Wednesday, August 31, 2022

Short Takes – 8-31-22

Security and Cheap Complexity. Schneier.com blog post. Mass-produced insecurity = low cost. Pull quote: “Today, you just grab some standard microcontroller off the shelf and write a software application for it. And that microcontroller already comes with an IP stack, a microphone, a video port, Bluetooth, and a whole lot more. And since those features are there, engineers use them.” And then try to keep up with all the various vulnerabilities that are discovered in every one of those features, whether the product uses them or not.

Graph-based JavaScript bug scanner discovers more than 100 zero-day vulnerabilities in Node.js libraries. PortSwigger.net article. New JavaScript analysis tool. Pull quote: “They expanded their test by crawling 300,000 NPM packages and applying ODGen with graph queries to detect queries. ODGen reported nearly 3,000 security bugs, of which the researchers verified 264 that belonged to libraries with more than 1,000 weekly downloads.” How many of those 264 vulnerabilities found their way into critical systems?

Chemical leak at waste disposal plant kills one, injures four in US. HazardExonthenet.net article. Contains link to article from last week on incident. Definitely a CSB reportable incident. Hydrogen sulfide is nasty stuff.

Notice of closed Federal advisory committee meeting. Federal Register Notice. HSAC meeting will include cybersecurity discussion behind closed doors.

DOT PHMSA ALERT Rail Car Training. Notice at FindlayAllHazards.com. PHMSA funded training by The Center for Rural Development and the AHTC (All Hazards Training Center) for responses to incidents that involve rail shipments of crude oil, ethanol, and other flammable liquids.

Review - EPA Publishes RMP Accidental Chemical Release NPRM

Today the EPA published a notice of proposed rulemaking (NPRM) in the Federal Register (87 FR 53556-53616) for Accidental Release Prevention Requirements: Risk Management Programs Under the Clean Air Act; Safer Communities by Chemical Accident Prevention. This is the rulemaking for which the EPA published an initial 60-day ICR notice earlier this week. The proposed revisions to the RMP regulations include several changes and amplifications to the accident prevention program requirements, enhancements to the emergency preparedness requirements, increased public availability of chemical hazard information, and several other changes to certain regulatory definitions or points of clarification.

Overview

The EPA provides a broad overview of the intent of the regulation revisions in the preamble to the rule. It provides a discussion of each of the following areas of concern:

• Prevention Program,

• Emergency Response, and

• Areas of Technical Clarification

Public Comments

The EPA is soliciting public comments on this NPRM. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # EPA-HQ-OLEM-2022-0174). Comments need to be submitted by October 31st, 2022. I expect that there will be a number of requests for an extension of that time.

For more details about the topics that are covered in this NPRM, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/epa-publishes-rmp-accidental-chemical - subscription required. I plan on more detailed coverage of the details of this rulemaking as part of the preparation of my comments for consideration by the EPA.

CSB Guidance on Reporting Accidental Chemical Releases

Yesterday, the Chemical Safety and Hazard Investigation Board (CSB) published their promised guidance document on the reporting of accidental chemical releases under 40 CFR 1604. As with any governmental ‘guidance’ document there is a lot of superfluous verbiage setting out the background of the need for, and legal justification of, the base regulation. CSB does a better job than most with making this readable, but the first seven pages of the document can be skipped by all but the most ardent infophiles.

Pages 8 and 9 of the document provide a nicely done summary of what CSB expects when an accidental chemical release occurs. An interesting pull quote from page 9 reflects an unusual amount of bureaucratic naivete about corporate interests in reporting chemical incidents:

“Under the CSB’s Accidental Release Reporting Rule, it is always safer for an owner/operator to report, rather than fail to report. Thus, it is the CSB’s position that if an owner/operator is unsure whether the incident should be reported, the owner/operator should report, rather than risk violating the rule by failing to report. There is no sanction or enforcement action associated with reporting an accidental release, which in retrospect, did not have to be reported. The opposite, however, is not true. Failure to report an accidental release when required by this rule could lead to an enforcement action brought by the EPA.”

The remainder of the document is formatted in a frequently asked questions (FAQ) format. CSB does go beyond just quoting relevant parts of the regulation. For example, at the end of the reply to FAQ 2.11 on pages 10 and 11, CSB concludes the discussion by reminding folks that the intent of the rule is to provide CSB with the necessary information to determine if an investigation is warranted and then states:

“The CSB has and will continue to investigate matters involving the accidental releases of chemicals, petrochemicals, and hydrocarbons of all types, provided that a fatality, serious injury, or substantial property damage is caused by the accidental release at issue.”

Any owner or facility manager for a facility that produces, uses, or handles hazardous chemicals of any sort ought to have a copy of this document handy, and look at it periodically. Every EH&S manager needs to have read and understood this guidance before a chemical release incident takes place, probably before close of business yesterday.

Tuesday, August 30, 2022

Short Takes – 8-30-22

Mississippi’s largest city in water crisis as treatment plant fails. WashingtonPost.com article describes problems with Jackson, MS water treatment plant, but short on real details. Pull quote: “There would not even be enough water to fight fires, Reeves said, adding that the state this weekend started gathering alternative sources of water, including for firefighting. Separate sources of drinking water and non-potable water for flushing toilets would be distributed, he said.”

EO 14080 - Implementation of the CHIPS Act of 2022. Federal Register notice. EO establishes within the Executive Office of the President the CHIPS Implementation Steering Council. Pull quote: “The function of the Steering Council is to coordinate policy development to ensure the effective implementation of the Act within the executive branch.”

China’s heat wave is creating havoc for electric vehicle drivers. TechnologyReview.com article - Heatwave brings power restrictions on public charging stations – Pull quote: “But even if it eases, building a resilient electric grid and diversifying EV charging methods will be crucial to fully support a booming domestic EV industry that experts think is unlikely to shrink even after this challenging period.” Complex issue; should inform early discussion here while EVs are a small part of the current fleet.

Review – 11 Advisories and 1 Update Published – 8-30-22

Today, CISA’s NCCIC-ICS published eleven control system security advisories for products from Johnson Controls, PTC Kepware, Omron, Honeywell (3), Fuji Electric, and Hitachi Energy (4). They also updated an advisory for products from Mitsubishi Electric.

Johnson Controls Advisory - This advisory describes a command injection vulnerability in the Johnson Controls (Tyco subsidiary) iSTAR Ultra door controller.

PTC Advisory - This advisory describes two vulnerabilities on the Kepware KEPServerEX connectivity platform.

NOTE: NCCIC-ICS reports that these vulnerabilities also affect the following products as third-party vulnerabilities:

• Rockwell Automation KEPServer Enterprise,

• GE Digital Industrial Gateway Server, and

• Software Toolbox TOP Server

Honeywell Advisory #1 - This advisory discusses an OT:ICEFALL vulnerability in the Honeywell Trend Controls IQ Series IC.

