Tuesday, January 31, 2023

Short Takes – 1-31-23

US Navy suspends work at four West Coast dry docks over seismic risks. DefenseNews.com article. Pull quote: “This time, however, more modern scientific techniques and technologies cued the Navy to concerns of which they were previously unaware. So-called Level 1 and Level 2 seismic events “could potentially cause dry dock structural failures that pose a risk to our sailors and workforce and damage to our submarines,” an official explained.”

US Department of Labor revises OSHA's Combustible Dust National Emphasis Program. HazardExOnTheNet.net article. Pull quote: “This revised NEP directive replaces the March 2008 directive and remains in effect until OSHA issues a cancellation notice. This revised directive does not replace another similar OSHA directive referred to as the grain handling facility directive but it may cover operations involving grain processing that are outside the scope of the grain handling directive.” OSHA document.

‘Run, hide, fight’ tactic in active shootings may be outdated, security experts say. CNN.com article. I have been watching a quarterly ‘run, hide, fight’ training video for the last five years at the grocery store where I work. Pull quote: “But given how often mass shootings now erupt and the firearms employed, “the time is now to rethink how we prioritize what we’re telling people who might find themselves in a mass shooting,” Kayyem said, noting she’s “not saying everyone has it in them to engage a gunman, but … not sure that that should be the last option.”

“Bragg-a-docious”. StatusKuo.Substack.com post. Interesting look at NY grand jury for Stormy Daniels case. Pull quote: “All that said, if there is a case against Trump and his cronies for felony falsification of business records around the Stormy Daniels matter, then it should be brought, however tardy. But it may soon become just one among many criminal cases pending against Trump as he faces potential federal espionage and document theft charges, conspiracy and fraud charges over January 6, state election interference charges in Georgia, and possible further financial disclosure or tax fraud allegations in New York.”

Review – 1 Advisory Published – 1-31-23

Today, CISA’s NCCIC-ICS published one control system security advisory for products from Delta Electronics.

Delta Advisory

This advisory describes two vulnerabilities in the Delta DOPSoft human machine interface.

For more information on this advisory, and on my down-the-rabbit-hole look at CVEs, see my article at CFSN Detailed Analysis - - subscription required. 

Monday, January 30, 2023

Short Takes – 1-30-23

FBI Disrupts ‘Hive’ Ransomware Group. WSJ.com article. “In an operation that began in the summer in Tampa, Fla., Federal Bureau of Investigation agents infiltrated Hive’s network and used the access to identify victims and provide them keys with which to take back control of their networks, officials said. The effort blocked some $130 million in demanded ransoms, department officials said.”

Who would work for Rep. Santos? Capitol Hill is watching closely. WashingtonPost.com article. Another side of the Santos’ story. Pull quote: “Even as he has had to answer — or not answer — those myriad questions, Santos has been assembling a staff for his Washington and district offices, the No. 1 priority for first-term representatives. That means interviewing job candidates, vetting résumés, running background checks and finding people willing to work for a member who appears allergic to truth-telling.”

‘Flying with one engine’: why global food supplies are at risk despite falling crop prices. FT.com article. Pull quote: “Last year’s Black Sea grain deal between Moscow and Kyiv played a crucial role in subduing prices, along with plentiful supplies from Russia, while lower natural gas prices have calmed fertiliser markets. However, analysts warn the grain deal could unravel, while volatile energy prices and climate change also threaten to undermine crop production.”

What three hard-line conservatives plan to do with their seats on the Rules Committee. TheHill.com article. Pull quote: ““We just need to make sure that we’re applying the rules, the germaneness rules, the, you know, single-subject rules, and then figure out how that’s all gonna get down to the floor under the right rules. Is it going to be a structured rule, an open rule?” Roy said.”

Infrastructure Companies Say Suppliers Pose a Growing Cyber Threat. WSJ.com article. Pull quote: “During her tenure at Rockwell, she said, manufacturing companies struck by ransomware would be unable to produce parts Rockwell needed to build its products, sometimes for weeks or months at a time.”

Committee Hearings – Week of 1-29-23

This week, with the House and Senate both in session, there is a very light committee hearing schedule: ten hearings in the House and eight in the Senate. These are mostly organizational hearings and a few fact-finding hearings, nothing of specific import here.

There will be two House Rules Committee hearings (here and here) to formulate rules for the consideration of bills before the House.  Again, none of the bills to be considered is of specific interest here, but it will be interesting to see how the new Rules Committee deals with these formulaic bills. Typically, party statement bills like these are considered under closed rules with limited debate, the whole point being making a political statement not legislating.

Last week, however, a similar type of bill (HR 21, the Strategic Production Response Act) was considered in the House under a modified open rule (set by the Republican leadership; the House Rules Committee did not meet on that bill). A big deal was made about the round of floor amendments from anyone interested in submitting an amendment in advance of the bill coming to the floor. This ended up consuming two long days of House business for a bill that will not be considered in the Senate.

There has been no ‘call for amendments’ from the Rules Committee for any of the bills they will consider this week, but they could use the same ‘submit to the Congressional Record’ standard that was used last week to allow for floor amendments to any, all (or none) of these bills. It will be interesting to see how participative the Rules Committee will expect the House to be.

Saturday, January 28, 2023

CRS Reports – Non-Profit Security Grant Program

This week the Congressional Research Service published a report on “Nonprofit Security Grant Program: Summary and Potential Issues for Congress”. The report looks at FEMA’s Nonprofit Security Grant Program (NSGP) authorized under 6 USC 609a. The grant program provides funds to nonprofit organizations for “target hardening and other security enhancements to protect against terrorist attacks” {§609a(a)}. Cybersecurity enhancements, specifically including “cybersecurity resilience activities” {§609a(c)(3)}, are permitted uses for the funds in this program.

This report raises two important program transparency issues:

• DHS does not publicly announce specific NSGP awards due to the sensitivity and classification of that information, and

• Once the annual grant award cycle begins, Congress and other policy stakeholders are unable to determine which nonprofits are receiving NSGP funding.

Not mentioned in the report is a requirement in §609a(e) for FEMA to prepare an annual report to Congress (the Homeland Security Committees) “on the expenditure by each grant recipient of grant funds made under this section.”

With spending allocation a ‘major concern’ of Republicans in the House, this issue may be raised in the House Homeland Security Committee (and perhaps in legislation) during the session.

