Sunday, July 31, 2022

Cybersecurity Students in the Real World

Interesting article over on KTVB.com about a program at Boise State where cybersecurity students are being paired up with small rural government agencies and businesses to give the students real world experience and the small entities valuable cybersecurity assistance that, even if they could afford it, they would have a hard time finding people to do. Great idea that with the right mentoring support may prove to be very valuable. The article is well worth the read.

I do have a couple of small problems…

The first, I have already mentioned on TWITTER®: Who assumes liability for the work being done by the student? Students make errors; it’s a valuable part of the learning process. Who takes financial responsibility for the stuff inevitably ‘broken’ by the students? I suspect that it is the system owner; they get what they pay for after all.

The bigger problem is not with the program, but, well here’s the pull quote:

“"If an individual is graduating with a certificate or a degree in cybersecurity and they have no practical experience, if I were in the CEO seat or a chief technology officer, I'd have a hard time letting them start working on my live network and company assets," Secrist said.”

Now I understand that attitude in a shop where they are hiring a one-person cybersecurity department. That one person has to be CISO, Incident Response, Help Desk, System Integrator and whatever else needs to be done. But, here is the thing, that one-person shop cannot possibly work; too much stuff, not enough time. And the person with all of that knowledge and experience is going to be working somewhere with an adequate staff. Small businesses hire accountants to handle payroll and taxes, they need to hire cybersecurity services as well.

Now if I were a cybersecurity pro (I am not; I’m a cyber user, an out-of-date programmer and a gadfly, and increasingly a curmudgeon) who was getting burnt out on the cybersecurity highway, I think that I would take all that ‘big money’ (I know) I had been stashing away and would start up a small cybersecurity shop about a hundred miles away from the nearest big city. I would hire a bunch of tech school grads and provide cybersecurity services to the local government and business community at a reasonable price. The kids would get to go to one Bsides on the company dime each year, and I would catch up on some fishing.

Review – Public ICS Disclosure – Week of 7-23-22 – Part 2

For Part 2 this week we have three additional vendor disclosures from FileWave, OPC Labs, and Unified Automation. We also have nine vendor updates from CODESYS, HP, Mitsubishi (3), VMware, and Yokogawa (3). We also have four researcher reports for products from DD-WRT, Asuswrt, FreshTomato, and Nuki. Finally, we have two exploits for products from Dingtian and Roxy-WI.

FileWave Advisory - FileWave published a blog post that describes two vulnerabilities in their FileWave Management Suite.

OPC Labs Advisory - OPC Labs published an advisory that describes a deserialization of untrusted data vulnerability in their QuickOPC Connectivity Explorer.

Unified Automation Advisory - Incibe CERT published an advisory that describes two vulnerabilities in Unified Automation's OPC UA C++ Demo Server.

CODESYS Update - CODESYS published an update for their Development System V3 advisory that was originally published on July 15th, 2021 and most recently updated on June 3rd, 2022.

HP Update - HP published an update for their NVIDIA GPU Display Driver advisory that was originally published on June 2nd, 2022 and most recently updated on June 23rd, 2022.

Mitsubishi Update #1 - Mitsubishi published an update for their Multiple FA Products advisory that was originally published on July 30th, 2020 and most recently updated on May 27th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-20-212-03) for this information.

Mitsubishi Update #2 - Mitsubishi published an update for their Multiple FA Engineering Software Products advisory that was originally published on February 18th, 2021 and most recently updated on May 24th, 2022.

NOTE: NCCIC-ICS did not update their advisory (ICSA-21-049-02) for this information.

Mitsubishi Update #3 - Mitsubishi published an update for their Multiple FA Engineering Software Products advisory that was originally published on July 30th, 2020 and most recently updated on May 24th, 2022.

NOTE: NCCIC-ICS did not update their advisory (ICSA-20-212-04) for this information.

VMware Update - VMware published an update for their vCenter Server advisory that was originally published on July 12th, 2022.

Yokogawa Update #1 - Yokogawa published an update for their Wide Area Communication Router advisory that was originally published on June 30th, 2022.

NOTE: NCCIC-ICS did not need to update their advisory (ICSA-22-181-02) for this information.

Yokogawa Update #2 - Yokogawa published an update for their CAMS for HIS advisory that was originally published on May 27th, 2022.

Yokogawa Update #3 - Yokogawa published an update for their OT:ICEFALL advisory that was originally published on June 21st, 2022. The new information includes a fix for the FCN/FCJ basic software.

NOTE: NCCIC-ICS did not update their advisory (ICSA-22-174-01) for this new information.

DD-WRT Report - Talos published a report that describes a memory corruption vulnerability in the httpd unescape functionality of DD-WRT Revision 32270 - Revision 48599.