Honeywell Advisory #2 - This advisory discusses an OT:ICEFALL vulnerability in the Honeywell Experion LX distributed control system.

Honeywell Advisory #3 - This advisory discusses an OT:ICEFALL vulnerability in the Honeywell ControlEdge PLC.

Fuji Advisory - This advisory describes two vulnerabilities in the Fuji D300win programming support tool.

Hitachi Energy Advisory #1 - This advisory describes an improper input validation vulnerability in the Hitachi Energy RTU500.

Hitachi Energy Advisory #2 - This advisory describes a reliance on uncontrolled component vulnerability in the Hitachi Energy MSM Product.

NOTE: I briefly discussed the 13 underlying vulnerabilities (3 with known exploits) on July 16th, 2022.

Hitachi Energy Advisory #3 - This advisory describes a reliance on uncontrolled component vulnerability in the Hitachi Energy Gateway Station product.

NOTE: I briefly discussed the 7 underlying vulnerabilities (6 with known exploits) on May 8th, 2022.

Hitachi Energy Advisory #4 - This advisory describes a reliance on uncontrolled component vulnerability in the Hitachi Energy FACTS Control Platform product.

NOTE: I briefly discussed the 7 underlying vulnerabilities (6 with known exploits) on May 8th, 2022.

Mitsubishi Update - This update provides additional information for an advisory that was originally published on August 9th, 2022 and most recently updated on August 18th, 2022.

 

For more details on these advisories and the update, including links to third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/11-advisories-and-1-update-published - subscription required.


Review – OSHA Announces PSM Stakeholders Meeting – 9-28-22

Today, DOL’s Occupational Safety and Health Administration published a meeting notice in the Federal Register (87 FR 53020-53021) for a “Process Safety Management (PSM); Stakeholder Meeting” on September 28th, 2022. According to the notice, OSHA is inviting “interested parties to participate in an informal virtual stakeholder meeting concerning the rulemaking project for OSHA's Process Safety Management (PSM) standard, at which OSHA will provide a brief overview of its work on the PSM rulemaking project to date.”

Registration and Comments

Personnel wishing to participate in the WebEx meeting can register on-line (NOTE: the link currently returns a ‘404 – File Not Found’ message). Presumably, that link can also be used to register to provide oral comments. Personnel wishing to submit written comments may do so via the Federal eRulemaking Portal (www.Regulations.gov; Docket OSHA-2013-0020).

Commentary

When this rulemaking was initiated back in 2013, chemical manufacturing control systems were becoming much more common, even in smaller facilities. Cybersecurity for those systems was not much of a concern because the air-gapped-systems myth was still generally accepted, even though the first successful control-system cyberattack against an air-gapped system had been conducted three years earlier. OSHA needs to consider including some sort of cybersecurity language in the PSM standard. That language should include requirements to:

• Identify safety critical control systems and the electronic systems connected to them,

• Identify security controls (physical and electronic) in place to protect both of those systems,

• Identify system logging and response responsibilities, and

• Identify processes to be used to find and fix system vulnerabilities.

Process safety information identification standards in §1910.119(d) should include a requirement to list industrial control system equipment that controls, protects or monitors covered processes. Additionally, process hazard analysis requirements of §1910.119(e) should specifically include requirements to identify industrial control system elements that are involved in the control or monitoring of the identified process hazards associated with the covered processes; this should include a failure mode analysis (including cyberattack) and failure consequence analysis.


For more details about this meeting notice, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/osha-announces-psm-stakeholders-meeting - subscription required.

Monday, August 29, 2022

Short Takes – 8-29-22

Department of Transportation declares regional emergency following BP refinery fire in Indiana. Article on theHill.com describes FMCSA limited suspension of driver rest requirements after BP refinery shutdown. Pull quote: “Reuters reported on Wednesday that BP shut down some of its units at its Whiting, Ind., refinery due to an electrical fire. The fire was extinguished, and the company said it was deciding when the affected units would restart.”

How Energy's Cyber-Informed Engineering Strategy Fits into a Pending National Plan. NextGov.com article – Slightly misleading title – Actual article focus is on cybersecurity job training – Pull quote: “The strategy DOE is working on starts with education and workforce training initiatives which fit neatly into the Office of the National Cyber Director’s prioritization of workforce development. Corell pointed to the inclusion of the secretary of labor along with other senior cabinet officials at a recent White House summit on the issue.”

Energy Department Releases Strategy to Build Cyber-Resilient Energy Systems. NextGov.com article. Provides link to DOE report on Cyber Informed Engineering (CIE) Strategy – Article pull quote: “The strategy is broken up into five pillars: awareness, education, development, current infrastructure and future infrastructure. It supports five priority areas outlined by the DOE’s Office of Cybersecurity, Energy Security and Emergency Response, which include strengthening the visibility of cyber threats in energy systems and addressing supply chain risks.”

A Much-Hyped Effort to Help DHS Land Cyber Talent is Slow to Make Hires. GovExec.com article. Almost a year into DHS Cybersecurity Talent Management System and the hiring results are less than dramatic. Pull quote: “However, it appears from this data that DHS is unlikely to hit the goal of making offers to 150 candidates by the end of the fiscal year.”


S 4670 Introduced – FY 2023 THUD Spending

Last month, Sen Schatz (D,HI) introduced S 4670, the Transportation, Housing and Urban Development, and Related Agencies Appropriations Act, 2023. The Senate Appropriations Committee has not produced a report on this bill. The bill contains one cybersecurity funding mention, but no specific language about cybersecurity issues.

Cybersecurity Spending

On page 11, under the heading Cyber Security Initiatives, the bill provides $48.1 million for DOT “cyber security initiatives, including necessary upgrades to network and information technology infrastructure, improvement of identity management and authentication capabilities, securing and protecting data, implementation of Federal cyber security initiatives, and implementation of enhanced security controls on agency computers and mobile devices”. This is the same amount as authorized in HR 8294, the House version of this bill.

NTSB vs CSB Funding

In a post last month about problems at the Chemical Safety Board, I noted that CSB funding levels in the Committee Report (pg 132) on HR 8262 provided $14 million for the funding of CSB operations in FY 2023. The National Transportation Safety Board funding is actually listed in this bill (a measure of the increased relative importance of the NTSB over the CSB) at $129.3 million. The NTSB does conduct significantly more investigations than does the CSB (which has not initiated any new investigations in over a year), but that is probably more a measure of the amount of funding available than it is a reflection of the number of incidents worthy of investigation.

Moving Forward

The House THUD bill was included in the House minibus spending bill (HR 8294) that was passed in the House before the Summer Recess. If (not really likely) the Senate takes up that bill before the end of next month, the language from this bill will likely be rolled into the substitute language that the Senate would actually consider. It is unlikely that the Senate would be able to get the 60 votes necessary to begin actual debate on the House bill, since that passed with a near party-line vote.

