Bills Introduced – 1-30-18

With both the House and Senate getting ready to leave Washington following the State of the Union address, there were 35 bills introduced. Of those, one may be of specific interest to readers of this blog:

S 2360 A bill to provide for the minimum size of crews of freight trains, and for other purposes. Sen. Heitkamp, Heidi [D-ND]

I am not concerned with the crew size requirements of this bill, but I will be watching the ‘for other purposes’ to see if it includes and chemical transportation provisions.

ICS-CERT Publishes 2 Advisories and Updates Meltdown Alert

Yesterday the DHS ICS-CERT published two control system security advisories for products from Siemens and Phoenix Contact. They also updated their control system alert for the Meltdown and Spectre chip vulnerabilities.

Siemens Advisory

This advisory describes multiple vulnerabilities in the Siemens TeleControl Server Basic monitoring platform. The vulnerabilities were apparently self-reported by Siemens. Siemens has produced a new version that mitigates the vulnerabilities. Siemens has also produced work arounds to reduce the risks.

The three reported vulnerabilities are:

• Authentication bypass using an alternate path or channel - CVE-2018-4835;

• Permissions, privileges and access controls - CVE-2018-4836; and

• Uncontrolled resource consumption - CVE-2018-4837

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow for escalation of privileges to perform administrative actions. The Siemens security advisory notes that an attacker would require authenticated network access to exploit these vulnerabilities.

NOTE: This is the advisory I mentioned last week.

Phoenix Advisory

This advisory describes an improper validation of integrity check value vulnerability in the Phoenix mGuard network devices. This vulnerability was apparently self-reported. Phoenix has developed firmware updates to mitigate the vulnerability.

ICS-CERT reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to modify firmware update packages.

Meltdown Update

This update provides additional information on a control system alert that was originally published on January 11^th, 2018 and updated on January 16^th, 2018 and on January 17^th, 2018. The update provides links to new vendor reports for products from:

• Medtronic: http://www.medtronic.com/us-en/product-security/security-updates.html

The following previously published links to vendor sites contain new information:

• ABB – The updated page provides links to product specific information for System 800xA and  Symphony Plus;

• Medtronic – “no evidence suggests that Medtronic products are directly impacted”;

• Rockwell – linked document (log in required) provides updated Microsoft patch compatibility information;

• Schneider – Added Appendix A to security notification to provide product specific information;

ISCD Publishes Updated and New Fact Sheets

Today the DHS Infrastructure Security Compliance Division (ISCD) updated the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. The ‘Documentation’ section of the page now includes links to four new CFATS fact sheets for industries that are not normally considered chemical industries. They have also updated their two inspection fact sheets.

Industry Fact Sheets

The four new industry fact sheets are for:

• Pools and Water Parks;

• Wineries;

• Breweries; and

• Fisheries and Hatcheries.

Sharp eyed readers will note that three of these are included in the list of fact sheets that I mentioned in my earlier blog post about the CFATS Outreach Implementation Plan FY 2018. The last three fact sheets were reportedly released in 2017, but that I had not seen them published on the CFATS web site. The pools and water parks sheet was not mentioned in the earlier document. The lab factsheet that I had also mentioned earlier as not having been seen was not included in today’s link publication.

Much of the information provided in the four fact sheets is identical. Not surprisingly, the lists of ‘typical’ DHS chemicals of interest (COI) used by the facilities is slightly different in each case. Three of the factsheets (not the one for breweries) listed included brief comments about the agricultural exemption; mainly for fertilizers applied to land associated with the facility. The fisheries factsheet however, notes that fisheries and hatcheries are not included in that exception.

Inspection Fact Sheet Updates

The two new inspection updates deal with preparing for:

• Authorization Inspection; and

• Compliance Inspection

These are both complete re-writes of fact sheets written in 2014 and 2016 respectively. As with the previous versions, neither of these documents real information valuable for passing of the respective inspections, but they both provide valuable information that will be helpful in preparing for the conduct of the inspections.

One interesting piece of information is included in the compliance inspection fact sheet and it relates to the scheduling of those inspections. It notes that:

“ISCD compares eight factors (seven static and one dynamic) in an automated calculation to schedule CIs. Facilities with a higher score are prioritized. Static factors included in this calculation are a facility’s tier, number of planned measures [emphasis added], the time since the last inspection, and compliance history. The eighth factor changes based on new and emerging requirements.”

The issue of planned measures has been an issue since compliance inspections were started in the CFATS program. ISCD gave facilities credit for security measures that could not be implemented immediately for some reason; usually dealing with capital expenditure, long lead time equipment and the such. As long as the facility had budgeting in place and a firm schedule for completion documented, credit was given for those measures in the approval of the facility’s site security plan. During a large number of the initial compliance inspections chemical security inspectors found that facilities were not complying with their planned implementation schedules. While mitigation measures had to be in place for these planned measures to be approved by ISCD, facilities would not be fully secured until those planned measures were completed. ISCD is obviously taking these planned security measures very seriously.

To my disappointment the Expedited Approval Program appears to have been short changed in its mention in these two documents. It is briefly mentioned in a footnote in the authorization inspection document (mentioning that an authorization inspection is not required), but it is completely missed in the compliance inspection fact sheet. The consequences for a failed compliance inspection for EAP facilities is completely different from those for a facility that has gone through the standard site security plan approval process and should have been mentioned in the compliance inspection fact sheet.

OIRA and Flash Player

Okay, I did not complain for over a year about the OMB’s Office of Information and Regulatory Affairs becoming a shill for Adobe Flash Player. When you logged on to the OIRA web page you were forced to click through three times (I always ‘x’ed out) of a pop-up box before you could access any more of the site. That pop-up read: “You need Adobe Flash Player 8 (or above) to view the charts. It is a free and lightweight installation from Adobe.com. Please click on Ok to install the same.”

But, now I am complaining; last week OIRA/AdobeShill went too far. They took out the ‘x out’ option. Now you have to either click “Okay” or “Cancel” three times to get to work on the site. What is next? Will they take away the “Cancel” button as well? Just to look at some meaningless charts?

