Wednesday, March 22, 2023

Short Takes – 3-22-23

State of ICS Cybersecurity and Critical Infrastructure: Half empty, Half full, or Stay Focused on the Quest? SCADAMag.Infracritical.com post. Pull quote: “If one looks back one cannot deny that we are not in the same state the community was in 2010.  We are no longer surprised, we know what is going on.  The problem has been recognized and informed measures are being taken and best practices are being made available.  The last bit of work left is to get the decision makers in the policy community to “get it”.  They cannot do it with the IT computer science bias they tend to have.  This gap can only be bridged if they start reaching out for help from the community (and vice versa).  I am not thinking of ICS security solution providers.  They are part of the community of course, but what is needed is for the engineering part to start leveraging their expertise about the physical process so we focus on things like protecting PLC’s and not baby monitors.  As I often say “…It is worrying when the engineering community that is running the power grid, petrochemical plants, and water systems is not represented.””

Emergency Escape Breathing Apparatus Standards. Federal Register FRA notice of proposed rulemaking. Summary: “FRA is proposing to amend its regulations related to occupational noise exposure in three ways. First, in response to a Congressional mandate, FRA is proposing to expand those regulations to require that railroads provide an appropriate atmosphere-supplying emergency escape breathing apparatus to every train crew member and certain other employees while they are occupying a locomotive cab of a freight train transporting a hazardous material that would pose an inhalation hazard in the event of release during an accident. Second, FRA is proposing to change the name of this part of its regulations from “Occupational Noise Exposure” to “Occupational Safety and Health in the Locomotive Cab” to reflect the additional subject matter of this SNPRM and to make other conforming amendments. Third, FRA is proposing to remove the provision stating the preemptive effect of this part of FRA's regulations because it is unnecessary.”  Comment due date – June 20th, 2023.

Hazardous Materials: Information Collection Activities. Federal Register PHMSA 60-day ICR Renewal Notice.

Hazardous Materials Incident Reports - OMB Control Number: 2137-0039,

Cargo Tank Motor Vehicles in Liquefied Compressed Gas Service - OMB Control Number: 2137-0595, and

Inspection and Testing of Meter Provers - OMB Control Number: 2137-0620

Comment due date – May 22nd, 2023.

Review - HR 1367 Introduced – Water System Threats

Earlier this month, Rep Schakowsky (D,IL) introduced HR 1367, the Water System Threat Preparedness and Resilience Act of 2023. The bill would require the EPA to carry out a program to support, and encourage participation in, the Water Information Sharing and Analysis Center (W-ISAC). The legislation would authorize $10-million for FY 2024 and FY 2025 to support this initiative.

Moving Forward

Schakowsky is not a member of the House Transportation and Infrastructure Committee to which this bill was assigned for primary consideration, but she is a member of the House Energy and Commerce Committee to which this bill was assigned for secondary consideration. This means that she may have sufficient influence to see the bill considered in that Committee. Unfortunately, without influence in the T&I Committee, this bill has little chance of moving forward.

I see nothing in this bill that would engender any organized opposition beyond the $10-million authorized. I would expect that there would be some Republican opposition to the additional spending, but support for local water treatment facilities will frequently overcome such philosophical opposition. This bill would probably receive some level of bipartisan support.

Commentary

While the undefined term ‘malevolent acts’ used in §2(b)(4)(B) would certainly seem to include cyber incursions or attacks, I would prefer to see cybersecurity specifically addressed. To that end, I would suggest changing subparagraph (B) to read:

“(B) enhancing the preparedness of community water systems and publicly owned treatment works to identify, protect against, detect, respond to, and recover from cybersecurity threats (as defined in 6 USC 1501), malevolent acts (within the meaning of section 1433 of the Safe Drinking Water Act (42 U.S.C. 300i–2)) or natural hazards.”

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-1367-introduced - subscription required.

Bills Introduced – 3-21-23

Yesterday, with the Senate in Washington and the House meeting in pro forma session, there were 60 bills introduced. Five of those bills will receive additional coverage in this blog:

HR 1674 To enhance safety requirements for trains transporting hazardous materials, and for other purposes. Deluzio, Christopher R. [Rep.-D-PA-17]

S 885 A bill to establish a Civilian Cybersecurity Reserve in the Department of Homeland Security as a pilot project to address the cybersecurity needs of the United States with respect to national security, and for other purposes. Rosen, Jacky [Sen.-D-NV]

S 896 A bill to authorize Counter-UAS activities on and off commercial service airport property, and for other purposes. Lee, Mike [Sen.-R-UT] 

S 903 A bill to require the Secretary of the Army to carry out a pilot project to establish a Civilian Cybersecurity Reserve, and for other purposes. Rosen, Jacky [Sen.-D-NV]

S 905 A bill to prescribe zoning authority with respect to commercial unmanned aircraft systems and to preserve State, local, and Tribal authorities and private property with respect to unmanned aircraft systems, and for other purposes. Lee, Mike [Sen.-R-UT] 

Tuesday, March 21, 2023

Short Takes – 3-21-23

Lots of cyber security companies are going to fail this year. Twitversation. Don’t know a lot about Andrew, but this sounds prescient. Pull quote: “All of those companies at the RSA and Blackhat vendor hall with gigantic booths that claim to solve problems that you as a security person ask constantly yourself: "is this really a problem???" have the largest targets on them and will represent the majority of companies that fail. The failures will start in earnest approximately 12 months after it became clear that money was expensive again (12 months from summer of 2022, which puts the crunch time at this summer). The failures will likely continue for at least one full year and slow down around summer of '24.”

Director Easterly Announces New Members to Join CISA's Cybersecurity Advisory Committee. CISA.gov press release. Pull quote: ““I am thrilled to welcome our newest members, who bring a wealth of experience from across government and industry,” said CISA Director Jen Easterly. “Chosen for their deep expertise in critical infrastructure, cybersecurity, and governance, these members will add important new perspectives to the CSAC’s work, particularly given this year’s additional focus on corporate cyber responsibility, technology product safety, and efforts to raise the cyber hygiene baseline of ‘target rich-cyber poor’ entities like hospitals, K-12 school districts, and water utilities. The insight and counsel to date from our existing members have been instrumental in our evolution as America’s Cyber Defense Agency, and I couldn’t be more excited for tomorrow’s meeting with our new members.””