We will most likely see a continuing resolution (CR) passed late next month that would provide funding at current levels through some time in December. Depending on the outcome of the congressional elections in November, we could see another CR carrying over spending until January or February if Republicans manage to gain control of both the House and Senate. Otherwise, a consolidated spending bill will likely pass in late December after one or more short-term CRs are passed.

Sunday, August 28, 2022

Short Takes – 8-28-22

TSA Requirements: A Snapshot of Growing Attention to Pipeline Cybersecurity. Nozomi Networks article looking at TSA pipeline security guidelines (Security Directive 2C). Pull quote: “With this latest announcement of additional requirements and potential rules for pipeline companies to implement in their operations, some industry leaders may struggle to understand the impacts of additional regulatory guidance.”

Pipeline Safety: Periodic Standards Update II. Federal Register - PHMSA notice of proposed rulemaking (NPRM) that would incorporate by reference all or parts of updated editions of the voluntary, consensus, industry technical standards currently referenced in the Pipeline Safety Regulations.

Hazardous Materials: Request for Information on Electronic Hazard Communication Alternatives. Federal Register - Extension of comment period on RFI published on July 11th, 2022. New comment deadline – October 24th, 2022.

Request for Comments Concerning the Imposition of Emerging Technology Export Controls on Instruments for the Automated Chemical Synthesis of Peptides. OIRA approves BIS request for information. Pull Quote from Unified Agenda: “The Bureau of Industry and Security (BIS) has identified instruments for the automated synthesis of peptides (automated peptide synthesizers) for evaluation as a potential emerging technology, consistent with the interagency process described in the Export Control Reform Act of 2018 (ECRA), and is seeking public comments on the potential uses of this technology, particularly with respect to its impact on U.S. national security”.

EPA Publishes 60-day ICR Notice for RMP Revisions

The EPA published a 60-day information collection request (ICR) notice in Monday’s (available on line yesterday) Federal Register (87 FR 52764-52765) for a new ICR for “Accidental Release Prevention Requirements: Risk Management Programs Under Section 112(r) of the Clean Air Act, as Amended; Safer Communities by Chemical Accident Prevention”.

The ICR notice does not provide any details about the proposed changes to the RMP regulations beyond noting:

“The proposed revisions seek to improve chemical process safety, assist in planning, preparedness, and responding to RMP accidents, and improve public awareness of chemical hazards at regulated sources. To accomplish this, these proposed provisions include several changes to the accident prevention program requirements, enhancements to the emergency preparedness requirements, increased public availability of chemical hazard information, and several other changes to certain regulatory definitions or points of clarification.”

The notice does provide the following burden estimate information without any supporting explanation:

• Estimated number of respondents - 14,226,

• Frequency of response – on occasion,

• Estimated hourly response burden - 797,642 hours (per year), and

• Estimated burden cost - $79,248,522

EPA is soliciting public comments on the ICR. Comments can be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # EPA-HQ-OLEM-2022-0174). Comments should be submitted by October 28th, 2022.

Commentary

I suspect that this ICR will be supporting an EPA notice of proposed rulemaking (NPRM) that was recently approved by the OMB’s Office of Information and Regulatory Affairs. That NPRM has not yet been published in the Federal Register, but there is a page on the EPA website that outlines the rulemaking and provides a link to a pre-publication version of the NPRM.

Typically, these initial ICR requests supporting new rulemakings are included in the NPRM. It will certainly be difficult for anyone to intelligently comment on this ICR notice until the NPRM is published. The pre-publication version of the NPRM does include such a section on pages 188-9, but it does not provide any additional information about how the EPA arrived at these burden estimate numbers. I will not be submitting a copy of this post complaining about that lack of information, as I do not expect that either the EPA or OIRA will do anything to correct the issue. Part of the reason for that is that it is too early in the regulatory process for the estimates to have any real meaning.

Review – Public ICS Disclosures – Week of 8-20-22

This week we have five vendor disclosures from ABB, GE Gas Power (2), HP, and VMware. There is one vendor update from Dell. Finally, there is a researcher report for products from Omron.

ABB Advisory - ABB published an advisory that discusses an improper restriction of operations within the bounds of a memory buffer vulnerability in their ARM600 M2M Gateway.

GE Advisory #1 - GE published an advisory that describes an HTTP request/response splitting vulnerability in their Workstation ST products.

GE Advisory #2 - GE published an advisory that describes a cross-site scripting vulnerability in their Workstation ST products.

HP Advisory - HP published an advisory that describes a denial-of-service vulnerability in their HP PageWide Pro printers.

VMware Advisory - VMware published an advisory that describes a privilege escalation vulnerability in their VMware Tools product.

NOTE: This is being reported as a third-party vulnerability on some Linux distributions by Openwall and Debian. This may show up as a third-party vulnerability in other products.

Dell Update - Dell published an update for their Log4Shell advisory.

Omron Report - The Zero Day Initiative published a report describing a use-after-free vulnerability in the Omron CX-One CX-Programmer module.

 

For more details about these disclosures, including links to third-party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-8-9dc - subscription required.

Saturday, August 27, 2022

Vacation Shorts – 8-27-22

 

Yeah, I am on vacation this week, but like last night’s post on the CISA advisories makes clear, I am still watching the news and my information sources. To keep the wife happy, I will not be writing any in depth articles (well not many….), but I will publish this short note to point at potential items of interest. This is the last day of my vacation, but I am considering continuing the periodic publication of these short posts for stuff that I don’t normally get around to covering here in the blog due to time constraints.

 

The mother of all ‘zero-days’ — immortal flaws in semiconductor chips. Interesting article over on theHill.com looking at the failure of the CHIPS Act to require cybersecurity considerations in supporting new chip manufacturing supported by that bill. Pull quote: “They [0-day chip vulnerabilities] exist because it is impossible for designers and manufacturers to test every possible combination of paths in or out of a device. Zero-days enable destructive cyberattacks on physical systems.” Not a new problem by any measure.

 

CISA's Cyber Info-Sharing Program Didn't Always Deliver, Watchdog Says. Interesting article on DefenseOne.com about DHS OIG report on CISA information sharing problems. Link to report. Pull quote: “Although CISA generally increased the number of AIS participants and number of cyber threat indicators shared and received, the quality of the cyber threat indicators was not adequate for participants to take necessary actions”.

 

OMB Approves CISA Cybersecurity Reporting ANPRM. OIRA approves ‘pre-rule’ submission by CISA. Should be in Federal Register this week.

 

NOTE: I should be publishing my weekly Public ICS Disclosure post tomorrow. It looks like it should be fairly short.

100-day Chemical Cybersecurity Sprint

I missed the Chemical Sector Summit this week because of vacation. I have been, however, receiving lots of questions about the reported 100-day cybersecurity sprint for the chemical sector that was discussed at the Summit. Fortunately, CSPAN televised portions of the day-2 presentations including the ‘fireside chat’ between Director Easterly and Associate Director for Chemical Security Kelly Murray.

