Monday, January 22, 2018

Committee Hearings – Week of 01-21-18

This week, with the House finally getting back home for their ‘District Work’ week after ‘restarting’ the government, we have a rather short list of Senate hearings. Only one of those hearings may be of specific interest to readers of this blog: surface transportation security.

On Tuesday, the Transportation and Merchant Marine Infrastructure, Safety and Security Subcommittee of the Senate Commerce, Science, and Transportation Committee will hold a hearing on “Surface Transportation Security: Addressing Current and Emerging Threats”. The witness list is short:

• David Pekoske, Administrator, Transportation Security Administration; and
• John Kelly, Acting Inspector General, Department of Homeland Security

While there are a great many topics that could be discussed at such a hearing, I expect that whatever shortcomings the IG report has identified in the much-overlooked Surface Transportation Security wing of the TSA will be the main focus of the hearing. I was hoping that a copy of that report would have been available today, but with the short Federal Financial Fiasco 2018…… (that will be the oft-stated excuse for a week or two).

ISCD Outreach and Shutdown

Today, the first day of the Federal Funding Fiasco 2018, the folks at DHS Infrastructure Security Compliance Division {the DHS division operating the Chemical Facility Anti-Terrorism Standards (CFATS) program} published two notes in the ‘Latest News’ section of the CFATS Knowledge Center web site. The first is a brief note about the ‘funding hiatus’ and the second is a blurb about the publication of the CFATS Outreach Implementation Plan for FY18.

Funding Hiatus

While the current federal funding authorization actually stopped at midnight last Friday, today (as the start of a ‘normal’ work week) was effectively the first day of the ‘funding hiatus’; which I prefer to call the Federal Funding Fiasco 2018. The Knowledge Center page provided the following information:

“Due to the current federal funding hiatus, some DHS personnel [emphasis added] will not be able to return emails or telephone calls until the conclusion of the funding hiatus. We appreciate your patience at this time.”

There is no specific outline of which ‘DHS Personnel’ are out of contact due to the FFF. I would have guessed that that would have included Chemical Security Inspectors, but I heard complaints during the first FFF that some inspectors were expected to work regardless. I guess the best way to tell is to try to contact folks and if they do not respond they are probably part of the ‘some DHS personnel’.

This is more information than was provided on this page during the ‘first FFF’ in 2013, however. There is a banner on the CFATS landing page (and other DHS pages) nearly identical to the one in the first FFF. Similarly, the DHS Blog entry to which that banner is linked has almost identical verbiage to the 2013 post (the dates have been changed to protect the innocent).

One significant difference on the CFATS web site this time around is that there is no notice that the CSAT system is off-line on either the Registration Page or the CSAT Portal page. Presumably this means that the automated CSAT tools remain up and running.

NOTE: After writing the above, I received news that the FFF has been at least temporarily suspended until February 8th. We will have to wait to see if we have a Part Deux. 

Outreach Program

The second note is about the publication of the “CFATS Outreach Implementation Plan FY 2018”. This is apparently (I have not seen any of the earlier documents) the third update of a plan by ISCD that was required by the current CFATS authorization {6 USC 629}. It provides an interesting summary of the outreach efforts that ISCD has undertaken to reach out to chemical facilities that may be covered by the CFATS program, but that have not filed a Top Screen report that would allow DHS to make an actual determination whether or not they are covered by the program.

The lengthy (8 pages) Executive Summary of the program includes a multipage table that briefly outlines the activities included in the original FY 2015 outreach plan and where those efforts stand three years later. Some interesting data points taken from that table include:

• DHS analyzed 217 chemical incidents; identified 54 potential CFATS sites; had 19 Top Screens submitted, and designated 5 new CFATS covered facilities;
• Of the 27,000 or so facilities that submitted Top Screens under CSAT 2.0, 1,900 were facilities that had not submitted Top Screens previously; of those, 270 were designated covered facilities;
• In FY17, DHS identified 519 facilities as potentially non-compliant; and
• Since 2014 DHS officials have contacted 1400 Local/Tribal Emergency Planning Committees (LEPC).

Appendix A of this document provides a list of materials that ISCD has published to support this outreach mission. Most of the documents have been covered in this blog. There are four exceptions to that coverage; I have not seen and thus have not reported on the following:

• CFATS Information for Laboratories (factsheet);
• CFATS Information for Wineries (factsheet);
• CFATS Information for Breweries (factsheet); and
• CFATS Information for Fisheries and Hatcheries (factsheet).

These factsheets were not mentioned on the Knowledge Center and, contrary to the claim at the top of Appendix A, I have not been able to find them on the Critical Infrastructure: Chemical Security web site. I do not expect that there was much to miss here, but it would have been interesting to see how ISCD tried to ‘personalize’ the CFATS program for these industries.

Friday, January 19, 2018

DOT Publishes Two Automated Driving Requests for Comment

Earlier this week the Department of Transportation published two separate requests for comments in the Federal Register; one from the Federal Highway Administration (FHWA; 83 FR 2719-2721) and one from the National Highway Transportation Safety Administration (NHTSA; 83 FR 2607-2614). Both deal with automated driving systems (ADS).

