Monday, August 2, 2021

Committee Hearings – Week of 8-1-21

With just the Senate in Washington this week (and looking forward to their Summer Recess), there is a limited number of hearings being held. Two markup hearings may be of interest here.

Spending Bill Markup

The full Senate Appropriations Committee is scheduled to meet on Wednesday for a markup hearing on “FY 22 Energy and Water, Agriculture, and MilCon VA Appropriations Bills”. This is interesting since eight spending bills, including “Energy and Water Development and Related Agencies” (Title III) and “Agriculture, Rural Development, Food and Drug Administration, and Related Agencies” (Title I) were included in Division J of the substitute language for HR 3684.

Homeland Security Markup

On Wednesday the Senate Homeland Security and Governmental Affairs Committee will hold a markup hearing for nine bills. These include

S 2305, the Cybersecurity Opportunity Act,

S 2439, DHS Industrial Control Systems Capabilities Enhancement Act of 2021,

S 2520, the State and Local Government Cybersecurity Act.

NOTE: S 2520 was just published, I plan on publishing my review on that bill tomorrow.

Review - Senate Substitute Language for HR 3684 – Invest in America Act

Last night the Senate leadership finally came to an agreement on the substitute language that will be considered in the Senate for HR 3684. This was offered as amendment SA 2137 (pg S 5255) with an easier to read Committee Print available. The consideration process on the floor starts in earnest today and we will be seeing a number of amendments offered and considered.

As was expected, there are many cybersecurity provisions included in this bill. They include the incorporation of five bills that have been introduced in the House or Senate. The bill also includes five sections that provide detailed cyber security requirements and 27 instances of cybersecurity mentions in passing.

The amendment process for this bill was actually started on Friday with four amendments submitted, none of which are of interest here. There were no amendments proposed on Saturday, but there seven other amendments submitted yesterday. There will certainly be other amendments submitted in the coming days. The Democrats hope to finish the consideration of this bill by Friday so that the Senate can proceed with their scheduled Summer Recess, but there are reports that Sen Schumer is prepared to hold the Senate in session until the bill is passed.

For more details on the cybersecurity provisions in the substitute language, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/senate-substitute-language-for-hr - subscription required.

Sunday, August 1, 2021

S 2439 Introduced - DHS ICS Capabilities Enhancement

Last month, Sen Peters (D,MI) introduced S 2439, the DHS Industrial Control Systems Capabilities Enhancement Act. The bill is nearly identical to the version of HR 1833 which passed in the House on July 20th, 2021. The bill is currently scheduled to be considered by the Senate Homeland Security and Governmental Affairs Committee on Wednesday.

I made the following point in my post on HR 1833 that is also applicable to this bill:

“First off, it should be obvious to those that follow the control system security activities of CISA that this bill does not actually cause the Agency to undertake any new actions. It merely codifies the authority of CISA to do what it has been doing for quite some time. That could, however, be important in any period of budget constraint; agencies would be more likely to cut back programs and processes that have not been specifically authorized by Congress.”

I also made comment about my favorite topic definition of terms:

“As I was with HR 5733 [version of this bill in the 116th Congress, link added], I am concerned that the bill did not modify the subsection (c), Functions, portion of §659 to specifically address the industrial control system support outlined in the new subsection (p). While there are numerous mentions of similar cybersecurity responsibilities, all of the mentions include using terms defined in §659(a) that rely on the IT restrictive definition of information systems. If Congress is not going to address those definitional issues (and that is probably considered by the crafters of this bill as being beyond the scope of the legislation) then they should have included adding a subsection to §659(c) like this:

“(12) supporting the cybersecurity operations of industrial control systems as outlined in (p).”

Review - S 2292 Introduced – Cyber-Attack Response

Back in June, Sen Daines (R,MT) introduced S 2292, the Study on Cyber-Attack Response Options Act. The bill would require DHS to conduct a study on the potential consequences and benefits of amending the Computer Fraud and Abuse Act to allow private companies to take proportional actions in response to an unlawful network breach. No funding is authorized by this bill.

Neither Daines or his sole cosponsor {Sen Whitehouse (D,RI)} are members of the Senate Homeland Security and Governmental Affairs Committee to which this bill was assigned for consideration. This means that it is unlikely that there would be enough influence to see this bill be considered in Committee. While this is only a study and report bill, I believe that this hacking back concept is controversial enough that there might be bipartisan opposition to the bill for a variety of ideological reasons. I do not think that there would be sufficient support to favorably report the bill out of the Committee.

For more details on the bill and a discussion of ‘hacking back’, see my article on CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2292-introduced - subscription required.

Saturday, July 31, 2021

S 2305 Introduced - Cybersecurity Opportunity

Last month, Sen Ossoff (D,GA) introduced S 2305, the Cybersecurity Opportunity Act. The bill would require DHS to award grants to Historically Black Colleges and Universities (HBCU) and other minority serving institutions to “expand cybersecurity education opportunities, cybersecurity technology and programs, cybersecurity research, and cybersecurity partnerships with public and private entities.” No monies are authorized in the bill to support these grants.

Ossoff is a member of the Senate Homeland Security and Governmental Affairs Committee to which this bill was assigned for consideration. This means that there may be enough influence available to see this bill considered in Committee. I see nothing in this bill that would engender any specific opposition, especially since no new funds are being authorized.

This bill will not make it to the floor of the Senate as a stand-alone measure. The only way that Ossoff can see this bill make it to the President’s desk is to see it included in a larger spending or authorization bill. We will be able to see how important this bill is to Ossoff by watching for it as an amendment for one or more bills where open amendments are encouraged.

Review - CISA Announces VDP Platform

Earlier this week CISA announced the establishment of their Vulnerability Disclosure Policy Platform (VDP Platform). According to the announcement: “The VDP Platform provides a single, centrally managed online website for agencies to list systems in scope for their vulnerability disclosure policies, enabling security researchers and members of the general public to find vulnerabilities in agency websites and submit reports for analysis.”

According to the CISA fact sheet on the VDP Platform, the Platform is being offered as a software-as-a-service program to support individual department and agency VDPs. CISA’s Cyber Quality Services Management Office (QSMO) provides platform oversight, and the Platform is currently operated by BugCrowd. Supported agencies will retain responsibility for vulnerability confirmation and remediation. While the platform is designed to support bug bounty programs, there does not appear to be any agency that is currently sponsoring such a program.

The OMB’s Office of Information and Regulatory Affairs (OIRA) approved an emergency information collection request expansion to cover this VDP Platform back in March. CISA was required to update that ICR by September 30th, 2021.

For more detailed information, including links to agency VDP sites, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cisa-announces-vdp-platform - subscription required. 

Review - Public ICS Disclosures – Week of 7-24-21

This week we have five PrintNightmare disclosures from Boston Scientific, Carestream, PEPPERL+FUCHS, Draeger, and Spacelabs Healthcare. There were four other vendor disclosures from CODESYS. We also have two updates from CODESYS.

