Monday, January 31, 2022

Committee Hearings – Week of 1-30-22

This week, with both the House and Senate in Washington, there is a moderately heavy committee schedule in both houses of congress. Of interest here will be two mark-up hearings that include cybersecurity bills and a hearing on automated vehicles.

Cybersecurity Markups

On Wednesday, the Senate Homeland Security and Governmental Affairs Committee will hold a business meeting that will include consideration of 13 pieces of legislation. It will include S 2483, the Improving Cybersecurity of Small Organizations Act of 2021.

On Wednesday, the House Oversight and Reform Committee will hold a mark-up hearing that will look at five bills. It will include HR 6497, the Federal Information Security Modernization Act of 2022. I have not yet written my review of this bill, but it is an update of the FISMA statute and it does not appear to include any changes that would bring operational technology within the purview of that Act.

Automated Vehicles

On Wednesday, the Highways and Transit Subcommittee of the House Transportation and Infrastructure Committee will hold a hearing on: “The Road Ahead for Automated Vehicles”. The witness list for the hearing includes:

Martha Castex-Tatum, Vice Mayor, Houston, TX,

Scott Marler, Iowa DOT,

John Samuelsen, Transport Workers Union of America,

Catherine Chase, Advocates for Highway and Auto Safety,

Nat Beuse, Aurora,

Doug Bloch, Teamsters Joint Council 7,

Nico Larco, University of Oregon, and

Ariel Wolf, Autonomous Vehicle Industry Association

Since none of these witnesses seems to have any particular background in cybersecurity, I do not expect that this probably lengthy hearing will address the topic in any major way. I do suspect, though, that there will be some related questions asked.

On the Floor

There is nothing scheduled in the House this week that I will be particularly following. It is interesting, however, to note that of the eleven bills on the schedule to be considered under the House suspension of the rules process, ten are postal naming bills (bills that honor locals of significance by naming a postal station or other federal building after them). It will be interesting to see if Republican bomb throwers demand votes on any of these non-controversial bills.

Saturday, January 29, 2022

Review - Public ICS Disclosures – Week of 1-22-22

This week we have eight vendor disclosures from Bosch, CODESYS, Dell, GE Gas Power, Hitachi, HPE (2), and Phoenix Contact. We have seven vendor updates from Dell, ABB (2), Honeywell, QNAP, Siemens, and VMware. We also have 17 researcher reports for products from Reolink (14), Moxa (2), and WAGO.

NOTE: This week’s post includes a number of Log4Shell updates and one new advisory. As I mentioned last week, there will probably not be any more stand-alone Log4Shell posts.

Bosch Disclosure - Bosch published an advisory describing an HTML code injection vulnerability in their Android Application, Bosch Video Security.

CODESYS Advisory - CODESYS published an advisory describing a NULL pointer dereference vulnerability in their CODESYS PROFINET.

Dell Advisory - Dell published an advisory describing two vulnerabilities in their Wyse Windows Embedded System.

GE Gas Power Advisory - GE Gas Power published an advisory discussing the Log4Shell vulnerabilities.

Hitachi Advisory - Hitachi published an advisory discussing 83 vulnerabilities in their Disk Array Systems.

HPE Advisory #1 - HPE published an advisory describing a buffer overflow vulnerability in their FlexNetwork 5130 EL Switch Series.

HPE Advisory #2 - HPE published an advisory describing an unquoted search path vulnerability in their Agentless Management Service for Windows product.

Phoenix Contact Advisory - Phoenix Contact published an advisory describing an incorrect privilege assignment vulnerability in their FL SWITCH 2xxx series products.

Dell Update - Dell published an update for their general Log4Shell advisory.

ABB Update #1 - ABB published an update for their BadAlloc advisory that was originally published on August 19th, 2021.

ABB Update #2 - ABB published an update for their Log4Shell Advisory.

Honeywell Update - Honeywell published an update for their Log4Shell advisory.

QNAP Update - QNAP published an update for their QTS and QuTS hero advisory that was originally published on January 13th, 2021.

Siemens Update - Siemens published an update for their Log4Shell advisory.

VMware Update - VMware published an update for their VMware Workstation, Fusion and ESXi advisory that was originally published on January 4th, 2022.

Reolink Reports - Talos published 14 reports about 76 vulnerabilities in the Reolink RLC-410W camera.

Moxa Reports - Korelogic published two reports about vulnerabilities in the Moxa TN-5900 secure routers.

WAGO Report - SEC Consult published a report about four vulnerabilities in the WAGO 750-8xxx PLC.

For more details on these disclosures, including links to 3rd party advisories and individual researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-1-e17 - subscription required.

Thursday, January 27, 2022

HR 6499 Introduced – Rail Car Coverings

Earlier this week, Rep Meng (D,NY) introduced HR 6499, the Train Coverings for Community Safety Act. The bill would require DOT to “prescribe regulations requiring materials transported by rail to be completely covered while in transit, including while being held, delayed, or transferred.”

Neither Meng nor her sole cosponsor (Rep. Suozzi (D,NY)) is a member of the House Transportation and Infrastructure Committee to which this bill was assigned for consideration. This means that there is little chance that this bill will be considered by that Committee. If the bill were considered, I suspect that unless it was significantly revised, there would not be adequate support for it to pass.

This appears to be one of those not unusual bills that are introduced from time to time to respond to the concerns of a small number of influential constituents. I cannot find any news reports, but suspect that there is a rail line that runs through the adjacent districts of Meng and Suozzi on Long Island that routinely transports some product in open hopper cars that causes some concerns to nearby residents who have complained to their congresscritters. This bill would be ‘proof’ that their representative had ‘done something’.

This very short (one effective sentence) bill has a number of problems. First, it provides for directed rulemaking, which essentially cuts the public out of the process. Second, it vaguely requires “materials transported by rail to be completely covered”. While this would certainly cover open hopper cars (pun intended), it would also apply to anything transported on flat cars or auto transport cars. Most of the freight on those cars causes no problem that would be addressed by ‘covering’ the freight. It would appear that little thought and no railroad experience went into the crafting of this bill.

Review – 2 Updates Published – 1-27-22

Today, CISA’s NCCIC-ICS updated one control system security advisory for products from Mitsubishi and a medical device security advisory for products from Fresenius Kabi.

Mitsubishi Update - This update provides additional information on an advisory that was originally published on November 30th, 2021.

Fresenius Update - This update provides additional information on an advisory that was originally published on December 21st, 2021.

For more details about these updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-updates-published-1-27-22 - subscription required.

Wednesday, January 26, 2022

Review – S 2305 Reported in Senate – Cybersecurity Education Grants

Earlier this month, the Senate Homeland Security and Governmental Affairs Committee published their report on S 2305, the Cybersecurity Opportunity Act. The Committee met on August 4th, 2021 to consider the bill. Substitute language was offered and amended before the Committee adopted the new language. The bill would now require at least 50% of grant funds released under this program to go to “historically Black colleges and universities and minority-serving institutions” and adds a five-year sunset provision for the grant program. No spending authorization was added to the bill.

