Friday, December 3, 2021

S 2629 Reported in Senate - Cybercrime Reporting

Earlier this week the Senate Judiciary Committee reported S 2629, the Better Cybercrime Metrics Act favorably without a written report. The Committee met on November 18th, 2021, to consider the bill and ordered it reported at that time without amendment. The bill is now cleared for possible consideration by the full Senate.

The bill would require DOJ to establish a taxonomy for classifying cybercrime in the National Incident-Based Reporting System (NIBRS) and would require the reporting of cybercrimes according to that taxonomy. The bill provides for $1 million to support the development of the taxonomy, including a study on the topic by the National Academy of Sciences. It would have no effect on cybercrime reporting by victims.

Reporting a bill without a written report is usually an indication that an effort is going to be made to bring the bill to the floor for consideration. With the strong bipartisan support seen for this bill in Committee, it is possible that the bill could be offered under the Senate’s unanimous consent process.

Thursday, December 2, 2021

House and Senate Pass HR 6119 – FY 2022 CR

 The House and Senate both took up and passed HR 6119 (Rules Committee print), the Further Extending Government Funding Act, that will extend the current FY 2022 spending through February 18th, 2022. The bill is a ‘clean’ continuing resolution. The only additional spending included in the bill concerns Operation Allies Welcome, the re-settlement activities for the Afghanistan refuges that were evacuated when the US withdrew US military support from that country this summer.

The House took up the bill this afternoon. After little more than two hours of debate, the bill passed by a near party-line vote of 221 to 212. Rep Kinzinger (R,IL) was the only person to ‘switch sides’ by voting to pass the bill.

After the Senate leadership agreed to a straight up vote on an amendment to defund the President’s vaccine mandate, the Senate took up HR 6119. The anti-vaccine amendment fell on a straight party-line vote of 48 to 50, with a simple majority required for passage. The final bill passed on a partially bipartisan vote of 69 to 28, with 60 ayes required for passage.

President Biden will likely sign the bill tomorrow avoiding a shutdown of the federal government, at least through February.

Review - 8 Advisories Published – 12-2-21

Today, CISA’s NCCIC-ICS published eight control system security advisories for products from Hitachi Energy (5), Distributed Data Systems, Johnson Controls, and Schneider Electric.

RTU500 Advisory #1 - This advisory discusses three vulnerabilities in the Hitachi Energy the RTU500 series. These are third-party vulnerabilities.

NOTE: The Hitachi Energy advisory for these vulnerabilities is actually an update from an advisory that was originally published on November 17th, 2021. That update provided mitigation measures for RTU500 series CMU.

PCM600 Advisory - This advisory describes an improper certificate validation vulnerability in the Hitachi Energy PCM600 Update Manager.

NOTE: I briefly described this vulnerability on October 31st, 2021.

APM Edge Advisory - This advisory describes a using components with known vulnerabilities vulnerability in the Hitachi Energy Transformer Asset Performance Management (APM) Edge product. NOTE: The Hitachi advisory upon which this was based is actually an update of an advisory that was originally published on November 2nd, 2021. The update removed eight CVE’s from the original list (CVE-2017-18258, CVE-2018-14404, CVE-2018-14567, CVE-2020-7595, CVE-2019-1543, CVE-2019-1552, CVE-2021-3450, and CVE-2019-19956).

Relion Advisory - This advisory describes an insecure default initialization of resource vulnerability in the Hitachi Energy Relion 670/650/SAM600-IO series products.

NOTE: I briefly reported this vulnerability on November 6th, 2021.

RTU500 Advisory #2 - This advisory describes an improper input validation vulnerability in the Hitachi Energy RTU500 series Bidirectional Communication Interface (BCI).

NOTE: I briefly reported this vulnerability on November 20th, 2021.

Distributed Data Systems Advisory - This advisory describes two vulnerabilities in the Distributed Data Systems WebHMI.

Johnson Controls Advisory - This advisory describes an exposure of sensitive information to an unauthorized actor vulnerability in the Johnson Controls (Kantech subsidiary) EntraPass security management software.

Schneider Advisory - This advisory describes an insufficient entropy vulnerability in the Schneider Electric Software Update (SESU) application.

NOTE: I briefly reported on this vulnerability on November 14th, 2021.

For more details about these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/8-advisories-published-12-2-21 - subscription required.

Wednesday, December 1, 2021

Review - 2021 Chemical Security Seminars – ChemLock Breakout Session

Today was the first day of the three weekly Chemical Security Seminars that are once again taking the place of the annual Chemical Security Summit because of the health restrictions related to Covid 19. Because of other commitments I was only able to make one of today’s virtual sessions, so I selected the Voluntary Chemical Security Initiatives presentation by CISA’s Annie Hunziker Boyer. This was the first public presentation about the new ChemLock program.

Sometime next month the CISA folks will publish the slides from all of today’s presentations, including the ChemLock slides. I will provide links when they become available. The highlight’s of today’s presentation included:

• ChemLock Background,

• Four Pillars of ChemLock,

• ChemLock and CFATS, and

• The Future of ChemLock

Program Note: CISA has a new version of the ‘preliminary’ agenda for the Seminars. It provides a more detailed description of the presentations. The next seminar is on December 8th, 2021. Two interesting looking cybersecurity presentations.

Moving Forward

I think that this program is an exciting next step for the folks at OCS. I will be digging into the web site and associated documents in the same way that I have been looking at the CFATS program over the years. At this point, however, it looks like a win-win situation for facilities. Even if a facility does little more that request an assistance visit to see if they have security issues that need addressing, the ChemLock program could provide facility management with a leg up on improving their security posture.

While this is a ‘free program’ in that CISA is providing assistance and information at no cost to the facility, security programs are never free. Effective security is resource intensive, getting help from people who have been dealing with chemical facility security for more than a decade could be a resource multiplier.

For more details about what I heard today and how I think that applies to folks in the chemical facility security field, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2021-chemical-security-seminars - subscription required.

Review - OMB Approves TSA Cybersecurity ICR for Surface Transportation

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had issued an emergency approval for an information collection request from the TSA for “Cybersecurity Measures for Surface Modes” (1652-0074). According to the abstract for the new ICR: “TSA intends to publish Security Directives (SD), which will be mandatory, and Information Circular (IC), which will be non-mandatory recommendations, to various surface transportation mode operators to address the ongoing cybersecurity threat using a risk-based approach to transportation security.

The information provided in yesterday’s ICR approval document is sketchy and incomplete at best. TSA is required within the next 90 days to publish a standard 60-day ICR notice in the Federal Register. Given TSA’s history of incomplete and misleading ICR notices, I do not expect to see any useable details in that notice.

