Thursday, March 20, 2025

Short Takes – 3-20-25 – Federal Register Edition

National Emission Standards for Hazardous Air Pollutants: Chemical Manufacturing Area Sources Technology Review; Comment Period Extension. Federal Register EPA comment extension. Summary: “On January 22, 2025, the U.S. Environmental Protection Agency (EPA) proposed a rule titled “National Emission Standards for Hazardous Air Pollutants: Chemical Manufacturing Area Sources Technology Review.” The EPA is extending the comment period on this proposed rule, which was scheduled to close on March 24, 2025. The comment period will now remain open until April 14, 2025, to allow additional time for stakeholders to review and comment on the proposal.”

EO 14236 - Additional Rescissions of Harmful Executive Orders and Actions. Federal Register.

EO 14237 - Addressing Risks From Paul Weiss. Federal Register.

EO 14238 - Continuing the Reduction of the Federal Bureaucracy. Federal Register.

Wednesday, March 19, 2025

Short Takes – 3-19-25

Texas, New Mexico measles outbreak grows to more than 300. TheHill.com article. Pull quote: “According to the latest update from the Texas Department of State Health Services (DSHS), 279 measles cases have been reported in the state. In neighboring New Mexico, 38 cases have been confirmed as of Tuesday, totaling 317 cases across both states.”

Private Starlab space station moves into 'full-scale development' ahead of 2028 launch. Space.com article. Pull quote: “Starlab, a joint project between the U.S. space technology firm Voyager Space and European aerospace conglomerate Airbus, will consist of a service module and a habitat large enough to host four space tourists. Currently, the station is expected to launch in 2028 aboard SpaceX's Starship megarocket.”

Hazardous Materials: Request for Feedback on Determining the Effectiveness of Pressure Relief Devices (PRDs) on Composite Overwrapped Pressure Vessels (COPVs). Federal Register PHMSA request for comments. Summary: “PHMSA is publishing this notice to solicit information to evaluate the test design for proposed bonfire tests on fully charged composite overwrapped pressure vessels (COPVs) with different pressure relief devices; seek input on how test results could inform design guidelines for COPVs; and solicit feedback on the impacts of possible updates for design guidelines.” Comments due: June 17th, 2025.

Feral pig bacteria retire to Florida man’s implanted heart device. ArsTechnica.com article. Pull quote: “The doctors say the case should raise awareness of the potential for brucellosis in Florida, particularly in patients with implanted cardiac devices. They note that there are more than a million feral swine in the state and any hunters are at risk. Moreover, they highlighted a small study from Saudi Arabia, where Brucella is endemic, that found that the bacteria were behind 11 percent of cardiac device infections.”

Exlabs and Antares form alliance to develop nuclear-powered spacecraft. Spacenews.com article. Pull quote: ““We see a growing interest in the national security space in extended-mission vehicles which require nuclear capabilities,” Schmidgall said. “National security and cislunar infrastructure are going to require these capabilities.””

Bird flu continues spread as Trump’s pandemic experts are MIA. ArsTechnica.com article. Pull quote: “The idea was quickly bashed by experts, who noted it would be inhumane, a massive risk for farm workers, and worsen the economic hit to farmers, who would have to keep facilities closed down longer for the infection to spread naturally than if they quickly carried out controlled culls. Moreover, letting the virus spread uncontrollably in thousands or even millions of birds gives the virus countless opportunities to evolve and become more virulent.”

Chinese company targets crewed orbital spaceflight. SpaceNews.com article. Pull quote: “It [AZSpace] is not the only Chinese commercial company targeting space tourism. Launch companies CAS Space and Deep Blue Aerospace are developing suborbital spacecraft to provide services similar to those of Blue Origin and its New Shepard system. Another, younger spacecraft manufacturer, Interstellor, is also working on a spacecraft for suborbital tourism.”

CISA Adds Edimax Vulnerability to KEV Catalog – 3-19-25

Today CISA announced that it had added an OS command injection vulnerability in the Edimax IC-7100 IP Camera to their Known Exploited Vulnerabilities (KEV) catalog. CISA had previously disclosed the vulnerability, noting at the time that Edimax had not responded to CISA’s coordination attempts. Akamai reports that they have been seeing the vulnerability exploited in the wild since September 2024 and notes that proof-of-concept code has been available since June 2023. Apparently, the reason that Edimax has not been responding to vulnerability coordination efforts is that the IC-7100 IP Camera has been end-of-life for quite some time. Unfortunately, Akamai surmises that the vulnerability exists in other IoT products from Edimax.

CISA is requiring federal agencies that have the affected Edimax camera to apply “mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” A deadline of March 9th, 2025 has been provided.

Review - Bills Introduced – 3-18-25

Yesterday, with the House and Senate meeting in pro forma session, there were 77 bills introduced. One of those bills may receive additional coverage in this blog:

HR 2205 To exempt the Secretary of Energy of certain prohibitions with respect to an unmanned aircraft system, and for other purposes. Lee, Susie [Rep.-D-NV-3]

For more information on these bills, including legislative history for similar bills in the 118th, as well as a mention-in-passing look at five bills that would create a RIF moratorium for select federal research efforts, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-3-18-25 - subscription required.

