Sunday, October 31, 2021

Review - Public ICS Disclosures – Week of 10-23-21 – Part 2

In Part 2 we have an additional eleven vendor disclosures from GPSD, Ingeteam, Hitachi ABB Power Grids, HPE (2), QNAP, Tanzu (4), and Yokogawa. We have an updated disclosure for OMRON products. Finally, we have two exploits for products from Hikvision and SonicWall.

GPSD Advisory - Incibe CERT published an advisory discussing the GPS Daemon Rollover Bug (CISA published a short advisory on the same topic).

Ingeteam Advisory - Incibe CERT published an advisory describing an exposure of sensitive information to an unauthorized actor vulnerability in the Ingeteam INGEPAC DA AU ring main unit.

Hitachi ABB Advisory - Hitachi ABB published an advisory describing a certificate verification vulnerability in their PCM600 Engineering Tool.

HPE Advisory #1 - HPE published an advisory describing a directory traversal vulnerability in their iLO Amplifier Pack.

HPE Advisory #2 - HPE published an advisory describing a local bypass of security restrictions vulnerability in their HPE ProLiant products.

QNAP Advisory - QNAP published an advisory describing a command injection vulnerability in their Media Streaming Add-On.

Tanzu Advisory #1 - Tanzu published an advisory discussing a shared interface vulnerability in their Spring by VMware products.

Tanzu Advisory #2 - Tanzu published an advisory describing a security bypass vulnerability in their Spring Data REST products.

Tanzu Advisory #3 - Tanzu published an advisory describing a deserialization of a maliciously constructed java.util.dictionary object in their Spring-AMQP product.

Tanzu Advisory #4 - Tanzu published an advisory describing a log injection vulnerability in their Spring Framework.

Yokogawa Advisory - Yokogawa published an advisory discussing an unsupported Microsoft XML version vulnerability in many of their products.

OMRON Update - JP CERT published an update for the OMRON CS-Supervisor advisory that was originally published on October 15th, 2021.

Hikvision Exploit - Bashis published an exploit for a command injection vulnerability in the Hikvision web server.

SonicWall Exploit - The Vulnerability Lab published an exploit for a cross-site scripting vulnerability in the SonicWall SonicOS.

For more details on the advisories, updates and exploits, including links to 3rd party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-10-a7c - subscription required.

Saturday, October 30, 2021

Review - S 658 Amended in House Committee – Cybersecurity Consortia

On Tuesday the House Homeland Security Committee conducted a markup hearing that included the consideration of S 658, the National Cybersecurity Preparedness Consortium Act of 2021. The Committee adopted substitute language offered by Rep Thompson (D,MS) and ordered the bill reported by a voice vote. The new language places more emphasis on including minority serving institutions in the consortia. The bill was passed in the Senate in July by unanimous consent.

Once the Committee report on this bill is published this bill will probably move to the floor of the House for consideration under the suspension of the rules process. This will mean limited debate, no floor amendments and would require a supermajority for passage. The bill will receive substantial bipartisan support.

For more details about the changes made in Committee, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-658-amended-in-house-committee - subscription required.

Review - Public ICS Disclosures – Week of 10-23-21 – Part 1

This week is busier than normal for a week that does not include 2nd Tuesday, so we are going with a two-part listing. For Part 1 we have ten vendor disclosures from B&R Automation (3), PEPPERL+FUCHS, MB Connect, CODESYS (4), and Dell.

B&R Advisory #1 - B&R published an advisory describing a DLL hijacking vulnerability in their Automation Studio product.

B&R Advisory #2 - B&R published an advisory discussing the ZipSlip directory traversal vulnerability in their Automation Studio Project Import program.

B&R Advisory #3 - B&R published an advisory describing a file handling vulnerability in their Automation Studio program.

PEPPERL+FUCHS Advisory - CERT VDE published an advisory discussing an improper restriction of XML external entity reference vulnerability in the PEPPERL+FUCHS DTM and VisuNet product lines.

MB Connect Advisory - CERT VDE published an advisory describing an observable response discrepancy vulnerability in the MB Connect mbCONNECT24 and mymbCONNECT24 products.

CODESYS Advisory #1 - CODESYS published an advisory describing three vulnerabilities in their V2 runtime systems product line.

CODESYS Advisory #2 - CODESYS published an advisory describing four vulnerabilities in their V2 Web Server.

CODESYS Advisory #3 - CODESYS published an advisory describing an improper handling of exceptional conditions vulnerability in their V2 runtime systems containing the CODESYS TCP/IP communication driver.

CODESYS Advisory #4 - CODESYS published an advisory describing two vulnerabilities in their Control V2 product line.

Dell Advisory - Dell published an advisory discussing an out-of-bounds read vulnerability in their Dell Wyse Device Agent for Windows 10 IoT Enterprise product.

For additional information on these advisories, including links to third-party advisories and researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-10-d18 - subscription required.

Friday, October 29, 2021

Senate Amendments to HR 4350 – 10-28-21

While the Senate still has not officially started the consideration of HR 4350, the FY 2022 NDAA, there were 126 amendments proposed yesterday. Six of those amendments may be of interest here:

SA 3943 – Sen Heinrich (D,NM): SEC. 906. Chief digital recruiting officer. [pg S7469]

SA 3954 – Sen Blackburn (R,TN): SEC. xxxx. Study on national laboratory consortium for cyber resilience. [pg S7472]

SA 4028 – Sen Bennet (D,CO):  SEC. xxx. National Digital Reserve Corps. [pg S7505] Similar to HR 4813

SA 4042 – Sen Rosen (D,NV): SEC. xx. National Cyber Exercise Program. [pg S7513] Similar to S 2993.

SA 4062 – Sen Ossoff (D,GA): SEC. xx. Dr. David Satcher Cybersecurity Education Grant Program. [pg S7518] Similar to S 2305.

SA 4067 – Sen Ossoff:  SEC. xxx. Report on cyber education diversity initiative. [pg S7520]

Bills Introduced – 10-28-21

Yesterday, with both the House and the Senate preparing to leave Washington for the weekend, there were 70 bills introduced. While none of the bills will receive future coverage in this blog, I do want to mention one in passing:

HR 5763 To provide an extension of Federal-aid highway, highway safety, and transit programs, and for other purposes. Rep. DeFazio, Peter A. [D-OR-4]

This bill provides a short-term extension of the various surface transportation programs that would normally be covered by a surface transportation authorization bill, one of the annual must-pass bills that Congress is supposed to deal with every year. This year, the surface transportation bill is HR 3684, the large spending bill that has been intertwined with the so-called build back better bill (HR 5376). There has still not been an agreement reached on the wording of the BBBB (though it looks like the scope of the bill may have been ironed out).

HR 5763 was necessary because the previous short-term extension (HR 5305) is due to expire on Sunday. This bill extends the deadline for passage of HR 3684 until December 3rd, the same date set for the passage of a spending bill for the federal government. So, December 3rd will become an even more important date for political pundits to point at with concern.