Asuswrt Report - Talos published a report that describes a memory corruption vulnerability in the httpd unescape functionality of Asuswrt prior to 3.0.0.4.386_48706 and Asuswrt-Merlin New Gen prior to 386.7.

FreshTomato Report - Talos published a report that describes a memory corruption vulnerability in the httpd unescape functionality of FreshTomato 2022.1.

Nuki Report - NCC Group published a report that describes nine vulnerabilities in the Nuki smart locks.

Dingtian Exploit - Victor Hanna published an exploit for an authentication bypass vulnerability in the Dingtian-DT-R002 2Channel relay board.

Roxy-WI Exploit - Nuri Cilengir published a Metasploit module for a command injection vulnerability in the Roxy-WI web interface.

 

For more information on these disclosures, including summaries of changes made in updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosure-week-of-7-23-9aa - subscription required.

Saturday, July 30, 2022

Review - OMB Approves Yet Another TSA Pipeline Cybersecurity Emergency ICR – 7-29-22

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an emergency information collection request (ICR) revision for the TSA’s “Pipeline Corporate Security Review”. This is the same ICR (1652-0056) for which OIRA had just approved a three-year extension earlier this week. TSA submitted this emergency ICR revision to support another change to the pipeline security directive (Security Directive Pipeline-2021-02C) that was published this week.

Change in Burden Estimate

Unusually for an emergency ICR revision, the approved revision does include a change in burden estimate. According to the Supporting Document submitted to OIRA, the revised ICR includes three new information collection requirements. The table below shows all five elements of the revised ICR burden estimate.

Collection Requirements                                     | Responses | Hrs/Resp | Burden
Pipeline Corporate Security Review (PCR) Initial Interviews | 20        | 8        | 160
PCR Re-interview                                            | 20        | 3        | 60
Cybersecurity Implementation Plan (new)                     | 100       | 400      | 40,000
Cybersecurity Incident Response Plan                        | 100       | 80       | 8,000
Audits Plans of Cybersecurity Measures (new)                | 100       | 40       | 4,000
Compliance Documentation (new)                              | 100       | 80       | 8,000
Totals                                                      | 440       | N/A      | 60,220
Old Estimate                                                | 331       | N/A      | 12,830

Moving Forward

As with most emergency ICR revision requests, OIRA is only approving the revised data for six months. TSA will be required to go through the normal publish and comment process for that extension. Additionally, OIRA noted:

“Given that this is an emergency approval that does not have the benefit of public input prior to implementation, the agency will brief OIRA on the comments it has received and lessons learned as it implemented this package when this package is resubmitted during the next six months following the normal notice and comment procedures. TSA will also work toward allowing as much time for comment as possible on its emergencies to avoid new aspects of its collections going into effect without the benefit of public input.”

 

For more information about the revised ICR approved by OIRA, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/omb-approves-yet-another-tsa-pipeline - subscription required.

Review - CSB Releases Chemical Incident Data from Reporting Rule - 7-29-22

Yesterday, coincident with their July 2022 quarterly meeting, the Chemical Safety Board (CSB) released the latest tranche of data resulting from their Chemical Incident Data reporting rule. The spreadsheet released by the Board shows an additional eight serious chemical release incidents since the Board last made this information public in May. The new data brings the total to 162 reported incidents since March 2021 with 25 involving at least one fatality, 92 involving serious injury, and 68 involving substantial property damage.

An interesting difference between the two data releases is how the announcement was made. The first data release was done with a very limited press release; just a couple of dry explanatory paragraphs and the link. Yesterday’s press release is a bit more of an activist announcement. It includes separate quotes from both Board Members, Steve Owens (recently nominated to fill the Chair position) and Sylvia Johnson.

Both comments pointed to the community’s right to know about chemical incidents in their backyard. Unfortunately, I do not think that the information provided to the Board is generally much more useful for communities than that found in the local press. That is not what the reporting rule was intended to do after all. What will be more important as these two new Board members put their mark on the CSB will be how they allocate their investigation resources. If they want to help chemical facility neighbors, they will be concentrating on more incidents with off-site consequences.

 

For more details about the new information included in the data release, see my article in CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-releases-chemical-incident-data - subscription required.

Review – Public ICS Disclosure – Week of 7-23-22- Part 1

It is a fairly busy summer week for disclosures. In Part 1 this week we have thirteen vendor disclosures from ABB, Aruba Networks, Broadcom (2), CONTEC, Dell, Hitachi Energy (2), HPE, Meinberg, Software Toolbox, Western Digital, and Yokogawa. We will have vendor updates, researcher reports, and new exploits in Part 2.

