Chemical Facility Security News

New ICS-CERT Vulnerability Record Set

2012-02-17T07:03:00.000-05:00

In the last couple of days ICS-CERT has published a generic control system alert and an advisory that sets a new record for the number of multiple vulnerabilities listed in a single control system. That advisory combines information from two different alerts published last fall along with information from at least two separate coordinated vulnerability disclosures.

Generic Control System Alert

The alert issued late Wednesday, entitled “Increasing Threat to Industrial Control Systems” combines a reiteration of the data covered in the three alert updates issued on Valentine’s Day for the Basecamp tools released by Digital Bond with information about increased interest in attacking control systems. The last includes a valuable piece of threat intelligence. The Alert explains:

“ICS-CERT has recently seen a marked increase in interest shown by a variety of malicious groups, including hacktavist and anarchist groups, toward Internet accessible ICS devices. This increased activity includes the identification of Internet facing ICS devices and the public posting of IP address to various websites. In addition, individuals from these groups have posted online requests for others to visit or access the identified device addresses.”

I have previously noted that I thought that one of the main threats to control systems at high-risk chemical attacks would be from radical environmental activist groups. Recent physical break-ins at a Duke Energy coal-fired electrical power generation facility by Greenpeace activists aimed at stopping the use of coal show an increasing trend for high-profile actions to bring public attention to their cause. Spreading such actions into the cyber sphere is certainly to be expected.

ICS-CERT is to be commended for sharing this cyber-intelligence information with the control system security community. The inclusion of a listing of generic mitigation measures that system managers can use to help protect their control systems against these kinds of attacks increases the value of the information. I would also like to suggest that owners should directly contact their system vendors to see what additional actions can be taken to protect their specific system.

Record Vulnerabilities

It looks like ICS-CERT has decided to decrease the number of advisories that it has to produce by combining information from multiple disclosure sources whenever possible. The latest example of this is yesterday’s release of an Advisory about the Advantech BroadWin Access application. This advisory addresses two earlier alerts and coordinated disclosures from apparently at least two different sources (the earlier alerts pre-date the change in policy where ICS-CERT began identifying security researchers responsible for uncoordinated disclosures). Five separate researchers are identified in this advisory.

The Advisory reports 18 separate vulnerabilities in four general categories. That breaks the recently set record of 11 vulnerabilities reported in a Siemens advisory issued just last month. The categories are:

• Cross-site scripting (XSS);

• SQL injection;

• Cross-site report forgery (CSRF); and

• Authentication issues.

The advisory notes that all of the vulnerabilities are remotely exploitable with publicly available exploits for many of them. Attackers with low to moderate skills can exploit these vulnerabilities resulting in effects ranging from a DOS to running arbitrary code.

Advantech has released an updated version of WebAccess (ver. 7.0) to address these vulnerabilities. As in the Siemens advisory ICS-CERT reports varied successes with actually mitigating the problems. They note:

• ICST, iSIGHT, and ICS-CERT have validated that the new version mitigates Vulnerabilities 1 and 5−16.

• For Vulnerabilities 2 [SQL Injection] and 3 [Cross-Site Request Forgery], the patched version fixes the issue for unauthenticated users; however, the problem still remains for nonadmin project users.

• Vulnerability 4 [Information Leakage] was not patched, because Advantech does not consider it to be a security risk.

• Neither ICS-CERT nor independent researchers have validated that the new version resolves Vulnerabilities 17 [ActiveX Buffer Overflow] and 18 [SQL Injection].

The ‘non-security’ risk designation for vulnerability 4 is interesting. ICS-CERT describes the vulnerability this way:

“An unauthenticated user can access restricted information using specific URL addresses.”

From the point of view of the vendor, I suppose that since this does not directly alter the way the system behaves, it could be considered to be a fairly minor administrative issue. From the point of view of the facility owner that restricted information could be very valuable intellectual property about their manufacturing process. To decide not to patch this vulnerability sends a very bad message to current owners and potential customers.

Reader Comment – Questions about Language

2012-02-16T20:18:00.000-05:00

A reader, Ragnar Schierholz, posted an interesting comment to today’s post about S 2150. He wondered if my detailed language analysis was really necessary to understand the intent of this bill. And he made a very good point that any real serious control system relies on a certain amount of information infrastructure to be effective. In short his entire comment is thoughtful and well worth reading

That being said, I still stand by my comments that, as currently written, the bill does not cover industrial control system security. A point that I did not make clearly in my earlier post was that many facilities and even whole industries will be covered by this legislation due to their potential physical effects on the surrounding community. Unfortunately, it will be their IT systems not their control systems that will have to be protected.

Unnecessary Cost Avoidance

The reason that language is important is that many (probably most) industrial control system owners still do not really believe that their systems are vulnerable to cyber-attack. Thus, in their view, any substantial amounts of money that they would have to spend to comply with this regulation would be money wasted. In current economic environment sending money down a regulatory hole without expectation of positive return appears to be a sure route to economic suicide.

Even in good economic times, the cost of setting up the necessary protocols to document compliance with a brand new Federal regulatory scheme can be high enough to have a negative impact on growth. Especially when the regulations will not be allowed to specify how compliance will be achieved; the learning curve for both the regulators and the regulated community is quite steep.

Given that, companies will find any legitimate way that they can avoid being covered by the regulations. One of the easiest ways is to object that the regulatory agency is overstepping their legislative mandate. In this particular case, since control systems are never specifically mentioned in the bill and the language that might indicate an unstated intention to regulate control systems is so wishy-washy, it will not be hard to convince either the folks at OMB or a federal judge that DHS has no legal justification to regulate the security of privately owned control systems.

Supposed to Cover Control Systems

Now, I am hearing that the crafters of this bill did really intend to include industrial control systems in covered critical infrastructure requirements of this bill. Basically I think that that would probably be a good thing, though I do have some minor reservations that I’ll discuss in a later blog.

If I were to revise the current language so that it unequivocally addressed control systems in covered critical infrastructure I would probably make three basic changes. First I would rewrite the definition of ‘cyber risk’ in §101(a)(1) to include risk to industrial control systems (and I would take out the second reference to ‘information infrastructure’.

Second I would make a change to §102(a)(2)(C) in sub-paragraphs ii, iii, and iv. In each instance I would change ‘access to critical infrastructure’ to read ‘access to critical infrastructure industrial control systems’.

Finally I would modify the language in §103(b)(1)(C) outlining the guidelines for designating critical infrastructure. I would combine §103(b)(1)(C)(i) and §103(b)(1)(C)(i)(II) into a single comment. Then I would promote §103(b)(1)(C)(i)(I) to §103(b)(1)(C)(ii) and add ‘, or serious injuries’ after the word ‘fatalities’.

Those three minor changes should suffice to make it abundantly clear that the bill would authorize the Secretary to develop regulations concerning the security of control systems in covered critical infrastructure.

House Committee Objects to EPA Information Sharing

2012-02-16T07:45:00.002-05:00

Readers will probably remember that back in early January I wrote about the EPA’s plans to restore public internet access to certain risk management program (RMP), access that was removed shortly after the 9/11 attacks. Last week the leadership of the House Energy and Commerce Committee finally got around to formally objecting to the plan as it could “compromise the security of manufacturing facilities by handing over sensitive information to terrorists”.

The Committee letter to Administrator Jackson is a long delayed (they were notified of this plan back in December) knee-jerk reaction that completely overlooks the fact that this information has already been posted to a number of environmental web sites. It compounds their delay by demanding that EPA responds by February 24^th (two weeks) on its “plans to fulfill its responsibilities to protect non-OCA information”.

The letter notes three current laws that require the sharing of this information with State and local agencies. The Clean Air Act provision cited provides a requirement to share the information, but includes no mechanism to ensure that it is shared or acted upon. The Emergency Planning and Community Right to Know provisions are also toothless, especially since there is a not surprising dearth of local emergency planning commissions (no funding has been made available for them). And the third is a permissive clarification on allowing the sharing of sensitive but unclassified information with law enforcement and first responder personnel.

None of those provisions have had any serious effect on ensuring that individuals living or working near chemical facilities holding significant quantities of dangerous chemicals have access to the information that could save their lives or protect their financial investments in their homes. Nor do they ensure that local activists have the information they need to force local government agencies into the emergency planning process that Congress has only given lip service to.

I’m sorry, I am a strong advocate for chemical facility security, but this planned action by the EPA will do more to increase chemical safety at the community level than it will to increase the risk of a terrorist attack on those facilities. An intelligent risk-benefit analysis (an idea foreign to Congress) would support the EPA’s planned information sharing.

Cybersecurity Act of 2012 and ICS Security

2012-02-16T00:02:00.000-05:00

Tuesday Sen. Lieberman (I,CT) {along with co-sponsors Collins (R,ME), Rockefeller (D,WV) and Feinstein (D,CA)} introduced S 2105, the Cybersecurity Act of 2012; the long awaited and much anticipated comprehensive cybersecurity bill. In no surprise to anyone that has been paying attention; the bill never mentions industrial control systems or any of their components. There are provisions, however, that may have an impact on how the Federal government deals with control system security issues.

Large portions of this bill specifically deal with security of governmental information systems, principally Federal information systems. While these efforts are certainly important in the grand scheme of things, I am going to ignore them for all intents and purposes. There are two titles of this bill that will be of specific interest to the control system security and the chemical-facility security communities. They are: Title I, Protecting Critical Infrastructure, and Title VII, Information Sharing. In this posting I will look at the Title I provisions.

To Cover or Not To Cover?

Again there is no specific mention of control systems or their components in this bill. In fact the definition of ‘cyber risk’ in the list of opening definitions would seem to specifically exclude control systems from consideration in this bill. That definition {§101(a)(1)} reads:

“The term ‘‘cyber risk’’ means any risk to information infrastructure [emphasis added], including physical or personnel risks and security vulnerabilities, that, if exploited or not mitigated, could pose a significant risk of disruption to the operation of information infrastructure [emphasis added] essential to the reliable operation of covered critical infrastructure.”

While that definition is relatively restrictive the requirements in the next section of Title I seem to be much more expansive in what would be considered when the Secretary of DHS completes his initial cybersecurity risk assessment. That assessment, to be conducted within the first 90 days after the Act is passed (a time limit that is sure to be missed) will be “a top-level assessment of the cybersecurity threats, vulnerabilities, risks, and probability of a catastrophic incident across all critical infrastructure sectors to determine which sectors pose the greatest immediate risk” {§102(a)(1)}. The inclusion of the undefined term ‘catastrophic incident’ would seem to be included specifically to address systems with effects in the physical realm; a realm much more in keeping with control systems than with information systems.

Later in the same section the bill lists those items that the Secretary is to consider in making this initial threat assessment. It specifically includes the consideration of “the extent and likelihood of death, injury, or serious adverse effects to human health and safety caused by damage or unauthorized access to critical infrastructure” {§102(a)(2)(C)(ii)}; again a specific reference to operations in the physical realm.

Having apparently expanded the area of concern into the physical realm the next paragraph again specifically limits this assessment to information systems. In discussing the methodologies to be employed in making the required assessment the Secretary is specifically directed to “develop repeatable, qualitative, and quantitative methodologies for assessing information security risk [emphasis added]” {§102(c)(1). No other type of security risk is mentioned.

Covered Critical Infrastructure

While control systems may or may not be covered in the Secretaries assessment of relative cybersecurity risk, there is no doubt that industries and facilities and even specific assets within facilities that may employ control systems will be covered by regulations called for in this bill. Section 103 of this bill requires the Secretary to establish procedures to designate ‘covered critical infrastructure’ at “the system or asset level” {§103(b)(1)(A)} with no specific definition of ‘system or asset level’.

The Secretary is only allowed to designate a covered critical infrastructure if it falls within three broad categories. The categories are operationally defined and the one of most concern to the control system community is the first; if damage or unauthorized access to that system or asset could reasonably result in the interruption of life-sustaining services sufficient to cause {§103(b)(1)(C)(i)}:

“(I) a mass casualty event that includes an extraordinary number of fatalities; or

“(II) mass evacuations with a prolonged absence;”

Again, there is some significant confusion in the wording of this section. The ‘interruption of life-sustaining services’ would seem to mean the delivery of food, water, power and medical care for instance. The interruption of those services would hardly result in ‘an extraordinary number of fatalities’ unless they were interrupted over a very wide area over an extremely long period of time. On the other hand damage or unauthorized access to a large chemical facility or nuclear power generation facility could clearly cause a ‘mass casualty event’ or prolonged ‘mass evacuations’.

Cyber Security Regulations

This title requires the Secretary to develop cybersecurity regulations within one year to “enhance the security of covered critical infrastructure against cyber risks [emphasis added]” {§105(a)}. Again, the term ‘cyber risks; only applies to information systems.

In fact, the regulations would require the implementation of ‘risk-based cybersecurity performance requirements’ outlined in §104. Actually the only positive guidance the bill provides for these ‘performance requirements’ is found in §104(b)(1): “require owners to remediate or mitigate identified cyber risks [emphasis added] and any associated consequences identified under section 102(a) or otherwise.

The other requirements for these performance requirements are all negative or restrictive. Section 104(b)(2) does not allow the government to:

• Regulate commercial information technology products;

• Require or forbid the use of commercial information technology products; or

• Regulate the design, development, manufacturing, or attributes of commercial information technology products.

So while §102 and §103 appear to equivocate on the matter of whether or not control systems might be addressed in this bill, §104 and §105 are fairly adamant in their declaration that the systems covered are information technology systems only.

No Effective Enforcement

While it is apparent that the drafters of this bill have ignored a very important part of cyber security, there is an even bigger problem with the critical infrastructure cybersecurity provisions of this bill; there is no effective enforcement mechanism provided for the required regulations. In fact, DHS is specifically prohibited from having an effective enforcement effort.

First off there is no funding for, or establishment of an agency within DHS with responsibility for enforcing the required regulations. Of course, in the current funding environment any money going to a new enforcement agency would have to come out of some other agency’s already depleted budget. The crafters of this bill, instead rely on a tried and failed method of regulatory enforcement; they provide for self-certification of compliance.

Section 105(c)(1)(A)(i) allows each covered critical facility owner to “certify, on an annual basis, in writing to the Secretary and the head of the Federal agency with responsibilities for regulating the security of the covered critical infrastructure whether the owner has developed and effectively implemented security measures sufficient to satisfy the risk-based security performance requirements established under section 104”.

Now if the owner lies, or is even just mistaken, about the adequacy of their cybersecurity efforts, the bill does make provisions for civil penalties for anyone who gets caught violating the regulations and “fails to remediate such violation in an appropriate timeframe” {§105(c)(1)(B)(ii)}. Since no right of inspection is provided for in the bill, the only way that anyone is going to get caught in a violation is if they fall victim to a cyber-attack serious enough to be reported to the Federal government. But that’s kind of too late, isn’t it?

No ICS Coverage

While there will almost certainly be a lot of consternation over various provisions of this bill, the one thing that is abundantly clear, there will be no regulation of control systems under the bill. Control systems might contribute to a facility being designated a covered critical infrastructure, but all of the regulations required by Title I of the bill are solely targeted on information technology systems.

S 2105 Available for Download on SHSGAC Web Site

2012-02-15T14:52:00.002-05:00

The Senate Homeland Security and Governmental Affairs Committee has a Committee Draft version of S 2105 available for download on their web site. It’s a 205 page document and I just got it, so it will be a while before I have a chance to review it in depth. Hopefully I’ll have a blog post on it this evening.

More Info on Cybersecurity Hearing

2012-02-15T08:31:00.002-05:00

Yesterday the Senate Homeland Security and Governmental Affairs Committee published the witness list for tomorrows hearing on their new cybersecurity legislation. There will be three panels; Sen. Rockefeller (D,WV), Secretary Napolitano, and a panel of four private sector (IT not ICS) representatives.

The actual bill was introduced yesterday as well (S 2105) but a copy of it is not yet available from either the GPO or the Committee web site. There is a lot of general discussion in the press about the provisions of the bill, but no clear indication that anyone has yet seen an actual copy (no direct quotes of legislative language that I have seen). Sen. Lieberman (I,CT) is listed as the author with Senators Collins (R,ME), Feinstein (D,CA) and Rockefeller as co-sponsors.

Interestingly, Feinstein has introduced a separate cybersecurity bill (S 2102, also not yet available at the GPO site) that she reportedly intends to offer as an amendment to S 2105 at some point in the legislative process.

More DHS Budget Request Information

2012-02-15T07:11:00.000-05:00

Yesterday, in the lead up to Secretary Napolitano’s appearance before two separate House budget hearings today, the Department of Homeland Security published a 3134 page budget justification document. A quick review (boy I’m glad I took a speed reading course in High School) provides some budget numbers for two important (for readers of this blog anyway) programs and a lot of interesting details about the work of DHS that are not normally readily available to the public.

NOTE: All page numbers are Adobe Reader® page numbers.

Budget Numbers

This document provides program level budget numbers not normally seen in this stage of the budget process. Of particular interest to members of the chemical security and cybersecurity communities it provides numbers for the Infrastructure Security Compliance Program (ISCD) and the Control Systems Security Program (ICS-CERT).

ISCD (pages 2096 and 2103) has no changes to the manpower positions included in the budget request from the FY 2012 budget authorization, but it does have a decrease in funding from $93.348 Million to $74.544 Million. No explanation is given in how the program savings will be achieved.

The ICS-CERT funding request (page 2118), on the other hand, shows an increase in the full-time equivalent manpower positions from the FY 2012 authorized levels from 9 to 12. There is also a very slight funding increase from $28.297 Million to $28.929 Million for the program. Presumably this covers the increased manpower costs.