HR 5763 passed yesterday in both the House and Senate. The President will probably sign it while he is out-of-town for the global climate conference.

Thursday, October 28, 2021

Review - 1 Advisory and 2 Updates Published – 10-28-21

Today, CISA’s NCCIC-ICS published a control system security advisory for products from Johnson Controls. They also updated two advisories for products from Delta Electronics and Mitsubishi Electric.

Johnson Controls Advisory - This advisory discusses a use of hard-coded credentials vulnerability in the Johnson Controls (American Dynamics) victor Video Management System.

Delta Update - This update provides additional information on an advisory that was originally published on August 26th, 2021.

Mitsubishi Update - This update provides additional information on an advisory that was originally published on October 7th, 2021.

For more details on the advisory and updates, including a link to an exploit and a discussion about the naming of Johnson Control advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-and-2-updates-published - subscription required.

Review - HR 5658 Introduced – Cybersecurity Roles

Last week, Rep Bacon (R,NE) introduced HR 5658, the DHS Roles and Responsibilities in Cyber Space Act. The bill would require DHS to prepare “a report on the roles and responsibilities of the Department and its components relating to cyber incident response.” The bill was marked-up in Committee this week and was amended and ordered reported favorably.

Once the Committee Report on the bill is published, this bill is likely to move to the floor of the House under the suspension of the rules process and the bill will almost certainly be approved by a bipartisan majority.

For more details about the report, and the Committee markup of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-5658-introduced - subscription required.

Senate Amendments to HR 4350 – 10-27-21

While the Senate still has not officially started the consideration of HR 4350, the FY 2022 NDAA, there were 26 amendments proposed yesterday. One of those amendments may be of interest here:

SA 3935 - Sen Rosen (D,NV) - §1064. United States-Israel cybersecurity cooperation enhancement [pg S7429]

This amendment is essentially S 1193 that was introduced by Rosen in May. There has been no action on the bill since it was introduced and referred to the Senate Foreign Relations Committee.

Review - S 2993 Introduced – Cyber Exercise Program

Earlier this month, Sen Rosen (D,NV) introduced S 2993, the CISA Cyber Exercise Act. The bill would amend the Homeland Security Act of 2002 by adding a new §2220A, National cyber exercise program. It would formally establish an existing exercise program to evaluate the National Cyber Incident Response Plan, and other related plans and strategies. No funding is authorized by this bill.

Rosen is a member of the Senate Homeland Security and Governmental Affairs Committee to which this bill was assigned for consideration. This means that there should be adequate influence available to see this bill considered in Committee. I see nothing in the bill that would engender any organized opposition. I suspect that the bill would receive significant bipartisan support in Committee. The bill is not important enough to be considered under regular order in the Senate, but it might be able to survive the unanimous consent process since it is simply codifying an existing program in DHS.

Commentary

The alert reader will have noticed that §2220A has been used by a number of bills for different proposed amendments to the Homeland Security Act of 2002. This is because this is the next section available in that Act. When any of these bills is finally passed and ready to send to the President for signature, the clerk for whichever body is the last to take action will be authorized to ‘make such changes as necessary’ to the section numbering. If this happens the way it should, we will not see the ongoing renumbering scrambling that we see in §2(b) in this bill (as we have seen in almost every bill that proposes to add a new §2220A).

For more details about the proposed program requirements, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2993-introduced - subscription required.

Wednesday, October 27, 2021

Senate Amendments to HR 4350 – 10-26-21

While the Senate still has not officially started the consideration of HR 4350, the FY 2022 NDAA, there were 36 amendments proposed in the Senate yesterday. One of those amendments may be of interest here:

SA 3903 – Sen Warnock - SEC. 1601. Matters concerning cyber personnel requirements. [pg S7385]

The amendment requires DOD to look at the education and training requirements for ‘cyber operation, information operation, and software engineering military personnel’ and prepare a report to Congress on those requirements. The amendment specifically includes a requirement to determine if a graduate level education program on the lines of the current war colleges run by the three services is necessary.

Reader Comment – Clandestine Labs

A reader, Rosearray, left a comment on yesterday’s post about the Hash Oil Extraction Fire in Los Angeles. He notes that there are a large number of fire and explosion incidents associated with clandestine labs and makes the comment that:

“I doubt that any of these incidents are reported by the "proprietors" to any authorities, much less to DHS.”

Richard is, of course, correct. Lab safety, along with quality control and regulatory affairs, is not usually a strong point for these illegal labs. What makes the incident in Canoga Park different is that, according to the Los Angeles Fire Department reporting on the incident, the fire took place at a legitimate business and the only reason that the lab was illegal was because “it did not adhere to established permitting processes and safety requirements.” This may still fall within the definition of a ‘clandestine lab’ under the ACS reporting system, but I think that the increasing number of these extraction labs supporting legitimate businesses needs to be brought under regulatory oversight.

I do not think that this necessarily requires new legislative efforts. Facilities handling dangerous chemicals already fall under regulatory programs at CSB, DHS, EPA and OSHA. What may be more appropriate than new legislation would be a proactive outreach program by existing regulating entities to educate these businesses about their process safety and reporting responsibilities. I know that the CFATS program has an active outreach program, but I suspect that these types of facilities have not yet shown up on their radar.

BTW: Thanks Richard for pointing out the work being done by the ACS Division of Chemical Health & Safety in tracking chemical safety incidents. As a lapsed ACS member I do not have access to this work, but I would love to hear more about the program.

PHMSA Sends Coastal Pipeline Safety IFR to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received an interim final rule for review from DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) on “Pipeline Safety: Coastal Ecological Unusually Sensitive Areas”. This rulemaking is bypassing the notice and comment process because it was mandated by Congress.

According to the abstract for this rulemaking in the 2021 Spring Unified Agenda:

“As mandated by section 120 of the Protecting Our Infrastructure of Pipelines and Enhancing Safety (PIPES) Act of 2020 (Pub. L. 116-260) and section 19 of the PIPES Act of 2016 (Pub. L. 114-183), PHMSA will amend the definition of unusually sensitive area (USA) to explicitly include the Great Lakes, coastal beaches, and certain coastal waters as USA ecological resources for the purposes of determining whether a pipeline is in a high consequence area (HCA), as defined by 49 CFR 195.450. A hazardous liquid pipeline that could affect these newly-designated areas must be included in an operators' integrity management program.”

This rulemaking is not directly in response to the recent oil pipeline leak off the coast of California.

Bills Introduced – 10-26-21

Yesterday, with both the House and Senate in session, there were 43 bills introduced. One of those bills may receive additional attention in this blog:

S 3067 A bill to amend titles 23 and 49, United States Code, to provide for new and emerging technologies in transportation, and for other purposes. Sen. Cortez Masto, Catherine [D-NV]

I will be watching this bill for language and definitions that would include automated transportation cybersecurity within the scope of the legislation.