ABB Advisory - ABB published an advisory that describes three vulnerabilities in their Ability™ Operations Data Management Zenon.

Aruba Advisory - Aruba published an advisory that describes a sensitive information disclosure vulnerability in their Aruba Virtual Intranet Access application.

Broadcom Advisory #1 - Broadcom published an advisory that describes a path traversal vulnerability in their Brocade Fabric OS.

Broadcom Advisory #2 - Broadcom published an advisory that discusses the RETbleed vulnerabilities.

CONTEC Advisory - JP CERT published an advisory that describes a file upload vulnerability in the CONTEC SolarView Compact product.

Dell Advisory - Dell published an advisory that discusses an allocation of resources without limits or throttling vulnerability in their Data Protection Advisor.

Hitachi Energy Advisory #1 - Hitachi Energy published an advisory that discusses a classic buffer overflow vulnerability in their AFF660/665 series product web server.

Hitachi Energy Advisory #2 - Hitachi Energy published an advisory that discusses two vulnerabilities (one with known exploit) in their Lumada Asset Performance Management (APM) Edge product.

NOTE: According to NVD.NIST.gov the first vulnerability is listed on CISA's Known Exploited Vulnerabilities (KEV) Catalog list.

HPE Advisory - HPE published an advisory that describes eleven vulnerabilities in their Integrated Lights-Out 5 firmware.

Meinberg Advisory - Meinberg published an end-of-life announcement for their LANTIME Operating System Version 6, effective January 1st, 2023.

Software Toolbox Advisory - Software Toolbox published an advisory that discusses an out-of-bounds write vulnerability with known exploits.

Western Digital Advisory #1 - Western Digital published an advisory that describes four cryptographic processing vulnerabilities in their Sweet B cryptographic library.

Western Digital Advisory #2 - Western Digital published an advisory that discusses eight vulnerabilities (six with known exploits) in their My Cloud OS 5 firmware.

Yokogawa Advisory - Yokogawa published an advisory that describes a resource management error vulnerability in their CENTUM controller FCS.

 

For more details on these advisories, including links to 3rd-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosure-week-of-7-23 - subscription required.

Friday, July 29, 2022

CISA Sends Cyber Reporting ANPRM to OMB

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a ‘Prerule’ notice (typically called an advanced notice of proposed rulemaking – ANPRM – or maybe an RFI) from CISA on “Request for Information on the Cyber Incident Reporting for Critical Infrastructure Act of 2022”. While this rulemaking was not included in the Spring 2022 Unified Agenda, it seems pretty obvious that this is the initial stage of the regulatory effort that would support the requirements of Division Y of PL 117-203 that was signed into law in March. The actual reporting requirement mandate is found at 6 USC §681b and §681c.

CISA appears to be moving fairly quickly on their mandate. It will be interesting to see how quickly OMB approves the ANPRM/RFI.

Bills Introduced – 7-28-22

Yesterday, with both the House and Senate in Washington and looking toward the beach, there were 92 bills introduced. Fourteen of those bills may see additional coverage in this blog:

HR 8578 To amend the Federal Power Act and the Natural Gas Act with respect to the enforcement of certain provisions, and for other purposes. Rep. Schakowsky, Janice D. [D-IL-9]

S 4659 A bill making appropriations for the Departments of Labor, Health and Human Services, and Education, and related agencies for the fiscal year ending September 30, 2023, and for other purposes. Sen. Murray, Patty [D-WA]

S 4660 A bill making appropriations for energy and water development and related agencies for the fiscal year ending September 30, 2023, and for other purposes. Sen. Feinstein, Dianne [D-CA]

S 4661 A bill making appropriations for Agriculture, Rural Development, Food and Drug Administration, and Related Agencies for the fiscal year ending September 30, 2023, and for other purposes. Sen. Baldwin, Tammy [D-WI] 

S 4662 A bill making appropriations for the Department of State, foreign operations, and related programs for the fiscal year ending September 30, 2023, and for other purposes. Sen. Coons, Christopher A. [D-DE] 

S 4663 A bill making appropriations for the Department of Defense for the fiscal year ending September 30, 2023, and for other purposes. Sen. Tester, Jon [D-MT]

S 4664 A bill making appropriations for the Departments of Commerce and Justice, Science, and Related Agencies for the fiscal year ending September 30, 2023, and for other purposes. Sen. Shaheen, Jeanne [D-NH]

S 4670 A bill making appropriations for the Departments of Transportation, and Housing and Urban Development, and related agencies for the fiscal year ending September 30, 2023, and for other purposes. Sen. Schatz, Brian [D-HI]

