Saturday, June 2, 2012

CFATS Knowledge Center Update – 06-02-12


Yesterday the folks at the CFATS Help Desk updated the CFATS Knowledge Center web page adding a news item concerning contact information and updating the responses to a number of frequently asked questions on the site.

Contact Information


Under the ‘Latest News’ column on the page is the following brief note:

“The NEW CSAT Help Desk email address is csat@hq.dhs.gov. We are in the process of revising all FAQs/Articles and other CFATS materials to reflect this new address.”

There’s no explanation of why the change is being made, but it looks like it has something to do with a general re-organization of the email system at DHS; no big deal. Well, actually it is a bit of something, since a huge number of address books will have to be updated; so there is going to be some confusion.

There is no indication if/when the old address (cfats@dhs.gov) will die. I just sent an email to that address and I did not get the standard immediate ‘unable to deliver’ message back. But, since it is Saturday, I also wouldn’t expect to get a reply to that email and its question of how long that email will remain functional. If/when I get a reply, problematic at best considering my apparent negative status at ISCD, I’ll post that information here.

FAQ Update


There were nine FAQ responses updated on the site yesterday as well. I suppose that one would be forgiven for assuming that these were the first installment of the ‘revising all FAQs/Articles’ mentioned earlier. In fact the email change was the sole revision made in only three of the responses (#657, #1390, and #1557). Three other FAQ responses (#1274, #1447, and #1642) had changes made that included the email change along with other relatively minor editorial changes. The remaining responses (#56, #168, and #329) had changes that did not include any reference to the new email address.

The only real change in information provided in the six updated FAQ responses dealt with the actual provision of links to some documents referenced in the text of the response. Only one of those links is actually ‘new’ (FAQ #329) and that is for the EPA’s RMP*Comp tool (http://www.epa.gov/osweroe1/content/rmp/rmp_comp.htm). Unfortunately, the link on the bottom of the CFATS Knowledge Center page to this ‘RMP*Comp Download’ (http://www.epa.gov/oem/content/rmp/rmp_comp_download.htm) was not updated and it does return an ‘Error – File Not Found’ message.

The link in one of the other revised FAQ responses is about useless. The newly provided link in FAQ #168 is supposed to go to the CSAT Top-Screen Survey Application User Guide on the DHS website; it doesn’t. Where it does take you is right back to the CFATS Knowledge Center. You can find a link to that document on that site by clicking on the ‘Top Screen’ button but that is not readily intuitive to someone who is not familiar with this site. A better link would have been to the Top Screen web page on the Chemical Security Assessment Tool web site.

Personnel Rumors


Sharp-eyed readers will note that one of the FAQs listed above has already been changed twice this year. FAQ #1557 was previously changed because of changes in the position of Assistant Secretary, Infrastructure Protection; which leads to an interesting rumor (I have heard it from a single ‘normally reliable source’; an old Army source reliability measure, the highest reliability standard).

That source told me that: “they [DHS] announced yesterday [May 31st] that Penny Anderson is being removed as Director. She is being replaced by her deputy (Dave Wulf) as of July 21”. This would put Wulf in charge of ISCD before the Chemical Sector Security Summit (CSSS) at the end of July.

I will bet that this is the only place where we hear the term ‘removed’ used. I would expect to hear that she ‘resigned’ in any official announcement.

I never had any opportunity to talk with, or correspond with, Ms. Anderson. The one time that I saw her before a Congressional committee she appeared to be fully fluent in Congress-speak. The current problems at ISCD are hardly her fault. Even failing to make substantial progress at fixing them in her year at ISCD speaks more to her background at TSA and FAA and her lack of a working knowledge of much of anything about chemical manufacturing, rather than to any failing as an administrator.

Thursday, May 31, 2012

HR 2764 – WMD Intelligence – Passes in House


Yesterday the House considered HR 2764, the WMD Intelligence and Information Sharing Act of 2011, under a suspension of the rules. The bill passed without apparent opposition by a voice vote.

The entire process took just a little over six minutes to complete, using much less than the authorized 40 minutes for debate. The ‘debate’ consisted of short speeches in favor of the bill by just three members: the Homeland Security Chairman, Rep. King (R,NY); the Ranking Member, Rep. Thompson (D,MS); and Rep. Jackson-Lee (D,TX).

If the Senate gets around to taking up this bill, and that will become less likely as we get closer to election season, it will probably pass with similar bipartisan support. There is no indication that there will be any significant attempts to amend the bill to expand its coverage beyond the bio-security concerns found in its present version.

ICS-CERT Publishes Advisory and sKyWIper JSAR


Yesterday the folks at DHS ICS-CERT published an advisory on multiple vulnerabilities on a number of Emerson products as well as a Joint Security Awareness Report (JSAR) on sKyWIper/Flame.

