Thursday, April 25, 2024

Short Takes – 4-25-24

Dairy Cows Transported Between States Must Now Be Tested for Bird Flu. NYTimes.com article (free link). Pull quote: “While testing more cows is critical, so is reducing the risk of infection among dairy workers regularly exposed to fresh milk now thought to contain extensive virus, said Seema Lakdawala, a virologist at Emory University.”

GPT-4 Can Exploit Most Vulns Just by Reading Threat Advisories. DarkReading.com article. Pull quote: “With only their security advisories to go on, the AI agent was tasked with exploiting each bug in turn. The results of this experiment painted a stark picture. Of the 10 models evaluated — including GPT-3.5, Meta's Llama 2 Chat, and more — nine could not hack even a single vulnerability. GPT-4, however, successfully exploited 13, or 87% of the total.”

Boeing and NASA decide to move forward with historic crewed launch of new spacecraft. CNN.com article. Pull quote: ““This is an important capability for NASA. We signed up to go do this, and we’re gonna go do it and be successful at it,” Nappi said Thursday. “I don’t think of it in terms of what’s important for Boeing as much as I think of it as in terms of what’s important for this program.””

Macron’s Olympics terror nightmare. Politico.eu article. Pull quote: “The worst-case scenario, according to Regul, would be a coordinated cyber and terror attack, with the digital attack taking out crucial security or surveillance systems.”

CG Report for 2023 Cyber Trends in Maritime Environment

I ran into an interesting article over on IndustrialCyber.co looking at the recently released report from the Coast Guard Cyber Command. That report, “2023 Cyber Trends and Insights in the Marine Environment Report”, takes a look at last year’s trends in maritime cybersecurity. It is a 60-page report with lots of detail, so it is well worth reading. And Anna Ribeiro’s article provides a good overview.

The report includes a fairly detailed discussion (pgs 16-20) about the techniques that Cyber Protection Team (CPT) members used to gain entry to systems during their cybersecurity assessments. Nothing really fancy, certainly no 0-day exploits; just solid application of cybersecurity knowledge.

The discussion about strengthening OT networks (pgs 24-28), while short, is illuminating. The Cyber Command authors identify the “three common vulnerabilities present in almost every OT network” the CPT assessors looked at:

• Improperly segmented networks,

• End-of-life software, and

• Use of legacy protocols.

The OT hardening discussion then focuses on how to fix those issues first. Not a bad idea for any OT system.
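The first and third of those findings are the sort of thing a flow-record review turns up before an assessor ever touches a device. The script below is an added example (not from the Coast Guard report or this post) that audits constructed flow records against an assumed zone model: it flags any non-OT host that opens a connection into the OT segment without being the assumed jump host, and any flow into OT on a protocol that carries no authentication or encryption (Telnet, FTP, HTTP, S7comm, SNMP, Modbus/TCP, DNP3, EtherNet/IP, matched by well-known port). The zone ranges, the jump-host address, the port table and the flow lines are all assumptions made for illustration. End-of-life software is not visible in a flow log, so the second bullet is out of scope here.

```python
"""Segmentation and legacy-protocol audit over flow records (added example).

Not from the Coast Guard report or this post. Zone ranges, the permitted jump host,
the legacy-port table and the flow lines are assumptions constructed for illustration.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumed zone model for a small plant network.
ZONES = {
    "IT": ipaddress.ip_network("10.1.0.0/16"),
    "DMZ": ipaddress.ip_network("10.2.0.0/24"),
    "OT": ipaddress.ip_network("192.168.100.0/24"),
}
# Assumed: the only non-OT host permitted to open connections into OT (a DMZ jump host).
ALLOWED_INTO_OT = {ipaddress.ip_address("10.2.0.10")}

# Protocols with no authentication or encryption, keyed by well-known port.
# Port matching is a heuristic: it cannot tell SNMPv3 from v2c, or spot HTTP on an odd port.
LEGACY_PORTS = {
    21: "ftp", 23: "telnet", 80: "http", 102: "s7comm", 161: "snmp",
    502: "modbus/tcp", 20000: "dnp3", 44818: "ethernet/ip",
}


@dataclass(frozen=True)
class Finding:
    kind: str    # "cross_zone" or "legacy_protocol"
    src: str
    dst: str
    dport: int
    detail: str


def zone_of(ip):
    """Name of the zone containing ip, or 'UNKNOWN' if it is outside the model."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def parse_flows(text):
    """Parse 'ts src dst dport proto' records, one per line; '#' lines are comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append((ts, src, dst, int(dport), proto.lower()))
    return flows


def audit(flows):
    """Return one Finding per policy violation observed in the flows."""
    findings = []
    for ts, src, dst, dport, proto in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if dst_zone != "OT":
            continue  # Policy here only concerns traffic entering or inside OT.
        if src_zone != "OT" and ipaddress.ip_address(src) not in ALLOWED_INTO_OT:
            findings.append(Finding("cross_zone", src, dst, dport,
                                    f"{src_zone} host reached OT directly at ts={ts}"))
        if dport in LEGACY_PORTS:
            # OT-internal Modbus/DNP3 is often unavoidable; the point is an inventory of
            # where unauthenticated protocols are in use so they can be fenced in.
            findings.append(Finding("legacy_protocol", src, dst, dport,
                                    f"{LEGACY_PORTS[dport]} over {proto} from {src_zone}"))
    return findings


def summarize(findings):
    """Counts per finding kind and the sources with the most findings."""
    return {
        "by_kind": dict(Counter(f.kind for f in findings)),
        "top_sources": Counter(f.src for f in findings).most_common(3),
    }


# Constructed flow records (not real traffic): ts src dst dport proto
SAMPLE_FLOWS = """
# IT workstation polling a PLC directly over Modbus: segmentation and protocol findings
1714000000.1  10.1.5.23      192.168.100.20  502    tcp
# Permitted jump host using Modbus: protocol finding only
1714000001.2  10.2.0.10      192.168.100.20  502    tcp
# IT host on Telnet to an OT switch: segmentation and protocol findings
1714000002.3  10.1.7.4       192.168.100.30  23     tcp
# OT-internal Modbus between HMI and PLC: protocol finding only
1714000003.4  192.168.100.5  192.168.100.20  502    tcp
# Ordinary IT-to-DMZ HTTPS: no finding
1714000004.5  10.1.5.23      10.2.0.10       443    tcp
# IT host reaching an OT web interface over HTTPS: segmentation finding only
1714000005.6  10.1.9.9       192.168.100.40  443    tcp
"""

if __name__ == "__main__":
    results = audit(parse_flows(SAMPLE_FLOWS))
    for f in results:
        print(f"{f.kind:16} {f.src:>15} -> {f.dst}:{f.dport}  {f.detail}")
    print(summarize(results))
```

Run against real data, the flow lines would come from a firewall, NetFlow or Zeek conn export; the two lists that matter are the zone model and the set of hosts allowed into OT, and getting those agreed with the plant engineers is most of the work.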

The final thing I want to point out in the report is Appendix C, “Known Exploitable Vulnerabilities Detected on CPT Missions”. This appendix lists the vulnerabilities found during CPT missions that also appear in CISA’s Known Exploited Vulnerabilities (KEV) Catalog. The number of KEVs found is remarkably small, but that is more than made up for by how old some of them are. The oldest KEV reported by the CPTs in the wild is listed as an “Apache HTTP Server-Side Request Forgery (SSRF)” - CVE-2012-1823. (One caveat on that label: CISA’s KEV catalog tracks CVE-2012-1823 as the PHP-CGI query string parameter vulnerability, an argument-injection flaw in php-cgi rather than an Apache SSRF, so the CVE number, not the description, is what to search on when checking your own exposure.) Even being over a decade old, the CG cyber personnel found two instances of this vulnerability available for attack.
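What Appendix C does by hand is a cross-reference any assessment team can automate: take the CVE IDs a scanner reports, look each one up in the KEV catalog, and rank the hits by age and by CISA’s due date. The script below is an added example (not from the Coast Guard report or this post) that does exactly that. The catalog and the scan rows are constructed samples in the shape of CISA’s KEV JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json); the entry dates and names, the host addresses, and the CVE IDs other than CVE-2012-1823 and CVE-2021-44228 are illustrative, and the live feed should be fetched for real use.

```python
"""Cross-reference scan findings against a CISA KEV-style catalog (added example).

Not from the Coast Guard report or this post. The catalog and scan rows below are
constructed samples in the shape of CISA's KEV JSON feed
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json);
dates, names and placeholder CVE IDs are illustrative. Fetch the live feed for real use.
"""
import csv
import io
import json
import re
from datetime import date

CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")


def load_kev(feed_text):
    """Index a KEV feed (JSON text) by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}


def parse_findings(csv_text):
    """Parse scanner export rows (host,service,cve); rows without a well-formed CVE ID are dropped."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cve = row["cve"].strip().upper()
        if CVE_RE.match(cve):
            rows.append((row["host"].strip(), row["service"].strip(), cve))
    return rows


def cve_year(cve):
    """Year component of a CVE ID: the year it was assigned, a lower bound on the bug's age."""
    return int(CVE_RE.match(cve).group(1))


def match_kev(findings, kev, today=None):
    """Group findings present in the KEV catalog by CVE, with affected hosts and due-date status.

    dueDate is the remediation deadline BOD 22-01 sets for federal civilian agencies;
    for everyone else it is an urgency signal rather than an obligation."""
    today = today or date.today()
    hits = {}
    for host, service, cve in findings:
        entry = kev.get(cve)
        if entry is None:
            continue
        hit = hits.setdefault(cve, {
            "name": entry["vulnerabilityName"],
            "year": cve_year(cve),
            "due": entry["dueDate"],
            "overdue": date.fromisoformat(entry["dueDate"]) < today,
            "hosts": [],
        })
        hit["hosts"].append(f"{host} ({service})")
    return hits


def oldest_kev(hits):
    """CVE ID of the oldest KEV hit by assignment year, or None when there are no hits."""
    return min(hits, key=lambda c: (hits[c]["year"], c)) if hits else None


# Constructed sample catalog using the real feed's top-level keys and entry field names.
SAMPLE_KEV_FEED = json.dumps({
    "title": "sample catalog", "catalogVersion": "sample", "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2012-1823", "vendorProject": "PHP", "product": "PHP",
         "vulnerabilityName": "PHP-CGI query string parameter vulnerability",
         "dateAdded": "2022-03-25", "dueDate": "2022-04-15"},
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "vulnerabilityName": "Log4j2 remote code execution",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24"},
        {"cveID": "CVE-2023-99999", "vendorProject": "ExampleCo", "product": "Widget",
         "vulnerabilityName": "placeholder entry, not present in the scan",
         "dateAdded": "2023-06-01", "dueDate": "2023-06-22"},
    ],
})

# Constructed scanner export (placeholder hosts; CVE-2020-99999 is a placeholder ID).
SAMPLE_SCAN = """host,service,cve
10.20.30.5,php-cgi/80,CVE-2012-1823
10.20.30.9,php-cgi/80,CVE-2012-1823
10.20.31.2,app/8080,CVE-2021-44228
10.20.31.7,sshd/22,CVE-2020-99999
10.20.31.8,http/80,not-a-cve
"""


def report(feed_text=SAMPLE_KEV_FEED, scan_text=SAMPLE_SCAN, today=None):
    """KEV hits for a scan, the oldest one, and the count of distinct KEV CVEs found."""
    hits = match_kev(parse_findings(scan_text), load_kev(feed_text), today)
    return {"hits": hits, "oldest": oldest_kev(hits), "kev_count": len(hits)}


if __name__ == "__main__":
    r = report()
    for cve, h in sorted(r["hits"].items(), key=lambda kv: kv[1]["year"]):
        status = "OVERDUE" if h["overdue"] else "due " + h["due"]
        print(f"{cve}  ({h['year']})  {status}  {h['name']}: {', '.join(h['hosts'])}")
    print("oldest KEV in scope:", r["oldest"])
```

The CVE year is only a lower bound on age (a CVE can be assigned long before the bug is public), but it is enough to surface the decade-old entries that the appendix highlights; the due-date flag is what turns the list into a work queue.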

This is a unique look at cybersecurity in the wild, well worth the read even if you have nothing to do with the maritime domain. 

Review – 4 Advisories and 4 Updates Published

Today, CISA’s NCCIC-ICS published four control system security advisories for products from Honeywell, Siemens and Hitachi Energy (2). They also updated advisories for products from Mitsubishi (2), Rockwell and Chirp Systems.

Advisories

Honeywell Advisory - This advisory describes 16 vulnerabilities in multiple Honeywell products.

Siemens Advisory - This advisory discusses a command injection vulnerability {that is listed on CISA’s Known Exploited Vulnerabilities (KEV) Catalog} in the Siemens RUGGEDCOM APE1808 application hosting platform.

Hitachi Energy Advisory #1 - This advisory describes two vulnerabilities in the Hitachi Energy MACH SCM product.

Hitachi Energy Advisory #2 - This advisory describes two unrestricted upload of file with dangerous type (CWE-434) vulnerabilities in the Hitachi Energy RTU500 Series.

Updates

Mitsubishi Update #1 - This update provides additional information on the MELSEC Series CPU Module advisory that was originally published on May 23rd, 2023 and most recently updated on March 14th, 2024.

Mitsubishi Update #2 - This update provides additional information on the MELSEC iQ-R Series/iQ-F Series advisory that was originally published on June 6th, 2023.

Rockwell Update - This update provides additional information on the 5015-AENFTXT advisory that was originally published on April 11th, 2024.

Chirp Systems Update - This update provides additional information on the Chirp Access advisory that was originally published on March 7th, 2024 and most recently updated on April 23rd, 2024.

 

For more information on these advisories, including a brief commentary on the Chirp Systems update, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-and-4-updates-published - subscription required.

Review - S 4045 Introduced – East Palestine Health Monitoring

Last month, Sen Vance (R,OH) introduced S 4045, the East Palestine Health Impact Monitoring Act of 2024. The bill would require HHS to conduct a study on the health effects of the 2023 East Palestine, OH train derailment. The bill would authorize $2 million per year through 2028 for the study.

Moving Forward

While Vance is not a member of the Senate Health, Education, Labor, and Pensions Committee to which this bill was assigned for consideration, one of his three cosponsors {Sen Casey (D,PA)} is a member. This means that there may be sufficient influence to see this bill considered in Committee. I would expect to see some Republican opposition to this bill because the results of such a study would likely be used to justify additional lawsuits against Norfolk Southern, the railroad involved in the incident. Still, I expect that the bill would have sufficient bipartisan support to pass in Committee. I do not expect to see this bill reach the floor of the Senate, though its language could be expected to be offered as an amendment to the DOT spending bill or transportation authorization bill.

Commentary

This is a little bit late (but better late than never) to be starting this sort of post-accident health effects study. To be most effective, this should start within hours or days of the incident. That cannot, of course, happen if we need to rely on the local congressional delegation to put together study legislation and attempt to push it through Congress each time such accidents happen. There should be statutes in place to require the EPA, DOT, and HHS to conduct such studies any time a significant chemical release occurs. DOT should fund studies for transportation related incidents and the EPA for fixed site accidents.

 

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-4045-introduced - subscription required.

Review - S 3773 Introduced – HHS Cybersecurity Testing

In February, Sen Rubio (R,FL) introduced S 3773, the Strengthening Cybersecurity in Health Care Act. The bill would require the Health and Human Services Department Inspector General to conduct penetration tests and other testing procedures to determine how systems that process, transmit, or store mission-critical or sensitive data by, for, or on behalf of the Department are currently, or could be, compromised. No new funding is provided by the bill.

Moving Forward

While Rubio is not a member of the Senate Health, Education, Labor, and Pensions Committee to which this bill was assigned for consideration, one of his three cosponsors {Sen Hassan (D,NH)} is a member. This means that there may be sufficient influence to see the bill considered in Committee. I do not see anything that would engender any organized opposition to the bill. I suspect that there would be some level of bipartisan support for the legislation if it were considered.

This bill is not politically important enough to consume the time necessary for consideration in the Senate under regular order. This bill might be able to pass under the Senate’s unanimous consent process, but that process always faces the potential for opposition unrelated to the provisions of the bill. This bill is well suited to being included in the annual HHS spending bill and Rubio, a member of the Senate Appropriations Committee, is well placed to see that happen.

Commentary

HHS has little in the way of internal clinics that might be affected by such testing, so it is unlikely that there will be any medical devices covered by the requirements of this bill. I really mention it here because of the unique requirement for IG cybersecurity testing. This is well within the scope of operations of inspectors general, if probably outside of the existing skill sets of those organizations. While not wishing to see CISA’s prominence in government cybersecurity efforts diminished, I think that this might be a good requirement for each inspector general office in the federal government. And it might provide an interesting internal skill set that could be used in other IG investigations.

 

For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-3773-introduced - subscription required.

Short Takes – 4-25-24 – Space Geek Edition

A NASA rover has reached a promising place to search for fossilized life on Mars. Phys.org article. Pull quote: “Mars sample return remains NASA's highest planetary science priority and is strongly supported by the planetary science community around the world. The samples from Perseverance may revolutionize our view of life in the universe. Even if they don't contain fossils or biomolecules, they will fuel decades of research and give future generations a completely new view of Mars. Let's hope NASA and the US government can live up to the name of their rover, and persevere.”

SpaceX’s Special Starship Cargo Lander Capacity Revealed By NASA Ahead Of Fourth Starship Test. WCCFTech.com article. Pull quote: “In a press release, NASA outlined that the cargo landers, part of the original HLS award will land on the Moon starting from the Artemis 7 mission. The Artemis 7 was slated to land on the Moon in 2030 according to a NASA manifest from 2022 - before the space agency moved its timeline for the Artemis 2 mission forward by a year. Artemis 2 will be the first time humans will venture to the Moon since the Apollo program, and the mission was initially slated to launch this year.”

China's Tiangong space station damaged by debris strike. Space.com article. Pull quote: “"The space station's core module Tianhe had suffered a partial loss of power supply due to the impact of the space debris on the solar wing's power cables," Xinhua reported, paraphrasing CMSA deputy director Lin Xiqiang.”

China on track for crewed moon landing by 2030, space official says. SpaceNews.com article. Pull quote: “Lin added that astronaut training for the mission includes mastering operation of the Mengzhou and Lanyue spacecraft, including in normal and emergency flight conditions. Rendezvous and docking and manually avoiding obstacles during the lander’s descent were noted as part of the training. Other activities include entering and exiting the lander, working in one-sixth of Earth’s gravity, long-range lunar roving, drilling, sampling and other scientific work on the lunar surface.”

Companies offer proposals for Apophis asteroid missions. SpaceNews.com article. Pull quote: “Scientists, though, are interested in sending additional missions to Apophis, particularly those that would fly by or orbit the asteroid before the flyby so that researchers can better understand what impact tidal forces from the flyby might have on the asteroid. Several such mission concepts were discussed during an April 22–23 workshop at a European Space Agency center in The Netherlands.”

Major changes approved for ClearSpace-1 mission. SpaceNews.com article. Pull quote: ““On 10 August, 2023, a collision involving our original target increased the risk of capture and induced the spinning of the object,” ClearSpace CEO Luc Piguet told SpaceNews by email. “This made it more difficult to capture and added complexity to the mission as the goal is to remove debris completely.””

Wednesday, April 24, 2024

Short Takes – 4-24-24

E. coli engineered to become methanol addict to make industry feedstocks. ChemistryWorld.com article. A little biochem geeky stuff. Pull quote: “Lead author Julia Vorholt at ETH Zurich says the first step was to get E. coli ‘addicted’ to methanol. ‘If you make a mutation in a certain gene then [E. coli] needs to make a little bit of biomass for some specific compounds from methanol,’ she explains. Leaving the bacteria to grow in a bioreactor with just enough carbon to survive and an abundance of methanol favours those that can use alcohol. Natural selection takes over and bacteria which thrive using methanol outcompete the others until eventually E. coli has evolved the same fixation cycle seen in other methylotrophs.”

America’s crisis of repetition is hurting national security. BreakingDefense.com article. Pull quote: “Finally, the challenge of identifying obstacles to implementation is hard — and frankly, not necessarily interesting. It involves detective work: asking questions, knowing processes across government, and understanding funding streams. It requires persistence and takes time. It’s a lot less exciting than coming up with purportedly “new” ideas.”

Artemis Mission: Making NASA’s New Moon Suits. Makezine.com article. Pull quote: “This carefulness is evident when you walk into their sewing labs. The labs are filled with single needle, double needle, off-arm, post, bar-tack, serger, and zig-zag sewing machines, all used for the creation of the suits. In typical clothing factories, the buzz of machines is constant and fast. Axiom’s sewing lab is almost dead silent. Some of the sewers even turn the machines by hand to achieve the level of precision needed.”

Agency Information Collection Activities: CISA Gateway User Registration. Federal Register CISA 60-day ICR renewal/change notice. Changes: “The collection was initially approved on October 9, 2007, and the most recent approval was on December 19, 2023, with an expiration date of June 30, 2024. The changes to the collection since the previous OMB approval include; updating the title of the collection, decrease in burden estimates and decrease in costs. The total annual burden cost for this collection has changed by $3,096.40, from $4,128 to $7,224.40 due to the removal of the utilization survey, and the addition of PCIIMS respondents. For the CISA Gateway, the total number of responses has increased from 350 to 700 due to the updated metrics resulting from the awareness campaign and due to the registration process changing which does not include the training registration. The annual government cost for this collection has changed by $8,340.92 from $5,723 to $14,063.92 due to the removal of the utilization survey, and the addition of PCIIMS respondents. This is a renewal with changes of an information collection.” Comments due June 24th, 2024.

National Security Telecommunications Advisory Committee. Federal Register DHS meeting notice. Agenda: “The NSTAC will meet in an open session on Thursday, May 23, 2024, from 3:15 p.m. to 4:30 p.m. EDT to discuss current NSTAC activities and the government's ongoing cybersecurity and NS/EP communications initiatives. This open session will include: (1) an update on the administration's cybersecurity initiatives; (2) a keynote address;(3) an update on current NSTAC activities; and (4) a status update on the NSTAC Principles for Baseline Security Offerings from Cloud Service Providers Study.”

Sorry, Little Green Men: Alien Life Might Actually Be Purple. ScientificAmerican.com article. Pull quote: “Prior to that, microorganisms generated metabolic energy by harnessing sunlight using a purple-pigmented molecule called retinal, whose origin may have predated chlorophyll. If retinal exists on other faraway worlds, scientists think the molecule's unique fingerprint would be discernible by upcoming ground- and space-based telescopes.”

Monkeypox virus: dangerous strain gains ability to spread through sex, new data suggest. Nature.com article. Pull quote: “Although mpox infections have waned globally since 2022, they have been trending upwards in the DRC: in 2023 alone, the country reported more than 14,600 suspected infections and more than 650 deaths. In September, 2023, a new cluster of suspected cases arose in the DRC’s South Kivu province. This cluster especially concerns researchers, as it has been spreading largely among sex workers, suggesting that the virus has adapted to transmit readily through sexual contact.”

Remnants of bird flu virus found in pasteurized milk, FDA says. OCRegister.com article. Pull quote: “Because the detection of the bird flu virus known as Type A H5N1 in dairy cattle is new and the situation is evolving, no studies on the effects of pasteurization on the virus have been completed, FDA officials said. But past research shows that pasteurization is “very likely” to inactivate heat-sensitive viruses like H5N1, the agency added.” While I agree with the theory, I am not a big fan of ‘very likely’ as a scientific statement. And what happens if H5N1 fragments get into someone with an active flu infection; would we see recombination?

 