Review – Public ICS Disclosures – Week of 1-21-23

This week we have an OpenSSL 3.0 advisory from Dell. We have seven vendor disclosures from Carrier, Contec, GE Grid Solutions, Meinberg, Omron, and PulseSecure (2). We also have three vendor updates from CODESYS, HPE, and PcVue. Finally, we have 16 researcher reports for products from Siretta (14), Zyxel, and Delta Electronics.

OpenSSL 3.0 Advisories

Dell published an advisory that discusses the OpenSSL 3.0 vulnerabilities.

Vendor Advisories

Carrier Advisory - Carrier published an advisory that discusses multiple authentication bypass vulnerabilities in their WebCTRL® and i-Vu® software.

Contec Advisory - Contec published an advisory that describes an SQL injection vulnerability in the Contec CONPROSYS HMI System.

GE Grid Solutions Advisory - GE Grid Solutions published an advisory for their DS Agile Distributed Control System.

Meinberg Advisory - Meinberg published an advisory that discusses eight vulnerabilities in their LANTIME product.

Omron Advisory - JP Cert published an advisory that describes an improper restriction of an XML entity reference vulnerability in the OMRON CX-Motion Pr.

PulseSecure Advisory #1 - PulseSecure published an advisory that discusses a use-after-free vulnerability.

PulseSecure Advisory #2 - PulseSecure published an advisory that discusses a double free vulnerability.

Vendor Updates

CODESYS Update - CODESYS published an update for their Control V3 communication server advisory that was originally published on November 22nd, 2022 and most recently updated on December 14th, 2022.

HPE Update - HPE published an update for their IceWall advisory that was originally published on March 9th, 2018 and most recently updated on May 26th, 2021.

PcVue Update - PcVue published an update for their email and SMS accounts advisory that was originally published on November 25th, 2022 and most recently updated on December 20th, 2022.

NOTE: NCCIC-ICS has not updated their advisory (ICSA-22-354-03) to reflect this information.

Researcher Reports

Siretta Report #1 - Talos published a report for the Siretta QUARTZ-GOLD industrial router describing 46 stack-based buffer overflow vulnerabilities.

Siretta Report #2 - Talos published a report for the Siretta QUARTZ-GOLD industrial router describing a directory traversal vulnerability.

Siretta Report #3 - Talos published a report for the Siretta QUARTZ-GOLD industrial router describing four command injection vulnerabilities.

Siretta Report #4 - Talos published a report for the Siretta QUARTZ-GOLD industrial router describing a heap-based buffer overflow vulnerability.

Siretta Report #5 - Talos published a report for the Siretta QUARTZ-GOLD industrial router describing a file write vulnerability.

Siretta Report #6 - Talos published a report for the Siretta QUARTZ-GOLD industrial router describing a leftover debug code vulnerability.

Siretta Report #7 - Talos published a report for the Siretta QUARTZ-GOLD industrial router describing an OS command injection vulnerability.

Siretta Report #8 - Talos published a report for the Siretta QUARTZ-GOLD industrial router describing an OS command injection vulnerability.

Siretta Report #9 - Talos published a report for the Siretta QUARTZ-GOLD industrial router describing an OS command injection vulnerability.

Siretta Report #10 - Talos published a report for the Siretta QUARTZ-GOLD industrial router describing a stack-based buffer overflow vulnerability.

Siretta Report #11 - Talos published a report for the Siretta QUARTZ-GOLD industrial router describing a directory traversal vulnerability.

Siretta Report #12 - Talos published a report for the Siretta QUARTZ-GOLD industrial router describing an OS command injection vulnerability.

Siretta Report #13 - Talos published a report for the Siretta QUARTZ-GOLD industrial router describing a directory traversal vulnerability.

Siretta Report #14 - Talos published a report for the Siretta QUARTZ-GOLD industrial router describing a stack-based buffer overflow vulnerability.

Zyxel Report - Positive Technologies published a report describing an improper check for unusual or exceptional conditions vulnerability in Zyxel switches.

Delta Report - Tenable published a report describing a privilege escalation vulnerability in the Delta Electronics InfraSuite Device Master.

For more details about these disclosures, including links to third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-1-e09 - subscription required.

Friday, January 27, 2023

Review - CSB Publishes Updated Accidental Release Reporting Data – 1-25-23

As part of the preparation for yesterday’s meeting of the Chemical Safety Board, the CSB updated their published list of reported chemical release incidents. They added 35 new incidents that occurred since the previous version was published in December (with data ending in October). One incident from the previous quarter was removed from the list. These are not incidents that the CSB is investigating; these are incidents that were reported to the CSB under their Accidental Release Reporting rules (40 CFR 1604).

The CSB also published an updated version of their Investigation Closure Plan, outlining the schedule for the Board’s clearance of the investigation backlog. Six reports are expected during the first half of this year.

For more details about the updated incident information and the investigation closure report, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-publishes-updated-accidental - subscription required.

Thursday, January 26, 2023

Short Takes – 1-26-23

McCarthy might have a math problem in blocking Omar from panel. TheHill.com article. Pull quote: ““There’s already two Republicans that have indicated that they won’t vote to put her off, and I think others will come aboard also,” said Rep. Gregory Meeks (N.Y.), the senior Democrat on the Foreign Affairs Committee, who is lobbying Republicans on Omar’s behalf.”

Amended Trade Mission Date and Application Deadline to the Cyber Security Business Development Mission to India. Federal Register notice. Pull quote: “The International Trade Administration has determined that to allow for optimal execution of recruitment and event scheduling for the mission, the dates of the mission are postponed from May 23-27, 2022 to May 22-26, 2023. As a result of the shift of the event dates the application deadline is also revised to April 14, 2023. Applications may be accepted after that date if space remains and scheduling constraints permit.”

Lawmakers submit more than 140 amendments as House opens process for first time in seven years. TheHill.com article. Lots of duplicate and near-duplicate amendments being offered by both Republicans and Democrats. Pull quote: “Unlike structured or closed rules, which limit the number of amendments considered — as determined by the House Rules Committee for each bill — a modified-open rule allows anyone to submit an amendment as long as they do so the day before a bill is debated.”

How the US can radically improve chemical safety. TheHill.com opinion piece. Pull quote: “The “essential-use approach” is quite simple in theory: If a chemical is harmful, or suspected of being harmful, it should be restricted to only those uses that are essential — and only until safer alternatives are developed. One can hardly find fault with that logic. Are antimicrobial socks or waterproof bathing suits essential enough to risk the use of harmful chemicals? Not likely. But we may need these chemicals in some surgical gowns or firefighting gear, at least until a safer alternative is developed.”