PrintNightmare Advisories

Boston Scientific published an advisory discussing the PrintNightmare vulnerabilities.

Carestream published an advisory discussing the PrintNightmare vulnerabilities.

CERT-VDE published an advisory discussing the PrintNightmare vulnerabilities in products from PEPPERL+FUCHS.

Draeger published an advisory discussing the PrintNightmare vulnerabilities.

Spacelabs published an advisory discussing the PrintNightmare vulnerabilities.

Other Disclosures

CODESYS published an advisory describing a files or directories accessible to external parties vulnerability in their CODESYS V3 web server.

CODESYS published an advisory describing a null pointer dereference vulnerability in their CODESYS Gateway V3.

CODESYS published an advisory describing seven vulnerabilities in their CODESYS Development System V3.

CODESYS published an advisory describing a null pointer dereference vulnerability in their CODESYS EtherNetIP.

CODESYS published an update for their CODESYS V3 web server advisory that originally published on May 19th, 2021.

CODESYS published an update for their CODESYS V3 Runtime Toolkit for VxWorks advisory that was originally published on May 19th, 2021.

For more details on these advisories and updates, including links to proof-of-concept code, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-28e - subscription required.

Bills Introduced – 7-30-21

Yesterday, with both the House and Senate in Washington and the House leaving for their Summer Recess, there were 55 bills introduced. One of those bills may receive additional coverage:

HR 4863 To establish the Foundation for Energy Security and Innovation, and for other purposes. Rep. Stansbury, Melanie Ann [D-NM-1]

I will be watching this bill for language and definitions that would include control system cybersecurity within the scope of the bill. I am not really sure if the use of the term ‘energy security’ in this bill includes cybersecurity of any sort.

Friday, July 30, 2021

Review Filing Comments on 30-day ICR Notices

Yesterday I published a short notice about the 2nd revision to an information collection notice (ICR) for the Chemical Facility Anti-Terrorism Standards (CFATS) program. In addition to the change in the end of comment date that was presumably the reason for the 2nd revision, there was also a change in the language describing how to submit comments on the ICR. This online submission of comments on the 30-day ICR notices is a change from the old method of emailing the comments to the action officer at OMB’s Office of Information and Regulatory Affairs. Comments for 60-day ICRs are still posted (except for TSA) to www.Regulations.gov.

Of course, it was easier still when you just had to email the comments to the OIRA action officer for the ICR. I suspect, however, that this on-line process was initiated to weed out ‘letter writing’ campaigns that many activist organizations use to ‘influence’ the OIRA approval process. Those quotes are because those organizations know that OIRA (nor any other federal agency) is actually influenced by being inundated with multiple duplicate comments. No the organizations are usually using those campaigns for fund raising efforts.

For a detailed description on how to actually follow those instructions, or an easier way that I found, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/filing-comments-on-30-day-icr-notices - subscription required.

Bills Introduced – 7-29-21

Yesterday, with both the House and Senate in Washington, and the House preparing to depart for their Summer Recess, there were 132 bills introduced. One of those bills may receive additional attention in this blog:

HR 4818 To amend title 5, United States Code, to establish a National Digital Reserve Corps to help address the digital and cybersecurity needs of Executive agencies, and for other purposes. Gonzales, Tony [R-TX-23]

While I will be watching this bill for control system related definitions and language, I typically follow most bills that tend to increase the nation’s cybersecurity workforce.

Thursday, July 29, 2021

Review - Reader Comment – ICS Cybersecurity Initiative

Yesterday I published a brief piece on President Biden’s “National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems”. A long time reader of my blog, Jake Brodsky, posted a comment to that post that should be read by anyone interested in the ongoing move of the Administration to improve cybersecurity in critical infrastructure. One point that Jake made is worth discussing here:

“I have a lot of respect for what CISA does. However, they cannot be the ones to enforce security on industries that they are not responsible for in any other capacity. That should come from the EPA in water, FERC in Energy, and so on. I would vastly prefer to see CISA become a research, integration, and intelligence distribution agency --much as they're doing now.”

Jake makes a good point, CISA is not really set up to be a regulator. With the exception of the Chemical Facility Anti-Terrorism Standards (CFATS) program that does fall under CISA, CISA does not have the personnel, or background to be a regulatory agency. Regulating cybersecurity takes more than just writing regulations or Security Directives. Without the people to go out into the field and check that the regulated entities are doing, or even can do, what is written in the CFR, writing regulations is an empty effort.

In process industries, cybersecurity of control systems should be intimately tied to process safety. I do not care how many security controls you have in place, someone, if they are determined enough, will find a way around those controls. What should be more important for operational cybersecurity is ensuring that there are process safety controls in place that will make cyber systems fail in a safe mode.

If we try to get too detailed in our ‘cybersecurity goals’ we will make them too expensive and too complex for them to be applied to all of the facilities where they are needed. Each facility is going to have to determine what tools are most appropriate for their operations to achieve the general cybersecurity goals. But we must keep in mind that cybersecurity must be tied back into the safety and business case of each individual facility. If we fail to do that, cybersecurity will continue to take a back seat to getting product out the front door.

For a more detailed look at the problems with CISA as a regulator, and my look at what the cybersecurity goals should look like, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/reader-comment-ics-cybersecurity - subscription required. 

Review - 2 Advisories and 1 Update Published – 7-29-21

Today, CISA’s NCCIC-ICS published two control system security advisories for products from WIBU and Hitachi ABB Power Grids. They also published an update for an advisory for products from Mitsubishi.

WIBU Advisory - This advisory describes two buffer over-read vulnerabilities in the WIBU CodeMeter Runtime Server.

Hitachi ABB Advisory - This advisory describes an insufficiently protected credentials vulnerability in the Hitachi ABB Power Grids eSOMS product.

Mitsubishi Update - This update provides additional information on an advisory that was originally published on February 18th, 2021 and most recently updated on May 27th, 2021.

For more detail on the advisories, including links to proof-of-concept code, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-and-1-update-published-809 - subscription required.

Senate Begins Debate on HR 3684 – Invest in America Act

Yesterday the Senate voted to close debate on the motion to proceed to the debate on HR 3684, the INVEST in America Act. The Senate is using that bill as the vehicle for consideration of the bipartisan infrastructure bill upon which an agreement was reached yesterday. There were no amendments filed yesterday, so the final details of the (actually writing the lengthy bill) of the legislation has not yet been completed. It looks like that amendment will be submitted today, probably with a long list of amendments to that language.

All of the cybersecurity language that the House added to HR 3684 is now in legislative limbo. I expect that we will see some cyber security language (including whole bills that would not otherwise make it to the floor of the Senate even though they would have bipartisan support), included in the amendments and maybe even the substitute language. The final chance for the return of the cyber language will come in the almost inevitable conference committee report to work out the differences between the House and Senate language. Most of the House cyber language was not attached to spending, so putting it back in the final bill would not change the price tag.