I expect that we will see the release of the two security directives either today or tomorrow. With the information provided in this ICR, I expect these will be similar to the first SD issued to pipeline operators and that the information will be made public. We will have to wait and see if TSA plans on issuing a restricted distribution follow-on security directive like they did with the pipeline folks.

For more details about the ICR and the security directives that it supports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/omb-approves-tsa-cybersecurity-icr - subscription required.

Continuing Resolution to be Considered in House?

 

The House Majority Leaders web site notes that the House may consider “Legislation Making Further Appropriations for FY22” today. No such legislation was introduced yesterday and there is nothing on the House Rules Committee web site so this would have to be a second continuing resolution for the FY 2022 spending bill, no surprise there. At this late date this will almost certainly be a clean CR without policy riders that would unnecessarily upset most Republicans. The only real question is how long the CR will last; before Christmas, February/March or remainder of fiscal year?

 

And, of course (for the 116th Congress anyway), the Republicans continue their delaying tactics in the House. Seven suspensions from yesterday still require votes (including the three cyber related bills I mentioned yesterday). These bills will eventually pass with substantial bipartisan support, but the mechanics of voting slows down the House processes.

Bills Introduced – 11-30-21

Yesterday, with both the House and Senate in session, there were 36 bills introduced. Four of those bills may received additional attention in this blog:

HR 6084 To require the Federal Energy Regulatory Commission to certify an Energy Product Reliability Organization which shall, subject to Commission review, establish and enforce energy product reliability standards, and for other purposes. Rep. Rush, Bobby L. [D-IL-1] 

HR 6088 To amend the Safe Drinking Water Act to authorize grants for smart water infrastructure technology, and for other purposes. Rep. Gallego, Ruben [D-AZ-7]

S 3282 A bill to amend the Federal Water Pollution Control Act and the Safe Drinking Water Act to authorize grants for smart water infrastructure technology, and for other purposes. Sen. Kelly, Mark [D-AZ]

S 3288 A bill to reauthorize and reform the National Telecommunications and Information Administration, and for other purposes. Sen. Wicker, Roger [R-MS] 

I will be watching all four bills for language and definitions that would include control system cybersecurity within the scope of their coverage.

NOTE: I would like to congratulate Rep Gallego and Sen Kelly for continuing the historic tradition of State delegations cooperating to introduce companion legislation in the House and Senate. We do not see much of this type of coordination on the Hill any longer.

Tuesday, November 30, 2021

Witness List for Thursday Cybersecurity Hearing

The witness list for the hearing on transportation cybersecurity that I described yesterday is now available on the House Transportation and Infrastructure Committee’s hearing web site. The list of witnesses includes:

• Cordell Schachter, DOT,

• Larry Grossman, FAA,

• Victoria Newhouse, TSA,

• Rear Admiral John W. Mauger, USCG,

• Kevin Dorsey, DOT IG, and

• Nick Marinos, GAO

This is a very interesting line up. I suspect that this will be two different panels. The first three witnesses would look at pending TSA cybersecurity regulations for the aviation sector. The last two witnesses would be there to talk about potential DOT oversight of cybersecurity. But that leaves Admiral Mauger as the odd man out.

The CG has become more and more proactive about cybersecurity matters as part of their Maritime Transportation Security Act programs. I suspect that the Admiral is being included to show that the safety folks are capable of handling cybersecurity and do not need interference from TSA. I am not sure the CG’s point of view really supports that since security is part of their military mission.

This hearing also points out the cybersecurity oversight issue (okay, any kind of security oversight) in Congress. Transportation and Infrastructure has (obviously) transportation oversight responsibilities. Since the TSA impacts transportation, they share some oversight of TSA with the House Homeland Security Committee. T&I wants more cybersecurity responsibility (okay… authority) and if they can keep TSA out and make cybersecurity a modal agency responsibility, they will get that authority.

It should be an interesting hearing.

Review - 5 Advisories and 2 Updates Published – 11-30-21

Today, CISA’s NCCIC-ICS published five control system security advisories for products from Hitachi Energy, Johnson Controls, Delta Electronics, Mitsubishi Electric, and Xylem. They also updated two advisories for products from multiple RTOS and InHand Networks.

Hitachi Energy Advisory - This advisory describes an improper access control vulnerability in the Hitachi Energy Retail Operations and Counterparty Settlement and Billing (CSB) Product.

NOTE: I briefly discussed the two supporting Hitachi Energy advisories along with five others on November 6th, 2021.

Johnson Controls Advisory - This advisory discusses an off-by-one error vulnerability in the Johnson Controls Controlled Electronic Management Systems Ltd. CEM Systems AC2000.

Delta Electronics Advisory - This advisory describes a stack-based buffer overflow vulnerability in the Delta Electronics CNCSoft software management software.

Mitsubishi Advisory - This advisory describes three vulnerabilities in the Mitsubishi MELSEC CPU module and MELIPC Series software management platform.

Xylem Advisory - This advisory describes an SQL injection vulnerability in the Xylem Aanderaa GeoView web-based data display.

Multiple RTOS Update - This update provides additional information on an advisory that was originally published on April 29th, 2021 and most recently updated on August 17th, 2021.

NOTE 1: I briefly discussed the reported Hitachi Energy RTU500 advisory on November 20th.

NOTE 2: I briefly discussed the reported Hitachi Energy MSM advisory on August 21st, 2021.

InHand Networks Update - This update provides additional information on an advisory that was originally published on October 7th, 2021.

NOTE: InHand went from a notation of “InHand Networks has not responded to requests to work with CISA to mitigate these vulnerabilities” to having a vendor security advisories page with vulnerability reporting contact information and PGP public key listing. I hope they keep it up; it has been added to my weekly checklist.

For more details on these advisories and updates, including links to 3rd party vendors and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-advisories-and-2-updates-published - subscription required.

Senate Amendments to HR 4350 – 11-29-21

Yesterday, the Senate resumed their consideration of HR 4350, the FY 2022 National Defense Authorization Act (NDAA). There were 25 new amendments proposed for the Senate’s consideration, none were of particular interest here. The Senate held a cloture vote to close debate on the substitute language amendment (SA 3867), the vote failed by a vote of 45 to 51 (60 votes required for passage) with liberal Democrats joining most Republicans in voting against closing the debate.. The vote failed because of the lack of an agreement on what amendments to SA 3867 would be considered before the final vote on the substitute language was held. The Senate will continue consideration of HR 4350 today.

Note: Sen Schumer’s (D,NY) ‘nay’ vote was made after cloture failed and did not reflect opposition to the cloture move. It was made to allow him (under Senate rules) to request reconsideration of the cloture vote, which he did. No word yet on when that vote will occur.

