Friday, December 31, 2021

2021 is Dead, Long Live 2022

The last day of the year is a time for reflection and to think about what is to come. And I will pass on the partying tonight; I want 2022 to start with a clear head.

My Blog

It is hard to measure success for a blog such as mine. The subject matter that I cover is hardly going to attract a huge audience. But, then again, I am not writing this for fame and glory; if I was, I would have quit in disgust a long time ago. No, this blog requires me to take detailed looks at things that I think are important, cogitate on potential consequences and make predictions about how things are going to develop over time. Oh, and ultimately, periodically allow me to utter my favorite phrase: “I told you so.”

This post marks 762 posts made on Chemical Facility Security News this year. According to Google, I have had more than 319,000 ‘hits’ to date on those posts. With 2.36 million hits over the last 10 years, it seems that readership is up this year. That is certainly good for the ego, but it does not pay any bills, so I work part time in a grocery store. Writers frequently need day jobs; it is just that kind of profession.

I did start CFSN Detailed Analysis this year over on Substack in an attempt to monetize my writing. It is too early to tell how successful that will be, but I am earning money from my writing, so I can justify calling myself a professional writer with less emphasis on the ‘free’ part of freelance. That new format means that I am shortening the average post length here. That has not yet adversely impacted readership here, so it looks like my original blog is not going to wither away anytime soon.

My Life

I am fast approaching 70 years old, a milestone that amazes me as I never thought about actually reaching that august age. I am relatively healthy, actually much healthier than I was in my youth. I mainly attribute that to two things, stopping smoking and good genes. And that is a good commentary on life in general, you cannot control everything, but you do have some measure of control if you choose to take it.

The Future

As Doris Day (YES, I am an old fogey after all) once sang: “The future is not ours to see…”. But predicting the general range of the future is all part of a writer’s life. There will be fires and floods and great calamities. Computers will get faster and more ubiquitous and crooks will find more and different ways to capitalize on those facts. Chemical processing will continue on an ever-larger industrial scale and accidents and attacks will continue to happen and cause death and destruction. And the youth will point at the problems that continue to arise and blame them on their parents. And the parents will lament about the lost ‘good-old-days’ and blame the youth for being shallow and disrespectful. And politicians will stand on both sides of every issue and proclaim the other side to be crooks and bigots. And the earth will keep spinning around the sun and rotating about its axis. And this too shall pass.

But, then again, spring will come, flowers will bloom, and babies will be born. Life goes on. We each as individuals can only try to do better than we did yesterday and learn from our mistakes. And the same can be said for communities, cities, states and countries. The future is coming whether we want it or not. So, smile, pick up your load and let’s go see what comes next.

Thursday, December 30, 2021

Review - S 2016 Reported in Senate – Surface Transportation Investment

Earlier this month, the Senate Commerce, Science, and Transportation Committee reported (without written report) S 2016, the Surface Transportation Investment Act of 2021. The Committee adopted substitute language in a markup hearing on June 16th, 2021. The reported version of the bill contains 19 new sections including §2425, Requirements for railroad freight cars placed into service in the United States. That section contains language restricting the sourcing of sensitive electronic components of freight railcars.

As I mentioned in my earlier post, this bill was included in the substitute language for HR 3684 that was considered by the Senate and subsequently the House and then signed into law by the President. The provision described above was included in that bill as §22425. I overlooked that section in my discussions of the Senate action on HR 3684.

In any case, there will be no further action on this bill.

For more details on the provisions of §2425, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2016-reported-in-senate  - subscription required.

Wednesday, December 29, 2021

Review - ChemLock Training

In addition to the chemical security fact sheets that I discussed last week, CISA’s new voluntary ChemLock program also provides chemical facilities with free chemical security training. These are designed to help chemical facilities not covered by the Chemical Facility Anti-Terrorism Standards (CFATS) program to establish a voluntary chemical security program. The list of free training programs now includes:

ChemLock: Introduction to Chemical Security, and

ChemLock: Secure Your Chemicals Security Planning

These two programs are designed to help facilities begin the development of their voluntary ChemLock facility security program. Future training programs may address other components of that security program.

Not Security Awareness Training

Neither of these two courses addresses chemical security awareness training for chemical facility personnel. There is a training course offered by FEMA via their Center for Domestic Preparedness. The 1-hour on-line course is primarily set up for independent study and requires an easy to obtain FEMA Student ID number. Facilities developing a ChemLock voluntary security program, or facilities covered under the CFATS program, may find that this training program for individuals would provide a good starting point for a facility chemical security awareness training program.

Moving Forward

Facilities wishing to participate in these two ChemLock training programs should complete the ChemLock Services Request Form. Facilities wishing further information about these training programs or other facets of the ChemLock program should contact OCS by email at ChemLock@cisa.dhs.gov.

For more details about the training programs being offered by CISA, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/chemlock-training - subscription required.


Tuesday, December 28, 2021

Review - 12-28-31 Siemens Log4Shell Advisories

Today Siemens published a new Log4j advisory and updated their original advisory.

New Advisory - Siemens published an advisory discussing a new Log4j vulnerability that affects Log4j versions through 17.0.

Update - Siemens published an update for their original Log4Shell advisory that was originally published on December 12th, 2021 and most recently updated on December 27th, 2021.

The new Log4j vulnerability almost certainly reflects the additional attention that is being focused on this no longer obscure but much used tool. Very few pieces of ‘modern’ software are apparently able to stand up to that sort of attention without yielding vulnerabilities. With no currently available exploits, nor a current Base Score, for the new vulnerability, owners will be forgiven for not paying as much attention to this new vulnerability. Unfortunately, I expect that exploits will be forthcoming more quickly than normal; the Log4j attention also attracts the ‘bad guys’.

For more details on the new advisory and update, see my article on CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/12-28-31-siemens-log4shell-advisories - subscription required.