At 15:07 into the video Easterly begins a discussion about the strategic priorities for CISA in the coming year. It was in this section of the talk where she noted:

“We were asked last year by the White House to focus on protection of industrial control systems. I think the chemical sector is next in line that we will kick off the 100-day plan, probably later this year. The other thing I'm excited about is cybersecurity goals that reflect both IT and OT and we will be kicking off with some work on chemical sector goals.”

NOTE: Thanks to CSPAN for providing the written text (from close captioning) to accompany the video on their website.

There is still not much information publicly available on this 100-day sprint, but I have learned that the CFATS folks at CISA are not going to be leading this effort. In some ways, that is a disappointment because of their long work with industry in this field. In a larger sense, however, it is understandable because the CFATS program is targeted at just a portion of the chemical industry. It is a large part (44,000 plus facilities have participated to at least some degree), but it is still just a part of the larger chemical picture.

Friday, August 26, 2022

Vacation Shorts – 8-26-22

Yeah, I am on vacation this week, but I am still watching the news and my information sources. To keep the wife happy, I will not be writing any in depth articles (well not many….), but I will publish this short note to point at potential items of interest. No Public ICS Disclosure post tomorrow.

How Resilient is the Natural Gas Grid? Interesting article looking at the control processes for natural gas pipeline systems. Pull quote: “The natural gas grid really is largely self-powered and engineered to keep on working no matter what.” No discussion about cyber vulnerabilities but does point out the critical systems that could be attacked to stop gas flow.

Democrats clash over Manchin side deal, raising shutdown risk. It’s August and the annual government shutdown talk is in full swing – This article looks at one potential controversy that has to be resolved before at least one continuing resolution (CR) can be passed before October 1st. Unfortunately, it is not the only one.

Understanding The South Staffs Water Cyber Attack. Another water system attack article that shows exposure of water processing control systems. Pull quote: “Keep in mind that had they decided to, the attackers could have caused tremendous physical and financial damage, including loss of life.” Does not look at non-cyber systems that should be in place to prevent distribution of tainted water.

Operators of chemical facilities will follow those of electric utilities, gas pipelines and water treatment plants in being asked to facilitate visibility into their systems. Another look at the brief discussion about a potential chemical cybersecurity sprint. Pull quote: “The NIST CSF, as it’s called, allows operators to choose which controls they implement based on the amount of risk they’re willing to accept.” Where physical risk to the public exists (such as at many chemical facilities), perhaps someone other than the company should be making the acceptable-risk decision; see the CFATS program.

DHS rulemakings of concern currently under OMB review (oldest submissions first):

• Vetting of Certain Surface Transportation Employees - 1652-AA69,

• Request for Information on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 - 1670-ZA00,

• TWIC--Reader Requirements; Second Delay of Effective Date - 1625-AC80,

• Homeland Security Acquisition Regulation: Safeguarding of Controlled Unclassified Information (HSAR Case 2015-001) - 1601-AA76

Thursday, August 25, 2022

Vacation Shorts – 8-25-22

Yeah, I am on vacation this week, but I am still watching the news and my information sources. To keep the wife happy, I will not be writing any in depth articles (well not many….), but I will publish this short note to point at potential items of interest. [Corrected date in title - 8-26-22 20:42 EDT]

No Cyber Insurance Payout For Attacks By State or State-Supported Actors – Interesting Substack article – Pull Quote: “Therefore, our predilection to blame every significant cyber attack on either a nation state or a nation state sponsored, supported, or affiliated actor has continued and blossomed because there’s everything to gain and nothing to lose.”

Biden administration to address cybersecurity issues faced by chemical sector – Interesting article about ‘announcement’ out of this week’s Chemical Sector Summit (which I have missed because of this vacation) – I have had some folks asking me about this – Maybe next week if I can get some more detailed information –

Review - 1 Advisory Published – 8-25-22

Today, CISA’s NCCIC-ICS published a control system security advisory for products from FATEK. I also take a down-the-rabbit-hole look at similar vulnerabilities in the same FATEK product.

FATEK Advisory - This advisory describes an out-of-bounds write vulnerability in the FATEK FvDesigner software.

 

For more details about this advisory, and a down-the-rabbit-hole look at similar vulnerabilities in the same FATEK product – see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-published-8-25-22 - subscription required.

Wednesday, August 24, 2022

Vacation Shorts – 8-24-22

Yeah, I am on vacation this week, but like last night’s post on the CISA advisories makes clear, I am still watching the news and my information sources. To keep the wife happy, I will not be writing any in depth articles (well not many….), but I will publish this short note to point at potential items of interest.

Explosion injures two at oil recycling plant – Articles here, here, and here

Interesting couple of phrases in the first article caught my attention – “a [50-gallon] recycling expansion tank” and “using a unique internal processing technology”.

CISA Announces CSAC Meeting – 9-11-22 – Federal Register Notice – Subcommittee reports - (1) Building Resilience and Reducing Systemic Risk to Critical Infrastructure Subcommittee, (2) Transforming the Cyber Workforce Subcommittee; (3) National Cybersecurity Alert System Subcommittee; (4) Protecting Critical Infrastructure from Misinformation and Disinformation Subcommittee; (5) Turning the Corner on Cyber Hygiene Subcommittee, (6) Transforming the Cyber Workforce Subcommittee, (7) Communications Subcommittee.

PHMSA Publishes Pipeline Safety Final Rule – 2010 San Bruno incident response – Federal Register Notice.

Industry sets cyber standards for cars and trucks and things that go (unmanned) – Articles here – Press release here – Can we agree to use something like ‘self-guided’ or ‘autonomous’ instead of ‘unmanned’?

Tuesday, August 23, 2022

Review – 6 Advisories and 1 Update Published – 8-23-22

Today, CISA’s NCCIC-ICS published six control system security advisories for products from Hitachi Energy, Measuresoft (2), mySCADA, Delta Industrial Automation, and ARC. They also updated an advisory for products from Illumina.

Hitachi Energy Advisory - This advisory describes a stack-based buffer overflow vulnerability in the Hitachi Energy RTU500 series CMU Firmware.

NOTE: I briefly discussed this vulnerability on July 2nd, 2022.

Measuresoft Advisory #1 - This advisory describes five vulnerabilities in the Measuresoft ScadaPro Server and Client.

Measuresoft Advisory #2 - This advisory describes an out-of-bounds write vulnerability in the Measuresoft ScadaPro Server. The

MySCADA Advisory - This advisory describes a command injection vulnerability in the mySCADA myPRO HMI/SCADA system.

Delta Advisory - This advisory describes a use of hard-coded credentials vulnerability in the Delta DIALink server.

ARC Advisory - This advisory describes a cleartext storage of sensitive information vulnerability in the ARC PcVue OAuth web service.

