Monday, May 11, 2026

Looking Back – 8-3-2009 – HR 3258

Nearly every morning I start my computer time by looking at information from Google about what happened in my blog in the previous 24 hours. Google (blogspot.com is a Google service) provides interesting pieces of analytical data about my blog readership. One item of particular interest is the top ten blog posts each day. As you would expect, most of those posts were from the last couple of days, but with 17 years of publishing this blog, every once in a while, a blog post from ancient history rises into that list.

Today, a blog post from August 3rd, 2009, “HR 3258 Analysis – Substance of Concern”, made the list. This was part of a series of posts that I did on HR 3258, the Drinking Water System Security Act of 2009. That bill was successfully reported out of the House Energy and Commerce Committee but never made it to the floor of the House. This was part of the ongoing effort by Democrats of that Committee to expand the CFATS program to include water treatment facilities. They were generally opposed in that effort by the House Homeland Security Committee, just part of the inter-committee conflict about the program. 

It is interesting to note that this post drew two comments that reflected the international interest in chemical facility security regulation. 

Sunday, May 10, 2026

Review - FAA UAS Facility NPRM – UAFR Descriptions

As I reported earlier, the proposed rule from the FAA would establish two distinct classes of unmanned aircraft flight restrictions (UAFR) for facilities to meet the section 2209 {PL 114-190 (130 STAT. 634)} mandate: standard UAFRs and special UAFRs. In this post, I will look at some of the differences between the two UAS control schemes.

UAFR Description  

Section 49 CFR Subpart A defines two different types of unmanned aircraft flight restrictions (UAFRs): standard UAFRs (§74.5) and special UAFRs (§74.6). Generally speaking, a standard UAFR may be requested by owner/operators of fixed facilities meeting certain requirements (see the Eligible Facilities discussion below). Special UAFRs may only be requested by a Federal security or intelligence agency, the Department of Defense, or the Department of Energy. 

Operational Differences  

The operational difference between the two types of UAFRs relates to what types of UAS operations would be allowed through the UAFR. For standard UAFRs, with limited procedural conditions, the rule would allow categorical authorization of UAS operations under the following existing UAS operational rules:

Part 91 Operations; if the unmanned aircraft is operated under 14 CFR part 91 with an airman certificate or as a Public Aircraft Operation, 

Part 107 Operations; if the unmanned aircraft is operated under 14 CFR part 107 with an airman certificate,  

Part 108 Operations; if the unmanned aircraft is operated under proposed 14 CFR part 108 as a permitted or certificated operation,  

Part 135 Operations; if the unmanned aircraft is operated under 14 CFR part 135 with a 14 CFR part 119 certificate, or 

Part 137 Operations; if the unmanned aircraft is operated under 14 CFR part 137 with an airman certificate and a 14 CFR part 137 certificate. 


For more information on the differences between UAFRs, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/faa-uas-facility-nprm-uafr-descriptions - subscription required. 

Review - Public ICS Disclosures – Week of 5-2-26 – Part 2

 For Part 2 we have seven additional vendor disclosures from WatchGuard (4) and VEGA (3). There are eight researcher reports of vulnerabilities in products from TP-Link. Finally, we have two exploits for products from PX4 and ThingsBoard. 

Advisories  

WatchGuard Advisory #1 - WatchGuard published an advisory that describes two vulnerabilities in their WatchGuard Agent on Windows product.  

WatchGuard Advisory #2 - WatchGuard published an advisory that describes an incorrect permission assignment for critical resource vulnerability in their WatchGuard Agent on Windows product. 

WatchGuard Advisory #3 - WatchGuard published an advisory that describes a stack-based buffer overflow vulnerability in their WatchGuard Agent Discovery Service on Windows product. 

WatchGuard Advisory #4 - WatchGuard published an advisory that describes a stack-based buffer overflow vulnerability in their WatchGuard Agent Discovery Service on Windows product. 

VEGA Advisory #1 - CERT-VDE published an advisory that describes a missing authentication for critical function vulnerability in the VEGAPULS two- and four-wire products. 

VEGA Advisory #2 - CERT-VDE published an advisory that describes a missing authentication for critical function vulnerability in the VEGAPULS Air products. 

VEGA Advisory #3 - CERT-VDE published an advisory that describes a missing authentication for critical function vulnerability in the VEGAPULS Bluetooth products. 

Researcher Reports  

TP-Link Reports - Cisco Talos published eight reports describing vulnerabilities in the TP-Link Archer AX53 AX3000 Dual Band Gigabit Wi-Fi 6 Router. 

Exploits  

PX4 Exploit - Mohammed Idrees Banyamer published an exploit for a stack-based buffer overflow vulnerability in the PX4Autopilot flight controller.

ThingsBoard Exploit - Tamil Mathi T published an exploit for a server-side request forgery vulnerability in the ThingsBoard IoT Platform.


For more information on these disclosures, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-5-338 - subscription required. 

 