ACC Welcomes Bipartisan Trucking Reform Bill. AmericanChemistry.com press release. Pull quote: “Chemical manufacturers are concerned that constraints in the trucking industry could hinder future growth and investments. The expansion of chemical production in the U.S. is driving increased transportation demands. ACC estimates that 370 thousand additional truck shipments will be needed annually by 2032 to transport chemicals produced in the U.S.” 

Review – 7 Advisories and 1 Update Published – 1-26-23

Today, CISA’s NCCIC-ICS published seven control system security advisories for products from Landis+Gyr, Rockwell Automation, Mitsubishi Electric, Sierra Wireless, Snap One, Econolite and Delta Electronics. They also published an update for an advisory for products from Mitsubishi.

Advisories

Landis+Gyr Advisory - This advisory describes a reliance on cookies without validation vulnerability in the Landis+Gyr E850 (ZMQ200) precision meter.

Rockwell Advisory - This advisory discusses two vulnerabilities in multiple Rockwell products using the GoAhead web server.

NOTE: These vulnerabilities in the GoAhead web server from EmbedThis were originally reported by Cisco Talos in 2019.

Mitsubishi Advisory - This advisory describes an active debug code vulnerability in the Mitsubishi MELFA SD/SQ series and F-series Robot Controllers.

Sierra Wireless Advisory - This advisory describes two vulnerabilities in the Sierra Wireless AirLink routers.

Snap One Advisory - This advisory describes four vulnerabilities in the Snap One Wattbox WB-300-IP-3, a surge protector.

Econolite Advisory - This advisory describes two vulnerabilities in the Econolite EOS automated traffic control software.

Delta Advisory - This advisory describes a stack-based buffer overflow vulnerability in the Delta Electronics CNCSoft software management platform.

Updates

Mitsubishi Update - This update provides additional information on an advisory that was originally published on January 17th, 2023.

For more details about these advisories, including links to researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/7-advisories-and-1-update-published-c83 - subscription required.

DOC Sends ICTS Supply Chain Rule to OMB

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a final rule from the Department of Commerce on “Securing the Information and Communications Technology and Services Supply Chain; Connected Software Applications”.

According to the Abstract in the Fall 2022 Unified Agenda listing for the rulemaking:

“To implement Executive Order 14034, Protecting Americans’ Sensitive Data from Foreign Adversaries (EO 14034), the Department of Commerce is proposing to amend its Interim Final Rule on Securing the Information and Communications Technology and Services Supply Chain (Supply Chain IFR), that was published on January 19, 2021.  Specifically, this proposed rule would update the Supply Chain IFR to clarify that the term information and communications technology and services (ICTS) includes connected software applications. This update also would add the term connected software applications to the definition section of the Supply Chain IFR, as well as to the definition of ICTS and ICTS Transaction.  Additionally, this proposed rule would make other conforming changes to the Supply Chain IFR to explicitly state that ICTS Transactions include transactions that involve connected software applications.”

Bills Introduced – 1-25-23

Yesterday, with both the House and Senate meeting in Washington, there were 74 bills introduced. Three of those bills are worth mentioning in passing:

HR 498 To amend title V of the Public Health Service Act to secure the suicide prevention lifeline from cybersecurity incidents, and for other purposes. Obernolte, Jay [Rep.-R-CA-23]

H Res 56 Electing Members to certain standing committees of the House of Representatives. Johnson, Mike [Rep.-R-LA-4]

H Res 57 Electing Members to certain standing committees of the House of Representatives. Aguilar, Pete [Rep.-D-CA-33] 

HR 498

This is not a bill that I will be following here; it is a government IT system security bill with no specific impact on control system security. Having said that, if Congress has to go through the process of introducing legislation for each relatively minor federal program to ensure that each program has adequate cybersecurity provisions in place, we are going to see an exhausting number of bills of this type. I suspect, however, that this bill will see no action in the 118th Congress.

Committee Memberships

These two resolutions continue the time-consuming, but necessary, administrative work of the new Congress. While the text of the resolutions is not yet available, the lists of Committee assignments approved were printed in the Congressional Record. Both passed by unanimous consent (no vote, no debate). The lists are not necessarily exhaustive lists of the members of the respective committees.

H Res 56 provided lists of Republican members for the following Committees:

• Committee on Appropriations,

• Committee on Energy and Commerce,

• Committee on Financial Services,

• Committee on House Administration,

• Committee on Rules, and

• Committee on Ways and Means

H Res 57 provided lists of Democratic members for the following Committees:

• Committee on Energy and Commerce,

• Committee on Financial Services,

• Committee on House Administration,

• Committee on Rules, and

• Committee on Ways and Means

Wednesday, January 25, 2023

Short Takes – 1-25-23

House Oversight expected to create new IT and cybersecurity subcommittee. FedScoop.com article. Pull quote: “The responsibilities of the House Oversight Committee’s Government Operations subcommittee will now be undertaken by two separate subcommittees: one will focus on IT, cybersecurity and procurement, while the other will focus on the federal workforce, according to a Hill staffer familiar with the matter.”

Hazardous Materials: Editorial Corrections and Clarifications; Correction. FederalRegister.gov Final Rule. Pull quote: “The final rule made editorial revisions and clarifications to the hazardous materials regulations including the hazardous materials table. The corrections address several errors to the hazardous material entries in the hazardous materials table.”

Half of mass attacks sparked by personal, domestic, workplace disputes: Secret Service data. TheHill.com article. Pull quote: “The 60-page report was issued on Wednesday by the Secret Service’s National Threat Assessment Center and investigated 173 mass attacks where three or more people were harmed. While half of the attackers were motivated by disputes, 18 percent of them were motivated by ideological, bias-related or political beliefs.” 31 ideological, etc., attacks is important.

McCarthy blocks Adam Schiff and Eric Swalwell from House Intel panel. NBCNews.com article. As promised. Pull quote: “In a letter to House Minority Leader Hakeem Jeffries, D-N.Y., McCarthy said that while he appreciated Jeffries’ “loyalty” to his colleagues, he could not put “partisan loyalty ahead of national security.””

Omega-3s and brain health. ChemistryWorld.com article. Pull quote: “‘We saw that people with higher omega-3 perform better in a similarities test, that basically tests for abstract thinking,’ explains Satizabal. The people being studied start by responding to questions that assess the ability to recognise patterns between objects, namely an apple and a banana. According to Satizabal, it starts with easy questions in which similarities are obvious, such as in fruits. Then the test moves on to more complex comparisons. People with higher levels of omega-3 in their blood performed better in finding these patterns and thinking logically.” Interesting that there is no discussion of Omega 3 enhanced foods or supplements.