The bill is now cleared for consideration by the full Senate. This bill is unlikely to come to the floor under regular order; it is just not politically important enough to consume that type of time. There is a possibility that this bill could be considered under the Senate’s unanimous consent process, but a single Senator could block that consideration. A more likely possibility would be for the bill to be added to some larger, more important bill as part of the amendment process. If the bill were to be considered on its own under regular order, I would expect the bill to receive significant bipartisan support.

For more information about the changes made in the language of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2305-reported-in-senate - subscription required.

Bills Introduced – 1-25-22

Yesterday, with just the House meeting in pro forma session, there were 37 bills introduced. Two of those bills may receive additional attention in this blog:

HR 6497 To modernize Federal information security management and improve Federal cybersecurity to combat persisting and emerging threats, and for other purposes. Rep. Maloney, Carolyn B. [D-NY-12]

HR 6499 To enhance rail safety and provide for the safe and covered transport of materials in railroad cars, and for other purposes. Rep. Meng, Grace [D-NY-6]

I do not generally cover cybersecurity legislation that covers just federal agencies, but I will be watching HR 6497 for language and definitions that may include operational technology in the coverage of its provisions.

I will be watching HR 6499 for language and definitions that would cover shipping of chemicals in the coverage of its provisions.

Tuesday, January 25, 2022

Review - ChemLock Exercises – Vehicle-Borne IED

NOTE: This is part of a series of blog posts looking at various CISA Tabletop Exercises Packages (CTEP) offered to chemical facility managers by the new CISA ChemLock program, a voluntary chemical security program run by the Office of Chemical Security (the CFATS folks). CTEP administrative documents can be found here. The scenario manuals can be found here. Earlier posts in the series include:

Overview,

Chemical Sector IED (short version), and

Chemical Sector Active Shooter (short version)

The Situation Manual for this vehicle-borne improvised explosive device (VBIED) exercise bills it as a review of “emergency preparedness plans and response procedures for an attack at a chemical sector facility.” It follows the same format as the two earlier exercises that I discussed in some detail in the IED exercise post. Using the same format will make it easier for facilities to run subsequent exercises, as they will already be familiar with the exercise processes.

The scenario for this module starts with a missing vehicle on the day before the exercise. On the day of the exercise a truck approaching the loading dock at the facility crashes into the dock and explodes. The provided discussion questions address:

• Plans that are in place to prevent or deter an attack at your facility,

• How security and personnel are trained,

• Standard operating procedures (SOPs) for incident response roles and responsibilities for staff,

• Assets onsite to immediately respond to an incident,

• Evacuation procedures for an incident of this type,

• Notification methods the facility uses to send alert information,

• Incident command processes,

• Mutual aid agreements in place with other organizations,

• Notification of state or federal agencies of the incident,

• How law enforcement would conduct the response and address the threat, and

• Medical response.

Commentary

While this is billed as a ‘Chemical Sector’ exercise, there is nothing in the scenario or discussion questions that would apply specifically to a chemical facility. The scenario could be applied to any manufacturing facility or warehouse in the country. There are no mentions of chemicals or chemical consequences in any of the discussion questions. This does not reduce the usefulness of the exercise, as the response discussion questions do identify areas of concern at chemical facilities; they just do not address the unique problems associated with a VBIED attack on a chemical facility.

For more details about the exercise, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/chemlock-exercises-ca9 - subscription required.

Review - 1 Advisory Published – 1-25-22

Today, CISA’s NCCIC-ICS published a control system security advisory for products from GE Gas Power.

GE Advisory - This advisory describes two vulnerabilities in the GE Gas Power ToolBoxST software platform.

GE Gas Power also published a Log4Shell advisory on the day they published the base advisory for these vulnerabilities. I will have further details in my Public ICS Disclosure post this weekend.

For more details about the advisory, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-published-1-25-22 - subscription required.

EPA Sends Spill Response Planning NPRM to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received from the EPA a draft notice of proposed rulemaking (NPRM) for “Clean Water Act Hazardous Substance Worst Case Discharge Planning Regulations”. The rule would fulfill the requirements of 33 USC 1321(j)(5)(A) to require facilities and vessels to submit for approval “a plan for responding, to the maximum extent practicable, to a worst case discharge, and to a substantial threat of such a discharge, of oil or a hazardous substance.”

A March 12th, 2020, consent decree requires this NPRM to be published by March 12th, 2022 and a final rule to be published by September 30th, 2024.

Monday, January 24, 2022

Review - CISA’s Exploited Vulnerabilities Catalog – 1-21-22

Last Friday, CISA sent out an email to registered individuals announcing that they had added four new vulnerabilities to their Known Exploited Vulnerabilities Catalog. This catalog supports the requirements of Binding Operational Directive 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, for Federal agencies to take remediation actions to protect federal computer systems against cyber-attacks.

The four new entries are:

CVE-2012-0391 – Apache Struts 2,

CVE-2021-35247 – SolarWinds Serv-U,

CVE-2006-1547 – Apache Struts 1, and

CVE-2018-8453 – Microsoft Win32k

Commentary

The idea of prioritizing vulnerabilities for mitigation based not upon the potential threat but upon the occurrence of real-world exploitation makes a certain amount of sense. According to a study published by the Software Engineering Institute at Carnegie Mellon University (referenced by CISA on their BOD 21-01 page), it would seem that just about 4% of published vulnerabilities have exploits published within 365 days of the vulnerability being made public. That study did not look at exploits being used in real-world attacks, just exploits being published. Thus, it would probably be safe to assume that an even smaller percentage of vulnerabilities were actually exploited in the wild.

The one problem with this methodology is that it does not make mitigating the identified vulnerabilities a priority until exploitation has been seen, and exploitation typically occurs well before it is detected. Thus, it would almost seem inevitable that there would be some number of federal facilities that were affected before the listing occurred. CISA hopes to reduce this problem by scanning federal internet-facing IP addresses for known vulnerabilities and then notifying affected agencies of required remediation of those vulnerabilities under BOD 19-02.

What would be helpful, though, would be for CISA to include, with each listing in the Catalog, indicators of compromise for exploitation of the listed vulnerability. This would allow agencies (and the public that uses this tool) to check to see if they are already compromised by the identified exploits.

For more details about the Catalog, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cisas-exploited-vulnerabilities-catalog - subscription required.

Reader Comments – Alternatives to FERC INSM NOPR

There was an interesting discussion this weekend over on LinkedIn about my post on FERC’s INSM notice of proposed rulemaking. There is lots of good information in that discussion. One point is worth mentioning here: Richard Brooks provided a link to an article in which he is quoted as saying:

“The NOPR will “not provide cybersecurity improvements because many entities already implement these cybersecurity best practices, such as anti-malware, but the FERC Order will increase the workload on entities subject to NERC compliance, because they will also have to meet all of the NERC compliance requirements, usually in the form of paperwork, in addition to managing cybersecurity,” Brooks added.”