Now I know that a bunch of web sites (way too many) still use Flash Player for video presentations. I still have the program on my computer, but my browsers are set to only use it when I give specific (and VERY infrequent) authorization. And I hold my breath every time that I am forced to use it; the program just has too many vulnerabilities.

Please, DHS, if you are serious about the security of government computer systems, please tell every agency (and OIRA in particular) the Flash Player is not a secure program and that they are putting people at risk by requiring them to use it. Oh, and while you are at it, let’s talk about .PDF documents….

Cyber Threat Intelligence

There have been some interesting discussions on TWITTER based upon a comment made by Robert M. Lee, the Founder and CEO of Dragos. I have added my abbreviated 2-cents worth where appropriate, but I think we have been talking around a definition problem; the term ‘cyber threat intelligence’ is either being misused or poorly defined.

Information Quality

I spent some of my time in the Army working in a Battalion S-2 (intelligence) shop. As part of my on-the-job training (and some military correspondence courses) I learned the importance of the difference between information and intelligence. Information is something that someone has seen or heard. Intelligence, on the other hand, is the result of analysis based upon information,  earlier intelligence, and the knowledge and skills of the analyst. From a military point of view, the purpose of intelligence is to provide the Commander with the current best guess about the enemy’s intentions and capabilities so that the current battle plan can be adjusted accordingly.

Now the military intelligence analyst is reminded constantly about two constraints placed upon the quality of the information available. First, and foremost, the enemy is going to do their absolute best to try to deny the analyst access to high-quality, accurate information. Part of this involves hiding the enemy’s activities as long as possible, but another part frequently involves actively providing ‘access’ to inaccurate or misleading information.

The second is that information is provided to the analyst by human beings and that information is affected by any number of human foibles and failings. This is best exemplified in the five categories of ‘reliability’ assigned to human intelligence sources (the names have probably changed since I left the military, but the concept remains):

• Usually reliable;

• Somewhat reliable;

• Unknown reliability;

• Frequently unreliable; and

• Usually unreliable

For this discussion, the first and last categories are the most important. The military has long recognized that human information sources are never 100% reliable; even the best source can provide incorrect (or incomplete) information for any number of reasons. And even the worst data resource is going to provide good information every once in a while.

Thus, the intelligence analyst has to take into account both the quantity and quality of the information available when providing the commander with intelligence on the enemy’s intentions and capabilities.

Analyst Training

When the military trains an intelligence analyst, they train them about the tools of the trade and how to go about the analysis process. They also receive some training about the history of their expected adversary. That includes information about adversary equipment and training as well as training on the enemy’s social and political system which affects how the adversary will make decisions. Where possible this includes developing dossiers on the main players about which the analyst expects to be making operational decisions.

During conventional operations, the analyst has the advantage that most modern militaries have schooling on military arts that includes professional publications that discuss tactics and equipment. This provides the analyst with both information on tactics and equipment, but also with some insight into the thinking of the individuals writing the articles and the milieu in which they operate.

With the advent of technical collection means the military was forced to add an intermediate layer of intelligence analysis. It started with photo analysis, where people developed the skills and techniques to pull information from aerial (and later satellite) photos. With the increasing use of electromagnetic systems for communications and other military technologies, a whole new class of signals intercept and analysis technicians became an integral part of intelligence analysis.

Cyber Intelligence

In recent years the whole area of cyber intelligence has become an increasingly important part of military intelligence. From a military point of view, it is just another system of data collection, processing and analysis. It is just another means of providing the Commander with the best guess about another enemy capability on the modern battlefield.

Cyber Threat Intelligence

What has become a phenomenon of the later portion of the information age is the rise of cyber threat intelligence. While it is similar to the cyber intelligence used by the military, it is distinguishable from cyber intelligence by two very important characteristics. First it is being produced by private companies that are driven by profit motives and are responsible to shareholders. Second, the intelligence product is designed to be used by corporate entities that have not been trained to understand the limitations of the intelligence product and are ill-equipped to modify their business plans to respond to the potential consequences of the capabilities and intentions of poorly identified adversaries.

The commercial nature of the organizations that produce CTI has an inevitable, if variable, effect on the product offered to their customers. Because there are multiple competing players in the production of CTI there is frequently an increased urgency in producing and moving an analysis product to market to beat the competition. This can result in shortcuts being taken in information collection, data analysis and quality control. While the military has a different cause for urgency in their intelligence reporting needs, their relatively uncompetitive market allows them the luxury of putting out frequent updates of their analysis. Commercial CTI firms, on the other hand are expected to provide their customers with finished, comprehensive reports.

Most players in the CTI field have no formal training in the data collection and analysis process, the field is just too new. Even organizations where the founder has such training (Dragos comes quickly to mind) find it difficult to push that background down to the personnel actually doing the collection and analysis without a formal educational system to provide the necessary foundation. As more military cyber analysts begin to move to the private sector, this will begin to change. Even these personnel, however, will need some fundamental retraining in the differences between military and commercial operations. Hopefully, we will see the CTI field begin to be addressed in an academic setting.

Use of Cyber Threat Intelligence

The biggest difference between cyber intelligence and CTI is the user of the end-product. In the military each level of command in the hierarchy has their own information collection and analysis capability. Thus, commanders have been taught about the limitations of the collection and analysis process as they rise through the ranks. While cyber information collection and analysis has not yet been pushed down the chain of command to the tactical level, this background makes the commanders at all levels much more effective users of all sorts of intelligence.

One of the ways that military commanders increase the effectiveness of intelligence is that they are responsible for intelligence preparation of their portion of the battlefield. They provide their data collection and analysis assets with specific requirements for types of intelligence that will be expected to affect their operations. They also request similar types of information from higher (and frequently adjacent) headquarters. This makes the commander an active participant in the intelligence process.

The users of CTI typically have little or no background in either the use or production of CTI. This means that there is little likelihood that they will be effective users of the product or that they will be able to influence the production of useful CTI. It seems unlikely that many corporate entities will develop in-house cyber-information data-collection and analysis capabilities at multiple levels in the organization. Thus, there will be little or no in-house training of managers in the use of CTI as they rise thru the ranks.