Misleading Metrics

The document leads off with a number of measures of the effectiveness of the various programs covered in the DHS budget. Of special interest is the one metric mentioned for the CFATS program. On page 13 it notes that ISCD had a FY 2011 target of having 10% of the CFATS facilities “in compliance with the Chemical Facility Anti-terrorism Standards” but only 9.1% achieved that standard. It also noted that they are shooting for 20% compliance in FY2012 and 35% compliance in FY 2013.

No details are given about what constitutes ‘in compliance’ but it certainly cannot be having an authorized site security plan since only four facilities (about 0.1% of the CFATS facilities) have achieved even that standard and all of those were authorized since October 1^st. I certainly hope that Secretary Napolitano is questioned about this detail today. I also wonder how many of the other metrics are this misleading.

BTW: The reason that ISCD missed the FY 2011 target was missed was “attributable to scheduled authorization inspections in September 2011 being postponed due to Hurricane Irene”. I don’t recall that being one of the problems mentioned in the ISCD report about program deficiencies.

TSA Surface Security Programs

We don’t typically hear much about the TSA surface security programs as the agencies main focus (in terms of both manpower and money spent) is passenger air travel security. This document does list an number of interesting projects that TSA has worked on over the last year. Not much is provided in the way of detail so I will only list the projects here with the page reference.

• TSA Surface Transportation Rule Making, page 1445;

• Toxic Inhalation Hazard (TIH) Transportation Risk Reduction, page 1450;

• TIH Dispersion Modeling, page 1451; and

• TIH Tank Car Vulnerability, page 1451

The actual test results for the last three items will almost certainly be classified, but they should make their way into the regulatory process over the next decade or so; based upon TSA’s past rulemaking record.

WMD Markup Postponed

2012-02-15T06:24:00.000-05:00

The House Homeland Security Committee posted a brief note on their web page yesterday that the markup hearing scheduled for today has been postponed to a date and time to be announced. Readers will recall that this hearing was supposed to include a markup of HR 2356, the WMD Prevention and Preparedness Act of 2011. No reason has been given for the postponement.

ICS-CERT Updates Three S4 Alerts

2012-02-14T23:02:00.000-05:00

With the folks at Digital Bond releasing more of their Basecamp SCADA tools today, the DHS ICS-CERT was forced to update their alerts for three of the systems that were addressed in the Basecamp exercise. Those alerts directly affect the Koyo ECOM100 Ethernet Module, the Schneider Electric Modicon Quantum PLC, and the Rockwell Automation ControlLogix PLC.

When I first read the updates (a paragraph added to each existing alert) I was impressed by the fact that ICS-CERT acknowledged that the Rockwell vulnerabilities also applied to other PLC’s besides those manufactured by Rockwell. That Alert states:

“As this exploit does not specifically target a system and is aimed at a protocol employed by many PLC vendors, this release could impact many additional vendors.”

Unfortunately when I went back and read the announcement on Digital Bond I was more impressed about the whopping understatement that was provided by that ICS-CERT remark. Reid Wightman explains the extent of the term ‘many PLC vendors’ this way:

“About 300 vendors belong to the organization responsible for the EtherNet/IP CIP specification, so the list of affected devices is going to be…large. This vulnerability should include some systems by Schneider Electric, WAGO, Omron, Opto 22, Phoenix Contact, and ABB, just as examples.”

NOTE: The ‘300 vendors’ link takes you to the directory of ODVA members. I’m not sure how many of these vendors actually produce PLC’s. The links on that page do not take you to vendor web sites, just a pop-up of the street address of the vendor.

Of course, complicating this further is that many manufacturing systems come as complete packages with PLC’s pre-installed. In many cases the owner has no idea which vendor supplied the PLC in the system.

We all knew that that Project Basecamp was blowing the lid off of industry’s ability to ignore the PLC security issue. Even so the scope of the problem is becoming even more mind blowing as more information comes out of the project.

Another interesting question comes to mind. How is ICS-CERT going to deal with the multiple vendor issue for the Rockwell alert? Are they just going to coordinate with Rockwell to resolve the vulnerability? Rockwell is undoubtedly big, but are they big enough to pull the entire ODVA membership into accepting a change to the communications protocol to secure access to the PLCs? Or is ICS-CERT going to cajole the ODVA directly or is it going to try to deal with each of the vendors involved?

What is certain is that it is going to be quite a while before we have a resolution to these three alerts.

Reader Email – ICS Security

2012-02-14T08:44:00.000-05:00

I got an interesting email this morning from a long time reader and fellow blogger, John C.W. Bennet from MPSINT.com. As a reader John is well aware of my interest in cyber security issues as they relate to control systems. He forwarded me an interesting article from EWeek.com that summarizes a bunch of the discussion surrounding the current state of ICS security; nothing that most of us interested in ICS security haven’t seen before, but a nice summary article.

Coming from John though this article struck a completely different cord in my thought processes. You see John’s blog, Maritime Transportation Security News & Views, is one of my two main sources for MTSA information updates. With John’s maritime background my thoughts naturally turned to ships and I realized that modern shipping is based upon a whole slew of industrial control systems to manage operations on board. Certainly, I thought, those control systems have many of the same components as those we’ve been looking at the last couple of years or so in regards to ICS security issues. Therefore, one would expect that they would share many of the vulnerabilities that we have been discussing here.

At first glance one would assume that ships at sea were even more isolated than the proverbial (and nearly non-existent) air-gapped SCADA system. But, in the age of satellite communications, I’m sure that most of these ships (especially the modern ones) have internet access and are thus less air-gapped (sea-gapped?) than they might seem.

So my question to the ICS security community, has anyone looked at the security of onboard ship control systems?

Semiannual Regulatory Agenda Published

2012-02-14T06:49:00.000-05:00

Yesterday the various departments of the Executive Branch published their Semiannual Regulatory Agenda’s in the Federal Register. This agenda includes their Regulatory Plan (a listing “of the most important significant regulatory actions that the agency reasonably expects to issue in proposed or final form in that fiscal year”) and the regulatory flexibility agenda (a listing of the rules that are “likely to have a significant economic impact on a substantial number of small entities”). The DHS portion of the Semiannual Regulatory Agenda can be found at 77 FR 7960-7965.

Unified Agenda Listings

As I noted in an earlier blog post the Unified Agenda (a listing of all “current and projected rulemakings, as well as actions completed since the publication of the last regulatory agenda”) was published sometime earlier this year at www.reginfo.com. Before I discuss the Agenda published yesterday it may be helpful to look at the Unified Agenda items of principal concern to the chemical security community. The two tables below (Proposed Rule Stage and Final Rule Stage) list all of the current rule making efforts and the date of their next expected action.

Proposed Rule Stage

Agency	Next Action	Title	RIN #
DHS/OS	Final Rule – No date	Secure Handling of Ammonium Nitrate Program	1601-AA52
DHS/OS	NPRM – 06-12	Petitions for Rulemaking, Amendment, or Repeal	1601-AA56
DHS/USCG	NPRM – 07-12	Transportation Worker Identification Credential (TWIC); Card Reader Requirements	1625-AB21
DHS/USCG	NPRM – 09-12	Updates to Maritime Security	1625-AB38
DHS/USCG	NPRM – 06-12	Top Screen Information Collection from MTSA-Regulated Facilities Handling Chemicals	1625-AB64
DHS/USCG	Final Rule – No date	Reconsideration of Letters of Recommendation for Waterfront Facilities Handling LNG and LHG	1625-AB67
DHS/TSA	NPRM – 06-12	Sensitive Security Information: Disclosure in Federal Civil Court Proceedings	1652-AA54
DHS/TSA	NPRM – 05-12	Freight Railroads, Public Transportation and Passenger Railroads, and Over-the-Road Buses--Security Training of Employees	1652-AA55
DHS/TSA	NPRM – 09-12	Freight Railroads and Passenger Railroads--Vulnerability Assessment and Security Plan	1652-AA56
DHS/TSA	NPRM – 08-12	Standardized Vetting, Adjudication, and Redress Services	1652-AA61

Final Rule Stage

Agency	Next Action	Title	RIN #
DHS/USCG	Final Rule – 04-12	Revision to Transportation Worker Identification Credential (TWIC) Requirements for Mariners	1625-AB80
DHS/TSA	Notice – 06-12	Air Cargo Screening	1652-AA64

The only significant changes from the previous Unified Agenda are that DHS has issued the NPRMs for the Ammonium Nitrate Security Program and the LNG Letter of Recommendation Program. Oh, and of course the dates of the next expected action have slipped again as DHS continues to miss its regulatory mandates. One should be surprised if any of the dates listed above are actually met; really surprised.

Regulatory Plan

Only two of the rulemaking efforts listed in the tables above made it to the DHS Regulatory Plan; the Ammonium Nitrate Security Program (ANSP) and the Update to Maritime Security (MTSA II). One might expect from the listing in yesterday’s Federal Register that these would be the two rulemaking efforts most likely to be completed in the next six months or so before the next Regulatory Plan is issued, but I doubt it.

The MTSA revision is most likely to be published since it is fairly well along the regulatory process, but this has not yet been submitted to the OMB for approval. With the international implications of expected provisions of this rule the OMB approval process could be quite lengthy.

Since the public comment period on the Ammonium Nitrate Security Program NPRM was just closed in December I expect that it will be some time yet before we see a final rule published. This is especially true since this rule will have a significant impact on the agricultural community and they have the most powerful lobbying team in Washington.

I really expect that we might see some other rules from the above lists make it into the Federal Register before the AMNSP (certainly) or the MTSA II (likely) rules are published. I would think that since the Coast Guard has informally implemented some of their revisions to the TWIC requirements that the Final Rule for the TWIC Requirements for Mariners would have a high chance of getting published.

I also expect that the TSA will finally get around to publishing their very long overdue rules on security training. The only impediment to this is the fact that they have combined what used to be three separate rule making efforts (freight rail, passenger rail, and bus operators) into one rule. Even so, this should not be difficult to get published.

DHS FY 2013 Budget Request Released

2012-02-13T13:19:00.000-05:00

Today the Administration released their budget request for FY 2013. This is a high-level document (the DHS portion is only six pages long) describing spending in broad categories. It certainly doesn’t mention CFATS or MTSA or ICS-CERT. But it does provide a broad overview of how the Administration wants to spend our hard earned tax dollars.

The table below shows the discretionary spending numbers from the DHS budget that will primarily affect chemical and cyber security issues. The FY 2012 numbers are estimates for the spending for this year.

Discretionary Spending (in Millions of $) FY 2011 FY 2012 FY 2013

Discretionary budget authority 41,885 39,649 39,462

National Protection and Programs Directorate 1,165 1,214 1,217

Transportation Security Administration 5,384 5,425 5,106

United States Coast Guard 8,622 8,656 8,319

Of the three the only one that would not see a budget cut under the Obama plan would be NPPD. This is the Directorate that contains both the CFATS and ICS-CERT programs. This does not mean however that either of those programs will necessarily receive an increase in funding. Likewise the TSA funding decrease would not necessarily mean a decrease in the funding for their freight rail security program, nor would the decrease in Coast Guard funding mean that the MTSA program would receive a decrease in funding.

More details about the DHS budget will almost certainly come out in the two budget hearings on Wednesday.

HR 2356 Substitute Language

2012-02-13T06:37:00.000-05:00

As I noted in my congressional hearing blog post this weekend the House Homeland Security Committee will be marking up HR 2356, the WMD Prevention and Preparedness Act of 2011. The Committee Chair, Rep King (R,NY), will be offering an amendment in the nature of a substitute and that will be the basis for the bill that will ultimately be approved by the Committee.

I have now had a chance to take a fairly close look at the substitute language. As is typical with these amendments, the vast majority of the changes are fine tuning the wording of the bill. There were some wholesale deletions of material, a few minor additions and one section was entirely re-written. None of the changes substantially change the almost paranoid focus of the bill on countering biological attacks on the United States. The bill still essentially ignores the most probable form of WMD attack, an assault on chemical facilities that would unleash a toxic chemical attack on the local community.

Deletions

The following sections were deleted from the original bill:

§2104. Export enforcement for counterproliferation.

§2124. Laboratory biosecurity information sharing.

§2136. Federal law enforcement training to investigate biological threats.

There is no explanation given for any of these changes so we can only guess at the reasons. The deletion of the first section is due to the re-write of §2103 that establishes the National Export Enforcement Coordination Center. The last section deleted is almost certainly due to the inability to come up with the necessary funding to support a realistic law enforcement training effort. For the life of me, I can’t imagine why the information sharing section was deleted.

Additions

The following sub-paragraphs were added:

§2101(a)(4) “support homeland security-focused risk analysis and risk assessments of the homeland security hazards described in paragraphs (2) and (3), by providing relevant quantitative and nonquantitative threat information;”

§2102(c)(2) “allocation of resources for research and development for chemical, biological, radiological, and nuclear attack prevention, protection, response, and recovery;”

It doesn’t appear that either of these are substantive changes to the language of the bill. I would be interested in having someone explain to me what ‘quantative threat information’ is.

Technical Error

The technical error that I identified in my post last summer on the introduction of the bill remains in the substitute language. The error is found in §2142 in the discussion of responsibilities for recovery from a CBRNE attack or incident. Paragraph (b) provides a listing of items that should be included in guidance to be developed for “for clean-up and restoration of indoor and outdoor areas, including subways and other mass transportation facilities, that have been exposed to chemical, biological, radiological, or nuclear materials” {§2142(a)}.

Sub-paragraph (5) reads “maintenance of negative air pressure in buildings”. That requirement only makes sense in labs or facilities where CBRNE materials are stored or released so that the release will remain contained in the building. All other buildings in an affected area will want to maintain positive air pressure to keep the CBRNE materials out of the building.

For locations where a CBRNE attack takes place within a public building, this provision makes some sort of sense during the decontamination process, but that purpose is not made clear in the wording of this section. Even in this case building ventilation would be the most effective and safest decontamination for many toxic chemical agents as long as proper precautions are taken.

Major Shortcoming

The major shortcoming of this bill, and every WMD bill that I have seen to date, is that it does not address the easiest WMD attack mode, attacks on chemical facilities or transportation assets that release toxic chemicals into the community. While the CFATS program addresses security measures to help prevent such attacks on facilities and TSA rail security regulations work to prevent attacks on rail cars containing toxic materials (and no one is looking at protecting truck-load shipments of these materials), there are no provisions in either of those programs for community planning for response to successful attacks on those chemical assets.

At the very least the Metropolitan Medical Response System Program (MMRS) outlined in §2136 of this bill should require facilities that maintain significant inventories of toxic inhalation hazard chemicals to provide local medical facilities with material safety data sheets for those chemicals. Potentially affected medical facilities should be required to have a plan for responding to a mass casualty event involving those specific chemicals, including outlining initial and follow-up treatment regimens for the injuries expected from exposure to those specific toxic chemicals found in local industries.

Congressional Hearings – Week of 2-13-12

2012-02-12T07:39:00.000-05:00

This week starts to heat up the happenings on Capitol Hill. President Obama will finally publish his FY 2013 Budget Request Monday, and a long parade of political appointees will start to appear in congressional hearing rooms; Secretary Napolitano starts the DHS parade with two appearances this week. The Senate Homeland Security and Governmental Affairs Committee will finally debut their new cybersecurity legislation. Finally the House Homeland Security Committee will markup a WMD bill.

FY 2013 Budget

Secretary Napolitano will make two trips to the House committee rooms on Wednesday to explain the President’s request for spending in FY 2013. In the morning she will start with the hearing before the Homeland Security Subcommittee of the House Appropriations Committee. In the afternoon she will repeat her statement at the House Homeland Security Committee.

There will be a lot of questions about pet projects from committee members, but nothing of substance will be agreed to in this round of discussions. CFATS might come up, but it will be a high level discussion, again no details. The most interesting thing for CFATS will be to see if the Administration again requests a two year extension of the program’s authorization.

Cyber Security

The Senate Homeland Security Committee Staff has been working hard with other committee staffs to develop a comprehensive cybersecurity bill that address the major concerns of all of the cyber players in the Senate. It will be introduced this week and Chairman Lieberman’s Committee will hold the first hearing on the bill on Thursday. There is little likelihood that control systems will receive any major attention in the bill, but we can always hope.

WMD Markup

The full House Homeland Security Committee will meet Wednesday morning to markup four separate bills, a sure sign that Chairman King doesn’t expect much in the way of opposition to any of the bills. The last of the four to be listed for consideration (though that does not mean it will be the last to be taken up at the hearing) is HR 2356, the WMD Prevention and Preparedness Act of 2011. I discussed the provisions of this bill back in July when it was introduced and am quite surprised that it took this long for the Committee to take it up; its a favorite topic of Rep. King. Substitute language will be offered by Chairman King, but at first glance it doesn’t seem to change much about the areas I previously discussed. I’ll look at it more closely before the hearing.

HR 4005 Introduced – Port Security Report

2012-02-11T08:17:00.002-05:00

This week Rep. Hahn (D,CA) introduced HR 4005, the Gauging American Port Security (GAPS) Act. The bill is short and to the point. It requires the Secretary of DHS to conduct a classified study of the gaps in the current port protections programs and propose methods to correct the current deficiencies.

One small problem with this bill; this study does not technically fall within the requirements for it to be classified. ‘Sensitive Security Information’ (SSI) certainly, but not classified. Oh well so much for technicalities, if this bill is passed the report will certainly be classified.