NOTE: I briefly described this vulnerability on August 13th, 2022.

Illumina Update - This update provides additional information on an advisory that was originally published on June 2nd, 2022 (not 6-22-22 as reported in the update).


For more details about these advisories and update, including links to researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/6-advisories-and-1-update-published - subscription required.

Saturday, August 20, 2022

Review – Public ICS Disclosure – Week of 8-13-22

This week we have ten vendor disclosures from Aruba Networks, Aveva, Broadcom, Flexera, GE Grid Solutions, QNAP (2), Softing and WAGO (2). There are five vendor updates from B&R, Mitsubishi Electric, Palo Alto Networks, and Schneider (2). We also have a researcher report for products from Boeing. Finally, we have four exploits for products from Palo Alto Networks, FLIR (2), and Advantech.

Aruba Advisory - Aruba published an advisory that describes a sensitive information disclosure vulnerability in their Virtual Internet Access client for Windows.

Aveva Advisory - Aveva published an advisory that describes six vulnerabilities in their Edge product (formerly Indusoft Web Studio).

NOTE: Aveva reports that the vulnerabilities were coordinated through ‘ICS-CERT’ and ZDI, so I expect that there will be an NCCIC-ICS advisory next week.

Broadcom Advisory - Broadcom published an advisory that discusses an OS command injection vulnerability in their SANnav products.

Flexera Advisory - Revenera published an advisory that discusses two vulnerabilities in their FlexNet Publisher.

GE Grid Advisory - GE published an advisory for their Reason S20 product.

QNAP Advisory #1 - QNAP published an advisory that discusses seven vulnerabilities in their NAS products.

QNAP Advisory #2 - QNAP published an advisory that discusses five vulnerabilities in their NAS products.

Softing Advisory - Softing published an advisory that discusses five vulnerabilities in their OPC UA .NET SDK products.

WAGO Advisory #1 - CERT-VDE published an advisory that discusses six vulnerabilities in multiple WAGO product families.

WAGO Advisory #2 - CERT-VDE published an advisory that discusses four vulnerabilities in multiple WAGO product families.

B&R Update - B&R published an update for their Project Upload advisory that was originally published on January 20th, 2022.

Mitsubishi Update - Mitsubishi published an update for their OpenSSL advisory that was originally published on August 2nd, 2022.

Palo Alto Networks Update - Palo Alto Networks published an update for their PAN-OS advisory that was originally published on August 10th, 2022.

Schneider Update #1 - Schneider published an update for their OPC UA advisory that was originally published on July 12th, 2022 and most recently updated on August, 9th, 2022.

Schneider Update #2 - Schneider published an update for their APC Smart-UPS advisory that was originally published on March 8th, 2022 and most recently updated on July 12th, 2022.

Boeing Report - Pen Test Partners published a report describing two vulnerabilities in the Boeing Onboard Performance Tool (OPT).

Palo Alto Networks Exploit - UnD3sc0n0c1d0 published an exploit for an OS command injection vulnerability in the Palo Alto PAN-OS.

FLIR Exploit #1 - Samy Younsi published an exploit for a remote command execution vulnerability in the FLIR AX8 thermal imaging camera.

FLIR Exploit #2 - Samy Younsi and Thomas Knudsen published an exploit for three vulnerabilities in the FLIR AX8 thermal imaging camera.

Advantech Exploit - Rgod, Shelby Pace, and Y4er published a Metasploit module for a command injection vulnerability in the Advantech iView NetworkServlet.


For more details about these disclosures, including links to 3rd party advisories, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosure-week-of-8-13 - subscription required.

Friday, August 19, 2022

CG Publishes Meeting Notice for NMSAC – 9-13-22

Today, the Coast Guard published a meeting notice in the Federal Register (87 FR 51117-51118) for a 2-day virtual meeting of the National Maritime Security Advisory Committee on September 13th and 14th, 2022. The meeting will be open to the public.

The agenda includes a discussion of the following assigned tasks:

• Task T-2021-2: Provide input to support further development of the Maritime Cyber Risk Assessment Model,

• Task T-2022-4: Transportation Worker Identification Credential (TWIC) Reader Program, and

• Task T-2022-5: Working Group on Cybersecurity Information Sharing.

Personnel wishing to participate in the meeting may contact Ryan Owens via email at ryan.f.owens@uscg.mil. Personnel wishing to provide written comments on the topics to be discussed can submit them via the Federal eRulemaking Portal at www.Regulations.gov, Docket # USCG-2022-0574.

Thursday, August 18, 2022

OMB Approves CFATS ICR Revision – 8-17-22

Yesterday the OMB’s Office of Information and Regulatory Affairs announced that it had approved an information collection request from CISA on the “Chemical Facility Anti-Terrorism Standards (CFATS)”. The 60-day ICR Notice was published on March 23rd, 2021, and the 30-day ICR Notice was published (corrected version) on June 29th, 2021.

This is one of four ICRs covering various portions of the CFATS program. It addresses the following information collection documents:

• Request for Redetermination,

• Request for Extension,

• Top-Screen Update,

• Compliance Assistance, and

• Declaration of Reporting Status.

The changes in burden estimate were not caused by any programmatic changes. Instead, they arose from:

• Minor revisions to all five instruments that reflect the passage of the Cybersecurity and Infrastructure Security Act of 2018, 6 U.S.C. §§ 651-74, such as updating the Agency name to conform with the Agency’s new designation as CISA, as well as providing clearer descriptions of the scope of each instrument. CISA is not proposing changes to the scope of any instrument.

• Updated the number of respondents for all instruments based on historical data collected related to these instruments between CY2018 and CY2021.

• Updated the number of responses per respondent for two instruments (i.e., Request for an Extension and Compliance Assistance) based on historical data collected between CY2018 and CY2020.

• An increase of the annual reporting and recordkeeping hour and cost burden due to an increase in the respondent wage rate from $79.75/hour to $85.82/hour, which is based on updated Bureau of Labor Statistics (BLS) data.

• An increase of the overall total annual operating cost to the Federal Government for this collection from $957,562 to $1,001,189 based on the projected costs for Government Full-time Equivalent (FTE) salaries that are reflected in the Office of Personnel Management’s (OPM) 2020 General Schedule Locality Pay Table.

Review - OMB Approves TSA Pipeline Cybersecurity ICR Update

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an information collection request extension from TSA on “Pipeline Operator Security Information” (OMB Control Number 1652-0055). The 60-day ICR Notice was published on June 30th, 2022 and the 30-day ICR Notice was published on October 14th, 2022.

This extension was required by OIRA’s approval of an emergency revision to this ICR back in May, 2021 supporting the changes in pipeline reporting requirements in Security Directive 1 (SD1). No changes were made in pipeline security reporting requirements in this extension; this is just a formal reporting of those program changes made in the emergency revision. There is, however, a change in the burden estimate for the changes previously made, since TSA did not provide an estimate of the burden change in their emergency revision request.