The Senate is scheduled to be in session next week before the they leave Washington for their Summer Recess (House starts next week). There is a chance that Sen Schumer will hold the Senate until the debate on HR 3684 is completed, but that would engender some opposition from the Republicans who will want lots of chances to offer their amendments to the bill. I would not be surprised to see the final vote come after the Senate returns in September.

CISA Publishes 2nd CFATS ICR Correction

Today the Cybersecurity and Infrastructure Security Agency (CISA) published an information collection request correction notice in the Federal Register (86 FR 40866-40867) for the ICR 30-day notice for the Chemical Facility Anti-Terrorism Standards (CFATS) that was originally published on June 23rd, 2021 and subsequently corrected on June 29th, 2021. This correction extends the comment period until to August 30th, 2021, because a technical error did not allow comment submissions on the OMB’s Office of Information and Regulatory Affairs web page.

Bills Introduced – 7-28-21

Yesterday, with both the House and Senate in session, there were 93 bills introduced. Two of those bills may receive additional coverage in this blog:

HR 4741 To provide for the regulation of digital assets, and for other purposes. Rep. Beyer, Donald S., Jr. [D-VA-8] 

HR 4745 To establish a program to make grants to institutions of higher education to provide courses relating to critical legacy computer languages, and for other purposes. Rep. Cartwright, Matt [D-PA-8]

Okay, I am not really going to follow HR 4745, but I did have to mention it. Back in ’92 I had to take a Fortran class for my Chemistry BS program, because ‘many labs had legacy equipment running on Fortran’. BTW, the professor did not know why the then current version had an 80 character limit on instructions.

I will be surprised if HR 4741 has anything to do with cybersecurity, but if it does, I will be watching for language and definitions that would include industrial control systems in its coverage.

Registration for 2021 Chemical Security Seminars is Open

Yesterday, CISA’s Office for Chemical Security (OCS) published an announcement in the ‘Latest News’ section of the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center noting that the free registration is now open for the December 2021 Chemical Security Seminars. As was done last year because of the COVID-19 Pandemic, these three seminars are replacing the Chemical Sector Security Summit that is normally held in July.

 


The Chemical Security Summit web site provides additional information on the Seminars and provides links to slide presentations from last year’s Seminars and from Summits back through 2015. The Seminars will be held on December 1st, 8th, and 15th.

Last year the on-line presentations last about 4 hours each of the three days, with provisions being made to answer questions from the audience. The presentations were well done, providing a great deal of information about the CFATS program, related programs, and chemical security in general.

CISA is asking that registrations be completed by November 30th, 2021. I registered this morning.

Wednesday, July 28, 2021

Biden Issues Memorandum for Improving ICS Cybersecurity

Today, the White House published “National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems”. It notes that: “The cybersecurity threats posed to the systems that control and operate the critical infrastructure on which we all depend are among the most significant and growing issues confronting our Nation.” The Memorandum goes on to establish and outline the goals for the Industrial Control Systems Cybersecurity Initiative.

Section 2 of the memo states that: “The primary objective of this Initiative is to defend the United States’ critical infrastructure by encouraging and facilitating deployment of technologies and systems that provide threat visibility, indications, detection, and warnings, and that facilitate response capabilities for cybersecurity in essential control system and operational technology networks.”

In Section 3, it goes on to say: “We cannot address threats we cannot see; therefore, deploying systems and technologies that can monitor control systems to detect malicious activity and facilitate response actions to cyber threats is central to ensuring the safe operations of these critical systems.”

To support this initiative, the Memorandum requires DHS to issue:

By 9-22-21, preliminary goals for control systems across critical infrastructure sectors,

By 7-28-21, final cross-sector control system goals, and

By 7-28-21, sector-specific critical infrastructure cybersecurity performance goals.

 

DHS is also directed to look at whether additional legal authorities would be beneficial to enhancing the cybersecurity of critical infrastructure. 

Review - Mass Casualty Event in Texas – 7-28-21

I have had a couple of long-time readers ask me to comment on this, so here goes. Last night there was an incident at a plant outside of Houston, TX that killed at least two people. Early news reports (here, here and here) would seem to indicate that there was a release (one report says 100,000 lbs) of acetic acid, perhaps glacial acetic acid. A number of people were taken to local hospitals, and more were treated on site.

We are a long way from knowing what actually happened at the facility. There has not yet been an announcement about the Chemical Safety Board sending a team to investigate, but with two deaths, that is an almost forgone conclusion.

For a more detailed look at the limited facts available, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/mass-casualty-event-in-texas - subscription required.

Bills Introduced – 7-27-21

 Yesterday, with both the House and Senate in Washington, there were 62 bills introduced. Two of those bills may receive additional coverage in this blog:

S 2483 A bill to require the Director of the Cybersecurity and Infrastructure Security Agency to establish cybersecurity guidance for small organizations, and for other purposes. Sen. Rosen, Jacklyn [D-NV]

S 2491 A bill to amend the Homeland Security Act of 2002 to establish the National Cyber Resilience Assistance Fund, to improve the ability of the Federal Government to assist in enhancing critical infrastructure cyber resilience, to improve security in the national cyber ecosystem, to address Systemically Important Critical Infrastructure, and for other purposes. Sen. King, Angus [I-ME]

I will be watching both bills for language and definitions that would include industrial control systems within the coverage of the bill.

Tuesday, July 27, 2021

Review - 5 Advisories and 5 Updates Published – 7-27-21

Today CISA’s NCCIC-ICS published five control system security updates for products from Delta Electronics, LCDS, Geutebruck, Mitsubishi, and KUKA. They also updated five security advisories for products from Mitsubishi (2), AVEVA, Delta, and Schneider Electric.

Delta Advisory - This advisory describes two vulnerabilities in the Delta DIAScreen software.

LCDS Advisory - This advisory describes a cross-site scripting vulnerability in the LCDS LAquis SCADA.

Geutebruck Advisory - This advisory describes twelve vulnerabilities in the Geutebruck G-Cam E2 cameras and G-Code encoders.

Mitsubishi Advisory - This advisory describes a missing synchronization vulnerability in the Mitsubishi GOT2000 series and GT SoftGOT2000 when using the MODBUS/TCP Slave.

KUKA Advisory - This advisory describes two use of hard-coded credentials vulnerabilities in the KUKA KR C4 controllers.

Mitsubishi Update #1 - This update provides additional information on an advisory that was originally published on July 30th, 2020 and most recently updated on May 27th, 2021.

Mitsubishi Update #2 - This update provides additional information on an advisory that was originally published on April 22, 2021.

AVEVA Update - This update provides additional information on an advisory that was originally published on June 29th, 2021.

