Tuesday, August 31, 2021

Review - 1 Advisory and 1 Update Published – 8-31-21

Today CISA’s NCCIC-ICS published a new control system security advisory for products from Sensormatic (Johnson Controls). They also published an update for a medical device security advisory for products from Philips.

Sensormatic Advisory - This advisory describes the use of unmaintained third-party components (Windows CE 6.0).

Philips Update - This update provides additional information on an advisory that was originally published on September 10th, 2020.

 

For more detailed information on these advisories, including information about an earlier release of the Sensormatic advisory, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-and-1-update-published - subscription required.

Review - S 2491 Introduced – Defense of US Infrastructure

Sen King (I,ME) introduced S 2491, the Defense of United States Infrastructure Act of 2021. The bill would establish a cyber resilience assistance fund and take other measures to improve the resilience and cybersecurity of critical infrastructure. Funding is authorized in the bill.

Those other measures include:

• A government-wide, cloud-based, information sharing environment,

• The establishment of up to three cybersecurity-focused critical technology security centers,

• A requirement for the Homeland Security Advanced Research Projects Agency to conduct connected industrial control system security testing,

• The establishment of a National Cybersecurity Certification and Labeling Authority,

• The establishment of a Bureau of Cybersecurity Statistics within DHS, and

• The designation of Systemically Important Critical Infrastructure.

While King is not a member of the Senate Homeland Security and Governmental Affairs Committee, to which this bill was assigned for consideration, one of his three cosponsors {Sen Rosen (D,NV)} is a member. This means that there may be enough influence to see this bill considered in Committee. I suspect that there would be some significant Republican opposition to this bill because of the use of mandatory reporting and security requirements included in the bill. The lack of the terms ‘voluntary’ and ‘consensus standards’ will make it hard for many Republicans to support this measure.


For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2491-introduced - subscription required.

Monday, August 30, 2021

Review - HR 4357 Introduced – DHS Reform

Last month Rep Thompson (D,MS) introduced HR 4357, the DHS Reform Act of 2021. The bill makes a number of changes to DHS management and operations, including changes to State and local government coordination, reporting requirements for the cyber talent management system, and the status of the Countering Weapons of Mass Destruction Office. The bill also includes five cybersecurity mentions in passing.

Moving Forward

Thompson is the Chair of the House Homeland Security Committee, the committee to which this bill was referred for consideration, so he certainly has the influence necessary to have this bill considered in Committee. Unfortunately, the fact that all 15 of his cosponsors are Democrats would indicate that there is significant opposition by the Republicans in the Committee to provisions in this bill (though probably not the ones discussed above). That is not surprising since this bill is Thompson’s effort to counteract what he considers to be many of the excesses of the Trump Administration’s DHS.

This bill would certainly be able to pass in Committee on a strictly party-line vote. This would, in turn, require that the bill be considered under regular order in the House. Again, a party-line vote would result in the bill’s passage. And the bill would die there; it would not be able to muster the 60 votes needed for a cloture vote in the Senate.

For more details about the bill’s provisions, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-4357-introduced - subscription required.

S 2377 Introduced - Energy Infrastructure Act

Back in July Sen Manchin (D,WV) introduced S 2377, the Energy Infrastructure Act. This bill is an authorization bill for many DOE programs. It also incorporates six separate cybersecurity related bills previously proposed in the Senate and includes seven cybersecurity mentions in passing.

This bill was later added as Division D of the Senate substitute language for HR 3684 that was passed in the Senate last month. The House is scheduled to take up HR 3684 on or before September 27th.


Committee Hearings – Week of 8-30-21

This week, with the House (technically) and Senate still in their summer recess (the House is in a ‘Committee Hearing Week’), there are three hearings being held in the House. One of those hearings is a markup of HR 4350, the FY 2022 NDAA, and another is a hearing on cybersecurity incident reporting. More hearings could be announced later this week.

HR 4350 Markup

Before the Summer Recess began the subcommittees of the House Armed Services Committee had all completed their markups of HR 4350. On Wednesday, the full Committee will meet to meld those markups into a complete bill ready for reporting to the Full House.

A copy of the markup from the Subcommittee on Cyber, Innovative Technologies, and Information Systems is available. There is only one cybersecurity provision of note in that markup: SEC. 1511 – Legacy Information Technologies and Systems Accountability. While ‘legacy systems’ are a common issue in control system operations, the Subcommittee has an unconventional definition of ‘legacy systems’. It is operationally defined in §1511(b)(1) as being “applications, software, and information technologies that are considered active or operational, but which are judged to no longer be required by the respective Department.” I suspect that that could be more of a security problem than just being out of support.

Cyber Incident Reporting

On Wednesday the Cybersecurity, Infrastructure Protection, & Innovation Subcommittee of the House Homeland Security Committee will hold a hearing on “Stakeholder Perspectives on the Cyber Incident Reporting for Critical Infrastructure Act of 2021”. The witness list includes:

• Ronald Bushar, Mandiant,

• Heather Hogsett, Bank Policy Institute (BPI),

• John Miller, Information Technology Industrial Council (ITI),

• Robert Mayer, USTelecom.

I suspect we will hear lots of ‘voluntary’ and ‘information sharing’ from the witnesses. It will be interesting to see what questions the Members will be asking about reporting mandates.

I have not yet seen a House bill of this title introduced. I suspect that the Subcommittee is in the process of crafting such a bill along the general lines of S 2407.

Saturday, August 28, 2021

Review - CTMS Rule – Key Definitions

Today I published an article (subscription required) as part of an ongoing series looking at the new DHS Cybersecurity Talent Management System interim final rule. Today’s article looks at the key definitions used in the rule. I discussed three cybersecurity related terms as well as the following terms used in the new rule:

• Qualified position,

• DHS Cybersecurity Service (DHS-CS),

• Qualifications,

• CTMS qualifications,

• Work level, and

• Work valuation.


Review - Public ICS Disclosures – Week of 8-21-21

This week we have six vendor disclosures from B&R, OPC Foundation, HPE, Red Lion, and VMware (2). We also have one update from Mitsubishi and one researcher report for products from Braun.