This is a standard argument against almost any regulatory mandate, and it has a certain level of validity, particularly for the ‘many entities [that] already implement these cybersecurity best practices’. For those organizations, the order resulting from this rulemaking effort will certainly result in some level of increase in compliance paperwork and that increased workload will not result in any better cybersecurity for those organizations. And depending on how the rule is worded and implemented, it may impede future innovation in this security niche. But the latter is supposed to be addressed by the cooperative rulemaking process under NERC.

Unfortunately, ‘many entities’ is not ‘all entities’ and in an interconnected system like the bulk electrical system, the country cannot afford to have too many weak links in that system. Being able to get the BES to a level where most of the high and medium impact systems are effectively using internal network security monitoring systems is only going to be achieved by going this regulatory route.

Sunday, January 23, 2022

Review - S 3511 Introduced – Satellite Cybersecurity

Earlier this month, Sen Peters (D,MI) introduced S 3511, the Satellite Cybersecurity Act. The bill would require CISA to establish a commercial satellite system cybersecurity clearinghouse and to develop voluntary cybersecurity recommendations designed to assist in the development, maintenance, and operation of commercial satellite systems. No funding is authorized by this bill.

Peters is the Chair of the Senate Homeland Security and Governmental Affairs Committee, the committee to which this bill was assigned for consideration. This should ensure that there is adequate influence to see this bill considered in Committee. Since the bill only requires the development of ‘voluntary’ security measures, I do not see any significant organized objections interfering with the consideration of this bill. I suspect that the bill will pass out of Committee with at least some level of bipartisan support.

Commentary

We continue to see problems with the definitions used by congressional staff in the crafting of cybersecurity legislation that affects operational technology or control systems that directly affect physical systems. In this case, the two cybersecurity terms defined in §2 are IT-restrictive definitions. The term ‘cybersecurity risk’ from 6 USC 659 is based upon the IT-restricted definition of ‘information system’. Even the term ‘cybersecurity threat’, while based upon the control-system-inclusive definition of ‘information system’ from 6 USC 1501, refers to actions that “adversely impact the security, availability, confidentiality, or integrity of an information system”.

These definitions would suffice if the legislation were only concerned with the information transiting commercial satellites, but the required cybersecurity recommendations from CISA are specifically required to address protecting ‘vital commercial satellite system functions’ and the ‘satellite system’s command, control, and telemetry receiver systems’. Again, the definitions just do not match the requirements.

For more information on what changes to cybersecurity definitions need to be made to adequately reflect control system and operational technology cybersecurity needs, please see my post from February 2019.

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-3511-introduced - subscription required.

Review - Public ICS Disclosures - Log4Shell Advisories – Week of 1-15-22

This is effectively Part 3 of my weekly public ICS disclosure post. It is a follow-up to last week’s post. There are now 108 vendor notifications listed. As I did last week, I am making the article on my CFSN Detailed Analysis site - https://patrickcoyle.substack.com/p/public-ics-disclosure-log4shell-week-49e - a free-access article so as to avoid a lengthy duplication here.

It looks like this will be the last week of a stand-alone report on Log4Shell advisories; the volume has dropped off sufficiently to allow new advisories and updates to be included in the standard Public ICS Disclosure posts.

Saturday, January 22, 2022

CRS Report – Cybersecurity Deterrence

This week the Congressional Research Service (CRS) published a report on “Cybersecurity: Deterrence Policy”. It looks at the potential benefits of establishing a coherent deterrence policy to reduce the threat of cyberattacks. In the ‘Options for Congress’ section of the report it discusses the following topics:

• Creating a bureau in the U.S. Department of State (nearing implementation),

• Strengthening norms of responsible state behavior in cyberspace (on track),

• Engaging in international standards setting fora (on track),

• Improving capability building and foreign assistance financing (on track),

• Developing confidence building measures (delayed),

• Leveraging sanctions and trade enforcement actions (on track), and

• Improving attribution (delayed).

Review - Public ICS Disclosures – Week of 1-15-22 – Part 1

This week we have a two-part posting with the 2nd part being a continued look at the response to the Log4Shell vulnerabilities. For Part 1, we have five vendor disclosures from Advantech, Bosch, B&R Industrial Automation, Hitachi Energy, and VMware. We also have an update from HPE. Finally, there are five researcher reports of vulnerabilities in products from OpenBMCS.

Advantech Advisory - Incibe-Cert published an advisory describing incorrect default permissions vulnerabilities in four separate Advantech products.

Bosch Advisory - Bosch published an advisory describing two vulnerabilities in their AMC2 (Access Modular Controller).

B&R Advisory - B&R published an advisory describing an ‘RCE through project upload from target’ vulnerability in their Automation Studio product.

Hitachi Energy Advisory - Hitachi Energy published an advisory describing nine vulnerabilities in their MicroSCADA Pro/X SYS600 Products.

VMware Advisory - VMware published an advisory describing a denial-of-service vulnerability in their VMware Workstation and Horizon Client products.

HPE Update - HPE published an update to their HPE ProLiant and ProLiant Server Blades advisory that was originally published on November 10th, 2021.

OpenBMCS Reports - Zero Science published five reports about vulnerabilities in building management system products from OpenBMCS.

For more details on these disclosures, including links to 3rd party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-1-8d9 - subscription required.

Friday, January 21, 2022

Review - NERC-CIP and Internal Network Monitoring

Yesterday the Federal Energy Regulatory Commission (FERC) published a notice of proposed rulemaking (NOPR in the FERC jargon) on their website for “Internal Network Security Monitoring for High and Medium Impact Bulk Electric System Cyber Systems”. In this NOPR, FERC proposes to direct the North American Energy Reliability Corporation (NERC) to “develop and submit for Commission approval new or modified Reliability Standards that require internal network security monitoring within a trusted Critical Infrastructure Protection networked environment for high and medium impact Bulk Electric System Cyber Systems.”

NOTE: Thanks to Patrick C Miller, Ampere Industrial Security [company name and link added, 8-11-22 13:24 EDT] for pointing out this NOPR on TWITTER®.

Seeking Public Comments

FERC is soliciting public comments on this NOPR. Comments may be submitted via the eFile option on www.FERC.gov for registered individuals (Docket # RM22-3-000). Others may send comments via snail mail to:

Federal Energy Regulatory Commission

Office of the Secretary

888 First Street NE

Washington, DC 20426

The deadline for submission of comments will be 60 days after the NOPR is published in the Federal Register, probably sometime next week.