Journalist opens USB letter bomb in newsroom. BBC.com article. Which would be worse in a USB attack, a small bomb or a worm/trojan? Pull quote: “He [Lenin Artieda] said the explosive device looked like a USB drive. He plugged it into his computer and it detonated.”

A Different Kind of Pipeline Project Scrambles Midwest Politics. NYTimes.com article. Pull quote: “But opponents are concerned about property rights and safety, and are not convinced of the projects’ claimed environmental benefits. They have forged unlikely alliances that have blurred the region’s political lines, uniting conservative farmers with liberal urbanites, white people with Native Americans, small-government Republicans with climate-conscious Democrats.”

Guidance for Implementing Federal Rotational Cyber Workforce Program. CHCOC.gov guidance document. Summary: “The Program allows for 6-month to 1-year interagency details of cyber employees to cyber rotations where they can improve and develop knowledge and skills to not only support their own professional growth but also bring new skills back to their home agency. The Program will help Federal agencies continue to enhance their cyber workforce by developing critical cyber skills and creating environments where employees have ongoing learning and development opportunities. Such rotational opportunities align with an objective in the White House National Cybersecurity Strategy to strengthen the Federal cyber workforce by developing and retaining talent. Cyber rotations help advance career opportunities and support employee engagement, satisfaction, and retention.”

Railroads pilot AskRail data to increase first responder information access. ProgressiveRailroading.com article. Pull quote: “After the Feb. 3 Norfolk Southern Railway train derailment in East Palestine, Ohio, AAR learned that lack of cell phone service and other challenges made using AskRail difficult in the early hours of the response, said AAR President and CEO Ian Jefferies in a press release.”

HR 1345 Introduced – NTIA Cybersecurity Office

Earlier this month, Rep Curtis (R,UT) introduced HR 1345, the NTIA Policy and Cybersecurity Coordination Act. The bill would amend the NTIA Organization Act, adding a new §106, Office of Policy Development and Cybersecurity. The current Associate Administrator for Policy Analysis and Development at the NTIA would be redesignated as the position of Associate Administrator for Policy Development and Cybersecurity. The new organization would be responsible for overseeing and conducting “national communications and information policy analysis and development for the internet and communications technologies.”

While NTIA is generally considered to have more of an IT focus on communication technology, it is clear that communications technology is as much about control of systems as it is about the information that transits those systems. This is reflected in the duties for the proposed new Associate Administrator, which include the following more operationally-focused cybersecurity responsibilities:

Advocate for policies that promote the security and resilience to cybersecurity incidents of communications networks while fostering innovation, including policies that promote secure communications network supply chains,

Present security of the digital economy and infrastructure and cybersecurity policy efforts before the Commission, Congress, and elsewhere,

Develop policies to accelerate innovation and commercialization with respect to advances in technological understanding of communications technologies, and

Provide public access to relevant data, research, and technical assistance on innovation and commercialization with respect to communications technologies, consistent with the protection of classified information.

Moving Forward

Curtis is a member of the House Energy and Commerce Committee to which this bill was assigned for consideration. This means that there should be enough influence to see the bill considered in Committee. I do not see anything in the language of the bill that would engender any organized opposition. I suspect that there would be some level of bipartisan support for this bill going forward. It will be interesting to see how this bill fares in the current anti-government focus of the Republican majority in the House.

Review – 7 Advisories and 1 Update Published – 3-21-23

Today, CISA’s NCCIC-ICS published seven control system security advisories for products from Siemens (3), Rockwell Automation, VISAM, Delta Electronics, and Keysight Technologies. They also updated one advisory for products from Hitachi Energy.

Advisories

SCALANCE Advisory - This advisory discusses 17 vulnerabilities in the Siemens SCALANCE W-700 product line.

RADIUS Advisory - This advisory discusses an infinite loop vulnerability in the Siemens RADIUS client of SIPROTEC 5 devices.

RUGGEDCOM Advisory - This advisory discusses seven TOCTOU race condition vulnerabilities in the Siemens RUGGEDCOM APE1808 Product Family.

Rockwell Advisory - This advisory describes three vulnerabilities in the Rockwell ThinManager ThinServer.

VISAM Advisory - This advisory describes seven improper restriction of XML entity reference vulnerabilities in the VISAM VBASE Automation Base. 

Delta Advisory - This advisory describes 13 vulnerabilities in the Delta InfraSuite Device Master.

Keysight Advisory - This advisory describes a deserialization of untrusted data vulnerability in the Keysight N6854A Geolocation Server.

Updates

Hitachi Energy Update - This update provides additional information on an advisory that was originally published on December 9th, 2021.


For more details about these advisories, including links to 3rd party advisories and exploits, as well as a brief summary of changes made in the update, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/7-advisories-and-1-update-published-541 - subscription required.

Review - S 576 Introduced – Hazmat Trains

Earlier this month, as a response to the derailment of a freight train in East Palestine, OH, Sen Brown (D,OH) and Sen Vance (R,OH) introduced S 576, the Railway Safety Act of 2023. The bill provides a variety of potential improvements for the shipment of hazardous materials by rail. Various funds are authorized to support some of the programs proposed.

Programs and policies mentioned in the bill include:

Safety requirements for trains transporting hazardous materials.
Rail car inspections.
Defect detectors.
Safe Freight Act of 2023 (minimum crew size).
Increasing maximum civil penalties for violations of rail safety regulations.
Safer tank cars.
Hazardous materials training for first responders.
Rail safety infrastructure research and development grants.
Appropriations for tank car research and development.

Moving Forward

While Brown is not a member of the Senate Commerce, Science, and Transportation Committee to which this bill was assigned for consideration, Vance is. This means that there could be sufficient influence to see this bill considered by Committee. There is a great deal of political pressure to ‘do something’ to prevent recurrences of the East Palestine derailment, but there is still some major Republican opposition to increased regulation and government spending. There will have to be some behind-the-scenes negotiations on modifications to this bill to get to legislation that would allow the Committee and then the Senate to move forward.

