Monday, October 21, 2024

Review - FCC Publishes Final Rule for Cybersecurity Labeling Administrator (CLA) Applications

Today, the Federal Communications Commission (FCC) published a final rule in the Federal Register (89 FR 84086-84096) announcing “a 15-business day filing window for applications from entities seeking designation as a Cybersecurity Labeling Administrator (CLA) and Lead Administrator and also adopt additional requirements for CLA and Lead Administrator applications as well as responsibilities that must be met by the selected Lead Administrator and CLAs.” This includes a 30-day ICR notice for the associated information collection requirements of this final rule.

Applications

Today’s final rule is a summary of the Commission's document in PS Docket No. 23-239. That document, dated September 10th, 2024, announced the 15-day window for LA and CLA applications. That window closed on October 1st, 2024.

Burden Estimate

Appendix D of PS Docket 23-289 provides the burden estimate for the LA and CLA application process, OMB control number 3060-1328. It reports that the FCC expects that each LA application will take 10 hours and each CLA application will take 20 hours. There is no estimate provided for the number of applications that the Commission expects to receive, so a full burden estimate is not provided.

The FCC is soliciting comments on the new information collection request supporting these applications. Comments may be emailed to the FCC at PRA@fcc.gov. Comments should be submitted by November 20th, 2024.


For more information on this rulemaking, including a background look at the roles of LA and CLAs in the FCC IoT Label Program, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/fcc-publishes-final-rule-for-cybersecurity - subscription required.

Sunday, October 20, 2024

Review – Public ICS Disclosures – Week of 10-12-24 – Part 2

For Part 2 we have 18 additional vendor disclosures from Moxa, SEL (2), Splunk (13), TAI Smart Factory, and VMware. There are also four vendor updates from FortiGuard (2), Mitsubishi Electric, and Palo Alto Networks. There are also two researcher reports for vulnerabilities in products from ABB and Rittal. Finally, we have an exploit for products from WatchGuard.

Advisories

Moxa Advisory - Moxa published an advisory that describes two vulnerabilities in their Cellular Routers, Secure Routers, and Network Security Appliances.

SEL Advisory #1 - SEL published a new version notice that describes cybersecurity enhancements for their SEL-5703 Synchrowave Monitoring product.

SEL Advisory #2 - SEL published a new version notice that describes cybersecurity enhancements for their SEL-5702 Synchrowave Operations product.

Splunk Advisory #1 - Splunk published an advisory that describes an arbitrary file write vulnerability in their Enterprise for Windows product.

Splunk Advisory #2 - Splunk published an advisory that describes a missing authorization vulnerability in their SplunkDeploymentServerConfig app.

Splunk Advisory #3 - Splunk published an advisory that describes a deserialization of untrusted data vulnerability in their Enterprise on Windows product.

Splunk Advisory #4 - Splunk published an advisory that describes an improper access control vulnerability in their Classic Dashboard product.

Splunk Advisory #5 - Splunk published an advisory that describes an improper access control vulnerability in their Secure Gateway App.

Splunk Advisory #6 - Splunk published an advisory that describes an uncontrolled resource consumption vulnerability in their Daemon product.

Splunk Advisory #7 - Splunk published an advisory that describes a cross-site request forgery vulnerability in their Enterprise and Cloud Platform products.

Splunk Advisory #8 - Splunk published an advisory that describes an insertion of sensitive information into a log file vulnerability in their Enterprise product.

Splunk Advisory #9 - Splunk published an advisory that describes an insertion of sensitive information into a log file vulnerability in their Enterprise product.

Splunk Advisory #10 - Splunk published an advisory that describes a cross-site scripting vulnerability in their Enterprise product.

Splunk Advisory #11 - Splunk published an advisory that describes a cross-site scripting vulnerability in their Enterprise product.

Splunk Advisory #12 - Splunk published an advisory that discusses 68 vulnerabilities in their Enterprise product.

Splunk Advisory #13 - Splunk published an advisory that discusses four vulnerabilities (one with publicly available exploit) in their Add-on for Office 365 product.

TAI Advisory - Incibe-CERT published an advisory that describes an SQL injection vulnerability in the TAI Smart Factory's QPLANT plant data management product.

