Independence and Security Act of 2007.

§5342. Critical infrastructure research and construction.

§5343. Conforming amendment.

Section 5341 is very similar to a provision in HR 5760 that would have required DOE to carry out “a research, development, and demonstration program to protect the electric grid and energy systems, including assets connected to the distribution grid, from cyber and physical attacks” {new §1313(a)}.

One apparently minor difference between the different versions of the proposed amendment to EISA is found in the outline of research areas of interest to be funded by the new research program in the new paragraph (b)(1). In the reported version of the bill it says:

“identify cybersecurity risks to the electricity sector, energy systems, and energy infrastructure;”

In the substitute language it was changed to read:

“identify cybersecurity risks to information systems within, and impacting, [emphasis added] the electricity sector, energy systems, and energy infrastructure;”

This actually brings the language more in line with the frequent references in the remainder of the sub-paragraph in both versions to ‘information systems’.

Section 5341 would also add the following sections to the EISA (similar to the sections added by HR 5760):

§1314. Grid resilience and emergency response,

§1315. Best practices and guidance documents for energy sector cybersecurity research,

§1316. Vulnerability testing and technical assistance to improve cybersecurity,

§1317. Education and workforce training research and standards,

§1318. Interagency coordination and strategic plan for energy sector cybersecurity research,

§1319. Report to congress, and

§1320. Definitions.

Finally, §5341 ends by authorizing appropriations for the program outlined in the section at the same levels as HR 5760 would have authorized.

Section 5342 is very similar to the provisions of an amendment that was made in Committee to HR 5760. It would require DOE to “establish and operate an Energy Sector Critical Infrastructure Test Facility” {§5342(c)}.

Section 5343 is a housekeeping amendment adding the new provisions to the EISA table of contents.

Amendments Authorized

The Rules Committee adopted a rule for the consideration of this bill (and two others) that allows for limited debate and approved amendments to be submitted from the floor. There has only been one cybersecurity related amendment that has been authorized to be offered on the floor of the House:

12. Burgess (TX): Requires the Secretary of Energy to report to Congress on the effect of variable and distributed energy resources on the reliability of the electric grid, specifically pertaining to natural disasters and physical or cyber-attacks on the grid infrastructure. (10 minutes)

Committee Hearings – Week of 9-20-20

This week, with both the House and Senate in session but looking to get back home for campaigning quickly, there will only be one hearing that addresses topics covered in this blog; that topic is cybersecurity.

State and Local Cybersecurity

On Tuesday the Federal Spending Oversight and Emergency Management Subcommittee of the Senate Homeland Security and Governmental Operations Committee will be holding a hearing on “State and Local Cybersecurity: Defending Our Communities from Cyber Threats amid COVID-19”. The witness list includes:

• Christopher Krebs, CISA,

• Denis Goulet, New Hampshire Department of Information Technology,

• Leslie Torres-Rodriguez, Hartford Public Schools,

• John Riggi, American Hospital Association, and

• Bill Siegel, Coveware, Inc

While State and local governments operate a wide range of operational technology, I really do not suspect that there will be much (if anything) in the way of mention of control system cybersecurity in this hearing.

On the Floor

It is likely that the House will take up a relatively clean continuing resolution (CR) to carry the funding of the federal government (at current spending levels) through at least until early December and possibly through to next year. The White House wants some money in the bill for the agriculture industry so the House may get one of their funding priorities as well, but one that the White House will not take strong objection to.

The House Rules Committee is scheduled to take up a spending bill this afternoon, but as I write this there is no language available for review.

The House needs to pass a CR early this week to allow the Senate to take action before the end of the month to avoid a government shutdown. At this point it looks like there is no major impediment to reaching a deal; neither side wants to appear to be responsible for a shutdown this close to the election.

The House is also scheduled to take up a large number of bills under suspension of the rules. For the most part these are non-partisan bills that members on both sides want to be able to tell voters that they supported. This could lead to some late night votes this week.

Saturday, September 19, 2020

CISA Announces Chemical Security Seminars

Sometime in the last week (can’t place it closer since CISA stopped dating web site changes) CISA updated their Chemical Security Summit web page to include a brief announcement about a planned series of Chemical Security Seminars in December. These seminars would replace the annual Chemical Security Summit that had been planned for July but was canceled due to the COVID-19 Pandemic.

The announcement is very brief. It only mentions that the current planning is for three ‘virtual’ seminars. More information, including agenda and registration links, will be forthcoming.

Public ICS Disclosures – Week of 9-12-20

This week we have four disclosures for CodeMeter vulnerabilities for products from ABB and Rockwell. There are also three vendor disclosures for products from MB Connect Line, HiSilicon, and B&R. There are 21 researcher reports for vulnerabilities in products from Fuji Electric (20) and Sierra Wireless.

CodeMeter Advisories

ABB published an advisory for the CodeMeter vulnerabilities in their Automation Builder product. ABB provides generic workarounds while it continues to investigate the vulnerabilities.

ABB published an update for their CodeMeter advisory for ABB Products. The new information includes providing a link to the advisory described above.

ABB published an update for their CodeMeter advisory for ABB Drives applications. The new information includes changing the recommended version of CodeMeter for Windows application to version 7.10a.

Rockwell published an update for their CodeMeter advisory for FactoryTalk Activation Manager. The new information includes:

• Updated mitigation information, and

• Updated CodeMeter version information

MB Advisory

CERT-VDE published an advisory describing four vulnerabilities in the mymbCONNECT24 and mbCONNECT24 products. The vulnerabilities were reported by Otorio. MB has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Blind SQL injection - CVE-2020-24569 and CVE-2020-24568,

• SSRF/CSRF - CVE-2020-24570, and

• Unauthenticated RCE – no CVE assigned

HI-Silicon Advisory

Incibe-cert published an advisory describing five vulnerabilities in the IPTV / H.264 / H.265 video encoders based on HiSilicon Hi3520d hardware. The vulnerabilities were reported by Alexei Kojenov; the report contains proof-of-concept code. Affected manufacturers include:

• URayTech;

• J-Tech Digital;

• VeCASTER PRO from Pro Video Instruments.

The five reported vulnerabilities include:

• Backdoor password - CVE-2020-24215 and CVE-2020-24218,

• Path traversal - CVE-2020-24219,

• Unauthenticated file uploads - CVE-2020-24217,

• Buffer overflow - CVE-2020-24214, and

• Unauthorized access to video streaming through RTSP - CVE-2020-24216

B&R Advisory

B&R published an advisory for the Ripple20 vulnerabilities in their products. They report that none of their products are affected by these vulnerabilities.

Fuji Electric Reports

Kimiya published 20 reports (ZDI-20-1184 through ZDI-20-1204) of vulnerabilities in the Fuji Electric Tellus Lite product. The vulnerabilities were reported to ‘ICS-CERT’ (presumably, NCCIC-ICS) by the Zero Day Initiative back in April. These are apparently separate vulnerabilities from the 14 that were reported last week. The reported vulnerabilities include:

• Stack-based buffer overflow,

• Out-of-bounds write, and

• Out-of-bounds read

Sierra Wireless Report

Ruben Santamarta published a blog post describing two vulnerabilities in Sierra Wireless AirLink products. Sierra Wireless has published an advisory [.PDF download link] for these vulnerabilities. The blog post includes proof-of-concept code.

The two reported vulnerabilities are:

• Privilege escalation - CVE-2020-8781, and

• Remote code execution - CVE-2020-8782

Friday, September 18, 2020

ISCD Updates 2 FAQ Responses – 9-18-20

 Today the CISA Infrastructure Security Compliance Division (ISCD) updated the responses to two Frequently Asked Questions (FAQs) on their Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. The changes were non-substantive, editorial changes.

The following FAQ responses were revised today:

FAQ #1554 Does the Cybersecurity and Infrastructure Security Agency (CISA) have enforcement authority to fine non-compliant facilities, to include shutting down a facility?

FAQ #1557 What should a facility do if it believes the risk-based tier determination that the Cybersecurity and Infrastructure Security Agency (CISA) has assigned it no longer reflects the actual security risk posed to the facility?

NOTE: The links provided for the FAQs in this post were copied from the CFATS Knowledge Center but may not work when followed from your machine. This is an artifact of that web site. If the links do not take you to the referenced FAQ you will have to use the ‘Advanced Search’ function on the page to link to the FAQ or download the ‘All FAQs’ document at the bottom of the ‘Advanced Search’ page.

The following changes were made in the referenced responses:

#1554 Changes ‘DHS’ to ‘CISA’, and substitutes document links for URLs

#1557 Changes ‘DHS’ to ‘CISA’, revises the ISCD mailing address, and substitutes document links for URLs

Since this address change is being made in a number of FAQ responses, I am providing the new ISCD snail mail address:

Department of Homeland Security
Cybersecurity and Infrastructure Security Agency
Infrastructure Security Division
Chemical Security
245 Murray Lane, SW Mail Stop 0610
Arlington, VA 20528

Bills Introduced – 9-17-20

Yesterday, with both the House and Senate in session, there were 75 bills introduced. One of those bills may receive additional coverage in this blog:

HR 8309 To authorize certain authorities of the Department of Homeland Security, and for other purposes. Rep. Rogers, Mike D. [R-AL-3] 

I will be watching this bill for language that addresses cybersecurity or chemical security authorities. I am not really expecting to find it, but the information provided is too vague to be sure.

Thursday, September 17, 2020

2 Advisories and 1 Update Published – 9-17-20

 Today the CISA NCCIC-ICS published one control system security advisory for products from Advantech, a medical device security advisory for products from Philips, and updated an advisory for products from WIBU-Systems.

Advantech Advisory

This advisory describes an incorrect permission assignment for critical resource vulnerability in the Advantech WebAccess Node HMI platform. The vulnerability was reported by Mat Powell via the Zero Day Initiative. Advantech has a new update that mitigates the vulnerability. There is no indication that Powell has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to escalate their privileges.

Philips Advisory

This advisory describes five vulnerabilities in the Philips Clinical Collaboration Platform. The vulnerabilities were reported by Northridge Hospital Medical Center. Philips has a patch that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• Cross-site request forgery - CVE-2020-14506,

• Improper neutralization of script in attributes in a web page - CVE-2020-14525,

• Protection mechanism failure - CVE-2020-16198,

• Algorithm downgrade - CVE-2020-16200, and

• Configuration - CVE-2020-16247

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to allow an attacker to trick a user into executing unauthorized actions or provide the attacker with identifying information that could be used for subsequent attacks.

WIBU-Systems Update

This update provides additional information on an advisory that was originally published on September 8th, 2020. The new information includes:

• Affected version information,

• Links to additional affected vendor advisories for:

CODESYS,

PEPPERL+FUCHS,

PILZ,

Phoenix Contact, and

WAGO

NOTE: I identified all but the CODESYS advisory in a post last weekend. In addition, I also noted that ABB published four CodeMeter advisories.

HR 1668 – Review of Text Passed in House

 As I noted Tuesday night, the House passed a version of HR 1668, the Internet of Things (IoT) Cybersecurity Improvement Act of 2020, that was different from both the introduced and reported versions of the bill. Yesterday the GPO printed the version of the bill that was passed by the House. In this post I will look at the differences between the version reported out of the House Oversight and Reform Committee and the version passed in the House.

Sense of Congress

The passed bill inserted a new §2, Sense of Congress, in the bill. That new section lays responsibility for cybersecurity of the executive branch with the President working through the Director of the OMB and the Secretary of Homeland Security. It further makes the claim that “the strength of the cybersecurity of the Federal Government and the positive benefits of digital technology transformation depend on proactively addressing cybersecurity throughout the acquisition and operation of Internet of Things devices by the Federal Government” {§2(3)}.

Finally, it provides a description of ‘Internet of Things devices’ taken from the January 7th, 2020 draft of National Institute of Standards and Technology internal report 8259. The description in that draft report states:

“The IoT devices in scope for this publication [emphasis added] have at least one transducer (sensor or actuator) for interacting directly with the physical world and at least one network interface (e.g., Ethernet, Wi-Fi, Bluetooth, Long-Term Evolution [LTE], Zigbee, Ultra-Wideband [UWB]) for interfacing with the digital world. The IoT devices in scope for this publication [emphasis added] can function on their own and are not only able to function when acting as a component of another device, such as a processor.”

Note: the text emphasized above was not included in the description provided in §2(4).

Definitions

Section 2 of the reported bill included definitions of the following terms:

• Agency,

• Covered device,

• Director of OMB,

• Director of the Institute [National Institute of Standards and Technology (NIST)], and

• Security vulnerability.

Section 3 of the passed bill does not include definitions of ‘covered device’. It adds definitions for the following terms:

• Information system [IT-limited definition from 44 USC 3502],

• National security system,

• Operational technology, and

• Secretary [of Homeland Security].

Ongoing NIST Activities

The reported bill contained a §3, Completion of Ongoing Efforts Relating to Considerations for Managing Internet of Things Cybersecurity Risks. This section included a requirement for NIST to publish a report on “the following considerations for covered devices”:

• Secure development,

• Identity management,

• Patching, and

• Configuration management.

This section was not included in the passed version of the bill.

Security Standards

Section 4(a) of the reported bill required NIST (within 6 months) to publish guidelines under 15 USC 278g-3 on {§4(a)}:

• The appropriate use and management by the agencies of covered devices owned or controlled by the agencies, and

• Minimum information security requirements for managing security vulnerabilities associated with such devices.

Section 4(b) then went on to require the Cybersecurity and Infrastructure Security Agency (CISA) to establish standards based upon those guidelines for “covered devices owned or controlled by agencies, except those considered national security systems” {§4(b)(1)(A)}.

In the passed version of the bill, NIST is required (within 90 days) to develop and publish (again under §278g-3) “standards and [emphasis added] guidelines for the Federal Government on the appropriate use and management by agencies of Internet of Things devices owned or controlled by an agency and connected to information systems owned or controlled by an agency, including minimum information security requirements for managing cybersecurity risks associated with such devices” {§4(a)(1)}.

The OMB is then (within 180 days of the establishment of the ‘standards and guidelines’) required to review “agency information security policies and principles” for IoT based upon the NIST-developed standards and guidelines; again with an exception for ‘national security systems’.

Petition to Exclude Devices

Section 5 of the reported bill would have required the OMB to establish a process for agencies to petition to have devices not designated as ‘covered devices’ subject to the guidelines established by NIST or standards established by CISA.

There are no comparable requirements in the passed version of the bill.

Coordinated Disclosure

Section 6 of the reported bill would have required NIST to develop guidelines “for the reporting, coordinating, publishing, and receiving of information about” {§6(a)(1)} security vulnerabilities for a covered device owned, or controlled, by an agency (or a contractor providing a covered device to an agency) and the resolution of such vulnerabilities. The developed guidelines should align with ISO 29147 and ISO 30111 {§6(b)(2)}. The guidelines for contractors would include information on “on the type of information about security vulnerabilities that should be reported to the Federal Government, including examples thereof” {§6(a)(3)}.

Section 5 of the passed bill includes similar language except that instead of ‘covered device’ the section refers to “information systems owned or controlled by an agency (including Internet of Things devices owned or controlled by an agency)”. In addition to the requirement that the guidelines align with the two ISO documents mentioned in the reported bill, §5 requires that the guidelines are “consistent with the policies and procedures produced” {§5(b)(3)} under the coordinated disclosure requirements of 6 USC 659(m). The requirement for contractor reporting was not included. Finally, §5 concludes with establishing that DHS will be responsible for “the implementation of the guidelines published” under this section.

The passed version of the bill includes an additional section (§6) addressing the implementation of the coordinated disclosure guidelines. Section 6(a) requires the OMB (within 2 years) to “develop and oversee the implementation of policies, principles, standards, or guidelines as may be necessary to address security vulnerabilities of information systems (including Internet of Things devices).” Section 6(b) requires DHS to “provide operational and technical assistance to agencies on reporting, coordinating, publishing, and receiving information about security vulnerabilities of information systems (including Internet of Things devices).”

Operational Technology

Section 8 of the passed bill has no counterpart in the reported bill. It requires GAO (within one year) to brief Congress “on broader Internet of Things efforts, including projects designed to assist in managing potential security vulnerabilities associated with the use of traditional information technology devices, networks, and systems” {§8(a)} with IoT devices and operational technology devices, networks, and systems.

Moving Forward

The passage of this bill by a voice vote indicates that there is some level of bipartisan support for this bill. This is important because a bill of this sort is not ‘important’ enough to be considered under the normal debate and amendment process in the Senate. This late in the session the only way that this bill would be considered in the Senate is under the unanimous consent process. Unfortunately, the only way that a bill makes it through that process is for not one single Senator to voice opposition to the bill. I suspect that this bill could make it through such a process, but it could be blocked by a Senator making a point about, or needing support for, something completely unrelated to this bill.

Commentary

First, let me address the unusual way this was brought to the floor in the House. Rep Maloney (D,NY) was the one who actually brought the bill to the floor for consideration. She began the consideration process by saying: “Mr. Speaker, I move to suspend the rules and pass the bill (H.R. 1668) to leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices, and for other purposes, as amended.”

That phrase ‘as amended’ can be used to cover a wide variety of situations. Typically, it is used to describe a bill that has been amended in the Committee process. It is used from time to time to include a bill that has been amended outside of the process by committee leadership when new information has become available, when changes are necessary to get some additional floor support for the bill, or to better reflect the intent of the leadership. I suspect that in this case the final reason was the primary driver of the changes being made to the bill. Maloney is the Chair of the House Oversight and Government Reform Committee.

Looking at the bill as passed, it is clear that Maloney is not really interested in IoT cybersecurity. The lack of a definition of the term ‘Internet of Things device’, the discussion in §2 notwithstanding, indicates how little Maloney cares about IoT. The changes to the bill, while still including multiple references to ‘IoT devices’, make this a bill about information system cybersecurity. It provides a small incremental increase in the authority of OMB and DHS to address information system cybersecurity and expands the authority for DHS to continue its recent mandate for government agencies to implement vulnerability disclosure programs.

The addition of §8 of the bill reflects Maloney’s future commitment to the authors and supporters of the bill that passed in Committee that the Committee will continue to look at IoT cybersecurity and actually adds the expanded topic of control system security to that future consideration.

Bills Introduced – 9-16-20

 Yesterday, with both the House and Senate in session, there were 47 bills introduced. One of those bills may receive additional coverage in this blog:

S 4598 A bill to provide for assistance for small manufacturers in the defense industrial supply chain on matters relating to cybersecurity. Sen. Rosen, Jacky [D-NV]

I will be watching this bill for language and definitions that would address control system cybersecurity issues.

Wednesday, September 16, 2020

CISA Changes Policy on Dating Web Pages

 Up until yesterday the CISA web pages for the Chemical Facility Anti-Terrorism Standards (CFATS) all carried ‘last published’ date information near the top of the page. Yesterday that information was removed from the CFATS web site pages.

The landing page for the CFATS program was last previously changed on September 14th, 2020. On that date the following information was included just below the page title:

“Original release date: July 06, 2009 | Last revised: September 14, 2020”

That information was removed from the page yesterday.

Now CISA ‘owns’ their web site and can put whatever information they want on their pages, presumably so long as the sites are factually correct. And this ‘dating’ information has come and gone on the CFATS web site frequently. So why this complaint?

The CFATS web site provides information to the general public and the regulated public about the CFATS program. It explains the ins and outs of the CFATS regulations and describes changes that are both being considered for the program and those that have been made. When changes are made to the web pages, they reflect changes in the program that people should be aware of.

Unfortunately, CISA does an absolutely awful job of announcing or explaining changes to their web site. For example, the change to the landing page that was made on September 14th was the removal of the Twitter® handle for Brian Harrell (@CISAHarrell) in the second paragraph of the page. This was done because Harrell is no longer part of CISA, having returned to the private sector. Fortunately, with the change in the ‘last revised’ date, I was able to go back and compare the previous version of the page and find out what changed.

With 45 separate pages currently listed on the CISA ‘site map’ as being associated with ‘Chemical Security’, there is no way that the average person (or even a CFATS geek like me) can keep up with each page by inspection to see when data changes. Changes to the ‘last revised’ date provide a tool that can be used to make that ‘inspection’ easier.

I really think that CISA owes it to the regulated community to provide an announcement when changes are made to the site (probably on the CFATS Knowledge Center, which, BTW, is not listed on the CISA site map since it is independently maintained by the Infrastructure Security Compliance Division). Lacking that, a return to including date of change information on each page should be the minimum standard that CISA uses for web site maintenance.
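When a site stops carrying a ‘last revised’ date, the reader is left to detect changes on their own. The script below is an added example, not code from the original post or from CISA; it fingerprints the visible text of a page snapshot (ignoring markup, scripts and whitespace-only churn) and produces a line diff between two snapshots. The two HTML snapshots are constructed stand-ins for a landing page before and after a revision; the page text and the @EXAMPLE-HANDLE placeholder are illustrative, not copies of the real CFATS page.

```python
"""Detect content changes on a web page without relying on a 'Last revised' line.

Added example, not part of the original post or CISA's own tooling. The two
HTML snapshots below are constructed stand-ins for a page before and after a
revision; their wording and the @EXAMPLE-HANDLE placeholder are illustrative.
"""
import difflib
import hashlib
from html.parser import HTMLParser
from typing import List


class _TextExtractor(HTMLParser):
    """Collect visible text, skipping the bodies of <script> and <style>."""

    def __init__(self):
        super().__init__()
        self._skip = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def visible_text(html: str) -> List[str]:
    """Return the page's visible text as normalized, non-empty lines."""
    parser = _TextExtractor()
    parser.feed(html)
    lines = []
    for chunk in parser.chunks:
        for line in chunk.splitlines():
            line = " ".join(line.split())  # collapse runs of whitespace
            if line:
                lines.append(line)
    return lines


def fingerprint(html: str) -> str:
    """SHA-256 over the normalized visible text, so markup-only edits are ignored."""
    body = "\n".join(visible_text(html)).encode("utf-8")
    return hashlib.sha256(body).hexdigest()


def changed(old_html: str, new_html: str) -> bool:
    """True when something a reader can see differs between the snapshots."""
    return fingerprint(old_html) != fingerprint(new_html)


def text_diff(old_html: str, new_html: str) -> List[str]:
    """Unified diff of the visible text; empty when nothing visible changed."""
    return list(difflib.unified_diff(visible_text(old_html), visible_text(new_html),
                                     fromfile="previous", tofile="current", lineterm=""))


# Constructed snapshots (illustrative, not the real page content).
SNAPSHOT_BEFORE = """<html><head><title>CFATS</title>
<script>var tracking = 1;</script></head>
<body><h1>Chemical Facility Anti-Terrorism Standards</h1>
<p>Original release date: July 06, 2009 | Last revised: September 14, 2020</p>
<p>Follow the program on Twitter at @EXAMPLE-HANDLE for updates.</p>
<p>CFATS identifies and regulates high-risk chemical facilities.</p>
</body></html>"""

SNAPSHOT_AFTER = """<html><head><title>CFATS</title>
<script>var tracking = 2;</script></head>
<body><h1>Chemical   Facility Anti-Terrorism Standards</h1>
<p>Follow the program on Twitter for updates.</p>
<p>CFATS identifies and regulates high-risk chemical facilities.</p>
</body></html>"""


if __name__ == "__main__":
    # Usage: keep the previous snapshot on disk, fetch the current page, compare.
    if changed(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print("\n".join(text_diff(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)))
    else:
        print("no visible change")
```

Hashing the extracted text rather than the raw HTML is what keeps the monitor quiet when only a tracking script or page layout changes; the diff then shows exactly which sentences were removed or added, which is the comparison the post describes doing by hand against the previous ‘last revised’ version.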

Tuesday, September 15, 2020

HR 1668 Passed in House – IoT Cybersecurity


Today the House took up HR 1668, the Internet of Things (IoT) Cybersecurity Improvement Act of 2019, under the suspension of rules provisions. The bill was passed by a voice vote. The House Oversight and Reform Committee amended and adopted the bill back in June, but it does not appear that that was the version of the bill that was passed by the House today.

A quick look at the version of the bill printed in the Congressional Record [pg H4351] shows some significant differences from the introduced version and the substitute language taken up by the Committee. A quick-look listing of some of the differences includes:

• Passed version contains a ‘Sense of Congress’ section 2,

• Passed version does not include a definition of ‘covered device’, and

• Passed version adds definitions for ‘operational technology’ and ‘information system’.

According to yesterday’s Congressional Record, the House Oversight and Reform Committee published their Report on the bill yesterday, but an official version of the Report has not yet been published by the GPO. A reported version of the bill is, however, available, and it does not look like the version passed in the House yesterday.

I will have more on this as I get more information.

1 Update Published – 9-15-20

 Today the CISA NCCIC-ICS updated one control system security advisory for products from ENTTEC.

ENTTEC Update

This update provides additional information on an advisory that was originally published on June 25th, 2020. The new information includes:

• Added the fact that E-Streamer Mk2 was end-of-life (and not supported), and

• Provided information on updated firmware that mitigates the vulnerabilities

No indication that Cross (the researcher reporting vulnerabilities) was provided an opportunity to verify the efficacy of the fix.

ISCD Publishes 2 New Fact Sheets – 9-15-20

Today the CISA Infrastructure Security Compliance Division (ISCD) published two new Fact Sheets on their Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. They also revised a Frequently Asked Question (FAQ) and four responses to FAQs.

New Fact Sheets

ISCD published two new Fact Sheets as part of their outreach program. The two new fact sheets are:

• Protect Chemicals at Warehouse, Storage, and Distribution Facilities From Use in a Terrorist Attack

• CFATS: Top-Screens for Dynamic Business Operations

The warehouse fact sheet is part of the ISCD’s industry outreach program, providing information about the CFATS program and how warehousing facilities are affected by the program. This is very similar in concept and information to previously published industry outreach fact sheets. One small nit to pick with the information provided: the list of ‘common chemicals of interest (COI)’ includes ‘anhydrous ammonia’; probably more commonly found in warehouse operations would be ‘ammonia (concentration 20% or greater)’.

The dynamic business operations fact sheet is another look at a topic that was discussed here last week. The information provided in this new fact sheet is very similar to the information provided in the relatively new CSAT Top Screen Submissions Tips page.

Revised FAQ – Ammonium Nitrate

While ISCD has been revising a number of FAQs over the last couple of months to make them more useful, every once in a while they actually change one of the questions being asked, which generally requires a significant rewrite of the response. Such was the case today when FAQ #1228 was changed.

• Old question - How is the Screening Threshold Quantity (STQ) calculated for Ammonium Nitrate (AN)?

• New question - How is the screening threshold quantity (STQ) calculated for ammonium nitrate (AN) [with more than 0.2 percent combustible substance, including any organic substance calculated as carbon, to the exclusion of any other added substance]?

NOTE: The links provided for the FAQs in this post were copied from the CFATS Knowledge Center but may not work when followed from your machine. This is an artifact of that web site. If the links do not take you to the referenced FAQ you will have to use the ‘Advanced Search’ function on the page to link to the FAQ or download the ‘All FAQs’ document at the bottom of the ‘Advanced Search’ page.

The difference is important because there are two different listings for ‘ammonium nitrate’ in the list of DHS Chemicals of Interest (COI): ammonium nitrate, the explosive (where the ‘more than 0.2%...’ language applies) and ammonium nitrate, the potential explosive precursor. The original FAQ did not really distinguish between the two and this made the Response a tad bit confusing. Instead of just taking the easy way out and revising the response to address the precursor form of the AN, ISCD revised the question, expanded the answer and, in my opinion, just made matters more confusing, but then again AN is confusing.

AN, the fertilizer, is the ‘non-explosive’ form of the chemical. I know, Beirut and West, TX were big (big is a massive understatement in the case of Beirut) explosions of AN. Perhaps ISCD should skip the two listings (would take a rule change) for AN and treat both forms of the material as an explosive for security purposes. It would still have the release-explosive and theft/diversion security classifications and STQs, but it would clear up a lot of the confusion. And let’s face it; a smart terrorist could craft an attack on an ammonium nitrate fertilizer storage that would result in a massive explosion.

Revised FAQ Responses

ISCD revised the responses for the following FAQs:

FAQ #1272 Who is responsible for submitting a Top-Screen in situations where chemicals of interest are located on property that is leased by a tenant from a landlord?

FAQ #1405 How will I know if the agricultural extension has been lifted and what to do next?

FAQ #1456 Should release chemicals of interest (COI) presently in process or chemicals that are by-products be considered when calculating COI quantities toward the screening threshold quantity (STQ)?

FAQ #1541 How does a facility count the amount of a release-flammable mixture that is a fuel with a National Fire Protection Association (NFPA) rating of 1, 2, 3, or 4 if it is stored in an aboveground tank farm (including farms that are part of pipeline systems)?

For the most part these changes were non-substantive changes made for clarification purposes; no changes in policy or procedure were included. The changes were:

#1272 Added a reference link and additional explanatory language (2nd paragraph),

#1405 Changed URL to document link,

#1456 Removed reference to ‘total onsite quantity (TOQ)’, and

#1541 Added comments about the gasoline Top Screen extension (2nd paragraph).

Bills Introduced – 9-14-20


Yesterday with both the House and Senate in session there were 24 bills introduced. Two of those bills may receive additional coverage in this blog:

HR 8239 To facilitate the development and distribution of forensic science standards by establishing in the National Institute of Standards and Technology the Organization of Scientific Area Committees for Forensic Science, and for other purposes. Rep. Johnson, Eddie Bernice [D-TX-30] 

S 4568 A bill to facilitate the development and distribution of forensic science standards by establishing in the National Institute of Standards and Technology the Organization of Scientific Area Committees for Forensic Science, and for other purposes. Sen. Wicker, Roger F. [R-MS]

I will be watching these apparent companion bills by the two respective science committee chairs for language including cyber forensics in the list of ‘Area Committees for Forensic Science’.

Sunday, September 13, 2020

Public ICS Disclosures – Part II


This week also included the latest tranche of advisories and updates from Siemens. Most of those were addressed by NCCIC-ICS, but three updates from Siemens were not covered.

GNU/Linux Update

Siemens published an update for their advisory on GNU/Linux vulnerabilities in their SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP. The advisory was originally published in 2018 and most recently updated on August 11th, 2020. The new information includes adding the following CVEs:

• CVE-2020-8620,

• CVE-2020-8621,

• CVE-2020-8622,

• CVE-2020-8623,

• CVE-2020-8624, and

• CVE-2020-16166

NOTE 1: Siemens periodically updates the firmware for this device, mitigating vulnerabilities as it does so. The advisory still shows existing vulnerabilities dating back to 2015 in the most current firmware version.

NOTE 2: NCCIC-ICS has not published an advisory for these Siemens vulnerabilities.

SIMATIC Update

Siemens published an update for their SIMATIC, SIMOCODE, SINAMICS, SITOP, and TIM advisory that was originally published on December 10th, 2019 and most recently updated on August 11th, 2020. The new information includes information about successor products for SIMATIC RF180C and RFID 181EIP.

NOTE: There is an NCCIC-ICS advisory for the vulnerability described in the Siemens update.

PROFINET-IO Update

Siemens published an update for their PROFINET-IO advisory that was originally published on February 11th, 2020 and most recently updated on August 11th, 2020. The new information includes information about successor products for SIMATIC RF180C and RFID 181EIP.

NOTE: There is an NCCIC-ICS advisory for the vulnerability described in the Siemens update.

Commentary

The last two updates had corresponding NCCIC-ICS advisories that were not updated. Both Siemens advisories included the same information:

“For SIMATIC RF180C and RF182C: migrate to a successor product within the SIMATIC RF18xC/CI family, V1.3 or later version. For details refer to the notice of discontinuation.”

I am not sure why NCCIC-ICS would not consider this to be a valuable piece of mitigation information for users of these devices. I hope that this was simply an oversight on the part of NCCIC-ICS that will be corrected in the coming week.

Saturday, September 12, 2020

Public ICS Disclosure – Week of 9-2-20

We have eight vendor notifications about the CodeMeter vulnerabilities reported earlier this week by NCCIC-ICS, from Phoenix Contact, PEPPERL+FUCHS, WAGO, ABB, and Pilz. We also have four vendor notifications from Schneider, Moxa, Medtronic, and BD. There is a vendor update from Mitsubishi. We have a researcher report of 0-day vulnerabilities for products from Fuji Electric.

CodeMeter Advisories

Phoenix Contact published an advisory for the CodeMeter vulnerabilities. They listed their affected products and announced a new version of their Activation Wizard that mitigates the vulnerabilities.

VDE-CERT published an advisory for the CodeMeter vulnerabilities in products from PEPPERL+FUCHS. It provides a list of affected products and recommends implementing the WIBU Systems update.

VDE-CERT published an advisory for the CodeMeter vulnerabilities in products from WAGO. It reports that the e!COCKPIT engineering software is bundled with the CodeMeter software. VDE-CERT notes that WAGO will update their e!COCKPIT setup routine later this year.

ABB published four CodeMeter advisories for the following products:

General information,

AC 800PEC platform,

Ability™ Operations Data Management zenon, and

ABB Drives applications

Pilz published an advisory for the CodeMeter vulnerabilities. It provides a list of affected products and recommends using the current version of CodeMeter.

Schneider Advisory

Schneider published an advisory describing five vulnerabilities in their SCADAPack remote connect and security administrator applications. The vulnerabilities were reported by Amir Preminger of Claroty. Schneider has new versions that mitigate the vulnerabilities. There is no indication that Preminger has been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• Deserialization of untrusted data - CVE-2020-7528 and CVE-2020-7532,

• Path traversal - CVE-2020-7529,

• Improper authorization - CVE-2020-7530, and

• Improper access control - CVE-2020-7531

Moxa Advisory

Moxa published an advisory for the BootHole vulnerability. Moxa reports that none of its products are affected.

Medtronic Advisory

Medtronic published an advisory describing the SweynTooth vulnerabilities in a number of their products. Medtronic reports that they remediated these vulnerabilities when they did their software update in June 2020.

BD Advisory

BD published an advisory describing the SigRed vulnerabilities in a number of their products. BD recommends ensuring that the appropriate Microsoft® patches have been applied.

Mitsubishi Update

Mitsubishi published an update for their MC Works advisory that was originally published on June 18th, 2020. The new information includes links for security patches for MC Works64 Version 4.00A - 4.02C.

Fuji Electric Reports

Kimiya published 14 reports (ZDI-20-1103 through ZDI-20-1117) of vulnerabilities in the Fuji Electric Tellus Lite product. The vulnerabilities were reported to ‘ICS-CERT’ (presumably, NCCIC-ICS) by the Zero Day Initiative back in April.

The vulnerabilities include:

• Stack-based buffer overflow,

• Out-of-bounds write, and

• Out-of-bounds read

Bills Introduced – 9-11-20


Yesterday with the House meeting in pro forma session (and the Senate off for the weekend) there were 46 bills introduced. One of these bills may receive future coverage in this blog:

HR 8223 To amend the Homeland Security Act of 2002 to promote evidence-based controls for defending against common cybersecurity threats and cybersecurity risks, and for other purposes. Rep. Katko, John [R-NY-24]

I will be watching this bill for language and definitions that would include industrial control systems.

Friday, September 11, 2020

CSB Addresses Combustible Dust Hazards


Yesterday the Chemical Safety and Hazard Investigation Board published a new document in its ongoing campaign to prevent combustible dust incidents. Not only was the document ‘new’ in a timeliness sense, but it is a new format for the CSB; a ‘Learning Review’ document.

Methodology

On October 24th, 2018 the CSB issued a ‘call to action’ “to gather comments on the management and control of combustible dust from companies, regulators, inspectors, safety training providers, researchers, unions, and the workers affected by dust-related hazards.” As a result, the CSB received comments from 57 different entities about the problems and perceptions associated with the combustible dust problem.

The results were provided to Dynamic Inquiry LLC for review. That company used a relatively new investigation technique called a “learning review” to analyze the responses. There is a brief discussion of that technique here and a paper on the topic here. In short, the technique tries to avoid a linear assessment of ‘blame’, but rather tries to determine:

• Why did it make sense for those workers to do what they did at that time?

• Were their choices part of otherwise normal operation?

• How can we change those processes to make the facility safer?

In this case, instead of looking at the facts associated with a single incident, Dynamic Inquiry took the comments from the 57 ‘call to action’ responses as the database upon which they assessed the problem of how to address the combustible dust problem.

Results

The Conclusion of the study determined that (pg 29):

“Replies from this voluntary outreach revealed many industry assumptions and challenges and also offered suggestions for improvement. Important and innovative topics emerged through the sensemaking phase of the Learning Review.”

It went on to explain what new information the various parts of the study identified, including:

• Barriers to improvement explored how individuals and organizations approach risk.

• Controls examined the efficacy of traditional approaches to risk and hazard management.

• Reporting identified the importance of creating psychological safety in the workforce to facilitate the open sharing of information.

• Language and Communication revealed that even the words used to describe combustible dust can introduce vulnerabilities to the system and that effective communication within and between facilities is essential for safe practices.

• Learning was shown to be a function of the willingness to share information and change assumptions and was not guaranteed through traditional training methods.

• Sharing information was found to be the most desired and valued topic from respondents.

Commentary

Anyone looking to find concrete solutions to the combustible dust problem at a given facility is not going to find a great deal of help in this document. There is some information included in Appendix B that may be helpful. Here the report takes quotes from the various responses and groups them in categories like ‘awareness’ and ‘judgement & experience’. Anyone who has perused industry responses to requests for information will realize that this categorization of comments is very helpful for analysis, but finding usable brilliant nuggets of information in those comments is very unlikely.

This is my first exposure to a ‘learning review’ type assessment and I am not sure that it is really the most appropriate way of reviewing this type of data. The ‘facts’ being used here are not necessarily factual and are certainly clouded by the agendas of the individual commentators. It would be interesting to see a parallel chemical incident investigation done using the standard CSB investigative techniques and this learning review and to compare the recommendations that came out of each. I think that this would be very informative.

One question here: how much is the issuance of this ‘new’ type report being governed by the lack of governance at the CSB? The question is not meant to be malicious or casting aspersions at anyone at the CSB, but the CSB board only has one member. As such the agency is not legally able to reach conclusions about incidents or make recommendations to improve industry safety. How much of the issuance of this report is about the CSB remaining influential while legally impotent? There is nothing the CSB can do about their lack of a quorum; that is the President’s fault.