Tuesday, October 26, 2021

Review - 1 Advisory Published – 10-26-21

Today, CISA’s NCCIC-ICS published a control system security advisory for products from Fuji Electric.

Fuji Advisory - This advisory describes six vulnerabilities in the Fuji Tellus Lite V-Simulator, and V-Server Lite products.

For more details about the advisory, including my discussion about how 20 vulnerabilities reported by kimiya via the Zero Day Initiative became 6 vulnerabilities in today’s advisory, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-published-10-26-21 - subscription required. [Link added - 10-26-21, 22:50 EDT]

Hash Oil Extraction Fire in Los Angeles

Last week there was a fire at an unusual chemical processing facility in Canoga Park, CA. Two people died and two others were hospitalized in a fire that appears to have been related to the chemical processing of either marihuana or hemp to produce more valuable organic products, possibly CBD or hash oil. The Los Angeles Times is reporting that the facility was possibly a marihuana growing facility. The Los Angeles Fire Department reports finding process equipment used in the butane extraction of hash oil that could also be used to extract CBD from hemp.

As medicinal marihuana and recreational marihuana become more widely legalized and the use of generally legal CBD products becomes more popular, we are going to be seeing an increase in the number of chemical manufacturing facilities being established to prepare the more profitable refined products from hemp and/or marihuana. Many of the chemical processes involve the use of flammable chemicals like butane, ethanol, or isopropanol. While many of these facilities are legitimate and legal businesses, their relatively small size will frequently mean that there will be a dearth of safety and regulatory expertise available to the organizations.

There are some interesting potential regulatory issues here. First, if a facility does use the butane extraction technique, the facility could fall under the purview of the Chemical Facility Anti-Terrorism Standards (CFATS) program because butane is on the list of DHS chemicals of interest. I wonder if the folks at the CISA Office of Chemical Security have added these types of facilities to their outreach program?

The second deals with chemical incident reporting requirements. Since there were two deaths involved in this particular incident, the Chemical Safety Board was supposed to have been notified by the facility owners within eight hours of the incident occurring. I have no way of knowing if that reporting requirement has been met with respect to this incident, but I would suspect not. Again, many if not most facilities of this type are small, closely held organizations without a great deal of regulatory support.

Bills Introduced – 10-25-21

Yesterday, with both the House and Senate in Washington, there were 28 bills introduced. Two of those bills will receive additional coverage in this blog:

S 3058 A bill making appropriations for the Department of Homeland Security for the fiscal year ending September 30, 2022, and for other purposes. Sen. Murphy, Christopher [D-CT]

S 3062 A bill making appropriations for the Departments of Labor, Health and Human Services, and Education, and related agencies for the fiscal year ending September 30, 2022, and for other purposes. Sen. Murray, Patty [D-WA]

Again, neither of these spending bills will be seen on the floor of the Senate. FY 2022 spending has been punted to December 3rd and will almost certainly take the form of an omnibus spending bill or two. The important part of these two bills will be the reports from the Senate Appropriations Committee, which provide spending and program directives to the affected agencies that have just short of the power of law.

Monday, October 25, 2021

Review - HR 5616 Introduced – DHS Basic Training

Last week, Rep Demings (D,FL) introduced HR 5616, the DHS Basic Training Accreditation Improvement Act of 2021. The bill would require periodic reporting to Congress by DHS on the accreditation status of various basic training programs for law enforcement positions within the Department. No funding authorization is provided in the bill.

As I noted earlier today, this bill is scheduled for consideration tomorrow by the House Homeland Security Committee. I expect that the bill will receive broad bipartisan support. The bill will almost certainly move to the full House under the suspension of the rules process. This would provide limited debate, no floor amendments and would require a supermajority to pass.

Most of the DHS training programs are operated out of Federal Law Enforcement Training Centers (FLETC). Those initial training programs that lead to law enforcement positions in the Department are being targeted by this bill. I know that in the early days of the CFATS program, CSI were trained at FLETC. While most of the early class of CSI came from federal law enforcement programs, the CSI positions are not considered to be law enforcement positions, so the CSI training program is not likely to be covered by this bill. I am not sure about the status of TSA’s surface inspectors.

For more details about the reporting requirements in the bill, and S&T research support requirements, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-5616-introduced - subscription required.

Committee Hearings – Week of 10-24-21

This week, with both the House and Senate in Washington, there will be a full slate of hearings in both bodies. There are two hearings of note here; a markup hearing and a hearing on transportation cybersecurity.

Markup Hearing

On Tuesday, the House Homeland Security Committee will hold a markup hearing looking at 12 pieces of legislation.

HR 5616, “DHS Basic Training Accreditation Improvement Act of 2021”,

HR 5658, “DHS Roles and Responsibilities in Cyber Space Act”, and

S 658, "National Cybersecurity Preparedness Consortium Act of 2021",

I have not yet published reviews of HR 5616 and HR 5658. While HR 5616 does not appear to affect chemical security inspector training, it could have future impact on cybersecurity law enforcement teams that could be developed within CISA or TSA. HR 5658 is a ‘report to Congress’ bill that may inform future cybersecurity legislative efforts. S 658 passed in the Senate in July and I do not expect any significant amendments in this week’s hearing.

Transportation Cybersecurity

On Tuesday the Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation of the House Homeland Security Committee will hold a hearing on “Transportation Cybersecurity: Protecting Planes, Trains, and Pipelines from Cyber Threats.” The witness list includes:

• Suzanne Spaulding, Center for Strategic & International Studies,

• Patricia F.S. Coswell, Guidehouse,

• Jeffrey L. Troy, Aviation Information Sharing and Analysis Center, and

• Scott Dickerson, Maritime Transportation System Information Sharing and Analysis Center

Commentary - It is disappointing to see this industry-only panel without having the TSA Administrator provide some insight into what that agency is trying to do with the limited resources it currently has available.

On the Floor

According to the House Majority Leader’s web site, we may actually see a vote on HR 3684, the Infrastructure Investment and Jobs Act. There is a lot of new cybersecurity program language and funding tied up in that bill. This is still tied up in the negotiations over the Build Back Better bill, so do not hold your breath waiting on the vote.

As I noted yesterday, we may see the Senate take up HR 4350, the FY 2022 NDAA, this week. The amendment process for that bill may see additional cybersecurity language added.

Sunday, October 24, 2021

Review - HR 5440 Introduced – Cyber Incident Reporting

Last month, Rep Clarke (D,NY) introduced HR 5440, the Cyber Incident Reporting for Critical Infrastructure Act of 2021. Similar to S 2875, this bill establishes the Cyber Incident Review Office in CISA and establishes requirements for cyber incident reporting. It amends the Homeland Security Act of 2002 by adding a new §2220A, Cyber Incident Review Office. No new funding is provided in the bill.

