CRS Reports – Week of 1-28-23 – Classified Information

This week, with increasing congressional interest in the various classified document discoveries in homes of former president and vice presidents, the Congressional Research Service published two reports on the protection of classified information:

Rules and Statutes Relevant to Safeguarding Classified Materials, and

The Protection of Classified Information: The Legal Framework

The first is a three-page overview of the legal standards that apply to protecting classified information. The second is a more in depth (30 page) look at the following related topics:

• Executive Order 13,526,

• Handling of Unauthorized Disclosures by:

◦ Information Security Oversight Office,

◦ Intelligence Community,

◦ Department of Defense,

◦ Department of State,

• Penalties for Unauthorized Disclosure,

• Declassification vs. Leaks and “Instant Declassification”,

• Special Considerations for the President, and

• Insider Threat Risk Management.

Interestingly, neither report contains an ‘issues for Congress’ section. This is almost certainly due to the fact that information classification is almost purely an Executive Branch function. This is discussed in the ‘Background Information’ section of the second document:

“The Supreme Court has never directly addressed the extent to which Congress may constrain the executive branch’s power in this area. Citing the President’s constitutional role as commander in chief, the Supreme Court has repeatedly stated in dicta (i.e., language that does not constitute a legal determination) that “[the President’s] authority to classify and control access to information bearing on national security . . . flows primarily from this Constitutional investment of power in the President and exists quite apart from any explicit congressional grant.” This language has been interpreted to indicate that the President has plenary authority to control classified information.”

Review – Public ICS Disclosures – Week of 1-28-23

This week we have twelve vendor disclosures from BaiCells, B&R, Hitachi, HP, HPE, JTEKT Electronics, Moxa, Pulse Secure (2), QNAP, and VMware (2). There is also a vendor update from VMware. Finally, we have two researcher reports for products from Sierra Wireless and describing vulnerabilities in the Open Charge Point Protocol for electric vehicle charging stations.

Advisories

BaiCells Advisory - BaiCells published an advisory that describes a use of hard-coded credentials vulnerability in their Nova 227, Nova 233, and Nova 243 LTE TDD eNodeB devices.

B&R Advisory - B&R published an advisory that describes five vulnerabilities in their ARPOL database.

Hitachi Advisory - Hitachi published an advisory that discusses 60 vulnerabilities in their Disk Array Systems.

HP Advisory - HP published an advisory that describes an escalation of privilege vulnerabilities in their Factory Preinstalled Images.

HPE Advisory - HPE published an advisory that discusses a use-after-free vulnerability in their HPE OneView.

JTEKT Advisory - JP CERT published an advisory that describes seven vulnerabilities in the JTEKT Screen Creator Advance product.

Moxa Advisory - Moxa published an advisory that describes six vulnerabilities in their SDS-3008 Series web server.

Pulse Secure Advisory #1 - Pulse Secure published an advisory that discusses four OpenSSL vulnerabilities.

Pulse Secure Advisory #2 - Pulse Secure published an advisory that describes a cross-site request forgery vulnerability in their Pulse Connect Secure.

QNAP Advisory - QNAP published an advisory that describes an SQL injection vulnerability in their QTS or QuTS hero products.

VMware Advisory #1 - VMware published an advisory that describes a cross-site request forgery bypass vulnerability in their vRealize Operations (vROps).

VMware Advisory #2 - VMware published an advisory that describes an arbitrary file deletion vulnerability in their VMware Workstation product. 

Updates

VMware Update - VMware published an update for their vRealize Log Insight advisory that was originally published on January 24^th, 2023.

Researcher Reports

Sierra Wireless Report - Otorio published a report describing two vulnerabilities in the Sierra Wireless AirLink products. The report contains proof-of-concept code.

OCPP Report - SaiFlow published a report describing two vulnerabilities in the WebSocket communications used by the Open Charge Point Protocol (OCPP).

 

For more details about these disclosures, including links to researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-1-768 - subscription required.

State Sends USML Technology Change Rule to OMB

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received an interim final rule from the State Department on “International Traffic in Arms Regulations: USML Technology Frontier 2022”. The Fall 2022 Unified Agenda entry for the rulemaking notes:

“The Department of State seeks public comment regarding the technology frontier, identifying specific technology capabilities that have sufficiently evolved to consider amending the International Traffic in Arms Regulations (ITAR), to revise and exclude entries on the U.S. Munitions List (USML) that no longer warrant inclusion and to add entries for critical and emerging technologies that do.”

There is a chance that cybersecurity technology could find its way into the arms trade control system as it did in earlier Bureau of Industry and Security rulemakings.

