Saturday, April 30, 2022

Senate Agrees to Conference on HR 4521 – America COMPETES Act

On Thursday, the Senate took up the House message requesting a conference to resolve the differences between the two chambers' versions of HR 4521, the America COMPETES Act of 2022. By a final vote of 67 to 27, the Senate insisted on its amendments to the bill, agreed to a conference committee, and authorized the Chair to appoint the Senate conferees.

HR 4521 started off in the House last summer as the Bioeconomy Research and Development Act of 2021. The bill quickly morphed into a massive spending and authorization bill. When it finally passed in the House in February, it contained 19 Divisions covering everything from cybersecurity to temporary duty suspensions and even a child care resource guide requirement.

When the bill arrived in the Senate, it looked certain that the party-line vote in the House would keep the bill from moving forward. The Senate Leadership had a different idea: instead of taking up the House version, they quickly substituted the language of S 1260, an equally bloated, but more bipartisan, spending and authorization bill that had passed the Senate on a moderately bipartisan vote of 68 to 32 last June. With a few minor tweaks and amendments, that substitute language was adopted into HR 4521 by a similar vote of 68 to 28 just a month ago.

With many similarities between the two bills, but even more differences, crafting compromise language between the two massive versions will be an interesting backroom challenge. Fortunately, cybersecurity is the area where there will be the most agreement; most of the cybersecurity provisions in both bills will probably make it into the final version.

Review - OMB Approves CISA Vulnerability Reporting ICR Extension

Yesterday, OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an extension of an information collection request for “Vulnerability Discovery Program” (OMB Control Number: 1601-0028). DHS submitted the extension request for this ICR after OIRA approved a short-term revision of the ICR to allow the DHS VDP form to be used by other (undesignated) agencies of the Federal government to support those agencies in responding to the DHS Binding Operational Directive 20-01. The 60-day extension notice for this ICR was published in March 2021.

The Federal government has been using the DHS VDP reporting form for just a little over a year now. It would be interesting to see how many agencies are using the reporting form and how many have reached an agreement with DHS to have DHS manage their VDP program. This would be an interesting topic for a GAO or CRS report, if any congressional staffers are reading this.

For more details on the DHS response to public comments on their 60-day ICR notice, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/omb-approves-dhs-vulnerability-reporting - subscription required.


Review – Public ICS Disclosures – Week of 4-23-22 – Part 1

This is another busy week, necessitating two-part coverage. In Part 1 this week we have nineteen vendor disclosures from ABB, Bender, Bosch, Braun (2), DrayTek, Eaton (5), HPE, Miele, PEPPERL+FUCHS, Philips (2), and Pilz (3).

ABB Advisory - ABB published an advisory discussing six vulnerabilities in their AC 500 PLCs.

Bender Advisory - CERT-VDE published an advisory describing seven vulnerabilities in the Bender/ebee Charge Controller products.

Bosch Advisory - Bosch published an advisory discussing an infinite loop vulnerability in their FL MGUARD and TC MGUARD safety devices.

Braun Advisory #1 - Braun published an advisory discussing the NAME:WRECK vulnerabilities.

Braun Advisory #2 - Braun published an advisory discussing the Amnesia:33 vulnerabilities.

DrayTek Advisory - DrayTek published an advisory discussing an infinite loop vulnerability in their Vigor routers.

Eaton Advisory #1 - Eaton published an advisory discussing the TLStorm vulnerabilities and the use of the Havex trojan by the Berserk Bear APT group against UPS systems.

Eaton Advisory #2 - Eaton published an advisory discussing the SpringShell vulnerabilities.

Eaton Advisory #3 - Eaton published an advisory discussing sixteen vulnerabilities (six with known exploits) in their Form 7 recloser control. These are third-party (CODESYS) vulnerabilities.

Eaton Advisory #4 – Eaton published an advisory discussing the INCONTROLLER ICS attack tools.

Eaton Advisory #5 - Eaton published an advisory discussing the TLStorm vulnerabilities.

HPE Advisory - HPE published an advisory discussing three vulnerabilities (one with known exploits) in their SimpliVity Omnistack for Hyper-V.

Miele Advisory - CERT-VDE published an advisory describing an improper privilege management vulnerability (with a publicly available exploit) in the Miele Benchmark Programming Tool.

PEPPERL+FUCHS Advisory - CERT-VDE published an advisory discussing a remote code execution vulnerability in VisuNet devices from PEPPERL+FUCHS.

Philips Advisory #1 - Philips published an advisory discussing a remote code execution vulnerability.

Philips Advisory #2 - Philips published an advisory discussing a denial of service vulnerability.

Pilz Advisory #1 - CERT-VDE published an advisory discussing ten vulnerabilities (one with publicly available exploit) in the Pilz PMC programming tool.

Pilz Advisory #2 - CERT-VDE published an advisory discussing 27 vulnerabilities (nine with publicly available exploits) in the Pilz PMC programming tool.

Pilz Advisory #3 - CERT-VDE published an advisory discussing 18 vulnerabilities (four with publicly available exploits) in motion controller products from Pilz.


For more details on these advisories, including links to 3rd party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-4-bda - subscription required.

Friday, April 29, 2022

S 4000 Introduced – DHS and Congress Info Sharing

Earlier this month, Sen Portman (R,OH) introduced S 4000, the Intragovernmental Cybersecurity Information Sharing Act. The bill would require DHS to enter into information sharing agreements with the House and Senate on cybersecurity issues. No funding authorization is included in this bill.

The Agreements

The agreements would be made with the Senate Sergeant at Arms and the House Chief Administrative Officer. The agreements could include processes for:

• Direct and timely sharing of technical indicators and contextual information on cyber threats and vulnerabilities,

• Direct and timely sharing of classified and unclassified reports on cyber threats and activities, and

• Seating of cybersecurity personnel of the Senate or the House of Representatives at cybersecurity operations centers.

