Witness List for Thursday Cybersecurity Hearing

The witness list for the hearing on transportation cybersecurity that I described yesterday is now available on the House Transportation and Infrastructure Committee’s hearing web site. The list of witnesses includes:

• Cordell Schachter, DOT,

• Larry Grossman, FAA,

• Victoria Newhouse, TSA,

• Rear Admiral John W. Mauger, USCG,

• Kevin Dorsey, DOT IG, and

• Nick Marinos, GAO

This is a very interesting line up. I suspect that this will be two different panels. The first three witnesses would look at pending TSA cybersecurity regulations for the aviation sector. The last two witnesses would be there to talk about potential DOT oversight of cybersecurity. But that leaves Admiral Mauger as the odd man out.

The CG has become more and more proactive about cybersecurity matters as part of their Maritime Transportation Security Act programs. I suspect that the Admiral is being included to show that the safety folks are capable of handling cybersecurity and do not need interference from TSA. I am not sure the CG’s point of view really supports that since security is part of their military mission.

This hearing also points out the cybersecurity oversight issue (okay, any kind of security oversight) in Congress. Transportation and Infrastructure has (obviously) transportation oversight responsibilities. Since the TSA impacts transportation, they share some oversight of TSA with the House Homeland Security Committee. T&I wants more cybersecurity responsibility (okay… authority) and if they can keep TSA out and make cybersecurity a modal agency responsibility, they will get that authority.

It should be an interesting hearing.

Review - 5 Advisories and 2 Updates Published – 11-30-21

Today, CISA’s NCCIC-ICS published five control system security advisories for products from Hitachi Energy, Johnson Controls, Delta Electronics, Mitsubishi Electric, and Xylem. They also updated two advisories for products from multiple RTOS and InHand Networks.

Hitachi Energy Advisory - This advisory describes an improper access control vulnerability in the Hitachi Energy Retail Operations and Counterparty Settlement and Billing (CSB) Product.

NOTE: I briefly discussed the two supporting Hitachi Energy advisories along with five others on November 6^th, 2021.

Johnson Controls Advisory - This advisory discusses an off-by-one error vulnerability in the Johnson Controls Controlled Electronic Management Systems Ltd. CEM Systems AC2000.

Delta Electronics Advisory - This advisory describes a stack-based buffer overflow vulnerability in the Delta Electronics CNCSoft software management software.

Mitsubishi Advisory - This advisory describes three vulnerabilities in the Mitsubishi MELSEC CPU module and MELIPC Series software management platform.

Xylem Advisory - This advisory describes an SQL injection vulnerability in the Xylem Aanderaa GeoView web-based data display.

Multiple RTOS Update - This update provides additional information on an advisory that was originally published on April 29^th, 2021 and most recently updated on August 17^th, 2021.

NOTE 1: I briefly discussed the reported Hitachi Energy RTU500 advisory on November 20^th.

NOTE 2: I briefly discussed the reported Hitachi Energy MSM advisory on August 21^st, 2021.

InHand Networks Update - This update provides additional information on an advisory that was originally published on October 7^th, 2021.

NOTE: InHand went from a notation of “InHand Networks has not responded to requests to work with CISA to mitigate these vulnerabilities” to having a vendor security advisories page with vulnerability reporting contact information and PGP public key listing. I hope they keep it up; it has been added to my weekly checklist.

For more details on these advisories and updates, including links to 3^rd party vendors and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-advisories-and-2-updates-published - subscription required.

Senate Amendments to HR 4350 – 11-29-21

Yesterday, the Senate resumed their consideration of HR 4350, the FY 2022 National Defense Authorization Act (NDAA). There were 25 new amendments proposed for the Senate’s consideration, none were of particular interest here. The Senate held a cloture vote to close debate on the substitute language amendment (SA 3867), the vote failed by a vote of 45 to 51 (60 votes required for passage) with liberal Democrats joining most Republicans in voting against closing the debate.. The vote failed because of the lack of an agreement on what amendments to SA 3867 would be considered before the final vote on the substitute language was held. The Senate will continue consideration of HR 4350 today.

Note: Sen Schumer’s (D,NY) ‘nay’ vote was made after cloture failed and did not reflect opposition to the cloture move. It was made to allow him (under Senate rules) to request reconsideration of the cloture vote, which he did. No word yet on when that vote will occur.

Review - ChemLock – Secure Your Chemicals – Delay

NOTE: On November 18^th, 2021, CISA announced their new voluntary chemical security program, ChemLock. This post is part of a deep dive into that program. Earlier posts in this series include:

CISA Announces ChemLock – Voluntary Chemical Facility Security (short version)

ChemLock and the Chemical Security Summit

ChemLock – On-Site Assessments and Assistance (short version)

ChemLock – Secure Your Chemicals – Overview (short version)

ChemLock – Secure Your Chemicals – Detect (short version)

While early detection of an attack on the chemical facility is certainly important, the longer an attacker is delayed from reaching their chemical targets the more time the facility and its security response have react appropriately to the attack. This is the reason behind Chapter 4 of the ChemLock Secure Your Chemicals manual, ‘Delay’. This chapter provides a brief overview of:

• Perimeter and asset barriers

• Physical locking mechanisms

• Access control

• Inspections

• Screenings

• Know-your-customer program

As I mentioned in the previous post in this series, the discussions in this section fall far short of providing facility security officers with all of the knowledge necessary to implement delay features in their facility security plans. It provides an overview of considerations to help FSO’s ask the right questions of CSI, vendors and integrators.

Committee Hearings – Week of 11-28-21

This week, both the House and the Senate are back in Washington after their Thanksgiving recess. The hearing schedule is light, with the Senate committees concentrating on nomination considerations. There will be one cybersecurity hearing in the House. The Senate will continue debate of HR 4350, the FY 2022 NDAA. And, of course, midnight Friday is the deadline for passing a spending bill.

Cybersecurity Hearing

On Thursday the House Transportation and Infrastructure Committee will hold a hearing on “The Evolving Cybersecurity Landscape: Federal Perspectives on Securing the Nation's Infrastructure”. There is no witness list currently available for this hearing.

On the Floor

The Senate resumes consideration of HR 4350, the FY 2022 National Defense Authorization Act (NDAA). There has been no announcement of an agreement on what amendments may make it to the floor of the Senate.

The House schedule currently includes 24 bills to be considered under the suspension of the rules process. This includes three cyber related bills that I have not covered in this blog:

HR 2685 – Understanding Cybersecurity of Mobile Networks Act, as amended,

HR 4045 – FUTURE Networks Act, as amended, and

HR 4055 – American Cybersecurity Literacy Act, as amended.