Delta Update - This update provides additional information on an advisory that was originally published on July 1st, 2021.

Schneider Update - This update provides additional information on an advisory that was originally published on July 13th, 2021.

For more details on these advisories and updates, including links to proof-of-concept code, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-advisories-and-5-updates-published - subscription required.

Review - FRA Publishes PTC Systems Final Rule

 Today the DOT’s Federal Railroad Administration (FRA) published a final rule in the Federal Register (86 FR 40154-40182) for “Positive Train Control Systems”. This regulation revises the regulations governing changes to positive train control (PTC) systems and reporting on PTC system performance. The notice of proposed rulemaking (NPRM) for this rule was published last December.

The preamble includes a brief discussion about the cybersecurity provisions of the existing PTC regulations and the rule makes one control system software related revision.

This final rule becomes effective on August 26th, 2021.

For a more detailed look at the changes in the Final Rule and links to the various discussions, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/fra-publishes-ptc-systems-final-rule - subscription required.

Review - HR 4611 Introduced - Software Supply Chain Risk Management Act

Last week, Rep Torres (D,NY) introduced HR 4611, the DHS Software Supply Chain Risk Management Act of 2021. The bill would require DHS to develop contract guidance to require that proposed contract bids would include a planned bill of materials for covered information and communications technology or service and a certification that such materials are free of known security vulnerabilities. The guidance would go into effect 180 days after the enactment of this bill.

NOTE: This review is based upon a Committee Print of the bill provided by the House Homeland Security Committee. The official GPO version has not yet been printed.

As I mentioned yesterday, this bill will be marked-up by the House Homeland Security Committee tomorrow. I expect that the bill will pass with significant bipartisan support. That would allow the bill to be considered by the full House under the suspension of the rules process.

For more details about the provisions of the bill and my look at its relation to software-bill-of-materials as defined by NIST, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-4611-introduced - subscription required.

Bills Introduced – 7-26-21

Yesterday with both the House and Senate back in Washington, there were 42 bills introduced. One of those bills will be covered in this blog:

HR 4691 To establish a K-12 education cybersecurity initiative, and for other purposes. Rep. Langevin, James R. [D-RI-2]

This is the bill that I discussed briefly yesterday which makes it similar to S 1917. Determining just how similar will have to wait for the GPO to print the bill. Meanwhile, it will be marked up by the House Homeland Security Committee tomorrow.

Monday, July 26, 2021

Review - HR 4505 Introduced – FY 2022 CJS Spending

Earlier this month, Rep Cartwright (D,PA) introduced the marked up version of HR 4505, the Commerce, Justice, Science, and Related Agencies Appropriations Bill, 2022. The Appropriations Committee Report on the bill is also available. As is usual there are no cybersecurity provisions (beyond spending amounts for internal agency cybersecurity activities), but there are seven cybersecurity comments in the Report.

Moving Forward

As I noted earlier this morning, this bill is being rolled into the second spending minibus this year along with the Legislative and State spending bills (probably under HR 4336). The House Rules Committee will meet tomorrow to establish the rule for the floor debate on the 2nd minibus. There have been 134 amendments submitted for this bill. Only one of those amendments is of concern here:

#4, Rep Langevin - Increases funding for NSF Education and Human Resources by $10,000,000. The money will be used for the CyberCorps: Scholarship for Service program in line with the funding recommendation from the Cyberspace Solarium Commission. Offset by an equal decrease to Federal Prison System – Salaries.

I suspect that the minibus will be passed along mainly party lines.

For more details about the cybersecurity comments, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-4505-introduced - subscription required.

Committee Hearings – Week of 7-26-21

With both the House and Senate in Washington and looking forward to the summer recess, there is a full slate of hearings this week. They include two Rules Committee hearings of spending bills, NDAA markups, two other mark-up hearings, CSB Nominations, and five cybersecurity related hearings.

Spending Bill Rules

In order to get the spending bills passed in the House before the summer recess, the House is, once again, combining spending bills into minibus bills. The House Rules Committee will be meeting twice this week to formulate the rules for consideration of the first two minibus bills.

Monday – HR 4452 First Minibus (LHHS, ARD, EW, FSG, IER, MC, VA, THUD), and

Tuesday – HR 4336 2nd Minibus ( Leg, State, CJS)

NDAA Markups

The various subcommittees of the House Armed Services Committee will be meeting this week to mark-up their respective portions of HR 4350, the National Defense Authorization Act for Fiscal Year 2022. The full Committee mark-up is currently scheduled for September 1st, 2021. The one subcommittee hearing of note here will be the Wednesday mark-up hearing of the Subcommittee on Cyber, Innovative Technologies, and Information Systems.

Other Mark-Up Hearings

On Tuesday the House Science, Space, and Technology Committee will be holding a mark-up hearing considering five bills. One of the bills may be (I have not seen the language yet) of interest here: HR 4609, the National Institute of Standards and Technology for the Future Act of 2021.

On Wednesday the House Homeland Security Committee will be holding a mark-up hearing considering ten bills. Two of those bills will be of interest here (based upon the committee prints available on the hearing web site):

HR 4611, The “DHS Software Supply Chain Risk Management Act of 2021

HR ____, The “K-12 Cybersecurity Act"

HR 4611 is a software bill-of-materials bill. I will try to review this in more detail before Wednesday. The K-12 cybersecurity bill will probably be introduced today. The committee print shows that it is very similar to S 1917 not the previously introduced house bill, HR 4005.

CSB Nominations

On Thursday, the Senate Environment and Public Works Committee will be holding a confirmation hearing for the three nominees for Board membership on the U.S. Chemical Safety and Hazard Investigations Board.

Cybersecurity Hearings

On Tuesday the Subcommittee on National Security of the House Oversight and Reform Committee will hold a hearing on “Defending the U.S. Electric Grid Against Cyber Threats”. The witness list includes:

• Eric Goldstein, CISA,

• Puesh M. Kumar, CESER,

• Joseph H. McClelland, FERC

On Tuesday the Senate Judiciary Committee will be holding a hearing on “America Under Cyber Siege: Preventing and Responding to Ransomware Attacks”. The witness list includes:

• Richard Downing, DOJ,

• Bryan Vorndran, FBI,

• Eric Goldstein, CISA,

• Jeremy Sheridan, Secret Service

On Tuesday the Senate Homeland Security and Governmental Affairs Committee will be holding a hearing on “Resources and Authorities Needed to Protect and Secure the Homeland”. The sole witness will be Secretary Alejandro N. Mayorkas.

