Saturday, July 22, 2017

Trump Administration Updates Unified Agenda – DHS

This week the Trump Administration’s Office of Information and Regulatory Affairs (OIRA) published an Update to the Unified Agenda. This provides a look at the results of the review of on-going regulatory actions previously addressed by the Obama Administration and of new regulatory initiatives started by the new administration. The last Obama update of the Unified Agenda (Fall 2016 Unified Agenda) took place in November 2016.

Trump’s OIRA described the current Unified Agenda this way:

“The Agenda represents ongoing progress toward the goals of more effective and less burdensome regulation and includes the following developments:
“Agencies withdrew 469 actions proposed in the Fall 2016 Agenda;
“Agencies reconsidered 391 active actions by reclassifying them as long-term (282) and inactive (109), allowing for further careful review;
“Economically significant regulations fell to 58, or about 50 percent less than Fall 2016;
“For the first time, agencies will post and make public their list of "inactive" rules-providing notice to the public of regulations still being reviewed or considered.”

DHS Active Rulemaking


As usual, I have gone through the list of active DHS rulemaking activities and come up with a list that may be of specific interest to readers of this blog. Table 1 lists those rulemaking activities.

Agency – Stage – Rulemaking
• OS – Proposed Rule – Chemical Facility Anti-Terrorism Standards (CFATS)
• USCG – Proposed Rule – Revision to Transportation Worker Identification Credential (TWIC) Requirements for Mariners
• TSA – Proposed Rule – Surface Transportation Vulnerability Assessments and Security Plans
Table 1: Items on Current Unified Agenda

This is down from eight that were on the Fall 2016 Agenda. One (1601-AA56) action has been completed with the final rule being published last December. Four items (1601-AA76, 1625-AB94, 1652-AA55, and 1652-AA69) have been moved to the long-range portion of the Agenda (see below).

The pages for each of the rulemakings have been substantially changed in this update. This version does not include a regulatory history (a listing of when the various stages of the rulemaking process were completed, with a link to the Federal Register for each publication noted). The update also does not provide an expected date for the publication of the next stage in the rulemaking process. In the past those dates have proven to be grossly inadequate guesses, so there is really not much lost by not including that information.

Long-Term Actions


The long-term action section of the Unified Agenda contains the listing of on-going rulemaking efforts that the Administration does not expect to see reach the next publication stage for at least 12 months. The long-term action section for DHS is quite lengthy. The list includes the rulemakings shown in Table 2 that may be of specific interest to readers of this blog.


Agency – Rulemaking
• OS – Ammonium Nitrate Security Program
• OS – Homeland Security Acquisition Regulation: Safeguarding of Controlled Unclassified Sensitive Information (HSAR Case 2015-001)
• OS – Updates to Protected Critical Infrastructure Information
• USCG – Amendments to Chemical Testing Requirements
• USCG – 2013 Liquid Chemical Categorization Updates
• USCG – Maritime Security--Vessel Personnel Security Training
• TSA – Protection of Sensitive Security Information
• TSA – Security Training for Surface Transportation Employees
• TSA – Vetting of Certain Surface Transportation Employees
Table 2: Long-Term Actions for DHS

This list is longer than the one found in the Fall 2016 Unified Agenda. I have already noted that three items were moved here from the active agenda. Additionally, the Trump Administration added a new rulemaking (1625-AC36) that has been placed on the long-term action list. Finally, OIRA removed a rulemaking (1625-AB21) that had actually been completed (final rule published) well prior to the publication of the Fall 2016 Unified Agenda. The Obama OIRA apparently kept it on the list because the effective date was not until 2018.

Inactive Items


It is interesting to see the Trump Administration introduce the concept of the ‘Inactive Items’ list: rulemakings that have dropped off the Unified Agenda but are still in the working files of the agency involved, where action could possibly be expected at some future date. This list is also odd in that it is a .PDF document rather than an HTML table.

There are four rulemakings on the DHS portion of the list that may be of specific interest to readers of this blog. I have included in the list below a link to the last time that the rulemaking showed up in the Unified Agenda. It is very clear that the administration officials took their mandate to identify such latent rulemakings very seriously.

• 1625-AA12 – USCG – Marine Transportation--Related Facility Response Plans for Hazardous Substances (Fall 2013);
• 1625-AA13 – USCG – Tank Vessel Response Plans for Hazardous Substances (Fall 2013);
• 1652-AA16 – TSA – Transportation of Explosives from Canada to the United States Via Commercial Motor Vehicle and Railroad Carrier (Fall 2011); and
• 1652-AA50 – TSA – Drivers Licensed by Canada or Mexico Transporting Hazardous Materials to and Within the United States (Fall 2015).

Commentary


While Trump vociferously campaigned on a stand against new regulations, this publication of the Unified Agenda update makes it clear that we can still expect to see regulatory actions being taken by this administration. In fact, with respect to those types of regulations that would be of specific interest here, there has been absolutely no indication of a reduction in the number of regulatory actions being undertaken.


It is not entirely clear at this point that the one new rulemaking added to the Unified Agenda Long-Term Agenda in this update (1625-AC36) is really a new regulatory action initiated by the Trump Administration. This has been an on-going issue since the 2010 amendments to the Standards of Training, Certification, and Watchkeeping Convention and Code, but this is the first time that it has been officially noted in the Unified Agenda.

NIST Cybersecurity Workforce RFI Comments – 07-22-17

This is the first in a series of blog posts looking at the comments that NIST has received on their request for information (RFI) on cyber workforce development. The comments are posted to the NIST National Initiative for Cybersecurity Education (NICE) web site. Comments posted this week came from:


One commenter specifically responded to questions posed by NIST in their RFI. The others were long-form explications of viewpoints about specific issues. One was a copy of an article published on CIODive.com addressing some different non-traditional cybersecurity-training activities that have been tried. Another suggested that we need to start looking at specialization training for cybersecurity personnel rather than generalist training. And the last one addressed the need for rapid changes in cybersecurity training programs to reflect changes in the environment.


The comments from Eric Baechle provided specific responses to the NIST questions. Eric’s views paint a very bleak picture of how cybersecurity specialists are utilized at one unnamed agency (presumably a government agency, but that is not exactly clear). Not unexpectedly, they paint a picture of an agency management that understands neither the complexities of the cybersecurity problems being addressed by the specialized workforce nor the work actually being done by their cybersecurity team. While this is not directly a workforce development issue (other than that apparently no effort is being made in this organization to continue developing the skills of the team being employed), it does help to explain why there may be retention issues and employee burnout affecting cybersecurity operations.

HR 3198 Introduced – FAA R&D

Last week Rep. Knight (R,CA) introduced HR 3198, the FAA Leadership in Groundbreaking High-Tech Research and Development (FLIGHT R&D) Act. The bill sets forth the research and development agenda for the Federal Aviation Administration. It includes provisions for cybersecurity research, including:

§31. Cyber Testbed.
§32. Cabin communications, entertainment, and information technology systems cybersecurity vulnerabilities.
§33. Cybersecurity threat modeling.
§34. National Institute of Standards and Technology cybersecurity standards.
§35. Cybersecurity research coordination.
§36. Cybersecurity research and development program.

Most of these provisions address cybersecurity for the FAA flight control system and general FAA IT systems. Two sections (§32 and §36) deal more directly with aircraft cybersecurity.

Cabin Cybersecurity


Section 32 requires the FAA to “evaluate and determine the research and development needs associated with cybersecurity vulnerabilities of cabin communications, entertainment, and information technology systems on civil passenger aircraft” {§32(a)}. The evaluation will address:

• Technical risks and vulnerabilities;
• Potential impacts on the national airspace and public safety; and
• Identification of deficiencies in cabin-based cybersecurity.

Within 9 months of passage of this bill the FAA would be required to report back to Congress on the results of the evaluation and “provide recommendations to improve research and development on cabin-based cybersecurity vulnerabilities” {§32(b)(2)}.

Future Cybersecurity Program


Section 36 directs the FAA to “establish a research and development program to improve the cybersecurity of civil aircraft and the national airspace system” {§36(a)}. There is no specific guidance as to what that plan should include beyond mandating that a study of the topic be conducted by the National Academies. A report to Congress is required in 18 months.

Moving Forward


Knight and his two co-sponsors {Rep. Smith (R,TX) and Rep. Babin (R,TX)} are members of the House Science, Space, and Technology Committee, one of the two committees to which this bill was assigned for consideration. Babin is also a member of the House Transportation and Infrastructure Committee, the other committee. This means that both committees could actually consider this bill. With Chairman Smith as a cosponsor, it will almost certainly be considered in the Science, Space and Technology Committee.

There are no monies authorized to be spent by this bill and there are no provisions (mainly due to the lack of specificity in the requirements) that would draw the specific ire of anyone, so there should be no organized opposition to the bill. I suspect that it will be recommended for adoption by the Science, Space, and Technology Committee and, if it makes it to the floor of the House for consideration (probably under the suspension of the rules procedures), it will pass with substantial bipartisan support.

Commentary



It is strange that the cybersecurity of avionics control systems is never mentioned in this bill. The provisions of §32 and §36 are clearly intended to address the issue, but they never directly say that. I suspect that this is done so as not to raise the specific objection from aircraft vendors (and their avionics system suppliers) that no one has ever demonstrated a vulnerability of those control systems. The weasel wording allows those concerned to ignore the specific provisions and thus not oppose the entire bill. This is politics.

Friday, July 21, 2017

HR 3191 Introduced – Russia Cybersecurity

Last week Rep. Boyle (D,PA) introduced HR 3191, the No Cyber Cooperation with Russia Act. The bill would disallow the expenditure of any federal funds for any joint US – Russian cybersecurity initiative. This is a response to the announcement by President Trump after he returned from the G20 Summit that he and Putin had discussed forming a joint cyber-security unit to protect against election hacking.

Section 2 of the bill says simply:

“No Federal funds may be used to establish, support, or otherwise promote, directly or indirectly, the formation of[,] or any United States participation in[,] a joint cybersecurity initiative involving the Government of Russia or any entity operating under the direction of the Government of Russia.”

There are no qualifying definitions or explanations.

Moving Forward


Boyle is a rather junior member of the House Foreign Affairs Committee to which this bill was assigned for consideration. Three of his 13 Democratic cosponsors are also members of that Committee. In normal circumstances, this could provide for the possibility of the bill being considered in Committee. In this case, party membership probably trumps committee membership, so there is very little possibility of this bill being considered in Committee.

Commentary


Even assuming that this is not a completely knee-jerk reaction to a “policy” announcement by Trump (as we frequently saw from Republicans during the Obama Administration) and that there are legitimate reasons to object to the specific policy proposal, the blunt wording of this proposal contains the seeds of many potential unintended consequences.

For example, if Interpol formed a task-force to take down criminal gangs operating botnets, and that unit included police from Russia (where at least some of these botnet operations are headquartered) then this bill would prohibit US participation in the effort. I highly doubt that that is what the crafters intended.


I suspect, however, that this bill (and the two others, HR 3259 and S 1544, that have not yet been printed by the GPO) was written to provide Democrats the opportunity to proclaim that they have introduced legislation opposing Trump’s inopportune proposal. Even if the bill were to somehow be considered and approved by the House and Senate, it would certainly be vetoed by the President, if the unit had been a serious policy proposal in the first place (and that is an open question since the unit was proposed in a TWEET®).

HR 2997 Introduced – FY 2018 FAA Reauthorization

Last month Rep. Shuster (R,PA) introduced HR 2997, the 21st Century Aviation Innovation, Reform, and Reauthorization (21st Century AIRR) Act. This is the House version of the 2018 FAA authorization bill. The Senate version is S 1405. There is one cybersecurity provision in the bill and a number of drone provisions.

Cybersecurity


Section 601 of the bill addresses the FAA’s strategic cybersecurity plan. It would require an update of the existing plan required under §2111 of PL 114-190 (130 Stat 626). It would specifically require that plan to be modified to include the establishment of the American Air Navigation Services Corporation, the vehicle for the privatization of air traffic control. The obligatory report to Congress is included.

UAS Provisions


Section 432 of the bill codifies a number of current UAS provisions of US law by adding a new chapter (Chapter 455) to 49 USC. One of particular interest here is the Model Aircraft exception established in §336 of the FAA Modernization and Reform Act of 2012 (PL 112-95, 126 Stat 77). That would be addressed in a new §45509, Operation of small unmanned aircraft. While in many ways similar to the new §44808 proposed in the Senate bill, there are some significant differences. Those differences include:

• Failure to include limitations to line-of-sight operations;
• Adds a 55-lb aircraft weight limit {§45509(a)(3)}; and
• Adds restriction on flying over amusement parks {§45509(a)(5)}.

Both bills include an obligatory reference to ‘within the programming of a community-based organization’. This bill actually provides a definition of ‘community-based organization’ and a requirement for the FAA to establish guidelines for “recognizing community-based organizations” {§45509(e)}.

Moving Forward


On June 27th the House Transportation and Infrastructure Committee held a mark-up hearing for HR 2997. A number of amendments were made (none of particular interest here) and the bill was ordered reported favorably by a nearly party-line vote (one Republican voted Nay). That report has not yet been published.

This bill will move forward to be considered by the full House at some point. Based upon the vote in Committee, this bill is not likely to be considered under the suspension of the rules process since that requires a 2/3 vote to pass the bill. This means that there will be some sort of amendment process adopted by the House Rules Committee.

Once the House and Senate pass both of their versions of the bill, a conference committee will work out the differences and a combined version will be voted upon in both houses. If recent history is any kind of guideline, the final bill will be approved in late November or early December.

Commentary


Both the House and Senate bills move to more narrowly cast the ‘model aircraft’ exemption to small UAS operation. It is becoming increasingly clear that there never was any intention to exempt the general public from FAA UAS rules, only the relatively small group of individuals that belong to model aircraft clubs and societies. This would appear to open up a whole nest of problems for the FAA in moving forward with UAS regulations as the universe of entities potentially covered by the FAA regulations expands dramatically.

One way to avoid this general public regulation issue would be for manufacturers of small UAS destined for the consumer market to establish company-sponsored UAS clubs with membership instructions included in every consumer UAS sold in the United States. Formal club rules with on-line meetings, training sessions and organized fly-ins would probably allow for recognition by the FAA, especially since the Agency has no desire to get into consumer regulation enforcement.


I do have to admit that I was more than a little surprised and disappointed to see this bill add the amusement park restriction to the model aircraft section of the bill while continuing to ignore the potentially much more dangerous issue of the operation of UAS over critical infrastructure facilities such as chemical plants or electric grid infrastructure facilities. Critical infrastructure owners need to begin complaining vociferously about this issue.

Bills Introduced – 07-20-17

With both the House and Senate in session, there were 72 bills introduced yesterday. Of those, three may be of specific interest to readers of this blog:

S 1603 An original bill making appropriations for Agriculture, Rural Development, Food and Drug Administration, and Related Agencies programs for the fiscal year ending September 30, 2018, and for other purposes. Sen. Hoeven, John [R-ND]

S 1609 An original bill making appropriations for energy and water development and related agencies for the fiscal year ending September 30, 2018, and for other purposes. Sen. Alexander, Lamar [R-TN]

S Con Res 22 A concurrent resolution expressing the sense of Congress on the use of the Intergovernmental Personnel Act Mobility Program and the Department of Defense Information Technology Exchange Program to obtain personnel with cyber skills and abilities for the Department of Defense. Sen. Rounds, Mike [R-SD]

The two spending bills will be watched for cybersecurity measures.


Another ‘sense of congress’ resolution on cybersecurity; I’m not sure what is going on here, but this will also be watched for definitions and wording.

Thursday, July 20, 2017

House Passes HR 2825 – DHS Authorization

Today the House passed HR 2825, the Department of Homeland Security (DHS) Authorization Act of 2017, by a substantially bipartisan vote of 386 to 41. The bill was considered under the suspension of the rules process that limited debate and did not allow any amendments to be offered. The bill easily met the 2/3 vote standard for passage under these rules.

A DHS authorization bill has yet to be introduced in the Senate during this Congress. It would be very unusual for the Senate to take up this bill without first considering an in-house version.

The bill does include provisions addressing:

• Cybersecurity,
• Maritime security, and
• Surface transportation security

There has not been a DHS authorization bill sent to the President since the Department was originally created in 2002.

ICS-CERT Publishes an Advisory and an Update

Today the DHS ICS-CERT published a control system security advisory and an update to a previously published advisory, both for products from Schneider Electric.

Schneider Advisory


This advisory describes multiple vulnerabilities in the Schneider PowerSCADA Anywhere and Citect Anywhere products. The vulnerabilities are apparently being self-reported by Schneider. Schneider has developed new versions that mitigate the vulnerabilities.

The reported vulnerabilities are:

• Cross-site request forgery - CVE-2017-7969;
• Information exposure - CVE-2017-7970;
• Improper validation of certificate expiration - CVE-2017-7971; and
• Improper neutralization of expression/command delimiter - CVE-2017-7972

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerabilities to perform actions on behalf of a legitimate user, perform network reconnaissance, or gain access to resources beyond those intended with normal operation of the product.

Schneider Update



This update provides new information on an advisory that was originally published on April 13th, 2017. The update provides information on a firmware update and a software update that are needed to mitigate the vulnerability.

Chemical Plants and Ransomware

There has been an interesting and on-going discussion on TWITTER® related to how chemical plants may be affected by ransomware like WannaCry. It was the result of the publication of two DHS-OCIA FOUO documents about WannaCry (here and here). They were published by PublicIntelligence.

The on-going TWITTER discussion was really based upon one entry in a chart in the second document described above; (U) Table 1—Ransomware Targeting and Susceptibility by Sector. The entry for the Chemical Sector contained the statement: “Chemical plants have manual overrides in place to ensure the safe containment of chemical processes in case cyber defenses fail. In some cases, it may be possible to run the chemical plant independently of cyber controls, otherwise the plant will most likely shut down.”

Most of the discussion has been on where the supporting data for that statement comes (short answer, no one knows) and how accurate that statement is. I cannot provide any information on the first, but a reasonable answer to the second will take more than 140 characters to explain.

Chemical Plant Automation


There is a great deal of variety in the level and sophistication of automation in chemical manufacturing processes. I have worked in a plant where there was absolutely no automation. Sensors were either analog or digital with no connections beyond a power supply. All operations were directly controlled by the operator manually operating various valves and power switches. Plants like this are unusual in this day and age. They are small plants typically running experimental processes on a shoestring budget. They are going to be essentially unaffected by ransomware except on the business process side of the house.

The most sophisticated facilities (and I have seen some of these, but never worked in one) have almost completely automated their chemical manufacturing processes. The extensive and complicated control system requires limited operator oversight: it takes a wide mix of sensor data (temperature, pressure, flowrates and valve states, for example), processes that data via a complex process control algorithm, and issues commands to various operating devices (transfer valves, heating, cooling and vacuum controls, for example) to control the manufacturing process. Operator actions are fairly limited to starting or stopping the process, making small manual additions of chemicals to the process and watching for process upset conditions.

Most specialty chemical manufacturing (batch processes) has a level of automation somewhere between these two extremes. An operator typically watches sensor data on a human machine interface (HMI) display and operates controls via the same HMI in response to a written set of instructions, training and experience. There may be some manual valve movements made by the operator or his assistants, but most are remotely operated via electrical or pneumatic actuators.

Safety systems are in use (hopefully) in all plants regardless of the level of automation. They may be simple mechanical devices such as pressure relief valves or rupture disks. They could be process alarms that require operators to take manual corrective actions. They could be simple interlocks where a specific sensor output generates a direct command to operate a specific valve. Or they could be complex algorithmic responses to a variety of sensor readings resulting in a number of automatic operational changes to the process. These automated safety systems can reside in a stand-alone computer system with dedicated sensors and valves that are not in any way connected to the main process control system (the safest arrangement), or various parts (or all) of the safety system could reside on the same computer system running the chemical manufacturing process.

In a perfect world, what determines the level of sophistication (and thus cost) of the safety system is the potential outcome of the process upset that it controls. The more serious the potential consequence of the process upset (again in a perfect world) the more complex and involved the safety system becomes. Where there are potential catastrophic, off-site consequences one would like to expect to see sophisticated stand-alone safety systems to prevent those catastrophic results.

Ransomware Effects


For purposes of this discussion I am going to assume that the ransomware has affected all networked control system computers and that any stand-alone safety systems remain operational; these would include sophisticated systems, mechanical devices and most electro-mechanical interlocks (those not controlled through a PLC).

For the least automated systems the effects would be mainly cosmetic; operators would still be controlling the process, but it would be more physical control, with the operator going out and manually operating controls instead of using the HMI. This assumes that there are still sensor readouts that do not go through the HMI, which would require either analog gauges or 4-20 mA sensors wired to old-style displays.

Double displays with their associated wiring are a pain to maintain and frequently are considered a wasteful duplication of resources. The absence of analog gauges or non-computer sensor-output displays would mean that the operator would have no view of the key process control variables, and thus, no control of the process.

The consequences of going to full operator manual control of processes would be immense. I made the transition from full manual to semi-automated process control. We were able to add more sensors to better understand the process variables, and those new sensors were in locations that were not readily accessible by the operator. Just those additional sensors decreased process times (and thus process costs) significantly as well as reducing product variability and off-spec products. We also significantly reduced the number of operators that were necessary to operate the multiple processes that typically run at specialty chemical plants. Some plants would be able to operate at significantly reduced capacity, but the increased product variability could have downstream quality effects on customer operations.

For fully automated chemical facilities (typically found in continuous process facilities like refineries) an instantaneous change to manual operation would not be possible. The lack of analog gauges and local sensor readouts and the relatively inaccessible manual controls would make it physically impossible for operators to coordinate the operation of the connected portions of the process in real time.

Safety Effects


Again, properly designed and implemented safety systems would be expected to stop any catastrophic consequences of sudden loss of control in chemical manufacturing systems. There were a number of very important qualifiers in that previous sentence. The major problem with designing safety systems is that it is very difficult to completely understand catastrophic failure modes in a manufacturing environment.

Typically, one has to use lab-scale data to understand the physical parameters of those failure modes (NO ONE wants to do FULL SCALE testing of such failure modes) and then apply various models to try to scale up those test results to be able to plan for preventive actions to stop or mitigate the failures. No matter how sophisticated the modeling efforts, they are, in the end, based upon educated guesses as to how the system will behave. Then systems are designed to try to best control those failure modes. And it is not generally acceptable to really test those systems to see how they actually work in practice (in the emergency environment).

The OCIA Statement


The OCIA statement that started this discussion is almost certainly not based upon any survey of the chemical industry. It is a reasonable brief attempt by outsiders with a non-chemical manufacturing background to categorize the potential consequences of a non-chemical emergency event on generic chemical manufacturing.

If I were to attempt to reword this statement from a chemical manufacturing process point of view, it would read something like this:

“Chemical manufacturing facilities should have safety systems in place to contain catastrophic consequences in the event of loss of control. The efficacy of those systems and their operation in an instantaneous loss of computer control situation would have to be evaluated on a case-by-case basis. Continued commercial production without replacing/fixing affected computer-based process controls could be possible in some unknown number of facilities. It would be difficult to accurately predict which facilities could continue commercially viable production.”


Bills Introduced – 07-19-17

Yesterday, with both the House and Senate in session, there were 54 bills introduced. Of these only one may be of specific interest to readers of this blog:

H Res 459 Expressing the sense of the House of Representatives that the United States should support the development of programs that better prepare students for careers in cybersecurity by actively promoting ethical hacking skills. Rep. Garrett, Thomas A., Jr. [R-VA-5]


Generally speaking, ‘sense of Congress’ resolutions are fairly meaningless political statements with no practical effect. I will be watching this one, however, to see how it is worded and what definitions, if any, it uses. I do not expect that it will actually see consideration in committee or on the floor of the House.

Wednesday, July 19, 2017

Bills Introduced – 07-18-17

Yesterday with both the House and Senate in session there were 27 bills introduced. One of those may be of specific interest to readers of this blog:

HR 3282 To amend title 49, United States Code, with respect to electronic logging devices, and for other purposes. Rep. Babin, Brian [R-TX-36]


I will only be providing additional coverage of this bill if it includes specific language addressing chemical transportation or if it contains cybersecurity provisions.

Tuesday, July 18, 2017

ICS-CERT Publishes Advisory and Updates Another

Today the DHS ICS-CERT published a new control system security advisory for products from Rockwell. They also updated another control system security advisory for products from Siemens. The Rockwell advisory was originally published in the NCCIC Portal on May 18, 2017.

Rockwell Advisory


This advisory describes an improper input validation vulnerability in the Rockwell MicroLogix 1100 Controllers. The vulnerability was reported by Mark Gondree of Sonoma State University and by Francisco Tacliad and Thuy Nguyen of the Naval Postgraduate School. Rockwell has a newer firmware version that mitigates the vulnerability. There is no indication that any of the researchers have been provided an opportunity to verify the efficacy of the fix.

ICS-CERT does not provide any information on the skill level or type of access required to exploit this vulnerability. They just note that a successful exploit could lead to a denial of service condition.

Siemens Update


This update provides additional information on an advisory that was originally published on July 6th, 2017. The new information included updated version information for:

• Firmware variant Modbus TCP: All versions prior to V1.10.01;
• Firmware variant DNP3 TCP: All versions prior to V1.03;
• SIPROTEC 7SJ66: All versions prior to V4.23;
• SIPROTEC 7SJ686: All versions prior to V4.86;
• SIPROTEC 7UT686: All versions prior to V4.01; and
• SIPROTEC 7SD686: All versions prior to V4.04

The only change seen in the security reporting from Siemens was affected version information and the update link for DNP3 TCP. The other updated version information was provided in the ‘Mitigation’ section of the earlier ICS-CERT version of the advisory, but not in the ‘Affected Products’ section.
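The practical question for an asset owner reading an "all versions prior to" list like the one above is which of their installed units fall below each threshold. The following Python is an added example, not code from the original post or from Siemens or ICS-CERT; it checks a constructed (made-up) asset inventory against the thresholds listed above and treats the version strings as dotted numeric versions rather than plain strings, so that V4.9 correctly sorts below V4.86 and V1.9.05 below V1.10.01. The product labels and inventory entries are assumptions for illustration.

```python
import re
from typing import Dict, List, Tuple

# Thresholds as reported in the updated advisory text above: each product is
# affected in "all versions prior to" the listed version, so the listed
# version is the first one NOT affected.
FIRST_UNAFFECTED: Dict[str, str] = {
    "Firmware variant Modbus TCP": "V1.10.01",
    "Firmware variant DNP3 TCP": "V1.03",
    "SIPROTEC 7SJ66": "V4.23",
    "SIPROTEC 7SJ686": "V4.86",
    "SIPROTEC 7UT686": "V4.01",
    "SIPROTEC 7SD686": "V4.04",
}

_VERSION_RE = re.compile(r"^V?(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'V1.10.01' into (1, 10, 1) so components compare as integers."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def version_less_than(a: str, b: str) -> bool:
    """True if a is strictly older than b.

    Shorter tuples are zero-padded so that V1.03 and V1.03.00 compare equal
    instead of (1, 3) sorting below (1, 3, 0).
    """
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


def find_affected(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return inventory entries whose product is listed in the advisory and
    whose firmware is below the first unaffected version."""
    affected = []
    for asset in inventory:
        threshold = FIRST_UNAFFECTED.get(asset["product"])
        if threshold is None:
            continue  # product not covered by this advisory
        if version_less_than(asset["firmware"], threshold):
            affected.append({**asset, "first_unaffected": threshold})
    return affected


# Constructed sample inventory (hypothetical assets, not real devices).
SAMPLE_INVENTORY = [
    {"asset": "relay-01", "product": "SIPROTEC 7SJ66", "firmware": "V4.20"},
    {"asset": "relay-02", "product": "SIPROTEC 7SJ66", "firmware": "V4.23"},
    {"asset": "relay-03", "product": "SIPROTEC 7SJ686", "firmware": "V4.9"},
    {"asset": "gw-01", "product": "Firmware variant Modbus TCP", "firmware": "V1.9.05"},
    {"asset": "gw-02", "product": "Firmware variant DNP3 TCP", "firmware": "V1.03.00"},
    {"asset": "hmi-01", "product": "Some Other HMI", "firmware": "V2.0"},
]

if __name__ == "__main__":
    for hit in find_affected(SAMPLE_INVENTORY):
        print(f"{hit['asset']}: {hit['product']} {hit['firmware']} "
              f"is below {hit['first_unaffected']}")
```

Run as a script it lists relay-01, relay-03 and gw-01 as needing attention; relay-02 and gw-02 sit exactly at the threshold and are not flagged, and the unrelated HMI is skipped. A naive string comparison would have missed relay-03 and gw-01, which is the point of parsing the version components.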

Commentary


I have not done an actual tally to confirm this, but it seems to me that we see a much higher percentage of Rockwell product advisories making it to the NCCIC (or the old US-CERT) secure portal before being publicly disclosed than we do for Siemens products. Since it is not clear how this decision is made for limited disclosure, it would be unfair to say something untoward was happening; but, it does seem odd.


If the decisions are made based upon company requests for the delay, then this is a marketing call by the respective companies with no foul noted. If the decision is being made just by ICS-CERT, then the community probably deserves some process explication.

HR 3101 Introduced – Port Cybersecurity

Last month Rep. Torres (D,CA) introduced HR 3101, the Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act of 2017. The bill establishes a number of modest cybersecurity requirements for (and in support of) port operations.

Federal Requirements


Section 2 of the bill establishes federal requirements for cybersecurity risk assessments, information sharing and coordination. First it requires DHS to conduct (and subsequently evaluate) a risk assessment for maritime cybersecurity based upon the NIST Cybersecurity Framework. Next, it requires DHS to ensure that at least one maritime information sharing analysis committee (ISAC) participates in the National Cybersecurity and Communications Integration Center.

Paragraph (4) requires DHS to establish “guidelines for voluntary reporting of maritime-related cybersecurity risks and incidents (as such terms are defined in section 227 of the Homeland Security Act of 2002 (6 U.S.C. 148)) to the Center [NCCIC]”. The next paragraph then requires DHS “to report [on] and make recommendations to the Secretary on enhancing the sharing of information related to cybersecurity risks and incidents between relevant Federal agencies and State, local, and tribal governments”.

Local Requirements


Section 3 of the bill establishes local cybersecurity requirements. First it requires each Maritime Security Advisory Committee “to facilitate the sharing of cybersecurity risks and incidents to address port-specific cybersecurity risks, which may include the establishment of a working group of members of Area Maritime Security Advisory Committees to address port-specific cybersecurity vulnerabilities” {§2(1)}. Next it requires all new maritime or facility security plans (under 46 USC 70103) to “include a mitigation plan to prevent, manage, and respond to cybersecurity risks” {§2(2)}.

Specifically, §4 amends two separate provisions of 46 USC {§70102(b)(1)(C) – facility and vessel assessments – and §70103(c)(3)(C) – vessel and facility security plans} by adding the word “cybersecurity” after “physical security”. It would also add a requirement for vessel and facility security plans to address the “prevention, management, and response to cybersecurity risks” {new §70103(c)(3)(C)(v)}.

Moving Forward


While Torres is not a member of either committee to which the bill has been assigned for consideration, two of her cosponsors are {Rep. Correa (D,CA) – Homeland Security; and Rep. Wilson (D,FL) – Transportation and Infrastructure}. This means that there is at least a chance that either or both of these committees could consider HR 3101.

I do not see anything in the bill that would engender any significant opposition. If the bill were to be considered on the floor of the House, it is likely that it would pass, probably under the suspension of the rules provision.

Commentary


Once again, the provisions of this bill rely on the 6 USC 148(a)(1) definition of ‘cybersecurity risk’, a definition that is limited to information systems and does not include control systems. This would mean that the requirements of this bill would not apply to operation of any of the many critical control systems found on vessels or in maritime facilities.


I would again like to point to a solution to this definitional problem in port cybersecurity legislation that I proposed in an earlier blog post. It would still use the existing, IT-centric, definition of ‘information system’, but would add a new definition for ‘control system’ and then combine both terms in the definition of ‘cybersecurity risk’.

Committee Hearings – Week of 7-16-17

With both the House and Senate in session there is a wide slate of congressional hearings this week. Spending bills are finishing up in the House and the Senate continues to plug away on nomination hearings. There are two cybersecurity hearings of potential interest, one a markup and one addressing energy security.

Spending Bills


The House Appropriations Committee is still working on ginning out their spending bills with two more hearings being conducted during the remainder of the week:


Cybersecurity Mark-up


On Wednesday the Digital Commerce and Consumer Protection Subcommittee of the House Energy and Commerce Committee will mark-up a staff draft of a bill on highly automated vehicle testing and deployment. The Committee Draft of the bill contains a section on “Cybersecurity of automated driving systems” which I will try to review later today.

Energy Security


Later this morning the Senate Energy and Natural Resources Committee will hold a hearing to examine the status and outlook for U.S. and North American energy and resource security. Cybersecurity is certainly going to be part of this discussion. The witness list includes:

• Fatih Birol, International Energy Agency;
• Stephen Cheney, American Security Project;
• Robert Coward, American Nuclear Society;
• Dan McGroarty, Carmot Strategic Group;
• Mark Mills, Manhattan Institute; and
• Jamie Webster, Center for Energy Impact

On the Floor of the House


Today the House will consider HR 3050, Enhancing State Energy Security Planning and Emergency Preparedness Act of 2017, under their suspension of the rules procedure. This means that there will be limited debate and no amendments will be considered. This usually means that the House leadership considers this to be a non-controversial bill with a high probability of passage (which requires a super-majority). NOTE: The committee report on the bill has not yet been published; it will probably be submitted today, but will not actually be available on the Congress.gov site until later this week.


NOTE: The House Rules Committee called for amendments to HR 2997, 21st Century Aviation Innovation, Reform, and Reauthorization Act. This is the House version of the FY 2018 FAA reauthorization. I have not published a review of this bill yet because there is currently nothing of real interest included in the introduced version. It looks like that will be changing. No hearing is scheduled yet, but it may happen later this week.

Bills Introduced – 07-17-17

With both the House and Senate in session there were 20 bills introduced yesterday. Of those, three may be of specific interest to readers of this blog:

HR 3266 Making appropriations for energy and water development and related agencies for the fiscal year ending September 30, 2018, and for other purposes. Rep. Simpson, Michael K. [R-ID-2]

HR 3267 Making appropriations for the Departments of Commerce and Justice, Science, and Related Agencies for the fiscal year ending September 30, 2018, and for other purposes. Rep. Culberson, John Abney [R-TX-7]

HR 3268 Making appropriations for Agriculture, Rural Development, Food and Drug Administration, and Related Agencies programs for the fiscal year ending September 30, 2018, and for other purposes. Rep. Aderholt, Robert B. [R-AL-4]

As with all spending bills, I will be watching these for potential cybersecurity provisions.


Monday, July 17, 2017

ISCD Publishes COI Flyer for CFATS Customers

Today the DHS Infrastructure Security Compliance Division published a new flyer for its Chemical Facility Anti-Terrorism Standards (CFATS) program. The flyer is designed to be provided to customers of CFATS facilities that receive shipments of DHS chemicals of interest (COI) from the covered facility, to notify those customers that they might have CFATS reporting responsibilities.

A link to the flyer can be found on the CFATS landing page. There, ISCD explains the purpose of the flyer:

“Update (July 2017): Chemical security is a responsibility that DHS shares with chemical facility owners and operators, employees, and emergency responders. DHS created a flyer for facilities shipping, selling, or distributing a CFATS Chemical of Interest (COI) to notify their customers to report their chemical holdings to DHS. Please download, print, and distribute the Receiving a COI Flyer as a resource to increase awareness of the CFATS program to new segments of the population who hold COI.”

A different link to the same flyer can be found on the CFATS Knowledge Center. ISCD announces that link with this ‘Latest News’ entry:

“ISCD has published a flyer that facilities may choose to use when selling or shipping COI to notify customers that they may need to report their holdings to DHS. Facilities are not required to share this flyer, but are encouraged to let facilities that sell, ship, or distribute COI know about this resource during the course of a normal engagement. Please contact CFATS@hq.dhs.gov with any and all questions.”

ISCD emphasizes that the use of the flyer is completely voluntary. They are just trying to expand their outreach program to ensure that all potentially covered facilities are aware of the reporting requirements for the CFATS program.

Commentary


This is a fairly straightforward one-page flyer without a lot of graphics or bells and whistles. I think, however, that ISCD has gone a little too much on the simple side. Much of the write-up assumes that the reader has some basic understanding of the ins and outs of the CFATS program. For example, in bold type (for emphasis) the flyer states: “Facilities that come into possession of screening threshold quantities of COI must report their holdings to DHS within 60 days by filing a Top-Screen survey.” There is no real explanation of why chemicals are COI or what a ‘screening threshold quantity’ is; it simply provides a link to the Appendix A table that lists the COI’s and the complex set of regulatory data that are associated with them in the CFATS program.

It would have been much more helpful if the flyer provided links to the various parts of the CFATS web site that describe these complex topics; for example, the CFATS Covered Facility web page.


Still, I am glad to see that ISCD is continuing to look for new ways to ensure that potentially covered facilities are aware of the CFATS initial reporting requirements.

S 1405 Introduced – FY 2018 FAA Authorization

Last month Sen. Thune (R,SD) introduced S 1405, the Federal Aviation Administration Reauthorization Act of 2017. This year’s bill includes one cybersecurity provision and a large number of provisions concerning unmanned aircraft systems (UAS). The UAS related items that may be of specific interest to readers of this blog include:

§2105. Analysis of current remedies under Federal, State, and local jurisdictions.
§2123. Small unmanned aircraft safety standards.
§2126. Additional rulemaking authority.
§2128. Special rules for model aircraft.
§2129. Authority.
§2133. Airport safety and airspace hazard mitigation and enforcement.
§2151. Federal and local authorities.
§2163. Unsafe operation of unmanned aircraft.

Cybersecurity


Section 4109 of the bill would require the FAA to revise existing aircraft certification regulations {§4109(a)}:

• To address cybersecurity for avionics systems, including software components; and
• To require that aircraft avionics systems used for flight guidance or aircraft control be secured against unauthorized access via passenger inflight entertainment systems through such means as the Administrator determines appropriate to protect the avionics systems from unauthorized external and internal access.

The new regulations would be based upon work of the Aircraft Systems Information Security Protection Working Group as directed by Congress last year in §2111 of PL 114-190 (130 Stat 626).

Model Aircraft


Section 2128 of the bill adds a new §44808 (Special rules for model aircraft) to 49 USC. That section modifies and then codifies the model aircraft rules established in §336 of the FAA Modernization and Reform Act of 2012 (PL 1125-95, 126 Stat 77).

The ‘operational parameters’ in paragraph (a) have been expanded by including the following requirements for the model aircraft exemption {new §44808(a)}:

• Not flown beyond the visual line of sight of persons co-located with the operator or in direct communication with the operator;
• The aircraft is flown from the surface to not more than 400 feet in altitude, except under special conditions and programs established by a community-based organization; and
• The operator has passed an aeronautical knowledge and safety test administered by the Federal Aviation Administration online for the operation of unmanned aircraft systems subject to the requirements of section 44809 or developed and administered by the community-based organization and maintains proof of test passage to be made available to the Administrator or law enforcement upon request.

The FAA is further provided the authority to modify the operational parameters defined in the bill ‘as appropriate’. Paragraph (b)(2) provides an expansive list of considerations that the FAA might use to change those parameters.

Paragraph (d) of the new section provides the FAA with permissive authority to “promulgate rules relating to the registration and marking of model aircraft”. Furthermore, §2129 of the bill specifically re-instates the registration and marking requirements for small unmanned aircraft that were published by the FAA in December, 2015 and were recently vacated by the United States Court of Appeals for the District of Columbia Circuit in Taylor v. Huerta (No. 15–1495).

Regulation of UAS Operations


Section 2105 requires the Government Accountability Office (GAO) to conduct “a review of the privacy issues and concerns associated with the operation of unmanned aircraft systems in the national airspace system”. Additionally, it tasks the GAO with identifying “specific issues and concerns that may limit the availability of existing civil or criminal legal remedies regarding inappropriate operation of unmanned aircraft systems in the national airspace system” {§2105(2)}.

Section 2123 addresses setting safety standards for UAS. It would add a new §44803 to 49 USC (Small unmanned aircraft safety standards). It would require the FAA to establish a rulemaking advisory committee to develop recommendations for regulations to establish {§44803(a)(1)}:

• Risk-based, consensus safety standards related to the safe integration of small unmanned aircraft systems into the national airspace system (referred to in this section as ‘consensus safety standards’) that can evolve or be updated as appropriate; and
• A Federal Aviation Administration process for permitting, authorizing, or approving small unmanned aircraft systems and their operations based on the safety standards to be accepted by the Administrator under this section.

The FAA would then be responsible for implementing those recommendations by establishing a process for {new §44803(d)}:

• The acceptance by the Federal Aviation Administration of consensus safety standards recommended;
• Permitting, authorizing, or approving small unmanned aircraft systems makes and models based upon the consensus safety standards; and
• The certification of a manufacturer of small unmanned aircraft systems that has demonstrated compliance with consensus safety standards.

These safety standards would also specifically apply to model aircraft {new §44803(f)}.

Mitigating Unsafe UAS Operations


Section 2133 would add a new §44810 to 49 USC. That new section would require the FAA to “develop a plan for the certification, permitting, authorizing, or allowing of the deployment of technologies or systems for the detection and mitigation of unmanned aircraft systems” {new §44810(b)(1)}. The implemented plan would “allow appropriate officials of Federal, State, or local agencies requesting to utilize such technologies or systems to take steps to detect and mitigate potential airspace safety threats posed by unmanned aircraft system operations” {new §44810(b)(2)}.

The section goes on to clearly state that the following federal statutes would not apply to the operation of these ‘technologies or systems’ {new §44810(h)}:

18 USC 32 – Destruction of aircraft or aircraft facilities;
18 USC 1030 (the bill actually says ‘1031’, an obvious error) – Fraud and related activity in connection with computers;
18 USC Chapter 119 – Wire and electronic communications interception and interception of oral communications; and
18 USC Chapter 206 – Pen registers and trap and trace devices

Section 2163 would make it a federal crime to unsafely operate an ‘unmanned aircraft’. It would add a new section 39B to 18 USC. It would make it a federal offense to operate an unmanned aircraft in a manner that “knowingly or recklessly interferes with, or disrupts the operation of, an aircraft carrying 1 or more occupants operating in the special aircraft jurisdiction of the United States, in a manner that poses an imminent safety hazard to such occupants” {new §39B(a)}.

Committee Mark-Up


On June 29th the Senate Commerce, Science, and Transportation Committee held a mark-up hearing that included the mark-up of S 1405. In that hearing 57 amendments, including substitute language from Chairman Thune, were offered and presumably adopted (though there is no indication on the Committee web site of the status of actions taken). The substitute language made no changes of significance to the provisions previously discussed. There was one amendment from Sen. Johnson (R,WI) that may be of specific interest here.

Johnson’s amendment would add a new §44816 to 49 USC, Unmanned aircraft systems in restricted buildings or grounds. This amendment mirrors current restrictions found in 18 USC 1752 against unauthorized entry of the White House or other grounds where the President (or other persons protected by the Secret Service) is present. It would apply similar legal penalties for flying UAS in such areas.

The amendment further expands upon the §1752 coverage by adding the phrase “impede or disrupt the orderly conduct of Government business or official functions” {new §44816(a)} with respect to UAS operations.

Violation of the new section would be punishable under 18 USC by fines and/or up to one year in prison, unless the offense included mounting a weapon on the UAS or caused serious bodily harm. Then the maximum sentence would be fines and/or up to ten years in prison.

Moving Forward


The FAA reauthorization is one of the ‘must complete’ actions for Congress each year, though that does not specifically apply to this particular bill. A House version of this bill has yet to be offered, but will ultimately happen. Each branch of Congress will pass their own version of an FAA reauthorization bill and a conference committee will iron out the differences. There is always the possibility of short-term continuing-authorization bills being passed.

Commentary


I am very happy to see that this bill provides not only authority, but specific requirements for the FAA to regulate the cybersecurity of aircraft control systems. I am disappointed, however, in the failure to require specific rules regarding the reporting of cybersecurity attacks (with an appropriate definition of what constitutes an attack) or the discovery of security vulnerabilities in avionics software or devices. Additionally, I would have liked to have seen a specific requirement for regulated air carriers and aircraft (and avionic system) manufacturers to be members of some sort of recognized cybersecurity information sharing organization.

The bill finally addresses one of the major issues related to enforcing UAS operation regulations, the fact that any attempts to immediately stop a UAS from illegal operation (not completely defined by this bill) would almost certainly involve violation of a number of federal criminal statutes.

I am not sure, however, that offering a blanket exemption to those laws is quite the right way to proceed. I would have preferred the bill to require the FAA to establish specific ground rules where such exemptions applied. The way that §2133 is written does not just limit the use of the developed ‘technologies and systems’ to the areas around airports. They would generally apply to any counter-UAS operations conducted by “Federal departments and agencies to detect and mitigate potential threats posed by errant or hostile unmanned aircraft system operations” {new §44810(a)} or more generally by “appropriate officials of Federal, State, or local agencies requesting to utilize such technologies” {new §44810(b)(2)}.

The Johnson amendment is an overly broad extension of current presidential security rules. While arguments could certainly be made to support allowing the Secret Service to control the use of UAS around the White House and presidential functions, the inclusion of the ‘orderly conduct of Government business’ language could have a chilling effect on freedom of speech and be a broad tool to counter civil disobedience usage of UAS.


Finally, the bill curiously lacks any mention of potentially applying flight restrictions to UAS operations above or around critical infrastructure or other restricted areas. Actually, what I would prefer to see would be to specifically disallow the operation of UAS over or around facilities where the federal government currently regulates security (for example: CFATS, MTSA and CIP regulated facilities) except with the specific permission of the facility owners/operators. This would avoid the vague definition of ‘critical infrastructure’.

Saturday, July 15, 2017

Bills Introduced – 07-15-17

Yesterday with only the House in Washington there were 26 bills introduced. Of those only one may be of specific interest to readers of this blog:

HR 3259 To prohibit the use of Federal funds for the establishment or support of a cybersecurity unit with the Russian Federation, and for other purposes. Rep. Speier, Jackie [D-CA-14]


As with HR 3191 and S 1544 this is almost certainly more of a political statement than a viable attempt at legislation, but it will be followed here due to its potential effects on cybersecurity activities in the federal government.

ICS Public Disclosures – Week of 07-08-17

This week we have two public disclosures from vendors. The first is an interesting update of information from ABB and the second is a fresh self-disclosure from OSIsoft.

ABB Update


ABB published their security advisory for their VSN300 Wi-Fi Logger Card; the vulnerabilities were earlier reported by ICS-CERT. There was no link to the ABB advisory in the ICS-CERT advisory because the ABB advisory was published two days later. The importance of the ABB advisory is that it includes exploit code for the two reported vulnerabilities; an unusual move for a vendor.

The publication of the exploit code needs to be taken into account in the risk analysis done by owners in their decision as to whether or not they will be updating the Card firmware.

It will be interesting to see if ICS-CERT updates their advisory.

Thanks to Joel Langill for pointing out the publication of this advisory.

OSIsoft Advisory


OSIsoft announced this week the publication of security updates for their PI Integrator For Business Analytics 2016, PI Integrator for Microsoft Azure 2016, and PI Integrator for SAP HANA 2016 products with new versions of all three being made available.

The new versions correct two self-identified vulnerabilities:

• Improper Neutralization of Input During Web Page Generation; and
• Improper Authorization


OSIsoft reports that: “An unauthorized user could gain privileged access to the PI Integrator application and views of PI System data. A miscreant could also store malicious script in the application database and subsequently execute it on the targeted user's machine.”