Increasing CTI Effectiveness

If CTI is going to be a useful tool for corporate users, training is going to have to be an increasing portion of the CTI product. Not only are CTI producers going to have to be responsible for the bulk of the training of their collection and analysis personnel (academia is way too slow to respond to new areas of study), but they are going to have to be able to provide training to their customers in the utilization of their product.

While much of the training is going to have to (initially at least) be focused on the upper management of an organization, the truly successful CTI provider is going to be able to push training down to the operational level in organizations. Not only are they going to have to provide training on the use of CTI, but they are also going to have to push data collection and analysis training down to the lowest levels of the organization to increase the targeted effectiveness of their products.

The CTI production industry is a relatively new part of the cyber landscape. We can expect to see significant changes in the CTI landscape. Successful companies are going to be those that have active programs in place to increase the effectiveness and professionalism of their work force while making it easier for their customers to effectively utilize their products. The successful companies are going to be those that realize that training is going to be as large a part of their operation as is the collection and analysis of cyber information.

DHS Updates PCII Web Page

Earlier this week DHS updated their Protected Critical Infrastructure Information (PCII) Program web page; providing an imbedded video describing the PCII program. There appears to be a glitch in the video. It locks up at about (±15 seconds) 2-minutes in and I can no longer access (I get a “Could not Connect” warning; ERR_SPDY_PROTOCOL_ERROR) a number of .gov web sites from the open browser (CHROME) window. I can access the same web sites from either a new browser window or by restarting the browser until I run the video. The video also locks up when I view it with FIREFOX, but I do not have problems accessing those .gov sites (though I do get certificate warnings on the PCII site and other .gov sites).

You might want to be careful viewing this video.

Bills Introduced – 01-25-17

Yesterday with the Senate in full session and the House minimally present in a pro forma session there were 25 bills introduced. Of those only three may be of specific interest to readers of this blog:

HR 4877 Making appropriations for the Department of Defense for the fiscal year ending September 30, 2018, and for other purposes. Rep. Granger, Kay [R-TX-12]

HR 4881 To require the Federal Communications Commission to establish a task force for meeting the connectivity and technology needs of precision agriculture in the United States. Rep. Latta, Robert E. [R-OH-5] 

S 2343 A bill to require the Federal Communications Commission to establish a task force for meeting the connectivity and technology needs of precision agriculture in the United States. Sen. Wicker, Roger F. [R-MS]

HR 4877 appears to be an attempt to get the DOD out of the continuing resolution cycle for this fiscal year. The House passed a bipartisan DOD appropriations bill (HR 1301) last March, but it was never taken up by the Senate. According to at least one news report, this bill is also unlikely to be taken up in the Senate. The official text of this bill is available, but I have not had a chance to review it yet.

HR 4881 and S 2343 appear to be companion bills. I will be watching to see if these bills address cybersecurity issues associated with this technology; I am not holding my breath.

ICS-CERT Publishes 3 Advisories and 5 Siemens Updates

Today the DHS ICS-CERT published two control system security advisories for products from Siemens and Nari as well as a medical control system security advisory for products from Philips. They also updated five control system security advisories from Siemens.

Philips Advisory

This advisory describes an insufficient session expiration advisory for the Philips IntelliSpace Cardiovascular cardiac image and information management systems. According to the Philips product security page this vulnerability was identified based upon a customer submitted complaint. Philips plans on releasing an updated version to mitigate the vulnerability.

ICS-CERT reports that a relatively low-skilled attacker with local access could exploit the vulnerability  to gain unauthorized access to sensitive information stored on the system and modify this information.

NOTE: This vulnerability was not reported on the FDA medical device safety communications page, probably because an exploit would only reveal personally identifiable information making this more of a HIPAA problem. Unfortunately, I cannot find (after an admittedly brief search) a software vulnerability reporting page on the HHS HIPAA site.

Siemens Advisory

This advisory describes an improper authentication vulnerability in the Siemens Desigo PXC. The vulnerability was reported by Can Demirel and Melih Berk Eksioglu from Biznet Bilisim. Siemens has provided an updated version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to  allow unauthenticated remote attackers to upload malicious firmware without prior authentication.

BTW: Siemens tweeted this morning about another new advisory that they have just published. That will probably show up next week on the ICS-CERT site.

Nari Advisory

This advisory describes an improper input validation vulnerability in the Nari PCS-9611 relay, a control and monitoring unit. The vulnerability was reported by Kirill Nesterov and Alexey Osipov from Kaspersky Labs. Nari has not responded to ICS-CERT about this reported vulnerability.

ICS-CERT reports that a relatively low-skilled attacker could use a publicly available exploit to remotely exploit the vulnerability to gain arbitrary read/write abilities on the system.

Industrial Products (older advisory) Update

This update provides new information for an advisory that was advisory originally issued on November 8, 2016 and then updated November 22^nd, 2016; December 23^rd, 2016; February 14^th, 2017; March 2^nd, 2017,  May 9^th, 2017, and again on June 20^th, 2017. The new information includes new affected version data and mitigation links for:

• SINEMA Remote Connect Client: All versions prior to V1.0 SP3;

NOTE: The revised Siemens security notice also changed the temporary mitigation measures for SIMATIC PCS 7 V8.1, but that was not mentioned in the ICS-CERT update.

S7-300 Update

This update provides new information for an advisory that was originally published on December 13^th, 2016 and then updated on May 9^th, 2017, July 25^th, 2017, and again on November 28^th, 2017. The new information includes the addition of two new affected products along with mitigation links:

• SIMATIC S7-400 V7 CPU family; and

• SIMATIC S7-410 V8 CPU family

NOTE: The revised Siemens security notice reports that the S7-410 V8 CPU family is only affected by the inadequate encryption strength vulnerability.