The House schedule also includes a generic listing for “Consideration of Legislation Making Further Appropriations for FY22”, but it almost certainly does not refer to an actual spending bill. It will most likely be a continuing resolution of some length. The options being considered include before Christmas, January/February, or September 31^st, 2022. None of the options are ‘good’, all are politically fraught.

CRS Report - Cybersecurity: Selected Cyberattacks, 2012-2021

This report to Congress provides a brief overview of 53 cyberattacks conducted against either the US government of private sector entities in the last ten years. It describes attribution in cyberspace, confidence of attribution, and common types of cyberattack.

Sections in the report include:

• Attribution,

• Common cyberattack terms,

• Nation-state cyberattacks, and

• Foreign criminal cyberattacks

This is a highly generalized discussion for non-technical personnel. The definition of terms section is nicely done. The selection of attacks presented is broadly representative rather than comprehensive.

Review – Public ICS Disclosures – Week of 11-20-21

This week we have ten vendor disclosures from Advantech, Hitachi, Hitachi Energy (2), Moxa (2), QNAP (2), and VMware. There is also an update from Mitsubishi. Additionally, we have two researcher reports for vulnerabilities for products from PerFact and Philips. Finally, we have an exploit for a product from ModbusTools.

Advantech Advisory - Advantech published an advisory describing five sets of vulnerabilities (each set corresponding to a separate Talos report containing multiple vulnerabilities) in their R-SeeNet application.

Hitachi Advisory - Hitachi published an advisory discussing 24 vulnerabilities in their Disk Array Systems.

Hitachi Energy Advisory #1 - Hitachi Energy published an advisory describing two vulnerabilities in their XMC20 product.

Hitachi Energy Advisory #2 - Hitachi Energy published an advisory describing two vulnerabilities in their FOX61x product.

Moxa Advisory #1 - Moxa published an advisory describing eleven vulnerabilities in their ioLogik E2200 Series Controllers and I/Os.

Moxa Advisory #2 - Moxa published an advisory describing three vulnerabilities in their NPort IAW5000A-I/O Series Servers.

QNAP Advisory #1 - QNAP published an advisory describing an improper authentication vulnerability in their VS Series NVR.

QNAP Advisory #2 - QNAP published an advisory describing a command injection vulnerability in their VS Series NVR.

VMware Advisory - VMware published an advisory describing two vulnerabilities in their vCenter Server.

Mitsubishi Update - Mitsubishi published an update for their GENESIS64 and MC Works64 advisory that was originally published on October 21^st, 2021.

PerFact Report - Claroty published a report describing vulnerabilities in VPN products in use in industrial applications including a previously unpublished server-side request forgery vulnerability in products from PerFact.

Philips Report - Nozomi Networks published a report describing five vulnerabilities in patient monitoring products from Philips.

ModbusTools Exploit - Yehia Elghaly published an exploit for an improper restriction of operations within the bounds of a memory buffer vulnerabilty in the Modbus Slave tool from ModbusTools.

For more details on these advisories, updates, reports and exploits, including links to supporting third-party vulnerabilities, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11-857 - subscription required.

Review - ChemLock – Secure Your Chemicals – Detection

NOTE: On November 18^th, 2021, CISA announced their new voluntary chemical security program, ChemLock. This post is part of a deep dive into that program. Earlier posts in this series include:

CISA Announces ChemLock – Voluntary Chemical Facility Security (short version)

ChemLock and the Chemical Security Summit

ChemLock - On-Site Assessments and Assistance (short version)

ChemLock – Secure Your Chemicals – Overview (short version)

The first goal of any security program is ensuring that you can detect an attack as early as possible. Thus, Chapter 3 of the ChemLock Secure Your Chemicals manual discusses ‘detection’ as it relates to the physical security of the facility (detection of cyberattacks is discussed separately). This chapter provides a brief overview of:

• Intrusion detection systems (IDS),

• Camera systems,

• Employees or on-site security personnel,

• Security lighting, and

• Inventory controls

The chapter briefly discusses the importance of detecting an attack as early as possible to allow for appropriate response measures to prevent the attack or minimize the potential consequences of the attack. The discussion mentions that: “detection needs to occur prior to an attack (i.e., in the attack-planning stages)” {pg 16} but does not provide any information on what that entails. Back in 2008 I addressed the ‘Seven Signs of Terrorism’ video which is apparently no longer available, but the New Jersey Office of Homeland Security & Preparedness has a brief presentation available that covers the concept nicely.

The discussions about detection in this manual are brief looks at potential considerations and type listings. They are hardly going to make the facility security manager a subject matter expert on any of these topics. CISA’s Office of Chemical Security is offering the services of their chemical security inspectors to help facilities get a better handle on these topics, but it is going to come down to hiring physical security experts to really make these detection systems effective.

For more details about, and discussions on, the topics covered in this chapter, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/chemlock-secure-your-chemicals-4f6  - subscription required.

S 3241 Introduced – HACT Act

Last Week Sen Kennedy (R,LA) introduced S 3241, the Homeland And Cyber Threat (HACT) Act. The bill would remove foreign state immunity from lawsuits brought for injuries incurred from computer intrusions by a foreign state. The bill is nearly identical to HR 1607 of the same title that was introduced in the House back in March and has not seen any legislative activity since it was introduced.

The only difference in the two bills is that the Senate version corrects a critical legislative oversight in the House version by inserting a subsection (b), Technical and Conforming Amendment. That subsection would amend the ‘table of sections’ for 28 USC Chapter 97 to include the section added by this bill. The absence of this subsection in the House bill calls into question the level of professionalism in the crafters of the bill in the House.

Kennedy is a member of the Senate Judiciary Committee to which this bill was assigned for consideration. He should have the influence necessary to see this bill considered by the Committee. Again, as with HR 1607, I do not believe that the bill will be considered as it directly impacts sovereign immunity, a touchy subject. I believe that we would have to see a serious cyberattack on private sector systems that has a clear attribution back to a State actor for Congress to act on either of these bills. Introducing bills such as this, however, is a good political move in many constituencies.

CISA Announces Initial Cybersecurity Advisory Committee Meeting – 12-10-15

CISA published a meeting notice in tomorrow’s (on-line today) Federal Register (86 FR 67484-67485) for the initial meeting of the Cybersecurity Advisory Committee on December 10^th, 2021. This in-person (subject to changes in COVID status) meeting will be held in McLean, VA. Portions of the meeting will be closed to the public for security reasons.