Commentary

The new hazmat train requirements of §3 of the bill look like they may have the unintended consequence of encouraging railroads to limit the transport of hazmat railcars to hazmat trains that would fall under the definition of a highly hazardous flammable train (HHFT) under 49 USC 174.310. Under the proposed rules, it looks like there could be tighter restrictions on non-HHFT hazmat trains, so it would provide railroads with an incentive to concentrate hazmat shipments in HHFT’s. This might reduce the number of trains carrying hazmat railcars, but it could increase the potential consequences of an accident in such a train.


For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-576-introduced - subscription required.

Committee Hearings – Week of 3-19-23

This week with both the House and Senate in Washington (House with a short week) there is a relatively full slate of hearings scheduled with budget hearings in full swing. There are five other hearings of potential interest here covering cybersecurity (3), Ohio derailment, and science and tech in DOD.

Budget Hearings

Budget Hearings        | House            | Senate
FY 2024 Budget Request | Budget Committee |
DOD                    | DOD Subcommittee |
DOE                    | EWR Subcommittee |
EPA                    |                  | Environment Committee
DOT                    |                  | THUD Subcommittee

‘Subcommittee’ hearings are for subcommittees of the respective Appropriations Committees.

Cybersecurity

On Thursday, the Senate Energy and Natural Resources Committee will hold a hearing to “Examine Cybersecurity Vulnerabilities to the United States' Energy Infrastructure”. The witness list includes:

• Puesh M. Kumar, CESER, DOE,

• Robert M. Lee, Dragos,

• Stephen L. Swick, American Electric Power.

On Thursday, the Cybersecurity and Infrastructure Protection Subcommittee of the House Homeland Security Committee will hold a hearing on “CISA 2025: The State of American Cybersecurity from a Stakeholder Perspective”. A witness list is not currently available.

On Thursday, the Cybersecurity, Information Technology, and Government Subcommittee of the House Oversight and Accountability Committee will hold a hearing on “Unpacking the White House National Cybersecurity Strategy”. A witness list is not currently available.

Ohio Derailment

On Wednesday, the Senate Commerce, Science and Technology Committee will hold a hearing on “Improving Rail Safety in Response to the East Palestine Derailment”. The witness list will include:

• Jennifer Homendy, National Transportation Safety Board

• David Comstock, Ohio Western Reserve Joint Fire District

• Clyde Whitaker, Ohio State SMART-TD

• Alan Shaw, Norfolk Southern

• Ian Jefferies, Association of American Railroads

DOD Tech

On Thursday, the Cyber, Information Technologies, and Innovation Subcommittee of the Senate Armed Forces Committee will hold a hearing on “Science, Technology, and Innovation at the Department of Defense”. The witness list includes:

• Heidi Shyu, DOD,

• William LaPlante, DOD

Monday, March 20, 2023

Short Takes – 3-20-23

McConnell’s absence leaves colleagues wondering about GOP’s future. TheHill.com article. Pull quote: “Some Republicans, however, think McConnell has performed a major service for the Senate GOP conference by absorbing so much of Trump’s wrath and taking the heat of other senators who have their own complaints and disagreements with the former president.”

Flaming Space Debris Re-entering Atmosphere Lights Up California Sky. NYTimes.com article. Pull quote: “Privateer, a company co-founded by Dr. Jah, tracks about 48,000 human-made objects, ranging in size from a cellphone to the International Space Station itself. But only about 10 percent of those are functional, he said.”

The Problem With Your Dying AirPods and Other Bluetooth Earbuds. WSJ.com article. Pull quote: “The Swap Club doesn’t offer AirPod Pros or third-generation AirPods yet. Ms. Alpert said the newer earbuds’ water resistance is hard to maintain after a battery swap. That’s the trade-off of these tiny gadgets. To be durable, they need to be water-resistant. To live in our ears, they need small batteries. Both make replacing batteries difficult.”

Rural America Grows Weary of Waiting for Its Mail. WSJ.com article. Pull quote: “The Postal Service declined to answer any questions this week but has previously cited trouble hiring staff as its primary problem across the country. Others familiar with the issue say a boom in e-commerce since the pandemic has also strained its staff. In many rural areas, USPS has agreements with Amazon.com Inc. and other carriers to provide the final phase of package delivery.”

PCAST Initiating Working Group on Cyber-Physical Resilience. WhiteHouse.gov notice. Pull quote: “The President’s Council of Advisors on Science and Technology (PCAST) has created a working group on cyber-physical resilience with the intent of consulting experts from across the public and private sectors, and academia. We will seek to amplify or rapidly advance existing ideas and efforts as well as to develop new approaches to this problem.” Seeking public input.

Oil refinery public hearing postponed, company considering alternative OK site. A new oil refinery? Pull quote: ““This a win-win partnership, as the facility would be an economic game-changer for the community,” said Ward, who cited an estimate that local taxing entities will altogether receive over $312 million in taxes from Prairie Energy in a 30-year span.”

Highway-Rail Grade Crossing and Shove Movement Accident. FRA.DOT.gov safety bulletin. Pull quote: “FRA requests that railroads review this Safety Bulletin with employees to increase awareness of the dangers of pushing and shoving movements at highway-rail grade crossings. FRA also reminds railroads of the need to ensure all individuals involved in pushing or shoving movements are: (1) properly trained and qualified on how to conduct those operations safely; and (2) understand what “track is clear” means related to a highway-rail grade crossing. Additionally, FRA reminds railroads and train crew members of the work of the Switching Operations Fatality Analysis (SOFA) Working Group, a voluntary, non-regulatory, workplace safety partnership formed to identify commonalities among fatalities that occur during switching operations. SOFA findings are available on FRA’s website at https://railroads.dot.gov/railroadsafety/divisions/partnerships-programs/switching-operations-fatalities-analysis-sofa.”