Moving Forward

Clarke and all three of her cosponsors {Rep Thompson (D,MS), Rep Katko (R,NY), and Rep Garbarino (R,NY)} are influential members of the House Homeland Security Committee to which this bill was assigned for consideration. This bill will move forward in Committee, but there will almost certainly be revisions made to the language of the bill before it is approved with strong bipartisan support.

I am not convinced that the strong support in Committee will allow this bill to move to the floor of the House. There will be some inter-committee posturing, with other committees seeking to keep more of the influence over these cybersecurity reporting requirements with the existing regulatory agencies. This would ensure that the leadership of those other committees would retain their influence on both such reporting and the regulatory responses to those reports. If this bill were to make it to the floor of the House, I suspect that it would receive bipartisan support.

Commentary

I am suitably impressed with the effort that the Committee Staff took in their use of language and definitions to ensure that cyberattacks on industrial control systems would be included in the regulations to be developed by CISA. There was one area, however, where that effort fell short. In the proposed §2220A(d)(5)(D) discussion of the content that would be required in the covered reports, the bill requires in clause (iv) that the report includes: “Where applicable, identification of the category or categories of information that was, or is reasonably believed to have been, accessed or acquired by an unauthorized person.” There is no corresponding requirement to report any specific information about operational technology or processes affected by the covered cyberattack. To correct this, I would suggest inserting a new clause (v):

“(v) Where applicable, identification of the operational control system, technology, or devices believed to have been accessed, modified or interrupted by an unauthorized person,”

While the language in this bill and S 2875 is not nearly identical, my comments about the weaknesses in the Senate bill also apply to this bill. To be effective, these reporting regulations will have to include provisions for CISA to specifically identify covered facilities and directly notify them of that status and their reporting obligations prior to a cyber incident occurring. Otherwise, facilities will be able to argue that they were unaware that they were specifically considered to be a covered facility with reporting responsibilities under the rules.

I am not sure how CISA would go about accomplishing that task in anything approaching a comprehensive manner. This may be the best argument for letting this designation responsibility remain with other federal regulating agencies and allowing CISA to be the recipient of the required reports.

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-5440-introduced - subscription required.

Senate to Begin Consideration of HR 4350 – FY 2022 NDAA

While there is no official word that the Senate will be considering HR 4350, the FY 2022 NDAA, this week, the first amendment to that bill was offered on Thursday, the last day that the Senate was in session this week. As expected, that amendment is essentially the language from S 2972, the version of the NDAA from the Senate Armed Services Committee. While I have not done a page-by-page review of SA 3867, the list of sections in the amendment is the same as in S 2972.

I expect that the Senate will formally begin consideration of HR 4350 late this week. The amendment submission process is likely to begin a day or two before that.

Interestingly, there have been 21 amendments submitted to S 2792 since September 27th. None of those amendments are of particular interest here and it does not look like any of them have been incorporated into SA 3867. It is likely that most of those amendments will be resubmitted as amendments to the substitute language for HR 4350.

Saturday, October 23, 2021

CRS Reports - Comparison of Selected Cyber Incident Reporting Bills

This week the Congressional Research Service published a report on “Cybersecurity: Comparison of Selected Cyber Incident Reporting Bills—In Brief”. This report provides a side-by-side comparison of key provisions of four current pieces of cybersecurity reporting legislation:

• HR 5440 – the Cyber Incident Reporting for Critical Infrastructure Act,

• S 2407 – the Cyber Incident Notification Act of 2021,

• S 2875 – the Cyber Incident Reporting Act of 2021, and

• S 2943 – the Ransom Disclosure Act

NOTE: I have not yet reviewed HR 5440.

Review - Public ICS Disclosures – Week of 10-16-21

This week we have ten vendor disclosures from ABB, Weidmueller, HMS (2), HPE (2), Meinberg, PulseSecure, QNAP, and VMware. We also have two researcher reports of vulnerabilities in products from SonicWall and RDP Manager. There were three exploits published for products from SonicWall and Mitsubishi (2).

ABB Advisory - ABB published an advisory describing an integrity check bypass in their free@home System Access Point product.

Weidmueller Advisory - CERT-VDE published an advisory discussing the INFRA:HALT vulnerabilities in the Weidmueller Remote I/O fieldbus couplers.

HMS Advisory #1 - HMS published an advisory discussing the BrakTooth vulnerabilities in their Anybus wireless products.

HMS Advisory #2 - HMS published an advisory discussing the BadAlloc vulnerabilities in their Anybus wireless products.

HPE Advisory #1 - HPE published an advisory describing an information disclosure vulnerability in their 6120XG Blade Switch.

HPE Advisory #2 - HPE published an advisory describing a cross-site scripting vulnerability in their Superdome Flex Server.

Meinberg Advisory - Meinberg published an advisory discussing the GPSD Rollover Bug.

PulseSecure Advisory - PulseSecure published an advisory describing a malformed packet request vulnerability in their Pulse Connect Secure software.

QNAP Advisory - QNAP published an advisory describing a command injection vulnerability in their QNAP NAS running the Media Streaming add-on.

VMware Advisory - VMware published an advisory describing an information disclosure vulnerability in their vRealize Operations Tenant App for VMware Cloud Director.

SonicWall Report - Vulnerability Lab published a report of a cross-site scripting vulnerability in the SonicWall SonicOS.

RDP Manager Report - Vulnerability Lab published a report of a denial-of-service vulnerability in the RDP Manager Windows software client.

SonicWall Exploit - Jacob Baines published an exploit for an improper access control vulnerability in the SonicWall SMA100 product.

Mitsubishi Exploit #1 - Hamit Cibo published an exploit for a reflected cross-site scripting vulnerability in the Mitsubishi ME RTU.

Mitsubishi Exploit #2 - Hamit Cibo published an exploit for a source code disclosure vulnerability in the Mitsubishi ME RTU.

For more details about these advisories, reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-10-c22 - subscription required.

Friday, October 22, 2021

Bills Introduced – 10-21-21

Yesterday, with both the House and Senate in session, there were 57 bills introduced. Four of those bills may receive additional coverage in this blog:

HR 5658 To require the Secretary of Homeland Security to submit a report on the cybersecurity roles and responsibilities of the Federal Government, and for other purposes.  Rep. Bacon, Don [R-NE-2]

S 3035 A bill to establish the Artificial Intelligence Hygiene Working Group, and for other purposes. Sen. Peters, Gary [D-MI]

S 3042 A bill making appropriations for the Departments of Commerce and Justice, Science, and Related Agencies for the fiscal year ending September 30, 2022, and for other purposes.

S 3045 A bill making appropriations for the Departments of Transportation, and Housing and Urban Development, and related agencies for the fiscal year ending September 30, 2022, and for other purposes.