The Cybersecurity Advisory Committee was established earlier this month. This initial meeting will include:

• An overview of CISA,

• A discussion on CISA's big challenges, priorities, and

• Potential study topics for the Committee

Personnel wishing to attend the meeting or make public comments at the meeting need to register via email (CISA_CybersecurityAdvisoryCommittee@cisa.dhs.gov) by December 8^th. Written comments may be submitted by the same date via the Federal eRulemaking Portal (www.regulations.gov; docket #CISA-2021-0017).

CG Publishes NMSAC Meeting Notice – 12-15-21

The Coast Guard has posted a meeting notice in tomorrow’s (on line today) Federal Register (86 FR 67482-67483) for a teleconference for their National Maritime Security Advisory Committee (NMSAC) on December 15^th, 2015. The Coast Guard intends to present a new tasking to the NMSAC: “Recommendations on Cybersecurity Information Sharing”. A copy of the tasking document should be on the NMSAC web site by December 13^th.

Personnel who wish to join the teleconference should contact the Ryan Owens (ryan.f.owens@uscg.mil) by December 7^th, 2021. Those wishing to submit comments for the Committee’s consideration focused on improving and enhancing the sharing of information related to cybersecurity risks that may cause a transportation security incident may submit them through the Federal eRulemaking Portal (www.Regulations.gov; Docket # USCG-2021-0824).

Review - ChemLock – Secure Your Chemicals – Overview

NOTE: On November 18^th, 2021, CISA announced their new voluntary chemical security program, ChemLock. This post is part of a deep dive into that program. ‘Short version’ links below are abbreviated posts on this blog that do not require subscriptions to my CFSN Detailed Analysis. Earlier posts in this series include:

CISA Announces ChemLock – Voluntary Chemical Facility Security (short version)

ChemLock and the Chemical Security Summit

ChemLock - On-Site Assessments and Assistance (short version)

Once a chemical facility has completed their vulnerability assessment, they are able to start preparing the facility security plan (FSP). Since the ChemLock program is a completely voluntary program, there is no requirement to involve chemical security inspectors (CSI) from CISA’s Office of Chemical Security in the development or approval of an FSP. But CSI do have years of experience in the unique security situations associated with chemical facilities and have a broad institutional knowledge of what has been tried and what works at high-risk chemical facilities. The ChemLock program makes this security plan knowledge base available to facilities that are not covered by the Chemical Facility Anti-Terrorism Standards (CFATS) program.

ChemLock Documents

The ChemLock Security Plan web page provides a starting off point for the development of facility security plan. It re-emphasizes the goals of a chemical security program that were discussed on their ChemLock Assessments page. It then provides a brief description of the process of developing an FSP and the concept of Security-in-Depth. The page also provides links to the following resources:

Secure Your Chemicals (.PDF manual),

Secure Your Chemicals Template (.docx download link), and

ChemLock Services Request Form

Moving Forward

Chemical facilities wishing assistance from CISA’s Office of Chemical Security in either establishing a new facility security plan, or having an existing plan reviewed by experienced professionals, should certainly consider contacting OCS via the new ChemLock program. I will be looking in more detail about the FSP process that ChemLock is using, as well as other support available from ChemLock, in future posts in this series.

For more details about the manuals and forms described above, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/chemlock-secure-your-chemicals - subscription required

Review - ChemLock - On-Site Assessments and Assistance

NOTE: Last week, CISA announced their new voluntary chemical security program, ChemLock. This post is part a deep dive into that program. CISA’s new ChemLock program was developed upon the realization that there are literally tens of thousands of chemical facilities that house, produce or use dangerous chemicals that could be used by terrorists to effect chemical attacks here in the United States. A small percentage of those facilities are covered by the Chemical Facility Anti-Terrorism Standards (CFATS) program, but the remaining facilities have had no government assistance to help them protect their facilities from terrorist attention. ChemLock is designed to change that.

The first step in any security planning exercise is the conduct of a security assessment. While the CFATS program utilizes a suite of on-line tools for facilities to submit information to the Office of Chemical Security to conduct such an assessment, the ChemLock program avoids the requirement for facilities to submit data to CISA. In ChemLock, a facility simply requests assistance via a rather simple on-line form, and OCS will contact the facility to coordinate a visit by chemical security inspectors.

Security Assessment

The ChemLock program envisions two different types of security assessments for which they would be providing assistance:

• Security Awareness Consultation: CISA experts work with facilities to identify potentially dangerous chemicals and the security risks that those chemicals may pose.

• Security Posture Assessment: CISA experts work with facilities to assess their current security posture and identify security enhancements that are tailored to the facility’s unique circumstances and needs.

As currently configured, the ChemLock program does not require facilities to submit any information to CISA about the chemicals stored at the facility or the security measures in place at, or planned for, the facility.

Security Goals

The whole point of the ChemLock program is to provide assistance to chemical facilities so that they can achieve the following security goals:

• DETECT an attack,

• DELAY the adversary,

• RESPOND in a timely manner, and

• SECURE your cyber assets.

Conducting an appropriate security assessment, with the help of experts from CISA is a first step in achieving those goals.

For more details about these security assessments, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/chemlock-on-site-assessments-and - subscription required.

Review - Public ICS Disclosures – Week of 11-13-21 – Part 2

For Part 2 we have six vendor disclosures from Flexera, HPE, Meinberg, QNAP, Tanzu, and VMware. There as an update from CODESYS. We also have six researcher reports about vulnerabilities in products from LibreCad (3) and Open Design Alliance (3).

Flexera Advisory - Flexera published an advisory describing an open redirect vulnerability in their FlexNet Publisher.

HPE Advisory - HPE published an advisory discussing four vulnerabilities in their Fibre Channel Host Bus Adapters.

Meinberg Advisory - Meinberg published an advisory describing six vulnerabilities in their LANTIME-Firmware.

QNAP Advisory - QNAP published an advisory describing a cross-site scripting vulnerability in their NAS running Ragic Cloud DB.

Tanzu Advisory - Tanzu published an advisory describing a code injection vulnerability in their Spring Cloud Netflix Hystrix Dashboard.

VMware Advisory - VMware published an advisory describing a privilege escalation vulnerability in their VMware Center Server.

CODESYS Update - CODESYS published an update for their Gateway V3 advisory that was originally published on March 29^th, 2021  and most recently updated on May 18^th, 2021.

LibreCad Report #1 – Talos published a report describing a use after free vulnerability in the LibreCad libdxfrw. This is a coordinated disclosure.

LibreCad Report #2 - Talos published a report describing an improper restriction of operations within the bounds of a memory buffer in the LibreCad libdxfrw.

LibreCad Report #3 - Talos published a report describing an out-of-bounds write vulnerability in the LibreCad libdxfrw.

