Wednesday, March 31, 2021

DHS Publishes Regulatory Agenda Semiannual Update – 3-31-21

Today DHS (along with all other major federal agencies and departments) published their latest semiannual regulatory agenda in the Federal Register (86 FR 16906-16914). According to the document summary this “regulatory agenda is a semiannual summary of projected regulations, existing regulations, and completed actions of the Department of Homeland Security (DHS) and its components.” All of the rulemaking descriptions and forecast activity action dates are based upon entries in the Fall 2020 Unified Agenda published by the Trump Administration in December.

Chemical Security Rulemakings

There are two separate chemical security related rulemakings mentioned in today’s document. Under the ‘Proposed Rule Stage’ for CISA is the “Ammonium Nitrate Security Program” (RIN 1670-AA00); no abstract or timetable information is included.

The second is under the CISA ‘Long Term Actions’ heading; “Chemical Facility Anti-Terrorism Standards (CFATS)” (RIN 1670-AA01). This is not the ‘explosives removal ANPRM’ that was published in January; rather it is the EO 13650 mandated rulemaking that was published (as an ANPRM) back in 2014. The ‘Abstract’ printed in today’s Notice comes straight from the RIN entry in the Fall 2020 Unified Agenda. That explains the very dated “Once the comment period closes” phrase in the final sentence. That comment period closed on September 19th and there were only four comments submitted on that retrospective analysis of the 2007 CFATS interim final rule.

Commentary

At first glance, it seems odd that there is no discussion of the ANSP rulemaking when it is listed as being in the ‘Proposed Rule Stage’. The Trump Administration looked forward to withdrawing the “current” (2011) notice of proposed rulemaking and publishing a new NPRM. Both actions were “expected” to occur in this month. CISA (or rather its predecessor NPPD) concluded (long before Trump came into office) that it was not possible to construct a cost-effective set of security rules under the requirements of 6 USC Part J. Apparently the Trump Administration intended to write a new regulatory scheme without regards to the Congressional requirements of Part J.

I suspect that the Biden Administration will attempt, with its nominal (read ‘mostly fictitious’) control of Congress, to rewrite the requirements of Part J and then propose supporting regulations. I expect that CISA will continue to work with Congressional Democrats (as they have been behind the scenes for the last four years) to change the statute to reflect the regulations that they have been working on. Since Rep Thompson (D,MS) was the sponsor and vocal supporter of the Part J legislation (HR 1860) and is (again) the Chair of the House Homeland Security Committee, he will have to be an important part of revising Part J.

But, since this is a Biden interpretation of the Trump Agenda, this Semiannual Regulatory Agenda is more of a compliance exercise than an aspirational report. Do not hold your breath waiting for anything mentioned in today’s notice to happen.

Tuesday, March 30, 2021

S 914 Introduced - Drinking Water and Wastewater Infrastructure Act of 2021

Last week Sen Duckworth (D,IL) introduced S 914, the Drinking Water and Wastewater Infrastructure Act of 2021. The bill reauthorizes drinking water and wastewater treatment programs. While it does not include any specific cybersecurity programs, it does add addressing cybersecurity concerns to a number of existing programs.

Cybersecurity Mentions

Section 101 amends 42 USC 300j-1(b) adding “(including an emergency situation resulting from a cybersecurity event)” after “emergency situation”; would allow providing technical assistance and grants.

Section 107 adds §1459F, the Midsize and Large Drinking Water System Infrastructure Resilience and Sustainability Program, to the Safe Drinking Water Act, which includes:

In (b) - “shall award grants to eligible entities for the purpose of increasing resilience to natural hazards, cybersecurity threats [emphasis added], and extreme weather events”,

In (c) - “may only use grant funds received under the resilience and sustainability program to assist in the planning, design, construction, implementation, operation, or maintenance of a program or project that increases resilience to natural hazards, cybersecurity threats [emphasis added], or extreme weather events”

In (c)(6) - “the development and implementation of measures to increase the resilience of the eligible entity to natural hazards, cybersecurity threats [emphasis added], or extreme weather events”,

In (d)(2) - “an identification of the natural hazard risk or potential cybersecurity threat [emphasis added], as applicable, to be addressed by the proposed program or project”,

In (d)(3) - “documentation prepared by a Federal, State, regional, or local government agency of the natural hazard risk, potential cybersecurity threat [emphasis added], or risk for extreme weather events”,

In (d)(4) - “a description of any recent natural hazards, cybersecurity events, or extreme weather events that have affected the community water system of the eligible entity”,

In (d)(5) - “a description of how the proposed program or project would improve the performance of the community water system of the eligible entity under the anticipated natural hazards, cybersecurity threats [emphasis added], or extreme weather events”,

In (d)(6) - “an explanation of how the proposed program or project is expected to enhance the resilience of the community water system of the eligible entity to the anticipated natural hazards, cybersecurity threats, or extreme weather events”.

Section 111 adds §1459H, Advanced Drinking Water Technologies, to the Safe Drinking Water Act, which includes:

In (a)(1) - “the Administrator shall carry out a study that examines the state of existing and potential future technology, including technology that could address cybersecurity threats [emphasis added], that enhances or could enhance the treatment, monitoring, affordability, efficiency, and safety of drinking water provided by a public water system”, and

In (b)(1)(A)(iii) - “has expressed an interest in the opportunities in the operation of the public water system to employ new or emerging, yet proven, technologies, including technology that could address cybersecurity threats [emphasis added]”,

Section 205 adds §222, Clean Water Infrastructure Resiliency and Sustainability Program, to the Federal Water Pollution Control Act, which includes:

In (b) - “the Administrator shall establish a clean water infrastructure resilience and sustainability program under which the Administrator shall award grants to eligible entities for the purpose of increasing the resilience of publicly owned treatment works to a natural hazard or a cybersecurity threat [emphasis added]”,

In (c) - “shall use the grant funds for planning, designing, or constructing projects (on a system-wide or area-wide basis) that increase the resilience of a publicly owned treatment works to a natural hazard or a cybersecurity threat [emphasis added]”,

In (d)(2) - “an identification of the natural hazard risk or potential cybersecurity threat [emphasis added], as applicable, to be addressed by the proposed project”,

In (d)(3) - “documentation prepared by a Federal, State, regional, or local government agency of the natural hazard risk or potential cybersecurity threat [emphasis added], as applicable, of the area where the proposed project is to be located”,

In (d)(4) - “a description of any recent natural hazard events or cybersecurity threats [emphasis added] that have affected the publicly owned treatment works”,

In (d)(5) - “a description of how the proposed project would improve the performance of the publicly owned treatment works under an anticipated natural hazard or cybersecurity threat [emphasis added]”,

In (d)(6) - “an explanation of how the proposed project is expected to enhance the resilience of the publicly owned treatment works to an anticipated natural hazard or cybersecurity threat [emphasis added]”,

Section 213, Water Data Sharing Pilot Program, which includes:

In (a)(1) - “the Administrator may award grants to eligible entities under subsection (b) to establish systems that improve the sharing of information concerning water quality, water infrastructure needs, and water technology, including cybersecurity technology [emphasis added]”.

Moving Forward

The bill was considered by the Senate Environment and Public Works Committee last Wednesday. Substitute language (not currently publicly available) was adopted (pg 27) by the Committee by a unanimous vote. This clears the bill (once the Committee Report is published) for consideration by the full Senate, where it is likely to be considered under the unanimous consent process, meaning no debate, no amendments and no actual vote. Of course, a single Senator could stop that consideration process, and the reasons for that ‘objection’ could have nothing to do with anything in this bill.

Commentary

This is the type of ‘cybersecurity’ language that I expect to see more frequently in this session of Congress. Instead of standing up any new cybersecurity program, I suspect that there will be more language adding cybersecurity concerns to authorization bills by tacking ‘cybersecurity’ to existing safety and security measures already in place. This will give existing regulatory agencies more authority to address cybersecurity issues. Unfortunately, this will seldom come with increased funding to address those issues.

The one problem with this approach is that there are typically no cybersecurity related definitions included in the authorization statutes for these programs. On one hand, this does give regulators the maximum amount of leeway in how they address the cybersecurity issues, but on the other hand, it does not ensure that the full gamut of issues will be addressed.

The major shortcoming in this bill is that, while it addresses information sharing about cybersecurity technology, it does not specifically establish a program for sharing information about cybersecurity threats or system vulnerabilities. There is a Water Information Sharing and Analysis Center (WaterISAC), but that is a voluntary organization without any specific government support or authority.

Monday, March 29, 2021

HR 1251 Introduced – Cyber Diplomacy Act of 2021

Last month Rep McCaul (R,TX) introduced HR 1251, the Cyber Diplomacy Act of 2021. The bill would establish an international cyber policy “to work internationally to promote an open, interoperable, reliable, unfettered, and secure Internet governed by the multi-stakeholder model” {§4(a)}.

Definitions

Section 3 of the bill establishes the definitions for three key terms used in the bill, the most important of which is ‘information and communications technology’ (ICT). That term is defined as “hardware, software, and other products or services primarily intended to fulfill or enable the function of information processing and communication by electronic means, including transmission and display, including via the Internet” {§3(2)}.

Policy Objectives

In implementing this policy, the bill requires the President to pursue the following objectives {§4(b)}:

• Clarifying the applicability of international laws and norms to the use of ICT.

• Reducing and limiting the risk of escalation and retaliation in cyberspace, damage to critical infrastructure, and other malicious cyber activity that impairs the use and operation of critical infrastructure that provides services to the public,

• Cooperating with like-minded democratic countries that share common values and cyberspace policies with the United States, including respect for human rights, democracy, and the rule of law, to advance such values and policies internationally,

• Encouraging the responsible development of new, innovative technologies and ICT products that strengthen a secure Internet architecture that is accessible to all,

• Securing and implementing commitments on responsible country behavior in cyberspace based upon accepted norms, and

• Advancing, encouraging, and supporting the development and adoption of internationally recognized technical standards and best practices.

Among the ‘accepted norms’ that the bill would require the President to support would be {§4(b)(5)(C)}:

“Countries should not conduct or knowingly support ICT activity that, contrary to international law, intentionally damages or otherwise impairs the use and operation of critical infrastructure providing services to the public, and should take appropriate measures to protect their critical infrastructure from ICT threats.”

Moving Forward

This bill was considered by the House Foreign Affairs Committee on February 25th, 2021. It was amended with substitute language (not currently available) and approved by the Committee (as part of an en bloc consideration) by voice vote. That would indicate wide bipartisan support for the bill which should carry over to the floor of the House. It is likely that the bill would be considered under the suspension of the rules process in the House.

Commentary

This is primarily an information and communications technology security bill. The new ICT terminology is an interesting expansion of the information technology concept to specifically include the necessary communications aspects that are really key to the efficacy of IT operations and security.

The one objective that seems to address industrial control system security is the oddly worded:

“Reducing and limiting the risk of escalation and retaliation in cyberspace, damage to critical infrastructure, and other malicious cyber activity that impairs the use and operation of critical infrastructure that provides services to the public,”

Parsing that out, there are two specifically operational technology related provisions that would attempt to reduce and limit:

• Damage to critical infrastructure, and

• Other malicious cyber activity that impairs the use and operation of critical infrastructure that provides services to the public.

That, combined with the ‘accepted norm’ described above, would seem to make it clear that preventing cyber attacks on critical operational technology will be a key part of the foreign policy of the United States. How the crafters of this bill expect the President and the State Department to accomplish this by diplomatic means is unclear.

CISA’s Use of Subpoena Authority

There is an interesting article over on NextGov.com about plans that CISA has to use the subpoena authority that it was given last year (§1716 of FY 2021 NDAA, PL 116-283) to help prevent ransomware attacks on critical industrial control systems.

It appears that CISA intends to use tools like Shodan to search for industrial control system components with known security vulnerabilities that face the internet. Once those vulnerable IP addresses are found, CISA would then subpoena information from internet service providers to obtain contact information for the vulnerable IP addresses.
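The workflow described above (search internet-wide scan data for internet-facing ICS services, note which hosts carry known vulnerabilities, then work out who owns the address) is something an asset owner can run against its own netblocks before CISA calls. The following is an added example, not code from the article or from CISA: it assumes records in the shape of Shodan banner results (ip_str, port, product, vulns), uses its own port-to-protocol mapping, and uses constructed sample data with RFC 5737 documentation addresses and placeholder vulnerability identifiers. The owner-to-netblock map stands in for the contact information CISA would otherwise obtain by subpoena from the ISP.

```python
import ipaddress
from collections import defaultdict

# Well-known TCP ports for common ICS protocols. This mapping is the
# example's own (an assumption), not something the article or CISA lists.
ICS_PORTS = {
    102: "Siemens S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    1911: "Tridium Niagara Fox",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Constructed sample records in the shape of Shodan banner results
# (ip_str, port, product, vulns). Addresses are RFC 5737 documentation
# ranges and the vuln identifiers are placeholders, not real CVEs.
SAMPLE_BANNERS = [
    {"ip_str": "203.0.113.10", "port": 502, "product": "Modbus PLC", "vulns": ["CVE-PLACEHOLDER-1"]},
    {"ip_str": "203.0.113.10", "port": 80, "product": "embedded httpd", "vulns": []},
    {"ip_str": "203.0.113.77", "port": 102, "product": "S7 PLC", "vulns": []},
    {"ip_str": "198.51.100.5", "port": 44818, "product": "EtherNet/IP adapter", "vulns": ["CVE-PLACEHOLDER-2"]},
    {"ip_str": "192.0.2.9", "port": 22, "product": "OpenSSH", "vulns": ["CVE-PLACEHOLDER-3"]},
]

# Constructed owner-to-netblock map standing in for the contact data CISA
# would otherwise have to subpoena from the ISP.
OWNED_NETBLOCKS = {
    "Plant A (constructed)": ["203.0.113.0/24"],
    "Plant B (constructed)": ["198.51.100.0/26"],
}


def exposed_ics_hosts(banners, ics_ports=ICS_PORTS):
    """Group banners on ICS-protocol ports by IP address.

    Returns {ip: [(port, protocol_name, vuln_ids), ...]}. Banners on
    non-ICS ports (HTTP, SSH, ...) are ignored, so a host is reported
    only if an ICS service itself is reachable from the internet.
    """
    hosts = defaultdict(list)
    for b in banners:
        proto = ics_ports.get(b["port"])
        if proto is None:
            continue
        hosts[b["ip_str"]].append((b["port"], proto, list(b.get("vulns", []))))
    return dict(hosts)


def attribute_owner(ip, netblocks=OWNED_NETBLOCKS):
    """Return the owner whose netblock contains ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for owner, cidrs in netblocks.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return owner
    return None


def report(banners=SAMPLE_BANNERS, netblocks=OWNED_NETBLOCKS):
    """Rank exposed ICS hosts: known-vulnerable first, then by address."""
    rows = []
    for ip, services in exposed_ics_hosts(banners).items():
        vulns = sorted({v for _, _, ids in services for v in ids})
        rows.append({
            "ip": ip,
            "owner": attribute_owner(ip, netblocks),
            "services": [f"{port}/{proto}" for port, proto, _ in services],
            "known_vulns": vulns,
        })
    return sorted(rows, key=lambda r: (-len(r["known_vulns"]), r["ip"]))


if __name__ == "__main__":
    for row in report():
        owner = row["owner"] or "owner unknown (would need ISP lookup)"
        print(f"{row['ip']:<14} {owner:<24} {', '.join(row['services'])}"
              f"  vulns={len(row['known_vulns'])}")
```

Only banners on ICS-protocol ports count toward exposure; the vulnerable SSH host in the sample data is deliberately left out of the report, since the article's concern is control system components themselves facing the internet, not every vulnerable service on the address.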

The article quotes the current CISA acting director as explaining:

“We're not gonna be regulating that company,” Wales said. “But we want to be able to talk directly to the owner and say you know you've got a vulnerable system, it's out on the internet, and we found it today but tomorrow, a malicious actor could have found that, exploited it, and your system could have been down, or worse.”

It looks like the Biden CISA is going to be more proactive in talking with individual companies about cybersecurity issues. We first saw this change with the letter CISA sent out to facilities covered by the Chemical Facility Anti-Terrorism Standards (CFATS) program about the Microsoft email server vulnerabilities. In that case, not only did CISA reach out to the 3,000-plus facilities that are regulated under that program, but also the 33,000-plus facilities that had submitted Top Screen reports to CISA’s Office of Chemical Security (the new name for the old Infrastructure Security Compliance Division). Those facilities were not subsequently regulated under the CFATS program, but are still facilities of concern to OCS.

It will be interesting to see what happens when CISA notes a CFATS regulated company’s systems being found on their internet search. Under the cooperative regulatory scheme used in the CFATS program, OCS cannot issue a blanket instruction to ‘protect’ those vulnerable systems, but it could find after individual site review, that a particular facility was not complying with its approved site security plan.

An as-of-yet unused CFATS authority {6 CFR 27.230(a)(19)} could allow DHS to establish a new risk-based performance standard (RBPS) that would apply to internet facing control systems affecting the security of the DHS chemicals of interest stored, used or produced at the facility. It is not clear whether that RBPS establishment would require the use of the rulemaking process.

There is also the potential that OCS could decide that a currently non-regulated facility with exposed industrial control systems posed a higher risk than originally determined and require it to resubmit a new Top Screen. That, in turn, could allow OCS, under a revised risk assessment, to determine that the facility was now regulated under the CFATS program. Again, a new rulemaking might not be required for that redetermination.

Saturday, March 27, 2021

Bills Introduced – 3-26-21

Yesterday, with the House meeting in pro forma session, there were 106 bills introduced. Two of those bills may receive additional coverage in this blog:

HR 2225 To authorize appropriations for fiscal years 2022, 2023, 2024, 2025, and 2026 for the National Science Foundation, and for other purposes. Rep. Johnson, Eddie Bernice [D-TX-30] 

HR 2236 To establish a voluntary program to identify and promote internet-connected products that meet industry-leading cybersecurity and data security standards, guidelines, best practices, methodologies, procedures, and processes, and for other purposes. Rep. Lieu, Ted [D-CA-33]

I will be watching HR 2225 for cybersecurity research initiatives.

HR 2236 is probably a companion bill to S 965 that was introduced yesterday by Sen. Markey (D,MA).

Public ICS Disclosures – Week of 3-20-21

This week we have 27 vendor disclosures from BD (3), Bosch, TRUMPF, GE Grid Systems (19), Mitsubishi Electric, Moxa, and Rockwell Automation. We have a researcher report for products from Ovarro. Finally, there were two exploits published for products from VMware and Advantech.

BD Advisories

BD published patch advisories for the below listed products. These are the third-party patches that have been tested by BD on the listed products.

BD Care Coordination Engine (CCE),

Security Patches: BD Pyxis™ Products, and

Security Patches: BD Alaris™ Systems Manager

Bosch Advisories

Bosch published an advisory describing seven uncontrolled search path element vulnerabilities in multiple Bosch products. The vulnerabilities were reported by Nir Yehoshua, Dhiraj Mishra, and Eli Paz of CyberArk. Bosch has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

TRUMPF Advisory

CERT-VDE published an advisory describing an out-of-bounds write vulnerability in the TRUMPF TruControl laser control software. The vulnerability was reported by Qualys Research Labs. TRUMPF has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

GE Grid Advisories

GE published advisories for the below listed products. These may be updates for previously issued advisories, but only GE customers can access the advisories, so I do not know for sure:

C30 Controller

C60 Breaker Management Relay

C70 Capacitor Bank Protection and Control System

B30 Bus Differential Relay

B90 Bus Differential System

F35 Multiple Feeder Management Relay

F60 Feeder Management Relay

G30 Generator Management Relay

G60 Generator Management Relay

L30 Line Current Differential Relay

L60 Line Phase Comparison Relay

L90 Line Current Differential Relay

M60 Motor Management Relay

D30 Line Distance Relay

D60 Line Distance Relay

N60 Network Stability and Synchrophasor Measurement System

T35 Transformer Management Relay

T60 Transformer Management Relay

UR Family of Protection Relays

Mitsubishi Advisory

Mitsubishi published an advisory discussing a heap-based buffer overflow vulnerability in a third-party TCP/IP stack (Treck). Mitsubishi is providing generic workarounds to mitigate the vulnerability.

NOTE: Mitsubishi is only reporting one of the four TCP/IP stack vulnerabilities reported by Treck.

Moxa Advisory

Moxa published an advisory describing ten vulnerabilities in their EDR-810 Series Security Routers. The vulnerabilities were reported by the Russian BDU FSTEC. Moxa has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The ten reported vulnerabilities are:

• Improper Input Validation - CVE-2014-2284 (Linux ICMP-MIB implementation),

• Resource Management Errors - CVE-2015-1788 (OpenSSL),

• Improper Restriction of Operations within the Bounds of a Memory Buffer - CVE-2016-10012 (OpenSSH),

• Exposure of Sensitive Information to an Unauthorized Actor - CVE-2015-3195 (OpenSSL),

• Improper Input Validation - CVE-2016-6515 (OpenSSH, Exploit),

• Improper Input Validation - CVE-2017-17562 (EmbedThis, Exploit),

• Cryptographic Issues - CVE-2013-0169 (TLS Protocol),

• Permissions, Privileges, and Access Controls - CVE-2013-1813 (BusyBox, Exploit), and

• Numeric Errors - CVE-2010-2156 (ISC DHCP, Exploit)

Rockwell Advisory

Rockwell published an advisory discussing eight vulnerabilities in their Stratix Switches. These are third-party (Cisco) vulnerabilities. Rockwell has new versions that mitigate the vulnerabilities.

The eight reported vulnerabilities are:

• Privilege escalation (2) - CVE-2021-1392 and CVE-2021-1442,

• Cross-site web socket hijacking - CVE-2021-1403,

• Denial of service (3) - CVE-2021-1352, CVE-2021-1220, and CVE-2021-1356, and

• Command injection (2) - CVE-2021-1452 and CVE-2021-1443.

NOTE: Links above are to the Cisco advisories.

Ovarro Report

Claroty published a report describing the five vulnerabilities that were reported earlier this week in the Ovarro TBox RTUs.

VMware Exploit

WVU published a Metasploit module for a remote code execution vulnerability in the VMware View Planner. This vulnerability was previously reported by VMware.

Advantech Exploit

Spencer McIntyre published a Metasploit module for a missing authentication for critical function vulnerability in the Advantech iView. This vulnerability was previously reported by Advantech.

Friday, March 26, 2021

Bills Introduced – 3-25-21

Yesterday with just the Senate in session, there were 116 bills introduced. Two of those bills will receive additional coverage in this blog:

S 965 A bill to establish a voluntary program to identify and promote internet-connected products that meet industry-leading cybersecurity and data security standards, guidelines, best practices, methodologies, procedures, and processes, and for other purposes.

S 1012 A bill to prohibit the Secretary of Transportation from prohibiting the transportation of liquefied natural gas by rail, and for other purposes.

S 965 sounds like the Cyber Shield bill that was mentioned in the news yesterday (here for instance). Similar legislation was introduced last session, but did not go anywhere.

S 1012 sounds like it may be a companion bill to HR 2100 that was introduced last week.

NOTE: There is some sort of (temporary?) glitch over at Congress.gov this morning that is not providing sponsor information on bills introduced yesterday.

Thursday, March 25, 2021

1 Advisory Published – 3-25-21

Today the CISA NCCIC-ICS published one medical device security advisory for products from Philips.

Philips Advisory

This advisory describes a ‘storage of sensitive data in a mechanism without access control’ vulnerability. The vulnerability was reported by Jean GEORGE of CHU UCL Namur. Philips has provided generic mitigation measures for the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with physical access to the device could exploit the vulnerability to allow access to sensitive information (including patient information).

Wednesday, March 24, 2021

Bills Introduced – 3-23-21

Yesterday with the Senate in Washington and the House meeting in pro forma session (this is a ‘Committee Week’ in the House) there were 124 bills introduced. One of those bills may receive additional coverage in this blog:

S 914 A bill to amend the Safe Drinking Water Act and the Federal Water Pollution Control Act to reauthorize programs under those Acts, and for other purposes. Sen. Duckworth, Tammy [D-IL]

At least one news report notes that the bill would “create a grant program for projects aimed at making water systems more resilient to natural hazards, cybersecurity threats [emphasis added] and extreme weather.” There is nothing in Duckworth’s press release on the bill that confirms this, but that means little. The Senate Environment and Public Works Committee will take up the bill at their business meeting scheduled for today. No link to a committee print of the bill is available on the meeting website.

Tuesday, March 23, 2021

4 Advisories and 2 Updates Published – 3-23-21

Today the CISA NCCIC-ICS published four control system security advisories for products from Ovarro, GE Grid Solutions (2), and Weintek. They also published two updates for products from Rockwell Automation.

Ovarro Advisory

This advisory describes five vulnerabilities in the Ovarro TBox remote terminal units. The vulnerabilities were reported by Uri Katz of Claroty. Ovarro has new versions that mitigate the vulnerabilities. There is no indication that Katz has been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• Code injection - CVE-2021-22646,

• Incorrect permission assignment for critical resource - CVE-2021-22648,

• Uncontrolled resource consumption - CVE-2021-22642,

• Insufficiently protected credentials - CVE-2021-22640, and

• Use of hard-coded cryptographic key - CVE-2021-22644

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to achieve remote code execution, which may cause a denial-of-service condition.

NOTE: This advisory was originally published on February 23rd, 2021 on the restricted HSIN ICS library. This limited disclosure allows critical infrastructure additional time to implement mitigation measures before the vulnerability becomes public. NCCIC-ICS does not use this limited distribution very often, the last time was on July 21st, 2020 and the time before that was on November 6th, 2018.

Reason DR60 Advisory

This advisory describes three vulnerabilities in the GE Reason DR60 digital fault recorder products. The vulnerabilities were reported by the Thales OT Security Team. GE has a firmware update that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Use of hard-coded password - CVE-2021-27440,

• Code injection - CVE-2021-27438, and

• Execution with unnecessary privileges - CVE-2021-27454

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to take full control of the digital fault recorder (DFR), remotely execute code, or escalate privileges.

MU320E Advisory

This advisory describes three vulnerabilities in the GE MU320E product. The vulnerabilities were reported by Tom Westenberg of Thales UK. GE has a new firmware version that mitigates the vulnerabilities. There is no indication that Westenberg has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Use of hard-coded password - CVE-2021-27452,

• Execution with unnecessary privileges - CVE-2021-27448, and

• Inadequate encryption strength - CVE-2021-27450

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to escalate privileges and use hard-coded credentials to take control of the device.

NOTE: Neither of these advisories appear to address any of the 17 advisories published by GE on March 17th, 2021 that I briefly mentioned Saturday.

Weintek Advisory

This advisory describes three vulnerabilities in the Weintek cMT product. The vulnerabilities were reported by Marcin Dudek from CERT.PL. Weintek has upgrades that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Code injection - CVE-2021-27446,

• Improper access control - CVE-2021-27444, and

• Cross-site scripting - CVE-2021-27442

NCCIC-ICS reports

MicroLogix 1400 Update

This update provides additional information for an advisory that was originally published on February 2nd, 2021. The new information includes:

• Adding the names of the researchers from the Veermata Jijabai Technological Institute that reported the vulnerability, and

• Adding a link to the Rockwell advisory.

CompactLogix 5370 Update

This update provides additional information for an advisory that was originally published on March 2nd, 2021. The new information includes adding a link to the Rockwell Advisory.

CISA Publishes 60-Day CFATS ICR Revision Notice

Today the Cybersecurity and Infrastructure Security Agency published a 60-day information collection request revision notice in the Federal Register (86 FR 15490-15493) for the Chemical Facility Anti-Terrorism Standards (CFATS) program. This is one of four ICRs that support the operations of the CFATS program.

Covered Instruments

This revision notice addresses changes in the following collection documents:

Request for Redetermination,

Request for Extension,

Top-Screen Update,

Compliance Assistance, and

Declaration of Reporting Status

The links above are .docx download links. They are for the currently approved form or instructions. We will not be able to see the revised documents until CISA submits the ICR to the OMB’s Office of Information and Regulatory Affairs shortly after the 30-day ICR notice is published.

Changes

In this revision notice CISA is making changes in the documentation to reflect the organizational change from NPPD to CISA. They are also updating the burden estimates to reflect recent collected data history and extrapolations of future activity. The burden estimates are reflected in the table below.

Instrument                          Revised Estimate                    Current Estimate
                                    Number   Time (hrs)   Cost          Number   Time (hrs)   Cost
Request for Redetermination            250        62.5    $5,364           625       156.0    $10,581
Request for Extension                  400        41.7    $3,576           730        58.0     $3,955
Top-Screen Update                    2,500       312.5   $26,818         1,875       150.0    $10,158
Compliance Assistance                1,600       133.3   $11,443           683        55.0     $3,698
Declaration of Reporting Status        100        25.0    $2,145           480       120.0     $8,126

The links in the table lead to the detailed discussion of the revision methodology in this revision notice.

Public Comments

CISA is soliciting public comments on this ICR revision. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # CISA-2021-0003). Comments should be submitted by May 24th, 2021.

Sunday, March 21, 2021

CISA Publishes 60-Day ICR Revision Notice for Vulnerability Discovery Program

On Friday, DHS published a 60-day information collection request (ICR) revision notice in the Federal Register (86 FR 19499-14945) for the DHS Vulnerability Discovery Program (RIN #: 1601-0028).

The Information Collection

According to the notice:

“DHS is requesting pursuant to 44 US Code 3509 [link added], that the information collection be designated for any Federal agencies ability to utilize the standardized DHS online form to collect their own agency's vulnerability information and post the information on their own agency websites.”

Each agency collecting information under this ICR would use the DHS collection form but would post it on the agency web site. The information collected will include:

• Vulnerable host(s),

• Necessary information for reproducing the security vulnerability,

• Remediation or suggestions for remediation of the vulnerability, and

• Potential impact on host, if not remediated.

DHS estimates no change in the burden due to this expansion of the coverage of the ICR.

Public Comments


DHS is soliciting public comment on this revision. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # DHS-2021-0009). Comments should be submitted by May 18th, 2020.

Commentary

Earlier this month the OMB’s Office of Information and Regulatory Affairs (OIRA) approved an emergency revision of this DHS ICR that would allow other Federal agencies to use the same ICR for their individual vulnerability discovery programs. That emergency approval came with the proviso that DHS submit an ICR revision in the normal manner to confirm the expanded collection effort. This is the direct response to that proviso.

In this notice DHS continues to rely on the ‘information sharing’ provisions of 44 USC 3553(l) (added by §1705(2) of PL 116-283). This language allows DHS to “access, use, retain, and disclose, and the head of an agency may disclose to the Secretary, information, for the purpose of protecting information and information systems from cybersecurity risks.” That does not really pertain to collecting voluntarily supplied information from outside of the government for a vulnerability discovery program. A more appropriate justification would be the newly added §3553(b)(8)(B) {added by §1705(1)}: that gives DHS authority for “deploying, operating, and maintaining secure technology platforms and tools, including networks and common business applications, for use by the agency to perform agency functions, including collecting, maintaining, storing, processing, disseminating, and analyzing information [emphasis added]”.

Unfortunately, this justification and the reliance in the Notice upon 44 US Code 3509, would seem to run counter to the concept of each agency collecting, processing and analyzing data from its own vulnerability discovery program using the DHS provided form. Section 3509 does allow OMB to “designate a central collection agency to obtain information for two or more agencies”, but it specifically prohibits an agency from collecting “for itself information for the agency which is the duty of the collection agency to obtain.” Thus, under §3509, DHS would run the data collection under the multi-agency VDP and either provide the raw data to the agency for processing and analysis or would provide the processed and/or analyzed data to the client agency for action. Neither of those options were described in this 60-day ICR notice.

One final objection to the data presented in this ICR revision request: it presents inadequate information on the burden of the data collection, and this is arguably one of the most important parts of the ICR process. The current burden estimate is identical to the burden estimate for the DHS-only Vulnerability Discovery Program that was approved by OIRA back in August of last year; 3,000 annual responses with an estimated time spent on each response being three hours, for a total burden of 9,000 hours with a total annual responder cost of $647,280. It only seems reasonable to assume that a multi-agency VDP would have a larger number of responses, burden and cost.

Granted, DHS has not been running their own VDP long enough to have a solid history to even semi-accurately estimate the number of future responses that they would expect to receive in the future, but the ICR process demands that a reasonable effort be made to project the burden and revise the estimate in future renewals based upon actual program data.

At this point, DHS is not even sure how many agencies will be utilizing this DHS ICR to support their own program. So, what DHS should probably have done is to establish a reasonable estimate for an agency VDP for agencies of different sizes {e.g., small (think FDA), medium (think DHS) and large (think HHS)} and then estimate the number of each size agency that will adopt the DHS VDP, calculating the burden from there. Subsequent ICR revisions would refine the future estimates from the collected data.

NOTE: A copy of this blog post will be submitted as a comment on this ICR notice.

Saturday, March 20, 2021

Homeland Security Markups – 3-18-21

On Thursday the House Homeland Security Committee held a markup hearing on seven bills. All of the bills were passed by unanimous consent after three of the bills were amended. The four bills that I have covered here in this blog included:

HR 1833 – Amended and passed,

HR 1850 – Passed,

HR 1871 – Passed

HR 1833 – DHS ICS Capabilities Enhancement Act

There were two amendments adopted for this bill. The first was proposed by Rep Langevin (D,RI). It inserted the words ‘Sector Risk Management Agencies’ in three places in the bill, indicating that NCCIC-ICS must carry out its ICS security tasks in coordination with these agencies. This brings the bill more in line with HR 5733 that was introduced in 2018.

The second amendment was proposed by Rep Torres (D,NY). It added a requirement for a GAO report within 2 years of the passage of this bill. GAO would be specifically tasked to address {new §2(c)}:

• Any interagency coordination challenges to the ability of the Director of the CISA to lead Federal efforts to identify and mitigate cybersecurity threats to industrial control systems,

• The degree to which the Agency has adequate capacity, expertise, and resources to carry out threat hunting and incident response capabilities to mitigate cybersecurity threats to industrial control systems, as well as additional resources that would be needed to close any operational gaps in such capabilities.

• The extent to which industrial control system stakeholders sought cybersecurity technical assistance from the Agency, and the utility and effectiveness of such technical assistance.

• The degree to which the Agency works with security researchers and other industrial control systems stakeholders to provide vulnerability information to the industrial control systems community.

Moving Forward

The unanimous consent passage of these measures indicates that there is widespread, bipartisan support for all of these bills. I expect that all these bills will move to the floor of the House under the suspension of the rules process. Typically bills will not be considered by the full House until reports are published, but that is not a requirement. I would not be surprised to see HR 1833 move to the floor when the House returns to session after the Easter break on April 13th.

Public ICS Disclosures – Week of 3-13-21

This week we have 19 vendor disclosures from GE Grid (17), Moxa, and Philips. We have one update from BD. We have three researcher reports for products from Soyal. Finally, we have two exploits for products from QNAP and VMware.

GE Grid Advisories

GE Grid published advisories for the below listed products. The advisories are only available to GE registered customers. It is possible that these are all related to the vulnerabilities reported by NCCIC-ICS in the GE UR product earlier this week.

C30 Controller,

C60 Breaker Management Relay,

C70 Capacitor Bank Protection and Control System,

B30 Bus Differential Relay,

B90 Bus Differential System,

F35 Multiple Feeder Management Relay,

F60 Feeder Management Relay,

G30 Generator Management Relay,

G60 Generator Management Relay,

L30 Line Current Differential Relay,

L60 Line Phase Comparison Relay,

L90 Line Current Differential Relay,

M60 Motor Management Relay,

D30 Line Distance Relay,

D60 Line Distance Relay,

N60 Network Stability and Synchrophasor Measurement System,

T35 Transformer Management Relay, and

T60 Transformer Management Relay.

Moxa Advisory

Moxa published an advisory describing three vulnerabilities in their VPort 06EC-2V Series IP Cameras. The vulnerabilities were reported by Qian Chen of Qihoo 360 Nirvan Team. Moxa has patches available to mitigate the vulnerabilities. There is no indication that Qian has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Null pointer dereference,

• Integer underflow, and

• Out-of-bounds read.

Philips Advisory

Philips published an advisory discussing the F5 Network vulnerabilities. Philips has identified the following products as being affected by the vulnerabilities:

• Clinical Collaboration Platform,

• IS PACS,

• Universal Data Manager, and

• VueByond

BD Update

BD published an update for their BD Alaris advisory that was originally published on February 6th, 2017 and most recently updated on October 19th, 2017. The new information includes:

• Updating the affected product list to include an out-of-service product,

• Adding Palo Alto Networks as the original reporter of the vulnerability,

• Adding a description of the replacement of an internal flash drive vulnerability, and

• Adding a notice that a product update is pending FDA review.

NOTE: NCCIC-ICS has not yet updated their advisory (ICSMA-17-017-02) for this updated information.

Soyal Reports

Zero Science published three reports for vulnerabilities in the SOYAL Biometric Access Control System. The vulnerability disclosures were coordinated with SOYAL, but the status of the mitigation measures is not currently available. Exploits have been published for each of the three reported vulnerabilities by LiquidWorm.

The three reported vulnerabilities are:

CSRF change admin password – (exploit),

Weak default credentials – (exploit), and

Master code disclosure – (exploit)

QNAP Exploit

Luiz Martinez published an exploit for an unquoted service path vulnerability in the QNAP QVR Client. There is no CVE number provided nor is there any mention of coordination with QNAP, so this may be a 0-day exploit.
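The QNAP item above is an instance of a general Windows misconfiguration class: a service whose ImagePath contains spaces but is not wrapped in quotes. What follows is an added audit example written for this post; it is not code from the page, from QNAP, or from the exploit author, and it makes no assumptions about QVR Client's actual install path. It enumerates local services through the real Win32_Service CIM class and flags any whose executable portion is unquoted and contains a space; the three sample command lines at the bottom are constructed so the test logic can be exercised offline.

```powershell
# Added example (not from the page, QNAP, or the exploit author): audit a Windows host
# for services whose ImagePath is unquoted yet contains spaces.

function Test-UnquotedServicePath {
    # Returns $true when the command line the Service Control Manager will launch
    # has an unquoted executable path containing a space.
    param([Parameter(Mandatory)][string]$PathName)

    $p = $PathName.Trim()
    if ($p.Length -eq 0 -or $p[0] -eq '"') { return $false }   # empty or already quoted

    # Executable portion is everything up to and including the first ".exe".
    $m = [regex]::Match($p, '^(?<exe>.+?\.exe)', 'IgnoreCase')
    if (-not $m.Success) { return $false }

    return $m.Groups['exe'].Value.Contains(' ')
}

function Get-UnquotedServicePath {
    # Live audit of the local machine; requires only read access to the SCM.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { Test-UnquotedServicePath -PathName $_.PathName } |
        Select-Object Name, StartMode, StartName, PathName
}

# Constructed sample command lines (hypothetical vendor and paths, not real services):
$samples = @(
    'C:\Program Files\Example Vendor\Example Client\svc.exe -run',    # unquoted + spaces -> True
    '"C:\Program Files\Example Vendor\Example Client\svc.exe" -run',  # quoted -> False
    'C:\Windows\system32\svchost.exe -k netsvcs'                      # no spaces -> False
)
foreach ($s in $samples) {
    '{0,-5} <= {1}' -f (Test-UnquotedServicePath -PathName $s), $s
}

# To audit the host you are on, run:
#   Get-UnquotedServicePath | Format-Table -AutoSize
# Remediation is to quote the executable portion of the service's ImagePath value
# under HKLM:\SYSTEM\CurrentControlSet\Services\<Name> (or reinstall a vendor-fixed
# package), then restart the service.
```

The check keys on the first `.exe` token because that is the point at which the Service Control Manager's path resolution becomes ambiguous; a path with spaces but no `.exe` extension is reported as clean, which is a deliberate simplification for the audit. Review each finding against the service account in the StartName column: the exposure matters most for services that run as LocalSystem or another privileged account.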

VMWare Exploit

Grant Willcox and Mikhail Klyuchnikov published a Metasploit module for an unauthenticated log file upload vulnerability in the VMware View Planner product. This vulnerability was previously reported by VMware.

Bills Introduced – 3-19-21

Yesterday, with just the House in session, there were 53 bills introduced. One of those bills will receive additional coverage in this blog:

HR 2100 To prohibit the Secretary of Transportation from prohibiting the transportation of liquefied natural gas by rail, and for other purposes. Rep. Nehls, Troy E. [R-TX-22] 

As a side note (and the only mention here) H Res 260 was introduced yesterday to expel Rep. Greene (R,GA) from the House under article I, section 5, clause 2 of the United States Constitution. That clause reads:

“Each House may determine the Rules of its Proceedings, punish its Members for disorderly Behaviour, and, with the Concurrence of two thirds, expel a Member.”

There is nothing in the language of the bill that would explain what specific ‘disorderly behavior’ would be the basis for the expulsion.

Friday, March 19, 2021

Reader Comments – SSI and Contractors

Long-time reader and frequent cogent commenter Laurie Thomas left a comment on my recent blog post about the introduction of HR 1871. That bill would require the TSA to review procedures and guidelines for the use of the Sensitive Security Information (SSI) designation of information. Laurie points out that government contractors would certainly be affected by changes in the SSI program. Her comment is certainly worth reading, particularly by the staff at the House Homeland Security Committee responsible for this legislation.

Just a reminder to anyone concerned about changes to the SSI program, TSA is VERY slow to make changes to the program. There has been a rulemaking in place since 2004 when TSA published the interim final rule establishing the program. According to the Fall 2020 Unified Agenda, the final rule was expected to be published in August of this year, but that has slipped so many times it is no longer an even aspirational forecast.

Bills Introduced – 3-18-21

Yesterday, with the House and Senate in session (and the Senate preparing to leave for the weekend), there were 150 bills introduced. Three of those bills may receive additional coverage in this blog:

HR 2046 To enhance the security of the United States and its allies, and for other purposes. Rep. Miller, Carol D. [R-WV-3]

S 819 A bill to enhance the security of the United States and its allies, and for other purposes. Sen. Barrasso, John [R-WY]

S 860 A bill to develop and deploy firewall circumvention tools for the people of Hong Kong after the People's Republic of China violated its agreement under the Joint Declaration, and for other purposes. Sen. Lankford, James [R-OK]

I do not really think that HR 2046 or S 819 will be of interest here, but the ‘enhance security’ claim in the title is so broad that it could encompass just about anything. As always I will be watching for language related to cybersecurity or chemical security issues.

The description of S 860 just jumped off the page and slapped me in the face this morning. While I understand the impetus for helping the people of Hong Kong (and essentially flipping off the ‘Communist’ Chinese government) this bill is fraught with so many potential unintended consequences that I just have to watch it; like standing around and watching a house burn down in the neighborhood.

Thursday, March 18, 2021

3 Advisories and 1 Update Published – 3-18-21

Today the CISA NCCIC-ICS published three control system security advisories for products from Hitachi ABB Power Grids (2) and Johnson Controls. They also published an update for an advisory for products from Rockwell Automation.

eSOMS Telerik Advisory

This advisory describes seven vulnerabilities in the Hitachi ABB eSOMS using Telerik (3rd party) software. The vulnerabilities are self-reported. Hitachi ABB has a new version that mitigates the vulnerabilities.

The seven reported vulnerabilities are:

• Path traversal - CVE-2019-19790,

• Deserialization of untrusted data - CVE-2019-18935 (2 publicly available exploits, here and here),

• Improper input validation - CVE-2017-11357 (1 publicly available exploit),

• Inadequate encryption strength - CVE-2017-11317,

• Insufficiently protected credentials - CVE-2017-9248 (1 publicly available exploit),

• Path traversal - CVE-2014-2217, and

• Path traversal - CVE-2014-4958

NOTE 1: Links are to the original Telerik advisory or blog post.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to upload malicious files to the server, discover sensitive information, or execute arbitrary code.

NOTE 2: Telerik apparently publicly acknowledged these vulnerabilities years ago (almost 7 years in one case). Why is it taking Hitachi ABB so long to address them? I guess the question is, did Telerik directly notify them of the vulnerability or just rely on the publication? I suspect that it was the latter.

eSOMS Advisory

This advisory describes an exposure of sensitive information to an unauthorized actor vulnerability in their eSOMS product. The vulnerability is self-reported. Hitachi ABB has new versions that mitigate the vulnerability.

NOTE: The Hitachi ABB advisory says they were notified of the vulnerability “through responsible disclosure”.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to gain access to unauthorized information.

Johnson Controls Advisory

This advisory describes an exposure of sensitive information to an unauthorized actor vulnerability in the Exacq Technologies (Johnson Controls) exacqVision Web Service. The vulnerability was reported by Milan Kyselica. Johnson Controls has a new version that mitigates the vulnerability. There is no indication that Kyselica has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an unauthenticated attacker to view system-level information about the exacqVision Web Service and the operating system.

Rockwell Update

This update provides additional data on an advisory that was originally reported on February 25, 2021. The new information includes:

• Adding FactoryTalk Security to the list of affected products, and

• Rewriting the mitigation section (to include noting that this is not a patchable vulnerability).

NOTE: I briefly discussed the updated Rockwell advisory back on March 6th, 2021.