PROFINET Update

This update provides new information for an advisory that was originally published on May 9^th, 2017 and updated on June 15, 2017,on July 25^th, 2017, on August 17^th, 2017, on October 10^th, on November 14^th,  November 28^th, 2017, and most recently January 18^th, 2018. The new information includes new affected version data and mitigation links for:

• S7-400 PN/DP V7 Incl. F: All versions prior to V7.0.2

• SINAMICS DCP w. PN: All versions prior to V1.2 HF 1

SCALANCE Update

This update provides new information for an advisory that was originally published on November 14^th, 2017 and updated on December 5^th, 2017, and again on December 19^th, 2017. The new information includes new affected version data and mitigation links for:

• SCALANCE WLC711: All versions prior to V9.21.19.003; and

• SCALANCE WLC712: All versions prior to V9.21.19.003

Industrial Products (newer advisory) Update

This update provides new information for an advisory that was originally published on December 5th, 2017 and updated on December 19th, 2017 and again on January 23^rd, 2018. The new information includes new affected version data and mitigation links for:

• SIMATIC S7-400 PN/DP V7: All versions prior to V7.0.2; and

• SIMATIC ET 200MP: All versions prior to V4.0.2

Commentary

Even if Siemens does not issue any more multiple product advisories in the near future (not likely, they have obviously shared a bunch of code across product lines over the years) we will continue to see large numbers of these advisory updates over the next year or so. Unfortunately, while vulnerable code is relatively easy to share, fixes cannot be cut and pasted so easily; too many dependencies, loops, etc. to check and modify as necessary. These time and resource-consuming exercises being undertaken by Siemens are a good example of why secure coding practices are so important; it really is easier over the life of the product to do it right the first time.

It would really be a good cybersecurity grad-student project to look at the costs that Siemens is expending to go back and correct mistakes that should have been caught before they ever made it to market.

ICS-CERT Publishes 2 Advisories and Updates 2 Siemens Advisories

Yesterday the DHS ICS-CERT published two control system security updates for products from Siemens and Advantech. They also updated to previously published advisories for products from Siemens.

Siemens Advisory

This advisory describes an improper input validation vulnerability in the Siemens Industrial Products. The vulnerability is self-reported. Siemens has provided several firmware updates to mitigate the vulnerability in many of the affected devices; work is ongoing for the remaining devices.

ICS-CERT reports that a relatively low-skilled attacker could remotely (with access to the local Ethernet segment) exploit the vulnerability to enter a denial-of-service condition, which may require human interaction to recover the system. The Siemens security advisory notes that: “Specially crafted PROFINET DCP broadcast packets could cause a Denial-of-Service condition of affected products on a local Ethernet segment (Layer 2). Human interaction is required to recover the systems. PROFIBUS interfaces are not affected.”

Advantech Advisory

This advisory describes two vulnerabilities in the Advantech WebAccess/SCADA platform. The vulnerability was reported by rgod via the Zero Day Initiative (ZDI). Advantech has released a new version to mitigate the vulnerability. There is no indication that rgod was provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Path traversal - CVE-2018-5445; and

• SQL injection - CVE-2018-5443

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow sensitive information to be disclosed from the target or database without authentication.

Industrial Products Update

This update provides additional information on an advisory that was originally published on December 5th, 2017 and updated on 12-19-17. The update provides updated affected version information and mitigation links for:

• SINAMICS S110 w. PN: All versions prior to V4.4 SP3 HF6; and

• SINAMICS V90 w. PN: All versions prior to V1.02

PROFINET Update

This update provides additional information on an advisory that was was originally published on May 9^th, 2017 and updated on June 15, 2017,on July 25^th, 2017, on August 17^th, 2017, on October 10^th, 2017, and most recently on November 14^th, 2017. The update provides updated affected version information and mitigation links for:

• SMART PC Access V2.3;

NOTE: Siemens announced this morning on TWITTER five new vulnerability updates and a new product vulnerability. It is going to be a long week.

Follow-up on Gemalto Vulnerabilities

Last week I made a comment in my post about the Siemens announced vulnerabilities in their implementation of the Gemalto Sentinel LDK RTE about multiple vendors probably being affected. Yesterday I saw an interesting article by Eduard Kovacs at SecurityWeek which lead to the Kaspersky report on the Gemalto vulnerabilities. Kaspersky is reporting 14 separate vulnerabilities in earlier versions of the Gemalto product, not just the two Siemens reported in their implementation. They also note that the vulnerable product may be in use by as many as 40,000 vendors world-wide including at least three additional ICS vendors; ABB, General Electric, and HP.

I hate to sound repetitive (but I will bang this drum as often as necessary), but software developers that use third party products have not only got to do a better job of vetting the security of those products, but they also have a moral (and probably legal) responsibility to update their own products (and notify their customers about the vulnerabilities) when vulnerabilities are discovered in 3^rd party components.

ICS-CERT also needs to consider expanding their vulnerability coordination role to try to reach out to additional vendors when these third-party vulnerabilities are reported. Now I realize that ICS-CERT does not generally know who uses what third-party components, but there are multiple ways that they could effectively reach out to large portions of the ICS vendor community. One would be to use a mailing list approach to send out private alerts to all ICS vendors with which they have coordinated vulnerabilities in the past. Another would be for those alerts to be made public on their web site.

Committee Hearings – Week of 01-21-18

This week, with the House finally getting back home for their ‘District Work’ week after ‘restarting’ the government, we have a rather short list of Senate hearings this week. Only one of those hearings may be of specific interest to readers of this blog; surface transportation security.

On Tuesday, the Transportation and Merchant Marine Infrastructure, Safety and Security Subcommittee of the Senate Commerce, Science, and Transportation Committee will hold a hearing on “Surface Transportation Security: Addressing Current and Emerging Threats”. The witness list is short:

• David Pekoske, Administrator, Transportation Security Administration; and

• John Kelly, Acting Inspector General, Department of Homeland Security

While there are a great many topics that could be discussed at such a hearing, I expect that what ever short comings the IG report has identified in the much-overlooked Surface Transportation Security wing of the TSA will be the main focus of the hearing. I was hoping that a copy of that report would have been available today, but with the short Federal Financial Fiasco 2018…… (that will be the oft stated excuse for a week or two).

