Tuesday, October 17, 2017

Committee Hearings – Week of 10-15-17

With just the Senate in session this week, most of the congressional hearings concern nominations. There is one cybersecurity hearing that may be of interest to readers of this blog.

The Senate Armed Services Committee will be holding a hearing on Thursday looking at “Roles and Responsibilities for Defending the Nation from Cyber Attack”. This is an open hearing, but there may be a closed (classified) session at the end. The witness list includes:

• Rob Joyce, National Security Council
• Kenneth P. Rapuano, Department of Defense
• Scott Smith, Federal Bureau of Investigation
• Christopher C. Krebs, Department of Homeland Security


There is a distinct possibility that control systems security issues associated with the electric grid may be discussed at this hearing but, given the participants, at a policy level rather than as a technical discussion.

Sunday, October 15, 2017

ISCD Updates CSAT 2.0 Web Site

Last week the DHS Infrastructure Security Compliance Division (ISCD) updated their Chemical Security Assessment Tool (CSAT) web page; this is part of the extensive web site for the Chemical Facility Anti-Terrorism Standards (CFATS) program. The only change to the CSAT page was the addition of a link to the new CFATS Site Security Plan (SSP) Submission Tips web page.

This new web page is part of the on-going ISCD outreach program to the CFATS regulated community. It is not a substitute for the SSP manual and the Risk Based Performance Standards (RBPS) Guidance manual, but rather a highlight of those types of things that have apparently been found lacking in many SSP submissions in the past. It highlights four major areas of concern:

• Consider what security measures to address;
• Detail current security measures;
• Describe planned security measures; and
• Specify facility-wide or asset-specific security measures

What Security Measures


Of course, facilities are going to need to address security measures in each of the 18 RBPS that are applicable to the DHS chemicals of interest (COI) identified on the facility tiering letter. This section of the web page addresses five “overarching objectives” of the SSP:

• Detection;
• Delay;
• Response;
• Cyber; and
• Security Management

These are covered in short (one paragraph) discussions and links to the four RBPS fact sheets that ISCD began issuing earlier this year:

RBPS 8, Cyber Fact Sheet  
RBPS 9, Emergency Response Fact Sheet  
RBPS 12, Personnel Surety Program Fact Sheet  
RBPS 18, Records Fact Sheet 

Current Security Measures


This section briefly covers two rather broad topics:

• Be as detailed as possible; and
• Don’t overlook safety and environmental measures already in place that contribute to security.

In my conversations with folks in the field the first point is probably the most important for a successful SSP submission. This new web page says it well and succinctly:

“The text boxes in the Chemical Security Assessment Tool’s (CSAT) SSP application have been included so that facilities can more fully describe current security measures, including how the measures address the relevant RBPS. The better DHS can conceptualize and understand your approach to security measures, the better DHS can evaluate whether they meet the applicable RBPSs.”

Facility-Wide vs Asset-Specific


The discussion here is important, though more than a little simplified (to be expected in a short document like this). It boils down to this. Security measures can be quite expensive, especially as the size of a facility increases. Since different types of COI may require different types of security measures, a facility may be able to significantly reduce costs by confining certain security measures to just those areas where their listed COI are stored or handled. Provisions are made in the CFATS to allow facilities to do this.

Commentary


Again, ISCD has consistently tried to reach out to the CFATS community and provide the necessary information to successfully comply with the program requirements. This is part of that outreach. It is not (nor was it intended to be) the ultimate word in developing a successful SSP submission. It is just part of the process.

Facility security personnel will find this helpful only if they are familiar with the RBPS Guidance document and the SSP manual. Another source of useful information in this matter are two of the recently published presentations from the 2017 Chemical Sector Security Summit:


In fact, the CSSS web site has links to additional presentations from previous years that will also be helpful. The whole CSSS program is helpful for anyone interested in chemical facility security issues.


One final point: cybersecurity continues to pop up regularly in any discussions about the CFATS program. ISCD is certainly taking great pains to mention the topic whenever they discuss site security plans or compliance inspections. They have taken particular care to communicate that ‘cybersecurity’ is not only important for the control systems that touch on the handling and/or storage of covered COI, but also includes cybersecurity measures to protect security controls (surveillance, intrusion detection, and access control systems) as well as business systems that affect the handling (ordering, selling or transporting) or storage of covered COI.

