Thursday, October 17, 2024

Review – 5 Advisories and 2 Updates Published – 10-17-24

Today, CISA’s NCCIC-ICS published five control system security advisories for products from Kieback&Peter, HMS, Mitsubishi Electric, LCDS, and Elvaco. They also published two updates for products from goTenna.

Advisories

Kieback&Peter Advisory - This advisory describes three vulnerabilities in the Kieback&Peter DDC4000 series building automation controllers.

HMS Advisory - This advisory describes an insufficiently protected credentials vulnerability in the HMS EWON FLEXY 202 industrial modular gateway.

Mitsubishi Advisory - This advisory describes an improper validation of specified quantity in input vulnerability in the Mitsubishi CNC products.

LCDS Advisory - This advisory describes a cross-site scripting vulnerability in the LCDS LAquis SCADA HMI program.

Elvaco Advisory - This advisory describes four vulnerabilities in the Elvaco CMe3100 metering gateway.

Updates

GoTenna Update #1 - This update provides additional information on the Pro ATAK Plugin advisory that was originally published on September 26th, 2024.

GoTenna Update #2 - This update provides additional information on the Pro X and Pro X2 advisory that was originally published on September 26th, 2024.


For more information on these advisories see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-advisories-and-2-updates-published-bb1 - subscription required.

Short Takes – 10-17-24 – Space Geek Edition

The quest to figure out farming on Mars. TechnologyReview.com article. Pull quote: ““Mars is six to nine months away. If you lose a food source, you may not be able to survive the wait for a resupply mission,” he says. The solution is diversity. There should be frozen food rations. Some things should be grown hydroponically. Some things should be grown in regolith. If one system fails, you still have the others to help you restart. It’s just good safety practice, he says, but more than that, if we are serious about making Mars a home, we must use the skills that make us special. Agriculture must surely be at the top of that list.”

Planning for life on Mars. Nature.com article. Pull quote: “In modern agriculture, those techniques are already used to protect crops. And research to understand how to help food grow in harsh conditions won’t be wasted if it doesn’t get to Mars. That’s because restoring infertile, degraded soil that’s been damaged by climate change, or events such as flash flooding and droughts, will become more and more important in the future.”

Out-of-This-World Simulation Key to Collecting Moon Dust. NewsWise.com article. Pull quote: “Using a virtual model of regolith can also reduce the barriers to entry for people looking to develop lunar robots. Instead of needing to invest in expensive simulants (artificial dust with the same properties as regolith), or have access to facilities, people developing lunar robots could use this simulation to carry out initial tests on their systems.”

SpaceX plans to catch Starship upper stage with 'chopsticks' in early 2025, Elon Musk says. Space.com article. Pull quote: “But SpaceX also envisions launching many Starship missions to Earth orbit — for example, to continue building out its huge Starlink broadband megaconstellation, and to help refuel other Starships that are bound for distant realms. Launch-mount landings make sense for these craft, allowing them to fly to and from Earth orbit quickly and efficiently.”

NASA weighing options for continuous human presence in LEO after ISS. SpaceNews.com article. Pull quote: ““As soon as we have that minimum capability that we need, we will deorbit the ISS,” Gatens added. That minimum capability, she said, was the USDV [US deorbit vehicle] and at least one commercial station. “Those two conditions need to be met.””

NASA further delays first operational Starliner flight. SpaceNews.com article. Pull quote: ““The timing and configuration of Starliner’s next flight will be determined once a better understanding of Boeing’s path to system certification is established,” NASA said in its statement about the 2025 missions. “NASA is keeping options on the table for how best to achieve system certification, including windows of opportunity for a potential Starliner flight in 2025.””

Wednesday, October 16, 2024

Short Takes – 10-16-24

Routine dental X-rays are not backed by evidence—experts want it to stop. ArsTechnica.com article. Pull quote: “The [American Dental Association] association's guidelines from 2012 recommended that adults who don't have an increased risk of dental caries (myself included) need only bitewing X-rays of the back teeth every two to three years. Even people with a higher risk of caries can go as long as 18 months between bitewings. The guidelines also note that X-rays should not be preemptively used to look for problems: "Radiographic screening for the purpose of detecting disease before clinical examination should not be performed," the guidelines read. In other words, dentists are supposed to examine your teeth before they take any X-rays.”

Axiom Space, Prada Unveil Spacesuit Design for Moon Return. AxiomSpace.com press release. Pull quote: “The AxEMU incorporates multiple redundant systems and an onboard diagnostic system to ensure safety for crewmembers. The suit also uses a regenerable carbon dioxide scrubbing system and a robust cooling technology to remove heat from the system. It includes advanced coatings on the helmet and visor to enhance the astronauts’ view of their surroundings, as well as custom gloves made in-house featuring several advancements over the gloves used today. The spacesuit architecture includes life support systems, pressure garments, avionics and other innovative systems to meet exploration needs and expand scientific opportunities.”

