Friday, September 30, 2022

Short Takes – 9-30-22

Dragos outlines threat perspective of cyber threat activities targeting water and wastewater systems in GCC region. IndustrialCyber.co article. Reads like an intel agency report. Pull quote: “Dragos said that the continued growth in the WWS [water and wastewater systems] sector, reaching around 6 percent annual growth as of 2009, along with desalination plants under construction promoting future growth, will likely attract cyber criminals and other adversaries to increase their activities, especially against small- to medium-size WWS organizations.”

NASA May Let Billionaire Astronaut and SpaceX Lift Hubble Telescope. NYTimes.com article. This is what commercial space industry looks like. Pull quote: “NASA announced on Thursday that it and SpaceX had signed an agreement to conduct a six-month study to see if one of SpaceX’s Crew Dragon capsules could be used to raise the altitude of the Hubble Space Telescope, potentially further extending the lifetime of the 32-year-old instrument.”

Exquisitely thin membranes can slash energy spent refining crude oil into fuel and plastic. NewsWise.com article. Lots of work still to be done but looks like it may be a less hazardous process. Pull quote: “Membrane technology that can separate the molecules in crude oil by their different sizes and classes could be a far more energy efficient process, consuming 90% less energy than distillation columns. Exceptionally thin nanomembranes have proved successful for extracting fresh water from sea water by rejecting the salt while allowing the water to permeate through reverse osmosis (RO) process. The researchers sought to separate hydrocarbons from crude oil by a parallel method.”

Methane Emissions From Oil and Gas Wells Are Much Higher Than Thought, Study Shows. WSJ.com article. Problems with flare operations. Pull quote: “The study showed that about 500,000 metric tons of methane a year were bypassing flares at U.S. facilities. Worldwide, flares at oil and gas wells released eight million tons of methane into the atmosphere in 2021, the International Energy Agency said in a report issued in August.”

House sends stopgap funding bill to avoid government shutdown to Biden’s desk. TheHill.com article. Pull quote: “More than 200 Republicans voted against the bill on Friday as GOP leaders accuse Democrats of not doing more to address border security, supply chains and inflation. Republicans in both chambers have also taken issue with the length of the continuing resolution, with many pushing to put off working out spending levels for the coming fiscal year until January, when the next Congress begins.”


S 4166 Passed in Senate – Technological Hazards

On Wednesday (late reporting due to Congressional Record delay at Congress.gov) the Senate passed S 4166, the Technological Hazards Preparedness and Training Act by unanimous consent. There was no debate and no vote.

The bill would expand the operations of the FEMA Technological Hazards Division, allowing FEMA to provide support to communities that surround CBRN research facilities, nuclear enrichment facilities, or chemical manufacturing facilities.

I expect that we may see action in the House under the suspension of the rules process, but not until after the election as the House will not return to Washington until November 14th.


Thursday, September 29, 2022

Short Takes – 9-29-22

Bird flu virus out of control warn farmers in East of England. BBC.com article. Pull quote: “So even with the very best biosecurity in the world you can't necessarily prevent it. If there's a bit of bird poo on the concrete and you happen to walk it into your building, it's devastating.”

NASA’s DART spacecraft just smashed into an asteroid — on purpose. ScienceNews.org article. Pull quote: “DART’s impact is expected to shove Dimorphos into a closer, shorter orbit around Didymos. Telescopes on Earth can clock the timing of that orbit by watching how the amount of light from the double asteroid system changes as Dimorphos passes in front of and behind Didymos.”

I've been capturing video from this webcam in Fort Myers all day and I've put it into a Timelapse. Check out the storm surge rushing in! TWITTER post.

NATO warns of ‘united and determined response’ amid pipeline damage investigation. TheHill.com article. Attribution problems anyone? Pull quote: ““All currently available information indicates that this is the result of deliberate, reckless, and irresponsible acts of sabotage,” wrote the council, representing the 30 countries affiliated with NATO.”

McConnell cozies up to Sinema ahead of next Congress. TheHill.com article. Pull quote: “Having a good relationship with her will be key to getting bills passed with bipartisan support if Republicans win back the Senate majority on Election Day, GOP lawmakers say.”

Manchin push faces uncertain future after Senate flop. TheHill.com article. One CR obstacle out of the way. Pull quote: “Democrats on Tuesday pulled the package out of the stopgap measure amid opposition from both conservatives and progressives.”

Webb, Hubble Capture Detailed Views of DART Impact. NewsWise.com article. Pull quote: “Observing the impact across a wide array of wavelengths will reveal the distribution of particle sizes in the expanding dust cloud, helping to determine whether it threw off lots of big chunks or mostly fine dust. Combining this information, along with ground-based telescope observations, will help scientists to understand how effectively a kinetic impact can modify an asteroid’s orbit.”

New Infectious Threats Are Coming. The U.S. Probably Won’t Contain Them. NYTimes.com article. Pull quote: “The coronavirus was a sly, unexpected adversary. Monkeypox was a familiar foe, and tests, vaccines and treatments were already at hand. But the response to both threats sputtered and stumbled at every step.”

Guidance for the Clean Hydrogen Production Qualifications. Federal Register notice. Pull quote: “The U.S. Department of Energy (DOE) announces the notice of availability (NOA) and invites public comment on its Clean Hydrogen Production Standard (CHPS) Draft Guidance. The draft guidance contains the initial proposal for the CHPS, as required by the Infrastructure Investment and Jobs Act (IIJA).” Comment deadline October 20th, 2022.

On the Money — Congress one vote away from averting a shutdown. TheHill.com article. The problems have been worked out. Pull quote: “Senators voted 72-25 to advance the bill, sending the must-pass legislation to the House, where it is expected to pass swiftly before heading to President Biden’s desk for signature.”

The Nord Stream blasts are Putin’s warning shot to the West. Spectator.co.uk opinion piece. Pull quote: “With the expected annexations of the occupied regions, he [Putin] has less room to manoeuvre than before, as he hardly wants to go down in history as the tsar who surrendered 'Russian lands.' The Nord Stream blasts are a shot across our bows, and he must be hoping – almost certainly in vain – that it makes us change course.”

S 4900 Passed in House – SBIR Reauthorization

Today, the House passed S 4900, the SBIR and STTR Extension Act of 2022 by a strongly bipartisan vote of 415 to 9. The bill was debated yesterday under the House suspension of the rules process. The debate (pgs H8132-6) lasted an unusual 32 minutes (20 minutes allotted), but not a single voice was raised in opposition to the reauthorization of the Small Business Innovation Research Program (SBIR) and Small Business Technology Transfer Program (STTR).

The bill reauthorizes the two Small Business Administration programs through 2025. A number of changes were made to the programs to prohibit the programs’ awarding funds to companies receiving significant support from the Chinese government. There is one minor cybersecurity provision in the bill. The bill was passed in the Senate without debate under the unanimous consent process.

The bill now goes to the President for signature. It will probably be signed this weekend.

Review – 2 Advisories and 4 Updates Published – 9-29-22

Today CISA’s NCCIC-ICS published two control system security advisories for products from Hitachi Energy. They also updated four advisories for products from Baxter, ARC, and Delta Electronics (2).