ISCD Outreach and Shutdown

Today, the first day of the Federal Funding Fiasco 2018, the folks at DHS Infrastructure Security Compliance Division {the DHS division operating the Chemical Facility Anti-Terrorism Standards (CFATS) program} published two notes in the ‘Latest News’ section of the CFATS Knowledge Center web site. The first is a brief note about the ‘funding hiatus’ and the second is a blurb about the publication of the CFATS Outreach Implementation Plan for FY18.

Funding Hiatus

While the current federal funding authorization actually stopped at midnight last Friday, today (as the start of a ‘normal’ work week) was effectively the first day of the ‘funding hiatus’; which I prefer to call the Federal Funding Fiasco 2018. The Knowledge Center page provided the following information:

“Due to the current federal funding hiatus, some DHS personnel [emphasis added] will not be able to return emails or telephone calls until the conclusion of the funding hiatus. We appreciate your patience at this time.”

There is no specific outline of which ‘DHS Personnel’ are out of contact due to the FFF. I would have guessed that that would have included Chemical Security Inspectors, but I heard complaints during the first FFF that some inspectors were expected to work regardless. I guess the best way to tell is to try to contact folks and if they do not respond they are probably part of the ‘some DHS personnel’.

This is more information than was provided on this page during the ‘first FFF’ in 2013, however. There is a banner on the CFATS landing page (and other DHS pages) nearly identical to the one in the first FFF. Similarly, the DHS Blog entry to which that banner is linked has almost identical verbiage to the 2013 post (the dates have been changed to protect the innocent).

One significant difference on the CFATS web site this time around is that there in no notice that the CSAT system is off-line on either the Registration Page or the CSAT Portal page. Presumably this means that the automated CSAT tools remain up and running.

NOTE: After writing the above, I received news that the FFF has been at least temporarily suspended until February 8^th. We will have to wait to see if we have a Part Deux. 

Outreach Program

The second note is about the publication of the “CFATS Outreach Implementation Plan FY 2018”. This is apparently (I have not seen any of the earlier documents) the third update of a plan by ISCD that was required by the current CFATS authorization {6 USC 629}. It provides an interesting summary of the outreach efforts that ISCD has undertaken to reach out chemical facilities that may be covered by the CFATS program, but that have not filed a Top Screen report that would allow DHS to make an actual determination whether or not they are covered by the program.

The lengthy (8 pages) Executive Summary of the program includes a multipage table that briefly outlines the activities included in the original FY 2015 outreach plan and where those efforts stand three years later. Some interesting data points taken from that table include:

• DHS analyzed 217 chemical incidents; identified 54 potential CFATS sites; had 19 Top Screens submitted, and designated 5 new CFATS covered facilities;

• Of the 27,000 or so facilities that submitted Top Screens under CSAT 2.0 1,900 were facilities that had not submitted Top Screens previously; of those, 270 were designated covered facilities;

• In FY17, DHS identified 519 facilities as potentially non-compliant; and

• Since 2014 DHS officials have contacted 1400 Local/Tribal Emergency Planning Committees (LEPC).

Appendix A of this document provides a list of materials that ISCD has published to support this outreach mission. Most of the documents have been covered in this blog. There are four exceptions to that coverage; I have not seen and thus have not reported on the following:

• CFATS Information for Laboratories (factsheet);

• CFATS Information for Wineries (factsheet);

• CFATS Information for Breweries (factsheet); and

• CFATS Information for Fisheries and Hatcheries (factsheet).

These factsheets were not mentioned on the Knowledge Center and, contrary to the claim at the top of Appendix A, I have not been able to find them on the Critical Infrastructure: Chemical Security web site. I do not expect that there was much to miss here, but it would have been interesting to see how ISCD tired to ‘personalize’ the CFATS program for these industries.

DOT Publishes Two Automated Driving Requests for Comment

Earlier this week the Department of Transportation published two separate requests for comments in the Federal Register; one from the Federal Highway Administration (FHWA; 83 FR 2719-2721) and one from the National Highway Transportation Safety Administration (NHTSA; 83 2607-2614). Both deal with automated driving systems (ADS).

FHWA Request for Comments

The FHWA is looking for comments on a range of issues related to assessing the infrastructure requirements and standards that may be necessary for enabling safe and efficient operations of ADS. After a brief introduction to the topic, the FHA notice asks for responses to several specific questions, including:

• What roadway characteristics are important for influencing the safety, efficiency, and performance of ADS? Are there certain physical infrastructure elements (e.g., lane markings, signage, signals, etc.) that are necessary for ADS?

• What challenges do non-uniform traffic control devices present for ADS technologies?

• How does the state of good repair (e.g., pavement and road markings quality) impact ADS?

• How should FHWA engage with industry and automation technology developers to understand potential infrastructure requirements?

• What is the role of digital infrastructure and data (including cybersecurity) in enabling needed information exchange between ADS and roadside infrastructure?

• What concerns do State and local agencies have regarding infrastructure investment and planning for ADS, given the level of uncertainty around the timing and development of this technology?

• Are there existing activities and research in the area of assessing infrastructure-ADS interface needs and/or associated standards?

• What are the priority issues that road owners and operators need to consider in terms of infrastructure requirements, modifications, investment, and planning, to accommodate integration of ADS?

• What variable information or data would ADS benefit from obtaining and how should that data be best obtained?

• What issues do road owners and operators need to consider in terms of infrastructure modifications and traffic operations as they encounter a mixed vehicle fleet (e.g., fully-automated, partially-automated, and non-automated; cooperative and unconnected) during the transition period to a potentially fully automated fleet?

Public comments on the FHWA request may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # FHWA-2017-0049). Comments should be submitted by March 5^th, 2018.

NHTSA Request for Comments

The NHTSA request document is much more extensive and targets information necessary to help the agency to avoid impeding progress with unnecessary or unintended regulatory barriers to motor vehicles that have Automated Driving Systems (ADS). The preamble comments address automotive automation revolution, changes in vehicular design, initial agency attempts to address testing, certification and compliance issues, as well as providing an executive summary of the Volpe Report on Review of Federal Motor Vehicle Safety Standards (FMVSS) for Automated Vehicles: Identifying Potential Barriers and Challenges for the Certification of Automated Vehicles Using Existing FMVSS.

