Thursday, September 30, 2021

Review - 1 Advisory Published – 9-30-21

Today CISA’s NCCIC-ICS published one medical device security advisory for products from Boston Scientific.

Boston Scientific Advisory - This advisory describes five vulnerabilities in the Boston Scientific ZOOM LATITUDE Programmer/Recorder/Monitor Model 3120.

For more details on the advisory, including a brief look at the researchers that discovered the vulnerabilities, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-published-9-30-21 - subscription required.

Critical Economic Assets and CFATS – Part 3

This is part of an on-going series of posts looking at the potential for an expansion of the effort of the Chemical Facility Anti-Terrorism Standards (CFATS) program to cover facilities that produce critical economic asset chemicals. The current CFATS regulations specifically allow CISA to declare a facility to be a high-risk facility covered by the CFATS program if they are a producer of critical economic asset chemicals.

The first post in the series looked at the historic background of this type of coverage in the CFATS program and how DHS tried to look at the process.

The second post in the series looked at how CISA might go about identifying potential chemicals of economic interest (CEI) for the water treatment sector.

CEI List

With the list of critical water treatment chemicals provided by the request for information (RFI) mentioned in the previous post in the series, CISA would develop a list of CEI. The first step in that list development process would be the removal of any chemicals that were already on the DHS list of chemicals of interest in Appendix A to 6 CFR; chlorine comes immediately to mind.

Next, CISA would identify the minimum concentration for each of the chemicals on the list. Since these treatment facilities would be using commercial grades of material, CISA should have little problem in identifying the minimum concentration. In fact, I suspect that for many of the chemicals on the list, there will be just one or two concentrations that are used by the water treatment industry. Where this is obvious from the data provided in the RFI, CISA might find it useful to define chemicals with both minimum and maximum concentrations. For example, while caustic soda (NaOH) solutions may be used by water treatment facilities for pH adjustment, those facilities would have little use for solid NaOH (100%) because of the material handling requirements.

CEI Top Screen

For the CEI list CISA will not be concerned about the inventory levels of the chemicals on the list. Instead, CISA would be interested only in facilities that produce or distribute the CEI identified above. CISA would determine that by means of a CEI Top Screen. The reason for a separate Top Screen is that CISA would be using the on-line data collection tool to access different types of information. In addition to the standard location and facility information included in the current CFATS Top Screen, the CEI Top Screen would ask questions about:

• The CEI produced at or distributed from the facility,

• The amount of CEI produced or shipped through the facility,

• The amount of CEI shipped to water treatment facilities, and

• The water treatment facilities to which the CEI are shipped.

Risk Assessment

The whole point of the CEI Top Screen (as with the current CFATS Top Screen) is to provide CISA with the information necessary to complete a facility risk assessment. While the CFATS risk assessment is designed to determine the risk of a facility being attacked by terrorists based upon three specific security issues (release, theft/diversion, or sabotage), the new risk assessment would be based upon a new security issue: denial of chemical use. While this risk could still be based upon a terrorist attack, the risk assessment needs to consider the ultimate target, the water treatment facility.

A future post in the series will take a more detailed look at the risk assessment process.


House Passes S 1917 – K-12 Cybersecurity

Yesterday the House took up S 1917, the K–12 Cybersecurity Act of 2021, under the suspension of the rules procedures. There was limited debate, with no one speaking in opposition to the bill. The bill was passed by a voice vote. The bill now goes to the President for signature.

Bills Introduced – 9-29-21

Yesterday, with both the House and Senate in session, there were 52 bills introduced. Two of those bills may receive additional coverage in this blog:

HR 5412 To authorize appropriations for fiscal year 2022 for intelligence and intelligence-related activities of the United States Government, the Community Management Account, and the Central Intelligence Agency Retirement and Disability System, and for other purposes. Rep. Schiff, Adam B. [D-CA-28]

S 2902 A bill to modernize Federal information security management, and for other purposes. Sen. Peters, Gary [D-MI] 

I will be covering HR 5412.

The title for S 2902 is more vague than normal. If this is a cybersecurity bill, I will be watching for definitions and language that would include control system security within its coverage. If this bill addresses classified or sensitive but unclassified information protection, then I will be watching for language or definitions that would impact programs affecting chemical, transportation, or critical infrastructure information sharing processes.

Wednesday, September 29, 2021

Review - S 2676 Introduced - Unmanned Aircraft Attacks

Earlier this month, Sen Lee (R,UT) introduced S 2676, the Enhanced Protection from Unmanned Aircraft Attacks Act. The bill would authorize DOD, DHS, DOJ and DOE to enter into contracts to carry out currently authorized counter-drone activities. The Federal Acquisition Regulatory Council is given 180 days to prepare implementing regulations. No spending is authorized by this bill.

Lee is not a member of the Senate Homeland Security and Governmental Affairs Committee to which this bill was assigned for consideration. This means that there is not likely to be sufficient influence to see this bill considered in Committee. I see nothing in the bill that would engender any organized opposition. I suspect that if it were considered in Committee that it would receive bipartisan support.

This bill, however, is probably not important enough to make it to the floor of the Senate for consideration under regular order. The most likely way for this bill to proceed would be for it to be considered as an amendment to the National Defense Authorization Act when it is considered in the Senate.

For more details about the bill's provisions, including links to the US Code sections authorizing the counter-drone activities, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2676-introduced - subscription required.


NMSAC to Look at Maritime Cybersecurity Efforts

Today, the Coast Guard published a meeting notice in the Federal Register (86 FR 53973-53974) for a teleconference of the National Maritime Security Advisory Committee (NMSAC) on October 28th, 2021. The meeting will include the presentation of two new cybersecurity tasks for consideration by NMSAC.

NOTE: There are currently some problems with the CG Homeport web site and the links to the NMSAC page are returning a ‘Cannot Be Found’ message as of this writing.

The two new cybersecurity taskings are:

• Provide feedback on cyber vulnerability assessments that are being conducted within the industry, and

• Provide input to support further development of the Maritime Cyber Risk Assessment Model.

To register to join the teleconference or provide public comments during the meeting, contact Mr. Ryan Owens (telephone 202-302-6565 or email ryan.f.owens@uscg.mil).

Bills Introduced – 9-28-21

Yesterday, with both the House and Senate in session, there were 44 bills introduced. One of those bills will receive additional coverage in this blog:

S 2875 A bill to amend the Homeland Security Act of 2002 to establish the Cyber Incident Review Office in the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security, and for other purposes. Sen. Peters, Gary [D-MI]

Tuesday, September 28, 2021

Review - HR 5376 Introduced – Build Back Better

Yesterday, Rep Yarmuth (D,KY) introduced HR 5376, the latest reconciliation bill (popularly known as the Build Back Better bill). This is the long-awaited Democrat program spending bill that will not be subject to cloture requirements if/when it makes it to the Senate. The 2,468 page bill contains four sections with substantial cybersecurity spending and program requirements and three sections with cybersecurity mentions in passing. There are no chemical security or safety mentions in the bill. And beyond some fee establishment or increase provisions there are no pipeline safety or security mentions either.