Hitachi Energy Advisory # 1 - This advisory describes five vulnerabilities in the Hitachi Energy MicroSCADA Pro/X SYS600. The vulnerabilities are self-reported.

NOTE: I briefly discussed these vulnerabilities on September 10th, 2022.

Hitachi Energy Advisory #2 - This advisory describes a reliance on uncontrolled component vulnerability in the MicroSCADA Pro/X SYS600.

NOTE: I briefly discussed these vulnerabilities on September 10th, 2022.

Baxter Update - This update provides additional information on an advisory that was originally published on September 8th, 2022.

ARC Update - This update provides additional information on an advisory that was originally published on August 23, 2022.

NOTE: I briefly discussed these changes in the PcVue update.

Delta Update #1 - This update provides additional information on an advisory that was originally published on September 1st, 2022.

Delta Update #2 - This update provides additional information on an advisory that was originally published on July 1st, 2021 and most recently updated on July 27th, 2021 (not 2022).

 

For more details about these advisories, including links to third-party advisories and a brief description of changes made in the updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-and-4-updates-published-0a1 - subscription required.


Review - Treasury Publishes RFI for Cyber Incident Financial Risk Assessment

Today, the Treasury Department published a request for comment in the Federal Register (87 FR 59161-59163) concerning “Potential Federal Insurance Response to Catastrophic Cyber Incidents”. This action is being taken in response to a GAO recommendation “to produce a joint [with CISA] assessment for Congress on the extent to which the risks to the nation's critical infrastructure from catastrophic cyberattacks, and the potential financial exposures resulting from these risks, warrant a federal insurance response.”

The request for comments is looking for responses to questions in the following areas:

Catastrophic cyber incidents,

Potential federal insurance response for catastrophic cyber incidents, and

Other information.

Public Comments

The Treasury is soliciting public comments on these topics. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov). Unfortunately, today’s notice does not include a docket number for this request and the Portal does not currently list this information request; based upon past experience, it should show up there tomorrow. Alternatively, comments may be snail mailed to:

Federal Insurance Office

Attn: Richard Ifft, Room 1410 MT

Department of the Treasury

1500 Pennsylvania Avenue NW

Washington, DC 20220

Comments should be submitted by November 14th, 2022.

 

For more details about the information that the Treasury is looking for, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/treasury-publishes-rfi-for-cyber - subscription required.

CSB Publishes Sunoco Oil Terminal Investigation Report

Yesterday, the Chemical Safety Board published their report on the investigation of the 2016 flash fire and explosion at the Sunoco Nederland, Texas crude oil terminal. This was a ‘hot work’ incident where maintenance activities (welding) took place on a pipe that contained flammable liquids (crude oil). While there was an isolation device between the welding activity and the crude oil still in the pipe, the pipe volume where the crude oil was contained was not inerted (nitrogen purged, for example).

Commentary

Interesting discussion about hot work practices, but the upshot is that the contractor did not follow well established hot work safety practices. Interesting point here: the post-accident OSHA inspection (see section 1.8 on pages 25-6) found the same issue and fined the company appropriately. While I have previously noted that post-accident investigations by OSHA (and EPA, not applicable in this case) almost always find violations of safety regulations, they are seldom related specifically to the accident; that was certainly not the case in this incident.

On page 7 of the report, CSB notes that they conducted a “limited scope investigation”. What that means here is that there is no determination in this report what caused the ignition of the flammable gases behind the isolation device. While the isolation device ultimately failed, it should have certainly been adequate to prevent sparks and flame from coming in contact with the isolated crude oil.

It appears to me (with the standard caveat that I was not there, and only know what is contained in the CSB report) that what probably happened is that the isolation device failed because of increased pressure in the isolated section of pipe due to conduction heating of the crude oil from the welding, not ignition of the material as described in the CSB report. If the pressure in the sealed pipe was sufficiently higher than the 25 psi used to seal the pipe (see the discussion about the CARBER isolation device on page 17) to cause that seal to fail, then the flammable gas would have blown the device through the welding area, providing an ignition source for the flash fire that resulted. This would have required some sort of failure of the pressure relief system CSB briefly described in the diagram on page 24.

I would have expected that a full investigation by the CSB would have determined how much pipeline pressure would have been required to cause the isolation device to move out of the pipe and then determine if the welding related heating of the pipe could have caused that pressure rise in the isolated section of pipe given the amount of crude oil present. That information would have been helpful because it would have also meant that inerting the atmosphere as required by OSHA regulations would not have prevented the incident. But the CSB only did a ‘limited scope inspection’ that uncovered nothing more than was discovered more quickly by OSHA. I am severely disappointed in this report.


Bills Introduced – 9-28-22

Yesterday, with both the House and Senate in session, there were 82 bills introduced (the homestretch of campaign season is starting). Of those bills there is one that may receive additional coverage in this blog:

HR 9022 To support research, development, demonstration, and other activities to develop innovative vehicle technologies, and for other purposes. Stevens, Haley M. [Rep.-D-MI-11]

I will be watching this bill for definitions and language that includes cybersecurity requirements within the legislation’s scope.

Mentions in Passing

There are four bills that I will mention in passing. I noticed references to all four in the national news yesterday. Following the link on the bill number would allow you to set up tracking of the bill’s progress at Congress.gov if you were so interested.

HR 8891 To direct the Administrator of the Environmental Protection Agency to conduct a measurement-based national methane research pilot study to quantify methane emissions from certain oil and gas infrastructure, and for other purposes. Johnson, Eddie Bernice [Rep.-D-TX-30]

HR 8892 To require a Federal methane super-emitter detection strategy, and for other purposes. Beyer, Donald S., Jr. [Rep.-D-VA-8]

HR 8893 To provide for methane emission detection and mitigation, and for other purposes. Casten, Sean [Rep.-D-IL-6]

S 4985 A bill to amend the Cybersecurity Information Sharing Act of 2015 to include voluntary information sharing of cyber threat indicators among cryptocurrency companies, and for other purposes. Blackburn, Marsha [Sen.-R-TN]


Wednesday, September 28, 2022

Short Takes – 9-28-22

Finding statistics about APT’s? It’s complicated. Scadamag.Infracritical.com opinion piece. A look at APT threats vs ICS. Pull quote: “In the past 12 years it has been the state APT or state supported threat actor that has attempted with various levels of success to take away the view and control of critical physical processes from the operators of critical infrastructure. These efforts have succeeded in causing unauthorized changes to IACS/ICS that have threatened or have caused physical damage to people, equipment and the environment.”

Executive Order on Advancing Biotechnology and Biomanufacturing Innovation for a Sustainable, Safe, and Secure American Bioeconomy. WhiteHouse.gov post. A number of cybersecurity mentions. Pull quote: “It is the policy of my Administration to coordinate a whole-of-government approach to advance biotechnology and biomanufacturing towards innovative solutions in health, climate change, energy, food security, agriculture, supply chain resilience, and national and economic security. Central to this policy and its outcomes are principles of equity, ethics, safety, and security that enable access to technologies, processes, and products in a manner that benefits all Americans and the global community and that maintains United States technological leadership and economic competitiveness.”