Commentary

This proposed expansion of cybersecurity regulations should surprise no one. It does not appear to me to be the least bit unreasonable. I would hope that most organizations under the NERC CIP would have at least some level of view within their networks that would form part of the proposed INSM, so that this proposed requirement should not be too much of a new regulatory burden.

This rulemaking is targeted at the physical operations networks supporting the BES, but other organizations utilizing similar networks to conduct operations in the physical realm should take a hard look at the proposals in the NOPR, as similar technology is necessary to protect operational technology in other industries as well.

For more details about the NOPR, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/nerc-cip-and-internal-network-monitoring - subscription required.

Thursday, January 20, 2022

Reader Comment – Use of Force Policies

A long-time reader and expert on all things related to the Maritime Transportation Security Act (MTSA), Laurie Thomas, left a comment today on my Part 2 post on ‘Armed Security at Chemical Facilities’ about the need for use of force policies and training by any facility that plans to use armed security forces. Laurie is absolutely correct and her full comment is well worth reading. To that comment I would like to add that, while I am not a lawyer, I feel comfortable providing this small bit of legal advice: “If you are going to employ armed security personnel at your chemical facility, get a lawyer to help you draw up your use of force policy.”

If you are going to allow armed personnel to act on your behalf at your facility, someone is going to try to hold you responsible for any death, injury or damage that results from a discharge of a firearm by such personnel. It will make little difference whether you directly employed the person or they were employed by a security company under contract to your company.

And, as Laurie says, training must accompany any use of force policy. A pristine document, no matter how well written, will not last long as a defense in a lawsuit if there is not adequate and well documented training conducted about the rules outlined in that policy.

For chemical facilities there is one unique idea that I would like to see added to the standard content of a use of force policy document: a clear description of any areas of the plant where safety issues would be a further constraint on the use of force. This would include areas where toxic inhalation hazard chemicals are stored, or where flammable liquids or gases are routinely handled and thus a flammable atmosphere might be expected to exist.

Review - 1 Advisory and 3 Updates Published – 1-20-22

Today, CISA’s NCCIC-ICS published one control system security advisory for products from Mitsubishi. They also published updates for two control system advisories for products from Mitsubishi and a medical device advisory for products from Philips.

Mitsubishi Advisory - This advisory describes four vulnerabilities in the ICONICS Product Suite and the Mitsubishi Electric MC Works64.

Mitsubishi Update #1 - This update contains additional information on an advisory that was originally published on December 8th, 2020 and was most recently updated on May 11th, 2021.

Mitsubishi Update #2 - This update contains additional information on an advisory that was originally published on May 11th, 2021.

Philips Update - This update contains additional information on an advisory that was originally published on July 6th, 2021.

For more details on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-and-3-updates-published - subscription required.

Armed Security at Chemical Facilities – Part 2

Back in 2008 I looked at the issue of security guards at chemical facilities that would be covered under the then new Chemical Facility Anti-Terrorism Standards (CFATS) program. Then in 2009, once the CFATS Risk-Based Performance Standards guidance document was published, I specifically looked at the issue of armed guards at CFATS facilities. In that latter piece, after noting that there is no CFATS requirement for armed guards, I opined that:

“The bottom line is that if a toxic release COI is present in large enough volumes to present a threat to a relatively large off-site population, an armed response is going to be necessary to prevent a terrorist attack aimed at that COI. If the response force is on-site, it must be armed. If the response force is off-site, it may be necessary to have an on-site security force that is armed to delay the potential attack long enough for the response force to arrive and defeat the attackers.”

My analysis that led to that conclusion, I think, remains true today. But does that mean that facilities without a large ‘toxic release COI’ inventory have no need for an armed security force? That is not quite so clear, in my opinion. There is an increased, site-specific risk associated with the discharge of a firearm at a facility where chemicals are manufactured, used, or stored, so clearly firearm discharges are something to be avoided. But does avoidance of those discharges prevent the employment of armed guards?

If management decides that there is no conceivable situation where an armed response would be justified at the facility, then the choice is clear: there is absolutely no need for armed guards. Once, however, the decision is made that there are situations where an armed response would be justified, then an armed security force is an option that must be considered. But one thing must be clearly understood: if the facility does not employ an armed security force, and the use of force becomes necessary, the facility has no option but to use local law enforcement as the tool to employ the use of force. At that point, facility management totally loses control over the use of firearms at the facility. They will have no control over:

• The types of weapons and ammunition that may be employed,

• Restrictions on in which areas of the facility weapons may be employed, or

• The training of the armed personnel on the hazards associated with the employment of firearms at the facility.

If facility management is willing to lose that level of control, then there is no need to consider the use of an armed security force. And an armed security force is more expensive, both in the direct cost to employ them and in the additional training costs necessary to maintain an adequate level of control to reduce the risks associated with weapons discharges. If, however, maintaining some level of control, at least in the early stages of an incident, is of importance, then management is going to have to consider the option of employing an armed security force.

Tuesday, January 18, 2022

Armed Security at Chemical Facilities – Part 1

Earlier this week, while writing my post about the ChemLock active shooter exercises, my first thought when I read the scenario for the exercise was that it was extremely unrealistic, because such a quick end to the shooter could only have been brought about by an armed security guard; police would not react that quickly. It was unrealistic because chemical facilities do not use armed guards. If you have not worked at chemical facilities in this country, you may not realize just how nearly universal that statement is. The big reason is SAFETY.

To give you an example of how deep this runs, let me tell you a story about the time an FBI agent visited a specialty chemical facility at which I worked to provide the initial notification that we would be inspected by a Chemical Weapons Convention inspection team. The Agent was brought into the Plant Manager’s Office and introduced himself. The Plant Manager asked if the Agent was armed. When informed that he was, the Manager asked if the Agent would mind locking his weapon in his vehicle. There was no question from the Agent; he just excused himself, returned to his car and then came back into the office. No more was said. He obviously had gone through this before.

The facility was in the South and the Plant Manager was not some liberal anti-gun fanatic. He was an outdoorsman and, while not much of a hunter, he owned at least a couple of guns. During deer season about half of the employee vehicles were parked outside the fence line because their owners hunted before or after (frequently both) work. Guns were not allowed inside the facility and the hunters did not complain. That was life in a chemical facility.

Why this concern about firearms? It is not worry about active shooters, per se. It is the fact that firearms are inherently more dangerous in chemical facilities. This is for two reasons, the most obvious being that bullets flying unguided through the facility are likely to puncture things that are better off not punctured: piping, chemical storage containers, and storage tanks. Those punctures are likely to result in chemicals being released into the atmosphere in places they are not supposed to be and in a manner that is not easy to stop. How bad would the leaks be from a bullet? See this video (https://youtu.be/skOdPBtm-zs).

The second reason is less easy for many folks to understand, and it is related to the fact that firearms are short-range flame throwers; just watch any shooting in the dark. Open flames are allowed in chemical facilities only in tightly controlled situations, and gun fights are not tightly controlled.