FHWA Request for Comments

The FHWA is looking for comments on a range of issues related to assessing the infrastructure requirements and standards that may be necessary for enabling safe and efficient operations of ADS. After a brief introduction to the topic, the FHWA notice asks for responses to several specific questions, including:

• What roadway characteristics are important for influencing the safety, efficiency, and performance of ADS? Are there certain physical infrastructure elements (e.g., lane markings, signage, signals, etc.) that are necessary for ADS?
• What challenges do non-uniform traffic control devices present for ADS technologies?
• How does the state of good repair (e.g., pavement and road markings quality) impact ADS?
• How should FHWA engage with industry and automation technology developers to understand potential infrastructure requirements?
• What is the role of digital infrastructure and data (including cybersecurity) in enabling needed information exchange between ADS and roadside infrastructure?
• What concerns do State and local agencies have regarding infrastructure investment and planning for ADS, given the level of uncertainty around the timing and development of this technology?
• Are there existing activities and research in the area of assessing infrastructure-ADS interface needs and/or associated standards?
• What are the priority issues that road owners and operators need to consider in terms of infrastructure requirements, modifications, investment, and planning, to accommodate integration of ADS?
• What variable information or data would ADS benefit from obtaining and how should that data be best obtained?
• What issues do road owners and operators need to consider in terms of infrastructure modifications and traffic operations as they encounter a mixed vehicle fleet (e.g., fully-automated, partially-automated, and non-automated; cooperative and unconnected) during the transition period to a potentially fully automated fleet?

Public comments on the FHWA request may be submitted via the Federal eRulemaking Portal (Docket # FHWA-2017-0049). Comments should be submitted by March 5th, 2018.

NHTSA Request for Comments

The NHTSA request document is much more extensive and targets information necessary to help the agency avoid impeding progress with unnecessary or unintended regulatory barriers to motor vehicles that have Automated Driving Systems (ADS). The preamble comments address the automotive automation revolution, changes in vehicular design, and initial agency attempts to address testing, certification and compliance issues, and provide an executive summary of the Volpe Report on Review of Federal Motor Vehicle Safety Standards (FMVSS) for Automated Vehicles: Identifying Potential Barriers and Challenges for the Certification of Automated Vehicles Using Existing FMVSS.

The questions for which NHTSA is seeking public feedback are also much more extensive, and fall into two major categories:

• Barriers to Testing, Certification and Compliance Verification; and
• Research Needed to Address Those Barriers and NHTSA's Role in Conducting it.

Some of the questions on barriers to testing, certification and compliance verification include:

• What are the different categories of barriers that the FMVSS potentially create to the testing, certification and compliance verification of a new ADS vehicle lacking manual driving controls?
• Do you agree (or disagree) that the FMVSS provisions identified in the Volpe report or Google letter as posing barriers to testing and certification are, in fact, barriers?
• What research would be necessary to determine how to instruct a vehicle with ADS but without manual means of control to follow a driving test procedure? 
• Is there a safety need for the telltales and other displays in Table 1 and 2 of FMVSS 101 to be visible to any of the occupants in vehicles without manual driving controls?
• Would the informational safety needs of the occupants of vehicles with ADSs differ according to whether the vehicle has a full set of manual driving controls, just an emergency stop button or no controls whatsoever?
• If vehicles with ADSs have emergency controls that can be accessed through unconventional means, such as a smart phone or multi-purpose display and have unconventional interiors, how should the Agency address those controls?

Some of the research questions include:

• For issues about FMVSS barriers that NHTSA needs research to resolve, do commenters believe that there are specific items that would be better addressed through research by outside stakeholders, such as industry or research organizations, instead of by NHTSA itself?
• Are there industry standards, existing or in development, that may be suitable for incorporation by reference by NHTSA?

Public comments on the NHTSA request may be submitted via the Federal eRulemaking Portal (Docket # NHTSA-2018-0009). Comments should be submitted by March 5th, 2018.


While both the FHWA and the NHTSA request for comments raise important and very interesting issues, there is a strange dearth of mention of the topic of cybersecurity. In fact, the only mention of the topic was in Question #5 on the FHWA request, and it looked like the mention was almost an afterthought.

The failure of NHTSA to even mention cybersecurity in their lengthy discussions and questions about federal motor vehicle safety standards seems to reflect an agency failure to recognize that all levels of automotive automation (including those currently in widespread use on the road) pose a potential safety risk due to inadequate and mostly missing cybersecurity standards.

In most of the NHTSA questions about the barriers to testing, certification and compliance, we could easily add specific questions about cybersecurity issues. Here are some of the questions that could have been asked:

• In question 1: How can NHTSA confirm that test methods developed for certification purposes have not been gamed by the manufacturer (see the EPA-VW testing issues on diesel exhaust emissions)?
• In question 12: How can NHTSA ensure that the data from various automated sensors provided to the ADS have not been tampered with?
• In question 13: Should the automated driving system cybersecurity controls provide information to vehicle occupants about identified or suspected attempts to gain unauthorized access to the vehicle automation systems?
• In question 17: What cybersecurity protections should be included for remote access to safety controls?