Review - HR 280 Introduced – Cyber Vulnerability Disclosures

Earlier this month, Rep Jackson-Lee introduced HR 280, the Cyber Vulnerability Disclosure Reporting Act. The bill would require DHS to prepare “a report that contains a description of the policies and procedures developed for coordinating cyber vulnerability disclosures”. No funding is authorized by this bill.

The bill is identical to HR 118 that was introduced last session. No action was taken on that bill in Committee.

Moving Forward

Jackson-Lee has not yet been assigned to any Committees, so it is difficult to determine if she has enough influence to see the bill considered in the House Homeland Security Committee to which this bill was assigned for consideration. I see nothing in the bill that would engender any organized opposition. I suspect that the bill would receive bipartisan support were it considered in Committee, and it would probably be able to be considered in the full House under the suspension of the rules process (limited debate, no floor amendments, and super-majority required for passage).

For more details about the provisions of the bill, including my commentary on the lack of necessity for the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-280-introduced - subscription required.

PHMSA Extends Liquified Ethane by Rail Comment Period

Today, DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) published a notice in the Federal Register (88 FR 4881) extending the comment period on their “Notice of Application for Special Permit” (21283-N) for the transportation of cryogenic ethane by rail, which was originally published on December 5th, 2022. Today’s notice extends the original short 30-day comment period, which also fell over the year-end holidays. Comments should now be filed by February 21st, 2023 to be considered by PHMSA.

Fourteen comments have been received to date on this notice.

Tuesday, January 24, 2023

Short Takes – 1-24-23

Coast Guard Releases New Maritime Cybersecurity Assessment & Annex Guide. Mariners.CoastGuard.blog post. Pull quote: “This guide will not influence Captain of the Port (COTP) review of FSPs submitted for approval.  MTSA regulated facilities who have already submitted their FSP cyber annex or addendum to the Coast Guard may decide to use the MCAAG to help review effectiveness of their FSA, confirm identified vulnerabilities, and make further enhancements to their FSP.”

Russian Agents Suspected of Directing Far-Right Group to Mail Bombs in Spain. NYTimes.com article. Pull quote: “Investigators in recent weeks have focused on the Russian Imperial Movement, a radical group that has members and associates across Europe and military-style training centers in St. Petersburg, Russia, the officials said. They added that the group, which has been designated a global terrorist organization by the U.S. State Department, is believed to have ties to Russian intelligence agencies. Important members of the group have been in Spain, and the police there have tracked its ties with far-right Spanish organizations.”

Hacktivism Is a Risky Career Path. Wired.com article. The future of the IT Army of Ukraine. Pull quote: “Reports that the IT Army includes a growing number of so-called script kiddies and first-time hackers also raise the possibility that Ukraine’s call to action may have set some people on a career path. A key question in 2023 will be how to harness those skills for good.”

Why Not Cover Ugly Parking Lots With Solar Panels? Wired.com article. Pull quote: “France, though, appears to have a solution: transforming its parking lots into solar farms nationwide. The French Senate has approved a bill requiring new and existing lots with more than 80 spaces to be at least half covered with canopies of solar panels that sit over the parking spaces. Assuming the bill comes into effect later this year, parking lots with more than 400 spaces must be compliant by 2026; smaller ones with 80 to 400 spaces will be given until 2028.”

Classified Documents in the Wild. TWITTER.COM @AstroKatie twitversation. I do not normally include TWITTER exchanges here, but…. Start quote: “Over time, natural evolutionary changes have allowed classified documents to spread more effectively through their environments, with some employing burrs similar to those of burdock seed pods, specially adapted to cling to business suit fabrics.”

Review - HR 286 Introduced – Healthcare Security Grants

Earlier this month, Rep Escobar (D,TX) introduced HR 286, the Health Care Providers Safety Act of 2023. The bill would amend the Public Health Service Act by adding a new §399V-8, Grants to Health Care Providers to Enhance Security. It would allow HHS to “award grants to health care providers to pay for security services and otherwise enhance the physical and cyber security of their facilities, personnel, and patients to ensure safe access.” No funding is authorized for this proposed program.

This bill is nearly identical to HR 7814 which was introduced by Escobar last session. That bill saw no action in Committee, nor did the Senate’s companion measure, S 4268, that was introduced by Sen. Gillibrand (D,NY).

Moving Forward

Neither Escobar nor her 107 cosponsors have yet been assigned to any Committees. Normally, this would mean that it would be difficult to tell if there would be sufficient influence to see the bill considered in Committee. But, since this is, at heart, a pro-abortion bill, there is not enough influence to see the bill considered in the Republican controlled House Energy and Commerce Committee to which this bill was assigned for consideration. This bill would not be able to muster the necessary votes to pass in Committee nor on the House floor.

For more details about this bill, including a look at Escobar’s press release, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-286-introduced - subscription required.

Review - 2 Advisories Published – 1-24-23

Today, CISA’s NCCIC-ICS published two control system security advisories for products from SOCOMEC and XINJE.

SOCOMEC Advisory - This advisory describes a weak encoding for password vulnerability in the SOCOMEC MODULYS GP modular uninterruptable power supply (UPS).

XINJE Advisory - This advisory describes two vulnerabilities in the XINJE XD Programming Tool.

For more details about these advisories, and my commentary on vendors ignoring CISA’s vulnerability coordination efforts, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-published-1-24-23 - subscription required.

Monday, January 23, 2023

Short Takes – 1-23-23

Can anybody tell me? WHMurray.Blogspot.com post. Interesting set of questions. Pull quote: “Please tell me that there was a plan and that it worked as intended rather than that this was a massive failure of [FAA] management and governance.  Can anyone help me here?  These questions seem to deserve, not to say demand, an answer.” I suspect that we know the answer without asking….

Democrats reach agreement with GOP on House committee ratios. TheHill.com article. Clears the way for House votes on resolutions appointing committee members this week. Pull quote: “Some committees will also change in size, according to the letter. Membership on the House Oversight and Accountability Committee will increase by one seat from each party, Transportation will decrease by two seats from each party, and Education will decrease by four seats from each party.”

Is a discharge petition the debt default silver bullet? TheHill.com opinion piece. Explains the discharge petition process. Pull quote: “The debt limit is unlikely to stir-up sufficient popular attention or support to fuel a successful discharge campaign — as important as the issue is to the financial well-being of the country and the world. But it certainly does deserve, beginning now, the kind of hardnosed bargaining and deliberation that can bring the Congress, the president, and the country together on the same path to resolution.”