B&R Advisory - B&R published an advisory discussing the INFRA:HALT vulnerabilities.

OPC Foundation Advisory - The OPC Foundation published an advisory describing an access of memory location after end of buffer vulnerability in their Local Discovery Server (LDS).

HPE Advisory - HPE published an advisory describing five vulnerabilities in their FlexNetworking, Flexfabric, and MSR switches and routers.

Red Lion Advisory - Red Lion published an advisory describing an SSH port forwarding vulnerability in their DA50A and DA70A modular gateways.

VMware Advisory #1 - VMware published an advisory describing a cross-site scripting vulnerability in their vRealize Log Insight.

VMware Advisory #2 - VMware published an advisory describing six vulnerabilities in their vRealize Operations product.

Mitsubishi Update - Mitsubishi published an update for their TCP Protocol Stack advisory that was originally published on September 1st, 2020 and most recently updated on May 18th, 2021.

Braun Report - McAfee published a report describing five vulnerabilities in the B Braun Infusomat Space Large Volume Pump.

 

For more details on these advisories, including links to third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-9fc - subscription required.

Friday, August 27, 2021

Review – TSA Publishes 60-day ICR Notice for Pipeline CSRP – 8-27-21

Today the Transportation Security Administration published a 60-day information collection request (ICR) revision notice in the Federal Register (86 FR 48239-48240) for their “Pipeline Corporate Security Review Program” (1652-056). This is the same ICR for which the OMB’s Office of Information and Regulatory Affairs (OIRA) published an emergency approval last week. Today’s notice supports the TSA’s two recent pipeline security directives (SDO).

Today’s notice provides a revision to the burden estimate for this ICR. These changes are necessary because of the changes to the PCSR made by the two SDOs. This is the first time that TSA has provided estimates for the burden associated with these changes.

The TSA is soliciting comments on this ICR Notice. Comments should be emailed to TSAPRA@tsa.dhs.gov. Comments should be submitted by October 26th, 2021.

For more details on the burden estimate, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/tsa-publishes-60-day-icr-notice-for - subscription required.


Thursday, August 26, 2021

Review - 4 Advisories Published – 8-26-21

Today CISA’s NCCIC-ICS published four control system security advisories for products from Delta Electronics (2), Annke, and Johnson Controls.

Delta Advisory #1 – This advisory describes a stack-based buffer overflow vulnerability in the Delta DOPSoft product.

Delta Advisory #2 - This advisory describes eight vulnerabilities in the Delta DIAEnergie product.

Annke Advisory - This advisory describes a stack-based buffer overflow vulnerability in the Annke N48PBB network video recorder.

Johnson Controls Advisory - This advisory describes an improper authorization vulnerability in the Johnson Controls CEM Systems AC2000 product.

 

For additional information on these advisories, including links to vendor advisories and researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-published-8-26-21 - subscription required.

TSA Publishes Base Cybersecurity 30-day ICR Notice

Today the Transportation Security Administration published a 30-day information collection request notice in the Federal Register (86 FR 47653-47654) for their Baseline Assessment for Security Enhancement (BASE) Program. The revision would add questions to the Assessment that cover all five core functions of the National Institute of Standards and Technology cybersecurity framework. This is a follow-up to the 60-day ICR notice published on June 4th, 2021.

There is no new information included in this notice, not even a mention of the comments received to date on the earlier notice (including mine). In the coming days, the TSA will submit an information packet to the OMB’s Office of Information and Regulatory Affairs (OIRA) that will contain more of the details that would have made public comments on this ICR more effective, something that the TSA apparently has no stomach for.

Review - DHS Publishes Cybersecurity Talent Management System Rule

Today the Department of Homeland Security published an interim final rule in the Federal Register (86 FR 47840-47913) establishing the Department’s “Cybersecurity Talent Management System”. The regulation is mandated by 6 USC 658(b)(6). According to the Executive Summary §658 “authorizes DHS to create a new approach to talent management exempt from major portions of existing laws governing talent management for much of the Federal civil service.”

Authority for Rule

Section 658(b)(1)(A) specifically authorizes DHS to:

• Establish, as positions in the excepted service, such qualified positions in the Department as the Secretary determines necessary to carry out the responsibilities of the Department relating to cybersecurity,

• Appoint an individual to a qualified position, and

• Fix the compensation of an individual for service in a qualified position

More importantly, §658(b)(1)(B) provides the authority for DHS to take these actions “without regard to the provisions of any other law relating to the appointment, number, classification, or compensation of employees.”

Effective Date and Comments

This rule goes into effect on November 15th, 2021. Since this is an interim final rule, DHS is soliciting comments on the rule. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # DHS-2020-0042). Comments should be submitted by December 31st, 2021.

Commentary

Strictly speaking, this is a rule about government workforce management, and it has no direct impact on any person or organization outside of DHS, not even contractors. In a larger sense, however, since DHS will continue to be a major competitor for cybersecurity talent for the foreseeable future, this rule is going to have a major impact on cybersecurity talent management across the country. Companies across the globe that rely on large numbers of cybersecurity employees are going to have to be able to compete with DHS for the high-end of that talent pool. This new regulation provides DHS with some new tools to increase their level of competitiveness. Those measures that prove to be the most helpful to DHS will end up becoming new employment norms across the industry.

 

For more details on the philosophy behind the new rules and the scope of the rulemaking, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/dhs-publishes-cybersecurity-talent - subscription required.

Wednesday, August 25, 2021

Review - HR 4818 Introduced - National Digital Reserve Corps

Last month, Rep Gonzales (R,TX) introduced HR 4818, the National Digital Reserve Corps Act. The bill would establish within the General Services Administration (GSA) a ‘National Digital Reserve Corps’, to help address the digital and cybersecurity needs of Executive agencies. The bill would add a new Chapter 103 to 5 USC. The bill would authorize $30 million for this new program. This bill would establish a more extensive organization than the one envisioned in either HR 2894 or S 1324.

While Gonzales is not a member of the House Oversight and Reform Committee to which this bill was assigned for consideration, one of his five cosponsors {Rep Kelly (D,IL)} is a member. That means that it is possible that there is sufficient influence to see this bill considered in Committee. While I see nothing in this bill that would engender any specific organized opposition, it seems to me that there could be a lack of support for the bill due to some missing critical provisions (see my commentary). I am not sure if this bill could pass, as written, in Committee.