CSB Releases Final Investigation Report on 2016 Sunoco Oil Terminal Fire and Explosion in Texas. CSB.gov news release. Link to investigation report. News release pull quote: “Both Sunoco and L-Con developed plans and procedures to provide employees with guidance on how to safely conduct hot work operations, but the CSB found that guidance was inadequate to prevent the fire and explosion. Specifically, the investigation found that the pipe involved in the incident contained residual flammable crude oil which was not adequately cleaned or inerted prior to commencing hot work.”

British police fear weapons from Ukraine war could reach the UK and terrorists. Independent.co.uk article. No actionable information. Pull quote: “Speaking at the International Security Expo in London on Tuesday, he added: “Whatever the outcome of this awful conflict, it is clear that over the medium term there will be huge amounts of weapons and ammunition in the region, which will take some time to stabilise and normalise [British spelling] when the phase of outright war ends.””


HR 7900 Amendments Proposed – FY 2023 NDAA – 9-27-22

Yesterday, with the Senate still not officially considering HR 7900, the FY 2023 National Defense Authorization Act, there were 98 amendments proposed to the substitute language (SA 5499) for that bill. Three of those amendments may be of interest here:

SA 5663. Mr. KENNEDY - At the appropriate place, insert the following: SEC. xxx. Foreign State Computer Intrusions.

SA 5713. Mr. ROUNDS - At the appropriate place in title XVI, insert the following: SEC. 16xx. Additional Amount for Cyber Partnership Activities.

SA 5733. Mr. - At the appropriate place in subtitle G of title X, insert the following: SEC. 10xx. Institute a 5-Year Term for the Director of Cybersecurity and Infrastructure Security.


S 4673 Passed in Senate – NCFI Reauthorization

Yesterday, the Senate discharged the Senate Judiciary Committee from the responsibility of considering S 4673, the National Computer Forensics Institute Reauthorization Act of 2022, and passed the bill under the Senate’s unanimous consent process. There was no debate and no formal vote. The House passed an entirely different version of the reauthorization, HR 7174, back in June.

It will be interesting to see if the House takes up S 4673 and if they then amend the bill by substituting the language from HR 7174. With the Senate ignoring HR 7174 and taking up a bill that was introduced two months after HR 7174 was passed, I do not expect that the Senate would agree to a version of the bill amended in that manner. Insisting on the Senate version of the language would require a conference committee.

Since the major difference between the two bills is the expansion of the definition of information systems to include industrial control systems, I suspect that it is that expansion of coverage that the Senate leadership objects to. If that is the case, working out a compromise might be a problem.


Committee Hearings Week of 9-25-22

This week, with both the House and Senate in session (and the FY spending deadline approaching quickly), there is a relatively light hearing schedule, particularly on the House side of the Hill. We do have a markup hearing of interest, and a hearing on UAS integration.

Homeland Security Markup

The Senate Homeland Security and Governmental Affairs Committee will be holding a business meeting today. It will include nine nomination votes, 22 pieces of legislation and four facility naming bills. Of particular interest here:

S ___, Strengthening Agency Management and Oversight of Software Assets Act of 2022,

S 4913, Securing Open Source Software Act of 2022,

S 4882, Fire Grants and Safety Act,

S ___, Protecting the Border from Unmanned Aircraft Systems Act,

HR 7777, Industrial Control Systems Cybersecurity Training Act,

HR 6824, President’s Cup Cybersecurity Competition Act, and

HR 6873, Bombing Prevention Act of 2022

UAS Integration

The Subcommittee on Aviation Safety, Operations and Innovation of the Senate Commerce, Science, and Transportation Committee will be holding a hearing on “FAA Reauthorization: Integrating New Entrants into the National Airspace System”. The witness list includes:

• Lisa Ellman, Commercial Drone Alliance,

• Gregory Davis, Eviation,

• Stephen P. “Lux” Luxion, FAA Center of Excellence for Unmanned Aircraft Systems (ASSURE),

• Stéphane Fymat, Honeywell Aerospace, and

• Edward M. Bolen, National Business Aviation Association

Counter drone operations may come up in the discussion.

On the Floor

The 900-lb gorilla this week is the spending bill, or rather a continuing resolution that ‘must’ pass by midnight on Friday. A weekend final vote is not impossible.

The House is scheduled to take up 32 bills in this short week under the suspension of the rules process. With the spending bill pending, we can expect Republican bomb throwers to demand votes on many if not most of these bills, just to gum up the process. Bills of potential interest here include:

• S 4900 – SBIR and STTR Extension Act of 2022,

• HR 8956 – FedRAMP,


Review - S 4913 Introduced – CISA and Open-Source Software

Last week, Sen Peters (D,MI) introduced S 4913, the Securing Open Source Software Act of 2022. The bill establishes several areas of responsibility for CISA regarding open source software security. No funding is authorized in the bill. The Senate Homeland Security and Governmental Affairs Committee is scheduled to take up the bill today.

Moving Forward

Peters is the Chair of the Senate Homeland Security and Governmental Affairs Committee to which this bill was assigned for consideration. This explains why that Committee is taking up the bill tomorrow in a markup hearing. The bill is one of 24 that will be considered in that hearing, so little discussion is expected. Amendments may be considered, with most having been worked out in advance so that the Committee will be able to adopt most of the amendments proposed.

I do not see anything in this bill that should engender any organized opposition. I suspect that there will be bipartisan support for the bill since it provides the appearance of doing something about open-source software security. The big problem is that there is little time to move this bill beyond the Committee markup, unless the bill can be successfully considered under the unanimous consent process or added to one of the must pass bills that have yet to be taken up.

Commentary

The unique problem with open-source software is not that it is ‘poorly written’ (the multiple vulnerabilities from poor coding practices are found in software from ‘closed sources’ as well as open-sourced software). No, the problem with many of the smaller libraries that are the source of so many vulnerabilities is that there is little support for correcting the problems when they are identified.

What might be more helpful is if CISA were given the authority to fund internships with open-source creators of selected critical open-source components that have minimal support available. Identifying the critical components will become easier as SBOM requirements become more common, but identifying the authors that would be willing to accept government sponsored interns might be a challenge. Oversight of such internships would also be a challenge. But this could provide immediate support for challenged authors, as well as broadening the scope of those familiar with the details of the critical software.

For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-4913-introduced - subscription required.


Bills Introduced – 9-27-22

Yesterday, with just the Senate in session (House starts today), there were 25 bills introduced. Three of those bills may receive additional coverage in this blog:

S 4959 A bill to amend section 11101 of title 49, United States Code, to ensure that rail carriers provide transportation or service in a manner that fulfills the shipper's reasonable service requirements. Baldwin, Tammy [Sen.-D-WI]

S 4963 A bill to require the Secretary of Homeland Security to implement a strategy to combat the efforts of transnational criminal organizations to recruit individuals in the United States via social media platforms and other online services and assess their use of such platforms and services for illicit activities, and for other purposes. Sinema, Kyrsten [Sen.-D-AZ]

S 4968 A bill to create an Active Shooter Alert Communications Network, and for other purposes. Padilla, Alex [Sen.-D-CA]

I will be covering S 4959 as it would almost certainly have a bearing on chemical transportation safety and security.

I will be watching S 4963 for language and definitions that would specifically apply to transnational cyber criminals in the scope of the coverage. A relatively thin possibility to be sure.