Saturday, October 14, 2017

Common Chemical Accident Causes Building Evacuation

Yesterday a 49-story office building in downtown Chicago was evacuated when a common chemical accident occurred on the roof of the building resulting in the release of chlorine gas. Six people were injured severely enough to be transported to local hospitals.

The Incident


Very little information is available in the news reports on the incident (here, here, here and here). The common thread is that “chlorine and acid were accidentally mixed on the roof of the building”. Based upon that, this is likely what happened.

A maintenance crew was cleaning/disinfecting the water side of the cooling tower for the building HVAC system. These systems have been implicated in a number of Legionnaire outbreaks, so the cleaning/disinfection of these roof top systems is a fairly normal maintenance task. The ‘acid’ was likely muriatic acid (dilute hydrochloric acid); it is commonly used for pH adjustment, and cleaning metal or concrete. The ‘chlorine’ was almost certainly a solution of sodium hypochlorite (bleach); it is commonly used as a disinfectant and cleaning solution.

In disinfecting a small body of water, the muriatic acid is added to lower the pH of the water. Then the chlorine is added to kill off bacteria. With adequate mixing or an appreciable time between adding the two chemicals to the water there is no problem. If the two chemicals are added in close physical or temporal proximity, then they remain concentrated enough to allow a very quick exothermic reaction to occur. A byproduct of that reaction is the release of chlorine gas.

Unless someone is really stupid in the amount of bleach added to the water, there will not be enough chlorine gas released to kill anyone unless they are in a small, confined space above the surface of the water. Relatively small, non-fatal, amounts of chlorine gas will cause severe irritation to the eyes, nose and respiratory tract. Prompt medical evaluation is routinely recommended for anyone experiencing eye pain or difficulty breathing after relatively minor chlorine gas exposures.

Commentary


In hindsight, there was almost certainly no need to evacuate the building. The amount of chlorine gas released would not have been medically significant beyond the immediate area of the release on the roof. I suspect that enough gas got into one of the HVAC air intakes to allow some people to detect the odor of chlorine (detectable by the average person at very low levels). Complaints of a strange chemical odor reported in the building coupled with the report of a chemical incident on the roof would be sufficient, however, to make any emergency response incident commander order a precautionary evacuation.

One of the reasons for this is that the same reaction between hypochlorite and muriatic acid make for a pretty interesting improvised chemical munition in closed quarters like a building. Without the diluting effect of a small body of water, the fast and strong exotherm results in low order explosion (no flame but and expanding gas cloud) that releases chlorine gas. Both chemicals are easy to buy and the only difficulty in constructing these bombs is how to keep the two chemicals apart until you want the reaction to take place. Again, unless the ‘bomb’ is really large, there is little real danger outside of the immediate area of ‘detonation’, but the loud bang and chlorine odor will do a nice job of starting a panic in a crowded building.


I expect that the investigation of this incident will ultimately place the blame for this incident on ‘human error’ and inadequate training of the maintenance personnel. People really can handle these two relatively innocuous industrial chemicals safely with just a modicum of training and supervision. But, the reason that this is such a common accident is that the process looks so simple and the chemicals look very common, so no one really takes the safety issues seriously until it is too late.

DHS Publishes 2017 CSSS Presentations

Yesterday DHS updated the 2017 Chemical Sector Security Summit (2017 CSSS) web page with links to some of the presentations that were made at this year’s Summit. Unfortunately, even with the Summit including web casts of several of the presentations, the links provided only provide copies of the slides used in the presentations.

The presentations available (in .PDF format) include:

How Vulnerable Are You? - Effective Strategies for Assessing Cybersecurity Risk
Global Partnerships: International Chemical Security Efforts
CTRA 4.0 – Chemical Terrorism Risk Assessment
When Disaster Strikes: Security Roles during a Disaster
A New Frontier: Unmanned Aircraft Systems (UAS)
Chemicals on the Move: Updates in Transportation Security

As I have mentioned a number of times, just providing copies of the slides, while better than nothing, is frequently frustrating. For example, in the ‘Chemicals on the Move’ presentation from the Coast Guard, slide #2 is downright cruel. In the discussion of the TWIC Reader Rule it lists one of the issues with that rule as being “Unintended consequences of Final Rule”. It would have been real interesting to hear what those consequences are, as I am sure that people who attended the Summit did.

