Thursday, August 17, 2017

ICS-CERT Publishes an Advisory and Three Updates

Today ICS-CERT published a medical device security advisory for products from Philips. Three previously published industrial control system security advisories for products from Siemens (2) and Marel were updated with new information.

Philips Advisory

This advisory describes two vulnerabilities in the Philip DoseWise Portal (DWP) web application. The vulnerability was self-reported by Philip. ICS-CERT is reporting that Philip will be supplying a new product version later this month to mitigate the vulnerability.

ICS-CERT reports that an uncharacterized attacker could remotely exploit these vulnerabilities to gain access to the database of the DWP application, which contains patient health information (PHI). Potential impact could therefore include compromise of patient confidentiality, system integrity, and/or system availability.

NOTE: the Philips security page notes that the discovery of these vulnerabilities was based upon the findings of a customer submitted complaint and vulnerability report.

Marel Update

This update provides additional information on an advisory that was originally published on March 4th, 2017. The new information includes:
• Clarification of affected equipment;
• Adds a notice of an upcoming (10-1-17) update for the Pluto based systems;
• Explains that the M3000 terminal based products reached the end of their supported life in 2012;
• Added a new improper access control vulnerability to the advisory; and
• Added a link to the recently published Marel security notification

Comment: In the original advisory, the stand-alone statement “Marel has not produced an update to mitigate these vulnerabilities” seemed to indicate that Marel was not being cooperative. It now seems more that they were being slow to move forward and perhaps did not understand the need to communicate with ICS-CERT. Either that, or the publication of the ICS-CERT advisory was a slap in the corporate face that woke Marel up and got them to work on the vulnerability. I cannot tell which (properly so) from the ICS-CERT publication. In either case mitigations appear to be on the way.

It might be helpful if ICS-CERT had some sanction available that could provide some sort of intermediate push between doing nothing and publishing a zero-day that could put system owners at risk. The goal is to get a mitigation in place as soon as practicable and ICS-CERT has no authority to provide impetus to require recalcitrant vendors to do something.

PROFINET 1 Update

This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, on June 20th, 2017, on July 6th, 2017, and again on July 25th, 2017. The update provides new affected version information and mitigation links for:

• STEP 7 - Micro/WIN SMART: All versions prior to V2.3;
• SIMATIC Automation Tool: All versions prior to V3.0; and
• SINUMERIK 808D Programming Tool: All versions prior to V4.7 SP4 HF2

PROFINET 2 Update

This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15, 2017, and again on July 25th, 2017. The update provides new affected version information and mitigation links for:

• SIMATIC CP 1543SP-1, CP 1542SP-1 and CP 1542SP-1 IRC: All versions prior to  V1.0.15,
• SIMATIC ET 200SP: All versions prior to  V4.1.0,
• SIMATIC S7-200 SMART: All versions prior to V2.3,
• SINUMERIK 828D – V4.5 and prior: All versions prior to V4.5 SP6 HF2

Missing Siemens Updates and Advisories


ICS-CERT has yet to publish update or advisory for the following TWITTER® announcements from Siemens:

An advisory has been updated: SSA-286693: Vulnerabilities in Laboratory Diagnostics Products from Siemens; Aug 7th, 2017;


A new advisory has been published: SSA-131263: SMBv1 Vulnerabilities in Mobilett Mira Max from Siemens Healthineers; Aug 7th, 2017

NHTSA Sends Automated Vehicle Guidance to OMB

Yesterday the DOT’s National Highway Transportation Safety Administration (NHTSA) sent their Voluntary Guidance on Automated Driving Systems document to the OMB’s Office of Information and Regulatory Affairs (OIRA) for review. Guidance documents are not normally described in the Unified Agenda, so there is no public indication about what DOT will be including in this guidance document.


NHTSA hosted a series of public discussions on the topic last year. They also published an automated vehicles technology guidance document and a vehicle-to-vehicle notice of proposed rulemaking (NPRM) last year. The later document did include cybersecurity requirements.