S 4673 A bill to reauthorize the National Computer Forensics Institute of the United States Secret Service, and for other purposes. Sen. Grassley, Chuck [R-IA]

S 4678 A bill making appropriations for the Department of Homeland Security for the fiscal year ending September 30, 2023, and for other purposes. Sen. Murphy, Christopher [D-CT] 

S 4679 A bill to amend the Federal Power Act and the Natural Gas Act with respect to the enforcement of certain provisions, and for other purposes. Sen. Cortez Masto, Catherine [D-NV] 

S 4685 A bill making appropriations for financial services and general government for the fiscal year ending September 30, 2023, and for other purposes. Sen. Van Hollen, Chris [D-MD]

S 4686 A bill making appropriations for the Department of the Interior, environment, and related agencies for the fiscal year ending September 30, 2023, and for other purposes. Sen. Merkley, Jeff [D-OR]

S 4687 A bill to enhance the authority granted to the Department of Homeland Security and Department of Justice with respect to unmanned aircraft systems and unmanned aircraft, and for other purposes. Sen. Peters, Gary C. [D-MI]

I will probably not be covering S 4662 and S 4685; these two spending bills seldom have anything of specific interest here. I do expect to be covering the remainder of the spending bills.

I will be watching HR 8578 and S 4679 for language and definitions that specifically include cybersecurity in the covered enforcement processes.

I will be watching S 4673 for differences between it and the recently passed House version; HR 7174.

I will be covering S 4687.

Thursday, July 28, 2022

CFATS-ChemLock Webinar – 8-9-22

I saw an interesting post over on LinkedIn about an upcoming webinar that looks at both the Chemical Facility Anti-Terrorism Standards (CFATS) and the ChemLock programs. This is not apparently a CISA presentation, though there will certainly be CISA folks from the Office of Chemical Security participating. I have met and worked (maybe communicated would be better) with Annie Hunziker Boyer for quite a while about both programs.

Anyway, this is part of the OCS outreach program that has now been expanded to include ChemLock. It looks like they are targeting chemical facilities (and remember just about every manufacturing facility is at least partially a chemical facility in today’s world) that are not familiar with the two chemical security programs. For facilities that may have heretofore unrealized CFATS initial reporting requirements, OCS wants them to recognize their responsibilities. For all chemical facilities that are not covered by the CFATS regulatory program, OCS wants them to know about the non-regulatory, voluntary ChemLock program that provides chemical security expertise to help facilities.

A copy of the flyer for the program can be found here. If Annie is part of the presentation, I highly recommend participating.

HR 4346 Passed in House – CHIPS Act

This afternoon the House took up the Senate amendment to the House amendment to the Senate amendment to HR 4346, the CHIPS Act, under a rule. The bill passed with minimal bipartisan support with a final vote of 243 to 187. Much of the Republican opposition was directed more at yesterday’s news that the Democrats finally had an agreement on a final reconciliation bill that could possibly pass without any Republican support.

The bill will probably make it to the President’s desk next week (final editing and printing takes time), where it will be signed with much fanfare.

FRA Publishes Train Crew Size NPRM

Today the DOT’s Federal Railroad Administration published a notice of proposed rulemaking (NPRM) in the Federal Register (87 FR 45564-45622) for “Train Crew Size Safety Requirements”. The regulation would establish safe minimum requirements for the size of train crews depending on the type of operation. It would also establish processes for requesting authority to operate or continue to operate trains with fewer crew members.

Hazmat Shipments

Section E of the preamble addresses the concerns that the FRA looked at in assessing how it should deal with the train crew issue when dealing with the rail transport of hazardous materials. At the end of that discussion the preamble states:

“Based on the known safety and security risks associated with operating trains transporting large amounts of hazardous materials and with the hazardous materials known to present the greatest safety and security risks, as discussed in more detail in the section-by-section analysis of proposed § 218.123 [link added] below, in this NPRM FRA is proposing to prohibit the operation of trains transporting hazardous materials subject to FRA's securement regulation [link added] or materials designated by TSA as RSSMs [rail-security sensitive materials] on trains with fewer than two crewmembers.”

The proposed §218.123(c) that deals with hazmat shipments reads:

“(c) Hazardous material two-person train crew mandate. For the purposes of this paragraph (c), a tank car containing residue of a hazardous material as defined in § 171.8 [link added] of this title is not considered a loaded car. None of the exceptions in §§ 218.125 through 218.133 [links added] are applicable when any train is transporting:

“(1) Twenty (20) or more loaded tank cars or loaded intermodal portable tanks of any one or any combination of hazardous materials identified in § 232.103(n)(6)(i)(B) [link added] of this chapter; or

“(2) One or more car loads of rail-security sensitive materials (RSSM) as defined in § 1580.3 [link added] of this title.”