The four sections with substantial cybersecurity provisions are:

§31102. Establishment of next generation 9–1–1 cybersecurity center (pg. 732).

§50001. Cybersecurity and infrastructure security agency (pg. 896).

§90009. National aeronautics and space administration oversight and cybersecurity (pg. 1067).

§90010. National Institute of Standards and Technology research (pg. 1068).

The House Rules Committee, as of this writing, has not set a meeting for establishing the rule for the consideration of HR 5376 on the floor of the House. It would seem that the House leadership is still working with members, the Senate and the White House to come up with a final version of this bill that will be able to pass in both the House and Senate.

While this bill is a priority for both President Biden and the Congressional Democratic leadership, Speaker Pelosi (D,CA) is unlikely to bring this bill to the House floor for a vote unless she is sure that the votes are available to pass it in the House, and is reasonably certain that there is support of the full Democratic Caucus in the Senate to pass the bill there.

Additionally, it is likely that the Rules Committee will be adding the debt limit extension to this bill, now that the Republicans in the Senate effectively killed HR 5305 yesterday in a party-line vote on the first cloture vote.

For more details on the cybersecurity provisions, including the cybersecurity mentions in passing, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-5376-introduced - subscription required.

Bills Introduced – 9-27-21

Yesterday, with both the House and Senate in session there were 33 bills introduced. One of those bills may receive additional coverage in this blog:

HR 5376 To provide for reconciliation pursuant to title II of S. Con. Res. 14. Rep. Yarmuth, John A. [D-KY-3]

Knowing that at least one committee (House Science, Space, and Technology Committee) included cybersecurity spending in their portion of the bill, I will be watching this long (2,468 pages) bill for additional cybersecurity coverage.

Odd side note: Speaker Pelosi (D,CA) and the House Democratic Leadership have been calling this the ‘Build Back Better’ bill for weeks; that title is not included in the bill. We are stuck with the awkward “To provide for reconciliation pursuant to title II of S. Con. Res. 14.”. Yeah, everyone (okay, at least the supporters) is still going to call this the 'Build Back Better Bill'. "4B or not 4B, that is the question". Sorry, could not help myself.

Interestingly, the House held an unscheduled pro forma session on Sunday, presumably for the purpose of introducing this bill, but it was not apparently ready for introduction then, as the House Budget Committee held their final markup of the bill on Saturday. There was one bill introduced (HR 5374), but it was not of interest here.

BTW: I do want to mention another bill in passing that was introduced yesterday. I will probably not be following the bill in this blog, but it may have some rather interesting implications. That bill is:

HR 5388 To establish a strategic active pharmaceutical ingredient reserve to maintain a domestic supply of active pharmaceutical ingredients and key starting materials needed for the manufacturing of essential generic medicines, and to build a pipeline for domestic active pharmaceutical ingredient production. Rep. Spanberger, Abigail Davis [D-VA-7]

Monday, September 27, 2021

CFATS Voluntary Chemical Security Program Moving Forward?

There was a brief announcement over on LinkedIn about a new job that is opening tomorrow on USAJobs for work on the Chemical Facility Anti-Terrorism Standards program. I always try to mention these job openings because I strongly believe that this is an important regulatory program that needs the best people to continue to improve the program. So, if you are interested in a Program Analyst position at the GS 12-13 level, go look at this job on USAJobs. It opens tomorrow and closes when they receive 100 applications or on October 6th, whichever occurs first.

But what really caught my attention was the comments introducing this job announcement from Annie Hunziker Boyer who is the Branch Chief for Policy, Rulemaking and Engagement in the Office for Chemical Security (OCS), otherwise known as the CFATS people. She said in her post:

“Feds and Status Candidates -- I have an opportunity for a great GS 343 12/13 position here at the Cybersecurity and Infrastructure Security Agency helping to build out our voluntary chemical security program. This is the type of job I myself love -- charting new ground, leveraging PM skills, weighing policy implications, and engaging with stakeholders. If this sounds like something you'd like, I hope you'll consider applying!”

There have been hints about OCS introducing a voluntary chemical security program for a number of years now, but the first semi-official description of the possible program was introduced last December at the virtual Chemical Security Summit. Annie provided that description in her talk, “Incentivizing Facility Security: A Nonregulatory Approach”.

It looks like the program is moving forward. It will be interesting to see how a voluntary program is implemented, particularly in the cybersecurity realm.

Committee Hearings – Week of 9-27-21

This week with both the House and Senate in session, and the end of the fiscal year at week’s end, there is a full slate of hearings on both sides of the Capitol. Of interest here are oversight hearings for TSA, the CSB and DHS. Lots of important action on the floor of both the House and Senate. It will be a busy week.

Oversight Hearings

On Wednesday, the House Homeland Security Committee will hold a hearing on “20 Years After 9/11: The State of the Transportation Security Administration”. The witness list will include David Pekoske, the current TSA Administrator, and three former Administrators. While this should be a wide-ranging discussion, it will probably focus on air travel security as that has been the agency’s focus over its life, but pipeline security questions will be raised.

On Wednesday, the Oversight and Investigations Subcommittee of the House Energy and Commerce Committee will hold a hearing on “Protecting Communities from Industrial Accidents: Revitalizing the Chemical Safety Board”. No witness list is currently available.

On Thursday, the Oversight, Management, and Accountability Subcommittee of the House Homeland Security Committee will hold a hearing on “20 Years After 9/11: Transforming DHS to Meet the Homeland Security Mission”. The witness list includes:

• Chris Currie, Government Accountability Office,

• Randolph “Tex” Alles, DHS,

• Angela Bailey, DHS.

Looking at the witness list, I suspect that this hearing will concentrate on personnel issues. Cybersecurity workforce issues could be addressed.

On the Floor in the Senate

A cloture vote on HR 5305, the Extending Government Funding and Delivering Emergency Assistance Act (FY 2022 Spending continuing resolution plus debt limit extension), is scheduled for early this evening. If this gets the necessary 60 votes to continue debate (not likely) then the Senate will approve the bill later this week. If it fails, the ball would be tossed back to the House for a clean continuing resolution. Plenty of time before the continued government funding is required by Midnight Thursday.

On the Floor of the House

Last month, Speaker Pelosi promised the moderate Democrats a vote on the Senate version of HR 3684, the bipartisan infrastructure bill, today. Instead, it looks like all they are going to get today is a one-hour debate on the bill. The vote is apparently being slipped to Thursday to perhaps give the progressive wing of the Party a chance to vote on their expensive Build Back Better Act. HR 3684 needs to pass before Thursday Midnight as the authorization for most transportation programs expires at that time. This would not be as drastic as a government shutdown, critical programs would continue to operate (if a spending measure is in place), but regulatory enforcement efforts would face legal hurdles.

The final version of the Build Back Better Act is still not completed. The bill was marked up by the House Budget Committee on Saturday, but final changes will take place in the House Rules Committee. No hearing for that consideration is currently scheduled according to the Rules Committee website, which indicates that horse trading is still going on behind closed doors. This bill is likely to come to the floor with limited debate and no amendments. The progressive Democrats want a floor vote on this bill before HR 3684 is considered.