Any chemical facility that uses, produces or stores flammable liquids and gases takes a great deal of interest in preventing even the smallest of open flames or sparks. They even go to the extent of placing electronics and switches in sealed boxes filled with nitrogen gas so that small electric sparks from those devices do not ignite flammable atmospheres.

A flammable atmosphere can form any time a flammable liquid or gas is exposed to the open air. This can happen when a container is opened, or a nearly empty hose is disconnected, or an unusual leak occurs. The vapors in the air can be ignited by a spark or flame, creating a fireball of varying sizes and consequences. Large enough, those fireballs can create an overpressure that damages other containers or connections releasing more flammable vapors.

So, you can see why chemical professionals do not like the idea of firearms on premises at chemical facilities.

Monday, January 17, 2022

Review - ChemLock Exercises – Chemical Sector Active Shooter

NOTE: This is part of a series of blog posts looking at various CISA Tabletop Exercises Packages (CTEP) offered to chemical facility managers by the new CISA ChemLock program, a voluntary chemical security program run by the Office of Chemical Security (the CFATS folks). It is a follow-up to my earlier Overview post. CTEP administrative documents can be found here. The scenario manuals can be found here. Earlier posts in the series include:

Chemical Sector IED (short version)

The Situation Manual for this exercise bills it as a review of “emergency preparedness plans and response procedures to an active shooter incident at a chemical sector facility.” It follows the same format as the IED exercise I previously discussed. Using the same format will make it easier for facilities to run subsequent exercises as they will already be familiar with the exercise processes.

The first Module is slightly more complex than that seen in the IED exercise. It provides two separate starting points for the exercise, a stolen vehicle and a disgruntled employee. Both starting points lead to an unidentified shooter arriving at the loading dock who is quickly killed by responding officers before the shooter can progress into the facility.

The exercise proceeds with the same question discussion format used in the IED exercise. The second and third modules are nearly identical to the IED exercise in that they look at the short-term and long-term response to the incident. The same discussion questions are used in the second and third modules as were used in the IED exercise.

Commentary

Active shooter situations are becoming much more common in the United States. With that in mind, facilities certainly need to consider running exercises such as this. This scenario, as presented, could be run at any manufacturing facility. Unfortunately, it is billed as a “Chemical Sector Active Shooter” exercise, but it does not take into account any of the unique problems that chemical facilities could face in an active shooter situation. This exercise assumes that the shooter, their bullets and the bullets of the responders that take him down never enter an area of the facility that contains chemicals. While such a limited event could occur, that is not what a “Chemical Sector Active Shooter” exercise should address.

For more details about the exercise, including my suggested additional discussion questions, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/chemlock-exercises-804 - subscription required.

Committee Hearings – Week of 1-16-22

With both the House and Senate in Washington this week, there is an unusually light committee schedule. There is one cybersecurity hearing of interest.

Cybersecurity

On Wednesday the Energy Subcommittee of the House Energy and Commerce Committee will hold a hearing on “Securing our Energy Infrastructure: Legislation to Enhance Pipeline Reliability”. The hearing will focus on HR 6084, the Energy Product Reliability Act. According to the Hearing Memo prepared by the Committee Staff, the witnesses will include:

• Richard Glick, FERC, and

• David M. Turk, DOE


Sunday, January 16, 2022

Review - Public ICS Disclosures - Log4Shell Advisories – Week of 1-8-22

This is effectively Part 3 of my weekly public ICS disclosure post. It is a follow-up to last week’s post. There are now 107 vendor notifications listed. As I did last week, I am making the article on my CFSN Detailed Analysis site - https://patrickcoyle.substack.com/p/public-ics-disclosure-log4shell-week-0c5 - a free-access article so as to avoid a lengthy duplication here.

Review - Public ICS Disclosure – Week of 1-8-22 – Part 2

For Part 2 we have seven vendor disclosures from Schneider Electric. There are also seven updates, from Schneider (1) and Siemens (6).

Schneider Advisory #1 - Schneider published an advisory describing two vulnerabilities in their Modicon M340 controller and Communication Modules.

Schneider Advisory #2 - Schneider published an advisory describing a buffer copy without checking size of input vulnerability in their Easergy T300 RTU.

Schneider Advisory #3 - Schneider published an advisory describing two vulnerabilities in their Easergy P5 product line.

Schneider Advisory #4 - Schneider published an advisory describing a buffer copy without checking size of input vulnerability in their Easergy P3 products.

Schneider Advisory #5 - Schneider published an advisory describing six vulnerabilities in their ConneXium Tofino Firewall products.

Schneider Advisory #6 - Schneider published an advisory discussing 10 vulnerabilities in various Schneider products based upon CODESYS products.

Schneider Advisory #7 - Schneider published an advisory describing four vulnerabilities in their EcoStruxure™ Power Monitoring Expert product.

Schneider Update - Schneider published an update for their BadAlloc advisory that was originally published on November 9th, 2021 and most recently updated on December 15th, 2021.

Siemens Update #1 - Siemens published an update for their NAME:WRECK advisory that was originally published on April 13th, 2021 and most recently updated on November 9th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-21-103-04) to reflect this change.

Siemens Update #2 - Siemens published an update for their WIBU CodeMeter advisory that was originally published on November 9th, 2021 and most recently updated on December 14th, 2021.

Siemens Update #3 - Siemens published an update for their NAME:WRECK advisory that was originally published on April 13th, 2021 and most recently updated on November 9th, 2021.

Siemens Update #4 - Siemens published an update for their NAME:WRECK advisory that was originally published on April 13th, 2021 and most recently updated on November 9th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-21-287-09) to reflect this change.

Siemens Update #5 - Siemens published an update for their OpenSSL advisory that was originally reported on July 13th, 2021 and most recently updated on December 14th, 2021.

Siemens Update #6 - Siemens published an update for their INFRA:HALT advisory that was originally published on August 4th, 2021 and most recently updated on September 14th, 2021.

For more details on these advisories and updates, including links to 3rd party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosure-week-of-1-8-503 - subscription required.

Saturday, January 15, 2022

GAO Reports – Cybersecurity Response

This week, the GAO published a report on the federal government response to the nearly concurrent SolarWinds attack and organized exploitation of the Microsoft Exchange vulnerabilities. This report looks at those response activities and outlines three National Security Council recommendations for improving responses to future cyberattacks. An appendix provides separate timelines for the response to both incidents.

The accompanying highlight document identifies four lessons learned by responding agencies:

• Coordinating with the private sector led to greater efficiencies in agency incident response efforts,

• Providing a centralized forum for interagency and private sector discussions led to improved coordination among agencies and with the private sector,

• Sharing of information among agencies was often slow, difficult, and time consuming, and

• Collecting evidence was limited due to varying levels of data preservation at agencies.

