Friday, May 20, 2022

HR 7777 Adopted in Homeland Security Committee – ICS Training

Yesterday, the House Homeland Security Committee held a business meeting where five DHS related bills were considered, including HR 7777, the Industrial Control Systems Cybersecurity Training Act. Without amendment, the bill was ordered favorably reported by a voice vote. Once the Committee report is published, this bill will be cleared for consideration by the Whole House. The bill will almost certainly be taken up there under the suspension of the rules process. It will likely pass with strong bipartisan support.

This bill would amend the Homeland Security Act of 2002 to establish within CISA an Industrial Control Systems Cybersecurity Training Initiative. No new funding is authorized in the bill. This, in effect, authorizes the long-standing ICS training program in CISA.

Bills Introduced – 5-19-22

Yesterday, with both the House and Senate in Washington, there were 67 bills introduced. One of those bills will receive additional coverage in this blog:

S 4268 A bill to amend the Public Health Service Act to authorize grants to health care providers to enhance the physical and cyber security of their facilities, personnel, and patients. Sen. Gillibrand, Kirsten E. [D-NY] 

This may be a companion bill to HR 7814 that was introduced yesterday.

Thursday, May 19, 2022

HR 6824 Reported in House – Cybersecurity Competition

While the House passed HR 6824 earlier this week, the Committee Report for the bill was not publicly available until after the vote was held. The Report makes the point (pgs 3-4) that the ‘President’s Cup Cybersecurity Competition’ that would be authorized by the bill has actually been held since 2019. The report concludes that discussion by saying:

“H.R. 6824 will specifically authorize the President’s Cup Cybersecurity Competition in law in a manner that provides CISA with needed authority to award cash prizes to the winners to reward their demonstrated cybersecurity skills, which can act as an important retention tool. Codifying the President’s Cup will demonstrate that both Congress is committed to addressing Federal cybersecurity recruitment and retention challenges and values the Federal cyber workforce.”

That is, perhaps, a more positive spin than I normally put on congressional efforts to authorize activities already being undertaken by the Executive Branch. In this case, I will give them credit for the effort and intent publicly stated, since they did give CISA credit for the origination of the program.

Review - 1 Advisory Published – 5-19-22

Today, CISA’s NCCIC-ICS published one control system security advisory for products from Mitsubishi. CISA also published their analysis of the risk and vulnerability assessments (RVA) that they conducted in FY 2021.

Mitsubishi Advisory

This advisory describes two improper input validation vulnerabilities in the Mitsubishi MELSEC iQ-F series CPU modules.

FY 2021 RVA Analysis

CISA reports in their analysis document that they had conducted 112 risk and vulnerability assessments (RVA) of multiple stakeholders across various sectors in FY 2021. This document utilizes data collected during those RVAs to produce a sample attack path that a cyber threat actor could take to compromise an organization, using the weaknesses identified in FY21 RVAs.

CISA also provides an infographic that delineates the top three techniques CISA was able to use to effect each of the eleven tactics of a sample attack path developed by CISA that is based loosely on the ATT&CK methods.

For more details on the advisory and the CISA RVA analysis, including my commentary on the efficacy of the recommendations made by CISA, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-published-5-19-22 - subscription required.

House Science Committee Approves HR 7569 – Cybersecurity Education

On Tuesday, the House Science, Space, and Technology Committee held a business meeting where they considered HR 7569, the Energy Cybersecurity University Leadership Act of 2022. The bill was adopted without amendment by a voice vote. The legislation would require DOE to establish an “Energy Cybersecurity University Leadership Program”.

Once the Committee’s report is prepared, the bill will be cleared for consideration by the full House. The bill would probably be considered under the suspension of the rules process. That means limited debate, no floor amendments, and would require a super majority for passage.

Review – HR7777 Introduced – ICS Training

Earlier this week, Rep Swalwell (D,CA) introduced HR 7777, the Industrial Control Systems Cybersecurity Training Act. The bill would amend the Homeland Security Act of 2002, adding a new §2220D that would establish within CISA an Industrial Control Systems Cybersecurity Training Initiative. No new funding is authorized in the bill.

Moving Forward

Swalwell is a member of the House Homeland Security Committee to which this bill was assigned for consideration. This means that there may be sufficient influence to see this bill considered in Committee. I see nothing in this bill that would engender any organized opposition. I suspect that the bill would receive substantial bipartisan support in Committee. The bill would likely pass in the House after consideration under the suspension of the rules process.

Commentary

This bill is another example of Congress authorizing a long-standing program run by the executive branch and taking credit for the idea. The description of the Industrial Control Systems Cybersecurity Training Initiative provided in §2220D(b) could have been taken from the CISA ICS training web page that I described (subscription required) on Tuesday. And the fact that the in-person classes are held at DOE’s Idaho National Laboratory certainly fits with the requirements of §2220D(b)(2)(A).

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr7777-introduced - subscription required.

Bills Introduced – 5-18-22

Yesterday, with both the House and Senate in session, there were 46 bills introduced. Two of those bills will receive additional coverage in this blog:

HR 7814 To amend the Public Health Service Act to authorize grants to health care providers to enhance the physical and cyber security of their facilities, personnel, and patients. Rep. Escobar, Veronica [D-TX-16]

S 4248 A bill to enhance pipeline safety and oil spill preparedness and response, particularly in the Great Lakes Basin, and for other purposes. Sen. Peters, Gary C. [D-MI] 

Wednesday, May 18, 2022

Review - CG Announces 2-Day NCTSAC Meeting – 6-8-22

Today, the Coast Guard published a meeting notice in the Federal Register (87 FR 30242-30243) for a two-day meeting of the National Chemical Transportation Safety Advisory Committee (NCTSAC) on June 8th and 9th, 2022 in Arlington, VA. The in-person and virtual combined meeting will be public. The NCTSAC will consider the progress on Task Statement 21-01, Recommendations on Loading Limits of Gas Carriers and USCG Supplement to International Hazardous Zone Requirements and the introduction of three new potential tasks for the Committee’s consideration.