I will be watching S 4968 for language and definitions that would specifically recognize the special characteristics and safety concerns of active shooter incidents at chemical facilities. I really do not expect to find any, but I will check to be sure.

In Passing Comment

One other bill caught my attention that I thought that I would mention here (and then disregard for any future consideration):

S Res 798 A resolution expressing support for the designation of the week of September 19 through September 25, 2022, as "Rail Safety Week" in the United States and supporting the goals and ideals of Rail Safety Week to reduce rail-related accidents, fatalities, and injuries.

These very common resolutions supporting various ‘Weeks’ and ‘Months’ almost always strike me as the most common political gaming types of legislation that can be found. Congressional ‘support’ for these celebrations is seldom more than allowing an organization to claim ‘congressional support’ for its activities. And here, the attempt to offer the support after the ‘week’ is over shows how futile that support really is. But congresscritters continue to attempt to collect the political capital associated with providing this support.

Notice that I did not name the congresscritter associated with this particular resolution. I am not railing against a particular politician, just the fairly common political practice of trying to please constituents or interest groups on the cheap while not even caring enough to get it done in a timely manner.

Tuesday, September 27, 2022

Short Takes – 9-27-22

Insider Threats: Your employees are being used against you. TalosIntelligence.com article. Discussion of how employees get compromised. Pull quote: “Over the past six months to a year, we have seen an increasing amount of incident response engagements involving malicious insiders and unwitting assets being compromised via social engineering. As we continue to improve the ways we can detect and stop active exploitation and as macros are slowly removed from the landscape, the options for adversaries are going to dwindle.”

CISA Plans to Measure the Effect of Coming Standards on Industry’s Cybersecurity. NextGov.com article. Pull quote: “But while last July’s national security memo calling for CISA’s performance goals says the initiative is for industry’s voluntary collaboration with government, Langevin’s amendment—along with comments from White House officials—suggest an effort to link the coming performance goals to potential regulatory efforts.”

Germany Suspects Sabotage to Russia’s Nord Stream Gas Pipelines. Bloomberg.com article. No attribution claims. Pull quote: “The pressure drop on Monday at the two lines of Nord Stream and one line of Nord Stream 2 can’t impact gas supplies to Europe as the pipelines are idled amid Moscow’s invasion of Ukraine. However, markets will be watching for any indications of sabotage.”

Senate Democrats release short-term government funding bill. TheHill.com article. Substitute language for HR 6833, the vessel for the Continuing Resolution, contains Manchin’s permitting rule changes. Pull quote: “Senate sources say Manchin will have a tough time getting the dozen or so Republicans he needs to vote for the procedural motion. Two members of the Democratic caucus, Sens. Bernie Sanders (I-Vt.) and Tim Kaine (D-Va.), have said they won’t vote for Manchin’s bill.”

Five things about covid we still don’t understand at our peril. WashingtonPost.com article. Pull quote: “Still, the virus has kept many of its secrets, from how it mutates so rapidly to why it kills some while leaving others largely unscathed — mysteries that if solved might arm the world’s scientists with new strategies to curb its spread and guard against the next pandemic.”


Review – 3 Advisories Published – 9-27-22

Today, CISA’s NCCIC-ICS published three control system security advisories for products from Rockwell Automation and Hitachi Energy.

 

Rockwell Advisory - This advisory describes a heap-based buffer overflow vulnerability in the Rockwell ThinManager ThinServer, a thin client and remote desktop protocol (RDP) server management software.

NOTE: I briefly discussed this vulnerability on Saturday.

Hitachi Advisory #1 - This advisory discusses two vulnerabilities (one with known exploit) in the Hitachi Energy Lumada Asset Performance Management (APM) Edge product.

NOTE: I briefly discussed these vulnerabilities on July 30th, 2022.

Hitachi Advisory #2 - This advisory discusses an improper input validation vulnerability in the Hitachi Energy AFS660/AFS665 industrial switches.

NOTE: I briefly discussed these vulnerabilities on July 30th, 2022.

 

For more details on these advisories, including links to third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-published-9-27-22 - subscription required.


MARAD Sends Tanker Security Program Interim Final Rule to OMB

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received from DOT’s Maritime Administration (MARAD) an interim final rule for “Tanker Security Program”. This rule supports the requirements of §3511 of the FY 2021 NDAA (PL 116-283, 134 STAT 4408). The new 46 USC Chapter 534 set forth in that legislation requires DOT, in coordination with DOD, to establish a ‘Tanker Security Fleet’ somewhat akin to the air reserve fleet that DOD can call upon in the event of a national emergency for airlift support. The TSP would provide for a fleet of tanker vessels that DOD could call upon for emergency fuel transport.


Monday, September 26, 2022

Short Takes – 9-26-22

Ian continues on perilous path toward Florida. WashingtonPost.com article. Headed for eastern Gulf Coast, still unsure where. Pull quote: “The uncertainty in the forecast stems from an approaching trough, or dip in the jet stream, over the northern United States. Ian may or may not hitch a ride. If it does, it would be scooped north and east more quickly and come ashore as a more serious hurricane in the Florida peninsula on Wednesday.”

NASA spacecraft will slam into an asteroid Monday — if all goes right. WashingtonPost.com article. DART mission impact expected Monday evening. Pull quote: ““We’ve got to have such technology,” he said. “It would be prudent upon us to test that all out ahead of time, so we’re not trying to do it for the first time when we really need it to work.””

Shutdown threat grows as lawmakers struggle to reach final deal. TheHill.com article. CR still has contentious components to work through. Pull quotes: “However, Republicans have been less open to funding for the nation’s monkeypox and coronavirus response efforts — a sentiment that appears to have only further cemented in light of Biden’s recent comments declaring the pandemic “over.””

Five things to know about NASA’s mission to hit an asteroid. TheHill.com article. DART mission overview. Pull quote: “DART is estimated to slam into Dimorphos around 7:14 p.m. at more than 14,000 miles per hour. NASA officials will be able to estimate the results of the strike by using ground-based telescopes.”

Medics ‘flying blind’ in fight against superbugs due to patchy diagnostics. Telegraph.co.uk article. Problems with antibiotic-resistant bacteria in Africa. Pull quote: “Clinics and hospitals are also relying on a narrow arsenal of antibiotics. Four drugs make up two-thirds of all the antibiotics used in healthcare, the researchers found.” Remember the monkeypox problems.

The U.S. Is Running Short of Land for Housing. WSJ.com article. Land use restrictions and lack of infrastructure causing problems. Pull quote: “Land-use restrictions and a lack of public investment in roads, rail and other infrastructure have made it harder than ever for developers to find sites near big population centers to build homes. As people keep moving to cities such as Austin, Phoenix and Tampa, they are pushing up the price of dirt and making the housing shortages in these fast-growing areas even worse.”

Thinking Like a Cyberattacker to Protect User Data. HomelandSecurityNewsWire.com article. Misleading title; a look at potential side-channel attacks. Pull quote: “When the researchers used this model to launch side-channel attacks, they were surprised by how quickly the attacks worked. They were able to recover full cryptographic keys from two different victim programs.”