I will have to wait and see how the bill performs (and/or is amended) in Committee before I can make any prognostications on how it might move to the floor of the House for consideration.

 

For more details about the bill, as well as my analysis of its shortcomings and possible fixes, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-4818-introduced - subscription required.

Tuesday, August 24, 2021

Review - S 2629 Introduced - Better Cybercrime Metrics

Earlier this month, Sen Schatz introduced S 2629, the Better Cybercrime Metrics Act. The bill would require DOJ to establish a taxonomy for classifying cybercrime in the National Incident-Based Reporting System (NIBRS) and would require the reporting of cybercrimes according to that taxonomy. The bill provides for $1 million to support the development of the taxonomy, including a study on the topic by the National Academy of Sciences.

While Schatz is not a member of the Senate Judiciary Committee to which this bill was assigned for consideration, his three co-sponsors {Sen Tillis (R,NC), Sen Cornyn (R,TX), and Sen Blumenthal (D,CT)} are members. This means that there is a good chance that there is enough influence to see this bill considered in Committee. Other than the relatively small funding authorized by this bill, I do not see anything that would engender significant opposition to this bill. The bill would probably be approved by a significantly bipartisan majority in Committee.

I suspect that the bill would receive sufficient bipartisan support to allow it to pass the cloture process if the bill were considered by the Senate. Having said that, I cannot see the Senate leadership taking up limited legislative time for the consideration of this bill. The most likely path forward for this legislation is to be included as an amendment in a spending or authorization bill.

For more details about the provisions of the bill, and my analysis of its shortcomings, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2629-introduced - subscription required.

Review - 3 Advisories and 1 Update Published – 8-24-21

Today CISA’s NCCIC-ICS published three control system security advisories for products from Delta Electronics and Hitachi ABB (2). They also updated an advisory for products from Advantech.

Delta Advisory - This advisory describes a heap-based buffer overflow vulnerability in the Delta TPEditor.

Hitachi ABB Advisory #1 - This advisory describes an insufficiently protected credential vulnerability in the Hitachi ABB Retail Operations and Counterparty Settlement Billing products.

Hitachi ABB Advisory #2 - This advisory discusses the FragAttacks WiFi vulnerabilities in the Hitachi ABB TropOS Product.

Advantech Update - This update provides additional information on an advisory that was originally reported on June 17th, 2021.

 

For more details on the advisories, see my article on CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-and-1-update-published-e37 - subscription required.

Critical Economic Assets and CFATS – Part 1

When the crafters of the Chemical Facility Anti-Terrorism Standards (CFATS) regulations back in 2007 published 6 CFR Part 27, they envisioned that DHS would regulate facilities that produced critical economic assets as well as the DHS chemicals of interest (COI) listed in Appendix A of those regulations. DHS never did classify any facilities as high risk under the CFATS program for the possession of critical economic assets and the issue died due to lack of interest. With the critical chemical supply issues that we have seen lately, perhaps it is time to rethink that issue.

Definitions

There are two definitions in §27.105 that are key to this discussion:

Present high levels of security risk and high risk shall refer to a chemical facility that, in the discretion of the Secretary of Homeland Security, presents a high risk of significant adverse consequences for human life or health, national security and/or critical economic assets [emphasis added] if subjected to terrorist attack, compromise, infiltration, or exploitation.

Security Issue shall refer to the type of risks associated with a given chemical. For purposes of this part, there are four main security issues:

(1) Release (including toxic, flammable, and explosive),

(2) Theft and diversion (including chemical weapons and chemical weapons precursors, weapons of mass effect, and explosives and improvised explosive device precursors),

(3) Sabotage and contamination, and

(4) Critical to government mission and national economy [emphasis added].

The First Top Screen

In 2007 I did a series of blog posts about the initial Top Screen reporting requirements for chemical facilities under the CFATS program. The last post in that series dealt with the questions on the Top Screen about Mission Critical Chemicals and Economically Critical Chemicals. There was also a follow-up post about Critical Chemicals that addressed additional information provided in the Top Screen User Manual at the time.

As I noted in those earlier posts, one of the problems with the data collected by the critical chemical questions on those early Top Screens was that the only facilities that submitted data were those facilities that had reportable quantities of COI on hand and were thus required to submit Top Screens. That, combined with the fact that facilities had every incentive to determine that they produced less than “20% of the domestic production” of a given chemical (as that is not a standard reportable data point), explains why DHS dropped that particular data collection and took no actions to identify facilities as covered facilities under the CFATS program.

Water Treatment Critical Mission Chemicals

We have had two news reports (here and here) in the last two weeks about critical chemical shortages in the water treatment industry. If either supply situation were much worse, we would have had news reports of unsafe drinking water in major cities. If that situation were to be the result of ransomware attacks or worse a terrorist attack, the public and political blowback would be intense.

So, maybe it is time for CISA’s Office for Chemical Security (OCS) to start to look at using their existing regulatory authority to determine if there are chemical companies that are supplying mission critical chemicals into the water treatment industry that are not currently covered by the CFATS program.

I will be looking at how such a program expansion could be effected by OCS and how it could work in actual practice in a series of articles on CFSN Detailed Analysis over the next couple of weeks.

Monday, August 23, 2021

Review - HR 4549 Introduced – FY 2022 EWR Spending

Last month, Rep Kaptur (D,OH) introduced HR 4549, the Energy and Water Development and Related Agencies (EWR) Appropriations Act, 2022. The House Appropriations Committee marked up the bill before it was introduced. The Committee Report on the bill is also available. The only mention of cybersecurity in the bill refers to the funding of the DOE’s Office of Cybersecurity, Energy Security, and Emergency Response on page 27. The Committee sets funding for five programs under CESER in the Report.

I do not expect that this bill will make it to the floor of the House as a standalone bill. I am pretty sure that we are going to see what has become the standard for spending bill consideration again this year. There will be a continuing resolution before midnight on September 30th moving the deadline for a combined spending bill until sometime in December. If the Democrats get their larger infrastructure bill passed, there will be little need for them to try to force through spending measures that the Republicans will not accept. They should be able to craft a bill that would allow 10 Republicans in the Senate to vote yea.