Reader Comment – Hold off Blaming King

2012-02-10T22:02:00.000-05:00

There was an almost immediate response today to my posting about how the Chairman of the House Homeland Security Committee is apparently ignoring the problems at ISCD in favor of pursing a personal agenda. While I barely mentioned reauthorization, an anonymous reader took me to task for my criticism of Rep King (R,NY); not because of a disagreement with King’s lack of focus on CFATS, but because a hearing next week might allow King to show his true resolve.

The Politics of Reauthorization

There are a couple of things wrong with that comment. Ignore for the moment that I was focusing on the issue of the problems at ISCD not reauthorization. King’s focus on reauthorization (as well as Rep Upton’s (R,MI) as Chairman of the House Energy and Commerce Committee) has not been on reauthorizing CFATS but on aggrandizing power to their respective committee. The HHSC bill (HR 901) would clearly provide CFATS oversight to HHSC, while HR 908 (the HECC bill) would continue to provide at least a portion of that oversight authority to the Energy and Commerce Committee.

The reason that neither bill has made it to the floor of the House is that the Republican leadership has not figured out which chairman it wants to piss off. If it never comes to the floor they won’t piss off either too much.

Secondly, the only hearing next week that could affect this discusson currently on the schedule for the House Homeland Security Committee is an appearance by Secretary Napolitano to answer questions about the FY 2013 budget (which apparently will be released, late as has become usual with the Obama Administration, on Monday). If CFATS comes up in that hearing at all it will be to have Ms Napolitano explain the de rigueur 1 year or 2 year extension of CFATS in the budget request. The answer will be short, sweet and essentially meaningless; explaining that the Administration expects Congress to enact a long term authorization bill, but just in case….

Besides, the Administration has made it clear in a number of hearings that they would prefer to see an expansion of the CFATS program to include water treatment facilities, some sort of IST provision and a number of slightly less contentious addendums that the current Republican Congress will never support.

The President would probably sign HR 901 (or HR 908, or S 473), but he would never actually come out in support of any them; it would anger too many already alienated members of his base. Besides it would be extremely impolitic for him to insert himself into the congressional committee power fight.

So Anonymous has me completely baffled as to why my criticism should wait until next week. Unless of course he/she knows about a hearing that is not currently on the public schedule; which is entirely possible.

It’s about Ignoring ISCD Problems

But, I wasn’t really upset about the reauthorization process in my earlier blog post (I’ve reconciled myself to the fact that until one side or the other controls both the House and has a Super Majority in the Senate, we will continue to see political posturing and routine approval of the CFATS program as part of the budget process. It could conceivably continue in this manner until someone blows up a chlorine tank somewhere; killing hundreds.

No what concerns me is that Chairman King has not made one public utterance about the problems at ISCD that I have seen. And that is not because he is reticent about sharing his opinions. He spends more time on conservative talk radio than Rush Limbaugh. It just appears that he has no interest in the CFATS program (beyond personal power over the program).

Now I understand that he is hampered by the fact that the Committee recently lost their CFATS expert (Dr. Diane Berry, whom I would love to hear from). And no one really expects a Congressman to understand the detailed workings of a program as small as the CFATS program. But for King to put getting to the bottom of the current ISCD fiasco behind getting a few soldiers a purple heart because they were targeted by some small minded coward is political grandstanding of the worst sort.

The security at the Olympic Games in London this summer is important, but it is the responsibility of the British government, not HHSC.

There are tens of thousands of people that live in the immediate danger zones of high-risk chemical facilities. The CFATS program is supposed to protect them against terrorist attacks on those facilities. Congress is supposed to ensure that their programs are implemented effectively and efficiently. The end stages of the CFATS implementation have been neither.

Representative King get your priorities in order.

House Homeland Security Chairman Ignores CFATS Problems

2012-02-10T07:30:00.000-05:00

Yesterday Rep. King (R,NY), Chairman of the House Homeland Security Committee, published a listing of the priorities for the Committee for 2012. Surprisingly (or maybe not) CFATS does not make the list; not moving a CFATS authorization bill forward nor investigating the current problems at ISCD that have slowed the implementation of the CFATS program.

Now I understand that in the great scheme of thing the CFATS program is a relatively minor program within the Department of Homeland Security. It doesn’t even show up as a line item in the budget documents submitted to the Congress. But, here is a list of things that King considers more important to the security of the Homeland:

• Obtaining for the military victims of the 2009 Islamist terror attacks on the homeland, at Little Rock, Arkansas and Fort Hood, Texas, the Purple Heart Medals they deserve;

• Studying security preparations for the 2012 Summer Olympics in London; and

• Ensuring the protection of U.S. security contractors in Afghanistan and Iraq (many of whom are veterans, reservists, or National Guardsmen) who have been illegally detained by the governments in Kabul and Baghdad;

I accept that these are legitimate items of inquiry (though maybe not the purview of the Homeland Security Committee), but it would be nice for Rep. King to explain how these items are more important than ensuring that high-risk chemical facilities are adequately protected against terrorist attack.

ICS-CERT Publishes new Advantech BroadWin Alert

2012-02-10T06:25:00.000-05:00

Yesterday the DHS ICS-CERT published a new alert for the Advantech BroadWin RPC Server. The missing authentication vulnerability reported by ‘amisto0x07 and Z0mb1E’ could lead to a DOS attack or the remote execution of arbitrary code.

This vulnerability is very similar to one reported by Ruben Santamarta back in March of last year, but ICS-CERT maintains that this reported vulnerability deals with a separate issue on the same port (and an additional report), justifying the separate alert.

Another Cybersecurity Issue – Video Security Systems

2012-02-09T23:35:00.000-05:00

Security managers at high-risk chemical facilities already have to be concerned about cyber security in two different (and unfortunately probably interconnected) computer systems; the industrial control system that provides access to and controls on processes that use the DHS chemicals of interest (COI) on site, and the information systems that support the business side of the facility. Today I saw an article over at IPVM.com that raises concerns about another separate (but perhaps interconnected) system, the security management system protecting the facility.

The article describes a vulnerability in Trednet IP cameras that allows anyone with network access to the camera to view the images from the camera. While this vulnerability may only be limited to a number (at least 7 according to the original Console Cowboys blog post which is the basis for this article) of cameras from a single vendor, it is extremely likely that there are similar vulnerabilities in other cameras out there.

Now we have all seen the Hollywood burglar’s (both good guys and bad) who break into a secure facility by substituting a loop of no change from a video camera to hide their activities from the security guards watching the video displays. If we think about what the Stuxnet authors did to PLC programing to hide changes in the operation of the PLC and combine that with this type of camera vulnerability, then the Hollywood plot line becomes much more plausible.

If there are vulnerabilities this easy to detect and exploit in cameras, what other vulnerabilities exist in other components of these security control systems? Maybe we need a video security system cyber emergency response team (VSS-CERT) at DHS to keep track of these vulnerabilities and help and help security managers deal with compromises of their VSS. Or maybe we just need to bit the bullet and form the SS-CERT (SS for security system, not the other thing) to cover the complete security system with all of its supporting devices and software.

NSTAC Teleconference Notice

2012-02-09T13:02:00.000-05:00

Today the President’s National Security Telecommunications Advisory Committee (NSTAC) published a notice in today’s Federal Register (77 FR 6813) announcing that they would be holding a public teleconference on February 28^th, 2012.

The meeting will include:

• A quarterly update on NSTAC Recommendations;

• An update on the Cloud Computing Subcommittee; and

• An update on the National Public Safety Broadband Network scoping.

The NSTAC invites the public to participate in this teleconference. Access to the conference bridge may be obtained by contacting Ms. Deirdre Gallop-Anderson (deirdre.gallop-anderson@dhs.gov) by February 21^st. The intention to make an oral statement during the teleconference (3 minute limit) must be registered with Ms. Gallop-Anderson at that time. Written comments on the topics to be discussed may be submitted via the Federal eRulemaking Portal (www.regulations.gov; Docket # DHS-2012-0004) by March 14^th, 2012.

PHMSA Announces Pipeline Safety Workshops

2012-02-09T07:11:00.000-05:00

Today’s Federal Register (FR 77 6857-6858) includes an announcement by the Pipeline and Hazardous Material Safety Administration (PHMSA) about two public workshops on pipeline safety issues that will be held on March 27^th, 2012 and March 28^th, 2012. The meeting will help PHMSA complete several reports required by the recently passed Pipeline Safety, Regulatory Certainty, and Job Creation Act of 2011 (PL 112-90 or HR 2845).

The March 27^th meeting will cover Improving Pipeline Leak Detection System Effectiveness and it will address three topics:

• Informing the public about state-of-the-art leak detection systems and the practical considerations involved with deploying and maintaining these systems;

• Identifying the constraints and issues with deploying systems on existing and new construction pipelines; and

• Collecting public input that will help guide a PHMSA study investigating and documenting detection system challenges and considerations.

The March 28^th meeting will cover Understanding the Application of Automatic Control and Remote Control Valves and it will address three topics:

• Gathering information on the state-of-the-art of automatic/remote control valve operations on the practical considerations involved with installing, operating and maintaining these valves;

• Identifying the constraints with deploying systems on existing versus new construction pipelines; and

• Collecting public input that will help guide a PHMSA study investigating and documenting automatic control and remote control valve challenges and considerations.

PHMSA is encouraging public participation at both meetings. Updated registration information is available on the web. Both meetings will be webcast with information about logging into those to be posted to that site at a later date.

BTW: Both of these topics address topics that will inherently involve both industrial control systems and communications between remote devices in those systems. One would like to think that the security aspects of that will be addressed at these meetings; I’m not holding my breath.

ICS-CERT Publishes two more HMI Advisories

2012-02-08T22:47:00.000-05:00

Yesterday afternoon and today DHS ICS-CERT published two advisories for vulnerabilities in two separate SCADA human-machine-interface (HMI) programs. Both were identified through coordinated disclosures. The affected systems are the xenon HMI (from Ing. Punzenberger COPA-DATA GmbH) and Wonderware HMI Reports (from Invensys).

Punzenberger Advisory

The twin DOS vulnerabilities for this advisory were reported by Kuang-Chun Hung of the Security Research and Service Institute – Information and Communication Security Technology Center (ICST). They would allow attackers to remotely execute a denial of service attack or possibly remotely execute arbitrary code.

Punzenberger has made available an update to this system that resolves the reported vulnerabilities. They also recommend disabling their ZenSysSrv.exe service except when it is actually needed.

Invensys Advisory

Rios and McCorkle reported these twin vulnerabilities on the Wonderware Report HMI from Invensys. The cross-site scripting vulnerability could allow a low skilled attacker to remotely execute a DOS attack or allow data leakage from the system. The write access violation would require a skilled attacker to execute arbitrary code via a social engineering initiated attack.

Invensys has a new version of this program available that removes the vulnerabilities from the system. It gets a little more complicated though since the owner-operator will also have to migrate the report definitions into the new Quick Reports 2012 format and request a permanent license from the distributor.

BTW: It would be interesting to know if these vulnerabilities were part of the ‘100 vulnerabilities in 100 days’ project that Rios and McCorkle did last year. The timing could be right and it would interesting to see how long it takes all 100 vendors to get their vulnerabilities systems under control. Or how many actually get the problems corrected.

HR 3834 Adopted by Voice Vote

2012-02-08T08:12:00.002-05:00

Yesterday the House Science, Space and Technology Committee adopted an amended version of HR 3834, the Advancing America’s Networking and Information Technology Research and Development Act of 2012, by a voice vote. A voice vote is a sure sign of bipartisan support, or at least lack of significant opposition.

The sole amendment adopted (actually the only one considered) was an editorial housekeeping amendment submitted by Chairman Hall (R,TX). The only thing of significance to this amendment was that this sort of cleaning up of the language of the bill is normally done with an amendment in the form of a substitute. That significance is only of interest to the connoisseurs of congressional procedures.

As I noted on Monday, this bill is a cybersecurity R&D bill of limited significance to the ICS community.

FRA Publishes Safety Training NPRM

2012-02-07T07:25:00.001-05:00

Today the Federal Railroad Administration published a notice of proposed rulemaking (NPRM) in the Federal Register (77 FR 6412-6461) concerning safety training of railroad employees. This rule would establish minimum training standards for each category and subcategory of safety-related railroad employee. It would also require each railroad to develop and submit a training program to FRA for approval. Each railroad would also be required to evaluate and designate the qualification of each such employee.

No, I don’t intend to expand the coverage of this blog to railroad safety matters (except, as always, where it may specifically address chemical safety or security matters). I’m looking at this NPRM today because it could have a significant impact on another long-awaited railroad training rule (this rule was statutorily required to have been completed by October 2009), the TSA railroad security training rule that was to have been completed by February 2008.

Public-Private Partnership

As a person who has spent much time in the military and in industry preparing and conducting training, I am very surprised (and pleased) to see such detailed training management requirements being proposed in a Federal Regulation. This is especially true since industry had a very major part in developing these regulations. The Railroad Safety Advisory Committee worked closely with the FRA in their development. This partnership between government, industry and labor should be a model for regulatory development across the government.

This partnership allowed for a reasonable process for dealing with the extensive training requirements for existing employees. It allows employers to designate current employees as ‘trained’ but still requires them to undergo refresher training within three years. It also provides for the development of a formal on-the-job training program as a reasonable alternative to hiring outside trainers.

Chemical Safety Training

Nothing in this rule directly addresses the training requirements for the OSHA HAZCOM program or the PHMSA HAZMAT training program. The rule does provide that other training plan submission requirements ‘found elsewhere in this chapter’ (Chapter II of 49 CFR) may simply be referred to in the safety training program required in this rule, but neither of those training requirements fall within this chapter. Of course neither of those training programs requires approval of the training program by their respective oversight agencies.

Since the FRA has no control over the requirements of those programs they really can’t review a railroads implementation of those requirements. There could, however, be a requirement to document that those training requirements have been met as part of the safety training program for railroad employees.

TSA Security Training

While safety certainly does affect security (and security should be a positive reinforcer of safety) the requirements of the two training programs are going to be significantly different. For one thing, since they will be regulated (sooner or later) by different agencies in different departments of the Federal government, one would expect to see certain philosophical differences in the training and documentation regimes required. For example I would be very surprised if TSA requires the railroads to submit their security training program for approval.

Another area where there will almost certainly be a difference in the two programs is the intensity of the training required. The crane operation safety training outlined in this NPRM will be much more intensive, and thus expensive, than the security training that will be required in the TSA NPRM when it is published.

One area where there will be an inevitable overlap in the two programs is in training management. Each railroad is going to have to fit both of these programs into their training management systems. Since §243.203 of this proposed rule sets out a rather detailed set of requirements for training records, one would like to think that any subsequent training program requirements for the same personnel would take those records requirements into consideration.

Of course if the TSA comes out with their security training program in May as currently planned (and based upon past history, I have my doubts), the requirements of this section will not actually be established in a final rule. One way TSA could deal with that would be to refer to any records management requirements to be broadly in accordance with §243.203 in their NPRM and then modify that as necessary when they go to publish their final rule (which presumably will come out after the FRA final rule).

Public Comments

As with any rulemaking effort, the FRA invites public comments on this proposed rule. Such comments should be submitted by April 9^th, 2012 and may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # FRA-2009-0033).

HR 3834 Introduced – Cyber Security Research

2012-02-06T05:40:00.000-05:00

Late last month Rep Hall (R,TX), the Chair of the House Science, Space and Technology Committee, introduced HR 3834, the Advancing America’s Networking and Information Technology Research and Development Act of 2012. This bill amends the High-Performance Computing Act of 1991 to authorize activities for support of networking and information technology research.

Cyber-Physical Systems

While the bill spends a great deal of time substituting the words ‘networking and information’ for the term ‘high-performance computing’ there are some changes made to the research priorities outlined in the original act. One of those changes deals with the introduction of a new research topic, cyber-physical systems. That is defined in §2(f)(1) as:

“physical or engineered systems whose networking and information technology functions and physical elements are deeply integrated and are actively connected to the physical world through sensors, actuators, or other means to perform monitoring and control functions”.

I cannot find anywhere in the bill where the term ‘industrial control system’ is used, but this ‘cyber-physical system’ certainly sounds like the definition, in the broadest sense, of an industrial control system.

Sec 4(a)(3) amends Section 101(a)(1) of the High-Performance Computing Act of 1991 (15 U.S.C. 5511) calling for a collaborative research and development effort that provides “for increased understanding of the scientific principles of cyber-physical systems and improve the methods available for the design, development, and operation of cyber-physical systems that are characterized by high reliability, safety, and security”.

Finally §4(b) requires the establishment a temporary university-industry task force “to explore mechanisms for carrying out collaborative research and development activities for cyber-physical systems, including the related technologies required to enable these systems, through a consortium or other appropriate entity with participants from institutions of higher education, Federal laboratories, and industry. The task force would prepare a report to Congress on its findings and then disband.

No Funding

The bill does not provide any specific authorization for funding this collaborative research and development effort. The existing 15 USC 5511 language calls for the President’s budget to allocate funding for the National High-Performance Computing Program (to be renamed by this bill as the Networking and Information Technology Program) from the various agencies that support the Program.

The only hope that the research activities outlined for cyber-physical systems would get some specific future funding would be if a future Congress were to provide that funding after receiving, reviewing and acting on the task force recommendations called for above. So hold your breath and hope for the best.

Congressional Hearings – Week of 02-06-12

2012-02-05T23:47:00.002-05:00

Congress won’t be anywhere near as interesting this week with only three hearings that might be of interest to the chemical security and cyber security communities. The one hearing deals with port security issues and the other two deal with cyber security issues.