Senate Republicans pump brakes on year-end omnibus. TheHill.com article. Pull quote: “If Harris defeats Trump and Democrats win the House majority, it’s unclear if Johnson would even remain as minority leader in the House. He might face less pressure, however, on the subject of the omnibus.”

Energy-thirsty indoor vertical gardens ripe for improvement. NewsWise.com article. Pull quote: “"As these systems become more mainstream, improvements in design and energy management will make them more sustainable. Transitioning to renewable energy sources would further enhance their environmental benefits,” Prof Lombi says.”

Widespread ice deposits on the moon. ScienceDaily.com article. Pull quote: “"We can't accurately determine the volume of the PSRs' ice deposits or identify if they might be buried under a dry layer of regolith. However, we expect that for each surface 1.2 square yards (square meter) residing over these deposits there should be at least about five more quarts (five more liters) of ice within the surface top 3.3 feet (meter), as compared to their surrounding areas," said McClanahan. The study also mapped where fewer, smaller, or lower-concentration ice deposits would be expected, occurring primarily towards warmer, periodically illuminated areas.” Journal article here.

The federal government is likely to receive a record number of FOIA requests again in 2024. GovExec.com article. Pull quote: “Moreover, AI can assist in maintaining the security of sensitive and confidential information, a critical concern for government agencies. Many FOIA requests involve documents that contain classified, personal, or legally protected information. AI systems can be trained to recognize these types of content and apply redactions automatically, helping ensure that sensitive information is not inadvertently released.” Let’s hope that these AI systems are not hackable.

Review – HR 9770 Introduced – Cyber PIVOTT Act

Last month, Rep Green (R,TN) introduced HR 9770, the Providing Individuals Various Opportunities for Technical Training to Build a Skills-Based Cyber Workforce (Cyber PIVOTT) Act of 2024. The bill would require CISA to “establish education and training programs and facilitate internship and post-graduation Federal job opportunities at participating institutions”. No new funding would be authorized by this legislation.

This bill would amend the Homeland Security Act of 2002 by adding a new section: §1334, CISA education and training programs and resources.

Moving Forward

On September 25th, the House Homeland Security Committee held a business meeting where they considered 21 pieces of legislation, one of which was HR 9770. The bill was amended (the amendment text is not currently available) and ordered to be reported favorably by a vote of 27 to 0. Once the Committee report is published, the bill will be available for consideration by the full House. The strongly bipartisan vote in Committee means that the bill will likely be brought to the floor under the suspension of the rules process and would be expected to pass with similar bipartisan support.

Commentary

While this bill may appear to be important for increasing the cybersecurity knowledge base of the federal government, it is lacking one major component: funding. The crafters of the bill accept no responsibility for the cost of the new program, leaving it up to the House Appropriations Committee to figure out the funding level necessary to support the new program as well as to determine where that funding will come from. Given the Republicans’ desire to reduce federal spending, and because of how late in the session this bill would be passed (if that happens at all), there will almost certainly be no funding for this bill in FY 2025. If the Republicans retain control of the House after November 5th, there would likely be no funding for the legislation through FY 2027. With one of the cosponsors {Rep Guest (R,MS)} on the House Appropriations Committee, this fact is almost certainly understood by the crafters of the bill, making this a posturing bill, not a real attempt to address the cybersecurity staffing issue.


For more information about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-9770-introduced - subscription required. 

Tuesday, October 15, 2024

Short Takes – 10-15-24

'Shocking': Bird-Flu Infected Cattle Dumped at California Roadside. Newsweek.com article. Pull quote: “Raudabaugh added, "There are so many cattle passing away from avian influenza that the rendering trucks are backed up, which is why [the cattle] had been left there for a period of time."” Bird flu has had a relatively low death rate in cows; apparently something has changed.

Photoswitch brings energy storage and a cool efficiency boost to photovoltaics. ChemistryWorld.com article. Pull quote: “They added the norbornadiene Most system to a standard commercial silicon solar cell and found that the Most system decreased the heating of the photovoltaic device under simulated sunlight by 8°C, thus increasing the efficiency from 12.4% to 12.6%. Moth-Poulsen highlights that as the efficiencies of these silicon solar cells are only around 12% in the first place these increases are significant. Furthermore, the same photoswitching that absorbs energy and keeps the solar cell cool, harvests and stores energy too, giving the hybrid system a total efficiency of 14.9%. ‘The future vision of this is that you can take a solar cell, photovoltaic, and then you could retrofit the Most system,’ Moth Poulsen tells Chemistry World.”

