Thursday, June 30, 2022

Review – 4 Advisories and 2 Updates Published – 6-30-22

Today, CISA’s NCCIC-ICS published four control system security advisories for products from Distributed Data Systems, Emerson, Yokogawa, and Exemys. They also updated advisories from CODESYS and Mitsubishi Electric.

Distributed Data Systems Advisory - This advisory describes two vulnerabilities in the Distributed Data Systems WebHMI.

Emerson Advisory - This advisory discusses the OT:ICEFALL vulnerabilities in the Emerson DeltaV Distributed Control System.

NOTE: There are still 15 Emerson OT:ICEFALL vulnerabilities that have not been covered by NCCIC-ICS in Emerson products including: Ovation, OpenBSI, ControlWave, and FANUC.

Yokogawa Advisory - This advisory describes a use of insufficiently random values vulnerability in the Yokogawa Wide Area Communication (WAC) Router.

Exemys Advisory - This advisory describes an improper authentication vulnerability in the Exemys RME1 analog acquisition module.

CODESYS Update - This update provides additional information on an advisory that was originally published on September 15th, 2015.

Mitsubishi Update - This update provides additional information on an advisory that was originally published on December 16th, 2021.


For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-and-2-updates-published - subscription required.

HR 8239 Introduced – FY 2023 ARD Spending

Earlier this week, Rep Bishop (D,GA) introduced HR 8239, the Agriculture, Rural Development, Food and Drug Administration, and Related Agencies Appropriations Act, 2023. The House Appropriations Committee has marked up the bill and published their Report. There is one minor mention of cybersecurity in the bill itself and a separate discussion in the Committee’s report about agricultural cybersecurity.

Cybersecurity Mentions

The cybersecurity mention in the bill is found on page 5, under this heading of “Office of the Chief Information Officer”. It provides for Department of Agriculture cybersecurity spending ($77,428,000) for internal support.

On page 26 of the Report the Committee discusses agricultural cybersecurity:

“The Committee remains concerned about the rising cybersecurity threats to our nation’s agricultural systems. The Committee requests that the Secretary report to the Committee on the research needed to identify, assess, and mitigate cybersecurity gaps within the agricultural spectrum, from seed, crop, and livestock production to distribution supply chains, with the goal of creating a national research network of regional academic cybersecurity centers in collaboration with industry partners, cooperatives, government authorities, and other stakeholders to strengthen security, data privacy, and resiliency, bolster the interdependent networks, and develop a skilled workforce for this critical area.”

Moving Forward

While there was no action taken on last year’s ARD spending bill (it was lumped into a consolidated bill in December), I suspect that, since this is an election year, this bill will be considered in the House next month and passed along mostly party lines. It is unlikely, however, that the bill will be taken up by the Senate before the end of September.

Wednesday, June 29, 2022

Bills Introduced – 6-27-22

On Monday, with neither the House nor Senate in session, there were two bills introduced. One of those bills may receive additional coverage in this blog:

HR 8239 Agriculture, Rural Development, Food and Drug Administration, and Related Agencies Appropriations Act, 2023 Rep. Bishop, Sanford D., Jr. [D-GA-2]

I will be watching this bill for language and definition in both the bill and the Committee Report that includes reference to control system cybersecurity issues.

I missed these on Tuesday when they (HR 8248, the Military Construction, Veterans Affairs, and Related Agencies Appropriations Act, 2023, was the other bill) were available on Congress.gov. Yesterday’s Daily Digest noted that the Appropriations Committee had published a report on these two bills, but they were not included in the list of bills introduced yesterday in the House pro forma session. It is very unusual for bills to be officially introduced with neither house in session. When it does happen, it usually involves an ‘important’ bill like these spending bills.

OMB Approves EPA TSCA Reporting ICR Revision – 6-27-22

On Monday, the OMB’s Office of Information and Regulatory Affairs (OIRA) approved the EPA’s revision request for their information collection request (ICR) “Toxic Chemical Release Reporting” (RIN 2070-0212). The 30-day ICR notice for this ICR was published on June 15th, 2022. While the revision was based on changes in the TRI reporting requirements that took place last December and thus was probably beyond comment, OIRA approved this ICR in record fashion without allowing public comment on the 30-day ICR notice for the full comment period. That comment period was set to expire on July 15th, 2022.

Review - HR 8236 Introduced – FY 2023 DOD Spending

Last week Rep McCollum introduced HR 8236, the Department of Defense Appropriations Act, 2023. The Appropriations Committee has already marked up the bill and published their Report on the legislation. This bill may make it to the floor of the House next month, but it is unlikely (based upon recent history) to be considered in the Senate. The report will be made part of the supporting documentation for the final spending bill passed later this year that includes coverage of DOD spending.

There is language in the bill addressing cyberoperations by various agencies within the Department, but nothing of particular interest to the control system cybersecurity community. There is one mention of note in §8140 of the bill. That section provides special authorization for DOD to reprogram cyber program funding to support new and/or expanded operations by the United States Cyber Command.

There are numerous references in the Report about cybersecurity operations within the Department and in support of cybersecurity efforts in the larger government. There are also provisions that address increasing the cybersecurity workforce of the Department that would also impact the greater cybersecurity workforce pool for government and civilian operations.

For more details about specific provisions within the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-8236-introduced - subscription required.

Tuesday, June 28, 2022

Review – 6 Advisories Published – 6-28-22

Today, CISA’s NCCIC-ICS published six control system security advisories for products from Motorola Solutions (3), Advantech, Omron, and ABB.

Motorola Advisory #1 - This advisory discusses the OT:ICEFALL vulnerabilities in the Motorola ACE1000. 

Motorola Advisory #2 - This advisory discusses the OT:ICEFALL vulnerabilities in the Motorola MDLC protocol parser.

Motorola Advisory #3 - This advisory discusses the OT:ICEFALL vulnerabilities in the Motorola MOSCAD IP Gateway and ACE IP Gateway.

Advantech Advisory - This advisory describes seven vulnerabilities in the Advantech iView management software.

Omron Advisory - This advisory discusses the OT:ICEFALL vulnerabilities in the Omron SYSMAC CS/CJ/CP Series and NJ/NX Series PLCs.

ABB Advisory - This advisory describes two incorrect default permissions vulnerabilities in the ABB e-Design engineering software.

NOTE: I originally reported on these vulnerabilities on May 28th. Interestingly, ZDI has not yet published DePlante’s advisories.

Commentary

It has been a week since NCCIC-ICS started their reporting on the OT:ICEFALL vulnerabilities. We still have not seen reports for the vulnerabilities in products from:

• Bentley Nevada (2),

• Emerson (21), and

• Honeywell (9)

In the last week many commenters in the OT space have noted that there is nothing really new here. In the broad scope, that is certainly true: most of the insecure-by-design problem was well understood when the Project Basecamp disclosures looked at the issues ten years ago. Given that, it is surprising that today is the first time that I have seen a specific recommendation by a vendor of an available upgrade to a more secure product.


For more details on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/6-advisories-published-6-28-22 - subscription required.

Committee Hearings – Week of 6-26-22

With the House conducting remote hearings and the Senate in their two-week 4th of July recess, there is a very light hearing schedule. There will be three spending bill markups by the House Appropriations Committee.

FY 2023 Spending Bills

Tuesday- EWR – House – Appropriations Committee,

Wednesday – State – House – Appropriations Committee,

Thursday – THUD – House – Appropriations

None of these bills are likely to make it to the President’s desk; there will almost certainly be a consolidated spending bill of some sort passed in December. The committee reports will have significant direction from the Appropriations Committee to the various government agencies. How well those agencies will follow those directions remains to be seen.

Monday, June 27, 2022

Review - DOT Spring 2022 Unified Agenda – LNG by Rail

Last week the Biden Administration published their Spring 2022 Unified Agenda, outlining the regulatory actions that the various agencies of the Federal Government were considering. Under the DOT section of the Agenda there are two rulemakings from their Pipeline and Hazardous Material Safety Administration (PHMSA) that deal with the shipments of liquified natural gas by rail:

Final Rule Stage – Hazardous Materials: Suspension of HMR Amendments Authorizing Transportation of Liquefied Natural Gas by Rail – 2137-AF55

Proposed Rule Stage – Hazardous Materials: Improving the Safety of Transporting Liquefied Natural Gas – 2137-AF54

Both of these rulemakings first showed up in the Spring 2021 Unified Agenda, the first Agenda published by the Biden Administration.

PHMSA projects the publication of a final rule for the first rulemaking in December of this year. A notice of proposed rulemaking is planned for January of next year, but PHMSA has yet to receive the second part of a report by the National Academy of Sciences that is supposed to inform that rulemaking. Depending on the conclusions and recommendations made by the final report, PHMSA could have a very rough time meeting that projected date.

Commentary

The war in Ukraine and the resulting sanctions against Russia have increased the political pressure for the United States to begin large scale exporting of LNG to Europe, preferably before this winter’s heating season begins. That, combined with the recent explosion at the Freeport, TX LNG shipping facility, which has shut down the largest domestic LNG shipping port, further complicates the issue. Establishing rail networks for shipping LNG, while much quicker than installing new pipelines, will take time. These two ongoing rulemakings are making it difficult for LNG producers and shippers to commit to the construction of new railcars and handling facilities.


For more details on these two rulemakings, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/dot-spring-2022-unified-agenda-lng - subscription required.

Saturday, June 25, 2022

CSB Investigator Positions Open – 6-24-22

Yesterday, the Chemical Safety Board posted notices on USAJOBS.gov for three Chemical Incident Investigator positions in grades GS11/GS12. According to the Summary on the job listing (US government employees or private sector) pages:

“The Chemical Incident Investigator position is located in the Office of Investigations. The incumbent serves as an expert in industrial chemical safety and nationwide incident investigation and analysis of major incidents involving the accidental release of hazardous materials and, developing and presenting reports with safety recommendations for adopting by the Board.”

These are job positions that are important to increasing the safety of chemical manufacturing operations in this country. Having said that, the CSB is an agency in transition and there are some well-known (and other less obvious) problems that may or may not be getting better. Accident investigators are unlikely to have a major impact on that agency transition, but this is important work that needs well-qualified people to take hard looks at some nasty accident scenes.

Positions close on July 11th, 2022.

GAO Reports – Response to Catastrophic Cyber Attack

This week the Government Accounting Office published a report looking at potential responses to address the financial fallout from a catastrophic cyberattack on critical infrastructure. It concludes that there are some major shortcomings in current insurance programs. It recommends that DHS and the Treasury Department take a concerted look at the situation and come up with potential program suggestions.

Specifically, the report notes (pg 1):

“Cyber insurance and the Terrorism Risk Insurance Program (TRIP)—the government backstop for losses from terrorism—are both limited in their ability to cover potentially catastrophic losses from systemic cyberattacks. Cyber insurance can offset costs from some of the most common cyber risks, such as data breaches and ransomware. However, private insurers have been taking steps to limit their potential losses from systemic cyber events. For example, insurers are excluding coverage for losses from cyber warfare and infrastructure outages. TRIP covers losses from cyberattacks if they are considered terrorism, among other requirements. However, cyberattacks may not meet the program’s criteria to be certified as terrorism, even if they resulted in catastrophic loss.”

Review – Public ICS Disclosure – Week of 6-18-22

This week we have 27 vendor disclosures from ABB, Aruba Networks, Bosch, Broadcom (9), CODESYS, Hikvision, HPE (2), Moxa, Phoenix Contact, QNAP, Tanzu and WatchGuard (7). We also have six vendor updates from CODESYS (2), HPE (3), and Schneider. Finally, we have two exploits for products from Siemens and SolarView.

ABB Advisory - ABB published an advisory that describes an insufficient file access control vulnerability in their Relion REX640 protection and control relays.

Aruba Advisory - Aruba published an advisory that discusses the TLStorm2.0 vulnerabilities.

Bosch Advisory - Bosch published an advisory that describes 95 vulnerabilities in their PRA-ES8P2S Ethernet-Switch.

Broadcom Advisory #1 - Broadcom published an advisory that discusses a Java compromise vulnerability in their SANnav products.

Broadcom Advisory #2 - Broadcom published an advisory that describes an insecure password storage vulnerability in the SANnav products.

Broadcom Advisory #3 - Broadcom published an advisory that discusses a Java compromise vulnerability in their SANnav products.

Broadcom Advisory #4 - Broadcom published an advisory that discusses a Java compromise vulnerability in their SANnav products.

Broadcom Advisory #5 - Broadcom published an advisory that describes an insecure password storage vulnerability in their SANnav products.

Broadcom Advisory #6 - Broadcom published an advisory that discusses an off-by-one error vulnerability in their SANnav products.

Broadcom Advisory #7 - Broadcom published an advisory that discusses an observable discrepancy vulnerability in their SANnav products.

Broadcom Advisory #8 - Broadcom published an advisory that describes a use of static key ciphers vulnerability in their SANnav products.

Broadcom Advisory #9 - Broadcom published an advisory that discusses a Java compromise vulnerability in their SANnav products.

CODESYS Advisory - CODESYS published an advisory that describes nine vulnerabilities in their V2 runtime systems.

Hikvision Advisory - Hikvision published an advisory that describes two insufficient input validation vulnerabilities in their Hybrid SAN/Cluster Storage products.

HPE Advisory #1 - HPE published an advisory that describes a disclosure of sensitive information vulnerability in their NonStop DSM/SCM products.

HPE Advisory #2 - HPE published an advisory that describes a weak key exchange vulnerability in their StoreOnce Software.

Moxa Advisory - Moxa published an advisory that discusses an expression language injection vulnerability in the third-party Apache Struts product.

Phoenix Contact Advisory - Phoenix Contact republished an advisory that describes a missing authentication for critical function vulnerability with a known exploit in their ProConOS/ProConOS eCLR PLC runtime system.

QNAP Advisory - QNAP published an advisory that discusses an out-of-bounds write vulnerability with a known exploit in their NAS product.

Tanzu Advisory - Tanzu published an advisory that describes an expression injection vulnerability in their Spring Data MongoDB application.

WatchGuard Advisory #1 - WatchGuard published an advisory that describes an arbitrary file read vulnerability in their Firebox and XTM appliances.

WatchGuard Advisory #2 - WatchGuard published an advisory that describes a cross-site scripting vulnerability in their Fireware OS.

WatchGuard Advisory #3 - WatchGuard published an advisory that describes a buffer overflow vulnerability in their Fireware OS.

WatchGuard Advisory #4 - WatchGuard published an advisory that describes a stack-based buffer overflow vulnerability in their Fireware OS.

WatchGuard Advisory #5 - WatchGuard published an advisory that describes an information disclosure vulnerability in their Fireware OS.

WatchGuard Advisory #6 - WatchGuard published an advisory that describes a privilege escalation vulnerability in their Fireware OS.

WatchGuard Advisory #7 - WatchGuard published an advisory that describes an argument injection vulnerability in their Fireware OS.

CODESYS Update #1 - CODESYS published an update for their V2 product advisory that was originally published on June 9th, 2022.

CODESYS Update #2 - CODESYS published an update for their Control V2 product advisory that was originally published on June 9th, 2022.

HPE Update #1 - HPE published an update for their ProLiant BL/DL/ML/XL/MicroServer advisory that was originally published on May 10th, 2022 and most recently updated on May 31st, 2022.

HPE Update #2 - HPE published an update for their Superdome Flex advisory that was originally published on June 14th, 2022.

HPE Update #3 - HPE published an update for their Superdome Flex Server advisory that was originally published on June 7th, 2022.

Schneider Update - Schneider published an update for their IGSS advisory that was originally published on June 14th, 2022.

Siemens Exploit - Steffen Robertz published an exploit for a cross-site scripting vulnerability in the Siemens SINEMA Remote Connect product.


For more details on these disclosures, including links to researcher reports, 3rd party advisories, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosure-week-of-6-18 - subscription required.

Bills Introduced – 6-24-22

Yesterday, with the House and Senate meeting in pro forma session, there were 21 bills introduced. One of those bills will receive additional coverage in this blog:

HR 8236 Making appropriations for the Department of Defense for the fiscal year ending September 30, 2023, and for other purposes. Rep. McCollum, Betty [D-MN-4] 

One other spending bill was also introduced, HR 8237, the Legislative Branch spending bill. I will not be covering that bill, but I thought that I would mention it in passing.

Friday, June 24, 2022

Review – DOT Unified Agenda and UAS Regulations

In the DOT portion of the Spring 2022 Unified Agenda that was published earlier this week there are four rulemakings listed that will influence critical infrastructure’s ability to protect their facilities from attacks by unmanned aerial systems, two in the final rule stage of rulemaking and two lingering on the Long-Term Actions page.

FAA – Final Rule Stage – Registration and Marking Requirements for Small Unmanned Aircraft – 2120-AK82

FAA – Final Rule Stage – External Marking Requirement for Small Unmanned Aircraft – 2120-AL32

FAA – Long-Term Actions – Safe and Secure Operations of Small Unmanned Aircraft Systems – 2120-AL26

FAA – Long-Term Actions – Prohibit or Restrict the Operation of an Unmanned Aircraft in Close Proximity to a Fixed Site Facility – 2120-AL33

Commentary

These four rulemakings, if fully implemented, would make it easier for critical infrastructure facilities to limit the legal use of unmanned aerial systems above and in the immediate vicinity of their facilities. Unfortunately, other restrictions in 18 USC would still prohibit facility management from doing more than notifying the authorities about illegal aerial activity over or around their facilities. US law still specifically prohibits (with some very limited exceptions for national defense) interfering with the operation of an aircraft (including UAS) in US airspace. Even intercepting the communications between the UAS operator and the drone technically runs afoul of several statutes.

Congress has given DOJ and DHS strictly limited authority to intercept drones, but that authority does not generally extend to privately owned facilities. Congress needs to take a hard look at the need for protecting critical infrastructure facilities from attacks like the recent attack on a Russian refinery. While that strike was probably made by the Ukrainian military, similar attacks could be executed by terrorist organizations who have become increasingly sophisticated in drone operations.

For more details on these rulemakings, see my article on CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/dot-unified-agenda-and-uas-regulations - subscription required.

Bills Introduced – 6-23-22

Yesterday, with both the House and Senate in session, there were 84 bills introduced. Of those, three may receive additional coverage in this blog:

HR 8215 To improve cybersecurity practices and improve digital literacy among veterans, and for other purposes. Rep. Slotkin, Elissa [D-MI-8] 

S 4465 A bill to establish a Countering Weapons of Mass Destruction Office and an Office of Health Security in the Department of Homeland Security, and for other purposes. Sen. Peters, Gary C. [D-MI]

S 4493 A bill to improve cybersecurity practices and improve digital literacy among veterans, and for other purposes. Sen. Klobuchar, Amy [D-MN] 

I will be watching HR 8215 and S 4493 for language and definitions that would indicate that this was a bill that would train veterans for cybersecurity positions in the industrial control system community.

I will be covering S 4465.

Thursday, June 23, 2022

Review – 6 Advisories Published – 6-23-22

Today, CISA’s NCCIC-ICS published five control system security advisories for products from Elcomplus, Pyramid Solutions, Secheron, and Yokogawa (2). They also published a medical device control system security advisory for products from OFFIS.

NCCIC-ICS has now reported advisories for four of the ten vendors covered in the OT:ICEFALL report.

Elcomplus Advisory - This advisory describes three vulnerabilities in the Elcomplus SmartICS web-based HMI.

Pyramid Solutions Advisory - This advisory describes an out-of-bounds write vulnerability in the Pyramid Solutions EtherNet/IP Adapter Development Kit.

NOTE: Weidmueller is almost certainly not the only vendor that uses the affected development or DLL kits. This is sure to show up (eventually) as a third-party vulnerability in a number of products.

Secheron Advisory - This advisory describes seven vulnerabilities in the Secheron SEPCOS Control and Protection Relay.

NOTE: There is a vendor level of control over PLCs? From the description in the advisory, it sounds like admin level access. Could someone try to explain the difference?

Yokogawa Advisory #1 - This advisory describes a violation of secure design principles vulnerability in the Yokogawa Consolidation Alarm Management Software for Human Interface Station (CAMS for HIS) software.

NOTE: I briefly reported on this vulnerability on May 28th, 2022.

Yokogawa Advisory #2 - This advisory discusses OT:ICEFALL vulnerabilities in the Yokogawa STARDOM network control system.

NOTE: NCCIC-ICS still is not providing links to the OT:ICEFALL report or naming Forescout as the authoring agency.

OFFIS Advisory - This advisory describes three vulnerabilities in the OFFIS DCMTK libraries and software that process DICOM image files.


For more information on these advisories, including links to researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/6-advisories-published-6-23-22 - subscription required.

Wednesday, June 22, 2022

CISA Publishes Notice About OT:ICEFALL

Today CISA published a notice on their Current Activity page on “CISA Releases Security Advisories Related to OT:ICEFALL (Insecure by Design) Report”. It lists the NCCIC-ICS advisories that were published yesterday that were based upon the OT:ICEFALL report. While those advisories mentioned the Report, they did not provide links to it. This notice not only provides a link to the document but specifically mentions that the researchers were from Forescout.

Reading this notice, it would be easy to assume that the five listed advisories provided an exhaustive list of the 56 vulnerabilities reported by Vedere Labs. It does not report that there are other vendors affected, much less list those vendors. Again, as I mentioned yesterday NCCIC-ICS should have published an OT:ICEFALL advisory that lists the known affected vendors and the full list of 56 vulnerabilities reported by Forescout.

Oh, and no one at CISA is mentioning that these 56 vulnerabilities are going to be affecting an as of yet unknown number of other ICS products as third-party vulnerabilities.

Fire in Pump at Chemical Manufacturing Facility

Interesting little article over at PowderBulkSolids.com talks about a chemical facility fire in LaPorte, TX that occurred in a pump. There are a few more details available over at KHOU.com (including a video of an impressive set of flames), but the TV report still says that the fire started in a pump. Local officials and the company will conduct investigations, but the fire was probably too small to report to the Chemical Safety Board, and even if reported, with no injuries/deaths or major damage, CSB is unlikely to investigate.

There are a wide variety of pumps used in the chemical process industry, but most convert electrical energy to mechanical energy to move liquids through hoses and pipelines. As with any device that converts energy to motion there is waste heat produced. Pumps generally utilize the process liquid moving through the device for cooling.

Pumps are generally sealed devices with hose connections or hard-piped connections for the intake and outflow, so ‘a fire in a pump’ is unlikely. Even with a highly oxygenated fluid flowing through the pump, a source of ignition would still be required. There is one possible source that should be considered: heating the liquid to its autoignition temperature. So, if you have a highly-oxygenated liquid with a very low autoignition temperature, you might want to include temperature sensors on your pump, along with the more common pressure sensor.

Looking at the video of the fire, the fire either started outside of the pump or moved out of the pump system in short order. The flames shown by KHOU were about the height of the nearby storage tanks. This is fairly common for a pool-type fire of a flammable liquid. And pumps can be a very quick way to set up a pool fire.

Pumps are pressure vessels; they produce higher pressure on the discharge side of the pump during operations, and that pressure drives the fluid out of the pump. As with any properly designed pressure vessel, pumps that can reach safety-significant pressures (not all can) will have a pressure relief valve on the output side of the pump. That PRV can discharge some of the fluid flowing through the pump to the local environment. A more common way for pumps to discharge to the environment is for the output hose (or, less commonly, the output pipe) to fail during operation because of the output pressure. This can be caused by mismatching the output hose/pipe pressure rating to the pressure rating of the pump. It can also be caused by mismatching the materials of construction with the fluid flowing through the system, which could cause chemical reactions that weaken the hose/pipe.

From a cybersecurity perspective, it is easy to see that pumps handling flammable liquids are a potential target. The easiest attack would be to shut a valve on the discharge side of the pump while the pump is operating, causing the pump (again, not all pumps can do this) to build up the discharge pressure to the point where the PRV releases or output hoses/pipes fail. Of course, a well-designed system will have an interlock that prevents the pump from operating when the discharge valve is closed. If that is an analog interlock, the cyber attack would not be successful. If the PRV is vented to a collection vessel, the chance of a pool fire is reduced. If there is an excess flow valve on the output of the pump, then the potential size of a pool fire is reduced. And there are additional process controls that could be used to further mitigate a cyberattack on a pump.

It is easy to look at a pump-related fire/explosion at a process facility and point the cybersecurity finger at the incident. But a well-run process safety review will note the pump as a potential safety failure mode. That review will then add mitigation measures to deal with that potential failure. Those safety mitigation measures should also serve as potential mitigation measures for a cyberattack. A cyber-informed PSR will look to ensure that those safety measures are protected or isolated from a cyberattack.
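The layers-of-protection reasoning in the two paragraphs above can be made concrete with a small model. The following Python is an added illustration, not code from the article or from any pump vendor: a constructed, deliberately simple one-second-step model of a pump dead-headed against a closed discharge valve, with the mitigations the text lists (a discharge-valve interlock that is either hardwired to the valve limit switch or implemented in the controller, a PRV vented to the ground or to a collection vessel, and an excess-flow valve). Every pressure, flow and rating is a made-up number chosen so the comparison is easy to read; the "mismatch" scenario, where the controller believes the valve is open while it is physically closed, stands in for the case where the control system's picture of the process is no longer trustworthy.

```python
"""Layers-of-protection model for a pump dead-headed against a closed discharge valve.

Added illustration (not from the article): constructed, simplified discrete-time
model, one step = one second. All parameter values are made up for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PumpConfig:
    """Constructed pump and protection-layer parameters (not from any real unit)."""
    normal_psi: float = 60.0              # discharge pressure with the valve open
    dead_head_psi: float = 250.0          # ceiling the pump can reach against a closed discharge
    rise_psi_per_s: float = 20.0          # pressure climb per second once the discharge is blocked
    flow_gpm: float = 120.0               # rated flow; release rate after a hose/pipe failure
    interlock: str = "none"               # "none" | "plc" (logic in the controller) | "analog" (hardwired)
    prv_set_psi: Optional[float] = 150.0  # PRV lift pressure; None = no PRV fitted
    prv_to_vessel: bool = False           # PRV discharges to a collection vessel, not the ground
    prv_gpm: float = 30.0                 # PRV relief flow
    hose_rating_psi: float = 200.0        # pressure at which the discharge hose/pipe fails
    excess_flow_valve: bool = False       # closes on rupture-level flow, capping the release


@dataclass(frozen=True)
class Scenario:
    valve_closed: bool = True             # physical position of the discharge valve
    controller_sees_closed: bool = True   # what the control system believes that position is


def simulate(cfg: PumpConfig, scen: Scenario, duration_s: int = 30) -> dict:
    """Run the pump for duration_s seconds and account for where any fluid ends up."""
    pressure = cfg.normal_psi
    max_pressure = pressure
    stopped_at = None
    to_env = to_vessel = 0.0
    hose_failed = False
    for t in range(duration_s):
        # Layer 1: interlock. The analog interlock is wired to the valve limit
        # switch and acts on the physical position; the PLC interlock can only
        # act on the controller's view of it, which is the weakness the text notes.
        trip = (cfg.interlock == "analog" and scen.valve_closed) or \
               (cfg.interlock == "plc" and scen.controller_sees_closed)
        if trip:
            stopped_at = t
            break
        if scen.valve_closed:
            pressure = min(cfg.dead_head_psi, pressure + cfg.rise_psi_per_s)
        # Layer 2: PRV. Holds the line at its set point by bleeding fluid off,
        # either to the ground (pool-fire fuel) or to a collection vessel.
        if cfg.prv_set_psi is not None and pressure >= cfg.prv_set_psi:
            pressure = cfg.prv_set_psi
            if cfg.prv_to_vessel:
                to_vessel += cfg.prv_gpm / 60.0
            else:
                to_env += cfg.prv_gpm / 60.0
        max_pressure = max(max_pressure, pressure)
        # Layer 3: hose/pipe failure above its rating. With an excess-flow
        # valve the rupture flow closes the valve, so only one second's worth
        # escapes; without it the pump keeps feeding the pool.
        if pressure > cfg.hose_rating_psi:
            hose_failed = True
        if hose_failed:
            to_env += cfg.flow_gpm / 60.0
            if cfg.excess_flow_valve:
                break
    return {
        "pump_stopped_at_s": stopped_at,
        "max_pressure_psi": max_pressure,
        "released_to_environment_gal": round(to_env, 3),
        "released_to_vessel_gal": round(to_vessel, 3),
        "hose_failed": hose_failed,
    }


def compare_layers() -> dict:
    """Same closed-discharge event against several protection configurations."""
    # Controller thinks the valve is open while it is physically closed.
    mismatch = Scenario(valve_closed=True, controller_sees_closed=False)
    cases = {
        "no interlock, PRV to ground": (PumpConfig(), mismatch),
        "PLC interlock, PRV to ground": (PumpConfig(interlock="plc"), mismatch),
        "analog interlock": (PumpConfig(interlock="analog"), mismatch),
        "no interlock, PRV to vessel": (PumpConfig(prv_to_vessel=True), mismatch),
        "no PRV, no excess-flow valve": (PumpConfig(prv_set_psi=None), mismatch),
        "no PRV, excess-flow valve": (PumpConfig(prv_set_psi=None, excess_flow_valve=True), mismatch),
    }
    return {name: simulate(cfg, scen) for name, (cfg, scen) in cases.items()}


if __name__ == "__main__":
    for name, result in compare_layers().items():
        print(f"{name:32s} {result}")
```

Running it shows the point of the paragraph in numbers: only the hardwired interlock stops the pump outright when the controller's view is wrong, the PRV-to-vessel option keeps the released fluid off the ground, and the excess-flow valve turns a continuous hose-rupture release into a one-second one. A cyber-informed PSR would ask, for each of those layers, whether it depends on the same controller that an attacker would have to compromise to create the event in the first place.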

HR 7777 Passed in House – ICS Cybersecurity Training

Yesterday, the House took up HR 7777, the Industrial Control Systems Cybersecurity Training Act. The bill was considered under the suspension of the rules process and passed by a mostly bipartisan vote of 368 to 47. The debate in the House was quick, just about 10 minutes. Nary a word was heard in opposition to the bill.

As I noted yesterday, this bill just authorizes the current training programs conducted by CISA.

The bill now goes to the Senate. It is unlikely to be considered under regular order; it is not important enough to take up the time for that process. The bill might be able to be considered under their unanimous consent process, but the fairly large vote against it in the House argues against that. It is more likely to be considered as an amendment to a spending or authorization bill.

The House also took up HR 7174, the National Computer Forensics Institute Reauthorization Act of 2022, under the suspension process. A vote was also demanded and may take place today.

Review - Spring 2022 Unified Agenda – DHS

Yesterday, the Biden Administration published the Spring 2022 Unified Agenda. The Unified Agenda lays out the major regulatory measures that the Administration is considering taking action on over the next year. The listing of a rulemaking or the estimated action dates associated with a rulemaking are aspirational at best and no guarantee of agency action.

DHS Rulemakings

The DHS portion of the UA lists 96 rulemakings, eight of which will be covered here in this blog if/when any actions are taken on them. The table below shows those eight rulemakings.

OS – Final Rule – Homeland Security Acquisition Regulation: Safeguarding of Controlled Unclassified Information (HSAR Case 2015-001) – 1601-AA76

OS – Proposed Rule – Homeland Security Acquisition Regulation: Information Technology Security Awareness Training (HSAR Case 2015-002) – 1601-AA78

OS – Final Rule – Civil Monetary Penalty Adjustments For Inflation – 1601-AB07

USCG – Proposed Rule – 2021 Liquid Chemical Categorization Updates – 1625-AC73

USCG – Proposed Rule – TWIC--Reader Requirements; Second Delay of Effective Date – 1625-AC80

TSA – Proposed Rule – Vetting of Certain Surface Transportation Employees – 1652-AA69

TSA – Proposed Rule – Surface Transportation Cybersecurity Measures – 1652-AA74

CISA – Proposed Rule – Ammonium Nitrate Security Program – 1670-AA00

Long-Term Actions

There is a separate section of the Unified Agenda for rulemaking actions that are on the minds of agencies, but for which there is no current intention by those agencies to take action, the Long-Term Actions list. Rulemakings move back and forth between the Long-Term Actions list and the main Unified Agenda listing, sometimes without rhyme or reason. There are currently three rulemakings on the DHS list that would be covered here if the agencies were to act on those rulemakings.

Agency – Title – RIN

DHS/OS – Department of Homeland Security Cybersecurity Talent Management System – 1601-AA84

DHS/TSA – Surface Transportation Vulnerability Assessments and Security Plans – 1652-AA56

DHS/CISA – Chemical Facility Anti-Terrorism Standards (CFATS) – 1670-AA01


For more details about these rulemakings, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/spring-2022-unified-agenda-dhs - subscription required.

Tuesday, June 21, 2022

Review - 6 Advisories Published – 6-21-22

Today, CISA’s NCCIC-ICS published six control system security advisories for products from Siemens, Phoenix Contact (3), JTEKT, and Mitsubishi. All but the Mitsubishi vulnerabilities reported today by NCCIC-ICS were originally reported by Forescout’s Vedere Labs in their OT:ICEFALL report.

NOTE: Phoenix Contact republished an earlier, related advisory that I will discuss this weekend.

OT-ICEFALL Report - “Vedere Labs has identified a set of 56 vulnerabilities affecting devices from 10 operational technology (OT) vendors that we are collectively calling OT:ICEFALL [link added].”

Siemens Advisory - This advisory discusses a use of client-side authentication vulnerability in the Siemens SIMATIC WinCC OA SCADA HMI system.

NOTE: ETM, the Siemens subsidiary that developed WinCC OA, published this article on the reported vulnerability disclosure/response process.

Phoenix Contact Advisory #1 - This advisory discusses a missing authentication for critical function vulnerability in the Phoenix Contact classic line industrial controllers.

Phoenix Contact Advisory #2 - This advisory discusses an insufficient verification of data authenticity vulnerability in the Phoenix Contact ProConOS software development kit.

Phoenix Contact Advisory #3 - This advisory discusses an insufficient verification of data authenticity vulnerability in the Phoenix Contact classic line industrial controllers.

JTEKT Advisory - This advisory discusses a missing authentication for critical function vulnerability in the JTEKT TOYOPUC PLCs.

Commentary

Back in 2012, when the original Project Basecamp disclosures (note that most of the 2012 links no longer work) documented some of the problems that have since been lumped under the term ‘insecure by design’, I had hoped that the control system vendor community would take a hard look at the security assumptions they had made in designing their control system products. While a great deal of progress has occurred (just look at the vendor names that are not included in the OT:ICEFALL report), too many vendors still assume that owner/operators will (or even can) only use their devices in ‘secure networks’.

I am disappointed that NCCIC-ICS did not produce an alert based upon the OT:ICEFALL report and call out each of the vendors to report on their response. This is what the old ICS-CERT did (reluctantly, to be sure) with the original Project Basecamp reports. In many ways, that Alert did much to amplify the researchers’ work and ended up expanding the industry’s efforts to increase the basic security of control systems. The work is not done, but today’s advisories will help.

BTW: The original, mostly uncoordinated, Project Basecamp disclosures created a bit of controversy about coordinated disclosure. See my discussion about that controversy here.


For more details about these advisories, including a list of the 10 vendors identified in OT:ICEFALL, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/6-advisories-published-6-21-22 - subscription required.

Committee Hearings – Week of 6-19-22

This week, with both the House and Senate in session and the Summer Recess deadline approaching, there is a moderately heavy hearing schedule. The House Armed Services Committee will mark up their FY 2023 NDAA. The House is pushing ahead with spending bill markups while there are still budget hearings being held (including a bunch of closed intel agency hearings). There will also be a hearing looking at the cybersecurity of new technologies. Finally, there are a couple of cybersecurity bills scheduled for consideration in the House.

FY 2023 Spending Bill Markups

Tuesday – House – IER – Subcommittee,

Tuesday – House – EWD – Subcommittee,

Wednesday – House – State – Subcommittee,

Wednesday – House – CJS – Subcommittee,

Thursday – House – ARD – Subcommittee,

Thursday – House – THUD – Subcommittee,

Thursday – House – LHH – Subcommittee, and

Friday – House – DHS & Legislative – Full Committee

Cybersecurity Hearing

On Wednesday, the Cybersecurity, Infrastructure Protection, & Innovation Subcommittee of the House Homeland Security Committee will hold a hearing on “Securing the Future: Harnessing the Potential of Emerging Technologies While Mitigating Security Risks”. The witness list includes:

• Andrew Lohn, Georgetown University,

• Charles Robinson, IBM,

• Ron Green, Mastercard, and

• Rob Strayer, Information Technology Industry Council (ITI)

This looks like it will be concentrating on quantum technology, so I do not expect to hear much about control system security.

On the Floor

The House is scheduled to take up eleven bills today under the suspension of the rules process. They include two cybersecurity bills that I briefly discussed yesterday:

HR 7777 – Industrial Control Systems Cybersecurity Training Act, as amended, and

HR 7174 – National Computer Forensics Institute Reauthorization Act of 2022, as amended

Both bills are likely to pass with substantial bipartisan support, but Republican bomb-throwers are likely to demand recorded votes in their continuing campaign to slow the legislative process.

To be clear there are ‘bomb-throwers’ on both sides of the aisle. This is not a dig against Republicans in general. After all, I was a Goldwater Republican in ’64 and a member of the California Republican Assembly in 1972.

Monday, June 20, 2022

HR 7174 Reported in House – Cyber Forensics

Last week, the House Homeland Security Committee published their report on HR 7174, the National Computer Forensics Institute Reauthorization Act of 2022. The Committee considered the bill on May 19th, 2022. Some relatively minor amendments were adopted, and the Committee ordered the amended bill reported favorably. The bill will be considered by the Full House tomorrow under the suspension of the rules process.

The Report provides a look at how multiple committees can work together when there are overlapping jurisdictions. In this case, the House Judiciary Committee has limited jurisdiction over some parts of the operation of the NCFI and was thus also assigned to consider this bill. The Judiciary Committee held no hearings about the bill, and the Chairs of the two committees were able to work together to allow the bill to move forward to consideration by the Full House. The Report contains letters between Rep Nadler (D,NY) and Rep Thompson (D,MS), the respective Chairs of the Judiciary and Homeland Security Committees.

There is no telling how much back and forth between the two chairs (and their staffs, of course) occurred to allow this cooperative action. I suspect that Thompson’s amendment to the bill may have been part of the process for moving that agreement forward.

HR 7777 Reported in House – ICS Cybersecurity Training

Last week the House Homeland Security Committee published their report on HR 7777, the Industrial Control Systems Cybersecurity Training Act. The Committee considered the bill last month and ordered the bill reported favorably without amendment. The House is scheduled to take up the bill on Tuesday under the suspension of the rules process. This means limited debate, no floor amendments, and a super majority required for passage. The House leadership expects the bill to pass with strong bipartisan support.

The Report includes an interesting discussion about the differences between IT and OT cybersecurity training needs (pg 2):

“While cybersecurity education is often focused on information technology (IT), there are unique skills required to secure ICS as it relies on both IT and operational technology (OT) that, if exploited, could result in material harm, including loss of life, and significant economic damage. In contrast to IT cybersecurity, which prioritizes ensuring confidentiality, integrity, and availability of data, ICS cybersecurity prioritizes safety, reliability, and functionality of systems. Because those working in ICS cybersecurity must understand how technology impacts industrial operations, there are additional types of training required. According to a group of industrial cybersecurity experts convened by Idaho National Laboratory and Idaho State University, there are six industrial cybersecurity knowledge domains that are not included in traditional cybersecurity education: industrial operations, instrumentation and control equipment, communications, safety, and regulation. Expanded Federal support for ICS cybersecurity training would ensure more workers have the necessary, specialized skills to protect ICS.”

The Committee Report also includes the mandatory Congressional Budget Office report on the costs associated with the bill. That CBO report notes that (pg 5):

“CISA already provides cybersecurity training courses for critical infrastructure operators; thus, the bill would codify those responsibilities and would not impose any new operating requirements on the agency. CBO estimates that implementing H.R. 7777 would cost less than $500,000 over the 2022–2027 period to prepare and deliver the required reports; such spending would be subject to the availability of appropriated funds.”

HR 7965 Introduced – Drone Misuse

Last week Rep Gallagher (R,WI) introduced HR 7965, the Drone Act of 2022. The bill would revise 18 USC to expand the criminal code’s coverage of the misuse of unmanned aircraft. This is a companion (identical language) bill to S 3542 that was introduced in February.

Moving Forward

Neither Gallagher, nor any of his three cosponsors, are members of the House Judiciary Committee to which this bill was assigned for consideration. This means that there is probably not enough influence to see this bill considered in Committee. I noted in my post on S 3542 that the Senate bill would probably be opposed by the UAS industry and the same would hold true here. I would not, however, expect that opposition to be sufficient to stop this bill from receiving adequate support for passage.

I do note, however, that Grassley’s bill has received no action in the Senate Judiciary Committee to which that bill was assigned for consideration. Given that Grassley is the ranking member and there are two Democrats cosponsoring his bill, it is unusual that the bill has not been heard in Committee. This is probably due to the general reluctance of lawmakers to make changes to 18 USC. Changes to the criminal code have more reach than most legislation, especially since there is wide prosecutorial discretion in how the language is interpreted in its application.

S 4397 Introduced – Counter-Drone Support

Last week, Sen Lankford (R,OK) introduced S 4397, the Strengthening Counter-Unmanned Aircraft Systems Operations (C-UAS) Partnerships Act. The bill would authorize DOD to provide C-UAS support under the Foreign Assistance Act of 1961. No new spending is authorized by this bill.

The bill would amend 10 USC 333(a), adding “Counter-unmanned aircraft systems operations.” to the list of operations for which DOD could provide training and equipment to foreign national security forces.

Moving Forward

Lankford is not a member of the Senate Foreign Relations Committee to which this bill was assigned for consideration. This means that there is probably not sufficient influence to see this bill considered in Committee. I see nothing in this bill that would draw organized opposition to the bill. I suspect that the bill would receive bipartisan support in Committee.

This bill could be added to either the National Defense Authorization Act or the FY 2023 DOD spending bill as an amendment from the floor.

Commentary

I do not see this bill, even if passed, having any significant impact on developing or providing C-UAS support for critical infrastructure in the United States. This will almost certainly be the last mention of this bill in this blog.

Sunday, June 19, 2022

Review – Public ICS Disclosures – Week of 6-11-22 – Part 3

Finally, for Part 3 we have 16 vendor updates from Schneider (4) and Siemens (12).

Schneider Update #1 - Schneider published an update for their BadAlloc advisory that was originally published on November 9th, 2021 and most recently updated on May 10th, 2022.

Schneider Update #2 - Schneider published an update for their Rapsody advisory that was originally published on January 12th, 2021.

NOTE: NCCIC-ICS has not updated their version of this advisory (ICSA-21-012-01).

Schneider Update #3 - Schneider published an update for their EcoStruxure advisory that was originally published on March 14th, 2022.

Schneider Update #4 - Schneider published an update for their APC Smart UPS advisory that was originally published on March 8th, 2022 and most recently updated on May 10th, 2022.

Siemens Update #1 - Siemens published an update for their SNMP advisory that was originally published on February 11th, 2020 and most recently updated on April 12th, 2022.

NOTE: NCCIC-ICS has not updated their advisory (ICSA-20-042-06) for this change.

Siemens Update #2 - Siemens published an update for their OpenSSL advisory that was originally published on April 14th, 2014 and most recently updated on May 12th, 2022.

NOTE: NCCIC-ICS has not updated their advisory (ICSA-22-104-05) for this change.

Siemens Update #3 - Siemens published an update for their Log4Shell advisory that was originally published on December 13th, 2021 and most recently updated on May 10th, 2022.

Siemens Update #4 - Siemens published an update for their Industrial Products advisory that was originally published on March 20th, 2018 and most recently updated on October 8th, 2019.

NOTE: NCCIC-ICS has not updated their advisory (ICSA-18-079-02) to reflect this change.

Siemens Update #5 - Siemens published an update for their SIMATIC advisory that was originally published on September 9th, 2021 and most recently updated on December 14th, 2021.

Siemens Update #6 - Siemens published an update for their SIMATIC Net CP advisory that was originally published on March 8th, 2022 and most recently updated on April 12th, 2022.

Siemens Update #7 - Siemens published an update for their Industrial Products advisory that was originally published on December 10th, 2019 and most recently updated on February 8th, 2022.

Siemens Update #8 - Siemens published an update for their TCP SACK PANIC advisory that was originally published on September 10th, 2019 and most recently updated on May 10th, 2022.

NOTE: NCCIC-ICS has not updated their advisory (ICSA-19-253-03) for this information.

Siemens Update #9 - Siemens published an update for their GNU/Linux advisory that was originally published in 2018 and most recently updated on May 10th, 2022.

NOTE: NCCIC-ICS did not update their advisory (ICSA-22-104-13) for this information.

Siemens Update #10 - Siemens published an update for their SpringShell advisory that was originally published on April 19th, 2022 and most recently updated on April 27th, 2022.

Siemens Update #11 - Siemens published an update for their OpenSSL advisory that was originally reported on July 13th, 2021 and most recently updated on May 10th, 2022.

Siemens Update #12 - Siemens published an update for their SegmentSmack advisory that was originally published on April 14th, 2020 and most recently updated on May 12th, 2022.

NOTE: NCCIC-ICS did not update their advisory (ICSA-20-105-07) for this information.


For more information on these updates, including links to 3rd party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-6-b77 - subscription required.

Saturday, June 18, 2022

Review – Public ICS Disclosures – Week of 6-11-22 – Part 2

For Part 2 we have nine vendor disclosures from Dell and Schneider (8). We also have four vendor updates for products from Fujitsu, Dell, HP, and HPE. We also have three researcher reports for products from Bachmann Visutec, Blynk, and Nexans. Part 3 tomorrow will cover Schneider and Siemens updates.

Dell Advisory - Dell published an advisory that discusses the SpringShell vulnerabilities.

Schneider Advisory #1 - Schneider published an advisory that describes two vulnerabilities in their EcoStruxure™ Cybersecurity Admin Expert.

Schneider Advisory #2 - Schneider published an advisory that describes an improper restriction of operations within the bounds of a memory buffer in their CanBRASS design and costing tool.

Schneider Advisory #3 - Schneider published an advisory that describes two vulnerabilities in their C-Bus Home Automation Products.

Schneider Advisory #4 - Schneider published an advisory that describes three vulnerabilities in their EcoStruxure Power Commission software.

Schneider Advisory #5 - Schneider published an advisory that describes three vulnerabilities in their Conext™ Combox communications and monitoring device.

Schneider Advisory #6 - Schneider published an advisory that describes an exposure of resource to wrong sphere vulnerability in their Geo SCADA Mobile application.

Schneider Advisory #7 - Schneider published an advisory that describes eight vulnerabilities in their Interactive Graphical SCADA System (IGSS).

Schneider Advisory #8 - Schneider published an advisory that describes four vulnerabilities in their Data Center Expert product.

NOTE: This advisory was updated on June 16th, 2022. The new information included updating affected version information and clarification of fixed versions.

Fujitsu Update - JPCert published an update for the FUJITSU Network IPCOM advisory that was originally published on May 19th, 2022 and most recently updated on June 10th, 2022.

Dell Update - Dell published an update for their Log4Shell advisory.

HP Update - HP published an update for their Wireless Bluetooth advisory that was originally published on February 8th, 2022.

HPE Update - HPE published an update for their Synergy Servers advisory that was originally published on May 10th, 2022 and most recently updated on May 31st, 2022.

Bachmann Report - Talos published a report describing an information disclosure vulnerability in the Bachmann Atvise SCADA registration function.

Blynk Report - Talos published a report describing a stack-based buffer overflow vulnerability in the Blynk-Library.

Nexans Report - SEC Consult published a report describing four vulnerabilities in the Nexans FTTO GigaSwitch series that are due to the use of outdated software components.


For more details about these disclosures, including links to researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-6-af5 - subscription required.