Sweden’s Nato application imperilled after Koran burnt outside Turkish embassy. FT.com article. Pull quote: “The latest setback in Sweden’s attempts to convince Turkey to back its application for Nato membership came on Saturday afternoon when Rasmus Paludan, a notorious Danish rightwing provocateur, set fire to the Koran outside Turkey’s embassy in Stockholm.”

Earth’s Inner Core May Be Reversing Its Rotation, Study Finds. WSJ.com article. Pull quote: ““The changes they noticed are valid although what’s actually happening isn’t so clear,” Dr. Vidale said. “They have a very good analysis and the theory they put in the papers is probably as good as anything at the moment, but there are several competing ideas as well.”” New science.

FDA Proposes Annual Covid-19 Vaccinations. WSJ.com article. Pull quote: “The annual plan would make Covid-19 vaccinations more like annual flu shots. Advisers would meet every June to select the Covid-19 shot best able to match strains they expect to circulate in the fall, similar to how influenza vaccines are chosen.”

Review - HR 285 Introduced – Vulnerability Remediation

Earlier this month, Rep Jackson-Lee introduced HR 285. The bill would amend 6 USC 659 to allow the National Cybersecurity and Communications Integration Center (NCCIC) to “identify, develop, and disseminate actionable protocols to mitigate cybersecurity vulnerabilities”. A report to Congress is also required. No funding is authorized in this bill. The language is very similar to the version of HR 2980 that was passed in the House last session.

Moving Forward

Jackson-Lee has not yet been assigned to any committees. This means that it is too early to tell if she will have sufficient influence to see the bill considered by the House Homeland Security Committee to which this bill was assigned for consideration. The bill would receive significant bipartisan support were it considered by the Committee and would again probably move to the floor of the House under the suspension of the rules process.

Commentary

The development of remediation protocols authorized by this bill is another example of Congress authorizing actions already being taken by CISA. This is, however, going to become more important because of changes made to the House rules for the consideration of spending bills. H Res 5 allows a point of order to be raised against a provision in a spending bill that provides “for an expenditure not previously authorized by law”. It is unlikely that this particular activity by CISA would be the subject of a point of order objection, but it remains a possibility.

For more details about the provisions of this bill, including differences from the previous version, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-285-introduced - subscription required.

Sunday, January 22, 2023

Short Takes – 1-22-23

Five Rules for an Aging World. NYTimes.com article. Pull quote: “The faster aging happens in the rich and middle-income world, the more important the fact that Africa’s population is still on track to reach 2.5 billion in 2050, and reach four billion by 2100. The movement of even a fraction of this population will probably be the 21st century’s most significant global transformation. And the balance between successful assimilation on the one hand, and destabilization and backlash on the other, will help decide whether the age of demographic decline ends in revitalization or collapse.”

The America trap: Why our enemies often underestimate us. WashingtonPost.com article. Kagan never answers the central question, but describes the result in the lead up to WWII. Pull quote: “Liberal democracy was not just losing ground. It faced a potent challenge from a vibrant and revolutionary anti-liberal doctrine that attracted followers and imitators throughout Europe and beyond. Americans, British and French during World War I and for decades afterward assumed that Bolshevism posed the greatest threat to liberal democracy. But Bolshevism proved less easily exported than both its proponents and its opponents believed. Ostracized by the rest of Europe, the Soviet Union turned inward to wrestle with the transformation of its society. When democracies fell in the 1920s and ’30s, they fell to the Right, not the Left.”

Trump team struggles to consolidate support ahead of S.C. event. WashingtonPost.com article. Small scale event for Trump. Pull quote: “Trump’s last large event in the state, a spring rally in Florence, attracted thousands of supporters, and the pre-rally reception invitation boasted 36 co-chairs — a show of force that included people like McKissick, Scott and Norman, who are not expected to be with Trump again at his event. Trump has chosen a much smaller venue this time, the inside of the State House in Columbia, which is expected to accommodate about 500 people.”

Review - CFATS Regulation Changes – Cybersecurity

NOTE: This is the second in a series of posts looking at potential changes to the Chemical Facility Anti-Terrorism Standards (CFATS) regulation that CISA may be intending to make when they issue their notice of proposed rulemaking (NPRM) later this year.

With the TSA issuing multiple security directives concerning the cybersecurity of surface transportation assets, including pipelines and railroads, and multiple news sources reporting that a new executive order on cybersecurity for critical infrastructure is imminent, it seems clear that CISA may be considering changes to the existing cybersecurity requirements of the CFATS program.

Proposed Changes

CISA has not discussed in either of the two earlier advance notices of proposed rulemaking (here and here) any particular cybersecurity revisions that it would like to see in future regulatory changes. Here are two changes that I think ought to be included.

Revise the security vulnerability assessment requirements of 6 CFR 27.215(a) to insert a new paragraph (2):

“(2) Cyber asset characterization, which includes the identification and characterization of cyber assets that support, affect, or control the critical assets identified in (1), including the programs, systems and procedures which protect such cyber assets from unauthorized access or modification;”

Revise the RBPS cyber requirement of §27.230(a)(8) to read:

(8) Cyber.

(i) Deter cyber sabotage of cyber assets identified in §27.215(a)(2), including by preventing unauthorized onsite or remote access to critical process controls, such as Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), Process Control Systems (PCS), Industrial Control Systems (ICS), critical business system, and other sensitive computerized systems; and

(ii) Prevent the unauthorized modification of business systems, order controls, and inventory systems that would allow, authorize or order unauthorized transfer of chemicals of interest identified in Appendix A;

For more details about the background and constraints on any cybersecurity regulatory changes, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cfats-regulation-changes-9d5 - subscription required.

Saturday, January 21, 2023

Short Takes – 1-21-23

FBI warns of neo-Nazi plots as attacks on Northwest power grid spike. OPB.org article. Includes a catalogue of recent attacks in the Northwest. Pull quote: “Utilities are required to have measures in place on their most critical assets to prevent cascading or uncontrolled power outages. Utility industry officials say the recent grid attacks in the Northwest and North Carolina hit smaller substations that were unlikely to lead to any cascading outages and were not required to have defensive measures in place.”

Chainguard Trains Spotlight on SBOM Quality Problem. SecurityWeek.com article. Pull quote: ““This analysis suggests that standard SBOMs already provide a great deal of information but not enough to satisfy the minimum [OMB required] elements. Additionally, this research implies that the push to make SBOMs “everywhere” should be accompanied by an effort to measure and improve the quality of SBOMs,” the company said.”