EPA Directs 29 Facilities to Begin TRI Reporting for Ethylene Oxide

Today the EPA published a notice of availability in the Federal Register (86 FR 73764-73766) of the “EPA Administrator Determination Extends TRI Reporting Requirements to Certain Contract Sterilization Facilities.” Under the discretionary authority provided to the EPA under 42 USC 11023(b)(2) the EPA has decided “to extend the [Toxic Release Inventory – TRI] reporting requirements for ethylene oxide releases and other waste management activities to 29 contract sterilization facilities; and to extend the reporting requirements for ethylene glycol to 16 of those facilities.”

The facilities identified in the Notice have all been directly contacted by the EPA about their new reporting requirements, so why the interest here? Well, ethylene oxide is a DHS chemical of interest with a screening quantity threshold of 10,000 lbs. The EPA made mention in their notice that they believe “that these facilities are likely to exceed the 10,000 pounds per year “otherwise used” TRI reporting threshold for ethylene oxide.” Thus, these facilities would also be expected to submit a Top Screen report to CISA’s Office of Chemical Security for evaluation for potential inclusion in the Chemical Facility Anti-Terrorism Standards (CFATS) program.

I would suspect that, because of the cooperation between EPA, OSHA and CISA on all matters related to chemical safety and security (most recently evidenced here), OCS has already been made aware of these facilities and has contacted them if a Top Screen has not already been completed. This does, however, point out another industry that CISA may want to add to their CFATS outreach program. I would not be surprised to see a ‘Sterilization Facility Fact Sheet’ added to the CFATS Resources page.


Monday, December 27, 2021

Review - 12-27-21 Siemens Log4Shell Advisory

Today, Siemens published another update to their original Log4Shell advisory that was originally published on December 12th, 2021 and most recently updated on December 23rd, 2021.

I have been asked why I follow Siemens advisories on a daily basis and everyone else just once a week. There are two reasons. First, Siemens is proactive about pushing their information out to the public, Tweeting® for each advisory and update (for today’s Tweet). The second, and more important, reason is that tracking down each of the 80 Log4Shell advisories that I reported on last Sunday takes up too much time to do on a daily basis.

For more details about the changes announced in today’s update, see my article in CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/12-27-21-siemens-log4shell-advisory - subscription required.

Review - S 3408 Introduced – Cloud Risk Management

Earlier this month, Sen Ossoff (D,GA) introduced S 3408, the Federal Cloud Risk Management Improvements Act. The bill amends 44 USC Chapter 36, Management and Promotion of Electronic Government Services, adding a new §3607, Reporting regarding security of cloud computing products and services. It would add an annual FedRAMP reporting requirement on the security measures being employed to protect federal cloud computing usage.

Ossoff is a subcommittee chair in the Senate Homeland Security and Governmental Affairs Committee to which this bill was referred for consideration. This means that there should be sufficient influence to see this bill considered in Committee. I see nothing that would engender any organized opposition to the bill. I suspect that there would be substantial bipartisan support for the bill. There is a good chance that this could be offered on the Floor of the Senate under the unanimous consent process where it would be subject to the political vagaries of the moment.

The definition of ‘cloud computing’ in SP 800-145 is certainly wide enough to encompass any number of operational technology offerings, including access control, video monitoring and environmental control systems.

The bill does not specify any specific security measures; actually, it does not even require that any security provisions be applied to cloud-computing resources. The FedRAMP reporting requirement simply assumes that there will be security measures implemented. It remains for Congress to review the reports and consider legislative measures to address any shortcomings. If this bill were passed, it would be another instance of Congress kicking the can down the proverbial road.

For more details about the reporting requirements in the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-3408-introduced - subscription required.

PHMSA Publishes Unusually Sensitive Areas Interim Final Rule

Today the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) published a pipeline safety interim final rule (IFR) in the Federal Register (86 FR 73173-73186) for “Unusually Sensitive Areas for the Great Lakes, Coastal Beaches, and Certain Coastal Waters”. The IFR amends “the pipeline safety regulations to explicitly state that certain coastal waters, the Great Lakes, and coastal beaches are classified as unusually sensitive areas for the purpose of compliance with the hazardous liquid integrity management regulations.”

The rule makes two changes to 49 CFR 195.6, Unusually Sensitive Areas (USAs), pursuant to the requirements of §120 of the PIPES Act of 2020 (PL 116-260). First, in paragraph (b) it adds “A coastal beach” and “Certain coastal waters” to the definition of an unusually sensitive area. Then in paragraph (c) it adds definitions of those two terms. These additions to the USA definition expand the coverage of PHMSA’s integrity management rules as these areas now become high consequence areas (HCAs) as defined in 49 CFR 195.450.

The effective date for this IFR is February 25th, 2022. PHMSA is soliciting public comments on the IFR. Those comments will not affect the application of the IFR, but may be considered in the development of the final rule. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; docket #PHMSA-2017-0152).

Sunday, December 26, 2021

Review - Public ICS Disclosures - Log4Shell Advisories – Week of 12-18-21


This is effectively Part 2 of my weekly public ICS disclosure post. It is a follow-up to last week’s post. There are now 80 vendor notifications listed. As I did last week, I am making the article on my CFSN Detailed Analysis site a free-access article so as to avoid a lengthy duplication here.

Saturday, December 25, 2021

Review - Public ICS Disclosure – Week of 12-18-21 – Part 1

Merry Christmas. This has been another busy week for ICS disclosures. Part 1 today will be normal vulnerabilities and Part 2 (probably tomorrow) will be Log4Shell disclosures.

This week we have six vendor disclosures from ABB, IDEC Corporation, QNAP, Hitachi Energy (2), and Johnson Controls. We also have twelve researcher reports for products from Garrett (7) and Open Design Alliance (5).

ABB Advisory - ABB published an advisory describing an MMS file transfer vulnerability in their Distribution Automation products.