The GAO reports that the NSC identified three areas where the government could take action to prevent, and improve the response to, future incidents (pg 36):

• Align technology investments with operational priorities. The review identified that the federal government should invest resources to increase its capabilities to identify, detect, protect, and respond to significant cybersecurity incidents.

• Improve public-private engagement. The federal government should improve its coordination and information sharing with the private sector.

• Improve threat intelligence acquisition, sharing, and use among federal agencies. The federal government should improve information sharing with its partners.


Review - Public ICS Disclosure – Week of 1-8-22 – Part 1

This week, as we have come to expect for the Saturday after 2nd Tuesday, we have a full slate of ICS disclosures, including more Log4Shell disclosures, that will take multiple posts to deal with. In Part 1 we have fourteen vendor disclosures from Belden, BlackBerry, Dynalite, Hitachi Energy, HPE, Moxa, Palo Alto Networks (4), QNAP (3), and Yokogawa. There is also an update from HPE. There were also two researcher reports for products from IDEMIA and ODA. Finally, we have an exploit for products from SonicWall.

Part 2 of this post will address the Schneider advisories and updates that were published on Tuesday as well as the Siemens updates that were not addressed by NCCIC-ICS this week.

Belden Advisory - Belden published an advisory describing six vulnerabilities in their Tofino and Eagle products.

BlackBerry Advisory - BlackBerry published an advisory describing an elevation of privilege vulnerability in their QNX Neutrino Kernel.

Dynalite Advisory - Dynalite published an advisory discussing two vulnerabilities in their DDNG-BACnet gateway and in Niagara SOFTJACE products.

Hitachi Energy Advisory - Hitachi Energy published an advisory discussing four vulnerabilities in their e-mesh™ Energy Management System (EMS) Product.

HPE Advisory - HPE published an advisory describing a remote access vulnerability in their Ezmeral Data Fabric.

Moxa Advisory - Moxa published an advisory describing four vulnerabilities in their VPort 06EC-2V Series and VPort 461A Series IP Cameras and Video Servers.

Palo Alto Advisory #1 - Palo Alto published an advisory describing an uncontrolled search path element vulnerability in their Cortex XDR Agent.

Palo Alto Advisory #2 - Palo Alto published an advisory describing an untrusted search path element vulnerability in their Cortex XDR Agent.

Palo Alto Advisory #3 - Palo Alto published an advisory describing a link following vulnerability in their Cortex XDR Agent.

Palo Alto Advisory #4 - Palo Alto published an advisory describing a file and directory information exposure vulnerability in their Cortex XDR Agent.

Phoenix Contact Advisory - Phoenix Contact published an advisory discussing the NUCLEUS:13 vulnerabilities in their BLUEMARK X1 / LED / CLED printers.

QNAP Advisory #1 - QNAP published an advisory describing a remote code execution vulnerability in their QTS and QuTS hero products.

QNAP Advisory #2 - QNAP published an advisory describing five separate classic buffer overflow vulnerabilities in their QVR Elite, QVR Pro, and QVR Guard products.

QNAP Advisory #3 - QNAP published an advisory describing two vulnerabilities in their QcalAgent.

Yokogawa Advisory - Yokogawa published an advisory discussing a link following vulnerability in the license function in Yokogawa products.

HPE Update - HPE published an update for their Integrated Lights-out 4 advisory that was originally published on August 23rd, 2017.

IDEMIA Report - Positive Technologies published a report describing a TLS bypass vulnerability in biometric identification products from IDEMIA.

ODA Report - ZDI published a report describing a JPG File Parsing Memory Corruption in the Open Design Alliance (ODA) Drawings Explorer.

SonicWall Exploit - jbaines-r7 published a Metasploit module for a command injection vulnerability in the SonicWall SMA 100 Series.

For more details on the above disclosures, including links to 3rd party advisories and vulnerability exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosure-week-of-1-8 - subscription required.

Friday, January 14, 2022

Bills Introduced – 11-13-22

Yesterday, with both the House and Senate in session, there were 41 bills introduced. One of those bills will receive additional attention in this blog:

S 3511 A bill to require a report on Federal support to the cybersecurity of commercial satellite systems, and for other purposes. Sen. Peters, Gary C. [D-MI]

Thursday, January 13, 2022

OCS Updates CFATS FAQ – 1-13-22

Today, CISA’s Office of Chemical Security (OCS) updated the response to one of the Frequently Asked Questions (FAQ) on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. The revision updates the civil penalty that may be assessed under the CFATS program.

The FAQ is # 1554 - Does the Cybersecurity and Infrastructure Security Agency (CISA) have enforcement authority to fine noncompliant facilities, to include shutting down a facility?

NOTE: The link provided for the FAQ in this post was copied from the CFATS Knowledge Center but may not work when followed from your machine. This is an artifact of that web site. If the links do not take you to the referenced FAQ, you will have to use the ‘Advanced Search’ function on the page to link to the FAQ or download the ‘All FAQs’ document at the bottom of the ‘Advanced Search’ page.

The new version of the FAQ response lists the maximum fine that the Department may assess as $38,139 for each day the violation continues. This is an increase from the $35,486 quoted in the previous version of the FAQ response. This was increased by a DHS final rule published on January 11th, 2022. The CISA portion of that rule set the new maximum level for the CFATS program.

Review - 7 Advisories and 3 Updates Published 1-13-22

Today, CISA’s NCCIC-ICS published seven control system security advisories for products from Siemens (4), Siemens Energy, and Mitsubishi (2). They also published three updates for products from Mitsubishi, Siemens, and Trane.

SICAM Advisory #1 - This advisory describes an unquoted search path or element vulnerability in the Siemens SICAM PQ Analyzer.

SICAM Advisory #2 - This advisory describes two vulnerabilities in the Siemens SICAM A8000.

COMOS Advisory - This advisory describes four vulnerabilities in the Siemens COMOS Web unified data platform.

SIPROTEC Advisory - This advisory describes an improper input validation vulnerability in the SIPROTEC 5 products.

Siemens Energy Advisory - This advisory discusses six of the NUCLEUS:13 vulnerabilities in the Siemens Energy PLUSCONTROL gen 1 products.

MELSEC-F Advisory #1 - This advisory describes an improper initialization vulnerability in the Mitsubishi MELSEC-F Series with FX3U-ENET Ethernet-Internet block.

MELSEC-F Advisory #2 - This advisory describes a lack of administrative control over security vulnerability in the Mitsubishi MELSEC-F Series with FX3U-ENET Ethernet-Internet block.

Mitsubishi Update - This update provides additional information on an advisory that was originally published on October 29th, 2020 and most recently updated on May 18th, 2021.

Siemens Update - This update provides additional information on an advisory that was originally published on April 14th, 2021.

NOTE: Siemens published an update for their version of this advisory on November 9th, 2021.