The questions for which NHTSA is seeking public feedback are also much more extensive, and fall into two major categories:

• Barriers to Testing, Certification and Compliance Verification; and

• Research Needed to Address Those Barriers and NHTSA's Role in Conducting it.

Some of the questions on barriers to testing, certification and compliance verification include:

• What are the different categories of barriers that the FMVSS potentially create to the testing, certification and compliance verification of a new ADS vehicle lacking manual driving controls?

• Do you agree (or disagree) that the FMVSS provisions identified in the Volpe report or Google letter as posing barriers to testing and certification are, in fact, barriers?

• What research would be necessary to determine how to instruct a vehicle with ADS but without manual means of control to follow a driving test procedure? 

• Is there a safety need for the telltales and other displays in Table 1 and 2 of FMVSS 101 to be visible to any of the occupants in vehicles without manual driving controls?

• Would the informational safety needs of the occupants of vehicles with ADSs differ according to whether the vehicle has a full set of manual driving controls, just an emergency stop button or no controls whatsoever?

• If vehicles with ADSs have emergency controls that can be accessed through unconventional means, such as a smart phone or multi-purpose display and have unconventional interiors, how should the Agency address those controls?

The some of the research questions include:

• For issues about FMVSS barriers that NHTSA needs research to resolve, do commenters believe that there are specific items that would be better addressed through research by outside stakeholders, such as industry or research organizations, instead of by NHTSA itself?

• Are there industry standards, existing or in development, that may be suitable for incorporation by reference by NHTSA?

Public comments on the NHTSA request may be submitted via the Federal eRulemaking Portal (www.REgulations.gov; Docket # NHTSA-2018-0009). Comments should be submitted by March 5^th, 2018.

Commentary

While both the FHWA and the NHTSA request for comments raise important and very interesting issues, there is a strange dearth of mention of the topic of cybersecurity. In fact, the only mention of the topic was in Question #5 on the FHWA request, and it looked like the mention was almost an afterthought.

The failure of NHTSA to even mention cybersecurity in their lengthy discussions and questions about federal motor vehicle safety standard seems to reflect an agency failure to recognize that all levels of automotive automation (including those currently in widespread use on the road) pose a potential safety risk due to inadequate and mostly missing cybersecurity standards.

In most of the NHTSA questions about the barriers to testing, certification and compliance, we could easily add specific questions about cybersecurity issues. Here are some of the questions that could have been asked:

• In question 1: How can NHTSA confirm that test methods developed for certification purposes have not been gamed by the manufacturer (see the EPA-VW testing issues on diesel exhaust emissions)?

• In question 12: How can NHTSA ensure that the data from various automated sensor provided to the ADS have not been tampered with?

• In question 13: Should the automated driving system cybersecurity controls provide information to vehicle occupants about identified or suspected attempts to gain unauthorized access to the vehicle automation systems?

• In question 17: What cybersecurity protections should be included for remote access to safety controls?

Perhaps what is really needed is a specific request for comments from both agencies on the cybersecurity regulatory needs for the safe implementation of automated driving systems.

ICS-CERT Publishes an Advisory and an Update for Siemens Products

Today the DHS ICS-CERT published a new control system security advisory and an updated advisory for products from Siemens.

Siemens Advisory

This advisory describes multiple vulnerabilities in the Siemens SIMATIC WinCC Add-On (license manager software). The vulnerabilities were reported by Sergey Temnikov and Vladimir Dashchenko from Kaspersky Lab. Siemens reports that a third party supplier (Gemalto) has released an updated installer that mitigates the vulnerabilities. The Siemens security advisory reports that SIMATIC WinCC Add-Ons released in 2015 and earlier include a vulnerable version of Gemalto Sentinel LDK RTE. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Stack-based buffer overflow (2) - CVE-2017-11496 and CVE-2017-11497; and

• Improper input validation - CVE-2017-11498

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow remote code execution or a denial of service condition.

NOTE: Looking at the Gemalto product page, it looks like they may have sold this product to multiple vendors. It will be interesting to see if other vendors come forward to recommend installing the same (or similar) updates to their systems.

Siemens Update

This update provides new information for an advisory that was originally published on May 9^th, 2017 and updated on June 15, 2017,on July 25^th, 2017, on August 17^th, 2017, on October 10^th, on November 14^th, and most recently November 28^th. The update provides new version information and mitigation links for:

• SIMOCODE pro V PROFINET: All versions prior to V2.0.0

NOTE: The latest version of this Siemens security advisory is in their new format which makes checking against previous versions potentially tedious. Fortunately, Siemens (as opposed to ICS-CERT) annotates the specific changes made (as opposed to noting the section in which the changes were made) to their advisories.

Other Siemens Notes

Siemens also published two other advisory documents today that did not make it into the ICS-CERT publication schedule. One was a new advisory and one was an update. Since tomorrow is Friday and ICS-CERT seldom publishes advisories on Friday, I suspect that we will see these two next week.

ICS-CERT Publishes Meltdown Update #2

Today the DHS ICS-CERT published their second update for their control system security alert for the Meltdown and Spectre CPU vulnerabilities. The alert was originally published on January 11^th, 2018 and updated on 1-16-18. The update provides links to three new vendor notification documtents:

• Emerson (account required for login);

• General Electric (account required for login, reference ID 000020832); and

• Schneider Electric: 

The Schneider security notification has probably the most reasonable guidance that I have seen to date:

“Schneider Electric is actively monitoring vendor research into these vulnerabilities to determine appropriate actions to be taken. At the time of this publication, information is being updated rapidly and the impact of proposed mitigations and patches remains unclear. Many of the initial mitigations proposed by hardware and operating system vendors indicate a high level of potential performance impact, Schneider Electric recommends caution if mitigations or patches are applied to critical and/or performance constrained systems. If you elect to apply recommended patches or mitigations in advance of further guidance from Schneider Electric, we strongly recommend evaluating the impact of those measures on a Test & Development environment or an offline infrastructure.”