If that infrastructure bill fails, the fight could get ugly this year.

 

For more details about the cybersecurity provisions in the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-4549-introduced - subscription required.

Committee Hearing – Week of 8-22-21

With the House coming back to Washington for a brief 2-day session in the middle of their Summer Recess, there is only one committee hearing being held. Today the House Rules Committee will meet to formulate the rule for the consideration of three measures:

• S ConRes 14 - Setting forth the congressional budget for the United States Government for fiscal year 2022 and setting forth the appropriate budgetary levels for fiscal years 2023 through 2031.

• HR 4 - John R. Lewis Voting Rights Advancement Act of 2021

• Senate Amendment to HR 3684 - Infrastructure Investment and Jobs Act

HR 3684 is the bill of interest here as it contains a number of cybersecurity provisions including the text of at least six separate cybersecurity bills. S ConRes 14 will set up the crafting of an even larger infrastructure spending bill that could be passed in the Senate by a simple majority vote. HR 4 is a slightly more moderate voting rights bill that might be able to get 10 Republican votes in the Senate.

The vote on the Rule developed this morning will take place this evening in the whole House. It is expected to pass on a party-line vote. A vote on HR 4 will almost certainly take place tomorrow; it is likely to pass on a party-line vote. What happens on HR 3684 and S Con Res is less certain.

As of late Saturday, Speaker Pelosi (D,CA) was promising a vote on that and the yet-to-be-developed large infrastructure spending bill based on S ConRes 14 sometime before October 1st. Moderate Democrats are demanding a vote on HR 3684 immediately (Tuesday) while Progressive Democrats are demanding that that vote be held hostage to a vote on the new infrastructure spending bill. Pelosi can only afford to lose 3 Democrat votes on S Con Res 14 and still get it passed. Without that bill passing, Democrats have no chance of getting their larger infrastructure bill to the President’s desk.

You cannot bet against Pelosi being able to pull a legislative rabbit out of the partisan hat, but it will have to be a neat trick.

Sunday, August 22, 2021

Another Chemical Supply Issue Hitting Water Processing Facility

I ran into an interesting statement in an article over at NYTimes.com about a chemical supply issue for water treatment plants:

Orlando Mayor Buddy Dyer and utility officials asked residents to conserve water Friday to preserve the city’s supply of liquid oxygen, which is being used to treat a surging number of Covid-19 patients.

Digging into the linked article at OUC.com I confirmed that no one is treating COVID cases with liquid oxygen (at -297˚F that would be VERY dangerous) nor are they adding it to water in water treatment plants (even in Florida it would almost instantaneously freeze water and cause ‘explosions’ as the liquid O2 was converted to gas). But it is a real supply chain problem.

Liquid oxygen is a cost-effective way of transporting oxygen gas; it takes up smaller transportation volume. Hospitals would receive liquid oxygen deliveries and on-site systems would allow it to heat up and convert to oxygen gas that would be used in ventilators and other oxygen breathing aids.

The liquid oxygen is used to create ozone (O3) at the drinking water treatment plant. That ozone is then used to remove hydrogen sulfide (H2S) by oxidation. Before folks became concerned about the storage of chlorine gas at water treatment facilities, the chlorine used for disinfection would also oxidize the hydrogen sulfide. It would also kill bacteria that produce the noxious gas in some systems.

The large increase in COVID-related demand for breathing assistance in Florida and the Southeast is cutting into the supply of cryogenic oxygen. Just another supply chain issue that needs to be dealt with.

Review - HR 4432 Introduced – FY 2022 DOD Spending

Last month, Rep McCollum (D,MN) introduced HR 4432, the Department of Defense Appropriations Act, 2022. This bill was marked up by the House Appropriations Committee prior to introduction, as is normal for spending bills. The Committee Report on the bill is available. There is one cyber operations mention of interest in the bill. There are also three cyber-workforce mentions and two cyber-earmarks in the Report.

While there is a chance that the House will take up HR 4432 before September 30th, it is highly unlikely to make it through the Senate. Thus, we are most likely to see yet another Continuing Resolution with some sort of omnibus spending bill(s) closer to the end of the calendar year. Typically, the Committee Reports for each of the spending bills in each chamber are made to apply to the final bill. This means that the three ‘Cyber Work Force’ comments will remain in effect. The earmarks I am not so sure about.

 

For further details about the mentions briefly described above, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-4432-introduced - subscription required.

Saturday, August 21, 2021

Review - Public ICS Disclosures – Week of 8-14-21

This week we have four vendor disclosures related to the QNX RTOS vulnerability from Draeger, GE Healthcare, Medtronic, and Schneider Electric. We also have two vendor disclosures related to the PrintNightmare vulnerabilities from BD and Boston Scientific. We also have eight other vendor disclosures from BD, PEPPERL+FUCHS (2), Hitachi ABB Power Grids, Johnson Controls, Moxa, Siemens, and VMware. Finally, we have two researcher reports for vulnerabilities in products from Altus Sistemas de Automacao and NetModule.

QNX Advisories

Draeger published an advisory discussing the QNX RTOS vulnerability.

GE Healthcare published an advisory discussing the QNX RTOS vulnerability.

Medtronic published an advisory discussing the QNX RTOS vulnerability.

Schneider published an advisory discussing the QNX RTOS vulnerability.

PrintNightmare Advisories

BD published an advisory discussing the PrintNightmare vulnerabilities.

Boston Scientific published an advisory discussing the PrintNightmare vulnerabilities.

Other Advisories

BD Advisory - BD published an advisory discussing the URGENT/11 vulnerabilities.

PEPPERL+FUCHS Advisory #1 - CERT-VDE published an advisory describing 19 vulnerabilities in the PEPPERL+FUCHS WirelessHART-Gateway products.

PEPPERL+FUCHS Advisory #2 - CERT-VDE published an advisory discussing the Ripple20 vulnerabilities in the PEPPERL+FUCHS VDM100-Distance Ethernet-IP sensors.

