Wednesday, January 17, 2018

ICS-CERT Publishes Meltdown Update #2

Today the DHS ICS-CERT published their second update for their control system security alert for the Meltdown and Spectre CPU vulnerabilities. The alert was originally published on January 11th, 2018 and updated on 1-16-18. The update provides links to three new vendor notification documents:

Emerson (account required for login);
General Electric (account required for login, reference ID 000020832); and

The Schneider security notification has probably the most reasonable guidance that I have seen to date:


“Schneider Electric is actively monitoring vendor research into these vulnerabilities to determine appropriate actions to be taken. At the time of this publication, information is being updated rapidly and the impact of proposed mitigations and patches remains unclear. Many of the initial mitigations proposed by hardware and operating system vendors indicate a high level of potential performance impact, Schneider Electric recommends caution if mitigations or patches are applied to critical and/or performance constrained systems. If you elect to apply recommended patches or mitigations in advance of further guidance from Schneider Electric, we strongly recommend evaluating the impact of those measures on a Test & Development environment or an offline infrastructure.”

Bills Introduced – 01-16-18

Yesterday, with the House and Senate back in Washington after the long Martin Luther King Holiday weekend, there were 30 bills introduced. Of these, one may be of specific interest to readers of this blog:

HJ Res 125 Making an extension of continuing appropriations for fiscal year 2018, and for other purposes. Rep. Frelinghuysen, Rodney P. [R-NJ-11]


A copy of HJ Res 125 is available on the House Rules Committee site and that Committee will hold a hearing on the continuing resolution (being considered as an amendment to HR 195 as amended by the Senate) this afternoon. The bill would extend the current continuing resolution (that expires Friday night) until February 16th. It includes a number of special funding provisions to make passage more palatable, including an extension of the Children’s Health Insurance Program (CHIP).

Tuesday, January 16, 2018

ICS-CERT Updates Meltdown Alert

Today the DHS ICS-CERT updated their Meltdown/Spectre alert that was originally published on January 11th. The new information includes links to the following additional vendor reports on the CPU vulnerabilities:

Philips; and

Additionally (and not specifically noted in this update), Becton, Dickinson, and Company has published a new security bulletin since the original ICS-CERT alert mentioned their initial report.

Commentary


Unfortunately, while providing links to the appropriate documents, ICS-CERT has not addressed the issue seen by a number of vendors: the Microsoft update may not be compatible with all control systems. That, plus the fact that Microsoft has decided to not allow the update to take effect on systems without an updated antivirus registry key, means that system owners need to pay very close attention to the final word from their vendors. Unfortunately, the information linked to in this update is mainly preliminary; most of the listed vendors are still looking at the compatibility issues.
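The antivirus registry gate mentioned above can be inspected directly. The following PowerShell is an added example, not from the original post or from Microsoft; it reads (and never sets) the QualityCompat value that Microsoft required before offering the January 2018 updates, and lists the registered antivirus products so an operator can tell which vendor is responsible for setting it. The key path and value name are Microsoft's published ones; the function and variable names are this example's own.

```powershell
# Added example (not from the original post): report whether this Windows host
# carries the antivirus compatibility registry value that Microsoft required
# before it would offer the January 2018 Meltdown/Spectre updates.
# The checks only read; they never set the value, because setting it is the
# AV vendor's job and a false compatibility claim can crash an incompatible host.

$QualityCompatKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$QualityCompatValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Test-MeltdownUpdateGate {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName  = $env:COMPUTERNAME
        KeyPresent    = Test-Path -Path $QualityCompatKey
        ValuePresent  = $false
        ValueData     = $null
        UpdateOffered = $false
    }

    if ($result.KeyPresent) {
        $item = Get-ItemProperty -Path $QualityCompatKey -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.PSObject.Properties.Name -contains $QualityCompatValue) {
            $result.ValuePresent = $true
            $result.ValueData    = $item.$QualityCompatValue
            # Microsoft's gate: the REG_DWORD must be present with data 0.
            $result.UpdateOffered = ($result.ValueData -eq 0)
        }
    }

    [pscustomobject]$result
}

# List registered antivirus products so the operator can match an absent value
# to a specific vendor. SecurityCenter2 exists on client SKUs; on servers the
# query fails, which is reported rather than hidden.
function Get-RegisteredAntivirus {
    try {
        Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop |
            Select-Object displayName, productState
    } catch {
        Write-Warning "SecurityCenter2 not available on this SKU: $($_.Exception.Message)"
    }
}

Test-MeltdownUpdateGate | Format-List
Get-RegisteredAntivirus | Format-Table -AutoSize
```

Run it from an elevated prompt on each control system host before approving the update; a host reporting UpdateOffered = False will not receive the patch until its AV vendor ships a compatible release.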


Of course, it could be worse. We are still waiting for the initial ICS-CERT alert on the KRACK vulnerability.

HR 4773 Introduced – AV for Federal Breaches

Last week Rep. Cartwright (D,PA) introduced HR 4773, the A Necessary and Targeted Impediment to (ANTI) Viruses Act. The bill would require the General Services Administration to acquire a license to an antivirus computer product to give to people whose personally identifiable information was lost in a breach of a Federal computer system. Funding for the AV product would be provided by the agency [“derived from amounts made available to the agency for operating expenses” {§2(d)}] whose computer system was breached.

Moving Forward


Both Cartwright and his sole cosponsor {Rep. Norton (D,DC)} are members of the House Oversight and Government Reform Committee to which this bill was assigned for consideration. This means that it is possible that this bill could receive consideration in that Committee.

There is nothing in this bill that would engender significant opposition (beyond an obvious point that I will raise in the Commentary section below). Even the funding for the measure is unlikely to raise any serious discussion. Thus, it is possible that this bill could receive bipartisan support in Committee and on the floor of the House.

Commentary


Okay, the bar has been officially and substantially raised for when it becomes necessary to determine the silliest piece of legislation offered in the 115th Congress. With almost a full year to go, I am pretty confident (and really very hopeful) that this bill will be the hands down winner.

There is nothing in the bill (no ‘findings’ section, for example) that would explain why Cartwright and Norton believe that it will provide any sort of significant relief to provide an individual with computer antivirus protection when their personally available information has been lost in the breach of any computer network. Even if we assume that network log-in information is among the data lost and further assuming that the individuals use the same log-in credentials on their home computer, an antivirus package is not going to stop someone from using that log-on information in accessing that home computer.

The only thing that could have made this more ludicrous would be for the bill to have included a provision prohibiting the GSA from allowing Kaspersky Labs to submit or be awarded a bid to provide the AV product. {Disclosure Note: I have been using the Kaspersky AV suite for quite some time now and do not see any reason to stop}.

One can only hope that Cartwright and Norton (and the Norton AV people cringe every time I mention her name in this post) are pandering to a specific segment of the technical ignorati in offering this bill for consideration. The only other thing that would explain this cyber-silliness is that neither of these two congresscritters (nor their staff) has any idea what an antivirus program does or how personally identifiable information is misused.

I wrote above that there was nothing in this bill that would engender any specific (‘active’ probably would have been a better word) opposition. What I meant is that there is no political, ideological or financial reason for this bill to draw opposition. The fact that there is no connection between lost PII and subsequent hacking of the victim’s computer (the reverse sequence certainly exists), and thus no need to provide people with AV protection, is not sufficient to draw opposition to the bill.


Okay, I just thought of something. Maybe there is a useful purpose in this bill. Since the agency whose computer system was breached is responsible for paying for the AV product out of their operating budget, this bill would effectively be a fine on that agency for their lack of cybersecurity competency. This could end up being a sizeable financial incentive to have adequate cybersecurity in place. Of course, it could end up bankrupting an agency (Wouldn’t you just love to be the Bankruptcy Judge sitting on that case????) and in many cases that could be a good thing. But if that is the ‘purpose’ of this bill, please spend the money on something else; give the folks a tank of gas, or something else worthwhile, not an antivirus program.

Monday, January 15, 2018

ICS-CERT Publishes November-December 2017 Monitor

Today the DHS ICS-CERT published the last ICS-CERT Monitor (for November and December of 2017). According to the opening editorial, the next issue will become the NCCIC (National Cybersecurity and Communications Integration Center) Monitor, which will be broadened to include reporting from the three divisions of the NCCIC (ICS-CERT, NCC, and USCERT).

This issue continues the ‘color glossy’, corporate report feel (with 10 full-color photographs) that I have grown to dislike and disparage. While any organization deserves to be proud of their accomplishments and government agencies have a special duty to provide information about what they are doing; the flashy graphics and photographs of industrial facilities have a tendency to make this look more like an organizational selfie that is designed to make the agency feel good about itself.

Physical Security Issues


Even when the reporting is on a topic of interest to critical infrastructure owners and operators, there are some glaring inconsistencies in the information being reported. For example, in the article on the FY 2017 Assessment Summary, the opening paragraph (pg 4) reports that: “While the assessment teams identified weakness across all control families, six categories represented roughly 33 percent of the [753] total vulnerabilities discovered across assessed CI sectors.”

The article then went on to describe the number 4 vulnerability category, physical access control. It notes that:

“Maintaining visibility in the top discoveries this year were problems related to physical access. While this is not something the ICS-CERT focuses on during assessments, the team often sees this issue during assessments. ICS components and infrastructure should only be accessible to authorized personnel as necessary to maintain the system.”

There are two disturbing aspects about that “not something the ICS-CERT focuses on during assessments”. The first is the probability that if ICS-CERT had formally included ‘physical access’ in the assessment process, they might have (probably would have) found many more disturbing instances of poor physical security of control system devices. The second (and more disturbing to my mind) is the fact that ICS-CERT found the same problems in their FY 2016 assessments, AND DID NOT FORMALLY ADDRESS THE PROBLEM IN THE ASSESSMENT PROCESS IN 2017. The first is the result of a not unusual disconnect between cyber security and physical security personnel; a problem that certainly needs to be addressed. The second is a criminally negligent level of professional malfeasance upon the part of ICS-CERT.

ICS-CERT and NCCIC


As I alluded to in the opening paragraph, the editorial leading the publication addresses the changing roles of the NCCIC and its constituent divisions. Specifically, it reports that:

“Recently, the NCCIC went through an organizational realignment to consolidate and enhance the effectiveness of its mission-essential functions, which includes changes to the structures of the ICS-CERT, NCC, and USCERT divisions. This realignment has no impact to the technical expertise and services our stakeholders rely on us to provide….”

There have been a couple of interesting social media conversations about this ‘realignment’ (see here for example). For those of us on the outside looking in, it is really hard to tell what is going on. Having said that, I would like to point to the NCCIC web site (updated on June 22nd, 2017) and its description of ICS-CERT:

“ICS-CERT works to reduce risks within and across all critical infrastructure sectors by partnering with law enforcement agencies and the intelligence community and coordinating efforts among Federal, state, local, and tribal governments and control systems owners, operators, and vendors. Cybersecurity and infrastructure protection experts from ICS-CERT provide assistance to owners and operators of critical systems by responding to incidents and helping restore services, and by analyzing potentially broader cyber or physical impacts to critical infrastructure. Additionally, ICS-CERT collaborates with international and private sector Computer Emergency Response Teams (CERTs) to share control systems-related security incidents and mitigation measures.”

Looking at it from Columbus, GA it seems as if ICS-CERT is definitely continuing with its vulnerability coordination and reporting role. What is less clear is whether or not it is going to be the go-to Federal agency for incident reporting and investigation. It seems to me that with the rise in apparent nation-state attacks and economic attacks (ransomware) on control systems that it is going to be more important to have criminal investigative or federal intelligence agencies more involved in incident response rather than an agency of techno-geeks who may be more suited to understanding the nuts and bolts of an attack, but are probably less familiar with forensic reporting or courtroom testimony.


Forensics reporting and effective testimony are more necessary for successfully prosecuting attackers than for protecting control systems from future attacks. Letting the techno-geeks muddy the waters of chain-of-custody and forensics reporting will likely make prosecutions more difficult, but will help other organizations learn how to deal with similar attacks. It is an interesting dichotomy that needs to be addressed in appropriate congressional forums.

Saturday, January 13, 2018

HR 4766 Introduced – PTC Extensions

Earlier this week Rep. DeFazio (D,NJ) introduced HR 4766, the Positive Train Control Implementation and Financing Act of 2018. It would amend 49 USC 20157, removing the discretionary authority of the Transportation Secretary to approve alternative PTC implementation plans that extend past the current PTC deadline of December 31st, 2018.

The Amendment


Section 2 of the bill removes two specific sub-paragraphs of §20157. First it removes §20157(a)(2)(B), thus removing the authority for railroads to propose alternative implementation schedules extending beyond 12-31-18. It also removes §20157(a)(3) which provides the Secretary with specific guidance on how such alternative schedules may be approved. A number of conforming amendments are also made.

Grant Program


Section 3 of the bill would add paragraph (m) to §20157 to establish a grant program administered by the Secretary to aid passenger railroads in their implementation of PTC. That grant program would be funded through December 31st and $2.6 Billion would be authorized for those grants.

New Passenger Routes


Section 4 of the bill would add a new paragraph (n) that would prohibit railroads from starting operation of new passenger line routes “unless a positive train control system is fully implemented and operational on such route”.

Moving Forward


DeFazio is a senior member of the House Transportation and Infrastructure Committee to which this bill was assigned for consideration. This means that it is possible that this bill may be considered in Committee.

Two things militate against this bill being positively considered. First, removing the authority for extending PTC implementation deadlines past December 31st could mean that certain passenger (and perhaps some freight rail) lines may have to suspend operations after that date if their PTC implementation has not been completed and approved by that date. This is, of course, the incentive that DeFazio intends this bill to be to drive the earliest possible implementation of PTC for passenger rail lines. Unfortunately, this also means that potentially affected railroads and their supported communities can be expected to oppose this legislation.

The second factor that by itself will almost certainly mean that the bill will not be considered in Committee is the funding of the $2.6 Billion grant program. Coming up with this new money will be a nearly impossible hurdle to overcome.

Commentary


The recent Amtrak derailment is almost certainly a major impetus for the introduction of this bill. If the timing alone was not enough of a clue, then the §4 provisions would be the final giveaway. Still, DeFazio is not a newcomer to the expression of concerns about the ‘slow pace’ of PTC implementation. Anyone that has been paying attention over the last five years or so should not be surprised by either the provisions of §2 or the grant program in §3. Unfortunately, this bill comes too late in the game to either be effective or even pass.

PTC systems will be in place on all passenger rail lines (and many if certainly not most freight lines) in the not too distant future (just do not hold your breath for 12-31-18 on every line). It will eliminate a certain class of human-error related railroad accidents. It will not, however, signal a new, significantly safer era of railroad transportation. Mechanical problems and rail defects will still cause many (most?) accidents and I expect we will see an increase in attacks (inevitably including cyber attacks on PTC systems) by nut jobs and radicals of a number of different persuasions.


Railroads will be incrementally safer because of the costly PTC systems (and still immensely safer than our highways), but I do not believe that anyone ten years from now will claim that it was a cost-effective way to increase the safety of this transportation mode.

Friday, January 12, 2018

Bills Introduced – 01-11-18

Yesterday, with both the House and Senate in session, there were 43 bills introduced. Of these, two may be of specific interest to readers of this blog:

HR 4766 To amend title 49, United States Code, to prohibit further extension of requirement to implement positive train control beyond December 31, 2018, and for other purposes. Rep. DeFazio, Peter A. [D-OR-4]

HR 4773 To require the Administrator for General Services to obtain an antivirus product to make available to Federal agencies in order to provide the product to individuals whose personally identifiable information may have been compromised. Rep. Cartwright, Matt [D-PA-17]

It looks like HR 4766 would attempt to remove the current discretionary authority of the Department of Transportation to extend the PTC deadline.


I’m not sure that HR 4773 will get any further mention here, but I have to watch for the language of this bill to see if it really is as nonsensical as the current description would lead us to believe.