There will be limited seating for in-person attendance at the meeting. Personnel wishing to register for in-person attendance or virtual attendance should contact Lieutenant Ethan T. Beard (Ethan.T.Beard@uscg.mil). COVID-19 safety protocols (including mask wear) will be in effect at the meeting site.

Public comment on the agenda items is being solicited. Written comments can be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # USCG-2022-0254).

For more details on LNG Tasking and the listing of the new taskings, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cg-announces-2-day-nctsac-meeting - subscription required.

HR 6868 Passed in House – Cybersecurity Education

On Monday, the House took up HR 6868, the Cybersecurity Grants for Schools Act of 2022. The bill was considered under the suspension of the rules process. After very limited debate, with no opposition voiced, a recorded vote was demanded. That vote took place yesterday and the bill passed with a strongly bipartisan vote of 383 to 30.

The bill would expand the scope of the existing Cybersecurity Education and Training Assistance Program (6 USC 665f) by allowing CETAP grants to go to States, local governments, institutions of higher education, nonprofit organizations, and other non-Federal entities for the purposes of funding cybersecurity education or training programs.

Again, this is another bill that will probably not be considered in the Senate due to time constraints.

HR 6873 Passed in House – Bombing Prevention

On Monday the House took up HR 6873, the Bombing Prevention Act of 2022. The bill was considered under the suspension of the rules process. After limited debate and no adverse comments on the bill from the floor, a recorded vote was demanded. That vote took place yesterday and the bill passed with a strong, bipartisan vote of 388 to 26.

The bill would authorize the current Office for Bombing Prevention (OBP) and outlines the technical assistance services DHS would provide to counter terrorist explosive threats and attacks.

Multiple attempts have been made over the years to authorize the OBP. Generally, those bills have passed in the House, but were not taken up in the Senate. As with many bills, this bill is not of high enough priority to take up the legislative time necessary for consideration under regular order in the Senate. Since the program is already in existence and regularly funded in DHS spending bills, there is little incentive to consider the bill under the unanimous consent process. This version of the bill is likely to face the same fate.

Tuesday, May 17, 2022

S 2520 Passed in House – State and Local Cybersecurity

Yesterday the House took up S 2520, the State and Local Government Cybersecurity Act of 2021. The bill was considered under the suspension of the rules process. After limited debate yesterday, a recorded vote was demanded. That vote took place today and the bill passed by a strong bipartisan vote of 404 to 14.

The bill would add additional responsibilities for CISA with regards to State and local governments. It would also provide additional coordination responsibilities for CISA’s National Cybersecurity and Communications Integration Center (NCCIC). No additional funding is authorized to support these additional responsibilities.

Since no changes were made in the bill during consideration in the House, the bill now heads to President Biden for signature.

Review – 1 Advisory Published – 5-17-22

Today, CISA’s NCCIC-ICS published one control system security advisory for products from Circutor. I also take a brief look at the different types of cybersecurity training provided by CISA.

Circutor Advisory - This advisory describes a stack-based buffer overflow in the Circutor COMPACT DC-S BASIC smart metering concentrator.

CISA ICS Cybersecurity Training

Since I mentioned CISA’s control system security training in passing this morning, I thought I might take a little bit of a more detailed look at the training programs here.

On the CISA ICS landing page, CISA provides a link to their training resources. They provide two different types of training: web-based training and instructor-led training.


For more details about the advisory and the CISA training programs, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-published-5-17-22 - subscription required.

S 658 Signed by President – Cybersecurity Consortia

Last week, President Biden signed S 658, the National Cybersecurity Preparedness Consortium Act of 2021. Yesterday, the bill was assigned the Public Law number PL 117-122 (it will be months before the PL is actually printed).

As I have noted earlier, the provisions in this bill allowing NCCIC to work with a consortium of non-profit entities to “develop, update, and deliver cybersecurity training in support of homeland security” are simply an acknowledgement of DHS activities that have been taking place for a number of years. Since there is no new funding authorized in this bill, Congress again takes credit for work already done by DHS without spending any money or political capital.

HR 5658 Passed in House – Cybersecurity Roles

Yesterday, the House took up HR 5658, the DHS Roles and Responsibilities in Cyber Space Act. The bill was considered under the House suspension of the rules process. After minimal debate, with no dissenting voices heard, a recorded vote on the bill was requested. Later in the day, the House voted 313 to 105 to pass the bill. The bill is unlikely to be considered in the Senate.

The bill would require DHS to prepare “a report on the roles and responsibilities of the Department and its components relating to cyber incident response.” It would also specifically add CISA cross-sector responsibilities for enhancing control system cybersecurity.

Since there was no opposition voiced to the bill in yesterday’s debate, it is hard to see what caused the substantial bipartisan (32 Democrats and 73 Republicans voted Nay) opposition to this bill.

Once again, this is a relatively unimportant bill. It would be hard to justify the legislative time necessary to take up this bill in the Senate under regular order. The significant opposition to the bill seen in the House would mean that there would be little chance of this bill being passed under the unanimous consent process. Thus, the only way this bill could make it to the President’s desk would be for the language to be added to some other bill that was headed to the White House.