Emerson Advisory


The Emerson Advisory was published describing multiple vulnerabilities in the DeltaV, DeltaV Workstations, and DeltaV ProEssentials Scientific Graph applications. The vulnerabilities were reported in a coordinated disclosure by Kuang-Chun Hung of the Security Research and Service Institute - Information and Communication Security Technology Center (ICST). The Advisory (along with an earlier version) had been previously posted to the US-CERT secure portal.

The five reported vulnerabilities are:

• Cross-site scripting - CVE-2012-1814;
• SQL injection - CVE-2012-1815;
• Denial of service - CVE-2012-1816;
• Buffer overflow - CVE-2012-1817; and
• File Manipulation - CVE-2012-1818.

(Note: Those links are not yet active as of 06:30 EDT 5-31-12, give them a day or two)

These vulnerabilities are remotely exploitable by a moderately skilled attacker. The potential results vary from DoS to execution of arbitrary code. Emerson has distributed (no link available in the ICS-CERT Advisory) notification about a hotfix to resolve these vulnerabilities, though the Advisory does not specifically state that either ICS-CERT or the originating researchers have verified the efficacy of the hotfix.

Dale Peterson made a very interesting point last night in a TWEET on this Advisory. He noted that the Emerson DeltaV applications are “very critical DCS software that's widely used in refineries & other CI [Critical Infrastructure]”. As such I am slightly disturbed that ICS-CERT did not publish a link to the Emerson notification; relying instead on a push of that information to owner-operators. I would be willing to bet that there are a number of installations where the point of contact information in the Emerson files is out-of-date.

NOTE: There is a typo in the link for this Advisory on the ICS-CERT web page. It reads http://www.us-cert.gov/control_systems/pdf/IICSA-12-138-01.pdf, but should read http://www.us-cert.gov/control_systems/pdf/ICSA-12-138-01.pdf .

sKyWIper/Flame JSAR


Over the long Memorial Day weekend the big cybersecurity news was the discovery of a new cyber-espionage ‘tool’ (no consensus yet on what to describe it as) called sKyWIper or Flame. It has been reported upon by CrySyS, Symantec, and Kaspersky. The JSAR provided by ICS-CERT provides no new information and a very weak summary of the information currently available on this malware. It does make one important point, however, when it states that “no evidence exists that sKyWIper specifically targets industrial control systems”; at least not yet.

If you want to read a good summary article about what is currently known about sKyWIper you can click on the link under the ‘Critical Infrastructure News’ tab on the ICS-CERT web page for the Tofino Security blog post on the topic. Eric Byres does his typical good job explaining cybersecurity information. This is an interesting bug with lots of implications. We’ll be talking about it for some time to come.

Wednesday, May 30, 2012

2012 CSSS Registration Open


Thanks to a TWEET from SOCMA we know that registration is now open for the 2012 Chemical Sector Security Summit, July 30 through August 1. Since SOCMA is a co-sponsor of this event it seems proper that they beat DHS to the punch in announcing the opening of registration, providing a link to the registration page, the preliminary agenda for the event, and the location/accommodation information for the event.

I expect that we will see an update of the DHS CSSS page with this info later this week.

House Rules Committee Sets Rule for HR 5743


Yesterday I noted that the House Rules Committee would meet today to set up the rule for the consideration of HR 5743, the Intelligence Authorization Act for Fiscal Year 2013. I promised to look at the bill and the associated Committee Report for mentions of cybersecurity issues; and as I expected there were none; after all, most of the bill is classified. Fortunately, the nine amendments that have been cleared to be considered during the floor debate under a ‘structured rule’ are not classified, and two of them deal with cybersecurity.

Cleared Floor Amendments


Rep. Farr (D,CA) introduced an amendment that would add a rather short §306 to the bill. It would have no real force of law because it is a ‘sense of Congress’ resolution telling intelligence community leaders to “take into consideration foreign languages and cultures during the development by such element of the intelligence community of training, tools, and methodologies to protect the networks of the United States against cyber attacks and intrusions from foreign entities”. I’m not sure what the crafter of this bill intended to mean by the phrase ‘to take into consideration’. I am just as sure that it isn’t important in any case, it is after all just a ‘sense of Congress’ statement.

Rep. Myrick (R,NC) and Rep. Wolf (R,VA) introduced the last amendment that will be considered on the Floor for this bill. It would require the Director of National Intelligence (DNI) to prepare a report to Congress on supply chain security issues related to foreign suppliers “of information technology (including equipment, software, and services) that are linked directly or indirectly to a foreign government” {§502(a)(1)}. The DNI would be required to assess the “vulnerability to malicious activity, including cyber crime or espionage, of the telecommunications networks of the United States due to the presence of technology produced by suppliers identified” {§502(a)(2)}. If the ‘linked directly or indirectly to a foreign government’ didn’t make the scope of this report large enough, the definition of ‘telecommunications networks’ solved the problem; it includes:

• Telephone systems;

• Internet systems;

• Fiber optic lines, including cable landings;

• Computer networks; and

• Smart grid technology

Nothing about the kitchen sink though.