ODA Report #1 - ZDI published a report describing a use-after-free vulnerability in the ODA ODAviewer product.

ODA Report #2 - ZDI published a report describing an out-of-bounds read vulnerability in the ODA ODAviewer product.

ODA Report #3 - ZDI published a report describing an out-of-bounds read vulnerability in the ODA ODAviewer product.

For more details about these advisories and reports, including links to third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11-e7c - subscription required.

ChemLock and the Chemical Security Summit

The deadline for registering for the 2021 Chemical Security Seminars is fast approaching. In the past, the major focus of these seminars (and the pre-Covid annual Chemical Sector Security Summit) has been on the Chemical Facility Anti-Terrorism Standards (CFATS) program. Voluntary chemical security measures and resources have always been addressed, but CFATS has been the focus. That will change this year.

With this week’s announcement of the ChemLock program, the voluntary chemical facility security presentations will take on an entirely new light and importance. CISA had already proposed a one-hour presentation on “Voluntary Chemical Security Programs”, by CISA’s Annie Hunziker Boyer. I suspect that by the time her talk rolls around on December 1^st, the actual title of the presentation will reflect the new program name. Other presentations will also be of interest to facilities considering the new ChemLock program.

Management for chemical facilities that are considering participation in the ChemLock program need to sign up for the Chemical Security Seminars. These are free, virtual presentations to be held on the first three Wednesdays of December. The preliminary agenda for the Seminars is available here. Registration ends on November 30^th, just a long holiday week away.

Senate Amendments to HR 4350 – 11-19-21

Yesterday, the Senate continued their consideration of HR 4350, the FY 2022 National Defense Authorization Act (NDAA). There was no action on the bill. Cloture was filed to stop the debate on the substitute language amendment and the vote on that could happen any time after 5:30 pm on November 29^th when the Senate returns from their Thanksgiving recess. One additional amendment was proposed, but it is of no particular interest here.

Review - Public ICS Disclosures – Week of 11-13-21 – Part 1

Review - Public ICS Disclosures – Week of 11-13-21 – Part 1

This has been a very busy week for vendor disclosures, so I will be doing this as a two-part report again this week. This week we have 17 vendor disclosures from Blackberry, Braun (2), WAGO (3), Dell, Gallagher (6), and ABB (4).

Blackberry Advisory - Blackberry published an advisory describing a remote code execution vulnerability in their QNX Software Development Platform.

Braun Advisory #1 - Braun published an advisory discussing the NUCLEUS:13 vulnerabilities.

Braun Advisory #2 - Braun published an advisory discussing the INFRA:HALT vulnerabilities.

WAGO Advisory #1 - CERT-VDE published an advisory discussing six vulnerabilities in a number of WAGO PLCs.

WAGO Advisory #2 - CERT-VDE published an advisory discussing an improper handling of exceptional conditions vulnerability in a number of WAGO PLC’s.

WAGO Advisory #3 - CERT-VDE published an advisory discussing the NUCLEUS:13 vulnerabilities.

Dell Advisory - Dell published an advisory describing five vulnerabilities in their Wyse Management Suite.

Gallagher Advisory #1 - Gallagher published an advisory describing an unquoted service path vulnerability in their Controller Service.

Gallagher Advisory #2 - Gallagher published an advisory describing an improper privilege validation vulnerability in their Command Centre Server.

Gallagher Advisory #3 - Gallagher published an advisory describing an improper certificate validation vulnerability in their Command Centre Server.

Gallagher Advisory #4 - Gallagher published an advisory describing an improper validation of the cloud-certificate chain in their Mobile Connect for Android.

Gallagher Advisory #5 - Gallagher published an advisory describing an improper validation of the cloud-certificate chain in their Command Centre Mobile Client for Android.

Gallagher Advisory #6 - Gallagher published an advisory describing an incomplete comparison with missing factors vulnerability in their Gallagher Controller.

ABB Advisory #1 - ABB published an advisory discussing two vulnerabilities in their Hitachi Energy RTU500 series.

ABB Advisory #2 - ABB published an advisory discussing the BadAlloc vulnerabilities in their Hitachi Energy RTU500 series.

ABB Advisory #3 - ABB published an advisory discussing three vulnerabilities in their Hitachi Energy RTU500 Series.

ABB Advisory #4 - ABB published an advisory describing a validation error vulnerability in their Hitachi Energy RTU500 Series.

For more information on these advisories, including links to third-party advisories and exploits, see  my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11-880 - subscription required.

Senate Amendments to HR 4350 – 11-18-21

Yesterday, the Senate continued their consideration of HR 4350, the FY 2022 National Defense Authorization Act (NDAA). No agreement had been reached about what amendments would be considered, so yesterday’s consideration of the bill consisted of speeches. Additionally, there were 150 new amendments proposed. Many of these amendments were offered earlier, but there are minor differences in language to make the amendment more acceptable to various concerned parties. Six of the amendments offered yesterday may be of interest here:

SA 4784 - Sen King (I,ME): DIVISION E: Defense Of United States Infrastructure [pg S8456] Similar to S 2491,

SA 4785 - Sen Ossoff (D,GA): SEC. xx. Dr. David Satcher cybersecurity education grant program. [pg S8458] Similar to S 2305,

SA 4799 - Sen Peters (D,MI): DIVISION E: Federal Information Security Modernization Act of 2021 [pg S8469],

DIVISION F: Cyber Incident Reporting Act Of 2021 nd CISA Technical Corrections and Improvements Act of 2021 [pg S 8482],

TITLE LXI: Cyber incident reporting act of 2021 [pg S8482],

TITLE LXII—CISA technical corrections and improvements act of 2021 [pg S8487],

SA 4802 – Sen Ossoff: SEC. xx. Dr. David Satcher cybersecurity education grant program. [pg S8491]

SA 4813 - Sen Scott (R,FL): DIVISION E: Cyber Incident Reporting Act of 2021 and CISA Technical Corrections and Improvements Act of 2021 {pg S 8500],

TITLE LI: Cyber incident reporting act of 2021 [pg S8500],

TITLE LII—CISA technical corrections and improvements act of 2021 [pg S8505]

SA 4831 - Sen Scott: DIVISION E: Federal Information Security Modernization Act of 2021 [pg S8516],

DIVISION F: Cyber Incident Reporting Act Of 2021 and CISA Technical Corrections and Improvements Act off 2021 [pg S8529],

TITLE LXI: Cyber incident reporting act of 2021 [pg S8529],

TITLE LXII: CISA technical corrections and improvements act of 2021 [pg S8534]

NOTE: Corrected Date in Title and added link for the list of amendments 11-20-21 13:50 EST

NASA Announces PNT Advisory Board Meeting – 9-12-21

Today NASA published a meeting notice in the Federal Register (86 FR 64962) for a two-day meeting of the National Space-Based Positioning, Navigation and Timing (PNT) Advisory Board on December 9^th and 10^th, 2021. The meeting will be open to the public.