Periodic reports to Congress would be required by DHS on the status of the implementation of the agreements.

Moving Forward

Portman and one of his three cosponsors {Sen Peters (D,MI)} are members of the Senate Homeland Security and Governmental Affairs Committee (Peters is the Chair), so there should be sufficient influence to see this bill considered in Committee. There is nothing in the bill that would engender any organized opposition to the legislation. I expect that the bill would receive strong bipartisan support and would be a strong candidate for consideration on the floor of the Senate under the unanimous consent process.

The mere introduction of this bill could be sufficient impetus to see such agreements formalized.


Bills Introduced – 4-28-22

Yesterday, with both the House and Senate in session, there were 65 bills introduced. Two of those bills may see additional coverage in this blog:

HR 7629 To require a report on Federal support to the cybersecurity of commercial satellite systems, establish a commercial satellite system cybersecurity clearinghouse in the Cybersecurity and Infrastructure Security Agency, and for other purposes. Rep. Malinowski, Tom [D-NJ-7]

S 4109 A bill to authorize the development of a national strategy for the research and development of distributed ledger technologies and their applications, to authorize awards to support research on distributed ledger technologies and their applications, and to authorize an applied research project on distributed ledger technologies in commerce. Sen. Wicker, Roger F. [R-MS]

I will be covering HR 7629.

I will be watching S 4109 for language and definitions that specifically require the inclusion of cybersecurity research within the scope of the programs outlined in the bill.

Thursday, April 28, 2022

New Biden Domestic Counter Drone Plan

Earlier this week, the Biden Administration published a fact sheet on “The Domestic Counter-Unmanned Aircraft Systems National Action Plan”. It outlines a new Administration push to “expand where we can protect against nefarious UAS activity, who is authorized to take action, and how it can be accomplished lawfully.”

A supporting press release from the Justice Department notes that “the threat posed by the criminal use of drones is increasing and evolving, and department components cannot protect everyone, everywhere, all the time.” A shorter press release from DHS reports that: “DHS will continue to judiciously implement its C-UAS authorities, while protecting privacy, civil rights, and civil liberties.” There is no press release from the FAA about the initiative.

The White House fact sheet provides eight key recommendations for action:

• Work with Congress to enact a new legislative proposal to expand the set of tools and actors who can protect against UAS by reauthorizing and expanding existing counter‑UAS authorities for the Departments of Homeland Security, Justice, Defense, State, as well as the Central Intelligence Agency and NASA in limited situations.

• Establish a list of US Government authorized detection equipment, approved by Federal security and regulatory agencies, to guide authorized entities in purchasing UAS detection systems in order to avoid the risks of inadvertent disruption to airspace or the communications spectrum.

• Establish oversight and enablement mechanisms to support critical infrastructure owners and operators in purchasing counter-UAS equipment for use by authorized Federal entities or SLTT law enforcement agencies.

• Establish a National Counter-UAS Training Center to increase training accessibility and promote interagency cross-training and collaboration.

• Create a Federal UAS incident tracking database as a government-wide repository for departments and agencies to have a better understanding of the overall domestic threat.

• Establish a mechanism to coordinate research, development, testing, and evaluation on UAS detection and mitigation technology across the Federal government.

• Work with Congress to enact a comprehensive criminal statute that sets clear standards for legal and illegal uses, closes loopholes in existing Federal law, and establishes adequate penalties to deter the most serious UAS-related crimes.

• Enhance cooperation with the international community on counter UAS technologies, as well as the systems designed to defeat them.

There is no mention of having the Federal Aviation Administration move forward on its rulemaking on “Prohibit or Restrict the Operation of an Unmanned Aircraft in Close Proximity to a Fixed Site Facility” (RIN 2120-AL33), which was listed on the ‘Long-Term Actions’ list for the Fall 2021 Unified Agenda. That rulemaking was mandated by Congress in §2209 of the FAA Extension, Safety, and Security Act of 2016 (PL 114-190). That law required DOT, by January 11th, 2017, to “establish a process to allow applicants to petition the Administrator of the Federal Aviation Administration to prohibit or restrict the operation of an unmanned aircraft in close proximity to a fixed site facility.” {§2209(a)}

Review – 1 Advisory and 1 Update Published – 4-28-22

Today, CISA’s NCCIC-ICS published a control system security advisory for products from Johnson Controls and updated an advisory for products from Delta Electronics.

Johnson Controls Advisory - This advisory describes an improper privilege management vulnerability in the Johnson Controls Metasys ADS/ADX/OAS Servers.

Delta Update - This update provides additional information on an advisory that was originally published on March 22nd, 2022 and most recently updated on March 29th, 2022.

NOTE: The 14 added vulnerabilities and two of the three removed vulnerabilities are all SQL injection vulnerabilities. The odd-one-out is an uncontrolled search path element vulnerability.


For more details about these advisories, including details about the added and removed vulnerabilities, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-and-1-update-published-594 - subscription required.


EPA Sends RMP Revision NPRM to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs announced that it had received a notice of proposed rulemaking (NPRM) from the Environmental Protection Agency on “Accidental Release Prevention Requirements: Risk Management Program Under the Clean Air Act; Retrospection” (RIN: 2050-AH22). According to the Fall 2021 Unified Agenda entry for this rulemaking, the EPA is taking this action in response to EO 13990 “to review existing regulations and take action to address priorities established by the new administration including bolstering resilience to the impact of climate change and prioritizing environmental justice.”

The Statement of Need portion of the Unified Agenda entry notes that: “The proposed rule would address the administration's priorities and focus on regulatory revisions completed since 2017.” These ‘revisions completed since 2017’ refer to the RMP rule change promulgated by the Trump Administration in December 2019.