EXCLUSIVE: U.S. airline accidentally exposes ‘No Fly List’ on unsecured server. DailyDot.com article. Not clear if it was the ‘no fly list’ or the Terrorism Screening Data Base. The name points to the former, the size to the latter. Pull quote: ““The server contained data from a 2019 version of the federal no-fly list that included first and last names and dates of birth,” CommuteAir Corporate Communications Manager Erik Kane said. “In addition, certain CommuteAir employee and flight information was accessible. We have submitted notification to the Cybersecurity and Infrastructure Security Agency and we are continuing with a full investigation.””

Critical Manufacturing Sector in the Bull's-eye. DarkReading.com article. A good bit of technobabble. Pull quote: “"Many of these incidents have involved ransomware where the threat actor, usually in the form of a criminal group, sets out to make money through extortion," he says. "While the ransomware problem is global, we’ve seen a rising number of attacks on critical infrastructure come from nation-state actors in pursuit of various geopolitical objectives."”

Review - HR 278 Introduced – Cyber Defense National Guard

Earlier this month, Rep Jackson-Lee introduced HR 278, the Cyber Defense National Guard Act. The bill would require the Director of National Intelligence to conduct a study on “the feasibility of establishing a Cyber Defense National Guard”. No funding is authorized by this legislation.

The language of this bill is identical to HR 119 that was introduced in the 117th Congress. There was no committee action on that bill in the last session.

Moving Forward

Jackson-Lee has not yet received any Committee assignments. This means that it is too early to determine if she would have sufficient influence to see the bill considered in the House Intelligence Committee, the committee to which this bill was assigned for consideration. Since this is a report only bill, I see nothing that would engender any organized opposition. I suspect that the bill would receive some level of bipartisan support if it were considered in committee.

Commentary

While it would seem odd that the DNI is tasked with the conduct of a study on the expansion of the National Guard, I think we can see the reason for that in the language of §2(b)(8):

“(8) the impact of the effectiveness of a Cyber Defense National Guard of the possibility that the population of potential recruits may be dominated by men and women without military, intelligence, law enforcement, or government work experience;”

The organization that Jackson-Lee envisions is not directly intended to be another branch of the NG, but probably an extension of the National Security Agency/Cyber Command with some level of support for State level cybersecurity operations. That would be an interesting construct, but I think that a direct integration with the National Guard Bureau would provide for some level of administrative and logistic support that would have to be stood up for a stand-alone cyber national guard agency.

For more details about the study, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-278-introduced - subscription required.

GAO Reports – Cybersecurity – Week of 1-14-23

This week the Government Accountability Office (GAO) published a report on “Challenges in Establishing a Comprehensive Cybersecurity Strategy and Performing Effective Oversight”. The report summarizes previous GAO reports on the topic and looks at the recommendations that have not yet been implemented to date.

The ‘Overview’ section of the report notes that:

“This is the first in a series of four reports that lay out the main cybersecurity areas the federal government should urgently address, beginning with the need for a comprehensive strategy and effective oversight. We have made about 335 recommendations in public reports since 2010 with respect to this area. About 190 of these recommendations were not implemented as of December 2022. Until these are fully implemented, federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them.”

CRS Reports – Cybersecurity – Week of 1-14-23

This week, the Congressional Research Service published a report on “Cybersecurity: Bureau of Cyber Statistics”. The report discusses the need for a service within CISA to provide data analytics for the cybersecurity incident reports that CISA is expected to start receiving when their cybersecurity reporting rule is finalized. Such a bureau was recommended (#4.3 pg 85) by the Cyberspace Solarium Commission.

Review – Public ICS Disclosures – Week of 1-14-23

This week we have twelve vendor disclosures from Campbell Scientific, Contec, HIMA, HP, Medtronic, and Wireshark (7). We also have two researcher disclosures for products from Mitsubishi and GE.

Vendor Disclosures

Campbell Advisory - INCIBE-CERT published an advisory that describes an exposure of sensitive information to an unauthorized actor vulnerability in Campbell Scientific dataloggers.

Contec Advisory - Contec published an advisory that describes SQL injection vulnerabilities in their CONPROSYS HMI System.

HIMA Advisory - CERT-VDE published an advisory that describes an unquoted Windows search path vulnerability in multiple HIMA X-OPC and X-OTS products.

HP Advisory - HP published an advisory that discusses eight vulnerabilities in multiple HP products.

Medtronic Advisory - Medtronic published an end-of-life notice for their superDimension™ navigation system.

Wireshark Advisory #1 - Wireshark published an advisory that describes a packet injection vulnerability in their EAP dissector.

Wireshark Advisory #2 - Wireshark published an advisory that describes a memory leak vulnerability in their NFS dissector.

Wireshark Advisory #3 - Wireshark published an advisory that describes a denial of service vulnerability in their Dissection engine.

Wireshark Advisory #4 - Wireshark published an advisory that describes a denial of service vulnerability in their GNW dissector.

Wireshark Advisory #5 - Wireshark published an advisory that describes a denial of service vulnerability in their iSCSI dissector.

Wireshark Advisory #6 - Wireshark published an advisory that describes an excessive loop vulnerability in multiple dissectors.

Wireshark Advisory #7 - Wireshark published an advisory that describes a denial of service vulnerability in their TIPC dissector.

Researcher Reports

Mitsubishi Report - Cisco Talos published a report that describes an authentication bypass vulnerability in the Mitsubishi MELSEC iQ-FX5U webserver.

GE Report - Claroty published a report that describes five vulnerabilities in the GE Proficy Historian. The report contains proof-of-concept code.

For more details about these disclosures, including links to third-party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-1-6c3 - subscription required.

Thursday, January 19, 2023

Waste Transfer Explosion

Yesterday, one person was killed and three hospitalized in Guthrie, KY when an explosion occurred at a metal treatment facility (see here and here). The explosion happened during the transfer of waste from the facility into a transport vehicle that apparently already contained used cooking oil. While the incident remains under investigation by the State Fire Marshal and the Kentucky Environmental Cabinet, WKDZRadio.com provides an interesting (and detailed) description of the cause of the incident:

“The Kentucky State Fire Marshal and the Kentucky Environmental Cabinet are investigating the explosion and at this time authorities believe that for some reason an organic fat such as cooking oil became mixed with the alkaline wastewater in the tank which resulted in an exothermic saponification reaction.

“This reaction reportedly raised the temperature inside the tank causing the water portion of the solution to boil and raising the pressure inside it to a point beyond its designed strength resulting in the failure of the tank seam.”