Covid-tracking program lacked bare minimum cyber protections. WashingtonPost.com article. A look at a since-pulled, restricted-distribution IG report. Pull quote: ““Cybersecurity controls for both systems were not implemented before employment because HHS officials prioritized deploying the systems for operational use to achieve the agency’s mission of combating the covid-19 pandemic over meeting all the federal requirements before deployment.”” Raise your hand if you are surprised…. No hands????

NASA strikes asteroid with spacecraft in historic planetary defense mission. TheHill.com article. DART hit the asteroid moon. Pull quote: “The DART team estimated they would have a full assessment on the collision in about two months, including details of how much the spacecraft pushed the asteroid out of its orbit. NASA and APL were hoping to change the orbit of Dimorphos by several minutes.”


CSB Deploys Team to Fatal Refinery Incident in Ohio

The Chemical Safety Board announced today that it is deploying an investigation team to the BP Toledo Refinery in Oregon, OH for a fire and explosion that occurred nearly a week ago on September 20, 2022. Initial news reports (here and here) reported that two brothers were killed in the explosion and fire at the refinery. The CSB announcement adds that there was an associated release of sulfur dioxide and hydrogen sulfide.

The CSB has been having problems completing its open investigations, recently reporting on the planned schedule for completing 16 open investigations. While working through these problems, the CSB has not initiated any new investigations since July 2021, when it started the investigation into the acetic acid release at the LyondellBasell facility in La Porte, TX.

It is more than a little unusual for the CSB to take six days to decide to investigate a chemical incident. The late start means that they have to rely on other agencies to preserve the scene of the incident for investigators. All sorts of people have probably been at the accident scene. It is surprising how much stuff non-investigators pick up as souvenirs at explosion sites; there is no telling how much evidence has walked off the site since the fire/explosion last Tuesday.

This raises an interesting question. Did CSB receive additional information (the newly reported chemical release) that made an investigation a higher priority than completing reports? Or was there political pressure applied to the CSB to get them to get back in the investigation game?


Review - HR 8806 Introduced – Healthcare Cybersecurity

Earlier this month, Rep Crow (D,CO) introduced HR 8806, the Healthcare Cybersecurity Act of 2022. The bill would require CISA to work with the Department of Health and Human Services (HHS) to improve cybersecurity in the Healthcare and Public Health Sector. No additional spending is authorized in this bill.

Moving Forward

Neither Crow nor his single cosponsor {Rep Fitzpatrick (R,PA)} are members of the House Homeland Security Committee to which this bill was assigned for consideration. This means that it is unlikely that the bill will be considered in Committee. I see nothing in the bill that would engender any organized opposition. I suspect that the bill would receive broad bipartisan support if it were considered in either Committee or on the floor of the House.

Commentary

The requirement in §6(a)(3) to evaluate the “best practices for the deployment of trained Cyber Security Advisors and Cybersecurity State Coordinators of the Agency into Healthcare and Public Health Sector assets before, during, and after data breaches or cybersecurity attacks” is going to have to include a detailed look at the number of Cybersecurity Advisors available in each region versus the history of the number of healthcare sector cyber attacks. CISA has only limited information available on the number of Cyber Security Advisors that it has on staff, but it is no more than 2 or 3 for each of their ten regional offices. This certainly will not be enough to handle every cyberattack in the healthcare sector, much less the 15 critical infrastructure sectors.

If CISA is going to be an incident response agency for private sector organizations, they are going to have to dramatically increase the number of IR personnel they have in their regional offices, and I do not think that that is doable.

 

For more details about the bill’s requirements, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-8806-introduced - subscription required.


Saturday, September 24, 2022

Short Takes – 9-24-22

Immediate Action is Needed to Protect the Homeland from Drone Threats. HSToday.us article. Discussion about provisions of S 4687. Pull quote: “But more is needed and more is needed now. To ensure that drones don’t disrupt or harm our way of life, we must provide federal, state, and local authorities with the complete set of tools to mitigate drone threats while maintaining the civil rights and liberties of responsible unmanned aircraft operators.” 

The Elusive Future of San Francisco’s Fog. NYTimes.com article. If you have ever spent time in San Francisco, you know about fog… Pull quote: “Every summer, fog breathes life into the Bay Area. But people who pay attention to its finer points, from scientists to sailors, city residents to real estate agents, gardeners to bridge painters, debate whether there is less fog than there used to be, as both science and general sentiment suggest.”


Unusual ‘Chlorine’ Incident in Rhode Island

A local TV station in Pawtucket, RI published a report yesterday about a chlorine gas incident at a residential building. It seems that a contractor was emptying a sewage (septic?) tank at the building, and during the process added ‘chlorine tablets’ (sodium hypochlorite, pool chlorine tablets probably) to the tank as part of some sort of disinfection process. An unusually high number of tablets were apparently used, and two residents were taken to the hospital for treatment for breathing problems because of chlorine gas exposure.

Sodium hypochlorite when dissolved in water produces ‘bleach’. Bleach is very reactive with a number of different chemicals and frequently releases chlorine gas as part of many of those reactions. Chlorine is detectable by smell at very low concentrations, and I would suspect that there should not have been enough chlorine gas released into the building to be a serious health hazard for healthy individuals. Unfortunately, any number of pre-existing diseases could make people susceptible to breathing problems with even very low concentrations of chlorine gas.

Interestingly, this incident probably triggers a requirement to report the incident to the CSB. We certainly had a chemical release (chlorine gas) which caused serious injuries (2 hospital admissions). This was not a transportation-related event, so the incident occurred at a ‘fixed site’. Since the contractor doing the work routinely handles the ‘chlorine tablets’ for the chemical treatment of sewage tanks, they would be expected to be aware of the chemical hazards involved and should know about the CSB reporting requirements. I do not expect that the CSB will be sending an investigation team to an incident like this, even if they were fully staffed and not three years behind on completing accident investigation reports. But the incident still falls within the regulatory reporting requirements.


Review - GAO Reports NNSA Cybersecurity Concerns

This week the Government Accountability Office published a report on the cybersecurity efforts at the National Nuclear Security Administration. According to the web site for this report: “The National Nuclear Security Administration (NNSA) and its contractors have not fully implemented six foundational cybersecurity risk practices in its traditional IT environment. NNSA also has not fully implemented these practices in its operational technology and nuclear weapons IT environments.”

The GAO report recommends (pgs 42-3) that NNSA should:

• Promptly finalize its planned revision of Supplemental Directive 205.1, Baseline Cybersecurity Program, to include the most relevant federal cybersecurity requirements and review the directive at least every 3 years.

• Direct NNSA’s Office of Information Management, and the site contractors that have not done so, to develop and maintain cybersecurity continuous monitoring strategies that address all elements from NIST guidance.

• Direct NNSA’s Office of Information Management, and the site contractors that have not done so, to identify and assign all risk management roles and responsibilities called for in NIST guidance.

• Direct that the site contractors that have not done so maintain a site-wide cybersecurity risk management strategy that addresses all elements from NIST guidance and perform periodic reviews at least annually.

• Direct the Office of Information Management to identify the needed resources to implement foundational practices for the OT environment, such as by developing an OT activity business case for consideration in NNSA’s planning, programming, budgeting, and evaluation process.

• Establish a cybersecurity risk management strategy for nuclear weapons information technology that includes all elements from NIST guidance.