On Tuesday the Senate Commerce, Science, and Transportation Committee will be holding a hearing on “Pipeline Cybersecurity: Protecting Critical Infrastructure”. The witness list includes:

• David Pekoske, TSA,

• Polly Trottenberg, DOT,

• Leslie Gordon, GAO

On Thursday the Cybersecurity, Infrastructure Protection, & Innovation Subcommittee of the House Homeland Security Committee will be holding a hearing on “The Cyber Talent Pipeline: Educating a Workforce to Match Today’s Threats”. The witness list includes:

• Kevin Nolten, CYBER.ORG,

• Ralph Ley, Idaho National Laboratory,

• Tony Coulson, California State University, San Bernardino

Sunday, July 25, 2021

Review - HR 4550 Introduced – FY 2022 THUD Spending

Last week, Rep Price (D,NC) introduced the committee marked-up version of HR 4550, the Transportation, Housing and Urban Development, and Related Agencies Appropriations Act, 2022. The Committee Report on the bill is also available. The bill includes one pipeline provision of note and one industrial control system provision. Additional information and guidance is provided in the Report on automated vehicles, aviation safety, rail cybersecurity, and LNG by rail.

This bill is being rolled into the first FY 2022 minibus, HR 4502 as Division G. The House Rules Committee will be meeting tomorrow to formulate the Rule on that minibus, which will be considered on the floor of the House this coming week. There have been 78 amendments suggested for Division G, none of which are of particular interest here. The combined bill (because of the lack of the Hyde Amendment – abortion funding restrictions) will probably pass on a party-line vote. There is a chance that a Hyde Amendment provision will be added in a floor vote, that would probably increase the chances of this bill passing.

For more details about the bill and report, including discussions about the automated vehicles, aviation safety, rail cybersecurity, and LNG by rail, see my article on CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-4550-introduced - subscription required

Review - HR 4046 Introduced - NTIA Policy and Cybersecurity Coordination

Last month, Rep Duncan (R,SC) introduced HR 4046, the NTIA Policy and Cybersecurity Coordination Act. The bill would establish within the National Telecommunications and Information Administration (NTIA) the Office of Policy Development and Cybersecurity. The current Associate Administrator for Policy Analysis and Development would become the first Associate Administrator for Policy Development and Cybersecurity, heading the new Office.

Duncan and one of his two cosponsor {Rep Curtis (R,UT)} are members of the House Energy and Commerce Committee to which this bill was assigned for consideration. This means that there may be sufficient influence to see the bill considered in Committee. I do not see anything here that would engender any specific opposition, since this would essentially acknowledge and codify actions that are being undertaken at NTIA in any case. I suspect that the bill would receive significant bipartisan support and could be moved to the floor of the House using the suspension of the rules process; limited debate, no floor amendments and a super majority to pass.

I was surprised not to see the language in this bill as a proposed amendment to HR 4046, the FY 2022 CJS spending bill, on the House Rules Committee site. That Committee will be formulating the rule for the consideration of the spending bill on Tuesday. Since NTIA is a component of the Commerce Department, this would have been an ideal place to move this bill forward. This may mean that Duncan has not place a high priority on this bill.

For more details about the duties of this new Office, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-4046-introduced - subscription required.

Saturday, July 24, 2021

4 Sponsors Added for HR 4005 - Enhancing K–12 Cybersecurity

On Thursday, four new sponsors were added for HR 4005, the Enhancing K–12 Cybersecurity Act. Two of those sponsors {Rep Miller-Meeks (R,IA) and Rep Hayes (D,CT)} are members of the House Education and Labor Committee, the second committee to which this bill was assigned. Before this addition there were no cosponsors from that Committee. This means that there now may be enough influence for the bill to be considered in Committee.

The House Homeland Security Committee is the primary committee of jurisdiction for this bill. The bill could move to the floor of the House with just a hearing from Homeland Security if Chair Thompson (D,MS) could reach an agreement with the Chair of the Education and Labor Committee {Rep Scott (D,VA)}. Or Education and Labor could markup those portions of the bill under their purview. Or Scott could effectively kill the bill if he had strong objections to either provisions of the bill or felt slighted by a lack of coordinated effort on the bill. These two new cosponsors may indicate that the last two options have been dealt with. 

Review - Public ICS Disclosures – Week of 7-17-21

This week we have seven vendor disclosures from MB connect (3), CODESYS, Dell (2) and Ruckus. We have five researcher reports for products from Schneider Electric, Advantech, and KevinLAB (3).

MB connect Advisory #1 - CERT-VDE published an advisory describing two vulnerabilities in the MB connect mymbCONNECT24, mbCONNECT24 products.

MB connect Advisory #2 - CERT-VDE published an advisory discussing two vulnerabilities in the MB connect mymbCONNECT24, mbCONNECT24 products.

MB connect Advisory #3 - CERT-VDE published an advisory describing two vulnerabilities in the MB connect mbDIALUP product.

CODESYS Advisory - CODESYS published an advisory describing a null pointer dereference vulnerability in their EtherNetIP protocol stack.

Dell Advisory #1 - Dell published an advisory discussing a null pointer dereference vulnerability in their Wyse ThinOS product line.

Dell Advisory #2 - Dell published an advisory describing two sensitive item disclosure vulnerabilities in their Wyse ThinOS product line.

Ruckus Advisory - Ruckus published an advisory describing an improper handling of an error condition vulnerability in their SmartZone Controller.

Schneider Report - SEC Consult published a report describing two vulnerabilities in the Schneider Electric EVlink product.

Advantech Report - The Zero Day Initiative published a report describing a lack of authentication vulnerability for the Advantech WebAccess/NMS.

KevinLAB Report #1 - Zero Science published a report describing a path traversal information disclosure vulnerability in the KevinLab Building Energy Management System (BEMS) product.

KevinLAB Report #2 - Zero Science published a report describing an SQL injection vulnerability in the KevinLAB BEMS product.

KevinLAB Report #3 - Zero Science published a report describing a back-door account vulnerability in the KevinLAB BEMS product.

For more details on the vulnerability reports and links to exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-c10 - subscription required.

Friday, July 23, 2021

Review - S 2274 Introduced - Federal Cybersecurity Workforce Expansion

Last month Sen Hassan (D,NH) introduced S 2274, the Federal Cybersecurity Workforce Expansion Act. It would allow CISA to establish an apprenticeship program that would lead to cybersecurity related employment with CISA or a CISA supporting entity. The bill would also require the Veterans Administration to establish a pilot program providing cyber-specific training for eligible individuals. The CISA program is authorized ‘such funds as necessary’, but no funding is specified for the VA program.

Hassan is a member of the Senate Homeland Security and Governmental Affairs Committee to which this bill was assigned for consideration. She probably has enough influence to see this bill considered in Committee. I see nothing in the bill that would engender any specific opposition. I suspect that it would receive significant bipartisan support in committee. This bill would not be considered on the floor of the Senate under regular order, but it might make it into the DHS spending bill as an amendment.