Hitachi ABB Advisory - Hitachi ABB published an advisory discussing the BadAlloc vulnerabilities.

Johnson Controls Advisory - Johnson Controls published an advisory discussing the impact of the out-of-support status of the Windows CE OS on their Kantech KT-1 door controller.

Moxa Advisory - Moxa published an advisory describing four vulnerabilities in their EDR-810 Series secure router.

Siemens Advisory - Siemens published an out-of-zone advisory describing an external control of system or configuration setting vulnerability in their SINEMA Remote Connect Client.

VMware Advisory - VMware published an advisory describing a denial-of-service vulnerability in their Workspace ONE UEM console.

Researcher Reports

Altus Sistemas de Automacao Report - SEC Consult published a report describing three vulnerabilities in PLC products from Altus Sistemas de Automacao.

NetModule Report - SEC Consult published a report describing three vulnerabilities in the NetModule router software product.

 

For more information on the above advisories and reports, including links to exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-2e0 - subscription required.

Friday, August 20, 2021

OMB Approves Another Emergency TSA Pipeline Security ICR – 8-19-21

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an emergency change to an information collection request (ICR) from the TSA for their “Pipeline Corporate Security Review” (1652-0056). This approval was based upon the OIRA determination that there was: “No material or nonsubstantive change to a currently approved collection.”

This is essentially the same emergency approval that the OMB approved last month. The expiration date did not change, nor did the requirement to submit a 60-day ICR notice.

Looking at the justification document [.DOCX download link] for this latest revision, there is only one significant change from the last justification submitted to OIRA. In the old version, the last sentence in Section 3 of the document reads: “Such statements can be made by e-mail or other means without required use of a specific form.” In the current ICR justification that has been changed to read:

“For convenience, TSA will also provide an optional form (TSA Security Directive Pipeline 2021-02 Statement of Completion) for each submission deadline that Owner/Operators can complete and submit via email.   This form is Sensitive Security Information and will only be shared with the Owner/Operators and others with the need to know.”

OIRA’s “Paperwork Reduction Act Change Worksheet” [.PDF download link] confirms that this is the only change approved in the collection.

Thursday, August 19, 2021

Review - 1 Advisory Published – 8-19-21

Today CISA’s NCCIC-ICS published one control system security advisory for products from AVEVA.

AVEVA Advisory - This advisory describes six vulnerabilities in the AVEVA SuiteLink Server.

For more details about this advisory, and my brief look at the increased social media activity of NCCIC-ICS on TWITTER as @ICSCERT, see my article at CFSN Detailed analysis - https://patrickcoyle.substack.com/p/1-advisory-published-8-19-21 - subscription required.

Review - HR 4513 Introduced – Small Business Advanced Cybersecurity

Last month, Rep Donalds (R,FL) introduced HR 4513, the Small Business Advanced Cybersecurity Enhancements Act of 2021. The bill would amend 15 USC 648. It would require the Small Business Administration (SBA) to establish cybersecurity assistance units in each small business development center as well as a central small business cybersecurity assistance unit to inform and coordinate the activities of the regional centers. The bill would require the SBA to allocate $1 million each year from existing funding for those regional assistance units.

The House Small Business Committee held a markup hearing on July 29th, 2021 and considered HR 4513, along with six other bills. The bill passed on a voice vote, indicating there was at least some bipartisan support for the bill. I suspect that the bill will be considered by the full House under the suspension of the rules process, and it would probably pass.

For more detailed information on the provisions of this bill, including my suggestions to ensure that the information sharing is a two-way process, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-4513-introduced - subscription required.

Wednesday, August 18, 2021

Sodium Hypochlorite Shortage Affects Water Treatment

I ran into an interesting article over at BloombergLaw.com (thanks to Fred Gossen on LinkedIn for pointing at the article) about the problems that a number of water treatment and wastewater treatment plants are having with getting ahold of adequate supplies of commercial grade sodium hypochlorite for their water disinfection processes. Many have, according to the article, petitioned the EPA for legal assistance in acquiring the needed chemicals.

The article pins at least part of the blame for this chemical shortage on a fire at a chemical plant last year that shut down a major supplier of hypochlorite and on a pandemic-driven increase in the use of family swimming pools. Both of these have undoubtedly had an effect on the availability of sodium hypochlorite, but that is not the root cause of this problem. That can be traced back to the ‘inherently safer technology’ push away from using chlorine gas as a water treatment disinfectant back in the mid-2000s (see one of my 2008 blog posts on the topic here). A fear of a large chlorine gas release in a major city because of an industrial accident or terrorist attack caused a number of environmental activists to successfully push many treatment facilities to switch to ‘safer alternatives’, and the easiest switch was from chlorine gas to commercial grade liquid bleach, also known as sodium hypochlorite.

The big problem with bleach is that it degrades in quality (read – decreasing concentration while releasing chlorine gas) fairly quickly, limiting how far it can practically be shipped by rail. That, combined with the NIMBY opposition to the construction of new bleach production facilities, set up a tight supply situation for commercial grade bleach that left the market susceptible to production upsets. There are a number of alternative disinfection processes available, but they are almost all more technologically challenging with lengthy lead times and high switchover costs.

One potential long-term solution for larger facilities is the on-site generation of chlorine gas. The technology is well understood and requires water, salt (common NaCl), and electrical power as the major process feeds. It is still inherently safer than railcar loads of chlorine gas because it is produced as needed with relatively small amounts of process storage required. The biggest problem is getting rid of the byproduct sodium hydroxide (caustic soda). There are, however, lots of places that use that chemical as an important feedstock or process aid.

Review - HR 4515 Introduced – SBDC Cyber Training

Last month, Rep Garbarino (R,NY) introduced HR 4515, the Small Business Development Center Cyber Training Act of 2021. The bill would amend 15 USC 648, requiring the Small Business Administration (SBA) to provide cyber strategy training to personnel working at Small Business Development Centers. The bill would authorize the SBA to reimburse training costs associated with the program up to a total of $350,000 per year.

