Friday, April 26, 2024

Short Takes – 4-26-24

China's Shenzhou-18 mission docks with space station. Phys.org article. Pull quote: “They will also try and create an aquarium onboard and seek to raise fish in zero gravity, according to Xinhua.”

Operational Adjustments Resulting From Workforce Shortages. Federal Register Coast Guard request for comments. Summary: “We are requesting your comments on planned actions that will allow the Coast Guard to prioritize lifesaving missions and protection of the Marine Transportation System in light of current personnel shortages. Like other military services, the Coast Guard is facing an unprecedented workforce shortage that is impacting Service readiness. The current and forecasted extent of the shortage is prompting significant actions to best protect the American public and maintain Service readiness. If actions are not taken to adjust operations, we can anticipate longer-term impacts to mission effectiveness and increased risk to our service members, as well as to commercial mariners and private boaters. In addition to leveraging technology and enhancing recruitment and retention efforts, operational adjustments must be executed within the existing response system while maintaining standards and an adherence to core mission execution. These adjustments fall into two categories: First, in regions where multiple units could respond if they were resourced appropriately, boats and people will be consolidated at one or more units to ensure a robust response. Secondly, in areas where the Coast Guard operates limited, or seasonal units that do not have sufficient personnel to respond, operations will be temporarily paused as resources are moved to higher priority areas. These adjustments will remain in effect until the Coast Guard has sufficient personnel to reconstitute these units.” Comments due May 24th, 2024.

A new U.S. tool maps where heat will be dangerous for your health. ScienceNews.org article. Pull quote: ““You can put in your zip code and see current heat risk and air quality levels and a seven-day heat risk forecast for your area,” Mandy Cohen, director of the Centers for Disease Control and Prevention said April 22 at a news conference unveiling the tool, called HeatRisk. “So, you can plan your day and you can plan your week with your health in mind.”” NWS HeatRisk Tool: https://www.wpc.ncep.noaa.gov/heatrisk/

Colombia becomes first country to restrict US beef due to bird flu in dairy cows. Reuters.com article. Pull quote: “To date, no U.S. beef cattle have tested positive for bird flu, government officials said.” The big question is has anyone been testing beef cattle?

Traces of bird flu are showing up in cow milk. Here’s what to know. ScienceNews.org article. Pull quote: “Because H5N1 has only recently been found in cattle, no studies have directly tested milk pasteurization’s ability to kill the virus, the FDA said in a statement April 23. But studies have shown that egg pasteurization, which is done at lower temperatures than milk pasteurization, inactivates the virus.”

Freight train derails, catches fire near US-Mexico border causing road closures. TheHill.com article. Pull quote: “The train was carrying gasoline and odorless propane at the time of the derailment near Houck, Ariz. No injuries were reported as a result of the incident, according to New Mexico State Police.”

Forecasters predict record number of hurricanes. TheHill.com article. Pull quote: “The Penn forecast predicts between 27 and 39 named tropical storms, with the best estimate at 33 storms — the most of any forecast in the 15-year history of the project. An average season usually has about half that number.” Article also quotes CSU forecast for 24 named storms. 

Review - HR 7922 Introduced – Water Risk and Resilience Organization

Earlier this month, Rep Crawford (R,AR) introduced HR 7922 (no fancy name). The bill would require the EPA to craft regulations providing for the certification of an independent Water Risk and Resilience Organization (WRRO) seemingly similar to NERC in the electric sector. The bill would authorize $5 million per year through 2025 to establish the WRRO.

Moving Forward

Crawford is a member, as is his sole cosponsor {Rep Duarte (R,CA)}, of the House Transportation and Infrastructure Committee to which this bill was assigned for primary consideration. This means that there may be sufficient influence to see it considered in Committee. I expect that any number of small communities are going to pressure their representatives to oppose this legislation as it would end up increasing the costs of maintaining their water systems. Many mid- to large-size water systems will also object, again because of funding issues. I suspect that there will be significant bipartisan opposition to this bill based upon those objections. I do not expect this bill to move forward, especially since there is no cosponsor on the House Energy and Commerce Committee, to which this bill has been assigned for secondary consideration. That Committee is well known for guarding its prerogatives when it has even limited oversight responsibilities.

Commentary

This attempt to move cybersecurity oversight of water systems out from under the direct control of the EPA is fraught with problems. The first is funding; the two-year $5 million authorization under the bill is a pittance compared to what it will take to establish and operate an organization with this level of oversight. Again, based upon the NERC model, the crafters expect the WRRO to be funded from dues and fees from the covered water systems. Those fees will come on top of the costs of implementing the new cybersecurity requirements established by the WRRO. Since the vast majority of these systems are small, municipal-controlled systems, they are going to have a hard time funding required cybersecurity upgrades, much less the dues and fees assessed by the WRRO.

On a side note, this idea has some support in the water sector. In fact, the idea traces back at least as far as the American Water Works Association. You can see a brief look at their interpretation of the idea in an article on ACSH.org from May of last year. Needless to say, the AWWA will almost certainly support this bill.

 

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-7922-introduced - subscription required.

Thursday, April 25, 2024

Short Takes – 4-25-24

Dairy Cows Transported Between States Must Now Be Tested for Bird Flu. NYTimes.com article (free link). Pull quote: “While testing more cows is critical, so is reducing the risk of infection among dairy workers regularly exposed to fresh milk now thought to contain extensive virus, said Seema Lakdawala, a virologist at Emory University.”

GPT-4 Can Exploit Most Vulns Just by Reading Threat Advisories. DarkReading.com article. Pull quote: “With only their security advisories to go on, the AI agent was tasked with exploiting each bug in turn. The results of this experiment painted a stark picture. Of the 10 models evaluated — including GPT-3.5, Meta's Llama 2 Chat, and more — nine could not hack even a single vulnerability. GPT-4, however, successfully exploited 13, or 87% of the total.”

Boeing and NASA decide to move forward with historic crewed launch of new spacecraft. CNN.com article. Pull quote: ““This is an important capability for NASA. We signed up to go do this, and we’re gonna go do it and be successful at it,” Nappi said Thursday. “I don’t think of it in terms of what’s important for Boeing as much as I think of it as in terms of what’s important for this program.””

Macron’s Olympics terror nightmare. Politico.eu article. Pull quote: “The worst-case scenario, according to Regul, would be a coordinated cyber and terror attack, with the digital attack taking out crucial security or surveillance systems.”

CG Report for 2023 Cyber Trends in Maritime Environment

I ran into an interesting article over on IndustrialCyber.co looking at the recently released report from the Coast Guard Cyber Command. That report, “2023 Cyber Trends and Insights in the Marine Environment Report”, takes a look at last year’s trends in maritime cybersecurity. It is a 60-page report with lots of detail, so it is well worth reading. And Anna Ribeiro’s article provides a good overview.

The report includes a fairly detailed discussion (pgs 16-20) about the techniques that Cyber Protection Team (CPT) members used to gain entry to systems during their cybersecurity assessments. Nothing really fancy, certainly no 0-day exploits; just solid application of cybersecurity knowledge.

The discussion about strengthening OT networks (pgs 24-28), while short, is illuminating. The Cyber Command authors identify the “three common vulnerabilities present in almost every OT network” the CPT assessors looked at:

• Improperly segmented networks,

• End-of-life software, and

• Use of legacy protocols.

The OT hardening discussion then focuses on how to fix those issues first. Not a bad idea for any OT system.

The final thing I want to point out in the report is Appendix C, “Known Exploitable Vulnerabilities Detected on Cpt Missions”. This appendix lists the vulnerabilities found during CPT missions that are listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog. The number of KEVs found is remarkably small, but that is more than made up for by how old some of them are. The oldest KEV reported by the CPTs in the wild is an “Apache HTTP Server-Side Request Forgery (SSRF)” - CVE-2012-1823. Even being over a decade old, the CG cyber personnel found two instances of this vulnerability available for attack.
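The cross-check the appendix describes, matching what an assessment turned up against the KEV catalog and then looking at how old the matches are, is easy to automate. The script below is an added example (not code from the report, the Coast Guard or this blog): it indexes a catalog laid out like CISA’s KEV JSON feed, flags which findings are in it, and ranks them so the oldest actively exploited items come first. The catalog excerpt, the findings, the host names, the dates and the CVE-2099-* identifiers are constructed placeholders; CVE-2012-1823 is the identifier cited above.

```python
"""Cross-check assessment findings against a KEV-style catalog (added example)."""
import json
import re
from datetime import date

# Constructed catalog excerpt in the layout of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Records, dates and the CVE-2099-* ids are placeholders, not real catalog entries;
# CVE-2012-1823 is the identifier the report cites.
SAMPLE_KEV_JSON = """
{
  "title": "Example KEV-style catalog (constructed)",
  "vulnerabilities": [
    {"cveID": "CVE-2012-1823", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
     "vulnerabilityName": "Constructed entry for the report's oldest KEV",
     "dateAdded": "2022-01-01", "dueDate": "2022-01-15"},
    {"cveID": "CVE-2099-0001", "vendorProject": "PlaceholderVendor", "product": "PlaceholderPLC",
     "vulnerabilityName": "Placeholder entry", "dateAdded": "2024-03-01", "dueDate": "2024-03-22"}
  ]
}
"""

# Constructed assessment findings: (host, CVE) pairs as a scanner might export them.
SAMPLE_FINDINGS = [
    ("ot-hmi-01", "CVE-2012-1823"),
    ("ot-hmi-02", "CVE-2012-1823"),
    ("eng-ws-07", "CVE-2099-0001"),
    ("eng-ws-07", "CVE-2099-0002"),   # placeholder id that is NOT in the catalog
]

# Reference date for the age calculation (constructed; the date of this post).
AS_OF = date(2024, 4, 25)

CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")


def load_kev(json_text: str) -> dict:
    """Index a KEV-feed-shaped document by CVE id (ids normalised to upper case)."""
    doc = json.loads(json_text)
    return {entry["cveID"].upper(): entry for entry in doc["vulnerabilities"]}


def cve_year(cve_id: str) -> int:
    """The year embedded in a CVE id: a coarse proxy for how long a fix has existed."""
    m = CVE_RE.match(cve_id.upper())
    if not m:
        raise ValueError(f"not a CVE id: {cve_id!r}")
    return int(m.group(1))


def triage(findings, kev: dict, today: date):
    """One row per (host, CVE); KEV matches first, oldest first, then by id and host.

    Placeholder ids with a future year yield a negative age, which is harmless here.
    """
    rows = []
    for host, cve in findings:
        cve = cve.upper()
        entry = kev.get(cve)
        rows.append({
            "cve": cve,
            "host": host,
            "in_kev": entry is not None,
            "age_years": today.year - cve_year(cve),
            "due_date": entry["dueDate"] if entry else None,
            "name": entry["vulnerabilityName"] if entry else None,
        })
    rows.sort(key=lambda r: (not r["in_kev"], -r["age_years"], r["cve"], r["host"]))
    return rows


def kev_summary(rows):
    """Distinct KEV CVEs, total KEV findings, and the age of the oldest KEV match."""
    kev_rows = [r for r in rows if r["in_kev"]]
    return {
        "distinct_kev_cves": len({r["cve"] for r in kev_rows}),
        "kev_findings": len(kev_rows),
        "oldest_age_years": max((r["age_years"] for r in kev_rows), default=None),
    }


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    result = triage(SAMPLE_FINDINGS, catalog, AS_OF)
    for r in result:
        flag = "KEV" if r["in_kev"] else "   "
        print(f"{flag} {r['cve']:<15} {r['host']:<10} {r['age_years']:>3}y due={r['due_date']}")
    print(kev_summary(result))
```

Against the real feed the only change is reading the JSON from the downloaded file instead of the inline string; the `dueDate` column is the catalog’s remediation deadline for federal agencies and is a reasonable prioritisation cue for anyone else.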

This is a unique look at cybersecurity in the wild, well worth the read even if you have nothing to do with the maritime domain. 

Review – 4 Advisories and 4 Updates Published

Today, CISA’s NCCIC-ICS published four control system security advisories for products from Honeywell, Siemens and Hitachi Energy (2). They also updated advisories for products from Mitsubishi (2), Rockwell and Chirp Systems.

Advisories

Honeywell Advisory - This advisory describes 16 vulnerabilities in multiple Honeywell products.

Siemens Advisory - This advisory discusses a command injection vulnerability {that is listed on CISA’s Known Exploited Vulnerabilities (KEV) Catalog} in the Siemens RUGGEDCOM APE1808 application hosting platform.

Hitachi Energy Advisory #1 - This advisory describes two vulnerabilities in the Hitachi Energy MACH SCM product.

Hitachi Energy Advisory #2 - This advisory describes two unrestricted upload of files with dangerous type vulnerabilities in the Hitachi Energy RTU500 Series.

Updates

Mitsubishi Update #1 - This update provides additional information on the MELSEC Series CPU Module advisory that was originally published on May 23rd, 2023 and most recently updated on March 14th, 2024.

Mitsubishi Update #2 - This update provides additional information on the MELSEC iQ-R Series/iQ-F Series advisory that was originally published on June 6th, 2023.

Rockwell Update - This update provides additional information on the 5015-AENFTXT advisory that was originally published on April 11th, 2024.

Chirp Systems Update - This update provides additional information on the Chirp Access advisory that was originally published on March 7th, 2024 and most recently updated on April 23rd, 2024.

 

For more information on these advisories, including a brief commentary on the Chirp Systems update, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-and-4-updates-published - subscription required.

Review - S 4045 Introduced – East Palestine Health Monitoring

Last month, Sen Vance (R,OH) introduced S 4045, the East Palestine Health Impact Monitoring Act of 2024. The bill would require HHS to conduct a study on the health effects of the 2023 East Palestine, OH train derailment. The bill would authorize $2 million per year through 2028 for the study.

Moving Forward

While Vance is not a member of the Senate Health, Education, Labor, and Pensions Committee to which this bill was assigned for consideration, one of his three cosponsors {Sen Casey (D,PA)} is a member. This means that there may be sufficient influence to see this bill considered in Committee. I would expect to see some Republican opposition to this bill because the results of such a study would likely be used to justify additional lawsuits against Norfolk Southern, the railroad involved in the incident. Still, I expect that the bill would have sufficient bipartisan support to pass in Committee. I do not expect to see this bill reach the floor of the Senate, though its language could be expected to be offered as an amendment to the DOT spending bill or transportation authorization bill.

Commentary

This is a little bit late (but better late than never) to be starting this sort of post-accident health effects study. To be most effective, this should start within hours or days of the incident. That cannot, of course, happen if we need to rely on the local congressional delegation to put together study legislation and attempt to push it through Congress each time such accidents happen. There should be statutes in place to require the EPA, DOT, and HHS to conduct such studies any time a significant chemical release occurs. DOT should fund studies for transportation-related incidents and the EPA for fixed-site accidents.

 

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-4045-introduced - subscription required.

Review - S 3773 Introduced – HHS Cybersecurity Testing

In February, Sen Rubio (R,FL) introduced S 3773, the Strengthening Cybersecurity in Health Care Act. The bill would require the Health and Human Services Department Inspector General to conduct penetration tests and other testing procedures to determine how systems processing, transmitting, or storing mission critical or sensitive data by, for, or on behalf of the Department are currently, or could be, compromised. No new funding is provided by the bill.

Moving Forward

While Rubio is not a member of the Senate Health, Education, Labor, and Pensions Committee to which this bill was assigned for consideration, one of his three cosponsors {Sen Hassan (D,NH)} is a member. This means that there may be sufficient influence to see the bill considered in Committee. I do not see anything that would engender any organized opposition to the bill. I suspect that there would be some level of bipartisan support for the legislation if it were considered.

This bill is not politically important enough to consume the time necessary for consideration in the Senate under regular order. This bill might be able to pass under the Senate’s unanimous consent process, but that process always faces the potential for opposition unrelated to the provisions of the bill. This bill is well suited to being included in the annual HHS spending bill and Rubio, a member of the Senate Appropriations Committee, is well placed to see that happen.

Commentary

HHS has little in the way of internal clinics that might be affected by such testing, so it is unlikely that there will be any medical devices covered by the requirements of this bill. I really mention it here because of the unique requirement for IG cybersecurity testing. This is well within the scope of operations of inspectors general, if probably outside of the existing skill sets for those organizations. While not wishing to see CISA’s prominence in government cybersecurity efforts diminished, I think that this might be a good requirement for each inspector general office in the federal government. And it might provide an interesting internal skill set that could be used in other IG investigations.

 

For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-3773-introduced - subscription required.