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-5658-introduced - subscription required.

HR 6825 Passed in House – Nonprofit Grant Program

Yesterday the House took up HR 6825, the Nonprofit Security Grant Program Improvement Act of 2022. The bill was considered under the suspension of the rules process. After limited debate, with no dissenting voices heard, the bill passed by a vote of 288 to 129. The bill is unlikely to be considered in the Senate.

The bill would amend the current Nonprofit Security Grant Program (6 USC 609a) to specifically include the risk of “extremist attacks other than terrorist attacks and threats” in the coverage of the grant program. It also increases the out-year funding from $75 million per year to $500 million per year. The program currently supports cybersecurity measures.

It is not clear why there was so much Republican opposition to the bill since no one spoke out during the debate. I suspect, however, that this was a combination of the increased cost and the addition of the ‘extremist attacks’ language. With Chairman Thompson (D,MS) specifically citing the racially motivated attack this weekend in Buffalo in yesterday’s debate (pg H4984), there may have been some supporters of the ‘replacement theory’ that felt some of their base might be targeted by the new funding.

This bill is unlikely to be considered in the Senate. It is not ‘important’ enough to take up the legislative time required for regular order and the significant Republican opposition would make consideration under the unanimous consent process impossible. The only hope for moving forward would be to include the language in a larger, must pass, or sure to pass, bill.

For more details about the provisions of the bill, see my article on CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-6825-introduced - subscription required.

OMB Approves BIS Marine Toxics Request for Comments

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a request for comments from the DOC’s Bureau of Industry and Security for “Commerce Control List: Proposed Controls on Certain Marine Toxins”. According to the Fall 2021 Unified Agenda listing for this rulemaking:

“The Bureau of Industry and Security (BIS) is publishing this final rule to amend certain Export Control Classification Numbers (ECCNs) on the Commerce Control List (CCL) to reflect recent updates to the Australia Group (AG) Common Control Lists.”

As I noted when this RFC was sent to OIRA, it looks like BIS is going to continue to use these RFCs as a substitute for ‘notices of proposed rulemaking’ where they are authorized to use a direct rulemaking process. It drags out changes to the CCL (making for some export/import coordination issues), but it should help BIS avoid some of the problems they have been having with their direct rulemaking process.

Bills Introduced – 5-16-22

Yesterday, with both the House and Senate in session, there were 33 bills introduced. One of those bills will receive future coverage in this blog:

HR 7777 To amend the Homeland Security Act of 2002 to authorize the Cybersecurity and Infrastructure Security Agency to establish an industrial control systems cybersecurity training initiative, and for other purposes. Rep. Swalwell, Eric [D-CA-15] 

I am hoping that the ‘training initiative’ is something more than just authorizing the current CISA ICS training programs, but I am not holding my breath.

Monday, May 16, 2022

HR 6824 Passed in House – Cybersecurity Competition

Today, the House took up HR 6824, the President’s Cup Cybersecurity Competition Act. The bill was considered under the suspension of the rules process. There was limited debate of the bill this afternoon and a recorded vote was requested. This evening, the House voted 386 to 31 to pass the bill.

The way this bill is set up we could see multiple Department-wide competitions or a single government-wide competition. Or no competitions, if CISA decides it is just not worth the effort. In any case, if this bill passes, Congress gets credit for doing something for cybersecurity, even if no one holds a single competition.

For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-6824-introduced - subscription required.

Committee Hearings – Week of 5-15-22

This week, with both the House and Senate in session, there is a very active hearing schedule on both sides of the Hill. FY 2023 budget hearings continue, including Member Day hearings (where congresscritters not on the Appropriations Committee have a chance to plead for their favorite projects). We also have two cybersecurity markups, a health and education cybersecurity hearing, and an emergency response hearing.

Cybersecurity Markups

On Tuesday, the House Science, Space, and Technology Committee will hold a business meeting to consider four pieces of legislation. It will include:

HR 7569, the Energy Cybersecurity University Leadership Act of 2022.

On Wednesday, the Senate Small Business Committee will hold a business meeting to consider five bills. It will include:

S 1687, the Small Business Cyber Training Act of 2021

NOTE: I have not followed this bill closely because it deals with cybersecurity training for employees of Small Business Development Center, not small businesses.

Cybersecurity Hearings

On Wednesday the Senate Health, Education, Labor and Pensions Committee will hold a hearing on “Cybersecurity in the Health and Education Sectors”. The witness list includes:

• Denise Anderson, Health Information Sharing and Analysis Center,

• Joshua Corman, I Am the Cavalry,

• Amy McLaughlin, Consortium of School Networking, and

• Helen Norris, Chapman University

I do not think that there will be any in depth discussion about medical device cybersecurity issues, but I could be wrong with Corman as a witness.

Emergency Response

On Tuesday, the Emergency Preparedness, Response, and Recovery Subcommittee of the House Homeland Security Committee will hold a hearing on “Creating a More Resilient Nation: Stakeholder Perspectives”. The witness list will include:

• Chris Currie, GAO,

• Orlando Rolón, Chief of Police, City of Orlando, and

• George Dunlap, Mecklenburg County Commission

I do not think that there will be any specific discussion about response planning for chemical incidents.