The Unified Agenda entry concludes by noting that:

“The proposed action would address the risks associated with accidental releases of listed regulated toxic and flammable substances to the air from stationary sources. Substances regulated under the RMP program include highly toxic and flammable substances that can cause deaths, injuries, property and environmental damage, and other on- and off-site consequences if accidentally released. The proposed action would reduce these risks by potentially making accidental releases less likely, and by mitigating the severity of releases that may occur. The proposed action would not address the risks of non-accidental chemical releases, accidental releases of non-regulated substances, chemicals released to other media, and air releases from mobile sources.”

Wednesday, April 27, 2022

OMB Approves EPA’s Mercury-Cell NESHAP Final Rule

Yesterday OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rule from the EPA on “National Emission Standards for Hazardous Air Pollutants: Mercury Cell Chlor-Alkali Plants Residual Risk and Technology Review”. This rulemaking proceeded under a court-ordered timeline as a result of a citizen suit against the Agency. The current deadline for issuing the final rule is May 2nd, 2022 and it looks like the EPA will meet that schedule.

According to the abstract for this rulemaking in the Fall 2021 Unified Agenda:

“This action will address the agency’s residual risk and technology review (RTR) of the National Emission Standards for Hazardous Air Pollutants (NESHAP) for Mercury Cell Chlor-Alkali Plants. The Mercury Cell Chlor-Alkali Plants NESHAP, subpart IIIII, was promulgated pursuant to section 112(d) of the Clean Air Act (CAA) on December 19, 2003. The NESHAP established emission limitations and work practice requirements based on maximum achievable control technology (MACT) for controlling emissions of hazardous air pollutants (HAP) from these facilities. The HAP emitted from the mercury cell chlor-alkali operations include mercury and chlorine. This action will implement the residual risk review requirements of CAA section 112(f)(2) and the technology review requirements of CAA section 112(d)(6).”

In an interesting side-light, the judge who handled the lawsuit involving this rulemaking was Ketanji Brown Jackson, the most recent addition to the Supreme Court.

Tuesday, April 26, 2022

Review – 1 Advisory and 1 Update Published – 4-26-22

Today CISA’s NCCIC-ICS published a control systems security advisory for products from Hitachi Energy and updated an advisory for products from Mitsubishi Electric. Additionally, CISA revised the landing page for their Industrial Control System web site, including moving their announcements of new advisories to a similarly revised ICS Advisories web page.

Advisories

Hitachi Energy Advisory - This advisory describes seven vulnerabilities in the Hitachi Energy System Data Manager – SDM600.

NOTE: I briefly reported these vulnerabilities on December 25, 2021.

Mitsubishi Update - This update provides additional information on an advisory that was originally published on November 30th, 2021 and most recently updated on January 27th, 2022.

New Web Site

The new landing page is a complete rewrite, along with a new URL (https://www.cisa.gov/ics; the old URL redirects). It starts off with the new header: “CISA’S ROLE IN INDUSTRIAL CONTROL SYSTEMS”. Then it goes on to list four ‘core priorities’ and three goals. Finally, it provides links to four other areas of interest to the ICS community:

Report a Vulnerability,

Training,

Industrial Control Systems Joint Working Group (ICSJWG), and

ICS Advisories

What is specifically missing here is a working definition of what CISA is going to consider to be ‘Industrial Control Systems’ going forward. Advisories that have been published under this heading have included such non-industrial systems as medical devices, vehicles, IP cameras, building control systems, fire safety systems and security systems.


For more details on the advisories, including links to third-party advisories, and a discussion about the potential changes in vulnerability reporting, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-and-1-update-published-012 - subscription required.

Review - Rail Service Hearing Starts Today

Today, the Surface Transportation Board (STB) began a two-day hearing on “Urgent Issues in Freight Rail Service”. As I noted in an earlier post, the hearing will address reported challenges that “include tight car supply and unfilled car orders, delays in transportation for carload and bulk traffic, increased origin dwell time for released unit trains, missed switches, and ineffective customer assistance”, specifically including agricultural and energy product shipment delays.

As of yesterday, a total of 121 documents had been submitted to the STB’s docket (EP 770) on this hearing. Thirteen chemical and energy organizations have formally registered their intent to participate in the hearing and sixteen organizations in the same category have submitted written testimony to the Board. Links to that written testimony are listed below.

Wolverine Fuels, LLC,

Dairyland Power Cooperative,

Arizona Electric Power Cooperative, Inc, et al,

Archer Daniels Midland Company,

Subsidiaries of Republic Services, Inc.,

Western Coal Traffic League,

National Association of Chemical Distributors,

Food & Beverage Issue Alliance,

Portland Cement Association,

Reichhold LLC 2,

American Coatings Association, Inc.,

Corn Refiners Association,

Olin Corporation,

Dyno Nobel Inc.,

Tronox Holdings PLC,

Renewable Fuels Association


For more details about the issues being covered at the hearing, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/rail-service-hearing-starts-today - subscription required.

Bills Introduced – 4-25-22

Yesterday, with the Senate in Washington and the House meeting in pro forma session (they will be in town today), there were 12 bills introduced. One of those bills will receive additional coverage in this blog:

HR 7569 To direct the Secretary of Energy to establish a program to provide financial assistance to graduate students and postdoctoral researchers pursuing certain courses of study relating to cybersecurity and energy infrastructure. Rep. Ross, Deborah K. [D-NC-2] 

This is certainly the bill I briefly discussed on Friday, except that Rep Carey (R,OH) is a cosponsor of the bill and Ross is the sponsor.

Monday, April 25, 2022

Committee Hearings – Week of 4-24-22

This week, both the House and Senate return to Washington from their Easter recess with a full slate of hearings. The major topic in hearing rooms this week is the FY 2023 Budget. While there will not be much detail discussed, this week is the real opening of the FY 2023 spending process.