Port Security

On Tuesday the House Homeland Security Committee’s Subcommittee on Border and Maritime Security will hold the first in a series of hearings on ‘Protecting our Ports, Increasing Commerce and Security the Supply Chain’. I doubt that there will really be very much talk about security issues at chemical facilities in and around ports. There will be a GAO report issued at the hearing.

Cyber Security

The House Energy and Commerce’s Subcommittee on Communications and Technology will hold a hearing on Wednesday looking at ‘Threats to Communications Networks and Private Sector Responses’. No witness list is yet available, but I’m fairly certain that ICS networks will be overlooked at this hearing.

The House Science and Technology Committee will be marking up HR 3934, the Advancing America’s Networking and Information Technology Research and Development Act of 2012 at a hearing on Tuesday. I’ve kind of ignored this bill as being beyond the ICS realm, but I’m probably going to look at it in a separate blog because I noticed an interesting new term when I scanned it tonight; ‘cyber-physical systems’. It’s still an R&D bill not a regulatory bill, but it might be interesting none-the-less.

Update on ISCD Rumors

2012-02-05T18:28:00.002-05:00

There is apparently a memo from Under Secretary Beers to people associated with NPPD announcing the resignation of Assistant Secretary Keil as of next Friday. The Acting Assistant Secretary position is going to Deputy Assistant Secretary for IP Bill Flynn according to sources that have seen the memo. There is no official word yet about the reason for the resignation and I wouldn’t expect there to be if Keil had been asked to resign over this issue..

At least one reader has noted that my observation/question about it being related to questions at Friday’s hearing about firings was certainly off base. I have been reminded that an organization like DHS cannot possibly make that kind of decision to force a resignation that fast, even if they wanted to. Too many political and legal questions that have to be resolved before something like that could be announced.

While the timing of the resignation does appear to be suspiciously related to the ISCD problems becoming public, there could be any number of reasons for the resignation. It is not unusual in the fourth year of an administration for any number of political appointees to start looking for new jobs in the public sector.

ISCD Hearing Fallout – Act I

2012-02-05T07:09:00.000-05:00

I’m hearing rumors that Assistant Secretary Todd Keil, who heads (headed?) the DHS NPPD Office of Infrastructure Protection, has been fired (‘within hours of the hearing’). If true this would likely have been in response to questions asked by Rep. Scalise (R,LA) about why people haven’t been fired.

Keil would have been the political appointee between Under Secretary Beers and ISCD’s Director Penney Anderson. Beers made reference to him a number of times in his testimony Friday, though I can’t recall him actually using Keil’s name, just his title.

Now, if Keil was insulating Beers from the problems at ISCD, Beers would certainly be justified in removing him. Or it could be just a move to make it look like Beers had not been informed about the problems until June of last year as he testified. Only a real investigation (looking increasingly unlikely after Friday’s undersight hearing) would be able to tell for sure. Anyway he was a political appointee so he almost certainly wasn’t ‘fired’ but rather asked to resign; no big thing.

Keil was kind of late coming to the game. I can’t remember exactly when he was appointed by President Obama, but it was quite a while after Beers took over NPPD (December 2009 according to his DHS Bio). In fact, some of the problems of multiple temporary managers at ISCD were due to that delay in appointing Keil. Sue Armstrong, then the Director of ISCD, served as Acting Assistant Secretary for quite some time, leaving her Deputy, Dennis Deziel, in charge as the first in a string of acting-Directors.

I haven’t been able to confirm the rumor and Keil is still listed on the OIP web page as the head of OIP. If it is true that he has left the building who will take over OIP. Will they ‘temporarily’ promote Ms. Anderson to Acting Assistant Secretary? Then her Deputy David Wulf would then double hat as the Director. Yep, that would make solving the problems at ISCD much easier.

ISCD Problem Hearing

2012-02-04T07:55:00.000-05:00

I didn’t get a chance to watch the ISCD hearing before the Subcommittee on the Environment and the Economy either live or in real time yesterday which could have been a shame because the House Energy and Commerce Committee web site does not provide a link to the archived video (at least as of 5:30 a.m. EDT this morning). Fortunately the Minority Web site does carry a link to the video so I could see the whole disappointing mess.

We Still Don’t Know

First off, neither we the public (who are paying the bills) nor industry (who is bearing the brunt of the regulation) know much about the extent of the problems at ISCD. We do know (as I pointed out yesterday) about the poor performance of ISCD as it pertains to the completion of the reviews and authorizations of site security programs under CFATS. We don’t know why the delays have taken place and we only have vague assurances that the problems are being addressed.

Thanks to the Committee Staff memo I mentioned earlier this week, we have a listing of the five ‘programmatic challenges’ and four of the nine ‘personnel challenges’ identified in the internal ISCD report on the problem; a report that was produced within weeks of Director Anderson and Deputy Director Wulf being appointed to their positions in ISCD. Unfortunately there has been no explanation of why the Staff memo could not even list the five other personnel challenges.

To be fair there was some brief and usually vague discussion in the hearing about some of these issues. For example a number of Committee members jumped on wording in the report about inadequate controls for ordering and tracking supplies, particularly language that indicated that these lack of controls provided an environment that made fraud, waste and theft a possibility. Interestingly Under Secretary Beers made clear that an earlier NPPD report on ISCD had identified this issue and Anderson and Wulf were identifying that problem from that report. Again, we have been vaguely assured that the appropriate controls are now in place.

Poor Format for Investigation

The format for Congressional hearings is really not suited to a discovery or investigational process. Each member is allowed to make a five minute speech about their political view of the problems (including in this case two Committee Chairmen Emeritus and the Ranking Member of the Full Committee). Then there is a single round of questions limited to 5 minutes for the question and witness response from each Committee Member and hanger on.

Since most members spend much of their questioning making political speeches justifying the particular question there is little time for a real response from the witness. Yesterday, for example Rep. Capps (D,CA) stopped Beers’ response to two different questions before he could say anything so she could ask her next question. She didn’t get any information, just a couple of sound bites for local news stations back home; getting re-elected is more important than getting answers.

When Congress does conduct a real oversight hearing and asks the hard questions, the adversarial questions, it is because of investigational work by Committee Staff. It is apparent that that work was not done before yesterday’s hearing. Part of the reason is that the Staff did not get a copy of the ISCD internal report until just last week. That just doesn’t make sense; the existence of the report was made public back before Christmas. The Committee with oversight responsibility (and I still can’t believe that an environmental committee has the temerity to claim, or worse yet be allowed to claim, oversight of a purely security issue like CFATS) should have been publicly screaming for a copy of this report the day after it was identified in the Fox News story. Of course, neither Homeland Security Committee has publicly said much about the lack of information being provided to them either.

Just as obviously, the Staff had never heard about the five other reports that Beers referred to in his testimony. These were reports about NPPD reviews of the CFATS programs. It would certainly be interesting to know if those reports had even remotely identified any of the problems pointed out in the Anderson-Wulf report. It would seem to me that that would be an important oversight question to ask. If they didn’t was someone hiding actively hiding information from NPPD or were the reviews just ineffective exercises conducted by less than competent managers? If they did identify precursors to the problems then why were they allowed to get larger?

Politics

There were only three real issues that were discussed in any depth (and shallow is the operative word here); the lack of Congressional oversight and direction, the supply issue discussed above, and the ‘problem of the unionization of the chemical facility inspection force. Waxman (D,CA), Pallone (D,NJ) and Dingle (D,MI) all repeatedly made the point that the lack of comprehensive chemical security legislation like HR 2883 they ‘pushed’ through last session made it nearly impossible for ISCD to properly execute this mission in the first place. I think that is a slight exaggeration of the situation, but, as I have stated on many occasions, it has certainly contributed to the current situation.

Gardner (R, CO) and Harper (R,MS) asked a series of relatively pointed questions about the role of the CFSI unionization in causing some of the delays in the implementation of CFATS. What neither of them asked, however, was why the workforce asked for union representation in the first place. I’ve heard from a number of the inspectors that they reluctantly voted for the union because management ignored their concerns about pay and organizational issues. Congress needs to look at the unionization issue as a symptom of the problems not a cause.

NOTE: I was very surprised that neither Waxman, Dingle nor Pallone, all big time union supporters and beneficiaries of large union political donations, raised a single word of objection to the reports noting that the union was a potential part of the problem.

Oh there was one other issue that was discussed at some length, the use of TWIC as a substitute for a personnel surety program. While the report offers the currently planned (but not yet politically approved) personnel surety program as a positive step forward, both Chairman Shimkus (R,IL) and Ranking Member Green (D,TX) chastised Beers for the Department not more explicitly stating that personnel holding TWIC should not have to be screened by the personnel surety program. Beers reminded them that he didn’t own the TWIC program (it is sort of co-owned by TSA and the Coast Guard, both of which are in DHS; a fact evidently not known by the Ranking Member who kept referring to the Department of Transportation).

Disappointing Congressional Performance

All in all I was very disappointed in this hearing. I’ll take a closer look at some things that probably would have been addressed if the Committee really knew anything about the problems in DHS in future blogs.

Confirmed Rumor about ISCD Hearing

2012-02-03T08:28:00.000-05:00

I just received an anonymous email reporting that there is a rumor circulating at DHS that Director Anderson will not be a witness at today’s hearing on the problems at ISCD, but will rather send her Deputy. A quick check of the House Energy and Commerce web site this morning shows that she has in fact been replaced on the witness list by David Wolf, the Deputy Director of ISCD. According to the Committee Staff Background Memo on that site, Wolf was a co-author of the ISCD report that triggered all of the recent attention on ISCD.

While Wolf may or may not be able to answer whatever questions maybe posed by Subcommittee members today, the fact that Anderson backed out at the last minute (and I have no idea of the reason why, she may be very ill for instance) will likely antagonize some members of Congress that are currently supportive of the CFATS process.

PHMSA Extends Two Pipeline Rule Comment Periods

2012-02-03T07:07:00.002-05:00

Today the Pipeline and Hazardous Material Safety Administration published two notices in the Federal Register (77 FR 5472 and 77 FR 5472-5473) extending the comment periods on two separate pipeline safety rulemaking efforts. The first concerns the NPRM for Miscellaneaous Changes to Pipeline Safety Regulations (Docket # PHMSA-2010-0026) and the second the ANPRM for Expanding the Use of Excess Flow Valves in Gas Distribution Systems to Applications Other Than Single-Family Residences (Docket # PHMSA-2011-0009). The new end-of-comment dates are, respectively March 6^th, 2012 and March 19^th, 2012. Both extensions came after PHMSA received requests for extension from potential commenters.

Even more Information on Tomorrow’s ISCD Hearing

2012-02-03T00:04:00.001-05:00

Yesterday the House Energy and Commerce Committee took the unusual step of publishing the written testimony of the primary witness to tomorrow’s subcommittee hearing looking as the current situation in the implementation of CFATS. Typically the written testimony is provided to Committee members and staff the day before the hearing, but the testimony is not made public before the witness appears before the committee.

The Program to Date

Much of the ten page testimony by Rand Beers, Under Secretary for National Protection and Programs Directorate is the standard DHS rehash of the CFATS program; how it was started and the steps taken to get where it is at. It does provide some new numbers about the implementation. They include:

• 4,458 facilities currently covered under CFATS

• 180 preauthorization inspections have been completed

• 53 facilities have had their SSP authorized (less than ½ of Tier 1 facilities)

• 10 authorization inspections have been completed

• 0 facilities have had their SSP approved since May 2009

• 66 Administrative Orders have been issued

Very little is said in the statement about the personnel and procedural issues that have hampered the ICSD’s efforts to more effectively move forward with the SSP implementation process. Beers blames growth problems with a new agency for some of the issues and this must certainly be a contributing cause to the problems. He does use all of the current management buzz terms (“a Division mission statement, vision statement, and statement of core values”) as if establishing these window dressing tools can possibly change the culture of an organization.

The Real Questions

Here are some of the questions that I would like to see posed to Beers and Anderson (in no particular order):

• What has been the total turnover rate for all ISCD personnel since June 2008?

• What has been the turnover rate for Chemical Facility Security Inspectors (CFSI) since June 2008?

• How many people in ISCD have been with the program since June 2008?

• How long does the hiring process take from the time a job is posted on USAJobs.gov until the new employee reports to work?

• Has the site specific pay rate problem been resolved?

• Have the travel pay problems been resolved?

• How many of the 1600 facilities that have removed their COI have replaced them with nearly identical chemicals with miniscule improvements in safety/security (for example replacing 20% Aqua Ammonia with 19% Aqua Ammonia)?

• How many of the 700 facilities that have reduced their on-site inventory by increasing the number of shipments of the COI, thereby increasing the transportation security risk?

• How many of the CFSI (or ISCD staff personnel) are qualified to assesses blast protection information?

• How many of the CFSI (or ISCD staff personnel) are qualified to conduct control system security assessments?

• How many of the CFSI (or ISCD staff personnel) are qualified to assess processes for neutralizing released chemical?

• Has ISCD signed a memorandum of understanding with ICS-CERT to receive support in the evaluation of the security protections provided to critical control systems?

• Has any ISCD facility evaluation (of any sort) included contacting local emergency response personnel to see if their support for emergency response to a successful terrorist attack had been discussed with facility management?

• Has any ISCD facility evaluation (of any sort) included contacting local law enforcement personnel that would be the first armed responders on the scene have been briefed about which areas of the plant it is unsafe to discharge a firearm?

Given access to the internal report from ISCD I’m sure that I could come up with even more biting and pertinent questions to ask this panel. But, it still doesn’t appear that the Subcommittee will be asking any serious questions tomorrow. There is none of the political posturing and grandstanding preceding this hearing that would indicate that anyone seriously cares about these problems. I challenge Chairmen Shimkus (R,IL) and his Subcommittee to prove me wrong

Results of Subcommittee Markup of HR 3674

2012-02-02T08:05:00.000-05:00

Yesterday the Committee on Homeland Security’s Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies met to markup HR 3674, the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness (PrECISE) Act of 2011, as I reported they would last weekend. Several amendments were adopted and the Subcommittee adopted the revised bill by a voice vote, a certain mark of the bipartisan support for the bill. The HR 3674 could move to a full Committee markup as early as next week.

As was expected none of the amendments to Chairman Lungren’s (R,CA) substitute language made any specific mention of industrial control systems, but there were two amendments that might impact security programs for those systems. These amendments affect the sharing of cybersecurity information and providing for civil actions against anyone inappropriately disclosing cybersecurity information provided by the private sector.

Information Sharing

Rep. Long (R,MO) introduced an amendment (which was adopted by unanimous consent) that would extend the information sharing requirements for the Secretary of Homeland Security of §228(b) by adding, among others, “appropriate private sector entities that provide cybersecurity or information security products”. The wording ‘cybersecurity or [emphasis added] information security’ could certainly include control system security products. Of course, the weasel wording of ‘appropriate [emphasis added] private sector entities’ greatly weakens this requirement.

Civil Actions

Rep. Keating (D,MA) introduced an amendment (which was adopted by voice vote) that enhanced the §250 penalties for disclosure of information by government employees, contractors or members of the National Information Sharing Organization (NISO). The §250 language provided criminal penalties (fines, up to one year in jail, and removal from office). The new §251 makes such disclosure actionable in civil court allowing for recovery of actual costs, profits of the discloser, punitive damages, and legal fees. The inclusion of profits of the discloser {§251(a)(1)} and punitive damages {§251(a)(2)} make this a potentially very serious sanction against potential disclosures.

More Reports

A couple of the other amendments will increase the report workload on DHS without significant benefit to the cybersecurity community. A McCaul (R,TX) amendment requires a report on foreign entities that pose the “the greatest cybersecurity threats to the critical infrastructure of the United States”. Another Long amendment would require an annual status report from the Board of NISO.

More Info on ISCD Hearing

2012-02-02T01:09:00.000-05:00

The House Energy and Commerce web site now has some additional information available on their hearing about the problems at ISCD. The information includes a witness list and a Committee Staff memo on the situation.

Witness List

The witness list is predictable and yet disappointing if it is the complete list. As I predicted in my earlier blog Under Secretary Beers and Director Anderson will be the (first?) panel of witnesses. This may be predictable, but it is certainly necessary. These are the two individual with the responsibility for overseeing the operations of the Infrastructure Security Compliance Division of the Office of Infrastructure Protection. Additionally, Beers was the one to direct Anderson to conduct the project review that came to our attention via the FoxNews.com report in December.

I have received a number of personal (and mainly anonymous) contacts from personnel working in the Directorate over the last year or so. There has been a lot of dissatisfaction with the way the CFATS program has been administered. To be fair most of that pre-dates Anderson’s appointment as Director. In fact I have had at least one communication from a Chemical Facility Security Inspector that praises Director Anderson’s efforts to address the issues.

Still, I think that the voices of the work force in the Department also deserve a voice in these proceedings. As one former employee noted to me it would be difficult for Anderson to have a complete understanding of the problems of the program since she is so new to the office.

Staff Memo

I had really hoped to see a copy of Anderson’s report to Beers. Instead we have a memo from the Committee Staff outlining the current situation at ISCD. There are a couple of interesting points made in this memo. First and foremost (to my mind) is the fact that the Committee was given a copy of the memo on January 30, 2012, over a month after it was shown to Fox News reporter, Mike Levine, so much for Congressional oversight.

Another interesting point in the memo is their reporting about the ‘miss-tiering’ letter that was sent out last summer. The Staff Memo reports that problems in data entry and modeling resulted in “in improper tiering of 600 facilities”; a few more than the 400 letters I had heard about. More importantly, it seems that the problem was uncovered in 2010 and covered up until Anderson took over the Directorate.