IDEC Advisory - JPCERT published an advisory [link added 18:40 EST 1-6-22] for four vulnerabilities in the IDEC PLCs.

QNAP Advisory - JPCERT published an advisory describing two vulnerabilities in the QNAP VioStar series NVR.

Hitachi Energy Advisory #1 - Hitachi Energy published an advisory describing four vulnerabilities in their LinkOne product.

Hitachi Energy Advisory #2 - Hitachi Energy published an advisory discussing seven vulnerabilities in their Data Manager (SDM600) product.

Johnson Controls Advisory - Johnson Controls published an advisory describing an unspecified vulnerability in their American Dynamics VideoEdge NVR.

NOTE: It looks like this has been reported to NCCIC-ICS, so we may see an advisory from them next week.

Garrett Reports - Talos published seven reports covering nine vulnerabilities in the Garrett Metal Detectors used for security screening.

ODA Reports - The Zero Day Initiative published five reports covering vulnerabilities in the ODA Drawings Explorer product.

For more details on these advisories, including links to third-party advisories, see my report at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosure-week-of-12 - subscription required.

Friday, December 24, 2021

Review - ChemLock Fact Sheets

Back in November, CISA established a new voluntary chemical security program called ChemLock. Based on the experience that the Office of Chemical Security had developed overseeing the Chemical Facility Anti-Terrorism Standards (CFATS) program, the ChemLock program provides a number of free resources that chemical facilities can use to help protect chemicals produced, used, or stored at their facilities from use in a terrorist attack. The simplest of these are the seven fact sheets that provide brief looks at various aspects of a chemical security program. Those fact sheets include:

CISA ChemLock Overview,

ChemLock: Chemical Product Stewardship,

ChemLock: Chemical Security Considerations for No-Notice Events,

ChemLock: Chemical Security on a Budget,

ChemLock: Conducting a Chemical Security Self-Assessment,

ChemLock: Drone Activity, and

ChemLock: Reporting Suspicious Activities and Security Incidents

These two-page fact sheets are not comprehensive educational materials. They provide facilities with some basic information and links to additional resources. CISA can be expected to add additional fact sheets to the ChemLock Resources page as time passes.

For a description of each of the fact sheets, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/chemlock-fact-sheets - subscription required.

Thursday, December 23, 2021

Review - 12-23-21 Siemens Log4Shell Advisories

Today, Siemens updated two Log4Shell advisories.

Siemens published an update for their original Log4Shell advisory that was originally published on December 12th, 2021 and most recently updated on December 22nd, 2021.

Siemens published an update for their Sensformer Log4Shell advisory that was originally published on December 21st, 2021.

For more details on the changes made in these updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/12-23-21-siemens-log4shell-advisories - subscription required.

Review - 2 Advisories Published – 12-23-21

Today, CISA’s NCCIC-ICS published two control system security advisories for products from Johnson Controls and Moxa.

Johnson Controls Advisory - This advisory discusses the original Log4Shell vulnerability in the Johnson Controls Exacq Technologies Enterprise Manager.

NOTE: It is interesting that nowhere does the NCCIC-ICS advisory mention the Apache vulnerabilities except by the CVE #. This would have been a good place to publish a reference to yesterday’s CISA, et al, advisory on “Mitigating Log4Shell and Other Log4j-Related Vulnerabilities”, especially since this is the first NCCIC-ICS advisory on Log4Shell.

Moxa Advisory - This advisory describes a clear-text transmission of sensitive information vulnerability in the Moxa MGate MB3180/MB3280/MB3480 Series Protocol Gateways.

NOTE: It looks like NCCIC-ICS is reporting the wrong CVE number for this advisory.

For more details about these advisories, see my article at CFSN Detailed Analysis - - subscription required.

Review - TSA Publishes 60-day ICR Renewal Notice for Surface Cybersecurity

Today the TSA published a 60-day information collection request (ICR) notice in the Federal Register (86 FR 72988-72990) for “Cybersecurity Measures for Surface Modes” (1652-0074). This is the mandated follow-up ICR renewal for the emergency approval for the ICR provided by the OMB’s Office of Information and Regulatory Affairs (OIRA) on November 30th, 2021.

Cybersecurity Security Directives

This ICR supports two cybersecurity related Security Directives and an Information Circular issued by the TSA earlier this month:

SD-1580-21-01 – Enhancing Rail Cybersecurity,

SD-1582-21-01 – Enhancing Public Transportation and Passenger Railroad Cybersecurity, and

Surface-IC-2021-01 – Enhancing Surface Transportation Cybersecurity

The IC is a set of voluntary recommendations made by the TSA for surface transportation organizations not covered by the two Security Directives.

Burden Estimate

The Notice provides a generic burden estimate of 781 respondents and a total of 96,163 burden hours. The support document submitted last month by the TSA to OIRA for the emergency ICR approval included the burden estimates shown in the table below. Since the total numbers are the same, I would expect that they reflect the current burden estimate.

Requirement                                          Responses   Hours   Burden (hours)
Designate a Cybersecurity Coordinator                      831       1          831
Report cybersecurity incidents to CISA                      50       1           50
Develop a cybersecurity incident response plan             781      80       62,480
Complete a cybersecurity vulnerability assessment          781      42       32,802
Total                                                    2,443               96,163

TSA will be providing a form for the completion of the vulnerability assessment. That form will be based upon the NIST Cybersecurity Framework. The Notice does not provide a link to the form. Normally, I would expect such a form to be included in the Notice docket on www.Regulations.gov, but TSA is not using that service and does not provide a docket number for this notice to be used on that site. The TSA’s Surface Transportation Cybersecurity Toolkit web site does not include a copy of the vulnerability assessment form.

Public Comments

TSA is soliciting public comments on this ICR. Comments may be emailed to TSA (TSAPRA@tsa.dhs.gov). Comments should be submitted by February 22nd, 2022.