Monday, November 29, 2021

Review - ChemLock – Secure Your Chemicals – Delay

NOTE: On November 18th, 2021, CISA announced their new voluntary chemical security program, ChemLock. This post is part of a deep dive into that program. Earlier posts in this series include:

CISA Announces ChemLock – Voluntary Chemical Facility Security (short version)

ChemLock and the Chemical Security Summit

ChemLock – On-Site Assessments and Assistance (short version)

ChemLock – Secure Your Chemicals – Overview (short version)

ChemLock – Secure Your Chemicals – Detect (short version)

While early detection of an attack on the chemical facility is certainly important, the longer an attacker is delayed from reaching their chemical targets the more time the facility and its security response have react appropriately to the attack. This is the reason behind Chapter 4 of the ChemLock Secure Your Chemicals manual, ‘Delay’. This chapter provides a brief overview of:

• Perimeter and asset barriers

• Physical locking mechanisms

• Access control

• Inspections

• Screenings

• Know-your-customer program

As I mentioned in the previous post in this series, the discussions in this section fall far short of providing facility security officers with all of the knowledge necessary to implement delay features in their facility security plans. It provides an overview of considerations to help FSO’s ask the right questions of CSI, vendors and integrators.

Committee Hearings – Week of 11-28-21

This week, both the House and the Senate are back in Washington after their Thanksgiving recess. The hearing schedule is light, with the Senate committees concentrating on nomination considerations. There will be one cybersecurity hearing in the House. The Senate will continue debate of HR 4350, the FY 2022 NDAA. And, of course, midnight Friday is the deadline for passing a spending bill.

Cybersecurity Hearing

On Thursday the House Transportation and Infrastructure Committee will hold a hearing on “The Evolving Cybersecurity Landscape: Federal Perspectives on Securing the Nation's Infrastructure”. There is no witness list currently available for this hearing.

On the Floor

The Senate resumes consideration of HR 4350, the FY 2022 National Defense Authorization Act (NDAA). There has been no announcement of an agreement on what amendments may make it to the floor of the Senate.

The House schedule currently includes 24 bills to be considered under the suspension of the rules process. This includes three cyber related bills that I have not covered in this blog:

HR 2685 – Understanding Cybersecurity of Mobile Networks Act, as amended,

HR 4045 – FUTURE Networks Act, as amended, and

HR 4055 – American Cybersecurity Literacy Act, as amended.

The House schedule also includes a generic listing for “Consideration of Legislation Making Further Appropriations for FY22”, but it almost certainly does not refer to an actual spending bill. It will most likely be a continuing resolution of some length. The options being considered include before Christmas, January/February, or September 31st, 2022. None of the options are ‘good’, all are politically fraught.

Saturday, November 27, 2021

CRS Report - Cybersecurity: Selected Cyberattacks, 2012-2021

This report to Congress provides a brief overview of 53 cyberattacks conducted against either the US government of private sector entities in the last ten years. It describes attribution in cyberspace, confidence of attribution, and common types of cyberattack.

Sections in the report include:

• Attribution,

• Common cyberattack terms,

• Nation-state cyberattacks, and

• Foreign criminal cyberattacks

This is a highly generalized discussion for non-technical personnel. The definition of terms section is nicely done. The selection of attacks presented is broadly representative rather than comprehensive.

Review – Public ICS Disclosures – Week of 11-20-21

This week we have ten vendor disclosures from Advantech, Hitachi, Hitachi Energy (2), Moxa (2), QNAP (2), and VMware. There is also an update from Mitsubishi. Additionally, we have two researcher reports for vulnerabilities for products from PerFact and Philips. Finally, we have an exploit for a product from ModbusTools.

Advantech Advisory - Advantech published an advisory describing five sets of vulnerabilities (each set corresponding to a separate Talos report containing multiple vulnerabilities) in their R-SeeNet application.

Hitachi Advisory - Hitachi published an advisory discussing 24 vulnerabilities in their Disk Array Systems.

Hitachi Energy Advisory #1 - Hitachi Energy published an advisory describing two vulnerabilities in their XMC20 product.

Hitachi Energy Advisory #2 - Hitachi Energy published an advisory describing two vulnerabilities in their FOX61x product.

Moxa Advisory #1 - Moxa published an advisory describing eleven vulnerabilities in their ioLogik E2200 Series Controllers and I/Os.

Moxa Advisory #2 - Moxa published an advisory describing three vulnerabilities in their NPort IAW5000A-I/O Series Servers.

QNAP Advisory #1 - QNAP published an advisory describing an improper authentication vulnerability in their VS Series NVR.

QNAP Advisory #2 - QNAP published an advisory describing a command injection vulnerability in their VS Series NVR.

VMware Advisory - VMware published an advisory describing two vulnerabilities in their vCenter Server.

Mitsubishi Update - Mitsubishi published an update for their GENESIS64 and MC Works64 advisory that was originally published on October 21st, 2021.

PerFact Report - Claroty published a report describing vulnerabilities in VPN products in use in industrial applications including a previously unpublished server-side request forgery vulnerability in products from PerFact.

Philips Report - Nozomi Networks published a report describing five vulnerabilities in patient monitoring products from Philips.

ModbusTools Exploit - Yehia Elghaly published an exploit for an improper restriction of operations within the bounds of a memory buffer vulnerabilty in the Modbus Slave tool from ModbusTools.

For more details on these advisories, updates, reports and exploits, including links to supporting third-party vulnerabilities, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11-857 - subscription required.

Friday, November 26, 2021

Review - ChemLock – Secure Your Chemicals – Detection

NOTE: On November 18th, 2021, CISA announced their new voluntary chemical security program, ChemLock. This post is part of a deep dive into that program. Earlier posts in this series include:

CISA Announces ChemLock – Voluntary Chemical Facility Security (short version)

ChemLock and the Chemical Security Summit

ChemLock - On-Site Assessments and Assistance (short version)

ChemLock – Secure Your Chemicals – Overview (short version)

The first goal of any security program is ensuring that you can detect an attack as early as possible. Thus, Chapter 3 of the ChemLock Secure Your Chemicals manual discusses ‘detection’ as it relates to the physical security of the facility (detection of cyberattacks is discussed separately). This chapter provides a brief overview of:

• Intrusion detection systems (IDS),

• Camera systems,

• Employees or on-site security personnel,

• Security lighting, and

• Inventory controls

The chapter briefly discusses the importance of detecting an attack as early as possible to allow for appropriate response measures to prevent the attack or minimize the potential consequences of the attack. The discussion mentions that: “detection needs to occur prior to an attack (i.e., in the attack-planning stages)” {pg 16} but does not provide any information on what that entails. Back in 2008 I addressed the ‘Seven Signs of Terrorism’ video which is apparently no longer available, but the New Jersey Office of Homeland Security & Preparedness has a brief presentation available that covers the concept nicely.

