Friday, September 22, 2017

ICS-CERT Publishes 5 Advisories

Yesterday the DHS ICS-CERT published five control system security advisories for products from Schneider, Ctek, Digium, iniNet Solutions, and Saia Burgess Controls. The advisory for the products from Saia Burgess Controls was originally posted to the NCCIC Portal on August 22, 2017.

Saia Burgess Controls Advisory


This advisory describes an information exposure vulnerability in the Saia Burgess Controls PCD Controllers. The vulnerability was reported by Davide Fauri of Eindhoven University of Technology. The latest version of the firmware mitigates the vulnerability. There is no indication that Fauri has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to obtain information in memory.

The SBC upgrade notes also report that the current version makes the following security changes:

• Protective functions are activated by default;
• Improved password protection associated with the role-based user management;
• Access filter using "white" and "black" lists;
• Removed hardcoded password [NOT mentioned in ICS-CERT advisory].

Similar changes were also apparently made to the SBC PG5 Controls Suite.

iniNet Solutions Advisory


This advisory describes an improper authentication vulnerability in the iniNet Solutions SCADA Webserver. The vulnerability was reported by Matthias Niedermaier and Florian Fischer, both of Augsburg University of Applied Sciences. iniNet has released a new version that allows users to implement basic authentication. There is no indication that the researchers were afforded an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to access human-machine interface (HMI) pages or to modify programmable logic controller (PLC) variables without authentication.

Digium Advisory


This advisory describes an OS command injection vulnerability in the Digium Asterisk GUI. The vulnerability was reported by Davy Douhine of RandoriSec. Asterisk GUI is no longer maintained and should not be used. Digium recommends that affected users migrate to Digium’s SwitchVox product.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to execute arbitrary code on the device.

Interesting Questions: Would owners of a control system that uses an HMI configured with Digium’s Asterisk GUI even know that it had been used, particularly if the system had been designed by a contractor or vendor? Would it take a complete system redesign to change out the GUI for an HMI?

Ctek Advisory


This advisory describes an improper authentication vulnerability in the Ctek SkyRouter. The vulnerability was reported by Maxim Rupp. The latest firmware version mitigates this and “additional security requirements”. NOTE: “Ctek, Inc., reports that due to industry demand, wireless carriers are rapidly eliminating 2G and 3G CDMA service and they will not be creating any additional update releases for those products.” There is no indication that Rupp was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to view and edit settings without authenticating.

Schneider Advisory


This advisory describes a missing authentication for critical function vulnerability in the Schneider InduSoft Web Studio products. The vulnerability was reported by Aaron Portnoy, formerly of Exodus Intelligence. Schneider has created a patch to mitigate the vulnerability. There is no indication that Portnoy was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to remotely execute arbitrary commands with high privileges.


NOTE: The Schneider security bulletin was published last Friday. Maybe Dale Peterson was right, it looks like ICS-CERT is doing ‘ICS-vuln Thursday’.

Thursday, September 21, 2017

S 1800 Introduced – DOD Electric Grid Security

Last week Sen. Warren (D,MA) introduced S 1800, the Securing the Electric Grid to Protect Military Readiness Act of 2017. The bill is nearly identical to SA 867, Warren’s proposed amendment to HR 2810 on the same topic. It addresses efforts to protect the electrical distribution systems on military installations.

Moving Forward


Warren is a member of the Senate Armed Services Committee to which this bill was referred for consideration. This means that she may have enough influence to have the Committee consider the bill.

I do not see anything in this bill that would engender any significant opposition. If the bill were to be considered it would be likely to pass with at least some bipartisan support.

Commentary


There is nothing in this bill that directly addresses cybersecurity concerns for the industrial control system associated with military power distribution systems. A lot of the language seems to be IT-centric (for example: “to deny access to or degrade, disrupt, or destroy an information and communications technology system or network” {§2(c)(4)(A)} in the definition of ‘significant malicious cyber-enabled activities’).


I doubt that DOD would fail to address ICS security issues in the required studies and reports, but it would certainly be helpful if the bill specifically addressed requirements for ICS security considerations. I suspect that the failure to do so reflects a continued failure on the part of Congress to recognize the different issues involved with ICS security.

Wednesday, September 20, 2017

Senate Passes HR 2810 – FY 2018 NDAA

On Monday the Senate passed HR 2810, the FY 2018 National Defense Authorization Act (NDAA) by a strongly bipartisan vote of 89 to 8; even the opposition was bipartisan with three Republicans, four Democrats and one Independent voting Nay.