Commentary

Since this is essentially a new information collection, neither the TSA nor the affected parties have any direct history upon which to base an evaluation of the burden estimate provided by TSA. TSA has made their best guess of the burden. Unfortunately, without a copy of the form that TSA is requiring organizations to use for the vulnerability assessment, most organizations will have some difficulty providing realistic feedback on the time necessary to complete the assessment.

For more details on the ICR notice provisions, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/tsa-publishes-60-day-icr-renewal - subscription required.


Wednesday, December 22, 2021

Review - 12-22-21 Siemens Log4Shell Advisory

Today Siemens published an update for their original Log4Shell advisory that was originally published on December 12th, 2021 and most recently updated on December 21st, 2021. The new information includes:

• Adding two products to the list of affected products, and

• Adding nine additional products considered as not affected.

For more details on this update, including the additions to the ‘affected products’ and ‘not affected products’ lists, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/12-22-21-siemens-log4shell-advisory [Added link - 10:10 pm EST, 12-22-21] - subscription required.


Review - ChemLock – Secure Your Chemicals – Cyber

NOTE: On November 18th, 2021, CISA announced their new voluntary chemical security program, ChemLock. This post is part of a deep dive into that program. Earlier posts in this series include:

CISA Announces ChemLock – Voluntary Chemical Facility Security (short version)

ChemLock and the Chemical Security Summit

ChemLock – On-Site Assessments and Assistance (short version)

ChemLock – Secure Your Chemicals – Overview (short version)

ChemLock – Secure Your Chemicals – Detect (short version)

ChemLock – Secure Your Chemicals – Delay (short version)

As is becoming increasingly obvious to organizations across the country, cyber assets are now a prime target for attacks on industrial organizations, including chemical facilities. Terrorists could leverage cyberattacks to cause chemical releases or to divert precursor chemicals to allow for the construction of chemical weapons or improvised explosives. With that in mind, Chapter 6 of the Secure Your Chemicals manual provides an overview of cybersecurity actions that can be taken by chemical facilities.

Cybersecurity Definition

The introduction to the chapter provides a very good, operational definition of cybersecurity:

“Cybersecurity is the capability to protect critical information, business, and control systems against damage, unauthorized on-site or remote access, modification, or exploitation.”

A key word in that definition is ‘critical’. While every piece of electronic equipment in the facility deserves protection, facility security managers are going to have to prioritize their activities to protect critical systems. Those could include systems that:

Monitor and/or control physical processes that contain a chemical.

Manage physical processes that contain a chemical which could be used to cause disruption or even destruction to the process and surrounding environment.

Contain business or personal information that, if exploited, could result in the theft, diversion, or sabotage of a chemical.

Missing Discussion

One critical cybersecurity area not addressed in this manual is the intersection of cybersecurity and process safety. Facilities that use industrial control systems to control the handling, manufacturing and use of hazardous materials need to ensure that a key component of their cybersecurity response plan addresses the safe shutdown of chemical processes. Additionally, facilities must ensure that chemical process safety controls that rely on automated control systems have analog safety measures or manual controls in place to ensure an adequate response to safety incidents in the event of a loss of control systems due to a cyberattack.

And, as I mentioned in the previous posts in this series, the discussions in this section fall far short of providing facility security officers with all of the knowledge necessary to include cybersecurity features in their facility security plans. It provides an overview of considerations to help FSOs ask the right questions of CSI, vendors and integrators. This chapter does, however, point to CISA’s Cyber Essentials webpage for additional assistance on the topic.

For more details about the Cyber Chapter, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/chemlock-secure-your-chemicals-269 - subscription required.


Tuesday, December 21, 2021

Review - 12-21-21 Siemens Advisories for Log4Shell

Today, Siemens published another new Log4Shell advisory and updated their original advisory.

New Advisory - Siemens published an advisory discussing the Log4Shell vulnerabilities in their three Energy Sensformer products (Platform, Basic and Advanced).

Update - Siemens published an update for their original Log4Shell advisory that was originally published on December 12th, 2021 and most recently updated on December 20th, 2021.

Commentary

One thing that has become obvious during my coverage of this set of vulnerabilities is that cloud versions of control system software appear to be ideally suited to responding to vulnerabilities. It looks like (from the outside) that it takes less time to develop mitigations and it certainly gets them into actual operations much faster. The only question is, how does this affect the ‘requirement’ to test patches, updates, and new versions off-line before they are run on operational systems? Yes, the vendors like Siemens certainly do inhouse testing ‘offline’, but that testing cannot include all of the other pieces of the control system that must physically reside in the plant like sensors, valves and motors. Is this not necessary for control system software as a service products?

For more details on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/12-21-21-siemens-advisories-for-log4shell - subscription required.

Review - 5 Advisories and 1 Update Published – 12-21-21

Today, CISA’s NCCIC-ICS published four control system security advisories for products from Emerson, WECON, Horner Automation, and mySCADA. They published one medical device security advisory for products from Fresenius Kabi. They also updated a control system security advisory from Schneider.

Emerson Advisory - This advisory describes two vulnerabilities in the Emerson DeltaV distributed control system.

WECON Advisory - This advisory describes two vulnerabilities in the WECON LeviStudioU HMI programming software.

Horner Advisory - This advisory describes an improper input validation vulnerability in the Horner Cscape EnvisionRV remote viewing software.

mySCADA Advisory - This advisory describes eight vulnerabilities in the mySCADA myPRO HMI/SCADA.

Fresenius Advisory - This medical device advisory describes thirteen vulnerabilities in the Fresenius Kabi Agilia Connect Infusion System.

Schneider Update - This update provides additional information on an advisory that was originally published on December 14th, 2021.

For more details about these advisories, including an exploit link, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-advisories-and-1-update-published - subscription required.

Monday, December 20, 2021

Review - 12-20-21 Siemens Advisories for Log4Shell

This afternoon Siemens published another new Log4Shell advisory and updated their original advisory.