Having said that, there are some interesting bits of information included in these slides. They include:

• ‘A New Frontier’ provides a link to the “Unmanned Aircraft Systems (UAS) - Critical Infrastructure” web site;
• ‘CFATS Compliance Lessons Learned’ specifically mentions ‘cybersecurity’ as one of the things to pay attention to in the new Tiering letters being issued under CSAT 2.0;
• ‘What to Expect During a CFATS Inspection’ includes an important note: “Prepare list of attendees to the Opening Meeting. Have CVI numbers for each attendee ready.”
• ‘CTRA 4.0’ presentation notes that only 71 of the 185 chemical compounds assessed by Chemical Security Analysis Center (CSAC) are CFATS chemicals of interest (COI);
• ‘CFATS Regulatory Update’ mentions that “Will begin the Paperwork Reduction Act process to expand [Personnel Surety Program] to Tiers 3 & 4 in the coming year”; and
• ‘How Vulnerable Are You’ makes an important point: “A non-segmented network where CROWN JEWELS are not isolated will always be prone to failure from the failure of the weakest link”.

Remembering my complaint expressed above about the basic inadequacy of slides, I really do think that reviewing these presentations is worthwhile for anyone in the chemical facility security community. They do not take much time to review and there is some interesting information.

Having said that, the two most worthwhile presentations to review are the ones dealing with cybersecurity and disaster planning. As stand-alone documents, they both provide valuable and useful information. The latter is especially important (and in some ways prophetic) in light of the problems seen in the aftermath of Harvey.


One final note: The 2017 CSSS page provides a link to the page with the links to the presentations. It is odd, however, that the list of presentations is not an HTML page but rather a .PDF page. This makes loading a tad bit slow (as are the documents). And, as always, the Federal government’s reliance on .PDF documents with the attendant security issues is problematic (and more than a little ironic on a page devoted to security issues). Is there a more secure manner of presenting unalterable documents?

Friday, October 13, 2017

ISCD Publishes Personnel Surety Program Fact Sheet

Today the DHS Infrastructure Security Compliance Division (ISCD) posted a link to a new program fact sheet on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. The fact sheet provides some basic data on the implementation of the personnel surety program, or the screening for terrorist ties portion of the Risk Based Performance Standard (RBPS) 12.

As with all of these Fact Sheets that ISCD has been publishing over the last year or so, there is no really new information provided. All of the information is already available on either the CFATS Personnel Surety Program web page, or in the Federal Register Notice that announced the implementation of the program. What has been done is to make available a relatively simplified presentation that provides highlights of the program.


The most valuable knowledge condensation here is the basic list of security considerations that facilities need to address in their site security plan for the option(s) being used by the facility to screen personnel authorized unaccompanied access to security areas of covered chemical facilities. This information was explained in more detail here in the Federal Register Notice, but the table in this fact sheet provides the basic information.

Bills Introduced – 10-12-17

Yesterday, with only the House in session and preparing to leave for a week working in their districts (fund raising, campaigning and constituent support), there were 49 bills introduced. Remembering that most bills introduced in these situations are proposed to provide talking-points back home (not serious attempts at legislating), there were six bills that may be of interest to readers of this blog:

HR 4036 To amend title 18, United States Code, to provide a defense to prosecution for fraud and related activity in connection with computers for persons defending against unauthorized intrusions into their computers, and for other purposes. Rep. Graves, Tom [R-GA-14]

HR 4038 To amend the Homeland Security Act of 2002 to reassert article I authorities over the Department of Homeland Security, and for other purposes. Rep. McCaul, Michael T. [R-TX-10]

HR 4050 To support research, development, and other activities to develop innovative vehicle technologies, and for other purposes. Rep. Dingell, Debbie [D-MI-12]

HR 4051 To direct the Secretary of Transportation to establish a bollard installation grant program, and for other purposes. Rep. Espaillat, Adriano [D-NY-13]

HR 4053 To amend the Fair Credit Reporting Act to require an independent audit of the cybersecurity practices of certain consumer reporting agencies, and for other purposes. Rep. Fortenberry, Jeff [R-NE-1]

HR 4064 To impose restrictions on the sale of binary explosives, and for other purposes. Rep. Soto, Darren [D-FL-9]

Any changes made to 18 USC 1030 are going to be of potential interest to the cybersecurity research community. This may be an attempt to carve out an exemption for ‘hacking back’. Definitions would be very important here.