Review - HR 1219 Introduced – Food and Agriculture Cybersecurity

Last month, Rep Pfluger (R,TX) introduced HR 1219, the Food and Agriculture Industry Cybersecurity Support Act. The bill would require the National Telecommunications and Information Administration (NTIA) to establish a food and agriculture cybersecurity clearinghouse which would include direct support by NTIA to the food and agriculture industry. It also includes an obligatory report to Congress by the GAO. No funding is authorized by this bill.

Moving Forward

Pfluger and his three cosponsors {Rep Veasey (D,TX), Rep Curtis (R,UT), Rep Matsui (D,CA)} are all members of the House Energy and Commerce Committee to which this bill was assigned for primary consideration. This means that there should be adequate influence to see this bill considered in Committee. Since no spending is being authorized in this bill, I see nothing that would engender any organized opposition to the bill. I suspect that it would receive substantial bipartisan support in Committee and would probably be able to move to the floor of the House under the suspension of the rules process.

The big problem facing this bill is the potential lack of support on the House Agriculture Committee which has been assigned secondary consideration responsibility. With no cosponsors of the bill on that Committee, there is no one arguing for the support of that Committee. Lack of support from the Ag Committee will kill any chances of this bill being considered on the floor of the House.

Commentary

The definition of the term ‘food and agriculture industry’ used in the bill is very technology oriented and it specifically mentions ‘information technology’ without reference to an existing definition, but it lacks any specific mention of operational or control system technology other than a reference to “computer vision algorithms for precision agriculture” which is sensor technology, not control system tech. This could be rectified by making a relatively simple change to §2(c)(4)(A):

“(A) equipment and control systems utilized in the food and agriculture supply chain, such as computer vision algorithms for precision agriculture, grain silos, and related food and agriculture storage infrastructure;”


For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-1219-introduced - subscription required.

Michigan Foundry Explosion Injures One

An interesting and detailed article about an explosion and fire at an aluminum foundry reports that one employee was taken to the hospital and was being treated for burns. The cause of the explosion is still under investigation, but it appears to have involved one of the facility’s furnaces.

As I have noted previously, the Chemical Safety Board takes the position that an explosion at a fixed facility that causes serious injury or significant damage (it would appear that both criteria have been met here) is by definition a reportable release. I suspect that, since a foundry is not normally considered a chemical facility, the management team may be unaware of their CSB reporting responsibilities related to this type of incident. I would not be surprised to find that this incident was not reported to the CSB.

Sunday, March 19, 2023

Short Takes – 3-19-23

From bank runs to a credit crunch, the financial future looks bleak. WashingtonPost.com opinion piece. Pull quote: “At the height of the 2008 crisis, policymakers fixed the problem of capital-short banks by forcing them to accept capital injections from the government. But this semi-nationalization was hated by bank shareholders, whose ownership was diluted; and today’s market conditions are not (yet) extreme enough to warrant such radical action. The upshot is that the economy might be hobbled by zombie lenders for the next year or more. Such is the price of an inflationary bubble that the Fed was too slow to pop.”

Plant explosion leaves town with fear of lead exposure and few answers. WashingtonPost.com article. My post on the incident; no mention of lead. Pull quote: “Lead, which occurs naturally in soil at very low levels, is considered hazardous under EPA thresholds when it surpasses 400 parts per million in children’s play areas and at 1,200 ppm in non-play areas. Most of the samples fell below the play-area threshold, though two sites near the plant showed elevated lead levels, including one at 3,144 ppm, more than 2½ times the higher threshold.”

This geothermal startup showed its wells can be used like a giant underground battery. TechnologyReview.com article. Pull quote: “The results from the initial experiments—which MIT Technology Review is reporting exclusively—suggest Fervo can create flexible geothermal power plants, capable of ramping electricity output up or down as needed. Potentially more important, the system can store up energy for hours or even days and deliver it back over similar periods, effectively acting as a giant and very long-lasting battery. That means the plants could shut down production when solar and wind farms are cranking, and provide a rich stream of clean electricity when those sources flag.”

Review – Public ICS Disclosures – Week of 3-11-23 – Part 2

For Part 2 we have five additional vendor disclosures from Schneider (3) and Siemens (2). We also have 38 additional updates for disclosures from Schneider (15) and Siemens (23).

Advisories

Schneider Advisory #1 - Schneider published an advisory that describes an insufficient session expiration vulnerability in their EcoStruxure™ Power Monitoring Expert.

Schneider Advisory #2 - Schneider published an advisory that describes an improper validation of an array index vulnerability in their PowerLogic™ HDPM6000.

Schneider Advisory #3 - Schneider published an advisory that describes eight vulnerabilities in their Interactive Graphical SCADA System (IGSS).

Siemens Advisory #1 - Siemens published an advisory that discusses an infinite loop vulnerability in their RADIUS Client of SIPROTEC 5 Devices.

Siemens Advisory #2 - Siemens published an advisory that discusses 17 vulnerabilities in their SCALANCE W-700 IEEE 802.11ax devices.

Updates

NOTE: The link for the update for the Schneider advisory SEVD-2021-222-04 is not currently working.

Schneider Update #1 - Schneider published an update for their EcoStruxure™ Control Expert advisory that was originally published on January 10th, 2023.

Schneider Update #2 - Schneider published an update for their EcoStruxure™ Control Expert advisory that was originally published on January 10th, 2023.

Schneider Update #3 - Schneider published an update for their EcoStruxure™ Geo SCADA Expert advisory that was originally published on January 10th, 2023.

Schneider Update #4 - Schneider published an update for their Modicon PAC Controllers advisory that was originally published on August 9th, 2022 and most recently updated on December 13th, 2022.

Schneider Update #5 - Schneider published an update for their Modicon PAC Controllers advisory that was originally published on August 9th, 2022 and most recently updated on December 13th, 2022.

Schneider Update #6 - Schneider published an update for their EcoStruxure™ Control Expert advisory that was originally published on August 9th, 2022 and most recently updated on December 13th, 2022.

Schneider Update #7 - Schneider published an update for their IGSS advisory that was originally published on June 14th, 2022 and most recently updated on June 23rd, 2023.

Schneider Update #8 - Schneider published an update for their CODESYS V3 Runtime advisory that was originally published on January 11th, 2022 and most recently updated on January 10th, 2023.