According to Majority Leader Hoyer’s (D,MD) Weekly Leader site the House should take up two cybersecurity-related bills (along with 10 other bills) under the suspension of the rules process. As I wrote last week, these were also potentially on the schedule last week, but were never taken up. The two bills are:

• HR 4611 – DHS Software Supply Chain Risk Management Act of 2021, and

• S 1917 – K-12 Cybersecurity Act of 2021


Sunday, September 26, 2021

Review - Cybersecurity for the Manufacturing Sector – SP 1800-10 (draft)

Earlier this week the National Institute of Standards and Technology (NIST) published a draft of SP 1800-10, Protecting Information and System Integrity in Industrial Control System Environments. The new document provides a practical example solution to help manufacturers protect their Industrial Control Systems (ICS) from data integrity attacks.

NIST is soliciting comments on the Draft of SP 1800-10. Comments should be submitted via email (manufacturing_nccoe@nist.gov) or by filling out the web form. Comments should be submitted by November 7th, 2021.

Commentary

This document provides an important look at how cybersecurity can be successfully engineered into an industrial control system. How useful that example will be for actual manufacturing systems remains to be seen. Looking at this document, it would appear that a high level of IT knowledge will be required to implement the solutions reported in the document. Whether that level of support is readily available in small manufacturing or chemical facilities remains to be seen.

What is not clear from this document is how much work is needed to implement these tools. A description of the time needed to set up the equipment for these relatively simple control systems would be helpful, but I am not sure how well that would scale to real world control systems with hundreds of control devices and sensors. It is also not clear how much response action would be required by facilities to address the error messages and log files generated by such a system. Is a security operation center necessary or will facilities have to rely on already overstressed operators to deal with these results?

For understandable reasons, these test beds do not address process safety issues that must be taken into account when assessing security risks at a facility; even the Tennessee Eastman simulation fails to address this, as it represents a generic chemical process without considering chemical hazards. I do wish, however, that there had been some discussion about the role process safety has in any process control system risk evaluation.

One final comment. I was really pleased to see that all of the test evaluations showed that the tested systems prevented the design criteria attacks. It shows that cybersecurity controls in a control system environment are possible. I would be surprised, however, to hear that they all did so on the first attempt. It would be helpful if initial testing-failure descriptions and a discussion of remedial actions taken were presented. It would also be helpful if NCCOE were to report on a well-funded red-team attack on the platforms tested.

For more details on the document and the systems evaluated, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cybersecurity-for-the-manufacturing - subscription required.

Saturday, September 25, 2021

Review - S 2792 Introduced – FY 2022 NDAA

Earlier this week, Sen Reed (D,RI) introduced S 2792, the National Defense Authorization Act (NDAA) for Fiscal Year 2022. This is the version of the NDAA reported by the Senate Armed Services Committee that will probably be substituted for the House language of HR 4350 when it is considered in the Senate. As with the House bill, S 2792 has a Title on cyber operations, including a report on DOD support for CISA. It also includes authorization language for a civilian cybersecurity reserve pilot and a brief discussion about technical debt.

As I mentioned above, when the Senate begins consideration of HR 4350, the version of the NDAA that passed this week in the House, there is typically an amendment in the form of a substitute that is offered for the Senate’s consideration. This bill will form the base for that amendment. There will be a vigorous floor amendment process, though it will not include nearly as many amendments as did the House debate.

Once the Senate passes that amended version, it will go back to the House for consideration of the new language. I would expect that the House will ‘insist’ on its version and the bill will then go to conference to work out the compromise version that will get to the President for signature. I expect that most of the House cybersecurity amendments will remain in that version.

For more details about the cybersecurity provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2792-introduced - subscription required.

GAO Publishes Grid Resiliency Overview

This week the Government Accountability Office published a report on “Electricity Grid Resilience”. This is a brief, 2-page, overview of recent GAO reports on the topic. It does highlight previous GAO recommendations that have not yet been implemented. It includes discussion of cybersecurity and physical security risks.

Review - Public ICS Disclosures – Week of 9-18-21

This week we have seven vendor disclosures from ABB, Pilz, Hitachi, Johnson and Johnson, Philips, SonicWall, and VMware.

ABB Advisory - ABB published an advisory describing an integrity check bypass vulnerability in their free@home System Access Point products.

Pilz Advisory - VDE CERT published an advisory discussing the INFRA:HALT vulnerabilities in Pilz products.

Hitachi Advisory - Hitachi published an advisory describing an authentication bypass vulnerability in their Disk Array Systems.

Johnson and Johnson Advisory - Johnson and Johnson published an advisory discussing the BadAlloc vulnerabilities in their products.

Philips Advisory - Philips published an advisory discussing two recently reported Apple® vulnerabilities.

SonicWall Advisory - SonicWall published an advisory describing an improper limitation of a file path to a restricted directory vulnerability in their SMA 100 Series Appliances.

VMware Advisory - VMware published an advisory describing 19 vulnerabilities in their vCenter Server and Cloud Foundation products.

For more details about the advisories, including listing of VMware multiple vulnerabilities and links to researcher advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-9-7bc - subscription required.

Friday, September 24, 2021

Review - DOC Publishes IaaS Cybersecurity ANPRM – 9-24-21

Today the Department of Commerce published an advance notice of proposed rulemaking (ANPRM) in the Federal Register (86 FR 53018-53021) on “Taking Additional Steps to Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities”. This action is being taken in response to requirements in EO 13984, Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities. This ANPRM was sent to OMB’s Office of Information and Regulatory Affairs on August 6th, and approved by OIRA on September 13th.

DOC is soliciting responses from the public and industry on the issues raised in today’s ANPRM notice. Comments may be submitted via the Federal eRulemaking Portal (www.regulations.gov; Docket # DOC-2021-0007). Comments should be received by October 25th, 2021.

For further details about the EO 13984 requirements and the questions for which DOC is seeking answers, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/doc-publishes-iaas-cybersecurity - subscription required.

TSOB Ratifies TSA Pipeline Security Directive #2

Today DHS published a notice in the Federal Register (86 FR 52953) announcing that the Transportation Security Oversight Board (TSOB) has ratified Transportation Security Administration (TSA) Security Directive Pipeline-2021-02. That security directive was issued on July 19th, 2021.

This review and ratification is required under 49 USC 114(l)(2)(B). That subparagraph only allows an emergency order to last for 90 days unless ratified by the TSOB. According to today’s notice, the TSOB met on August 4th, 2021 and ratified the Security Directive ‘in its entirety’ on August 17th, 2021.

The TSOB was established under 49 USC 115. It consists of seven members or their designees:

• The Secretary of Homeland Security,

• The Secretary of Transportation,

• The Attorney General,

• The Secretary of Defense,

• The Secretary of the Treasury,

• The Director of National Intelligence, and

• One member appointed by the President to represent the National Security Council.

Thursday, September 23, 2021

HR 4350 Considered in House – 9-23-21

This evening the House completed consideration of HR 4350, the FY 2022 National Defense Authorization Act. The final vote on passage was a bipartisan vote of 316 to 113. The Democrats split 181 for and 38 against; the Republicans 135 to 75. All three En Bloc votes that I described earlier today (subscription required) were completed this evening and all three passed with bipartisan support.