Interestingly, this specifically excludes the exemption for using a one-person crew for filling unit trains.

Public Comments

The FRA is soliciting public comments on the NPRM. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # FRA-2021-0032). Comments need to be submitted by September 26th, 2022.

Review – 1 Advisory and 2 Updates Published – 7-28-22

Today, CISA’s NCCIC-ICS published a control system security advisory for products from Rockwell Automation. They also updated two advisories for products from Mitsubishi. Mitsubishi published four other updates this week; I will cover them this weekend.

Rockwell Advisory - This advisory describes a type confusion vulnerability in the FactoryTalk Software, Enhanced HIM for PowerFlex, and Connected Components Workbench.

NOTE: I briefly discussed this vulnerability on July 16th, 2022.

Mitsubishi Update #1 - This update provides additional information on an advisory that was originally published on December 16th, 2021 and most recently updated on June 30th, 2022.

Mitsubishi Update #2 - This update provides additional information on an advisory that was originally published on July 30th, 2020 and most recently updated on May 31st, 2022.

 

For more details on the advisory and updates, including a link to the 3rd-party advisory, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-and-2-updates-published-d3c - subscription required.

OMB Approves TSA Pipeline Security ICR Update – 7-26-22

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an information collection request (ICR) “Extension without change of a currently approved collection” for the TSA’s “Pipeline Corporate Security Review” (1652-0056). I do not typically review ‘extension without change’ notices except that this one was TSA and it was approved with a change from OIRA.

Looking at the approval notice I quickly spotted a significant change in the approved burden (see table below); typically, a change in burden means an ICR update is not an ‘extension without change’.

 

                    | Inventory as of this Action | Requested               | Previously Approved
Expiration Date     | 7/31/2023                   | 36 Months From Approved | 7/31/2022
Responses           | 331                         | 0                       | 20
Time Burden (Hours) | 12,830                      | 0                       | 180

The Supporting Document for the ICR extension notes that the TSA had come back to OIRA last summer for an emergency change to this ICR to support the second security directive for pipelines. Yep, I remember that clearly. Unfortunately, the OMB Control Number History for this ICR does not list that emergency ICR revision approval. That confused me for a bit, but it’s all clear now.

It is a good thing that I did see and start investigating the situation. The OIRA file on this ICR now contains an updated copy of the Pipeline CSR Workbook that TSA surface inspectors use to conduct their corporate security reviews (CSR). The revised cybersecurity questions are found under the ‘Checklist IT’ tab in the spreadsheet. Somewhat generic questions, but that has to be expected in a questionnaire like this.

Wednesday, July 27, 2022

HR 7569 Passed in House – Energy Security Research

This evening, the House completed action on HR 7569, the Energy Cybersecurity University Leadership Act of 2022. The House debated the bill on Monday under the suspension of the rules process with limited debate; nary a word was heard in opposition to the legislation. At the end of the debate Monday, a vote was demanded, and the House did not take further action until today.

Earlier this afternoon, under provisions of §5 of H.Res.1254 (special dispensation to speed up proceedings to get ready to go home for summer vacation), the House attempted to take up 12 previously debated measures (including HR 7569) en bloc under a voice vote, but yet another recorded vote was demanded. At 6:15 this evening, that vote was completed, and the twelve measures passed by a vote of 336 to 90; less than half of the Republicans voting in opposition.

HR 7569 is unlikely to be taken up in the Senate under regular order, but might get included as part of a larger authorization or spending bill. There is a remote chance that it could get considered under the Senate’s unanimous consent process, but that is a politically fraught process at the best of times.

Senate Passes HR 4346 as Amended – CHIPS Act

Today, the Senate concluded their consideration of HR 4346, the vehicle for the CHIPS Act. After approving the substitute language (SA 5135) by a modestly bipartisan vote of 64 to 33, an identical vote was cast to approve the House amendment to the Senate amendment to HR 4346 as amended. The bill goes back to the House for final approval.

The House is currently scheduled to take up the bill tomorrow under a restricted rule. There will be limited debate and no amendments will be allowed from the floor. The bill is expected to pass with some Republican votes.

H Res 1289, which provides for the consideration of HR 4346 in the House, will also provide for the operation of the House during the Summer Recess “during the period from August 1, 2022, through September 12, 2022”. For those of you that have been watching my comments about resolutions of inquiry, §5 of the Resolution states: “SEC. 5. Each day during the period addressed by section 2 of this resolution shall not constitute a legislative day for purposes of clause 7 of rule XIII.” Clause 7 deals with resolutions of inquiry and provides that action must be taken within 14 legislative days in Committee, or the author may call the resolution to the floor of the House as a privileged matter. So, there will be a breather on these resolutions while the House is on their Summer Recess. But they will have to be dealt with when the House returns to work on all of their end-of-fiscal-year stuff.