The picture accompanying that article shows some superficial damage to the building adjacent to the damaged pump truck. That relatively minor damage would indicate that the ‘exploding’ tank was a plastic tank; such tanks are not designed to contain much in the way of pressure. Flying pieces of the tank and the liquid inside could certainly cause the injuries described in the three articles.

Since the contents of the tank ‘exploded’, they were certainly an ‘extremely hazardous substance’ under the definition (40 CFR 1604.2) in the Chemical Safety Board’s ‘Reporting of Accidental Releases’ rule. Since a death was involved, this was a reportable accident under that rule.

Short Takes – 1-19-23

HDL ‘good’ cholesterol isn’t always good for heart health. ScienceNews.org article. Pull quote: “A person’s HDL cholesterol level is just one part of the story, though. Commonly reported on blood tests, the level reflects the amount of cholesterol that HDL particles have on board. HDL carries cholesterol away from the arteries to the liver to be excreted. This helps keep cholesterol from building up in artery walls, which can eventually impede blood flow.”

3 Lessons Learned in Vulnerability Management. DarkReading.com article. Pull quote: “All organizations have a responsibility when it comes to incident response and vulnerability management. Spending time educating on the technicality of how a vulnerability works and the potential exposure around technologies vulnerabilities often target can go a long way in seeing trouble before it starts.”

These are the House GOP power players in the 118th Congress. TheHill.com article. Pull quote: “Republicans can only afford to lose four members on votes, assuming all Democrats vote in opposition and all members cast a vote, meaning any group of four or more GOP lawmakers can hold up legislation brought to the House floor.” Which also means 4 Republicans can side with Democrats to pass legislation. This could get interesting.

Substation attacks may lead to new energy security rules in 2023, experts say. UtilityDive.com article. Pull quote: ““Unfortunately, with 55,000 substations nationally, there are obvious risk-based limitations on addressing physical threats that need to be managed,” Christopher said. “The industry should expect further regulatory inquiries and potential actions from the federal government in response.””

Review - 1 Advisory Published – 1-19-23

Today, CISA’s NCCIC-ICS published one control system security advisory for products from Hitachi Energy.

Hitachi Energy Advisory - This advisory discusses the OpenSSL 3.0 vulnerabilities in Hitachi Energy PCU400 products.

For more details about this advisory and a look back at the OpenSSL 3.0 vulnerabilities, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-published-1-19-23 - subscription required.

CISA Updates CFATS 15th Anniversary Page – 1-18-23

Yesterday CISA’s Office of Chemical Security updated their CFATS 15th Anniversary page, celebrating the fifteen years that the Chemical Facility Anti-Terrorism Standards program has been in operation. Yesterday’s update added links to three new YouTube videos:

A Regulatory Program with Flexibility – What Makes CFATS Different,

The Global Standard for Chemical Security, and

Industry’s Perspective on the Future of CFATS.

While the links to these three videos are just now showing up on this page, they have been on the CFATS Playlist since November.

Review - HR 162 Introduced – Digital Reserve Corps

Earlier this month Rep Gonzales (R,TX) introduced HR 162, the National Digital Reserve Corps Act. The bill would establish within the General Services Administration (GSA) a ‘National Digital Reserve Corps’, to help address the digital and cybersecurity needs of Executive agencies. The bill would add a new Chapter 103 to 5 USC. The bill would authorize $30 million for this new program.

This bill is identical to HR 4818 that was introduced by Gonzales in the 117th Congress. That bill saw no committee action in the 117th. Gonzales did attempt to get the bill added to the National Defense Authorization Act (both HR 4350 and HR 7900) as a floor amendment, but the amendment was never added to the list of amendments allowed to be offered on the floor.

Moving Forward

Neither Gonzales nor his sole cosponsor {Rep Kelly (D,IL)} has been assigned to committees yet, so it is too early to tell if they have the influence necessary to see the bill considered in the House Oversight Committee, to which this bill has been assigned for consideration. While I suspect that this bill would receive bipartisan support were it considered, I am afraid that the focus of the Committee on investigations dealing with the Biden Administration will limit the number of bills that will be considered. I also suspect that the Committee leadership would not be inclined to expand federal government operations, even in the cybersecurity realm.

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-162-introduced - subscription required.

Wednesday, January 18, 2023

Short Takes – 1-18-23

Ionic cooling offers way to end greenhouse gas use in refrigeration. ChemistryWorld.com article. Pull quote: “In the new work, Drew Lilley and Ravi Prasher, both at UC Berkeley and Lawrence Berkeley National Laboratory, used an alternative ‘ionocaloric refrigeration’ scheme. Instead of applying a field externally, they used the electrochemical binding between the ions in a salt (in this case sodium iodide) and a solvent (ethylene carbonate). When the salt is added to the partially-frozen solvent, it begins to dissolve. To do so, however, the solvent must melt, and this requires energy. ‘[The solvent] wants to become a liquid, but it needs energy to do so, so it steals it from itself and cools down,’ explains Lilley.”

When It Comes to Cybersecurity, the Biden Administration Is Getting Much More Aggressive. Slate.com article. Pull quote: “Under the new strategy, the U.S. will “disrupt and dismantle” hostile networks as part of a persistent, continuous campaign. This campaign will be coordinated by the FBI’s National Cyber Investigative Joint Task Force working in tandem with all relevant U.S. agencies—a systematic collaboration that has rarely been attempted and never before publicized. Private companies—both firms that are frequent targets of cyberattacks and firms that specialize in cybersecurity methods—will be full partners in this effort, both to alert the government task force of intrusions and to help repel them. (In the past, many of these firms, especially in Silicon Valley, have been reluctant to be seen cooperating with the government on these issues.)”

Jackson, Mississippi’s water crisis persists as national attention and help fade away. NBCNews.com article. Pull quote: “Months before the water outage in August, residents endured a cold snap in 2021, with extremely low temperatures freezing pipes and leaving many without water. And last month, residents were yet again under a boil notice after a winter storm and broken pipes left thousands without running water.” Not all water system problems are cyber related.

Review - OCS Updates CFATS FAQ Response – 1-18-23

Today, CISA’s Office of Chemical Security updated a frequently asked question (FAQ) response on their Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. The revision updated the information provided to FAQ #1554 to reflect recent regulatory changes:

FAQ #1554 Does the Cybersecurity and Infrastructure Security Agency (CISA) have enforcement authority to fine noncompliant facilities, to include shutting down a facility?