Note: The UA lists this as a ‘Notice of Inquiry’ (much like an advanced notice of proposed rulemaking) not an ‘Interim Final Rule’. The disconnect is probably an editorial error in the OIRA announcement.

Bills Introduced – 2-2-23

Yesterday, with the House and Senate preparing to leave Washington for the weekend, there were 146 bills introduced. Three of those bills may receive additional attention in this blog:

HR 762 To establish the Supply Chain Resiliency and Crisis Response Office in the Department of Commerce, and for other purposes. Blunt Rochester, Lisa [Rep.-D-DE-At Large] 

HR 763 To establish an Office of Manufacturing Security and Resilience in the Department of Commerce, to provide for a Department of Commerce assessment and strategy to counter threats to critical supply chains, and for other purposes. Blunt Rochester, Lisa [Rep.-D-DE-At Large]

HR 774 To establish an Office of Manufacturing Security and Resilience in the Department of Commerce, and for other purposes. Dingell, Debbie [Rep.-D-MI-6]

I will be watching these bills to see if they contain language or definitions which would specifically include control system security provisions within the coverage of the proposed programs.

Short Takes – 2-2-23

Dangerous Fungi Are Spreading Across U.S. as Temperatures Rise. WSJ.com article. Pull quote: ““We keep saying these fungi are rare, but this must be the most common rare disease because they’re now everywhere,” Dr. Spec said.”

Kid-edited journal pushes scientists for clear writing on complex topics. WashingtonPost.com article. Pull quote: “Dense language sends a message “that science is for scientists; that you have to be an ‘intellectual’ to read and understand scientific literature; and that science is not relevant or important for everyday life,” according to a paper published last year in Advances in Physiology Education.”

AI model accurately classifies reaction mechanisms. ChemistryWorld.com article. Pull quote: “Marwin Segler from Microsoft Research AI4Science calls the work ‘a fantastic demonstration of how machine learning can help creative scientists to unravel nature and solve hard chemical problems’. ‘We need better tools like this to discover novel reactions to make new drugs and materials and make chemistry greener,’ he says. ‘It also highlights how powerful simulations can be to train AI algorithms, and we can expect to see more of that.’”

How arming Ukraine is stretching the US defence industry. IG.FT.com article. Extended supply chains provide multiple supply bottlenecks. “Ramping up production of the Javelins, Himars and the Guided Multiple Launch Rocket Systems (GMLRS) it fires is complex and time-consuming. Detailed mapping of the supply chains for each by the Financial Times reveals a sprawling network: Himars and GMLRS are assembled in factories across 141 different US cities, while Javelins are built in 16 states.”

Russia Sidesteps Western Punishments, With Help From Friends.  NYTimes.com article. Pull quote: “In part, that could be because many nations have found Russia hard to quit. Recent research showed that fewer than 9 percent of companies based in the European Union and Group of 7 nations had divested one of their Russian subsidiaries. And maritime tracking firms have seen a surge in activity by shipping fleets that may be helping Russia to export its energy, apparently bypassing Western restrictions on those sales.”

House Ousts Ilhan Omar From Foreign Affairs Panel as G.O.P. Exacts Revenge. NYTimes article. GOP moderates bought off cheap. Pull quote: “But the gesture was not enough for some other Republicans. Representative Ken Buck of Colorado, one of the more conservative naysayers, exacted a pledge from Mr. McCarthy to strengthen the appeals process for members facing punitive actions in the future, a commitment that won over most of the remaining holdouts.”

On "Sensitive but unclassified.". WHMurray.blogspot.com post. Short and sweet.

Pentagon: Suspected Chinese spy balloon flying over northern US. TheHill.com article. Pull quote: ““We had been looking at whether there was an option yesterday” to down the balloon “over some sparsely populated areas in Montana, but we just couldn’t buy down the risk enough to feel comfortable recommending shooting it down yesterday,” the official said.”

CSB Back to Three Board Members Again. CSB.gov release. Pull quote: “CSB Chairperson Owens said, “We are delighted to have Cathy Sandoval join us on the CSB Board, and we are looking forward to working closely with her to continue to rebuild and revitalize the CSB and protect communities, workers and the environment from chemical disasters.”  Three out of what is supposed to be a 5-member Board.

Stop Passing the Buck on Cybersecurity. ForeignAffairs.com article. Article by Jen Easterly and CISA Executive Assistant Director Eric Goldstein; part of new administration outlook on cybersecurity? Pull quote: “What the United States faces is less a cyber problem than a broader technology and culture problem. The incentives for developing and selling technology have eclipsed customer safety in importance—a trend that is not unique to software and hardware industries but one that has particularly pernicious effects because of the ubiquity of these technologies. As Americans have integrated technology into nearly every facet of their lives, they have unwittingly come to accept that it is normal for new software and devices to be indefensible by design. They accept products that are released to market with dozens, hundreds, or even thousands of defects. They accept that the cybersecurity burden falls disproportionately on consumers and small organizations, which are often least aware of the threat and least capable of protecting themselves.”