Schneider Update #9 - Schneider published an update for their BadAlloc advisory that was originally published on November 9th, 2021 and most recently updated on February 14th, 2023.

Schneider Update #10 - Schneider published an update for their EcoStruxure™ Control Expert advisory that was originally published on July 13th, 2021 and most recently updated on December 13th, 2022.

Schneider Update #11 - Schneider published an update for their ISaGRAF Vulnerabilities advisory that was originally published on June 8th, 2021 and most recently updated on November 8th, 2022.

Schneider Update #12 - Schneider published an update for their Modicon Controllers advisory that was originally published on September 26th, 2019 and most recently updated on December 13th, 2022.

Schneider Update #13 - Schneider published an update for their Modicon Controllers advisory that was originally published on September 26th, 2019 and most recently updated on January 10th, 2023.

Schneider Update #14 - Schneider published an update for their Embedded FTP Servers advisory that was originally published on March 22nd, 2018 and most recently updated on February 14th, 2023.

Siemens Update #1 - Siemens published an update for their Multiple LLDP Vulnerabilities advisory.

Siemens Update #2 - Siemens published an update for their Multiple SPP File Parsing Vulnerabilities advisory.

Siemens Update #3 - Siemens published an update for their Code Injection Vulnerability in RUGGEDCOM ROS advisory.

Siemens Update #4 - Siemens published an update for their Denial of Service Vulnerability in RUGGEDCOM ROS V4 advisory.

Siemens Update #5 - Siemens published an update for their OpenSSL Vulnerabilities in Industrial Products advisory.

Siemens Update #6 - Siemens published an update for their Weak Encryption Vulnerability in RUGGEDCOM ROS Devices advisory.

Siemens Update #7 - Siemens published an update for their Denial of Service Vulnerability in OpenSSL advisory.

Siemens Update #8 - Siemens published an update for their Multiple File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go advisory.

Siemens Update #9 - Siemens published an update for their Denial of Service Vulnerability in the TCP Event Service of SCALANCE and RUGGEDCOM Products advisory.

Siemens Update #10 - Siemens published an update for their Privilege Escalation Vulnerability in the Web Interface of SCALANCE and RUGGEDCOM Products advisory.

Siemens Update #11 - Siemens published an update for their Siemens SIMATIC NET CP, SINEMA and SCALANCE Products Affected by Vulnerabilities in Third-Party Component advisory.

Siemens Update #12 - Siemens published an update for their Multiple Vulnerabilities in the SRCS VPN Feature in SIMATIC CP Devices advisory.

Siemens Update #13 - Siemens published an update for their Multiple File Parsing Vulnerabilities in Solid Edge advisory.

Siemens Update #14 - Siemens published an update for their Missing Immutable Root of Trust in S7-1500 CPU devices advisory.

Siemens Update #15 - Siemens published an update for their Two Vulnerabilities in Automation License Manager advisory.

Siemens Update #16 - Siemens published an update for their Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP advisory.

Siemens Update #17 - Siemens published an update for their Multiple Vulnerabilities in SCALANCE Products advisory.

Siemens Update #18 - Siemens published an update for their SAD DNS Attack in Linux Based Products advisory.

Siemens Update #19 - Siemens published an update for their Denial of Service in the OPC Foundation Local Discovery Server (LDS) in Industrial Products advisory.

Siemens Update #20 - Siemens published an update for their Third-Party Component Vulnerabilities in RUGGEDCOM ROS advisory.

Siemens Update #21 - Siemens published an update for their Multiple Vulnerabilities in SINEC NMS and SINEMA Server advisory.

Siemens Update #22 - Siemens published an update for their OpenSSL Vulnerability in Industrial Products advisory.

Siemens Update #23 - Siemens published an update for their SISCO Stack Vulnerability in SIPROTEC 5 Devices advisory.


For more information on these disclosures, including links to third-party advisories, researcher reports, and exploits, as well as a brief description of the changes in the updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-3-b4a - subscription required.

Saturday, March 18, 2023

Short Takes – 3-18-23

Trump suggests he will be arrested Tuesday, calls for supporters to ‘protest, take our nation back!’. TheHill.com article. Pull quote: “CNN reported that senior staff members from Bragg’s office, the New York Police Department (NYPD) and New York State Court Officers have had meetings about security needs following any possible charges being filed. The court officers are responsible for securing state court facilities, including the New York Supreme Court building in Manhattan.”

CDC and ATSDR Staff Begin Next Steps in Chemical Exposure Investigation in East Palestine, Ohio. HSToday.us article. Pull quote: “While CDC and ATSDR staff will be returning from the field, the ACE survey will remain online and data collection will continue until March 31. Over the next couple of months, CDC and ATSDR will work with the health departments to analyze data and share results. These results can be used by the states to help inform public health recommendations and lessons learned. CDC and ATSDR will continue to respond to requests for remote technical assistance for as long as needed.” The ATSDR derailment web site includes links to other federal resources.

Russia’s Vladimir Putin Faces Arrest Warrant by International Court. WSJ.com article. Pull quote: “The U.S. has had a fraught relationship with the ICC, in the 1990s helping lead the movement for a permanent war-crimes tribunal but declining to ratify its charter, known as the Rome Statute, after negotiators failed to give the U.S. and the other four permanent members of the U.N. Security Council—including Russia—the power to squelch ICC prosecutions.”

In times of scarcity, California’s best new source of water? Reuse. AndTheWest.Stanford.edu article. Pull quote: “A Stanford study published in November of last year found that recycled water for potable reuse is much cleaner than conventional tap water sources. Because the source is wastewater, regulators require a more intensive treatment process to clear the water of even the smallest of contaminants that can be found in standard drinking water treatment facilities.”

The US aims to close its fermentation capacity gap. CEN.ACS.org article. Pull quote: “Biomanufacturing companies are trying to increase fermentation capacity across the US at all levels of production, from flexible pilot plants to large-scale contract manufacturing operations. Some firms are buying old fermentation facilities that once made biofuels or food ingredients and retrofitting them to support new technologies. Others hope to build brand-new biobased foundries that are versatile enough to make a variety of products.”