While this bill does not directly address control system security issues, increasing the cybersecurity qualified staffing of CISA is certainly of interest to the ICS security community. While the training programs established under this bill would be targeted at future CISA employment, they should result in a net increase to the nation’s cybersecurity workforce.

For a closer look at the details of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2274-introduced - subscription required.

Bills Introduced – 7-22-21

Yesterday, with both the House and Senate in session and preparing to head home for the weekend, there were 109 bills introduced. One of those bills will receive additional coverage in this blog:

S 2439 A bill to amend the Homeland Security Act of 2002 to provide for the responsibility of the Cybersecurity and Infrastructure Security Agency to maintain capabilities to identify threats to industrial control systems, and for other purposes. Sen. Peters, Gary [D-MI]

Thursday, July 22, 2021

Review - S 2302 Introduced – DOE Organization

Last month, Sen Barrasso (R,WY) introduced S 2302 (no fancy name). The bill would amend 42 USC 7133(a), which lists the duties of the eight Assistant Secretaries of the Department of Energy. It removes some of the wording of §7133(a) and adds a paragraph (12) listing security and emergency response related duties for Assistant Secretaries.

Barrasso is the Ranking Member of the Senate Energy and Natural Resources Committee to which this bill was assigned for consideration and his sole cosponsor {Sen Risch (R,ID)} is also a member of the Committee. Normally, this would mean that Barrasso would have enough influence to see the bill considered in Committee. The fact, however, that there is no Democrat cosponsor would seem to indicate that there are conflicts within the Committee about these provisions that may mitigate against the consideration.

For a closer look at the details of the changes proposed in this bill and their potential political ramifications, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2302-introduced - subscription required.

Review - HR 4005 Introduced - Enhancing K–12 Cybersecurity

Last month, Rep Matsui (D,CA) introduced HR 4005, the Enhancing K–12 Cybersecurity Act. The bill would require CISA to establish a school cybersecurity information exchange, a cybersecurity incident registry, and a K–12 cybersecurity technology improvement program. The bill would authorize $10 million per year through 2023 to fund such programs. This bill is not related to S 1917, K–12 Cybersecurity Act of 2021, in anyway.

Matsui is not a member of either the House Homeland Security Committee or the Education and Labor Committee to which this bill was assigned for consideration. Four of her cosponsors {Rep Katko (R,NY), Rep Langevin (D,RI), Rep Garbarino (R,NY), Rep McCaul (R,TX)} are members of the Homeland Security Committee (and Katko is the Ranking Member) so there is probably sufficient influence available to see this bill considered in Committee. I see nothing in this bill that would draw organized opposition.

I suspect that there would be sufficient bipartisan support for this bill in Committee that the House leadership would move this bill to the floor of the House under the suspension of the rules process.

For a more detailed analysis of the bill and my suggestions for its improvement, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-4005-introduced - subscription required.

Bills Introduced – 7-21-21

Yesterday, with both the House and Senate in session, there were 60 bills introduced. Four of those bills may receive additional coverage in this blog:

HR 4597 To amend the Federal Water Pollution Control Act to make certain projects and activities eligible for financial assistance under a State water pollution control revolving fund, and for other purposes. Rep. Garamendi, John [D-CA-3]

HR 4609 To reauthorize the National Institute of Standards and Technology, and for other purposes. Rep. Stevens, Haley M. [D-MI-11]

HR 4611 To direct the Secretary of Homeland Security to issue guidance with respect to certain information and communications technology or services contracts, and for other purposes. Rep. Torres, Ritchie [D-NY-15]

S 2407 A bill to ensure timely Federal Government awareness of cyber intrusions that pose a threat to national security, enable the development of a common operating picture of national-level cyber threats, and to make appropriate, actionable cyber threat information available to the relevant government and private sector entities, as well as the public, and for other purposes. Sen. Warner, Mark [D-VA] 

I will be watching HR 4597 and HR 4611 for language and definitions that would include industrial control systems within the coverage of the bill.

I will be covering HR 4609 as NIST has become an important cybersecurity standards setting organization for the US Government.

S 2407 is the long awaited and much publicized Senate Intelligence Committee bill on reporting of cyber incidents. It has an impressive list of cosponsors. See Warner’s press release of the bill here. A draft version of the bill (GPO version will be out sometime) has been provided by Warner’s office. After a quick scan I see one thing of importance (certainly there will be more as I look at it in more depth), the bill kicks down to CISA the responsibility for defining what ‘critical infrastructure’ organizations will be required to report cyber breaches. This could become the de facto list of what constitutes critical infrastructure.

Wednesday, July 21, 2021

6 Cybersecurity Bills Passed in House – 7-20-21

Yesterday the House passed six cybersecurity bills as part of an en bloc vote on 21 bills that were considered on Monday and Tuesday under the suspension of the rules process. The recorded vote was 319 to 105 with the Republican vote nearly evenly split. The six cybersecurity bills were:

HR 2928 – Cyber Sense Act of 2021

HR 1871 – Transportation Security Transparency Improvement Act,

HR 3138 – State and Local Cybersecurity Improvement Act, as amended,

HR 1833 – DHS Industrial Control Systems Capabilities Enhancement Act of 2021, as amended,

HR 2980 – Cybersecurity Vulnerability Remediation Act, as amended,

HR 3223 – CISA Cyber Exercise Act

Review - HR 4006 Introduced – Fair Repair Act

Last month, Rep Morelle (D,NY) introduced HR 4006, the Fair Repair Act. The bill would establish a requirement for original equipment manufacturers to make available “documentation, parts, and tools, inclusive of any updates to information or embedded software” for the purpose of diagnosis, maintenance or repair of equipment sold or used in the United States. It would also make the Federal Trade Commission the agency responsible for enforcement of the requirement.

Neither Morelle or his sole cosponsor {Rep Khanna (D,CA)} are members of the House Energy and Commerce Committee to which this bill was assigned for consideration. Generally, this means that the Committee is unlikely to consider this bill. If the bill were to be considered in Committee, it would almost certainly draw significant opposition from Republicans supporting manufacturers, and from some Democrats for privacy issues. There may not be enough votes to move the bill forward because of that opposition.

For more details about the provisions of the bill and my suggestions for improvements, see my article at CFSN Detailed Review - https://patrickcoyle.substack.com/p/hr-4006-introduced - subscription required.

Bills Introduced – 7-20-21

Yesterday, with both the House and Senate in Washington, there were 73 bills introduced. Three of those bills may receive additional coverage in this blog:

HR 4549 Making appropriations for energy and water development and related agencies for the fiscal year ending September 30, 2022, and for other purposes. Rep. Kaptur, Marcy [D-OH-9]

HR 4550 Making appropriations for the Departments of Transportation, and Housing and Urban Development, and related agencies for the fiscal year ending September 30, 2022, and for other purposes. Rep. Price, David E. [D-NC-4]

HR 4551 To amend the U.S. SAFE WEB Act of 2006 to provide for reporting with respect to cross-border complaints involving ransomware or other cyber-related attacks, and for other purposes. Rep. Bilirakis, Gus M. [R-FL-12]

I will be following the two spending bills (as is normal here). GPO has published the text of the bills, but I am waiting on the publication of the Committee Reports before I review these two bills. As I mentioned the other day, both of these bills are currently slated to be combined in the first mini-bus next week.