FY 2023 Budget Hearings

4-27-22 DHS HS Subcommittee, House Appropriations Committee,

4-27-22 CG/MTSA House Transportation and Infrastructure Committee,

4-27-22 NSA/Cyber Command Defense Subcommittee, House Appropriations Committee (CLOSED),

4-27-22 DOD House Budget Committee,

4-27-22 DHS House Homeland Security Committee,

4-28-22 DOE House Energy and Commerce Committee,

4-28-22 CISA HS Subcommittee, House Appropriations Committee,

4-28-22 DOE EWR Subcommittee, House Appropriations Committee,

4-29-22 EPA IER Subcommittee, House Appropriations Committee,

Saturday, April 23, 2022

GAO Reports – TSA Surface Transportation Security Training

This week the Government Accountability Office published a report on “Surface Transportation: TSA Implementation of Security Training Requirement”. This report is a look at the training mandate rule for selected surface transportation organizations that was published by TSA in 2020. The compliance date for that rule was extended a couple of times because of the impact of the COVID-19 pandemic.

According to the report the TSA has identified 127 organizations subject to the training requirements of the new regulations. The ‘Highlights’ document accompanying the report notes that:

“As of December 2021, TSA had reviewed each of the 121 submitted training programs and had approved about three-fourths (88 of 121). TSA reported that it returned 84 percent of the submitted programs to owner/operators at least once for revision. The primary reason for TSA-requested revisions was that programs did not cover all the required training topics.”

This report also includes a list of public transportation and passenger railroads that are subject to the training requirements of the rule and a list of urban areas where over-the-road bus companies would be subject to those requirements.

CRS Reports – Cybersecurity Insurance and the War in Ukraine

This week the Congressional Research Service (CRS) published a report on “Insurance, Cyberattacks, and War in Ukraine”. It includes a general discussion about the potential impact of war clauses on insurance policies and how such clauses have been handled in the courts in relation to cyber insurance.

Review – Public ICS Disclosures – Week of 4-16-22

This week we have seventeen vendor disclosures from ABB, Bosch, Dell, Eaton (2), Hitachi Energy, HP, HPE (2), Moxa, QNAP (3), Siemens, Sick, Software Toolbox, and Tanzu. We also have two vendor updates from Johnson Controls and VMware. Finally, there is a researcher report on vulnerabilities in products from Jinan USR IOT.

ABB Advisory - ABB Published an advisory discussing the INCONTROLLER ICS attack tools.

Bosch Advisory - Bosch published an advisory discussing 25 3rd-party vulnerabilities (six with known exploits) in their ctrlX CORE XCR applications.

Dell Advisory - Dell published an advisory discussing two 3rd-party vulnerabilities (one with a known exploit) in their Wyse Management Suite (WMS) and Dell Wyse Management Suite Repository products.

Eaton Advisory #1 - Eaton published an advisory discussing the SpringShell vulnerabilities.

Eaton Advisory #2 - Eaton published an advisory discussing the INCONTROLLER ICS attack tools.

Hitachi Energy Advisory - Hitachi Energy published an advisory describing an input validation vulnerability in their RTU500 series.

HP Advisory - HP published an advisory discussing the BrakTooth vulnerabilities in a variety of their notebook and laptop products.

HPE Advisory #1 - HPE published an advisory describing a security bypass vulnerability in their Nimble Storage flash arrays.

HPE Advisory #2 - HPE published an advisory describing an infinite loop vulnerability in their IceWall Products.

Moxa Advisory - Moxa published an advisory discussing the SpringShell vulnerability.

QNAP Advisory #1 - QNAP published an advisory discussing two vulnerabilities in their QNAP NAS products.

QNAP Advisory #2 - QNAP published an advisory discussing four recently reported Internet Systems Consortium (ISC) BIND vulnerabilities.

QNAP Advisory #3 - QNAP published an advisory discussing two recently reported Apache Struts vulnerabilities.

Siemens Advisory - Siemens published an advisory discussing the SpringShell vulnerability.

Sick Advisory - Sick published an advisory discussing two 3rd-party, improper input validation vulnerabilities in their MARSIC300 ship emissions measuring device.

Software Toolbox Advisory - Software Toolbox published an advisory discussing the INCONTROLLER ICS attack tools.

Tanzu Advisory - Tanzu published an advisory describing a resource exhaustion vulnerability in their Spring Security OAuth.

Johnson Controls Update - Johnson Controls published an update for their Log4Shell advisory.

VMware Update - VMware published an update for their VMware Horizon Agent advisory that was originally published on April 6th, 2022.

Jinan USR IOT Report - Zero Science published a report on a root backdoor vulnerability (exploit available) in the Jinan USR IOT 4G LTE Industrial Cellular VPN Router.


For more details on these disclosures, including links to 3rd-party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-4-28f - subscription required.

Friday, April 22, 2022

Energy Cybersecurity Bill Did Not Make Introduction Cut

An article posted yesterday to theHill.com web site reported that Rep Carey (R,OH) and Rep Ross (D,NC) had introduced a bill in the House that would establish an “Energy Cybersecurity University Leadership Program”. While the House did meet in pro forma session yesterday, there is no record of any bill being introduced by Carey and Ross. This is probably due to the very short window for staff to get bills to the Clerk of the House when pro forma sessions are being held.

A press release was posted to Carey’s web site where he is quoted as saying:

“Establishing the Energy Cybersecurity University Leadership Program will strengthen our resilience by further developing a high-skilled workforce with energy-specific cybersecurity expertise. America must be unified in our response to foreign adversaries seeking to attack our energy networks, which is why I am proud to introduce this bi-partisan legislation with Representative Deborah Ross and look forward to working together toward its passage.”

Interestingly, this would be the first bill sponsored by Carey since he joined the House in November of last year, though he has been a cosponsor on 62 pieces of legislation.

The House will be holding another pro forma session on Monday and the full House will be in session on Tuesday. This bill could be introduced in either session.

Thursday, April 21, 2022

Review – 3 Advisories Published – 4-21-22

Today, CISA’s NCCIC-ICS published three control system security advisories for products from Hitachi Energy, Johnson Controls and Delta Electronics.