Review - CFATS History and Appendix A

Yesterday, CISA published the second part of their look back at the Chemical Facility Anti-Terrorism Standards (CFATS) program on the 15th Anniversary of the program. This installment looks at the establishment of Appendix A to 6 CFR Part 27, DHS Chemicals of Interest. My earlier posts in this series include:

CFATS 15th Anniversary – CISA Takes a Look Back

Outsider Comments

As with my earlier post in this series, here are some links to my contemporary blog posts about Appendix A issues:

Changes to the DHS Chemical Facility Security Web Site,

First Security Vulnerability Assessments to be done soon

More changes to the DHS Web Site,

DHS responds to agriculture and propane industry complaints,

Chemical warfare agent injures over 100 in Nevada onion field,

Slow pace of CFATS implementation,

IED’s and Chemical Facilities,

DHS Revises Appendix A,

The politics behind Appendix A propane rules,

DHS increases the number of flammable chemicals regulated under CFATS,

Laboratories get some breaks in the Chemicals of Interest List,

Ammonium Nitrate Rules Tightened,

New Appendix A changes CVI Training?,

Appendix A published in Federal Register,

Chemical Security makes the DHS Leadership Blog, and

Hole in Propane Rules.

 

For more details about the importance of Appendix A, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cfats-history-and-appendix-a - subscription required.


Bills Introduced – 7-26-22

Yesterday, with both the House and Senate in session, there were 92 bills introduced. These include one bill that may receive additional attention in this blog:

S 4615 A bill to require the Secretary of Defense to seek to engage with the Ministry of Defence of the Kingdom of Jordan for the purpose of expanding cooperation of military cybersecurity activities, and for other purposes. Sen. Rounds, Mike [R-SD] 

I will be watching this bill for definitions and language that specifically include control system cybersecurity within the coverage of the bill.

I would like to note in passing that various Republicans in the House introduced 26 additional resolutions of inquiry yesterday, eleven more than in the previous week. That is 26 of the 69 pieces of legislation introduced in the House yesterday, or 37% of the volume processed by the Clerk. I briefly discussed this issue on Saturday. It is becoming more obvious that this is a procedural tactic designed to delay legislative action in the House. We are starting to see committee business meetings with these resolutions on the agenda. Prompt, decisive action by committee chairs could stifle this move, but I suspect that various procedural moves in Committee will be attempted to counter that action.

Tuesday, July 26, 2022

Review – 4 Advisories and 1 Update Published – 7-26-22

Today, CISA’s NCCIC-ICS published four control system security advisories for products from Moxa, Inductive Automation, and Honeywell (2). They also updated an advisory for products from Mitsubishi.

Moxa Advisory - This advisory describes two out-of-bounds write vulnerabilities in the MOXA NPort 5110 device server.

NOTE: I briefly discussed these vulnerabilities on June 11th, 2022.

Inductive Automation Advisory - This advisory describes an improper restriction of XML external entity reference vulnerability in the Inductive Automation Ignition software.

Saia Burgess Advisory - This advisory discusses the OT:ICEFALL vulnerabilities in the Honeywell Saia Burgess PG5 PCD PLC.

Safety Manager Advisory - This advisory discusses the OT:ICEFALL vulnerabilities in the Honeywell Experion PKS Safety Manager.

Mitsubishi Update - This update provides additional information on an advisory that was originally published on November 30th, 2021 and most recently updated on June 7th, 2022.

Commentary

The OT:ICEFALL report lists vulnerabilities in three additional Honeywell Products:

• TREND controls products - CVE-2022-30312,

• Experion LS - CVE-2022-30317, and

• Control Edge - CVE-2022-30318

For more details on these advisories and update, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-and-1-update-published-737 - subscription required.

HR 4346 Vote Delayed in Senate – CHIPS Act

Yesterday, the Senate delayed the scheduled cloture vote on HR 4346, the vehicle for the CHIPS Act. A report on TheHill.com notes that East Coast weather problems were making it difficult to get Senators into town in time for the scheduled vote, so the Leadership decided to postpone the vote until today. The current schedule calls for the cloture vote at 11:00 am EDT.

Interestingly, there were 23 amendments proposed yesterday to this bill, more than had been submitted in total since consideration of the bill began last week. One of those amendments, SA 5181, is a re-write of 43 pages of the substitute language being considered. This rewrite does not affect any of the cybersecurity provisions that I discussed in my article at CFSN Detailed Analysis (subscription required).