The discussions about detection in this manual are brief looks at potential considerations and type listings. They are hardly going to make the facility security manager a subject matter expert on any of these topics. CISA’s Office of Chemical Security is offering the services of their chemical security inspectors to help facilities get a better handle on these topics, but it is going to come down to hiring physical security experts to really make these detection systems effective.

For more details about, and discussions on, the topics covered in this chapter, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/chemlock-secure-your-chemicals-4f6  - subscription required.

S 3241 Introduced – HACT Act

Last Week Sen Kennedy (R,LA) introduced S 3241, the Homeland And Cyber Threat (HACT) Act. The bill would remove foreign state immunity from lawsuits brought for injuries incurred from computer intrusions by a foreign state. The bill is nearly identical to HR 1607 of the same title that was introduced in the House back in March and has not seen any legislative activity since it was introduced.

The only difference in the two bills is that the Senate version corrects a critical legislative oversight in the House version by inserting a subsection (b), Technical and Conforming Amendment. That subsection would amend the ‘table of sections’ for 28 USC Chapter 97 to include the section added by this bill. The absence of this subsection in the House bill calls into question the level of professionalism in the crafters of the bill in the House.

Kennedy is a member of the Senate Judiciary Committee to which this bill was assigned for consideration. He should have the influence necessary to see this bill considered by the Committee. Again, as with HR 1607, I do not believe that the bill will be considered as it directly impacts sovereign immunity, a touchy subject. I believe that we would have to see a serious cyberattack on private sector systems that has a clear attribution back to a State actor for Congress to act on either of these bills. Introducing bills such as this, however, is a good political move in many constituencies.

Thursday, November 25, 2021

CISA Announces Initial Cybersecurity Advisory Committee Meeting – 12-10-15

CISA published a meeting notice in tomorrow’s (on-line today) Federal Register (86 FR 67484-67485) for the initial meeting of the Cybersecurity Advisory Committee on December 10th, 2021. This in-person (subject to changes in COVID status) meeting will be held in McLean, VA. Portions of the meeting will be closed to the public for security reasons.

The Cybersecurity Advisory Committee was established earlier this month. This initial meeting will include:

• An overview of CISA,

• A discussion on CISA's big challenges, priorities, and

• Potential study topics for the Committee

Personnel wishing to attend the meeting or make public comments at the meeting need to register via email (CISA_CybersecurityAdvisoryCommittee@cisa.dhs.gov) by December 8th. Written comments may be submitted by the same date via the Federal eRulemaking Portal (www.regulations.gov; docket #CISA-2021-0017).

CG Publishes NMSAC Meeting Notice – 12-15-21

The Coast Guard has posted a meeting notice in tomorrow’s (on line today) Federal Register (86 FR 67482-67483) for a teleconference for their National Maritime Security Advisory Committee (NMSAC) on December 15th, 2015. The Coast Guard intends to present a new tasking to the NMSAC: “Recommendations on Cybersecurity Information Sharing”. A copy of the tasking document should be on the NMSAC web site by December 13th.

Personnel who wish to join the teleconference should contact the Ryan Owens (ryan.f.owens@uscg.mil) by December 7th, 2021. Those wishing to submit comments for the Committee’s consideration focused on improving and enhancing the sharing of information related to cybersecurity risks that may cause a transportation security incident may submit them through the Federal eRulemaking Portal (www.Regulations.gov; Docket # USCG-2021-0824).

Wednesday, November 24, 2021

Review - ChemLock – Secure Your Chemicals – Overview

NOTE: On November 18th, 2021, CISA announced their new voluntary chemical security program, ChemLock. This post is part of a deep dive into that program. ‘Short version’ links below are abbreviated posts on this blog that do not require subscriptions to my CFSN Detailed Analysis. Earlier posts in this series include:

CISA Announces ChemLock – Voluntary Chemical Facility Security (short version)

ChemLock and the Chemical Security Summit

ChemLock - On-Site Assessments and Assistance (short version)

Once a chemical facility has completed their vulnerability assessment, they are able to start preparing the facility security plan (FSP). Since the ChemLock program is a completely voluntary program, there is no requirement to involve chemical security inspectors (CSI) from CISA’s Office of Chemical Security in the development or approval of an FSP. But CSI do have years of experience in the unique security situations associated with chemical facilities and have a broad institutional knowledge of what has been tried and what works at high-risk chemical facilities. The ChemLock program makes this security plan knowledge base available to facilities that are not covered by the Chemical Facility Anti-Terrorism Standards (CFATS) program.

ChemLock Documents

The ChemLock Security Plan web page provides a starting off point for the development of facility security plan. It re-emphasizes the goals of a chemical security program that were discussed on their ChemLock Assessments page. It then provides a brief description of the process of developing an FSP and the concept of Security-in-Depth. The page also provides links to the following resources:

Secure Your Chemicals (.PDF manual),

Secure Your Chemicals Template (.docx download link), and

ChemLock Services Request Form

Moving Forward

Chemical facilities wishing assistance from CISA’s Office of Chemical Security in either establishing a new facility security plan, or having an existing plan reviewed by experienced professionals, should certainly consider contacting OCS via the new ChemLock program. I will be looking in more detail about the FSP process that ChemLock is using, as well as other support available from ChemLock, in future posts in this series.

For more details about the manuals and forms described above, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/chemlock-secure-your-chemicals - subscription required

Monday, November 22, 2021

Review - ChemLock - On-Site Assessments and Assistance

NOTE: Last week, CISA announced their new voluntary chemical security program, ChemLock. This post is part a deep dive into that program. CISA’s new ChemLock program was developed upon the realization that there are literally tens of thousands of chemical facilities that house, produce or use dangerous chemicals that could be used by terrorists to effect chemical attacks here in the United States. A small percentage of those facilities are covered by the Chemical Facility Anti-Terrorism Standards (CFATS) program, but the remaining facilities have had no government assistance to help them protect their facilities from terrorist attention. ChemLock is designed to change that.

The first step in any security planning exercise is the conduct of a security assessment. While the CFATS program utilizes a suite of on-line tools for facilities to submit information to the Office of Chemical Security to conduct such an assessment, the ChemLock program avoids the requirement for facilities to submit data to CISA. In ChemLock, a facility simply requests assistance via a rather simple on-line form, and OCS will contact the facility to coordinate a visit by chemical security inspectors.

Security Assessment

The ChemLock program envisions two different types of security assessments for which they would be providing assistance:

• Security Awareness Consultation: CISA experts work with facilities to identify potentially dangerous chemicals and the security risks that those chemicals may pose.

• Security Posture Assessment: CISA experts work with facilities to assess their current security posture and identify security enhancements that are tailored to the facility’s unique circumstances and needs.

As currently configured, the ChemLock program does not require facilities to submit any information to CISA about the chemicals stored at the facility or the security measures in place at, or planned for, the facility.

