Saturday, December 9, 2017

NIST Publishes 2nd Draft for CSF 1.1 for Comment

This week the National Institute of Standards and Technology (NIST) published its second draft of version 1.1 of the Cybersecurity Framework (CSF) and a fact sheet that broadly outlines the changes made to the CSF.

The fact sheet makes the point that the revised CSF is applicable to information technology, operational technology, cyber-physical systems, and the Internet of Things. Since the original CSF Core already included the references to ISA 62443-2-1:2009 and ISA 62443-3-3:2013 that appear in this revision, the new version does not seem to change much with respect to OT/IoT security.

OT/IOT Changes

In fact, if you look at the list of changes made to the CSF (starting at page 50) there are only four references to OT/IOT changes:

• Section 1.0 (pg 7): ‘Framework Introduction’ was updated to reflect security implications of a broadening use of technology (e.g. ICS/CPS/IoT) and to more clearly define Framework uses;
• Appendix C (pg 53): ‘Acronyms’ - was modified to include CPS - Cyber-Physical Systems;
• Appendix C (pg 53): ‘Acronyms’ – was modified to include IoT - Internet of things;
• Appendix C (pg 53): ‘Acronyms’ - was modified to include OT - Operational Technology

The introduction section discussion referenced above addresses OT/IOT security issues this way:

“The critical infrastructure community includes public and private owners and operators, and other entities with a role in securing the Nation’s infrastructure. Members of each critical infrastructure sector perform functions that are supported by the broad category of technology, including information technology (IT), industrial control systems (ICS), cyber-physical systems (CPS), and connected devices more generally, including the Internet of Things (IoT). This reliance on technology, communication, and interconnectivity has changed and expanded the potential vulnerabilities and increased potential risk to operations. For example, as technology and the data it produces and processes is increasingly used to deliver critical services and support business decisions, the potential impacts of a cybersecurity incident on an organization, the health and safety of individuals, the environment, communities, and the broader economy and society should be considered.”

Unfortunately, the terms ‘CPS’ and ‘IoT’ are not used in the revised CSF Core. In short, the CSF still does not address the specific cyber-physical consequences of security breaches in OT/IoT systems.

Suggested OT/IOT Changes

Unfortunately, this revision to the CSF still does not adequately address the potential cyber-physical consequences of a cybersecurity incident. At a minimum, the core should have an additional subcategory under Risk Assessment:

ID.RA-X: Worst-case cyber-physical events that affect on-site operations and/or the off-site community are identified.

This would then lead to requiring an additional Risk Management Strategy subcategory:

ID.RM-X: Appropriate emergency response agencies are notified of potential off-site community effects of cyber-physical incidents.

The on-site effects on operations would be addressed by the current ID.RA-4. To make that application clear, I would reword the subcategory to read: “Potential business impacts (including on-site and off-site effects of cyber-physical incidents) and likelihoods are identified.”

Broadening Information Security Focus

While the wording of the introduction to the CSF indicates that NIST intends to broaden the focus of the CSF to include OT/IoT security, there are still a number of references to ‘information security’ in the CSF Core that should be revised to reflect that broadened focus. For example, ID.GV-1 still refers to ‘information security’ when the intent should be the broader ‘cybersecurity’; the wording should be changed accordingly. Similar wording changes need to be made to ID.GV-2, ID.SC-3, PR.AT, and PR.AT-5.

Public Input

NIST is asking for public input on this second draft for CSF 1.1. Comments need to be submitted by January 19th, 2018. Comments can be submitted by email to

NOTE: A copy of this blog post was submitted as a comment to NIST on 12-9-17 14:50 EST.

Public ICS Vulnerability Disclosures – Week of 12-03-17

Yesterday Joel Langill pointed out a vulnerability report from ABB that was published over two weeks ago. The report addresses an authentication vulnerability in the ABB Ellipse 8 products. The ABB report notes that the vulnerability exists in the implementation of the Lightweight Directory Access Protocol (LDAP) that would allow an attacker with local network access to sniff the unsecured authentication credentials sent between the Ellipse device and the LDAP/AD server.
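The exposure the ABB report describes is a property of how LDAP authentication is carried, not of any one product: in an LDAPv3 simple bind the password crosses the network as a plain BER OCTET STRING, so anyone who can see the TCP/389 traffic reads it directly unless the session is wrapped in TLS (LDAPS or STARTTLS). The Python below is an added example, not code from the ABB report or from this blog; it assumes the Ellipse case is a simple bind over unencrypted LDAP (the usual way this class of finding arises, though the report as summarized here does not say). It parses a BindRequest the way a passive sniffer would and flags cleartext simple binds. The DN, password and SASL mechanism are constructed test data, and the `tls_active` flag stands in for what a real capture would show about whether TLS was in use.

```python
"""Decode LDAP BindRequests and flag cleartext simple binds (RFC 4511, X.690 BER)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# BER tags seen in LDAP bind traffic
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
AUTH_SIMPLE = 0x80    # [0] simple password, primitive
AUTH_SASL = 0xA3      # [3] SaslCredentials, constructed

def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(n: int) -> bytes:
    """Minimal two's-complement INTEGER (enough for messageID and version)."""
    return tlv(INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos); reject truncated or oversized lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        if not 1 <= nbytes <= 4 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

@dataclass
class BindInfo:
    message_id: int
    version: int
    dn: str
    mechanism: str           # "simple" or "sasl/<mechanism>"
    password: Optional[str]  # recovered only from simple binds

def parse_bind_request(pkt: bytes) -> Optional[BindInfo]:
    """Parse one LDAPMessage; BindInfo for a BindRequest, None for any other op."""
    tag, msg, _ = read_tlv(pkt, 0)
    if tag != SEQUENCE:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    tag, mid, pos = read_tlv(msg, 0)
    if tag != INTEGER:
        raise ValueError("messageID must be an INTEGER")
    tag, op, _ = read_tlv(msg, pos)
    if tag != BIND_REQUEST:
        return None
    vtag, ver, pos = read_tlv(op, 0)
    ntag, name, pos = read_tlv(op, pos)
    atag, auth, _ = read_tlv(op, pos)
    if vtag != INTEGER or ntag != OCTET_STRING:
        raise ValueError("malformed BindRequest")
    mid_v, ver_v = (int.from_bytes(b, "big", signed=True) for b in (mid, ver))
    dn = name.decode("utf-8", errors="replace")
    if atag == AUTH_SIMPLE:  # the password is a plain OCTET STRING on the wire
        return BindInfo(mid_v, ver_v, dn, "simple", auth.decode("utf-8", errors="replace"))
    if atag == AUTH_SASL:    # SaslCredentials: mechanism name, then optional credentials
        _, mech, _ = read_tlv(auth, 0)
        return BindInfo(mid_v, ver_v, dn, "sasl/" + mech.decode("utf-8", errors="replace"), None)
    raise ValueError(f"unknown AuthenticationChoice tag 0x{atag:02x}")

def build_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """Encode an LDAPv3 simple bind (constructed test data, not a real capture)."""
    op = ber_int(3) + tlv(OCTET_STRING, dn.encode()) + tlv(AUTH_SIMPLE, password.encode())
    return tlv(SEQUENCE, ber_int(message_id) + tlv(BIND_REQUEST, op))

def build_sasl_bind(message_id: int, mechanism: str) -> bytes:
    """Encode a SASL bind with empty DN and no initial credentials (constructed)."""
    op = ber_int(3) + tlv(OCTET_STRING, b"") + tlv(AUTH_SASL, tlv(OCTET_STRING, mechanism.encode()))
    return tlv(SEQUENCE, ber_int(message_id) + tlv(BIND_REQUEST, op))

def audit_binds(packets: List[bytes], tls_active: bool = False) -> List[str]:
    """What a passive observer learns from each bind; tls_active = LDAPS or post-STARTTLS."""
    findings = []
    for info in filter(None, map(parse_bind_request, packets)):
        if info.mechanism == "simple" and not tls_active:
            findings.append(f"CLEARTEXT simple bind: dn={info.dn!r} password={info.password!r}")
        elif info.mechanism == "simple":
            findings.append(f"simple bind inside TLS: dn={info.dn!r} (password not observable)")
        else:
            findings.append(f"{info.mechanism} bind: dn={info.dn!r} (credentials handled by SASL)")
    return findings
```

Feeding `audit_binds([build_simple_bind(1, "cn=svc-app,ou=Services,dc=example,dc=com", "Winter2017!"), build_sasl_bind(2, "GSSAPI")])` a constructed pair of binds returns one CLEARTEXT finding with the password spelled out and one SASL/GSSAPI line with nothing recoverable, which is the difference between the two ways an application server can authenticate to AD. On a real network the same check belongs in a passive sensor on the span port watching TCP/389, and the fix on the server side is to require LDAPS or STARTTLS (or a signing-and-sealing SASL mechanism) before any bind is accepted.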

As with any vulnerability that is found in an implementation of an industry-wide standard, the question arises: what other vendors are using the same vulnerable implementation?

NOTE: The ABB report states that the vulnerability was reported in a “responsible disclosure”, but does not name the researcher making the disclosure.

Friday, December 8, 2017

Senate Sends CR to President

Yesterday, shortly after action was complete in the House, the Senate passed HJ Res 123, Further Continuing Appropriations Act, 2018, by a largely bipartisan vote of 82 to 14. The 14 Nays included 6 Republicans and 7 Democrats (and 1 Independent). The CR would extend the current spending (at FY 2017 rates) until December 22nd, 2017.

No procedural votes preceded the consideration of the bill indicating that a strong deal had been achieved to ensure passage of the bill. The 30 minutes of debate allocated for the bill only drew two speakers; one of which spent the time praising his home State of Alaska; 8 minutes of the ‘debate’ went unused.

The Congress now has an additional two weeks to try to come up with a final spending deal for FY 2018. There has been some discussion in the press of potentially seeing an additional CR carrying the current spending over until January.

Thursday, December 7, 2017

House Approves Short Term CR

This afternoon the House approved HJ Res 123, the Further Continuing Appropriations Act, 2018 by a very slightly bipartisan (18 Republicans voted Nay and 14 Democrats voted Aye) vote of 235 to 193. This short-term continuing resolution will extend the current spending bill until December 22nd.

The 14 Democrats voting for the measure may be an indication that enough Democrats will vote at least procedurally for the bill tomorrow in the Senate to allow it to come to a final vote. Congress has until Friday night at midnight to get a CR to the President to continue government operations.

A lot of details and deals have to be worked out before the final FY 2018 spending is approved.

ICS-CERT Publishes 3 Advisories and 1 Alert

Today the DHS ICS-CERT published three control system security advisories for products from Phoenix Contact, Rockwell and Xiongmai Technology. They also published a control system security alert for a WAGO programmable logic controller (PLC).

Phoenix Contact Advisory

This advisory describes a cross-site scripting vulnerability in the Phoenix Contact FL COMSERVER, FL COM SERVER, and PSI-MODEM/ETH industrial networking equipment. The vulnerability was reported by Maxim Rupp. Phoenix Contact has released new firmware versions to mitigate the vulnerability. There is no indication that Rupp was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to change configuration variables on the device. The VDE-CERT advisory notes that network access is required to exploit the vulnerability.

Rockwell Advisory

This advisory describes an improper input validation vulnerability in the Rockwell FactoryTalk Alarms and Events component of the FactoryTalk Services Platform. The vulnerability was reported by an unnamed major oil and gas company. ICS-CERT reports that newer versions or existing patches mitigate the vulnerability.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause a denial of service condition in the history archiver service running on FactoryTalk Alarms and Events.

QUESTIONS: Does it seem odd to anyone else that a ‘major oil and gas company’ would be using an out-of-date version of this product? Or is this a problem that is endemic to the ICS user community? Did Rockwell notify their customers (or even just their major customers) when they discovered and fixed this vulnerability? (It does not sound like it.)

Xiongmai Technology Advisory

This advisory describes a stack-based buffer overflow vulnerability in the Xiongmai IP Cameras and DVRs. The vulnerability was reported by Clinton Mielke. ICS-CERT reports that Xiongmai has not responded to requests to coordinate with NCCIC/ICS-CERT.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause the device to reboot and return to a more vulnerable state in which Telnet is accessible.

WAGO Alert

This alert describes an unconfirmed improper authentication vulnerability in the WAGO PFC200 PLC. This is the vulnerability that I discussed almost a week ago. SEC Consult reported that they had coordinated with CODESYS and that the vendor was planning on issuing a patch next month.

I am not sure why ICS-CERT issued an alert for the WAGO vulnerability and an advisory for the Xiongmai vulnerability. It would seem to me that those reporting formats probably should have been reversed.

NOTE: There is still no word on the Hikvision vulnerability that I reported in the same blog post as this WAGO vulnerability.

Bills Introduced – 12-06-17

Yesterday with both the House and Senate in session, there were 35 bills introduced. Of those, one may be of specific interest to readers of this blog:

HR 4569 To require counterterrorism information sharing coordination, and for other purposes. Rep. Gallagher, Mike [R-WI-8]

I will be watching this bill to see if it addresses the problems associated with trying to share classified information with the private sector.

Wednesday, December 6, 2017

Rule Approved for Short Term CR

This afternoon the House Rules Committee met, in part, to approve the rule for the consideration of HJ Res 123, the Further Continuing Appropriations Act, 2018, a short term continuing resolution extending the current CR (PL 115-56) until December 22nd, 2017. The Committee approved a closed rule with one hour of debate and no amendments.

I had noted in an earlier post that the extension date might be extended to December 30th, but that was not done. This means that there will only be two weeks before Congress will have to take action again on the FY 2018 spending. At this point, it looks like that next bill will be another CR until sometime early next year. If that happens, Congress will likely take a two-week recess for Christmas.