New Advisory - Siemens published an advisory discussing the Log4Shell vulnerabilities in their TraceAlertServerPLUS, a software component installed in SVC PLUS energy transmission solutions.

Updated Advisory - Siemens published an update of their original Log4Shell advisory that was originally published on December 12th, 2021 and most recently updated on December 19th, 2021.

For more details about the advisory and update, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/12-20-21-siemens-advisories-for-log4shell - subscription required.

Commentary

Nobody can claim that Siemens is not actively working on remediating this unusual set of third-party vulnerabilities. But I have to ask the uncomfortable question, is it really helpful? Fixing a vulnerability in a control system is not just taking a computer out of service long enough to install an update. Properly done it requires testing updates on a mirror system to see if there are any unusual and unexpected consequences to applying the update. Then, the live system needs to be taken out of service and the updates applied and then tested again. Only then can the facility production be resumed.

Facilities cannot afford to do this multiple times within eight days; many cannot afford to do it every year.

I am not sure what the answer is, but this particular vulnerability brings us to a perfect place in time to ask the question. Researchers, operators, red-teams and blue-teams need to take a moment out of their even more hectic than normal schedules to think about and discuss how problems like this really need to be dealt with.

One thing that I am sure of, this is not the last vulnerability that will affect so many so quickly.

Review - HR 6084 Introduced – Energy Product Reliability

Last month, Rep Rush (D,IL) introduced HR 6084, the Energy Product Reliability Act. The bill would require the Federal Energy Regulatory Commission (FERC) to establish an Energy Product Reliability Organization that would do for energy pipelines what NERC has done for the national electric grid. No funding is authorized by this bill.

Rush is a member of the House Energy and Commerce Committee to which this bill was assigned for consideration. This means that there should be sufficient influence to see this bill considered in Committee. I suspect that there would be substantial opposition to this bill from Republicans, who generally resist comprehensive regulatory requirements such as those foreseen by this legislation. The bill could pass out of Committee because of Democratic control.

I doubt that this bill would make it to the floor of the House because of opposition from two different Committee Chairs, the Homeland Security Committee and the Transportation and Infrastructure Committee. The new authority for the EPRO would cut into their separate influence over cybersecurity and pipeline security respectively.

Commentary

The requirement for the EPRO to consult with TSA and DOE on cybersecurity standards is more than a little odd. The DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) certainly retains the preeminent government authority (the knowledge-based definition of that term) on energy cybersecurity, while TSA retains the regulatory authority to oversee security (including, by default, cybersecurity). Thus, the ‘consult with’ requirement of §2(e)(4) should probably be changed to a ‘coordinate with’ mandate, unless the legislation were to remove TSA responsibility for security oversight of energy pipelines. Of course, that is not likely to happen (see paragraph immediately above).

TSA has been working with the pipeline industry on voluntary physical security standards for quite some time and CESER also has a background in physical pipeline security processes. Thus, it would certainly be appropriate, at a minimum, to change that paragraph to read:

(4) CONSULTATION.—The Energy Product Reliability Organization shall consult with the Administrator of the Transportation Security Administration and the Secretary of Energy in developing energy product reliability standards relating to cybersecurity for energy pipelines.

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-6084-introduced - subscription required.

Sunday, December 19, 2021

Review - Sunday Siemens’ Advisories for Log4Shell Vulnerabilities – 12-19-21

Today (yes, on Sunday less than a week after 2nd Tuesday, talk about out-of-zone), Siemens published a new log4j advisory and updated their earlier Log4Shell advisory (for the fifth time).

New Advisory - Siemens published an advisory discussing the latest log4j vulnerability (CVE-2021-45105).

Log4Shell Update - Siemens published an update for their Log4Shell advisory that was originally published on December 12th, 2021 and most recently updated on December 18th, 2021.

For more details about these two new Siemens cybersecurity products, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/sunday-siemens-advisories-for-log4shell - subscription required.

Review - Public ICS Disclosures - Log4Shell Advisories – Week of 12-11-21

This is effectively Part 3 of my weekly public ICS disclosure post. It is a follow-up to Tuesday’s post for disclosures on Log4Shell vulnerabilities. For ease of finding disclosures, I will include all of those notifications from Tuesday’s post with a note of ‘no change’ if appropriate. And I will be using the same format. There are 66 vendor notifications listed in today’s post.

Instead of publishing abbreviated versions of the 66 entries that I have listed on my CFSN Detailed Analysis site, I am making the article on that site a free-access article.

Saturday, December 18, 2021

Review - Public ICS Disclosures – Week of 12-10-21 – Part 2

For Part 2, we have three vendor advisories from Schneider Electric. We also have six vendor updates for products from Schneider (2) and Siemens (4).

Schneider Advisory #1 - Schneider published an advisory describing two vulnerabilities in their Interactive Graphical SCADA System (IGSS) data collector.

Schneider Advisory #2 - Schneider published an advisory describing seven vulnerabilities in their EVlink City / Parking / Smart Wallbox Charging Stations.

Schneider Advisory #3 - Schneider published an advisory describing two separate input validation vulnerabilities in their EcoStruxure Power Monitoring Expert product.

Schneider Update #1 - Schneider published an update for their BadAlloc advisory that was originally published on November 9th, 2021 and most recently updated on November 17th, 2021.

Schneider Update #2 - Schneider published an update for their Web Server on Modicon M580 Controllers advisory that was originally published on December 8th, 2020 and most recently updated on May 11th, 2021.

Siemens Update #1 - Siemens published an update for their NUCLEUS:13 advisory that was originally published on November 9th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-21-313-03) to reflect this change.

Siemens Update #2 - Siemens published an update for their SIMATIC NET CP Modules advisory that was originally published on September 9th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-21-257-06) to reflect this change.

Siemens Update #3 - Siemens published an update for their WIBU CodeMeter advisory that was originally published on November 9th, 2021.