Security Goals

The whole point of the ChemLock program is to provide assistance to chemical facilities so that they can achieve the following security goals:

• DETECT an attack,

• DELAY the adversary,

• RESPOND in a timely manner, and

• SECURE your cyber assets.

Conducting an appropriate security assessment, with the help of experts from CISA is a first step in achieving those goals.

For more details about these security assessments, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/chemlock-on-site-assessments-and - subscription required.

Sunday, November 21, 2021

Review - Public ICS Disclosures – Week of 11-13-21 – Part 2

For Part 2 we have six vendor disclosures from Flexera, HPE, Meinberg, QNAP, Tanzu, and VMware. There as an update from CODESYS. We also have six researcher reports about vulnerabilities in products from LibreCad (3) and Open Design Alliance (3).

Flexera Advisory - Flexera published an advisory describing an open redirect vulnerability in their FlexNet Publisher.

HPE Advisory - HPE published an advisory discussing four vulnerabilities in their Fibre Channel Host Bus Adapters.

Meinberg Advisory - Meinberg published an advisory describing six vulnerabilities in their LANTIME-Firmware.

QNAP Advisory - QNAP published an advisory describing a cross-site scripting vulnerability in their NAS running Ragic Cloud DB.

Tanzu Advisory - Tanzu published an advisory describing a code injection vulnerability in their Spring Cloud Netflix Hystrix Dashboard.

VMware Advisory - VMware published an advisory describing a privilege escalation vulnerability in their VMware Center Server.

CODESYS Update - CODESYS published an update for their Gateway V3 advisory that was originally published on March 29th, 2021  and most recently updated on May 18th, 2021.

LibreCad Report #1 – Talos published a report describing a use after free vulnerability in the LibreCad libdxfrw. This is a coordinated disclosure.

LibreCad Report #2 - Talos published a report describing an improper restriction of operations within the bounds of a memory buffer in the LibreCad libdxfrw.

LibreCad Report #3 - Talos published a report describing an out-of-bounds write vulnerability in the LibreCad libdxfrw.

ODA Report #1 - ZDI published a report describing a use-after-free vulnerability in the ODA ODAviewer product.

ODA Report #2 - ZDI published a report describing an out-of-bounds read vulnerability in the ODA ODAviewer product.

ODA Report #3 - ZDI published a report describing an out-of-bounds read vulnerability in the ODA ODAviewer product.

For more details about these advisories and reports, including links to third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11-e7c - subscription required.

Saturday, November 20, 2021

ChemLock and the Chemical Security Summit

The deadline for registering for the 2021 Chemical Security Seminars is fast approaching. In the past, the major focus of these seminars (and the pre-Covid annual Chemical Sector Security Summit) has been on the Chemical Facility Anti-Terrorism Standards (CFATS) program. Voluntary chemical security measures and resources have always been addressed, but CFATS has been the focus. That will change this year.

With this week’s announcement of the ChemLock program, the voluntary chemical facility security presentations will take on an entirely new light and importance. CISA had already proposed a one-hour presentation on “Voluntary Chemical Security Programs”, by CISA’s Annie Hunziker Boyer. I suspect that by the time her talk rolls around on December 1st, the actual title of the presentation will reflect the new program name. Other presentations will also be of interest to facilities considering the new ChemLock program.

Management for chemical facilities that are considering participation in the ChemLock program need to sign up for the Chemical Security Seminars. These are free, virtual presentations to be held on the first three Wednesdays of December. The preliminary agenda for the Seminars is available here. Registration ends on November 30th, just a long holiday week away.

Senate Amendments to HR 4350 – 11-19-21

Yesterday, the Senate continued their consideration of HR 4350, the FY 2022 National Defense Authorization Act (NDAA). There was no action on the bill. Cloture was filed to stop the debate on the substitute language amendment and the vote on that could happen any time after 5:30 pm on November 29th when the Senate returns from their Thanksgiving recess. One additional amendment was proposed, but it is of no particular interest here.

Review - Public ICS Disclosures – Week of 11-13-21 – Part 1

Review - Public ICS Disclosures – Week of 11-13-21 – Part 1

This has been a very busy week for vendor disclosures, so I will be doing this as a two-part report again this week. This week we have 17 vendor disclosures from Blackberry, Braun (2), WAGO (3), Dell, Gallagher (6), and ABB (4).

Blackberry Advisory - Blackberry published an advisory describing a remote code execution vulnerability in their QNX Software Development Platform.

Braun Advisory #1 - Braun published an advisory discussing the NUCLEUS:13 vulnerabilities.

Braun Advisory #2 - Braun published an advisory discussing the INFRA:HALT vulnerabilities.

WAGO Advisory #1 - CERT-VDE published an advisory discussing six vulnerabilities in a number of WAGO PLCs.

WAGO Advisory #2 - CERT-VDE published an advisory discussing an improper handling of exceptional conditions vulnerability in a number of WAGO PLC’s.

WAGO Advisory #3 - CERT-VDE published an advisory discussing the NUCLEUS:13 vulnerabilities.

Dell Advisory - Dell published an advisory describing five vulnerabilities in their Wyse Management Suite.

Gallagher Advisory #1 - Gallagher published an advisory describing an unquoted service path vulnerability in their Controller Service.

Gallagher Advisory #2 - Gallagher published an advisory describing an improper privilege validation vulnerability in their Command Centre Server.

Gallagher Advisory #3 - Gallagher published an advisory describing an improper certificate validation vulnerability in their Command Centre Server.

Gallagher Advisory #4 - Gallagher published an advisory describing an improper validation of the cloud-certificate chain in their Mobile Connect for Android.

Gallagher Advisory #5 - Gallagher published an advisory describing an improper validation of the cloud-certificate chain in their Command Centre Mobile Client for Android.

Gallagher Advisory #6 - Gallagher published an advisory describing an incomplete comparison with missing factors vulnerability in their Gallagher Controller.

ABB Advisory #1 - ABB published an advisory discussing two vulnerabilities in their Hitachi Energy RTU500 series.

ABB Advisory #2 - ABB published an advisory discussing the BadAlloc vulnerabilities in their Hitachi Energy RTU500 series.

ABB Advisory #3 - ABB published an advisory discussing three vulnerabilities in their Hitachi Energy RTU500 Series.

ABB Advisory #4 - ABB published an advisory describing a validation error vulnerability in their Hitachi Energy RTU500 Series.

For more information on these advisories, including links to third-party advisories and exploits, see  my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11-880 - subscription required.