• Clarify and reinforce to the M&O contractors, such as by a policy flash or other communication, that they are required to monitor subcontractor’s cybersecurity measures.

• Include performance criteria evaluating contractor oversight of subcontractor cybersecurity measures in the annual M&O contractor performance evaluation process.

• Direct Information Management and the Office of Acquisition and Project Management to ensure that Supplemental Directive 205.1 contains language requiring third-party validation of contractor and subcontractor cybersecurity measures.

 

For a more detailed look at the GAO Report, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/gao-reports-nnsa-cybersecurity-concerns - subscription required.


GAO Publishes Federal Building Security Report

This week, the Government Accountability Office published a report looking at the effectiveness of the Federal Protective Service in providing physical security oversight of, and federal law enforcement support to, federally owned and leased offices. The GAO reports that, while agencies are generally satisfied with the assessments, they do not implement many of the resulting recommendations.

The report notes:

“FPS conducts facility security assessments and recommends security measures—such as security cameras, physical access control systems, and x-ray screening equipment. These measures are aimed at preventing security incidents.”

Interestingly, there is no discussion of the assessment of, and recommendations for, the cybersecurity of the electronic systems being suggested by the FPS. This would be especially problematic where these systems are networked to centralized security stations or where remote access to the systems is allowed.


Review – Public ICS Disclosures – Week of 9-17-22

This week we have seventeen vendor disclosures from Bosch, Festo, HPE (3), Insyde (7), PcVue (2), Rockwell, Tanzu, and Western Digital. We also have an update from PcVue.

Bosch Advisory - Bosch published an advisory that describes an information disclosure vulnerability in their VIDEOJET Decoder VJD-7513.

Festo Advisory - CERT-VDE published an advisory that describes an improper privilege management vulnerability in the Festo control block CPX-CEC-C1 and CPX-CMXX.

HPE Advisory #1 - HPE published an advisory that discusses an information disclosure vulnerability in their Edgeline Servers.

HPE Advisory #2 - HPE published an advisory that discusses a privilege escalation vulnerability in their Edgeline Servers.

HPE Advisory #3 - HPE published an advisory that discusses 28 vulnerabilities in their SAN switches.

Insyde Advisory #1 - Insyde published an advisory that describes an SMM arbitrary code execution vulnerability in their InsydeH2O product.

Insyde Advisory #2 - Insyde published an advisory that describes a memory leak vulnerability in their InsydeH2O product.

Insyde Advisory #3 - Insyde published an advisory that describes an arbitrary code execution vulnerability in their InsydeH2O product.

Insyde Advisory #4 - Insyde published an advisory that describes a memory corruption vulnerability in their InsydeH2O product.

Insyde Advisory #5 - Insyde published an advisory that describes a memory corruption vulnerability in their InsydeH2O product.

Insyde Advisory #6 - Insyde published an advisory that describes a memory leak vulnerability in their InsydeH2O product.

Insyde Advisory #7 - Insyde published an advisory that describes a memory corruption vulnerability in their InsydeH2O product.

PcVue Advisory #1 - PcVue published an advisory that describes a sensitive information in log file vulnerability in their PcVue 15 product.

PcVue Advisory #2 - PcVue published an advisory that discusses an access of uninitialized pointer vulnerability in their PcVue product.

Rockwell Advisory - Rockwell published an advisory that describes a heap-based buffer overflow vulnerability in their ThinManager ThinServer software.

Tanzu Advisory - Tanzu published an advisory that describes an information disclosure vulnerability in their Spring Data REST product.

Western Digital Advisory - Western Digital published an advisory that describes a use of weak hash vulnerability in their WD Discovery products.

PcVue Update - PcVue published an update for their OAuth configuration advisory that was originally published on August 8th, 2022.

NOTE: NCCIC-ICS has not updated their advisory (ICSA-22-235-01) to reflect this new information.

 

For more details on these disclosures, including links to third-party advisories and researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/publish/post/74741456 - subscription required.

Friday, September 23, 2022

Short Takes – 9-23-22

Pipeline Security, Visibility, and Detection at the OT Edge. Synsaber.com blog post. Minimal self-advertising. Pull quote: “The threat landscape continues to evolve, now including issues such as Ransomware as a Service (RaaS) and increased mass scanning techniques, and new attacks are being developed every day. While OT networks may be more likely to be a victim of “splash damage” rather than a direct attack, the risks to critical infrastructure are not disputed. As a result of the increased threat and awareness of potential risks, organizations are looking for ways to improve their visibility and their defenses against these attacks.”

Unique Electronic Identification of Commercial Motor Vehicles. Federal Register ANPRM notice. Pull quote: “FMCSA requests public comment on whether the agency should amend the Federal Motor Carrier Safety Regulations to require every commercial motor vehicle (CMV) operating in interstate commerce to be equipped with electronic identification (ID) technology capable of wirelessly communicating a unique ID number when queried by a Federal or State motor carrier safety enforcement personnel.”

If anyone is interested in following all of the global CERTs, CIRTs, SIRTs, CSIRTs, PSIRTs, NCSCs and ISACs - I made a list. A TWITTER list from @PatrickCMiller.

What will it take to recycle millions of worn-out EV batteries? KnowableMagazine.org article. Pull quote: ““Some of the largest companies in the world are buying as much recycled battery metals as available,” he says. “The challenge, right now, is really about who can scale up the quickest.””


HR 7900 Amendments Proposed – FY 2023 NDAA – 9-22-22

While the Senate has not yet started the consideration process for HR 7900, the FY 2023 National Defense Authorization Act (NDAA), amendments continue to be proposed in the Senate for that bill. Yesterday 75 amendments were proposed. Three of those amendments may be of interest here:

SA 5615. Mrs. BLACKBURN - At the appropriate place, insert the following: SEC. xxx. Study On National Laboratory Consortium for Cyber Resilience. (Pg S4998-9)

SA 5620. Mr. MENENDEZ - At the end of the bill, add the following: DIVISION E—Department of State Authorizations (Pg S4999) which includes:

TITLE LV—Information Security and Cyber Diplomacy (Pg S5011), and

SA 5634. Mr. CARDIN - At the appropriate place, insert the following: SEC. xx. Chemical Security Analysis Center (Pg S5027)


Bills Introduced – 9-22-22

Yesterday, with the House and Senate preparing to leave for the weekend, there were 84 bills introduced. Four of those bills may receive additional coverage in this blog:

HR 8949 To amend the Homeland Security Act of 2002 to extend counter-unmanned aircraft systems authorities, to improve transparency, safety, and accountability related to such authorities, and for other purposes. Nadler, Jerrold [Rep.-D-NY-10]

HR 8956 To amend chapter 36 of title 44, United States Code, to improve the cybersecurity of the Federal Government, and for other purposes. Connolly, Gerald E. [Rep.-D-VA-11]

HR 8970 To provide funding to strengthen cybersecurity defenses and capabilities by expanding community colleges programs leading to the award of cybersecurity credentials that are in demand in government, critical infrastructure, nonprofit, and private sectors, and for other purposes. McClain, Lisa C. [Rep.-R-MI-10]

S 4919 A bill to require an interagency strategy for creating a unified posture on counter-unmanned aircraft systems (C-UAS) capabilities and protections at international borders of the United States. Lankford, James [Sen.-R-OK]

I will be covering both of the counter-UAS bills.