Hitachi Energy Advisory - This advisory describes nine vulnerabilities (six with known exploits) in the Hitachi Energy MicroSCADA Pro/X SYS600. These are third-party vulnerabilities.

NOTE: I briefly discussed these vulnerabilities on January 22nd, 2022.

Johnson Controls Advisory - This advisory describes a server-side request forgery vulnerability in the Johnson Controls Metasys SCT and SCT Pro building automation software.

Delta Advisory - This advisory describes two vulnerabilities in the Delta ASDA-Soft servo software.


For more details about these advisories, including links to 3rd party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-published-4-21-22 - subscription required.

Tuesday, April 19, 2022

Review – 5 Advisories and 1 Update Published – 4-19-22

Today, CISA’s NCCIC-ICS published five control system security advisories for products from Elcomplus (2), FANUC, and Carrier (2). They also updated their advisory for multiple RTOS products.

Elcomplus Advisory #1 - This advisory describes five vulnerabilities in the Elcomplus SmartPPT SCADA Server integrated voice and data dispatch software.

Elcomplus Advisory #2 - This advisory describes four vulnerabilities in the Elcomplus SmartPPT SCADA integrated voice and data dispatch software.

FANUC Advisory - This advisory describes five vulnerabilities in the FANUC ROBOGUIDE simulation platform software suite for FANUC Robots.

NOTE: On April 9th, 2022, I briefly reported (subscription required) on a FANUC advisory that reported two of the above CVE’s (CVE-2021-38483 and CVE-2021-43986).

Carrier Advisory #1 - This advisory describes an open redirect vulnerability in the Automated Logic (subsidiary of Carrier) WebCtrl Server building automation software products.

Carrier Advisory #2 - This advisory describes two vulnerabilities in the Interlogix (subsidiary of Carrier) Hills ComNav remote access integration modules for the Hills Reliance security alarm system.

NOTE: The Carrier advisory lists two additional vulnerabilities.

Multiple RTOS Update - This update provides additional information on an advisory that was originally published on April 29th, 2021 and most recently updated on November 30th, 2021.

NOTE: I briefly reported on these three advisories on December 18th, 2021.


For more details about these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-advisories-and-1-update-published-995 - subscription required.

Monday, April 18, 2022

NMSAC Meeting to Include Maritime Cybersecurity Reports

On Friday, the Coast Guard published a meeting notice in the Federal Register (87 FR 22541-22542) for the National Maritime Security Advisory Committee. The NMSAC will conduct a public teleconference that will include a final report on cybersecurity taskings. That final report will include:

• Feedback on cyber vulnerability assessments that are being conducted within the industry,

• Input to support further development of the Maritime Cyber Risk Assessment Model, and

• Recommendations on Cybersecurity Information Sharing.

Personnel wishing to participate in the teleconference should contact Ryan Owens (email ryan.f.owens@uscg.mil). Written comments can be submitted via the Federal eRulemaking Portal (www.regulations.gov; docket # USCG-2022-0159).

Sunday, April 17, 2022

Review – Public ICS Disclosures – Week of 4-9-22 – Part 2

For Part 2 we have 2nd Tuesday vendor disclosures and updates from Siemens and Schneider that were not addressed earlier by CISA’s NCCIC-ICS. We have two vendor disclosures from Schneider (all of the Siemens original disclosures were covered by CISA this month). We also have fourteen updates from Siemens (10) and Schneider (4). Finally, we have a Schneider security bulletin addressing the INCONTROLLER ICS attack tools.

Schneider Advisory #1 - Schneider published an advisory describing a buffer copy without checking size of input vulnerability in the Data Server module for their IGSS (Interactive Graphical SCADA System) product.

Schneider Advisory #2 - Schneider published an advisory describing an improper privilege management vulnerability in their Modicon M340 Controller and Communication Modules.

Siemens Update #1 - Siemens published an update for their OpenSSL advisory that was originally reported on July 13th, 2021 and most recently updated on March 8th, 2022.

Siemens Update #2 - Siemens published an update for their SIMATIC advisory that was originally published on March 29th, 2018 and most recently updated on March 12th, 2019.

NOTE: NCCIC-ICS has not updated their advisory (ICSA-18-088-03) for this new information.

Siemens Update #3 - Siemens published an update for their TCP SACK PANIC advisory that was originally published on September 10th, 2019 and most recently updated on March 8th, 2022.

NOTE: NCCIC-ICS did update their advisory (ICSA-19-253-03) for this new information, but did not list it on their ICS Archive page to let the public know about the update.

Siemens Update #4 - Siemens published an update for their SIMATIC advisory that was originally published on March 8th, 2022.

Siemens Update #5 - Siemens published an update for their SegmentSmack advisory that was originally published on April 14th, 2020 and most recently updated on March 28th, 2022.

Siemens Update #6 - Siemens published an update for their Log4Shell Advisory that was originally published on December 13th, 2021 and most recently updated on March 8th, 2022.

Siemens Update #7 - Siemens published an update for their OpenSSH advisory that was originally published on September 14th, 2021.

Siemens Update #8 - Siemens published an update for their OpenSSL advisory that was originally published on December 10th, 2019 and most recently updated on February 17th, 2022.

NOTE: NCCIC-ICS did not update their advisory (ICSA-19-099-06) for these changes.

Siemens Update #9 - Siemens published an update for their PROFINET advisory that was originally published on February 11th, 2020 and most recently updated on February 8th, 2022.

Siemens Update #10 - Siemens published an update for their FragAttacks advisory that was originally published on July 13th, 2021 and most recently updated on February 8th, 2022.

Schneider Update #1 - Schneider published an update for their EcoStruxure advisory that was originally published on July 13th, 2021 and most recently updated on March 8th, 2022.

Schneider Update #2 - Schneider published an update for their CODESYS advisory that was originally published on January 11th, 2022 and most recently updated on February 8th, 2022.