Garbarino and five of his six cosponsors {Rep Tenney (R,NY), Rep Delgado (D,NY), Rep Evans (D,PA), Rep Houlahan (D,PA), Rep Phillips (D,MN)} are all members of the House Small Business Committee. This means that there is a good chance that there is sufficient influence to see this bill considered in Committee. I see nothing in the bill that would engender any significant opposition. I suspect that the bill would receive bipartisan support. This means that the bill would probably be considered on the floor of the House under the suspension of the rules process.

For more details on the language of the bill, including suggestions to ensure control system security coverage, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-4515-introduced - subscription required.

Tuesday, August 17, 2021

Process Upsets and Chemical Release Reporting

I ran into a brief article on ChemicalWorld.com that caused me to think about process upsets and the CSB’s chemical release reporting requirements. According to the article, an employee was exposed to sulfur dioxide at a North Alabama chemical plant early last month. Two days after his exposure he was admitted to the hospital for breathing problems and then died from those problems last week, better than a month after the incident.

I did a quick check of the local news outlets and could find no reports about the incident. There were two articles about the employee’s death (here and here). Both articles were brief and contained second-hand accounts of the incident from the employee’s wife. The wife is quoted as describing the incident this way:

“There were 3 of them out there, outside, working on the towers. There are two towers that the chemicals flow through. Supposedly the excess chemicals flow into what they called the pit. When they went out that night, the smell from the pit was different than what it had been in the past.”

Rather than a classic ‘chemical release’, this sounds like some sort of chemical process upset that released unusual fumes. If the fumes were sulfur dioxide, then it would not have taken a large quantity of those fumes to cause damage to the employee’s lungs if he were close to the source of the fumes.

Now, according to the definitions in 40 CFR 1604.2, such fumes of sulfur dioxide would be an ‘accidental release’; “an unanticipated emission of a regulated substance or other extremely hazardous substance into the ambient air from a stationary source.” On the date of the release, it would not have been considered a reportable release under §1604.3 because it was not an “accidental release resulting in a fatality, serious injury, or substantial property damage.” Once the employee was admitted to the hospital for injuries caused by those fumes, the accidental release became a reportable release.

Interestingly, in this case, if the company had reported the release when the employee was admitted to the hospital 24 to 36 hours after the incident (the timeline is not clear in the news reports), they would already have been significantly late in meeting the 8-hour reporting requirement in §1604.3. The CSB’s discussion of that reporting deadline in the preamble to the final rule last year makes it clear that they are concerned with the clock starting at the time of the incident, not the time when the owner becomes aware that an incident has occurred.

This probably means that chemical facilities need to seriously consider submitting accidental release reports when process upsets cause even minor releases of hazardous chemicals when personnel may have been exposed to such fumes.

Review – 3 Advisories and 1 Update Published – 8-17-21

Today CISA’s NCCIC-ICS published three control system security advisories for products from xArrow, Advantech, and ThroughTek. They also updated an advisory for products for multiple RTOS.

xArrow Advisory - This advisory describes three vulnerabilities in the xArrow SCADA/HMI.

Advantech Advisory - This advisory describes an improper authentication vulnerability in the Advantech WebAccess network management system (NMS).

ThroughTek Advisory - This advisory describes an improper access control vulnerability in their Kalay P2P software development kit (SDK).

Multiple RTOS Update - This update provides additional information for an advisory that was originally published on April 29th, 2021 and most recently updated on May 20th, 2021.

NOTE: CISA’s National Cyber Awareness System (NCAS) published a separate advisory for the BlackBerry BadAlloc vulnerabilities covered in this Update.

For more details about these advisories, including links to proof-of-concept code and plenty of editorial notes, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-and-1-update-published - subscription required.

Review - S 2610 Introduced – FY 2022 Intel Authorization

Earlier this month, Sen Warner (D,VA) introduced S 2610, the Intelligence Authorization Act for Fiscal Year 2022. The bill was adopted by the Senate Select Committee on Intelligence and a Committee Report on the bill has been published. While major portions of the bill are classified, both the bill and the report do include cybersecurity references.

There are three sections of the bill that address cybersecurity related matter and there are three separate sections that include cybersecurity mentions in passing. The three cybersecurity related sections are:

§343 – Report on the assessment of all-source cyber intelligence information, with an emphasis on supply chain risks,

§604 – Access by Comptroller General of the United States to certain cybersecurity records, and

§606 – Study on vulnerability of Global Positioning System to hostile actions.

This is one of those annual ‘must pass’ authorization bills and it is likely to be considered under regular order. The bill was adopted by a unanimous vote in Committee, so I expect that the bill would receive substantial bipartisan support on the floor of the Senate.

For more details about the provisions of the bill and cybersecurity mentions in the Committee Report see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2610-introduced - subscription required.

Monday, August 16, 2021

Review - HR 4609 Introduced – NIST for the Future Act

Last month, Rep Stevens introduced HR 4609, the National Institute of Standards and Technology (NIST) for the Future Act of 2021. This reauthorization bill includes language providing NIST with specific cybersecurity responsibilities.

On July 27th, the House Science, Space, and Technology Committee held a markup hearing that included the consideration of HR 4609. Substitute language was offered that included minor wording changes to cyber security responsibility language. There were fourteen other amendments adopted before the substitute language was adopted by voice vote. One of those amendments would require NIST to develop tools and guidance to “enable software developers and operators to identify, assess, and manage cyber risks over the full lifecycle of software products.”

With the bipartisan support seen for this bill in Committee, and considering that this is a perennial legislative requirement, this bill will move to the full House. I suspect that it will be considered under the suspension of the rules process: limited debate, no floor amendments, and a supermajority required to pass. It will almost certainly pass with significant bipartisan support.

For more details on the language of the bill and its amendments, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-4609-introduced - subscription required.

Review - HR 4431 Introduced – FY 2022 DHS Spending

Last month Rep Roybal-Allard (D,CA) introduced HR 4431, the Department of Homeland Security Appropriations Act, 2022. As is typical with spending bills, the bill introduced is the version reported by the House Appropriations Committee, so the Committee Report is available. There is little in the bill dealing with cyber (beyond CISA funding, of course), but the Report contains important cybersecurity language.

CISA Spending

The table below shows the overview of CISA spending included in the bill; the data is taken from the Report.

