Tuesday, September 27, 2022

Review – 3 Advisories Published – 9-27-22

Today, CISA’s NCCIC-ICS published three control system security advisories for products from Rockwell Automation and Hitachi Energy.

 

Rockwell Advisory - This advisory describes a heap-based buffer overflow vulnerability in the Rockwell ThinManager ThinServer, thin client and remote desktop protocol (RDP) server management software.

NOTE: I briefly discussed this vulnerability on Saturday.

Hitachi Advisory #1 - This advisory discusses two vulnerabilities (one with known exploit) in the Hitachi Energy Lumada Asset Performance Management (APM) Edge product.

NOTE: I briefly discussed these vulnerabilities on July 30th, 2022.

Hitachi Advisory #2 - This advisory discusses an improper input validation vulnerability in the Hitachi Energy AFS660/AFS665 industrial switches.

NOTE: I briefly discussed this vulnerability on July 30th, 2022.

 

For more details on these advisories, including links to third-party advisories and exploits, see my Article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-published-9-27-22 - subscription required.


MARAD Sends Tanker Security Program Interim Final Rule to OMB

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received from DOT’s Maritime Administration (MARAD) an interim final rule for “Tanker Security Program”. This rule supports the requirements of §3511 of the FY 2021 NDAA (PL 116-283, 134 STAT 4408). The new 46 USC Chapter 534 set forth in that legislation requires DOT, in coordination with DOD, to establish a ‘Tanker Security Fleet’ somewhat akin to the air reserve fleet that DOD can call upon in the event of a national emergency for airlift support. The TSP would provide for a fleet of tanker vessels that DOD could call upon for emergency fuel transport.


Monday, September 26, 2022

Short Takes – 9-26-22

Ian continues on perilous path toward Florida. WashingtonPost.com article. Headed for the eastern Gulf Coast; landfall location still uncertain. Pull quote: “The uncertainty in the forecast stems from an approaching trough, or dip in the jet stream, over the northern United States. Ian may or may not hitch a ride. If it does, it would be scooped north and east more quickly and come ashore as a more serious hurricane in the Florida peninsula on Wednesday.”

NASA spacecraft will slam into an asteroid Monday — if all goes right. WashingtonPost.com article. DART mission impact expected Monday evening. Pull quote: ““We’ve got to have such technology,” he said. “It would be prudent upon us to test that all out ahead of time, so we’re not trying to do it for the first time when we really need it to work.””

Shutdown threat grows as lawmakers struggle to reach final deal. TheHill.com article. CR still has contentious components to work through. Pull quote: “However, Republicans have been less open to funding for the nation’s monkeypox and coronavirus response efforts — a sentiment that appears to have only further cemented in light of Biden’s recent comments declaring the pandemic “over.””

Five things to know about NASA’s mission to hit an asteroid. TheHill.com article. DART mission overview. Pull quote: “DART is estimated to slam into Dimorphos around 7:14 p.m. at more than 14,000 miles per hour. NASA officials will be able to estimate the results of the strike by using ground-based telescopes.”

Medics ‘flying blind’ in fight against superbugs due to patchy diagnostics. Telegraph.co.uk article. Problems with antibiotic resistant bacteria in Africa. Pull quote: “Clinics and hospitals are also relying on a narrow arsenal of antibiotics. Four drugs make up two-thirds of all the antibiotics used in healthcare, the researchers found.” Remember monkeypox problems.

The U.S. Is Running Short of Land for Housing. WSJ.com article. Land use restrictions and lack of infrastructure causing problems. Pull quote: “Land-use restrictions and a lack of public investment in roads, rail and other infrastructure have made it harder than ever for developers to find sites near big population centers to build homes. As people keep moving to cities such as Austin, Phoenix and Tampa, they are pushing up the price of dirt and making the housing shortages in these fast-growing areas even worse.”

Thinking Like a Cyberattacker to Protect User Data. HomelandSecurityNewsWire.com article. Misleading title; the article is about potential side-channel attacks. Pull quote: “When the researchers used this model to launch side-channel attacks, they were surprised by how quickly the attacks worked. They were able to recover full cryptographic keys from two different victim programs.”

Covid-tracking program lacked bare minimum cyber protections. WashingtonPost.com article. Based on a since-pulled, restricted-distribution IG report. Pull quote: ““Cybersecurity controls for both systems were not implemented before employment because HHS officials prioritized deploying the systems for operational use to achieve the agency’s mission of combating the covid-19 pandemic over meeting all the federal requirements before deployment.”” Raise your hand if you are surprised…. No hands????

NASA strikes asteroid with spacecraft in historic planetary defense mission. TheHill.com article. DART hit the asteroid moon. Pull quote: “The DART team estimated they would have a full assessment on the collision in about two months, including details of how much the spacecraft pushed the asteroid out of its orbit. NASA and APL were hoping to change the orbit of Dimorphos by several minutes.”


CSB Deploys Team to Fatal Refinery Incident in Ohio

The Chemical Safety Board announced today that it is deploying an investigation team to the BP Toledo Refinery in Oregon, OH for a fire and explosion that occurred nearly a week ago on September 20, 2022. Initial news reports (here and here) reported that two brothers were killed in the explosion and fire at the refinery. The CSB announcement adds that there was an associated release of sulfur dioxide and hydrogen sulfide.

The CSB has been having problems completing its open investigations, recently reporting on the planned schedule for completing 16 open investigations. While working through these problems the CSB has not initiated any new investigations since July 2021, when it started the investigation into the acetic acid release at the LyondellBasell facility in La Porte, TX.

It is more than a little unusual for the CSB to take six days to decide to investigate a chemical incident. The late start means that they have had to rely on other agencies to preserve the scene of the incident for investigators. All sorts of people have probably been at the accident scene. It is surprising how much stuff non-investigators pick up as souvenirs at explosion sites; there is no telling how much evidence has walked off the site since the fire/explosion last Tuesday.

This raises an interesting question. Did CSB receive additional information (the newly reported chemical release) that made an investigation a higher priority than completing reports? Or was there political pressure applied to the CSB to get them to get back in the investigation game?


Review - HR 8806 Introduced – Healthcare Cybersecurity

Earlier this month, Rep Crow (D,CO) introduced HR 8806, the Healthcare Cybersecurity Act of 2022. The bill would require CISA to work with the Department of Health and Human Services (HHS) to improve cybersecurity in the Healthcare and Public Health Sector. No additional spending is authorized in this bill.

Moving Forward

Neither Crow nor his single cosponsor, Rep Fitzpatrick (R,PA), is a member of the House Homeland Security Committee to which this bill was assigned for consideration. This means that it is unlikely that the bill will be considered in Committee. I see nothing in the bill that would engender any organized opposition. I suspect that the bill would receive broad bipartisan support if it were considered in either Committee or on the floor of the House.

Commentary

The requirement in §6(a)(3) to evaluate the “best practices for the deployment of trained Cyber Security Advisors and Cybersecurity State Coordinators of the Agency into Healthcare and Public Health Sector assets before, during, and after data breaches or cybersecurity attacks” is going to have to include a detailed look at the number of Cybersecurity Advisors available in each region versus the historical number of healthcare sector cyberattacks. CISA has only limited information available on the number of Cyber Security Advisors that it has on staff, but it is no more than 2 or 3 for each of their ten regional offices. This certainly will not be enough to handle every cyberattack in the healthcare sector, much less the other 15 critical infrastructure sectors.

If CISA is going to be an incident response agency for private sector organizations, they are going to have to dramatically increase the number of IR personnel they have in their regional offices, and I do not think that is doable.

 

For more details about the bill’s requirements, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-8806-introduced - subscription required.


Saturday, September 24, 2022

Short Takes – 9-24-22

Immediate Action is Needed to Protect the Homeland from Drone Threats. HSToday.us article. Discussion about provisions of S 4687. Pull quote: “But more is needed and more is needed now. To ensure that drones don’t disrupt or harm our way of life, we must provide federal, state, and local authorities with the complete set of tools to mitigate drone threats while maintaining the civil rights and liberties of responsible unmanned aircraft operators.” 

The Elusive Future of San Francisco’s Fog. NYTimes.com article. If you have ever spent time in San Francisco, you know about fog… Pull quote: “Every summer, fog breathes life into the Bay Area. But people who pay attention to its finer points, from scientists to sailors, city residents to real estate agents, gardeners to bridge painters, debate whether there is less fog than there used to be, as both science and general sentiment suggest.”


Unusual ‘Chlorine’ Incident in Rhode Island

A local TV station in Pawtucket, RI published a report yesterday about a chlorine gas incident at a residential building. It seems that a contractor was emptying a sewage (septic?) tank at the building, and during the process added ‘chlorine tablets’ (probably calcium hypochlorite or trichlor pool chlorine tablets; sodium hypochlorite, ordinary household bleach, is sold as a liquid) to the tank as part of some sort of disinfection process. An unusually high number of tablets were apparently used, and two residents were taken to the hospital for treatment for breathing problems because of chlorine gas exposure.

Dissolved in water, these tablets release hypochlorite, the active ingredient in ‘bleach’. Hypochlorite is very reactive with a number of different chemicals, acids in particular, and frequently releases chlorine gas as part of those reactions; with the ammonia found in sewage it also forms irritating chloramine vapors. Chlorine is detectable by smell at very low concentrations, and I would suspect that there should not have been enough chlorine gas released into the building to be a serious health hazard for healthy individuals. Unfortunately, any number of pre-existing diseases could make people susceptible to breathing problems at even very low concentrations of chlorine gas.

Interestingly, this incident probably triggers a requirement to report the incident to the CSB. We certainly had a chemical release (chlorine gas) which caused serious injuries, provided that the two residents taken to the hospital were admitted as in-patients (the CSB’s threshold for a reportable ‘serious injury’). This was not a transportation-related event, so the incident occurred at a ‘fixed site’. Since the contractor doing the work routinely handles the ‘chlorine tablets’ for the chemical treatment of sewage tanks, they would be expected to be aware of the chemical hazards involved and should know about the CSB reporting requirements. I do not expect that the CSB will be sending an investigation team to an incident like this, even if they were fully staffed and not three years behind on completing accident investigation reports. But the incident still falls within the regulatory reporting requirements.


Review - GAO Reports NNSA Cybersecurity Concerns

This week the Government Accountability Office published a report on the cybersecurity efforts at the National Nuclear Security Administration. According to the web site for this report: “The National Nuclear Security Administration (NNSA) and its contractors have not fully implemented six foundational cybersecurity risk practices in its traditional IT environment. NNSA also has not fully implemented these practices in its operational technology and nuclear weapons IT environments.”

The GAO report recommends (pgs 42-3) that NNSA should:

• Promptly finalize its planned revision of Supplemental Directive 205.1, Baseline Cybersecurity Program, to include the most relevant federal cybersecurity requirements and review the directive at least every 3 years.

• Direct NNSA’s Office of Information Management, and the site contractors that have not done so, to develop and maintain cybersecurity continuous monitoring strategies that address all elements from NIST guidance.

• Direct NNSA’s Office of Information Management, and the site contractors that have not done so, to identify and assign all risk management roles and responsibilities called for in NIST guidance.

• Direct that the site contractors that have not done so maintain a site-wide cybersecurity risk management strategy that addresses all elements from NIST guidance and perform periodic reviews at least annually.

• Direct the Office of Information Management to identify the needed resources to implement foundational practices for the OT environment, such as by developing an OT activity business case for consideration in NNSA’s planning, programming, budgeting, and evaluation process.

• Establish a cybersecurity risk management strategy for nuclear weapons information technology that includes all elements from NIST guidance.

• Clarify and reinforce to the M&O contractors, such as by a policy flash or other communication, that they are required to monitor subcontractor’s cybersecurity measures.

• Include performance criteria evaluating contractor oversight of subcontractor cybersecurity measures in the annual M&O contractor performance evaluation process.

• Direct Information Management and the Office of Acquisition and Project Management to ensure that Supplemental Directive 205.1 contains language requiring third-party validation of contractor and subcontractor cybersecurity measures.

 

For a more detailed look at the GAO Report, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/gao-reports-nnsa-cybersecurity-concerns - subscription required.


GAO Publishes Federal Building Security Report

This week, the Government Accountability Office published a report looking at the effectiveness of the Federal Protective Service (FPS) in providing physical security oversight of, and federal law enforcement support to, federally owned and leased offices. The GAO reports that, while agencies are generally satisfied with the assessments, they do not implement many of the resulting recommendations.

The report notes:

“FPS conducts facility security assessments and recommends security measures—such as security cameras, physical access control systems, and x-ray screening equipment. These measures are aimed at preventing security incidents.”

Interestingly, there is no discussion of the assessment of, and recommendations for, the cybersecurity of the electronic systems being recommended by the FPS. This would be especially problematic where these systems are networked to centralized security stations or where remote access to the systems is allowed.


Review – Public ICS Disclosures – Week of 9-17-22

This week we have seventeen vendor disclosures from Bosch, Festo, HPE (3), Insyde (7), PcVue (2), Rockwell, Tanzu, and Western Digital. We also have an update from PcVue.

Bosch Advisory - Bosch published an advisory that describes an information disclosure vulnerability in their VIDEOJET Decoder VJD-7513.

Festo Advisory - CERT-VDE published an advisory that describes an improper privilege management vulnerability in the Festo control block CPX-CEC-C1 and CPX-CMXX.

HPE Advisory #1 - HPE published an advisory that discusses an information disclosure vulnerability in their Edgeline Servers.

HPE Advisory #2 - HPE published an advisory that discusses a privilege escalation vulnerability in their Edgeline Servers.

HPE Advisory #3 - HPE published an advisory that discusses 28 vulnerabilities in their SAN switches.

Insyde Advisory #1 - Insyde published an advisory that describes an SMM arbitrary code execution vulnerability in their InsydeH2O product.

Insyde Advisory #2 - Insyde published an advisory that describes a memory leak vulnerability in their InsydeH2O product.

Insyde Advisory #3 - Insyde published an advisory that describes an arbitrary code execution vulnerability in their InsydeH2O product.

Insyde Advisory #4 - Insyde published an advisory that describes a memory corruption vulnerability in their InsydeH2O product.

Insyde Advisory #5 - Insyde published an advisory that describes a memory corruption vulnerability in their InsydeH2O product.

Insyde Advisory #6 - Insyde published an advisory that describes a memory leak vulnerability in their InsydeH2O product.

Insyde Advisory #7 - Insyde published an advisory that describes a memory corruption vulnerability in their InsydeH2O product.

PcVue Advisory #1 - PcVue published an advisory that describes a sensitive information in log file vulnerability in their PcVue 15 product.

PcVue Advisory #2 - PcVue published an advisory that discusses an access of uninitialized pointer vulnerability in their PcVue product.

Rockwell Advisory - Rockwell published an advisory that describes a heap-based buffer overflow vulnerability in their ThinManager ThinServer software.

Tanzu Advisory - Tanzu published an advisory that describes an information disclosure vulnerability in their Spring Data REST product.

Western Digital Advisory - Western Digital published an advisory that describes a use of weak hash vulnerability in their WD Discovery products.

PcVue Update - PcVue published an update for their OAuth configuration advisory that was originally published on August 8th, 2022.

NOTE: NCCIC-ICS has not updated their advisory (ICSA-22-235-01) to reflect this new information.

 

For more details on these disclosures, including links to third-party advisories and researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/publish/post/74741456 - subscription required.

Friday, September 23, 2022

Short Takes – 9-23-22

Pipeline Security, Visibility, and Detection at the OT Edge. Synsaber.com blog post. Minimal self-advertising. Pull quote: “The threat landscape continues to evolve, now including issues such as Ransomware as a Service (RaaS) and increased mass scanning techniques, and new attacks are being developed every day. While OT networks may be more likely to be a victim of “splash damage” rather than a direct attack, the risks to critical infrastructure are not disputed. As a result of the increased threat and awareness of potential risks, organizations are looking for ways to improve their visibility and their defenses against these attacks.”

Unique Electronic Identification of Commercial Motor Vehicles. Federal Register ANPRM notice. Pull quote: “FMCSA requests public comment on whether the agency should amend the Federal Motor Carrier Safety Regulations to require every commercial motor vehicle (CMV) operating in interstate commerce to be equipped with electronic identification (ID) technology capable of wirelessly communicating a unique ID number when queried by a Federal or State motor carrier safety enforcement personnel.”

“If anyone is interested in following all of the global CERTs, CIRTs, SIRTs, CSIRTs, PSIRTs, NCSCs and ISACs - I made a list.” A Twitter list from @PatrickCMiller.

What will it take to recycle millions of worn-out EV batteries? KnowableMagazine.org article. Pull quote: ““Some of the largest companies in the world are buying as much recycled battery metals as available,” he says. “The challenge, right now, is really about who can scale up the quickest.””


HR 7900 Amendments Proposed – FY 2023 NDAA – 9-22-22

While the Senate has not yet started the consideration process for HR 7900, the FY 2023 National Defense Authorization Act (NDAA), amendments continue to be proposed in the Senate for that bill. Yesterday 75 amendments were proposed. Three of those amendments may be of interest here:

SA 5615. Mrs. BLACKBURN - At the appropriate place, insert the following: SEC. xxx. Study On National Laboratory Consortium for Cyber Resilience. (Pg S4998-9)

SA 5620. Mr. MENENDEZ - At the end of the bill, add the following: DIVISION E—Department of State Authorizations (Pg S4999) which includes:

TITLE LV—Information Security and Cyber Diplomacy (Pg S5011)

SA 5634. Mr. CARDIN - At the appropriate place, insert the following: SEC. xx. Chemical Security Analysis Center (Pg S5027)


Bills Introduced – 9-22-22

Yesterday, with the House and Senate preparing to leave for the weekend, there were 84 bills introduced. Four of those bills may receive additional coverage in this blog:

HR 8949 To amend the Homeland Security Act of 2002 to extend counter-unmanned aircraft systems authorities, to improve transparency, safety, and accountability related to such authorities, and for other purposes. Nadler, Jerrold [Rep.-D-NY-10]

HR 8956 To amend chapter 36 of title 44, United States Code, to improve the cybersecurity of the Federal Government, and for other purposes. Connolly, Gerald E. [Rep.-D-VA-11]

HR 8970 To provide funding to strengthen cybersecurity defenses and capabilities by expanding community colleges programs leading to the award of cybersecurity credentials that are in demand in government, critical infrastructure, nonprofit, and private sectors, and for other purposes. McClain, Lisa C. [Rep.-R-MI-10]

S 4919 A bill to require an interagency strategy for creating a unified posture on counter-unmanned aircraft systems (C-UAS) capabilities and protections at international borders of the United States. Lankford, James [Sen.-R-OK]

I will be covering both of the counter UAS bills.

I will be watching the two cybersecurity bills for language and definitions that would include industrial control systems within the scope of their coverage.


Thursday, September 22, 2022

Short Takes – 9-22-22

Set a calendar alert: NASA to broadcast first asteroid redirect on Monday. ArsTechnica.com article. Engineering at its most interesting – smack something and see what happens. Pull quote: “The primary one [effect] is expected to be slowing Dimorphos' orbit down by roughly 1 percent. As Chabot explained, this will have the consequence of making it more tightly bound, gravitationally, to Didymos. There's undoubtedly going to be material ejected during the collision, but that's not expected to be the main feature. "This really is about asteroid deflection, not disruption," Chabot said. "This isn't going to blow up the asteroid, it isn't going to put it into lots of pieces."”

Hackers Paralyze 911 Operations in Suffolk County, NY. DarkReading.com article. Pull quote: “Emergency lines aren't the only systems that have been impacted in Suffolk County. Police don't have access to their car computers, and even the system for title reporting is shut down, meaning no one can close real estate deals in the area.” Great system segmentation here (sigh); 911 and police car computers I can almost understand (they directly communicate with each other), but title registration???

A House hearing saw expert testimony emphasizing the need for steady funding to cybersecurity programs in water utility providers––especially in rural regions. NextGov.com article. Pull quote: “He added that underfunded federal mandates put a disproportionate amount of strain on utility companies to handle cybersecurity infrastructure without adequate support––resulting in higher utility costs.” This is the same complaint that EPA faced when, after 9/11, it tried to ensure physical security at water treatment facilities.

Train Crew Size Safety Requirements – Extension of comment period. Federal Register notice. Extends the comment deadline for the notice of proposed rulemaking to December 2, 2022. A public meeting is planned before that deadline.

Homeland Security Advisory Council Meeting – 10-6-22. Federal Register notice. Pull quote: “The Council will meet in an open session between 1:30 p.m. to 1:45 p.m. ET. During the open session, the Council will receive a progress report from the Customer Experience and Service Delivery subcommittee.”

Hazardous Materials: Adjusting Registration and Fee Assessment Program ANPRM. Federal Register notice. Request for information for rulemaking. Pull quote: “PHMSA is publishing this ANPRM to solicit feedback on potential adjustments to the statutorily mandated hazardous materials registration and fee assessment program. Actions such as the potential adjustment of fees or the addition of other entities among those required to register may be necessary to fund PHMSA's national emergency preparedness grant programs at the newly authorized level in accordance with the Infrastructure Investment and Jobs Act of 2021.”

Have you been taking pills wrong? Here’s what science says. WashingtonPost.com article. The things scientists model… Pull quote: “The bottom line: leaning to your right side after swallowing a pill could speed absorption by about 13 minutes, compared to staying upright. Leaning to the left would be a mistake — it could slow absorption by more than an hour.”


Review - CISA-NSA Publish OT Security Alert – 9-22-22

Today CISA and the NSA jointly released a Cybersecurity Advisory on Control System Defense. The document [labeled Alert (AA22-265A)] provides an overview (with footnotes) of how adversaries plan and carry out cyberattacks on industrial control systems and then outlines steps that owner/operators can take to prevent, or at least mitigate, such attacks.

Commentary

There is a great deal of valuable information in this document, but it is mostly derivative, as the 16 footnotes adequately document. Given the scope of the topics being covered, the 12-page document is only able to hit the high points of the discussion. This is fine if an organization has an in-house process control engineering team; that team will be able to digest the provided information and apply it to their unique control system needs.

This document will be less helpful to smaller organizations that have had to rely on contract integrators for the installation and maintenance of their control systems. Unless those earlier contracts included cybersecurity support, many of these smaller system owners are going to find it difficult to find the necessary support to add the discussed mitigation measures to existing systems. And the add-ons are likely to be expensive if qualified personnel can be found.

What is seriously missing from this document is any discussion of what to do when an attack occurs. Smaller organizations may have an advantage if they can continue limited operations in manual mode. This would allow them to continue operating while they work through the process of restoring systems from backups. Interestingly, backup and restoration is another topic that is strangely missing from the discussion in the CISA/NSA alert, even though it is a primary response tool for ransomware attacks, arguably the most common cyberattack seen by most organizations.

For a more detailed look at the CISA-NSA alert, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cisa-nsa-publish-ot-security-alert - subscription required.


Review - 1 Advisory and 2 Updates Published – 9-22-22

Today, CISA’s NCCIC-ICS published a control system security advisory for products from Measuresoft. They also updated two Mitsubishi advisories.

Measuresoft Advisory - This advisory describes an improper access control vulnerability in the Measuresoft ScadaPro Server.

Mitsubishi Update #1 - This update provides additional details on an advisory that was originally published on July 30th, 2020 and most recently updated on July 28th, 2022.

Mitsubishi Update #2 - This update provides additional details on an advisory that was originally published on September 1st, 2020 and most recently updated on May 31st, 2022.

 

For more details about these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-and-2-updates-published-284 - subscription required.


CG Publishes Liquid Chemical Categorization NPRM

Today, the Coast Guard published a notice of proposed rulemaking (NPRM) in the Federal Register (87 FR 57984-58018) for “2022 Liquid Chemical Categorization Updates”. The rulemaking would align the Liquid Chemical Categorization tables in 46 CFR Part 30 and Part 150 with the 2020 Edition of the International Code for the Construction and Equipment of Ships Carrying Dangerous Chemicals in Bulk and the International Maritime Organization's Marine Environment Protection Committee's Circular 25.

The Coast Guard is soliciting public comments on this NPRM. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # USCG-2022-0327). Comments should be submitted by December 21st, 2022.


Bills Introduced – 9-21-22

Yesterday, with both the House and Senate in Washington, there were 46 bills introduced. Two of those bills will receive additional coverage in this blog:

S 4908 A bill to improve the visibility, accountability, and oversight of agency software asset management practices, and for other purposes. Peters, Gary C. [Sen.-D-MI]

S 4913 A bill to establish the duties of the Director of the Cybersecurity and Infrastructure Security Agency regarding open source software security, and for other purposes. Peters, Gary C. [Sen.-D-MI] 

I do not expect that either bill will directly address control system security, but they will almost certainly have longer range impacts on software security issues that will ultimately apply to control systems.

Note in Passing

I would like to point out an interesting concept found in the description of S 4914 that was also introduced yesterday. Here is how the purpose of the bill was officially described: “A bill to direct the Secretary of State to designate certain Mexican drug cartels as foreign terrorist organizations, and to submit a report to Congress justifying such designations in accordance with section 219 of the Immigration and Nationality Act.”

Now I have no problems with labeling Mexican drug cartels as ‘terrorist organizations’. The definition does not really fit, but the potential sanctions would probably be helpful. The interesting thing here is that Congress would be directing the State Department to do something and then require the Department to justify taking that mandated action. The most obvious response would be to report: “You told us to do this, so we had to do it. We could not have done it if you had not required us to do it.”


Wednesday, September 21, 2022

Short Takes – 9-21-22

GOP faces internal rift on government spending. TheHill.com article. And the GOP radicals don’t even trust the rest of their conference. Pull quote: “In an attempt to prevent House Republican leadership from relying on Democrats to broker spending deals in the future, the Freedom Caucus has called for House GOP rules to require any legislation that passes in a GOP-controlled House to have support from a majority of the Republican conference.”

Business groups take aim at chronic rail disruptions after strike threat. TheHill.com article. Pull quote: ““Service failures are contributing to higher prices and supply chain disruptions for food, fuel, and countless other products,” the Rail Customer Coalition wrote in a recent letter to lawmakers. “The proposal [HR 8649] contains many common-sense provisions that would improve service and create a more balanced system for railroads and their customers.””

How Dangerous Is Too Dangerous? A Perspective on Azide Chemistry. Pubs.ACS.org JOC editorial. Interesting look at chemical safety at the lab scale. Pull quote: “A recent article in this journal [Journal of Organic Chemistry] authored by Gazvoda et al. describes a procedure for preparing triazoles from alkynes using stoichiometric sodium azide, stoichiometric acid, and catalytic copper, followed by a workup that may include dichloromethane. As industrial chemists with decades of experience safely scaling up azide chemistry, we feel compelled to share with the research community our three major safety concerns with this procedure.”


STB Publishes RETAC Meeting Notice – 10-26-22

Today, the Surface Transportation Board published a meeting notice in the Federal Register (87 FR 57747-57748) for a meeting of the Rail Energy Transportation Advisory Committee on October 26th, 2022 in Washington, DC.

The preliminary agenda includes a rail performance measures review, industry segment updates by RETAC members, and a roundtable discussion.

 

S 4900 Introduced and Passed in Senate – SBIR Extension

Yesterday, Sen Cardin (D,MD) introduced S 4900, the SBIR and STTR Extension Act of 2022. The bill would extend the current Small Business Innovation Research Program (SBIR) and Small Business Technology Transfer Program (STTR) through 2025. A number of changes were made to the programs to prohibit the programs’ awarding funds to companies receiving significant support from the Chinese government. There is one minor cybersecurity provision in the bill. The bill was passed in the Senate without debate under the unanimous consent process.

Cybersecurity in Passing

There is one cybersecurity mention in the bill. In the new subsection (vv) being added to 15 USC 638 the bill adds a requirement for the Small Business Administration to conduct a “due diligence program to assess security risks presented by small business concerns seeking a federally funded award.” That assessment is to include “using a risk-based approach as appropriate, the cybersecurity practices [emphasis added], patent analysis, employee analysis, and foreign ownership of a small business concern seeking an award, including the financial ties and obligations (which shall include surety, equity, and debt obligations) of the small business concern and employees of the small business concern to a foreign country, foreign person, or foreign entity”.

Moving Forward

With the bill passing in the Senate essentially unread by most members, it is perhaps premature to expect the same level of support in the House, where the bill will next be considered. I do not see, however, anything in the bill that would engender any organized opposition. The bill will most likely be considered under the House suspension of the rules process, where there would be limited debate and no floor amendments, and passage would require a super-majority vote. I suspect that there will be significant bipartisan support for the bill.


Bills Introduced – 9-20-22

Yesterday, with both the House and Senate in Washington, there were 57 bills introduced. Two of those bills may receive additional attention in this blog:

S 4888 A bill to require the President to supplement disaster response plans to account for catastrophic incidents disabling 1 or more critical infrastructure sectors or significantly disrupting the critical functions of modern society, and for other purposes. Cornyn, John [Sen.-R-TX] 

S 4900 A bill to reauthorize the SBIR and STTR programs and pilot programs, and for other purposes. Cardin, Benjamin L. [Sen.-D-MD] 

S 4888 will almost certainly be covered.

I will be watching S 4900 for language and definitions that will specifically include continued cybersecurity support for small businesses in the scope of the bill.

A similarly described bill, S 4852, ended up being a straightforward change in the authorization status of the SBIR and STTR programs without any specific discussion about cybersecurity coverage. That bill will not receive additional coverage here.


Tuesday, September 20, 2022

Short Takes – 9-20-22

Critical flaws in airplanes WiFi access point let attackers gain root access. GBHackers.com article. Pull quote: “An adversary can exploit these vulnerabilities to compromise all types of inflight entertainment systems, and also other aspects of the system.” No direct access to flight controls but may provide network access depending on configuration.

Physics Body Concedes Mistakes in Study of Missile Defense. NYTimes.com article. Pull quote: “But the two scientists found that the study group had used the wrong interceptor speed — less than 2.5 miles per second instead of the faster pace of more than 3.1 miles per second. That error might seem small, but the military upshot was not. For an interceptor flight of 195 seconds, the baseline, the correct number was seen as moving the drones more than 100 miles farther out to sea.”

Facemask can detect viral exposure from a 10-minute conversation with an infected person. NewsWise.com article. Pull quote: “Once the aptamers bind to the target proteins in the air, the ion-gated transistor connected will amplify the signal and alert the wearers via their phones. An ion-gated transistor is a novel type of device that is highly sensitive, and thus the mask can detect even trace levels of pathogens in the air within 10 minutes.” More useful for a near instant testing device?

Kazakhstan Is Breaking Out of Russia’s Grip. ForeignPolicy.com article. Pull quote: “The deeper Moscow digs itself into a confrontation with the West and the international community, the more prepared Kazakhstan is to ditch Russia where possible while trying to avoid incurring losses as a result of Moscow’s displeasure.” An interesting byproduct of Putin’s failure in Ukraine.

GhostSec Strikes Again in Israel Alleging Water Safety Breach. Otorio.com article. Swimming pool control system. Pull quote: “Once again, this incident is a rather sad example of a business maintaining a poor password policy where the default credentials simply weren’t changed. Yet even with the hotel’s failure to change the default password, the system was also exposed to the internet, making it an extremely easy target for cyber attacks.” Looks like they could have controlled chlorine levels, no telling if there were safety controls in place to prevent lethal levels in atmosphere around pool.

Officials say DHS rejected plan to shield election officials from harassment. TheHill.com article. Pull quote: “Citing multiple people familiar with the matter, the outlet reported the proposal would track foreign influence activity and increase resources for reporting misinformation and disinformation surrounding the midterm elections, but officials raised concerns about the initiative being seen as partisan.” Avoiding the appearance of partisanship may end up being partisan in reverse.

Lawmakers Are Setting a Tight Schedule to Avoid a Government Shutdown. GovExec.com article. All sorts of issues holding up agreement. Just one, pull quote: “Lawmakers are seeking to strike a delicate balance, with many hurdles that could complicate a spending bill vote. Dozens of House Republicans are planning to vote against any CR that expires during the lame-duck session of Congress, arguing Republicans should insist on a measure that lasts into January. That would allow lawmakers to take up a full-year fiscal 2023 appropriations package when Republicans may control one or both chambers of Congress. Former President Trump issued a statement over the weekend imploring his party to take that approach.”

Not-So-Safe Automated Driving: Safety Risks During Drivers’ Takeover. HomelandSecurityNewsWire.com article. Problems with human backup of automated driving systems. Pull quote: “Against the backdrop of the current findings, the promise of increased safety that is often made in connection with automated driving remains extremely questionable. The next study on automated driving is already being planned, and will examine the factor of trust in technology.”


OSHA Postpones PSM Stakeholder Meeting

Today, DOL’s Occupational Safety and Health Administration (OSHA) published a notice in the Federal Register (87 FR 57520-57522) announcing that it was postponing the PSM stakeholder’s meeting that was scheduled for September 28th, 2022. The new date announced today is October 12th, 2022. The deadline for submitting written comments is also being extended until November 14th, 2022.

No comments have been posted to the www.Regulations.gov website (docket # OSHA-2013-0020) for the current request for comments.


Reader Comment – CSB Hiring Problems

Earlier today, Rosearray published a comment to yesterday’s “Short Takes” post. As is usual with Richard’s comments, he provides some interesting observations about problems at the Chemical Safety Board. This time he is providing some background information about the problems the CSB has experienced with hiring chemical accident investigators. Richard’s comments should be read closely by anyone who is concerned about the problems at the CSB.

In a larger sense, however, Richard is describing problems in the hiring process throughout the Federal government. Anyone who has tried to apply for a job on USAJOBS.gov should be able to recognize, from the applicant’s point of view, the problems that Richard is describing. In trying to rationalize the application process, the government (and most large companies in my experience) tries to strictly describe the duties and responsibilities of the jobs being offered and the qualifications necessary to fulfill those duties. Unfortunately, few jobs can be categorized that closely without excluding a large universe of qualified individuals.

For jobs like this, the problem is exacerbated by the breadth of knowledge the job requires. A chemical accident investigator, particularly a great investigator, needs a knowledge base wide enough to recognize and understand the subtle nuances of a wide range of accidents in an ever expanding universe of chemical facilities. The people crafting the job description are never going to be able to adequately characterize the experience that would lead to that scope of knowledge.

I am not sure how the CSB is going to overcome this issue (beyond the suggestion of re-hiring investigators who quit in disgust at some of the political games that have plagued the CSB over the years), but identifying the problem is surely the first step in finding a solution.


Review – 5 Advisories and 3 Updates Published – 9-20-22

Today, CISA’s NCCIC-ICS published four control system and one medical device security advisory for products from Host Engineering, Dataprobe, Hitachi Energy (2) and Medtronic. They also published updates for three advisories for products from MiCODUS and AutomationDirect (2).

Host Engineering Advisory - This advisory describes a stack-based buffer overflow vulnerability in the Host Engineering H0-ECOM100 Communications Module.

Dataprobe Advisory - This advisory describes seven vulnerabilities in the Dataprobe iBoot-PDU.

Hitachi Energy Advisory #1 - This advisory discusses a stack-based buffer overflow vulnerability in the Hitachi Energy AFF660/665 Firewall.

NOTE: I briefly discussed this vulnerability on July 30th, 2022.

Hitachi Energy Advisory #2 - This advisory discusses an improper access control vulnerability, with a known exploit, in the Hitachi Energy PROMOD IV and the PROMOD-Generator energy planning systems.

NOTE: I briefly discussed this vulnerability on June 18th, 2022.

Medtronic Advisory - This advisory describes a protection measure failure vulnerability in the Medtronic NGP 600 Series Insulin Pumps and accessory components.

MiCODUS Update - This update provides additional information on an advisory that was originally published on July 19th, 2022.

AutomationDirect Update #1 - This update provides additional information on an advisory that was originally published on June 16th, 2022.

AutomationDirect Update #2 - This update provides additional information on an advisory that was originally published on June 16th, 2022.

 

For more details on the NCCIC-ICS reports, including links to researcher reports, third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-advisories-and-3-updates-published - subscription required.

Bills Introduced – 9-19-22

Yesterday, with both the House and Senate in session, there were 57 bills introduced. One of those bills may see additional coverage in this blog:

S 4882 A bill to amend the Federal Fire Prevention and Control Act of 1974 to authorize appropriations for the United States Fire Administration and firefighter assistance grant programs. Peters, Gary C. [Sen.-D-MI]

I will be watching this bill for language and definitions that specifically address chemical facility and chemical transportation fire safety issues.

Monday, September 19, 2022

Short Takes – 9-19-22

Deal averting railroad strike has potential to fall apart. TheHill.com article. Pre-election strike could cause problems for Democrats with swing voters. Pull quote: ““I would be surprised if the bargaining committee misread what the rank and file would support. That doesn’t mean that it will pass with supermajorities,” Bruno said. “That will signal a level of continuing grievance on the part of the membership. It wouldn’t surprise me if a fairly substantial number of members voted ‘no’ in part because of how genuinely abused they feel.””

China has returned helium-3 from the moon, opening door to future technology. TheHill.com opinion piece. Somewhat simplistic look at US-Chinese moon competition. Pull quote: “Many reasons exist for returning to the moon: science, commerce and the bragging rights that translate into soft political power. However, China’s return of helium-3 suggests that the moon could become the Persian Gulf of the mid to late 21st century. Clean and abundant fusion energy would change the world in ways that can barely be evaluated.”

Better Human-Machine Coordination to Thwart Growing Threats to the U.S. Power Grid. HomelandSecurityNewsWire.com article. Pull quote: “The U.S. grid is far more complicated than it was a few decades ago, something Srivastava attributes to the competitive electricity market created in the late 1990s and to the rise in small-scale power sources like home solar panels and electric vehicle charging stations, both of which have tangled the paths power takes from plant to substation to consumer.”

The Inflation Reduction Act Is the Start of Reclaiming Critical Mineral Chains. HomelandSecurityNewsWire.com article. Pull quote: “China refines 68 percent of the world’s nickel, 40 percent of its copper, 59 percent of its lithium, and 73 percent of its cobalt. More importantly, China holds 78 percent of the world’s manufacturing capacity for EV batteries, the bulk of the world’s production of solar panels, and three-quarters of the world’s lithium-ion battery factories.”

Building a Robust Drone Security Framework for Safer UAS Integration into National Airspace System. HSToday.us article. FAA puff piece. Pull quote: “The FAA continues to work extensively with our security partners to build a robust drone security framework that will enable safe and secure drone integration into the NAS, and the National Action Plan is part of that. Further, mandatory registration, remote identification, critical infrastructure protection, and drone detection and mitigation testing are vital steps forward to ensure the safe and secure integration of these systems into our nation’s airspace.”

Whisky Boom Stresses Remote Scottish Island. WSJ.com article. Pull quote: “While its thriving distilleries mean it has more jobs than many of its island neighbors, locals say young families often leave the island because they can’t afford houses. People from the British mainland can afford to pay more, while tourism—most of it whisky related—has swallowed up much of Islay’s housing stock for use as vacation rentals.” And what happens when the taste for scotch drops off for the next new fad?

Private Drillers Are Hitting Their Limits. WSJ.com article. More problems in the oil patch. Pull quote: “The constraints will likely lead many private producers to level out activity or sell themselves to larger companies that would temper their growth, executives and analysts say. A pullback could crimp overall U.S. oil production. Private producers hold around one-fifth of the Permian’s most valuable acreage, analysts say.”

EPA OIG: CSB Continues to Struggle. LinkedIn.com article. Nice, short review of CSB’s troubled past. Pull quote: “The EPA OIG’s review will serve as additional ammunition for the agency’s critics. It also will most certainly shape the early tenure of CSB Board Member Steve Owens who joined the agency earlier this year. Owens presently serves as the agency’s Interim Executive Authority. President Joseph Biden recently nominated Owens to serve as CSB Chair. If Owens is confirmed by the U.S. Senate, he will be taking the helm of an agency that profoundly struggles to carry out its important statutory mission.”


Committee Hearings – Week of 9-18-22

 

With both the House and Senate in Washington this week, we have a fairly light hearing schedule. This reflects a lot of behind-the-scenes meetings on a continuing resolution and other end-of-session priorities. There will be two hearings of peripheral interest here: federal building security and right-to-repair jurisdiction.

Building Security

On Thursday, the Subcommittee on Oversight, Management, & Accountability of the House Homeland Security Committee will hold a hearing on “Federal Building Security: Examining the Risk Assessment Process”. The witness list includes:

• Richard “Kris” Cline, Federal Protective Service,

• Scott Breor, CISA,

• Catina Latham, GAO

Should be an interesting (if probably abbreviated) look at the physical security risk assessment process.

Right-to-Repair

On Wednesday, the Subcommittee on Legislative and Budget Process of the House Rules Committee will hold an original jurisdiction hearing on “Right to Repair: Legislative and Budgetary Solutions to Unfair Restrictions on Repair”. No witness list is provided at this time.

As I mentioned last week, there are a variety of congressional jurisdictional issues that must be addressed before any legislative work can move forward. This hearing is part of that determination process.

Sunday, September 18, 2022

Short Takes – 9-18-22

Hurricane Fiona Knocks Out Power in Puerto Rico, Governor Says. NYTimes.com article. Pull quote: “In Puerto Rico, rainfall totals could reach 12 to 16 inches, with local maximum totals of 30 inches, particularly across eastern and southern Puerto Rico, forecasters said. The rain threatened to cause not only flash flooding across Puerto Rico and portions of the eastern Dominican Republic but also mudslides and landslides.” And this is only a Category 1 Hurricane at this point.

White House rolls out $1 billion in cyber funding to states. CBSNews.com article. Pull quote: “Friday's official rollout of the "State and Local Cybersecurity Grant Program" marks the biggest state and local investment in cybersecurity to date. The funds – doled out by the Department of Homeland Security (DHS) – are slated for distribution over the next four years, with $185 million up for grabs that was already allocated for 2022.”

Phony document lands on court docket in Trump search case. SeattleTimes.com article. Pull quote: “The incident also suggests that the court clerk was easily tricked into believing it was real, landing the document on the public docket in the Mar-a-Lago search warrant case. It also highlights the vulnerability of the U.S. court system and raises questions about the court’s vetting of documents that purport to be official records.” And this was not a cyberattack, it was a paper document.


Review – Public ICS Disclosures – Week of 9-10-22 – Part 2

For Part 2 we have fifteen vendor updates from HPE, Schneider (12), and Siemens (2). We also have a researcher report of vulnerabilities in products from ETAP. Finally, we have an exploit reported for products from Palo Alto Networks.

HPE Update - HPE published an update for their HPE Integrated Lights-Out 5 advisory that was originally published on July 28th, 2022 and most recently updated on September 6th, 2022.

Schneider Update #1 - Schneider published an update for their Modicon Controllers advisory that was originally published on May 14th, 2019 and most recently updated on December 8th, 2020.

Schneider Update #2 - Schneider published an update for their embedded FTP servers advisory that was originally published on March 22nd, 2018 and most recently updated on September 6th, 2022.

Schneider Update #3 - Schneider published an update for their Urgent/11 advisory that was originally published on August 2nd, 2019 and most recently updated on May 11th, 2021.

Schneider Update #4 - Schneider published an update for their Modicon Web Server advisory that was originally published on November 10th, 2020 and most recently updated on August 10th, 2021.

Schneider Update #5 - Schneider published an update for their Modicon Web Server advisory that was originally published on December 8th, 2020 and most recently updated on May 11th, 2021.

Schneider Update #6 - Schneider published an update for their Modicon Web Server advisory that was originally published on December 8th, 2020.

Schneider Update #7 - Schneider published an update for their SNMP Service advisory that was originally published on December 12th, 2020 and most recently updated on February 9th, 2022.

Schneider Update #8 - Schneider published an update for their INFRA:HALT advisory that was originally published on August 5th, 2021 and most recently updated on February 8th, 2022.

Schneider Update #9 - Schneider published an update for their Modicon Web Server advisory that was originally published on September 14th, 2021.

Schneider Update #10 - Schneider published an update for their BadAlloc advisory that was originally published on November 9th, 2021 and most recently updated on August 9th, 2022.

Schneider Update #11 - Schneider published an update for their Modicon M340 Controller advisory that was originally published on April 12th, 2022.

Schneider Update #12 - Schneider published an update for their Modicon PAC Controller advisory that was originally published on August 9th, 2022.

Siemens Update #1 - Siemens published an update for their GNU/Linux advisory that was originally published in 2018 and most recently updated on August 9th, 2022.

Siemens Update #2 - Siemens published an update for their JT2Go and Teamcenter advisory that was originally published on August 9th, 2022.

ETAP Report - Zero Science Lab published a report that describes a reflected cross-site scripting vulnerability (with a known exploit) in the ETAP Safety Manager.

 

For more information about these disclosures, including a summary of changes made in the updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-9-44d - subscription required.

Saturday, September 17, 2022

Review - CISA Incident Reporting RFI – Public Comments – 9-17-22

This is the first in a series of brief looks at public comments submitted in response to CISA’s request for information in support of the congressionally mandated Cyber Incident Reporting Rule. Since this is just the first week in the process, the limited responses are just from the following individuals:

Mitchell Berger,

Anonymous,

Jasper Wyman, and

Alicia Fernandes

Comments addressed the following areas:

• Report formatting,

• Reporting limitations, and

• Who reports

 

For more information on these comments, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cisa-incident-reporting-rfi-public - subscription required.


Senate Substitute Language for HR 7900 Proposed – FY 2023 NDAA

On Thursday, before the Senate adjourned for the weekend, Sen Reed (D,RI) proposed SA 5499 for HR 7900, the FY 2023 National Defense Authorization Act which passed in the House back in July. The amendment proposes to substitute the language from S 4543 for the language in the House bill. This is the first step in the process of the consideration of HR 7900, which should probably begin this week.


Review – Public ICS Disclosures – Week of 9-10-22 – Part 1

This is the weekend after the 2nd Tuesday disclosures so this will be a two-part report. For Part 1 we have 39 vendor disclosures from Broadcom (25), Dell, Hitachi Energy, Honeywell, HPE (2), Palo Alto Networks (4), Schneider, Red Lion, TI, and VISAM.

Broadcom Advisories - Broadcom published 25 advisories for vulnerabilities in Brocade Fabric OS.

Dell Advisory - Dell published an advisory that describes a regular expression vulnerability in their Wyse ThinOS.

Hitachi Energy Advisory - Hitachi Energy published an advisory that discusses 48 vulnerabilities in their Disk Array products.

Honeywell Advisory - Honeywell published an advisory that announces the end-of-life status of certain OmniProx™ Clamshell Prox Card SKUs.

HPE Advisory #1 - HPE published an advisory that describes four vulnerabilities in their Integrated Lights-Out 5 products.

HPE Advisory #2 - HPE published an advisory that discusses an infinite loop vulnerability in their Integrated Lights-Out 5 (iLO 5), and Integrated Lights-out 4 products.

Palo Alto Networks Advisory #1 - Palo Alto Networks published an advisory that describes a link following vulnerability in their Cortex XDR Agent.

Palo Alto Networks Advisory #2 - Palo Alto Networks published an advisory that discusses a Windows® registry vulnerability in their Cortex XDR Agent.

Palo Alto Networks Advisory #3 - Palo Alto Networks published an advisory that discusses an improper input validation vulnerability in the NVIDIA Dataplane Development Kit.

Palo Alto Networks Advisory #4 - Palo Alto Networks published an advisory that discusses a file access vulnerability in their Cortex XDR Agent.

Schneider Advisory - Schneider published an advisory that describes a deserialization of untrusted data vulnerability in their EcoStruxure Machine SCADA Expert and Pro-face BLUE Open Studio products.

Red Lion Advisory - Red Lion published an advisory that describes a path traversal vulnerability in their Crimson software.

TI Advisory - TI published an advisory that describes a flash memory vulnerability in their SimpleLink MSP432EXX SDK.

VISAM Advisory - Incibe-CERT published an advisory describing a credential disclosure vulnerability in the VISAM VBASE.

 

For more details about these disclosures, including links to third-party vulnerabilities and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-9-8df - subscription required.


Friday, September 16, 2022

Review - FAA Publishes Special Class Airworthiness Criteria for UAS

Yesterday, DOT’s Federal Aviation Administration published a notice in the Federal Register (87 FR 56743-56749) setting forth Special Class Airworthiness Criteria for the MissionGO MGV100 Unmanned Aircraft. While these specific requirements only apply to the listed UAS, they do reflect how the FAA currently views the airworthiness criteria for commercial UAS. The criteria address cybersecurity issues.

Public Comment

The FAA is soliciting public comments on these airworthiness criteria. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; docket #FAA-2022-0353). Comments should be submitted by October 17th, 2022.

Commentary

It looks to me that there are two shortcomings in the cybersecurity requirements in these airworthiness criteria. First, while both the software and cybersecurity sections of the document address issues and concerns with the software (presumably including firmware) in the aircraft, there is no mention of the software in the AE (associated elements, in FAA usage), or as it is more commonly called, the flight controller. Remote access vulnerabilities in the flight controller could have just as serious a set of consequences for flight safety as vulnerabilities in the aircraft.

Second, in keeping with the intent of EO 14028, D&R110 should include a requirement to track vulnerabilities in third-party components of the UAS and associated elements software. I would have said ‘publish and maintain a software bill of materials’, but the FAA is trying to specify outcomes not processes.
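To show what “tracking vulnerabilities in third-party components” looks like in practice once an SBOM exists, here is an added example (not part of the original post, the FAA criteria, or any vendor’s tooling) that correlates a CycloneDX-style SBOM with a list of advisories giving affected version ranges. The SBOM fragment, the component names (mavlink-parser, tls-stack, rtos-kernel), the advisory identifiers (EXAMPLE-2022-0001/0002) and the version ranges are all constructed for the illustration and do not describe any real aircraft or flight controller. The one subtlety worth noticing is that versions must be compared numerically: compared as strings, “1.0.10” sorts before “1.0.9” and a vulnerable component would be missed.

```python
"""Added example: correlate an SBOM with known-vulnerable component versions.

The SBOM, component names, advisory IDs and version ranges below are
constructed for this illustration (hypothetical, not real products).
"""
import json
import re

# Constructed CycloneDX-style SBOM fragment for a hypothetical UAS plus its
# associated elements (the ground station / flight controller software).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"name": "mavlink-parser", "version": "2.3.1",
     "purl": "pkg:generic/mavlink-parser@2.3.1"},
    {"name": "tls-stack", "version": "1.0.8",
     "purl": "pkg:generic/tls-stack@1.0.8"},
    {"name": "rtos-kernel", "version": "4.2.0",
     "purl": "pkg:generic/rtos-kernel@4.2.0"}
  ]
}
"""

# Constructed advisory records (hypothetical IDs). A component is affected when
# introduced <= version < fixed, i.e. "fixed" is the first patched release.
KNOWN_VULNS = [
    {"id": "EXAMPLE-2022-0001", "component": "tls-stack",
     "introduced": "1.0.0", "fixed": "1.0.9"},
    {"id": "EXAMPLE-2022-0002", "component": "mavlink-parser",
     "introduced": "2.0.0", "fixed": "2.3.0"},
]


def parse_version(version):
    """Turn '1.0.10' into (1, 0, 10) so comparisons are numeric per segment.

    String comparison would rank '1.0.10' below '1.0.9' and miss a finding.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(version, introduced, fixed):
    """True when version lies in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def load_components(sbom_text):
    """Return (name, version) pairs for every component in the SBOM."""
    sbom = json.loads(sbom_text)
    return [(c["name"], c["version"]) for c in sbom.get("components", [])]


def match_vulnerabilities(sbom_text, vulns):
    """Return (advisory id, component, version) for each SBOM component whose
    version falls inside an advisory's affected range."""
    findings = []
    for name, version in load_components(sbom_text):
        for adv in vulns:
            if adv["component"] == name and is_affected(
                    version, adv["introduced"], adv["fixed"]):
                findings.append((adv["id"], name, version))
    return findings


if __name__ == "__main__":
    for adv_id, name, version in match_vulnerabilities(SBOM_JSON, KNOWN_VULNS):
        print(f"{adv_id}: {name} {version} is within the affected range")
```

Run stand-alone, the script flags tls-stack 1.0.8 (inside the constructed 1.0.0 to 1.0.9 range) and stays silent on mavlink-parser 2.3.1, which is at or past its constructed fix version. In a real program the advisory list would be refreshed from the vendor’s or a vulnerability database’s feed on a schedule, which is the “tracking” part of the requirement the criteria do not currently spell out.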

For more details about the requirements of the airworthiness criteria, including the cybersecurity provisions, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/faa-publishes-special-class-airworthiness - subscription required.


TSA Publishes Temporary HME Renewal Exemption

Yesterday, the Transportation Security Administration published a notice in the Federal Register (87 FR 56692-56693) concerning “Exemption From Renewal of the Hazardous Materials Endorsement Security Threat Assessment for Certain Individuals”. This is a temporary renewal exemption for HMEs expiring before December 27th, 2022.

According to the notice Summary:

“TSA has determined it is in the public interest to grant the exemption at this time to ensure that the HME renewal process does not exacerbate the current difficulties with the transfer and movement of cargo nationwide and at the ports. TSA may extend this exemption depending on HME enrollment volumes and supply chain challenges.”

TSA notes that enrollments for HMEs have increased from approximately 15,000 per month to 20,000 per month in calendar years 2021 and 2022. “The increased demand for HMEs, as well as other credentialling requiring STAs conducted by TSA, has increased processing times for some individuals with potential disqualifying factors. Some applications require 60 days for TSA to complete the adjudication of potential disqualifying factors and make an eligibility determination.”

TSA explains that: “This exemption permits states to extend the expiration date for an HME for up to 180 days for eligible individuals with an HME that expires between July 1, 2022 and December 27, 2022, even if the individual did not initiate or complete submission of required information for an STA at least 60 days before expiration of the HME.”

Thursday, September 15, 2022

Short Takes – 9-15-22

Long-distance passenger trains and grain shipments to be stopped, as rail strike looms. WashingtonPost.com article. Pull quote: “Still, political pressure is mounting on Democrats to agree to end the standoff. White House aides have in recent days examined the potentially drastic impact on the nation’s drinking water and energy supplies that could come from a shutdown.” This is complicated and Washington does not do complicated well on a deadline.

Tentative Rail Strike Deal Could Avert New England Winter Energy Crisis. Forbes.com opinion piece. Interesting look at energy transportation situation in Northeast.

Manufacturing defect, ineffective cathodic protection led to fatal 2019 pipeline explosion. HazardExOnTheNet.Net article. Pull quote: “The report said Enbridge underestimated the risk posed by hard spots because its processes and procedures were inconsistent with PHMSA guidance and industry knowledge of hard spot threat interaction.” NTSB report link.

McConnell, Rick Scott on collision course over spending deal. TheHill.com article. CR until December or after New Year? Pull quote: “McConnell allies say any omnibus package that passes next year in a Republican-controlled Congress will still have to be negotiated with Democrats — even if Republicans win back the Senate and House — because the legislation must overcome a 60-vote threshold in the Senate.”

Nation warned to brace for a difficult flu season. TheHill.com article. Pull quote: “Amesh Adalja, senior scholar at the Johns Hopkins Center for Health Security at the Bloomberg School of Public Health, said the flu season for the past two years has essentially been “nonexistent” and added that this trend was always bound to end once social distancing became less practiced.”

EU Proposes Strict Cybersecurity Rules for Digital-Product Makers. WSJ.com article. Would include 5-year update support and SBOM requirements. Pull quote: “The draft rules include a list of 38 critical technology products required to obtain cybersecurity assessments from an independent body. Those products, which include software such as password managers and firewalls, and hardware such as microcontrollers, industrial internet-of-things devices and smart meters, were deemed critical in part because of the potential impact if they were hacked, the EU official told reporters last week. Still, the official said, around 90% of companies will likely be able to self-certify.”

Biden Tells Microsoft, Other Government Software Suppliers to Boost Cyber Defenses. Bloomberg.com article. New OMB guidance memo. Pull quote: “But the OMB rules immediately drew criticism from some cybersecurity experts who regard the requirements as too weak. Under the memo, producers of critical software must “self-attest” to federal agencies that they are in compliance with the new development standards.”

NHTSA: Uniform Procedures for State Highway Safety Grant Programs. Federal Register NPRM notice.

OSTP: Request for Information; Draft National Strategy on Microelectronics Research. Federal Register RFI Notice. Draft strategy document