Friday, November 19, 2021

Senate Amendments to HR 4350 – 11-18-21

Yesterday, the Senate continued their consideration of HR 4350, the FY 2022 National Defense Authorization Act (NDAA). No agreement had been reached about what amendments would be considered, so yesterday’s consideration of the bill consisted of speeches. Additionally, there were 150 new amendments proposed. Many of these amendments were offered earlier, but there are minor differences in language to make the amendment more acceptable to various concerned parties. Six of the amendments offered yesterday may be of interest here:

SA 4784 - Sen King (I,ME): DIVISION E: Defense Of United States Infrastructure [pg S8456] Similar to S 2491,

SA 4785 - Sen Ossoff (D,GA): SEC. xx. Dr. David Satcher cybersecurity education grant program. [pg S8458] Similar to S 2305,

SA 4799 - Sen Peters (D,MI): DIVISION E: Federal Information Security Modernization Act of 2021 [pg S8469],

DIVISION F: Cyber Incident Reporting Act Of 2021 nd CISA Technical Corrections and Improvements Act of 2021 [pg S 8482],

TITLE LXI: Cyber incident reporting act of 2021 [pg S8482],

TITLE LXII—CISA technical corrections and improvements act of 2021 [pg S8487],

SA 4802 – Sen Ossoff: SEC. xx. Dr. David Satcher cybersecurity education grant program. [pg S8491]

SA 4813 - Sen Scott (R,FL): DIVISION E: Cyber Incident Reporting Act of 2021 and CISA Technical Corrections and Improvements Act of 2021 {pg S 8500],

TITLE LI: Cyber incident reporting act of 2021 [pg S8500],

TITLE LII—CISA technical corrections and improvements act of 2021 [pg S8505]

SA 4831 - Sen Scott: DIVISION E: Federal Information Security Modernization Act of 2021 [pg S8516],

DIVISION F: Cyber Incident Reporting Act Of 2021 and CISA Technical Corrections and Improvements Act off 2021 [pg S8529],

TITLE LXI: Cyber incident reporting act of 2021 [pg S8529],

TITLE LXII: CISA technical corrections and improvements act of 2021 [pg S8534]

NOTE: Corrected Date in Title and added link for the list of amendments 11-20-21 13:50 EST

NASA Announces PNT Advisory Board Meeting – 9-12-21

Today NASA published a meeting notice in the Federal Register (86 FR 64962) for a two-day meeting of the National Space-Based Positioning, Navigation and Timing (PNT) Advisory Board on December 9th and 10th, 2021. The meeting will be open to the public.

The meeting agenda includes:

• Reports and Updates from PNT Advisory Board Working Groups

• Preliminary Deliberations on any Findings and Recommendations

• Other PNT Advisory Board Business and Work Plan Schedule

There is no information available on the Advisory Board web site about the current activities of the working groups. The last time the Board met was in July 2020.

HR 5956 Introduced – DHS in NSC

Last week, Rep Katko (R,NY) introduced HR 5956, the National Security Council Membership Act of 2021. The bill would amend 50 USC 3021 to include the Secretary of DHS as member of the National Security Council. DHS has been unofficially included as part of the ‘such other officers of the United States Government as the President may designate’ portion of §101(c)(1) being amended by this bill.

Neither Katko nor his sole cosponsor {Rep Thompson (D,MS)} are members of House Armed Services, Foreign Affairs or Intelligence Committees to which this bill was assigned for consideration. This means that it is unlikely that bill will be considered by any of those committees, especially since the prestige of those committee chairs is enhanced (with respect to the Homeland Security Committee) by DHS not being on the NSC list. I suspect that there would be bipartisan support for this bill if it were to make it to the floor of the House.

Bills Introduced – 11-18-21

Yesterday, with both the House and Senate preparing to leave for their Thanksgiving recess (both houses will meet briefly today), there were 102 bills introduced. Two of those bills may receive additional coverage in this blog:

S 3241 A bill to amend title 28, United States Code, to allow claims against foreign states for unlawful computer intrusion, and for other purposes. Sen. Kennedy, John [R-LA]

S 3260 A bill to require a 20th anniversary review of the missions, capabilities, and performance of the Transportation Security Administration. Sen. Wicker, Roger [R-MS]

I will be watching S 3241 for language and definitions that would include control systems within the coverage of the bill.

I will be watching S 3260 for language that would specifically include surface security activities in the review.

Thursday, November 18, 2021

TRIP 2022 Data Call Changes Cyber Insurance Information Request

Today the Treasury Department’s Federal Insurance Office (FIO) published a notice in the Federal Register (86 FR 64600-64603) concerning proposed changes to the Terrorism Risk Insurance Program’s (TRIP) 2022 Data Call. The revised data collection would include changes to the data templates used to collect information about cyber insurance.

The notice reports that:

“The cyber insurance market continues to grow and evolve, and cyber-related losses (particularly with regard to ransomware) have increased significantly over the past few years.[14] In view of recent market developments and the important role of cyber insurance in the Program, Treasury would like to obtain more detailed information relating to the availability and affordability of such coverage in the market.”

The changes in the cyber question include:

Premium and limits information for cyber coverages written in non-TRIP-eligible lines of insurance,

Premium and policy count information broken out by size of policyholder,

Specific information on the cyber extortion [ransomware] coverages provided under cyber insurance policies, and

Loss information regarding these ransomware exposures.

The FOI is requesting public comments about the proposed changes in the 2022 data call. Comments may be submitted via the Federal eRulemaking Portal (www.regulations.gov; docket # OMB Control Number 1505-0257. Comments should be submitted by January 18th, 2022.

Review - 2 Advisories and 4 Updates Published

Today, CISA’s NCCIC-ICS published two medical device security advisories for products from Philips. They also published four updates for products from VISAM, Mitsubishi, Philips and Trane.

Patient Information Center Advisory - This advisory describes three vulnerabilities in the Philips Patient Information Center iX.

IntelliBridge Advisory - This advisory describes two vulnerabilities in the Philips IntelliBridge EC 40 and EC 80 Hub.

VISAM Update - This update provides additional information on an advisory that was originally published on March 24th, 2021 and most recently updated on July 8th, 2021.

Mitsubishi Update - This update provides additional information on an advisory that was originally published on July 30th, 2020 and most recently updated on July 27th, 2021.

Philips Update - This update provides additional information on an advisory that was originally published on September 10th, 2020 and most recently updated on August 31st, 2021.

Trane Update - This update provides additional information on an advisory that was originally published on September 23rd, 2021.

For additional details on these advisories and updates, see my article on CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-and-4-updates-published - subscription required –

Review - CISA Announces ChemLock – Voluntary Chemical Facility Security

Today CISA announced the launch of their new voluntary chemical facility security program for chemical facilities that are not part of the Chemical Facility Anti-Terrorism Standards (CFATS) program. The new ChemLock program is an outgrowth of the CFATS program and the realization that facilities that are not considered at ‘high-risk’ for terrorist attack are at some risk of physical or cyber attack because of the chemicals stored, used or produced at the facility. The ChemLock program allows CISA to provide assistance to those facilities, based upon the long experience that the Office of Chemical Security has in overseeing the CFATS program.