Schneider Update #3 - Schneider published an update for their ATT Labs Compressor advisory that was originally published on August 10th, 2021 and most recently updated on March 9th, 2022.

Schneider Update #4 - Schneider published an update for their Embedded FTP Servers advisory that was originally published on March 22nd, 2018 and most recently updated on May 11th, 2021.

Schneider Bulletin - On Wednesday, Schneider published a security bulletin discussing the INCONTROLLER ICS attack tools that target Schneider PLCs (among others).


For more details about these disclosures and updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-4-25e - subscription required.

Saturday, April 16, 2022

Review – Public ICS Disclosures – Week of 4-9-22 – Part 1

With this being the 2nd Tuesday weekend, we will need two parts to look at all of the ICS disclosures. For Part 1 we have 23 vendor disclosures from ABB (3), Bentley (8), CODESYS, GE Healthcare, HMS, HPE, Palo Alto Networks (3), Phoenix Contact (3), Tanzu, and VMware. We also have five vendor updates from GE Healthcare, Hitachi Energy (2), and Palo Alto Networks (2). Then there are four researcher reports for products from PositiveGrid, and Delta Controls (3). Finally, we have three exploits for products from Franklin Fueling, Siemens, and Spring.

Part 2 will look at the Schneider and Siemens disclosures published on Tuesday.

ABB Advisory #1 - ABB published an advisory discussing two vulnerabilities (one with known exploits) in their ARM600 M2M Gateway.

ABB Advisory #2 - ABB published an advisory describing a security bypass vulnerability in their Arctic Wireless Gateway.

ABB Advisory #3 - ABB published an advisory discussing the INCONTROLLER ICS attack tools.

Bentley Advisory #1 - Bentley published an advisory describing two vulnerabilities in their MicroStation and MicroStation-based applications.

Bentley Advisory #2 - Bentley published an advisory describing four vulnerabilities in their MicroStation and MicroStation-based applications.

Bentley Advisory #3 - Bentley published an advisory describing five vulnerabilities in their MicroStation and MicroStation-based applications.

Bentley Advisory #4 - Bentley published an advisory describing two vulnerabilities in their MicroStation and MicroStation-based applications.

Bentley Advisory #5 - Bentley published an advisory describing eleven vulnerabilities in their MicroStation and MicroStation-based applications.

Bentley Advisory #6 - Bentley published an advisory describing an out-of-bounds write vulnerability in their MicroStation and MicroStation-based applications.

Bentley Advisory #7 - Bentley published an advisory describing three vulnerabilities in their MicroStation and MicroStation-based applications.

Bentley Advisory #8 - Bentley published an advisory describing two vulnerabilities in their MicroStation and MicroStation-based applications.

CODESYS Advisory - CODESYS published an advisory discussing the INCONTROLLER ICS attack tools.

GE Healthcare Advisory - GE Healthcare published an advisory discussing the SpringShell vulnerability.

HMS Advisory - HMS published an advisory discussing the INFRA:HALT vulnerabilities.

HPE Advisory - HPE published an advisory describing a denial of service vulnerability in their Integrated Lights-Out 4 (iLO 4) products.

Palo Alto Networks Advisory #1 - Palo Alto Networks published an advisory describing an improper handling of exceptional conditions vulnerability in their PAN-OS product.

Palo Alto Networks Advisory #2 - Palo Alto Networks published an advisory describing a product disruption vulnerability in their Cortex XDR Agent.

Palo Alto Networks Advisory #3 - Palo Alto Networks published an advisory describing an information exposure through log files vulnerability in their Cortex XDR agent.

Phoenix Contact Advisory #1 - Phoenix Contact published an advisory discussing 56 vulnerabilities in their AXC F x152 LTS.

Phoenix Contact Advisory #2 - Phoenix Contact published an advisory discussing an infinite loop vulnerability in their FL MGUARD, TC MGUARD, mGuard Device Manager and FL WLAN devices.

Phoenix Contact Advisory #3 - Phoenix Contact published an advisory discussing an HTTP request smuggling vulnerability in their mGuard Device Manager.

Tanzu Advisory - Tanzu published an advisory describing a data binding rule vulnerability in their Spring Framework products.

NOTE: This is related to the SpringShell vulnerability.

VMware Advisory - VMware published an advisory describing a remote code execution vulnerability in their Cloud Director product.

GE Healthcare Update - GE Healthcare published an update discussing the DirtyPipe vulnerability.

Hitachi Energy Update #1 - Hitachi Energy published an update for their XMC20 advisory that was originally published on November 23rd, 2021.

Hitachi Energy Update #2 - Hitachi Energy published an update for their FOX61x XMC20 advisory that was originally published on November 23rd, 2021.

Palo Alto Networks Update #1 - Palo Alto Networks published an update for their OpenSSL advisory that was originally published on March 31st, 2022.

Palo Alto Networks Update #2 - Palo Alto Networks published an update for their Spring Shell advisory that was originally published on March 31st, 2022.

PositiveGrid Report - Tenable published a report listing six vulnerabilities in the PositiveGrid Spark API.

Delta Controls Report - Zero Science Labs published three reports about vulnerabilities in the Delta Controls enteliTOUCH building controllers.

Franklin Fueling Exploit - Momen Eldawakhly published an exploit for a local file inclusion vulnerability in the Franklin Fueling Systems Colibri Controller Module.

Siemens Exploit - Sec-consult published an exploit for two vulnerabilities in the Siemens A8000 CP-8050/CP-8031 SICAM WEB.

SpringShell Exploit - Mike Pickard published an exploit for the SpringShell vulnerability.


For more information on these disclosures, including links to 3rd party advisories, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-4-3c2 - subscription required.