On the Floor

There are five cybersecurity bills scheduled for consideration in the House this week under the suspension of the rules process. They include:

HR 5658 – DHS Roles and Responsibilities in Cyber Space Act, as amended,

HR 6824 – President’s Cup Cybersecurity Competition Act, as amended,

HR 6825 – Nonprofit Security Grant Program Improvement Act of 2022, as amended,

HR 6868 – Cybersecurity Grants for Schools Act of 2022, as amended, and

S 2520 – State and Local Government Cybersecurity Act of 2021.

Review - S 4166 Introduced – Technological Hazards

Earlier this month, Sen Portman (R,OH) introduced S 4166, the Technological Hazards Preparedness and Training Act of 2022. The bill would require FEMA to “maintain the capacity to provide States and local governments with technological hazards and related emerging threats technical assistance, training, and other preparedness programming to build community resilience to technological hazards and related emerging threats.” The bill would authorize funding at $20 million per year through FY 2024.

Moving Forward

Portman is the Ranking Member of the Senate Homeland Security and Governmental Affairs Committee to which this bill was assigned for consideration. Portman certainly has the influence to see this bill considered in Committee. I would like to think that this bill would receive bipartisan support in Committee, though I am not sure that that will be the case. I suspect that there will be some Republican opposition because this sounds like it could be an environmental justice bill and would certainly be labeled as such if it had been introduced by Sen Warren or Sen Markey, both Democrats from Massachusetts.

In any case, even if this bill were moved through the Committee, it would never make it to the floor of the Senate. The bill is too small and ‘unimportant’ to be considered under regular order and there are a number of Senators that could be expected to object if offered under the unanimous consent process.

Commentary

When this bill was introduced, I noted the odd phrasing used to describe the program: “support communities containing technological hazards and emerging threats” and I commented that: “on the off chance the ‘technological hazards and emerging threats’ include cybersecurity issues, I will be watching this bill when it is published.” Boy was I off-base. Instead of cyber issues this is about CBRN hazard planning and it is about time that someone put the responsibility for that in the hands of FEMA and not the EPA.

Unfortunately, because of the odd wording, this bill is unlikely to get serious consideration. That, combined with the lack of specific direction and the very small budget ($20 million for just two years???), means that even if this were to pass it would not be as effective as the EPA’s LPCs, and very few of those have accomplished anything.

But the fact that it is Portman that offered this bill instead of an environmental bomb thrower does make me stop and hope that this is a sign that perhaps chemical emergency response planning (and yes, the remainder of the CBRN panoply) may start to receive some serious attention.


For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-4166-introduced - subscription required.

Sunday, May 15, 2022

Review – Public ICS Disclosures – Week of 5-7-22 – Part 2

For Part 2 we have nine additional vendor disclosures from Philips, Phoenix Contact, ProsysOPC, Rockwell Automation, Schneider (3), and Tanzu (2). We also have eleven updates from QNAP, Rockwell (2), Schneider (3), and Siemens (5). There are also two researcher reports for products from XINJE and Rockwell. Finally, we have two exploits for products from USR IOT and Spring.

Philips Advisory - Philips published an advisory that discusses the F5 BIG IP vulnerability.

Phoenix Contact Advisory - Phoenix Contact published an advisory that discusses two vulnerabilities in their RAD-ISM-900-EN-BD devices.

ProsysOPC Advisory - ProsysOPC published an advisory that describes a resource exhaustion vulnerability in their OPC UA SDK for Java that was discovered during the PWN2OWN MIAMI 2022 competition.

Rockwell Advisory - Rockwell published an advisory that discusses an infinite loop vulnerability in their ThinMan and FactoryTalk products.

Schneider Advisory #1 - Schneider published an advisory that describes six vulnerabilities in their Wiser Smart products.

Schneider Advisory #2 - Schneider published an advisory that discusses an out-of-bounds write vulnerability in their Saitel DP RTU.

Schneider Advisory #3 - Schneider published an advisory that describes an improper input validation vulnerability in their PowerLogic ION Setup product.

Tanzu Advisory #1 - Tanzu published an advisory that describes a denial-of-service vulnerability in their Spring Framework.

Tanzu Advisory #2 - Tanzu published an advisory that describes a file download vulnerability in their Spring MVC or Spring WebFlux applications.

QNAP Update - QNAP published an update for their VS Series NVR advisory that was originally published on May 6th, 2022.

Rockwell Update #1 - Rockwell published an update for their Logix Controllers advisory that was originally published on March 31st, 2022.

NOTE: NCCIC-ICS has not updated their advisory (ICSA-22-090-05) for this new information.

Rockwell Update #2 - Rockwell published an update for their Logix Designer Application advisory originally published on March 31st, 2022.

NOTE: NCCIC-ICS has not updated their advisory (ICSA-22-090-07) for this new information.

Schneider Update #1 - Schneider published an update for their APC Smart-UPS advisory that was originally published on March 8th, 2022 and most recently updated on March 24th, 2022.

NOTE: NCCIC-ICS has not updated their advisory (ICSA-21-313-01) for this new information.

Schneider Update #2 - Schneider published an update for their Network Management Card advisory that was originally published on November 9th, 2022.

Siemens Update #1 - Siemens published an update for their OpenSSL advisory that was originally reported on July 13th, 2021 and most recently updated on April 12th, 2022.

Siemens Update #2 - Siemens published an update for their GNU/Linux advisory that was originally published in 2018 and most recently updated on April 14th, 2022.

NOTE: NCCIC-ICS did not update their advisory (icsa-22-104-13) for this information.

Siemens Update #3 - Siemens published an update for their Log4Shell advisory that was originally published on December 13th, 2021 and most recently updated on April 12th, 2022.