                                    FY 2021 Funded     FY 2022 Budget     FY 2022 Bill
CISA Total                          $2,024,976,000     $2,133,630,000     $2,422,348,000
Operations                          $1,662,066,000     $1,691,520,000     $1,927,750,000
Procurement, Const                    $353,479,000       $418,179,000       $467,167,000
Research and Development                $9,431,000         $3,931,000         $7,431,000
Cyber Response and Recovery Fund                 -        $20,000,000        $20,000,000

The spending for cybersecurity would certainly be increased by this bill. I suspect that we may see further increases before an FY 2022 spending bill makes it to the President’s desk.

Cyber Provisions that Mimic Proposed Legislation

In the Report, the Appropriations Committee recognizes initiatives by the Administration that mimic a variety of bills that are wending their way through the legislative process. This is not an unusual process: as long as Congress is willing to provide the funds, the executive branch has a lot of leeway to stand up various programs without specific legislative approval. If the programs are successful (for various meanings of that term), then Congress will, sooner or later, get around to authorizing the program.

Moving Forward

Based upon recent history, this bill is unlikely to be considered by the House as a standalone measure. Significant portions will be included in the inevitable omnibus spending bill that will probably pass later this year. Because of their control of the purse, the mandates from the Report will continue in force.

For more details on the programs and spending in this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-4431-introduced - subscription required.

Sunday, August 15, 2021

Review - Public ICS Disclosure – Week of 8-7-21 – Part 2

This week we have ten vendor disclosures from Siemens (2) and Schneider (8). We also have nine vendor updates from Siemens (3) and Schneider (6).

Siemens Advisories

Siemens published an advisory describing an uncontrolled resource consumption vulnerability in their Automation License Manager software.

Siemens published an advisory describing an incorrect authorization vulnerability in their Industrial Products.

Schneider Advisories

Schneider published an advisory describing an improper limitation of a path name to a restricted directory vulnerability in their Harmony HMI Products.

Schneider published an advisory describing 12 vulnerabilities in their EcoStruxure Control Expert, EcoStruxure Process Expert and SCADAPack RemoteConnect for x70 products.

Schneider published an advisory describing an uncontrolled search path element vulnerability in their Pro-face GP-Pro EX HMI screen editor & logic programming software.

Schneider published an advisory describing four vulnerabilities in their Modicon PAC Controllers and PLC simulator.

Schneider published an advisory describing an exposure of sensitive data to an unauthorized actor vulnerability in their AccuSine PCSn, PCS+ and PFV+ products.

Schneider published an advisory describing three vulnerabilities in their Programmable Automation Controller (PacDrive) M products.

Schneider published an advisory describing two vulnerabilities in their NTZ Mekhanotronika Rus. LLC control panels.

Schneider published an advisory describing a remote code execution vulnerability in their NTZ Mekhanotronika Rus. LLC SHFK-MT-104 control panels.

Siemens Updates

Siemens published an update to their GNU/Linux subsystem advisory that was originally published in 2018 and most recently updated on July 13th, 2021.

Siemens published an update to their OpenSSL advisory that was originally reported on July 13th, 2021.

Schneider Updates

Schneider published an update for their Embedded Web Server advisory that was originally reported on June 8th, 2021.

Schneider published an update for their Treck HTTP Server Vulnerability that was originally reported on December 18th, 2020.

Schneider published an update for their Treck TCP/IPv6 Vulnerabilities advisory that was originally published on December 18th, 2020 and most recently updated on July 13th, 2021.

Schneider published an update for their Web Server on Modicon M340 advisory that was originally published on December 8th, 2020.

Schneider published an update for their Web Server on Modicon M340 advisory that was originally published on December 8th, 2020.

Schneider published an update for their Web Server on Modicon M340 advisory that was originally published on November 10th, 2020.

For more details on the advisories and updates, including links to third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosure-week-of-8-7 - subscription required.

Saturday, August 14, 2021

Review - S 2407 Introduced – Cyber Incident Notification

Last month, Sen Warner (D,VA) introduced S 2407, the Cyber Incident Notification Act of 2021. The bill would establish CISA as the Federal agency to receive reports of cyber intrusions. It would also require CISA to initiate rulemaking to establish which private sector entities would be required to submit cyber intrusion reports. The bill would add five new sections to the Homeland Security Act of 2002 as the new Subtitle C, Cybersecurity Intrusion Reporting Capabilities. No monies are authorized in the bill to support the programs established.

The bill would designate CISA as the federal agency responsible for receiving “cybersecurity notifications from other Federal agencies and covered entities in accordance with this subtitle.” CISA would have 240 days to establish ‘Cybersecurity Intrusion Reporting Capabilities’ that would allow CISA to accept classified and unclassified ‘submissions and notifications’. It would require CISA to promulgate regulations to support that ‘reporting capability’, including defining the two key terms: ‘covered entity’ and ‘cyber intrusion’.

This bill was crafted by the staff of the Senate Select Committee on Intelligence and was cosponsored almost exclusively by members of that Committee. Unfortunately, that bipartisan support does not extend to a single sponsor from the Senate Homeland Security and Governmental Affairs Committee, to which this bill was assigned for consideration. This means that the bill is unlikely to receive consideration in that Committee.

The broad and largely undefined reporting requirements are sure to draw objections from most business organizations, especially given the civil penalty provisions included in the bill. That opposition would be sure to draw support from Senators on both sides of the aisle. This bill would probably not draw enough support to be able to pass cloture if the bill did move to the floor of the Senate.

For more details on the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2407-introduced - subscription required.

Review - Public ICS Disclosure – 8-13-21 – Part 1

This week we have two INFRA:HALT disclosures from Pilz and Rockwell. We have seven other vendor disclosures from Aveva, TRUMPF Laser, Moxa, Philips, Pilz, Sick, and SonicWall. We also have an update from VMware, and 12 researcher reports affecting products from Siemens and Delta Industrial Automation (10).

I will address the Siemens and Schneider advisories and updates in Part 2 tomorrow.

INFRA:HALT Advisories

Pilz published an advisory discussing the INFRA:HALT vulnerabilities.

Rockwell published an advisory discussing the INFRA:HALT vulnerabilities.