The table below shows the votes (data sources En Bloc #2, En Bloc #3, and En Bloc #4) on the En Bloc amendments.

Vote          Yeas   Nays
En Bloc #2    367    59
En Bloc #3    362    59
En Bloc #4    360    66

This means that all of the cybersecurity amendments that I described on Tuesday have been adopted in the House passed version of HR 4350.

The bill will now go to the Senate. While the bipartisan vote on the bill tonight would bode well for the bill to be able to make it through a cloture vote, the Senate is unlikely to take up the House language on the bill. Instead they will substitute the language from S 2792 (which I should be able to look at this weekend) from the Senate Armed Services Committee. Later this year the inevitable conference committee will work out the differences between the two bills.

Review - HR 4350 Considered in House – 9-22-21

NOTE: Corrected date in title to reflect the date of the debate and actions in the House (9-23-21 21:50 EDT)

Yesterday the House resumed consideration of HR 4350, the FY 2022 National Defense Authorization Act. Six amendments were adopted by recorded votes; none of the cyber related amendments that I identified on Tuesday were included. One en bloc listing (En Bloc #1) of amendments was adopted by a voice vote (including four amendments from Tuesday’s list). Three other en bloc lists (including the remainder of the amendments I identified) were considered, but recorded votes were demanded on all three. Those votes are scheduled to take place today.

The House resumed consideration of the bill today.

For more details about the amendments considered, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-4350-considered-in-house-9-23 - subscription required.


Review – 2 Advisories and 1 Update Published – 9-23-21

Today CISA’s NCCIC-ICS published two control system security advisories for products from Trane. They also updated an advisory for products from Ovarro.

Tracer Advisory - This advisory describes a code injection vulnerability in the Trane Tracer building automation controllers.

Symbio Advisory - This advisory describes a code injection vulnerability in the Trane Symbio 700 and Symbio 800 controllers.

Ovarro Update - This update provides additional information on an advisory that was originally published on March 23, 2021.

For more details on these advisories and the update, including some interesting oddities about the update, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-and-1-update-published-650 - subscription required.

Bills Introduced – 9-22-21

Yesterday with both the House and Senate in session there were 48 bills introduced. Two of those bills may receive additional coverage in this blog:

S 2792 An original bill to authorize appropriations for fiscal year 2022 for military activities of the Department of Defense, for military construction, and for defense activities of the Department of Energy, to prescribe military personnel strengths for such fiscal year, and for other purposes. Sen. Reed, John [D-RI]

S 2803 A bill to authorize funds for Federal-aid highways, highway safety programs, and transit programs, and for other purposes. Sen. Lee, Mike [R-UT]

S 2792 will probably end up being the language substituted for the House version of HR 4350 (still under consideration in the House) when the Senate takes up that bill.

S 2803 is an alternative version of the annual surface transportation authorization. This bill will die untouched if/when HR 3684 passes in the House next week. It is still possible that that bill could fail due to intra-party fighting by the House Democrats. If HR 3684 fails, this Republican alternative still does not have much of a chance, but I will watch it nonetheless.

Wednesday, September 22, 2021

Bills Introduced – 9-21-21

NOTE: Corrected title to reflect date of introduction (9-23-21 0635 EDT)

Yesterday with both the House and Senate in session, there were 55 bills introduced. Three of those bills may receive additional coverage in this blog:

HR 5305 Extending Government Funding and Delivering Emergency Assistance Act Rep. DeLauro, Rosa L. [D-CT-3] 

S 2767 A bill to authorize certain Federal departments to enter into contracts to carry out existing authorities to protect United States facilities from unmanned aircraft. Sen. Lee, Mike [R-UT] 

S 2789 A bill making continuing appropriations for the fiscal year ending September 30, 2022, and for providing emergency assistance, and for other purposes. Sen. Shelby, Richard [R-AL]

HR 5305 is the Continuing Resolution adopted last night by the House in a party-line vote of 220 to 211. In addition to extending public spending at currently authorized rates, it also includes language (§3301) to extend the public debt limit, both until December 16th, 2021. It allows the Treasury to increase the debt limit under 31 USC 3101(b) by an unspecified amount at the discretion of the Treasury Department. The debt limit provisions are the root of the Republican opposition to this bill.

This is probably the last time that I will be mentioning S 2789. This alternative to HR 5305 is doomed on two counts. First, a continuing resolution must originate in the House. Thus the only way that this bill makes it to the President’s desk is if the Senate uses the language from this bill as a substitute for the language in HR 5305. This is unlikely to occur because Shelby and his only cosponsor {Sen McConnell (R,KY)} are Republicans and the Senate is very loosely controlled by the Democrats. I have not seen the language for this bill, but I suspect that it is a ‘clean’ CR.

Oh, yes, I will be covering S 2767.

Review - Posse Comitatus and Cybersecurity

Last night during the consideration of HR 4350 in the House, Rep Schiff (D,CA) offered amendment #24 which was adopted by a voice vote. That amendment (see page 217 for the text) added a new section to subtitle C of title V of the bill which would prohibit information received in violation of the Posse Comitatus Act from being used as evidence in a court of law. While the application of posse comitatus restrictions to the US military (including federalized National Guard forces) is a very nuanced part of federal law, this amendment could have unintended consequences when it comes to the use of military cyber-assets in support of critical infrastructure facilities.

No one is going to scream ‘Posse Comitatus’ when DOD cyber forces protect critical infrastructure against cyber-attacks from a foreign adversary, whether it be a country, terrorist organization or even a foreign controlled criminal organization. But, if DOD units, in the conduct of their cyber-protective role, uncover a domestic cyber-attack, provisions of both 18 USC 1385 and 10 USC 275 are going to come into consideration. As long as DOD undertakes no action against the attacker and simply reports it to civilian police authorities (like the FBI) or federal cybersecurity agencies (like CISA), under the aerial photographic and visual search and surveillance doctrine, courts would probably not accept posse comitatus claims by defendants.

However, yesterday’s Schiff amendment may open the door for such claims. Whether they would be accepted by the courts is less certain.

Both §1385 and §275 contain similar exception language for ‘unless authorized by law’ or ‘act of Congress’. Thus Congress, in authorizing the use of military cyber forces (including National Guard units) to protect critical infrastructure against cyber-attacks, could exempt such actions from the restrictions of both sections. Such an authorization could, for example, be preceded in the applicable legislative language by the phrase “Notwithstanding 18 USC 1385…”. Such language would then ensure that Schiff’s new language added to 10 USC 271 would no longer apply to information obtained by the authorized actions of the cyber-forces.

For a more detailed look at the provisions of §1385 and §275, and how they could impact the use of cybersecurity forces of the military in protecting critical infrastructure from cyber attacks, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/posse-comitatus-and-cybersecurity - subscription required.

