Review – BIS Publishes Security ICTS Supply Chain (UAS) ANPRM

Friday, the DOC’s Bureau of Industry and Security (BIS) published an advanced notice of proposed rulemaking (ANPRM) in the federal register (90 FR 271-279) on “Securing the Information and Communications Technology and Services Supply Chain: Unmanned Aircraft Systems”. This ANPRM is looking at implementing the securing the information and communications technology and services supply chain requirements of EO 13873 with regards to unmanned aircraft systems that are designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries.

Background

In EO 13873, President Trump declared a national emergency with respect to the “unrestricted acquisition or use in the United States of information and communications technology or services designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries augments the ability of foreign adversaries to create and exploit vulnerabilities in information and communications technology or services, with potentially catastrophic effects, and thereby constitutes an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.”

In the EO the term ‘information and communications technology or services’ is defined as “any hardware, software, or other product or service primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means, including transmission, storage, and display”.

Potential Rule

BIS is considering developing a new regulation that could include mitigation measures and prohibitions addressing:

• Onboard computers responsible for processing data and controlling UAV flight

• Communications systems including, but not limited to, flight controllers, transceiver/receiver equipment, proximity links such as Global Navigation Satellite Systems (GNSS) sensors, and flight termination equipment,

• Flight control systems responsible for takeoff, landing, and navigation, including, but not limited to, exteroceptive and proprioceptive sensors,

• Ground control stations (GCS) or systems including, but not limited to, handheld flight controllers

• Operating software including, but not limited to, network management software,

• Mission planning software,

• Intelligent battery power systems,

• Local and external data storage devices and services, and

• Artificial intelligence (AI) software or applications.

Solicitation for Comments

BIS is soliciting public comments on these questions to advance their rulemaking process. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # BIS-2024-0058). Comments should be submitted by March 4^th, 2025.

Commentary

I am disappointed that BIS did not include any questions about cybersecurity protections for UAS, and how the applications (or absence) of such protections could mitigate the risks discussed in this ANPRM. I would like to propose two questions that could provide additional information necessary for the BIS rulemaking:

 

• What cybersecurity controls are in place that could prevent unauthorized access/control of UAS?

• What aftermarket applications are available for UAS that could mitigate unauthorized access/control of UAS?

• Could additional cybersecurity controls be developed that would prevent unauthorized access/control of UAS?

 

For more information on this ANPRM, including discussion about the information that BIS is looking for, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bis-publishes-security-icts-supply - subscription required.

OMB Approves Revised DIB Incident Reporting ICR – 1-3-24

On Friday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a revision of an information collection request from DOD on “DoD's Defense Industrial Base (DIB) Cybersecurity (CS) Activities Cyber Incident Reporting”. This ICR supports the incident reporting requirements of 10 USC 393.

The table below shows the revised burden estimate approved by OIRA:

The revised burden estimate is based upon the actual reporting conducted in 2021, 2022, and 2023.

Bills Introduced – 1-3-24

Friday, under the shadow of the election of the Speaker of the House, there were 233 bills introduced in the House and Senate. Two of those bills will receive additional coverage in this blog:

HR 108 To allow the Administrator of the National Aeronautics and Space Administration to establish a research center for deep space and interplanetary research, and for other purposes. Biggs, Andy [Rep.-R-AZ-5]

HR 128 To require the Assistant Secretary for the Countering Weapons of Mass Destruction Office of the Department of Homeland Security to treat illicit fentanyl as a weapon of mass destruction, and for other purposes. Boebert, Lauren [Rep.-R-CO-4] 

NOTE 1: Eighty of the 214 bills introduced in the House were introduced by Rep Biggs (R, AZ). This is not really surprising, because he introduced 720 bills in the 118^th Congress. Only five of those bills passed in the House, and one ended up being vetoed by President Biden (the House was unable to override that veto). Biggs is a prolific crafter of partisan legislation, but lacks the influence to see these bills become law.

NOTE 2: I am going to try to track space related bills in earnest this session under my #SpaceGeek tag.

118th Legislation Housekeeping – 1-5-24

No new reports were published this week.

Texts of two bills were published:

HR 10320 - New Space Age Act of 2024, and

HR 10333 - Defense Hackathon Act of 2024

Short Takes – 1-4-25

Space debris crash in Kenya village believed to be from leftover rocket hardware. Space.com article. Pull quote: “An early review by Inside Outer Space of the Aerospace Corporation’s Center for Orbital and Reentry Debris Studies (CORDS) Reentry Database suggested a possible link to an incoming rocket body associated with an Atlas Centaur launch back in 2004.”

NASA's Parker Solar Probe beams home 1st detailed update after record-breaking approach to the sun. Space.com article. Pull quote: “On Wednesday (Jan. 1), mission control at Johns Hopkins University's Applied Physics Laboratory in Maryland began receiving the Parker Solar Probe's first telemetry — or housekeeping data — that confirms Parker's systems and science instruments are "healthy and operating normally" after its historic rendezvous with the sun, NASA shared in an update on Thursday (Jan. 2).”

SpaceX's Starship to deploy mock satellites in next test. Reuters.com article. Pull quote: “"While in space, Starship will deploy 10 Starlink simulators, similar in size and weight to next-generation Starlink satellites as the first exercise of a satellite deploy mission," SpaceX said in a blog post on its website.”

Trains halted, FBI involved: Explosive device found on train car in Treasure Valley. IdahoStateman.com article. Pull quote: ““There was nothing discovered or disclosed by the suspect in this case that would tie him to any kind of terrorist organization,” Marshall said.”

Chemical Incident Reporting – Week of 12-28-24

NOTE: See here for series background.

Clovis, NM – 12-30-24

Local News Report: Here, here, here, and here.

There was a chemical spill at a cheese manufacturing facility which resulted in the mixture of an acid and ‘chlorine’ (most likely a bleach cleaning solution). The reaction produced chlorine gas. 20 people were transported to local hospitals. At least four were reported admitted to one hospital for observation. Two others were reported in critical condition at another hospital.

 

CSB reportable.

Review – Public ICS Disclosures – Week of 12-28-24

This week we have three vendor disclosures from HPE and Moxa (2). There are two vendor updates from Moxa and Palo Alto Networks. We have six researcher reports of vulnerabilities in products from ABB (5) and Four-Faith. Finally, we have an exploit for a vulnerability in products from Palo Alto Networks.

Advisories

HPE Advisory - HPE published an advisory that discusses seven vulnerabilities (three with publicly available exploits) in their OSS Console (UOC) and Unified OSS Console Assurance Monitoring (UOCAM) products.

Moxa Advisory #1 - Moxa published an advisory that describes two vulnerabilities in multiple Moxa products.

Moxa Advisory #2 - Moxa published an advisory that describes a cryptographic algorithm security enhancement in their TN-G4500 Series products.

Updates

Moxa Update - Moxa published an update for their VPort 07-3 Series advisory that was originally published on December 4^th, 2024.

Palo Alto Networks Update - Palo Alto Networks published an update for their Firewall Denial of Service advisory that was originally published on December 26^th, 2024.

Research Reports

ABB Reports - Zero Science published five reports about vulnerabilities (all with publicly available exploits) in the ABB Cylon Aspect.

Flour-Faith Report - VulnCheck  published a report that describes an OS command injection (which has been exploited in the wild) vulnerability in the Four-Faith industrial routers.

Exploits

Palo Alto Networks Exploit - WatchTowr published a Metasploit module for two vulnerabilities in the Palo Alto Networks PAN-OS management web interface.

 

For more information on these disclosures, including links to 3rd party vulnerabilities and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-12-a07 - subscription required.