Two decades after the Columbia disaster, is NASA’s safety culture fixed? ArsTechnica.com article. Pull quote: “"We have enough examples now of what not to do," Heflin said. "I don't care what it is. If you have someone who is worried, don't slough it off. Deal with it. The program manager is under all this pressure to complete a mission. But you just can't ignore someone who might just have something you really need to pay attention to. You can't allow all of these successes to blind you to things you should pay attention to." Lessons applicable to more than just space flight.

Review – 5 Advisories and 1 Update Published – 2-2-23

Today, CISA’s NCCIC-ICS published five control system security advisories for products from Delta Electronics (3), Baicells Technologies, and Mitsubishi Electric. They also updated an advisory for Mitsubishi.

Advisories

Delta Advisory #1 - This advisory describes two vulnerabilities with known exploits in the Delta DX-2100-L1-CN industrial ethernet router.

NOTE: I briefly discussed the vulnerabilities on December 10^th, 2022.

Delta Advisory #2 - This advisory describes an OS command injection vulnerability with known exploit in the Delta DVW-W02W2-E2 industrial ethernet router.

NOTE: I briefly discussed the vulnerabilities on December 10^th, 2022.

Delta Advisory #3 - This advisory describes three vulnerabilities in the Delta DIAScreen software configuration tool for Delta devices.

Baicells Advisory - This advisory describes a command injection vulnerability in the Baicells Nova LTE TDD eNodeB devices.

NOTE: Baicells recently reported another vulnerability that has not been reported by NCCIC-ICS. I will report on it this weekend.

Mitsubishi Advisory - This advisory describes two vulnerabilities in the Mitsubishi GOT Mobile Function on GOT2000 Series and GT SoftGOT2000.

Updates

Mitsubishi Update - This update provides additional information on an advisory that was originally published on August 9th, 2022 and most recently updated on November 1^st, 2022.

 

For more information on these advisories, including links to researcher reports, see my article on CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-advisories-and-1-update-published-0b1 - subscription required.

Short Takes – 2-1-23

Hacked Electrify America Charger Exposes Major Cybersecurity Risk. ScreenRant.com article. My future news story wasn’t so future. Pull quote: “Electrify America is already under scrutiny for bricking some EVs, and it now appears that its chargers are easy targets for cyber criminals. Twitter user The Kilowatts was able to gain access to an Electrify America charger in Kettleman City, and even posted a couple of videos showing how easy it was to breach the chargers’ security network. The first video shows the Electrify America charger’s screen displaying an image of a red Tesla Model 3. The second video shows how The Kilowatts was able to take control of the Electrify America charger using the simple TeamViewer app.”

GOP moves to stop unelectable Senate candidates. TheHill.com article. Headline a bit of an overreach. Pull quote: ““There is no more welcome sight than the committee activating again and indicating their interest in delivering success for Senate Republicans in 2024 after the cycle we just went through with a committee that seemed more interested with the chairman’s campaign for president than the GOP’s campaign for Senate,” one GOP operative involved in Senate races told The Hill. “It’s just nice to have a team in charge that puts Senate Republicans ahead of themselves.””

TEEX aims to make disaster training almost like the real thing. CEN.ACS.org article. Pull quote: “These trainers stress that TEEX wants to ingrain a clear response plan in students through real-life practice and education, avoiding or at least mitigating incidents like the one at the West warehouse, which claimed so many lives. Such knowledge may prove very important, as OSHA and the EPA chose not to implement the CSB’s recommendations to toughen FGAN regulations.”

Seawater split to produce green hydrogen. Newswise.com article. Cheaper route to hydrogen production. Pull quote: ““Our work provides a solution to directly utilise seawater without pre-treatment systems and alkali addition, which shows similar performance as that of existing metal-based mature pure water electrolyser.””

Enter the Hunter Satellites Preparing for Space War. Wired.com article. According to a recent filing with the US Federal Communication Commission (FCC), True Anomaly is now gearing up for its first orbital mission. In October, True Anomaly hopes to launch two Jackal “orbital pursuit” spacecraft aboard a SpaceX rocket to low earth orbit. The Jackals will not house guns, warheads, or laser blasters, but they will be capable of rendezvous proximity operations (RPO)—the ability to maneuver close to other satellites and train a battery of sensors upon them. This could reveal their rivals’ surveillance and weapons systems, or help intercept communications.”