It is unusual for a Republican (and a Committee Chair) to introduce a bill reasserting congressional oversight during a Republican administration. I suspect that this may be related to pending changes in the organization of National Protection and Programs Directorate (NPPD), including the move of ICS-CERT to NCCIC.

HR 4050 sounds like a research grant program for automated vehicles. It will be interesting to see if it specifically includes cybersecurity provisions.

Bollards are a common security measure to prevent vehicles from going where they are not wanted. I suspect that HR 4051 is a response to recent vehicle attacks on pedestrians, but definitions matter and this could be used by chemical facilities to fund bollards used to prevent access by vehicle borne explosives. Again, definitions will be critical.

I am certainly not going to expand this blog to include coverage of credit reporting agencies (Brian Krebs has that space covered really well), but the idea of ‘independent cybersecurity audits’ may prove to be an interesting way of regulating cybersecurity.


Congress has mixed success with establishing regulatory schemes for explosives. The ATF has a pretty robust program going, but attempts to get DHS involved in the control of the sale of ammonium nitrate are still stalled since the regulations were authorized in 2007. It will be interesting to see how HR 4064 addresses the situation for binary explosives.

Thursday, October 12, 2017

ICS-CERT Publishes 5 Advisories and 1 Update

Today the DHS published five control system security advisories for products from ProMinent, WECON, Envitech, NXP Semiconductor, and Siemens. They also updated a previously published control system security advisory for products from Marel Food Processing Systems.

Siemens Advisory


This advisory describes two vulnerabilities in the Siemens BACnet Field Panels. The vulnerabilities are self-reported. Siemens has developed a new firmware version that mitigates the vulnerabilities.

The two reported vulnerabilities are:

• Authentication bypass using an alternate path or channel - CVE-2017-9946; and
• Path traversal - CVE-2017-9947

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to allow unauthenticated attackers with access to the integrated webserver to download sensitive information. The Siemens security advisory notes that the first vulnerability requires network access to exploit.

NXP Advisory


This advisory describes two vulnerabilities in the NXP MQX real time operating system (RTOS). The vulnerabilities were reported by Scott Gayou. ICS-CERT reports that NXP intends to issue a new version in January to mitigate the vulnerabilities. NXP provides a workaround for the first vulnerability in the latest version (the second does not exist in that version) and recommends that users upgrade to that newer version pending the January update.

The two reported vulnerabilities are:

• Classic buffer overflow – CVE-2017-12718; and
• Out-of-bounds read – CVE-2017-12722

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerabilities to cause a buffer overflow condition that may, in turn, cause remote code execution or out-of-bounds read conditions, resulting in a denial of service.

Envitech Advisory


This advisory describes an improper authentication vulnerability in the Envitech EnviDAS Ultimate web application. The vulnerability was reported by Can Demirel and Deniz Çevik of Biznet Bilisim. Envitech has a new version that mitigates the vulnerability. ICS-CERT reports that the researchers have verified the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to view and edit settings without authenticating and execute code remotely.

WECON Advisory


This advisory describes a stack-based buffer overflow vulnerability in the WECON LeviStudio HMI Editor. The vulnerability was reported by Andrea “rgod” Micalizzi, working with iDefense Labs. WECON has developed a new version that mitigates the vulnerability. There is no indication that Micalizzi was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to effect a denial of service and arbitrary code execution.

ProMinent Advisory


This advisory describes multiple vulnerabilities in the ProMinent MultiFLEX M10a Controller. The vulnerabilities were reported by Maxim Rupp. ICS-CERT reports that ProMinent has not mitigated the vulnerabilities.

The reported vulnerabilities are:

• Client-side enforcement of server-side security - CVE-2017-14013;
• Insufficient session expiration - CVE-2017-14007;
• Cross-site request forgery - CVE-2017-14011;
• Information exposure - CVE-2017-14009; and
• Unverified password change - CVE-2017-14005

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerabilities to bypass protection mechanisms, assume the identity of authenticated users, and change the device configuration.

Marel Update


This update provides additional information on an advisory originally published on April 4th, 2017 and updated on August 17th. This update provides information on the firewall update for the Pluto platform that Marel has released.


The advisory still states that “Marel has created an update for Pluto-based applications, which was scheduled for release in October, 2017. This update will restrict remote access by implementing SSH authentication”.
 