Tuesday, September 21, 2021

Cybersecurity Amendments to be Offered for HR 4350

The House Rules Committee has published the Rule for the consideration of HR 5305 (Continuing Resolution), HR 4350 (FY 2022 NDAA), and HR 3755 (the Women’s Health Protection Act). The rule makes 437 amendments in order for consideration on the floor during the debate on HR 4350. House Report 117-125 provides both a list of those amendments and their text.

Eleven of the amendments covered cybersecurity issues of potential interest here. Those amendments are:

32. Langevin (D,RI): Makes a technical correction to Section 1752 of the FY21 NDAA (6 U.S.C. 1500) that will allow the Office of the National Cyber Director to accept the services of non-reimbursed detailees from departments and agencies. (text page 230)

37. Houlahan (D,PA) - Creates a cybersecurity training pilot program at the Department of Veterans Affairs for veterans and members of the Armed Forces transitioning from service to civilian life. Creates a registered apprenticeship program at the Cybersecurity and Infrastructure Security Agency (CISA) focused on cybersecurity and infrastructure security. Both programs are established in coordination with the Department of Defense. (text page 243)

107. Clarke, Yvette (D,NY) - Authorizes the CyberSentry program within the DHS Cybersecurity and Infrastructure Security Agency (CISA), a critical Industrial Control System (ICS) cybersecurity program that allows CISA to enter into strategic, voluntary partnerships with priority ICS owners and operators to provide enhanced cyber threat monitoring and detection. (text page 337)

108. Clarke, Yvette - Requires the DHS Cybersecurity and Infrastructure Security Agency (CISA) to establish requirements and procedures for covered critical infrastructure owners and operators to report covered cybersecurity incidents to a new Cyber Incident Review Office, to be established within CISA. (text page 340)

147. Garbarino (R,NY) - Creates a 5-year term for the Cybersecurity and Infrastructure Security Agency (CISA) Director and reaffirms that the position will be Presidentially appointed and Senate confirmed. (text page 436)

148. Garbarino - Establishes a Department of Homeland Security grant program to facilitate closer U.S.-Israel cybersecurity cooperation. (text page 437)

149. Garbarino – Establishes a cyber counseling certification program for Small Business Development Centers (SBDCs) assisting small businesses with planning and implementing cybersecurity measures. Authorizes the SBA to reimburse SBDCs for employee certification costs up to $350,000 per fiscal year. SBDC’s are established nationwide with nearly 1,000 local centers; given their reach, they are well positioned to assist small businesses with their cybersecurity needs. (text page 439)

150. Garbarino - Requires CISA to update its cyber incident response plan not less often than biennially, and requires CISA to consult with relevant Sector Risk Management Agencies and the National Cyber Director, to develop mechanisms to engage with stakeholders to educate them about Federal Government cybersecurity roles for cyber incident response. (text page 440)

158. Gonzales, Tony (R,TX) - Establish the National Digital Reserve Corps, a program within GSA that would allow private sector tech talent to work for the federal government for 30 days per calendar year to take on short term digital, cybersecurity, and AI projects. Reservists would report to GSA, who would then detail them to executive agencies as needed. (text page 449)

306. Neguse (D,CO) - Expands the annual report submitted by the Department of Defense on vulnerabilities of the National Technology and Industrial Base to include the current and projected impacts of climate change and cyberattacks. (text page 714)

427. Thompson, Bennie - Adds a new title with measures related to the Department of Homeland Security (DHS), comprised of House-passed legislative provisions to strengthen and improve DHS headquarters, research and development, cybersecurity, and transportation security, among other matters. (text page 873)

Many of these amendments look (on quick review) like they have similar language to bills that have already been introduced in the House. Amendment 427 is the most obvious example of this and it runs to 111 pages. This is quickly turning into a cybersecurity bill. It will be interesting to see how many of these make it through the debate in the House.

Critical Economic Assets and CFATS – Part 2

This is part of an on-going series of posts looking at the potential for an expansion of the effort of the Chemical Facility Anti-Terrorism Standards (CFATS) program to cover facilities that produce critical economic asset chemicals. The current CFATS regulations specifically allow CISA to declare a facility to be a high-risk facility covered by the CFATS program if they are a producer of critical economic asset chemicals.

The first post in the series looked at the historic background of this type coverage in the CFATS program and how DHS tried to look at the process.

The problem with the initial effort by DHS to look at this issue was that it took a scattershot approach to determining if a particular reporting facility was a producer of more than 20% of the domestic production of a chemical. In this blog post, I will look at an alternative way of identifying facilities that are producers of critical economic asset chemicals.

Identifying Critical Chemicals

The first thing that is necessary is determining what should be considered a critical chemical that could be used to define a critical economic asset. The CFATS regulations provide a first step in this by their definition in 6 CFR 27.105 of the term ‘security issue’ as “the type of risks associated with a given chemical.” That definition then goes on to list the three security issues found in the DHS chemicals of interest (COI) list in Appendix A to the CFATS regulations, and then adds a fourth: “Critical to government mission and national economy.”

The discussion in the preamble to the Appendix A final rule about the list of COI makes it clear that the Department only considered those chemicals for listing if they were “released, stolen or diverted, and/or contaminated, have the potential to create significant human life and/or health consequences.” This would mean that critical chemicals would not necessarily be included in Appendix A. What is probably needed is a new listing of chemicals that could trigger a reporting of the production or distribution of chemicals of economic interest (CEI), an Appendix B to the CFATS regulations.

CEI Designation

DHS, in crafting the CFATS Appendix A, was aided by the fact that there are a number of different regulatory lists that identify hazardous chemicals. Thus, DHS had a large universe of chemicals pre-defined that it could whittle down to a mere 300+ chemicals divided into three security issues that could help further refine the characteristics of the chemicals that would trigger the Top Screen reporting requirement. There are no such lists that would easily define chemicals of economic interest. So, DHS is going to have to start from scratch.

First, we are going to need an operational definition of the term ‘chemical of economic interest’. I would propose that the term would be defined as ‘a chemical which, if the supply of which was interrupted, would interfere with the completion of a government mission, or create significant economic and/or health consequences’. Identifying specific chemicals that meet that definition would be the next step.

House to Consider 2 Cybersecurity Bills – 9-21-21

Majority Leader Hoyer (D,MD) announced last night that the House could be taking up five bills today under the suspension of the rules process that were not included in the weekly plan for House action this week. Those bills include two pieces of cybersecurity legislation covered here in this blog:

HR 4611 – DHS Software Supply Chain Risk Management Act of 2021, and

S 1917 – K-12 Cybersecurity Act of 2021

The suspension of the rules process in the House provides for limited debate, no floor amendments and requires a super-majority to pass. Bills are offered under this process when the House Leadership feels that there should be sufficient bipartisan support for a bill for it to achieve that supermajority approval.

There is a possibility that these bills will not be considered today as there is a bit of turmoil in the House. The House is also supposed to consider a continuing resolution, but the language of that bill has not yet been officially produced. That bill is supposed to be considered under a rule that was to have been developed yesterday, but as of this morning, the House Rules Committee web site had not published that rule. These five bills may have been added as legislative filler material while backroom negotiations continue on the CR.