Proposed amendments by Sen Paul (R,KY; SA 5159) and Sen Lee (R,UT; SA 5162, SA 5164, SA 5168, SA 5179, and SA 5180) indicate that there may be attempts made to force votes on these unrelated amendments. Paul and Lee are unlikely to vote for the bill, so they have little leverage in this case, but they are both well known for their legislative maneuvering. This could drag out the final vote on the bill, further delaying House action.

Monday, July 25, 2022

Committee Hearings – Week of 7-24-22

With the House and Senate in session but preparing to leave on their Summer Recess at the end of the week, there is a relatively light hearing schedule. There is one cybersecurity hearing scheduled in the House.

Cybersecurity Hearing

On Thursday the Subcommittee on Space and Aeronautics of the House Science, Space, and Technology Committee will hold a hearing on “Exploring Cyber Space: Cybersecurity Issues for Civil and Commercial Space Systems”. The witness list includes:

• Theresa Suloway, The MITRE Corporation,

• Matthew Scholl, NIST, and

• Brandon Bailey, The Aerospace Corporation

This discussion could get technical. It will be interesting to see how well the Staff prepares technical questions, and how well the congresscritters understand the answers.

On the Floor in the House

The last week in July is always jam packed, and this week will certainly be interesting. The House is planning on taking up 27 bills under the suspension of the rules process, which will mean some late-night votes on Tuesday. Those bills include:

HR 7569 – Energy Cybersecurity University Leadership Act of 2022, and

HR 4551 – RANSOMWARE Act (not covered here)

There are five bills to be considered under rules, but nothing major. They will take up legislative time while the House waits on Senate actions (see below) on HR 4346, and possible “Consideration of Legislation Related to Public Safety”.

On the Floor in the Senate

The Senate is scheduled to take the final cloture vote on HR 4346 this morning. This would set the bill up for a final vote tomorrow or Wednesday. There was some Republican support on the first cloture vote, but the final vote may be held hostage to some last-minute Republican amendment. We will just have to wait and see.

Saturday, July 23, 2022

CRS Reports – House Legislative Procedures

This week, the Congressional Research Service updated four publications that deal with legislative processes in the House. They describe the processes included in the rules of the House and the ways that the leadership can revise or avoid those processes. The reports include:

Availability of Legislative Measures in the House of Representatives (The “72-Hour Rule”),

Considering Legislation on the House Floor: Common Practices in Brief,

Suspension of the Rules in the House: Principal Features, and

Resolutions of Inquiry in the House

Resolutions of Inquiry had not been common until the last couple of weeks of the current session. In the last week alone, fifteen resolutions of inquiry have been introduced in the House:

H Res 1236 Of inquiry directing the Secretary of Homeland Security to provide certain documents in his possession to the House of Representatives relating to the Disinformation Governance Board. Rep. Biggs, Andy [R-AZ-5],

H Res 1237 Of inquiry requesting the President to provide certain documents to the House of Representatives relating to online censorship of political speech. Rep. Bishop, Dan [R-NC-9],

H Res 1238 Of inquiry requesting the President to provide certain documents to the House of Representatives relating to the October 4, 2021 memorandum issued by the Attorney General entitled "Partnership Among Federal, State, Local, Tribal, and Territorial Law Enforcement to Address Threats Against School Administrators, Board Members, Teachers, and Staff". Rep. Fitzgerald, Scott [R-WI-5],

H Res 1239 Of inquiry directing the Attorney General to provide certain documents in his possession to the House of Representatives relating to the October 4, 2021 memorandum issued by the Attorney General entitled "Partnership Among Federal, State, Local, Tribal, and Territorial Law Enforcement to Address Threats Against School Administrators, Board Members, Teachers, and Staff". Rep. Johnson, Mike [R-LA-4],

H Res 1241 Of inquiry directing the Secretary of Homeland Security to provide certain documents in his possession to the House of Representatives relating to immigration enforcement and border security. Rep. McClintock, Tom [R-CA-4],

H Res 1243 Of inquiry requesting the President transmit certain documents in his possession to the House of Representatives relating to the Biden family's international business schemes and related information. Rep. Comer, James [R-KY-1],

H Res 1244 Of inquiry requesting the President and directing the Secretary of Health and Human Services to transmit, respectively, certain documents to the House of Representatives relating to any COVID-19 vaccine. Rep. Gosar, Paul A. [R-AZ-4],

H Res 1246 Of inquiry directing the Secretary of the Treasury to provide certain documents in the Secretary's possession to the House of Representatives relating to recovery rebates under section 6428B of the Internal Revenue Code of 1986. Rep. Smith, Jason [R-MO-8],