Bills Introduced – 01-16-18

Yesterday, with the House and Senate back in Washington after the long Martin Luther King Holiday weekend, there were 30 bills introduced. Of these, one may be of specific interest to readers of this blog:

HJ Res 125 Making an extension of continuing appropriations for fiscal year 2018, and for other purposes. Rep. Frelinghuysen, Rodney P. [R-NJ-11]

A copy of HJ Res 125 is available on the House Rules Committee site and that Committee will hold a hearing on the continuing resolution (being considered as an amendment to HR 195 as amended by the Senate) this afternoon. The bill would extend the current continuing resolution (that expires Friday night) until February 16^th. It includes a number of special funding provisions to make passage more palatable, including an extension of the Children’s Health Insurance Program (CHIP).

ICS-CERT Updates Meltdown Alert

Today the DHS ICS-CERT updated their Meltdown/Spectre alert that was originally published on January 11^th. The new information includes links to the following additional vendor reports on the CPU vulnerabilities:

Abbott;

Johnson and Johnson;

OSIsoft;

Philips; and

Smiths Medical

Additionally (and not specifically noted in this update), Becton, Dickinson, and Company have published a new security bulletin since the original ICS-CERT alert mentioned their initial report.

Commentary

Unfortunately, while providing links to the appropriate documents, ICS-CERT has not addressed the issue seen by a number of vendors, the Microsoft update may not be compatible with all control systems. That, plus the fact that Microsoft has decided to not allow the update to take effect on systems without an updated antivirus registry key, means that system owners need to pay real close attention to the final word from their vendors. Unfortunately, the information linked to in this update is mainly preliminary; most of the listed vendors are still looking at the compatibility issues.

Of course, it could be worse. We are still waiting for the initial ICS-CERT alert on the KRACK vulnerability.

HR 4773 Introduced – AV for Federal Breaches

Last week Rep. Cartwright (D,PA) introduced HR 4773, the ANecessary and Targeted Impediment to (ANTI) Viruses Act. The bill would require the General Services Administration to acquire license to an antivirus computer product to give to people whose personal identifiable information was lost in a breach of a Federal computer system. Funding for the AV product would be provided by the agency [“derived from amounts made available to the agency for operating expenses {§2(d)} whose computer system was breached.

Moving Forward

Both Cartwright and his sole cosponsor {Rep. Norton (D,DC)} are members of the House Oversight and Government Reform Committee to which this bill was assigned for consideration. This means that it is possible that this bill could receive consideration in that Committee.

There is nothing in this bill that would engender significant opposition (beyond an obvious point that I will raise in the Commentary section below). Even the funding for the measure is unlikely to raise any serious discussion. Thus, it is possible that this bill could receive bipartisan support in Committee and on the floor of the House.

Commentary

Okay, the bar has been officially and substantially raised for when it becomes necessary to determine the silliest piece of legislation offered in the 115^th Congress. With almost a full year to go, I am pretty confident (and really very hopeful) that this bill will be the hands down winner.

There is nothing in the bill (no ‘findings’ section, for example) that would explain why Cartwright and Norton believe that it will provide any sort of significant relief to provide an individual with computer antivirus protection when their personally available information has been lost in the breach of any computer network. Even if we assume that network log-in information is among the data lost and further assuming that the individuals use the same log-in credentials on their home computer, an antivirus package is not going to stop someone from using that log-on information in accessing that home computer.

The only thing that could have made this more ludicrous would for the bill to have included a provision prohibiting the GSA from allowing Kaspersky Labs from submitting or being awarded a bid to provide the AV product. {Disclosure Note: I have been using the Kaspersky AV suite for quite some time now and do not see any reason to stop}.

One can only hope that Cartwright and Norton (and the Norton AV people cringe every time I mention her name in this post) a pandering to a specific segment of the technical ignorati in offering this bill for consideration. The only other thing that would explain this cyber-silliness is that neither of these two congresscritters (nor their staff) has any idea what an antivirus program does or how personally identifiable information is misused.

I wrote above that there was nothing in this bill that would engender any specific (‘active’ probably would have been a better work) opposition. What I meant is that there is no political, ideological or financial reason for this bill to draw opposition. The fact that there is no connection between lost PII and computer hacking (the other sequence certainly) so there is no need for providing people with AV protection is not sufficient to draw opposition to the bill.

Okay, I just thought of something. Maybe there is a useful purpose in this bill. Since the agency whose computer system was breached is responsible for paying for the AV product out of their operating budget, this bill would effectively be a fine on that agency for their lack of cybersecurity competency. This could end up being a sizeable financial incentive to have adequate cybersecurity in place. Of course, it could end up bankrupting an agency (Wouldn’t you just love to be the Bankruptcy Judge sitting on that case????) and in many cases that could be a good thing. But if that is the ‘purpose’ of this bill, please spend the money on something else; give the folks a tank of gas, or something else worthwhile, not an antivirus program.

ICS-CERT Publishes November-December 2017 Monitor

Today the DHS ICS-CERT published the last ICS-CERT Monitor (for November and December of 2017). According to the opening editorial the next issue will become the (National Cybersecurity and Communications Integration Center) NCCIC Monitor; which will be broadened to include reporting from the three divisions of the NCCIC (ICS-CERT, NCC, and USCERT).

This issue continues the ‘color glossy’, corporate report feel (with 10 full-color photographs) that I have grown to dislike and disparage. While any organization deserves to be proud of their accomplishments and government agencies have a special duty to provide information about what they are doing; the flashy graphics and photographs of industrial facilities have a tendency to make this look more like an organizational selfie that is designed to make the agency feel good about itself.

Physical Security Issues

Even when the reporting is on a topic of interest to critical infrastructure owners and operators, there are some glaring inconsistencies in the information being reported. For example, in the article on the FY 2017 Assessment Summary, the opening paragraph (pg 4) reports that: “While the assessment teams identified weakness across all control families, six categories represented roughly 33 percent of the [753] total vulnerabilities discovered across assessed CI sectors.”