The memo notes that the ISCD report is marked FOUO (for official use only) and is only being made available to members (and probably their staffs). It does summarize the main points (high level summary to be sure) of the report, noting that there are 5 ‘major programmatic’ challenges and 9 ‘staffing challenges’ out lined in the report.

The programmatic challenges include:

• Inadequate training capability;

• An overreliance on hired consultants for expertise;

• Inappropriate transitions for new hires;

• Uncertainty from extremely short program authorizations; and

• Issues regarding job descriptions and the presence of an employee union.

While it is a common belief in most management, inside and outside of government, the inclusion of ‘an employee union’ as a challenge will probably not endear Ms. Anderson to the current liberal administration. I do suspect that some members of this Subcommittee will jump on that ‘challenge’ in this week’s hearing.

The memo only lists four of the 9 personnel challenges;

• Inexperienced managers;

• Personnel placed in jobs for which they are not qualified:

• Inadequate internal staff control, and

• Lack of regulatory compliance expertise

I would be interesting to know what the other five personnel challenges were. Did one include Levine’s comments about carrying weapons?

Watch this space for continued coverage of these issues.

ICS-CERT Publishes January Monthly Monitor

2012-02-01T23:07:00.000-05:00

FULL DISCLOSURE: There were some very kind comments about this blog in the January ICS-CERT Monthly Monitor (see the last page article on CFATS). Even though, for a blogger, that mention is better than money, this shouldn’t affect my review, as I have generally had good things to say about the Monthly Monitor since it began publishing.

Today the DHS ICS-CERT people published their January edition of their Monthly Monitor, a brief look at industrial control system news over the previous month. This issue highlights two ICS-CERT incident responses in December (one that you may have heard about in the news), industrial cellular security, a short 2011 cybersecurity review and the standard sections that been a major part of the Monthly Monitor’s outreach efforts on behalf of ICS-CERT.

Two Incident Responses

As you would expect, ICS-CERT can’t go into a lot of details in publicly describing any of the incidents that they have been involved in investigating or evaluating; but these two short reports provide some invaluable information about the responses from ICS-CERT and the types of problems that face the community. One dealt with a chemical facility and the other dealt with a railroad.

The chemical facility incident did not apparently involve an actual control system. Rather an advanced persistent attach had been discovered and the company was concerned that it might have involved data exfiltration. The involvement of the control systems at the company might, thus have been placed in a compromised situation.

The result was that “ICS-CERT assisted the company with identifying the scope of the infection and by providing analysis and mitigations for eradicating the threat actor from their network” (page 1). Hopefully it also provided some educational assistance at avoiding similar troubles in the future.

The second response story apparently relates to an incident that made the news earlier this month where one DHS organization announced that there had been a foreign based cyber-attack on a railroad control system. Apparently this was more of an attack than we had seen in the water system story, but it wasn’t an attack specifically directed at the railroad. The article reminds security managers that (page 1):

“This incident underscores that Critical Infrastructure Key Resource (CIKR) own-ers and operators should evaluate existing cybersecurity countermeasures they have in place against broader cybersecurity risks. Any number of non-targeted cybersecurity events can impact operations when systems are Internet accessible.”

As is usual with this newsletter, the publishing team includes links to ICS-CERT or US-CERT documents that provide additional information regarding the topic. In this case they link to a short handout about ICS-CERT incident handling procedures with emphasis on how to get ready for a fly-away team investigation.

Industrial Cellular Security

There is a full page article about security issues associated with the wide variety of cellular devices that are available for industrial control system applications. It’s a very interesting primer; well worth the read. There are two interesting outside-of-DHS documents listed in the article, unfortunately the links were corrupted in the printing process; cut-and-paste them though and they work fine.

Coordinated Disclosure Researchers

At the end of every issue, ICS-CERT makes a plug for its coordinated disclosure program. Knowing that many researchers can use the free publicity, they include a listing of researchers that are currently working with ICS-CERT to help resolve exploits that they have discovered. Their efforts are apparently succeeding as the list of names continues to grow each issue. In fact, they have expanded the effort by adding a listing of ‘Notable’ researchers, listing the specific projects that they have worked on.

An interesting note about these two lists of researchers is the inclusion of one specific name that is well known to readers of this blog; Luigi Auriemma. Readers will certainly remember that Luigi sprang full blown on the ICS scene with a large number of uncoordinated disclosures on a single day; he took a lot of heat for that from a number of people. Apparently ICS-CERT has forgiven Luigi his trespasses and brought him at least partially into the fold; welcome Luigi.

More Waxahachie Emergency Response Notes

2012-01-31T08:47:00.000-05:00

Last October I looked at the fire at the Magnablend chemical facility in Waxahachie, TX as a learning tool for emergency response planners. Recently the facility was once again in the news for emergency response activities related to the aftermath of that fire. According to a news article on WFAA.com recent rains in the area caused containment ponds that collected fire-fighting water (and subsequent rain fall that helped ‘clean’ the facility) to overflow; ponds that “were presumed to still be polluted with chemical residue” according to the article’s author Brett Shipp.

Typically these run-off collection ponds are initially put into place by emergency responders and later improved somewhat by whatever clean-up company comes in to remediate the site. The initial runoff from the firefighting effort would probably have the highest concentration of dangerous chemicals. That is presuming, of course, that teams are able to quickly get into the facility and stop whatever leaks remain.

The initial fill of these ponds is usually emptied quickly in an effort to limit any additional environmental exposure to the chemical mixture involved. Most professional site restoration companies are well experienced in the physical and legal requirements of this process. These operations should be coordinated with local emergency response personnel so that they can respond appropriately to any incidents that occur in the process.

The containment structures are typically left in place until final site clearance is received to collect any subsequent run off from facility clean-up operations or rainfall runoff. The water collected is usually less contaminated than the initial collection in these ponds, but, depending on the chemicals involved at the site, may still harbor dangerous levels of hazardous chemicals. Remember what constitutes ‘dangerous levels’ is dependent on the chemicals involved, some chemicals are still dangerous down to the part per million or even part per billion levels in the environment.

Local emergency response planners need to ensure that these collection ponds are monitored for contaminant levels and liquid level in the ponds. When heavy rains are forecast for the area consideration of draining the current contents before the rain event may prove to be beneficial. Areas of the country that experience frequent short-notice periods of heavy rainfall may want to consider requiring secondary containment facilities to catch any pond overflows.

Provisions need to be put into place to keep these ponds isolated from the community, including restricting access to the ponds. They certainly meet the definition of ‘attractive nuisance’ and may actually be potential targets for fringe elements of the radical environmental movement, particularly if the company involved is already on the hit list for whatever real or imagined environmental slights. Less radical elements may also attempt to include such sites in ‘environmental actions’ designed to call attention to the hazards.

As with all emergency response plans a formal process needs to be put into place to review these situations on an on-going basis. Initial emergency plans for all facilities housing dangerous chemicals need to include run-off management plans. Those plans need to be reviewed and modified as necessary before the incident commander turns the scene back over to the owner or the environmental remediation company designated for site clean-up.

Siemens – The Big ICS-CERT Advisory

2012-01-30T23:54:00.000-05:00

Today the DHS ICS-CERT folks published an unusual advisory. They combined reports of vulnerabilities from four separate researchers; Billy Rios, Terry McCorkle, Shawn Merdinger, and Luigi Auriemma; and combined them into one big (eleven separate vulnerabilities) advisory on the Siemens WinCC application. Not only is the big from the number of vulnerabilities, but the potential consequences of the exploitation of these vulnerabilities is really big. ICS-CERT notes that:

“Successful exploitation of these vulnerabilities could allow an attacker to log on to a vulnerable system as a user or administrator with the ability to execute arbitrary code or obtain full access to files on the system.”

Given the wide range of facilities that this Siemens application is used, an attacker would have a wide range of potential targets that could essentially be exploited at will, shutting down electrical transmission facilities, water treatment facilities, chemical plants, even automotive manufacturing facilities. Simultaneous attacks on a number of targets across a number of manufacturing and utility sectors could have a catastrophic impact on local, state, national, or even world economies.

The catalogue of vulnerabilities includes:

• Insecure authentications;

• Weak default passwords;

• Cross-site scripting;

• Header injection;

• Client-side attack;

• Lack of telnet daemon authentication;

• String stack overflow;

• Directory traversal (two separate vulnerabilities);

• Denials of Service; and

• Arbitrary memory read access.

The good news (and I’m really having to stretch here to call this ‘good news’) is that ONE of the vulnerabilities requires user interaction to exploit. Fortunately for Siemens’ customers there have been so few successful social engineering attacks over the last year or so (pardon the gross sarcasm). The bad news (and it doesn’t come much worse than this) is that there are publicly available exploits for 7 of the 11 (Oh Craps, I know, pardon the pun) vulnerabilities.

The good news (another stretch) is that Siemens has dealt with each of these vulnerabilities. They have

• Patched 5;

• Changed product documentation to explain how to correct one during set up;

• Recommended deactivation of transport mode for four others; and

• Explained that users have the option of disabling the final vulnerability.

The bad news is that no one outside of Siemens has verified if any of the above actions prevent the exploit of any of the eleven vulnerabilities included in this report.

The final good thing is that ICS-CERT put all of these vulnerabilities into a single advisory, making it easier to keep track of what has been fixed or not. It might be a good idea to do the same sort of thing for Siemen’s PLCs.

New Version of HR 3674, ‘the’ House Cybersecurity Bill

2012-01-30T07:24:00.000-05:00

As I noted in my blog post Saturday, there will be a subcommittee markup hearing for HR 3674, the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act of 2011 (PRECISE) Act of 2011. As is usual with markups of bills like this, the hearing will start off with the Chairman, Rep Lungren (R,CA) introducing his revised language for the bill and the subsequent proposed amendments will be made to that new language. So let’s take a look at the new version of his bill.

Overview

First off nothing has been removed from the bill at this point (that could change later this week); so everything I wrote about this bill (then a draft of this bill) still pertains to this revised language.

Most of the changes have been technical wording changes that will be mainly of interest to lawyers and judges if this bill ends up being signed by the President. There were, however a couple of new sections that were added at the end of the bill. They include:

§ 4. Report on Support for Regional Cybersecurity Cooperatives;

§ 5. Pilot Program on Cybersecurity Training for Fusion Centers; and

§ 6. Assessment of Sector by Sector Cybersecurity Preparedness.

Please note that §5 provides for training fusion center personnel in IT security practices to protect their information systems, not about cyber security threat assessment. It would have been nice to see a training requirement here for instance that would direct fusion center analysts to ICS-CERT for assistance in evaluating potential control system threats or attacks.

The bulk of the remaining changes can be found in Subtitle E, National Information Sharing Organization (NISO). Most of these changes have apparently been made to ensure that the NISO is not a ‘threat’ to civil liberties or legitimate information sharing activities.

ICS Coverage?

This bill remains at heart an information system protection bill not an ICS protection bill. The new version does include an additional mention of ‘industrial control systems’. In §226(a)(7) the bill would require the Secretary of DHS to:

“establish, in coordination with the Director of the National Institute of Standards and Technology, the heads of other appropriate agencies, and appropriate elements of the private sector, guidelines for making critical infrastructure information systems and industrial control systems [emphasis added] more secure at a fundamental level, including through automation, interoperability, and privacy-enhancing authentication”.

There continue to be a number of sections of the bill that do not contain the explicit language “critical infrastructure information systems” and these may imply coverage of control systems. These are generally reporting requirements or information sharing requirements and they do not provide any regulatory authority.

For example the new §4 of the bill requires the Secretary to report on:

“the Secretary’s plan to provide support to regional, State, and local grassroots cyber cooperatives designed to decrease cyber disruptions to critical infrastructure, increase cyber workforce training efforts, increase community awareness of cybersecurity, organize community cyber-emergency preparedness efforts, build resiliency of regional, State, and local critical services, and coordinate academic technical and policy research effort”.

There is mention of potential grant program supporting these ‘cyber cooperatives’ (and that term is never defined), but there is no spending authority for such grants. This means that the grant money would have to come out of some existing grant program.

National Information Sharing Organization

The most controversial area of this bill continues to be the establishment of the National Information Sharing Organization which is also the section of the bill that sets up the conflict between this bill and HR 3523 (the bill sponsored by the House Intelligence Committee). Most changes to the NISO sections of this bill address privacy concerns.

For example §244(9) sets for the requirements for the protections of ‘privacy and civil liberties’. The new version of this bill adds subparagraphs (B) and (C) that specify that only ‘cyber threat information’ may be shared within NISO and that all “personally identifiable information not necessary to describe a cyber threat” be removed from information shared by and through NISO.

I noted in my earlier blog on this bill that the private sector board members of NISO did not include anyone from the water, chemical or transportation critical infrastructure key resources (CIKR) sectors. The revised version changes that somewhat in that it adds the water sector to those represented on the Board. The continued lack of chemical or transportation sector representation effective shuts those sectors out of NISO participation.

The new version of this bill also financially guts NISO after FY 2015. Federal funding up until then consists of $20 million each fiscal year (and that comes out of the existing DHS S&T budget, no new money). After FY 2015 the only federal money going to NISO will be the Federal membership fee for NISO. Even that will be limited by §253(b) to no more than “the fee collected from the largest private sector member of the National Information Sharing Organization”.

Since §253(a) prohibits Federal appropriations supporting NISO, that fee will have to come out of the budget of DHS or three other “Federal agencies with significant responsibility for cybersecurity” {§243(b)}. Since none of the four is required to pay the Federal governments ‘fair share’ fee I bet this gets lost in the annual budget shuffle.

There are two new terms specifically defined in the NISO sections of this bill that might increase the applicability of NISO to control system security information sharing (but don’t hold your breath); ‘cyber attack’ and ‘cyber security criminal act’. The inclusive language for ‘cyber attack’ includes the phrase “causes or attempts to cause damage and loss” {§248(f)(1)(B)}. For ‘cyber security criminal act’ the phrase is “efforts to degrade, disrupt or destroy a cybersecurity system or network” {§248(f)(2)(A)}. Neither constitutes a resounding commitment to ICS security information sharing.

Further Amendments

The subcommittee markup hearing that starts on Wednesday (and may become a multi-day hearing) will undoubtedly include many changes to the wording of this bill. Watching the hearing itself will be little help in identifying those changes as the exact wording of the changes is rarely included in the live proceedings. Usually we just get the interpretations of what the various congress critters think the language means.

We will have to wait until the actual amendment language is posted to the House Homeland Security Committee web site. The staff of that Committee usually does a pretty good job of getting that information up quickly. After that we will have the full committee markup (maybe as early as next week). Then we will have to wait for four other committees to act (or more likely fail to act) on the bill.

Congressional Hearings – Week of 01-30-12

2012-01-28T11:51:00.000-05:00

Congress has a full week (for Congress 4 days is a full week) of work ahead of them including two hearings that will certainly be of interest to readers of this blog; ISCD Problems, and Cybersecurity Legislation.

ISCD Problems

The Environment and Economy Subcommittee of the House Energy and Commerce Committee will be holding hearings on the current problems at ISCD on Friday. Actually the title of the hearing is “Evaluating Internal Operation and Implementation of the Chemical Facility Anti-Terrorism Standards program (CFATS) by the Department of Homeland Security”; and I thought that I had a tendency to get wordy.

No witness list is currently available, but I would bet that it includes on the first panel Under Secretary Beers and Director Anderson. If that is the only panel of witnesses, the hearing will be a typical Congressional waste of time. If the second panel is industry reps, it will be almost as much of a waste of time. The only way that this hearing will be meaningful is if it includes sworn testimony from people within ISCD including the facility inspection force; I’m not holding my breath.

What is disappointing is that the first hearing on this topic is by a subcommittee of the Energy and Commerce Committee. First we are certainly past the point where we should be wasting time with Subcommittee hearings since they will certainly have to be duplicated by the full committee before anything can be accomplished. Secondly it is a sign of the utterly stupid organization of oversight of DHS components in Congress that this hearing is not being held by the Homeland Security Committee. Of course Rep King (R,NY) and Thompson (D,MS) have been absolutely silent on the ISCD issue so maybe it is better that someone else does the hearings.

One last rant point here; if the hearing record does not include a public copy (redacted if absolutely necessary) of the internal NPPD report on the problems, the Subcommittee needs to be swept from office in November and the Committee Staff fired on the spot. I know, it won’t happen, but I just had to vent.

Cybersecurity

The Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies of the House Homeland Security Committee will be holding a potentially multiple day mark-up hearing on HR 3674 starting on Wednesday. I did a blog post on this bill before it was actually introduced and most of that discussion remains applicable to the bill going into this hearing.

Chairman Lungren (R, CA) will be submitting substitute language for this bill at this hearing. There are some interesting changes being proposed (including some minor but specific control system language), but that is a subject for a separate blog post.

This bill has the hallmarks of being the potential cyber-security bill for this session. The only drawback is that it was also referred to the following committees for consideration:

• House Oversight and Government Reform

• House Science, Space, and Technology

• House Judiciary

• House Intelligence (Permanent Select)

I know the Intelligence Committee has their own bill (HR 3523) that has some conflicting provisions with the current and proposed versions of HR 3674, so we can bet that they won’t hold any hearings on this bill. Similar issues may arise with the other committees as well. The House and Senate leadership are committed to passing cybersecurity legislation this session, but that doesn’t necessarily trump committee politics.

ICS-CERT Publishes OAS OPC Advisory Update

2012-01-27T19:44:00.002-05:00

Today was the day that the DHS ICS-CERT published their updated Advisory on the Open Automation Software OPC Systems.NET vulnerability. As I mentioned in an earlier blog post this update adds a second vulnerability to the one initially discovered by Luigi; the second being discovered by Digital Security Research Group (DSecRG).