H Res 1247 Of inquiry directing the Secretary of the Interior to transmit certain documents to the House of Representatives relating to the 2023-2028 five-year program for offshore oil and gas leasing. Rep. Graves, Garret [R-LA-6],

H Res 1248 Of inquiry directing the Secretary of the Interior to transmit certain documents to the House of Representatives relating to the compliance with the obligations of the Mineral Leasing Act. Rep. Herrell, Yvette [R-NM-2],

H Res 1249 Of inquiry directing the Secretary of the Interior to transmit certain documents to the House of Representatives relating to the impact of illegal immigration on federal or tribal lands. Rep. Moore, Blake D. [R-UT-1],

H Res 1250 Of inquiry directing the Secretary of Homeland Security to transmit certain documents to the House of Representatives relating to the impact of illegal immigration on Federal or Tribal lands. Rep. Moore, Blake D. [R-UT-1],

H Res 1251 Of inquiry directing the Secretary of Agriculture to transmit certain documents to the House of Representatives relating to the mineral withdrawal within the Superior National Forest. Rep. Stauber, Pete [R-MN-8],

H Res 1252 Of inquiry directing the Secretary of the Interior to transmit certain documents to the House of Representatives relating to the mineral withdrawal within the Superior National Forest. Rep. Stauber, Pete [R-MN-8], and

H Res 1253 Of inquiry directing the Secretary of the Interior to transmit certain documents to the House of Representatives relating to the actions of the Department of the Interior's Departmental Ethics Office. Rep. Westerman, Bruce [R-AR-4]

A quick look at the subjects makes it obvious that these requests stem from basic disagreements between the more conservative wing of the Republican Party and the current Biden Administration. It is also clear that there is little to no chance that any of these resolutions will be adopted in Committee or passed on the floor of the House.

It would seem that this is another attempt to delay operations of the House in the lead up to the end of the fiscal year, both in Committee and potentially on the floor of the House. This is because resolutions of inquiry are privileged and require action in Committee within 14 days of introduction; otherwise the resolution may be called to the floor by the member who introduced it.

Review – Public ICS Disclosures – Week of 7-16-22

This week we have nine vendor disclosures from Dell, Eaton, Flexera, Honeywell, HP, HPE (2), Rockwell, and SonicWall. We also have four vendor updates from Aruba Networks (2), Fujitsu, and HP. Finally, we have one researcher report for products from Schneider Electric.

Dell Advisory - Dell published an advisory that discusses 28 vulnerabilities (two with known exploits) in their Wyse Management Suite.

Eaton Advisory - Eaton published an advisory that describes an unrestricted file upload vulnerability in their Foreseer software.

Flexera Advisory - Flexera published an advisory that discusses the log4j remote code execution vulnerability (CVE-2021-44832).

Honeywell Advisory - Honeywell published an end-of-life notice for their equIP® Series IP Cameras, Performance Series IP and HQA Cameras, and Performance Series NVRs and DVRs.

HP Advisory - HP published an advisory that discusses seven vulnerabilities in their UEFI Secure Boot Database.

HPE Advisory #1 - HPE published an advisory that describes a disclosure of sensitive information vulnerability in their OneView product.

HPE Advisory #2 - HPE published an advisory that discusses an infinite loop vulnerability in their NonStop products.

Rockwell Advisory - Rockwell published an advisory that discusses the SpringShell vulnerability in their FactoryTalk Analytics DataView product.

SonicWall Advisory - SonicWall published an advisory that describes an SQL injection vulnerability in their GMS and Analytics products.

Aruba Update #1 - Aruba published an update for their OpenSSL advisory that was originally published on May 4th, 2022 and most recently updated on June 1st, 2022.

Aruba Update #2 - Aruba published an update for their Expat XML advisory that was originally published on May 17th, 2022 and most recently updated on July 7th, 2022.

Fujitsu Update - Fujitsu published an update for their ETERNUS CS8000 advisory that was originally published on June 1st, 2022.

HP Update - HP published an update for their Jumpstart advisory that was originally published on May 10th, 2022.

Schneider Report - Zero Science Labs published a report describing an OS command injection vulnerability in the Schneider SpaceLogic C-Bus Home Automation System.
For more details on these disclosures, including links to third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-7-c9a - subscription required.

Friday, July 22, 2022

President Nominates New CSB Chair

Yesterday, President Biden sent a nomination to the Senate for the Chair of the Chemical Safety and Hazard Investigation Board (CSB) to replace Katherine Lemos who is resigning effective today. Biden nominated Stephen A. Owens who is currently one of two members of the CSB Board. The Board is authorized to have five board members. Owens was confirmed by the Senate last year to his current position. This should allow for a quicker (not to say quick) confirmation process.