Monday, September 20, 2021

Review - HR 4350 Reported in House – FY 2022 NDAA

HR 4350, the FY 2022 National Defense Authorization Act, was introduced as a mere framework for the final bill. Over the summer recess the subcommittees and full House Armed Services Committee did the complicated (and often politically challenging) process of fleshing out the details of that bill. A reported version of the bill is now ready for consideration by the House as are two Committee reports (original report and supplemental). The bill contains a number of cyber operational provisions, but none of particular importance here. There are three relevant cybersecurity provisions and one interesting counter-drone provision that will be covered here.

As I said earlier this morning, the House Rules Committee is meeting today to construct the rule under which this bill will be considered in the House this week. There have been over 500 amendments submitted to the Committee, but only a limited number (not that limited, probably between 100 and 200) will be allowed to be offered on the floor of the House.

A quick search of the amendments for the term ‘cyber’ revealed that just five amendments contained that term, and two of those were identical copies of S 658, the National Cybersecurity Preparedness Consortium Act of 2021, as introduced in the Senate.

The bill will almost certainly pass in the House. It will be interesting to see how many Republicans vote for the bill. In any case, the Senate will probably not consider the language produced in the House this week. While the Senate Armed Services Committee has yet to introduce their own bill, that will (when it is introduced) probably be the language considered in the Senate. Then a Conference Committee will craft a mashup of the two versions that could pass in both the House and Senate. I do not expect a final vote on this bill until December.

I will look at the Committee Report and Supplemental Report in a separate article.

For more details about the cybersecurity and counter-drone provisions in this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-4350-reported-in-house - subscription required.

Committee Hearings – Week of 9-19-21

This week, with the House and Senate both in Washington and a lot of controversial stuff on the legislative agenda for the next two weeks, the hearing agenda is relatively light. We do have two hearings on the homeland security threat, an important Rules Committee Hearing, one cybersecurity hearing, and a confirmation hearing for three CSB nominees this week.

Homeland Security Threat

On Tuesday the Senate Homeland Security and Governmental Affairs Committee will hold a hearing on “Threats to the Homeland: Evaluating the Landscape 20 Years After 9/11”. The witness list includes:

• Alejandro N. Mayorkas, DHS,

• Christopher A. Wray, FBI, and

• Christine Abizaid, National Counterterrorism Center

On Wednesday, the House Homeland Security Committee will hold a hearing on “Worldwide Threats to the Homeland: 20 Years After 9/11”. The witnesses will be the same as above.

While cybersecurity and right-wing extremists will certainly be mentioned, I expect that in both of these hearings we will see the most sound and fury in discussions about the al Qaeda threat from Afghanistan.

Rules Committee

Today the Rules Committee will meet to formulate the rule for three measures that will be taken up by the House this week, two of those will be of interest here:

• HR _____— An act making continuing appropriations for the fiscal year ending September 30, 2022, and for providing emergency assistance, and for other purposes

• HR 4350— National Defense Authorization Act for Fiscal Year 2022

There is no text currently available for the Continuing Resolution. This is coming early enough, though, that I expect that the Democrats will try to load it up some since they can always come back next week with a cleaner, less controversial version that could pass in the Senate next week and still not worry about shutting down the government.

The reported language for HR 4350 is available, and I will have more on that later today. At least 852 amendments have been submitted for consideration; I am not even going to bother trying to look at those in any detail. The Rules Committee will sort and pare that down to a more reasonable number to be considered on the floor of the House.

Cybersecurity Hearing

On Thursday, the Senate Homeland Security and Governmental Affairs Committee will hold a hearing on “National Cybersecurity Strategy: Protection of Federal and Critical Infrastructure Systems”.

The witness list includes:

• Chris Inglis, National Cyber Director

• Jen Easterly, CISA,

• Christopher DeRusha, OMB

While it will be fairly wide ranging, I expect to hear significant discussion about mandatory breach notification rules.

Confirmation Hearing

On Wednesday, the Senate Environment and Public Works Committee will hold a business meeting. The meeting will include votes on three nominations for the US Chemical Safety and Hazard Investigation Board (CSB). The nominees are:

• Stephen A. Owens,

• Jennifer B. Sass, and

• Sylvia E. Johnson

Sunday, September 19, 2021

BIS Sends New Wassenaar NPRM to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking from DOC’s Bureau of Industry and Security (BIS) for “Title: Information Security Controls: Cybersecurity Items”. The Spring 2021 Unified Agenda list for the rulemaking describes it thus:

“In 2013, the Wassenaar Arrangement (WA) added cybersecurity items to the WA List. On May 20, 2015, the Bureau of Industry and Security (BIS) published a proposed rule showing the public how these new controls would fit into the Export Administration Regulations (EAR) and requested information about the impact on U.S. industry. The public comments revealed serious scope and implementation issues regarding these controls and the proposed rule. Based on these comments, as well as substantial commentary from Congress, the private sector, academia, civil society, and others on the potential unintended consequences of the 2013 control, the U.S. government returned to WA to renegotiate the controls. This Notice outlines the progress the U.S. has made in this area, proposed Commerce Control List (CCL) implementation, and requests from the public information about the impact of these revised controls on U.S. industry and the cybersecurity community.”

CRS Report – Automated Vehicle Safety – 9-14-21

Last week the Congressional Research Service published a report on automated vehicle safety issues. The brief report provides an overview of the ongoing investigation by DOT’s National Highway Traffic Safety Administration into recent accidents involving Tesla electric vehicles. The report includes very little in the way of details.

Review - Public ICS Disclosures – Week of 9-11-21 – Part 2

This week we have five vendor disclosures from Siemens (3) and Schneider (2). We also have eight vendor updates from Siemens (5) and Schneider (3).

Siemens Advisory #1 - Siemens published an advisory describing an out-of-bounds write vulnerability in the Siemens Simcenter STAR-CCM+ Viewer.

Siemens Advisory #2 - Siemens published an advisory describing three vulnerabilities in their SCALANCE X-200 and X-300/X408 switch families.

Siemens Advisory #3 - Siemens published an advisory describing three vulnerabilities in their Teamcenter digital twin simulator. (NCCIC-ICS corrected their duplicate advisory - ICSA-21-257-08 - to reflect these vulnerabilities without notice)

Schneider Advisory #1 - Schneider published an advisory describing three vulnerabilities on their web server for multiple products.

Schneider Advisory #2 - Schneider published an advisory describing an insufficiently protected credentials vulnerability in their Conext™ ComBox product.

Siemens Update #1 - Siemens published an update for their GNU/Linux subsystem advisory that was originally published in 2018 and most recently updated on August 10th, 2021.

Siemens Update #2 - Siemens published an update for their WIBU Systems CodeMeter advisory that was originally published on July 13th, 2021.

Siemens Update #3 - Siemens published an update for their SINEC NMS advisory that was originally published on August 10th, 2021. (The related NCCIC-ICS advisory - ICSA-21-222-04 - was not updated).

Siemens Update #4 - Siemens published an update for their OpenSSL advisory that was originally reported on July 13th, 2021 and most recently updated on August 10th, 2021.

Siemens Update #5 - Siemens published an update of their INFRA:HALT advisory that was originally published on August 4th, 2021.