The latest vulnerability is this system is a reported buffer overflow vulnerability in the ActiveX control for the system. It would allow a moderately skilled attacker to ….. Hmm ICS-CERT doesn’t say what the vulnerability would allow an attacker to do and neither does the DSecRG report on the vulnerability. Oh well, I guess it doesn’t matter because the updated version of OPC Systems.net released to deal with the Luigi vulnerability also fixes this one. And everyone always updates their systems when a security update becomes available – don’t they?

The long history of this Advisory (dating back to the original Luigi based alert) shows how complicated ICS vulnerabilities can get. This update makes things even more interesting by noting that the new buffer overflow vulnerability in the OAS OCP Systems.NET isn’t really an OAS vulnerability. The vulnerability actually resides in the ActiveX component FlexGrid 7.1, a third-party component of OCP Systems.NET.

As I have mentioned a number of times finding a vulnerability in a third-party component automatically brings a question to my mind; what other ICS systems are using the same component and thus potentially have the same problem. Unfortunately, there is no way for anyone to know since system vendors don’t report if/when/where they use third party component software. Until, of course, a security researcher finds the same vulnerability in another system.

PHMSA Radioactive Tissue Holder Notice

2012-01-27T07:08:00.001-05:00

NOTE: This is not about chemical security, ICS security, pipeline safety, or even chemical safety. Sometimes I just have to vent about government stupidity and I own this space.

Today the Pipeline and Hazardous Material Safety Administration published a Safety Advisory Notice in the Federal Register (77 FR 4398) dealing with radioactive tissue holders; you know, facial tissues, Kleenex®. It seems that Bed Bath and Beyond ® sold some 220+ tissue holders in the United States that were contaminated with Cobalt-60 during their manufacture in India and emit low levels of radiation.

Now having read that information in the Summary section of the notice, I expected to read in the body of the notice that PHMSA was providing shipping instructions for sending these radioactive sources back to somewhere. Since most consumers would not have access to training on shipping hazardous materials or preparation of the paperwork required to accompany such shipments I really expected that PHMSA would provide notice that they were publishing an unusually special Special Permit to allow consumers to get this dangerous material into appropriate hands.

Didn’t happen. It simple tells people to contact Bed Bath and Beyond for “information about proper return procedures”. WHAT? Okay, cool down, read some more, there must be an explanation.

How dangerous is this tissue holder? Here is what the notice says:

“The highest identified radioactivity level on the surface of the tissue holders was approximately 20 mrem/hr, however most of the tissue holders showed much lower levels. A person who spends eight hours in close contact with one of these tissue holders (such as having the tissue on a bedside table next to the bed) could possibly get a maximum yearly dose of about 500-700 mrem. While no unnecessary radiation exposure is desirable, the dose from the tissue holders is not expected to cause any appreciable health effects. To put this into perspective, a person living in the United States receives a radioactive exposure of about 360 mrem/year from naturally-occurring background radiation.”

Okay, it’s really not that big a thing. People should be able to pack these up in a sturdy cardboard box and ship it to some B³ location for appropriate consolidation and disposal. B³ will have some issues to deal with and will be screaming at their Indian supplier. Consumer question, is someone actually making tissue dispensers with steel? What ever happened to plastics for gosh sakes?

Now for the big question: What the Hell is PHMSA doing publishing this notice? Wouldn’t it be more appropriate coming from the Consumer Product Safety Commission? Aren’t they the ones that are responsible for protecting us against unsafe consumer goods????? PHMSA is in the Department of Transportation. They are responsible for transportation issues related to hazardous materials, not radioactive sources sitting on the night stand. How many consumers read the damned Federal Register?

PHMSA is behind enough in their normal work. If it isn’t transportation related, let the appropriate federal agency handle public notices of this sort. Do your work not theirs.

BTW: Did anyone tell the TSA airport security screeners about these dangerous tissue holders that could be used as potential radiological devices aboard aircraft? Do they have pictures to help them identify these devices? Do they have radiological detection devices? I am being sarcastic here, let’s not get carried away.

Rail Borne Chemical Threat to Super Bowl?

2012-01-26T23:50:00.000-05:00

An Indianapolis TV station’s web site is reporting that CSX will halt rail traffic past the Lucas Oil Stadium on Super Bowl Sunday this year. The tracks run within a block of the stadium, and train traffic will not be allowed on those tracks starting about 3 hours before game time until after the Stadium is emptied after the game. The fear is, of course, that a hazardous material leak (accidental or deliberate) that close to the game site could put thousands of people at risk.

Okay, a pause to allow our friends from Green Peace and other environmental activist organizations to ask “What about the thousands of people who live and work along that same line every day?”

Accidental Releases

They are, of course, correct in that anyone living within a certain distance of a railroad track is placed at increased risk of exposure to any hazardous chemical that is being carried in any of the rail cars. The amount of increased risk is infinitesimal; railroads have a very enviable safety record either in the absolute number of fatal chemical incidents or the number of releases per ton-mile of hazardous material transported. Only pipelines have a better overall safety record.

If the risk is sooo small, why are they stopping the train traffic on game day? A small part of the reason is that even an infinitesimal risk is way too high when you are dealing with high-profile events like the Super Bowl. Even a relatively small and hardly dangerous leak of a moderately toxic chemical along the nearest point of approach to the Stadium (named after an oil company, how ironic) would result in the game being stopped and the stadium being evacuated. That would kill Indianapolis’ chance of ever getting another high profile event in their fair city.

Deliberate Attacks

The real reason has nothing to do with accidental releases. If that were the case, those trains would be stopped every time the Colts play at home. It hasn’t happened. It won’t happen. No one is concerned with accidental releases. It is a terrorist attack converting one or more of those railcars to chemical weapons, improvised explosive devices or flame weapon that keeps the CSX security people awake at night as Super Bowl Sunday approaches.

Now the risk of a successful terrorist attack (defined as resulting in a catastrophic failure of the railcar tank resulting in impressive off-site consequences; death and destruction) on a rail car is relatively low. The cars are made of very thick, welded metal, that was designed to resist damage in normal handling and low speed derailments. A portable explosive device designed to take out such hardened targets are not available via Terror-U-Online; it requires the services of an explosives engineer, lots of hands-on time with a stationary vehicle. Oh yes, they have to be large enough to be readily detectable.

Unless, of course, one were to place the device inside of the sealed and filled railcar. But that’s a topic of a completely different post.

Partially Successful Attack

Of course, a successful attack doesn’t really have to be successful to be successful, if you get my meaning (of course you don’t, I’m being entirely too cute, but I will explain). If a targeted release of a chemical (and it wouldn’t even have to be really hazardous) were visible to the news teams covering the game, the security advisors for the event would have to immediately begin evacuation procedures even before they knew the actual nature of the release. There would be wide spread panic resulting in potentially hundreds of deaths or serious injuries; all in front of the eyes of the world.

And that is the reason that CSX is stopping the flow of all rail cars by Lucas Oil Stadium on Super Bowl Sunday, but letting them flow the other 365 days of 2012.

Reader Comment: TSA Video Surveillance Report

2012-01-26T13:49:00.002-05:00

I got a real nice response to yesterday’s TSA Video Surveillance blog post from the President of SightLogix. The comment is posted to the original blog and is well worth reading. The interesting point that he makes (from my point of view) is that the un-redacted TSA video surveillance report (and others like it) is posted on the “TSA’s Secure Webboard”. This is apparently a restricted information (SSI I presume) sharing site that is accessible to registered Airport Security Coordinators; appropriate as that’s who needs this type of information about these security measures.

The interesting comment from him is that he (personally) does not have access to the un-redacted TSA report about the testing of the installation of his company’s equipment. I understand that there is a whole ‘need to know’ issue here, but business decisions and equipment recommendation need to be made based upon reports like. Oh well, I would hope that someone in his organization has access to this web site or was at least allowed to review the report before it was posted.

Now the other point; the ASC web site is great for airport people. But this is not an issue restricted just to airports. Any number of other critical infrastructure facilities have boundaries that need to be surveilled. The information from this testing would be a great piece of information for security managers at these sites as well. I would think that TSA would be able to find a way to share the information with other TSA monitored security programs (a small list to be sure) like railroad facilities.

DHS is going to have to be involved in making this information available to the rest of the non-transportation facilities that have federally mandated perimeter security requirements like CFATS and MTSA. The information about boundary security is applicable to almost any type facility.

Reader Email – Expected Alerts are not Coming

2012-01-26T00:17:00.000-05:00

In my last two ICS-CERT related blogs I noted that the Digital Security Research Group (DSecRG) web site had two additional ICS vulnerabilities reported that had not yet shown up as ICS-CERT alerts. I heard from two different sources today the reason that those alerts are probably not forthcoming. The first came from a semi-anonymous email (it came from a gaming site, but it was signed with a PGP signature) and the second was from a caller claiming to be from ICS-CERT but I didn’t catch the name as I was running between three meetings at the time.

Default Passwords

The DSecRG web site describes vulnerabilities in Tecomat PLCs and the Open Automation Software (OAS) OPC system. According to both sources (in almost identical wording, same person perhaps?) the Tecomat PLC vulnerability is really nothing more than a list of default passwords that should be changed upon system installation; anyone want to venture a semi-educated guess as to how often they are actually changed on PLC’s? I don’t know but I would suspect much less often than security folks would like to see. After all PLC’s are not connected to the internet, so why bother?

Both sources said:

“That is not a vulnerability. If they are not changed than that is a configuration issue. (We can not prevent integrators from being stupid).”

The pejorative aside, I can certainly understand why ICS-CERT and many security professionals would take that attitude. They have enough serious ICS security issues without having to worry about people not changing default passwords.

Having said that, many of these systems were installed before most organizations had even heard the term ‘cybersecurity manager’. Now most critical infrastructure facilities (at least) have a person wearing that hat (okay and maybe a couple others as well) who needs to determine if there are any unresolved vulnerabilities in their legacy systems (all new systems, as we all know, come with sophisticated cybersecurity suites; SARCASM Warning). I would expect that a real common problem in many (if not most) of those older systems is that they were installed without changing any of the default passwords.

If an energetic cybersecurity manager knew which systems came with default passwords and knew what they were, it would be a relatively easy (okay so that is a slight exaggeration, and our receptionist is just slightly pregnant) to go back and check all of those devices to ensure that the default password is not still active. Without lists like this from people like DSecRG or ICS-CERT, it would be nearly impossible to determine what the default password on legacy systems might be to verify that they had, in fact, been changed.

Well, if ICS-CERT isn’t going to worry about the problem, maybe SCADAHacker can just add that to the lists he is maintaining on various ICS security issues.

OAS OPC Advisory

Both sources told me today that ICS-CERT was going to be issuing an update on the recent OAS OPC advisory. That update (already planned apparently) will also address the vulnerabilities identified on the DSecRG web site as they are already being dealt with by OAS. If that update provides appropriate mitigation measures for the DSecRG identified vulnerabilities, that certainly sounds like an efficient way of dealing with the problem. No word on when that will be published; hopefully in the next day or two.

TSA Analysis of Video Surveillance System

2012-01-25T08:02:00.002-05:00

I typically don’t try to promote specific security systems as I am not a ‘qualified expert’ in much of anything that would allow me to make an authoritative evaluation of any particular product. Every once in a while I run across (thanks in this case to a SCADAHacker tweet) an evaluation of a system by someone or an organization that should be qualified to do such an analysis and I think it’s worthwhile to look at such evaluations. I recently ran across a TSA report on the use of a video analytics system used to secure an airport perimeter that falls into this category.

The Report

The report was prepared as part of TSA’s Airport Perimeter Security project that provides a technical evaluation of perimeter security systems currently being employed at facilities around the country. This project should provide security managers with an important independent evaluation of integrated security products to supplement claims made by manufacturers and system integrators. This is apparently the first of 15 (perhaps 21, the wording of the report is sort of vague) such reports that TSA is currently preparing.

The actual evaluation was done by the National Safe Skies Alliance, a non-profit organization formed to “support testing of aviation security technologies and processes”.

Redacted Information

One would expect that an in depth review of a security system would involve the disclosure of some sensitive information that might be useful to someone trying to compromise that system. This report is no exception. TSA has dealt with that by redacting (blacking out) certain information in the report. While protecting the security of the installation being evaluated, it does somewhat compromise the usefulness of the evaluation.

For example the report redacted a site diagram (page 3, 15 Adobe) showing the areas covered by the video system; an understandable exclusion. Partially understandable, but certainly less helpful to security managers, was the redaction of the test intrusion detection rates in reporting the test results for the four individual intrusion techniques tested (with any details of the intrusion technique redacted). What makes this somewhat confusing is that in the summary discussion of the system accuracy the report notes that over 900 intrusion scenarios were performed (four intrusion techniques performed at a variety of locations within the detection range of seven devices) and that “every alarm instance was accurately reported through the primary management software” (page 13, 25 Adobe).

So what is redacted is the rate of failure to detect; darn that could be valuable information for security managers. What is less clear is how this would compromise system security unless the detection rate is extremely poor. If the system had a high rate (say 80% for the sake of discussion) that would warn attackers to stay away since there attack would have an 80% chance of being detected at the perimeter. On the other hand, if the detection rate were low (say less than 20%) that might make the attacker more willing to risk the attack.

Missing Information

While one can understand why much of the redacted information is not available, the information that is specifically missing from the report is much more bothersome. One of the general complaints about automated surveillance systems is their relative high-rate of nuisance alarms (natural environmental movements that set off the detectors) or false alarm (inappropriate detections with no known cause) rates. Those rates are missing from this report.

In the ‘Scope’ section of the report the author notes that the evaluation period was insufficiently long to establish nuisance or false alarm rates or to determine their cause. I find this hard to believe when there was time enough to evaluate 900 intrusion attempts by two field testers. At the very least the report should have included information about the number of nuisance or false alarms observed during the test period. This may not be statistically sufficient to establish a true rate, but it would provide valuable data in any case.

What concerns me more is the fact that the report states the reason the report could not distinguish between nuisance alarms and false alarms (an important distinction) was that the causes of alarms “had not been recorded by BUF (airport security personnel) personnel” so there was no way to verify alarm type. This would seem to indicate that security personnel were not really paying attention to the alarms on their system, or at the very least were not investigating alarms sufficiently to determine if an intrusion were actually taking place. This is not a fault of the report, but rather of the security management at the facility.

Interestingly, in the discussion of the results portion of the report there is a large redacted box in the section dealing with “Nuisance and False Alarm Reporting” (page 12, 24 Adobe). It would be really nice to know what was discussed there.

Overall Report Evaluation

I’m glad to see that TSA is having this type of system evaluation done. Unfortunately the usefulness of the information presented is compromised by the redaction of evaluated data. In most cases I can understand and even agree with the reasoning for the redaction in the public presentation of this data. For this to be worthwhile, however, TSA is going to have to find a way to make the un-redacted information available to airport security managers and security managers at other critical infrastructure sites. Otherwise this report will just sit on a shelf collecting dust.

ICS-CERT – Two New Advisories but Two Alerts from Last Week still Missing

2012-01-24T23:24:00.000-05:00

This afternoon the DHS ICS-CERT published two new advisories, both with multiple vulnerabilities. The advisories are for Ocean Data Systems’ Dream Reports and MICROSYS’ Promotic systems. Strangely missing are the two alerts that I predicted this weekend for vulnerabilities publicly disclosed by the Digital Security Research Group (DSecRG).

Ocean Data Systems Advisory

Rios and McCorkle reported the two vulnerabilities addressed in this advisory. The first is a cross-site scripting vulnerability that is remotely exploitable and does not require much in the way of skills to execute. The second is a write access violation vulnerability that is a tad bit more complicated to exploit, requiring a successful social engineering attack and the creation of a specially crafted data file.

Ocean Data Systems has published a new version of the Dream Report product that has been confirmed to be free of these two vulnerabilities. Separate CVE numbers have been assigned, but are not yet active.

MICROSYS Advisory

While it is not mentioned in this advisory, it is an update of an alert issued last October for three vulnerabilities found in the Promotic HMI. Those vulnerabilities were reported by our friend Luigi. The vulnerabilities identified were:

• Directory Transversal, CVE-2011-4518;

• ActiveX Stack Overflow, CVE-2011-4519; and

• ActiveX Heap Overflow, CVE-2011-4520

All three are remotely executable by a relatively low-skilled attacker. The first could be used to cause some data leakage and the other two could be used as part of a DOS attack. The latest version of Promotic is free of these vulnerabilities and is downloadable from the MICROSYS website. The above listed CVE numbers are not yet active.

Missing Alerts

Last Sunday I noted that in addition to the WAGO vulnerability covert in an ICS-CERT alert from Friday, there were two other system vulnerability reports from DSecRG describing vulnerabilities in Tecomat PLCs and the Open Automation Software (OAS) OPC system. Both of those should have received ICS-CERT alerts on Friday or yesterday. There were still not yet posted as of 20:30 EST today; curiouser and curiouser.

Reader Comment: Basecamp Communications Devices

2012-01-24T08:22:00.000-05:00

It took me a while, but I finally got a chance to ‘moderate’ a response to this weekend’s blog post on the Basecamp disclosure process from Dale Peterson; one of the drawbacks to traveling cross country by car is that you can’t do much work on the internet. Dale explains the reasoning for including the Koyo ECOM100 and notes that the Schweitzer alert was for a wireless communications device, the SEL 2032 Communications Processor.

As Dale points out, vulnerabilities in the communications nodes between the PLCs and the control system are essentially major vulnerabilities for the control system and the PLC; they can allow protected access to both. As such they were clearly fair game for analysis.