For more details on the approved ICR, including my commentary on the estimate of time necessary to collect and report the required information on cybersecurity incidents – see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/omb-approves-tsa-pipeline-cybersecurity - subscription required.

Review – 5 Updates Published – 8-18-22

Today, CISA’s NCCIC-ICS published five control system security updates for products from Siemens (3) and Mitsubishi (2).

Siemens Update #1 - This update provides additional information on the Siemens Linux Products advisory that was originally published on May 11th, 2021 and most recently updated on August 11th, 2022.

NOTE: These products were added to the Siemens advisory last week, which was the same version upon which the last NCCIC-ICS update (Update H) was based.

Siemens Update #2 - This update provides additional information on the Siemens Industrial Products advisory that was originally published on July 11th, 2021 and most recently updated on August 11th, 2022.

NOTE: These products were added to the Siemens advisory last week, which was the same version upon which the last NCCIC-ICS update (Update C) was based.

Siemens Update #3 - This update provides additional information on the Siemens OpenSSL advisory that was originally published on June 16th, 2022 and most recently updated on July 14th, 2022.

NOTE: This is one of the NCCIC-ICS ‘not updated’ advisories that I discussed last Sunday.

Mitsubishi Update #1 - This update provides additional information on the Mitsubishi Multiple Factory Automation Products advisory that was originally published on August 9th, 2022.

Mitsubishi Update #2 - This update provides additional information on the Mitsubishi MELSEC iQ-R, Q, L Series advisory that was originally published on June 21st, 2022.


For more information about these updates, including a discussion of the management of change problems (not NCCIC-ICS problems) that led to two of the Siemens updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-updates-published-8-18-22 - subscription required.

BIS Sends Bio-Toxins NPRM to OMB

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking from the DOC’s Bureau of Industry and Security (BIS) for “Implementation of Australia Group Decisions (November 2021 and March 2022 Virtual Implementation Meetings; July 2022 Plenary): Controls on Marine Toxins, Plant Pathogens and Biological Equipment”.

According to the abstract in the Spring 2022 Unified Agenda:

“The Bureau of Industry and Security (BIS) has identified four naturally occurring, dual-use, biological toxins for evaluation as a potential emerging technology, consistent with the interagency process described in Section 1758 of the Export Control Reform Act of 2018 (ECRA) (50 U.S.C. 4801-4852), as codified under 50 U.S.C. 4817.  These toxins have the potential (through either accidental or deliberate release) to cause casualties in humans or animals, degrade equipment, or damage crops or the environment.  Furthermore, they are now capable of being more easily isolated and purified due to novel synthesis methods and equipment.  Consequently, the absence of export controls on these toxins could be exploited for biological weapons purposes.  To address this concern, BIS proposes to amend the Commerce Control List (CCL) by adding these toxins to Export Control Classification Number (ECCN) 1C351.  This rule requests public comments to ensure that the scope of these proposed controls will be effective and appropriate (with respect to their potential impact on legitimate commercial or scientific applications).”

Commentary

I am not planning on expanding the scope of this blog to cover bioweapons, but there are two interesting points here. First, BIS talks about “more easily isolated and purified due to novel synthesis methods and equipment”. This is talking about chemical manufacturing, at least where any output of meaningful scale is concerned. Second, BIS is concerned about using these toxins to “cause casualties in humans or animals, degrade equipment, or damage crops or the environment”. Since these are not infectious agents, this would effectively be chemical warfare if done deliberately, making these toxins potential chemical agents.

So, would this make these chemicals chemical warfare agents and thus make the facilities that produce them subject to the Chemical Facility Anti-Terrorism Standards (CFATS)? Technically, not unless they are added to the Appendix A list of DHS Chemicals of Interest (COI). And that is not likely unless the chemicals are added to the lists in the Chemical Warfare Treaty. Similarly, CFATS program participation is also triggered by holding inventory of key chemical precursors to chemical weapons. Somewhere down the road, someone at CISA is going to need to decide if these are significant enough to trigger a revision to Appendix A. But, mark my words, if they do, this will have been the starting point for that initiative.

Wednesday, August 17, 2022

Review - S 4687 Introduced – DHS-DOJ Counter UAS Authority

Last month, Sen Peters (D,MI) introduced S 4687, the Safeguarding the Homeland from the Threats Posed by Unmanned Aircraft Systems Act of 2022. The bill would replace 6 USC 124n, Protection of Certain Facilities and Assets from Unmanned Aircraft, with a new version that extends and expands the authority given to DHS and DOJ to conduct limited counter UAS operations. No funding authorization is provided in the bill.

Moving Forward

Peters is the Chair, and Sen Portman (R,OH) (one of five cosponsors) is the Ranking Member, of the Senate Homeland Security and Governmental Affairs Committee to which this bill was assigned for consideration. This certainly means that there should be sufficient influence to see this bill considered in Committee. While industry would be expected to support the expansion of the authorized counter-UAS operations, there may still be some opposition to this bill from Senators that have concerns about weakening the general protection of aircraft in the national airspace. I would expect that those concerns would be worked out before the bill is considered in Committee.

The current authority for DHS and DOJ counter-drone operations expires on October 5th, 2022. I do not expect that this bill will make it to the President’s desk by that date. In fact, I expect that this bill will be rolled into the National Defense Authorization Act or the year-end spending bill. There may be a short-term extension of the authority in the meantime.

Commentary

The provisions in this bill authorizing counter-UAS operations at private sector facilities are rather broad and vague. The one key restriction that should be noticed, however, is that actions can only be undertaken at facilities designated by the Secretary of DHS or the Attorney General. As an expansion of existing authority, I think that there should be an additional limitation: it should only apply to facilities which are regulated for physical security by a federal agency. This would allow closer supervision of counter-drone operations by federal authorities.

We could implement this restriction by changing the wording of §1624n(a)(5)(C)(iii)(IV) to read:

“(IV) the provision of security or protection support to critical infrastructure owners or operators upon the request of the owner or operator, for static critical infrastructure facilities and assets for which federal regulations exist to oversee the physical security of the facility; requests to the Secretary or Attorney General for such activities would be made through the oversight agency;”


For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-4687-introduced - subscription required.

Tuesday, August 16, 2022

Review – 7 Advisories and 1 Update Published – 8-16-22

Today, CISA’s NCCIC-ICS published seven control system security advisories for products from Sequi, Emerson, B&R, Delta Industrial, Softing, LS Industrial Systems, and Yokogawa. They also updated an advisory for products from Siemens.

Sequi Advisory - This advisory describes two vulnerabilities in the Sequi PortBloque S serial Modbus firewall.

Emerson Advisory - This advisory describes six vulnerabilities in the Emerson Proficy Machine Edition.