Other Advisories

Aveva Advisory - Aveva published an advisory describing three vulnerabilities in their SuiteLink Server.

HPE Advisory - HPE published an advisory describing an information disclosure vulnerability in their Edgeline Infrastructure Manager product.

TRUMPF Advisory - CERT-VDE published an advisory discussing eleven vulnerabilities in the TRUMPF TruControl and Peripheral Bus products.

Moxa Advisory - Moxa published an advisory describing a stack-based buffer overflow vulnerability in their EDS-405A Series Ethernet Switches.

Philips Advisory - Philips published an advisory discussing a Windows® print spooler elevation of privilege vulnerability (CVE-2021-34481).

Sick Advisory - Sick published an advisory discussing the 2017 Windows® SMBv1 vulnerability in their MEAC product.

SonicWall Advisory - SonicWall published an advisory describing a remote code execution vulnerability in their Analytics On-Prem product.

VMware Update - VMware published an update for their Workspace ONE Access advisory that was originally published on August 5th, 2021.

Researcher Reports

Siemens Report - Adepts of 0xCC published a report describing the development of an exploit for the memory corruption vulnerability (CVE-2020-9273) in ProFTPD 1.3.7.

Delta Report - The Zero Day Initiative published ten reports of 0-day vulnerabilities in the Delta DOPSoft product.

For more details on these advisories and reports, including links to exploits and third-party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosure-8-13-21-part - subscription required.

Friday, August 13, 2021

OMB Approves DHS Cybersecurity Talent Management System Final Rule

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rule for the DHS Cybersecurity Talent Management System. That final rule had been submitted to OIRA in June 2021. This is a direct final rule with no previous ‘publish and comment’ actions being taken by DHS.

According to the abstract published in the Spring 2021 Unified Agenda for this rulemaking:

“Under 6 U.S.C. 658, the Department of Homeland Security "shall prescribe regulations” to implement Department-specific hiring and compensation flexibilities granted in section 658 to recruit and retain persons with the necessary skills to fulfill the Department’s cybersecurity responsibilities. Under this authority, the Department is establishing a new personnel system for cybersecurity personnel, the Department of Homeland Security Cybersecurity Talent Management System (CTMS).”

There are a number of specific congressional mandates in 6 USC 658 that are clear enough to justify the use of a direct final rule, including specific authority to ‘prescribe regulations’ without any reference to the publish and comment process in §658(b)(6). There are, however, a number of provisions in that section that are permissive in nature, so it will be interesting to see which (if any) of those are included in this new regulation. I suspect that we will see publication of the final rule more quickly than we saw similar rulemaking proceed to publication under the Trump Administration. I would not be surprised to see it published in the Federal Register next week.

Thursday, August 12, 2021

Review - 2 Advisories and 1 Update Published – 8-12-21

Today CISA’s NCCIC-ICS published two control system security advisories for products from Horner Automation and Cognex. They also updated an advisory for products from Sensormatic Electronics (Johnson Controls).

Horner Advisory - This advisory describes three vulnerabilities in the Horner Cscape control system application programming software.

Cognex Advisory - This advisory describes a deserialization of untrusted data vulnerability in the Cognex In-Sight OPC Server.

Sensormatic Update - This update provides additional information on an advisory that was originally reported on July 1st, 2021.

For more details on the advisories, including links to reporting researchers, see CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-and-1-update-published-1ae - subscription required.

Wednesday, August 11, 2021

CISA Provides ‘Red-Lined’ version of Revised CFATS Regulations

Today CISA published a notice on the Chemical Facility Anti-Terrorism Standards (CFATS) program landing page about the availability of an unofficial copy of 6 CFR Part 27 (the CFATS regulations) that included ‘red-lined’ corrections showing the result of the changes that were made in the recent direct final rule that was published earlier this month. The web page describing the .PDF document makes it very clear that this is not an official document that could be relied upon for regulatory actions.

The GPO has not yet updated the CFR to reflect the changes made by this rule. That will probably take place later this year (they are behind on lots of official publication stuff because of the COVID-19 Pandemic). Last year, however, the GPO started their semi-official eCFR project, and that is updated much more frequently. The version of eCFR Title 6 Part 27 available on-line this evening includes the corrections made by the latest rule.

If you want to see what changes were made by the rule, use the CISA document. If you want to really see what the current version looks like, use the eCFR.

Bills Introduced – 8-10-21

Yesterday, with just the Senate in Washington (and preparing to head home for their Summer Recess) and the House meeting in pro forma session, there were 50 bills introduced. One of those bills may receive additional coverage in this blog:

S 2699 A bill to establish a cybersecurity literacy campaign, and for other purposes. Sen. Klobuchar, Amy [D-MN]

I will be watching this bill for language and definitions that would include control system security within its coverage. I am not really expecting to see it though.

Review - 9 Updates Published – 8-10-21

Yesterday CISA’s NCCIC-ICS published nine updates of control system security advisories for products from Siemens.

PKE Update - This update provides additional information on an advisory that was originally published on March 10th, 2020 and most recently updated on March 20th, 2021.

SIMATIC Update - This update provides additional information on an advisory that was originally published on November 10th, 2020.

TCP/IP Stack Update - This update provides additional information on an advisory that was originally published on March 9th, 2021 and most recently updated on May 11th, 2021.

SCALANCE Update - This update provides additional information on an advisory that was originally published on May 11th, 2021.

SINAMICS Update #1 - This update provides additional information on an advisory that was originally published on May 11th, 2021.

SINAMICS Update #2 - This update provides additional information on an advisory that was originally published on May 11th, 2021.

Linux-Based Products Update - This update provides additional information on an advisory that was originally published on May 11th, 2021 and most recently updated on July 13th, 2021.

Industrial Products Update - This update provides additional information on an advisory that was originally published on July 11th, 2021.

PROFINET Update - This update provides additional information on an advisory that was originally published on July 11th, 2021.

Other Siemens Updates - Siemens published three additional updates yesterday. Unless NCCIC-ICS covers them tomorrow, I will address them this weekend.

For more details on these updates, including a description of the changes made, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/9-updates-published-8-10-21 - subscription required.