I will be watching the two cybersecurity bills for language and definitions that would include industrial control systems within the scope of their coverage.


Thursday, September 22, 2022

Short Takes – 9-22-22

Set a calendar alert: NASA to broadcast first asteroid redirect on Monday. ArsTechnica.com article. Engineering at its most interesting – smack something and see what happens. Pull quote: “The primary one [effect] is expected to be slowing Dimorphos' orbit down by roughly 1 percent. As Chabot explained, this will have the consequence of making it more tightly bound, gravitationally, to Didymos. There's undoubtedly going to be material ejected during the collision, but that's not expected to be the main feature. "This really is about asteroid deflection, not disruption," Chabot said. "This isn't going to blow up the asteroid, it isn't going to put it into lots of pieces."”

Hackers Paralyze 911 Operations in Suffolk County, NY. DarkReading.com article. Pull quote: “Emergency lines aren't the only systems that have been impacted in Suffolk County. Police don't have access to their car computers, and even the system for title reporting is shut down, meaning no one can close real estate deals in the area.” Great system segmentation here (sigh); 911 and police car computers I can almost understand (they directly communicate with each other), but title registration???

A House hearing saw expert testimony emphasizing the need for steady funding to cybersecurity programs in water utility providers––especially in rural regions. NextGov.com article. Pull quote: “He added that underfunded federal mandates put a disproportionate amount of strain on utility companies to handle cybersecurity infrastructure without adequate support––resulting in higher utility costs.” This is the same complaint that EPA faced post-9/11 when it tried to ensure physical security at water treatment facilities.

Train Crew Size Safety Requirements – Extension of comment period. Federal Register notice. Extends the comment deadline for the notice of proposed rulemaking until December 2, 2022. A public meeting is planned before that deadline.

Homeland Security Advisory Council Meeting – 10-6-22. Federal Register notice. Pull quote: “The Council will meet in an open session between 1:30 p.m. to 1:45 p.m. ET. During the open session, the Council will receive a progress report from the Customer Experience and Service Delivery subcommittee.”

Hazardous Materials: Adjusting Registration and Fee Assessment Program ANPRM. Federal Register notice. Request for information for rulemaking. Pull quote: “PHMSA is publishing this ANPRM to solicit feedback on potential adjustments to the statutorily mandated hazardous materials registration and fee assessment program. Actions such as the potential adjustment of fees or the addition of other entities among those required to register may be necessary to fund PHMSA's national emergency preparedness grant programs at the newly authorized level in accordance with the Infrastructure Investment and Jobs Act of 2021.”

Have you been taking pills wrong? Here’s what science says. WashingtonPost.com article. The things scientists model… Pull quote: “The bottom line: leaning to your right side after swallowing a pill could speed absorption by about 13 minutes, compared to staying upright. Leaning to the left would be a mistake — it could slow absorption by more than an hour.”


Review - CISA-NSA Publish OT Security Alert – 9-22-22

Today CISA and the NSA jointly released a Cybersecurity Advisory on Control System Defense. The document [labeled Alert (AA22-265A)] provides an overview (with footnotes) of how adversaries plan and carry out cyberattacks on industrial control systems and then outlines steps that owner/operators can take to prevent, or at least mitigate, such attacks.

Commentary

There is a great deal of valuable information in this document, but it is mostly derivative. That is adequately documented in the 16 footnotes. Given the scope of the topics being covered, the 12-page document is only able to hit the high points of the discussion. This is fine if an organization has an in-house process control engineering team; they will be able to digest the provided information and apply it to their unique control system needs.

This document will be less helpful to smaller organizations that have had to rely on contract integrators for the installation and maintenance of their control systems. Unless those earlier contracts included cybersecurity support, many of these smaller system owners are going to find it difficult to find the necessary support to add the discussed mitigation measures to existing systems. And the add-ons are likely to be expensive if qualified personnel can be found.

What is seriously missing from this discussion is what to do when the attack occurs. Smaller organizations may have an advantage if they can continue limited operations in manual mode. This would allow them to continue operations while they work through the process of restoring operations from backups. Interestingly, restoring from backups is another topic that is strangely missing from the discussion in the CISA/NSA alert. It is a primary response tool for ransomware attacks, arguably the most common cyberattack seen by most organizations.

For a more detailed look at the CISA-NSA alert, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cisa-nsa-publish-ot-security-alert - subscription required.


Review - 1 Advisory and 2 Updates Published – 9-22-22

Today, CISA’s NCCIC-ICS published a control system security advisory for products from Measuresoft. They also updated two Mitsubishi advisories.

Measuresoft Advisory - This advisory describes an improper access control vulnerability in the Measuresoft ScadaPro Server.

Mitsubishi Update #1 - This update provides additional details on an advisory that was originally published on July 30th, 2020 and most recently updated on July 28th, 2022.

Mitsubishi Update #2 - This update provides additional details on an advisory that was originally published on September 1st, 2020 and most recently updated on May 31st, 2022.

 

For more details about these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-and-2-updates-published-284 - subscription required.


CG Publishes Liquid Chemical Categorization NPRM

Today, the Coast Guard published a notice of proposed rulemaking (NPRM) in the Federal Register (87 FR 57984-58018) for “2022 Liquid Chemical Categorization Updates”. The rulemaking would align the Liquid Chemical Categorization tables in 46 CFR Part 30 and Part 150 with the 2020 Edition of the International Code for the Construction and Equipment of Ships Carrying Dangerous Chemicals in Bulk and the International Maritime Organization's Marine Environment Protection Committee's Circular 25.

The Coast Guard is soliciting public comments on this NPRM. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # USCG-2022-0327). Comments should be submitted by December 21st, 2022.


Bills Introduced – 9-21-22

Yesterday, with both the House and Senate in Washington, there were 46 bills introduced. Two of those bills will receive additional coverage in this blog:

S 4908 A bill to improve the visibility, accountability, and oversight of agency software asset management practices, and for other purposes. Peters, Gary C. [Sen.-D-MI]

S 4913 A bill to establish the duties of the Director of the Cybersecurity and Infrastructure Security Agency regarding open source software security, and for other purposes. Peters, Gary C. [Sen.-D-MI] 

I do not expect that either bill will directly address control system security, but they will almost certainly have longer range impacts on software security issues that will ultimately apply to control systems.

Note in Passing

I would like to point out an interesting concept found in the description of S 4914 that was also introduced yesterday. Here is how the purpose of the bill was officially described: “A bill to direct the Secretary of State to designate certain Mexican drug cartels as foreign terrorist organizations, and to submit a report to Congress justifying such designations in accordance with section 219 of the Immigration and Nationality Act.”

Now I have no problems with labeling Mexican drug cartels as ‘terrorist organizations’. The definition does not really fit, but the potential sanctions would probably be helpful. The interesting thing here is that Congress would be directing the State Department to do something and then requiring the Department to justify taking that mandated action. The most obvious response would be to report: “You told us to do this, so we had to do it. We could not have done it if you had not required us to do it.”


