Sunday, August 22, 2021

FMPC Sues PSSOO Over Pipeline Security Directive

On Friday the Friendly Morning Pipeline Company (FMPC) filed a suit in the 14th US District Court against the Pipeline Safety, Security and Operations Office (PSSOO) over its labeling of the most recent PSSOO pipeline security directive as Sensitive Security Information (SSI). SSI is part of the sensitive but unclassified (SBU) information protection system maintained by various agencies of the US government.

The suit claims that the PSSOO’s declaring the security directive to be SSI imposed an unreasonable financial burden on the pipeline company, because the SSI regulations required the company to install special computer equipment at each of its offices to store the directive and all associated files in accordance with the requirements of NIST SP 800-171. The lawsuit also alleges that the SSI requirements are an unlawful restraint of the company’s free speech right to discuss regulatory actions of a government agency.

Michael E. Thane, spokesperson for PSSOO, told reporters this morning that the agency had no comment on the lawsuit, explaining: “It is the policy of the Federal Government to not speak to the press about on-going litigation.”

Thane did, however, confirm that SDO2, the most recent PSSOO cybersecurity directive for pipelines, was labeled as SSI. “SDO2 contains detailed cybersecurity requirements for covered pipeline owner/operators;” Thane explained; “If adversaries of the United States had access to that information, it would allow them to bypass those security controls. That could imperil the safety and security of the United States.”

Werner Bergeron, a lawyer for StormFury, an environmental activist organization, has filed a friend-of-the-court brief in the lawsuit. In a press release issued today, Bergeron said: “It is not often that I agree with pipeline operators, but the PSSOO clearly overstepped its authority in the classification of SDO2. We are concerned that the application of the SSI label to a purely regulatory document inhibits public discussion about the appropriateness and legality of the regulatory requirements. It prevents organizations such as ours from reviewing the directive and commenting on its efficacy in protecting the environment.”

I talked with Kate Libby, spokesperson for Dragonfire Cyber. She confirmed that the company was working with a number of pipeline operators on implementing the controls outlined in SDO2. “I cannot comment on the specific requirements of SDO2 since that document is classified as SSI,” Kate told me; “But if a regulation required all covered facilities to implement two-factor authentication to access control system computers, that would be insufficient information for even a nation-state actor to bypass those controls. It would require specific information on what type of 2FA was being used and which specific software tool the facility was using to implement that requirement for an exploit to be crafted. I can tell you that SDO2 does not specify specific pieces of hardware, software or firmware.”

CAUTIONARY NOTE: This is a future news story –

Thursday, August 19, 2021

Meat Plant Wastewater Treatment Facility Shut Down

This morning Horst Sinderman, facility manager for the Intershop Meat Plant in Delano GA, announced that the facility would be shut down for at least a week. “Starting with the 11 to 9 shift today we are in an unplanned maintenance shutdown through next Thursday,” Sinderman told reporters; “In accordance with our employee contracts, we will be paying all hourly employees at the standdown rate.”

When asked about the reason for the shutdown, Sinderman explained that the facility’s wastewater treatment plant had experienced control system issues last night and the processing systems had to be shut down. “Since we cannot process our wastewater, we cannot continue the operation of the facility,” Sinderman said. Sinderman insisted that the computer problems were not the result of a cyberattack on the facility or of ransomware, but would not go into details about the problem.

A team from Dragonfire Cyber was seen entering the plant early yesterday evening, but there is no comment from company spokespersons about what the team was doing. “We do have a team on site helping Intershop with their control system issues,” Kate Libby, a Dragonfire spokesperson, told reporters; “I can confirm that the problems they are experiencing are not the result of outsider actions.”

An Intershop employee who was not authorized to speak with the press told me that the problem was due to actions taken by the facility IT team in response to a WaterISAC alert. “It was something called BadAlloc,” the employee told me; “The IT people installed an update and the whole system crashed.”

I asked Gen Turgidson about this BadAlloc problem at this morning’s press briefing at the National Critical Infrastructure Security Operations Center (CI-SOC). “I do not know anything about the specific problems at Intershop, but I can tell you that we are very concerned about the BadAlloc vulnerabilities that many control systems face.” He went on to explain that these vulnerabilities affect a number of real time operating systems. “Exploits of these vulnerabilities could lead to unexpected behavior such as a crash or a remote code injection/execution.”

Turgidson went on to explain that many of the affected operating systems do have new versions that are unaffected by the BadAlloc vulnerabilities. When I asked if installing one of these new versions could result in a system crash, Turgidson said that that would depend on a number of things. “We always suggest that updates be tested on off-line systems before being installed on operational systems,” he explained; “Every control system is a unique entity, and no one can predict the interactions between all of the active components of the system.”
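Turgidson’s description above covers the effect (a crash or remote code execution on an affected RTOS) but not the mechanism. BadAlloc, as publicly described in 2021, is a family of integer-overflow bugs in the size arithmetic of memory allocators: a count multiplied by an element size, or a requested size plus the allocator’s own chunk header, wraps around in 32-bit arithmetic, so the allocator hands back a chunk far smaller than the caller then fills. The following is an added example written for this page; it is not code from Intershop, Dragonfire Cyber or any RTOS vendor. The allocator names, the 8-byte chunk header, the message layout and the three sample messages are hypothetical constructions chosen to make both wrap cases visible.

```c
/*
 * Added example (not code from the page or any real RTOS): a minimal model
 * of the BadAlloc bug class, integer overflow in allocation-size arithmetic.
 * Function names, CHUNK_HDR, the message format and the sample messages are
 * hypothetical, constructed for illustration only.
 */
#include <stdint.h>
#include <stdio.h>

/* A 32-bit embedded target: sizes and size arithmetic are 32 bits wide. */
typedef uint32_t rtos_size_t;

/* Bookkeeping the (hypothetical) allocator prepends to every chunk. */
#define CHUNK_HDR 8u

enum outcome { ALLOC_OK = 0, ALLOC_REJECTED = 1, HEAP_OVERFLOW = 2 };

/* Vulnerable pattern: count*elem_size and the header add-on are both
 * computed in 32 bits with no overflow check, so either step can wrap. */
static rtos_size_t vuln_total_size(rtos_size_t count, rtos_size_t elem_size)
{
    rtos_size_t bytes = count * elem_size;      /* may wrap modulo 2^32 */
    return bytes + CHUNK_HDR;                   /* may wrap again */
}

/* Hardened pattern: refuse the request before either operation can wrap. */
static int safe_total_size(rtos_size_t count, rtos_size_t elem_size,
                           rtos_size_t *total)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return 0;                               /* multiplication would wrap */
    rtos_size_t bytes = count * elem_size;
    if (bytes > UINT32_MAX - CHUNK_HDR)
        return 0;                               /* header add-on would wrap */
    *total = bytes + CHUNK_HDR;
    return 1;
}

/* Simulated protocol handler. The first four bytes of an untrusted message
 * are a little-endian element count; the handler then copies count*4 bytes
 * into the chunk it obtained. Rather than execute the heap overflow, the
 * copy is modeled by comparing the bytes it would write against the usable
 * size of the chunk the allocator would actually hand back. */
enum outcome handle_message(const uint8_t *msg, int hardened)
{
    rtos_size_t count = (rtos_size_t)msg[0] | (rtos_size_t)msg[1] << 8 |
                        (rtos_size_t)msg[2] << 16 | (rtos_size_t)msg[3] << 24;
    const rtos_size_t elem_size = 4;
    rtos_size_t total;

    if (hardened) {
        if (!safe_total_size(count, elem_size, &total))
            return ALLOC_REJECTED;
    } else {
        total = vuln_total_size(count, elem_size);
    }

    /* Bytes the copy loop would really write, computed without wrapping. */
    uint64_t needed = (uint64_t)count * elem_size;
    /* Usable bytes in the returned chunk (0 if the wrapped total is smaller
     * than the header itself). */
    uint64_t usable = total >= CHUNK_HDR ? total - CHUNK_HDR : 0;

    return needed > usable ? HEAP_OVERFLOW : ALLOC_OK;
}

/* Constructed sample messages: only the count field, since the copy is
 * modeled rather than executed. */
static const uint8_t MSG_BENIGN[4]   = {0x03, 0x00, 0x00, 0x00}; /* 3 elements */
static const uint8_t MSG_MUL_WRAP[4] = {0x01, 0x00, 0x00, 0x40}; /* 0x40000001 */
static const uint8_t MSG_ADD_WRAP[4] = {0xFF, 0xFF, 0xFF, 0x3F}; /* 0x3FFFFFFF */

int main(void)
{
    const struct { const char *name; const uint8_t *msg; } cases[] = {
        {"benign", MSG_BENIGN}, {"mul-wrap", MSG_MUL_WRAP}, {"add-wrap", MSG_ADD_WRAP}
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-8s vulnerable=%d hardened=%d\n", cases[i].name,
               handle_message(cases[i].msg, 0), handle_message(cases[i].msg, 1));
    return 0;
}
```

The second sample (count 0x40000001) wraps the multiplication to 4 bytes; the third (count 0x3FFFFFFF) survives the multiplication check but wraps when the chunk header is added. The vulnerable path reports a heap overflow for both, the hardened path rejects both before allocating, and the benign message is accepted by both. A patched RTOS adds exactly these kinds of checks inside its allocator, which is also why an updated allocator can change behaviour for callers that were silently relying on the old arithmetic, the point Turgidson makes about testing updates off-line first.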

CAUTIONARY NOTE: This is a future news story –

Sunday, August 1, 2021

Robotron Reports Bug Bounty Program Hacked

Today Robotron reported that their bug bounty program, Robo Bug Report, had been hacked. “The unidentified hacker has had access to vulnerability reports from independent researchers for at least two months,” Erich Mielke, spokesperson for Robotron, told reporters this morning. The hack was discovered because a researcher reported a double payment for a reported vulnerability.

cYbrg0D announced on TWITTER® during the Robotron news conference that they were the researcher that reported the double payments. “Identical payments from different Robotron branded accounts from different banks – I got suspicious and reported the issue”, the TWEET read. Mielke confirmed that cYbrg0D was the researcher who initiated the investigation.

Gen Turgidson addressed the issue at the daily news conference for the National Critical Infrastructure Security Operations Center (CI-SOC) this morning. “Robotron has contacted us, and we are working with them to try to identify the extent of the problem,” Turgidson told reporters when asked about the Robotron announcement.

A CI-SOC staffer, speaking on background, told reporters that the concern here is that this was apparently a man-in-the-middle attack in which whoever was responsible was seeing the reported vulnerabilities before Robotron did. The problem is that the attacker has received at least 20 zero-day vulnerabilities that Robotron knows of. “There is no way of knowing how many zero-day vulnerabilities the attacker received and did not allow Robotron to know about,” the staffer explained.

Mielke reported that all of the communications about vulnerabilities in the Robo Bug Report program were encrypted. cYbrg0D responded on TWITTER, “The hackers did not pay me for a report they could not read – They have the Key”. Mielke responded when informed of cYbrg0D’s TWEET: “Our communications are secure.”

At the later CI-SOC press conference Turgidson, when asked about cYbrg0D’s comment, responded: “I think she has a point.”

Turgidson is asking all researchers who have submitted vulnerability reports to Robo Bug Report in the last six months to contact the German BIS, who are conducting the criminal investigation of the attack. “Do not contact Robotron directly,” Turgidson said, “They have not yet identified the full scope of the intrusion and thus their communications system security is suspect, at best.”

CAUTIONARY NOTE: This is a future news story –