The article then went on to describe the number 4 vulnerability category, physical access control. It notes that:

“Maintaining visibility in the top discoveries this year were problems related to physical access. While this is not something the ICS-CERT focuses on during assessments, the team often sees this issue during assessments. ICS components and infrastructure should only be accessible to authorized personnel as necessary to maintain the system.”

There are two disturbing aspects about that “not something the ICS-CERT focuses on during assessments”. The first is the probability that if ICS-CERT had formally included ‘physical access’ in the assessment process, they might have (probably would have) found many more disturbing instances of poor physical security of control system devices. The second (and more disturbing to my mind) is the fact that ICS-CERT found the same problems in their FY 2016 assessments, AND DID NOT FORMALLY ADDRESS THE PROBLEM IN THE ASSESSMENT PROCESS IN 2017. The first is the result of a not unusual disconnect between cyber security and physical security personnel; a problem that certainly needs to be addressed. The second is a criminally negligent level of professional malfeasance upon the part of ICS-CERT.

ICS-CERT and NCCIC

As I alluded to in the opening paragraph, the editorial leading the publication addresses the changing roles of the NCCIC and its constituent divisions. Specifically, it reports that:

“Recently, the NCCIC went through an organizational realignment to consolidate and enhance the effectiveness of its mission-essential functions, which includes changes to the structures of the ICS-CERT, NCC, and USCERT divisions. This realignment has no impact to the technical expertise and services our stakeholders rely on us to provide….”

There have been a couple of interesting social media conversations about this ‘realignment’ (see here for example). For those of us on the outside looking in, it is really hard to tell what is going on. Having said that, I would like to point to the NCCIC web site (updated on June 22^nd, 2017) and its description of ICS-CERT:

“ICS-CERT works to reduce risks within and across all critical infrastructure sectors by partnering with law enforcement agencies and the intelligence community and coordinating efforts among Federal, state, local, and tribal governments and control systems owners, operators, and vendors. Cybersecurity and infrastructure protection experts from ICS-CERT provide assistance to owners and operators of critical systems by responding to incidents and helping restore services, and by analyzing potentially broader cyber or physical impacts to critical infrastructure. Additionally, ICS-CERT collaborates with international and private sector Computer Emergency Response Teams (CERTs) to share control systems-related security incidents and mitigation measures.”

Looking at it from Columbus, GA it seems as if ICS-CERT is definitely continuing with its vulnerability coordination and reporting role. What is less clear is whether or not it is going to be the go-to Federal agency for incident reporting and investigation. It seems to me that with the rise in apparent nation-state attacks and economic attacks (ransomware) on control systems that it is going to be more important to have criminal investigative or federal intelligence agencies more involved in incident response rather than an agency of techno-geeks who may be more suited to understanding the nuts and bolts of an attack, but are probably less familiar with forensic reporting or courtroom testimony.

Forensics-reporting and effective testimony are more necessary for successfully prosecuting attackers than with protecting control systems from future attacks. Letting the techno-geeks muddy the waters of chain-of-custody and forensics reporting will likely make prosecutions more difficult, but will help other organizations learn how to deal with similar attacks. It is an interesting dichotomy that needs to be addressed in appropriate congressional forums.

HR 4766 Introduced – PTC Extensions

Earlier this week Rep. DeFazio (D,NJ) introduced HR 4766, the Positive Train Control Implementation and Financing Act of 2018. It would amend 49 USC 20157, removing the discretionary authority of the Transportation Secretary to approve alternative PTC implementation plans that extend past the current PTC deadline of December 31^st, 2018.

The Amendment

Section 2 of the bill removes two specific sub-paragraphs of §20157. First it removes §20157(a)(2)(B), thus removing the authority for railroads to propose alternative implementation schedules extending beyond 12-31-18. It also removes §20157(a)(3) which provides the Secretary with specific guidance on how such alternative schedules may be approved. A number of conforming amendments are also made.

Grant Program

Section 3 of the bill would add paragraph (m) to §20157 to establish a grant program administered by the Secretary to aid passenger railroads in their implementation of PTC. That grant program would be funded through December 31^st and $2.6 Billion would be authorized for those grants.

New Passenger Routes

Section 4 of the bill would add a new paragraph (n) that would prohibit railroads from starting operation of new passenger line routes “unless a positive train control system is fully implemented and operational on such route”.

Moving Forward

DeFazio is a senior member of the House Transportation and Infrastructure Committee to which this bill was assigned for consideration. This means that it is possible that this bill may be considered in Committee.

Two things mitigate this bill from being positively considered. First, removing the authority for extending PTC implementation deadlines past December 31^st could mean that certain passenger (and perhaps some freight rail) lines may have to suspend operations after that date if their PTC implementation has not been completed and approved by that date. This is, of course, the incentive that DeFazio intends this bill to be to drive the earliest possible implementation of PTC for passenger rail lines. Unfortunately, this also means that potentially affected railroads and their supported communities can be expected to oppose this legislation.

The second factor that by itself will almost certainly mean that the bill will not be considered in Committee is the funding of the $2.6 Billion grant program. Coming up with this new money will be a nearly impossible hurdle to overcome.

Commentary

The recent Amtrak derailment is almost certainly a major impetus for the introduction of this bill. If the timing alone was not enough of a clue, then the §4 provisions would be the final give away. Still, DeFazio is not a new comer to the expression of concerns about the ‘slow pace’ of PTC implementation. Anyone that has been paying attention over the last five years or so should not be surprised by either the provisions of §2 or the grant program in §3. Unfortunately, this bill comes too late in the game to either be effective or even pass.

PTC systems will be in place on all passenger rail lines (and many if certainly not most freight lines) in the not too distant future (just do not hold your breath for 12-31-18 on every line). It will eliminate a certain class of human-error related railroad accidents. It will not, however, signal a new, significantly safer era of railroad transportation. Mechanical problems and rail defects will still cause many (most?) accidents and I expect we will see an increase in attacks (inevitably including cyber attacks on PTC systems) by nut jobs and radicals of a number of different persuasions.

Railroads will be incrementally safer because of the costly PTC systems (and still immensely safer than our highways), but I do not believe that anyone ten years from now will claim that it was a cost-effective way to increase the safety of this transportation mode.