Wednesday, August 16, 2017

Make America Secure and Prosperous Appropriations Act, 2018

The House Rules Committee announced today that is working on massive, multi-department spending bill to be considered when the House returns from summer recess. It is a move to cut short the spending process so that there may be a chance to pass a government spending bill before the September 30th deadline. The Rules Committee is calling for submission of amendments by 10:00 am on August 25th.

The combined bill is a complete re-write of HR 3354, the Department of the Interior, Environment, and Related Agencies Appropriations Act, 2018. The draft language incorporates most of the language from that bill and:

HR 3268 – Agriculture, Rural Development, Food and Drug Administration, and Related Agencies Appropriations Act, 2018;
HR 3267 – Commerce, Justice, Science, and Related Agencies Appropriations Act, 2018;
HR 3280 – Financial Services and General Government Appropriations Act, 2018;
HR 3355 – Department of Homeland Security Appropriations Act, 2018;
HR 3358 – Departments of Labor, Health and Human Services, and Education, and Related Agencies Appropriations Act, 2018;
HR 3362 – Department of State, Foreign Operations, and Related Programs Appropriations Act, 2018; and
HR 3353 – Transportation, Housing and Urban Development, and Related Agencies Appropriations Act, 2018

The House has already passed a combined spending bill for the other four spending bills not covered above. That bill, HR 3219, included the following spending bills:

• The Department of Defense Appropriations Act, 2018;
• The Legislative Branch Appropriations Act, 2018;
• The Military Construction, Veterans Affairs, and Related Agencies Appropriations Act, 2018; and
• The Energy and Water Development and Related Agencies Appropriations Act, 2018.


Combining eight spending bills into one big package could greatly reduce the amount of time required on the floor of the House for debate. I expect the Rules Committee would come up with a structured rule, with a few hundred floor amendments. The bill would almost certainly be passed in the House in a single week. The big question is whether or not the Senate would be allowed to take up the giant bill. Depending on what riders make it into the House passed version, I could almost expect to see an unusual amalgam of liberals and conservatives combining to block the moderate majority from considering and passing the bill.

ICS-CERT Publishes Two Advisories

Yesterday the DHS ICS-CERT published a medical device security advisory for products from BMC Medical and 3B Medical (one advisory). They also published a control system security advisory for products from Advantech

BMC Medical Advisory


This advisory describes an improper input validation vulnerability in the Luna continuous positive airway pressure (CPAP) therapy machine produced jointly by BMC Medical and 3B Medical. The vulnerability was reported by MedSec. Newer versions (after July 2017) have had the problem corrected; ICS-CERT reports that the company’s do not plan on providing mitigation measures for ‘older’ (before July 2017) machines.

ICS-CERT reports that a relatively low skilled attacker with adjacent network access could exploit the vulnerability to cause a crash of the device’s Wi-Fi module resulting in a denial-of-service condition affecting the Wi-Fi module chipset. This does not affect the device’s ability to deliver therapy.

NOTE: Buyers of CPAP devices should take careful note of the lack of post-production cybersecurity support demonstrated for this brand of devices.

Advantech Advisory


This advisory describes a heap-based buffer overflow vulnerability in the Advantech WebOP operator panels. The vulnerability was reported by Ariele Caltabiano (kimiya) via the Zero Day Initiative. ICS-CERT reports that Advantech was unable to verify the validity of this vulnerability. (NOTE: this obviously means that no mitigation measures appear to be forthcoming.)

ICS-CERT reports that a relatively low skilled attacker with uncharacterized access could use publicly available exploits to exploit this vulnerability to cause the target device to crash and may allow arbitrary code execution.


NOTE: There are a large number of ‘pending’ vulnerability reports on Advantech products currently listed on the ZDI web site.

Tuesday, August 15, 2017

ISCD Updates CFATS Knowledge Center

Today the DHS Infrastructure Security Compliance Division (ISCD) updated the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center by adding a link to a new CFATS fact sheet for colleges and universities and revised four frequently asked questions (FAQ) (according to the ‘Latest News’ blurb posted today on the Knowledge Center).

