Wednesday, June 30, 2021

Review - S 1917 Introduced - K–12 Cybersecurity Act of 2021

Last month Sen Peters (D,MI) introduced S 1917, the K–12 Cybersecurity Act of 2021. The bill would require CISA to conduct a study on the specific cybersecurity risks facing K–12 educational institutions and develop an online cybersecurity training toolkit designed for officials at K–12 educational institutions. No funding is authorized by this bill.

Within 120 days of the passage of this bill, CISA would be required to “conduct a study on the specific cybersecurity risks facing K–12 educational institutions”. A report to Congress would be required on the results of the study. Additionally, CISA would be required to develop recommendations that include voluntary cybersecurity guidelines designed to assist K–12 educational institutions in facing the cybersecurity risks identified.

Section 3(d) of the bill would require CISA, within 120 days of completing the recommendations described above, to “develop an online training toolkit designed for officials at K–12 educational institutions”.

Peters, and two of his three cosponsors {Sen Scott (R,FL) and Sen Rosen (D,NV)}, are members of the Senate Homeland Security and Governmental Affairs Committee to which this bill was assigned for consideration. Since Peters is the Chair of that Committee, he certainly has the influence to see this bill considered in Committee. I see nothing in this bill that would engender any specific opposition. I suspect that this bill would receive substantial bipartisan support in Committee.

For a more detailed look at the requirements of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-1917-introduced - subscription required.

House to Begin Consideration of HR 3684 – INVEST in America Act

The House is scheduled to begin consideration of HR 3684, the INVEST in America Act, today. Consideration will start with 90 minutes of general debate on the bill, followed by the offering of Amendments. The final vote on the bill will probably come tomorrow.

The rules for the consideration of this bill allow 149 of the amendments proposed for this bill to be offered on the floor. That includes only two of the amendments that I discussed on Sunday (subscription required):

33. Garamendi (CA) #2 Requires the Secretary of Transportation, in consultation with the Federal Energy Regulatory Commission to enter into an agreement with National Academy of Sciences to study and report on the threats to pipeline safety due to seismicity (i.e. earthquakes and seismic-induced landslides or land subsidence, etc.) (10 minutes), and

94. Steil (WI), Auchincloss (MA), Houlahan (PA) #178 (REVISED) Directs the GAO to study and report to Congress the vulnerabilities that the United States transportation system has from ransomware and other cybersecurity threats. (10 minutes)

The rule does provide for en bloc consideration of amendments. I suspect that both of the amendments listed above will be considered as part of an en bloc vote. That will almost certainly ensure that there will be no actual discussion about the bills in the Congressional Record during the debate.

Tuesday, June 29, 2021

HR 2225 Passed in House - the National Science Foundation for the Future Act

Yesterday the House considered HR 2225, the National Science Foundation for the Future Act, under the suspension of the rules process. The bill passed by a bipartisan vote of 345 to 67. Even though 67 Republicans voted against the bill, there was no negative comment uttered on the floor of the House during the debate on the bill.

It is unlikely that the Senate will take up the version of this bill that was passed in the House. The Senate passed S 1260 earlier this month and that bill also provided authorization for the National Science Foundation, and much more. Even where the two bills do the same thing, authorizing funding for the NSF for instance (see HR 2225, §4 and S 1260, §2116), there are significant differences between the two bills.

What the Senate is likely to do (if) when they consider this bill is to substitute the language from S 1260 for the House version and then pass the bill. The House would be unlikely to accept the Senate language. This would lead to a conference committee working out the many differences between the two bills. I expect that we will receive the combined language sometime this fall. It will be interesting to see what cybersecurity language comes out in that bill.

Review - 6 Advisories Published - 6-29-21

Today CISA’s NCCIC-ICS published six control system security advisories for products from Claroty, Aveva, JTEKT, Panasonic and Johnson Controls (2).

Claroty Advisory - This advisory describes an authentication bypass using an alternative path or channel vulnerability in the Claroty Secure Remote Access Site.

Aveva Advisory - This advisory describes two vulnerabilities in the Aveva System Platform. The vulnerabilities were reported by Sharon Brizinov of Claroty.

JTEKT Advisory - This advisory describes an improper restriction of operations within the bounds of a memory buffer vulnerability in the JTEKT TOYOPUC PLCs.

Panasonic Advisory - This advisory describes an improper restriction of XML external entity reference vulnerability in the Panasonic FPWIN Pro programming control software.

exacqVision Advisory #1 - This advisory describes a cross-site scripting vulnerability in the Johnson Controls exacqVision Enterprise Manager.

exacqVision Advisory #2 - This advisory describes a cross-site scripting vulnerability in the Johnson Controls exacqVision Web Service.

For more detailed information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/6-advisories-published - subscription required.

Review - HR 3262 Introduced – GUARD Act

Last month Rep Upton (R,MI) introduced HR 3262, the Guarding against Unauthorized Attacks Related to Driving (GUARD) Act. The bill would require DOT to submit to Congress a report on cybersecurity risks to motor vehicle safety.

Study and Report Required

Section 2 of the bill requires DOT to “conduct a study on the state of cybersecurity regarding motor vehicles”. In the process of conducting the study, DOT is required to address eight wide-ranging vehicle cybersecurity tasks, including:

• Identify each regulation, guideline, mandatory standard, voluntary standard, and other policy implemented by each Federal agency identified under this subsection and each guideline, mandatory standard, voluntary standard, and other policy implemented by industry-based and recognized international bodies,

• Review the technology, measures, guidelines, or practices used across the motor vehicle industry as of the date of the enactment of this Act to identify, protect, detect, respond to, or recover from cyber security incidents affecting the safety of a motor vehicle, focusing on the most advanced vehicle security solutions such as AI-driven vehicle security software,

• Identify existing cybersecurity resources to assist individuals in maintaining awareness of cybersecurity risks associated with motor vehicle safety and mechanisms for alerting a human driver or operator regarding cybersecurity vulnerabilities; and

• Identify means to protect vehicle occupants from cybersecurity incidents affecting safety that may arise while the motor vehicle is operating.

Moving Forward

Upton is a member of the House Energy and Commerce Committee to which this bill was assigned for consideration. This means that he likely has sufficient influence to see the bill considered in Committee.

I see nothing in the language of this bill that would engender any specific opposition. Given the importance that Congress is increasingly putting on cybersecurity issues, I suspect that this bill will receive significant bipartisan support, both in Committee and on the Floor of the House.

For a more detailed analysis of the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-3262-introduced - subscription required.

CISA Publishes ICR Correction Notice – 6-29-21

Today CISA published a correction notice in the Federal Register (86 FR 34267) correcting errors in their ICR revision notice published on June 23rd, 2021. Today’s notice corrects the comment submission deadline to be July 29th, 2021. It also changes the comment submission address to www.reginfo.gov/public/do/PRAMain; that address also appears to be incorrect; it should be dhsdeskofficer@omb.eop.gov.

Finally, they did acknowledge a comment on their 60-day ICR notice. I think that they can be forgiven for that oversight; the comment was more than a little odd and did not appear to address any of the issues outlined in the ICR. For perspective’s sake, here is that comment in its entirety:

“This is a Particular case, and You find out in which way it is when you read these couple of lines: Putting together around this issue: How many questions were asked V/S How many answers were received - Substrate The Question / Answered by the same person, rounding those responses to null. Sum up how many respondents are left: in case the Quota of "respondents only" is smaller than the "Asking the Question and Answering it" one: You will find out by yourselves which is more reliable: The Question or The answer?”

CSB Hiring Chemical Incident Investigators

Yesterday the U.S. Chemical Safety and Hazard Investigation Board (CSB) posted a blurb on the ‘Recent News’ section of their web site announcing that they were hiring chemical incident investigators. The link in the blurb takes you to a .PDF document. That document is a high-quality flyer briefly describing the job. A link in the flyer is provided for the USAJOBS.gov page for the positions (four of them). The closing date is July 6th, 2021.

Job Duties

Both the flyer and the USAJOBS.gov page list the following duties:

• Participates in surveying the site, determining the scope of the investigation; and works with local jurisdictional officials to secure the scene and assure that evidence is not jeopardized.

• Collects and records factual incident data, interviews witnesses, collects physical evidence, arranges for testing and/or examination of physical evidence, machinery and/or equipment.

• Evaluates and analyzes the significance of evidence collected, the methods used to collect the evidence, and the sources providing the evidence for validity, reliability, and substance.

• Conducts safety advocacy activities by representing the Board at meetings of national and international public and private organizations.

Other Interesting Information

The USAJOBS.gov page provides more detailed information for the job. Some interesting points include:

• Salary - $72,750 to $113,362 per year,

• Location negotiable after selection,

• Occasional travel - You may be expected to travel for this position,

• Security clearance – not required,

• Drug test required – no,

Commentary

I think that the ‘you may be expected to travel’ statement is more than disingenuous. There are not a lot of investigations conducted by the Board, but all would require multiple trips to the incident site.

The CSB has had numerous problems over the years, generally due to the lack of support provided by various administrations. Morale has been described as ‘low’ and ‘problematic’. But this is an important job. The CSB and industry need skilled investigators looking at the incidents. If you have the necessary skills and background and are willing/able to put up with the hiring process (that is not a problem unique to the CSB), then please think hard about applying for one of these positions.

Monday, June 28, 2021

Review - Securing Our Networks and Supply Chains Hearing – Bill Summaries

As I mentioned earlier, the Subcommittee on Communications and Technology of the House Energy and Commerce Committee will be holding a hearing on “A Safe Wireless Future: Securing Our Networks and Supply Chains”. It lists nine bills that will be considered, but it is not clear whether the Subcommittee will be holding a markup of these bills.

The four cybersecurity bills that will be considered in the hearing are:

HR 3919 - Secure Equipment Act of 2021,

HR 4028 - Information and Communication Technology Strategy Act,

HR 4032 - Open RAN Outreach Act, and

HR 4055 - American Cybersecurity Literacy Act

For a more detailed review of these bills, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/securing-our-networks-and-supply - (subscription required).

Committee Hearings – Week of 6-27-21

With just the House in session this week (the Senate takes a 2-week 4th of July recess), there is still a long list of hearings being held. Appropriations bills are being marked up, and there is also a DOD cybersecurity hearing and a markup of several cybersecurity bills.

Appropriations Markup Hearings

6-28-21 House – Subcommittee - Interior, Environment, and Related Agencies (IER),

6-30-21 House – Subcommittee – DOD,

6-30-21 House – Subcommittee – DHS,

6-30-21 House – Committee - Agriculture, Rural Development, Food and Drug Administration (ARF)

Cybersecurity Hearing

On Tuesday the Subcommittee on Cyber, Innovative Technologies, and Information Systems of the House Armed Services Committee will hold a hearing on “Department of Defense Information Technology, Cybersecurity, and Information Assurance for Fiscal Year 2022”. The sole witness will be John Sherman, CIO, DOD.

Cybersecurity Markup

On Wednesday the Subcommittee on Communications and Technology of the House Energy and Commerce Committee will be holding a hearing on “A safe wireless future: securing our networks and supply chains.” There is no witness list and there is a list of cybersecurity and communications security related bills, so I am kind of assuming that this is a markup hearing, but it is not listed as such on the Committee web site. The following bills are listed:

HR 4029, the Timely Evaluation of Acquisitions, Mergers or Transactions with External, Lawful Entities to Clear Owners and Management (TEAM Telecom) Act,

HR 4045, the Future Uses of Technology Upholding Reliable and Enhanced Networks Act or the FUTURE Networks Act,

HR 4046, the NTIA Policy and Cybersecurity Coordination Act,

HR 4055, the American Cybersecurity Literacy Act,

HR 4067, the Communications Security Advisory Act of 2021,

HR 2685, the Understanding Cybersecurity of Mobile Networks Act,

HR 3919, the Secure Equipment Act of 2021,

HR 4028, the Information and Communication Technology Strategy Act,

HR 4032, the Open RAN Outreach Act

The GPO has only published one of these bills (HR 2685) and it is not one that I would cover. The links above are to committee prints of the bills. I will be doing a quick review of these bills before Wednesday.

On the Floor

Today the House is scheduled to take up HR 2225, the National Science Foundation for the Future Act, under the suspension of the rules process. The way the Republicans have been playing delaying games with such bills, a vote will be demanded and there will be a mass vote on all 11 suspension bills on Tuesday.

As I mentioned yesterday, sometime later in the week the House will take up HR 3684, the INVEST in America Act. I will have more on what amendments will actually be considered after the two Rules Committee hearings today and tomorrow.

Sunday, June 27, 2021

Review - HR 3684 Amendments Submitted – INVEST in America Act

As I mentioned last week, the House is currently scheduled to take up HR 3684, the INVEST in America Act, this coming week. The House Rules Committee called for amendment submissions last week and 230 amendments have been offered to the revised version of the bill that will be considered. They include four HAZMAT transportation amendments and six cybersecurity amendments. The Rules Committee will meet on Monday to formulate the rule for the consideration of the bill and Tuesday to finalize the list of amendments that will be considered on the floor of the House.

There are two pipeline security amendments reflecting different Committee approaches. They are based upon HR 3078 and HR 3243. The pipeline safety amendment would require a National Academy of Sciences study and report on the threats to pipeline safety due to seismicity. Finally, an amendment would block the bill’s attempt to delay indefinitely the shipment of LNG by rail.

Three amendments would address cybersecurity issues with vehicle charging stations. Two would require reports on connected vehicle and intelligent vehicle cybersecurity issues. Finally, there is an amendment that would authorize DHS to support DOT's development of guidance related to weather disasters, natural disasters, acts of terrorism, and cyberattacks.

For a more detailed look at the amendments and processes, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-3684-amendments-submitted - (subscription required).

HR 2894 Introduced - Civilian Cyber Security Reserve Act

Back in March, Rep Panetta (D,CA) introduced HR 2894, the Civilian Cyber Security Reserve Act. The bill would authorize DOD and DHS to each establish a separate Civilian Cyber Security Reserve pilot project “to address the cyber security needs of the United States with respect to national security”. This bill is very similar to S 1324 (subscription required) that was introduced earlier in March.

Differences

There are three differences between this and the Senate bill. The first is a purely editorial difference; definitions in the Senate bill are found in §2(a) and in this bill they are found in §2(i). The two remaining differences are found in the two paragraphs that were left out of the House bill.

In the Senate bill §2(b)(4) would ensure that the ‘reservists’ appointed to temporary positions were not replacing current employees performing cybersecurity duties. This would prevent future budget cutting efforts from replacing full time employees with lower cost temporary employees.

Finally, the Senate version included §2(b)(5) that would have required the Department of Labor to publish appropriate employment rules to protect cyber reservists called up for federal service in much the same way that 38 USC Chapter 43 protects the civilian employment rights of military reservists.

Moving Forward

Panetta is a member of the House Armed Services Committee, one of the two committees to which this bill was assigned for consideration. He may have enough influence to see this bill considered in Committee. The main problem for this bill is the potential for it to undercut the recruitment of departing military personnel for National Guard and Reserve cybersecurity units. Thus I suspect that there might be some significant opposition in that Committee to this bill moving forward.

There are no sponsors for this bill from the House Homeland Security Committee, to which this bill was also assigned. That Committee would be more likely to overlook the military’s recruiting problems to enhance the surge capacity of DHS. If this bill is going to move forward, Panetta is going to have to get cosponsors from that Committee to see the bill considered and potentially moved to the floor for consideration. Even that bypass may not be effective if the leadership of the Armed Services Committee objects to this bill.

Commentary

I think that the idea of a non-military cybersecurity reserve organization for DHS has more than a little merit. Having said that, the two missing provisions that I described above would ill serve anyone signing up for such service if the House version of this bill is advanced.

Saturday, June 26, 2021

Review - Public ICS Disclosures – Week of 6-19-21

This week we have 16 vendor disclosures from ABB, Aveva, Weidmueller, Draeger, Phoenix Contact (7), QNAP, Sick, SonicWall, and VMware (2). There are exploit reports for products from VMware and HPE.

Miscellaneous Advisories

ABB Advisory - ABB published an advisory discussing CodeMeter vulnerabilities in their Automation Builder, Drive Application Builder and Virtual Drive products.

Aveva Advisory - Aveva published an advisory describing five vulnerabilities in the AutoBuild service of their System Platform.

Weidmueller Advisory - CERT-VDE published an advisory describing twelve vulnerabilities in the Weidmueller Industrial WLAN devices.

Draeger Advisory - Draeger published an advisory describing an integer overflow or wraparound vulnerability in their Clinical Assistance Package.

QNAP Advisory - QNAP published an advisory describing a command injection vulnerability in their NAS running legacy versions of QTS.

Sick Advisory - Sick published an advisory describing an inadequate SSH configuration vulnerability in their Visionary-S CX product.

SonicWall Advisory - SonicWall published an advisory describing a buffer overflow vulnerability in their SonicOS.

Phoenix Contact Advisories

Phoenix Contact published an advisory describing an undocumented access vulnerability in their AXL F BK and IL BK products.

Phoenix Contact published an advisory describing a denial of service vulnerability in their ILC1x1 Industrial controllers.

Phoenix Contact published an advisory describing a file parsing memory corruption vulnerability in their Automation Worx Software Suite.

Phoenix Contact published an advisory describing a race condition vulnerability in their PLCNext, SMARTRTU AXC, CHARX control modular and EEM-SB37x products.

Phoenix Contact published an advisory describing two vulnerabilities in their PLCNext, ILC 2050 BI, FL MGUARD DM UNLIMITED, TC ROUTER and CLOUD CLIENT products.

Phoenix Contact published an advisory describing three vulnerabilities in their FL SWITCH SMCS series.

VMware Advisories

VMware published an advisory describing a local privilege escalation vulnerability in their VMware Tools, VMRC and VMware App Volumes products.

VMware published an advisory describing an authentication bypass vulnerability in their Carbon Black App Control product.

Exploits

CHackA0101 published an exploit for an improper privilege management vulnerability in the VMware vCenter Server.

Jeremy Brown published an exploit for a denial of service vulnerability in the HPE Remote Device Access product.

For more detailed information on the advisories see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-73d (subscription required).

Friday, June 25, 2021

OMB Approves CISA SLTT Incident Collection ICR

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced the emergency approval of an information collection request (ICR) for the new State, Local, Tribal and Territorial (SLTT) Incident Collection. According to the supporting document provided to OIRA, CISA established the pilot SLTT Cyber Reporting and Threat Information Sharing Pilot in September 2019.

That supporting document explains the program this way:

“The SLTT Incident Collection Form is a voluntary form that will be posted on fraudsupport.org which is a public facing website operated by the Cybercrime Support Network (the organization awarded a cooperative agreement to conduct the Pilot). Respondents can fill out the form for each instance where they believe they have been victim of a cyber incident, including ransomware. The collection of the cyber threat incident data is critical to the work of the pilot as it ensures that citizens and SMBs receive tailored responses to help them understand what has occurred. CSN will provide detailed incident data to the appropriate state agencies for investigation and to assist SMBs, local governments and other critical infrastructure facilities recover from the cyber attacks. These victims would largely otherwise go without assistance without the information captured through this effort.”

The form for this collection will be maintained on fraudsupport.org which is a public facing website operated by the Cybercrime Support Network (the organization awarded a cooperative agreement to conduct the Pilot).

As part of the emergency approval OIRA is requiring CISA to publish the normal 60-day and 30-day ICR notices.

Bills Introduced – 6-24-21

Yesterday, with both the House and Senate in Washington (and the Senate preparing to leave for their 2-week 4th of July recess), there were 176 bills introduced. Five of those bills will receive additional coverage in this blog:

S 2269 A bill to secure the bulk-power system in the United States. Sen. Scott, Rick [R-FL] 

S 2274 A bill to authorize the Director of the Cybersecurity and Infrastructure Security Agency to establish an apprenticeship program and to establish a pilot program on cybersecurity training for veterans and members of the Armed Forces transitioning to civilian life, and for other purposes. Sen. Hassan, Margaret Wood [D-NH]

S 2292 A bill to require the Secretary of Homeland Security to study the potential consequences and benefits of amending the Computer Fraud and Abuse Act to allow private companies to take proportional actions in response to an unlawful network breach. Sen. Daines, Steve [R-MT]

S 2302 A bill to amend the Department of Energy Organization Act to assign certain functions to the Assistant Secretaries of Energy relating to energy emergencies and energy security, and for other purposes.

S 2305 A bill to enhance cybersecurity education. Sen. Ossoff, Jon [D-GA]

Thursday, June 24, 2021

2 Advisories Published – 6-24-21

Today CISA’s NCCIC-ICS published a control system security advisory for products from FATEK and a medical device security advisory for products from Philips.

FATEK Advisory

This advisory describes three vulnerabilities in the FATEK WinProladder. The vulnerabilities were reported by Michael Heinzl. FATEK is working on mitigation measures.

The three reported vulnerabilities are:

• Out-of-bounds read - CVE-2021-32990,

• Out-of-bounds write - CVE-2021-32988, and

• Improper restriction of operations within the bounds of a memory buffer - CVE-2021-32992

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to allow for the execution of arbitrary code.

Philips Advisory

This advisory describes a clear-text transmission of sensitive information vulnerability in the Philips Interoperability Solution XDS document sharing system. The vulnerability is self-reported. Philips provides generic mitigation measures.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to allow an attacker to read the LDAP system credentials by gaining access to the network channel used for communication. This risk applies to configurations using LDAP via TLS and where the domain controller returns LDAP referrals.

Review - HR 3684 to be Considered in House – Invest in America Act

As I mentioned Tuesday, the House will be considering HR 3684, the INVEST in America Act, next week. The bill was amended in Committee earlier this month and according to the House Rules Committee site, it has been further modified for that consideration. The version reported on the Rules Committee site includes two HAZMAT provisions and one section that specifically addresses cybersecurity issues, as well as seven mentions of cybersecurity in passing in other provisions.

Yesterday the Rules Committee announced that it was adding two new divisions to the language of HR 3684. These new divisions come from HR 1915, HR 3291, and HR 3293. Those divisions add one additional cybersecurity mention in passing.

HAZMAT Provisions

Section 8202 would provide for a stay of authorization to transport liquified natural gas by rail until four research and evaluation conditions are met.

Section 8203 would amend 49 USC 5107 by adding a new subsection (j) creating a new grant program “to develop hazardous materials response training for emergency responders and make such training available electronically or in person”.

AMTRAK Cybersecurity

The only section in the bill that specifically addresses cybersecurity issues is §9217, Amtrak cybersecurity enhancement and resiliency grant program. That section adds a new 49 USC 24325 of the same name. It would require DOT to “make grants to Amtrak for improvements in information technology systems, including cyber resiliency improvements for Amtrak information technology assets” {new §24325(a)}.

Moving Forward

The Rules Committee is currently accepting proposed amendments to HR 3684 and its additions. As of this writing there have been 223 amendments proposed. The Committee will meet early next week to formulate the rule for the consideration of HR 3684, including which amendments will be considered on the floor. That consideration will probably take place in the latter half of next week.

For a more detailed analysis of the provisions of the revised bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-3684-to-be-considered-in-house - subscription required.

Bills Introduced – 6-23-21

Yesterday, with both the House and Senate in session, there were 63 bills introduced. Two of those bills may receive additional coverage in this blog:

S 2199 A bill to require the Secretary of Energy to establish a voluntary Cyber Sense program to test the cybersecurity of products and technologies intended for use in the bulk-power system, and for other purposes. Sen. Rosen, Jacky [D-NV] 

S 2201 A bill to manage supply chain risk through counterintelligence training, and for other purposes. Sen. Peters, Gary C. [D-MI]

I will be covering S 2199. I suspect that it is a companion measure to HR 2928.

As always, one has to be careful with the term ‘supply chain risk’. I will be watching this bill to see if that term is used in the cybersecurity sense and, if it is, whether the bill contains language and definitions that would include industrial control systems in its coverage.

Wednesday, June 23, 2021

CFATS 60-day or 30-day ICR Notice – 6-23-21

Today CISA’s Office for Chemical Security published notices on both the Chemical Facility Anti-Terrorism Standards (CFATS) landing page and the CFATS Knowledge Center about the two information collection request (ICR) revision notices that were published in today’s Federal Register. I wrote about (subscription required) these two ICR notices earlier today. Looking at the web site notices, I realized that in my reporting, I had compounded the mistake made by the folks that publish the Federal Register (or maybe the CISA folks who submitted the ICR notice; I do not know for sure); the notice for ICR 1670-0014 was not a 60-day ICR notice, it was actually a 30-day ICR notice.

Actually, the notice has it listed both ways. Under the ‘Action’ heading near the top of the notice, it clearly calls it a ‘30-Day notice’. And down in the ‘Summary’ it provides the date of, and a link to, the actual 60-day notice published back in March. But it does provide a comment due date of August 23, 2021; 60 days from today. To further confuse matters it calls for sending comments to the docket on the Federal eRulemaking Portal; 30-day ICR notice comments are normally sent directly to OMB’s dhsdeskofficer@omb.eop.gov.

Now I should have known better, because I did a blog post on the actual 60-day ICR revision notice back in March.

In the end, this probably is not a big deal. There were no comments submitted on the 60-day ICR revision notice, and I do not expect there to be any on this notice. There will probably be a correction published in the Federal Register changing the comment due date to a date 30 days from that notice.

Review - CISA Publishes Two CFATS ICR Revision Notices – 6-23-21

Today the DHS Cybersecurity and Infrastructure Security Agency published two information collection revision notices for the Chemical Facility Anti-Terrorism Standards (CFATS) program. CISA is soliciting public feedback on each of the notices. Both ICR revisions address editorial changes such as “updating the Agency name to conform with the Agency's new designation as CISA”. Changes in the burden estimate are being proposed in both revisions.

The two ICRs being revised are:

1670-0014 Chemical Facility Anti-Terrorism Standards, and

1670-0029 Chemical Facility Anti-Terrorism Standards (CFATS) Personnel Surety Program

NOTE: The first link on each line is to the Current ICR and the second is to today’s ICR notice.

CISA is soliciting public comments on both of these ICR revisions. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov, Dockets CISA-2021-0009 and CISA-2021-0003). Comments should be submitted by August 23rd, 2021.

For a more detailed look at these ICR revision requests, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cisa-publishes-two-cfats-icr-revision Subscription Required.

Bills Introduced – 6-22-21

Yesterday, with both the House and Senate in session, there were 85 bills introduced. Two of those bills may receive additional coverage in this blog:

HR 4046 To amend the National Telecommunications and Information Administration Organization Act to establish the Office of Policy Development and Cybersecurity, and for other purposes. Rep. Duncan, Jeff [R-SC-3]

HR 4055 To establish a cybersecurity literacy campaign, and for other purposes. Rep. Kinzinger, Adam [R-IL-16]

I will be watching both of these bills for language or definitions that would indicate that they could include industrial control systems in their coverage.

Tuesday, June 22, 2021

Review - Four Advisories Published – 6-22-21

Today CISA’s NCCIC-ICS published four control system security advisories for products from CODESYS (3) and Advantech.

Linux SysFile Advisory - This advisory describes an OS command injection vulnerability in the CODESYS V2 Runtime Toolkit.

Control V2 Advisory - This advisory describes three vulnerabilities in the CODESYS V2 Runtime Toolkit and CODESYS PLCWinNT products.

V2 Web Server Advisory - This advisory describes six vulnerabilities in the CODESYS V2 web server.

Advantech Advisory - This advisory describes three vulnerabilities in the Advantech WebAccess HMI Designer. The vulnerabilities were reported by kimiya via the Zero Day Initiative. Advantech is still working on mitigation measures.

For a more detailed look at these advisories see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/four-advisories-published Subscription Required.

Committee Hearings – Week of 6-20-21

With both the House and Senate in Washington this week, there is a full slate of hearings scheduled. This week starts the markup of spending bills, with two House Appropriations subcommittee markups of lesser (from the perspective of this blog anyway) bills scheduled for later this week. There are two cybersecurity hearings scheduled in the Senate, and the House Rules Committee has set an amendment submission deadline for HR 3684.

Cybersecurity

Tomorrow the Subcommittee on Communications, Media, and Broadband for the Senate Commerce, Science, and Transportation Committee will hold a hearing “Building Resilient Networks”. The witness list includes:

• Harold Feld, Public Knowledge,

• Jonathan Adelstein, Wireless Infrastructure Association,

• Denny Law, Golden West Telecommunications, and

• Jeff Johnson, Western Fire Chiefs Association

On Thursday the Senate Energy and Natural Resources Committee will hold a hearing on examining infrastructure needs. Also on the schedule is consideration of an original bill (not yet introduced), the Energy Infrastructure Act. A quick look at the table of contents shows a cybersecurity subtitle that apparently includes language from HR 2928 and HR 2931 (subscription required for both links).

HR 3684 Amendment Process

The House Rules Committee announced that it was accepting potential amendments for HR 3684, the INVEST in America Act. The Committee will be formulating a rule for the bill’s consideration before the full House next week. The text that will form the basis for that consideration is the language marked up by the House Transportation and Infrastructure Committee earlier this month plus some modifications made since then. I will try to get that text reviewed later this week.

On the Floor

This week the House is scheduled to consider 18 bills under the suspension of the rules procedure. One of those bills, HR 1374, the Enhancing State Energy Security Planning and Emergency Preparedness Act of 2021, contains some passing references to energy cybersecurity.

CSB Reporting Form Drops off Landing Page

As I predicted earlier this month, the news article on the Chemical Safety Board (CSB) landing page that provided a link to the CSB’s Accidental Release Reporting form has been moved off of the page by the latest news about the Chemtool fire. So, as of right now, there is no place on the page for a one-click link to that form.

You can click on the right-pointing arrow on the ‘Recent News’ section to get the link back on the page, or you could click on the ‘Site Map’ link on the bottom of the page to find the link to the “Incident Reporting Rule Submission Information” page which provides links to the form, the instructions and regulations governing the reporting requirement.

IMHO (okay not so humble) the link to that page should be prominently displayed on the landing page if CSB really wants facilities to be able to find it in an emergency for prompt reporting. Any facility that holds the operationally defined hazardous substances (see 40 CFR 1604.2) should keep a link to this reporting page in their emergency reporting SOP, and everyone has one of those, RIGHT?

Bills Introduced – 6-21-21

Yesterday, with the Senate in Washington and the House meeting in pro forma session (they will be in town today), there were 21 bills introduced. One of those bills will see additional coverage in this blog:

S 2139 A bill to amend title 18, United States Code, to prevent international cybercrime, and for other purposes. Sen. Whitehouse, Sheldon [D-RI]

There has been lots of attention in the press to new proposed legislation to address cybersecurity issues. This bill, for example, was mentioned Friday in an article on TheHill.com:

“In a separate effort, Sens. (R-S.C.), (D-R.I.), Richard Blumenthal (D-Conn.), and (R-N.C.) on Thursday reintroduced legislation originally rolled out in 2018 that would crack down on cyber criminals.

“Their bill, the International Cybercrime Prevention Act [link added for original version of bill], would tighten consequences for hacking a critical infrastructure organization, such as a dam or a hospital, along with expanding the Justice Department’s ability to go after botnet groups.”

We will see how serious the four sponsors of this bill are by how fast this gets considered in Committee. The same goes for the other bills mentioned in Friday’s article, none of which have actually been introduced yet, maybe today?

Monday, June 21, 2021

CSB and Chemtool Fire – 6-21-21

Today the Chemical Safety Board announced that they were deploying two of its senior leadership members to Rockton, IL, the site of the June 14th Chemtool Fire. A week ago the CSB decided not to send an active investigation team while the fire was still burning; their June 15th statement said: “At this point assessments appear to indicate that the incident is a fire event and not a chemical process safety event.” The announced deployment will involve engagement “with Federal, State and local emergency responders, the Environmental Protection Agency (EPA) and others to determine the conditions and circumstances that led to the incident and to identify the cause or causes so similar incidents might be prevented.”

The Incident

According to news reports (see here and here) early on Monday morning, June 14th, a fire broke out at the Chemtool plant. On the first day, the decision was made to let the fire burn itself out, rather than pour water on the fire that could lead to toxic runoff into the nearby river. This decision was reversed the next day when an industrial fire fighting company was brought in to fight the fire with heavy foam. Early foam use reportedly included the use of a fluorinated foam that might contain the controversial Perfluorooctanoic acid (PFOA).

As of June 18th, nearby residents that had been ordered to evacuate the immediate area around the plant were allowed to return home. While hotspot firefighting continues, this marked the start of the cleanup process.

This is a fairly well documented incident. The local WREX web site contains a Chemtool fire coverage page that provides links to a large number of news reports their team made over the five days of the incident. Similarly, the US EPA has a Chemtool Fire page that provides a daily summary of EPA actions with respect to the fire and environmental testing results.

Commentary

A look at the Google Satellite View of the facility shows a large industrial building with no obvious outside storage tanks. A twin rail line enters the facility for loading and unloading chemical railcars, so that extension of the building probably contains whatever tank farm the facility uses. There are no obvious diking or retention ponds outside of the building. This is why the firefighting crew on Tuesday had to resort to trenching between the facility and the river to contain any firefighting runoff.

Much is being made of a report on the sprinkler system installed at the facility. Sprinklers at a chemical facility are not nearly as effective at fire suppression as they are in residential or non-chemical industrial facilities. This is particularly true in facilities, like the Chemtool facility, that handle large quantities of liquid petrochemicals, as these are typically hydrophobic, so they do not mix well with water and are usually lighter than water. Applying water to burning petrochemicals has a tendency to move the flaming liquids about, spreading the fire. This is why the industrial firefighting company brought in foam dispersal equipment: the foam stays on top of the flaming liquid and isolates the material from its oxygen supply.

I continue to be amazed by the lack of ponding around chemical facilities to catch firefighting runoff. In 26 years in the chemical process industry, I have been at two facilities that had off-site consequences from incidents involving firefighting water releases. One was when a deluge system released in a non-fire incident and the other was from a relatively short six-hour firefighting exercise. In both cases water left the facility grounds before anyone thought about diking or trenching.

In the first case, large amounts of water with traces of relatively non-toxic chemicals resulted in a large fish-kill in a local creek, with large fines. The second involved recovery of the runoff from miles of creek bed, with hazardous material disposal costs larger than the value of the destroyed facility. In both cases a dry pond with a closable weir would have prevented those costs from being accrued.

HR 2982 Introduced - National Guard Cybersecurity Support Act

Last month Rep Kim (D,NJ) introduced HR 2982, the National Guard Cybersecurity Support Act. The bill would specifically allow members of the Army and Air Force National Guard to conduct ‘cybersecurity operations’ to protect critical infrastructure. This is a companion bill to S 70 that was introduced in January. As I had predicted the Senate bill has not seen any action in committee.

Moving Forward

Kelly and two of his four co-sponsors {Rep Wilson (R,SC) and Rep Kelly (R,MS)} are members of the House Armed Services Committee, the Committee to which this bill was assigned for consideration, so there could be sufficient influence to see the bill considered in Committee. I see nothing in this bill that would engender any significant opposition. The bill should receive broad, bipartisan support in Committee. If this bill moves to the House floor, it would be considered under the suspension of the rules process. This means limited debate, no floor amendments and a supermajority would be required for passage.

Commentary

My comments on S 70 apply equally to this bill. I would like to add a new observation that also applies to both bills. They both rely on 42 USC 5195c(e) for their definition of ‘critical infrastructure’. That definition reads:

“In this section, the term ‘‘critical infrastructure’’ means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

This was deliberately written as broadly as possible, and for most applications that is helpful. It provides federal officials the maximum amount of leeway in addressing security concerns or responding to incidents. But as cybersecurity attacks become more widespread and costly, there will be a need for federal government agencies to limit the deployment of their resources and rely more on the growing cybersecurity industry in the country to handle all but the most critical facility attacks.

This bill may not be the place to start considering the limitations of federal cyber response capabilities, but it is a discussion that will have to be had.

Sunday, June 20, 2021

Review - S 2016 Introduced - Surface Transportation Investment Act of 2021

Earlier this month Sen Cantwell (D,WA) introduced S 2016, the Surface Transportation Investment Act of 2021. This is the Senate version of the FY 2021 surface transportation authorization bill. The bill contains one significant cybersecurity provision and two HAZMAT response provisions of note, as well as seven additional, relatively minor, cybersecurity mentions.

GAO Cybersecurity Reports

The major cybersecurity requirement of this bill is found in §5023. It gives DOT three years to address recommendations made in two separate cybersecurity-related reports from the GAO:

• A risk management report (GAO–19–384), and

• A cybersecurity workforce report (GAO-19-144)

HAZMAT Response

Section 6002 (pg 565) amends 49 USC 5116 by inserting a new subsection (j), Alert Grant Program. It would require DOT to establish this new grant program to “develop a hazardous materials response training curriculum for emergency responders, including response activities for the transportation of crude oil, ethanol, and other flammable liquids by rail, consistent with the standards of the National Fire Protection Association” {new §5116(j)(1)}. DOT would be required to ensure that the training was available in ‘an electronic format’.

Section 6003 (pg 568) amends §7302 of the FAST Act (PL 114-94, Page 129 STAT. 1594) by changing the deadline in §7302(a)(1) from December 5th, 2016 to December 5th, 2022 for DOT to establish regulations requiring Class I railroads “to generate accurate, real-time, and electronic train consist information” {§7302(a)(1)(A)}.

Minor Cybersecurity Provisions

This bill continues a recent trend for legislation to make relatively minor changes to current requirements in order to increase the emphasis on cybersecurity. This trend involves the recognition that cybersecurity should be part and parcel of much of what goes on in a modern electronic society. Those minor cybersecurity mentions have been included in the following sections of the bill:

§5001. Intelligent Transportation Systems Program Advisory Committee,

§5005. Strengthening mobility and revolutionizing transportation grant program,

§5006. Electric vehicle working group,

§5013. Advanced transportation research,

§5015. Transportation research and development 5-year strategic plan,

§5018. University transportation centers program, and

§5021. Transportation workforce development

Moving Forward

On Wednesday, the Senate Commerce, Science, and Transportation Committee held a markup hearing that included S 2016. No information on that markup is currently available on the hearing website (it is not unusual for Senate websites to be very slow to update), but the Congress.gov page for this bill notes that the Committee: “Ordered to be reported with an amendment in the nature of a substitute favorably.” The substitute language is not currently available, but typically such substitute language adds new provisions. I will take a look at the changes when the Committee Report is published.

For a more detailed look at the provisions of this bill, see my article at CFSN Detailed Analysis https://patrickcoyle.substack.com/p/s-2016-introduced (subscription required).

Saturday, June 19, 2021

Review - Public ICS Disclosures – Week of 6-12-21

This week we have eight vendor disclosures from Digitek, EIP Stack Group, Genetec, QNAP (2), VMware, and Wibu (2). We also have two vendor updates from Dell and Mitsubishi. Finally, we have an exploit for products from Wibu.

Vendor Disclosures

Digitek Advisory - Incibe-CERT published an advisory describing an SQL injection vulnerability in the Digitek Secure 8 system.

EIP Stack Group Advisory - Incibe-CERT published an advisory describing an out-of-bounds read vulnerability in the EIP Stack Group OpENer product.

Genetec Advisory - Genetec published an advisory discussing vulnerabilities in Bosch IP cameras that may affect their Security Center, Security Center SaaS Edition, and Stratocast products.

QNAP Advisory - QNAP published an advisory describing an insecure storage of sensitive information vulnerability in their QNAP NAS products running myQNAPcloud Link.

QNAP Advisory - QNAP published an advisory describing an out-of-bounds read vulnerability in their QNAP NAS products running QTS and QuTS hero.

VMware Advisory - VMware published an advisory describing a denial-of-service vulnerability in their VMware Tools for Windows product.

Wibu Advisory - Wibu published an advisory describing a buffer over-read vulnerability in their CodeMeter Runtime Network Server.

Wibu Advisory - Wibu published an advisory describing a denial-of-service vulnerability in their CodeMeter Runtime CmWAN Server.

Vendor Updates

Dell Update - Dell published an update for their Dell Wyse Windows Embedded System that was originally published on May 11th, 2021.

Mitsubishi Update - Mitsubishi published an update for their MC Works advisory that was originally published on June 18th, 2020 and most recently updated on January 14th, 2021.

Exploits

Wibu Exploit - Brian Rodriquez published an exploit for an unquoted service path vulnerability in the Wibukey Runtime product.

For a more detailed look at these disclosures see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-dda (subscription required).
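As an added example, not code from the original post or from Wibu, the following PowerShell audit lists Windows services whose executable path is unquoted and contains a space, which is the condition behind the ‘unquoted service path’ weakness class named in the Wibu exploit entry above. It reads service definitions through the standard Win32_Service CIM class and only reports findings; the function name Get-UnquotedServicePath is my own and is not from any vendor tooling.

```powershell
# Added example, not code from the original post or from Wibu.
# Audits installed Windows services for the "unquoted service path" weakness:
# a service PathName that is not wrapped in quotes and contains a space, so the
# service control manager has to guess where the executable name ends.
# The function name Get-UnquotedServicePath is an assumption of this example.
function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $path = $_.PathName
            if ([string]::IsNullOrWhiteSpace($path)) { return $false }
            # A path that already starts with a quote is correctly delimited.
            if ($path.StartsWith('"')) { return $false }
            # Keep only the executable portion (everything before the first ".exe"),
            # so spaces inside command-line arguments are not counted.
            $exePart = ($path -split '\.exe', 2)[0]
            # Flag the service when that executable portion contains whitespace.
            $exePart -match '\s'
        } |
        Select-Object Name, StartMode, StartName, State, PathName
}

# Report for review. Remediation is re-registering the service with a quoted
# path (for example with sc.exe config or by editing the ImagePath registry
# value); this audit deliberately changes nothing.
Get-UnquotedServicePath | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session so every service definition is readable. The StartName column is included because a finding that runs as LocalSystem from a user-writable directory is the one to fix first; a finding in a directory only administrators can write to is a hygiene issue rather than an exposure.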


Friday, June 18, 2021

CISA Announces 2021 Chemical Security Seminars

CISA published a notice on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center concerning the 2021 Chemical Security Summit. Like last year, CISA and the Chemical Sector Coordinating Council have decided that the in-person Chemical Security Summit would not be practical because of the continuing COVID-19 pandemic. They will, instead, be holding Chemical Security Seminars on December 1st, 8th, and 15th from 8 am to noon Pacific Time.

More detailed information will be published on the Chemical Security Summit site.

CISA and CSCC held a similar set of seminars last December and the format was very successful.

Bills Introduced – 6-17-21

Yesterday with both the House and Senate in Washington and preparing for the new federal holiday, there were 118 bills introduced. Three of these bills may receive additional attention in this blog:

HR 4005 To direct the Director of the Cybersecurity and Infrastructure Security Agency to establish a School Cybersecurity Improvement Program, and for other purposes. Rep. Matsui, Doris O. [D-CA-6]

HR 4006 To require original equipment manufacturers of digital electronic equipment to make available certain documentation, diagnostic, and repair information to independent repair providers, and for other purposes. Rep. Morelle, Joseph D. [D-NY-25]

S 2134 A bill to establish the Data Protection Agency. Sen. Gillibrand, Kirsten E. [D-NY]

I would also like to mention in passing one Senate Resolution:

S Res 279 A resolution designating June 21, 2021 through June 25, 2021, as "National Cybersecurity Education Week". Sen. Rosen, Jacky [D-NV]

I will be watching HR 4005 for language and definitions that would indicate that building control and/or security systems are specifically covered. I am not holding my breath.

I will be watching HR 4006 for language and definitions that could have cybersecurity implications.

I will be watching S 2134 for definitions and language that might indicate that control system information would be covered. I am not really expecting to find it.

I will not be covering HR 2885 – Grid Resilience Grants

A frequent feature of this blog is the Bills Introduced post. For each day that either the House or Senate is in session, Congress.gov publishes, generally the next day, a listing of the bills that were introduced. I look at the brief descriptions of those bills and make a preliminary determination of whether the bills address a topic that I will be covering here in this blog. If they do, I make a brief announcement of the fact in a ‘Bills Introduced’ post for that day.

I did one of those posts for April 28th, 2021. In that post I listed five bills that I might be covering, including HR 2885:

"HR 2885 To require the Secretary of Energy to establish an electric grid resilience grant program and an electric grid resilience research and development program. Rep. Johnson, Eddie Bernice [D-TX-30] ."

I listed that bill based upon the description provided above since cybersecurity is increasingly becoming a resiliency issue. For HR 2885 I noted:

“I will be watching HR 2885 for language and definitions that would include cybersecurity in the grid resilience programs; probably will not be any.”

Once the bill is actually printed, increasingly months later, I make a determination of whether or not I will be covering the bill, generally based upon the criteria that I list in the Bills Introduced post. If the bill does not meet those self-imposed criteria, I generally never mention it again. Every once in a while, however, I just have to mention a bill that I will not be covering in this blog. Yesterday, the text for HR 2885 was printed and it contained a provision that I just have to mention.

HR 2885 establishes both a grid-resilience grant program and a grid-resilience research and development program. As I expected, there is no language in the bill that includes cybersecurity in either program. What I did not expect to see, however, was specific language in the bill that prohibited the use of funds in the grant program from being used for cybersecurity purposes. But, there it is in §2(c)(2)(ii), under ‘prohibited uses’, cybersecurity.

Now, I understand that this bill is trying to address resiliency issues related to extreme weather events. That is clearly spelled out in §2(c)(1). And cybersecurity is clearly not specifically related to extreme weather events, again, I understand that. What I do not understand is why Rep Johnson (D,TX) felt it necessary to specifically spell out that cybersecurity expenditures were not covered by the grant program.

But, my understanding is not necessary. What I do understand is that this will be the last mention of HR 2885 in my blog. Weather resiliency of the grid is just not a topic that I intend on covering at this time. But Johnson had to specifically exclude cybersecurity issues so I had to specifically exclude her bill.

Thursday, June 17, 2021

Review - 3 Advisories and 2 Updates Published – 6-17-21

Today CISA’s NCCIC-ICS published three control system security advisories for products from Advantech, Softing, and Schneider Electric. They also published updated advisories for products from Rockwell Automation and WAGO.

Advantech Advisory - This advisory describes two vulnerabilities in Advantech WebAccess/SCADA.

Softing Advisory - This advisory describes an improper restriction of operations within the bounds of a memory buffer vulnerability in the Softing OPC-UA C++ Software Development Kit.

Schneider Advisory - This advisory describes an improper privilege management vulnerability in the Schneider Enerlin'X Com'X 510 energy server.

Rockwell Update - This update provides additional information on an advisory that was originally published on January 21st, 2021 and most recently updated on February 16th, 2021.

WAGO Update - This update provides additional information on an advisory that was originally published on January 21st, 2021 and most recently updated on February 16th, 2021.

For a more detailed look at the advisories and updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-and-2-updates-published (subscription required).

Review - S 1260 and Cybersecurity

With the recent publication of the engrossed version (passed in the Senate) of S 1260, the United States Innovation and Competition Act of 2021, I have now had a chance to go back and look at the cybersecurity related provisions that were included in the massive, 2,375-page bill. In addition to the new sections added in the substitute language that I briefly mentioned earlier, there were a number of provisions added in passing that are worthy of mention.

Protecting research from cyber theft

Section 2305 amends 15 USC 272(e)(1)(A) by adding ‘institutions of higher education’ to the list of considerations NIST has to address in developing consensus-based cybersecurity standards. Additionally, §2305(b) requires NIST to “disseminate and make publicly available resources to help research institutions and institutions of higher education identify, protect the institution involved from, detect, respond to, and recover to manage the cybersecurity risk of the institution involved related to conducting research.”

NASA Cybersecurity

Section 2676 (pg 690) would amend 51 USC 20301 by adding a requirement for the NASA Administrator to “up-date and improve the cybersecurity of NASA space assets and supporting infrastructure” {new §20301(c)}. NASA would also be required to establish a Cyber Security Operations Center. Finally, it would authorize NASA to “implement a cyber threat hunt capability to proactively search NASA information systems for advanced cyber threats that otherwise evade existing security tools” {§2676(c)(1)}.

Cyber Response and Recovery

Section 4252 (pg 1238) is the Cyber Response and Recovery Act. It is essentially the language of S 1316, which I have previously described in detail.

Federal Rotational Cyber Workforce Program

Division D of the bill includes Title II, Cyber and Artificial Intelligence. Subtitle B (pg 1257) of that Title is the Federal Rotational Cyber Workforce Program Act of 2021. It is essentially the language of S 1097 which the Senate Homeland Security and Governmental Affairs Committee ordered reported favorably last month.

Commentary

Almost all of the cybersecurity provisions in this bill are limited to information technology because of the language or definitions involved. It is not clear that that was the intention of the crafters of this bill, but it is certainly the effect.

For a more detailed look at the cyber provisions of S 1260, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-1260-and-cybersecurity (subscription required).

Bills Introduced – 6-16-21

Yesterday with both the House and Senate in session, there were 66 bills introduced. One of those bills may receive additional coverage in this blog:

HR 3933 To amend title 49, United States Code, to provide for the installation of ground-based augmentation systems, and for other purposes. Rep. Fitzpatrick, Brian K. [R-PA-1]

I think that this bill may be related to a ground-based backup to the satellite-based GPS system. If it is, I will be watching for language that includes requirements for a timing signal in that system.

Wednesday, June 16, 2021

2 Sponsors Added for S 652 – Moving FIRST Act

Yesterday two new sponsors for S 652, the Moving and Fostering Innovation to Revolutionize Smarter Transportation (Moving FIRST) Act, were announced. The new sponsors are both members of the Senate Commerce, Science and Transportation Committee, the Committee to which this bill was assigned for consideration. This increases the chances of the bill being considered in Committee.

The two new sponsors are:

• Sen Rosen (D,NV), and

• Sen Warnock (D,GA)

S 658 Reported in Senate - National Cybersecurity Preparedness Consortium Act of 2021

Yesterday, the Senate Homeland Security and Governmental Affairs Committee published their report on S 658, the National Cybersecurity Preparedness Consortium Act of 2021. The Committee met on March 17th, 2021, and ordered the bill reported as introduced by a voice vote.

An important point is made in this report (pg 2):

“As a means to address these challenges, DHS has partnered since 2004 with the National Cybersecurity Preparedness Consortium (NCPC), an organization of five university partners that ‘‘provide research-based, cybersecurity-related training, exercises and technical assistance to local jurisdictions, counties, states and the private sector.’’ As of October 2020, NCPC members have trained more than 107,861 participants on topics such as cyberterrorism, critical infrastructure protection, and malware prevention. By leveraging the expertise of a consortium, DHS can better ensure that its partners in the private sector and state and local governments are prepared to assist the Federal Government in its efforts to combat cyber threats. S. 658 codifies an existing DHS practice and helps strengthen DHS’s efforts to partner with the private sector and academia to secure our nation’s cyber infrastructure.”

In other words, passing this bill will have no new material effect on the cybersecurity situation in the country. But Congress will claim credit for doing something.

Review - HR 2225 Amended and Adopted in Committee – NSF Authorization

Yesterday the House Science, Space, and Technology Committee held a markup hearing that included consideration of HR 2225, the National Science Foundation for the Future Act. The Committee adopted substitute language for the bill after considering thirteen additional amendments. All amendments and the substitute language were adopted by voice vote. Additional cybersecurity language was included. The Committee ordered the bill favorably reported to the House.

Substitute Language

From a cybersecurity perspective there were three significant changes made to the bill in the substitute language. There was a change in funding for the FY 2022 Cybercorps Scholarship for Service Program. There was new language added addressing cyber workforce development research and protecting research from cyber theft.

Cybersecurity Amendments

An amendment offered by Rep Waltz (R,FL) would amend the Federal Cyber Scholarship-for-Service Program (15 USC 7442) by adding at the end of §7442(b)(1) “and cybersecurity-related aspects of other related fields as appropriate, including artificial intelligence, quantum computing and aerospace”. This would expand the cybersecurity areas that could be supported by the Program.

The second cybersecurity related amendment was offered by Rep Posey (R,FL). It would add a new subsection (g) to §5 of the bill. That subsection would require NSF to establish a cybersecurity workforce data initiative.

Moving Forward

This bill will almost certainly move forward to the full House. It is likely to be considered under regular order with a rule providing for consideration of at least some amendments from the floor. The bill is likely to receive bipartisan support and will certainly pass in the House.

For more details on the revised language and amendments, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-2225-amended-and-adopted-in-committee (subscription required).

Tuesday, June 15, 2021

2 Advisories and 1 Update Published – 6-15-21

Today CISA’s NCCIC-ICS published two control system security advisories for products from Automation Direct and ThroughTek. They also updated a medical device security advisory for products from OpenClinic.

Automation Direct Advisory

This advisory describes five vulnerabilities in the Automation Direct CLICK PLC CPU modules. The vulnerabilities were reported by Irfan Ahmed and Adeen Ayub of Virginia Commonwealth University and Hyunguk Yoo of the University of New Orleans. Automation Direct has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• Authentication bypass using alternate path or channel - CVE-2021-32980, CVE-2021-32984, and CVE-2021-32986,

• Clear-text transmission of sensitive information - CVE-2021-32982, and

• Unprotected storage of credentials - CVE-2021-32978

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to log in as a currently or previously authenticated user, or to discover the passwords of valid users.

ThroughTek Advisory

This advisory describes a clear-text transmission of sensitive information vulnerability in the ThroughTek P2P Software Development Kit (SDK). The vulnerability was reported by Nozomi Networks. ThroughTek has a new version that, along with certain setting manipulations, mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to permit unauthorized access to sensitive information, such as camera audio/video feeds.

OpenClinic Update

This update provides additional information on an advisory that was originally published on July 2nd, 2020 and most recently updated on August 27th, 2020. The new information includes a new version that mitigates the vulnerabilities.

NOTE: NCCIC-ICS forgot to refer to the previous update instead of the original version of the advisory in Section 2.

Is something going on with ZOLL Defibrillators?

Okay, this probably does not mean anything, but something odd is going on with the recent advisory about the vulnerabilities in the ZOLL Defibrillator Dashboard. As I reported last week, CISA’s NCCIC-ICS published a medical device security advisory describing five vulnerabilities in the Defibrillator Dashboard from ZOLL.

According to the advisory from NCCIC-ICS, ZOLL has new versions available to mitigate the vulnerabilities. On the surface the only odd thing about the advisory was that the vulnerabilities were reported to CISA by an anonymous researcher. One could speculate about why the researcher wanted to remain anonymous, but at this point it would be just speculation. In any case, NCCIC-ICS reported the vulnerabilities to ZOLL, ZOLL corrected the problems, and NCCIC-ICS published the advisory. Nothing unusual here.

Then, yesterday, CISA published an advisory about the same vulnerabilities, pointing at the NCCIC-ICS advisory. No new information, just the point and a recommendation that:

“CISA encourages users and administrators to review the ICS Medical Advisory ICSMA-21-161-01 and apply the recommended mitigations.”

I thought that was a little odd, CISA issuing an advisory pointing at an earlier CISA advisory with no new information, but I did not really start to get curious until I saw the following TWEET® from @ICS-CERT this morning:

“ICYMI

@CISAgov recently released an #ICS Medical Advisory on multiple vulnerabilities in the ZOLL Defibrillator Dashboard. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

#VulnerabilityManagement #OT #IoT #Healthcare”

Obviously, someone at CISA thinks that these vulnerabilities are unusually important. So, maybe there are exploits in the wild? I searched both cve.mitre.org and nvd.nist.gov for the six reported CVEs and got nothing; the CVEs have been reserved, but no data has been given to either organization yet. This is not really unusual; it may take as much as a week from the time NCCIC-ICS publishes an advisory for the CVE information to make it into the National Vulnerability Database.
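The manual CVE lookup described above is easy to script, so here is an added example of that check (this is my code, not anything from the post, CISA or NVD). It assumes the current NVD CVE API 2.0 endpoint at https://services.nvd.nist.gov/rest/json/cves/2.0, which postdates this post; the embedded responses are constructed to mimic that API’s JSON shape and are not real NVD data. The CVE identifiers used as input are the ones listed in the Automation Direct advisory above; the statuses and score assigned to them in the sample are invented for illustration only.

```python
"""Check which CVEs from an ICS advisory have been published in the NVD.

Added example; not code from the original post. Assumes the NVD CVE API 2.0
(https://services.nvd.nist.gov/rest/json/cves/2.0). A CVE that is still only
"reserved" at MITRE has no NVD record, so the API returns totalResults == 0
and an empty "vulnerabilities" list; a published record carries a
"vulnStatus" and, once analysed, CVSS metrics.
"""
import json
import re
import urllib.parse
import urllib.request

NVD_CVE_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def nvd_query_url(cve_id: str) -> str:
    """Build the API URL for one CVE, rejecting anything that is not a CVE id."""
    if not CVE_RE.match(cve_id):
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return f"{NVD_CVE_API}?{urllib.parse.urlencode({'cveId': cve_id})}"


def classify_response(cve_id: str, body: dict) -> dict:
    """Summarize one NVD 2.0 response.

    Returns status "absent" when NVD has no record for the id (the "reserved,
    no data yet" case from the post); otherwise the record's vulnStatus, its
    published timestamp and the CVSS v3 base score if one is attached.
    """
    for item in body.get("vulnerabilities", []):
        cve = item.get("cve", {})
        if cve.get("id") != cve_id:
            continue
        metrics = cve.get("metrics", {})
        v3 = metrics.get("cvssMetricV31") or metrics.get("cvssMetricV30") or []
        score = v3[0]["cvssData"]["baseScore"] if v3 else None
        return {"cve": cve_id, "status": cve.get("vulnStatus", "unknown"),
                "published": cve.get("published"), "cvss": score}
    return {"cve": cve_id, "status": "absent", "published": None, "cvss": None}


def fetch_nvd(cve_id: str, timeout: float = 10.0) -> dict:
    """Live lookup over the network; not used by the offline demo below."""
    req = urllib.request.Request(nvd_query_url(cve_id),
                                 headers={"User-Agent": "advisory-cve-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def check_advisory(cve_ids, lookup=fetch_nvd) -> dict:
    """Run `lookup` for every CVE in an advisory and return {cve_id: summary}."""
    return {cve_id: classify_response(cve_id, lookup(cve_id)) for cve_id in cve_ids}


def still_missing(results: dict) -> list:
    """CVE ids the NVD has not published yet, in input order."""
    return [cve_id for cve_id, r in results.items() if r["status"] == "absent"]


# Constructed sample responses (NOT real NVD data). The ids are the ones from
# the Automation Direct CLICK PLC advisory; the statuses/score are invented.
SAMPLE_RESPONSES = {
    "CVE-2021-32978": {"totalResults": 1, "vulnerabilities": [{"cve": {
        "id": "CVE-2021-32978", "published": "2021-06-15T20:15:00.000",
        "vulnStatus": "Analyzed",
        "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5}}]}}}]},
    "CVE-2021-32982": {"totalResults": 1, "vulnerabilities": [{"cve": {
        "id": "CVE-2021-32982", "published": "2021-06-15T20:15:00.000",
        "vulnStatus": "Awaiting Analysis", "metrics": {}}}]},
    # Reserved at MITRE, nothing at NVD yet: the API returns an empty list.
    "CVE-2021-32980": {"totalResults": 0, "vulnerabilities": []},
    "CVE-2021-32984": {"totalResults": 0, "vulnerabilities": []},
    "CVE-2021-32986": {"totalResults": 0, "vulnerabilities": []},
}
ADVISORY_CVES = list(SAMPLE_RESPONSES)


def offline_lookup(cve_id: str) -> dict:
    """Stand-in for fetch_nvd that serves the constructed responses."""
    return SAMPLE_RESPONSES.get(cve_id, {"totalResults": 0, "vulnerabilities": []})


if __name__ == "__main__":
    results = check_advisory(ADVISORY_CVES, lookup=offline_lookup)
    for r in results.values():
        print(f"{r['cve']}: {r['status']} published={r['published']} cvss={r['cvss']}")
    print("not yet in NVD:", still_missing(results))
```

For a live run, call `check_advisory(ADVISORY_CVES)` without the `lookup` argument; the NVD API rate-limits unauthenticated clients, so space the requests out or pass an API key in an `apiKey` header.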

Okay, so next I did a Google® search for the ZOLL Defibrillator Dashboard to see if there are any news articles about problems. No problems found there. But I did see almost nine pages of references to unrelated articles on Homeland Security Today, dating back to January. Why? Because each article currently has the same ‘You Might Be Interested’ text box at the bottom:

“JUNE 14, 2021

CISA Releases Advisory on ZOLL Defibrillator Dashboard

“CISA has released an Industrial Controls Systems (ICS) Medical Advisory on multiple vulnerabilities in the ZOLL Defibrillator Dashboard. A remote…”

That text box refers back to the short article on the site that refers back to yesterday’s CISA advisory. Except that most of those pages no longer have that text box; Homeland Security Today keeps changing what boxes show up on the bottom of their pages to keep people flowing back to their web site. Good internal SEO work.

Oh, nothing on the FDA’s medical device cybersecurity page, but they have not reported on a vulnerability since 2019, so nothing new there (in both ways of looking at that phrase). And nothing on the ZOLL webpages, but lots of companies ignore their cyber vulnerabilities, so nothing too unusual with that.

In any case, I still cannot tell why CISA is so concerned about the ZOLL Defibrillator Dashboard…. If you have one, just update it, please.