I am not sure what to expect with S 3035. If you google ‘artificial intelligence hygiene’ you get references to the use of AI to modify/control hand washing in medical settings, but I do not think that that is the purpose of this bill. I suspect that it is cybersecurity related. If that is the case, I will be watching the bill for language and definitions that would include industrial control systems within its purview.

I will be covering the three remaining bills.

Thursday, October 21, 2021

HR 5593 Introduced - Cybersecurity Opportunity

Last week, Rep Johnson (D,GA) introduced HR 5593, the Cybersecurity Opportunity Act. This bill is nearly identical in intent to S 2305 introduced by Sen. Ossoff in June. This version is legislatively more complex, but it would still require DHS to “award grants to assist institutions of higher education that have an enrollment of needy students, historically Black colleges and universities, and minority-serving institutions, to establish or expand cybersecurity programs, to build and upgrade institutional capacity to better support new or existing cybersecurity programs.”

Johnson was not a member of either the House Education and Labor or Homeland Security Committee to which this bill was assigned for consideration. Of the 40 cosponsors, however, 10 are members of the House Homeland Security Committee and five are members of the Education and Labor Committee. This should mean that there would be adequate influence to see this bill considered in Committee. I see nothing in this bill that would engender any specific opposition. I suspect that the bill would receive at least some measure of bipartisan support even without any Republican cosponsors.


Review - 4 Advisories Published – 10-21-21

Today, CISA’s NCCIC-ICS published three control system security advisories for products from ICONICS/Mitsubishi (2) and Delta Electronics. They also published a medical device security advisory for products from Braun.

ICONICS/Mitsubishi Advisory #1 - This advisory describes an uncontrolled recursion vulnerability in the ICONICS GENESIS64 and Mitsubishi Electric MC Works64 products.

Delta Advisory - This advisory describes ten vulnerabilities in the Delta DIALink industrial automation server.

ICONICS/Mitsubishi Advisory #2 - This advisory describes two vulnerabilities in the ICONICS GENESIS64, Mitsubishi Electric MC Works64 products.

Braun Advisory - This advisory describes five vulnerabilities in the B. Braun Perfusor Space, Infusomat Space, SpaceCom, Battery Pack SP with WiFi products.

For more details on the advisories, including links to 3rd-party vendor reports and researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-published-10-21-21 - subscription required.

Review - BIS Publishes Cybersecurity Export Controls Interim Final Rule

Today the DOC’s Bureau of Industry and Security (BIS) published an interim final rule (IFR) in the Federal Register (86 FR 58205-58216) on “Information Security Controls: Cybersecurity Items”. This interim final rule outlines the progress the United States has made in export controls pertaining to cybersecurity items and revised Commerce Control List (CCL) implementation.

According to the Summary from the preamble:

“Specifically, this rule establishes a new control on these items for National Security (NS) and Anti-terrorism (AT) reasons, along with a new License Exception Authorized Cybersecurity Exports (ACE) that authorizes exports of these items to most destinations except in the circumstances described. These items warrant controls because these tools could be used for surveillance, espionage, or other actions that disrupt, deny or degrade the network or devices on it.”

The effective date for this IFR is January 19th, 2022. BIS is soliciting public comments on this rule. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # BIS-2020-0038). Comments should be submitted by December 6th, 2021.

For more details about the IFR including changes to the existing cyber related ECCNs, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bis-publishes-cybersecurity-export - subscription required.

Bills Introduced – 10-20-21

Yesterday, with both the House and Senate in session, there were 46 bills introduced. One of those bills will receive additional coverage in this blog:

S 3023 A bill making appropriations for the Department of Defense for the fiscal year ending September 30, 2022, and for other purposes. Sen. Tester, Jon [D-MT] 

In many ways this is a symbolic bill, since there will almost certainly not be a standalone DOD spending bill passed this year; we will have some sort of omnibus spending bill dropped in December. The importance of this bill will lie with the Committee Report that will provide key spending and reporting requirements directed by the Senate Appropriations Committee.

Wednesday, October 20, 2021

HR 4611 Passed in House - Software Supply Chain Risk Management

This afternoon the House voted on HR 4611, the DHS Software Supply Chain Risk Management Act of 2021. The bill passed by a near unanimous vote of 412 to 2. The bill was initially considered under the suspension of the rules process on September 29th, 2021. At the end of the debate a recorded vote was demanded by Rep Posey (R,FL).

The bill would require DHS to develop guidance for new contracts for covered information and communications technology or services for the inclusion of a planned bill of materials and a certification that each item listed in the BOM is free from all known security vulnerabilities or defects.

The bill now goes to the Senate where, if it is to be considered as a standalone bill, it will have to be considered under the unanimous consent process.

Bills Introduced – 10-19-21

Yesterday, with both the House and Senate in session, there were 54 bills introduced. Two of those bills may receive additional coverage in this blog:

HR 5616 To require reporting regarding accreditation of basic training programs of the Department of Homeland Security, and for other purposes. Rep. Demings, Val Butler [D-FL-10]

S 2993 A bill to amend the Homeland Security Act of 2002 to establish in the Cybersecurity and Infrastructure Security Agency the National Cyber Exercise Program, and for other purposes. Sen. Rosen, Jacklyn [D-NV]

I will be watching HR 5616 for language and definitions that would indicate that Chemical Security Inspectors would be covered under the provisions of the bill.

S 2993 will be covered in this blog. 

Review - OMB Approves EPA SERC Survey ICR

Yesterday, the OMB’s Office of Information and Regulatory Affairs issued a new OMB Control Number for an information collection request from the EPA. Control Number 2050-0224 provides data collection authority for “Survey of State Emergency Response Commissions (SERCs)”. The new survey form will provide the EPA with a comprehensive look at the current state of SERCs and the Local Emergency Planning Commissions (LEPCs) established under §301 of the Emergency Planning and Community Right-To-Know Act of 1986 (EPCRA) (42 USC 11001).

I hope that the response rate from the State and Tribal SERCs is much closer to 100% than the EPA’s predictions. SERCs and LEPCs form a potentially important backbone for emergency response planning for chemical emergencies. I think that that backbone is currently weak and needs additional support. A survey like this could provide both the EPA and Congress with the information necessary to identify the extent of the current weaknesses in this important program.

For more details on the survey and EPA’s ICR, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/omb-approves-epa-serc-survey-icr - subscription required.

Tuesday, October 19, 2021

Review - S 2943 Introduced - Ransom Disclosure

Earlier this month, Sen Warren (D,MA) introduced S 2943, the Ransom Disclosure Act. This is very similar to S 2926, which Warren introduced two days earlier. As with that slightly earlier bill, S 2943 would require covered individuals to report ransomware payments to DHS and require DHS to publish an annual report to Congress about such ransomware reporting.