The only point that I was trying to make about the ECOM100 being a ‘ringer’ (and the same point should have been made about the Schweitzer device) is that the PLC vendors had clear public notice about what was going to happen with the research into their devices. Since they should have known about the disclosed vulnerabilities (especially the ones that were specifically designed into the systems), they have no cause to complain about the ‘uncoordinated disclosures’. They are the ones that put their customers at risk not Project Basecamp.

Unless the Project Basecamp team provided direct notification to Koyo and Schweitzer about their products being included in the evaluation, the same blanket dismissal of concerns does not apply. On the other hand, the process industry really does need to understand that these types of devices (and I assume that the same types of vulnerabilities will show up in many if not most of these types of devices currently in use) may provide a broad avenue of attack on control systems. This clearly needs to be recognized and addressed.

So with the caveat that the following does not apply if they received advanced notification of inclusion in the Project Basecamp investigation, I think that both Koyo and Schweitzer were poorly treated by an uncoordinated disclosure of their vulnerabilities. More importantly their customers may have been unduly put at risk by not allowing these two manufacturers a chance to correct the system defects before the vulnerabilities were made public.

Twenty lashes with an al dente noodle for each of the uncoordinated disclosures for these two manufacturers (again with an immediate pardon if they received advanced notification of inclusion in the process) to Dale Peterson for his unsportsmanlike conduct. On the other hand, I think that it is time to look at all of the devices and systems that we employ to control critical processes, so a small quiet kudo to Dale as a salve to his wounds for his efforts (and of course the hard work of the entire Project Basecamp team and supporters) to bring formal attention to this problem.

The Disclosure Debate – Basecamp Disclosures

2012-01-23T09:57:00.000-05:00

I have been asked to weigh in on the ongoing debate about the recent PLC vulnerability disclosures by Digital Bond’s Project Basecamp. The apparent assumption behind the request is that since I am not a cybersecurity researcher, but rather a chemical facility security advocate, that I might have a different set of insights into the disclosure process. As I am almost always willing to provide my opinion on just about any topic, I could hardly turndown the request.

Ground Rules

First off I have to make clear that I have a professional relationship with Digital Bond. I periodically post on their blog about cybersecurity legislative matters. Dale Peterson has asked me to do so periodically, but he does not provide any remuneration beyond the access to a wider audience for my musings. He has personally made clear to me that I would have to really work hard to piss him off enough with any Project Basecamp criticisms to harm our professional relationship. That’s good to know, but it doesn’t really influence what I would write; people who know me well realize that I will express my professional opinions almost completely regardless of who will be upset by them or impressed by them.

Second, readers of this blog will almost certainly be aware that I generally come down on the side of full and open discussion of vulnerabilities. Over the last 4½ years I have described a number of potential physical vulnerabilities for chemical targets and discussed how they could most probably be successfully attacked by terrorists. I usually leave out critical details that only a well-trained terrorist or military man would be aware of so as not to encourage wannabes, but those details are not going to affect the response of defenders in any material fashion. And that is the key to the discussion of vulnerabilities on this blog; they are provided so that owners and operators of high-risk chemical facilities might better understand the risks they face.

Finally, I am not now, never have been, nor probably ever will be the owner of a control system. I have been a user as a process chemist, but I have never been responsible for the purchase, set up or protection of an industrial control system. It may be a subtle difference, but I don’t want anyone thinking that my musings in anyway represent the opinions of any portion of the chemical security community beyond the owner of this blog.

The Vulnerabilities Exist

The vulnerabilities that were discovered by Project Basecamp exist and have existed for some time. The Project Basecamp team went looking for these specific vulnerabilities because they exist in other PLCs, specifically the Siemens PLCs. And no one was really surprised that they were able to find these particular vulnerabilities.

The designers of these PLCs knew that these vulnerabilities were there. In many cases the vulnerabilities were apparently specifically designed into the equipment. The vendors could have corrected these vulnerabilities at any time.

Finally, Project Basecamp has been in the works for some time. Dale has been talking about what the team was going to be doing for quite some time. Nobody in the vendor community or the security researcher community or in the regulatory community should have been surprised by the results or the way in which they were communicated at the end of the Project.

Systems are at Risk

The facilities that use control systems that use these PLCs are at risk for potential attacks on their facilities employing the vulnerabilities that were reported by the Project Basecamp team. They have been at risk for such attacks since they first employed these devices. There has been some incremental increase in the level of that risk since Basecamp disclosures were made; how much of an increase no one really knows for sure.

The lack of surety is due to the fact that no one knows who else has been working on discovering the details behind these vulnerabilities and has already developed specific attack vectors using these vulnerabilities. In fact, using the Stuxnet model (or even the Duqu model) we don’t know how many facilities may have already been successfully attacked using these vulnerabilities.

Dale obviously selected a good team, but I would be extremely surprised if there weren’t hundreds of security researchers out there with skills at least as good as this team. Yes, I said hundreds. Do not forget that China and Korea (and probably Russia and India and Israel and …) have specifically gone about developing offensive cyber-warfare capabilities which would require developing thousands of cyber security research specialists; many of which would of necessity be focused on industrial control systems. And that’s not even considering the cyber-criminal underground that certainly exists.

The Upside

What has certainly increased is the awareness that these specific vulnerabilities exist and the methods to exploit them are now generally available. Any cyber-security contractor, ICS owner, or government regulator can use these tools to determine if a specific ICS installation is susceptible to attack using these vulnerabilities.

There will be some installations where other security measures already in place make an outside attack very difficult or perhaps impossible (I wouldn’t hold my breath waiting on that) to attack. There will be others where the local Junior High School computer nerd can own the facility. Most will fall somewhere in the middle between these two extremes.

Knowing the specific level of vulnerability and the mode of attack that could be employed, security controls can be put into place to mitigate (though certainly not eliminate) the risk of attack using these specific vectors. Most of these are well known and understood. ICS-CERT (and Digital Bond) have been talking about them for years.

Regulators should take specific note of the tools made available via the Project Basecamp disclosures. Any security inspection at a power transmission facility or high-risk chemical facility that does not use include the use of these tools to evaluate the security of the control systems employed at that facility cannot be called a real security inspection (Congress please note that this reality should be included in any ‘comprehensive cybersecurity legislation’ being developed in this session). ICS-CERT should immediately develop a training program for Federal, State and local government security inspectors in how to utilize these readily available tools to conduct such inspections.

The Downside

Sorry Dale. Your team has significantly lowered the knowledge threshold required to design and implement an attack on any control system using these devices. You have increased the number of potential attackers with the necessary skills to effect successful attacks using the tools that your team made possible. You are going to continue to catch some heat for that and it is certainly deserved. But you all knew that going in.

The Exception

Dale did slip a ringer in on us. Project Basecamp was advertised as a look at the vulnerabilities in PLCs. Including the Koyo ECOM100 was a bit of a surprise since it is not a PLC by any stretch of the imagination. I am surprised that no one has called Dale out on including this Ethernet connection device in the Project Basecamp investigation.

If they hadn’t found so many critical vulnerabilities in the ECOM100 I would have been one of the first to cry ‘Foul’. Realistically though, the communications between the PLCs and the control system are an important part of the operation of the PLCs. The wide spread implementation of Ethernet connections have made the modern use of the PLC possible; the older method of hardwiring each PLC was just too time consuming and the source of too much system downtime.

I only wish that Dale’s team had included a wireless server instead of an Ethernet device. These are becoming more widespread. In my opinion vulnerabilities in these servers potentially pose a much higher threat to the next generation of control systems as they may provide another undocumented link to the outside world.

The Way Forward

Cyber attackers will always respond quicker than system owners. But maybe we as a society need to have a public, very visible, successful attack on a modern control system. We need to understand that every tool has inherent risks associated with the tool. We require manufacturing facilities to have guards and safety devices in place to protect the workers from the inherent dangers associated with modern manufacturing equipment. Those guards and devices are now an integral part of the machine design, installation and maintenance process at modern manufacturing facilities. We really need to get to that same point with cyber-security tools.

So, maybe Project Basecamp disclosures will become the ICS version of ‘Unsafe at Any Speed’ or ‘The Silent Spring’ or even ‘The Jungle’; making the inherent vulnerabilities in modern industrial control systems more widely known. Industry never did appreciate Nader, Carlson or Sinclair, but society owes them all a large vote of thanks.

Thanks Dale.

ICS-CERT Publishes Five S4 Based Alerts Plus Two Other Alerts

2012-01-22T12:50:00.002-05:00

On Friday the DHS ICS-CERT published 7 separate alerts, five of which referenced vulnerabilities that were publicly discussed at Digital Bond’s SCADA Security Scientific Symposium (S4) in Miami, FL. These alerts, combined with a similar alert published on Thursday, may mark just the tip of the iceberg as Dale Peterson noted on the DigitalBond.com blog that 30 students at a HMI hacking class before the actual symposium “were quickly finding 0days using ActiveX and File Format Fuzzing”.

Oh yes, the two other alerts. They were based upon uncoordinated disclosures by the Digital Security Research Group (DSecRG) for systems produced by WellinTech and WAGO.

S4 Alerts

The five S4 alerts issued Friday included a general alert for disclosures made during the Project Basecamp portion of S4. The alert notes that the reported vulnerabilities in multiple vendor products included “buffer overflows, backdoors, weak authentication and encryption, and other vulnerabilities that could allow an attacker to take control of the device and interfere or halt the process it controls” (page 1). The four other S4 related alerts dealt with specific vulnerabilities in systems from four separate vendors; those vendors were:

• Rockwell Automation

• Schneider Electric

• Koyo (Note: not a PLC vendor, but an Ethernet vendor that provides communications between PLCs and the actual control system)

• Schweitzer

Project Basecamp was a detailed search for and reporting of vulnerabilities in various PLC’s used by industrial control systems. Dale has become increasingly vocal over the last six months or so about his dissatisfaction at cybersecurity community’s disregard of the consequences of the insecure design of programmable logic controllers (PLC). In both his blog and in any other venue that would listen (or even pretend to listen) he has made it clear that everyone in the control system vendor and researcher community has known for at least 10 years that the basic PLC design has inherent cyber-security flaws that make them vulnerable to attack. These vulnerabilities were made painfully clear in the design of the Stuxnet virus.

Because the Stuxnet worm exploited vulnerabilities in the Siemens PLC, many of the Siemens security flaws have been publicly documented, while the rest of the industry breathed a sigh of relief that their systems weren’t being used by the Iran’s nuclear program. The whole point of Project Basecamp was to formally tell the world that Siemens was not alone in their ‘insecure by design’ problems.

That the world, at least the security professional side, has taken notice cannot be doubted. There has been significant discussions in a number of forums (on LinkedIn.com and on the SCADASec list for instance) and in the cyber related press. Unfortunately, most of that discussion has been about the public disclosure of the vulnerabilities (along with some Metasploit® modules published to aid in the exploit of those vulnerabilities) rather than on the potential effects of the vulnerabilities on real world control systems. Hopefully, the fait accompli provided by Dale and the Basecamp team will eventually allow for a more detailed discussion of the vulnerabilities and how to protect control systems from attack using those vulnerabilities.

ICS-CERT does make a valuable contribution (with a forgivable sideways slap at Project Basecamp) to that inevitable discussion in the general Basecamp alert. They note (page 2):

“This public release increases the potential for cyber attack on these devices, particularly if the devices are connected to the Internet. ICS-CERT reminds users that the use of readily available and generally free search tools (such as SHODAN and ERIPP) significantly reduces time and resources required to identify Internet facing control systems. In turn, hackers can use these tools combined with the exploit modules to identify and attack vulnerable control systems. Conversely, owners and operators can also use these same tools [emphasis added] to audit their assets for unsecured Internet facing devices.”

But, less anyone forget, the Iranian PLCs that were the Stuxnet target were not connected to the Internet, nor were their control systems. Many of the vulnerabilities reported by the Project Basecamp team will allow an attacker to exploit the vulnerabilities without having to target an internet connected PLC; it will require a higher skill level and more system knowledge. There are loads of attackers with the appropriate skills and system knowledge can be easily obtained via social engineering attacks. Internet-isolated control systems (if there are really such things in existence) are not safe from attacks based upon these vulnerabilities.

WellinTech Alert

The WellinTech alert provides initial information on a reported password encryption vulnerability in the KingSCADA product that could allow an attacker to read and use a user password, thus gaining user level access to a control system. Exploiting this vulnerability requires access to the SCADA server.

WAGO Alert

The WAGO alert concerns multiple vulnerabilities in the I/O System 750. The vulnerabilities include:

• Remote firmware download;

• Remote data leakage; and

• Remote access.

Interestingly a DSecRG press release notes that the WAGO disclosure of the 750 series controller vulnerabilities was made in support of Project Basecamp. Additionally the DSecRG web site notes two other control system vulnerabilities released by DSecRG on the same day. One deals with a default password vulnerability on Tecomat PLCs (more Project Basecamp fallout?) and an ActiveX vulnerability on an OPC system. I expect that we’ll see ICS-Alerts on these on Monday.

Latest Edition of CRS Report on Chemical Security

2012-01-20T09:23:00.000-05:00

Yesterday Steven Aftergood, over at Secrecy News (a publication of the Federation of American Scientists) published a link to the latest Congressional Research Service (CRS) report on Chemical Facility Security. This is a recurring report on the CFATS program providing Congress with a summary of the issues and options that Congress might have for dealing with those issues.

I’ve written about earlier versions of this report and as is usual for the CRS this latest version provides a good summary of the CFATS program and the political issues currently facing the program. Of special interest is the funding summary chart provided on page 4 (page 8 according to Adobe) and the chart describing the current number of facilities regulated under CFATS by tier on page 5 (9 Adobe). The CRS researchers provide information in these charts that is not generally and/or readily available to the public.

The report also provides the most current numbers (2011 year-end) for the inspection process at CFATS facilities. It reports (page 7 – 11 Adobe) that DHS has conducted 180 pre-authorization inspections, has approved 50 site security plans (presumably a little over half of the current Tier 1 facilities) and has yet to complete a single implementation security inspection (insuring compliance with the site security plan). I suppose that the 180 pre-authorization inspections means that these have started on the Tier 2 facilities, but it could also mean some number of multiple inspections at Tier 1 facilities.

For the first time I find that I am going to have to criticize a portion of the report, the section dealing with the current management issues. The single paragraph describing these problems the CRS report mainly relies on the FoxNews.com article that most of us have also had to rely upon. The only information received from DHS on this subject was personal communications between the report author and the “Department of Homeland Security” on January 5^th that confirmed that Under Secretary Beers had requested the report and that “DHS expects to assess the success of

the action plan and revise it as necessary” (page 8 - 12 Adobe). Obviously the CRS researcher was not given access to the DHS report, a serious DHS shortcoming in my opinion.

Given that only shortcoming (and it is certainly not the fault of the CRS author, Dana A Shea) I still recommend that anyone interested in chemical facility security or its regulation and legislation to get and read this report. Kudos to FAS for making these CRS reports readily (and freely) accessible to the public that paid for them.

EPA Sends Final Rule form 2012 Methyl Bromide Exemptions to OMB

2012-01-20T07:22:00.000-05:00

Yesterday the Office of Management and Budget (OMB) web site announced that the Environmental Protection Agency (EPA) had submitted for approval the final rule for their 2012 Critical Use Exemption From the Phaseout of Methyl Bromide.

As has been the general practice at EPA for some time now, internal delays have pushed the publication of this rule past the time when it needs to be published to allow for industry to properly plan their production and importation requirements. One would assume that once again the EPA has notified by letter the producers and importers of methyl bromide of the actual amounts that will be authorized regardless of the outcome of the rulemaking process. EPA estimates that the final rule will be published in March; I predict after June.

[Insert standard complaint about DHS not including methyl bromide in the CFATS list of chemicals of interest (COI) because EPA was supposedly phasing out the use of this chemical in 2005]

More interesting is the fact that the OMB web site provides information on this rule making progress based upon the Fall 2011 Unified Agenda of Regulatory and Deregulatory Actions. Typically OMB and the various Executive Branch Departments provides notices in the Federal Register when this updated agenda is published; hasn’t been done yet. I will be looking at the Unified Agenda items for DHS that affect chemical and cyber security in more detail in a future blog.

ICS-CERT Publishes Alert for Disclosure at Digital Bond’s S4 Conference

2012-01-19T23:30:00.000-05:00

This afternoon the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published an alert for a vulnerability that was disclosed during today’s presentations at the SCADA Security Scientific Symposium (S4) put on by Digital Bond (full disclosure; I have provided some blog posts for Digital Bond over the last year or so). The alert is based upon information presented by Reid Wightman about the GE D20ME PLCs.

The advisory mentions two vulnerabilities; data leakage and arbitrary code execution. It does not mention the password retrieval tool mentioned in Dale Peterson’s blog post this evening about the day’s presentations at S4 or in the press release from Rapid7.

It is almost certain that more vulnerability alerts will come out of these discussions and classes in Miami this week.

No Hearings on ISCD Issues – Really?

2012-01-19T08:45:00.000-05:00

Alexis Rudakewych, the Government Relations Manager at SOCMA has an interesting guest-blog post over at ChemicalProcessing.com that addresses the problems with the CFATS implementation that were made public a couple weeks back in a FoxNews.com article. In the posting she makes the very predictable (and in very many ways legitimate) argument that the current issues provide further argument for providing the CFATS program with a long term extension of the current authorization without substantial modification. Her arguments are well reasoned and certainly worth reading.