Trane Update - This update provides additional information on an advisory that was originally published on September 23rd, 2021.

Other Siemens Updates - Siemens published six other updates yesterday that have not been covered by NCCIC-ICS. I will be covering them this weekend.

For more details on these advisories see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/7-advisories-and-3-updates-published - subscription required.

Review - NIST Announces Formation of IoTAB

Today, the National Institute of Standards and Technology published a notice in the Federal Register (87 FR 2138-2139) announcing the “Establishment and call for nominations to serve on the Internet of Things Advisory Board.” The Advisory Board is established under the requirements of §9204(b)(5) of the FY 2021 National Defense Authorization Act (PL 116-283).

The Board’s members would include representatives from:

• Information and communications technology manufacturers, suppliers, service providers, and vendors,

• Subject matter experts representing industrial sectors other than the technology sector that can benefit from the Internet of Things, including the transportation, energy, agriculture, and health care sectors,

• Small, medium, and large businesses,

• Think tanks and academia,

• Nonprofit organizations and consumer groups,

• Security experts, and

• Rural stakeholders.

The IoTAB will consist of 16 members appointed by the Secretary, with the Chair being selected from that number by the Secretary. According to the Notice, Board Members will serve a two-year term unless the Board terminates earlier. Board Members will not be paid, though travel and per diem may be provided.

The Board will meet at least twice a year in a virtual format. Those meetings will be open to the public.

NIST is soliciting nominations for the initial 16 positions on the Board and will be accepting 2nd party nominations and self-nominations. Nominations, including resume, may be sent to Alicia Chambers, the Committee Liaison Officer by email (alicia.chambers@nist.gov). Nominations should be submitted by February 25th, 2022.

For more details about the IoTAB and the background for the group’s formation, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/nist-announces-formation-of-iotab - subscription required.

Wednesday, January 12, 2022

S 2520 Passed in Senate – SLT Cybersecurity

Yesterday the Senate took up S 2520, the State and Local Government Cybersecurity Act of 2021 under the Senate’s unanimous consent process. The reported version of the bill was withdrawn and the Senate took up an amendment (SA 4898) in the form of a substitute. In this case the language considered was very close to the reported version of the bill. The bill was passed with no debate and no vote.

The only revision of significance (and not much of that here) is found in the proposed amendment to 6 USC 659. In §659(p)(1)(E)(vii) the new language adds at the end of the clause: “including, as appropriate, information produced by other Federal agencies;” in describing the additional information to be shared with State, local and Tribal governments.

As with S 2201 that I described earlier in the day, this bill is now in the hands of the House. If the bill is taken up (no guarantees of that), it is likely to be considered under the House suspension of the rules process. It would likely pass with strong bipartisan support.

S 2201 Passed in Senate – Supply Chain Security Training

Yesterday the Senate took up S 2201, the Supply Chain Security Training Act of 2021. The reported version of the bill was withdrawn and the Senate considered an amendment (SA 4899) in the form of a substitute. The amendment and the bill were adopted by unanimous consent without debate.

The substitute language in SA 4899 was nearly identical to the substitute language that was reported by the Senate Homeland Security and Governmental Affairs Committee. The only difference in the new language was the addition of the phrase “and the Director of the National Institute of Standards and Technology” at the end of §2(c)(2).

The bill now goes to the House for consideration. If/when the bill makes it to the floor for consideration it will likely be taken up under the suspension of the rules process. This would mean limited debate and the bill would require a supermajority to pass. Based upon the action in the Senate, I would suspect to see the bill receive substantial bipartisan support.

It is interesting to see that there is no definition of ‘supply chain security’ included in this bill. With both CISA and NIST referred to as coordination targets, I would suspect that the crafters were at least partially considering protecting hardware and software against unauthorized manipulation in transit between the manufacturer and the Federal user. It could also mean ensuring that there were backup suppliers vetted and approved in the event the primary provider is unable to keep supplies moving due to conditions (like Covid for example) beyond their immediate control.

BIS Delays Effective Date of Information Security Controls IFR

The DOC’s Bureau of Industry and Security (BIS) published a notice in today’s Federal Register (87 FR 1670-1671) establishing a delay of the effective date of their interim final rule (IFR), “Information Security Controls: Cybersecurity Items”, that was published in October 2021. The new effective date will be March 7th, 2022.

Today’s notice reports that public comments on the IFR indicated that many organizations would require additional time to set up compliance procedures to bring their export operations in line with the new requirements. BIS is providing that time in the notice, as well as providing notice that they will be issuing additional guidance on implementing the IFR.

Tuesday, January 11, 2022

Review – 1 Advisory Published – 1-11-22

Today, CISA’s NCCIC-ICS published a control system security advisory for products from Johnson Controls.

Johnson Controls Advisory - This advisory describes an improper handling of syntactically invalid structure vulnerability in the Johnson Controls (American Dynamics) VideoEdge network video recorder.

NOTE: I briefly described this vulnerability on December 25th, 2021. Johnson Controls updated their advisory to add the NCCIC-ICS advisory number and link.

Log4Shell Update - While on the Johnson Controls advisory page looking at the original notice for today’s NCCIC-ICS advisory, I noticed that they had updated their Log4Shell advisory for the 15th time yesterday.

2nd Tuesday Advisories - For the third month in a row, NCCIC-ICS has not addressed any of the 2nd Tuesday advisories that were published by Siemens and Schneider today.

For more details about these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-published-1-11-22 - subscription required.

Review - S 3451 Passed in Senate – Cyber Permitting

Yesterday, the Senate passed S 3451, a bill to include certain computer-related projects in the Federal permitting program under title XLI of the FAST Act. The bill was passed on the same day it was introduced. It was considered under the Senate’s unanimous consent process with no debate and no vote. It adds a variety of computer related projects to the potential oversight and coordination of the Federal Permitting Improvement Council.

Provisions

The very short bill (1 section, eight lines) amends the definition of the term ‘covered project’ in 42 USC 4370m(6). It inserts the phrase: “semiconductors, artificial intelligence and machine learning, high-performance computing and advanced computer hardware and software, quantum information science and technology, data storage and data management, cybersecurity,” in paragraph (A).

Moving Forward

With the quick movement of this bill through the Senate, it would seem that this bill has a large measure of bipartisan support. If the bill is taken up quickly in the House, it would likely be considered under the suspension of the rules process. There would be limited debate and it would require a supermajority for passage. Unless something develops between now and the time it is taken up in the House it is likely to pass.

Of course, priorities in the House are not the same as the priorities in the Senate, even when both are ‘controlled’ by the same party. It will be interesting to see if this bill makes its way to the floor of the House.

Commentary

It is unusual for a bill to be introduced and passed on the same day. This typically means that there is widespread consensus on both the provisions of the bill and quick movement to passage. What is unusual here is that I have seen no indication of any ‘large scale critical infrastructure’ cyber project that has been held up by the federal environmental permitting process. While I could imagine a new, and very large, semiconductor manufacturing facility running into such problems, that type of facility would have already been covered by the ‘manufacturing’ provision in the existing language.