Tuesday, March 18, 2025

Short Takes – 3-18-25

H5N1 2.3.4.4b D1.3 in Ohio-Indiana Poultry Outbreak with Associated Undisclosed Human Sequence Data. HogVet51.Substack.com article. A tad bit geeky, but interesting discussion. Pull quote: “I don’t want to drone on. We have a relatively new zoonotic H5N1 2.3.4.4b D1.3 genotype that has killed over 19 million chickens on 84 farms in a small area in less than 2 1/2 months! It put one poultry worker in the hospital. No one has even bothered to publicly announce the new genotype to my knowledge! CDC has likely sequenced it from the hospitalized human patient yet has failed to deposit the sequence or even inform the public of its findings.”

Isar Aerospace sets date for first launch after receiving license. SpaceNews.com article. Pull quote: “The launch attempt will be a major milestone for both the company and the European space industry as it seeks to expand its launch capabilities. “In today’s geopolitical climate, our first test flight is about much more than a rocket launch: Space is one of the most critical platforms for our security, resilience and technological advancement,” Daniel Metzler, chief executive and co-founder of Isar Aerospace, said in a statement. “In the next days, Isar Aerospace will lay the foundations to regain much needed independent and competitive access to space from Europe.””

Wired is dropping paywalls for FOIA-based reporting. Others should follow. Freedom.press article. Pull quote: “We commend Wired for tipping the balance that all for-profit media outlets must strike between public interest and business more toward the public interest. We hope others will follow its lead (and shoutout to outlets like 404 Media that also make their FOIA-based reporting available for free).”

A method to assess 'forgivable' vs 'unforgivable' vulnerabilities. NCSC.gov.uk article. Pull quote: “We know many vulnerabilities are complex and hard to avoid. But vulnerabilities that are trivial to find (and that occur time and time again) are ones the NCSC are aiming to drive down at scale. These ‘unforgivable vulnerabilities’, a phrase coined by Steve Christey in his 2007 MITRE paper, ‘are beacons of a systematic disregard for secure development practices. They simply should not appear in software that has been designed, developed, and tested with security in mind’.”

Europe funds inflatable satellite drag sail demonstration. SpaceNews.com article. Pull quote: “A growing number of satellites rely on onboard propulsion to maneuver and lower their altitude for deorbiting. However, this method requires the satellite to be functional at the end of its mission and consumes fuel that could otherwise be used for operational tasks.”

US reviews chemical incident prevention planning rules. ChemistryWorld.com article. Pull quote: “California-based environmental non-profit group Earthjustice voiced concerns at the review. ‘This is the second time the Trump administration targets safeguards against chemical disasters. Any rollback of health and safety protections from chemical disasters will face legal challenges.’ Earthjustice asserts that fatal or life-threatening chemical incidents occur at chemical facilities on average every 2.5 days, and over $5 billion in damages have resulted from these disasters.” Includes quotes from me.

Farewell, Blue Ghost! Private moon lander goes dark to end record-breaking commercial lunar mission. Space.com article. Pull quote: “"We battle-tested every system on the lander and simulated every mission scenario we could think of to get to this point," Blue Ghost Chief Engineer Will Coogan said in a Firefly statement today (March 17) that announced the end of the mission.”

Snubbed Vaccine Committee Members Lament FDA's Flu Shot Actions. MedPageToday.com article. Pull quote: “He told MedPage Today that an additional value of VRBPAC is that its discussions and reasoning are "open to the public" -- and that they include a "post-mortem on how we did the previous year and whether we could have done better" in terms of matching strains with those that end up circulating.”

CISA Adds FortiGuard Vulnerability to KEV Catalog – 3-18-25

Today CISA added an authentication bypass using an alternate path or channel vulnerability in the FortiGuard FortiOS and FortiProxy products to its Known Exploited Vulnerabilities (KEV) catalog. FortiGuard previously reported the vulnerability on February 11th, 2025, adding it to a previously published advisory, since the fix for the earlier vulnerability also fixed the added vulnerability. Cybersecurity Dive reports that the two vulnerabilities have been exploited by the new SuperBlack ransomware.

CISA is requiring federal agencies to apply “mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” A deadline of April 8th, 2025 has been provided to covered agencies.

Review – 5 Advisories and 2 Updates Published – 3-18-25

Today CISA’s NCCIC-ICS published five control system security advisories for products from Schneider (4) and Rockwell. They also updated advisories for products from Mitsubishi and Schneider.

Advisories

Schneider Advisory #1 - This advisory describes four vulnerabilities in the Schneider ASCO 5310/5350 Remote Annunciator.

Schneider Advisory #2 - This advisory describes an insertion of sensitive information into log file vulnerability in the Schneider EcoStruxure Panel Server.

Schneider Advisory #3 - This advisory describes an insecure default initialization of resource vulnerability in the Schneider EcoStruxure Power Automation System.

Schneider Advisory #4 - This advisory describes an improper authentication vulnerability in the Schneider EcoStruxure Power Automation System User Interface (EPAS-UI).

Rockwell Advisory - This advisory discusses three vulnerabilities (all listed in CISA’s Known Exploited Vulnerability catalog) in the Rockwell products using Lifecycle Services with VMware.

Updates

Mitsubishi Update - This update provides additional information on the CNC Series advisory that was originally published on October 17th, 2024, and most recently updated on February 20th, 2025.

Schneider Update - This update provides additional information on the Modicon advisory that was originally published on December 17th, 2024.


For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-advisories-and-2-updates-published-a61 - subscription required.