Friday, April 15, 2022

Review – 22 Updates Published – 4-14-22

Yesterday CISA’s NCCIC-ICS published 22 control system security updates for products from Siemens. Siemens published ten additional updates on Tuesday that were not covered by CISA. I will be reporting on them this weekend.

SIMATIC Update #1 - This update provides additional information on an advisory that was originally published on November 22nd, 2016.

SIMATIC Update #2 - This update provides additional information on an advisory that was originally published on December 10th, 2019 and most recently updated on March 10th, 2020.

SIMATIC Update #3 - This update provides additional information on an advisory that was originally published on February 11th, 2020 and most recently updated on January 12th, 2021.

SIMATIC Update #4 - This update provides additional information on an advisory that was originally published on July 9th, 2020 and most recently updated on November 11th, 2021.

SIMATIC Update #5 - This update provides additional information on an advisory that was originally published on June 8th, 2021.

SIMATIC Update #6 - This update provides additional information on an advisory that was originally published on November 11th, 2021 and most recently updated on March 10th, 2022.

SIMATIC Update #7 - This update provides additional information on an advisory that was originally published on February 10th, 2022.

OPC UA Update - This update provides additional information on an advisory that was originally published on August 31st, 2017 and most recently updated on August 11th, 2020.

Industrial Products Update #1 - This update provides additional information on an advisory that was originally published on April 9th, 2019 and most recently updated on March 10th, 2020.

Industrial Products Update #2 - This update provides additional information on an advisory that was originally published on February 11th, 2020 and most recently updated on February 10th, 2022.

Industrial Products Update #3 - This update provides additional information on an advisory that was originally published on July 13th, 2021.

Industrial Products Update #4 - This update provides additional information on an advisory that was originally published on February 10th, 2022 and most recently updated on March 10th, 2022.

SCALANCE Update - This update provides additional information on an advisory that was originally published on April 14th, 2020 and most recently updated on February 10th, 2022.

SIMOTICS Update - This update provides additional information on an advisory that was originally published on April 14th, 2020 and most recently updated on December 16th, 2021.

PROFINET Update - This update provides additional information on an advisory that was originally published on July 11th, 2021 and most recently updated on October 14th, 2021.

APOGEE Update - This update provides additional information on an advisory that was originally published on November 11th, 2021 and most recently updated on December 16th, 2021.

COMOS Update - This update provides additional information on an advisory that was originally published on January 13th, 2022 and most recently updated on February 10th, 2022.

Solid Edge Update - This update provides additional information on an advisory that was originally published on February 10th, 2022 and most recently updated on March 10th, 2022.

Mendix Update - This update provides additional information on an advisory that was originally published on March 10th, 2022.

RUGGEDCOM Update #1 - This update provides additional information on an advisory that was originally published on March 10th, 2022.

RUGGEDCOM Update #2 - This update provides additional information on an advisory that was originally published on March 10th, 2022.

Polarion Update - This update provides additional information on an advisory that was originally published on March 10th, 2022.


For more information on these updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/22-updates-published-4-14-22 - subscription required.

Thursday, April 14, 2022

Review – 17 Advisories Published – 4-14-22

Today, CISA’s NCCIC-ICS published seventeen control system security advisories for products from Siemens (14), Red Lion, Johnson Controls, and Delta Electronics. They also published 22 updates for products from Siemens, but those will be covered in a subsequent post.

Mendix Advisory #1 - This advisory describes an improper access control vulnerability in the Siemens Mendix software platform.

Mendix Advisory #2 - This advisory describes exposure of sensitive information to an unauthorized actor vulnerability in the Siemens Mendix software platform.

TIA Administrator Advisory - This advisory describes an uncontrolled resource consumption vulnerability in the Siemens TIA Administrator.

Simcenter Advisory - This advisory describes three vulnerabilities in the Siemens Simcenter Femap simulation application.

SIMATIC Advisory #1 - This advisory describes an improper access control vulnerability in the Siemens SIMATIC STEP 7 (TIA Portal).

SIMATIC Advisory #2 - This advisory describes a lengthy list of vulnerabilities (listed in this advisory as a single ‘use of unmaintained third-party components’ vulnerability) in the Siemens GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP.

NOTE: The Siemens version of this advisory was originally published in 2018 and most recently updated on March 8th, 2022. The list of GNU/Linux CVEs is extensive to say the least.

SIMATIC Advisory #3 - This advisory describes an improper restriction of operations within the bounds of a memory buffer vulnerability in the Siemens SIMATIC S7-400.

SIMATIC Advisory #4 - This advisory describes three vulnerabilities in the Siemens SIMATIC Energy Manager.

SICAM Advisory - This advisory describes a missing authentication (with available proof-of-concept code) for critical function vulnerability in the Siemens SICAM A8000 products.

SCALANCE Advisory #1 - This advisory describes nine vulnerabilities in the Siemens SCALANCE X-300 switch family devices.

SCALANCE Advisory #2 - This advisory describes three vulnerabilities in the Siemens SCALANCE W1700 wireless communications device.

SCALANCE Advisory #3 - This advisory discusses the FragAttacks WiFi vulnerabilities in the Siemens SCALANCE family devices.

NOTE: The Siemens version of this advisory was originally published on July 13th, 2021 and most recently updated on February 8th, 2022.

PROFINET Advisory - This advisory describes an uncontrolled resource consumption vulnerability in the Siemens PROFINET Stack Integrated on Interniche Stack.

OpenSSL Advisory - This advisory discusses a NULL pointer dereference vulnerability in the Siemens Industrial Products.

Red Lion Advisory - This advisory describes four vulnerabilities in the unsupported Red Lion DA50N networking gateway.

Johnson Controls Advisory - This advisory describes an incomplete cleanup vulnerability in the Johnson Controls Metasys ADS/ADX/OAS Servers.

Delta Advisory - This advisory describes an improper restriction of XML external entity reference vulnerability in the Delta DMARS, a Motion Controller program development tool.