Commentary

This is a voluntary chemical facility security program run out of the same office as the CFATS program. While this is not a program for facilities covered under that program, there are information sources available through this program that could be of use to CFATS facilities. Chemical facilities that are not covered by the CFATS program will find information and assistance here to determine what security measures may be applicable to their facility and how to implement those security measures.

The web site for this new program is hitting as a nearly fully formed information source for chemical facility security. The fold from OCS have used their long CFATS experience to address the basics of chemical facility security in an easy to access format. Assistance from experienced chemical facility inspectors is going to be a major selling point for this program.

Facilities that hold inventories of DHS chemicals of interest but are not currently covered by the program should certainly take a look at this program if there is any chance that there may be inventory or process changes in their future that may push them into the CFATS program. The resources available here could give facilities a head start on setting up a security program that could be readily morphed into a CFATS program site security plan.

I will be taking a closer look at this new program in future articles.

For more details about today’s announcement, including links to various pages within the new site, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cisa-announces-chemlock - subscription required.

Senate Amendments to HR 4350 – 11-17-21

Yesterday, the Senate voted 84-15 to close debate on whether to begin consideration of HR 4350, the FY 2022 National Defense Authorization Act (NDAA). This means that the process of considering potential amendments to that bill will begin today. Additionally, there were 49 new amendments offered for consideration; two of those amendments may be of interest there:

SA 4764 - Sen Menendez (D,NJ): DIVISION E: Federal Information Security Modernization Act of 2021 [pg S8367] Similar to S 2902, and

SA 4769 - Sen Warnock (D,GA): SEC. xxx. Report on pathways for cyber and software engineering workforce growth. [pg S8380].

Commentary

There has been discussion in the press (see here for example) about the possibility of a variety of cybersecurity measures being included in this bill during the amendment process, and I have certainly been documenting the wide variety of such amendments in this series of blog posts. Much of that discussion has been centered on the bipartisan nature of the support for these amendments.

While bipartisan support is generally a good thing, it is not a controlling factor in the decision to bring a proposed amendment to the floor of the Senate for consideration. As we have seen on a number of occasions, even near universal support for an amendment can be stymied by the objection of a single Senator. This is because, due to the rules of the Senate, consideration of an amendment typically requires unanimous consent. There are ways around this ‘typical’ process, but they are time consuming, and ‘time consuming’ in the Senate means a really-long time.

One Senator in particular, Sen Paul (R,WV), is well known for using this as a tactic for forcing the Senate to consider amendments of his that would not normally see a vote in the Senate. Even when he knows that there will not be near enough support in the body to approve his amendment, Paul can be counted upon to force at least one vote during the consideration of ‘must pass’ bills like this.

Wednesday, November 17, 2021

Senate Amendments to HR 4350 – 11-16-21

With the Senate starting the process for the consideration of HR 4350, the FY 2022 NDAA on Monday the first cloture vote will probably be held this afternoon. That vote will start the actual amendment consideration process. Meanwhile, yesterday there were 72 amendments proposed yesterday. Seven of those amendments were of potential interest here

 

SA 4662 - Sen King (I,ME): SEC. 1064. Report on cybersecurity certifications and labeling [pgs S8246-7],

SA 4673 – Sen Peters (D,MI): DIVISION E: Cyber Incident Reporting Act Of 2021 and CISA Technical Corrections and Improvements Act of 2021 [pgs S8251-2];

TITLE LI: Cyber incident reporting act of 2021 [pg S8252], Similar to S 2785,

TITLE LII: CISA technical corrections and improvements act of 2021 [pg S8257], Similar to S 2740,

SA 4674 - Sen Peters: DIVISION E: Federal Information Security Modernization Act of 2021 [pg S8260], Similar to S 2274,

SA 4676 - Sen Klobuchar (D,MN): SEC. xxx. Veterans cybersecurity and digital literacy grant program. [pg S8272],

SA 4724 – Sen King: SEC. 1064. Report on cybersecurity certifications and labeling. [pg S8297],

SA 4726 – Sen King: DIVISION E: Defense of United States Infrastructure [pg S8298], Similar to S 2491, and

SA 4732 – Sen Reed (D,RI): SEC. xxx. Cybersecurity transparency [pg S8314], Similar to S 808,


HR 5960 Introduced – SLTT Cybersecurity

Last week, Rep Neguse (D,CO) introduced HR 5960, the State and Local Government Cybersecurity Act of 2021. This bill is almost identical to the version of S 2520 recently reported in the Senate. It would codify existing outreach and support activities by CISA to support State, local, tribal, and territorial governments.

Differences from S 2520

With the exception of a couple of missing comas, the only difference between this bill and S 2520 is the addition of a run-on phrase (highlighted below) in the proposed subsection (p) for 6 USC 659. This version changes subparagraph (1)(G) to read:

“(G) provide operational and technical assistance to SLTT entities to implement tools, products, resources, policies, guidelines, controls, and standards and best practices and procedures on information security;”

Moving Forward

Neguse is not a member of the House Homeland Security Committee to which this bill was assigned for consideration. This means that there is unlikely to be adequate influence to see this bill considered in Committee. I see nothing in this bill that would engender any specific opposition. If it were considered in Committee, I would expect it to receive significant bipartisan support.

Tuesday, November 16, 2021

Review - 2 Advisories and 1 Update Published – 11-16-21

Today, CISA’s NCCIC-ICS published two control system security advisories for products from Mitsubishi and FATEK. They also published an update for products from Mitsubishi.

Mitsubishi updated a second advisory today. If NCCIC-ICS does not cover that update on Thursday, I will address it this weekend.

Mitsubishi Advisory - This advisory describes an input validation vulnerability in the Mitsubishi GOT2000 series, GOT SIMPLE series, and GT SoftGOT2000 HMI.

FATEK Advisory - This advisory describes two vulnerabilities in the FATEK WinProladder PLC programming software.

Mitsubishi Update - This update provides additional information on an advisory that was originally published on February 18th, 2021 and most recently updated on July 29th, 2021.

For additional information on these advisories and updates, see my article on CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-and-1-update-published-cbf - subscription required.