I will be watching HR 4551 for language and definitions that would tend to include industrial control systems within the coverage of the legislation.

Tuesday, July 20, 2021

Review - 1 Advisory Published – 7-20-21

 Today CISA’s NCCIC-ICS published a control system security advisory for products from Mitsubishi.

The advisory describes a null pointer dereference vulnerability in the Mitsubishi MELSEC-F Series Ethernet interface block.

CISA/Microsoft® security issue I reported last week has apparently been corrected.

For more details on both issues, see my article on CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-published-e5c - subscription required.

Review - S 2139 Introduced - International Cybercrime Prevention

Last month Sen Whitehouse (D,RI) introduced S 2139, the International Cybercrime Prevention Act. The bill would make several changes to 18 USC to provide additional legal tools to combat international cybercrime. It includes adding a new 18 USC 1030A, Aggravated Damage to a Critical Infrastructure Computer. A nearly identical bill (S 3288) was introduced by Sen Graham in the 115th Congress with no action taken.

Whitehouse is a subcommittee chair in the Senate Judiciary Committee to which this bill was assigned for consideration and his three cosponsors {Sen Graham (R,SC), Sen Tillis (R,NC), Sen Blumenthal (D,CT)} are also members of the Committee. This should mean that there is adequate influence to see this bill considered in Committee. It is hard to predict what sort of opposition this bill would draw. I would expect that this would draw some opposition from folks that oppose the current wording of §1030 as it expands rather than restricts the types of offenses under that section.

Graham introduced similar bills in the 115th, and 114th Congresses. Neither saw any action taken in the Judiciary Committee. It would be easy to assume that similar inaction would be expected in this Congress, but the leadership has changed and Whitehouse introducing the bill could mean a significant political change in the prospects for the bill. We will just have to wait and see.

The title of this bill is very misleading. There is nothing here that would target international cyber crime and the only prevention activity is the prosecution of individuals used as a deterrent, a fairly ineffective prevention activity.

For a more detailed look at the provisions of the bill and what they could mean for crimes against industrial control systems, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2139-introduced - subscription required.

HR 2921 Passed in House – Enhanced Grid Security

Yesterday the House passed HR 2931, the Enhancing Grid Security through Public-Private Partnerships Act, by a voice vote (pg H3641). There was limited debate on the bill with no voices raised in opposition. This bill is unlikely to be considered in the Senate, certainly not through normal order. If it is taken up as stand-alone legislation it will be by the Senate’s unanimous consent process. This bill could be included in some other ‘more important’ legislation where it could be considered under regular order.

HR 2928, the Cyber Sense Act of 2021, was also taken up yesterday, but a recorded vote was demanded and action was deferred until today.

Senate Takes up HR 3684 – INVEST in America Act

Yesterday the Senate began the process for the consideration of HR 3684, the INVEST in America Act. The Senate will be using this as the vehicle for their still-being-crafted bipartisan infrastructure bill. A cloture motion for the debate on the motion to proceed to consideration of the bill was filed with a cloture vote scheduled for some time Wednesday after the Senate deals with the nomination Bonnie D. Jenkins, of New York, to be Under Secretary of State for Arms Control and International Security. That is, of course assuming that compromise can be worked out on the substitute language that will be considered for HR 3684.

The House language for the bill will not be considered in the Senate, Republican opposition to the bill would ensure that. The bill passed in the House on a party-line vote. If a Republican supported (at least 10 votes worth of support) compromise cannot be worked out, HR 3684 will die in the Senate.

It is unlikely that all (or perhaps any) of the cybersecurity provisions that were worked into HR 3684 would make it into the substitute language. They could come back in the conference language that would have to be worked out before the bill is sent to President Biden.


Bills Introduced – 7-19-21

Yesterday, with both the House and Senate back in Washington, there were 56 bills introduced. Of those there were seven bills that may receive additional coverage in this blog:

HR 4502 Making appropriations for the Departments of Labor, Health and Human Services, and Education, and related agencies for the fiscal year ending September 30, 2022, and for other purposes. Rep. DeLauro, Rosa L. [D-CT-3]

HR 4505 Making appropriations for the Departments of Commerce and Justice, Science, and Related Agencies for the fiscal year ending September 30, 2022, and for other purposes. Rep. Cartwright, Matt [D-PA-8]

HR 4513 To amend the Small Business Act to provide for the establishment of an enhanced cybersecurity assistance and protections for small businesses, and for other purposes. Rep. Donalds, Byron [R-FL-19]

 

HR 4515 To amend the Small Business Act to require cyber certification for small business development center counselors, and for other purposes. Rep. Garbarino, Andrew R. [R-NY-2]

HR 4530 To establish the Office of Technologists within the Federal Trade Commission. Rep. McNerney, Jerry [D-CA-9]

S 2377 An original bill to invest in the energy and outdoor infrastructure of the United States to deploy new and innovative technologies, update existing infrastructure to be reliable and resilient, and secure energy infrastructure against physical and cyber threats, and for other purposes. Sen. Manchin, Joseph [D-WV]

S 2382 A bill to authorize the National Cyber Director to accept details from other elements of the Federal Government on nonreimbursable basis, and for other purposes. Sen. Portman, Rob [R-OH]

The two spending bills will be rolled into the first minibus that I discussed yesterday.

I will be watching HR 4513 and HR 4515 for language and definitions that would indicate that industrial control systems would be included in their coverage.

Okay, I probably will not be covering HR 4530, but I have to see what an “Office of Technologists” is.

S 2377 is Sen Manchin’s (D,WV) infrastructure bill (counter point to the similar but unrelated HR 3684) that was marked up in the Senate Energy and Natural Resources Committee last week. The bill incorporates a number of cybersecurity bills. I am not sure that this will go anywhere, but it will be worth watching.

S 2382 is a housekeeping bill to allow the fleshing out of the Office of the National Cyber Director. I will probably be covering this even though it will almost certainly not have ICS specific language.

Monday, July 19, 2021

Committee Hearings – Week of 7-18-21

This week with both the House and Senate meeting in Washington, there will be a full slate of committee hearings. Hearings of interest include the markup of the Senate version of the FY 2022 National Defense Authorization Act, three cybersecurity hearings and the start of the consideration process for FY 2022 spending bills. And we will have an interesting slate of cybersecurity legislation being considered on the floor of the House.