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-3451-passed-in-senate - subscription required.

Bills Introduced – 1-10-22

Yesterday, with both the House and Senate in session, there were 36 bills introduced. One of those bills may receive additional attention in this blog:

S 3451 A bill to include certain computer-related projects in the Federal permitting program under title XLI of the FAST Act, and for other purposes. Sen. Hagerty, Bill [R-TN]

I will be watching this bill for definitions and language that would specifically include transportation control systems within the coverage of its provisions.

Monday, January 10, 2022

Committee Hearings – Week of 1-9-22

This week, with both the House and Senate meeting in Washington, there is a light hearing schedule. Most of the Senate hearings deal with confirmations. There is one cybersecurity hearing scheduled in the House.

Cybersecurity Hearing

On Tuesday the House Committee on Oversight and Reform will hold a hearing on “Cybersecurity for the New Frontier: Reforming the Federal Information Security Modernization Act”. The witness list includes:

• Gordon Bitko, Information Technology Industry Council (formerly CIO FBI),

• Jennifer Franks, GAO,

• Ross Nodurft, Alliance for Digital Innovation (formerly OMB Cybersecurity Team Chief),

• Grant Schneider, Venable (formerly NSC Cybersecurity Policy Director),

• Renee Wynn, RP Wynn Consulting LLC (formerly NASA CIO)

This hearing is about FISMA so it will contain little or no discussion about operational technology issues. It will, however, be the first chance for congresscritters to ask questions about the various log4j vulnerabilities (pg4) that are causing so many problems. It will be interesting to see how good the staff work is on Log4Shell by seeing how intelligent the questions are.

On the Floor

Light schedule on the floor of the House this week. Interestingly, there are no scheduled bills to be considered under the suspension of the rules process. This may be due to the large number of congressional Covid cases reported this weekend. The House is tightening Covid restrictions again. Unfortunately, no one is reporting on member or committee staffer infections; I suspect that those numbers are quite high.

Sunday, January 9, 2022

Review - ChemLock Exercises – Chemical Sector IED

NOTE: This is the first in a series of blog posts looking at various CISA Tabletop Exercises Packages (CTEP) offered to chemical facility managers by the new CISA ChemLock program, a voluntary chemical security program run by the Office of Chemical Security (the CFATS folks). It is a follow-up to my earlier Overview post. CTEP administrative documents can be found here. The scenario manuals can be found here.

This post looks at the Chemical Sector IED (docx download link) (BTW: someone needs to talk with CISA about the hazards of links that automatically download MS Office or .PDF documents) scenario. For those of you who have played wargames or D&D, this scenario is going to be a bit of a disappointment. There is no dungeon master script and there are no unit markers with strength points and movement allowances. More importantly, there are no winners. These scenarios provide a brief generic description of an attack and its aftermath with a series of discussion questions about what should have been done, what should be done, and who had responsibility for the various actions.

The Scenario Document

The basic scenario document downloaded from the Physical Security Scenario page consists of a Word® document that facilities can customize for their situation. It contains three modules:

• Incident and Response,

• Sustained Response, and

• Short-Term Recovery.

Each module contains a brief and rather generic description of each phase of the incident and a series of questions to guide a discussion between the exercise participants about actions that could have been taken before, during, and after each phase of the incident to mitigate the effects. Some of the questions will not be appropriate for smaller scale exercises with limited (or no) outside participation. Those questions should just be ignored during the exercise. Management may want to raise those questions, though, with the Local Emergency Planning Committee (LEPC).

Alternate Use

While these questions were designed to be discussed after a facility has had a chance to develop a site security plan (SSP), an enterprising security manager would do well to look at these questions while developing that SSP. The questions, while not exhaustive, are comprehensive and provide a good look at what the site security plan should include for this particular scenario. They provide an informed look at some of the issues that the plan should be expected to address.

For more details, including the major discussion questions, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/chemlock-exercises - subscription required.


Review - Public ICS Disclosures - Log4Shell Advisories – Week of 1-1-22

This is effectively Part 2 of my weekly public ICS disclosure post. It is a follow-up to last week’s post. There are now 99 vendor notifications listed. As I did last week, I am making the article on my CFSN Detailed Analysis site - https://patrickcoyle.substack.com/p/public-ics-disclosure-log4shell-week-b51 - a free-access article so as to avoid a lengthy duplication here.

Saturday, January 8, 2022

Review - Public ICS Disclosures – Week of 1-1-22 – Part 1

This was a relatively light week for ICS disclosures, but because of the continuing response to the Log4Shell vulnerabilities, this will be a two part report.

This week we have ten vendor disclosures from Draeger, Hitachi, Kunbus, Moxa (2), QNAP (2), Texas Instruments, VMware, and Yokogawa. There was an update for an advisory for products from IDEC. There are also nine researcher reports for products from Siemens (8) and VMware. Finally, we have one exploit published for products from Siemens.

Draeger Advisory - Draeger published an advisory discussing the use of the out-of-support TLS 1.0 and TLS 1.1.

Hitachi Advisory - Hitachi published an advisory discussing 27 vulnerabilities in their Disc Array Systems.

Kunbus Advisory - Kunbus published an advisory describing two vulnerabilities in their Revolution Pi base modules.

Moxa Advisory #1 - Moxa published an advisory discussing the DNSpooq vulnerabilities in their AWK-3131A/4131A/1137C/1131A Series of products.

Moxa Advisory #2 - Moxa published an advisory describing a memory leak vulnerability in their EDR-G903, EDR-G902, and EDR-810 Series Secure Routers.

QNAP Advisory #1 - QNAP published an advisory describing a code execution vulnerability in their NAS running QVPN Service product.

QNAP Advisory #2 - QNAP published an advisory describing a cross-site scripting vulnerability in their TFTP Server.

TI Advisory - TI published an advisory discussing the BrakTooth vulnerabilities in their dual-mode Bluetooth products.

VMware Advisory - VMware published an advisory describing a heap overflow vulnerability in their Workstation, Fusion and ESXi products.

Yokogawa Advisory - Yokogawa published an advisory describing seven vulnerabilities in their CENTUM and Exaopc products.

IDEC Update - JPCERT published an update for their IDEC PLC advisory that was originally published on December 24th, 2021.

Siemens Reports - The Zero Day Initiative published eight reports about vulnerabilities in the Siemens JT2Go products.

VMware Report - USD HeroLab published a report describing a hidden functionality vulnerability in the VMware Workspace ONE Intelligent Hub.

Siemens Exploit - RoseSecurity published an exploit for a denial of service vulnerability in the Siemens S7 Layer 2 product.

For more details about these disclosures, including links to 3rd party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-1 - subscription required.