Perhaps what is really needed is a specific request for comments from both agencies on the cybersecurity regulatory needs for the safe implementation of automated driving systems.

Thursday, January 18, 2018

ICS-CERT Publishes an Advisory and an Update for Siemens Products

Today the DHS ICS-CERT published a new control system security advisory and an updated advisory for products from Siemens.

Siemens Advisory

This advisory describes multiple vulnerabilities in the Siemens SIMATIC WinCC Add-On (license manager software). The vulnerabilities were reported by Sergey Temnikov and Vladimir Dashchenko from Kaspersky Lab. Siemens reports that a third party supplier (Gemalto) has released an updated installer that mitigates the vulnerabilities. The Siemens security advisory reports that SIMATIC WinCC Add-Ons released in 2015 and earlier include a vulnerable version of Gemalto Sentinel LDK RTE. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Stack-based buffer overflow (2) - CVE-2017-11496 and CVE-2017-11497; and
• Improper input validation - CVE-2017-11498

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow remote code execution or a denial of service condition.

NOTE: Looking at the Gemalto product page, it looks like they may have sold this product to multiple vendors. It will be interesting to see if other vendors come forward to recommend installing the same (or similar) updates to their systems.

Siemens Update

This update provides new information for an advisory that was originally published on May 9th, 2017 and updated on June 15, 2017, on July 25th, 2017, on August 17th, 2017, on October 10th, on November 14th, and most recently November 28th. The update provides new version information and mitigation links for:

• SIMOCODE pro V PROFINET: All versions prior to V2.0.0

NOTE: The latest version of this Siemens security advisory is in their new format which makes checking against previous versions potentially tedious. Fortunately, Siemens (as opposed to ICS-CERT) annotates the specific changes made (as opposed to noting the section in which the changes were made) to their advisories.

Other Siemens Notes

Siemens also published two other advisory documents today that did not make it into the ICS-CERT publication schedule. One was a new advisory and one was an update. Since tomorrow is Friday and ICS-CERT seldom publishes advisories on Friday, I suspect that we will see these two next week.

Wednesday, January 17, 2018

ICS-CERT Publishes Meltdown Update #2

Today the DHS ICS-CERT published their second update for their control system security alert for the Meltdown and Spectre CPU vulnerabilities. The alert was originally published on January 11th, 2018 and updated on 1-16-18. The update provides links to three new vendor notification documents:

Emerson (account required for login);
General Electric (account required for login, reference ID 000020832); and

The Schneider security notification has probably the most reasonable guidance that I have seen to date:

“Schneider Electric is actively monitoring vendor research into these vulnerabilities to determine appropriate actions to be taken. At the time of this publication, information is being updated rapidly and the impact of proposed mitigations and patches remains unclear. Many of the initial mitigations proposed by hardware and operating system vendors indicate a high level of potential performance impact, Schneider Electric recommends caution if mitigations or patches are applied to critical and/or performance constrained systems. If you elect to apply recommended patches or mitigations in advance of further guidance from Schneider Electric, we strongly recommend evaluating the impact of those measures on a Test & Development environment or an offline infrastructure.”

Bills Introduced – 01-16-18

Yesterday, with the House and Senate back in Washington after the long Martin Luther King Holiday weekend, there were 30 bills introduced. Of these, one may be of specific interest to readers of this blog:

HJ Res 125 Making an extension of continuing appropriations for fiscal year 2018, and for other purposes. Rep. Frelinghuysen, Rodney P. [R-NJ-11]

A copy of HJ Res 125 is available on the House Rules Committee site and that Committee will hold a hearing on the continuing resolution (being considered as an amendment to HR 195 as amended by the Senate) this afternoon. The bill would extend the current continuing resolution (that expires Friday night) until February 16th. It includes a number of special funding provisions to make passage more palatable, including an extension of the Children’s Health Insurance Program (CHIP).

Tuesday, January 16, 2018

ICS-CERT Updates Meltdown Alert

Today the DHS ICS-CERT updated their Meltdown/Spectre alert that was originally published on January 11th. The new information includes links to the following additional vendor reports on the CPU vulnerabilities:

Philips; and

Additionally (and not specifically noted in this update), Becton, Dickinson, and Company have published a new security bulletin since the original ICS-CERT alert mentioned their initial report.


Unfortunately, while providing links to the appropriate documents, ICS-CERT has not addressed the issue seen by a number of vendors: the Microsoft update may not be compatible with all control systems. That, plus the fact that Microsoft has decided to not allow the update to take effect on systems without an updated antivirus registry key, means that system owners need to pay real close attention to the final word from their vendors. Unfortunately, the information linked to in this update is mainly preliminary; most of the listed vendors are still looking at the compatibility issues.

Of course, it could be worse. We are still waiting for the initial ICS-CERT alert on the KRACK vulnerability.