The meeting agenda includes:

• Reports and Updates from PNT Advisory Board Working Groups

• Preliminary Deliberations on any Findings and Recommendations

• Other PNT Advisory Board Business and Work Plan Schedule

There is no information available on the Advisory Board web site about the current activities of the working groups. The last time the Board met was in July 2020.

HR 5956 Introduced – DHS in NSC

Last week, Rep Katko (R,NY) introduced HR 5956, the National Security Council Membership Act of 2021. The bill would amend 50 USC 3021 to include the Secretary of DHS as member of the National Security Council. DHS has been unofficially included as part of the ‘such other officers of the United States Government as the President may designate’ portion of §101(c)(1) being amended by this bill.

Neither Katko nor his sole cosponsor {Rep Thompson (D,MS)} are members of House Armed Services, Foreign Affairs or Intelligence Committees to which this bill was assigned for consideration. This means that it is unlikely that bill will be considered by any of those committees, especially since the prestige of those committee chairs is enhanced (with respect to the Homeland Security Committee) by DHS not being on the NSC list. I suspect that there would be bipartisan support for this bill if it were to make it to the floor of the House.

Bills Introduced – 11-18-21

Yesterday, with both the House and Senate preparing to leave for their Thanksgiving recess (both houses will meet briefly today), there were 102 bills introduced. Two of those bills may receive additional coverage in this blog:

S 3241 A bill to amend title 28, United States Code, to allow claims against foreign states for unlawful computer intrusion, and for other purposes. Sen. Kennedy, John [R-LA]

S 3260 A bill to require a 20th anniversary review of the missions, capabilities, and performance of the Transportation Security Administration. Sen. Wicker, Roger [R-MS]

I will be watching S 3241 for language and definitions that would include control systems within the coverage of the bill.

I will be watching S 3260 for language that would specifically include surface security activities in the review.

TRIP 2022 Data Call Changes Cyber Insurance Information Request

Today the Treasury Department’s Federal Insurance Office (FIO) published a notice in the Federal Register (86 FR 64600-64603) concerning proposed changes to the Terrorism Risk Insurance Program’s (TRIP) 2022 Data Call. The revised data collection would include changes to the data templates used to collect information about cyber insurance.

The notice reports that:

“The cyber insurance market continues to grow and evolve, and cyber-related losses (particularly with regard to ransomware) have increased significantly over the past few years.[14] In view of recent market developments and the important role of cyber insurance in the Program, Treasury would like to obtain more detailed information relating to the availability and affordability of such coverage in the market.”

The changes in the cyber question include:

Premium and limits information for cyber coverages written in non-TRIP-eligible lines of insurance,

Premium and policy count information broken out by size of policyholder,

Specific information on the cyber extortion [ransomware] coverages provided under cyber insurance policies, and

Loss information regarding these ransomware exposures.

The FOI is requesting public comments about the proposed changes in the 2022 data call. Comments may be submitted via the Federal eRulemaking Portal (www.regulations.gov; docket # OMB Control Number 1505-0257. Comments should be submitted by January 18^th, 2022.

Review - 2 Advisories and 4 Updates Published

Today, CISA’s NCCIC-ICS published two medical device security advisories for products from Philips. They also published four updates for products from VISAM, Mitsubishi, Philips and Trane.

Patient Information Center Advisory - This advisory describes three vulnerabilities in the Philips Patient Information Center iX.

IntelliBridge Advisory - This advisory describes two vulnerabilities in the Philips IntelliBridge EC 40 and EC 80 Hub.

VISAM Update - This update provides additional information on an advisory that was originally published on March 24^th, 2021 and most recently updated on July 8^th, 2021.

Mitsubishi Update - This update provides additional information on an advisory that was originally published on July 30^th, 2020 and most recently updated on July 27^th, 2021.

Philips Update - This update provides additional information on an advisory that was originally published on September 10th, 2020 and most recently updated on August 31^st, 2021.

Trane Update - This update provides additional information on an advisory that was originally published on September 23^rd, 2021.

For additional details on these advisories and updates, see my article on CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-and-4-updates-published - subscription required –

Review - CISA Announces ChemLock – Voluntary Chemical Facility Security

Today CISA announced the launch of their new voluntary chemical facility security program for chemical facilities that are not part of the Chemical Facility Anti-Terrorism Standards (CFATS) program. The new ChemLock program is an outgrowth of the CFATS program and the realization that facilities that are not considered at ‘high-risk’ for terrorist attack are at some risk of physical or cyber attack because of the chemicals stored, used or produced at the facility. The ChemLock program allows CISA to provide assistance to those facilities, based upon the long experience that the Office of Chemical Security has in overseeing the CFATS program.

Commentary

This is a voluntary chemical facility security program run out of the same office as the CFATS program. While this is not a program for facilities covered under that program, there are information sources available through this program that could be of use to CFATS facilities. Chemical facilities that are not covered by the CFATS program will find information and assistance here to determine what security measures may be applicable to their facility and how to implement those security measures.

The web site for this new program is hitting as a nearly fully formed information source for chemical facility security. The fold from OCS have used their long CFATS experience to address the basics of chemical facility security in an easy to access format. Assistance from experienced chemical facility inspectors is going to be a major selling point for this program.

Facilities that hold inventories of DHS chemicals of interest but are not currently covered by the program should certainly take a look at this program if there is any chance that there may be inventory or process changes in their future that may push them into the CFATS program. The resources available here could give facilities a head start on setting up a security program that could be readily morphed into a CFATS program site security plan.

I will be taking a closer look at this new program in future articles.

For more details about today’s announcement, including links to various pages within the new site, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cisa-announces-chemlock - subscription required.

Senate Amendments to HR 4350 – 11-17-21

Yesterday, the Senate voted 84-15 to close debate on whether to begin consideration of HR 4350, the FY 2022 National Defense Authorization Act (NDAA). This means that the process of considering potential amendments to that bill will begin today. Additionally, there were 49 new amendments offered for consideration; two of those amendments may be of interest there:

SA 4764 - Sen Menendez (D,NJ): DIVISION E: Federal Information Security Modernization Act of 2021 [pg S8367] Similar to S 2902, and

SA 4769 - Sen Warnock (D,GA): SEC. xxx. Report on pathways for cyber and software engineering workforce growth. [pg S8380].

