In a week that was dominated by news out of West Virginia or
budget talk, there were a number of items that slipped through the cracks of my
blog. Here is a quick look at some of the things that I missed discussing:
Crude Oil Trains
There was lots of talk about the ongoing issue of burning
and exploding train cars in crude oil train derailments.
The Canadian government is proposing new regulations that
deal with crude oil trains. There are a couple of news articles (here and here)
and text of the proposed regulations.
There was more discussion about the hazard classification of
crude oil from the Bakken Shale fields. Of particular interest was a discussion
of what the industry knew about mis-identification of the hazards along with an
industry slide
presentation. We are still waiting on the final word on the PHMSA testing.
More information on the New Brunswick derailment from the
previous week
indicates that the new DOT 111 cars held up better than the older ones; not
really news, but it does confirm previous research.
There was a nice article about why the crude trains are going to remain in
operation and others (here and here) about what industry is talking about doing
to make them safer.
Cybersecurity
With the S4x14 control system security conference in Miami
this last week there was lots of cybersecurity stuff in the news.
I stumbled into the SANS Reading room and found an interesting
(but very lengthy) article on physical breaches of cybersecurity sites.
This is very important because almost all cybersecurity researchers note that
if you can touch a control system, you can almost certainly own it.
There was another
lengthy article this week about security of embedded devices.
Then there was the article
about firmware upgrades to the Tesla electric car that completely failed to
mention security concerns associated with remote firmware updates.
A British research institute (with government backing) is
apparently looking at ways to increase
the security of control systems. It will probably be ineffective, but it
might contribute to the knowledge base.
The S4x14 conference produced its expected level of
controversy. Dale has not yet begun posting videos of the key presentations,
but two sets of authors have posted copies of the slides they used in their
presentations. Crain-Sistrunk detailed their DNP3
research and Luigi-Donato looked at protecting
control systems, even without vendor support. The Luigi-Donato slides
include their Ecava vulnerability announcement.
If it is actually possible, remote access to control systems
became even more insecure this week when
it was noted that an Android vulnerability allowed attackers to bypass VPN
security measures.
And, as if we hadn’t heard enough nasty news about the
capabilities of the NSA, there was
an article from that tech leader, the New York Times, about how NSA has
inserted devices into a handful (85,000 to 100,000) of computers that would allow
the NSA to communicate with them even if they are not hooked up to the
internet; so much for the air gap thing.
CSB Funding
The week he convinced the CSB to take up the investigation
of the Freedom spill (even though there was no fire/explosion or people killed),
Sen. Rockefeller (D,WV) asked the Senate Appropriations Committee to increase
the funding for the Chemical Safety Board. Rockefeller has long been a
supporter of the Board and its chemical safety efforts in West Virginia (and
the rest of the country) and as the Chair of the Senate Transportation and
Infrastructure Committee he has a clear legislative interest in the Board, but the
timing of his letter does smell just a tad bit.
CFATS
The latest version of the Congressional Research Service (CRS) report on the CFATS
program and the legislative issues surrounding it has been published. Once
again we have to get a copy of it from the Federation of American Scientists. I
will have more on this one in later posts.
TWITTER
Click on first link for the conversation. Follow me on
TWITTER at pjcoyle.
@pjcoyle @mikko @MrMeritology "World's
trust" is a tad bit overboard. NSA job was always to spy on the rest of
the world.
@pjcoyle @i_defender In either case the
consumer ultimately pays through higher prices, reduced services, more complex
transactions
@Kenwardjr BTW
... Obama EPA is still refusing to provide anyone from their end to discuss the
WV chemical spill ... very typical for EPA I'm afraid.
@pjcoyle @isssource @SCADAhacker I hope some university
industrial hygiene program does a health study of the folks in Charleston for
MCHM exposure
@PatrickCMiller
NEWSFLASH: Critical Infrastructure [will always] have a very high target value.
Act accordingly.
@pjcoyle @Phil_Radford @ilyseh @dhlovelife It was more than a little
late, but "probably" won't cause any long
term effects.
@pjcoyle Climate
change: The case of the missing heat http://www.nature.com/news/climate-change-the-case-of-the-missing-heat-1.14525 …
@pjcoyle @kgcrowther @ProfCharlesHaas While imprecise
to say the least, CDC had to do something or WV would still be without water.
@pjcoyle @kgcrowther @ProfCharlesHaas If MCHM use is
widespread in coal industry, maybe they should fund additional study?
@isssource Microsoft
will extend support for its antimalware software for Windows XP into 2015.
@socma Today in @ICISnews: Market outlook: US chemical
industry seeks regulatory action in 2014. http://bit.ly/1b4LJZJ
@pjcoyle @selil @johnmccumber And you're almost
always going to be wrong in hindsight, either too aggressive or not aggressive
enough
@pjcoyle An
Introduction to Cyber Intelligence - http://tinyurl.com/p8lshct
- Robert Lee article - PJC Good opening discussion of cyber intelligence -