Sunday, January 31, 2021

Liquid Nitrogen Leak in GA Kills 6 – CSB Investigating

Earlier this week there was a liquid nitrogen leak at a chicken processing plant in Georgia that killed six people. Yesterday, Dr. Katherine Lemos, Chair of the Chemical Safety Board, held a press conference near the site to outline what the CSB knows at this point very early in their investigation. The New York Times has a good article on the incident.

The Incident

According to Lemos’ statement, the facility uses liquid nitrogen to flash freeze processed chickens on Line 4 at the facility. Somewhere (yet to be determined) between the liquid nitrogen (LN) storage tank and the cryogenic freezer where the LN is used, a leak occurred on Thursday. Upon release the LN warmed and converted to nitrogen gas, an asphyxiant. The plant was evacuated, but five people were apparently overcome and died on site. One was later pronounced dead at a local hospital. Twelve people were hospitalized and 130 people were evacuated from the plant site for medical evaluation.

CSB has identified the vendor that supplied the LN tank and presumably supplies the LN. It would appear from the Lemos statement that someone else designed and installed the supply lines to Line 4 and the cryogenic freezer on that line. That equipment was installed and commissioned in the last 4-6 weeks according to Lemos. There are indications (tools on the ground near the equipment) that some sort of maintenance activity was ongoing when the leak occurred.

Lemos reported that the facility was receiving 2-3 truck loads of LN per day.

Liquid Nitrogen Background

LN is cryogenically stored N2. Stored at less than -325°F, the liquid boils when it is released to the atmosphere. During conversion to gas it expands to 640 times its original volume. The expanding gas will displace air (which is already mostly nitrogen gas), reducing the oxygen content in the area of the leak to next to nothing. The size of the area affected by oxygen displacement will depend on the amount of LN released.

Moving LN through a facility requires specially designed and maintained piping and pumps. The extreme low temperature makes metals brittle. The contraction of piping due to the drop in temperature as LN moves through the piping, and its re-expansion after the movement is complete, will put stress on joints and elbows. Pressure will increase in piping as the temperature rises after LN movement stops; this requires well designed pressure venting systems.

Physical contact with LN by the human body will lead to injuries ranging from frostbite to flash freezing and potentially shattering of severely frozen body parts.

Commentary

I have never worked with LN for flash freezing. It has been used at chemical facilities where I worked as a source of nitrogen gas to make inert atmospheres above flammable liquids. In those cases, the vendor typically owns the LN storage tank and the evaporators that convert the LN to N2 gas. They designed, oversaw the installation and were responsible for the maintenance of the LN tanks and conversion systems. The facility was only responsible for the gas system past the first output valve from the evaporators.

LN is tough stuff to work with, particularly with systems that are not always in contact with LN, presumably like piping and pumps. Having said that, this is not cutting-edge technology; the engineering and maintenance issues have been identified and solved. So have the safety aspects of monitoring and training response personnel and personnel that work around the system.

The thing of concern to me from the Lemos statement was the implication that some sort of maintenance work was being done on the LN system around the area of the leak. There is not much maintenance work that can be done on an LN line while it is delivering LN. If a line-break had been considered as an option during that work, the line would have been emptied and purged and that building would (should!) have been evacuated before such a break was made.

It will be interesting to see what the CSB finds in their investigation. With all of the bad press that the meat processing industry has been receiving about working conditions during the pandemic, incidents like this immediately cause me to think the worst, and that is probably (hopefully) unfair.

First Month of 117th Congress

At heart, I am a process person. I like to look at production rates and the numbers affecting them. It is almost a compulsion. So, with that in mind, let's look at the production rates of legislators in the 117th Congress. NOTE: all numerical data in this post comes from using the ‘Advanced Search’ tool on Congress.gov.

The Data

The best production measure for congresscritters and their staffs, particularly in the first month of the session is the number of bills written. This month we had a total of 884 bills introduced: 719 in the House and 165 in the Senate. To better understand what that means we have to look at the historical record for the last seven sessions of congress, spanning now three administrations.

Congress               Session Bills   January Bills   House Bills   Senate Bills
117th (Biden’s 1st)    TBW             884             719           165
116th                  17,886          1,463           1,093         370
115th (Trump’s 1st)    9,423           1,272           954           318
114th                  14,604          1,171           730           441
113th                  12,328          759             521           238
112th                  14,762          904             618           286
111th (Obama’s 1st)    15,724          1,385           954           431

The ‘Session Bills’ column provides the total number of bills written during that session of Congress; that’s a null data set for the 117th for obvious reasons. The ‘January Bills’ column provides the total number of bills introduced in Congress in the first January of the session. The ‘House Bills’ and ‘Senate Bills’ columns provide those numbers for each of the respective houses of Congress.

The Analysis

The 116th Congress was hands down the most prolific bill writing congress that we have seen. Having said that, statistically it is not an outlier; it is well within three standard deviations (actually, only 1.41σ) of the other six congresses we are looking at in the table. To be sure, the percent standard deviation for the total number of bills written is very high (18.9%), so we have a bill-writing ‘process’ that is not very well ‘in control’.

We see something interesting in the first-January bills number in comparison to the total bills written by that Congress. If bill production were equally spread out across the 24 months that a Congress was in session, we would expect to see about 4.2% of the total bills written introduced in that first January. What we actually see is somewhere between 6.11% and 13.5%. That ‘13.5%’ is 2.04σ above the average of 8.5%, so it is not technically an outlier, but the average value would be significantly different without it being included: 7.5%. In any case, there are two reasons that the first-January numbers would be expected to be higher: new congresscritters getting their first priority bills written and the reintroduction of bills from the previous Congress.

Another thing that stands out is the relatively low number of bills that were introduced in the Senate. The number for the House bills is within 0.42σ of the average while the Senate number is 1.67σ from the average. If we look at the ratio of House bills to Senate bills (remember that there are 435 Representatives to 100 Senators) the lack of production in the Senate is even more apparent. This year’s ratio is 4.4 versus an average of 2.6 (yes, Senators are more prolific bill writers than Representatives; if this were not so we would expect a ratio of 4.35); that is 2.07σ above average, and the percent standard deviation for this set of data is 31.16%, the highest of all the data points being looked at.

The problem with bill introduction in the Senate has apparently been related to organizational issues. With the 50:50 split between the two parties, there has been significant wrangling going on in the Senate leadership about how that body will be working during this session. Once the organizational agreement was reached on Monday, the 25th, the legislative pipeline in the Senate opened, with 118 bills (71.5% of the total) being introduced in the last week; the comparative numbers in the House were 207 bills (28.8%). It will be interesting to see if the Senate’s bill writing pace catches up to that of previous congresses.
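For readers who want to check the sigma figures in the analysis above against the table, here is an added worked example (my code, not part of the original post) that recomputes them with Python's statistics module. Two choices are mine and are assumptions that happen to reproduce the post's numbers: σ is the population standard deviation (divide by N, not N-1), and the House, Senate and House:Senate ratio statistics include the 117th Congress while the session-total and January-share statistics use only the six completed congresses, since the 117th has no session total yet.

```python
"""Reproduce the sigma figures quoted in the analysis from the table's numbers.

Assumptions (added here, not stated in the post):
  * sigma is the population standard deviation (divide by N);
  * 'Session Bills' and 'January Bills' statistics use the six completed
    congresses (111th-116th) because the 117th has no session total yet;
  * House, Senate and House:Senate ratio statistics include the 117th.
"""
from statistics import mean, pstdev

# Rows transcribed from the table in the post:
# congress -> (session bills, january bills, house bills, senate bills).
# None marks the 'TBW' session total for the 117th.
TABLE = {
    117: (None, 884, 719, 165),
    116: (17886, 1463, 1093, 370),
    115: (9423, 1272, 954, 318),
    114: (14604, 1171, 730, 441),
    113: (12328, 759, 521, 238),
    112: (14762, 904, 618, 286),
    111: (15724, 1385, 954, 431),
}


def sigma_distance(values, target):
    """Signed distance of `target` from the mean of `values`, in population sigmas.

    Positive means above average, negative below.
    """
    return (target - mean(values)) / pstdev(values)


def percent_sd(values):
    """Coefficient of variation in percent: sigma as a share of the mean."""
    return 100.0 * pstdev(values) / mean(values)


def is_outlier(z, threshold=3.0):
    """The post's rule of thumb: more than three sigma from the mean is an outlier."""
    return abs(z) > threshold


def analysis():
    """Return the figures quoted in the post, keyed by the claim they support."""
    completed = [c for c, row in TABLE.items() if row[0] is not None]
    session = [TABLE[c][0] for c in completed]
    # First-January bills as a percentage of that congress's session total.
    jan_share = [100.0 * TABLE[c][1] / TABLE[c][0] for c in completed]
    house = [row[2] for row in TABLE.values()]
    senate = [row[3] for row in TABLE.values()]
    ratio = [row[2] / row[3] for row in TABLE.values()]
    ratio_117 = TABLE[117][2] / TABLE[117][3]

    return {
        # 116th session total versus the six completed congresses
        "z_116_session": sigma_distance(session, TABLE[116][0]),
        "pct_sd_session": percent_sd(session),
        # first-January share; the 115th's 13.5% is the high value
        "jan_share_mean": mean(jan_share),
        "z_jan_max": sigma_distance(jan_share, max(jan_share)),
        "jan_share_mean_without_max": mean(sorted(jan_share)[:-1]),
        # 117th first-January House and Senate counts versus all seven congresses
        "z_117_house": sigma_distance(house, TABLE[117][2]),
        "z_117_senate": sigma_distance(senate, TABLE[117][3]),
        # House:Senate ratio for the 117th versus all seven congresses
        "ratio_117": ratio_117,
        "ratio_mean": mean(ratio),
        "z_117_ratio": sigma_distance(ratio, ratio_117),
        "pct_sd_ratio": percent_sd(ratio),
    }


if __name__ == "__main__":
    for key, value in analysis().items():
        print(f"{key:28s} {value:8.2f}")
```

Swapping pstdev for stdev (the sample standard deviation) changes every sigma figure by a factor of about 0.9, so anyone comparing against the post's numbers should keep the population form; the outlier test uses the absolute distance so that the House and Senate values, which sit below their averages, are judged by the same rule as the values above.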

Saturday, January 30, 2021

Comments on CFATS Explosive Chemicals ANPRM – 1-30-21

On January 6th, CISA published an advance notice of proposed rulemaking (ANPRM) for “Removal of Certain Explosive Chemicals From the Chemical Facility Anti-Terrorism Standards”. While I posted a comment to that rulemaking on January 7th, it was not until this week that the next two public comments were posted. So this is the first post about public comments on that ANPRM.

Comments were received this week from:

• Douglas Maggard, and

• Aerojet Rocketdyne

Comment Summary

The Maggard comment is generally supportive of the rulemaking.

The Aerojet Rocketdyne comment notes that BATFE (Bureau of Alcohol, Tobacco, Firearms and Explosives) does not regulate explosives utilized in support of government (DoD) contracts. The commenter notes that DOD may include protection requirements in contract language, but that language may have security gaps when compared to BATFE standards.

Commentary

There are two military related exemptions to 27 CFR 555 found in §555.141. The second exemption (bear with me for a second) is found in §555.141(a)(6); it applies to:

“Arsenals, navy yards, depots, or other establishments owned by, or operated by or on behalf of, the United States.”

These facilities are already exempt from coverage under the CFATS regulations under the DOD/DOE facility exemption.

The first BATFE exemption is found at §555.141(a)(5); it applies to:

“(5) The manufacture under the regulation of the military department of the United States of explosive materials for, or their distribution to or storage or possession by, the military or naval services or other agencies of the United States.”

Such facilities would not be exempt unless they were owned or operated by the Department of Defense or Department of Energy. Thus, it would seem that, if the proposed changes to Appendix A were put into place, such facilities would not be regulated by either BATFE or CFATS regulations. This would need to be addressed by the CFATS rulemaking.

Public ICS Disclosures – Week of 1-23-21

This week we have nine vendor disclosures from Bosch, ZIV Automation (2), Emerson, GE Healthcare, Johnson Controls, Rockwell (2), and Siemens.

Bosch Advisory

Bosch published an advisory describing a stack-based buffer overflow vulnerability in their Rexroth ID 200/C-ETH using EtherNet/IP Protocol. This is a third-party (Real Time Automation) vulnerability. Bosch provides generic mitigation measures.

ZIV Automation Advisories

Incibe-CERT published an advisory describing an uncontrolled resource consumption vulnerability in the ZIV 4CCT Smart Metering Data Concentrator. The vulnerability was reported by Aarón Flecha Menéndez of S21Sec. ZIV has a patch available that mitigates the vulnerability. There is no indication that Menéndez has been provided an opportunity to verify the efficacy of the fix.

Incibe-CERT published an advisory describing an improper authentication vulnerability in the ZIV 4CCT Smart Metering Data Concentrator. The vulnerability was reported by Aarón Flecha Menéndez of S21Sec. ZIV has a patch available that mitigates the vulnerability. There is no indication that Menéndez has been provided an opportunity to verify the efficacy of the fix.

Emerson Advisory

Emerson published an advisory describing the fdtCONTAINER vulnerability in their Rosemount Transmitter Interface Software. Emerson no longer supports that software.

NOTE: This Emerson impact was previously reported by NCCIC-ICS.

GE Healthcare Advisory

GE Healthcare has published an advisory discussing undisclosed vulnerabilities in the VC150 Vital Signs Monitor that they distribute. The Innokas Medical web site simply notes in their software update note for the VC150 that it contains “Cybersecurity enhancements and bug fixes”. GE Healthcare has made the updated software available.

Johnson Controls

Johnson Controls has published an advisory discussing four vulnerabilities in their Sur-Gard System 5 receivers. They are third-party (Treck) vulnerabilities. Johnson Controls has a new version that mitigates the vulnerabilities.

NOTE: This advisory does not specifically name the four vulnerabilities identified by Treck and NCCIC-ICS, it just provides the CVE numbers: CVE-2020-25066, CVE-2020-27336, CVE-2020-27337, and CVE-2020-27338.

Rockwell Advisories

Rockwell published an advisory describing the fdtCONTAINER vulnerability in their FactoryTalk AssetCentre. Rockwell has a new version that mitigates the vulnerability.

Rockwell published an advisory describing a buffer overflow vulnerability in their MicroLogix 1400 Controller. The vulnerability was reported by Parul Sindhwad and Dr. Faruk Kazi from COE-CNDS. Rockwell provides generic mitigation measures.

Siemens Advisory

Siemens published an advisory describing a missing authentication for critical function vulnerability in their SIMATIC HMI Panels. The vulnerability was reported by the Zero Day Initiative. Siemens has new versions that mitigate the vulnerability. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.

NOTE: The advisory acknowledges the coordination efforts of CISA, so it is likely that NCCIC-ICS will publish an advisory on this vulnerability next week.

Friday, January 29, 2021

HR 118 Introduced – Vulnerability Disclosure Reporting

Earlier this month Rep Jackson-Lee introduced HR 118, the Cyber Vulnerability Disclosure Reporting Act. The bill would require DHS to prepare “a report that contains a description of the policies and procedures developed for coordinating cyber vulnerability disclosures” {§2(a)}. This is the same language that Ms Jackson-Lee introduced as HR 43 in the 116th Congress. No action was taken on HR 43.

The Report

The unclassified report would be submitted to Congress within 240 days of the date of enactment. The requirement for establishing the policies and procedures is found in 6 USC 659(m). That subsection provides that:

“The Secretary, in coordination with industry and other stakeholders, may develop and adhere to Department policies and procedures for coordinating vulnerability disclosures.”

The bill would require an annex to the report that would contain information on {§2(a)}:

• Instances in which such policies and procedures were used to disclose cyber vulnerabilities in the prior year; and

• The degree to which such information was acted upon by industry and other stakeholders.

Moving Forward

Jackson-Lee is (as of yesterday) a member of the House Homeland Security Committee to which this bill was assigned for consideration. She should have enough influence in the Committee to ensure that this bill could be considered if she is willing to exert that influence. There is nothing in this bill that would cause any organized opposition to the bill. The bill would very likely receive strong bipartisan support (as an earlier version, HR 3202, did in the 115th Congress) both in Committee and on the floor of the House.

Commentary

It is odd that this bill is being introduced this year when there was no action taken on the bill in the previous session. Jackson-Lee did not use her significant influence in Committee last year to have the bill considered.

On the other hand, with the current concern about cybersecurity, there is a good chance that this bill will move forward early in this session, either as a standalone measure or included in some larger cybersecurity legislation.

One last item: the bill probably should have been updated to require CISA, not DHS, to prepare the report.

Bills Introduced – 1-28-21

Yesterday with the Senate in Washington and the House meeting in pro forma session, there were 229 bills introduced. Of those bills there were two that may receive additional coverage in this blog:

HR 579 To require the Secretary of Energy to establish a pilot competitive grant program for the development of a skilled energy workforce, and for other purposes. Rep. Norcross, Donald [D-NJ-1] 

S 121 A bill to amend the Workforce Innovation and Opportunity Act to establish demonstration and pilot projects to facilitate education and training programs in the field of advanced manufacturing. Sen. Rosen, Jacky [D-NV] 

Similar sounding bills in previous sessions of Congress included specific mention of cybersecurity workforce development efforts. If these contain similar provisions, I will follow them in this blog.

There were two resolutions introduced and passed in the House yesterday that I will mention in passing:

H Res 62 Electing Members to certain standing committees of the House of Representatives. Rep. Sherman, Brad [D-CA-30] – Text https://www.congress.gov/117/bills/hres62/BILLS-117hres62eh.pdf

H Res 63 Electing Members to certain standing committees of the House of Representatives. Rep. Cheney, Liz [R-WY-At Large] – Text https://www.congress.gov/117/bills/hres63/BILLS-117hres63eh.pdf

These resolutions set forth the Democratic and Republican (respectively) memberships in committees in the House. There have been some earlier similar resolutions for a couple of specific committees and there will be additional resolutions making adjustments to committee memberships, but passage of these two resolutions will allow for the organization of the respective committees and allow committee work in the House to commence in earnest.

Thursday, January 28, 2021

1 Advisory Published – 1-28-21

Today CISA’s NCCIC-ICS published one control system security advisory for products from Rockwell Automation.

Rockwell Advisory

This advisory describes four vulnerabilities in the Rockwell FactoryTalk Linx and FactoryTalk Services Platform. The vulnerabilities were reported by Tenable. According to the Rockwell advisory, patches are available that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Improper check or handling of exceptional conditions - CVE-2020-5801 and CVE-2020-5802, and

• Buffer copy without checking size of input - CVE-2020-5806 and CVE-2020-5807 (Note #1: the NCCIC-ICS advisory lists the -5806 CVE twice, the second CVE is listed in the Rockwell advisory)

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to result in denial-of-service conditions (NOTE #2: The Tenable report provides a GitHub link for proof-of-concept code).

NOTE #3: I first discussed these vulnerabilities back on January 2nd, 2021 and most recently on January 16th when Rockwell published their first update. I would expect that this NCCIC-ICS advisory is based upon the second update that Rockwell published last Friday.


HR 117 Introduced – Cybersecurity OJT

Earlier this month Rep Jackson-Lee introduced HR 117, the DHS Cybersecurity On-the-Job Training and Employment Apprentice Program Act. The bill would require DHS to establish a program to “identify Department employees for work in matters relating to cybersecurity at the Department” {new §230A(a)}. The new program would be administered by the Cybersecurity and Infrastructure Security Agency.

NOTE: Congress.gov has added a new feature to their listings for bill language. I can now provide links to specific parts of the .txt version of the bills on their web site. That is not a major asset for a short bill like this, but for longer pieces of legislation this will be a great tool.

The Program

In carrying out this program CISA would be required to {new §230A(b)}:

• Identify diagnostic tools that can accurately and reliably measure an individual’s capacity to perform cybersecurity related jobs or serve in positions associated with network or computing security,

• In consultation with relevant Department component heads, identify a roster of positions that may be a good fit for the Program and make recommendations to the Secretary relating to such identified positions,

• Develop a curriculum for the Program, which may include distance learning instruction, in-classroom instruction within a work location, on-the-job instruction under the supervision of experienced cybersecurity staff, or other means of training and education as determined appropriate by the Secretary,

• Recruit individuals employed by the Department to participate in the Program, and

• Determine the best means for training and retention of Department employees enrolled in the Program.

No funds are appropriated for the new program.

Moving Forward

While official committee assignments have not yet been made to the House Homeland Security Committee to which this bill was assigned for consideration, Jackson-Lee has been an influential member of this Committee for a number of sessions. This bill is likely to be considered by the Committee and will probably receive bipartisan support.

If the bill makes it to the floor of the House, it will almost certainly be considered under the suspension of the rules process; limited debate, no floor amendments and a supermajority required for passage. I suspect that this bill would pass with a strong bipartisan majority.

NOTE: In the 117th Congress, that ‘supermajority’ requirement is going to be more problematic for a lot of bills. The narrower majority that the Democrats have this session, combined with the larger number of more radical conservatives on the Republican side, will likely mean that there will be fewer bills passed under this process. Just how many fewer remains to be seen.

Commentary

This bill will only apply to federal agencies. As such I would not normally consider covering the bill in this blog. There are, however, two provisions for the OJT program that would be developed by CISA that may have practical impact on cybersecurity training in the private sector:

• Identify diagnostic tools that can accurately and reliably measure an individual’s capacity to perform cybersecurity related jobs or serve in positions associated with network or computing security, and

• Develop a curriculum for the Program, which may include distance learning instruction, in-classroom instruction within a work location, on-the-job instruction under the supervision of experienced cybersecurity staff, or other means of training and education as determined appropriate by the Secretary.

It will be interesting to see where they get (or develop in house?) “diagnostic tools that can accurately and reliably measure [emphasis added] an individual’s capacity to perform cybersecurity related jobs”. If such tools actually exist or can be developed they will be a boon to hiring managers and trainers in the private sector. I would be very interested in seeing documentation supporting the contention of being able to ‘accurately and reliably’ measure this capacity in humans.

On a personal note, I took an early version of such a test that was provided by ITI (a 1970’s technology training company) just before I graduated from high school in 1971. As a result of the test results, I was offered a full scholarship for their two-year computer programming course. I wanted (then) to be a lawyer and politician, so I turned them down. Anyway, I have subsequently learned programming, but lack the attention-to-detail skills necessary to really become a programmer. That early aptitude test did not even try to capture that skill requirement.

The development of an actual OJT component as described in the bill would be a valuable contribution to resolving the problem of increasing the number of entry level cybersecurity professionals. Now if they could get hiring managers to look for entry level folks, it would be an even greater contribution.

A final note here. This bill was introduced on January 4th. It was just published last night. The GPO is apparently still having COVID related problems processing bills. This is going to be an increasing problem as the pandemic continues to get worse and Congress writes more bills as their operations become more normalized.

OMB Approves Revision to Transportation Security ICR – 1-27-21

Yesterday the OMB’s Office of Information and Regulatory Affairs approved a revision to the information collection request (ICR) from the DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) for “Hazardous Materials Security Plans”. The changes were necessitated by the approval of PHMSA’s final rule on “Liquefied Natural Gas (LNG) by Rail”. That rule added natural gas as a commodity that is subject to routing requirements.

The supporting document [.docx download link] PHMSA provided to OIRA supporting the request to revise the ICR does a good job of describing the need for the revision (para 1) and showing the calculations (para 12) for the revised burden estimates, but it does not specifically quantify the change in the burden. That is found in OIRA’s announcement: eight new annual reports are expected with a total additional burden of 680 hours. This will be borne by the railroads hauling the LNG performing their route security analysis and alternative route analysis reporting.

Interestingly, the LNG by rail final rule only estimated a 677 hour burden increase for this ICR. A minor difference to be sure, but not one explained in the data submitted to OIRA.

Bills Introduced – 1-27-21

Yesterday with just the Senate in session, there were 20 bills introduced. One of those bills will see additional coverage in this blog:

S 70 A bill to amend title 32, United States Code, to authorize cybersecurity operations and missions to protect critical infrastructure by members of the National Guard in connection with training or other duty. Sen. Hassan, Margaret Wood [D-NH]

This sounds like it will be similar to S 4833 that was introduced by Hassan in the last session.

Wednesday, January 27, 2021

DHS Publishes New NTAS Bulletin – 1-27-21

Today the Department of Homeland Security published a bulletin on the National Terrorism Advisory System (NTAS) web page. According to the NTAS page:

“The Acting Secretary of Homeland Security has issued a National Terrorism Advisory System (NTAS) Bulletin due to a heightened threat environment across the United States, which DHS believes will persist in the weeks following the successful Presidential Inauguration. Information suggests that some ideologically-motivated violent extremists with objections to the exercise of governmental authority and the presidential transition, as well as other perceived grievances fueled by false narratives, could continue to mobilize to incite or commit violence.”

Anyone responsible for facility security needs to read the bulletin and so probably should everyone else. The bulletin is expected to remain in effect through April 30th.

NTAS System

A quick reminder about the NTAS system. It provides three different advisory levels depending on the specificity of the information available. The three different levels are:

• Bulletin - Describes current developments or general trends regarding threats of terrorism.

• Elevated Alert - Warns of a credible terrorism threat against the United States.

• Imminent Alert - Warns of a credible, specific and impending terrorism threat against the United States.

NTAS Bulletin and CFATS

There is currently nothing on either the home page for the Chemical Facility Anti-Terrorism Standards (CFATS) program or the CFATS Knowledge Center about this specific NTAS Bulletin. The CFATS Knowledge Center does have a FAQ about the NTAS system (FAQ #1724) that was most recently updated on November 24th, 2020. The response to that FAQ notes that CFATS covered facilities would have different response requirements under alerts and bulletins. Since bulletins do not provide specific threat information, that FAQ response explains that: “CFATS facilities should monitor the system for Bulletins for situational awareness and may use their best judgement to apply the information posted as applicable to the facility.”

Earlier this month I published two blog posts that address topics discussed in the “Details” portion of today’s bulletin. Those two posts are:

CFATS and the Nashville Bombing

CFATS and the ‘Insurrection’

There is a possibility that, as more specific threat information becomes available, applicable CFATS facilities could be notified directly by CISA’s Infrastructure Security Compliance Division (ISCD) or through the Chemical Security Inspector responsible for oversight at the facility.

Tuesday, January 26, 2021

1 Advisory and 3 Updates Published – 1-26-21

Today CISA’s NCCIC-ICS published a control system security advisory for products from Fuji Electric and updated three advisories for products from Mitsubishi, Treck and Eaton.

Fuji Advisory

This advisory describes five vulnerabilities in the Fuji Tellus Lite V-Simulator and V-Server Lite. The vulnerabilities were reported by Kimiya, Khangkito – Tran Van Khang of VinCSS (Member of Vingroup), and an anonymous researcher via the Zero Day Initiative. Fuji has a newer version that mitigates the vulnerabilities. There is no indication that the researchers have been provided with an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2021-22637,

• Out-of-bounds read - CVE-2021-22655,

• Out-of-bounds write - CVE-2021-22653,

• Access of uninitialized pointer - CVE-2021-22639, and

• Heap-based buffer overflow - CVE-2021-22641

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to execute code under the privileges of the application.

Mitsubishi Update

This update provides additional information on an advisory that was originally published on September 1st, 2020. The new information includes updated affected versions and mitigation measures for:

• R12CCPU-V,

• RD55UP06-V,

• RD55UP12-V,

• RJ71GN11-T2,

• Q03UDECPU,

• QnUDEHCPU,

• QnUDVCPU,

• QnUDPVCPU,

• LnCPU(-P),

• L26CPU-(P)BT,

• RnSFCPU,

• RnPCPU,

• RnPSFCPU,

• FX5-ENET,

• FX5-ENET/IP,

• FX3U-ENET-ADP,

• FX3GE-**M*/**,

• FX3U-ENET,

• FX3U-ENET-L,

• FX3U-ENET-P502,

• FX5-CCLGN-MS,

• FR-A800-E Series,

• FR-F800-E Series,

• FR-A8NCG,

• FR-E800-EPA Series, and

• FR-E800-EPB Series

Treck Update

This update provides additional information on an advisory that was originally published on December 18th, 2020. The new information includes the names of the Intel researchers who reported the vulnerabilities.

Eaton Update

This update provides additional information on an advisory that was originally published on January 11th, 2021. The new information includes the announcement of the availability of a patch that mitigates the vulnerability.

Researcher Vulnerability Reporting

I had an interesting conversation today with the lead researcher for one of the increasing number of ICS cybersecurity companies. The conversation was interesting, informative, and completely off the record. One topic that did come up that I think bears some broader discussion within the community is the vulnerability reporting processes used by such companies. Not coordinated disclosures so much, but the public reporting of vulnerabilities by researchers after vendors have had a chance to address the vulnerabilities.

Research Companies

There are a number of companies in the ICS security realm that publish reports about vulnerabilities that they have discovered. The first thing that we as consumers of those reports have to remember is that these companies are not doing the vulnerability research to do this reporting. They are doing the research to support their business model of either providing threat identification for their customers and/or selling products that mitigate the effect of vulnerabilities/attacks on customer processes. This means that their reporting is as much part of their advertising as it is sharing information with the community. The balance between advertising and information sharing varies widely within the industry.

User Perspective

I told my caller today that I try to look at things, vulnerabilities in particular, from the operator perspective, and I would like to see the research community focus more of its vulnerability reporting on that perspective. I do not object to the detailed technical reporting that we see so often, with proof-of-concept code and details about how the researchers went about pulling the vulnerability apart. That is all valuable reporting, but it is more helpful to the research community and the response community than it is to the owner/operators of industrial control systems in the manufacturing world.

Vendors and various CERTs do a better job of providing user focused information in their advisories than the research community generally does, but I still think that more needs to be done at even this level. CISA’s NCCIC-ICS has the most consistent approach in this regard that I have seen. They generally provide a brief description of the skill level needed to exploit the vulnerability, the level of access needed and a brief description of the consequences. Unfortunately, the terminology they use is more than a little vague and seldom provides any useful information on how a successful attacker would implement the exploit. The main reason for that lack of detail is that NCCIC-ICS is not a research organization, but rather a coordination agency.

Researcher Advisories

Perhaps it is time for cybersecurity companies to begin preparing their own advisories in addition to their blog posts, white papers and reports. These new documents would address vulnerability disclosures from the perspective of affected owner/operators. It would include a link to more detailed information in the more typical vulnerability research reporting, but it would concentrate on describing the potential impact to organizations and would include discussion of potential mitigation measures.

The advertising wonks in these companies should jump on that mitigation measures portion of the advisory because it would provide an opportunity to explain to their customers (and potential customers) how their products would help to protect them from the vulnerabilities being described. In fact, this potential advertising advantage might lead cybersecurity organizations to provide advisories for vulnerabilities that were publicly reported by other organizations or even equipment vendors.

The preparation of these researcher advisories should not take up too many administrative resources. Much of each advisory could be pre-written as part of a standard format, and most of the language could be cut-and-paste boilerplate; just look at the NCCIC-ICS advisories to see how much of the language is common to each advisory. Furthermore, much of the more variable wording could be included in the more traditional reporting, making those documents more valuable as well.

Monday, January 25, 2021

Latest GAO Report on CFATS Looks at Regulatory Collaboration

Last week the Government Accountability Office (GAO) published their latest report on the Chemical Facility Anti-Terrorism Standards (CFATS) program. This report looks at how the CFATS program interacts with eight other Federal chemical safety and security programs at both the Agency and installation levels. It includes a recommendation to legislate additional chemical security requirements for water treatment facilities.

Other Programs

The report looks at how much of an overlap there is in security requirements between the CFATS program and eight other Federal regulatory programs. Those programs are:

• Explosives materials Program (ATF),

• Maritime Transportation Security Act program (Coast Guard),

• Hazardous materials transportation program (DOT),

• Resource Conservation and Recovery Act program (EPA),

• Risk Management Program (EPA),

• America’s Water Infrastructure Act program (EPA),

• Pipeline Security Program (TSA), and

• Rail Security program (TSA)

Using a very broad (and loosely defined as “engage in similar activities”) term ‘align’, the GAO reports that all eight programs align with “six of 18 CFATS standards regarding restricting area perimeter; securing site assets; screening and controlling access; deterring, detecting, and delaying an attack; deterring theft and diversion, and deterring insider sabotage” {pg 21, using .PDF page numbers}. A table spanning three pages outlines which CFATS risk-based performance standards (RBPS) each of the Federal programs align with.

What is clear from a detailed reading of the report is that GAO, in looking for alignment, was looking for areas where regulatory compliance with another program could be used, at least in part, to comply with CFATS security plan requirements under the RBPS. While the GAO admits that some program coordination has taken place under the EO 13650 Working Group (see their lite web page) it takes DHS to task for not continuing to work on clarifying where compliance with other programs fits into CFATS compliance. The first GAO recommendation addresses this:

“The Secretary of DHS should direct its chemical safety and security programs to collaborate with partners and establish an iterative and ongoing process to identify the extent to which CFATS-regulated facilities are also covered by other programs with requirements or guidance that generally align with some CFATS standards.” {pg 53}

More specifically, recommendation five goes on to say:

“The Director of DHS’s Cybersecurity and Infrastructure Security Agency should update CFATS program guidance or fact sheets to include a list of commonly accepted actions facilities may have taken and information they may have prepared pursuant to other federal programs, and disseminate this information.” {pg 54}

Further recommendations are made to EPA, ATF and DOT to look at how their programs interface with the CFATS program.

DHS concurred with both of the above recommendations and had this specific response to recommendation five:

“DHS concurred with recommendation 5, stating in its letter that, among other actions, CISA will update or create a new guidance document or fact sheet by December 31, 2021, that includes a list of commonly accepted actions CFATS-regulated facilities may have taken and information they may have prepared pursuant to other federal programs and disseminate this information.” {pg 56}

Water Treatment Facility Security

This report states that water treatment and wastewater treatment facilities that are exempt from the coverage of the CFATS program “may present attractive terrorist targets due to their large stores of potentially high-risk chemicals and their proximities to population centers” {pg 47}. They go on to note that an earlier report “found that the Risk Management Program regulates at least 1,100 public water system and 500 wastewater treatment works facilities for many of the same chemicals at the same threshold quantities as the CFATS program’s chemical release attack scenario” {pgs 47-8}.

There are significant differences in the security aligned requirements of both the Risk Management Program and Water Infrastructure Act programs, and the CFATS program. “For example, the Risk Management Program and Water Infrastructure Act programs do not contain requirements or guidance regarding security training or background checks. In addition, while the Water Infrastructure Act program contains guidance on cybersecurity, the Risk Management Program does not.” {pg 48}

Water treatment facilities are also subject to the voluntary security guidelines of the American Water Works Association’s security practices management standard. They go on to note that EPA program officials reported that “the voluntary water and wastewater standards are not as comprehensive as the CFATS program’s 18 standards, and it is unclear the extent to which public water systems and wastewater treatment works implement the standard because its use is entirely voluntary” {pg 50}. Further, the report notes that DHS officials stated that “the general alignment of Water Infrastructure Act requirements or guidance with some CFATS standards may not reflect the level of security achieved because, unlike the CFATS program, the Water Infrastructure Act program does not include verification measures” {pg 51}.

The GAO makes two similar recommendations (#6 and #7) to DHS and the EPA about working with the other agency to “to assess the extent to which potential security gaps exist at water and wastewater facilities and, if gaps exist, develop a legislative proposal for how best to address them and submit it to the Secretary of Homeland Security and Administrator of EPA, and Congress, as appropriate” {pg 54}.

Commentary

The Working Group formed under Obama’s chemical safety and security executive order kind of faded away during the Trump administration. While there was certainly some ongoing coordination, there was no incentive (and many political disincentives) to forge any new regulatory efforts. This is very likely to change under the Biden Administration, though it will not likely be a top priority. Congressional efforts, if the two committees in the House can better their coordination, may be more persuasive.

The one CFATS legislative initiative that I think may be possible this session is the introduction of bills to address the water facility security issue. The chance of their passage is still rather small given the CFATS three-year extension passed last year, but significant committee work and hearings this session may bear fruit in the 118th Congress.

Committee Hearings – Week of 1-24-21

With just the Senate in Washington this week the hearing schedule is very light. There will be Senate confirmation hearings (including DHS Secretary) and one organizational committee hearing in the House.

Energy and Commerce Organization

The House Energy and Commerce Committee will hold their organizational hearing on Friday. Nothing exciting here; just formal announcement of chairs and ranking members of the subcommittees and the adoption of committee rules and jurisdictions of the subcommittees (more on that in the Commentary section below).

Commentary

First, the Energy and Commerce subcommittee jurisdictions: It is always interesting to see how widely the scope of House subcommittee responsibilities is crafted. The wording in the E&C jurisdiction document is designed to be expansive rather than restrictive. The term ‘cybersecurity’ is specifically included in the description of jurisdiction in five of the six subcommittees listed; the only exception is the Subcommittee on Oversight and Investigations, and their purview is wide enough to incorporate cybersecurity related topics. DHS oversight for all topics specified is included in the scope statement for all but the Consumer Protection and Oversight subcommittees.

Of particular interest in this blog is coverage for the Chemical Facility Anti-Terrorism Standards (CFATS) program. CFATS is not specifically mentioned (it is a relatively small program by federal agency standards) but it would be included in the jurisdiction of two subcommittees; Environment and Climate Change (under the ‘industrial plant security, including cybersecurity’ listing) and Communications and Technology (under the ‘the Cybersecurity and Infrastructure Security Agency in the Department of Homeland Security’ listing).

Last topic: Senate confirmation hearings. The Senate has approved two nominations to date and will almost certainly approve a third today; all with strong bipartisan majorities. Things will start to get trickier. One of the major roadblocks ahead is the current failure to reach an agreement on the organization of the Senate. With a 50-50 split, Sen Schumer (D,NY) and Sen McConnell (R,TN) have yet to decide how to split the chairs of the Senate Committees and thus the number of Republicans and Democrats on those committees. Generally speaking, the Committees are still operating under their 116th Congress organization.

With non-controversial nominees (like the first three) this is not a major headache. When we start to look at potentially more problematic nominees (like Alejandro Mayorkas, for DHS) this starts to cause problems. Sen Hawley (R,MO) has placed a hold on Mayorkas’ nomination because of immigration issues, and this will be a topic that will likely resonate in this week’s hearings. While Sen Peters (D,MI) is Chair, the Committee website still shows eight Republican members to five Democrats. I suspect that Mayorkas will be approved by the Committee, but the Hawley hold will still delay the consideration on the Senate floor.

Sunday, January 24, 2021

Reader Comments – Instrument Vulnerabilities

Earlier this week Jake Brodsky left a comment on my blog post about the Thursday batch of control system security advisories. It is not a long comment, but it is certainly worth reading. He makes the point that: “If you exploit FDT [fdtCONTAINER vulnerability] on an instrument to get it to execute arbitrary code, you can also get it to report incorrect values FROM THE INSTRUMENT.”

As a person who has spent thousands of hours monitoring chemical processes in a manufacturing environment for both safety and quality issues, I can tell you that the prospect of not being able to trust the numbers being provided by your control system was what scared me most about Stuxnet and caused my interest in control system cybersecurity.

Instrument level data is probably the most critical data used in an industrial control system. That is the data the software relies upon to make process decisions. Being able to manipulate that data means that you can effectively manipulate the process (with the caveat that you must understand the process and how the control system responds to various instrument inputs if you are going to be able to drive the process in a specific upset direction). If you are just trying to disrupt the process (shut it down or adversely affect product quality) then less process knowledge would be needed.

Jake also made the point that Joe Weiss has been harping on the vulnerability of sensors for quite some time now. I have talked to Joe about this on a couple of occasions and I agree with many of his concerns. But I also know that smart process engineers understand the criticality of sensor data; this is the reason that there are frequently multiple sensors measuring the same data, with protocols in place to deal with disagreements in sensor data.

As a process chemist I spent a lot of my process-upset investigation time looking for sensor failures by examining other process indicators; changes in pressure when valves opened or closed, changes in tank levels when pumps started and the like. Perhaps it is time to start building such data checks into our process controls, especially when safety-critical process changes are involved.
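One way to build the two checks described above into monitoring logic, as an added example that is not code from this post or from any vendor: median voting across redundant level transmitters (the "protocols to deal with disagreements"), plus a cross-check of the voted tank level against pump run status (the "changes in tank levels when pumps started" tell). Tag names, drain rate, tolerances and the sample readings are all constructed.

```python
"""Plausibility checks for instrument data: voting across redundant level
transmitters plus a physical cross-check of the voted level against pump status.

Added example for this post; it is not code from the post's author or from any
vendor. Tag names (LT-101A/B/C, P-101), the drain rate, the tolerances and the
sample readings below are all constructed for illustration.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional, Tuple


@dataclass
class Sample:
    t: int                       # seconds since the start of the window
    levels: Dict[str, float]     # redundant level transmitters: tag -> percent full
    pump_running: bool           # P-101 run status from the motor starter


@dataclass
class Alert:
    t: int
    kind: str                    # "SENSOR_DISAGREEMENT" or "IMPLAUSIBLE_TREND"
    detail: str


def vote(levels: Dict[str, float], tolerance: float) -> Tuple[float, List[str]]:
    """Median voting: the median reading is the trusted value; any transmitter
    more than `tolerance` percentage points from it is reported as an outlier."""
    trusted = median(levels.values())
    outliers = sorted(tag for tag, v in levels.items() if abs(v - trusted) > tolerance)
    return trusted, outliers


def expected_change(pump_running: bool, dt: float, drain_rate: float) -> float:
    """Constructed process physics: P-101 only transfers out of the tank, so the
    level should fall about `drain_rate` %/s while it runs and hold steady while
    it is stopped (no inflow during this window)."""
    return -drain_rate * dt if pump_running else 0.0


def check_trend(prev: Sample, cur: Sample, trusted_prev: float, trusted_cur: float,
                drain_rate: float, tolerance: float) -> Optional[str]:
    """Compare the observed change in the voted level with what the pump status
    says should have happened; return a description of any mismatch."""
    expected = expected_change(prev.pump_running, cur.t - prev.t, drain_rate)
    actual = trusted_cur - trusted_prev
    if abs(actual - expected) > tolerance:
        state = "running" if prev.pump_running else "stopped"
        return f"level moved {actual:+.1f}% with pump {state}; expected {expected:+.1f}%"
    return None


def analyze(samples: List[Sample], drain_rate: float = 0.5,
            vote_tol: float = 1.0, trend_tol: float = 1.0) -> List[Alert]:
    """Run both checks over a time-ordered series of samples."""
    alerts: List[Alert] = []
    prev: Optional[Sample] = None
    prev_trusted = 0.0
    for s in samples:
        trusted, outliers = vote(s.levels, vote_tol)
        if outliers:
            alerts.append(Alert(s.t, "SENSOR_DISAGREEMENT",
                                f"{outliers} disagree with voted level {trusted:.1f}%"))
        if prev is not None:
            msg = check_trend(prev, s, prev_trusted, trusted, drain_rate, trend_tol)
            if msg:
                alerts.append(Alert(s.t, "IMPLAUSIBLE_TREND", msg))
        prev, prev_trusted = s, trusted
    return alerts


# Constructed readings, 10 s apart. P-101 starts at t=10 and drains the tank at
# about 5% per interval. At t=30 LT-101B reports a stale value (stuck or
# falsified); at t=50 all three transmitters agree on a steady level even though
# the pump is still running, which voting alone cannot catch.
SAMPLES = [
    Sample(0,  {"LT-101A": 80.0, "LT-101B": 80.1, "LT-101C": 79.9}, False),
    Sample(10, {"LT-101A": 80.0, "LT-101B": 80.0, "LT-101C": 80.1}, True),
    Sample(20, {"LT-101A": 75.0, "LT-101B": 75.1, "LT-101C": 74.9}, True),
    Sample(30, {"LT-101A": 70.0, "LT-101B": 75.1, "LT-101C": 70.1}, True),
    Sample(40, {"LT-101A": 65.1, "LT-101B": 65.0, "LT-101C": 64.9}, True),
    Sample(50, {"LT-101A": 65.0, "LT-101B": 65.1, "LT-101C": 64.9}, True),
]

if __name__ == "__main__":
    for a in analyze(SAMPLES):
        print(f"t={a.t:>3}s  {a.kind:<20} {a.detail}")
```

The second alert is the interesting one: every transmitter agrees, so no voting scheme would complain, but the reported level is inconsistent with what the pump should be doing, which is exactly the kind of check a process engineer makes by hand during an upset investigation.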

Finally, it would be helpful if the people writing these advisories were a little clearer about the processes that could be affected by the vulnerabilities. I would be surprised if many security managers understood that the fdtCONTAINER vulnerability had specific implications for process sensors. Only a very close reading of the NCCIC-ICS advisory would point you at that fact unless you were involved in process engineering (the key tell for non-engineers like myself was the involvement of Emerson and the RTIS).

Saturday, January 23, 2021

Public ICS Disclosures – Week of 1-16-21

This week we have six vendor disclosures from ABB, Bosch, Belden, WEIDMUELLER, PulseSecure, and Siemens. We have two researcher reports on products from Selea.

ABB Advisory

ABB published an advisory describing an unauthenticated crafted packet vulnerability in their AC500 V2 PLCs. The vulnerability was reported by Yossi Reuven of SCADAfence. ABB has a new firmware version that mitigates the vulnerability. There is no indication that Reuven was provided an opportunity to verify the efficacy of the fix.

Bosch Advisory

Bosch published an advisory describing two vulnerabilities in their Bosch Fire Monitoring System. The vulnerabilities are self-reported. Bosch has a patch that mitigates the vulnerabilities.

The two reported vulnerabilities are:

• Use of hard-coded credentials - CVE-2020-6779, and

• Use of password hash with insufficient computational effort - CVE-2020-6780

Belden Advisory

Belden published an advisory describing a firewall bypass vulnerability in their WLAN (HiLCOS) products. The vulnerability is self-reported. Belden has updates available that mitigate the vulnerability.

WEIDMUELLER Advisory

CERT-VDE published an advisory discussing the fdtCONTAINER vulnerability in the WEIDMUELLER WI Manager. WEIDMUELLER continues to work on mitigation measures for this vulnerability.

PulseSecure Advisory

PulseSecure published an advisory discussing a third-party (OpenSSL) null pointer dereference vulnerability in their products. They can report that their Pulse Secure vADC is not affected, but they are still looking at other products.

Siemens Advisory

Siemens published an out-of-zone advisory discussing the DNSpooq vulnerabilities in their SCALANCE and RUGGEDCOM Devices. Siemens has provided generic workarounds to mitigate the vulnerabilities pending further development efforts.

Selea Reports

Zero Science Labs has published a report describing a cross-site scripting vulnerability in the Selea CarPlateServer. Zero Science reports coordinating with Selea but is unaware of any mitigation measures developed by the company. LiquidWorm has published an exploit for this vulnerability.

Zero Science Labs has published a report describing a privilege escalation vulnerability in the Selea CarPlateServer. Zero Science reports coordinating with Selea but is unaware of any mitigation measures developed by the company. LiquidWorm has published an exploit for this vulnerability.

Friday, January 22, 2021

Last Trump EO’s Published – Includes UAS Order

Amid the news reports about the series of Executive Orders published this week by President Biden, reporters have missed that four new EO’s signed by President Trump on Monday were published in today’s Federal Register. Those EO’s include:

• Agency Rulemaking; Efforts To Ensure Democratic Accountability (EO 13979),

• Federal Buildings and Facilities: Building the National Garden of American Heroes (EO 13978),

• Regulatory Reform; Efforts To Protect Americans From Overcriminalization (EO 13980), and

• Unmanned Aircraft Systems; Efforts To Protect U.S. (EO 13981)

Each of these EO’s is a legitimate executive order that has almost the force of law on the incoming Biden Administration. I say ‘almost the force of law’ because President Biden can eliminate the requirements imposed by these EO’s with a stroke of his own pen, as he did on Wednesday with his signature on EO 13992, Federal Regulation; Revocation of Certain Executive Orders (which will be published in Monday’s Federal Register).

None of the EO’s published today were on the list of revoked EO’s in paragraph 2 of EO 13992. That may be due (I’m guessing here) to the fact that the incoming Administration was not cognizant of these EO’s when they prepared EO 13992, but as likely (again I’m guessing), these four did not raise the same level of concern as the 7 EO’s revoked by Biden’s order.

UAS EO

According to the preamble to the EO, it was issued due to Trump’s concerns “that additional actions are necessary to ensure the security of Unmanned Aircraft Systems (UAS) owned, operated, and controlled by the Federal Government; to secure the integrity of American infrastructure, including America's National Airspace System (NAS); to protect our law enforcement and warfighters; and to maintain and expand our domestic industrial base capabilities.”

Most of the EO deals with limiting the Federal government’s use of UAS that are “manufactured by foreign adversaries or have significant components that are manufactured by foreign adversaries” {§3(a)}.

There is one section, however, that has nothing to do with the use of UAS by the Federal Government. Section 4 calls for restricting the use of UAS on or over critical infrastructure or other sensitive sites. It requires the FAA, within 270 days, to propose regulations pursuant to section 2209 of the FAA Extension, Safety, and Security Act of 2016 (Public Law 114-190, 130 STAT 634).

Those regulations were supposed to establish “a process to allow applicants to petition the Administrator of the Federal Aviation Administration to prohibit or restrict the operation of an unmanned aircraft in close proximity to a fixed site facility” {§2209(a)}. The required regulations were supposed to have already been proposed within 180 days of the bill’s enactment on July 15th, 2016. In other words, the regulations were supposed to have already been written by Trump’s FAA.

It will be interesting to see how the Biden Administration deals with this portion of EO 13981.

Bills Introduced – 1-21-21

Yesterday, with both the House and Senate in session, there were 81 bills introduced. Of those, one bill will receive additional coverage in this blog:

HR 397 To amend the Homeland Security Act of 2002 to establish chemical, biological, radiological, and nuclear intelligence and information sharing functions of the Office of Intelligence and Analysis of the Department of Homeland Security and to require dissemination of information analyzed by the Department to entities with responsibilities relating to homeland security, and for other purposes. Rep. Gimenez, Carlos A. [R-FL-26]

While Gimenez is a first-term Representative, this bill sounds very much like HR 1589 from last session. That bill was introduced by Rep. Walker (R,NC), who is no longer in Congress. That bill was passed in the House in 2019 and amended/adopted by the Senate Homeland Security and Governmental Affairs Committee, but it was never taken up by the full Senate.

Thursday, January 21, 2021

5 Advisories Published – 1-21-21

Today CISA’s NCCIC-ICS published five control system security advisories for products from WAGO, Mitsubishi Electric, Honeywell, and Delta Electronics (2).

WAGO Advisory

This advisory describes a deserialization of untrusted data vulnerability in the M&M Software fdtCONTAINER (M&M is a subsidiary of WAGO). The vulnerability was reported by Emerson. M&M has a new version that mitigates the vulnerability (but it would not be compatible with existing projects). There is no indication that Emerson has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low skilled attacker could exploit the vulnerability via a social engineering attack to allow malicious code to be executed without notice.

NCCIC-ICS reports that this vulnerability affects products from Emerson and PEPPERL+FUCHS.

NOTE: I briefly discussed this vulnerability last Saturday, but I was not aware that M&M was a subsidiary of WAGO.

Mitsubishi Advisory

This advisory describes an uncontrolled resource consumption vulnerability in the Mitsubishi MELFA product line. The vulnerability was reported by Qi An Xin Group, Inc. Mitsubishi has provided generic mitigation measures for the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to cause a denial-of-service condition.

NOTE: NCCIC-ICS provided an incorrect link for the Mitsubishi advisory (listed as ‘Mitsubishi Electric website’ in this advisory). The link should have been https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-019_en.pdf.

Honeywell Advisory

This advisory describes four vulnerabilities in the Matrikon (a subsidiary of Honeywell) OPC UA Tunneller. The vulnerability was reported by Uri Katz of Claroty. Matrikon has a new version that mitigates the vulnerability. There is no indication that Katz has been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Heap-based buffer overflow - CVE-2020-27297,

• Out-of-bounds read - CVE-2020-27299,

• Improper check for unusual or exceptional conditions - CVE-2020-27274, and

• Uncontrolled resource consumption - CVE-2020-27295

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to disclose sensitive information, remotely execute arbitrary code, or crash the device.

TPEditor Advisory

This advisory describes two vulnerabilities in the Delta TPEditor. The vulnerabilities were reported by kimiya via the Zero Day Initiative. Delta has a new version that mitigates the vulnerabilities. There is no indication that kimiya has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Untrusted pointer dereference - CVE-2020-27288, and

• Out-of-bounds write - CVE-2020-27284

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to allow an attacker to execute code under the privileges of the application.

ISPSoft Advisory

This advisory describes a use after free vulnerability in the Delta ISPSoft PLC program development tool. The vulnerability was reported by Francis Provencher via ZDI. Delta has a new version that mitigates the vulnerability. There is no indication that Provencher has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to allow an attacker to execute code under the privileges of the application.

OMB Pauses Rule Processing

As is normal at the start of a new administration, President Biden’s Chief of Staff announced yesterday that the OMB would stop actions on all current rulemakings until they were approved by agency heads appointed by the new President. At the same time, the President appointed acting leadership for 34 agencies, including (of interest in this blog) David Pekoske for DHS and Lana Hurdle for DOT. Additionally, final rules that have been published, but have not yet gone into effect, would have the effective date extended to 60-days from yesterday to allow for further review.

It appears that OMB’s Office of Information and Regulatory Affairs (OIRA) had unofficially stopped approving rulemakings as of Monday. Through last Friday, OIRA had been approving rulemakings at the rate of five to ten per workday for the last two months. No rulemakings have been approved this week.

OMB is authorized to exempt rulemakings from this review process “for emergency situations or other urgent circumstances relating to health, safety, environmental, financial, or national security matters” {para 1}. Also exempted are rules that are “subject to statutory or judicial deadlines” {para 4}.

We can expect the Biden Administration to start the process of withdrawing rulemakings from OMB’s review with which it does not agree. That process started yesterday with three rulemakings from the State Department and one from the Department of Labor. Again, this is a typical and routine practice. The Obama Administration withdrew 31 rulemakings between their inauguration and February 1st, 2009 and the Trump Administration withdrew 25 during the similar period in 2017.

Tuesday, January 19, 2021

3 Advisories Published – 1-19-21

Today CISA’s NCCIC-ICS published two control system security advisories for products from Reolink and Simon Kelley, and one medical device security advisory for products from Philips.

Reolink Advisory

This advisory describes two vulnerabilities in the Reolink P2P protocol. The vulnerabilities were reported by Nozomi Networks. Reolink has a firmware upgrade that mitigates some of the risk.

The two reported vulnerabilities are:

• Use of hard-coded cryptographic key - CVE-2020-25173, and

• Cleartext transmission of sensitive information - CVE-2020-25169

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to permit unauthorized access to sensitive information.

Dnsmasq Advisory

This advisory describes seven vulnerabilities in Dnsmasq, which is maintained by Simon Kelley. The vulnerabilities were reported by JSOF Tech (named DNSpooq by JSOF). Kelley has a new version that mitigates the vulnerabilities. The JSOF report confirms that the new version adequately mitigates the vulnerabilities.

The seven reported vulnerabilities are:

• Heap-based buffer overflow (4) - CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, and CVE-2020-25687,

• Insufficient verification of data authenticity (2) - CVE-2020-25684 and CVE-2020-25686, and

• Use of a broken or risky cryptographic algorithm - CVE-2020-25685

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to result in cache poisoning, remote code execution, and a denial-of-service condition.

NOTE: The JSOF report makes it clear that there will almost certainly be a number of ICS vendors affected by this set of DNS vulnerabilities. At least one vendor has already reported this vulnerability in some of their products; more will be coming.

Philips Advisory

This advisory describes an OS command injection vulnerability in the Philips Haswell workstations. The vulnerability was self-reported. Philips has a patch that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to remotely shut down or restart the workstation.