Commentary

There has been discussion in the press (see here for example) about the possibility of a variety of cybersecurity measures being included in this bill during the amendment process, and I have certainly been documenting the wide variety of such amendments in this series of blog posts. Much of that discussion has been centered on the bipartisan nature of the support for these amendments.

While bipartisan support is generally a good thing, it is not a controlling factor in the decision to bring a proposed amendment to the floor of the Senate for consideration. As we have seen on a number of occasions, even near universal support for an amendment can be stymied by the objection of a single Senator. This is because, due to the rules of the Senate, consideration of an amendment typically requires unanimous consent. There are ways around this ‘typical’ process, but they are time consuming, and ‘time consuming’ in the Senate means a really-long time.

One Senator in particular, Sen Paul (R,WV), is well known for using this as a tactic for forcing the Senate to consider amendments of his that would not normally see a vote in the Senate. Even when he knows that there will not be near enough support in the body to approve his amendment, Paul can be counted upon to force at least one vote during the consideration of ‘must pass’ bills like this.

Senate Amendments to HR 4350 – 11-16-21

With the Senate starting the process for the consideration of HR 4350, the FY 2022 NDAA on Monday the first cloture vote will probably be held this afternoon. That vote will start the actual amendment consideration process. Meanwhile, yesterday there were 72 amendments proposed yesterday. Seven of those amendments were of potential interest here

 

SA 4662 - Sen King (I,ME): SEC. 1064. Report on cybersecurity certifications and labeling [pgs S8246-7],

SA 4673 – Sen Peters (D,MI): DIVISION E: Cyber Incident Reporting Act Of 2021 and CISA Technical Corrections and Improvements Act of 2021 [pgs S8251-2];

TITLE LI: Cyber incident reporting act of 2021 [pg S8252], Similar to S 2785,

TITLE LII: CISA technical corrections and improvements act of 2021 [pg S8257], Similar to S 2740,

SA 4674 - Sen Peters: DIVISION E: Federal Information Security Modernization Act of 2021 [pg S8260], Similar to S 2274,

SA 4676 - Sen Klobuchar (D,MN): SEC. xxx. Veterans cybersecurity and digital literacy grant program. [pg S8272],

SA 4724 – Sen King: SEC. 1064. Report on cybersecurity certifications and labeling. [pg S8297],

SA 4726 – Sen King: DIVISION E: Defense of United States Infrastructure [pg S8298], Similar to S 2491, and

SA 4732 – Sen Reed (D,RI): SEC. xxx. Cybersecurity transparency [pg S8314], Similar to S 808,

HR 5960 Introduced – SLTT Cybersecurity

Last week, Rep Neguse (D,CO) introduced HR 5960, the State and Local Government Cybersecurity Act of 2021. This bill is almost identical to the version of S 2520 recently reported in the Senate. It would codify existing outreach and support activities by CISA to support State, local, tribal, and territorial governments.

Differences from S 2520

With the exception of a couple of missing comas, the only difference between this bill and S 2520 is the addition of a run-on phrase (highlighted below) in the proposed subsection (p) for 6 USC 659. This version changes subparagraph (1)(G) to read:

“(G) provide operational and technical assistance to SLTT entities to implement tools, products, resources, policies, guidelines, controls, and standards and best practices and procedures on information security;”

Moving Forward

Neguse is not a member of the House Homeland Security Committee to which this bill was assigned for consideration. This means that there is unlikely to be adequate influence to see this bill considered in Committee. I see nothing in this bill that would engender any specific opposition. If it were considered in Committee, I would expect it to receive significant bipartisan support.

Review - 2 Advisories and 1 Update Published – 11-16-21

Today, CISA’s NCCIC-ICS published two control system security advisories for products from Mitsubishi and FATEK. They also published an update for products from Mitsubishi.

Mitsubishi updated a second advisory today. If NCCIC-ICS does not cover that update on Thursday, I will address it this weekend.

Mitsubishi Advisory - This advisory describes an input validation vulnerability in the Mitsubishi GOT2000 series, GOT SIMPLE series, and GT SoftGOT2000 HMI.

FATEK Advisory - This advisory describes two vulnerabilities in the FATEK WinProladder PLC programming software.

Mitsubishi Update - This update provides additional information on an advisory that was originally published on February 18^th, 2021 and most recently updated on July 29^th, 2021.

For additional information on these advisories and updates, see my article on CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-and-1-update-published-cbf - subscription required.

Senate Amendments to HR 4350 – 11-15-21

With the Senate starting the process for the consideration of HR 4350, the FY 2022 NDAA, there were 108 new amendments to that bill proposed in the Senate yesterday. Nine of those amendments made reference to cybersecurity issues:

SA 4560 - Sen King (I,ME): SEC. xx. Secure foundational internet protocols. [pg S8091],

SA 4561 - Sen King: DIVISION E: Defense of United States Infrastructure [pg S8091] Similar to S 2491,

SA 4580 - Sen Gillibrand (D,NY): SEC. 1601. Matters concerning cyber personnel requirements. [pg S8100] SA 3903 and SA 4181,

SA 4581 - Sen Gillibrand: SEC. xxx. Matters concerning cyber personnel education requirements. [pg S8101] SA 3903 and SA 4181,

SA 4598 - Sen Hassan (D,NV): DIVISION E: Federal Cybersecurity Workforce Expansion Act [pg S809] Similar to S 2274,

SA 4616 - Sen Warner (D,VA): DIVISION xx: Intelligence Authorization Act for Fiscal Year 2022 [pg S8128] Similar to S 2610,

SA 4624 - Sen Warner: SEC. xxx. Educational assistance for pursuit of programs of education in cybersecurity. [pg S8149],

SA 4637 - Sen Risch (R,ID): SEC. 1064. Think tank cybersecurity standards. [pg S8158], and

SA 4647 - Sen Peters (D,MI): DIVISION E: Federal Information Security Modernization Act of 2021 [pg S8179] Similar to S 2902.

Review - PHMSA Publishes Gas Gathering Lines Final Rule

Yesterday, the DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) published a final rule in the Federal Register (86 FR 63266-63299) for “Pipeline Safety: Safety of Gas Gathering Pipelines: Extension of Reporting Requirements, Regulation of Large, High-Pressure Lines, and Other Related Amendments.” The notice of proposed rulemaking (NPRM) for this action was published in April 2016.

The effective date of this final rule is May 16^th, 2022.

For more details about the changes made in the final rule, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/phmsa-publishes-gas-gathering-lines  - subscription required.