Of all of the amendments that I discussed in my series of blog posts over the last two weeks, only three were adopted:

• Reed (for Kaine) Amendment No. 1089, to establish opportunities for scholarships related to cybersecurity.
• McCain (for Portman) Amendment No. 712, to require a plan to meet the demand for cyberspace career fields in the reserve components of the Armed Forces.
• McCain (for Portman) Amendment No. 1055, to require a report on cyber applications of blockchain technology.

They were all considered as part of an en bloc amendment [pgs S5787-8] offered by Sen. McCain (R,AZ) at the end of the final debate on HR 2810. The en bloc amendment was adopted by unanimous consent [pg S5796].


Since there are significant differences between the versions of this bill passed in the House and Senate, it is very likely that there will be a conference committee appointed. There is, however, a very slight chance that the House will agree to the Senate amendment to the bill when it returns from its week working in the districts.

Tuesday, September 19, 2017

ICS-CERT Publishes PHOENIX CONTACT Advisory

Today the DHS ICS-CERT published a control system security advisory for products from PHOENIX CONTACT. They also provided a link to a British publication: “Code of Practice CyberSecurity for Ships”.

PHOENIX CONTACT Advisory


This advisory describes ten improper access control vulnerabilities in the PHOENIX CONTACT mGuard Device Manager. The vulnerabilities are related to the Oracle Java SE implementation in the product. These vulnerabilities were self-reported by PHOENIX CONTACT. They have a new version that mitigates the vulnerabilities.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to allow unauthorized remote access, modification of data, and may allow remote and local users to gain elevated privileges.

Once again, we see a vulnerability caused by third party software, and there is an open question about what other software systems have the same vulnerabilities. It is interesting, though, that these 10 Oracle vulnerabilities are all dated in 2017. That makes it even more likely that other vendors using the same Oracle software will not have discovered/mitigated the vulnerabilities in their products.

Cyber Security for Ships



The code of practice document was produced for the British Government by the Institution of Engineering and Technology. It provides a high-level overview of the topic including an interesting overview of the threat environment for the shipping industry. Appendix D provides a non-technical description of how mitigation measures can be developed and Appendix H provides a lengthy bibliography of cybersecurity standards for both IT and operational systems.

HR 3712 Introduced – Reserve Cybersecurity Units

Earlier this month Rep. Kilmer (D,WA) introduced HR 3712, the Major General Tim Lowenberg National Guard Cyber Defenders Act. The bill would provide specific authorization for military reserve component cyber civil support teams. NOTE: For more on Gen. Lowenberg see here and here.

Emergency Preparedness Programs


Section 2 of the bill amends 10 USC 12310(c), which provides for military reservists to be used in an active duty role in support of emergency preparedness programs. It would add a new subparagraph (1)(E) to add “An attack or natural disaster impacting a computer, electronic, or cyber network” to the list of covered emergencies for which the emergency preparedness programs would be appropriate.

The bill then goes on to add a new subparagraph (3)(B) that would specifically allow an individual reservist or “a reserve component cyber civil support team” to provide emergency preparedness support for the newly added cyber-attacks or disasters.

Cyber Civil Support Team Authorization


Section 3 of the bill requires that each state will have (within 5 years) “an operational reserve component cyber civil support team composed of reserve component members of the Armed Forces” {§3(a)}. To be considered operational each Cyber Civil Support Team would be required to be able to {§3(c)}:

• Perform duties relating to analysis and protection in support of responding to emergencies involving an attack or natural disaster impacting a computer, electronic, or cyber network;
• Advise and coordinate on any incident deemed critical for the protection of life, property, and maintenance of good order for the Governor;
• Cooperate with and assist private sector owners and operators of critical infrastructure and key resources;
• Collaborate and participate in information sharing with Federal, State, and local Fusion Centers, emergency management authorities, and emergency management divisions; and
• Coordinate with elements of the Department of Homeland Security.

Section 4 of the bill ensures that these Cyber Civil Support Teams are specifically covered by the provisions of the Freedom of Information Act under 5 USC 552.

Section 5 of the bill provides for a spending authorization of $50 million for support of the requirements of this bill.

Moving Forward


Neither Kilmer nor his two cosponsors {Rep. Palazzo (R,MS) and Rep. Heck (D,WA)} are members of the House Armed Services Committee to which this bill was assigned for consideration. This means that the bill is very unlikely to be considered in that Committee, pretty much ensuring that the bill will not get to the floor of the House for a vote.

There is nothing in this bill which would engender any serious opposition to its passage. The one major drawback to the bill is the spending authorization, but that is one area where Kilmer and Palazzo have some influence, since they are both on the House Appropriations Committee. If the bill were to be considered it is quite likely that it would receive substantial bipartisan support.

Commentary


While there is a great deal of talk in Congress about protecting critical infrastructure from cyber-attacks, there does not seem to be too much that the military can do to protect the vast majority of critical infrastructure cyber-systems that are owned by the private sector. In fact, there is a very real argument that the private sector is responsible for that and should pay for that protection via activities either in-house or through a wide variety of organizations in the ever-expanding cybersecurity market place.