Passed Over Amendments


There were three more cybersecurity related amendments offered to the Rules Committee that did not make the cut for being allowed to reach the Floor during the debate later this week. Those amendments included requirements for:

• A threat assessment for cyber threats to critical infrastructure; Clarke (D,NY);

• Each agency that deals with classified documents to report back in 1 year potential security risks associated with the acquisition of computer hardware; Cuellar (D,TX); and

• The Civil Liberties Protection Officer to review on an ongoing basis, and prepare, as necessary, privacy impact assessments on, the cybersecurity policies, programs, and activities of the Intelligence Community; Hahn (D,CA).

It is interesting that two different amendments would address the supply chain security issue.

Oh, and special kudos to Ms. Clarke. She has tried to get this amendment made to every bill that looked like it might relate to cybersecurity, both in Committee and on the floor. Readers of this blog will know that I am not a big fan of reports to Congress, but this one sure seems legitimate to me. Keep plugging Congresswoman Clarke.

Moving Forward


According to the Majority Leader’s web site this bill will come to the floor tomorrow afternoon with work carrying on until it concludes sometime tomorrow night.

TSA’s Surface Inspection Program – Hearing Witness List


The Subcommittee on Transportation Security of the House Homeland Security Committee has published the witness list for their hearing tomorrow on the effectiveness of the TSA Surface Inspection Program. I was wrong yesterday in suggesting that there would be someone from TSA testifying; all of the announced witnesses are from the private sector. The witnesses represent the railroads (freight and passenger), trucking, and bus travel.

The hearing web-site describes the purpose this way:

“Given the reality that terrorists see surface transportation as a very attractive target, we owe it to taxpayers to take a close look at TSA's inspectors program and determine whether this is a good use of limited resources, or if this funding would be better spent on other surface initiatives designed to prevent an attack.”

The currently scheduled witnesses are:

• Mr. John O’Connor, Chief of Police, Amtrak;

• Mr. Skip Elliott, Vice President of Public Safety and Environment, CSX, Testifying on behalf of the Association of American Railroads;

• Mr. Philip L. Byrd Sr., President, Bulldog Hiway Express, Testifying on behalf of the American Trucking Associations;

• Mr. William C. Blankenship, Chief Operating Officer, Greyhound Lines, Inc.; and

• Mr. Doug Morris, Director, Safety and Security Operations, Owner-Operator Independent Drivers Association

While the TSA provides counter-terrorism support to the passenger railroad industry in the form of VIPR teams, the only real surface transportation program that the TSA currently has in place that calls for inspectors is the transportation of hazardous chemicals by rail. The only other ‘inspection’ activity is the Corporate Security Reviews conducted on a voluntary basis. Of course, even if the congressionally mandated security programs were in place, it is almost certain that the small size of the surface transportation inspection force would not be able to ‘inspect’ even a statistically significant sample of the covered organizations.

It will be interesting to see what alternatives might be available to protect the vast surface transportation network in this country that so many people rely upon every day.

HR 5856 Introduced – DOD Appropriations


Just before the Memorial Day Weekend, during a pro forma session, Rep. Young (R-FL) introduced HR 5856, the Department of Defense Appropriations Act, 2013. While DOD has a major measure of responsibility for cybersecurity actions, there is nothing in the bill that mentions cybersecurity or cyber operations.

Last year we saw a number of items in the Appropriations Committee report on that DOD appropriations bill, but there are no programs mentioned in the report for HR 5856. Interestingly though, there is a rather lengthy comment about the lack of mention found in the Committee report (pg 208 – Adobe 218):

“The Committee acknowledges the threat to and from the cyber realm and believes it has been well documented; however, the resources being expended against the threat have not. In order to better evaluate the planning and resourcing for Department of Defense cyber activities, the Committee directs the Commander, United States Cyber Command, in coordination with the Secretary of Defense and each of the Service Secretaries, to provide the congressional defense committees separate budget justification material, in the form of budget documents as defined in the Department’s financial management regulation, that details the year-to-year budgets, schedule, and milestone goals over the Future Years Defense Program for the individual programs that support the goals of cyber initiatives. The programs detailed must include cyberspace operations, computer network operations, information assurance, and full spectrum cyber operations for the Department of Defense and the Services. Further, the Committee suggests that the Department continue to refine what activities, budget lines, and programs should be considered cyber in order to better coordinate and track these budgets.”

With the level of DOD responsibility for defending against cyber-attacks and conducting cyber-operations, this is certainly something that should show up not only in the documentation for the President’s budget request, but also in the appropriations bills written by Congress.

It still wouldn’t be surprising to see amendments offered to this bill that address specific cybersecurity or cyber operations issues when it comes to the floor of the House next month.