NOTE: The link provided for the FAQ in this post was copied from the CFATS Knowledge Center but may not work when followed from your machine. This is an artifact of that web site. If the links do not take you to the referenced FAQ, you will have to use the ‘Advanced Search’ function on the page to link to the FAQ or download the ‘All FAQs’ document at the bottom of the ‘Advanced Search’ page.

The revised information is an increase in the maximum civil penalty under 6 CFR 27.300(b)(3) from $38,139 to $41,093. This change was recently made when DHS updated their civil penalties to reflect inflation.

For a look at the policy changes that CISA has not made to reflect the annual inflation adjustment, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/ocs-updates-cfats-faq-response-1 - subscription required.

Tuesday, January 17, 2023

Short Takes – 1-17-23

NASA’s return to the moon is off to a rocky start. TechnologyReview.com article. Pull quote: “Artemis, like America itself, is an experiment begun years ago with good intentions. It was flawed from the outset, in part because of those good intentions and in part for more cynical reasons. It was bequeathed to hardworking people who genuinely want something good to come of it but are hamstrung by problems that predate them and may be too fundamental to ever fully fix, at least in the project’s current form. Yet it is all we have, for now. The rocket remains funded. The missions are scheduled. NASA says, “We are going.” And the moon will be waiting, indifferent to which vehicle we use to get there.”

Who Are You Calling a Great Power? LawfareBlog.com article. Pull quote: “This is not a simple definition of what counts as a great power. There’s no litmus test or threshold—some minimum share of GDP or CINC score, though these can be helpful guides and are still part of the story. And that’s the point. Politics is relative, so the way policymakers think about the role of great powers in international politics should be, too.”

Intrinsic Safety moves forward. HazardExOnTheNet.net article. New version of IEC 60079-11 [specifies the construction and testing of intrinsically safe apparatus intended for use in an explosive atmosphere and for associated apparatus] coming. Pull quote: “The reorganisation of the standard, along with significant technical changes, has resulted in the section of the IEC Foreword, listing principal changes from the previous edition, extending to 10 pages. Most revised standards require only two or three pages. There are 13 Category “A” changes that are considered to be minor or editorial, that don’t alter compliance requirements between the editions, and 74 Category “B” changes that can be regarded as extensions of the standard, allowing new forms of construction, or relaxation of the requirement. However, there are 31 Category “C” changes, each representing some change that may cause a product compliant with the previous edition not to be compliant with the new edition.”

One day, there could be a pipeline of oxygen flowing from the moon's south pole. Phys.org article. Pull quote: “Oxygen is critical. We need it in human habitats, in vehicles, and in any life-support systems anywhere on the moon. We also need it as an oxidant for rocket fuel. Ferrying large quantities of oxygen from the south pole to the equator could be cumbersome and would require dedicated vehicles, tanks, and facilities. A pipeline would eliminate vehicles and other resources, including human work hours, from the process.”

News Release: DHS S&T Awards $1.1M to Accelerate Federal Research Across U.S. Agencies. DHS.gov press release. Some interesting projects:

• Argonne National Laboratory: Autonomous Intelligent Cyber-Defense Agent,

• Los Alamos National Laboratory: Industrial Internet of Things – Physics-Informed AI Vibe Sensor for Condition Monitoring and Cybersecurity, and

• Johns Hopkins University Applied Physics Laboratory: Out of Band Over Existing Industrial Control Communications

Review - CFATS Regulation Changes – COI Changes

I noted earlier this month that the revision of the CFATS regulations had made its way back onto the Unified Agenda. I have been able to confirm that CISA’s Office of Chemical Security (OCS) is actively working on a notice of proposed rulemaking, but no details are available. So, while we wait for the NPRM, I thought that I would take a look at some of the things that could make it into that document. First, I want to take a look at changes to Appendix A, the DHS chemicals of interest list.

Background

The Unified Agenda listing for “Chemical Facility Anti-Terrorism Standards (CFATS)” (RIN: 1670-AA01) provides the following background information on their decision to look at changes to the COI list:

“The Chemical Facility Anti-Terrorism Standards (CFATS) program regulates facilities possessing large quantities of dangerous chemicals. The particular chemicals listed and threshold quantities were established in 2007, and were based on EPA’s threshold quantities for Hazardous Substances published under its Release Management Program. In the 15 years since implementation of the program, CISA has gained extensive experience in analyzing chemical holdings and determining which facilities should be classified as high-risk and subject to further regulation. Given its experience, CISA has determined that it should adjust its list of regulated chemicals, threshold quantities, and counting methods to better reflect the security issues implicated by these chemicals.”

Appendix A Changes

Currently, Appendix A provides a list of 300+ COI along with their concentration and screening threshold quantity (STQ). It also lists the security issue of concern for each chemical, which affects the STQ that applies to that chemical. Facilities use the information in Appendix A to determine if their inventory of chemicals on the list requires the facility to submit a Top Screen to OCS. OCS, in turn, uses the information provided on the Top Screen, analyzed via its threat modeling tool, to determine whether the facility is at high enough risk of potential terrorist attack to be covered under the CFATS program.

There are three different kinds of changes that OCS could be considering for the Appendix A list in their pending regulatory revision:

• Adding or deleting chemicals of interest,

• Increasing the minimum concentration of concern, or

• Increasing or decreasing the STQ

More to Come

I will look at other items that we could see in the upcoming CFATS NPRM in future posts. Just a reminder, these are my thoughts on what may be coming, no one is giving me any insider information on the NPRM at this point.

For more details about potential COI changes that could be made to the CFATS regulations when CISA publishes their NPRM, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cfats-regulation-changes - subscription required.

Review – 3 Advisories and 1 Update Published – 1-17-23

Today, CISA’s NCCIC-ICS published three control system security advisories for products from Siemens, Mitsubishi Electric, and GE Digital. They also updated an advisory for products from Contec.

Advisories

Siemens Advisory - This advisory discusses twelve vulnerabilities in the Siemens SINEC Infrastructure Network Services (INS).

NOTE: I briefly discussed these vulnerabilities on Sunday.

Mitsubishi Advisory - This advisory describes a predictable seed in the PRNG of Mitsubishi MELSEC iQ-F and iQ-R Series products.

GE Advisory - This advisory describes five vulnerabilities in the GE Digital Proficy Historian.

Update

Contec Update - This update provides additional information on an advisory that was originally published on December 13th, 2022.

NOTE: This update is based upon an update of the JP-CERT advisory that was published on January 10th.

For more details about these advisories, including links to third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-and-1-update-published-f4a - subscription required.

 