NDAA Markup in Senate

The Senate Armed Services Committee will be marking up their version of the FY 2022 NDAA. Each subcommittee will be meeting to markup their portions of the NDAA on Monday and Tuesday. Then the full Committee will meet Wednesday and probably Thursday to complete the markup process. The subcommittee markups of interest here include:

• Monday - Subcommittee on Cybersecurity. CLOSED

• Tuesday - Subcommittee on Emerging Threats and Capabilities. CLOSED.

Cybersecurity Hearings

On Tuesday the House Small Business Committee will be holding a hearing on “Strengthening the Cybersecurity Posture of America’s Small Business Community”. This hearing is unlikely to specifically address control system security issues. The witness list will include:

• Tasha Cornish, Cybersecurity Association of Maryland, Inc.,

• Sharon Nichols, Mississippi Small Business Development Center,

• Kiersten Todt, Cyber Readiness Institute,

• Graham Dufault, The App Association,

On Tuesday the Subcommittee on Oversight and Investigations of the House Committee on Energy and Commerce will be holding a hearing on "Stopping Digital Thieves: The Growing Threat of Ransomware". This hearing is very likely to specifically address control system security issues and could get fairly technical. The witness list includes:

• Kemba Walden, Microsoft Corporation,

• Robert M. Lee, Dragos,

• Christian Dameff, M.D., M.S., Medical Director of Cybersecurity, UC San Diego Health,

• Charles Carmakal, FireEye-Mandiant

• Philip Reiner, Institute for Security and Technology

On Wednesday, the Senate Environment and Public Works Committee will be holding a hearing on “Addressing Cybersecurity Vulnerabilities Facing Our Nation’s Physical Infrastructure”. While the witness list is not yet available, there is a decent chance that there will be some discussion about control system cybersecurity issues. I would not be surprised to see witnesses from the water treatment sector.

Spending Bills

The House Rules Committee has announced that they are accepting amendments for the first spending bill for FY 2022. The House will be considering a minibus (multiple spending bills under one bill number), probably next week. The amendment deadline is Wednesday evening and the Committee is likely to hold their rulemaking hearing next Monday.

The slate for the first minibus is set to include:

Division A (Labor, Health and Human Services, Education),

Division B (HR 4356 – Agriculture, Rural Development),

Division C (Energy and Water Development),

Division D (HR 4345 – Financial Services and General Government),.

Division E (HR 4372 – Interior, Environment),

Division F (HR 4355 – Military Construction, Veterans Affairs),

Division G (Transportation, Housing, and Urban Development),

I do not typically review the FSG, or MCV spending bills, and the ARD bill contained nothing that I cover in this blog. The LHHS and THUD bills will probably be introduced today.

On the Floor

The House will be spreading their 27 bills considered under suspension of the rules over two days this week. The list includes seven cybersecurity bills:

• Monday

HR 2931 – Enhancing Grid Security through Public-Private Partnerships Act,

HR 2928 – Cyber Sense Act of 2021

• Tuesday

HR 1871 – Transportation Security Transparency Improvement Act,

HR 3138 – State and Local Cybersecurity Improvement Act, as amended,

HR 1833 – DHS Industrial Control Systems Capabilities Enhancement Act of 2021, as amended,

HR 2980 – Cybersecurity Vulnerability Remediation Act, as amended,

HR 3223 – CISA Cyber Exercise Act

Republicans have been forcing recorded votes on the suspension bills. Democrats have responded by voting on some and including the remainder in the vote on the language of the rule for consideration of bills under regular order. This may make reporting passage of these bills somewhat piece meal.

Sunday, July 18, 2021

Review - HR 3701 Introduced – PIPE Act

Last month, Rep Delgado (D,NY) introduced HR 3701, the Protecting Infrastructure and Promoting the Economy (PIPE) Act. The bill would require the EPA to establish two new discretionary grant programs; one for wastewater infrastructure and one for drinking water infrastructure. While there is no specific mention of cybersecurity, the grant projects are defined broadly enough to include coverage of cybersecurity support of projects. The bill would authorize the expenditure of $1 billion per year through 2031 for each grant program.

Delgado and two of his cosponsors {Norton (D,DC), and Cohen (D,TN)} are members of the House Transportation and Infrastructure Committee, the primary of two committees to which this bill was assigned for consideration. This means that there may be sufficient influence to see the bill considered in Committee. Because of the large amount of spending authorized by the bill, I would expect to see significant opposition to this bill from Republicans. It might not be enough to stop consideration in Committee, but it would stop the bill from being able to be considered on the floor of the House under the suspension of the rules process. It is unlikely that this bill would make it to the floor of the House under regular order.

For a more detailed review of the bill’s language and my suggestions for changes, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-3701-introduced - subscription required.

Review – Public ICS Disclosures – Week of 7-10-21 – Part 2

As has become typical for the weekend following the 2nd Tuesday, we have a Part 2 to cover the disclosures and updates from Schneider and Siemens that were not addressed by NCCIC-ICS.

Schneider advisory #1 - Schneider published an advisory describing three vulnerabilities in their Easergy T300 RTU.

Schneider advisory #2 - Schneider published an advisory describing a deserialization of untrusted data vulnerability in their SoSafe Configurable product.

Schneider advisory #3 - Schneider published an advisory describing a missing authentication for critical function vulnerability in their Easergy T200 RTU.

Schneider advisory #4 - Schneider published an advisory describing thirteen vulnerabilities in their EVlink City, Parking and Smart Wallbox products.

Siemens advisory #1 - Siemens published an advisory discussing two buffer over-read vulnerabilities in a number of their products that utilize the WIBU CodeMeter Runtime product.

Siemens advisory #2 – Siemens published an advisory discussing a null pointer dereference vulnerability in a number of their products that utilize OpenSSL.

Siemens advisory #3 - Siemens published an advisory discussing the FragAttacks WiFi vulnerabilities in their SCALANCE product line.

Schneider update #1 - Schneider published an update for their Ripple20 advisory that was originally published on June 23, 2020 and most recently updated on May 11th, 2021.

Schneider update #2 - Schneider published an update for their APC Ripple20 advisory that was  originally published on June 23, 2020 and most recently updated on January 12th, 2021.

Schneider update #3 - Schneider published an update for their EcoStructure advisory that was originally published on December 8th, 2020.

Schneider update #4 - Schneider published an update for their Triconex advisory that was originally published on May 11th, 2021.

Schneider update #5 - Schneider published an update for their Treck TCP/IPv6 advisory that was originally published on December 18th, 2020.

Schneider update #6 - Schneider published an update for their PLC Simulator advisory that was originally published on November 10th, 2020 and most recently updated on June 8th, 2021.

Siemens update - Siemens published an update for their GNU/Linux subsystem advisory advisory that was originally published in 2018 and most recently updated on May 11th, 2021.

For a more detailed look at the advisories, including links to exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-part-2 - subscription required.

 
/* Use this with templates/template-twocol.html */