Siemens Update #4 - Siemens published an update for their Mbed TLS of LOGO! advisory that was originally published on September 14th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-21-257-20) for this new information.

Siemens Update #5 - Siemens published an update for their SIMATIC WinCC advisory that was originally published on November 11th, 2021 and most recently updated on April 14th, 2022.

NOTE: NCCIC-ICS did not update their advisory (ICSA-21-315-03) for this new information.

XINJE Report - Claroty published a report about two vulnerabilities in the XINJE PLC programming tool.

Rockwell Report - ZDI published a report about a sensitive information disclosure vulnerability in the Rockwell ISaGRAF.

USR IOT Exploit - LiquidWorm published an exploit for a hard-coded credentials vulnerability in the USR IOT 4G LTE Industrial Cellular VPN Router.

Spring4Shell Exploit - Vleminator published a Metasploit module for the SpringShell vulnerabilities.


For more details about these disclosures, including links to 3rd party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-5-34b - subscription required.

Saturday, May 14, 2022

Review – Public ICS Disclosures – Week of 5-7-22 – Part 1

Happy Saturday after 2nd Tuesday. It is another busy week in ICS disclosures. In Part 1 we have 25 vendor disclosures from Hitachi, Hitachi Energy (2), HP (7), HPE (11), InHand Networks, and Palo Alto Networks (4). There are lots of Intel vulnerabilities lurking here.

Hitachi Advisory - Hitachi published an advisory that discusses 69 vulnerabilities in their Disk Array Systems.

Hitachi Energy Advisory #1 - Hitachi Energy published an advisory that discusses an off-by-one error vulnerability (with multiple exploits available) in their TXpert Hub CoreTec 4 product.

Hitachi Energy Advisory #2 – Hitachi Energy published an advisory that describes three vulnerabilities in their TXpert Hub CoreTec 4 product.

HP Advisory #1 - HP published an advisory that discusses 28 vulnerabilities in a variety of HP products that utilize the AMD Client UEFI Firmware.

HP Advisory #2 - HP published an advisory that describes a privilege escalation vulnerability in their Jumpstart software in a variety of HP products.

HP Advisory #3 - HP published an advisory that discusses 8 vulnerabilities in a variety of HP products that utilize Intel® Solid State Drive (SSD) or Intel Optane™ SSD products.

HP Advisory #4 - HP published an advisory that discusses a privilege escalation vulnerability in a variety of HP products that utilize Intel® Boot Guard or Intel® Trusted Execution Technology (TXT).

HP Advisory #5 - HP published an advisory that discusses 15 vulnerabilities in a variety of HP products that utilize the Intel 2022.1 IPU BIOS.

HP Advisory #6 - HP published an advisory that describes two vulnerabilities in a variety of HP products that utilize the HP PC BIOS.

HP Advisory #7 - HP published an advisory that describes five vulnerabilities in their UEFI Firmware used in a variety of HP products.

HPE Advisory #1 - HPE published an advisory that describes eleven vulnerabilities in their HPE ProLiant and Apollo Servers.

HPE Advisory #2 - HPE published an advisory that discusses a disclosure of information vulnerability in their ProLiant DL/ML/MicroServer Servers.

HPE Advisory #3 - HPE published an advisory that discusses two vulnerabilities in their HPE ProLiant BL/DL/ML/XL and Apollo Servers.

HPE Advisory #4 - HPE published an advisory that discusses a disclosure of information vulnerability in their HPE ProLiant ML/DL/MicroServer Servers.

HPE Advisory #5 - HPE published an advisory that discusses eleven vulnerabilities in their Synergy Servers.

HPE Advisory #6 - HPE published an advisory that discusses an improper validation of array index vulnerability (with publicly available exploit) in their Nimble Storage product.

HPE Advisory #7 - HPE published an advisory that discusses two vulnerabilities in their Synergy Servers.

HPE Advisory #8 - HPE published an advisory that discusses eleven vulnerabilities in their ProLiant DX Servers.

HPE Advisory #9 - HPE published an advisory that discusses two vulnerabilities in their ProLiant DX Servers.

HPE Advisory #10 - HPE published an advisory that discusses two vulnerabilities in various HPE storage products.

HPE Advisory #11 - HPE published an advisory that discusses eleven vulnerabilities in various HPE storage products.

InHand Advisory - InHand published an advisory that describes 17 vulnerabilities in their Industrial Router IR302.

Palo Alto Advisory #1 - Palo Alto published an advisory that describes an improper neutralization of special elements vulnerability in their PAN-OS.

Palo Alto Advisory #2 - Palo Alto published an advisory that describes an uncontrolled search path element vulnerability in their Cortex XDR Agent.

Palo Alto Advisory #3 - Palo Alto published an advisory that describes a privilege escalation vulnerability in their Cortex XDR Agent.

Palo Alto Advisory #4 - Palo Alto published an advisory that describes an incorrect authorization vulnerability in their Cortex XSOAR.


For more details about these disclosures, including links to third-party advisories, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-5 - subscription required.

Friday, May 13, 2022

Review – 11 Updates Published – 5-12-22

Yesterday, CISA’s NCCIC-ICS published eleven control system security advisories for products from Siemens (10) and Mitsubishi. Siemens published five additional updates that were not covered yesterday by NCCIC-ICS. I will be covering them this weekend.

Industrial Products Update #1 - This update provides additional information on an advisory that was originally published on September 10th, 2019 and most recently updated on March 10th, 2022.

Industrial Products Update #2 - This update provides additional information on an advisory that was originally published on July 13th, 2021 and most recently updated on April 14th, 2022.