Electronic Signatures, Forms and Storage for Drug and Alcohol Testing Records. Federal Register PHMSA notice of proposed rulemaking. Summary: “DOT is required by statute to amend its regulations to authorize, to the extent practicable, the use of electronic signatures or digital signatures executed to electronic forms instead of traditional handwritten signatures executed on paper forms. This rulemaking also responds to an April 2, 2020, petition for rulemaking from DISA Global Solutions, Inc. (DISA), requesting that DOT regulations be amended to allow the use of an electronic version of the alcohol testing form (ATF) for DOT-authorized alcohol testing. The proposed regulatory amendments are expected to provide additional flexibility and reduced costs for the industry while maintaining the integrity and confidentiality requirements of the drug and alcohol testing regulations. In addition, DOT proposes to amend the Pipeline and Hazardous Materials Safety Administration (PHMSA) regulation for conformity and to make other miscellaneous technical changes and corrections.” Comments due by December 16th, 2024.

Fatal Chemical Leak at Pemex Refinery Raises Safety Concerns. ChemicalProcessing.com article. Pull quote: “Metzger said chemical companies in the region do not have much motivation to change. TCEQ, the state’s environmental agency has issued fines for about 10% of clean-air law violations annually, he said. Also, when penalties are imposed, they tend to be minimal, he added.” Hard to downplay environmentalists’ concerns when the latest incident killed 2 employees.

Cybersecurity Maturity Model Certification (CMMC) Program. Federal Register DOD final rule. Summary: “With this final rule, DoD establishes the Cybersecurity Maturity Model Certification (CMMC) Program in order to verify contractors have implemented required security measures necessary to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The mechanisms discussed in this rule will allow the Department to confirm a defense contractor or subcontractor has implemented the security requirements for a specified CMMC level and is maintaining that status (meaning level and assessment type) across the contract period of performance. This rule will be updated as needed, using the appropriate rulemaking process, to address evolving cybersecurity standards, requirements, threats, and other relevant changes.”

UK sanctions Russian troops for deploying chemical weapons in Ukraine. ChemistryWorld.com article. Pull quote: “In an announcement [link added] published on 8 October, the UK government said Russian forces had openly admitted to using hazardous chemical weapons, with widespread use of riot control agents and multiple reports of the use of the choking agent chloropicrin – a highly irritating chemical discovered in the 1840s – on the battlefield.”

Trump ground game undercut by slow internet that crashes app. TheGuardian.com article. Pull quote: “But the Trump campaign and the Elon Musk-backed America Pac, which is now doing an outsized portion of the Trump ground game, use a management app called Campaign Sidekick that struggles in areas with slow internet and means canvassers have to use an offline version [with numerous problems].” Trump’s slow play of rural internet support has come back to bite his campaign.

Guidance: Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM). CISA.gov release. Pull quote: “Today, CISA published the Framing Software Component Transparency, created by the Software Bill of Materials (SBOM) Tooling & Implementation Working Group, one of the five SBOM community-driven workstreams facilitated by CISA. CISA’s community-driven working groups publish documents and reports to advance and refine SBOM and ultimately promote adoption. This resource serves as the detailed foundation of SBOM, defining SBOM concepts and related terms and offering an updated baseline of how software components are to be represented. This document serves as a guide on the processes around SBOM creation.”

Review – 2 Advisories Published – 10-15-24

Today, CISA’s NCCIC-ICS published two control system security advisories for products from Schneider Electric and Siemens.

Advisories

Schneider Advisory - This advisory describes two vulnerabilities in the Schneider Data Center Expert product.

Siemens Advisory - This advisory discusses a classic buffer overflow vulnerability in the Siemens Siveillance Video Device Pack.


For more information on these advisories, including a down-the-rabbit-hole look at third-party vulnerabilities, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-published-10-15-24 - subscription required.

Review - HR 9769 Introduced – Chinese Cyber Threats

Last month, Rep Lee (R,FL) introduced HR 9769, the Strengthening Cyber Resilience Against State-Sponsored Threats Act. The bill would require CISA to establish an interagency task force to “detect, analyze, and respond to the cybersecurity threat posed by State-sponsored cyber actors, including Volt Typhoon, of the People’s Republic of China”. The task force would submit annual classified reports to Congress. No new funding is authorized by this legislation.

Moving Forward

On September 25th, the House Homeland Security Committee conducted a business meeting where twenty pieces of legislation were considered. Among them was HR 9769, which was ordered reported favorably by a voice vote. This indicates substantial bipartisan support for the bill and will probably clear the way for it to be considered by the full House under the suspension of the rules process, which limits debate, prohibits floor amendments and requires a two-thirds supermajority vote for passage.

Commentary

There is no mention of the intelligence community, either in the composition of the task force or in the provision of intelligence information in support of the task force’s information collection. While CISA and the FBI will have some internally developed information on the topic of Chinese cybersecurity threats, the bulk (and widest scope) of such information will be held by the intelligence community. I suspect that this was deliberately overlooked by the crafters of the bill to avoid sharing congressional oversight with (or even surrendering it to) the House Intelligence Committee.


For more information on the provisions of this bill, including some additional commentary, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-9769-introduced - subscription required.