She makes one comment though, that I must take exception to. She states that:

“This news could easily derail the advancement of any of the three pending CFATS bills in the House and Senate, all of which have already been approved by their respective committees, and instead redirect Congress's attention to oversight hearings on the program in lieu of a multi-year authorization.”

While the CFATS program is small potatoes in the great scheme of the federal government (so small that it isn’t even a line item in the budget) it is an important part of defending the United States against potentially serious terrorist attacks. It is arguably the single most important program defending against the terrorist use of WMD against the homeland.

We now have a situation that has developed over the last couple of years where the implementation of that program has virtually stalled because of apparent management issues. I say apparent because it appears that no one, including Alexis, has seen a copy of this internal DHS report. For Congress to continue funding this program without a serious and public look at these management issues (and the Department’s plan for resolving them) would be political malfeasance of the highest order.

Industry has spent a great deal of time, money and other resources preparing for the site security plan approval process. They are almost certainly going to have to spend even more before the process is complete. I would think that industry would want more than just the unsupported assurances of the NPPD management, the same management that apparently failed miserably in its oversight of the program in the first place, that the problems were being fixed.

If industry really wants to have long-term authorization of this program pass, they should be demanding an immediate hearing (maybe even a joint hearing) on this issue in the very near future along with a public reporting of the internal investigation. Hearings should go beyond the routine appearance of Undersecretary Bears and Director Anderson. It should include the full management team of ISCD, union reps (as the unions were apparently blamed for being part of the problems) and at least one regional commander of the chemical facility inspectors. It might not be a bad idea to also include some of the original management of ISCD to see if the current problems actually had their roots in the initial design of the program.

CFATS is too valuable a program to let it die from lack of attention. If something isn’t done soon to correct these problems industry is going to reduce its support for the CFATS program. Money budgeted for security spending will be cut back so that it can be applied to money making efforts that improve their bottom lines.

I have long maintained that the failure of both sides to come to a reasonable compromise on the IST issue has doomed this program to a year-by-year reauthorization standard. This problem is going to make it more difficult to get the necessary support necessary for the long-term reauthorization process to be completed. Failing to publicly deal with the problem will make it impossible.

ICS-CERT Upgrades Schneider Alert and Issues New Luigi Advisory

2012-01-19T00:50:00.000-05:00

Today the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published two new advisories covering vulnerabilities in two ICS systems. The first upgrades an alert from December concerning multiple credential vulnerabilities in various Schneider systems and the second addresses a vulnerability in Certec’s atvise SCADA/HMI product.

Schneider Vulnerabilities

This advisory upgrades the information on an alert on various Schneider ICS products that was published last month. As noted in that alert that there were three separate hard-coded credentials in various Schneider applications involving the Telenet port, Windriver Debug port and the FTP service. This advisory confirms the earlier report that Schneider has developed and has now made available patches to deal with the vulnerabilities in the first two services, but the FTP service remains vulnerable to attack on some portion (maybe all, it is not clear in the advisory) of the affected systems. Schneider is continuing to work on a mitigating patch for the remaining vulnerable service.

Interestingly enough, the patches now available remove the vulnerable services (more accurately two of the vulnerable services) from the products. They were apparently included to allow remote maintenance and diagnostics of the products. Again, apparently this was the reason for the hard-coded credentials; it did not allow the owner-operator to inadvertently lock-out Schneider’s access to the system. Of course it did not allow the owner-operator to deliberately lock-out Schneider either and that is a security issue; the lack of access control.

Once again, I want to raise the issue about access to critical systems at high-risk chemical facilities. CFATS requires that anyone with unaccompanied access to critical systems at high-risk chemical facilities must be vetted against the Terrorist Screening Database (TSDB) and have other unspecified background checks completed before they can be given access to the critical systems at the facility. Who is going to ensure that all of the techs at Schneider (and any other vendor with remote access to control systems) have been properly vetted in accordance with the CFATS regulations?

NOTE: The CVE file for these vulnerabilities is already available.

Certec Vulnerability

The second advisory is for a newly reported vulnerability in the Certec’s SCADA/HMI product; atvise. The unnamed vulnerability (The advisory actually calls it a “denial of service (DoS) vulnerability”, but that describes the result of an attack not the vulnerability.) was reported by our old friend Luigi. Since this is an ‘advisory’ instead of an alert and it includes a mitigation, it would appear that Luigi has completed his second or maybe third coordinated disclosure. Actually, that’s not fair; Luigi’s name appears next to a number of upcoming ZDI (Zero Day Initiative) advisories.

This Voldemort vulnerability (okay forgive the Harry Potter® reference; Lord Voldemort is most often referred to in the series as ‘he who cannot be named’ because he is soooo evil) would allow a low skill level attacker to remotely execute a DOS attack. Certec has created a new version of atvise that does not have the vulnerability; it is available on their web site.

NOTE: The CVE link for this vulnerability is provided but the file is not yet active.

The House Calendar

2012-01-18T07:22:00.002-05:00

With the House now officially back in session, they so notified the President and Senate yesterday, it is appropriate to look at the official calendar for the coming year. This document is the plan for when the House will meet in Washington and when individual members will be working back home in their district on the ‘people’s business’ and maybe some time on getting re-elected (Sarcasm alert).

As we saw last year the House plans on ‘working in their districts’ for at least one full week out of every month this year. Additionally we see the Easter recess (Mar. 30^th thru April 13^th) the Summer recess (Aug. 6^th thru Sep. 7^th) and the Election recess (Oct.8^th thru Nov. 12^th). All in all, the House plans on meeting in Washington on only 28 week this year; and only two of those will be five-day weeks (Sep. 10-14 and Oct. 1-5).

Interestingly, this being an election year, the House Majority Leader (who sets and publishes this calendar) already has plans for an extensive Lame Duck session with Washington meetings to be held thru December 14^th with a week off for Thanksgiving.

As always, circumstances alter cases. It would not be unusual for the home week at the end of September or the week before Christmas, for instance, to be interrupted for action on budget bills or continuing resolutions. It would be unusual, however, for any of the Washington days to be eliminated.

ICS-CERT Alert on Another Luigi Vulnerability

2012-01-17T23:03:00.002-05:00

Today the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published yet another alert on multiple (two) vulnerabilities reported by Luigi. This time the affected system is the Rockwell Automation FactoryTalk SCADA/HMI. Luigi reported a malformed packet vulnerability and a read access violation vulnerability. Either would allow a remote exploit that could result in a DOS attack. As always, Luigi has provided sample exploit code on his web site.

DHS is Watching – So What?

2012-01-17T07:10:00.000-05:00

Last week Mark Hosenball did an article over at Rueters.com about DHS “operating a ‘Social Networking/Media Capability’”. It seems that he had discovered a Privacy Compliance Review document on the DHS sight describing the fact that DHS was ‘monitoring’ a large number of blogs and social networking sites. A number of activist sites have picked up the story and are chastising DHS for the invasion of their privacy and Cyptome.org has provided a copy of the January 2011 version of that document on their web site.

Sorry folks, this is old news. I blogged about this back in the summer of 2010 when an alert reader notified me that I was on the list of sites monitored by DHS. I wasn’t upset about it then, I am not upset about it now. In fact, I am flattered and pleased. Readers of this blog know that I have been trying to influence DHS policy on a number of matters and I can’t do that if they don’t pay attention to what I write.

Privacy Issue???

The whole point of blogging and tweeting is to share information. Placing these ramblings on the internet is done with malice aforethought. I intend for people, as many as possible, to read and think about my thoughts, opinions and insights. I want to have people read, assimilate, think about and respond to my musings; every political writer (and make no bones about it, this is at heart a political blog) does.

Does it bother me that DHS has monitored my postings about how they are doing or not doing their jobs? Of course not; I want them to. Maybe they will make some minor (or better yet major) changes in their processes and procedures based upon my ideas. Great, I will have helped to make them a better agency.

How can I be concerned about privacy issues with the information posted in this blog? I have deliberately set this up as an open communications device, broadcasting to the world. There is no requirement to sign-up to receive approval to read this stuff. I want everyone with anything to do with chemical and cybersecurity to read this blog. If my ego weren’t so big that I thought my ideas could improve the world I wouldn’t be spending the countless hours that I do on this blog.

I have one last thing to say about privacy and the internet; there is no privacy on the internet. If you post anything on the internet anyone will be able to see it. If you don’t know that in your soul, if you don’t realize all of the potential implications of that, if you don’t accept that, please, just blow up your computer to save yourself the ultimate embarrassment. It will come back to bite you in the most uncomfortable way possible.

Grow up people. This is not Orwell’s 1984 this is Social Media 2012. Even DHS gets that.

ICS-CERT Publishes Two Advisories

2012-01-16T23:53:00.000-05:00

Today the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published two new advisories for vulnerabilities in control system programs from 7-Technologies (7T) and Cogent Real-Time Systems. These are not the common, run-of-the mill HMI vulnerabilities that we have become accustomed to over the last year or so. Security researchers are digging a little deeper into these systems.

7T Advisory

This advisory is for the 7T Interactive Graphical SCADA System. It is an unsafe search path vulnerability that would require a social engineering attack to allow a relatively low skilled attacker to gain user privileges on the system via a DLL hijack. The vulnerability was reported by Kuang-Chun Hung of the Security Research and Service Institute – Information and Communication Security Technology Center (ICST).

7T has produced a patch to resolve this vulnerability. It is available on their web site. A CVE number has been assigned to this vulnerability, but it is not yet available.

Cogent Advisory

The same security researcher also discovered two vulnerabilities in the Cogent Data Hub application. Both vulnerabilities (a cross-site scripting vulnerability and an HTTP header injection vulnerability) would require a social engineering attack to effectively exploit either vulnerability. A successful attack would principally affect the user’s web browser which could open doors for other attacks.

Cogent has a patch available on their web site. Separate CVE numbers have been assigned to the cross-site scripting vulnerability and the HTTP header injection vulnerability. Both CVE files are currently available.

WinCC vs MS Security Patches

2012-01-16T07:45:00.000-05:00

I ran across an interesting Tweet today from @siemensindustry about Microsoft security patch compatibility with WinCC. It points us at a page on the Siemens web site that is kind of scary at first glance, but is actually quite valuable for owner/operators of Siemens WinCC control systems.

The Scary

The article on this Siemens page starts out with a warning:

“In response to current events (new Trojan horse / virus), [emphasis added] we recommend consulting the Microsoft Security Bulletin MS10-046 - Critical.”

Now I don’t keep up with MS security bulletins real closely (I do automatic updates on my personal computer to avoid that necessity), but that number did seem kind of familiar. I clicked on the link provided and it became obvious why I remembered that particular bulletin number; the title of the bulletin is “Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)” and is dated August 24^th, 2010. Yes, it is the update for one of the Stuxnet ‘0-day’ vulnerabilities.

The date for this page is 2012-01-09 (translated from European to American – 01-09-12) so I immediately jumped to the conclusion that Siemens was just now dealing with this basic Stuxnet related vulnerability. A little closer reading would seem to indicate that this is a long standing Siemens page that has just been updated for the latest (December) Microsoft Windows patches.

I would like to think that all Siemens WinCC owner/operators have already installed this particular security patch, making this confusing note on this Siemens page superfluous. That is probably a dangerous assumption on my part and Siemens is playing it safe, but I do wish they would re-word that opening paragraph to make it seem less timely. Oh, and Siemens could at least mention the name of the Trojan (Stuxnet).

The Valuable

Siemens does provide a valuable service to their customers on this web page (and there is a similar page for their PCS 7 system. There is a link to a spread sheet that provides a list of the Microsoft security patches that Siemens has tested for compatibility with their WinCC system. This is important because a minor incompatibility problem between a Windows update and a control system program can shut a manufacturing facility down or even damage equipment.

The latest Microsoft release covered on this spread sheet is the December 13^th release and the earliest is 6-8-2004. At first glance it looks like all of the patches are compatible, but close examination shows some problems (See MS11-025). Siemens does note that a newer version of the patch does work on their system.

Siemens is to be commended on providing this service to their customers and I’m glad to see that they are also using TWITTER to help push this information out to the user community.

I do have a minor concern about the delay (December 13^th to January 9^th) in the publication of the compatibility information, but I do realize that the type of comprehensive system testing that is required takes some time. It would be nice if Siemens and Microsoft could work out some sort of arrangement where Microsoft could give Siemens some type of advance notification on their patches to allow Siemens to begin the testing process earlier.

A Concern

There is a link on this Microsoft Patch Compatibility page to a separate page entitled: “Why should you not install the Microsoft security patches KB2467174, KB2467175, KB2465361 and KB2465367 in WinCC, PCS 7 and WinCC Professional V11?” This is apparently a follow-up to the incompatible patches (MS11-025) that I mentioned above. The page explains that:

“Installation of one of the Microsoft security patches KB2467174, KB2467175, KB2465361 or KB2465367 causes a massive drain on resources (increase in handles) in WinCC Runtime (OS Runtime, WinCC Runtime Professional V11). This consumption of resources can lead to a standstill of WinCC Runtime.”

That certainly is not a good thing for a control system and owner/users would apparently be well advised not to install these patches.

Unfortunately, the vulnerabilities corrected by these patches would still exist in the Windows operating systems and thus make the Siemens control systems vulnerable to attack through those Windows problems (See Stuxnet). There is nothing on this page that indicates what other mitigating steps an owner/operator could take to protect their control systems from the vulnerabilities now made public by Microsoft.

Since Siemens does make the information available on their spread sheet, it is not a total loss, but a mention here would be appropriate. Also there must have been some lag time before those newer patches became available. There must have been some sort of partial mitigation steps that could have been employed to protect the control systems in the interim.

Congress Comes Back to Washington

2012-01-15T23:06:00.002-05:00

While the second session of the 112^th Congress technically started in their pro-forma meetings last week, the practical start will be on Tuesday when the House will return to an abbreviated session that will elect a Sergeant-at-Arms for the Chamber. The only other action on the agenda for the House this week will be consideration of HJ Res 98, opposing the President’s announced intention to raise the National Debt Limit.

There are some House Committee meetings scheduled for this week, but nothing of particular interest to the chemical security or cybersecurity communities.

No word yet on Senate activities on any of the web sites, but they don’t usually do any business until the State of the Union Address, which happen on January 24^th this year. The committees that I typically track don’t even have any hearings listed on their sites yet. Nothing unusual here; it’s just the way the Senate operates.

Updated 112th Congress Legislation Page

2012-01-14T15:19:00.000-05:00

Today I caught up on a large back log of updates to the status of legislation in the 112^th Congress that might be of interest to the various audiences of this blog. Here is a copy of the change notification log for the 112th Legislation page:

“Updated 12-26-11 Added HR 3523 under Cyber; Added 1966 Under Homeland; Added HR 3671, and HR 2055 under Budget; Added S 1952 under Hazmat; Updated HR 908 under CFATS; Updated HR 1540, HR 1892, HR 2112 and S 1867 under Budget; Updated HR 1411, HR 2764 and HR 2838 under Homeland; Updated HR 2845 under Hazmat; Updated HR 2906 under Cyber”

It’s been a busy couple of weeks here with my new job and all. That, plus I’ve been trying to wait for links to a number of bills that were signed at the end of the year. The GPO is still having problems with a couple of the spending bills (I can’t imagine why), but I’ve decided to go forward with what we’ve got. Besides Congress comes back to work next Tuesday and we get to start the second-half.

Electrical Transformer Attack

2012-01-13T08:49:00.000-05:00

It has been a while since I addressed an incident at a chemical facility and the lessons that it might have for security planners, but a brief news article on TheState.com brought to mind a couple of security related thoughts that I want to share.

The Incident

The article reports that a ‘massive transformer’ caught fire at a Finnchem USA chlorine production facility in Richland County, SC. It’s too early to tell what caused the fire, but there is certainly no mention of ‘terrorism’. The 2,000 gallons of oil in the transformer resulted in a very smoky fire, but there is no apparent damage to the plant and no injuries reported.

The economic effects on the chlorine production unit were described as $1.5 million, but I suspect that the longer term consequences will raise that cost substantially. The production of chlorine requires substantial amounts of electricity which was undoubtedly the reason for the oversized transformer being on-site in the first place. This transformer being destroyed effectively shuts down chlorine production for weeks perhaps months; these transformers are not easy to replace.

The Terror Potential

Forget for the moment this as a possible attack mode designed to ultimately release chlorine gas. Chlorine producers take safety very seriously and have certainly taken a hard look at what the sudden loss of their high-voltage power supply would do to process safety. Automatic shutdown processes are certainly in place and the stand-alone safety systems just as certainly have alternative power sources and probably were not served by that power network in the first place.

So why worry about this as a terror target? First off, one needs to remember that the term ‘terrorist’ loosely describes people of a wide variety of backgrounds and motivations. These, in turn, are going to shape target selection and attack methodologies. An al Qaeda type terrorist, for instance, would be more likely to go after a large chlorine release with a resulting large death toll and wide spread panic in their planning of an attack on a facility like this.

Such an attack would more likely be an anathema to an environmental terrorist; the harm to local flora, fauna and innocent humans would far outweigh any potential political advantage gained by the attack. An economic attack on the producer, on the other hand, would certainly be an encouragement to stop the production of the targeted chemical. This would make a ‘massive electrical transformer’ a relatively clean target for such a terrorist.

Potential Attackers Guide Security

Security managers and regulators alike have to remember that the ‘terrorist community’ is truly heterogeneous in its motivations, skills and political objectives. All of these are going to affect target selection and attack methodologies. Likewise the proper identification of the facility’s potential adversaries will go a long way in determining what the facility will need to protect and how it should be best protected.