Industrial Products Update #3 - This update provides additional information on an advisory that was originally published on April 14th, 2014.

TIA Portal Update - This update provides additional information on an advisory that was originally published on January 14th, 2020 and most recently updated on December 16th, 2021.

SIMOTICS Update - This update provides additional information on an advisory that was originally published on April 14th, 2020 and most recently updated on April 14th, 2022.

SIMATIC Update #1 - This update provides additional information on an advisory that was originally published on June 8th, 2021 and most recently updated on April 14th, 2022.

SIMATIC Update #2 - This update provides additional information on an advisory that was originally published on November 11th, 2021 and most recently updated on April 14th, 2022.

Nucleus RTOS Update - This update provides additional information on an advisory that was originally published on November 11th, 2021 and most recently updated on April 14th, 2022.

Mitsubishi Update - This update provides additional information on an advisory that was originally published on April 12th, 2022.


For more information on these updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/11-updates-published-5-12-22 - subscription required.


Thursday, May 12, 2022

Review – 16 Advisories Published – 5-12-22

Today, CISA’s NCCIC-ICS published sixteen control system security advisories for products from Siemens (12), Cambium Networks, Inkscape, Mitsubishi Electric, and Delta Electronics.

Teamcenter Advisory - This advisory describes two vulnerabilities in the Siemens Teamcenter product lifecycle management software.

OpenV2g Advisory - This advisory describes a classic buffer overflow vulnerability in the OpenV2G open-source implementation of the ISO/IEC vehicle-to-grid communication interface (V2G CI) standard (Siemens is an initiator of OpenV2G).

Simcenter Advisory - This advisory describes an out-of-bounds write vulnerability in the Siemens Simcenter Femap advanced simulation application.

Industrial Devices Advisory - This advisory discusses two vulnerabilities (both with known exploits) in Siemens industrial devices.

Industrial Products Advisory #1 - This advisory discusses an improper restriction of operations within the bounds of a memory buffer vulnerability in the OPC Foundation Local Discovery Server used by several Siemens industrial products.

Industrial Products Advisory #2 - This advisory discusses a NULL pointer dereference vulnerability (with known exploit) in the Siemens SIMATIC NET PC, SITOP Manager, and TeleControl Server Basic products.

SIMATIC Advisory #1 - This advisory describes an uncontrolled resource consumption vulnerability in the Siemens SIMATIC CP 442-1 RNA and CP 443-1 RNA communications processors.

SIMATIC Advisory #2 - This advisory describes an insecure default initialization of resource vulnerability in the Siemens SIMATIC PCS and WinCC products.

Desigo Advisory - This advisory describes eight vulnerabilities in the Siemens Desigo PXC and DXR building automation devices.

JT2GO Advisory - This advisory describes six vulnerabilities in the Siemens JT2GO and Teamcenter Visualization products.

SICAM Advisory - This advisory describes eleven vulnerabilities in the Siemens SICAM P850 and SICAM P855 electrical variable measuring devices.

Industrial PCs Advisory - This advisory discusses four vulnerabilities in the Siemens Industrial PCs and CNC devices.

NOTE: This advisory is based upon a Siemens update of an advisory that was originally published on May 11th, 2021 and most recently updated on March 8th, 2022.

Cambium Advisory - This advisory describes seven vulnerabilities in the Cambium cnMaestro On-Premises network management system.

Inkscape Advisory - This advisory describes three vulnerabilities in the Inkscape open-source graphics editor.

NOTE: NCCIC-ICS is apparently concerned that this will be a third-party vulnerability in multiple ICS products. They provide a link to one such affected product, the Ecava SAGE eXtension SCADA animation graphic editor. The linked page only refers to the corrected version of Inkscape and does not mention these vulnerabilities.

Mitsubishi Advisory - This advisory discusses eight vulnerabilities in the Mitsubishi MELSOFT iQ AppPortal.

Delta Advisory - This advisory describes two vulnerabilities in the Delta CNCSoft software management platform.


For additional information on these advisories, including links to third-party advisories, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/16-advisories-published-5-12-22 - subscription required.

Review - Changes in TSA Rail Security Burden Estimation

On Tuesday, I reported that the TSA had published a 30-day ICR extension notice in the Federal Register. I noted that there was a minor discrepancy in the reported burden number. Since then, the OMB’s Office of Information and Regulatory Affairs (OIRA) has published the supporting document submitted by TSA in their extension request for this ICR. While this information explains the burden discrepancy, the total data submission to OIRA makes it clear that this is an ICR revision, not a simple extension.

The table below shows the data abstracted from Section 12 of both the submitted supporting data document and the supporting document for the currently approved ICR.

                        Proposed Estimate          Current Estimate
                        # Responses   Burden       # Responses   Burden
Security Coordinator            475      475               475      475
Location Reporting              327      164               655      328
Security Concerns             4,961    4,961             4,961    4,961
Chain of Custody            214,000  107,000           214,000  107,000
Total                       219,763  112,600           220,091  112,764

While there is nothing nefarious about the discrepancies in the changes made in the supporting information for this information collection revision, the TSA continues to have substantial problems with their ICR documentation. While the recent Federal Register notice classified this as an extension of a currently approved collection, this is clearly a revision of the ICR. TSA has provided OIRA with an adequate explanation for the revision, but TSA continues to be sloppy and vague in their public reporting of their ICRs. Unfortunately, OIRA will undoubtedly approve the changes to this ICR, as they have so often in the past.