Senate Amendments to HR 4350 – 11-15-21

With the Senate starting the process for the consideration of HR 4350, the FY 2022 NDAA, there were 108 new amendments to that bill proposed in the Senate yesterday. Nine of those amendments made reference to cybersecurity issues:

SA 4560 - Sen King (I,ME): SEC. xx. Secure foundational internet protocols. [pg S8091],

SA 4561 - Sen King: DIVISION E: Defense of United States Infrastructure [pg S8091] Similar to S 2491,

SA 4580 - Sen Gillibrand (D,NY): SEC. 1601. Matters concerning cyber personnel requirements. [pg S8100] SA 3903 and SA 4181,

SA 4581 - Sen Gillibrand: SEC. xxx. Matters concerning cyber personnel education requirements. [pg S8101] SA 3903 and SA 4181,

SA 4598 - Sen Hassan (D,NV): DIVISION E: Federal Cybersecurity Workforce Expansion Act [pg S809] Similar to S 2274,

SA 4616 - Sen Warner (D,VA): DIVISION xx: Intelligence Authorization Act for Fiscal Year 2022 [pg S8128] Similar to S 2610,

SA 4624 - Sen Warner: SEC. xxx. Educational assistance for pursuit of programs of education in cybersecurity. [pg S8149],

SA 4637 - Sen Risch (R,ID): SEC. 1064. Think tank cybersecurity standards. [pg S8158], and

SA 4647 - Sen Peters (D,MI): DIVISION E: Federal Information Security Modernization Act of 2021 [pg S8179] Similar to S 2902.

Review - PHMSA Publishes Gas Gathering Lines Final Rule

Yesterday, the DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) published a final rule in the Federal Register (86 FR 63266-63299) for “Pipeline Safety: Safety of Gas Gathering Pipelines: Extension of Reporting Requirements, Regulation of Large, High-Pressure Lines, and Other Related Amendments.” The notice of proposed rulemaking (NPRM) for this action was published in April 2016.

The effective date of this final rule is May 16th, 2022.

For more details about the changes made in the final rule, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/phmsa-publishes-gas-gathering-lines  - subscription required.

OMB Approves Software Supply Chain NPRM

Yesterday, the OMB’s Office of Information and Regulatory Affairs announced that it had approved a Department of Commerce (DOC) notice of proposed rulemaking (NPRM) on “Securing the Information and Communications Technology and Services Supply Chain; Connected Software Applications”. This rulemaking is not listed in the Spring 2021 Unified Agenda.

As I noted when this rulemaking was sent to OMB for review, I suspect that this is related to §4 of EO 14028. This will probably appear in the Federal Register within the next week so we will know for sure what it covers then.

Monday, November 15, 2021

Review - HR 5376 to be Considered in House – Build Back Better Act

As I mentioned this morning, the House is currently scheduled to take up HR 5376, the Build Back Better Act some time this week (probably later rather than sooner). This bill has undergone a number of different revisions since it was introduced. The review in this post comes from the version being reported by the House Rules Committee. The bill includes $489 million in cybersecurity spending in three different sections and two cybersecurity mentions in passing.

It is likely that the Democrats will be able to muster adequate support from within their ranks to pass this bill in the House. They are going to need it since they are going to get no support from Republicans. It is still not clear if this bill will be able to clear the Senate.

For more details about the cybersecurity spending, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-5376-to-be-considered-in-house - subscription required.

Committee Hearings – Week of 11-14-21

With both the House and Senate back in Washington for a week between holidays, we have a nearly full slate of congressional hearings. Of interest here will be two ransomware hearings and markup of a cybersecurity bill.

Ransomware Hearings

On  Tuesday, the House Oversight and Reform Committee will hold a hearing on “Cracking Down on Ransomware: Strategies for Disrupting Criminal Hackers and Building Resilience Against Cyber Threats”. The witness list includes:

• Jen Easterly, CISA,

• Chris Inglis, National Cyber Director, and

• Bryan Vorndran, FBI

On Wednesday, two subcommittees of the House Homeland Security Committee will hold a joint hearing on “A Whole-of-Government Approach to Combatting Ransomware: Examining DHS’s Role”. The witness list includes:

• Rob Silvers, DHS,

• Jeremy Sheridan, Secret Service, and

• Brandon Wales, CISA

Neither hearing is expected to do more than mention controls system security in passing.

Cybersecurity Markup

On Thursday, the Senate Judiciary Committee is holding a business meeting. In addition to a number of nominations, it will take-up S 2629, the Better Cybercrime Metrics Act. This bill would add law enforcement cybercrime reporting requirements, but does not address private sector reporting cybercrimes to law enforcement or federal agencies.

On the Floor

This week the House is scheduled to take up HR 5376, the Build Back Better Act. I have not yet reviewed the most likely version of the bill to appear before the House, I have been awaiting last minute changes.

The Senate will likely take up HR 4350, the FY 2022 National Defense Authorization Act. The Senate will ignore the House language, taking up instead substitute language based upon S 2972. Readers will have seen my posts about the large number of amendments that have been proposed. More will likely be coming this week. It will be interesting to see which amendments actually make it to the floor for consideration. This will not be quick and the final vote may be delayed until after the Thanksgiving recess.

 

Sunday, November 14, 2021

Water Cybersecurity – NERC CIP or Something Else

An interesting blog post by Patrick Miller over on Ampersec.com on the topic of using the NERC CIP as a model for cybersecurity regulation of the water treatment/wastewater treatment sector. With his long experience with NERC CIP from a number of different perspectives, Patrick makes a number of important points that should be taken into account in any discussion of how to regulate the water sector. Unfortunately, I think he missed an important question, does cybersecurity really need to be regulated in that sector?

Last February I weighed in on this topic with my post “Call for Cybersecurity Regulations”. I want to take another look at the topic here, from a slightly different perspective, a perspective well familiar to those with experience in the Chemical Facility Anti-Terrorism Standards (CFATS) program, risk-based cybersecurity.

From a regulatory perspective, the federal government has no legitimate interest in insuring that the information services at water treatment facilities are adequately protected from cyberattacks. That is a utility management issue, the purview of State and local utility oversight organizations. Similarly, the EPA is only interested in ensuring that the water leaving the facility (into drinking water distribution systems or back into the wild, depending on the type of treatment plant) meets certain quality standards. As long as output testing controls are adequately protected, the cybersecurity of upstream treatment is not a legitimate federal concern.

So, we do not need a comprehensive set of cybersecurity regulatory controls to protect water treatment facilities from cyberattacks. We need each facility to have a risk-based vulnerability assessment of what controls (manual, analog and digital) at their unique facility are critical to output quality controls and then a properly scoped security plan (physical and digital) to protect those critical controls.

The EPA has taken a poorly crafted crack at the assessment side of the equation, but they are relying on local facility management that is trained and experienced in water treatment engineering to conduct security assessments. And they are just requiring that facilities certify that those assessments have been properly done. Security planning is just an after-thought.

What is needed is an online tool like that used in the CFATS program to submit vulnerability assessment data and relatively formulaic security plans. Water facilities are going to be more similar than chemical facilities, so a water security assessment tool (WSAT) will not need to be as complicated as the CFATS chemical security assessment tool (CSAT).

As I have said before, CFATS is probably a better model to look at rather than something like NERC CIP or the nuclear facility security model.

 
/* Use this with templates/template-twocol.html */