Colleges and Universities


The Colleges and Universities brochure is an update of a tri-fold brochure that was originally published in December 2010. The new brochure provides a brief overview of the CFATS program including a very brief description of the Top Screen reporting requirements. There is more detail in the new version and provides a number of important links to CFATS documents.

The one major shortcoming of the brochure is that, while it briefly describes chemicals of interest (COI) categories and explains that the list can be found in ‘Appendix A of the CFATS regulation’ there is no link to list of COI that is provided on the CFATS landing page, nor are the CFATS regulations actually listed (6 CFR 27).

New FAQs


The four ‘revised’ FAQ’s are:





The revised #1274 removes the mailing address [Infrastructure Security Compliance Division, Office of Infrastructure Protection, ATTN: CSAT, Department of Homeland Security, Building 5300, MS 6282, PO Box 2008, Oak Ridge, TN 37831-6282] and the messenger service delivery address [Infrastructure Security Compliance Division, Office of Infrastructure Protection, ATTN: CSAT, Department of Homeland Security, Building 5300, MS 6282, 1 Bethel Valley Road, Oak Ridge, TN 37831-6282] from the modes of contact for the CFATS Help Desk. I have no idea whether or not those old addresses are still good; but if they are, ISCD does not apparently want them used.

The revised #1288 adds regulatory references [§27.203(b) and §27.204(a)(2)] for the answer and a link to just the first reference. I have provided the link to the second.

FAQ #1606 is actually a new FAQ number, but the question and answer are very similar to an older FAQ (#1662) which is no longer on the current FAQ list (.PDF download). The new FAQ does not include any information (which was included in #1662) about a requirement to be CVI (Chemical-terrorism Vulnerability Information – the protocol for protecting the sensitive but unclassified information associated with the CFATS program) trained to be able to view/download the letter. Nor does the new FAQ mention that an Adobe Reader will be necessary to open the letter. NOTE: #1662 was still on the current FAQ list as of 8-4-17; the last time changes were made to the FAQ list.


FAQ #1785 is also a new FAQ number. There was an earlier article on the CFATS Knowledge Center (#1610) that addressed some of this information, but that article was prepared in 2010 and included copious descriptions of the old tiering process that was supplanted by CSAT 2.0 and the new Risk Assessment process. That article was removed sometime in early April of this year. The new FAQ very briefly mentions the tiering process and notes that facilities will be notified via the Chemical Security Assessment Tool (CSAT) that a tiering notification letter is available. It then briefly describes how to access that notification letter; and this time that discussion does include a mention of the CVI training requirements.

HR 3401 Introduced – Automated vehicles

Last month Rep. Schakowsky (D,IL) introduced HR 3401, a bill that would require the DOT’s National Highway Transportation Safety Administration (NHTSA) to establish new automotive safety standards for highly automated vehicles. This bill was introduced the same day that the House Energy and Commerce Committee  amended HR 3388 to do the same thing.

This bill is nearly identical to Section 4 of the revised HR 3388 adopted by the Committee. There is one area where the paragraph numbering is slightly different, but there are no substantive differences between the requirements. It would amend 49 USC by adding a new §30129, Updated or new motor vehicle safety standards for highly automated vehicles.

It would require DOT to “issue a final rule requiring the submission of safety assessment certifications regarding how safety is being addressed by each entity developing a highly automated vehicle or an automated driving system” {new §30129(a)(1)}.

It would also require DOT to submit to Congress a regulatory and safety priority plan designed to accommodate the development and deployment of highly automated vehicles while ensuring “the safety and security of highly automated vehicles and motor vehicles and others that will share the roads with highly automated vehicles” {new §30129(c)(1)}. That plan would include a requirement for NHTSA to “identify elements that may require performance standards including human machine interface and sensors and actuators, and consider process and procedure standards for software and cybersecurity as necessary” {new §30129(c)(2)(B)}.

Moving Forward


Ms. Schakowsky is the ranking member of the Digital Commerce and Consumer Protection Subcommittee of the House Energy and Commerce Committee. Normally this would probably allow her to have this bill considered in Committee. In this case, however, because this bill was introduced the same day that HR 3388 was, it seems as is the bill was introduced as a backup measure to ensure that the safety standards provisions of this bill could end up being considered separately from the remainder of the provisions of the larger bill if that bill was determined to be too controversial to be considered on the floor of the House.