OSHA Fines After Hydrogen Sulfide Death

This week the Department of Labor announced an OSHA citation for workplace safety violations discovered by OSHA after an employee was killed last September by a hydrogen sulfide exposure while working near a sump pit at a West Texas oil and gas treatment facility. The OSHA-assessed fines were slightly more than $39 thousand and included citing the company for:

• Exposing employees to inhalation hazards (H2S).

• Not training employees on hazards associated with hydrogen sulfide exposure.

• Failing to provide a quick body drench or eye flush station for employees in the immediate work area where corrosive materials were present.

• Not performing a hazard assessment to determine if personal protective equipment was needed.

• Failing to protect employees from fall hazards of more than 4 feet.

• Not protecting employees from contacting energized circuits.

Even though an employee died as a result of exposure to hydrogen sulfide at the facility, there is no record that a report of the incident was made to the Chemical Safety Board. The CSB’s database of reported chemical incidents lists 12 release incidents in September of 2022, only one of which was from Texas (ExxonMobil in Houston, TX). There is no mention of this incident.

While the CSB is empowered, under 42 USC 7412(r)(6)(O), to refer non-reporting of covered incidents to the EPA for enforcement actions under 42 USC 7413 and §7414, the CSB made it clear in the preamble to the final rule for 40 CFR 1604 that:

“The CSB understands that its independence from criminal and civil enforcement authorities is important to its ability to accomplish its safety mission. As noted in the preamble, the CSB's focus will be on education and compliance, not on creating traps for the unwary. Accordingly, the final language of § 1604.5 should pose no threat to the special place the CSB has historically held with industry and other stakeholders as a non-regulatory and non-enforcement agency. The CSB looks forward to working with owner/operators and other stakeholders to help ensure compliance.”

We are well past the one-year enforcement moratorium promised by the CSB; perhaps it is time to start considering referring companies that do not report chemical release incidents, at least in the most egregious cases where deaths result from the release.

CRS Reports – Week of 3-11-23 – Big Tech Regulation

With the continuing interest in Congress in potential regulation of the ‘Big Technology’ industry, the Congressional Research Service (CRS) published a summary document looking at the recent reports that the CRS has prepared on related topics. Those topics include:

• Antitrust issues,

• Content moderation and §230,

• Content moderation and free speech,

• Data protection and international data flow,

• Cross-border investment and commercial transactions,

• Net neutrality and common carrier classification.

There is very little actual discussion in this report; it is more of a CRS bibliography. The drawback to the document is that while it lists CRS report numbers, it does not provide direct links to the documents. A reader wishing to access one of the listed documents would have to copy the report number and conduct a search on the CRS Reports search page. The reason for this is that CRS frequently updates reports while keeping the same report number. Searching for the report number would take you to the most current information.

Review – Public ICS Disclosures – Week of 3-11-23 – Part 1

This week we have nine vendor disclosures from Aruba Networks, Carrier, Contec, Hitachi Energy, HPE (2), InHand Networks, Moxa, and Phoenix Contact. There are five vendor updates from HPE (4) and Moxa. Finally, we have three exploits for products from Eaton, Riello, and Fortinet.

In Part 2 this week I will look at disclosures from Schneider and Siemens.

Advisories

Aruba Advisory - Aruba published an advisory that describes eight vulnerabilities in their ClearPass Policy Manager program.

Carrier Advisory - Carrier published an advisory that discusses a server-side request forgery vulnerability in their LenelS2 supported platform.

Contec Advisory - Contec published an advisory that describes three vulnerabilities in their CONPROSYS M2M Gateway Series, M2M Controller Series products.

Hitachi Energy Advisory - Hitachi published an advisory that discusses a permissions, privileges, and access control vulnerability in their MicroSCADA Pro/X SYS600 Products.

HPE Advisory #1 - HPE published an advisory that discusses eight vulnerabilities in their NonStop servers.

HPE Advisory #2 - HPE published an advisory that describes a cross-site scripting vulnerability in their Integrated Lights-Out products.

InHand Advisory - InHand published an advisory that describes five vulnerabilities in their InRouter615-S industrial routers.

Moxa Advisory - Moxa published an advisory that describes two improper certificate validation vulnerabilities in their NPort 6000 Series and Windows Driver Manager products.

Phoenix Contact Advisory - Phoenix Contact published an advisory that discusses five vulnerabilities in their ENERGY AXC PU product.

Updates

HPE Update #1 - HPE published an update for their FlexNetwork and FlexFabric Switches advisory that was originally published on July 30th, 2022.

HPE Update #2 - HPE published an update for their OneView for VMware vCenter advisory that was originally published on February 17th, 2023.

HPE Update #3 - HPE published an update for their ProLiant Moonshot Servers advisory that was originally published on November 8th, 2022.

HPE Update #4 - HPE published an update for their ProLiant BL/DL/ML Servers advisory that was originally published on November 8th, 2022.

Moxa Update - Moxa published an update for their UC Series advisory that was originally published on November 29th, 2022 and most recently updated on February 9th, 2023.

Exploits

Eaton Exploit - Yehia Elghaly published an exploit for a denial-of-service vulnerability in the Eaton Webpower UPS.

Riello Exploit - Ricardo Jose Ruiz Fernandez published an exploit for a shell bypass vulnerability in the Riello UPS system.

Fortinet Exploit - Jheysel-r7, Zach Hanley, and Gwendal Guegniaud published a Metasploit module for an externally controlled reference to a resource in another sphere vulnerability in the FortiNAC.


For more details about these disclosures, including links to third-party advisories, researcher reports and a summary of changes made in updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-3-d50 - subscription required.