Siemens Update #4 - Siemens published an update for their OpenSSL vulnerabilities advisory that was originally reported on July 13th, 2021 and most recently updated on November 9th, 2021.

For more details on the advisories and updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-12-f8e - subscription required.

CRS Reports – Systemic Vulnerabilities in Information Technology—Log4Shell

This week the Congressional Research Service published a report on the Log4Shell vulnerability (only one vulnerability at the time of the report’s preparation), Systemic Vulnerabilities in Information Technology—Log4Shell. As with most CRS reports, this is a non-technical look at a complex technical problem.

The most important portion of the report for the cybersecurity industry is the “Options for Congress” section. It outlines the generic steps that Congress could take to deal with this issue. There is not enough detail provided to actually craft a legislative response, but it does point congressional staffers in a number of interesting directions.

Review - Public ICS Disclosures – Week of 12-10-21 – Part 1

This week I am going to have to do a three-part report instead of the standard two-part for the weekend following 2nd Tuesday. Part 3 will deal with just Log4Shell advisories. So, for Part 1, we have 17 vendor advisories from Braun (2), Draeger, FANUC, Hitachi Energy (4), HPE, Mitsubishi Electric, Moxa, Rockwell Automation, QNAP (3), Sick, and VMware (2).

Braun Advisory #1 - Braun (USA) published an advisory discussing the NUCLEUS:13 vulnerabilities.

Braun Advisory #2 - Braun (USA) published an advisory discussing the INFRA:HALT vulnerabilities.

Draeger Advisory - Draeger published an advisory describing a privilege escalation vulnerability in their Service Connect Gateway.

FANUC Advisory - FANUC published an advisory describing two vulnerabilities in their Robot Controllers.

Hitachi Energy Advisory #1 - Hitachi Energy published an advisory discussing the BadAlloc vulnerabilities in their PWC600 controller.

Hitachi Energy Advisory #2 - Hitachi Energy published an advisory discussing the BadAlloc vulnerabilities in their GMS600 monitoring device.

Hitachi Energy Advisory #3 - Hitachi Energy published an advisory discussing the BadAlloc vulnerabilities in their Relion REB500 intelligent electronic devices (IEDs).

Hitachi Energy Advisory #4 - Hitachi Energy published an advisory discussing the BadAlloc vulnerabilities in their Relion 670, 650 series and SAM600-IO IEDs.

HPE Advisory - HPE published an advisory describing a buffer overflow vulnerability in their HPE Gen10 and Gen10 Plus Servers.

Mitsubishi Advisory - Mitsubishi published an advisory discussing three of the INFRA:HALT vulnerabilities in their MELSEC Series Remote I/O.

Moxa Advisory - Moxa published an advisory describing a command injection vulnerability in their NPort W2150A/W2250A Series Serial Device Servers.

Rockwell Advisory - Rockwell published an advisory discussing two vulnerabilities in their 1783 network address translation router (NATR).

QNAP Advisory #1 - QNAP published an advisory describing a stack-based buffer overflow vulnerability in their Surveillance Station.

QNAP Advisory #2 - QNAP published an advisory describing a reflected XSS vulnerability in their Kazoo Server.

QNAP Advisory #3 - QNAP published an advisory describing an improper authentication vulnerability in their Qfile for Android application.

Sick Advisory - Sick published an advisory describing three vulnerabilities in their SOPAS ET software.

VMware Advisory #1 - VMware published an advisory describing a server-side request forgery vulnerability in their ONE UEM console.

VMware Advisory #2 - VMware has published an advisory describing two vulnerabilities in their Workspace ONE Access product.

For more details on these advisories, including links to researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-12-66f - subscription required.

Siemens Updates Log4Shell Advisory Again – 4-18-21

More on the Siemens response to Log4Shell vulnerabilities, watching as a microcosm of Log4Shell response. Yesterday Siemens updated their original advisory again.

Siemens published an update for their original Log4Shell advisory that was originally published on December 12th, 2021 and most recently updated on December 17th, 2021. The new information includes:

• Revising the severity of CVE-2021-45046 and removing ineffective mitigation measures,

• Adding Comfy and Enlighted to the list of affected products,

• Adding individual Mindsphere applications,

• Removing Siveillance Viewpoint because it is not affected, and

• Adding a statement regarding Siemens Mobility solutions

Commentary

I am still publishing these updates for the Siemens advisories outside of my normal advisory reporting process because, in my opinion, the Siemens response continues to mirror the problems that the general ICS community is having with responding to this vulnerability. While Siemens has more products to deal with than anyone else in the community, they also have a larger, more experienced (from the standpoint of dealing with vulnerability updates) staff to deal with the problem.

And remember, Siemens has yet to address the third log4j vulnerability, CVE-2021-4104.

Friday, December 17, 2021

PHMSA Sends Valve Installation and Rupture Detection Rule to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a final rule from DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) for “Pipeline Safety: Amendments to Parts 192 and 195 to require Valve installation and Minimum Rupture Detection Standards”. The notice of proposed rulemaking (NPRM) for this rule was published on February 6th, 2020.

According to the abstract for this rulemaking in the Fall 2021 Unified Agenda:

“This rulemaking action would revise the Pipeline Safety Regulations applicable to most newly constructed and entirely replaced onshore natural gas transmission and hazardous liquid pipelines to improve rupture mitigation and shorten pipeline segment isolation times. The rulemaking action would define "notification of potential rupture" and outline certain performance standards related to rupture identification and pipeline segment isolation. This rulemaking action also would require specific valve maintenance and inspection requirements, and 9-1-1 notification requirements to help operators achieve better rupture response and mitigation.”

Siemens Updates Log4Shell Advisory Again – 4-17-21

More on the Siemens response to Log4Shell vulnerabilities, watching as a microcosm of Log4Shell response. Yesterday Siemens published a new advisory and today they updated their original advisory again.