Commentary

This month NCCIC-ICS published advisories for a couple of long-running advisories from Siemens. I am not sure where (CISA or Siemens) the housekeeping took place to see this happen, but this is a small, but significant, advance in information sharing that deserves mention.


For more details about these advisories, including links to third-party advisories and researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/17-advisories-published-4-14-22 - subscription required.

Wednesday, April 13, 2022

Chemical Weapons and the Ukraine

Recent reports describe the possible use of chemical weapons in an attack on Mariupol (see here for example). The specter of chemical warfare always raises humanitarian concerns, but a close reading of these reports raises the potential of another concern: unintentional chemical warfare.

Background

Back in 1988 I wrote an article for the US Army Chemical Review on “Modern Chemical Warfare – Complicated by a Long List of Toxic Chemicals”. In that article I wrote about the problems associated with warfare in and around chemical facilities. Attacks on such facilities could easily result in the release of toxic chemicals that could have unintended consequences on the battlefield. The worst result, beyond the possibility of needless deaths and injuries in a combat zone, would be one side or the other mistaking an industrial chemical release for an attack with chemical weapons.

For example, by long-standing US policy dating back to Ronald Reagan, if American forces are attacked with chemical weapons, the US could consider that an attack with weapons of mass destruction and reply in kind. The only problem with that is that the only weapons of mass destruction in our arsenal are nuclear weapons. Thus, we could see a situation arise where an attack on an industrial facility defended by US forces could result in the release of toxic chemicals and the commander on the scene could assume and report that the resulting casualties were the result of a chemical weapons attack. In the fog of war, such a report could potentially result in the release of tactical nuclear weapons.

Or, say a world leader says that “if chemical weapons are used in this conflict, we will intervene…”, then an industrial chemical release could lead to a wider conflict.

The Reported Attack

The ‘attack’ that reportedly took place was described in the BBC article like this:

“One injured man described a ‘sweet-tasting’ white smoke covering an area of the plant after an explosion. Another said he felt immediately unable to breathe and had collapsed with ‘cotton legs’.”

Obviously, both men survived the ‘chemical attack’. Now the Russian military has had a large number of problems during this attack on Ukraine, but I would be very surprised to hear that their chemical weapons did not work. They have a long history back through the Soviet days of developing and producing chemical weapons. So, if there were a Russian chemical attack on Ukrainian forces, I would expect to hear about a large number of casualties.

The attack took place at the Azovstal metals plant outside of the city. I’m not sure what kind of metals processing takes place there, but many such plants use strong acids like nitric acid and sulfuric acid for metal cleaning. White steam clouds are released when these acids react with water or even moist air. A wide variety of industrial chemicals interfere with breathing. One of the most common is cryogenic nitrogen. Nitrogen is not toxic, but if the concentration is too high, there would not be enough oxygen present. People would pass out but would not die if the cloud blew through the area and an adequate oxygen supply became available quickly enough.

Other industries would have different chemical hazards. An interesting look at some of the chemicals associated with different industries can be found on the Chemical Facility Anti-Terrorism Standards (CFATS) website. This page provides a series of Industry Fact Sheets discussing what DHS chemicals of interest (COI) are used by various non-chemical industry groups. They are certainly not comprehensive lists of chemicals used, but they do show how widespread chemical use is in modern manufacturing environments.

Conclusion

To my mind, with my background in both the military and chemical manufacturing, this attack does not sound like a deliberate chemical attack. It sounds like the inevitable result of an attack on an industrial facility that uses hazardous chemicals on a routine basis. Tossing artillery rounds indiscriminately at such a facility is asking for a chemical release that might be mistaken for the use of a chemical weapon.

Anyone defending such a facility had better be prepared to conduct defensive operations in a chemical environment, with all of the difficulties that that entails.

STB to Hold Rail Service Hearing – 4-26/27-22

The Surface Transportation Board (STB) published a hearing notice in today’s Federal Register (87 FR 22009-22010) for “Urgent Issues in Freight Rail Service”. The hearing will address reported challenges that “include tight car supply and unfilled car orders, delays in transportation for carload and bulk traffic, increased origin dwell time for released unit trains, missed switches, and ineffective customer assistance”, specifically including agricultural and energy product shipment delays.

The Board is calling for testimony from executive-level officials, including operating and human resources officials of four Class I railroads (BNSF, CSXT, NSR, and UP) to discuss their “rail service problems and their ongoing and planned efforts to improve service, including detailed plans outlining the steps needed to improve service”. Specifically, the STB is asking those railroads “to address the extent to which crew shortages, particularly in the context of past employment reductions and current hiring difficulties, may have contributed to these service problems, and their plans, if any, to change and improve their hiring and employee retention policies to alleviate the acute crew shortages that appear to be among the central causes of the current service issues.”

The Board is also soliciting voluntary input from other railroads about how similar issues are impacting their operations and how they have dealt with the problem. The Board is also soliciting “rail customers, shipper organizations, labor organizations, and other interested parties to appear at the public hearing to discuss their service concerns and comment on carriers' efforts toward service recovery.”

Written comments may be submitted to the STB via their website (https://www.stb.gov/proceedings-actions/e-filing/; Docket # EP 770). The requirement to directly provide copies to other participants is waived in this docket. It does not appear that filings in this docket will require filing fee payments.

Commentary

Certainly, part of this problem is associated with the employment volatility related to the COVID-19 pandemic. As far as I can tell, this will be the first public hearing by a federal regulatory agency that looks at this problem. It will be interesting to see how much the railroads feel that basic pay issues contribute to these problems and how much of it is related to working conditions. In either case, personnel costs are going to rise if there is going to be any real solution to this problem. Or there is going to be some sort of increase in automation.

I will be watching the filings in this docket for comments from chemical companies about how these shipping problems impact their operations. It will be interesting to see if railroads are using this problem to avoid certain hazmat transportation issues, particularly carrying toxic inhalation hazard chemicals.