Warren is not a member of the Senate Homeland Security and Governmental Affairs Committee to which this bill was referred. This means that there is probably insufficient influence to see this bill considered in Committee. I suspect that there would be little support for this bill in that Committee. I would not be surprised to see this bill included as a potential amendment to a larger authorization bill on the floor of the Senate.

I would like to note that I pointed out each of the three major problems corrected in this version of the bill in my post about S 2926. I cannot, however, claim to have influenced Warren’s staff to make these changes; S 2943 was introduced five days before I wrote my ‘influential’ post. Besides, they did not correct the most important problem, the huge definitional loophole.

For more details about the differences between the two bills, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2943-introduced - subscription required.

Review - 2 Advisories Published – 10-19-21

Today CISA’s NCCIC-ICS published two control system security advisories for products from Trane and AUVESY.

Trane Advisory - This advisory describes a cross-site scripting vulnerability in the Trane Tracer SC Building Automation Controllers.

AUVESY Advisory - This advisory describes 17 vulnerabilities in the AUVESY versiondog data management software.

For more details about the two advisories, including a link to the researcher report, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-published-10-19-21 - subscription required.

OMB Approves Suspension of LNG by Rail Rule

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a notice of proposed rulemaking (NPRM) from the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) for “Suspension of HMR Amendments Authorizing Transportation of Liquefied Natural Gas by Rail”. This rulemaking was sent to the OIRA back in September. The NPRM could be published in the Federal Register as early as this week.

Monday, October 18, 2021

Review - S 2979 Introduced - NTIA Policy and Cybersecurity Coordination

Earlier this month, Sen Hickenlooper (D,CO) introduced S 2979, the NTIA Policy and Cybersecurity Coordination Act. The bill would amend 47 USC Chapter 8, National Telecommunications and Information Administration, adding a new §106, Office of Policy Development and Cybersecurity. The bill includes some specific cybersecurity support requirements for NTIA. The bill does not authorize any additional funds for NTIA.

Both Hickenlooper and his sole cosponsor {Sen Capito (R,WV)} are members of the Senate Commerce, Science, and Transportation Committee to which this bill was assigned for consideration. This means that there should be sufficient influence to see the bill considered in Committee. I see nothing in the bill that would engender any specific opposition. I suspect that the Committee would approve the bill with significant bipartisan support. This bill is unlikely to make it to the floor of the Senate as a standalone bill, but it could be added to a spending or authorization bill as an amendment.

For more details on the cybersecurity taskings for the new Office, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2979-introduced - subscription required.

Committee Hearings – Week of 10-17-21

This week, with both the House and Senate in Washington, there is a relatively light hearing schedule. There are two oversight hearings of potential interest here. There is one cybersecurity bill that may finally come up for a vote in the House.

Oversight Hearings

On Tuesday the Oceans, Fisheries, Climate Change, and Manufacturing Subcommittee of the Senate Commerce, Science and Transportation Committee will hold an oversight hearing on the Coast Guard. The witnesses include the Commandant and the senior enlisted person. According to the Committee’s web site, the hearing will look at “the Coast Guard’s role to safeguard our nation’s maritime interests to include budget oversight, oil spill response, marine safety, handling of sexual assault and harassment in the service, and diversity, equity, and inclusion.” I will be surprised if there are any cybersecurity questions raised.

On Thursday, the Senate Judiciary Committee will hold an oversight hearing on the Department of Homeland Security. The sole witness will be the Secretary. There is no information about the scope of the hearing. With this being the Judiciary Committee, I would not be surprised to see some questions on the Department’s legal responsibilities with respect to cybersecurity.

On the Floor

According to the House Majority Leader’s ‘Weekly Leader’ site, we may finally see a vote on HR 4611, the DHS Software Supply Chain Risk Management Act of 2021. This bill was considered in the House on September 29th under the suspension of the rules process. At the end of the debate a recorded vote was demanded. The bill has been on the list of potential bills for a vote on a couple of occasions since that debate. I expect that the bill will pass when the vote is held.

Bills Introduced – 10-15-21

On Friday, with the House meeting in pro forma session, there were 32 bills introduced. One of those bills will receive additional coverage in this blog:

HR 5593 To enhance cybersecurity education. Rep. Johnson, Henry C. "Hank," Jr. [D-GA-4] 

Normally, I would have published this post on Saturday, but there was some sort of problem over at Congress.gov. No listing of bills introduced on Friday was available until this morning.

Sunday, October 17, 2021

Public ICS Disclosures – Week of 10-9-21 – Part 2

This week we have four vendor disclosures from Schneider and three updates from Siemens.

Schneider Advisory #1 - Schneider published an advisory describing an incorrect resource transfer between spheres vulnerability in their spaceLYnk, Wiser For KNX, and fellerLYnk products.

Schneider Advisory #2 - Schneider published an advisory describing an improper input validation vulnerability in their Modicon M218 Logic Controller product.

Schneider Advisory #3 - Schneider published an advisory describing 11 vulnerabilities in their Conext™ Advisor 2 and Conext™ Control V2 products.

Schneider Advisory #4 - Schneider published an advisory discussing the Amnesia:33 vulnerabilities in their Modicon TM5 modules.

Siemens Update #1 - Siemens published an update of their GNU/Linux advisory that was originally published in 2018 and most recently updated on September 14th, 2021.

Siemens Update #2 - Siemens published an update of their Amnesia:33 advisory that was originally published on March 9th, 2021 and most recently updated on August 10th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-21-068-06) for these vulnerabilities.

Siemens Update #3 - Siemens published an update of their FragAttacks advisory that was originally published on July 13th, 2021.

For additional information on these disclosures, including links to 3rd party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-10-d2a - subscription required.

Saturday, October 16, 2021

Review - TSA Publishes Top 100 Most Critical Pipelines 30-day ICR Revision Notice

This week the TSA published a 30-day Information Collection Request (ICR) revision notice in the Federal Register (86 FR 57197-57198) for a revision to their “Critical Facility Information of the Top 100 Most Critical Pipelines” (1652-0050) ICR. The 60-day ICR notice was published on June 30th, 2021. This ICR revision is a follow-up to the emergency ICRs approved back in late May for the increased cybersecurity reporting requirements in the TSA’s Pipeline Cybersecurity Directive and for supporting the requirements of TSA Pipeline Security Directive #1.

There were three comments received on the 60-day notice published for this proposed ICR revision. The TSA published their responses [.docx download link] to the issues raised in those comments. As required by 44 U.S.C. 3501 et seq., TSA is again requesting comments on the 30-day ICR notice published this week. Comments may be submitted directly to OIRA by accessing the ICR page for this collection and clicking on the ‘Comment’ box near the top center of the page. Comments should be submitted by November 15th, 2021.

For more details about this ICR notice, including details about the new Pipeline Cybersecurity Self-Assessment form, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/tsa-publishes-top-100-most-critical - subscription required.

