Monday, February 28, 2022

Review - HR 6824 Introduced – Cybersecurity Competition

Last week, Rep Luria (D,VA) introduced HR 6824, the President’s Cup Cybersecurity Competition Act. The bill would allow CISA “to hold an annual cybersecurity competition to be known as the ‘Department of Homeland Security Cybersecurity and Infrastructure Security Agency’s President’s Cup Cybersecurity Competition’” {§2(a)} across offensive and defensive cybersecurity disciplines. No new monies are being authorized to support this competition.

Moving Forward

As I mentioned this morning, the House Homeland Security Committee will take up this bill on Wednesday. As of 9:30 pm EST today, there are no amendments proposed for this bill. I see nothing that would draw any organized opposition to the bill. I suspect that it will be adopted by the Committee with significant bipartisan support. This bill could be considered by the Full House later in March.

Commentary

The way this bill is set up, we could see multiple Department-wide competitions or a single government-wide competition. Or no competitions at all, if CISA decides it is just not worth the effort. In any case, if this bill passes, Congress gets credit for doing something for cybersecurity, even if no one holds a single competition.

Committee Hearings – Week of 2-27-22

This week with both the House and Senate returning to Washington, there is a pretty routine number of Committee hearings currently scheduled. They include a hearing on DOE related bills in the Senate and a markup hearing in the House that includes cybersecurity measures.

DOE Hearing

Tomorrow, the Senate Energy and Natural Resources Committee will conduct a hearing on pending legislation. They list seven DOE-related bills on which they will receive testimony. The witness list is currently limited to Geraldine Richmond, DOE. One of the bills, S 2302, touches on responsibilities for cybersecurity incident response at DOE.

Cybersecurity Markup

On Wednesday, the House Homeland Security Committee will hold a markup hearing looking at 12 pieces of legislation. There are three bills that may be of interest here; two were introduced last Friday and one will be introduced this week, probably today.

HR 6824, “President’s Cup Cybersecurity Competition Act” [PDF]

HR 6825, "Nonprofit Security Grant Program Improvement Act of 2022" [PDF]

HR____, "Cybersecurity Grants for Schools Act of 2022" [PDF]

I have not yet had a chance to do a detailed review of any of these bills since they have not been published by the GPO. I will be looking at the Committee drafts (links provided above) for the bills before Wednesday.

Saturday, February 26, 2022

Bills Introduced – 2-25-22

Yesterday, with the House meeting in pro forma session, there were 40 bills introduced. Two of those bills may receive additional coverage in this blog:

HR 6824 To authorize the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security to hold an annual cybersecurity competition relating to offensive and defensive cybersecurity disciplines, and for other purposes. Rep. Luria, Elaine G. [D-VA-2]

HR 6825 To amend the Homeland Security Act of 2002 to enhance the funding and administration of the Nonprofit Security Grant Program of the Department of Homeland Security, and for other purposes. Rep. Thompson, Bennie G. [D-MS-2]

I will be watching HR 6825 for language and definitions that would allow cybersecurity spending to be covered under the Nonprofit Security Grant Program.

I will be covering HR 6824.

CRS Reports – Ukraine Invasion – 2-26-22

This week the Congressional Research Service (CRS) published two early reports on the US and allied response to the Russian invasion of the Ukraine:

Russia’s Invasion of Ukraine: Overview of U.S. and Allied Responses, and

Russia’s Invasion of Ukraine: NATO Response

This is still very early in the conflict so the information in these documents is certainly subject to modification as the situation develops.

Review - Public ICS Disclosures – Week of 2-19-22

This week we have twelve vendor disclosures from Aruba, GE Gas Power (2), Hitachi, Insyde (3), HPE, PulseSecure, QNAP, Siemens, and VMware. We have five vendor updates from Aruba, Dell, HPE, Johnson Controls, and Milestone. We also have 19 researcher reports for products from WECON (15), Fuji Electric (3), and Industrial Control Links (ICL). Finally, we have three exploits reported for products from ICL and WebHMI (2).

Aruba Advisory - Aruba published an advisory describing 16 vulnerabilities in their AOS-CX Switches. Some of these are third-party vulnerabilities.

GE Gas Power Advisory #1 - GE published an advisory discussing the GE CIMPLICITY vulnerabilities reported earlier this week.

GE Gas Power Advisory #2 - GE published an advisory discussing the Blackberry QNX Neutrino Kernel vulnerability.

Hitachi Advisory - Hitachi published an advisory discussing 20 recently reported Microsoft vulnerabilities affecting their Hitachi Disk Array Systems.

Insyde Advisory #1 - Insyde published an advisory describing a privilege escalation vulnerability in their SysPasswordDxe driver.

Insyde Advisory #2 - Insyde published an advisory describing a buffer overflow vulnerability in their VariableEditSmm driver.

Insyde Advisory #3 - Insyde published an advisory describing a plain-text storage of sensitive information vulnerability in their HddPasswordPei driver.

HPE Advisory #1 - HPE published an advisory describing two vulnerabilities in their OneView Global Dashboard.

PulseSecure Advisory - PulseSecure published an advisory describing an integer overflow or wrap around vulnerability in multiple product lines.

QNAP Advisory - QNAP published an advisory describing two cross-site scripting vulnerabilities in their NAS running Proxy Server.

Siemens Advisory - Siemens published an advisory discussing 23 vulnerabilities in their Industrial Products.

VMware Advisory - VMware published an advisory describing a cross-site scripting vulnerability in their Workspace ONE Boxer.

Aruba Update - Aruba published an update for their PwnKit advisory that was originally published on February 1st, 2022.

Dell Update - Dell published an update for their generic Log4Shell advisory.

HPE Update - HPE published an update for their PwnKit advisory that was originally published on February 1st, 2022.

Johnson Controls Update - Johnson Controls published an update for their Log4Shell advisory.

Milestone Update - Milestone published an update for their Log4Shell advisory.

WECON Reports - The Zero Day Initiative published 15 reports of vulnerabilities in the WECON LeviStudioU.

Fuji Reports - ZDI published 3 reports of vulnerabilities in the Fuji Electric Alpha5 servo amplifiers.

ICL Report - Zero Science published a report describing a file write/overwrite and delete vulnerability in the ICL ScadaFlex II SCADA Controllers SC-1/SC-2.

ICL Exploit - LiquidWorm published an exploit for the ICL vulnerability reported above.

WebHMI Exploit #1 - Antonio Cuomo published an exploit for a remote code execution vulnerability in WebHMI version 4.1.1.

WebHMI Exploit #2 - Antonio Cuomo published an exploit for a cross-site scripting vulnerability in WebHMI 4.1.


For more details about these disclosures, including links to 3rd party advisories, researcher reports, and exploits – see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-762 - subscription required.

Friday, February 25, 2022

Review - HR 4609 Reported in House – NIST Reauthorization

Last week, the House Science, Space, and Technology Committee published their report on HR 4609, the National Institute of Standards and Technology for the Future Act of 2021. The Committee met on July 27th, 2021 and adopted substitute language along with 14 other amendments to the bill. The reported language includes eight new sections and many language changes, including some changes to the cybersecurity requirements.

New Sections

The following new sections were added to the bill:

§214. Facilitating development and distribution of forensic science standards.

§215. Sustainable Chemistry Research and Education.

§307. Standard technical update.

§308. GAO study of NIST research security policies and protocols.

§309. Premise plumbing research.

§401. Establishment of expansion awards pilot program as a part of the Hollings Manufacturing Extension Partnership.

§402. Update to manufacturing extension partnership.

§403. National supply chain database.

Moving Forward

With the publication of the Committee Report, the bill is now cleared for consideration by the full House. The bill, along with all of the amendments, was adopted by voice vote. This indicates strong bipartisan support for the bill. I suspect that the bill will come before the House next month. It will likely be considered under the House suspension of the rules process. This limits debate, prohibits floor amendments, and requires a supermajority for passage. The bill will pass in the House.


For more details about the cybersecurity related changes to the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-4609-reported-in-house - subscription required.

Thursday, February 24, 2022

Review – 4 Advisories Published – 2-24-22

Today, CISA’s NCCIC-ICS published four control system security advisories for products from Baker Hughes, Schneider Electric, Mitsubishi Electric, and FATEK Automation.

Baker Hughes Advisory - This advisory describes a use of password hash with insufficient computational effort vulnerability in the Baker Hughes Bently Nevada 3500 machinery protection system.

NOTE: This advisory was originally published to the HSIN ICS library on August 19th, 2021. This allows CISA to share the information with critical infrastructure organizations prior to making the vulnerability public. To request access to the HSIN ICS library email HSIN.HelpDesk@hq.dhs.gov.

Schneider Advisory - This advisory describes three vulnerabilities in the Schneider Easergy P5 and P3 medium voltage protection relays.

NOTE: I briefly discussed the two Schneider advisories for these vulnerabilities on January 16th, 2022.

Mitsubishi Advisory - This advisory describes nine vulnerabilities in the Mitsubishi EcoWebServerIII.

NOTE: I briefly discussed these vulnerabilities last Saturday.

FATEK Advisory - This advisory describes three vulnerabilities in the FATEK FvDesigner software tool.


For more information on these advisories, including links to third-party vendors, researchers and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-published-2-24-22 - subscription required.

PHMSA Sends Gas Pipeline Safety Final Rule to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a final rule from the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) for “Pipeline Safety: Safety of Gas Transmission Pipelines, Repair Criteria, Integrity Management Improvements, Cathodic Protection, Management of Change, and Other Related Amendments.”

According to the entry in the Fall 2021 Unified Agenda for this rulemaking:

“This rulemaking would amend the pipeline safety regulations relevant to gas transmission pipelines by adjusting the repair criteria in high consequence areas and creating new criteria for non-high consequence areas, requiring the inspection of pipelines following extreme events, requiring safety features on in-line inspection tool launchers and receivers, updating and bolstering pipeline corrosion control, codifying a management of change process, clarifying certain integrity management provisions, and strengthening integrity management assessment requirements.”

There was no notice of proposed rulemaking issued for this action. It first appeared in the Spring 2018 Long-Term Actions portion of the Agenda listed as a final rule. It was split off from the 2137-AE72 rulemaking that had its NPRM published on March 8th, 2016.

Wednesday, February 23, 2022

Bills Introduced – 2-22-22

Yesterday, with the House meeting in pro forma session, there were 21 bills introduced. There is one bill that will receive additional coverage in this blog:

HR 6812 To authorize appropriations for the Cybersecurity Assistance Pilot Program of the Small Business Administration for fiscal years 2023 through 2025, and for other purposes. Rep. Joyce, David P. [R-OH-14]

Review - S 3618 Introduced – Cybersecurity Exemptions

Earlier this month, Sen Wyden (D,OR) introduced S 3618, the Federal Cybersecurity Oversight Act of 2022. The bill would slightly revise the process for exempting federal agencies from select information system cybersecurity requirements outlined in 6 USC 1523 while setting a time limit for those exemptions and establishing reporting requirements for those exemptions.

Wyden is not a member of the Senate Homeland Security and Governmental Affairs Committee to which this bill was assigned for consideration. This means that there is probably not enough influence to see this bill considered in Committee. I see nothing in the bill that would engender any significant opposition. The bill would likely advance in Committee with significant bipartisan support if considered.

This bill will not move to the floor of the Senate under regular order. It is not important enough to take up that much time, particularly as the mid-term elections approach. This bill might be able to pass in the Senate if considered under the unanimous consent process.


For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-3618-introduced - subscription required.

Tuesday, February 22, 2022

HR 6588 Introduced – Cybersecurity Apprenticeships

Earlier this month, Rep Lee (D,NV) introduced HR 6588, the Cyber Ready Workforce Act. The bill would establish a grant program within the Department of Labor to support the creation, implementation, and expansion of registered apprenticeship programs in cybersecurity. The bill would authorize ‘such funds as necessary’ to be appropriated for this program. This bill is a companion bill (identical language) to S 3570, upon which I reported earlier today.

Neither Lee nor her sole cosponsor {Rep Fitzpatrick (R,PA)} is a member of the House Education and Labor Committee to which this bill was assigned for consideration. This makes it unlikely that the Committee will take up the bill. I see nothing in this bill that would engender organized opposition. If the bill were to be considered in Committee, I suspect that it would receive significant bipartisan support.

Review – 3 Advisories Published – 2-22-22

Happy Twosday! Today, CISA’s NCCIC-ICS published three control system security advisories for products from WIN-911 and GE (2).

WIN-911 Advisory - This advisory describes two incorrect default permissions vulnerabilities in the WIN-911 2021 alarm notification platform.

NOTE: The WIN-911 advisory provides a good explanation of how these two vulnerabilities work.

GE Advisory #1 - This advisory describes a clear-text transmission of sensitive information vulnerability in the GE Proficy CIMPLICITY HMI and SCADA platform.

GE Advisory #2 - This advisory describes an improper privilege management vulnerability in the GE Proficy CIMPLICITY HMI and SCADA platform.


For additional details about these vulnerabilities, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-published-2-22-22 - subscription required.

Review - S 3570 Introduced – Cybersecurity Apprenticeships

Earlier this month, Sen Rosen (D,NV) introduced S 3570, the Cyber Ready Workforce Act. The bill would establish a grant program within the Department of Labor to support the creation, implementation, and expansion of registered apprenticeship programs in cybersecurity. The bill would authorize ‘such funds as necessary’ to be appropriated for this program.

Moving Forward

Rosen is a member of the Senate Health, Education, Labor and Pensions Committee to which this bill was assigned for consideration. This means that there should be sufficient influence to see this bill considered in Committee. I see nothing in this bill that would engender any organized opposition. I suspect that the bill would pass in Committee with significant bipartisan support.

This bill is not important enough to be considered under regular order in the Senate. It is possible that it could be considered under the unanimous consent process. A more likely route to the President’s desk would be including the language from this bill in some large piece of legislation, either added in the drafting or as an amendment in the floor process for that bill.

Commentary

There is nothing in the language of this bill that would prohibit the funding from going to some cybersecurity training program that concentrated on industrial control systems. I would be more comfortable, however, if some sort of control system certification program were listed in §4(b)(1).


For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-3570-introduced - subscription required.

Monday, February 21, 2022

Review - HR 4521 Passed in House – COMPETES Act

Earlier this month the House passed HR 4521, the America COMPETES Act of 2022. While billed as a ‘bioeconomy’ bill, this legislation is another huge (3610 pages) legislative conglomeration that addresses a large number of disparate issues. It includes 10 distinct sections addressing cybersecurity issues, funding for a cybersecurity training program and 12 separate mentions in passing of cybersecurity provisions in loosely related requirements.

Spending for Cybersecurity Training

Section 10303 authorizes spending for a variety of programs through the National Science Foundation. This includes money for the Cybercorps Scholarship for Service Program:

FY 2022 - $70,000,000,

FY 2023 - $72,000,000,

FY 2024 - $78,000,000,

FY 2025 - $84,000,000, and

FY 2026 - $90,000,000

Cybersecurity Sections

The bill contains ten sections that deal specifically with cybersecurity issues. Many of these sections are essentially the same as standalone legislative proposals that have already been offered in the House and/or Senate. Most of those earlier bills have little chance of making it through the legislative process on their own. The ten cybersecurity sections are:

§10223. NIST authority for cybersecurity and privacy activities

§10224. Software security and authentication.

§20102. Understanding cybersecurity of mobile networks. [HR 2685]

§20106. NTIA policy and cybersecurity coordination [HR 4046]

§20107. American cybersecurity literacy [HR 4055]

§30127. Digital connectivity and cybersecurity partnership.

§40101. Federal Rotational Cyber Workforce Program [HR 3599 or S 1097]

§50107. Improving cybersecurity of small entities [HR 6541]

§50108. Critical Technology Security Centers.

§90601. Dr. David Satcher cybersecurity education grant program. [S 2305]

Moving Forward

The bill passed in the House by a nearly straight party-line vote of 222 to 210 (one Democrat and one Republican voted the other way). This would indicate that the bill would never pass the cloture process for consideration in the Senate. Nor is it a given that, if it did make it to a vote in the Senate, there would be enough votes for it to be sent to the President.

There is one potential route forward for this bill. If the House were to vote to amend S 1260, the Endless Frontiers Act (a similar conglomeration bill) with the language from this bill, then the Senate would insist on their language and the two versions of the bill would go to conference to work out the differences. A conference version would pass in the House on a party-line vote and may make it through the Senate (with judicious paring and reduced spending).


For more details about the cybersecurity provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-4521-passed-in-house - subscription required.

Sunday, February 20, 2022

Review – Public ICS Disclosures – Week of 2-12-22 – Part 2

So, for Part 2 we start with seven more vendor disclosures from Dell (2), Sick, Texas Instruments, VMware (2), and Western Digital. There are also seven vendor updates from Dell, Eaton, HPE (3), and VMware (2). We also have two researcher reports of vulnerabilities in products from KiCad. Finally, we have an exploit report for products from Emerson.

Dell Advisory #1 - Dell published an advisory describing three vulnerabilities in their Dell Wyse Device Agent.

Dell Advisory #2 - Dell published an advisory describing two vulnerabilities in their Dell Wyse Management Suite.

Sick Advisory - Sick published an advisory discussing the Wibu Systems CodeMeter vulnerabilities in their FieldEcho product.

TI Advisory - TI published an advisory describing an information disclosure vulnerability in their SimpleLink™ CC32xx/CC31xx product line.

VMware Advisory #1 - VMware published an advisory describing five vulnerabilities in their VMware ESXi, Workstation, and Fusion products.

VMware Advisory #2 - VMware published an advisory describing a CLI shell injection vulnerability in their NSX Data Center for vSphere product.

Western Digital Advisory - Western Digital published an advisory describing eight vulnerabilities in their My Cloud OS 5 firmware.

Dell Update - Dell published an update for their Log4Shell advisory.

Eaton Update - Eaton published an update for their Log4Shell advisory.

HPE Update #1 - HPE published an update for their HPE ProLiant, Apollo, and Synergy Servers advisory that was originally published on February 8th, 2022.

HPE Update #2 - HPE published an update for their HPE ProLiant, Apollo, Edgeline, and Synergy Servers advisory that was originally published on February 8th, 2022.

HPE Update #3 - HPE published an update for their HPE ProLiant, Apollo, and Synergy Servers advisory that was originally published on February 8th, 2022.

VMware Update #1 - VMware published an update for their VMware Workstation, Fusion and ESXi advisory that was originally published on January 4th, 2022 and most recently updated on January 27th, 2022.

VMware Update #2 - VMware published an update for their Cloud Foundation advisory that was originally published on January 31st, 2022.

Emerson Exploit - Luis Martínez published an exploit for an unquoted search path vulnerability in the Emerson PAC Machine.


For more details about these disclosures, including links to 3rd party advisories, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-d6a - subscription required.

Saturday, February 19, 2022

Review - NIST RFI to Support CSF – Supply Chain Security Integration

This Monday DOC’s National Institute of Standards and Technology (NIST) is publishing (available online today) in the Federal Register (87 FR 9579-9581) a request for information on “Evaluating and Improving NIST Cybersecurity Resources: The Cybersecurity Framework (CSF) and Cybersecurity Supply Chain Risk Management.” NIST is considering aligning the CSF and the National Initiative for Improving Cybersecurity in Supply Chains (NIICS). In this RFI, NIST is requesting information that will support the identification and prioritization of supply chain-related cybersecurity needs across sectors.

NIST is looking for comments in the following areas:

Use of the Cybersecurity Framework,

Relationship of the CSF to Other Risk Management Resources, and

Cybersecurity Supply Chain Risk Management

Comments Requested

NIST is soliciting comments on this RFI. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # NIST-2022-0001). Comments should be submitted by April 25th, 2022.

Commentary

The CSF is a corporate level cyber risk management tool rather than a true cybersecurity tool. Its greatest strength has always been that NIST proactively works to keep it current and responsive to current needs. It has relied heavily on the input from the public and outside experts. This RFI continues that tradition.


For more details about this RFI, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/nist-rfi-to-support-csf-supply-chain - subscription required.

Bills Introduced – 2-18-22

Yesterday, with the House meeting in pro forma session, there were 62 bills introduced. One of those bills will receive additional coverage in this blog:

HR 6779 To direct the Secretary of Energy to establish a program to reduce the vulnerability of the electric grid to physical attack, cyber attack, and other events, including by ensuring that large power transformers and other critical electric grid equipment are strategically located to ensure timely replacement of such equipment as may be necessary, and for other purposes. Rep. Lamb, Conor [D-PA-17]

Review - Public ICS Disclosures – Week of 2-12-22 – Part 1

It is beginning to look like multipart reports are going to be the standard for this weekly update. This week in Part 1 we have 14 vendor disclosures from Aveva, Axis, Broadcom (2), WECON, HPE (6), Kunbus, Mitsubishi, and Moxa.

Aveva Advisory - Aveva published an advisory describing a clear-text credential storage vulnerability in their System Platform 2020.

Axis Advisory - Axis published an advisory describing a DLL hijacking vulnerability in their IP Utility.

Broadcom Advisory #1 - Broadcom published an advisory describing a use of hard-coded credentials vulnerability.

Broadcom Advisory #2 - Broadcom published an advisory describing an authenticated privilege file read vulnerability in their Fabric OS.

WECON Advisory - INCIBE-CERT published an advisory describing two vulnerabilities in the WECON LeviStudioU.

HPE Advisory #1 - HPE published an advisory describing a host header injection vulnerability in their Integrated Lights-Out 4.

HPE Advisory #2 - HPE published an advisory describing a buffer overflow vulnerability in their iLO Amplifier Pack.

HPE Advisory #3 - HPE published an advisory describing an information disclosure vulnerability in their Fibre Channel and SAN Switches.

HPE Advisory #4 - HPE published an advisory describing an authentication bypass vulnerability in their Fibre Channel and SAN Switches.

HPE Advisory #5 - HPE published an advisory discussing the Log4Shell vulnerabilities in their Universal IoT.

HPE Advisory #6 - HPE published an advisory describing a buffer overflow vulnerability in their Gen10 and Gen10 Plus Synergy Servers.

Kunbus Advisory - Kunbus published an advisory describing two vulnerabilities in their Revolution PI base modules.

Mitsubishi Advisory - Mitsubishi published an advisory describing nine vulnerabilities in their Energy Saving Data Collecting Server (EcoWebServerIII).

Moxa Advisory - Moxa published an advisory describing a channel accessible by non-endpoint vulnerability in their MGate MB3170/MB3270/MB3280/MB3480 Series Protocol Gateways.


For more details on these disclosures, including links to third-party advisories, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-346 - subscription required.


Friday, February 18, 2022

Review - Siemens Publishes Out-of-Zone Advisories – 2-17-22

Yesterday Siemens published two control system security advisories and five updates just nine days after their regular 2nd Tuesday publication of advisories and updates.

Siemens Advisory #1 - Siemens published an advisory discussing the Wibu Systems CodeMeter vulnerabilities in their Energy Products.

Siemens Advisory #2 - Siemens published an advisory describing two vulnerabilities in their Simcenter Femap advanced simulation application.

Siemens Update #1 - Siemens published an update for their OpenSSL advisory that was originally reported on July 13th, 2021 and most recently updated on February 8th, 2022.

Siemens Update #2 - Siemens published an update for their SPPA-T3000 advisory that was originally published on December 17th, 2019 and most recently updated on March 10th, 2020.

NOTE: NCCIC-ICS did not update their advisory (ICSA-19-351-02) for these changes.

Siemens Update #3 - Siemens published an update for their Wibu Systems CodeMeter advisory that was originally published in 2018 and most recently updated on March 13th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-20-203-01) for these changes.

Siemens Update #4 - Siemens published an update for their Ripple20 advisory that was originally published on July 14th, 2020.

Siemens Update #5 - Siemens published an update for their OpenSSL in Industrial Products advisory that was originally published on December 10th, 2019 and most recently updated on February 8th, 2022.

NOTE: NCCIC-ICS did not update their advisory (ICSA-19-099-06) for these changes.


For more details about these advisories and updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/siemens-publishes-out-of-zone-advisories - subscription required.

Bills Introduced – 2-17-22

Yesterday, with just the Senate in session (and preparing to leave for their President’s Day recess), there were 45 bills introduced. One of those bills may receive additional attention in this blog:

S 3699 A bill to provide guidance for and investment in the research and development activities of the Department of Energy Office of Science, and for other purposes. Sen. Manchin, Joe, III [D-WV]

I will be watching this bill for language and definitions that would include control system cybersecurity within the scope of its provisions.

NOTE: Corrected date in title - 2-19-22 0930 EST

HR 6617 Passed in Senate – FY 2022 CR

Yesterday, the Senate took up HR 6617, the Further Additional Extending Government Funding Act. After rejecting three Republican amendments which would have required that the bill go back to the House for further consideration, the bill was passed by a largely bipartisan vote of 65 to 27. President Biden is expected to sign the bill that will continue the current funding of the Federal government through March 11th, 2022.

Review - S 3542 Introduced – Criminal Drone Misuse

Earlier this month, Sen Grassley (R,IA) introduced S 3542, the Drone Act of 2022. The bill would revise 18 USC to expand the coverage of the criminal code for misuse of unmanned aircraft. No funding is provided in this bill.

Moving Forward

Grassley is the ranking member of the Senate Judiciary Committee to which this bill was assigned for consideration. This means that there should be sufficient influence to see this bill considered in Committee. Since the bill has two Democrats as cosponsors, the bill should receive some level of bipartisan support, but there should be some opposition from the UAV industry. I suspect that the bill would pass in Committee, but there could be significant changes made in the process.

This bill is not important enough to move to the floor of the Senate under regular order and there should be enough opposition to prevent it from being considered under the unanimous consent process. There is a chance that the bill could be included in some larger piece of legislation or offered as an amendment to another bill.

Commentary

The new Intrusion on Protected Spaces offense includes an interesting provision. It includes ‘rules, regulations, and orders’ of DHS as types of Federal Law that could be used to establish areas where UAVs could be prohibited. There is not currently any specific authority for DHS to establish such areas beyond the very constrained authorization in 6 USC 124n(k)(3)(C)(i) limited to federal facilities protected by DHS.

The similar authority granted to the FAA could be important, if/when the FAA ever gets around to writing its regulation allowing critical infrastructure facilities to petition to be covered by a UAS-specific flight restriction as required by §2209 of PL 114-190 (120 Stat 634). Those regulations were supposed to have been done by January 11th, 2017.


For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-3542-introduced - subscription required.


Thursday, February 17, 2022

Review - EPA Publishes EPCRA 30-Day ICR Notice

Yesterday, the EPA published a 30-day information collection request (ICR) renewal notice in the Federal Register (87 FR 8836-8837) for “Emergency Planning and Release Notification Requirements (EPCRA Sections 302, 303, and 304)”. This renewal request does not reflect any programmatic changes, just changes in the reporting history during the period covered by the currently approved ICR.

Normally, I do not pay a great deal of attention to these routine ICR renewals. They are typically just boilerplate repeats of previously submitted data. The EPA is one of the agencies that does update its burden estimates to reflect the changes in data submission over time. This time, however, a comment in the explanation for the changes in estimate portion of the notice caught my attention:

“The reduction in state and local government burden estimate of approximately 15,607 hours annually, is attributable to the reduction in the numbers of SERCs (or TERCs) and LEPCs (or TEPCs) in this ICR compared to the previous ICR (new total of 3,052 reduced from 3,556).”

The EPA does not explain the change in the number of SERCs/LEPCs in the supporting documents for the simple reason that they have no control over those organizations. Congress established this important chemical safety program, but it has provided for little to no oversight and no organizational control of the program at the Federal level. The decline in the numbers of reported organizations in this ICR notice makes it clear that Congress needs to take a closer look at this program.

For more details about the changes in the numbers being reported by EPA, including a look at the history of the numbers being reported, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/epa-publishes-epcra-30-day-icr-notice - subscription required.

Wednesday, February 16, 2022

HR 5658 Reported in House – Cybersecurity Roles

Earlier this month, the House Homeland Security Committee published their report for HR 5658, the DHS Roles and Responsibilities in Cyber Space Act. The Committee considered the bill in a mark-up hearing on October 26th, 2021 where the bill was amended and adopted by a voice vote.

The revised language for the bill includes two new subsections {§2(9) and §2(12)} in the Congressional findings section of the bill. Both make references to requirements from the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (PL 116-283). Neither change affects the reporting requirements outlined in the bill.

The bill is now cleared for consideration by the Full House. The bill is likely to be taken up under the House suspension of the rules process which limits debate, prohibits floor amendments and requires a super majority for passage. The bill will almost certainly pass with strong bipartisan support.

Tuesday, February 15, 2022

HR 5616 Reported in House – DHS Training Accreditation

Earlier this month, the House Homeland Security Committee published their report on HR 5616, the DHS Basic Training Accreditation Improvement Act of 2021. The bill was approved in Committee by a voice vote on October 26th, 2021, without amendment. Equally important, the Judiciary Committee, which was also assigned to consider the bill, was discharged from consideration of the bill. The bill is now cleared to be considered by the Full House.

The report specifically clarifies that the following DHS law enforcement training programs are not currently accredited:

• U.S. Border Patrol Academy,

• CBP’s Field Operations Academy Officer Basic Training Program, and

• U.S. Citizenship and Immigration Services’ Officer Basic Training Program.

The report includes a copy of the letter from Rep Nadler (D,NY), Chair of the House Judiciary Committee, notifying Rep Thompson (D,MS), Chair of the Homeland Security Committee, that the Judiciary Committee will not take any action on the bill and would work with Thompson to see the bill passed. Such inter-committee cooperation is a prerequisite to a bill being considered by the Full House.

The bill is likely to be taken up by the House in March under the suspension of the rules process. It will almost certainly pass with a substantial bipartisan majority.

1 Advisory Published – 2-15-22

Today, CISA’s NCCIC-ICS published one control system security advisory for products from Schneider Electric.

Schneider Advisory

This advisory describes eight vulnerabilities in their Interactive Graphical SCADA System (IGSS). These are the same vulnerabilities that I covered in some detail on CFSN Detailed Analysis on Saturday evening.

Monday, February 14, 2022

Review - HR 6546 Introduced – Wireless Electric Vehicle Charging

Earlier this month, Rep Lawrence (D,MI) introduced HR 6546, the Wireless Electric Vehicle Charging Grant Program Act of 2022. The bill would require DOT to establish a grant program “for projects to construct, install, or improve existing wireless charging infrastructure and technology for electric vehicles.” The bill would authorize $50 million to support the new grant program.

Moving Forward

While Lawrence is not a member of the House Energy and Commerce Committee to which this bill was assigned for primary consideration, one of her nine cosponsors {Rep Castor (D,FL)} is a member. This means that there might be sufficient influence to see this bill considered in Committee. Among the remaining cosponsors, Rep Titus (D,NV) and Rep Lynch (D,MA) are members of the House Transportation and Infrastructure Committee to which this bill was assigned for secondary consideration.

There are wage rate requirements and neutrality towards organized labor requirements in the bill that will draw nearly automatic opposition from Republicans. This bill would probably pass in Committee with party line votes, but it would not be able to pass if considered in the Full House under the suspension of the rules process due to the super majority requirement for passage. This bill is not important enough to take up the time of the House for consideration under regular order.

Commentary

There are no provisions in this bill requiring any sort of cybersecurity protections to be included in grant eligible projects. Any EV charging station is going to include cyber controls over the charging process, with communications required between the charging equipment and the vehicle being charged. Inadequate controls over the charging process could lead to damage of the vehicle up to and potentially including fire or explosion. Protecting those controls from cyber attacks should be part of the design basis for these systems. Wireless charging systems are going to be even more vulnerable to attack because the communications between the charging station and the vehicle will not be hard-wired.

Alternatively, there would also be a potential for theft of electricity from a wireless charging system if there were inadequate cybersecurity controls in place. See my recent post on Future ICS Security News for a look at how such theft might happen.

To ensure the consideration of cybersecurity controls, I would insert a new §7(a)(5):

“(5) focus on the cybersecurity of the charging control system and the secure wireless communications between the vehicles to be charged and the charging control system,”


For more information on the details of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-6546-introduced - subscription required.

Sunday, February 13, 2022

Review - Public ICS Disclosures – Week of 2-5-22 – Part 3

Finally, we have 18 updates from Siemens.

NOTE: My copy of the Siemens advisory spreadsheet contained duplicate entries. That is what led to the inflated count of updates in my earlier post.

NTP-Client Update - Siemens published an update for their SIMATIC NTP-Client advisory that was originally published on June 8th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-21-159-11) for this information.

OPC UA Update - Siemens published an update for their OPC UA in Industrial Products advisory that was originally published on April 9th, 2019 and most recently updated on March 10th

NOTE: NCCIC-ICS did not update their advisory (ICSA-19-099-03) for this information.

Number:Jack Update - Siemens published an update for their NUMBER:JACK advisory that was originally published on September 14th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-21-257-13) for this information.

Industrial Products Update #1 - Siemens published an update for their Industrial Products advisory that was originally published on December 5th, 2017 and most recently updated on October 14th, 2021

NOTE: NCCIC-ICS did not update their advisory (ICSA-17-339-01) for this information.

Industrial Products Update #2 - Siemens published an update for their Industrial Products advisory that was originally published on December 10th, 2019 and most recently updated on December 8th, 2020.

NOTE: NCCIC-ICS last updated their advisory (ICSA-19-099-06) for this product back in August 2020.

Industrial Products Update #3 - Siemens published an update for their Industrial Products advisory that was originally published on December 10th, 2019 and most recently updated on December 8th, 2020.

Industrial Realtime Products Update - Siemens published an update for their Industrial Realtime Products advisory that was originally published on October 10th, 2019 and most recently updated on October 14th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-19-283-01) for this information.

GNU/Linux Update - Siemens published an update for their GNU/Linux advisory that was originally published in 2018 and most recently updated on November 9th, 2021.

TCP Sack Panic Update - Siemens published an update for their TCP SACK PANIC advisory that was originally published on August 13th, 2019 and most recently updated on September 14th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-19-253-03) for this information.

PROFINET Update #1 - Siemens published an update for their PROFINET advisory that was originally published on October 10th, 2019 and most recently updated on October 12th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-19-283-02) for this information.

PROFINET Update #2 - Siemens published an update for their PROFINET advisory that was originally published on July 11th, 2021 and most recently updated on October 12th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-21-194-03) for this information.

PROFINET Update #3 - Siemens published an update for their PROFINET advisory that was originally published on February 11th, 2020 and most recently updated on October 12th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-20-042-04) for this information.

SegmentSmack Update - Siemens published an update for their SegmentSmack advisory that was originally published on April 14th, 2020 and most recently updated on March 9th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-20-105-08) for this information.

Log4Shell Update #1 - Siemens published an update for their general Log4Shell advisory.

Log4Shell Update #2 - Siemens published an update for their Log4Shell in SPPA-T3000 advisory.

WIBU Codemeter Update - Siemens published an update for their WIBU Codemeter advisory that was originally published on July 13th, 2021 and most recently updated on November 9th, 2021.

OpenSSL Update - Siemens published an update for their OpenSSL advisory that was originally reported on July 13th, 2021 and most recently updated on January 11th, 2022.

Amnesia:33 Update - Siemens published an update for their Amnesia:33 advisory that was originally published on March 9th, 2021 and most recently updated on October 12th, 2021.

FragAttacks Update - Siemens published an update for their FragAttacks advisory that was originally published on July 13th, 2021 and most recently updated on October 12th, 2021.

Commentary

This month, NCCIC-ICS missed updating 11 of their advisories for changes in the respective Siemens advisories. I understand that CISA currently has a number of issues on its plate including cybersecurity fallout from the potential war in Ukraine, but updating these advisories is important business.

More disturbing than that, though, is the fact that NCCIC-ICS has ignored the effectively end-of-life messages in many of these updates and new advisories from Siemens this month. The fact that Siemens has no intention of developing mitigation measures for, in some cases, multiple vulnerabilities in a product line should weigh heavily in the decision-making process at many industrial organizations. And many organizations rely on CISA’s advisories for that type of information.
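One way to keep track of this yourself, added here as an example (it is not code from this blog, from CISA or from Siemens): CISA's ICS advisory identifiers encode the date of first publication (ICSA-21-159-11 is day 159 of 2021, June 8th, the date of the NTP-Client advisory above), so a short script can decode each ID and compare it against the vendor's revision date, and at the same time collect the products for which the vendor says no fix is planned. The sample records are constructed from the dates quoted in this post, the CISA revision dates in the sample are assumed for illustration, and the function and record names are my own.

```python
"""Cross-check vendor ICS advisory revisions against CISA (NCCIC-ICS) advisories.

Added example; not code from the blog, CISA or Siemens. Sample records are
constructed from dates quoted in the post; CISA revision dates are assumed.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# CISA ICS advisory IDs encode the first publication date:
# ICSA-YY-DDD-NN (ICSMA-... for medical advisories) = year 20YY, ordinal day DDD.
ICSA_RE = re.compile(r"^ICSM?A-(\d{2})-(\d{3})-(\d{2})$")


def icsa_publication_date(advisory_id: str) -> date:
    """Decode the publication date embedded in an ICSA/ICSMA advisory ID.

    ICSA-21-159-11 -> 2021-06-08 (day 159 of 2021), matching the June 8th, 2021
    date of the SIMATIC NTP-Client advisory in the post.
    """
    m = ICSA_RE.match(advisory_id.strip())
    if not m:
        raise ValueError(f"not a CISA ICS advisory id: {advisory_id!r}")
    year, day_of_year = 2000 + int(m.group(1)), int(m.group(2))
    first = date(year, 1, 1)
    days_in_year = (date(year + 1, 1, 1) - first).days
    if not 1 <= day_of_year <= days_in_year:
        raise ValueError(f"day {day_of_year} is out of range for {year}")
    return first + timedelta(days=day_of_year - 1)


@dataclass(frozen=True)
class VendorAdvisory:
    title: str
    vendor_updated: date                  # date of the vendor's latest revision
    cisa_id: Optional[str]                # matching CISA advisory, if one is known
    no_fix_planned: Tuple[str, ...] = ()  # products the vendor will not remediate


def stale_cisa_advisories(
    advisories: List[VendorAdvisory], cisa_last_updated: Dict[str, date]
) -> List[Tuple[str, str, date, date]]:
    """List CISA advisories whose vendor counterpart was revised more recently.

    When no CISA revision is recorded, the date decoded from the ID is used,
    i.e. the advisory is treated as untouched since first publication.
    """
    stale = []
    for adv in advisories:
        if adv.cisa_id is None:
            continue
        cisa_date = cisa_last_updated.get(adv.cisa_id) or icsa_publication_date(adv.cisa_id)
        if adv.vendor_updated > cisa_date:
            stale.append((adv.cisa_id, adv.title, adv.vendor_updated, cisa_date))
    return sorted(stale)


def unsupported_products(advisories: List[VendorAdvisory]) -> Dict[str, List[str]]:
    """Map each product the vendor will not fix to the advisories that say so."""
    products: Dict[str, List[str]] = {}
    for adv in advisories:
        for product in adv.no_fix_planned:
            products.setdefault(product, []).append(adv.title)
    return {p: sorted(titles) for p, titles in sorted(products.items())}


# Constructed sample: Siemens revisions from the February 8th, 2022 batch, with
# CISA IDs as listed in the post. The 'no fix planned' product is the one named
# in the February 10th post; its CISA ID is not given there, hence None.
SIEMENS_FEB_2022 = [
    VendorAdvisory("SIMATIC NTP-Client", date(2022, 2, 8), "ICSA-21-159-11"),
    VendorAdvisory("OPC UA in Industrial Products", date(2022, 2, 8), "ICSA-19-099-03"),
    VendorAdvisory("Industrial Products #2", date(2022, 2, 8), "ICSA-19-099-06"),
    VendorAdvisory("PROFINET (May 2017)", date(2022, 2, 8), None,
                   no_fix_planned=("SIMATIC CP 443-1 OPC UA",)),
    VendorAdvisory("Log4Shell (general)", date(2022, 2, 8), None),
]

# Assumed CISA revision history for the sample: the post only says that
# ICSA-19-099-06 was last updated in August 2020 (the day here is assumed).
CISA_LAST_UPDATED = {"ICSA-19-099-06": date(2020, 8, 1)}

if __name__ == "__main__":
    for cisa_id, title, vendor_date, cisa_date in stale_cisa_advisories(
        SIEMENS_FEB_2022, CISA_LAST_UPDATED
    ):
        print(f"{cisa_id}: vendor revised {vendor_date}, CISA last touched {cisa_date} ({title})")
    for product, titles in unsupported_products(SIEMENS_FEB_2022).items():
        print(f"no fix planned: {product} <- {', '.join(titles)}")
```

Feeding the script a full export of the vendor's advisory list and CISA's revision history gives the same "did not update" list as above without reading each advisory by hand; the no-fix list is the part to carry into the asset inventory, since it is the signal that an affected product now needs compensating controls or replacement rather than a patch.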

 

For more details about these updates, including lists of unsupported products, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-f27 - subscription required.

Saturday, February 12, 2022

Review - Public ICS Disclosures – Week of 2-5-22 – Part 2

For Part 2 we have 14 vendor disclosures from strongSwan, Wireshark (5), Yokogawa, Siemens (2), and Schneider (6). There are six vendor updates from GE Gas Power, Siemens Healthineers, and Schneider (4). Finally, we have an exploit for products from Siemens.

NOTE: Part 3 will address the remaining 30+ updates published by Siemens on Tuesday.

strongSwan Advisory - StrongSwan published a blog post describing an improper authentication vulnerability in their EAP client implementation.

NOTE: This blog post contains an interesting discussion about the EAP authentication process in VPNs.

Wireshark Advisory #1 - Wireshark published an advisory describing a CMS dissector crash vulnerability.

Wireshark Advisory #2 - Wireshark published an advisory describing a CSN.1 dissector vulnerability.

Wireshark Advisory #3 - Wireshark published an advisory describing a PVFS dissector crash vulnerability.

Wireshark Advisory #4 - Wireshark published an advisory describing ten large loop vulnerabilities in multiple dissectors.

Wireshark Advisory #5 - Wireshark published an advisory describing a RTMPT dissector infinite loop vulnerability.

Yokogawa Advisory - Yokogawa published an advisory discussing the Log4Shell vulnerabilities in their CENTUM VP Unified Gateway Station.

Siemens Advisory #1 - Siemens published an advisory describing an out-of-bounds read vulnerability in their Industrial Products.

Siemens Advisory #2 - Siemens published an advisory discussing two vulnerabilities in their SIMATIC NET CP, SINEMA and SCALANCE Products.

Schneider Advisory #1 - Schneider published an advisory describing eight vulnerabilities in their Interactive Graphical SCADA System (IGSS).

Schneider Advisory #2 - Schneider published an advisory describing two vulnerabilities in their EcoStruxure EV Charging Expert.

Schneider Advisory #3 - Schneider published an advisory describing a use of hard-coded credentials vulnerability in their Easergy P40 protection relay. Schneider also reports that the product uses an older version of OpenSSL with known vulnerabilities.

Schneider Advisory #4 - Schneider published an advisory describing four vulnerabilities in their spaceLYnk, Wiser for KNX, and fellerLYnk products.

Schneider Advisory #5 - Schneider published an advisory describing four vulnerabilities in their EcoStruxure Geo SCADA Expert (ClearSCADA).

Schneider Advisory #6 - Schneider published an advisory describing an incorrect default permissions vulnerability in their Harmony/Magelis iPC Series HMI, Vijeo Designer and Vijeo Designer Basic products.

GE Gas Power Update - GE Gas Power published an update for their ToolBoxST advisory that was originally published on January 25th, 2022.

Siemens Healthineers Update - Siemens Healthineers published an update for their Log4Shell advisory.

Schneider Update #1 - Schneider published an update for their CODESYS V3 Runtime advisory that was originally published on January 11th, 2022.

Schneider Update #2 - Schneider published an update for their BadAlloc advisory that was originally published on November 9th, 2021 and most recently updated on January 13th, 2022.

Schneider Update #3 - Schneider published an update for their INFRA:HALT advisory that was originally published on August 5th, 2021.

Schneider Update #4 - Schneider published an update for their Harmony (Magelis) HMI panels advisory that was originally published on August 13th, 2019.

Siemens Exploit - A. Ovsyannikova published an exploit for an open redirect vulnerability in the Siemens SINEMA Remote Connect Server.

 

For more details about these disclosures, including links to 3rd party advisories, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-ad9 - subscription required.

CISA Publishes CFATS Personnel Surety 30-day ICR

Yesterday, CISA published a 30-day information collection request (ICR) notice in the Federal Register (87 FR 8026-8027) for “Revision of a Currently Approved Information Collection for the Chemical Facility Anti-Terrorism Standards (CFATS) Personnel Surety Program”. This is a follow-up to the 60-day notice that was published on June 23rd, 2021 (I have made the linked post on CFSN Detailed Analysis free content).

The Notice indicates that CISA had received one ‘nongermane’ comment to the 60-day Notice. That ‘comment’ is hard to read, with convoluted grammar and odd word usage. I would have to agree that the comment should have no impact on the ICR consideration.

CISA has posted the full supporting statement [.docx download link] to the OIRA web site for this ICR (1670-0029). That statement contains the justification and the burden estimate for the ICR. There are no programmatic changes being made in this ICR. Changes in the burden estimate reflect the recent history of the program.

CISA is soliciting public comments on this ICR. Comments may be submitted on the ICR site via the ‘COMMENT’ button. Comments should be submitted by March 14th, 2022.

CRS Reports – Terrorism Risk Insurance Act

This week, the Congressional Research Service published a report on “The Terrorism Risk Insurance Act (TRIA)”. The report looks at the creation and reauthorization of the program that is designed to backstop insurance companies in the event of a major terrorist attack. It includes a brief discussion about the potential coverage of ‘cyberterrorism’. It specifically notes that:

“A cyberterrorist event, however, must meet all other thresholds in TRIA, which might reduce TRIA’s applicability to such cyberattacks.”

CRS Reports – Log4Shell

 This week the Congressional Research Service published a report on “Systemic Vulnerabilities in Information Technology—Log4Shell”. This report contains a brief, non-technical, overview of the vulnerability and the actions taken to date to respond to it. There is also a link-filled discussion about the range of actions that the federal government could take with respect to these types of systemic vulnerabilities.

Review - Public ICS Disclosures – Week of 2-5-22 – Part 1

 With this being the Saturday after Patch Tuesday, we have a lot to cover. In Part 1, we have 15 vendor disclosures from Carestream, Dell, Draeger (2), Eaton, GE Healthcare, HPE (4), Moxa (2), Palo Alto Networks, and QNAP (2).

Carestream Advisory - Carestream published an advisory discussing two vulnerabilities in their Image Suite systems.

Dell Advisory - Dell published an advisory discussing two vulnerabilities in their Dell Wyse Windows Embedded System.

Draeger Advisory #1 - Draeger published an advisory describing a use of an outdated operating system vulnerability in their Infinity Acute Care System workstations.

Draeger Advisory #2 - Draeger published an advisory describing an unsupported third-party (TLS 1.0) application vulnerability in their Gateway VF7.2 and VF9.0 products.

Eaton Advisory - Eaton published an advisory discussing the INFRA:HALT vulnerabilities in their easyControl EC4P PLCs.

GE Advisory - GE Healthcare published an advisory discussing the PwnKit vulnerabilities in their product line.

HPE Advisory #1 - HPE published an advisory discussing an insufficient control flow management vulnerability in their HPE ProLiant, Apollo, and Synergy Servers.

HPE Advisory #2 - HPE published an advisory describing 16 vulnerabilities in their HPE ProLiant, Apollo, Edgeline, and Synergy Servers.

HPE Advisory #3 - HPE published an advisory discussing three vulnerabilities in their HPE ProLiant, Apollo, and Synergy Servers.

HPE Advisory #4 - HPE published an advisory discussing five vulnerabilities in their Samba on NonStop products.

Moxa Advisory #1 - Moxa published an advisory describing two vulnerabilities in their MXview Series Network Management Software.

Moxa Advisory #2 - Moxa published an advisory describing a hard-coded credentials vulnerability in their EDR-G903 Series, EDR-G902 Series, and EDR-G810 Series Secure Routers.

Palo Alto Advisory - Palo Alto Networks published an advisory describing a URL filtering vulnerability in their PAN-OS software.

QNAP Advisory #1 - QNAP published an advisory discussing three vulnerabilities in Samba.

QNAP Advisory #2 - QNAP published an advisory describing an improper authentication vulnerability in their Kazoo Server.

 

For more information on these advisories, including links to third-party advisories, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2 - subscription required.

Friday, February 11, 2022

Review – 1 Advisory and 11 Updates Published – 2-10-22

Yesterday, CISA’s NCCIC-ICS updated 11 control system security advisories for products from Siemens. There was also a 7th advisory published yesterday which I missed because it was buried in the list of updates.

Solid Edge Advisory - This advisory describes five vulnerabilities in the Siemens Solid Edge, JT2Go, and Teamcenter Visualization products.

PROFINET Update - This update provides additional information on an advisory that was originally published on May 9th, 2017 and most recently updated on October 14th, 2021.

NOTE: The Siemens Advisory also announced that no remediation was planned for SIMATIC CP 443-1 OPC UA

SCALANCE X Update #1 - This update provides additional information on an advisory that was originally published on August 13th, 2019 and most recently updated on September 14th, 2021.

NOTE: The Siemens Advisory also announces that there is no fix planned for the newly added SCALANCE X204RNA products.

SCALANCE X Update #2 - This update provides additional information on an advisory that was originally published on January 14th, 2020.

NOTE: The Siemens Advisory also announces that there is no fix planned for the newly added SCALANCE X204RNA products.

Industrial Products Update #1 - This update provides additional information on an advisory that was originally published on February 11th, 2020 and most recently updated on April 13th, 2021.

NOTE: The Siemens Advisory also notes that no remediations are planned for SIMATIC CP 443-1 OPC UA, SIMATIC CP 343-1 Advanced, and SIPLUS NET CP 343-1 Advanced.

Industrial Products Update #2 - This update provides additional information on an advisory that was originally published on August 10th, 2021.

SCALANCE Update - This update provides additional information on an advisory that was originally published on April 14th, 2020 and most recently updated on September 14th, 2021.

TCP/IP Stack Update - This update provides additional information on an advisory that was originally published on March 9th, 2021 and most recently updated on August 10th, 2021.

LOGO! Update - This update provides additional information on an advisory that was originally published on September 14th, 2021.

SIMATIC Update - This update provides additional information on an advisory that was originally published on November 11th, 2021.

Healthineers Update - This update provides additional information on an advisory that was originally published on December 16th, 2021.

COMOS Update - This update provides additional information on an advisory that was originally published on January 13th, 2022

NOTE: The Siemens Advisory also notes that there are no plans to develop mitigation measures for versions 10.2 or 10.3.3.2.14 or later.

Other Siemens Updates - Siemens published 31 additional advisories on Tuesday. I will cover those this weekend.

 

For additional information on these updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-and-11-updates-published - subscription required.
