Monday, November 30, 2020

Committee Hearings – Week of 11-29-20

With both the House and Senate back in Washington for the Lame Duck Session there are a limited number of hearings scheduled. One of those hearings deals with cybersecurity and COVID-19.

Cybersecurity Hearing

On Wednesday the Federal Spending Oversight and Emergency Management Subcommittee of the Senate Homeland Security and Governmental Affairs Committee will hold a hearing on “State and Local Cybersecurity: Defending Our Communities from Cyber Threats amid COVID-19”. The witness list includes:

• Brandon Wales, CISA,

• Denis Goulet, New Hampshire Department of Information Technology,

• Leslie Torres-Rodriguez, Hartford Public Schools,

• John Riggi, American Hospital Association, and

• Bill Siegel, Coveware, Inc.

Pending Legislation

The House has a series of bills that it is scheduled to consider under the Suspension of Rules process, but none are of specific interest here. The Senate is continuing to approve appointments made by President Trump.

There are two pieces of legislation that the 116th Congress still needs to send to the President. The first (and arguably most important) is the FY 2021 spending bill. Negotiations are ongoing between the House and Senate Appropriations folks. The current spending authorization ends on December 11th, 2020. The President needs to sign either a final spending bill or another continuing resolution by midnight of that date or the Federal government will shut down. While significant differences remain between the Republican and Democratic negotiators, the bigger question this year is probably whether the lame duck President will sign the bill agreed to by the negotiators. This bill (either solution) will probably not see the light of public scrutiny this week.

The other ‘must pass’ legislation is the FY 2021 National Defense Authorization Act, which is likely to include intelligence authorization language. Again, negotiations are ongoing. There will not be any catastrophic results (like a government shutdown) if this bill is not taken up this year. It could be taken up in the 117th Congress, but it would cause all sorts of problems for continuity in DOD (and Intelligence) operations. Again, the big question is whether lame duck President Trump would sign or veto a bill passed by Congress.

Saturday, November 28, 2020

Public ICS Disclosures – Week of 11-21-20

We have one vendor disclosure from VMware. There is also an exploit report for products from Ruckus Wireless.

VMware Advisory

VMware published an advisory describing two vulnerabilities in their VMware ESXi, Workstation and Fusion. The vulnerabilities were reported by Xiao Wei and Tianwen Tang (VictorV) of Qihoo 360 Vulcan Team. VMware has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Use-after-free - CVE-2020-4004, and

• Elevation of privilege - CVE-2020-4005

NOTE: These vulnerabilities were discovered as part of the 2020 Tianfu Cup Pwn Contest.

Ruckus Exploit

Juan Manuel Fernandez published an exploit [corrected link; 11-29-20 0740 EST] for the Ruckus IoT Controller (vRIoT). This vulnerability was reported earlier by Adepts of 0xCC and addressed by Ruckus.

Wednesday, November 25, 2020

PHMSA Publishes Petition Response Final Rule

Today the DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) published a final rule in the Federal Register (85 FR 75680-75717) for “Adoption of Miscellaneous Petitions To Reduce Regulatory Burdens”. The notice of proposed rulemaking (NPRM) for this action was published in August of 2019.

Actions taken in this final rule include:

• Phase-out of non-normalized tank cars used to transport PIH materials (revising §173.31),

• Limited quantity shipments of hydrogen peroxide (revising Column (8A) of the HMT),

• Markings on portable tanks (revising §172.302(b)(2)),

• Reconditioning of metal drums (revising §173.28(c)(1)(i)),

• Limited quantity harmonization (revising Column (8A) (exceptions) of the HMT),

• Mobile refrigeration units (revising §173.5b),

• Incorporation by reference of CGA Standards (revising §171.7),

• Special provision for explosives (revising §172.102),

• Alternative reports for cargo tanks (revising §180.417(a)(3)),

• Weight tolerances for paper shipping sacks (revising §178.521),

• Markings on closed transport containers (revising §173.308(d)(3)),

• Finalization of the HM-246 tank car standard (revising §173.314(c) and revising §173.244(a)(2)),

• Phase-out of non-HM-246 compliant rail tank cars (revising §173.31),

• Allow non-RCRA waste to use lab pack exception (revising §171.8),

• Incorporation of ASME Code sections II, V, VIII, and IX (revising §171.7(g)(1)),

• Import of foreign Pi-marked cylinders (revising §171.23, revising §173.302, and revising §173.304),

• Placement of the word “stabilized” in shipping description (revising §172.101(c)),

• Incorporation by reference of an AESC/IME standard (revising §171.7(r), and adding §173.67), and

• Incorporation by reference of an updated APA Standard 87-1 (revising §171.7(f)).

PHMSA did not take action on the safety devices petition. It will be addressed in a separate rulemaking.

This final rule is effective on December 28th, 2020. A delayed compliance date of November 26th, 2021 is provided for the following changes:

• Phase-out of non-normalized tank cars used to transport PIH materials,

• Finalization of the HM-246 tank car standard, and

• Phase-out of non-HM-246 compliant rail tank cars.

ISCD Updates 7 FAQ Responses – 11-24-20

Yesterday the CISA Infrastructure Security Compliance Division (ISCD) updated the responses to seven frequently asked questions (FAQs) on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center web page. The changes were non-substantive editorial revisions.

The following FAQ responses were revised:

FAQ #1653 If a facility is in a location where another entity provides certain security measures (e.g., industrial park, co-located facility, office park, etc.), can the facility include these security measures as part of its Security Vulnerability Assessment (SVA)/Site Security Plan (SSP)?

FAQ #1724 How do National Terrorism Advisory System (NTAS) Alerts and Bulletins affect a CFATS facility’s RBPS 13 compliance responsibilities?

FAQ #1769 My facility must perform background checks in accordance with the Risk-Based Performance Standard (RBPS) 12 Personnel Surety on affected individuals. Who is an affected individual?

FAQ #1770 How will the Cybersecurity and Infrastructure Security Agency (CISA) protect the data it collects? Can Chemical-terrorism Vulnerability Information (CVI) be released under the Freedom of Information Act (FOIA)?

FAQ #1782 Are there any facilities statutorily excluded from the Chemical Facility Anti-Terrorism Standards (CFATS) regulation?

FAQ #1785 How does the Cybersecurity and Infrastructure Security Agency (CISA) notify a facility of its tiering?

FAQ #1793 When does a covered facility under the Chemical Facility Anti-Terrorism Standards (CFATS) program need to submit a revised or updated Top-Screen?

NOTE: The links provided for the FAQs in this post were copied from the CFATS Knowledge Center but may not work when followed from your machine. This is an artifact of that web site. If the links do not take you to the referenced FAQ you will have to use the ‘Advanced Search’ function on the page to link to the FAQ or download the ‘All FAQs’ document at the bottom of the ‘Advanced Search’ page.

The following changes were made in the referenced responses:

#1653 Editorial change in answer – Replaced “;” with “,” between “located facility” and “office park”,

#1724 Editorial change in answer – Replaced “;” with “,” between “public safety” and “and recommended” in first paragraph,

#1769 Editorial change in question and answer – Removed “-” between “(RBPS)” and “12”,

#1770 Editorial changes in answer – Removed an unnecessary quotation mark after “CFR § 27.400(d)” and added a space in “6 CFR §§ 27.300and 27.400(j)”,

#1782 Editorial change in question – Moved “(CFATS)” from behind “regulations” to behind “Standards”,

#1785 Editorial change in answer – Removed extra “.” after “(CFATS) regulation” in first paragraph,

#1793 Editorial change in answer – Added “,” after “every two years” in paragraph 2.

Tuesday, November 24, 2020

2 Advisories Published – 11-24-20

Today the CISA NCCIC-ICS published two control system security advisories for products from Fuji Electric and Rockwell Automation.

Fuji Advisory

This advisory describes an out-of-bounds write vulnerability in the Fuji V-Server Lite. The vulnerability was reported by Tran Van Khang - khangkito of VinCSS via the Zero Day Initiative. Fuji has a new version that mitigates the vulnerability. There is no indication that Khang has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to allow for remote code execution on the device.

Rockwell Advisory

This advisory describes three vulnerabilities in the Rockwell FactoryTalk Linx. The vulnerabilities were reported by Sharon Brizinov of Claroty. Rockwell has new versions that mitigate the vulnerabilities. There is no indication that Brizinov has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Improper input validation - CVE-2020-27253, and

• Heap-based buffer overflow (2) - CVE-2020-27251 and CVE-2020-27255

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow a denial-of-service condition, remote code execution, or leak information that could be used to bypass address space layout randomization (ASLR).

S 4795 Introduced – Cyber Sense Program

Last month Sen Rosen (D,NV) introduced S 4795, the Cyber Sense Act of 2020. This bill is very similar to HR 360 that passed in the House days before this bill was introduced. The bill would require DOE to establish “a voluntary Cyber Sense program to identify and promote cyber-secure products intended for use in the bulk-power system” {§2(b)}.

Differences Between S 4795 and HR 360

The essential components of the ‘Cyber Sense Program’ are the same in the two bills. The differences are structural (S 4795 includes a definitions sub-section {§2(a)}) and editorial (HR 360 makes multiple references to the ‘Cyber Sense Program’ where S 4795 makes reference to ‘the program’). These are common stylistic differences frequently seen in House and Senate language.

Moving Forward

Rosen is not a member of the Senate Energy and Natural Resources Committee to which this bill was assigned for consideration, but her three cosponsors {Sen Hoven (R,ND), Sen King (I,NH), and Sen Risch (R,ID)} are members of that Committee. If this bill had been introduced earlier in the session there would be a good chance that the bill would be considered in Committee and adopted with bipartisan support. There probably is not enough time remaining in the session for this to happen.

Given the fact that HR 360 passed in the House by a voice vote, there remains a good chance that the Senate could directly take up this bill under the unanimous consent process, but I am not sure why they would want to take up this bill rather than HR 360. If S 4795 were passed, it would have to go back to the House for an additional vote (where it would almost certainly pass), but passing HR 360 would avoid having to take that extra step. It is probably a toss-up as to which would be considered.

Commentary

My two objections to the language of HR 360 also apply to this bill. The information protection language in both bills would allow vendors to continue to sell vulnerable devices without notification and it would probably stop researchers from reporting vulnerabilities to the program instead of CISA NCCIC-ICS. The bigger problem continues to be the lack of specific funding authorization in either bill. This would mean that the DOE would have to fund this program with existing monies, taking money from other programs.

Monday, November 23, 2020

S 4833 Introduced – NG Cybersecurity Operations

Last month Sen Hassan (D,NH) introduced S 4833, a bill that would authorize cybersecurity operations and missions to protect critical infrastructure by members of the National Guard.

The bill would amend 32 USC 502(f)(1) to specifically include “cybersecurity operations or missions undertaken by the member’s unit at the request of the Governor of the State concerned to protect critical infrastructure” in what actions could be included in duties to which a member of the National Guard could be assigned.

Moving Forward

Neither Hassan nor her single cosponsor Sen Cornyn (R,TX) is a member of the Senate Armed Services Committee to which this bill was assigned for consideration. This means that the bill, even if it had been introduced earlier in the session, would not have been likely to have been considered by the Committee.

I see nothing in this bill that would have drawn any significant opposition. If it were considered in Committee, it would almost certainly draw significant bipartisan support.

Commentary

This is a perfect example of a piece of legislation that would authorize a government agency to do something which it was already doing. National Guard cyber units have been in active support of State agencies across the country and there have been numerous news reports of their support of cyber operations concerning critical infrastructure.

The interesting thing here is where this ‘authorization’ was placed in the United States Code. As currently constituted §502(f)(1) reads:

“(f)(1) Under regulations to be prescribed by the Secretary of the Army or Secretary of the Air Force, as the case may be, a member of the National Guard may—

(A) without his consent, but with the pay and allowances provided by law; or

(B) with his consent, either with or without pay and allowances;

be ordered to perform training or other duty in addition to that prescribed under subsection (a).”

The placement of the cyber operations language in this subsection specifically ensures that a member of the National Guard can only be individually ordered to take part in “cybersecurity operations or missions” when those missions are “undertaken by the member’s unit”. Thus, an individual with cyber expertise in, say, an artillery unit could not be ordered to provide cybersecurity services for a private sector company owned by his National Guard unit commander. Not saying that that would happen….

Saturday, November 21, 2020

2020 Chemical Security Summit Registration Open

Sometime this week (CISA is still not dating their web page updates) CISA updated their Chemical Security Summit web page to provide a link to a registration page for the December 2020 on-line Summit.

As I have noted in earlier posts (most recently here) CISA had to cancel the annual summit that was scheduled to be held in Atlanta, GA in July due to COVID-19. In its place, CISA will be hosting a three-day on-line event on consecutive Wednesdays in December. The format looks to be generally following the format that has been used in previous summits, with the exception that there will not be concurrent presentations being made. Oh, and of course, no meet-and-greets, hand shaking, card exchanging or general socializing.

I have submitted my registration.

Public ICS Disclosures – Week of 11-14-20

This week we have six vendor disclosures from Beckhoff, ENDRESS+HAUSER (2), GE Grid (2), and Medtronic. We have one Ripple20 advisory update for products from Eaton. We also have a researcher report on vulnerabilities in products from Schneider. Finally, we have reports of exploits for products from Rockwell and the Netlogon vulnerability in Microsoft products.

Beckhoff Advisory

CERT-VDE published an advisory describing an incorrect default permissions vulnerability in the Beckhoff TwinCAT XAR product. The vulnerability was reported by Ayushman Dutta. Beckhoff has provided installation instructions to mitigate the vulnerability. There is no indication that Dutta has been provided an opportunity to verify the efficacy of the fix.

ENDRESS+HAUSER Advisories

CERT-VDE published an advisory describing an exposure of sensitive information to an unauthorized actor vulnerability in the ENDRESS+HAUSER Ecograph T products. The vulnerability was reported by Maxim Rupp. ENDRESS+HAUSER has provided generic workarounds to mitigate the vulnerability.

CERT-VDE published an advisory describing an improper privilege management vulnerability in the ENDRESS+HAUSER Ecograph T products. The vulnerability was reported by Maxim Rupp. ENDRESS+HAUSER has provided generic workarounds to mitigate the vulnerability.

GE Advisories

GE published an advisory for their Reason RT430/RT434. The advisory is only available to registered customers.

GE published an advisory for their Reason RT431. The advisory is only available to registered customers.

Medtronic Advisory

Medtronic published an advisory discussing the TiYunZong vulnerabilities found in the CT900 Samsung Android tablets used to run their Clinical Programmer Applications. A Chrome browser update is available to mitigate the vulnerabilities.

NOTE: I wonder what other vendors using Android products for access devices could be susceptible to these vulnerabilities?

Eaton Update

Eaton published an update for their Ripple20 advisory that was originally published on June 23rd, 2020 and most recently updated on October 5th, 2020. The new information includes adding the Uninterruptible Power Supplies (UPSs) with ModbusMS card to the list of affected products.

Schneider Report

Trustwave published a report describing their research into vulnerabilities in the Schneider EcoStruxure Machine Expert and M221 PLC. The vulnerabilities were reported by Schneider on October 10th, 2020. The report includes proof-of-concept code.

Rockwell Exploit

The Flashback team published a Metasploit module for vulnerabilities in the Rockwell FactoryTalk View SE SCADA product. These vulnerabilities were reported by CISA NCCIC-ICS on June 18th, 2020.

Netlogon Exploit

West Shepherd published a proof-of-concept exploit for the Netlogon vulnerabilities reported by Microsoft.

NOTE: I have not seen this vulnerability reported in control system products, but it has been reported by medical device manufacturers (see for example BD).

Friday, November 20, 2020

ISCD Updates 5 FAQ Responses – 11-20-20

Today the CISA Infrastructure Security Compliance Division (ISCD) updated the responses to 5 frequently asked questions (FAQs) on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center web page. The changes were non-substantive editorial revisions.

The following FAQ responses were revised:

FAQ #1771 What documentation will I be asked to provide or make available for the Chemical Security Inspector during an Expedited Approval Program (EAP) Compliance Inspection (CI)?

FAQ #1772 Who will conduct the Chemical Facility Anti-Terrorism Standards (CFATS) Compliance Inspections for facilities in the Expedited Approval Program (EAP)?

FAQ #1773 Solid ammonium nitrate in the chemicals of interest (COI) column of Appendix A is listed as “Ammonium nitrate, solid [nitrogen concentration of 23% nitrogen or greater]” and has a minimum concentration of 33% under the Theft/Diversion security issue. In calculating whether a facility has a screening threshold quantity (STQ) of solid ammonium nitrate in a mixture, does the facility look at the percentage of the nitrogen in the mixture or the percentage of the ammonium nitrate in the mixture?

FAQ #1777 How do I determine “need to know” under Chemical-terrorism Vulnerability Information (CVI)?

FAQ #1782 Are there any facilities statutorily excluded from the Chemical Facility Anti-Terrorism Standards regulation (CFATS)?

NOTE: The links provided for the FAQs in this post were copied from the CFATS Knowledge Center but may not work when followed from your machine. This is an artifact of that web site. If the links do not take you to the referenced FAQ you will have to use the ‘Advanced Search’ function on the page to link to the FAQ or download the ‘All FAQs’ document at the bottom of the ‘Advanced Search’ page.

The following changes were made in the referenced responses:

#1771 Editorial change in answer – Replaced “compliance inspection” with “CI”,

#1772 Editorial change in answer – Added “(CISA)” after “Cybersecurity and Infrastructure Security Agency”,

#1773 Editorial change in answer – Changed “6 C.F.R. §” to read “6 CFR §”,

#1777 No apparent change,

#1782 Editorial change in question – Changed “CFATS?” to read “the Chemical Facility Anti-Terrorism Standards regulation (CFATS)?”

Bills Introduced – 11-19-20

Yesterday with just the House in session (and preparing to leave for their Thanksgiving Recess) there were 24 bills introduced. One of those bills may receive additional coverage in this blog:

HR 8791 To amend the Homeland Security Act of 2002 to make certain reforms to the Department of Homeland Security, and for other purposes. Rep. Thompson, Bennie G. [D-MS-2]

I will be watching this bill for language that touches on cybersecurity, chemical security, or chemical transportation security in TSA or CISA.

Thursday, November 19, 2020

1 Advisory Published – 11-19-20

Today the CISA NCCIC-ICS published a control system security advisory for products from Mitsubishi.

Mitsubishi Advisory

This advisory describes an uncontrolled resource consumption vulnerability in the Mitsubishi MELSEC iQ-R series. The vulnerability was reported by Xiaofei.Zhang (of China ICS-CERT according to the Mitsubishi advisory). Mitsubishi has new firmware versions that mitigate the vulnerability. There is no indication that Xiaofei has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to cause a denial-of-service condition for the affected product.

NOTE 1: This is very similar to an advisory that was published last week. It is easier to understand the differences if you look at the Mitsubishi advisories. Last week’s advisory was for “MELSEC iQ-R Series CPU Modules” and today’s advisory is for “MELSEC iQ-R Series Ethernet Port”. This advisory affects a larger number of products. That explains why different products are affected in the two advisories.

NOTE 2: Something odd about the numbering of today’s advisory; “ICSA-20-324-05”. Typically, the last two digits are the sequence numbers for the day’s advisories, meaning that there should be four other advisories for today. When advisories are held for public release after restricted publication on Homeland Security Information Network (HSIN), they have a sequence number after the publicly published documents so that they do not ‘give away’ the fact that restricted access advisories have been published. So that is not the explanation. Looking at the three-character group before the sequence number we see the Julian day for the advisory. Today is the 324th day of the year. Interestingly, the advisories that were published on Tuesday were also given advisory numbers starting with “ICSA-20-324-”. Apparently, a minor mistake was made on Tuesday. No big thing, I just like pointing out minor bureaucratic quirks.
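As an added illustration (not CISA’s code, and the layout of the identifier is taken from the description above rather than from any published specification), the check below decodes the year and Julian day embedded in an ICSA-style advisory number and compares it with the actual publication date, flagging the kind of mismatch described for Tuesday’s advisories. The sample identifiers and dates are constructed; only the “ICSA-20-324-” prefix appears in the post.

```python
import re
from datetime import date, timedelta

# Assumed layout, inferred from the post: ICSA-<2-digit year>-<day of year>-<sequence>.
ICSA_RE = re.compile(r"^ICSA-(?P<yy>\d{2})-(?P<doy>\d{3})-(?P<seq>\d{2})$")


def _is_leap(year):
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def parse_icsa(advisory_id):
    """Return (year, day_of_year, sequence); raise ValueError on malformed input."""
    m = ICSA_RE.match(advisory_id)
    if not m:
        raise ValueError(f"not an ICSA-style identifier: {advisory_id!r}")
    year = 2000 + int(m.group("yy"))
    doy = int(m.group("doy"))
    days_in_year = 366 if _is_leap(year) else 365
    # Day 000 or a day past the end of the year cannot be a real Julian day.
    if not 1 <= doy <= days_in_year:
        raise ValueError(f"day of year {doy} is out of range for {year}")
    return year, doy, int(m.group("seq"))


def implied_date(advisory_id):
    """The calendar date encoded in the identifier's year and day-of-year fields."""
    year, doy, _ = parse_icsa(advisory_id)
    return date(year, 1, 1) + timedelta(days=doy - 1)


def numbering_offset(advisory_id, published):
    """Days between the actual publication date and the date the ID implies.

    0 means the identifier agrees with the publication date; a negative value
    means the ID was stamped with a later Julian day than the day it appeared.
    """
    return (published - implied_date(advisory_id)).days


def find_mismatches(records):
    """records: iterable of (advisory_id, publication date). Returns the disagreeing ones."""
    return [(aid, numbering_offset(aid, pub)) for aid, pub in records
            if numbering_offset(aid, pub) != 0]


# Constructed sample: two of Tuesday's (2020-11-17) advisories carrying the
# "-324-" day group, and Thursday's ICSA-20-324-05, which is the one from the post.
SAMPLE_RECORDS = [
    ("ICSA-20-324-01", date(2020, 11, 17)),  # constructed sequence number
    ("ICSA-20-324-02", date(2020, 11, 17)),  # constructed sequence number
    ("ICSA-20-324-05", date(2020, 11, 19)),
]

if __name__ == "__main__":
    for aid, offset in find_mismatches(SAMPLE_RECORDS):
        print(f"{aid}: implies {implied_date(aid)}, off by {offset} day(s)")
```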

Bills Introduced – 11-18-20

Yesterday, with both the House and Senate in session (and the Senate preparing to leave for their Thanksgiving Recess), there were 38 bills introduced. Three of these bills may see additional coverage in this blog:

HR 8779 To amend the Federal Cybersecurity Enhancement Act of 2015 to require Federal agencies to obtain exemptions from certain cybersecurity requirements in order to avoid compliance with those requirements, and for other purposes. Rep. Underwood, Lauren [D-IL-14]

S 4912 A bill to amend the Federal Cybersecurity Enhancement Act of 2015 to require Federal agencies to obtain exemptions from certain cybersecurity requirements in order to avoid compliance with those requirements, and for other purposes. Sen. Wyden, Ron [D-OR]

S 4920 A bill to improve the cybersecurity of small organizations with respect to teleworking, and for other purposes. Sen. Rosen, Jacky [D-NV]

None of these bills has a real good chance of being addressed in the limited time remaining in the 116th Congress, but an apparent legal-housekeeping measure like HR 8779/S 4912 could make it to floor consideration depending on its provisions. I suspect that we will see Rosen’s bill in the 117th.

OMB Approves NHTSA Automated Driving ANPRM

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an advanced notice of proposed rulemaking (ANPRM) requested by DOT’s National Highway Transportation Safety Administration (NHTSA) on “Safety Principles for Automated Driving Systems”. The ANPRM was submitted to OIRA on November 2nd, 2020.

According to the Spring 2020 Unified Agenda:

“This notice solicits comments on regulatory approaches to motor vehicles equipped with Automatic Driving System (ADS). The agency seeks public comments on the creation of a safety framework for objectively and transparently assessing and validating the success of each ADS vehicle or developer in designing safety into its vehicles. More specifically, it asks commenters about developing and establishing a regulatory approach such as amending Federal Motor Vehicle Safety Standards (FMVSS) or developing alternative safety regulations relating to ADS vehicle performance.”

This was a remarkably quick turnaround on this ANPRM for the Trump OIRA. Of course, NHTSA is rather behind the development curve on producing regulations for automated driving systems. Part of that is the lack of Congressional direction, but I suspect that even more is due to regulatory inertia from an Administration that just does not believe in regulations.

We could see the ANPRM published in the Federal Register in the next week or so.

Wednesday, November 18, 2020

HR 1668 Passed in Senate – IoT Cybersecurity

Yesterday the Senate passed HR 1668, the IoT Cybersecurity Improvement Act of 2020, by unanimous consent. The bill was passed in the House in September and alert readers will recall that the version voted upon in the House was not the version reported out of Committee. The bill now goes to the President for signature. There have been no indications from the White House about how President Trump intends to deal with this bill.

As I mentioned in my earlier post, it seems to me that this is more of an IT security bill than an IoT security bill, other than for the requirement for GAO to report on “broader Internet of Things efforts, including projects designed to assist in managing potential security vulnerabilities associated with the use of traditional information technology devices, networks, and systems” {§8(a)}.

HR 6395 Amended and Passed in Senate – FY 2021 NDAA

On Monday, the Senate adopted substitute language for, and passed, HR 6395, the National Defense Authorization Act for Fiscal Year 2021, by a voice vote. The substitute language closely tracks the language the Senate earlier adopted for S 4049, the Senate version of this bill. The Senate’s action set up today’s scheduled vote in the House to go to conference on the bill. This would allow the House and Senate to work out the differences between the two versions of the bill.

The Senate language does include a version of the FY 2021 Intelligence Authorization Act.

I would suspect that most of the cybersecurity provisions that were added during floor action in the House will remain in the approved conference version of the bill.

ISCD Updates 5 FAQ Responses – 11-17-20

Yesterday the CISA Infrastructure Security Compliance Division (ISCD) updated the responses to 5 frequently asked questions (FAQs) on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center web page. The changes were non-substantive editorial revisions.

The following FAQ responses were revised:

FAQ #1405 How will I know if the agricultural extension has been lifted and what to do next?

FAQ #1620 How does an individual report a possible security concern involving the Chemical Facility Anti-Terrorism Standards (CFATS) regulation at one’s facility or another facility?

FAQ #1756 What action is required if a facility needs to change owner and/or operator names when it is not related to a transfer of ownership?

FAQ #1768 When will the Cybersecurity and Infrastructure Security Agency (CISA) grant access to the Chemical Security Assessment Tool (CSAT) Personnel Surety Program application if a facility chooses to meet Risk-Based Performance Standard (RBPS) 12(iv) by selecting Option 1 or Option 2 in its Site Security Plan (SSP)/Alternative Security Program (ASP)?

FAQ #1769 My facility must perform background checks in accordance with the Risk-Based Performance Standard (RBPS) 12 - “Personnel Surety” on affected individuals. Who is an affected individual?

NOTE: The links provided for the FAQs in this post were copied from the CFATS Knowledge Center but may not work when followed from your machine. This is an artifact of that web site. If the links do not take you to the referenced FAQ you will have to use the ‘Advanced Search’ function on the page to link to the FAQ or download the ‘All FAQs’ document at the bottom of the ‘Advanced Search’ page.

The following changes were made in the referenced responses:

#1405 Change to URL for DHS updates page, old URL goes to new site,

#1620 No apparent changes,

#1756 Editorial change in answer – Changed “Office of Chemical Security” to “Chemical Security” in snail-mail address,

#1768 Editorial change in answer – Changed “Department” to “Agency”,

#1769 Editorial change in question and answer – Removed hyphen from “(RBPS) 12 – ‘Personnel Surety’” in both.

Tuesday, November 17, 2020

4 Advisories Published – 11-17-20

Today the CISA NCCIC-ICS published four control system security advisories for products from Schneider Electric, Real Time Automation, Paradox, and Johnson Controls.

Schneider Advisory

This advisory describes nine vulnerabilities in the Schneider Interactive Graphical SCADA System (IGSS). The vulnerabilities were reported by kimiya via the Zero Day Initiative. Schneider has a new version that mitigates the vulnerabilities. There is no indication that kimiya has been provided an opportunity to verify the efficacy of the fix.

The nine reported vulnerabilities are:

• Improper restriction of operations within the bounds of a memory buffer (4) - CVE-2020-7550, CVE-2020-7551, CVE-2020-7552, and CVE-2020-7554,

• Out-of-bounds write (4) - CVE-2020-7553, CVE-2020-7555, CVE-2020-7556, and CVE-2020-7558, and

• Out-of-bounds read - CVE-2020-7557

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to result in remote code execution.

NOTE: I briefly discussed these vulnerabilities last Saturday.

Real Time Advisory

This advisory describes a stack-based buffer overflow vulnerability in the Real Time Automation (RTA) 499ES EtherNet/IP (ENIP) Adaptor Source Code. The vulnerability was reported by Sharon Brizinov of Claroty. According to the Claroty report, RTA has a version that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to cause a denial-of-service condition, and a buffer overflow may allow remote code execution.

Claroty reports that a number of vendors appear to be using the vulnerable RTA ENIP stack.

Paradox Advisory

This advisory describes two vulnerabilities in the Paradox IP150 internet module. The vulnerabilities were reported by Omri Ben-Bassat of Microsoft. NCCIC-ICS provides an email address to contact Paradox for mitigation information.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2020-25189 (3 separate overflows under this CVE#), and

• Classic buffer overflow - CVE-2020-25185 (9 separate overflows under this CVE#)

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to remotely execute arbitrary code, which may result in the termination of the physical security system.

Johnson Controls Advisory

This advisory describes an improper authorization vulnerability in the Johnson Controls (Sensormatic Electronics) American Dynamics victor Web Client and Software House C•CURE Web Client. The vulnerability was reported by Joachim Kerschbaumer. Johnson Controls has a new version that mitigates the vulnerability. There is no indication that Kerschbaumer has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to allow an unauthenticated attacker on the network to create and sign their own JSON web token and use it to execute an HTTP API method without the need for valid authentication/authorization. Under certain circumstances, this could be used by an attacker to impact system availability by conducting a denial-of-service attack.

Monday, November 16, 2020

ISCD Updates Monthly Statistics – 11-16-20

Today the CISA Infrastructure Security Compliance Division (ISCD) published their monthly update of statistics for the Chemical Facility Anti-Terrorism Standards (CFATS) for Chemical Security Inspector activities and facility status for the month of October.

CSI Activities

The table below shows the activities conducted by the CSI in October.

Inspection Data              Jul-20   Aug-20   Sep-20   Oct-20
Authorization Inspections        10       24       31       21
Compliance Inspections           76      107      131       90
Compliance Assistance           162      115      140      100
Compliance Audit                  8        9       23        5

The web page does not explain the month-to-month variations in the CSI activities. While the numbers this month show a sharp drop off from the previous three months, they are slightly above the average (214.5 activities per month) number of activities that were typically undertaken in 2018 and 2019 (last data that I tabulated).

Facility Status

The table below shows the status of facilities covered under the CFATS program.

Facility Status              Jul-20   Aug-20   Sep-20   Oct-20
Tiered                          139      124      108       90
Authorized                      141      147      159      161
Approved                       3057     3056     3053     3048
Total                          3337     3327     3320     3299

This is the largest one-month drop in the number of covered facilities since 26 facilities were dropped in January 2019. ISCD does not explain why facilities are removed from the program. One ‘common’ reason for such removal would be facilities making changes in the inventory of DHS chemicals of interest (COI) that bring them below the threshold for being considered a high-risk facility. Facilities that are able to do this can avoid the regulatory costs of compliance with the Site Security Plan requirements of the program. Of course, going-out-of-business is another reason for facilities to reduce their COI inventories.

HR 7856 Reported in House – FY 2021 Intel Authorization

The House Permanent Select Committee on Intelligence recently published their Report on HR 7856, the Intelligence Authorization Act for Fiscal Year 2021. The reported version of the bill contains no significant changes to the cybersecurity provisions that were included in the introduced version and no new cybersecurity provisions. The Report only includes two discussions of cybersecurity issues.

Cybersecurity and the ABMS

The first cybersecurity discussion is found on pages 17 thru 18 under the heading “Advanced Battle Management Family of Systems”. The Committee insists that given “the sensitive nature of the intelligence information that will act as the backbone of ABMS, it is vital that ABMS use only the most secure tools and technology.” To this end the Committee directs the Air Force to work with the National Security Agency to establish “minimum security standards, and build these recommendations into the requirements for ABMS” and to then vet those “technologies to ensure that they meet such standards”.

Cybersecurity and UAS

The other discussion of cybersecurity issues in this report is found on pages 26 thru 27 under the heading “Countering the Malicious Use of Unmanned Aircraft Systems (UAS) in the United States”. The Committee notes that both DHS and the FBI report that UAS can be used maliciously in a number of ways, “including kinetic attacks with payloads of firearms, explosives, or weapons of mass destruction and cyber-attacks against wireless devices or networks [emphasis added]”. The Committee directs the Director of National Intelligence to prepare an assessment of the potential UAS threat and a report on potential congressional actions necessary to counteract that threat. The Committee is specifically asking the DNI to:

“Propose what the Federal Government would need—with respect to authorities, regulations, policies, protections for civil liberties and privacy, and resources—to carry out feasibility studies and pilot programs enabling U.S. airports, state and local law enforcement, and critical infrastructure owners [emphasis added] to counter the malicious use of UAS.”

Moving Forward

This is typically considered to be one of those ‘must pass bills’ that is generally produced in a bipartisan manner in Committee and then taken up by the Whole House in a fairly collegial manner. That has not been the case this year. The ‘Minority Views’ section of the Report (starting on page 151) lays out the Republican objections to this bill in quite some vociferous detail. This bill is likely to move to the floor of the House where it will pass on nearly party lines.

The Senate has not taken up their version of the bill (S 3905). If HR 7856 is passed in the House early enough, the Senate could take it up and substitute the language from S 3905. That language has some minor Democratic opposition {see Sen. Wyden’s (D,OR) short comment section on pages 18 and 19 of that Committee Report}, but probably not enough to stop the bill from being considered. There would be significant differences to be worked out in a Conference Committee, so many differences that they would probably not be able to be worked out before the 116th Congress closes next month.

I suspect that there are, however, on-going backroom negotiations that could allow for a Division in an FY 2021 spending bill to address necessary intelligence authorization issues. It is an open question what cybersecurity provisions could make their way into such a division.

Saturday, November 14, 2020

CISA Publishes 2020 Chemical Security Webinars Agenda

Sometime this week (they still have not resumed dating web page changes) the Cybersecurity and Infrastructure Security Agency (CISA) updated their Chemical Security Summit web page to provide updated information for the 2020 Chemical Security Summit. As I had noted earlier, CISA will be holding this mostly-annual summit this year as a three-day virtual event held on consecutive Wednesdays in December. This week’s update provides an agenda for the three-day event.

I misunderstood the previous update to mean that CISA would be holding one seminar on three separate dates. The agenda published this week makes it clear that CISA will be holding three separate seminars, one on each day of the scheduled event. This closely parallels the organization of the Chemical Sector Security Summits that have been held over the last 10+ years.

While there are (currently?) no speaker names included in the published Agenda, there are some topics that look to be very interesting (all would appear to be worthwhile). These call-out topics include:

• Jack Rabbit III Demonstration – 12-2-20,

• Security Incidents Trends & Challenges During the COVID-19 Pandemic and Supply Chain Constraints – 12-2-20,

• Chemical Security Threat Briefing – 12-2-20,

• Hurricanes, Wildfires, Floods, and Pandemics – 12-9-20,

• TSA Surface & USCG MTSA Program Updates and Information – 12-9-20,

• Cybersecurity & Physical Security Working Together, 12-16-20, and

• Chemical Security Tools (Virtual Expo), 12-16-20

Registration information is still not available.

Public ICS Disclosures – Week of 11-07-20

This week we have eight vendor disclosures for products from Schneider (7) and Thales Group. We also have nine updates for advisories for products from Schneider (5), Siemens (2), Carestream and Rockwell.

Schneider Advisories

Schneider published an advisory describing three vulnerabilities in the web servers of their Modicon M340, Modicon Quantum and Modicon Premium Legacy products. The vulnerabilities were reported (here and here) by Kai Wang of Fortinet's FortiGuard Labs. Schneider is working on mitigation measures for those affected products that are not end-of-life.

The three reported vulnerabilities are:

• Out-of-bounds read - CVE-2020-7562,

• Out-of-bounds write - CVE-2020-7563, and

• Classic buffer overflow - CVE-2020-7564

Schneider published an advisory describing an improper privilege management vulnerability in their EcoStruxure™ Operator Terminal Expert runtime (Vijeo XD). The vulnerability was reported by Lasse Trolle Borup of Danish Cyber Defence. Schneider has a service pack that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Schneider published an advisory describing nine vulnerabilities in their Interactive Graphical SCADA System (IGSS) product. The vulnerabilities were reported by kimiya via the Zero Day Initiative. Schneider has a new version that mitigates the vulnerabilities. There is no indication that kimiya has been provided an opportunity to verify the efficacy of the fix.

The nine reported vulnerabilities are:

• Improper restriction of operations within the bounds of a memory buffer (4) – CVE-2020-7550, CVE-2020-7551, CVE-2020-7552, and CVE-2020-7554,

• Out-of-bounds write (4) - CVE-2020-7553, CVE-2020-7555, CVE-2020-7556, and CVE-2020-7558, and

• Out-of-bounds read - CVE-2020-7557

Schneider published an advisory describing seven vulnerabilities in their EcoStruxure Building Operation (EBO) product offerings. The vulnerabilities were reported by Luis Vázquez, Francisco Palma, and Diego León of Zerolynx, and Alessandro Bosco, Luca Di Giuseppe, Alessandro Sabetta, and Massimiliano Brolli of TIM Security Red Team Research. Schneider has a version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The seven reported vulnerabilities are:

• Unrestricted upload of file with dangerous type - CVE-2020-7569,

• Cross-site scripting stored - CVE-2020-7570,

• Cross-site scripting reflected - CVE-2020-7571,

• Improper restriction of XML external entity reference - CVE-2020-7572,

• Improper access control - CVE-2020-7573,

• Windows unquoted search path - CVE-2020-28209, and

• Cross-site scripting - CVE-2020-28210

Schneider published an advisory describing four vulnerabilities in their Modicon M221 product. The vulnerabilities were reported by Yehuda Anikster and Rei Henigman of Claroty, and Seok Min Lim and Bryon Kaan of Trustwave (here). Schneider provides generic workarounds to mitigate the vulnerabilities.

The four reported vulnerabilities are:

• Inadequate encryption strength - CVE-2020-7565,

• Small space of random values - CVE-2020-7566,

• Missing encryption of sensitive data - CVE-2020-7567, and

• Exposure of sensitive data to an unauthorized actor - CVE-2020-7568

NOTE: The Trustwave report contains proof-of-concept code.

Schneider published an advisory describing an improper access control vulnerability in their Easergy T300 remote terminal unit. The vulnerability was reported by Evgeniy Druzhinin and Ilya Karpov of Rostelecom-Solar. Schneider has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.


Schneider published an advisory discussing the Drovorub malware and its impact on their Q Data Radio and J Data Radio devices. Schneider is providing generic workarounds pending further work on mitigating the vulnerabilities.

Thales Advisory

Thales Group published an advisory for their Sentinel RMS License Manager. The advisory is only available to registered customers. We should expect to see various vendors incorporating the fix for this in their affected products.

Schneider Updates

Schneider published an update for their Ripple20 advisory. The new information includes adding mitigation measures for:

• eIFE Ethernet Interface for MasterPact MTZ drawout circuit breakers,

• IFE Ethernet Interface for ComPact, PowerPact, and MasterPact circuit breakers, and

• IFE Gateway

Schneider published an update for their EcoStruxure advisory that was originally published on May 12th, 2020 and most recently updated on June 9th, 2020. The new information includes adding mitigation measures for CVE-2020-7495 & CVE-2020-7497.

Schneider published an update for their Modicon M218/M241/M251/M258 Logic Controllers advisory that was originally published on April 14th, 2020. The new information includes adding mitigation measures for M258.

Schneider published an update for their Modicon Controllers advisory that was originally published on March 20th, 2020. The new information includes adding mitigation information for CVE-2020-7475.

Schneider published an update for their Modicon M580 controller advisory that was originally published on October 8th, 2019. The new information includes adding mitigation information for CVE-2019-6848 and CVE-2019-6849.

Siemens Updates

Siemens published an update for their CodeMeter advisory. The new information includes adding SICAM 230 to the list of affected versions including mitigation measures.


Siemens published an update for their GNU/Linux advisory that was originally published in 2018 and most recently updated on October 13th, 2020. The new information includes adding:

• CVE-2020-10769,

• CVE-2020-14314,

• CVE-2020-25211, and

• CVE-2020-25641

Carestream Update

Carestream published an update [.PDF download link] for their Bad Neighbor advisory. The new information includes lists of affected and unaffected products.

Rockwell Update

Rockwell published an update for their Urgent/11 advisory. The new information includes mitigation measures for ControlLogix 5580 and CompactLogix products.


Friday, November 13, 2020

EPA Publishes SERC Survey 60-day ICR

Yesterday the Environmental Protection Agency (EPA) published a 60-day information collection request (ICR) notice in the Federal Register (85 FR 71892-71893) for a new ICR for a survey of State Emergency Response Commissions (SERCs). The proposed survey would be designed “to gather information on how EPCRA [Emergency Planning and Community Right-to-Know Act of 1986] is being implemented, best practices, challenges, and gaps in meeting the requirements”.

The burden estimate provided in this ICR notice includes the following information:

• Number of expected respondents – 56,

• Frequency – 1 time,

• Burden hours – 4-hrs per response,

• Total burden hours – 224-hrs.

The EPA is soliciting public comments on this proposed ICR. Comments may be filed via the Federal eRulemaking Portal (www.Regulations.gov; Docket # EPA-HQ-OLEM-2020-0521). Comments should be submitted by January 11th, 2021.

Commentary

I have frequently taken the EPA to task in this blog for their relative lack of oversight of the emergency planning requirements of EPCRA, particularly the establishment and operation of Local Emergency Planning Committees (LEPCs). Yesterday’s notice does not provide any information on the questions that will be included in the survey of LEPCs. I would, however, like to suggest that the following questions about LEPCs be included:

• How many counties, parishes or boroughs in the State do not have active LEPCs (active means having an appointed Chair and having conducted a public meeting within the last 12 months)?

• How many active LEPCs have had a public meeting within the last calendar quarter?

• How many facilities within the State are covered by the Chemical Facility Anti-Terrorism Standards (CFATS) program?

• How many of those facilities have had a written emergency response plan prepared by the responsible LEPC?

Additionally, I would like to suggest that this survey be changed from a one-time affair into an annual activity by the EPA.

A copy of this blog post will be submitted as a comment on this Docket.

Bills Introduced – 11-12-20

Yesterday with the Senate in session and the House meeting in pro forma session, there were 34 bills introduced. One of those bills may see additional coverage in this blog:

S 4896 A bill to authorize certain Federal departments to enter into contracts to carry out existing authorities to protect United States facilities from unmanned aircraft. Sen. Lee, Mike [R-UT]