OMB Approves Software Supply Chain NPRM

Yesterday, the OMB’s Office of Information and Regulatory Affairs announced that it had approved a Department of Commerce (DOC) notice of proposed rulemaking (NPRM) on “Securing the Information and Communications Technology and Services Supply Chain; Connected Software Applications”. This rulemaking is not listed in the Spring 2021 Unified Agenda.

As I noted when this rulemaking was sent to OMB for review, I suspect that this is related to §4 of EO 14028. This will probably appear in the Federal Register within the next week so we will know for sure what it covers then.

Review - HR 5376 to be Considered in House – Build Back Better Act

As I mentioned this morning, the House is currently scheduled to take up HR 5376, the Build Back Better Act some time this week (probably later rather than sooner). This bill has undergone a number of different revisions since it was introduced. The review in this post comes from the version being reported by the House Rules Committee. The bill includes $489 million in cybersecurity spending in three different sections and two cybersecurity mentions in passing.

It is likely that the Democrats will be able to muster adequate support from within their ranks to pass this bill in the House. They are going to need it since they are going to get no support from Republicans. It is still not clear if this bill will be able to clear the Senate.

For more details about the cybersecurity spending, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-5376-to-be-considered-in-house - subscription required.

Committee Hearings – Week of 11-14-21

With both the House and Senate back in Washington for a week between holidays, we have a nearly full slate of congressional hearings. Of interest here will be two ransomware hearings and markup of a cybersecurity bill.

Ransomware Hearings

On  Tuesday, the House Oversight and Reform Committee will hold a hearing on “Cracking Down on Ransomware: Strategies for Disrupting Criminal Hackers and Building Resilience Against Cyber Threats”. The witness list includes:

• Jen Easterly, CISA,

• Chris Inglis, National Cyber Director, and

• Bryan Vorndran, FBI

On Wednesday, two subcommittees of the House Homeland Security Committee will hold a joint hearing on “A Whole-of-Government Approach to Combatting Ransomware: Examining DHS’s Role”. The witness list includes:

• Rob Silvers, DHS,

• Jeremy Sheridan, Secret Service, and

• Brandon Wales, CISA

Neither hearing is expected to do more than mention controls system security in passing.

Cybersecurity Markup

On Thursday, the Senate Judiciary Committee is holding a business meeting. In addition to a number of nominations, it will take-up S 2629, the Better Cybercrime Metrics Act. This bill would add law enforcement cybercrime reporting requirements, but does not address private sector reporting cybercrimes to law enforcement or federal agencies.

On the Floor

This week the House is scheduled to take up HR 5376, the Build Back Better Act. I have not yet reviewed the most likely version of the bill to appear before the House, I have been awaiting last minute changes.

The Senate will likely take up HR 4350, the FY 2022 National Defense Authorization Act. The Senate will ignore the House language, taking up instead substitute language based upon S 2972. Readers will have seen my posts about the large number of amendments that have been proposed. More will likely be coming this week. It will be interesting to see which amendments actually make it to the floor for consideration. This will not be quick and the final vote may be delayed until after the Thanksgiving recess.

 

Water Cybersecurity – NERC CIP or Something Else

An interesting blog post by Patrick Miller over on Ampersec.com on the topic of using the NERC CIP as a model for cybersecurity regulation of the water treatment/wastewater treatment sector. With his long experience with NERC CIP from a number of different perspectives, Patrick makes a number of important points that should be taken into account in any discussion of how to regulate the water sector. Unfortunately, I think he missed an important question, does cybersecurity really need to be regulated in that sector?

Last February I weighed in on this topic with my post “Call for Cybersecurity Regulations”. I want to take another look at the topic here, from a slightly different perspective, a perspective well familiar to those with experience in the Chemical Facility Anti-Terrorism Standards (CFATS) program, risk-based cybersecurity.

From a regulatory perspective, the federal government has no legitimate interest in insuring that the information services at water treatment facilities are adequately protected from cyberattacks. That is a utility management issue, the purview of State and local utility oversight organizations. Similarly, the EPA is only interested in ensuring that the water leaving the facility (into drinking water distribution systems or back into the wild, depending on the type of treatment plant) meets certain quality standards. As long as output testing controls are adequately protected, the cybersecurity of upstream treatment is not a legitimate federal concern.

So, we do not need a comprehensive set of cybersecurity regulatory controls to protect water treatment facilities from cyberattacks. We need each facility to have a risk-based vulnerability assessment of what controls (manual, analog and digital) at their unique facility are critical to output quality controls and then a properly scoped security plan (physical and digital) to protect those critical controls.

The EPA has taken a poorly crafted crack at the assessment side of the equation, but they are relying on local facility management that is trained and experienced in water treatment engineering to conduct security assessments. And they are just requiring that facilities certify that those assessments have been properly done. Security planning is just an after-thought.

What is needed is an online tool like that used in the CFATS program to submit vulnerability assessment data and relatively formulaic security plans. Water facilities are going to be more similar than chemical facilities, so a water security assessment tool (WSAT) will not need to be as complicated as the CFATS chemical security assessment tool (CSAT).

As I have said before, CFATS is probably a better model to look at rather than something like NERC CIP or the nuclear facility security model.

CISA Identifying Critical Infrastructure

Earlier this week there was an interesting article over on InfoRiskToday.com. It talked about CISA’s establishing a program to identify critical infrastructure that would need to be protected from ‘global cyberthreats’. The article quotes CISA Director Jen Easterly talking about starting efforts to figure out how to identify "primary systemically important entities.” It goes on:

“"Whether this ends up in legislation or not - and I certainly hope it does - we are already thinking through the model," Easterly said. "So we're prototyping a variety of different approaches … to try and start identifying those entities that are in fact systemically important. We're doing it based on economic centrality, network centrality, and logical dominance in national critical functions.”

NOTE: the article uses the acronymized ‘Pisces’ instead of the abbreviated ‘PSIEs’ to shorten the "primary systemically important entities”. I wonder if this is a left-handed pun about fishing expeditions?

Does CISA, in fact need new legislative authority to collect and analyze this type of data? Actually, no. While congress has frequently tried to limit CISA’s private sector information collection to voluntary efforts {for example see 6 USC 659(i)(2)(C)}, it has authorized and tasked CISA (6 USC 664) with compiling a classified national asset database of each system or asset that the Secretary determines “to be vital and the loss, interruption, incapacity, or destruction of which would have a negative or debilitating effect on the economic security, public health, or safety of the United States, any State, or any local government” { §664(a)(1)(A)}.