Wednesday, September 21, 2022

Short Takes – 9-21-22

GOP faces internal rift on government spending. TheHill.com article. And the GOP radicals don’t even trust the rest of their conference. Pull quote: “In an attempt to prevent House Republican leadership from relying on Democrats to broker spending deals in the future, the Freedom Caucus has called for House GOP rules to require any legislation that passes in a GOP-controlled House to have support from a majority of the Republican conference.”

Business groups take aim at chronic rail disruptions after strike threat. TheHill.com article. Pull quote: ““Service failures are contributing to higher prices and supply chain disruptions for food, fuel, and countless other products,” the Rail Customer Coalition wrote in a recent letter to lawmakers. “The proposal [HR 8649] contains many common-sense provisions that would improve service and create a more balanced system for railroads and their customers.””

How Dangerous Is Too Dangerous? A Perspective on Azide Chemistry. Pubs.ACS.org JOC editorial. Interesting look at chemical safety at the lab scale. Pull quote: “A recent article in this journal [Journal of Organic Chemistry] authored by Gazvoda et al. describes a procedure for preparing triazoles from alkynes using stoichiometric sodium azide, stoichiometric acid, and catalytic copper, followed by a workup that may include dichloromethane. As industrial chemists with decades of experience safely scaling up azide chemistry, we feel compelled to share with the research community our three major safety concerns with this procedure.”


STB Publishes RETAC Meeting Notice – 10-26-22

Today, the Surface Transportation Board published a meeting notice in the Federal Register (87 FR 57747-57748) for a meeting of the Rail Energy Transportation Advisory Committee on October 26th, 2022 in Washington, DC.

The preliminary agenda includes a rail performance measures review, industry segment updates by RETAC members, and a roundtable discussion.

 

S 4900 Introduced and Passed in Senate – SBIR Extension

Yesterday, Sen Cardin (D,MD) introduced S 4900, the SBIR and STTR Extension Act of 2022. The bill would extend the current Small Business Innovation Research Program (SBIR) and Small Business Technology Transfer Program (STTR) through 2025. A number of changes were made to the programs to prohibit the programs’ awarding funds to companies receiving significant support from the Chinese government. There is one minor cybersecurity provision in the bill. The bill was passed in the Senate without debate under the unanimous consent process.

Cybersecurity in Passing

There is one cybersecurity mention in the bill. In the new subsection (vv) being added to 15 USC 638 the bill adds a requirement for the Small Business Administration to conduct a “due diligence program to assess security risks presented by small business concerns seeking a federally funded award.” That assessment is to include “using a risk-based approach as appropriate, the cybersecurity practices [emphasis added], patent analysis, employee analysis, and foreign ownership of a small business concern seeking an award, including the financial ties and obligations (which shall include surety, equity, and debt obligations) of the small business concern and employees of the small business concern to a foreign country, foreign person, or foreign entity”.

Moving Forward

With the bill passing in the Senate essentially unread by most members, it is perhaps premature to expect the same level of support in the House, where the bill will next be considered. I do not see, however, anything in the bill that would engender any organized opposition. The bill will most likely be considered under the House suspension of the rules process, where there would be limited debate, no floor amendments, and a super-majority vote required to pass. I suspect that there will be significant bipartisan support for the bill.


Bills Introduced – 9-20-22

Yesterday, with both the House and Senate in Washington, there were 57 bills introduced. Two of those bills may receive additional attention in this blog:

S 4888 A bill to require the President to supplement disaster response plans to account for catastrophic incidents disabling 1 or more critical infrastructure sectors or significantly disrupting the critical functions of modern society, and for other purposes. Cornyn, John [Sen.-R-TX] 

S 4900 A bill to reauthorize the SBIR and STTR programs and pilot programs, and for other purposes. Cardin, Benjamin L. [Sen.-D-MD] 

S 4888 will almost certainly be covered.

I will be watching S 4900 for language and definitions that will specifically include continued cybersecurity support for small businesses in the scope of the bill.

A similarly described bill, S 4852, ended up being a straightforward change in the authorization status of the SBIR and STTR programs without any specific discussion about cybersecurity coverage. That bill will not receive additional coverage here.


Tuesday, September 20, 2022

Short Takes – 9-20-22

Critical flaws in airplanes WiFi access point let attackers gain root access. GBHackers.com article. Pull quote: “An adversary can exploit these vulnerabilities to compromise all types of inflight entertainment systems, and also other aspects of the system.” No direct access to flight controls but may provide network access depending on configuration.

Physics Body Concedes Mistakes in Study of Missile Defense. NYTimes.com article. Pull quote: “But the two scientists found that the study group had used the wrong interceptor speed — less than 2.5 miles per second instead of the faster pace of more than 3.1 miles per second. That error might seem small, but the military upshot was not. For an interceptor flight of 195 seconds, the baseline, the correct number was seen as moving the drones more than 100 miles farther out to sea.”

Facemask can detect viral exposure from a 10-minute conversation with an infected person. NewsWise.com article. Pull quote: “Once the aptamers bind to the target proteins in the air, the ion-gated transistor connected will amplify the signal and alert the wearers via their phones. An ion-gated transistor is a novel type of device that is highly sensitive, and thus the mask can detect even trace levels of pathogens in the air within 10 minutes.” More useful for a near instant testing device?

Kazakhstan Is Breaking Out of Russia’s Grip. ForeignPolicy.com article. Pull quote: “The deeper Moscow digs itself into a confrontation with the West and the international community, the more prepared Kazakhstan is to ditch Russia where possible while trying to avoid incurring losses as a result of Moscow’s displeasure.” An interesting byproduct of Putin’s failure in Ukraine.

GhostSec Strikes Again in Israel Alleging Water Safety Breach. Otorio.com article. Swimming pool control system. Pull quote: “Once again, this incident is a rather sad example of a business maintaining a poor password policy where the default credentials simply weren’t changed. Yet even with the hotel’s failure to change the default password, the system was also exposed to the internet, making it an extremely easy target for cyber attacks.” Looks like they could have controlled chlorine levels, no telling if there were safety controls in place to prevent lethal levels in atmosphere around pool.

Officials say DHS rejected plan to shield election officials from harassment. TheHill.com article. Pull quote: “Citing multiple people familiar with the matter, the outlet reported the proposal would track foreign influence activity and increase resources for reporting misinformation and disinformation surrounding the midterm elections, but officials raised concerns about the initiative being seen as partisan.” Avoiding the appearance of partisanship may end up being partisan in reverse.

Lawmakers Are Setting a Tight Schedule to Avoid a Government Shutdown. GovExec.com article. All sorts of issues holding up agreement. Just one, pull quote: “Lawmakers are seeking to strike a delicate balance, with many hurdles that could complicate a spending bill vote. Dozens of House Republicans are planning to vote against any CR that expires during the lame-duck session of Congress, arguing Republicans should insist on a measure that lasts into January. That would allow lawmakers to take up a full-year fiscal 2023 appropriations package when Republicans may control one or both chambers of Congress. Former President Trump issued a statement over the weekend imploring his party to take that approach.”

Not-So-Safe Automated Driving: Safety Risks During Drivers’ Takeover. HomelandSecurityNewsWire.com article. Problems with human backup of automated driving systems. Pull quote: “Against the backdrop of the current findings, the promise of increased safety that is often made in connection with automated driving remains extremely questionable. The next study on automated driving is already being planned, and will examine the factor of trust in technology.”

