Friday, April 30, 2021

Three CSB Nominations Sent to Senate

Yesterday the Senate received three nominations for Board Members for the Chemical Safety and Inspection Board (CSB). The CSB is supposed to have five Board Members, but Dr. Katherine A. Lemos, the Board Chair, has been serving as the sole Board Member since she was confirmed in 2020.

The three new nominees are:

• Stephen A. Owens, of Arizona, to be a Member of the Chemical Safety and Hazard Investigation Board for a term of five years.

• Jennifer Beth Sass, of Maryland, to be a Member of the Chemical Safety and Hazard Investigation Board for a term of five years.

• Sylvia E. Johnson, of North Carolina, to be a Member of the Chemical Safety and Hazard Investigation Board for a term of five years.

The White House web site provides brief biographies for the three nominees. Owens is a lawyer with regulatory experience at both the US EPA and the Arizona Department of Environmental Quality. Dr Sass currently works for the Natural Resources Defense Council advocating for regulations that are consistent with science, health policy, and environmental law. Dr Johnson currently works for the National Education Association working on COVID-19 related issues, but she does have a background in Biomedical Engineering and Industrial Hygiene.

It is not unexpected that two of the Biden nominees have backgrounds that include environmental activism. Nor is this necessarily a bad thing. The mandate of the CSB is to investigate significant chemical accidents, analyze the results of those investigations to detect systemic issues that could affect the wider chemical infrastructure and to advocate for changes to rectify those shortcomings. Environmental activists have a unique perspective that could provide interesting solutions to the problems that their investigators find.

I know that industry would rather have members with more of a manufacturing background so that they would understand the problems and limitations that industry needs to work with in pursuing their chemical safety goals. Trump, an industry friendly President, had a chance to pack the CSB with five people from that background; he only nominated Lemos. Instead of advocating for the disbanding of the Board, he could have ensured that more people with an industry background were on the Board. Too late now.

S 914 Passed in Senate – Water Systems Authorization

Yesterday, after adopting the substitute language I described earlier this week by a voice vote, and adopting two other amendments, the Senate passed S 914, the Drinking Water and Wastewater Infrastructure Act of 2021, by a strongly bipartisan vote of 89 to 2. The cybersecurity provisions in the substitute language made it through to the final bill without modification.

Commentary

I think we are going to see additional authorization bills that are not strictly cybersecurity related containing cybersecurity provisions. While I had some concerns about definitions and such, I am glad to see this bill pass with the cybersecurity provisions that it contained. This reflects a growing recognition within the Congress that cybersecurity will have to be a component of much of what we do in this country and around the world.

Reader Comment – Other RTOS Affected?

I had an interesting comment pop up over on LinkedIn about the RTOS advisory I discussed last night. Monty Grindy added:

“Interesting. Didn’t see QNX on that list.”

And he is, of course, correct; QNX did not make the list. And, looking at the Wikipedia list of RTOS, there were an awful lot of other RTOS that were not listed. Does this mean that they were not affected? Not sure, but my guess is maybe???

If you read the Microsoft report on BadAlloc you run across some interesting comments. The first that impacts on the above question is:

“The vulnerabilities exist in standard memory allocation functions spanning widely used real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations [emphasis added]. These findings have been shared with vendors through responsible disclosure led by the Microsoft Security Response Center (MSRC) and the Department of Homeland Security (DHS), enabling these vendors to investigate and patch the vulnerabilities.”

Thus, any RTOS developers that utilized the same SDKs or libc implementations could have ended up with similar vulnerabilities in their RTOS’s. This is not surprising from looking at the NCCIC-ICS advisory. Each of the 23 vulnerabilities listed uses similar naming conventions for the affected operation.

Microsoft also noted that:

“These remote code execution (RCE) vulnerabilities cover more than 25 CVEs [emphasis added] and potentially affect a wide range of domains, from consumer and medical IoT to Industrial IoT, Operational Technology (OT), and industrial control systems.”

NCCIC-ICS only reported on 25 CVE’s (VxWorks and FreeRTOS both received two CVE’s). If we take that ‘more than’ statement seriously, and I do not expect that MS used it lightly, then there may be additional RTOS that MS found vulnerabilities in. If those vendors were able to convince MS and NCCIC-ICS that they were still vigorously working on correcting the problems, then NCCIC-ICS may have held off in their disclosure.

Finally, the Wikipedia entry on ‘Realtime Operating Systems’ lists a lot more than 25 entries into the category. I would be very surprised if Microsoft’s Section 52, the Azure Defender for IoT security research group, had enough time or incentive to try to test all of those RTOSs. They certainly made their point with the research that they did do.

I would also be surprised if they found this type of memory allocation vulnerability in all of the RTOS’s that they tested. Certainly, someone was using a different set of tools and libraries to set up their RTOS. It would have been helpful if Microsoft would have provided a list of systems that they tested that were not vulnerable to this particular type of vulnerability.

One final note. I am sure that now that MS has pointed the way to these common vulnerabilities in 25 different operating systems, other researchers will be looking for other common cause vulnerabilities. IoT and OT cybersecurity is just going to continue to get more and more interesting.

Thursday, April 29, 2021

4 Advisories Published – 4-29-21

Today, CISA’s NCCIC-ICS published control system security advisories for products from multiple RTOS vendors, Johnson Controls, Cassia Networks, and Texas Instruments.

RTOS Advisory

This advisory describes 23 [corrected typo '13' to '23', 4-30-21 0853 EDT] different integer overflow or wraparound vulnerabilities in multiple real-time operating systems (RTOS). The vulnerabilities were discovered by Microsoft’s Section 52, the Azure Defender for IoT security research group and are collectively named BadAlloc. The advisory provides links to updated versions for most of the affected products.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to result in unexpected behavior such as a crash or a remote code injection/execution.
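To make the vulnerability class behind this advisory (and the integer overflow entries in the TI advisory below) concrete, here is an added example that is not code from the advisory, from Microsoft, or from any affected vendor. It shows the generic defect: an allocation size computed as count × element size in a fixed-width integer wraps to a small value, so a buffer is reserved for far fewer bytes than the caller then writes. The 32-bit size type and the 8-byte allocator header are constructed assumptions chosen to make the wraparound deterministic on any host; the hardened path refuses any request whose arithmetic does not fit.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed assumption: a 32-bit size type, as on the typical embedded
 * targets where RTOS and libc allocators run. An explicit uint32_t keeps the
 * wraparound deterministic regardless of the host's size_t width. */
typedef uint32_t esize_t;

#define HEADER_BYTES 8u /* constructed: per-block allocator header size */

/* Vulnerable pattern: count * elem is computed in esize_t with no overflow
 * check, so a large count silently wraps to a small byte count. */
static esize_t unchecked_alloc_size(esize_t count, esize_t elem)
{
    return count * elem; /* wraps modulo 2^32 */
}

/* Hardened multiplication: reject any (count, elem) whose product does not
 * fit in esize_t. Returns false on overflow and leaves *out untouched. */
static bool checked_mul(esize_t count, esize_t elem, esize_t *out)
{
    if (elem != 0 && count > UINT32_MAX / elem)
        return false;
    *out = count * elem;
    return true;
}

/* Hardened addition for allocator bookkeeping: adding a header or alignment
 * slack to an already-large payload can wrap just as the multiply can. */
static bool checked_add(esize_t a, esize_t b, esize_t *out)
{
    if (a > UINT32_MAX - b)
        return false;
    *out = a + b;
    return true;
}

/* Hardened calloc-style request: total = count * elem + HEADER_BYTES with
 * both operations checked. Returns the total block size, or 0 when the
 * request must be refused (0 is never a valid total because of the header). */
static esize_t request_size_or_zero(esize_t count, esize_t elem)
{
    esize_t payload, total;
    if (!checked_mul(count, elem, &payload))
        return 0;
    if (!checked_add(payload, HEADER_BYTES, &total))
        return 0;
    return total;
}

/* Bytes the unchecked path under-reserves for a request: the gap between what
 * the caller will write (count * elem, computed without truncation) and what
 * the wrapped size actually allocates. 0 means the two agree. */
static uint64_t under_allocation(esize_t count, esize_t elem)
{
    uint64_t needed = (uint64_t)count * elem;
    uint64_t reserved = unchecked_alloc_size(count, elem);
    return needed - reserved;
}

int main(void)
{
    /* Ordinary request: both paths agree (40 payload bytes, 48 with header). */
    printf("10 x 4: unchecked=%u checked=%u\n",
           unchecked_alloc_size(10, 4), request_size_or_zero(10, 4));

    /* Wrapping request: 0x40000001 * 4 = 0x100000004, truncated to 4. */
    esize_t count = 0x40000001u;
    printf("%#x x 4: unchecked=%u (short by %llu bytes) checked=%u\n",
           count, unchecked_alloc_size(count, 4),
           (unsigned long long)under_allocation(count, 4),
           request_size_or_zero(count, 4));

    /* Product fits but header addition wraps: also refused. */
    printf("0x3fffffff x 4 + header: checked=%u\n",
           request_size_or_zero(0x3FFFFFFFu, 4));
    return 0;
}
```

The second check matters as much as the first: a payload of 0xFFFFFFFC bytes passes the multiplication test but wraps once the header is added, which is exactly the kind of allocator-internal arithmetic the advisory's "standard memory allocation functions" wording points at. When reviewing an allocator or SDK, look for every size computation that feeds a reservation, not only the caller-facing multiply.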

NOTE: NCCIC-ICS has updated their remote access – VPN guidance:

“When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.”

Johnson Controls Advisory

This advisory describes an off-by-one error vulnerability in Johnson Controls exacqVision Network Video Recorder running on unpatched versions of the Ubuntu operating system. This is a third-party (Sudo) vulnerability and there are exploits reported (here, here, and here for example). Johnson Controls recommends updating the Ubuntu operating systems to mitigate the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker with local access could exploit the vulnerability to obtain “Super User” access to the underlying Ubuntu Linux operating system.

Cassia Advisory

This advisory describes a path traversal vulnerability for the Cassia Networks Access Controller. The vulnerability was reported by Amir Preminger and Sharon Brizinov of Claroty. Cassia has a patch that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit this vulnerability to allow an attacker to read any file from the Access Controller server.

TI Advisory

This advisory describes five vulnerabilities in the Texas Instruments SimpleLink Wi-Fi products. The vulnerabilities were reported by David Atch and Omri Ben Bassat from Microsoft. TI has software versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• Integer overflow or wraparound (4) - CVE-2021-22677, CVE-2021-22675, CVE-2021-22679, and CVE-2021-22671, and

• Stack-based buffer overflow - CVE-2021-22673

CISA Webinar on Protecting Against UAS

Earlier this week the Cybersecurity and Infrastructure Security Agency announced that the Interagency Security Committee (ISC) would be holding a webinar on “Protecting Against the Threat of Unmanned Aircraft Systems” next Thursday. The webinar is based upon their publication from last November of the same name.

The webinar web page makes an important point about UAS mitigation issues:

“Although most agencies do not have the authority to disable, disrupt, or seize control of an unmanned aircraft, there are other effective risk reduction measures they may implement. This webinar will provide best practices from the ISC’s UAS publication that any organization or facility can use to mitigate UAS threats.”

The ISC is a collaborative organization that provides leadership to the nonmilitary federal community supporting physical security programs that are comprehensive and risk based, though much of their work would be applicable to critical infrastructure facilities. I was a little concerned that this webinar might be somewhat restricted, but my registration was approved without apparent question.

Anyone interested in watching the webinar (which should be anyone with security responsibilities that may include protecting against UAS incursions and attacks) can register for the webinar here.

S 1012 Introduced – Protecting LNG by Rail

Last month, Sen Cruz (R,TX) introduced S 1012, a bill to prohibit the Secretary of Transportation from prohibiting the transportation of liquefied natural gas by rail, and for other purposes. The bill would stop DOT from modifying last summer’s final rule allowing the shipment of LNG by rail. A similar bill, HR 2100 was introduced in the House.

The Language

The bill is a short piece of legislation, only one section and no fancy title. It would not only stop DOT from initiating rulemakings to prohibit the transportation of LNG by rail, it would also prevent any rulemakings that “restricts or contracts the scope of allowance provided by the final rule of the Pipeline and Hazardous Materials Safety Administration, titled “Hazardous Materials: Liquefied Natural Gas by Rail”, which was published in the Federal Register on July 24, 2020 (85 Fed. Reg. 44994)” {§1(a)(2)}. It would, however, allow DOT “to issue short-term emergency orders related to the transportation of liquefied natural gas by rail” {§1(b)}.

Moving Forward

Cruz is a member of the Senate Commerce, Science, and Transportation Committee to which this bill was assigned for consideration. This could mean that there would be enough influence to have this bill considered in Committee. In this case, however, I think that opposition from Democrats would be sufficient to stop the bill from being considered. If it were considered it would fail on a party line vote or maybe even have one or two Republicans vote against it. It could never make it to the floor of the Senate for consideration.

Commentary

Cruz and his two cosponsors {Sen Kennedy (R,LA) and Sen Cramer (R,ND)} are all from natural gas producing states. They are very aware of the general opposition in the Democratic Party to the shipment of natural gas by rail, and really, almost anything to do with natural gas in general. It is very likely that DOT will start some sort of rulemaking limiting LNG shipments or flatly overturning the Trump Administration’s rule allowing such shipments.

The three Senators know that there is no possible way for this bill to move forward in the Senate in this session. Even in a narrowly Republican Senate, this bill would face too much stiff opposition from Democrats to be able to get anywhere. The same will hold true on HR 2100 in the House. This bill and its House counterpart were introduced just to show the members’ constituents that they were trying to do something to protect the interests of natural gas shippers; the two bills are political gestures, nothing more.

Frankly, I am surprised that we have not seen a bill directing DOT to vacate the LNG by rail rule; something along the lines of §8202 of HR 2, the INVEST in America Act in the 116th Congress. Such a bill would be very unlikely to be considered in a split Senate, but it would be an important notice to environmental activists and chemical safety supporters of the Democratic Party.

One thing is for sure, this is not the last we have heard about LNG by rail in the 117th Congress.

Bills Introduced – 4-28-21

Yesterday, with both the House and Senate in session, there were 101 bills introduced. Five of those bills may receive additional coverage in this blog:

HR 2885 To require the Secretary of Energy to establish an electric grid resilience grant program and an electric grid resilience research and development program. Rep. Johnson, Eddie Bernice [D-TX-30] 

HR 2894 To establish a Civilian Cyber Security Reserve as a pilot project to address the cyber security needs of the United States with respect to national security, and for other purposes. Rep. Panetta, Jimmy [D-CA-20]

S 1400 A bill to amend the Federal Power Act to provide energy cybersecurity investment incentives, to establish a grant and technical assistance program for cybersecurity investments, and for other purposes. Sen. Murkowski, Lisa [R-AK] 

S 1407 A bill to enhance the early warning reporting requirements for motor vehicle manufacturers, and for other purposes. Sen. Markey, Edward J. [D-MA]

S 1419 A bill to require the Secretary of Defense to support and provide incentives for domestic manufacturing of printed circuit boards, to identify national security risks in printed circuit boards imported from certain foreign countries, and for other purposes. Sen. Hawley, Josh [R-MO] 

I will be watching HR 2885 for language and definitions that would include cybersecurity in the grid resilience programs; probably will not be any.

I will be covering both HR 2894 and S 1400 for rather obvious reasons.

I will be watching S 1407 for language and definitions that would include cybersecurity issues as part of the enhanced early warning reporting requirements; probably will not be any.

I will be watching S 1419 since there are obvious cybersecurity implications here, but I do not expect this bill to go anywhere given Hawley’s reputation.

Wednesday, April 28, 2021

OCS Publishes Chemical Security Quarterly – March 2021

Today CISA’s Office for Chemical Security published a link to the March 2021 Chemical Security Quarterly on their Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. As I noted earlier this month this newsletter had already been sent out as an email to personnel that have signed up for distribution.

There is a minor problem with the links on the right-side .PDF document. Instead of taking one to the article within the newsletter it tries to connect with https://admin.govdelivery.com/accounts/USDHSCISA/bulletins.

Many of the articles are somewhat dated, though the information provided still has value. Many of the topics have already been covered here in this blog. The topics listed below have not been addressed here in this blog in some time.

• Global Congress on Chemical Security and Emerging Threats Update,

• How to Report Suspicious Activity and Security Incidents,

• Compliance Corner: PSP Rollout Continues, and

• Request for Technical and On-Site Assistance

Senate Starts Consideration of S 914 – Water Systems Authorization

Yesterday, by a vote of 92 to 3, the Senate agreed to begin consideration of S 914, the Drinking Water and Wastewater Infrastructure Act of 2021. Ten amendments were offered, including S 1460 (pgs S2229 to S2242) which is the substitute language that the Senate will consider instead of the language reported by the Senate Environment and Public Works Committee earlier this month. S 1460 includes additional changes to the cybersecurity provisions in the bill. None of the other amendments offered to this bill yesterday contain cybersecurity language.

Minor Language Changes

There were some minor formatting changes to the cybersecurity language that was found in the reported version of the bill. The only substantive revision was the removal of language that was originally found in §101 that specifically included ‘cybersecurity event’ as a potential cause for the emergency situations that could trigger the provision of technical assistance or grants under 42 USC 300j-1.

New Cybersecurity Support Language

S 1460 would add a new §113, Cybersecurity support for public water systems, to the bill. That section would add §1429A to the Safe Drinking Water Act. That section would require the EPA, in coordination with CISA, to “develop a prioritization framework to identify public water systems (including sources of water for those public water systems) that, if degraded or rendered inoperable due to an incident, would lead to significant impacts on the health and safety of the public” {§1429A(b)(1)(A), pg S2235}.

That ‘prioritization framework’ would incorporate consideration of {§1429A(b)(1)(B), pg S2236}:

• Whether cybersecurity vulnerabilities for a public water system have been identified under section 1433 [42 USC 300i–2],

• The capacity of a public water system to remediate a cybersecurity vulnerability without additional Federal support,

• Whether a public water system serves a defense installation or critical national security asset, and

• Whether a public water system, if degraded or rendered inoperable due to an incident, would cause a cascading failure of other critical infrastructure.

The ‘section 1433’ reference is to the EPA’s Risk Assessments and Emergency Response Plans requirements that I briefly described in my post about the Florida Water System Hack. The term ‘incident’ in the last bullet is defined in this section by reference to the 44 USC 3552 definition which applies specifically to information systems.

The new §1429A then goes on to require the EPA, again in coordination with CISA, to develop “a Technical Cybersecurity Support Plan for public water systems” {new §1429A(b)(2)(A)} for providing voluntary support to public water systems. That Plan would {new §1429A(b)(2)(B)}:

• Establish a methodology for identifying specific public water systems for which cybersecurity support should be prioritized;

• Establish timelines for making voluntary technical support for cybersecurity available to specific public water systems;

• May include public water systems identified by the Administrator, in coordination with the Director, as needing technical support for cybersecurity;

• Include specific capabilities of the Administrator and the Director that may be utilized to provide support to public water systems under the Support Plan, and

• Only include plans for providing voluntary support to public water systems.

The frequent use of the word ‘voluntary’ almost certainly refers to the voluntary use of the offered support by water systems and not the voluntary provision of support by EPA and CISA that the wording seems to imply. This is somewhat clarified by §1429A(c)(2), which states that nothing in this section “compels a public water system to accept technical support offered by the Administrator.”

There is no funding specifically authorized for §1429A activities. This is evidenced by the reference in

Commentary

Let me start with my now standard diatribe about definitions. The use of the IT centric definition of ‘incident’ in the new §1429A really bothers me. It defines the term by reference to 44 USC 3552 which reads:

(2) The term ‘‘incident’’ means an occurrence that—

(A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or

(B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.

The attack on the Oldsmar, Florida water treatment facility would NOT be an incident under this definition. An ‘information system’ as defined under §3552 was not involved. The ‘integrity, confidentiality or availability’ of information was not involved. Only by greatly stretching ‘acceptable use policies’ could this definition of ‘incident’ be made to apply to that attack.

Unfortunately, the definition in 6 USC 659 is essentially the same except that it removes the (B) provision found in §3552. That is why I proposed a revision to §659 last year that would have changed that definition. Unfortunately, this bill is not the place to try to effect a change in §659, so I would propose to change the definition in the new §1429A:

‘‘(3) INCIDENT.—The term ‘incident’ has the meaning given the term in section 3552 of title 44, United States Code means an occurrence that actually or imminently jeopardizes, without lawful authority:

“(A) the integrity, confidentiality, or availability of information on an information system,

“(B) the timely availability of accurate process information, the predictable control of the designed process or the confidentiality of process information, or

“(C) an information system or a water treatment control system;.”

With that out of the way, I would like to turn to the ‘Prioritization Framework’ outlined in the new §1429A. This requires that the EPA have some understanding of the cybersecurity risks faced by individual water treatment facilities. This is evidenced in the reference in §1429A(b)(1)(B)(i) to §1433. While the risk assessment currently required under §1433 does vaguely address cybersecurity concerns, facilities are not required to send a copy of that assessment to the EPA, instead, they are required to certify to the EPA that they have completed that assessment. For the EPA to rely on the §1433 data a revision to §1433 would be required. To accomplish this I would suggest that Section 113 of the bill would also require a (b):

(b) Section 1433(a)(4) of the Safe Drinking Water Act (42 USC § 300i–2) is amended to read:

(4) Contents of certifications

A certification required under paragraph (3) shall contain only—

(A) information that identifies the community water system submitting the certification;

(B) a listing of any cybersecurity vulnerabilities identified;

(C) the date of the certification; and

(D) a statement that the community water system has conducted, reviewed, or revised the assessment, as applicable.

I would actually think that a copy of the complete risk assessment in (B) would be very valuable, but I am only going to suggest this as that is all that this section of the bill would need.

Tuesday, April 27, 2021

NTAS Bulletin Extended Until May 15th, 2021

According to the National Terrorism Advisory System (NTAS) web site, the current NTAS Bulletin issued January 27th, was extended until May 15th, 2021. The web page explains:

“National Terrorism Advisory System Bulletin - January 27, 2021; Updated April 26, 2021  |  View PDF Version (pdf, 1 page, 291.25 KB)

“The Acting Secretary of Homeland Security issued a National Terrorism Advisory System (NTAS) Bulletin, subsequently extended by the Secretary of Homeland Security, due to a heightened threat environment across the United States, which DHS believes will persist in the weeks following the successful Presidential Inauguration.  Information suggests that some ideologically-motivated violent extremists with objections to the exercise of governmental authority and the presidential transition, as well as other perceived grievances fueled by false narratives, could continue to mobilize to incite or commit violence.

“The expiration date for this Bulletin is extended from April 30, 2021 to May 15, 2021.”

No additional information was provided. For additional details about the NTAS system, see my earlier blog post.

Committee Hearings – Week of 4-25-21

This week with the Senate in session and the House only conducting hearings there are a large number of hearings with COVID-19 and budget hearings being most prevalent. Only two budget hearings of note here and nothing on cybersecurity this week.

FY 2022 Budget Hearings

4-28-21 FY 2022 EPA Budget – Senate Environment and Public Works Committee

4-29-21 FY 2022 EPA Budget – House Subcommittee on Environment and Climate Change

On the Floor

The only floor activity in the House will be Wednesday’s joint address by President Biden and because of COVID restrictions only a relatively small number of House members will be present.

As I noted last week, the Senate is taking up S 914, the Drinking Water and Wastewater Infrastructure Act. With a short opening day yesterday, they are still working through confirmations, but they may get to a vote on cloture for the bill late today or tomorrow. There were no amendments offered yesterday, but again, it was a short day.

Monday, April 26, 2021

Reader Comment – Intrinsically Safe

Long-time reader and my goto person for MTSA issues, Laurie Thomas, left a comment on today’s blog post about the introduction of HR 1539. She reminds us to be careful in the language we are using when talking with local law enforcement personnel:

“Start with this issue and move further down the continuum of facilities whose response community only loosely understands the physical constraints of response to that facility. Facility: "In that part of the plant, everything needs to be intrinsically safe". Law Enforcement: "What does 'intrinsically safe' mean?"”

I remember a conversation I had a number of years back with a police lieutenant who was responsible for immediate response at a refinery in California. I asked him if the refinery personnel had talked to him about the ‘classified areas’ at the plant. His response was that his people did not have security clearances.

I took a deep breath and then asked him if they had told him what areas of the facility that he could expect to encounter a flammable atmosphere. And got a blank look in return. Then I explained to him how leaks, spills, pressure relief valves and just opening containers could result in flammable chemicals in the air that could be ignited by sparks, electric discharges or other flame sources. A look of understanding crossed his face while he explained that a family member working at the refinery had been killed in a fire when the company vehicle she was driving entered just such an area and acted as an ignition source.

Then I asked him if he understood that the muzzle flash from his weapons could ignite a flammable atmosphere. He left mumbling something about talking to his superiors about not responding to an active shooter incident at the refinery…..

CFATS and Pulse Connect

It has been nearly a week since the DHS Cybersecurity and Infrastructure Security Agency (CISA) issued their Emergency Directive 21-03, “Mitigate Pulse Connect Secure Product Vulnerabilities”. As with all such emergency directives, CISA’s authority to require compliance extends only to agencies of the Federal government. To date, there has been no public move by CISA to expand their Alert AA21-110A: Exploitation of Pulse Connect Secure Vulnerabilities by specifically reaching out to CFATS facilities in the same way that they did with the Microsoft® Exchange server vulnerabilities.

Earlier Incident

The importance of the letter that CISA sent to CFATS registrants and covered facilities in the last incident was found in its suggestion that:

“If any evidence of threat actor activity is found, CISA recommends you reach out to CISA [emphasis added] and submit an incident report via CISA’s Incident Reporting Form. When completing the form, indicate you are “critical infrastructure” and within the chemical sector. In the “Incident Description” section of the reporting form indicate you are regulated under CFATS and include your facility identification number.”

Those responses would have allowed CISA to reach out directly to affected facilities and organizations as they updated their earlier emergency directive on March 11th and April 13th as new indicators of continuing compromise and additional mitigation measures became available.

Reach Out Again

Since CISA has repeatedly recommended that industrial control system owners and operators use VPNs like Pulse Connect when they find it necessary to remotely access their control systems, it seems to me that they have a special obligation to reach out to that community, especially that portion of the community affected by the CFATS program when a VPN is affected by vulnerabilities as egregious as these.

They may have already reached out to CFATS covered facilities and those other facilities that have submitted Top Screens as they did in the Microsoft incident. It took them five days that time to announce that they had reached out to those facilities. If they have, great. If they have not, then it is past time that they or the Office of Chemical Security should have made the notification.

Action Without Notification

Of course, non-federal facilities do not have to wait until they are specifically invited to review the CISA Alert and Emergency Directive. Once those were published, any facility, and particularly regulated facilities under either CFATS or MTSA security rules, were free to take the actions outlined in the Emergency Directive. If indicators of compromise are detected as a result, immediate regulatory notification should be made to OCS or the Coast Guard as appropriate. Just as important, however, would be to make notifications to CISA so as to ensure that as new information and mitigation measures become available, they would be sent to the affected organizations.

Expanding Outreach

When agencies of the federal government receive emergency directives like this, they should immediately consider sharing the information with entities in the private sector that they regulate if there is any reasonable chance that those entities could also be affected. This is especially true when the agency includes cybersecurity in their regulatory oversight of the entities. Perhaps, CISA ought to consider making that information sharing a requirement in their emergency directives just to make sure that there is as much information sharing as possible.

S 965 Introduced - Cyber Shield Act of 2021

Last month Sen Markey (D,MA) introduced S 965, the Cyber Shield Act of 2021. The bill would require the Department of Commerce to establish the Cyber Shield Program, a program for the voluntary certification and labeling of products that meet industry-leading cybersecurity and data security benchmarks to enhance cybersecurity and protect data. The bill is essentially identical to S 2664 that Markey introduced last session. No action was taken on that bill or its companion bill HR 4792.

The products referenced in the bill only apply to ‘consumer facing objects’ that {§2(3)}:

• Connect to the internet or other network; and

• Collect, send, or receive data; or

• Control the actions of a physical object or system

Moving Forward

Markey is a member of the Senate Commerce, Science and Transportation Committee to which this bill was assigned for consideration. This means that he should have enough influence to see the bill considered in Committee, but he also had that influence last session. I have to wonder if he is really interested in seeing this bill move forward.

There is likely to be some Republican opposition to this bill. Since the Cyber Shield Program would be voluntary, I suspect that there could be some bipartisan support, so this bill could be reported out favorably by the Committee.

This bill is not important enough to make it to the floor of the Senate under normal order with its time consuming debate and amendment process. The expected Republican opposition should be sufficient to ensure that it could not be considered under the unanimous consent process. There remains a possibility that Markey could offer the language as an amendment to a spending or authorization bill.

Commentary

The word ‘or’ between §2(3)(B)(i) and (ii) in the definition of ‘covered product’ could mean that the definition could be stretched to include industrial control systems as they ‘control the actions of a physical object or system’, but I think that was included to address automated transportation systems. Since DHS and specifically CISA were left out of the representation list for the Advisory Committee, there is no one to advocate for that stretching of the definition.

Of course, this bill is really intended to only apply to consumer products not industrial products, thus the ‘consumer-facing physical object’ phrase in the definition of a ‘covered product’. Perhaps we need a separate ‘Industrial Shield Program’.

Sunday, April 25, 2021

HR 1539 Introduced – PROTECT Act

Last month Rep Aguilar (D,CA) introduced HR 1539, the Providing Rational Options Toward the Elimination of Catastrophic Terrorism (PROTECT) Act of 2021. The bill would require DHS to develop “guidance relating to domestic preparedness for and collective response to terrorism in order to assist in the development of emergency action and response plans for active shooter and mass casualty incidents in public and private locations, including facilities that have been identified by the Department as potentially vulnerable targets” {new §890B(a)}.

Guidance

Section 2 of the bill would amend the Homeland Security Act of 2002 by adding a new §890B. The guidance for ‘emergency action and response plans for active shooter and mass casualty incidents’ could include {new §809B(b)}:

• A strategy for properly responding to an active shooter or mass casualty incident in a public or private location, including training, evacuating, and providing care to persons in such location, with consideration given to the needs of persons with disabilities.

• A plan for establishing a unified command, including identification of casualty collection points and staging areas for law enforcement, fire response, and medical personnel.

• A schedule for regular testing of equipment used to receive communications during such an incident.

• A practiced method and plan to communicate with occupants of such location during such an incident.

• A practiced method and plan to communicate with the surrounding community regarding such an incident and the needs of Federal, State, and local officials.

• A plan for coordinating with volunteer organizations to expedite assistance for victims.

• A schedule for joint exercises and training.

• A plan for outreach to facilities that have been identified by the Department as potentially vulnerable targets.

• Other planning documents, as determined by the Secretary, including appropriate regionally focused products, plans, training, and outreach.”.

Moving Forward

Aguilar is not a member of the House Homeland Security Committee to which this bill was referred for consideration. However, four of his 21 Democratic cosponsors {Rep Clarke (D,NY), Rep Rice (D,NY), Rep Luria (D,VA), and Rep Correa (D,CA)} are members of the Committee. This means that there should be enough influence available to have the Committee consider this bill.

I do not see anything in the bill that would engender any serious opposition to the bill, especially since the guidance ‘requirements’ I have listed above are permissive, not mandated. But the fact that there are no Republican cosponsors, even in this highly partisan 117th Congress, would seem to indicate that there could be some Republican concerns that I do not see. Still, I suspect that the bill would pass out of Committee with significant bipartisan support and could be expected to move to the floor of the House via the suspension of the rules process.

This bill would not be considered under the normal order of business in the Senate; it is simply not important enough to take up the time required for the debate and amendment process in the Senate. If there is any significant Republican opposition in the House, the bill would almost certainly not be considered in the Senate under the unanimous consent process. The only other way this bill could make it to the President’s desk would be as an amendment to an authorization or spending bill.

Commentary

This bill does not really fall into any of the categories of bills that I normally follow here in this blog, but it is here because active shooter planning is a pet peeve of mine. I am certainly in favor of active shooter planning, but I am extremely concerned that no one seems to want to take into account the unique problems the response to an active shooter incident would entail at a facility with significant storage of hazardous chemicals. Bullets from most handguns and almost all long arms would penetrate the vast majority of chemical storage tanks and almost all portable containers, resulting in leaks of potentially toxic or flammable chemicals into the incident site. And it does not matter whether those bullets come from perpetrator firearms or police firearms; the release will occur and further aggravate the situation. This is one of the reasons that the chemical industry has historically been so resistant to the use of armed guards at their facilities.

Any response guidance that does not take into account this potentially catastrophic problem does a serious disservice to law enforcement and private security guards, as well as the general public. With that in mind, I would like to see the following sub-paragraph inserted in §809B(b):

“(8) A plan for facilities that store hazardous chemicals on site that would include prior notification to potential armed responders to an active shooter incident about the hazards associated with the potential release of those chemicals resulting from penetration of bullets into the storage tanks and portable containers on site.”

Saturday, April 24, 2021

Public ICS Disclosures – Week of 4-17-21

This week we have two vendor NAME:WRECK disclosures from Carestream and Draeger. We also have nine other vendor disclosures from Aruba Networks (2), Bosch, Advantech, Meinberg, QNAP, VMWare, and Yokogawa (2).

NAME:WRECK Advisories

Carestream published an advisory discussing the NAME:WRECK vulnerabilities. It also addresses the Urgent/11, Ripple20, Amnesia:33, and Number:Jack vulnerabilities. Carestream provides generic mitigation measures.

Draeger published an advisory discussing the NAME:WRECK vulnerabilities. Draeger reports that none of its medical devices use the affected stacks.

Aruba Advisories

Aruba published an advisory describing eleven vulnerabilities in their AirWave Management Platform. The vulnerabilities were reported by rceman and harishkumar0394 via BugCrowd, Daniel Jensen, Erik de Jong, and Vidya Bhaskar Tripathi. Aruba has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The eleven reported vulnerabilities are:

• Authentication bypass - CVE-2021-25147,

• Deserialization (2) - CVE-2021-25151 and CVE-2021-25152,

• SQL injection - CVE-2021-25153,

• Privilege escalation - CVE-2021-25154,

• Authenticated XML external entity (3) - CVE-2021-25163, CVE-2021-25164, and CVE-2021-25165,

• Authenticated remote command injection (2) - CVE-2021-25166 and CVE-2021-25167, and

• Authenticated open redirect - CVE-2021-29137

Aruba published an advisory describing ten vulnerabilities in their ClearPass Policy Manager. The vulnerabilities were reported by Luke Young, hateshape and S4thi5h via BugCrowd, Daniel Jensen, and Xavier Danest. Aruba has patches that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The ten reported vulnerabilities are:

• Unauthenticated server-side request forgery - CVE-2021-29145,

• Authenticated stored cross-site scripting (3) - CVE-2021-29139, CVE-2021-29142, and CVE-2021-29146,

• Unauthenticated XML external entities - CVE-2021-29140,

• Privilege escalation - CVE-2020-7123,

• Authenticated information disclosure - CVE-2021-29138,

• Authenticated command injection - CVE-2021-29147, and

• Authenticated retrieval of sensitive information (2) - CVE-2021-29141 and CVE-2021-29144

Bosch Advisory

Bosch published an advisory describing 14 vulnerabilities in their Rexroth IoT Gateway and ctrlX CORE products. These are third-party (operating system libraries and the Linux kernel) vulnerabilities. Bosch has updates for one of the affected products, others are pending.

The 14 reported vulnerabilities are:

• Out-of-bounds read - CVE-2020-27815,

• Null pointer dereference - CVE-2020-27830,

• Path traversal - CVE-2020-28374,

• Release of invalid pointer or reference - CVE-2020-28941,

• Improper restriction of operations within the bounds of a memory buffer - CVE-2020-29568,

• Unchecked return value - CVE-2020-29569,

• Use after free (3) - CVE-2020-29660, CVE-2020-29661, and CVE-2021-20232,

• Incorrect default permissions (2) - CVE-2021-24031 and CVE-2021-24032,

• Incorrect conversion between numeric types (2) - CVE-2021-27218 and CVE-2021-27219 (exploit), and

• Insufficient information - CVE-2021-27803

Advantech Advisory

Incibe-CERT published an advisory describing two file parsing vulnerabilities in the Advantech WebAccess/HMI Designer product. The vulnerabilities were reported (here and here) by kimiya via the Zero Day Initiative. Advantech is working on mitigation measures.

NOTE: This is likely to be reported by NCCIC-ICS this coming week.

Meinberg Advisory

Meinberg published an advisory describing seven vulnerabilities in their LANTIME products. Meinberg has updated firmware versions to mitigate the vulnerabilities.

The seven reported vulnerabilities are:

• CA certificate check bypass - CVE-2021-3450 (OpenSSL),

• Null pointer dereference - CVE-2021-23840, CVE-2021-23841 (both OpenSSL),

• API overflow of output length - CVE-2021-23840 (OpenSSL),

• Heap-based buffer overflow - CVE-2021-3156 (exploits) (SUDO),

• Cross-site scripting – no CVE, and

• Command line injection – no CVE

QNAP Advisory

QNAP published an advisory describing an improper authorization vulnerability in their NAS running HBS 3 Hybrid Backup Sync. The vulnerability was reported by ZUSO ART. QNAP has a new version that mitigates the vulnerability.

VMWare Advisory

VMWare published an advisory describing a privilege escalation vulnerability in their NSX-T products. The vulnerability is self-reported. VMWare has patches available to mitigate the vulnerability.

Yokogawa Advisories

Yokogawa published an advisory discussing the Meltdown/SPECTRE vulnerabilities in their CENTUM VP Controller FCS products. Yokogawa has new versions that mitigate the vulnerabilities in some of their affected products.

Yokogawa published an advisory discussing the Microsoft® VB6 runtime vulnerabilities. Yokogawa has new versions that mitigate the vulnerabilities.

Friday, April 23, 2021

Pharma and CFATS

I had another interesting social media conversation with a new reader. This one was pointed to me by a long-time reader because of cybersecurity regulatory questions for chemical facilities. They brought up some interesting CFATS questions about foreign owned pharmaceutical facilities.

Pharma as Chemical Facility

For manufacturing facilities, the only program that I know of that regulates cybersecurity is the Chemical Facility Anti-Terrorism Standards (CFATS) program. That program is unique for now in that respect. And yes, pharmaceutical manufacturing facilities and some labs could come under the CFATS program. It would depend on the chemical inventory at the site.

CFATS Process Overview

If the facility had one or more of the 300+ DHS chemicals of interest (COI) on site within the last 60 days in an amount in excess of the screening threshold quantity for that chemical, the facility would have to submit an on-line Top Screen survey about the facility and chemicals used there. The DHS Office of Chemical Security (OCS) would then conduct a risk assessment to determine if the facility was at high risk for terrorist attack. If it did, the facility would fall under the CFATS program and would end up having to submit a Site Security Plan (SSP) to OCS for approval. That SSP would have to address each of the Risk Based Performance Standards outlined in the CFATS regulations. Cybersecurity is one of those standards. OCS would conduct periodic compliance inspections once that SSP was approved.

Overseas Facilities

An interesting question came up in the conversation: would overseas facilities be affected by the CFATS program? Generally speaking, CFATS is only concerned with facilities in the United States and its territories. There is potentially one exception to that, and it needs some background.

Typically, the CFATS program just covers a facility that has chemicals of interest on site. Sometimes, however, off-site facilities have an impact on the covered facility’s site security plans. Records about employee background checks could be held at corporate headquarters. Security system monitoring could be conducted at a third-party facility. Or, a covered computer system could reside off-site.

A covered computer system for the purposes of the CFATS program is one that has a direct impact on the protection of the COI on site. This could include process control systems and security control systems. For COI that present a theft-diversion security issue (explosives, chemical weapons, or their precursors) the order control system for the facility would also be considered a covered computer system, since it could be used to divert a shipment of the COI. The protection of those computer systems would be covered under the CFATS program, and chemical security inspectors would be expected to ensure that the security measures outlined in the SSP were properly implemented.

Now, I do not expect that a CSI would travel outside the United States to inspect a covered computer system. First, that could get a tad bit expensive. Second, the authority of those inspectors would stop once our border was crossed. I do, however, think that OCS would insist on having some sort of way of ensuring SSP compliance. I am sure that that would be taken care of in the SSP approval process.

S 914 Being Considered in Senate

Yesterday the Senate began consideration of the motion to proceed to consideration of S 914, to amend the Safe Drinking Water Act and the Federal Water Pollution Control Act to reauthorize programs under those Acts. They will be considering the version reported by the Senate Environment and Public Works Committee last week.

A cloture motion has been filed. The vote on that motion to close debate on the motion to proceed to consideration of the bill will take place sometime early next week. According to yesterday’s Congressional Record that cloture vote will come after the Kahl nomination vote, which comes after the McCabe nomination vote, which comes after the Jason Scott Miller nomination vote, which should happen after 5:30 p.m. on Monday, April 26, 2021.

A reminder, there are cybersecurity provisions in the bill.

There have been no amendments proposed for S 914 yet. That process should start to flow on Monday. 

Use and Misuse of CPE’s

Yesterday’s blog post dealt with problems with the current Common Platform Enumeration (CPE) system in keeping track of vulnerabilities that affect multiple systems. In writing that post I kind of glossed over how the CPE is used and how it could be used and misused in the cybersecurity environment.

Current CPE Use

Yesterday’s post was in response to a Twitversation initiated by Ron Brash (got it right today Ron). He was complaining that when a derivative vulnerability was reported using the CVE number from the original vulnerability, the CPEs for the newly identified vulnerable devices were not being attached to the original CVE. This is a problem for folks like Ron because it prevents them from using the CPE for its intended purpose. Let me explain.

If you own just a single control system device, it may be difficult to keep up with the vulnerabilities that affect that device. Some manufacturers do a good job of posting advisories to their web sites, and folks like NCCIC-ICS and other CERTs do a good job of reporting on vulnerabilities coordinated through them or reported to them by vendors. But if the vendor for your product does not publish advisories (an awful lot do not), and if a vulnerability is not reported through a CERT that you follow, it will be easy to miss vulnerability notices. The CPE system, in that case, would help you keep track of your device vulnerabilities.

If you own hundreds of devices (not unusual in a manufacturing environment) with lots of different version numbers (again not unusual as equipment is added or replaced) that system of watching vendor web sites or CERT notifications gets a tad bit tiresome. This is where the CPE system really shines (when it is working right, see Ron’s complaint). All you have to do is to have a list of all of your devices and their respective CPE’s and you can write a script (okay I can’t actually write those scripts, but there are plenty of folks who can and that would be a valuable skill set to have in your security team) to periodically search the National Vulnerability Database (NVD) for vulnerabilities that reflect your specific devices.

Now that will not get all of the identified vulnerabilities as some countries do not fully report through the CVE system. But it will get the vast majority of vulnerabilities and should keep you up to date on the available mitigation measures that affect your devices. Then ALL you have to do is figure out how to implement those security measures.

Researcher CPE Use

Now if I were a cybersecurity researcher looking for vulnerabilities, one of the tools that I would use would be the CPE/CVE system. With a list of the devices that I had available to play with, I would write up the same script that I described above to track vulnerabilities in those devices.

I would then look at the CVEs for those identified vulnerabilities for other devices that had the same vulnerabilities. The CPE’s for those devices would then be added to a new script used to look for target vulnerabilities in those other devices that might also apply to the devices in my lab. There is not going to be a 100% overlap, but by careful reading of vulnerability descriptions you should be able to develop a significant list of potential vulnerabilities to search for.

For example, let’s look at the advisory that started this whole chain of blog posts, the NCCIC-ICS advisory for the Rockwell Automation Stratix Switches. If I had one of those switches in my (nonexistent) lab I would go back to CVE-2021-1392 in the NVD and note that that vulnerability was related to the “CLI command permissions of Cisco IOS and Cisco IOS XE”. Using that information, I would look at the CPE list at the bottom of the NVD CVE listing and then search those CPE’s (probably only a handful of the 214 available CPE’s) to see if there were any other ‘CLI command’ related vulnerabilities. I would place those vulnerabilities on my priority research list for the switch I had in my lab.

Adversary CPE Use

If you think that security tools are only used by the good guys (and yes, cybersecurity researchers are definitely the good guys) you should not be working in the cybersecurity field. The same techniques that I outline above can be used by the bad guys. Actually, just remember that adversarial researchers are considered to be the good guys by their side.

Bills Introduced – 4-22-21

Yesterday, with both the House and the Senate preparing to depart Washington for the weekend, there were 168 bills introduced. Three of those bills may receive additional coverage in this blog:

S 1316 A bill to amend the Homeland Security Act of 2002 to authorize the Secretary of Homeland Security to make a declaration of a significant incident, and for other purposes. Sen. Peters, Gary C. [D-MI] 

S 1324 A bill to establish a Civilian Cyber Security Reserve as a pilot project to address the cyber security needs for the United States with respect to national security, and for other purposes. Sen. Rosen, Jacky [D-NV]

S 1359 A bill to establish the Foundation for Energy Security and Innovation, and for other purposes. Sen. Coons, Christopher A. [D-DE] 

I will be watching S 1316 for language and definitions that specifically include cybersecurity incidents in potential ‘significant incident’ declaration authority.

I will be watching S 1324 for language and definitions that would specifically include industrial control systems in the ‘cybersecurity needs’ of the United States.

I suspect that S 1359 is a green-energy bill with ‘energy security’ equating to energy supply needs. I will be watching for anything that addresses cybersecurity issues.

Thursday, April 22, 2021

2 Advisories Published – 4-22-21

Today CISA’s NCCIC-ICS published two control system security advisories for products from Mitsubishi Electric and Horner Automation.

Mitsubishi Advisory

This advisory describes an improper authentication vulnerability in the Mitsubishi GOT products. The vulnerability is self-reported. Mitsubishi provides generic mitigation measures pending development of an updated version.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to allow an attacker to gain unauthorized access.

Horner Advisory

This advisory describes two vulnerabilities in the Horner Automation Cscape control system application programming software. The vulnerabilities were reported by Sharon Brizinov of Claroty. Horner has a new version that mitigates the vulnerabilities. There is no indication that Brizinov has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Improper input validation - CVE-2021-22678, and

• Improper access control - CVE-2021-22682

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerabilities to allow code execution in the context of the current process or to locally escalate privileges.

Source of CPE Numbers

There was an interesting Twitversation yesterday about CPE numbers. It started with Ron Brash complaining about the Rockwell advisory that I talked about Tuesday. I contributed a less than helpful comment because I ‘read’ his comment as being about CVE numbers not CPE’s. That misunderstanding caused me to do some research into Ron’s complaint.

What’s a CPE?

First, let’s look at the better known ‘CVE’, Common Vulnerabilities and Exposures. The CVE is actually a list of vulnerabilities maintained by MITRE. In common use ‘a CVE’ is the unique, numbered record for a specific vulnerability. The National Institute of Standards and Technology (NIST) maintains a database of the CVE list called the National Vulnerability Database (NVD).

To make it easy for organizations to determine what CVE’s apply to a particular piece of software, NIST developed the Common Platform Enumeration (CPE) Dictionary. This allows for the creation of a unique standard identifier (CPE number) for any specific version of any piece of listed software. This allows for searching of the NVD for vulnerabilities related to that specific version without having to worry about how to type in the name and version number of the software of concern with all of the I’s dotted and T’s crossed, a common problem in database searches.

NIST maintains a CPE dictionary to aid users in finding the proper CPE number for their searches.

CPE and CVE Relationship

To see how the CVEs and CPEs work in practice, let’s look at one of the vulnerabilities Ron was complaining about. The NCCIC-ICS advisory for the Rockwell Automation Stratix Switches lists eight vulnerabilities in five separate Stratix products affecting a number of different versions of each product. The first of the eight is an insufficiently protected credentials vulnerability, CVE-2021-1392. Let’s look at the NVD record for that vulnerability.

Today we see that the vulnerability is in certain products from CISCO with no mention of Rockwell Automation. In the coming days we should (hopefully) see the addition of a reference to the Rockwell advisory from NCCIC-ICS under the ‘References to Advisories, Solutions, and Tools’ heading on the page.

Down towards the bottom of the page we see the ‘Known Affected Software Configurations’ section, a listing of CPEs for individual versions of affected software. For this particular CVE there are 214 CPEs listed. And as Ron noted in his initial TWEET yesterday, not a single Rockwell product is listed.

The Problem

The CVE Numbering Authority (CNA) reporting the vulnerability to MITRE/NVD is responsible for submitting all of the requisite information for the CVE. Presumably, this includes the affected CPEs. In this case the CNA for CVE-2021-1392 is CISCO. While CISCO notified Rockwell of the vulnerability, they have no idea which versions of which Rockwell products would be affected by that particular CVE, so they cannot provide the CPEs of those affected Rockwell products. CISA’s NCCIC-ICS, the agency issuing the new advisory, should be providing the Rockwell-unique information, including CPEs.

Ooops. The MITRE CNA rules for CVE Entry Requirements do not say anything about CPE’s. Of course, this is because CPE’s are an NVD artifact, not technically part of the CVE process. So, somebody should be communicating with NIST/NVD and it still could not and should not be CISCO in this case. The reporting body should still be CISA’s NCCIC-ICS that published the Rockwell advisory.

I cannot tell from the outside if this is a failure of NCCIC-ICS to report information to NIST/NVD (if there even is a requirement/mechanism for such a report), or if this is a data processing backlog at NIST/NVD. Remember COVID-19 has messed up a lot of admin stuff and it will take a while to recover.

Easy Solution – New CVEs

The easy way to fix this going forward is that instead of re-using the CVE’s for the CISCO vulnerabilities, NCCIC-ICS should have just issued new CVE’s for the Rockwell vulnerabilities. The system for assigning CPE’s for new vulnerabilities appears to be working fine; simple. After all, CISCO fixing their vulnerability does not directly fix the Rockwell problem, Rockwell is going to have to make some sort of change to implement the CISCO fix.

There is a minor drawback to that solution. To understand it we need to look at my blog post from March 18th, 2020 where I discussed another set of third-party vulnerabilities in the eSOMS product from Hitachi ABB Power Grids. Again, the NCCIC-ICS advisory used the original CVE numbers for the seven vulnerabilities in the Hitachi ABB product. Using those CVE’s, I was able to determine that there were publicly available exploits for three of the vulnerabilities, raising their potential risk. Without the link to the original CVE, I would have had a much harder time tracking down those exploits.

As Ron pointed out in a subsequent TWEET®, software bills of material will provide a longer term solution to the problem. A software vendor could provide CPE’s for each of the components that are included in their software and an owner/operator could search for both the component and end product CPE’s to remain aware of potential vulnerabilities in their software. But, again, this relies on CNA’s, MITRE and NIST/NVD all ensuring that the appropriate CPE’s get into the databases.
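To make the mechanics concrete, here is an added example (my own illustration, not code from the blog, from NIST/NVD, or from any vendor) of the inventory-matching script described under ‘Use and Misuse of CPE’s’ above, run against the situation described in this post: a CVE record whose ‘Known Affected Software Configurations’ list only the original vendor’s CPEs, and the two fixes discussed here, a separately issued CVE carrying the derivative product’s own CPEs and an SBOM that declares the embedded component’s CPE. The CVE records and the plant inventory are constructed stand-ins: the first record reuses the CVE-2021-1392 id from the post but its two-entry CPE list is a hypothetical substitute for the 214 real entries, the second record’s id is an obvious placeholder, and the Stratix and HMI assets, their version strings and the ‘examplevendor’ name are all invented.

```python
"""Matching an asset inventory against CVE records by CPE 2.3 name.

Added example, not code from the blog post or from NIST/NVD. The CVE
records below are constructed stand-ins shaped like NVD's 'Known Affected
Software Configurations' data; the inventory assets and their CPE strings
are hypothetical.
"""

CPE23_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other"]


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into its eleven named attributes.

    Layout: cpe:2.3:part:vendor:product:version:update:edition:language:
            sw_edition:target_sw:target_hw:other
    '*' means ANY and '-' means NOT APPLICABLE. Simplification: escaped
    colons ('\\:') inside attribute values are not handled here.
    """
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    return dict(zip(CPE23_FIELDS, parts[2:]))


def cpe_matches(pattern, target):
    """True when 'pattern' (a CPE from a CVE record) covers 'target' (a CPE
    from the inventory). A '*' in the pattern matches any value; every other
    attribute must be equal. Simplification: NVD's versionStartIncluding /
    versionEndExcluding range bounds are ignored, so versions must match
    exactly."""
    p, t = parse_cpe23(pattern), parse_cpe23(target)
    return all(p[k] == "*" or p[k] == t[k] for k in CPE23_FIELDS)


# Constructed CVE records. The first reuses the CVE id discussed in the post,
# but its two-entry CPE list is a stand-in for the 214 Cisco CPEs the NVD
# page carries; the second uses a placeholder id (not a real CVE) to show
# what a separately issued Rockwell CVE with its own CPEs would look like.
CVE_RECORDS = [
    {"id": "CVE-2021-1392",
     "summary": "CLI command permissions, Cisco IOS and IOS XE (constructed)",
     "affected": ["cpe:2.3:o:cisco:ios:15.2.7:*:*:*:*:*:*:*",
                  "cpe:2.3:o:cisco:ios_xe:16.12.4:*:*:*:*:*:*:*"]},
    {"id": "CVE-0000-0000",  # placeholder id, not a real CVE
     "summary": "same issue reissued against the Stratix firmware (constructed)",
     "affected": ["cpe:2.3:o:rockwellautomation:stratix_5700_firmware:15.2.7:*:*:*:*:*:*:*"]},
]

# Hypothetical plant inventory. Each asset lists its own product CPE and,
# where the vendor has supplied a software bill of materials, the CPEs of
# embedded third-party components (here: the Cisco IOS image in the switch).
INVENTORY = [
    {"asset": "switch-plant-01",
     "cpes": ["cpe:2.3:o:rockwellautomation:stratix_5700_firmware:15.2.7:*:*:*:*:*:*:*"],
     "components": ["cpe:2.3:o:cisco:ios:15.2.7:*:*:*:*:*:*:*"]},
    {"asset": "hmi-lab-02",
     "cpes": ["cpe:2.3:a:examplevendor:hmi_designer:2.1:*:*:*:*:*:*:*"],
     "components": []},
]


def find_applicable_cves(inventory, records, use_components=False):
    """Return {asset name: [CVE ids]} for every asset that at least one CPE
    in a record covers. With use_components=True the SBOM component CPEs are
    searched in addition to the product's own CPE."""
    hits = {}
    for asset in inventory:
        targets = list(asset["cpes"])
        if use_components:
            targets += asset["components"]
        for rec in records:
            if any(cpe_matches(p, t) for p in rec["affected"] for t in targets):
                hits.setdefault(asset["asset"], []).append(rec["id"])
    return hits


if __name__ == "__main__":
    # Product CPE only: the Cisco-keyed record never surfaces for the switch,
    # which is exactly the gap Ron's complaint describes.
    print(find_applicable_cves(INVENTORY, CVE_RECORDS))
    # With component CPEs from an SBOM, the reused Cisco CVE is found as well.
    print(find_applicable_cves(INVENTORY, CVE_RECORDS, use_components=True))
```

Run with the product CPEs alone, the switch only matches the placeholder record (the ‘new CVE’ route); only when the SBOM component CPE is searched as well does the reused Cisco CVE surface. A production version of this would pull the records from the NVD API instead of an inline list and would have to honour NVD’s version-range bounds, which this example deliberately leaves out.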

WARNING: My twisted mind has come up with other potential problems with CPE’s. More on that later.

NOTE: Corrected Ron's name (sigh) 4-22-21 2032 EDT

Wednesday, April 21, 2021

Reader Comment – IOD from the Inside

An interesting comment over on LinkedIn about yesterday’s blog post on CISA’s Integrated Operations Division. The commenter is Wade W. Gough, a senior chemical security inspector with the Chemical Facility Anti-Terrorism Standards (CFATS) program. His insider-based feedback is always welcome. He notes:

“Great discussion on our inner workings. Having worked in more complex environments under more competing command authorities, this hasn’t been an issue to me as IOD understands very well the regulatory nature of CFATS. With that & in my experience, working in a Regional office with IOD has plusses & some negatives but nothing I would describe as a conflict or real concern & certainly nothing that conflicts w/ the CFATS program & its ability to do its job.”

I would not read too much into his ‘plusses and some negatives’ comment. There is no such thing as a perfect organization, and it is well known that DHS as a whole has had more than its share of negative feedback from its employees over the years. It is, however, heartening to hear that he has not seen anything that “conflicts w/ the CFATS program & its ability to do its job.” He obviously cannot publicly complain too much about agency operations while being publicly identified as a CSI, but there is no reason to question his unsolicited positive comments.

I do stand by my suggestion, however, that this is an organizational situation that is ripe with potential for conflicts. While good people with honorable intentions will certainly be able to make the system work, a single person with a conflicting agenda or a need for personal power could cause all sorts of problems in this type of situation. Again, someone outside of the two agencies needs to keep a periodic eye on the situation to ensure nothing untoward happens. The CFATS program had enough management problems in its early years, it does not need any new organizational blemishes.

Bills Introduced – 4-20-21

Yesterday, with both the House and Senate in session, there were 100 bills introduced. Two of those bills may receive additional coverage in this blog:

HR 2685 To direct the Assistant Secretary of Commerce for Communications and Information to submit to Congress a report examining the cybersecurity of mobile service networks, and for other purposes. Rep. Eshoo, Anna G. [D-CA-18] 

HR 2697 To establish a task force on developing a 21st century surface transportation workforce, and for other purposes. Rep. Langevin, James R. [D-RI-2]

I will be watching HR 2685 for language and definitions that would require the report to address 5G communications used to support IoT and IIoT devices.

I will be watching HR 2697 for language and definitions that would specifically address transportation security and/or cybersecurity training requirements.

Tuesday, April 20, 2021

House Passes HR 397 - CBRN Intelligence and Information Sharing Act of 2021

Today the House finished their consideration of HR 397, the CBRN Intelligence and Information Sharing Act of 2021, in an unusual ‘bulk’ vote on 15 bills that were debated yesterday under the House suspension of the rules process. The bulk vote required a 2/3 super majority for passage and passed with a significantly bipartisan 355 to 69 vote. That is the same 2/3 majority that would have been required on a typical suspension of the rules vote on HR 397.

Elements of the Republican party demanded votes on each of the bills when they were considered yesterday. This has been a common occurrence in the 117th Congress as more radical elements of the minority party have made a concerted effort to slow the operation of the House to keep the Democrats from completing their agenda.

The one vote for 15 bills process was outlined as a one-time effort by the House Rules Committee in their rule (H Res 330) for the consideration of three other bills being considered under normal order. That resolution passed by a straight party-line vote as do most rule resolutions when the bills to be considered under the rule are partisan bills.

While the Democrats have demonstrated a readily repeatable technique to counter the radical Republican delay tactics, the protestors countered with another unusual parliamentary delaying tactic. When the pro forma motion to ‘reconsider’ the vote was offered, the standard reply to table the motion was made. Normally that motion to table is agreed to in a voice vote, but in this case Rep Biggs (R,AZ) demanded a recorded vote. That recorded vote was postponed until tomorrow. Technically, that vote could lead to invalidating today’s vote on the 15 bills, but that is highly unlikely. But it will take up time on the floor of the House tomorrow, and that was the point of the exercise.

HR 397 will be sent to the Senate. It could be considered there under the Senate’s unanimous consent process with no debate and no amendments. One Senator could stop that proceeding by objecting to the consideration of the bill, and that objection would not have to have anything to do with the provisions in the bill. The bill would not make it to the floor of the Senate under regular order; it is not important enough to take up the Senate’s time with debate and an amendment process.

7 Advisories and 3 Updates Published – 4-20-21

Today CISA’s NCCIC-ICS published seven control system security advisories for products from Siemens, Eaton, Delta Electronics (2), Delta Industrial, Rockwell Automation, and Hitachi ABB Power Grids. They also published three control system security updates for products from Siemens, Mitsubishi and Hitachi ABB.

Siemens Advisory

This advisory describes an improper privilege management vulnerability in the Mendix products sold by Siemens. This is a third-party (Mendix) vulnerability. Siemens has new versions for some of their affected products.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow a non-administrative user to gain administrative privileges.

NOTE: I reported on this out-of-zone advisory by Siemens last Thursday.

Eaton Advisory

This advisory describes six vulnerabilities in the Eaton Intelligent Power Manager (IPM). The vulnerabilities were reported by Amir Preminger from Claroty. Eaton has a new version that mitigates the vulnerabilities. There is no indication that Preminger has been provided an opportunity to verify the efficacy of the fix.

The six vulnerabilities reported are:

• SQL injection - CVE-2021-23276,

• Eval injection - CVE-2021-23277,

• Improper input validation (2) - CVE-2021-23278 and CVE-2021-23279,

• Unrestricted upload of file with dangerous type - CVE-2021-23280, and

• Code injection - CVE-2021-23281

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow attackers to change certain settings, upload code, delete files, or execute commands.
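The advisory only names the weakness classes, so as an added illustration (my own code, not Eaton’s, and not a description of how the IPM flaws actually work) here is what three of them look like in Python beside their hardened forms. The function names, the `devices` table and the sample inputs are all constructed for the example:

```python
# Added illustration of three weakness classes named in the Eaton IPM advisory
# (SQL injection, eval injection, unrestricted upload of a file with a
# dangerous type). Functions, table and inputs are hypothetical; this is
# not Eaton's code and says nothing about how the IPM flaws actually work.
import ast
import pathlib
import sqlite3
import tempfile


def make_db():
    """Constructed in-memory table standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (name TEXT, ip TEXT)")
    conn.executemany("INSERT INTO devices VALUES (?, ?)",
                     [("ups-1", "10.0.0.5"), ("pdu-2", "10.0.0.6")])
    return conn


# --- SQL injection (CWE-89) ---------------------------------------------
def lookup_vulnerable(conn, name):
    # The caller's string becomes part of the statement text, so it can
    # change the WHERE clause instead of merely supplying a value.
    return conn.execute(
        f"SELECT ip FROM devices WHERE name = '{name}'").fetchall()


def lookup_hardened(conn, name):
    # Parameter binding sends the value separately from the statement;
    # quotes or keywords in it are just characters of the compared string.
    return conn.execute(
        "SELECT ip FROM devices WHERE name = ?", (name,)).fetchall()


# --- Eval injection (CWE-95) --------------------------------------------
def parse_setting_vulnerable(text):
    # eval() runs arbitrary Python with the service's privileges.
    return eval(text)


def parse_setting_hardened(text):
    # literal_eval accepts only literals (numbers, strings, lists, dicts...)
    # and refuses calls, attribute access and names.
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        raise ValueError(f"setting is not a plain literal: {text!r}")


def setting_accepted(text):
    try:
        parse_setting_hardened(text)
        return True
    except ValueError:
        return False


# --- Unrestricted upload of file with dangerous type (CWE-434) ----------
UPLOAD_ROOT = pathlib.Path(tempfile.mkdtemp())   # constructed scratch directory
ALLOWED_SUFFIXES = {".csv", ".txt"}


def save_upload_hardened(filename, data):
    """Store an uploaded text export; raise ValueError for anything suspicious."""
    # Keep only the final path component so '../' or 'C:\' prefixes are dropped.
    name = pathlib.PurePosixPath(filename.replace("\\", "/")).name
    suffix = pathlib.PurePosixPath(name).suffix.lower()
    if not name or name.startswith(".") or suffix not in ALLOWED_SUFFIXES:
        raise ValueError(f"rejected upload name {filename!r}")
    # Check the content matches the claimed type, not just the name.
    if b"\x00" in data:
        raise ValueError("content contains NUL bytes")
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        raise ValueError("content is not text")
    dest = (UPLOAD_ROOT / name).resolve()
    if UPLOAD_ROOT.resolve() not in dest.parents:
        raise ValueError("path escapes upload directory")
    dest.write_bytes(data)
    return dest


def upload_accepted(filename, data):
    try:
        save_upload_hardened(filename, data)
        return True
    except ValueError:
        return False
```

The upload check is deliberately layered: the name allowlist alone is not enough (a file named `export.csv` can still hold anything), so the content is checked too, and a real deployment would additionally store uploads outside any directory the web server can execute from.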

CNCSoft-B Advisory

This advisory describes two vulnerabilities in the Delta Electronics CNCSoft-B. The vulnerabilities were reported by Natnael Samson via the Zero Day Initiative. Delta has an updated version that mitigates the vulnerabilities. There is no indication that Samson has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Out-of-bounds read - CVE-2021-22660, and

• Out-of-bounds write - CVE-2021-22664

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerabilities to achieve arbitrary code execution.

CNCSoft ScreenEditor Advisory

This advisory describes an out-of-bounds read vulnerability in the Delta Electronics CNCSoft ScreenEditor. The vulnerability was reported by Natnael Samson via ZDI. Delta has an updated version that mitigates the vulnerability. There is no indication that Samson has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerability to allow arbitrary code execution.

Delta Industrial Advisory

This advisory describes a stack-based buffer overflow vulnerability in the Delta Industrial Automation COMMGR communication management software, and accompanying PLC simulators. The vulnerability was reported by Peter Cheng from CyberSpace Non-Attack Research Institute of Elex CyberSecurity. Delta has a new version that mitigates the vulnerability. There is no indication that Cheng has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow for remote code execution or cause the application to crash, resulting in a denial-of-service condition in the application server.

Rockwell Advisory

This advisory describes eight vulnerabilities in the Rockwell Stratix Switches. These are third-party vulnerabilities (Cisco). Rockwell has new versions that mitigate the vulnerabilities.

The eight reported vulnerabilities are:

• Insufficiently protected credentials - CVE-2021-1392,

• Insufficient verification of data authenticity - CVE-2021-1403,

• Use of out-of-range pointer offset - CVE-2021-1352,

• Insertion of sensitive information into log file - CVE-2021-1442,

• OS command injection - CVE-2021-1452,

• Command injection - CVE-2021-1443, and

• Improper input validation (2) - CVE-2021-1220 and CVE-2021-1356

NOTE 1: Links above are to the Cisco advisories.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to result in denial-of-service conditions, unauthorized privilege escalation, web socket hijacking, relative path traversal, or command injection.
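Two of the classes in that list, OS command injection and relative path traversal, come up constantly in embedded web management interfaces, so here is an added illustration of the vulnerable and hardened forms of each (my own code, not Rockwell or Cisco firmware, and not a description of the actual switch flaws). The function names, `WEB_ROOT` and the sample requests are hypothetical:

```python
# Added illustration for two of the weakness classes in the Rockwell/Cisco
# list: OS command injection and relative path traversal. Function names,
# WEB_ROOT and sample inputs are hypothetical; this is not switch firmware
# code and does not describe the actual Cisco flaws.
import ipaddress
import os
from urllib.parse import unquote


# --- OS command injection (CWE-78) --------------------------------------
def ping_command_vulnerable(target):
    # Building one string for a shell means ';', '&&', '|', '`' and '$()'
    # in the target are interpreted by the shell, not passed to ping.
    return f"ping -c 1 {target}"


def ping_command_hardened(target):
    # Validate against the grammar the value must have (here an IP address),
    # then build an argv list to be run without a shell: subprocess.run(argv).
    host = ipaddress.ip_address(target.strip())   # ValueError for anything else
    return ["ping", "-c", "1", str(host)]


def target_accepted(target):
    try:
        ping_command_hardened(target)
        return True
    except ValueError:
        return False


# --- Relative path traversal (CWE-23) -----------------------------------
WEB_ROOT = "/var/www/html"   # hypothetical document root


def resolve_static_vulnerable(requested):
    # Joining untrusted input directly lets '../' climb out of WEB_ROOT.
    return os.path.join(WEB_ROOT, requested)


def resolve_static_hardened(requested):
    """Map a requested path to a file under WEB_ROOT or raise ValueError."""
    # Decode exactly once, before checking: '%2e%2e%2f' must be judged as
    # '../', not as literal text.
    decoded = unquote(requested)
    # Drop a leading separator so an absolute path cannot replace the join.
    candidate = os.path.normpath(os.path.join(WEB_ROOT, decoded.lstrip("/\\")))
    # Containment check after normalisation. It is lexical, so it works even
    # when the root does not exist on the machine running this example.
    if os.path.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        raise ValueError(f"path traversal rejected: {requested!r}")
    return candidate


def is_safe_static_path(requested):
    try:
        resolve_static_hardened(requested)
        return True
    except ValueError:
        return False
```

The containment test is done after `normpath` on purpose; checking for the substring `..` before normalisation misses encoded and mixed forms, while checking the final resolved location catches all of them.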

NOTE 2: I briefly reported on these vulnerabilities back in March.

Hitachi ABB Advisory

This advisory describes a cross-site scripting vulnerability in the Hitachi ABB Ellipse APM. The vulnerability is self-reported. Hitachi ABB has new versions that mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an authenticated user or integrated application to inject malicious data into the application that can then be executed in a victim’s browser.
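The pattern NCCIC-ICS describes, data supplied by one user or an integrated application and later rendered in another user’s browser, is stored cross-site scripting. As an added illustration (my own code, not Ellipse APM’s, with hypothetical function names), here is the raw rendering beside the context-aware encoding that prevents it, plus the two caveats that most often undo the fix:

```python
# Added illustration of stored cross-site scripting output handling.
# Hypothetical functions; not Hitachi ABB code.
import html
from urllib.parse import urlparse


def render_note_vulnerable(author, body):
    # Raw interpolation: markup in either field becomes part of the page.
    return f"<p><b>{author}</b>: {body}</p>"


def render_note_hardened(author, body):
    # HTML-body context: encode the significant characters (& < > " ')
    # so the browser displays the text instead of parsing it.
    return (f"<p><b>{html.escape(author, quote=True)}</b>: "
            f"{html.escape(body, quote=True)}</p>")


def safe_href(url):
    """Attribute/URL context: encoding alone is not enough. The scheme must be
    one the application expects, otherwise a 'javascript:' link still runs."""
    cleaned = url.strip()
    if urlparse(cleaned).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(cleaned, quote=True)


def csp_header():
    # Defence in depth for the case where an encoding step is missed: without
    # 'unsafe-inline', an injected <script> block or onerror= handler does not run.
    return ("default-src 'self'; script-src 'self'; object-src 'none'; "
            "base-uri 'self'; frame-ancestors 'none'")
```

Two points worth noting for review: `html.escape` is correct only for HTML body and attribute contexts (a value dropped into a `<script>` block or an event handler needs JavaScript-context encoding instead), and the Content-Security-Policy header is a backstop for the one template someone forgot, not a substitute for encoding.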

Siemens Update

This update provides additional information on an advisory that was originally published on March 10th, 2020. The new information includes:

• Adding a partial solution for SiNVR/SiVMS Video Server, and

• Removing information for Control Center Server (CCS), which is now addressed in SSA-761844

NOTE: I briefly reported on the Siemens update on Sunday.

Mitsubishi Update

This update provides additional information on an advisory that was originally published on June 9th, 2020 and most recently updated on November 5th, 2020. The new information includes clarifying in the vulnerability overview that the resource exhaustion is caused at the Ethernet port by sending a specially crafted packet.

Hitachi ABB Update

This update provides additional information on an advisory that was originally published on April 6th, 2021. The new information includes updating affected versions and providing mitigation measures for Relion 670 series version 2.0. Hitachi ABB updated their advisory.