VMware Advisory - Broadcom published an advisory that describes an SQL injection vulnerability in their HCX product.

UPDATES

FortiGuard Update #1 - FortiGuard published an update for their regreSSHion advisory that was originally published on July 9th, 2024, and most recently updated on September 11th, 2024.

FortiGuard Update #2 - FortiGuard published an update for their Format String Bug that was originally published on February 8th, 2024, and most recently updated on October 11th, 2024.

Mitsubishi Update - Mitsubishi published an update for their GENESIS64 advisory that was originally published on June 27th, 2024.

Palo Alto Networks Update - Palo Alto Networks published an update for their Firewall Denial of Service advisory that was originally published on October 9th, 2024.

Researcher Reports

ABB Reports - Zero Science published five reports about individual vulnerabilities (with publicly available exploits) in the ABB Cylon Aspect building management product.

Rittal Report - SEC Consult published a report that describes three vulnerabilities in the Rittal IoT Interface & CMC III Processing Unit.

Exploits

WatchGuard Exploit - Indoushka published an exploit for a buffer overflow vulnerability in the WatchGuard XTM Firebox.


For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-10-7cf - subscription required.

Saturday, October 19, 2024

Short Takes – 10-19-24

Mechanochemistry can extract edible proteins from moor grass. ChemistryWorld.com article. Pull quote: “With a growing global population and dietary intake changes, there is a need to source edible proteins using alternative and sustainable methods. Previous studies report edible protein extraction from grasses however ‘a lot of the conventional methods use very harsh solvents or chemicals to break down the cell walls’ explains Castro-Dominguez. While these methods are often effective, ‘once you put vitamins and proteins under these harsh conditions, they tend to degrade’ he says. ‘We want to have proteins that are completely in good shape for human consumption.’”

Trelleborg adds elastomer manway nozzle gaskets. BulkTransporter.com article. Pull quote: “The manway nozzle gaskets are made from high-grade fluoroelastomer (FKM) materials offering enhanced chemical resistance, robust mechanical strength, and a wide temperature range. Their single-piece design with a chevron profile ensures excellent sealing and simplified manufacturing. Leveraging material science and fully integrated engineering, they are developed with advanced materials and in-house manufacturing, helping to prevent non-accident releases (NARs). Produced in ISO 9001 and ISO 14001 certified facilities, they ensure consistent quality and full traceability from formulation to final product.” No endorsement implied.

The Orionids Meteor Shower Is Peaking. Here’s How to Watch. NYTimes.com article. Pull quote: “The Orionids are well-loved by meteor shower aficionados because of the bright, speedy streaks they make near the group of stars known as Orion’s Belt. Like the Eta Aquarid meteor shower, which peaked in early May, the Orionids result when Earth passes through debris from Halley’s comet.”

DHS Warns Law Enforcement Election Deniers May Attempt to Bomb Drop Boxes. Wired.com article. Pull quote: “The documents show that DHS alerted dozens of agencies this summer to online chatter indicating potential attacks on election drop boxes—secured receptacles used in more than 30 states to collect mail-in voter ballots. The text highlights the efforts of an unnamed group to crowdsource information about “incendiary and explosive materials” capable of destroying the boxes and ballots. An extensive list of household mixtures and solvents, which are said to render voter ballots “impossible to process,” was also compiled by members of the group, the report says, and openly shared online.”

OMB Approves CISA’s Notice on Cybersecurity of Bulk Personal Information Transfers

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a ‘notice’ from CISA on “Security Requirements for Restricted Transactions Under Executive Order 14117”. The notice was sent to OIRA on July 8th, 2024.

This rulemaking was not published in the Spring 2024 Unified Agenda. This could be because this is a ‘notice’ not an actual proposed rulemaking.

As I noted in my earlier post:

“Executive Order 14117 outlines the Administration’s intent “to restrict access by countries of concern to Americans' bulk sensitive personal data and United States Government-related data when such access would pose an unacceptable risk to the national security of the United States.” Section 2(d) of that EO requires CISA to “propose, seek public comment on, and publish security requirements that address the unacceptable risk posed by restricted transactions”. Those ‘restricted transactions’ are outlined in §2(a) and are to be further defined by regulations issued by the Attorney General.”