New Advisory

Siemens published a new advisory discussing the Log4Shell vulnerabilities in their SPPA-T3000 SeS3000 Security Server. It lists two of the Log4Shell vulnerabilities:

• Deserialization of untrusted data (original) - CVE-2021-44228 (exploits here and here),

• Deserialization of untrusted data - CVE-2021-45046

Siemens is currently providing generic workarounds pending development of mitigation measures.

Update

Siemens published an update for their original Log4Shell advisory that was originally published on December 12th, 2021 and most recently updated on December 16th, 2021. The new information includes:

• Adding additional affected products, remediation or mitigation measures, and products under investigation,

• Removing LOGO! Soft Comfort from the list of affected products,

• Expanding the Teamcenter product listing, and

• Updating the information for Desigo CC and Cerberus DMS.

NOTE 1: Siemens is still not reporting the new CVE-2021-4104 that has been mentioned by Adolus. Nor have they mentioned active exploitation of the vulnerabilities they are reporting (I have not seen any specific mentions of exploits in Siemens products).

NOTE 2: NCCIC-ICS has still not published an ICS related advisory for these vulnerabilities. They also did not cover the original Siemens advisory in their list of new advisories published yesterday.

Review - 7 Updates Published – 12-16-21

Yesterday, CISA’s NCCIC-ICS published seven control system security updates for products from Siemens (4), Mitsubishi Electric, HCC, and Delta Electronics.

TIA Portal Update - This update provides additional information on an advisory that was originally published on January 14th, 2020 and most recently updated on January 12th, 2021.

SIMOTICS Update - This update provides additional information on an advisory that was originally published on April 14th, 2020 and most recently updated on January 12th, 2021.

Linux Based Products Update - This update provides additional information on an advisory that was originally published on May 11th, 2021 and most recently updated on November 11th, 2021.

Nucleus RTOS Update - This update provides additional information on an advisory that was originally published on November 11th, 2021.

Other Siemens Updates - Siemens published four other updates. I will be addressing those this weekend.

Mitsubishi Update - This update provides additional information on an advisory that was originally published on November 19th, 2020 and most recently updated on September 14th, 2021.

HCC Update - This update provides additional information on an advisory that was originally published on August 5th, 2021 and most recently updated on September 14th, 2021.

Delta Update - This update provides additional information on an advisory that was originally published on August 26th, 2021.

For more details about these updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/7-updates-published-12-16-21 - subscription required.

Thursday, December 16, 2021

Review - 20 Advisories Published – 12-16-21

Today, CISA’s NCCIC-ICS published 20 control system security advisories for products from Siemens (15), Mitsubishi Electric (2), Wibu Systems, Delta Electronics, and Xylem. They also published six updates; I will cover these in a separate post. All of the new advisories that Siemens published on Tuesday were covered today by NCCIC-ICS.

JTTK Advisory #1 - This advisory describes two vulnerabilities in the Siemens JTTK and JT Utilities.

NOTE: The Siemens advisory reports ZDI-Canada reference numbers for these two vulnerabilities. Those, in turn, point to Bentley CVEs: CVE-2021-34878, CVE-2021-34898, and CVE-2021-34937 (links are to ZDI reports; the CVEs are still ‘Reserved’). There are a total of 77 ZDI reports for a variety of vulnerabilities in the Bentley View CAD product.

SiPass Advisory - This advisory describes three separate exposure of resources to wrong sphere vulnerabilities in the Siemens SiPass Integrated.

Teamcenter Advisory - This advisory describes a path traversal vulnerability in the Siemens Teamcenter Active Workspace.

JT Utilities Advisory - This advisory describes 16 vulnerabilities in the Siemens JT Utilities, JT Open Toolkit.

Healthineers Advisory - This advisory describes two separate out-of-bounds write vulnerabilities in the Siemens Healthineers syngo fastView.

NOTE: This should be a medical device security advisory; syngo fastView is a standalone viewer for DICOM2 images.

Simcenter Advisory - This advisory describes an out-of-bounds write vulnerability in the Siemens Simcenter STAR-CCM+ Viewer.

Siveillance Advisory - This advisory describes three separate exposure of resource to wrong sphere vulnerabilities in the Siemens Siveillance Identity self-service portal.

Questa Advisory - This advisory describes an insufficiently protected credential vulnerability in the Siemens Questa Simulation and ModelSim Simulation integrated circuit simulators.

NOTE: The research paper reporting this vulnerability is entitled: “How Not to Protect Your IP – An Industry-Wide Break of IEEE 1735 Implementations”. This vulnerability is not limited to these two Siemens products.

SIMATIC ITC Advisory - This advisory describes a using components with known vulnerabilities vulnerability (19 known vulnerabilities) in the Siemens SIMATIC ITC products.

SIMATIC Advisory - This advisory describes a path traversal vulnerability in the Siemens SIMATIC eaSie PCS 7 Skill Package.

JT2Go Advisory - This advisory describes 16 vulnerabilities in the Siemens JT2Go and Teamcenter Visualization products.

SINUMERIK Advisory - This advisory describes an improper certificate validation vulnerability in the Siemens SINUMERIK Edge platform.

JTTK Advisory #2 - This advisory describes three vulnerabilities in the Siemens JTTK and JT Utilities.

Power Meter Advisory - This advisory describes a stack-based buffer overflow vulnerability in the Siemens POWER METER SICAM Q100.

Capital VSTAR Advisory - This advisory discusses the NUCLEUS:13 vulnerabilities in the Siemens Capital VSTAR.

FA Engineering Advisory - This advisory describes two vulnerabilities in the Mitsubishi FA Engineering Software.

GX Works2 Advisory - This advisory describes an improper handling of length parameter inconsistency vulnerability in the Mitsubishi GX Works2 engineering software suite.