Schneider Update #1 - Schneider published an update for the C-Bus Toolkit advisory that was originally published on April 15, 2021 and most recently updated on June 8th, 2021. (The related NCCIC-ICS advisory - ICSA-21-105-01 – was not updated)

Schneider Update #2 - Schneider published an update for their ISaGRAF advisory that was originally published on June 8th, 2021.

Schneider Update #3 - Schneider published an update for the Treck TCP/IPv6 advisory that was originally reported on December 18th, 2020, and most recently updated on August 10th, 2021.

Commentary

On Tuesday, I reported that NCCIC-ICS advisory ICSA-21-257-08 was a duplicate of another Siemens Teamcenter advisory published by NCCIC-ICS the same day. Today I went back and checked that advisory and NCCIC-ICS has corrected that duplication and covered, in that advisory, the three Teamcenter vulnerabilities that I described today. That update of ICSA-21-257-08 (dated September 16th) was not announced on either the CISA Industrial Control Systems or the ICS Archive web pages. NCCIC-ICS did not acknowledge the extent of the change on the document nor list the revised advisory as Version A.

In the flood of information that was available on Tuesday it was certainly understandable that mistakes could happen. No one is perfect. But correcting a mistake, especially a mistake of this magnitude, without public announcement is unforgivable and it cheapens the valuable work being done by NCCIC-ICS.

For more details on these advisories, including links to third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-9 - subscription required.

Saturday, September 18, 2021

Review - Public ICS Disclosures – Week of 9-11-21 – Part 1

This week we have nine vendor disclosures from BD, HPE, Johnson and Johnson, Milestone, Moxa (2), and Ovarro (3). We have two updates from Mitsubishi. We also have four vendor reports from Tenable about vulnerabilities in GPS systems. Finally, we have an exploit for Geutebruck cameras.

BD Advisory - BD published an advisory discussing the BadAlloc vulnerabilities.

HPE Advisory - HPE published an advisory describing six vulnerabilities in their SAN Switches with Brocade Fabric OS.

Johnson and Johnson Advisory - Johnson and Johnson published an advisory discussing the PrintNightmare vulnerability.

Milestone Advisory - Milestone published an advisory describing an unsecured credential storage vulnerability in their XProtect® VMS product.

Moxa Advisory #1 - Moxa published an advisory describing nine vulnerabilities in their MXview Series Network Management Software.

Moxa Advisory #2 - Moxa published an advisory describing two uncontrolled resource vulnerabilities in their MGate MB3180/MB3280/MB3480 Series Protocol Gateways.

Ovarro Advisory #1 - Ovarro published an advisory describing a classic buffer overflow vulnerability in their MS-CPU32-S2 and LT2 products.

Ovarro Advisory #2 - Ovarro published an advisory describing a path traversal (?) vulnerability in their TWinSoft product.

Ovarro Advisory #3 - Ovarro published an advisory describing a weak encryption vulnerability in their TWinSoft product.

Mitsubishi Update #1 - Mitsubishi published an update for their WEB Functions of Air Conditioning Systems advisory that was originally published on July 1st, 2021.

Mitsubishi Update #2 - Mitsubishi published an update for their Denial-of-Service Vulnerability in Multiple Air Conditioning Systems advisory that was originally published on July 1st, 2021.

GPS Report #1 - Tenable published a report on five vulnerabilities in the LandAirSea Silver Cloud web site.

GPS Report #2 - Tenable published a report describing five vulnerabilities in the Spytec GPS platform web site.

GPS Report #3 - Tenable published a report describing 12 vulnerabilities in the Optimus GPS platform web site.

GPS Report #4 - Tenable published a report describing three vulnerabilities in the Tracki/Trackimo GPS platform web site.

Geutebruck Exploit - Titouan Lazard and Ibrahim Ayadhi have published a Metasploit module for a buffer overflow vulnerability in the Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx, ETHC-22xx, and EWPC-22xx devices.

For more details on these advisories and reports, including links to third party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-7ed - subscription required.

Bills Introduced – 9-17-21

Yesterday, with the House meeting in pro forma session, there were 36 bills introduced. One of those bills will receive additional coverage in this blog:

HR 5281 To amend title 10, United States Code, to require reporting on vulnerabilities due to climate change and cyberattacks in the National Technology and Industrial Base, and for other purposes.

I will be watching this bill for language and definitions that would indicate coverage of control system vulnerabilities in the reporting requirements.

Friday, September 17, 2021

CFATS PSP Note Change

Today CISA’s Office of Chemical Security (OCS) changed the ‘Latest News’ entry on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center that I reported about yesterday. It no longer mentions the ‘enhancements’ to the program, that I described in my CFSN Detailed Analysis article on the topic. The document describing the improvements is still available as of this writing.

DOT Publishes Transportation Supply Chain RFI – 9-16-21

Yesterday the DOT published a request for information in the Federal Register (86 FR 51719-51720) on “America's Supply Chains and the Transportation Industrial Base” in support of the President’s EO 14017, America's Supply Chains. In this RFI, DOT is soliciting practical solutions from a broad range of stakeholders to address current and future challenges to supply chain resilience in the freight and logistics sector. DOT is specifically asking for information related to cybersecurity risks.

The RFI solicits written comments on 13 different subject areas. One of those areas specifically includes cybersecurity:

“6. Technology issues, including information systems, cybersecurity risks, and interoperability, that affect the safe, efficient, and reliable movement of goods. Would greater standardization of those technologies help address those challenges?”

Written comments may be submitted via the Federal eRulemaking Portal (www.regulations.gov; Docket Number DOT-OST-2021-0106). Comments should be submitted by October 18th, 2021.

Thursday, September 16, 2021

Review - OCS Improves Personnel Surety Program – 9-16-21

Today the CISA Office of Chemical Security (OCS) published a news item on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center announcing that they had made enhancements to the Personnel Surety Program application within the Chemical Security Assessment Tool (CSAT). They provided a link to a brief description of those enhancements and an updated PSP Instruction Manual.

As with any time that a regulatory organization changes reference documents, covered facilities need to download the new manual, even if they are ‘done’ with their initial data submission under the PSP. Old versions should be maintained to allow facilities to explain or justify what they had done before the newer manual was published.

There does not seem to be anything in this new manual that is going to require a facility to make any changes to their facility site security plan. But, if it looks like changes could be required by the new document, facilities should contact their chemical security inspector for clarification. Questions could also be submitted to the CFATS Help Desk (1-866-323-2957), but the CSI would probably be able to provide a quicker answer.

For more details on the new information, including a look at some of the changes made in the PSP manual, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/ocs-improves-personnel-surety-program - subscription required.

Review - 2 Advisories Published – 9-16-21

Today, CISA’s NCCIC-ICS published two control system security advisories for products from Schneider and Siemens. The respective company advisories for these two NCCIC-ICS advisories were published on Tuesday, so I will not need to discuss them this weekend along with the remainder of the advisories and updates these companies published that were not covered by NCCIC-ICS.

Schneider Advisory - This advisory describes a path traversal vulnerability in the Schneider EcoStruxure Control Expert, EcoStruxure Process Expert, SCADAPack RemoteConnect for x70 products.