I will probably not be covering these regulations in any depth in this blog, but I will certainly be announcing the relevant publications in the appropriate ‘Short Takes’ post.

FDA Sends HIPAA Cybersecurity NPRM to OMB

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking from the Food and Drug Administration (FDA) on “Proposed Modifications to the HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information”.

According to the Spring 2024 Unified Agenda Entry for this rulemaking:

“This rule will propose modifications to the Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). These modifications will improve cybersecurity in the health care sector by strengthening requirements for HIPAA regulated entities to safeguard electronic protected health information to prevent, detect, contain, mitigate, and recover from cybersecurity threats.”

I will probably not cover this rulemaking in any detail on this blog, unless it specifically addresses cybersecurity issues of medical devices that may contain, process, or transmit protected health information (PHI). Otherwise, there will just be a notification published in the appropriate ‘Short Takes’ post when this rulemaking is published in the Federal Register.

Chemical Incident Reporting – Week of 10-12-24

NOTE: See here for series background.

Washington, NC – 9-18-24

Local News Reports: Here, here, and here.

Chlorine gas was released from a storage tank at a water treatment facility when an ammonium sulfate solution was inadvertently unloaded into a sodium hypochlorite storage tank by a delivery driver. The driver was taken to a local hospital for treatment. The remaining contents of the storage tank were hauled away for disposal as hazardous waste.

Possible CSB reportable if the driver was admitted to hospital. Possibly could be treated as a hazmat transportation incident.

A similar incident with unrelated water treatment chemicals occurred in May at a nearby water treatment plant in North Carolina.

These incidents are more common than most people realize. A gas cloud exiting a storage tank is an absolute signal that a mixing incident is occurring. Fast action shutting down the feed will minimize the potential damage and the size of the gas cloud. The problem is that the steam-driven cloud (these reactions are often exothermic) frequently interferes with the driver (it is almost always a non-facility driver that is ‘responsible’ for such incidents) reaching the controls on the discharge line. This means that the cloud is larger and there is a danger of the storage tank physically failing due to the combination of overfilling and gas production.

NOTE: I missed this particular incident last month, but was pointed at it by a report at ISSSource.com.

Bills Introduced – 10-18-24

Yesterday, with the House and Senate meeting in pro forma session, there were 30 bills introduced. None of those bills are likely to receive additional coverage in this blog. There are, however, two items of interest. The first is that HR 10000 was introduced, the first time that Congress has had to resort to a 5-digit bill number. That, combined with the really small number of bills passed to date (106 bills), shows just how ineffective Congress has become. It would be really interesting for someone to compile a report on the legislative efficiency of the members of Congress.

The second item of interest is a bill that I would like to mention in passing:

HR 9999 To amend the Congressional Budget and Impoundment Control Act of 1974 to include timely completion of budgetary actions as an essential purpose of such Act and to establish limitations on the official travel of Members of Congress upon failure to timely adopt a concurrent resolution on the budget, and for other purposes. Arrington, Jodey C. [Rep.-R-TX-19]

There have been any number of bills introduced this session (and in sessions past, to be sure) that have purported to try to hold congresscritters to account for passing a federal budget. This is the first that I recall having used congressional travel monies as the incentive to get our elected officials to do their job.

Section 301 of the Congressional Budget and Impoundment Control Act of 1974 already requires that: “On or before April 15 of each year, the Congress shall complete action on a concurrent resolution on the budget for the fiscal year beginning on October 1 of such year.”

There is, of course, no current enforcement of that ‘shall complete’ requirement, as the Supreme Court (and not just the current packed Court) would never allow any legal action to enforce that requirement under the separation of powers standard. The only ones that could enforce that are the voters, who for the most part do not really care about the budget or most of the activities of Congress.

This bill does not have much chance of actually being considered, much less enacted into law. Even if it were, there would be any number of legislative or administrative workarounds that would still allow for official travel payments in the ‘unlikely’ (sigh) event that Congress failed to do its duty. As with most of these bills, there is little chance that they will be considered, much less voted upon, or sent to the President. This is political posturing, nothing more, and just weeks before the election.