For more details about the change in burden estimate, as well as other changes in the information collection request, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/changes-in-tsa-rail-security-burden - subscription required.

Wednesday, May 11, 2022

HR 7077 Passed in House – Fire Investigations

Yesterday, the House began consideration of HR 7077, the Empowering the U.S. Fire Administration Act, under the House suspension of the rules process. After limited debate, a vote was demanded and subsequently postponed until today. This afternoon, the vote on the bill was held and the bill was approved by a significantly bipartisan vote of 379 to 37.

During yesterday’s debate, there was no one that spoke in opposition to the bill. In addition to the typical praise for the leadership of the House Homeland Security Committee for their bipartisan work on the bill, there were four letters in support of the bill read into the record. Those letters were from:

• Fire Department of New York City,

• International Association of Fire Chiefs,

• National Association of State Fire Marshals, and

• The International Association of Fire Fighters.

The bill now goes to the Senate for consideration. This bill will not be considered under regular order. There is a chance that it could proceed under the unanimous consent process, but it is more likely to be added to another bill as an amendment. Then again, it could suffer the same fate that so many bills fall to when they are presented to the ‘other’ house of Congress. Without an influential sponsor to move them forward they simply gather legislative dust on the desk of the Clerk.

Bills Introduced – 5-10-22

Yesterday, with both the House and Senate in session, there were 50 bills introduced. One of those bills may receive additional attention in this blog:

S 4166 A bill to authorize preparedness programs to support communities containing technological hazards and emerging threats. Sen. Portman, Rob [R-OH]

Okay, the wording of this description (‘support communities containing technological hazards and emerging threats’???) confuses me, but on the off chance the ‘technological hazards and emerging threats’ include cybersecurity issues, I will be watching this bill when it is published. But seriously, I doubt that I will mention this here again.

Tuesday, May 10, 2022

S 2201 Passed in House – Supply Chain Risk Training

Today, the House took up S 2201, the Supply Chain Security Training Act of 2021, and passed it by a voice vote with only seven minutes of ‘debate’. Since the same version of the bill passed in the Senate, the bill now heads to President Biden for signature. There is no indication that the President has concerns about the bill, so it will probably be signed later this week.

The bill would require the General Services Administration to develop “a training program for officials with supply chain risk management responsibilities at executive agencies.” While the term ‘supply chain risk’ is not defined in the legislation, with both CISA and NIST referred to as coordination targets, I would suspect that the crafters were at least partially considering protecting hardware and software against unauthorized manipulation in transit between the manufacturer and the Federal user.

NOTE: S 1097, the Federal Rotational Cyber Workforce Program Act of 2021, also passed in the House this afternoon. Since this is purely a federal workforce issue with little or no potential effect on control system cybersecurity, I have not covered this bill. It is also going to Biden for signature.

Review – Six Advisories Published – 5-10-22

Today, CISA’s NCCIC-ICS published six control system security advisories for products from Mitsubishi Electric, AVEVA, Eaton (3), and Adminer.

Mitsubishi Advisory - This advisory discusses two vulnerabilities in the Mitsubishi MELSOFT GT OPC UA Client.

AVEVA Advisory - This advisory describes an exposure of resources to wrong sphere vulnerability in the AVEVA InTouch Access Anywhere and AVEVA Plant SCADA Access Anywhere HMI products.

NOTE: I briefly reported on this vulnerability last Saturday.

Eaton Advisory #1 - This advisory describes a cross-site scripting vulnerability in the Eaton Intelligent Power Manager (IPM).

NOTE: I briefly reported on this vulnerability on March 5th, 2022.

Eaton Advisory #2 - This advisory describes three vulnerabilities in the Eaton Intelligent Power Manager Infrastructure. This product is EOL.

Eaton Advisory #3 - This advisory describes a cross-site scripting vulnerability in the Eaton Intelligent Power Protector (IPP).

NOTE: I briefly reported on this vulnerability on March 5th, 2022.

Adminer Advisory - This advisory describes a files or directories accessible to external parties vulnerability (with two known exploits) in Adminer, a PHP SQL database management tool.

NOTE: Apparently CISA expects this to be a potential third-party vulnerability for multiple control system products. They have started a list of affected products with a link to Advantech’s R-SeeNet product.


For more details on these advisories, including links to third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/six-advisories-published-5-10-22 - subscription required.

Review - S 1324 Reported in Senate – Civilian Cybersecurity Reserve

Last month the Senate Homeland Security Committee published their report on S 1324, the Civilian Cybersecurity Reserve Act. Back in July of last year, the Committee held a business meeting where they adopted substitute language for the bill and approved subsequent amendments. The final version of the bill was adopted by voice vote. Significant changes were made to the scope and administration of the proposed Civilian Cybersecurity Reserve pilot program. The revised bill removes authorization for appropriating funds to support the program.

The original bill would have provided authority for both DOD and DHS to establish separate pilot Civilian Cybersecurity Reserve (CCSR) programs. The changes made to the bill remove that authority for a DOD pilot and moved the DHS program to CISA. Additionally, the bill now specifically spells out the purpose of the program; “to enable the Agency to effectively respond to significant incidents.”

The bipartisan support that this bill received in Committee would seem to predict similar support in the Full Senate if this bill were to make it to the floor for consideration. It is unlikely that the Senate would take up this bill under regular order as it has too many higher priority pieces of legislation to consider heading into the last seven months of the session. There remains a possibility that this bill could make it to the floor under the unanimous consent process, but it is more likely to make it to the President’s desk as part of a larger bill.