Bills Introduced – 3-17-23

Yesterday, with both the House and Senate meeting in pro forma session, there were 60 bills introduced. Four of those bills may receive additional attention in this blog:

HR 1623 To amend the Homeland Security Act of 2002 to exclude certain propane storage facilities from certain chemical security standards under the Department of Homeland Security, and for other purposes. Finstad, Brad [Rep.-R-MN-1] 

HR 1633 To enhance safety requirements for trains transporting hazardous materials, and for other purposes. Johnson, Bill [Rep.-R-OH-6] 

HR 1648 To establish a grant program for use of "internet of things" technologies in airports, and for other purposes. Nehls, Troy E. [Rep.-R-TX-22]

HR 1665 To direct the Secretary of Transportation to establish a program to provide grants to local governments to install publicly accessible safety charging stations for electric bicycles and scooters, and for other purposes. Velazquez, Nydia M. [Rep.-D-NY-7]

I will be covering HR 1623 and HR 1633.

I will be watching HR 1648 and HR 1665 for language and definitions that would specifically include cybersecurity requirements within the scope of the requirements of the legislation.

Friday, March 17, 2023

Short Takes – 3-17-23

NIAC report finds security, resilience of critical infrastructure depends on collaboration; calls for mandatory standards. IndustrialCyber.co article. Summary of 18-page report. Pull quote: “Late last year, the National Security Council (NSC) tasked the NIAC to examine cross-cutting infrastructure policy challenges. The Cross-Cutting Infrastructure Policy Challenges Subcommittee, which was composed of 13 Subcommittee members, was formed to draft a report to address the tasking on behalf of the broader NIAC.” NIAC report.

FERC expands cybersecurity supply chain standards to low-impact assets. UtilityDive.com article. Pull quote: ““This order is the latest product of our joint cybersecurity efforts with NERC and stakeholders in support of the reliable operation of the bulk power system,” he said. “We must continue to focus on cybersecurity, physical security, extreme weather events, and the rapidly changing resource mix.””

Hands up who DIDN'T exploit this years-old flaw to ransack a US govt web server... TheRegister.com article. Pull quote: “So although the Feds don't identify the advanced persistent threat (APT) player in their alert, we'd be willing to bet it's one of President Xi Jinping's cyber-goon squads. And it's clear someone in the federal government didn't get the memo about applying security fixes in a timely manner.”

Vultures at the gate: The national security risk of Silicon Valley Bank’s failure. TheHill.com opinion piece. An interesting take on the SVB problem. Pull quote: “The U.S. should be wary of China sweeping into the vacuum, or foothold, created by SVB’s collapse — or that of any other key player in the U.S. tech ecosystem. But if history is any guide, Beijing will try to do just that. And those efforts, if successful, will feed directly into China’s military modernization program and tech-enabled surveillance state.”

Review – HR 1238 Introduced – DERAIL Act

Last month, Rep Deluzio (D,PA) introduced HR 1238, the Decreasing Emergency Railroad Accident Instances Locally (DERAIL) Act. The bill would require DOT to change the definition of ‘high-hazard flammable train’ (HHFT) and to require reporting of derailments involving toxic inhalation hazard (TIH) rail cars. No funding is provided in the bill.

Moving Forward

Deluzio is not a member of the House Transportation and Infrastructure Committee to which this bill was assigned for consideration, but seven of his 27 Democrat cosponsors {Rep Garamendi (D,CA), Rep Ryan (D,NY), Rep Titus (D,NV), Rep DeSaulnier (D,CA), Rep Hoyle (D,OR), Rep Holmes-Norton (D,DC)} are members, so this bill could have enough influence to see it considered in Committee. I do, however, suspect that there would be near unanimous Republican objections to this bill because of the additional burdens it would place on railroads and shippers, so there is little chance that the bill would be favorably considered. Similar opposition would ensure that it would not make it to the floor of the House for consideration.

Commentary

While the wording of this bill is relatively simple on its face, this is a prime example of simple words hiding a complex result. Part of that result in this case is intended: the notification requirements (even though protected by the SSI classification) for HHFT have long been a desire of local communities for all trains carrying hazardous materials. I have never understood this desire, since most communities do not have the funds or resources to plan, staff and equip in advance for an incident like that seen last month in Ohio.


For more details about the provisions of this bill, and their implications for rail incident planning and reporting – see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-1238-introduced - subscription required.

Bills Introduced – 3-16-23

Yesterday, with just the Senate in session, there were 49 bills introduced. Three of those bills may receive additional coverage in this blog:

S 834 A bill to amend the National Agricultural Research, Extension, and Teaching Policy Act of 1977 to reauthorize the Agriculture Advanced Research and Development Authority, and for other purposes. Bennet, Michael F. [Sen.-D-CO]

S 844 A bill to authorize the declaration of a hazardous train event, and for other purposes. Casey, Robert P., Jr. [Sen.-D-PA]

S 870 A bill to amend the Federal Fire Prevention and Control Act of 1974 to authorize appropriations for the United States Fire Administration and firefighter assistance grant programs. Peters, Gary C. [Sen.-D-MI]

I will be covering S 844.

I will be watching S 834 for language and definitions that would specifically include agricultural cybersecurity research efforts within the scope of the reauthorization. I am not, however, going to hold my breath.

Considering that the Senate Homeland Security and Governmental Affairs Committee has already considered and recommended S 559, a reauthorization for the US Fire Administration, it is odd that Peters (who is the Chair of that committee) would introduce a new bill, S 870, on the same topic. So, I will be watching this bill to see what is going on, but I am not sure that it will be anything worth mentioning here.

Thursday, March 16, 2023

Short Takes – 3-16-23

Beating 'hearts on a chip' will travel to space on SpaceX's Dragon cargo ship tonight. LiveScience.com article. Pull quote: “The [beating heart] tissue will be used in two experiments — Cardinal Heart 2.0 and Engineered Heart Tissues-2 — which will test whether existing drugs can help prevent or reverse spaceflight's negative effects on the heart.”

Meltdown: Paul storms out of Homeland Security markup after clash on amendments. TheHill.com article. Pull quote: “Paul (R,KY) vented his frustration over Peters’s (D,MI) use of procedural tactics to effectively shield Democrats on the committee from voting on Republican amendments to the Fire Grants and Safety Act.” Paul was pushing amendments that would have been voted down by Democrats if allowed to come to a vote. Nothing new here, other than Paul is now the Ranking Member of the Committee.