NOTE: Mitsubishi published another advisory and one update today. I will address those this weekend.

Wibu Advisory - This advisory describes an improper privilege management vulnerability in the Wibu CodeMeter.

NOTE: I briefly discussed this vulnerability in early October 2021.

Delta Advisory - This advisory describes an out-of-bounds read vulnerability in the Delta CNCSoft industrial automation software.

Xylem Advisory - This advisory describes a use of hard-coded credentials vulnerability in the Xylem AquaView SCADA system.

For more details on these advisories, including links to third-party advisories, exploits and researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/20-advisories-published-12-16-21 - subscription required.

Reader Comment – Log4Shell Do Something Now

Yesterday I received a DM from a long-time reader and ICS influencer as part of an ongoing discussion about software updates for ICS products for the Log4Shell problem. It said:

“Patrick we need to shake up the ICS vendors they are not doing justice to the seriousness of this vulnerability .... (sic) they and their customers are all likely to be impacted .... (sic)”

My first inclination was to agree; this is certainly a problem, and something needs to be done about it now. But I recognized that response as being an emotional response and I have learned over the years that I need to let such responses simmer, so that I don’t say something that I later regret. And, this morning, I am glad that I did.

The Siemens Example

Siemens was one of the first ICS companies to respond to Log4Shell. This is to be expected. They have lots of experience dealing with newly discovered vulnerabilities. They published their advisory on December 13th, and their first update on December 15th. Part of the reason for the quick update was the discovery of a second Log4J vulnerability and the ineffectiveness of the first workaround. Then there was a second update on the same day. More affected products were listed, and one was removed. Now that there is a third Log4J vulnerability, I suspect that a third update is probably in the works.

Fixing Means Stopping Production

If an owner/operator started working on the first suggestions from the initial advisory, they may have had to start anew with the later information. The problem, however, is that to ‘fix’ an ICS system, you have to take that system out of service for some amount of time to apply the fix. That means that production must stop. If an owner/operator tried to do that for each of the Siemens’ updates, that would quickly begin to impact the bottom line.

Oh, and if you had taken the system down to ‘fix’ a device that was not really affected by Log4Shell after all, the cost would have come without any benefit.

Risk Notification

Okay, so maybe we really do want vendors to get a good fix made before the owner/operator tries to fix their systems. And remember, the fixes really need to be tested and evaluated in a mirror of the deployed system to make sure the fix does not cause even more problems. But we should be able to expect quick notification about the vulnerabilities from the vendors, right?

To be fair, the response that I reported upon earlier this week is the most comprehensive (far from perfect, but the best yet) set of vendor responses that I have seen since I started reporting on vendor advisories. It is far from complete, and many of the reports were of the ‘we are looking at the problem’ sort, but that is still much more than what we typically see for library vulnerabilities.

SBOM

The big problem here is that the Log4j library is much more pervasive than first thought. This has grown beyond just a vendor or 3rd party provider problem; we are starting to see that this is a 4th or 5th party provider problem. It certainly points out the need for a software bill of materials, but it also points out how complex the SBOM issue is becoming in modern software development.

But SBOM is not a be all and end all. It must be accompanied by a vulnerability notification system that pushes those notifications down the line. This is the only way that vendors and end users will know to look at the vulnerabilities in the first place.

Bills Introduced – 12-15-21

Yesterday, with just the Senate in session, there were 15 bills introduced. Two of those bills will receive additional coverage in this blog:

S 3396 A bill to improve the position of the Principal Cyber Advisor, and for other purposes. Sen. Rounds, Mike [R-SD] 

S 3408 A bill to amend chapter 36 of title 44, United States Code, to require reporting regarding the security of cloud computing products and services. Sen. Ossoff, Jon [D-GA]

Wednesday, December 15, 2021

Siemens Updates Log4Shell Advisory Again – 4-15-21

Today, Siemens published an update for their Log4Shell advisory that was originally published on December 12th, 2021 and most recently updated on December 14th, 2021. The new information includes:

• Adding additional affected products, remediation or mitigation measures, and products under investigation, and

• Removing SIMATIC WinCC V7.4 because it is not affected.

The new affected products include:

• Advantage Navigator Energy & Sustainability,

• Advantage Navigator Software Proxy,

• Energy Engage,

• EnergyIP,

• SENTRON powermanager V4,

• Siveillance Viewpoint,

• Solid Edge CAM Pro,

• Solid Edge Harness Design,

• Xpedition Enterprise.

Commentary

I would not be surprised to hear that other vendors have updated their advisories, but it is time consuming to go back and look at all of those web sites to see which changes have been made. I will be doing that in the not-distant future. I am keeping up with the Siemens updates more closely for two reasons. First, Siemens is the 800 lb gorilla in the ICS vendor arena; watching how they respond provides some insights into how the situation is changing (that’s how I learned about the second Log4Shell vulnerability, see this morning’s post).

The second reason may be more important to me. Siemens is easy to track; they post a Tweet® (today for example) when they update their advisories. I wish more vendors were that proactive with their communications.

S 1605 Passed in Senate – FY 2022 NDAA

Today the Senate took up the House amendment to S 1605 that would change that bill into the FY 2022 National Defense Authorization Act. The Senate concurred with the House amendment by a bipartisan vote of 88 to 11. Three of the ‘nay’ votes were recorded by Republicans, so it was bipartisan on both sides of the issue. The President is expected to sign the bill.

As I explained in my Substack article (subscription required) about the House version of this bill, Title XIV, Cyberspace Related Matters, contains two subtitles of DOD related cyber provisions which are generally not of interest to people outside of DOD or the Defense Industrial Base. Subtitle C of that Title, however, contains 12 sections related to federal cybersecurity. Those sections include language similar to the following pieces of legislation that I have previously described:

§1541 - HR 1833,

§1542 - HR 2980,

§1543 - HR 118,

§1547 - HR 3223, and

§1551 - HR 2659