For more details about the changes made to the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-1324-reported-in-senate - subscription required.

TSA Publishes Rail Security 30-day ICR Extension Notice

Today the Transportation Security Administration published a 30-day information collection request extension notice in the Federal Register (87 FR 28029-28030) for “Rail Transportation Security” (OMB ID# 1652-0051). The 60-day ICR notice was published on December 23, 2021. There are no substantive changes from the previously approved version.

This ICR was first approved back in 2009 and covers the following information collections:

Chain of Custody Documentation,

Location and Shipping Information Reporting,

Railroad Security Coordinator Information, and

Significant Security Concerns Reporting.

NOTE: The links above are to the collection descriptions provided in the 60-day ICR notice. Those descriptions are not usually included in the 30-day ICR notice.

There is one minor oddity about this notice. It reports that the annual burden for the ICR is 112,600 hours, but the 60-day notice (and the currently approved ICR) reported a burden estimate of 112,764 hours. This could be a typo or a very minor correction in calculations. I’ll be able to tell better when the supporting document is posted to the OMB’s website, probably later this week.

The TSA is soliciting comments on this ICR. Comments should be submitted through the OMB’s website by June 9th, 2022.

Monday, May 9, 2022

Committee Hearings – Week of 5-8-22

This week, with both the House and Senate back in Washington, there is a heavy committee hearing schedule with a major focus on the FY 2023 budget. We also have one cybersecurity hearing and a hearing on the reauthorization of the Surface Transportation Board.

FY 2023 Budget Hearings

Tuesday – DOT – THUD Subcommittee, House Appropriations Committee,

Wednesday – DOD – DOD Subcommittee, House Appropriations Committee,

Wednesday – NSF – CSJ Subcommittee, House Appropriations Committee,

Wednesday – DOC – CSJ Subcommittee, Senate Appropriations Committee,

Thursday – DOC – CSJ Subcommittee, House Appropriations Committee,

Thursday – Coast Guard – Homeland Security Subcommittee, House Appropriations Committee,

Thursday – DOE Science & Energy – EWD Subcommittee, House Appropriations Committee,

Cybersecurity Hearing

On Wednesday two subcommittees of the House Science, Space, and Technology Committee will be holding a hearing on “Securing The Digital Commons: Open-Source Software Cybersecurity”. The witness list includes:

• Brian Behlendorf, Open Source Security Foundation, and

• Andrew Lohn, Georgetown University

I do not expect much specific focus on operational technology issues.

STB Reauthorization

On Thursday, the Subcommittee on Railroads, Pipelines, and Hazardous Materials of the House Transportation and Infrastructure Committee will hold a hearing on “Board Member Views on Surface Transportation Board Reauthorization”. The witness list will include:

• Martin Oberman, Chair, STB,

• Patrick Fuchs, Member STB,

• Robert Primus, Member STB,

• Michelle Schultz, Member STB, and

• Karen Hedlund, Member STB

I suspect that there will be a number of questions about the Board’s views on the current railroad service issues and potential future actions by the Board.

On the Floor

The House plans to consider the following bills of interest here this week under the suspension of the rules process:

HR 7077 – Empowering the U.S. Fire Administration Act, as amended,

S 2201 – Supply Chain Security Training Act of 2021.

Sunday, May 8, 2022

Reader Comment – Why Cover STB Issues

I had a good friend ask me the other day why I was covering Surface Transportation Board issues in my blog on chemical security. The flip answer is simple: it’s my blog and I cover what I want. A more helpful answer is that the current railroad service problems are a chemical security issue. In fact, it raises two separate security issues: toxic inhalation hazard chemical security and chemical facility sabotage.

TIH Transit Security

Testimony from the National Association of Chemical Distributors submitted to the docket for the recent rail service hearing included a description of the following incident with two chlorine railcars:

“Chlorine cars ECLX 8116 & PROX 28043 were sitting in Winnipeg for four days when Hawkins entered a service log with CP, pointing out the Federal Railroad Administration violation code regarding toxic by inhalation materials. Per this code, a carrier must forward each shipment of hazardous materials promptly and within 48 hours after acceptance at the originating point or receipt at any yard, transfer station, or interchange point. CP saw the service log, pushed the estimated arrival time (ETA) out another two days and closed it, stating the revised movement date. Hawkins demanded that CP reopen the log and not close it until the issue was resolved. CP did just that and the cars departed after dwelling for a total of six days. It took another three days for the cars to be placed once they arrived in the town of their final destination.”

Chlorine (or any other toxic inhalation hazard – TIH – chemical) railcars are potentially rolling chemical weapons. While railcars in transit are very hard to secure, they are difficult (from a planning and execution point of view) to attack while they are moving. When they are parked for any length of time, it becomes easier to plan and execute an effective attack. In-transit delays due to train crew staffing issues, mis-coordinated deliveries resulting in hand-off issues, and general inept management of rail planning all create opportunities for attacks on these railcars. TSA surface security inspectors should be increasing their surveillance of TIH rail shipments while these service problems continue.

Facility Security Issues

These service issues pose an even larger issue for less dangerous hazardous chemical shipments. Since there are no security regulations over these chemicals in transit, the railroads are almost certainly taking even fewer efforts to ensure the security of these railcars when they are not rolling. This would make it easier to sabotage these cars with improvised explosive devices. This, combined with the coordination issues being reported on deliveries of railcars to facilities, would make it less likely that such sabotaged railcars would be adequately inspected prior to being moved on site.

Since these service issues have potential chemical security issues associated with them, I will continue to cover this situation.