Furthermore, §664(a)(1)(2) requires CISA to prepare a “n a single classified prioritized list of systems and assets included in the database under paragraph [§664(a)](1) that the Secretary determines would, if destroyed or disrupted, cause national or regional catastrophic effects.” So, Easterly is already required to maintain the PSIE list referenced in the article.

In general, CISA is supposed to use the State homeland security officials to collect the data, but §664(c)(2) specifically requires CISA to “identify and evaluate methods, including the Department’s Protected Critical Infrastructure Information Program, to acquire relevant private sector information for the purpose of using that information to generate any database or list, including the database established under subsection (a)(1) and the list established under subsection (a)(2).”

Currently, CISA is only authorized to use this database to formulate its plans and policies. It has not been given any regulatory authority to mandate security requirements (including reporting) on any of the listed private sector entities. The sole exception to this is that CISA is the regulatory agency for the Chemical Facility Anti-Terrorism Standards (CFATS) program. So, CISA can set forth cybersecurity mandates for facilities covered under that program.

Review - Public ICS Disclosures – Week of 11-6-21 – Part 2

For Part 2 this week there was an unusual cybersecurity bulletin from Schneider. We also had six advisories from Siemens and Schneider (5). Finally, there were nine updates from Siemens (6) and Schneider (3).

Schneider Bulletin - Schneider published a security bulletin announcing that there had been a number of attacks reported against g KNX home and building automation systems.

Siemens Advisory - Siemens published an advisory discussing a denial-of-service vulnerability in multiple products.

Schneider Advisory #1 - Schneider published an advisory describing an improper check for exceptional or unusual conditions vulnerability in their SCADAPack 300E Series RTU products.

Schneider Advisory #2 - Schneider published an advisory describing an insufficient entropy vulnerability in their Software Update product.

Schneider Advisory #3 - Schneider published an advisory discussing the PrintNightmare vulnerabilities in their EcoStruxure Process Expert product.

Schneider Advisory #4 - Schneider published an advisory discussing the BadAlloc vulnerabilities in multiple products.

Schneider Advisory #5 - Schneider published an advisory for unenumerated vulnerabilities (with no CVE listings) in their TelevisAir V3.0 Dongle BTLE.

Siemens Update #1 - Siemens published an update for their NAME:WRECK advisory that was originally published on April 13^th, 2021.

Siemens Update #2 - Siemens published an update for their Nucleus RTOS advisory that was originally published on February 9^th, 2021.

Siemens Update #3 - Siemens published an update for their GNU/Linux advisory that was originally published in 2018 and most recently updated on October 12^th, 2021.

Siemens Update #4 - Siemens published an update for their WIBU systems advisory that was originally published on July 13^th, 2021 and most recently updated on September 14^th, 2021.

Siemens Update #5 - Siemens published an update for their NAME:WRECK advisory that was originally published on April 13^th, 2021.

Siemens Update #6 - Siemens published an update for their OpenSSL advisory that was originally reported on July 13^th, 2021 and most recently updated on September 14^th, 2021.

Schneider Update #1 - Schneider published an update for their ISaGRAF advisory that was originally published on June 8^th, 2021 and most recently updated on September 14^th, 2021.

Schneider Update #2 - Schneider published an update for their Ripple20 advisory that was  originally published on June 23, 2020 and most recently updated on August 10^th, 2021.

Schneider Update #3 - Schneider published an update for their Modicon Controllers advisory that was originally published on May 18^th, 2019 and most recently updated on June 8^th,2021.

For more details on these bulletins, advisories and updates, including links to third-party advisories and exploits, see my article at - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11-8ae - subscription required.

GAO Reports – K-12 Cybersecurity

This week the Government Accountability Office published a report on their audit of federal programs to ensure the safety and security of K-12 educational institutions. They found that the most recent guidance from the Department of Education dates back to 2010 and that guidance minimizes the importance of cybersecurity in the protection of K-12 education facilities. The report makes two recommendations:

• The Secretary of Education should initiate a meeting with the Director of CISA to determine how to update its sector-specific plan (SSP) for the Education subsector. The plan should assess and prioritize federal actions to assist K-12 schools in protecting themselves from cyberattacks.

• The Secretary of Education should make a determination, in consultation with the Director of CISA and based on current cybersecurity risks, on whether subsector-specific guidance is needed for the Education subsector.

Review - Public ICS Disclosures – Week of 11-6-21 – Part 1

This week we have twelve vendor disclosures from Blackberry, Draeger, Open Design Alliance, HPE (4), Milestone, Phoenix Contact, QNAP, and VMware (2). There is also an update from CODESYS. Finally, we have a research report from Forescout on the plethora of TCP/IP vulnerability disclosures.

I will cover the remaining Siemens and Schneider advisories and updates that were published Tuesday, but not yet covered by NCCIC-ICS in Part 2.

Blackberry Advisory - Blackberry published an advisory describing three vulnerabilities in their Protect for Windows product.

Draeger Advisory - Draeger published an advisory discussing the NUCLEUS:13 vulnerabilities.

ODA Advisory - Incibe Cert published an advisory describing nine vulnerabilities in the ODAViewer.

HPE Advisory #1 - HPE published an advisory describing an arbitrary code execution vulnerability in their ProLiant Gen10 Plus Servers.

HPE Advisory #2 - HPE published an advisory describing 15 vulnerabilities in their ProLiant and Apollo Gen10 and Gen10 Plus servers.

HPE Advisory #3 - HPE published an advisory discussing  three vulnerabilities in their ProLiant, Apollo, Synergy Gen10 and Gen10 Plus Servers.

HPE Advisory #4 - HPE published an advisory discussing an escalation of privilege vulnerability in their ProLiant, Apollo, Edgeline, and Synergy Servers.

Milestone Advisory - Milestone published an advisory describing an arbitrary file access vulnerability in their XProtect DLNA server.

Phoenix Contact Advisory - Phoenix Contact published an advisory describing two vulnerabilities in their FL MGUARD 1102/1105 products.

QNAP Advisory - QNAP published an advisory describing a cross-site scripting vulnerability in their NAS running QmailAgent.

VMware Advisory #1 - VMware published an advisory describing a privilege escalation vulnerability in their vCenter Server.

VMware Advisory #2 - VMware published an advisory discussing a denial-of-service vulnerability in their Tanzu Application Service for VMs.

CODESYS Update - CODESYS published an update for their V2 web server advisory that was originally published on October 25, 2021.

TCP/IP Vulnerability Report - Forescout published an overview report on the recent spate of TCP/IP stack vulnerability reports.

For more details on these advisories and updates, including links to 3^rd party reports, researcher reports and exploits, see my article at CSFN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11 - subscription required.