Review - Public ICS Disclosures – Week of 10-9-21 – Part 1

This week we have nine vendor disclosures from Aruba Networks, Braun, DrayTek, Omron, Hitachi, SonicWall, and VMware (3). We also have an update from Yokogawa. Finally, there are four researcher reports for products from Fuji Electric.

Aruba Advisory - Aruba published an advisory describing 18 vulnerabilities in their ClearPass Policy Manager product.

Braun Advisory - Braun published an advisory discussing the Ripple20 vulnerabilities.

DrayTek Advisory - DrayTek published an advisory describing two vulnerabilities in their VigorConnect software.

Omron Advisory - JPCERT published an advisory describing an out-of-bounds read vulnerability in the Omron CX-Supervisor.

Hitachi Advisory - Hitachi published an advisory discussing 30 vulnerabilities in their Disk Array Systems.

SonicWall Advisory - SonicWall published an advisory describing a host header redirection vulnerability in their SonicOS product.

VMware Advisory #1 - VMware published an advisory describing a server side request forgery in their vRealize Operations products.

VMware Advisory #2 - VMware published an advisory describing a CSV injection vulnerability in their vRealize Log Insight product.

VMware Advisory #3 - VMware published an advisory describing an open redirect vulnerability in their vRealize Orchestrator product.

Yokogawa Update - Yokogawa published an update for their Ripple20 advisory that was originally published on May 31st, 2021.

Fuji Reports - The Zero Day Initiative published four reports of 0-day vulnerabilities in the Alpha5 Servo Operator product from Fuji Electric.

For more details on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-10-61d - subscription required.


Friday, October 15, 2021

CISA Announces NSTAC Meeting – 11-2-21

Today, CISA published a meeting notice in the Federal Register (86 FR 57437-57438) for the President’s National Security Telecommunications Advisory Committee (NSTAC) meeting on November 2nd, 2021. While the Committee will be meeting in person in Washington, DC, members of the public wanting to participate in the meeting will join the meeting via teleconference.

According to the Notice, the following items will be on the public agenda for the meeting:

• A keynote address on fortifying the Nation's cybersecurity posture,

• An update on Administration actions to NSTAC and joint national security and emergency preparedness (NS/EP) communications,

• A deliberation and vote on the NSTAC Report to the President on Software Assurance in the Information and Communications Technology and Services Supply Chain, and

• A status update from the NSTAC Zero-Trust and Trusted Identity Management Subcommittee.

After the above agenda items are completed, the Committee will meet in private to receive a classified intelligence briefing concerning threats to NS/EP communications.

Non-Committee personnel wishing to join the teleconference need to contact NSTAC by email (NSTAC@cisa.dhs.gov) before October 26th. Public comments on the topics listed above can be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket #CISA-2021-0016). Comments should be submitted by October 18th. More information on the meeting will be available on the NSTAC web site.

New CFATS Job Opening – 10-13-21 thru 10-21-21

Yesterday Annie Hunziker Boyer, a Branch Chief in CISA, announced a new job opening in the Chemical Facility Anti-Terrorism Standards (CFATS) program in CISA’s Office of Chemical Security. According to the USAJobs.gov site for the opening, this is a Program Analyst (GS 12-13) position in Arlington, VA.

I asked Annie if this was the same job that I reported on a couple of weeks ago; she said it was a different position; “This one is part of the team that works on our CFATS policies, regs, and the supporting packages, like information collection requests. They're part of different teams within the branch.”

If you live in the Washington, DC area (or are willing to move there on your own dime) and are interested in working in the CFATS program, take a look at this position. The application period closes on Thursday, October 21st, 2021. Start early; the USAJobs application process has always been challenging.

OMB Approves BIS Information Security Controls Interim Final Rule

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved the interim final rule submitted by the DOC’s Bureau of Industry and Security (BIS) on “Information Security Controls: Cybersecurity Items”. This action is a continuation of the BIS attempt in 2015 to publish Export Administration Regulations (EAR) implementing export security controls on selected cybersecurity products. This rulemaking was submitted to OIRA on September 17th, 2021.

Interestingly, the OIRA announcement lists this as an ‘interim final rule’ while the Spring 2021 Unified Agenda listing shows that it should be a ‘notice of proposed rulemaking’. We will have to wait for BIS to publish the rule in the Federal Register in the coming week or two.

Review – 13 Updates Published – 10-14-21

Yesterday CISA’s NCCIC-ICS published 13 updates for control system security advisories for products from Siemens. Siemens published an additional three updates on Tuesday that I will discuss this weekend.

PROFINET Update #1 - This update provides additional information on an advisory that was originally published on May 9th, 2017 and most recently updated on June 8th, 2021.

Industrial Products Update #1 - This update provides additional information on an advisory that was originally published on December 5th, 2017 and most recently updated on June 8th, 2021.

SCALANCE Update #1 - This update provides additional information on an advisory that was originally published on March 26th, 2019 and most recently updated on January 14th, 2020.

PROFINET Update #2 - This update provides additional information on an advisory that was originally published on October 10th, 2019 and most recently updated on June 8th, 2021.

Industrial Real-Time Update - This update provides additional information on an advisory that was originally published on October 10th, 2019 and most recently updated on February 9th, 2021.

PROFINET-IO Update - This update provides additional information on an advisory that was originally published on February 11th, 2020 and most recently updated on September 14th, 2021.

SCALANCE Update #2 - This update provides additional information on an advisory that was originally published on May 11th, 2021 and most recently updated on August 10th, 2021.

SIMATIC Update - This update provides additional information on an advisory that was originally published on May 11th, 2021 and most recently updated on September 14th, 2021.

Linux-based Products Update - This update provides additional information on an advisory that was originally published on May 11th, 2021 and most recently updated on September 14th, 2021.

PROFINET Update #3 - This update provides additional information on an advisory that was originally published on July 11th, 2021 and most recently updated on September 14th, 2021.

SIPROTEC 5 Update #1 - This update provides additional information on an advisory that was originally published on September 14th, 2021.

SIPROTEC 5 Update #2 - This update provides additional information on an advisory that was originally published on September 14th, 2021.

RUGGEDCOM Update - This update provides additional information on an advisory that was originally published on September 16th, 2021.

For more information on these updates, including a list of items changed, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/13-updates-published-10-14-21 - subscription required.

Thursday, October 14, 2021

Review – 9 Advisories Published – 10-14-21

Today CISA’s NCCIC-ICS published nine control system security advisories for products from Siemens (6), Mitsubishi, Uffizio, and Schneider Electric. The Siemens advisories upon which the NCCIC-ICS advisories are based were published on Tuesday. NCCIC-ICS also published 13 updates that I will discuss in a later post.

SIMATIC Advisory - This advisory describes a missing authentication for critical function vulnerability in the Siemens SIMATIC Process Historian.

RUGGEDCOM Advisory - This advisory describes an uncontrolled resource consumption vulnerability in the Siemens RUGGEDCOM ROX, switches and serial-to-Ethernet devices.