I suspect that this bill will not see any further action until the House Leadership determines whether or not HR 3388 will make it to the floor. If it does not, this bill will likely be moved to the floor for a vote without going through a separate review by the Committee.

Commentary


I did not mention the cybersecurity requirements described above in my discussion of HR 3388 because they were duplicative of the requirements that I described but were not as expansive as the cybersecurity requirements in §5 of HR 3388.


What is important (and unusual from a cybersecurity perspective) here is that both bills would require the establishment for safety standards for HMI, sensors and actuators. It does not include any guidance on what those standards would include, but that would normally be expected to be developed by the technical experts at NHTSA. But this would end up being where the Federal government took its first crack at developing safety (and perhaps specific cybersecurity) standards for key components found in (almost by definition) these critical components of control systems. Those standards could end up being ground breaking regulatory standards for the ICS industry.

Monday, August 14, 2017

OMB Approves PHMSA Shipping Papers ICR Revision

Last Friday the OMB’s Office of Information and Regulatory Affair approved the Pipeline and Hazardous Materials Safety Administration’s (PHMSA) information collection request (ICR) revision supporting requirements for hazardous material shipping papers and emergency response information. This ICR was filed in support of the most recent international harmonization of PHMSA hazardous material shipping regulations.

According to the abstract included in the recent notice, the ICR made the following changes to the ICR burden:

“This rulemaking reduced the burden to shippers by removing the requirement to provide a lithium battery handling document when shipping smaller lithium cells and batteries. While the rulemaking decreased the burden overall, the requirement that shippers communicate prototype or low production run battery shipments on a shipping paper resulted in an increase. The rulemaking also added new marine pollutant entries in Appendix B of § 172.101.”

While OIRA did not require any changes to the approved ICR, they did put PHMSA on notice about additional requirements that would be necessary for the next renewal of this ICR next spring. They noted that:

If PHMSA has not published a regulatory notice in the Federal Register seeking public comment on paperless hazard communication by the time PHMSA must publish a 60 day notice to extend OMB approval of this collection, PHMSA should include at least the following information in the 60 and 30 day notices for extending approval of this collection, in addition to the standard information required by the PRA:

• Identification and explanation of any technical and other barriers to paperless hazard communication by mode and environment (e.g., rural, urban) if applicable, and requests for public comment on ways to address those barriers;
• Identification and explanation of any safety problems associated with paperless hazard communication that are not present with paper-based hazard communication;
• Identification of safety, business and any other benefits associated with paperless hazard communication, by mode if possible; and
• At least rough estimates of the potential burden and cost reduction from fully allowing paperless hazard communication, by mode if possible, the methodology/inputs for the estimates, and request public comment on those estimates.

PHMSA will probably have to publish the 60-day ICR notice in the next couple of months to be able to get the comment period and time to review the responses before it becomes necessary to publish the 30-day notice before April 30th, 2018.

Commentary


This is not the first time that the Trump Administration’s OIRA has provided instructions to regulators to proactively move to electronic submission of information. This continues a regulatory theme that we have been seeing for the last couple of administrations. Not only will the electronic data collection reduce the data handling costs for the government, but it should provide at least some time burden reduction for industry.

As with my earlier post this morning, I do have some concerns about the cybersecurity protections for the data exchange process. If the data is submitted via email (a not very effective form of electronic data submission), this would provide a large number of emails (with attachments) from probably unauthenticated and unknown senders; a very sure method of increasing the general attack surface at PHMSA.

If, on the other hand, the data is directly provided to the database via a public web page, the security of that data can be subverted if the cybersecurity of the database (and the submission page) has not been properly implemented. More importantly, the cybersecurity protections need to be included in the design of the application and periodically reviewed and updated. This is an additional cost associated with electronic data submission that appears to be at least some what overlooked in the discussion of paperless government innovations.
 
/* Use this with templates/template-twocol.html */