B&R Advisory - This advisory describes an improper input validation vulnerability in the B&R Automation Studio PLC programming software.

NOTE: While this vulnerability was discussed in the Evil PLC Attack paper, it was originally reported by B&R on January 20th, 2022 which I reported earlier. B&R updated their advisory this week, adding a reference to the Evil PLC Attack paper.

Delta Advisory - This advisory describes an improper restriction of XML external entity reference vulnerability in the Delta DRAS controller software suite.

Softing Advisory - This advisory describes nine vulnerabilities in the Softing Secure Integration Server.

LS Industrial Advisory - This advisory describes an inadequate encryption strength vulnerability in the LS Industrial LS ELEC PLC and XG5000.

Yokogawa Advisory - This advisory describes a resource management errors vulnerability in the Yokogawa CENTUM VP/CS 3000 Controller FCS products.

NOTE: I briefly reported this vulnerability on July 30th, 2022.

Siemens Update - This update provides additional information on an advisory that was originally published on May 12th, 2022 and most recently updated on July 12th, 2022.

NOTE: I briefly reported this update on Sunday.


For more details about these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/7-advisories-and-1-update-published-589 - subscription required.

DHS Sends Safeguarding CUI HSAR Final Rule to OMB

Yesterday, OMB’s Office of Information and Regulatory Affairs announced that it had received a final rule from DHS on “Homeland Security Acquisition Regulation: Safeguarding of Controlled Unclassified Information (HSAR Case 2015-001)”. The notice of proposed rulemaking (NPRM) for this action was published on January 19th, 2017.

According to the listing for this rulemaking in the Spring 2022 Unified Agenda:

“This Homeland Security Acquisition Regulation (HSAR) rule would implement security and privacy measures to ensure Controlled Unclassified Information (CUI), such as Personally Identifiable Information (PII), is adequately safeguarded by DHS contractors. Specifically, the rule would define key terms, outline security requirements and inspection provisions for contractor information technology (IT) systems that store, process or transmit CUI, institute incident notification and response procedures, and identify post-incident credit monitoring requirements.”

This rulemaking would amend existing HSAR regulations in 48 CFR Parts 3001, 3002, 3004, and 3052. Interestingly, a recent yet separate FAR regulation NPRM updating CUI requirements for DOD, GSA, and NASA that had been sent to OMB was withdrawn.

Monday, August 15, 2022

Review - S 4664 Introduced – FY 2023 CJS Spending

Last month, Sen Shaheen (D,NH) introduced S 4664, the Commerce, Justice, Science, and Related Agencies Appropriations Act, 2023. The Senate Appropriations Committee has not reported on the bill. The bill contains the same two internal agency cybersecurity spending provisions found in HR 8256 that was reported in the House as well as the cyberthreat assessment requirements for medium- and high-impact information systems.

Moving Forward

HR 8256 was not rolled into the HR 8294 minibus that was passed in the House last month. It is unlikely that the House will take up HR 8256 before the end of the fiscal year. Since the House is constitutionally required to ‘initiate’ spending bills, the Senate is unlikely to try to take up S 4664 without House approval of HR 8256. The Senate Appropriations Committee will use the language of this bill as the starting point for their negotiations with the House Appropriations Committee on the CJS Division of the end-of-year spending bill.


For more details on the provisions of the bill, see my article at CFSN Detailed 

Styrene Rail Shipping Problems

There is an interesting (and well written) article over on OCRegister.com about an ongoing incident with a styrene railcar in Southern California. The car started heating up, presumably from a self-polymerization reaction, and vented styrene fumes into the neighborhood around the railyard. Styrene is a central nervous system depressant (a ‘huffing’ problem in the 70s) and a known carcinogen, so there are potential long-term health effects. More importantly, the material is flammable, and the outgassing from the safety venting on the railcar poses a danger of fire and/or explosion if the gas reaches an ignition source.

Styrene is an important monomer, that is, a chemical that reacts with itself to form long chains of molecules. While some monomers require the addition of a special chemical to initiate the polymerization reaction, styrene is one of a class of monomers that self-react so readily that a chemical has to be added to inhibit the reaction from taking place. Even with that inhibitor in place, reactions between styrene molecules continue to take place, normally at a very low rate.

The problem with this polymerization reaction is that it is exothermic: it produces heat. As the styrene temperature starts to increase, the rate of reaction begins to accelerate. The faster reaction produces more heat more quickly, reinforcing that acceleration. In a chemical manufacturing process a number of things can be done to control that reaction rate: cooling can be applied, diluents can be added, air can be introduced, and other, slower reacting monomers can be added. Unfortunately, none of this is much use in a railcar.

To protect the public from the effects of a runaway reaction in a railcar during shipment, DOT requires that there is a minimum level of inhibitor present in the styrene, that the styrene is loaded below a certain temperature, that the rail car be insulated from outside heat addition, and only allows the car to be in transit for a limited period of time. That way, there is only a very minor chance of the polymerization reaction proceeding to the point where it becomes a hazardous self-accelerating reaction.

According to the article, this railcar had been in transit for 50 days; the DOT limit is 45. There is a safety margin in the DOT rules, so that should not be the sole issue driving this incident. While the tank is insulated to protect against outside heating, unusually high temperatures while in transit could have increased the temperature of the product enough to raise the reaction rate. That needs further study; as we expect to see more widespread high temperatures in the future, DOT might need to reduce its transit time standards. Additional things that need to be looked at include the inhibitor level in the loaded styrene, the loading temperature, and the oxygenation of the material prior to loading. Similar railcars loaded at the same time and place should be checked for evidence of heating.

It will be interesting to see if the longer transit time for this shipment is the result of the railroad service issues that the Surface Transportation Safety Board has been investigating.

Another interesting issue here is who investigates the incident. It will not be the Chemical Safety Board; they only investigate incidents at stationary facilities. This falls under the purview of the National Transportation Safety Board (NTSB). I am not sure what triggers an investigation by that body, but there could be potentially systemic issues at play here, so this deserves their attention.

Sunday, August 14, 2022

Review - Problems with Vulnerability Information Sharing – 8-14-22

For a couple of years now, I have been doing a weekly blog post (more frequently lately, a multi-part blog post) looking briefly at industrial control (and medical device) security vulnerability disclosures by vendors and researchers. Generally, I try to keep this separate from my highlighting vulnerabilities disclosures by CISA’s NCCIC-ICS, if for no other reason than to keep down the amount of time I spend on the post. Recently, however, I have been seeing an increasing problem with the information sharing that goes into keeping the NCCIC-ICS advisories up to date. Today the problem became egregious enough that I need to look at it in some detail to show the depth of the problem.


This discussion is better done on my CFSN Detailed Analysis site, but it is so important that I do not think that it belongs behind a paywall. So, I will publish this article there - https://patrickcoyle.substack.com/p/problems-with-vulnerability-information - with free public access.