SCALANCE Advisory - This advisory discusses 15 vulnerabilities in the SCALANCE W1750D software management platform.

Solid Edge Advisory - This advisory describes ten vulnerabilities in the Siemens Solid Edge, 3D CAD and solid modeling software.

SINEC NMS Advisory - This advisory describes 15 vulnerabilities in the Siemens SINEC NMS network management software.

SINUMERIK Advisory - This advisory describes a heap-based buffer overflow vulnerability in the Siemens SINUMERIK Controllers.

Mitsubishi Advisory - This advisory describes an authorization bypass through user-controlled key in the Mitsubishi MELSEC iQ-R Series CPU Module.

Uffizio Advisory - This advisory describes five vulnerabilities in the Uffizio GPS Tracker software.

Schneider Advisory - This advisory describes an improper privilege management vulnerability in the Schneider ConneXium Network Manager (CNM) Software.

NOTE: Schneider published four other new advisories this week. I will address those this weekend.

For more details about these advisories, including links to third-party advisories and vulnerability reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/9-advisories-published-10-14-21 - subscription required.

Wednesday, October 13, 2021

HR 5501 Introduced – Ransom Disclosure

Last week Rep Ross (D,NC) introduced HR 5501, the Ransom Disclosure Act. This is very similar to S 2926 that was also introduced last week, but two significant differences exist. One of the changes made in the House bill modifies (reduces) the overly long reporting deadline that was found in the Senate bill.

Differences

In §2(b) the House version of the bill provides a 48-hour time limit for reporting ransom payments, where the Senate version gives the ransom payer seven days to make the same notification.

In §2(g)(1) the House version of the bill gives DHS 60 days to establish a web site for voluntary reporting of ransom payments by individuals. In the Senate bill, the same paragraph used a specific date (December 21st, 2021) as the deadline for establishing the same web site. The use of a date-certain as a requirement in a piece of legislation is fraught with difficulties since no one can predict when a bill will be taken up, or what obstacles will be encountered en route to the President’s desk.

Moving Forward

Ross is not a member of the House Energy and Commerce Committee to which this bill was assigned for consideration. As with S 2926, this means that there is probably insufficient influence to see the bill considered in Committee. I am not sure how the Committee would vote if the bill were considered as there is little history of consideration of this type of cybersecurity related bill by this Committee. Most bills of this type are referred to the House Homeland Security Committee. The Energy and Commerce Committee might just favorably report this bill just to keep a hand in the game.

NTCSAC Meeting to Look at LNG Load Limits Tasking

The Coast Guard published a meeting notice in today’s Federal Register (86 FR 56967-56968) concerning a teleconference on November 2nd, 2021 for the National Chemical Transportation Safety Advisory Committee. The meeting will include the CG presentation of a new tasking for the Committee to look at: “LNG Carrier Loading Limits and Formation of Isolated Vapor Pockets.”

Additional information on the meeting and the new tasking will be on the NTCSAC web site by October 26th. NOTE: there appears to be some problems with the NTCSAC web site and all of the other Federal Advisory Committee web sites this morning; hopefully it will be corrected by October 26th.

The meeting is open to the public and there will be a time set aside for public comments during the teleconference. For information on joining the teleconference or submitting public comments, contact Lieutenant Ethan T. Beard, telephone 202-372-1419, fax 202-372-8382 or Ethan.T.Beard@uscg.mil.

Review - HR 5412 Introduced – FY 2022 Intel Authorization

Last month, Rep Schiff (D,CA) introduced HR 5412, the Intelligence Authorization Act for Fiscal Year 2022. This is one of the annual ‘must pass’ bills; it provides authorization for the activities of the various intelligence services within the federal government. There is one cybersecurity provision this year, and there is one cybersecurity mention in passing. Funding is authorized by this bill, but the amounts are included in a classified annex.

The House Permanent Select Committee on Intelligence amended and ordered this bill reported on the 30th of September. Neither that report nor the amended language have been forwarded to the GPO yet for publication. Once those are published, the House is expected to take up the bill. It will almost certainly pass. Even though the bill did pass in Committee by a voice vote, I will have to wait and see the Minority Views section of the Committee Report before I will be willing to attempt to forecast how much bipartisan support it will receive.

For more details on the cybersecurity provision and mention in passing, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-5412-introduced - subscription required.

Tuesday, October 12, 2021

Review - 3 Advisories Published – 10-12-21

Today CISA’s NCCIC-ICS published three control system security advisories for products from Schneider and Advantech (2).

Schneider Advisory - This advisory describes four vulnerabilities in the Schneider Interactive Graphical SCADA System (IGSS).

Advantech Advisory #1 - This advisory describes two vulnerabilities in the Advantech WebAccess HMI platform.

Advantech Advisory #2 - This advisory describes a missing authorization vulnerability in the Advantech WebAccess/SCADA.

Commentary

This is the first time since Siemens joined the 2nd Tuesday Club that NCCIC-ICS has not published a swath of Siemens advisories and updates. I suspect that this was at least partially caused by yesterday’s holiday. I expect that NCCIC-ICS will publish the Siemens advisories on Thursday.

For more details on today’s advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-published-10-12-21 - subscription required.

Monday, October 11, 2021

Review - S 2926 Introduction – DHS Ransom Notification

Last week, Sen Warren (D,MA) introduced S 2926 (no formal name). The bill would require broadly defined covered individuals to report ransomware payments within 7 days of the payment being made. DHS would be required to prepare annual reports about such notifications.

Warren is not a member of the Senate Homeland Security and Governmental Affairs Committee to which this bill was referred. This means that there is probably insufficient influence to see this bill considered in Committee. I suspect that there would be little support for this bill in that Committee. I would not be surprised to see this bill included as a potential amendment to a larger authorization bill on the floor of the Senate.

Commentary

So many problems, so little space… First, the problem of definitions. The ‘covered entity’ definition is the most sweeping definition I have seen to date in this space. The exclusion of ‘an individual’ is not even that important, since information systems owned by a family would not technically be included in the exception. The bigger problem is the huge loophole in the ransom definition that effectively exempts all non-federal-agency entities from any reporting requirement. This is nitpicking, but lawyers get large sums of money for picking nits, and corporate lawyers do it extremely well.

The seven-day reporting deadline is the longest that I have seen in any bill. And given the very limited nature of the information required to be reported, it is completely unjustified. Any company making a ransomware payment would easily be able to report the required information within, say, 30 minutes of making the payment.

And the DHS study requirements? How much studying will it take for DHS to determine the “extent to which cryptocurrency has facilitated” ransomware attacks? Popular TV shows to the contrary, the FBI figured out how to deal with large cash drops years ago.

For more details about the provisions of the bill, including a detailed look at the problems with definitions, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2926-introduction - subscription required.