However, where cyber breaches have a physical impact on the community beyond the boundaries of critical infrastructure, there is certainly a need for the kind of support outlined in this bill. What concerns me about the approach taken in the bill is the focus on post-incident response instead of emergency preparedness planning.

Planning for the potential consequences of broadly effective cybersecurity incidents is a pre-requisite for effective responses to such wide scale incidents. In fact, the §12310(c) program was founded on the idea that providing one or two professional planners (military folks are, after all, as much planners as they are fighters) to local government emergency-response planning agencies was a cost-effective way of helping to mitigate the consequences of terrorist attacks and natural disasters.


All but the largest local government agencies are ill prepared to plan for or respond to cyber-attacks on critical infrastructure. Most have problems enough providing for their own cybersecurity prevention efforts, much less have time or resources to plan for attacks on privately owned critical infrastructure affecting their area. Cyber Civil Support Teams under State control could provide another (though still limited) resource for local governments involved in the planning process.

Friday, September 15, 2017

Senate Amendments to HR 2810 (FY 2018 NDAA) – 9-14-17

On Thursday, after voting to close debate on the McCain substitute language amendment (SA 1003), the Senate agreed to a final vote on HR 2810, the FY 2018 National Defense Authorization Act (NDAA), at 5:30 pm EDT on Monday, September 18th, 2017. Meanwhile, more amendments continue to be proposed. In addition to the previously proposed amendments (see here, here, here, here and here) a large number of possible amendments to HR 2810 were proposed in the Senate on Thursday, only one of which may be of specific interest to readers of this blog:

SA 1089. Mr. KAINE - SEC. 1661. Cyber Scholarship Opportunities Act of 2017 (pgs S5768-9);

Cyber Scholarships


Amendment SA 1089 is pretty nearly the same as SA 849 that Sen. Kaine (D,VA) proposed on September 7th, 2017. The only difference is that the latest version removes the section on ‘Findings’ that explains why Kaine thinks that cyber scholarships are necessary.

This amendment would require that the current Federal Cyber Scholarship-for-Service program (15 USC 7442) be expanded to include a pilot program of scholarships at no fewer than five community colleges for students who are pursuing associate degrees or specialized program certifications in the field of cybersecurity and either “have bachelor’s degrees; or are veterans of the armed forces” {§1662(a)(2)}. No additional funding is provided for the new scholarship requirements.

Commentary


Just a reminder: as of this writing, none of the amendments that I have addressed in this series of blog posts (with the obvious exception of SA 1003) have even been considered on the floor of the House, much less adopted. There is a remote chance that some may be considered on Monday, but I do not really expect it.

This large number of amendments proposed for a ‘must pass’ bill like the NDAA is not unusual. With the political horse trading involved in getting enough votes to pass a bill like this, there is always the possibility that some pet bit of legislative language can be inserted via the Senate amendment process. It takes relatively little effort by a Senator’s staff to craft most of these amendments (frequently just cut and paste from a previously submitted bill), so it is kind of like buying a $1 lottery ticket when the pot is really high. A piece of legislation that might never see the light of day in the normal legislative process can become law because it was attached to an important bill.

A less well-known fact is that one of these little suspected gems may have already been added to the substitute language that was offered on this bill. I certainly did not do a full detailed analysis of every portion of the bill. Getting a new section added or a current section slightly revised can be the price of support for a bill like this. Depending on how much McCain trusts his committee staff and how significant the change was, he may not even know the details about those types of changes to the substitute language before it was proposed.

This is one of the reasons that I do not try to cover each of the potentially interesting amendments with the same level of detail as I use to cover interesting legislation. There is a very small chance of the amendments being considered or passed. The effort that I do make reflects on bits of legislative language that I find illustrative of either poorly or well written legislative language, unique ideas, or really slick pieces of legislative legerdemain.

Bills Introduced – 09-14-17

With both the House and Senate preparing to leave for their weekend recess, there were 64 bills introduced yesterday. Of those, two may be of specific interest to readers of this blog:

HR 3776 To support United States international cyber diplomacy, and for other purposes. Rep. Royce, Edward R. [R-CA-39]

S 1821 A bill to establish the National Commission on the Cybersecurity of United States Election Systems, and for other purposes. Sen. Gillibrand, Kirsten E. [D-NY]

I am not sure what ‘cyber diplomacy’ is, but if it concerns control system security issues I will be covering HR 3776 here.


I do not really plan to expand the focus of this blog to include detailed coverage of election cybersecurity issues, but I will be watching S 1821 for the definitions it uses and the scope of coverage of the Commission.