Review – Public ICS Disclosures – Week of 8-6-22 – Part 2

For Part 2 we have 36 vendor updates from BD (3), CONTEC, HP, Schneider (7), and Siemens (24).

BD Update #1 - BD published an update for their BD Alaris™ 8015 PC Unit advisory that was originally published on November 12th, 2022, and most recently updated on March 15th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSMA-20-317-01) for this information.

BD Update #2 - BD published an update for their Interpeak IPNET TCP/IP stack advisory that was originally published on October 1st, 2019.

BD Update #3 - BD published an update for their Alaris PC Unit PCU model 8015 advisory that was originally published on February 7th, 2017 and most recently updated on March 16th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSMA-17-017-02) for this information.

CONTEC Update - JP-CERT published an update for the CONTEC Solar View Compact advisory that was originally published on July 27th, 2022.

HP Update - HP published an update for their Security Manager and Web Jetadmin advisory that was originally published on January 31st, 2022 and most recently updated on May 3rd, 2022.

Schneider Update #1 - Schneider published an update for their Log4Shell Advisory.

Schneider Update #2 - Schneider published an update for their Embedded FTP Servers advisory that was originally published on March 22nd, 2018 and most recently updated on April 12th, 2022.

Schneider Update #3 - Schneider published an update for their Modicon Controllers advisory that was originally published on September 26th, 2019 and most recently updated on April 15th, 2021.

Schneider Update #4 - Schneider published an update for their EcoStruxure Control Expert advisory that was originally published on July 13th, 2021 and most recently updated on July 12th, 2022.

Schneider Update #5 - Schneider published an update for their Modicon PAC Controllers advisory that was originally published on August 10th, 2021.

Schneider Update #6 - Schneider published an update for their BadAlloc advisory that was originally published on November 9th, 2021 and most recently updated on June 15th, 2022.

Schneider Update #7 - Schneider published an update for their OPC UA and X80 Advanced RTU advisory that was originally published on July 12th, 2022.

Siemens Update #1 - Siemens published an update for their UMC Component advisory that was originally published on July 14th, 2020 and most recently updated on July 13th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-20-196-05) for this information.

Siemens Update #2 - Siemens published an update for their OpenSSL advisory that was originally published on April 14th, 2014 and most recently updated on June 14th, 2022.

Siemens Update #3 - Siemens published an update for their RUGGEDCOM advisory that was originally published on March 10th, 2022 and most recently updated on June 14th, 2022.

NOTE: NCCIC-ICS did not update their advisory (ICSA-22-069-01) for this information.

Siemens Update #4 - Siemens published an update for their Libcurl advisory that was originally published on May 12th, 2022, and most recently updated on June 14th, 2022.

NOTE: NCCIC-ICS did update their advisory (ICSA-22-132-13) but did not list the update on their advisory page, so I did not cover it on Friday.

Siemens Update #5 - Siemens published an update for their SIMATIC WinCC advisory that was originally published on February 10th, 2022 and most recently updated on May 10th, 2022.

NOTE: NCCIC-ICS did update their advisory (ICSA-22-041-02) but did not list the update on their advisory page, so I did not cover it on Friday.

Siemens Update #6 - Siemens published an update for their OpenSSL advisory that was originally published on June 16th, 2022 and most recently updated on July 12th, 2022.

NOTE: NCCIC-ICS did not update their advisory (ICSA-22-167-14) for this information.

Siemens Update #7 - Siemens published an update for their Log4Shell advisory.

Siemens Update #8 - Siemens published an update for their SIMATIC advisory that was originally published on July 13th, 2021 and most recently updated on July 14th, 2022.

NOTE: NCCIC-ICS did update their advisory (ICSA-21-194-06) but did not list the update on their advisory page, so I did not cover it on Friday.

Siemens Update #9 - Siemens published an update for their Industrial Products advisory that was originally published on March 20th, 2018 and most recently updated on June 14th, 2022.

Siemens Update #10 - Siemens published an update for their Wibu CodeMeter advisory that was originally published on November 9th, 2021 and most recently updated on January 11th, 2022.

Siemens Update #11 - Siemens published an update for their SIMATIC advisory that was originally published on July 12th, 2022.

NOTE: NCCIC-ICS did not update their advisory (ICSA-22-195-15) for this information.

Siemens Update #12 - Siemens published an update for their SIMATIC NET CP advisory that was originally published on March 8th, 2022 and most recently updated on June 14th, 2022.

Siemens Update #13 - Siemens published an update for their SIMATIC S7-300 advisory that was originally published on November 10th, 2020 and most recently updated on August 10th, 2021.

NOTE: NCCIC-ICS did not update their advisory (ICSA-20-315-04) for this information.

Siemens Update #14 - Siemens published an update for their Industrial Products advisory that was originally published on December 10th, 2019 and most recently updated on June 14th, 2022.

Siemens Update #15 - Siemens published an update for their PROFINET advisory that was originally published on October 10th, 2019 and most recently updated on February 8th, 2022.

Siemens Update #16 - Siemens published an update for their PROFINET advisory that was originally published on April 14th, 2022 and most recently updated on July 12th, 2022.

NOTE: NCCIC-ICS did update their advisory (ICSA-22-104-06) but did not list the update on their advisory page, so I did not cover it on Friday.

Siemens Update #17 - Siemens published an update for their GNU/Linux advisory that was originally published in 2018 and most recently updated on July 12th, 2022.

Siemens Update #18 - Siemens published an update for their SIMATIC S7 CPU advisory that was originally published on February 11th, 2020 and most recently updated on April 14th, 2020.

NOTE: NCCIC-ICS did not update their advisory (ICSA-20-042-05) for this information.

Siemens Update #19 - Siemens published an update for their JT2Go and Teamcenter advisory that was originally published on July 12th, 2022.

Siemens Update #20 - Siemens published an update for their Insyde Bios advisory that was originally published on February 22nd, 2022 and most recently updated on July 12th, 2022.

Siemens Update #21 - Siemens published an update for their OPC UA advisory that was originally published on May 12th, 2022 and most recently updated on July 12th, 2022.

Siemens Update #22 - Siemens published an update for their OpenSSL advisory that was originally reported on July 13th, 2021 and most recently updated on July 12th, 2022.

Siemens Update #23 - Siemens published an update for their SIMATIC S7-1200 advisory that was originally published on December 10th, 2019, and most recently updated on March 12th, 2020.

NOTE: NCCIC-ICS did update their advisory (ICSA-19-344-06) but did not list the update on their advisory page, so I did not cover it on Friday.

Siemens Update #24 - Siemens published an update for their SIMATIC S7-400 advisory that was originally published on November 13th, 2018, and most recently updated on February 10th, 2020.

NOTE: NCCIC-ICS did not update their advisory (ICSA-18-317-02) for this information.


For more details about these updates, including a summary of the changes made, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-8-0ca - subscription required.