Siemens Advisory - This advisory describes three vulnerabilities in the Siemens RUGGEDCOM ROX switches.

For more details on these two advisories, including information on an incorrect CVE number, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-published-9-16-21 - subscription required.

OMB Approves DHS Privacy Act Update NPRM

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a notice of proposed rulemaking (NPRM) for the Office of the Secretary at DHS for “Privacy Act of 1974”. This rulemaking showed up for the first time in the Spring 2021 Unified Agenda. According to the abstract for that listing:

“The Department of Homeland Security (DHS or Department) is proposing to amend its regulations under the Privacy Act of 1974. DHS is proposing to update and streamline the language of several provisions.”

There is not enough information available at this time to determine what sort of impacts this might have on the Chemical Facility Anti-Terrorism Standards or the cybersecurity operations at CISA.

PHMSA Sends Natural Gas by Rail NPRM to OMB – 9-16-21

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking (NPRM) from DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) on “Hazardous Materials: Suspension of HMR Amendments Authorizing Transportation of Liquefied Natural Gas by Rail”. This rulemaking was included in the Spring 2021 Unified Agenda.

As I noted back in July, this is part of an ongoing activity at PHMSA looking at the safety of the transportation of LNG by rail. According to the abstract in the Unified Agenda listing for the rulemaking:

“PHMSA proposes to amend the Hazardous Materials Regulations (HMR) to suspend authorization of liquefied natural gas (LNG) transportation by rail pending completion of the companion rulemaking under RIN 2137-AF54.”

That rulemaking would incorporate the results of ongoing research efforts. Those efforts include work by a committee of independent experts to study the safe transportation of LNG by rail tank car. A pre-publication version of the Phase I study report has been published. Phase II of the study began with a kick-off meeting in June.

In reality, this suspension would have little practical effect since I can find no information that anyone has produced any of the new railcars that the current LNG by rail regulations require railroads to use to transport LNG. Part of the reason for that is that I think everyone understood that the Biden Administration was going to re-look at regulation of LNG by rail, and no one was willing to invest the money in railcars that might not be able to be used for their intended purpose.

Wednesday, September 15, 2021

HR 5186 Introduced – CISA Leadership

Earlier this month, Rep Garbarino (R,NY) introduced HR 5186, the CISA Leadership Act. The bill would set the term of the Director of the Cybersecurity and Infrastructure Security Agency at five years and would establish the position as one requiring a presidential appointment with the advice and consent of the Senate.

CISA Director

This bill would amend 6 USC 652(b). First it would add the following at the end of paragraph (1):

“The Director shall be appointed by the President, by and with the advice and consent of the Senate.”

Then it would insert a new paragraph (2), Term. That paragraph would establish the term of appointment for the Director to be five years.

Moving Forward

Garbarino is a member of the House Homeland Security Committee to which this bill was assigned for primary consideration, as are five of his six cosponsors (Langevin (D,RI), Katko (R,NY), Clarke (D,NY), Norman (R,SC), Thompson (D,MS), and Katko (R,NY)). With Thompson and Katko being Chair and Ranking Member respectively, there is certainly enough influence to see this bill be considered in Committee, probably at the next markup hearing. I see nothing in the bill to engender any significant opposition. I suspect that it will draw enough bipartisan support for it to be considered under the House suspension of the rules process. It would certainly pass in the House.

Commentary

It seems odd that the first part of the amendment to §652, referring to the Director being appointed by the President with the advice and consent of the Senate, was not included in the original language. The current Director, Jen Easterly, was nominated by the President and confirmed by the Senate. Everyone knew this was a requirement for the position; it just was not spelled out in the authorization language in §652.

There have been some people who thought that the second part of the §652 amendment (5-year term limit for the Director) was some sort of insult or slap at Director Easterly. With the bipartisan nature of the sponsors, that was certainly not the intent. The language proposed in this bill is nearly identical to that found in 49 CFR 114 that sets the 5-year term limit for the TSA Administrator.

The 5-year term is meant to emphasize that the CISA Director is not really a political appointee. While appointed by the President, the Director is supposed to be a cybersecurity professional with large-program administration experience.

Review - 21 Updates Published – 9-14-21

Yesterday CISA’s NCCIC-ICS published updates for 21 control system security advisories for products from Siemens (19), HCC Embedded, and Mitsubishi.

SCALANCE Update #1 - This update provides additional information on an advisory that was originally published on August 13th, 2019 and most recently updated on February 9th, 2021.

Industrial Products Update - This update provides additional information on an advisory that was originally published on September 10th, 2019 and most recently updated on July 13th, 2021.

PROFINET-IO Update - This update provides additional information on an advisory that was originally published on February 11th, 2020 and most recently updated on March 9th, 2021.

SCALANCE Update #2 - This update provides additional information on an advisory that was originally published on April 14th, 2020 and most recently updated on September 8th, 2020.

SIMATIC Update #1 - This update provides additional information on an advisory that was originally published on July 9th, 2020 and most recently updated on June 8th, 2021.

SCALANCE Update #3 - This update provides additional information on an advisory that was originally published on January 12th, 2021 and most recently updated on February 9th, 2021.

SCALANCE Update #4 - This update provides additional information on an advisory that was originally published on January 12th, 2021 and most recently updated on February 9th, 2021.

TIA Update - This update provides additional information on an advisory that was originally published on February 9th, 2021.

SCALANCE Update #5 - This update provides additional information on an advisory that was originally published on March 9th, 2021 and most recently updated on May 11th, 2021.

Web Server Update - This update provides additional information on an advisory that was originally published on March 13th, 2021.

SIMATIC Update #2 - This update provides additional information on an advisory that was originally published on May 11th, 2021.

Linux-based Product Update - This update provides additional information on an advisory that was originally published on May 11th, 2021 and most recently updated on August 10th, 2021.

SIMATIC Update #3 - This update provides additional information on an advisory that was originally published on June 1st, 2021.

SINUMERIK Update - This update provides additional information on an advisory that was originally published on July 13th, 2021.

SINAMICS Update - This update provides additional information on an advisory that was originally published on July 13th, 2021.

SIMATIC Update #4 - This update provides additional information on an advisory that was originally published on July 13th, 2021.

PROFINET Update - This update provides additional information on an advisory that was originally published on July 11th, 2021 and most recently updated on August 10th, 2021.

SIMATIC Update #5 - This update provides additional information on an advisory that was originally published on August 10th, 2021.

JT2Go Update - This update provides additional information on an advisory that was originally published on August 10th, 2021.

HCC Embedded Update - This update provides additional information on an advisory that was originally published on August 5th, 2021.

Mitsubishi Update - This update provides additional information on an advisory that was originally published on November 19th, 2020 and most recently updated on May 18th, 2021.

Other Updates - Siemens published five additional updates yesterday that were not covered by NCCIC-ICS updates. And Schneider published three updates that have not yet been addressed by NCCIC-ICS. I will be covering them this weekend in my “ICS Public Disclosure” article.

For additional information on the updates, including lists of the fixed products, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/21-updates-published-9-14-21 - subscription required.