Impressions of the U.S. National Cybersecurity Strategy of 2023. SCADAMag.Infracritical.com blog post. An OT perspective on the Strategy document. Pull quote: “My advice as someone who has worked on strategy documents for a small country to those working for a high-tech superpower:  when seeking to protect modern economic activity, national security and well-being of your society from threats emanating from cyberspace – invite the engineers.”

New Moon Suit for NASA’s Artemis Astronauts Unveiled. NYTimes.com article. Pull quote: “By turning to this private company [Axiom Space], NASA is again relying on new commercial space enterprises to provide key components faster and cheaper than it could itself develop.”

Homeland Security Advisory Council. Federal Register notice. Summary: “The Secretary of Homeland Security has determined that the renewal of the Homeland Security Advisory Council is necessary and in the public interest. This determination follows consultation with the Committee Management Secretariat, General Services Administration.” Extends HSAC through March 11th, 2025.

Toilet paper is an unexpected source of PFAS in wastewater. ScienceDaily.com article. Could it be that the PFAS problem is being overblown? Pull quote: “Then, the team combined their results with data from other studies that included measurements of PFAS levels in sewage and per capita toilet paper use in various countries. They calculated that toilet paper contributed about 4% of the 6:2 diPAP in sewage in the U.S. and Canada, 35% in Sweden and up to 89% in France.”

EV Charging Infrastructure Offers an Electric Cyberattack Opportunity. DarkReading.com article. Pull quote: “Consumer devices are also a problem. About 80% of charging takes place in the home, according to ChargePoint session data. But unfortunately, those devices may be easier to disrupt because consumers are not focused, nor should they need to be focused, on cybersecurity, Tonkin says.” Home charging systems have been essentially ignored in cybersecurity discussions.

Review – 7 Advisories and 1 Update Published – 3-16-23

Today, CISA’s NCCIC-ICS published seven control system security advisories for products from Rockwell Automation, Honeywell, and Siemens (5). They also updated an advisory for products from AVEVA.

Siemens published two additional advisories on Tuesday that were not addressed here. They also updated 22 advisories, but NCCIC-ICS is no longer covering updates for Siemens products. I will be covering all of those this weekend.

Advisories

Rockwell Advisory - This advisory describes an exposure of sensitive information to an unauthorized actor vulnerability in the Rockwell Modbus TCP Server AOI.

Honeywell Advisory - This advisory describes three vulnerabilities in the Honeywell OneWireless Wireless Device Manager (WDM).

Mendix Advisory - This advisory describes an incorrect implementation of authentication algorithm vulnerability in the Siemens Mendix SAML Module.

SCALANCE Advisory - This advisory discusses four vulnerabilities in the Siemens SCALANCE W1750D. 

RUGGEDCOM Advisory #1 - This advisory describes two missing authorization vulnerabilities in the Siemens RUGGEDCOM CROSSBOW.

RUGGEDCOM Advisory #2 - This advisory describes two vulnerabilities in the Siemens RUGGEDCOM CROSSBOW.

Third-Party Advisory - This advisory describes 65 vulnerabilities in the Siemens SCALANCE and RUGGEDCOM products.

AVEVA Update - This update provides additional information on an advisory that was originally published on December 8th, 2022.


For more details about these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/review-7-advisories-and-1-update - subscription required.

OMB Reports Two FAR Cybersecurity NPRMs Were Withdrawn

The OMB’s Office of Information and Regulatory Affairs (OIRA) announced yesterday that the Federal Acquisition Regulation (FAR) notice of proposed rulemaking for “FAR Case 2021-017, Cyber Threat and Incident Reporting and Information Sharing” had been withdrawn from consideration. The NPRM was submitted to OIRA back in December. There is no discussion as to why it was withdrawn.

Similarly, OIRA announced that the FAR NPRM for “FAR Case 2021-019, Standardizing Cybersecurity Requirements for Unclassified Information Systems” was withdrawn. That NPRM was submitted to OIRA at the same time.

It is possible that this is related to the recent publication of the updated cybersecurity strategy and that substantial changes are being made to the requirements of the two rules. Making changes before the NPRMs were published would effectively shorten the rulemaking process from what would have been required if the government wanted to make changes subsequent to publication.

Wednesday, March 15, 2023

Review - S 473 Introduced – Drone Security

Last month, Sen Scott (R,FL) introduced S 473, the American Security Drone Act of 2023. The bill includes various measures to keep drones made in certain countries (primarily China) from being bought, used, or operated by agencies of the Federal government. It also outlines a ‘government-wide’ policy on drone acquisition, which includes cybersecurity language. No spending is authorized by this bill.

Moving Forward

Scott and two of his six cosponsors {Sen Blumenthal (D,CT) and Sen Hawley (R,MO)} are members of the Senate Homeland Security and Governmental Affairs Committee to which this bill was assigned for consideration. This should mean that there is sufficient influence to see this bill considered in Committee.

The main problem facing this bill is the fact that the government is finding more and more uses for non-military unmanned aircraft and the largest manufacturer of these craft is a Chinese company. Finding the requisite unmanned aircraft from non-Chinese manufacturers is currently difficult. A bill like this is needed to provide domestic manufacturers a much-needed edge to favorably compete with the Chinese, but it will take time to build up the requisite capacity.

It will be interesting to see how this bill works its way through the Committee backrooms.


For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-473-introduced - subscription required. 

HR 1148 Introduced – Energy Cybersecurity Reporting

Last month, Rep Walberg (R,MI) introduced HR 1148, the Critical Electric Infrastructure Cybersecurity Incident Reporting Act. The bill would make DOE the designated agency to receive cybersecurity incident reports from critical electric infrastructure. It would also require DOE to publish regulations covering those reporting requirements. No spending is authorized in the bill.

An identical bill, HR 1160, was introduced three days later by Walberg. That version was considered by the Subcommittee on Energy, Climate, and Grid Security Markup of the House Energy, Climate, and Grid Security Committee on February 28th, 2023. That bill was recommended to the full Committee by a voice vote.

There is no telling why identical pieces of legislation were introduced days apart by the same person. Probably some sort of administrative mix-up in Walberg’s office.
