Monday, October 31, 2022

Short Takes – 10-31-22

Dark Reading Launches New Section Dedicated to ICS/OT Security. DarkReading.com announcement. Pull quote: “Dark Reading's new ICS/OT Security section will help cybersecurity professionals navigate the challenges and trends unique to OT security, as well as the security implications of the convergence of IT and OT networks, including the relationship between the teams that manage securing the business network and those who manage securing the industrial one.”

You’ve decided to quit Twitter. Here’s what you can use to replace it. WashingtonPost.com article. Pull quote: “Even if all of Twitter agrees to relocate, there is no one exact copy or one app that will hit all the same spots. As with Facebook, ditching Twitter can mean scattering your online presence across multiple other apps. Leaving Twitter could also mean cutting things out of your online life permanently, like late-night doomscrolling or arguing with strangers online for sport. And maybe, just maybe, that’s okay.”

Seriously low diesel supply threatens to worsen inflation. TheHill.com article. Pull quote: ““The refinery fire in Northwest Indiana and now the … shutdown of BP’s Toledo refinery (see today’s CSB update on incident), those are refineries that produce a lot of diesel fuel because they process a lot of heavy Canadian oil, so that is not helping the situation at all,” he said.”

China launches 3rd and final space station component. Phys.org article. Pull quote: “Following Mengtian's arrival, an additional uncrewed Tianzhou cargo craft is due to dock with the station next month, with another crewed mission scheduled for December, at which time crews may overlap as Tiangong has sufficient room to accommodate six astronauts.”

A GOP Showdown Over the Debt Limit Could Grip Congress and the Nation Next Year. GovExec.com article. One possible outcome of a GOP-controlled House next session. Pull quote: “One result of a stalemate over government spending could be a government shutdown at some point in 2023, a move the GOP has used in the past to try to get its way.”

Frackers Jockey With Potash Miners for Space to Grow in Top U.S. Oil Field. WSJ.com article. Pull quote: “The Delaware basin is a rare location where oil companies conduct high-pressure fracking near miners working underground to extract potash and other minerals. Frackers have had the upper hand for years, pushing deeper into the nearly 500,000 acres of New Mexico’s U.S.-designated potash territory, following a 2012 order by the Interior Department that effectively enabled far more oil and gas drilling there.”

Bird flu infects Iowa egg farm with 1 million chickens. ABCNews.go.com article. Pull quote: ““We have been preparing for the possibility of additional outbreaks and are working closely with USDA and producers to eradicate this disease from our state," said Iowa Secretary of Agriculture Mike Naig. "With migration ongoing, we continue to emphasize the need for strict biosecurity on poultry farms and around backyard flocks to help prevent and limit the spread of this destructive virus.”” No mention of potential effect on egg and chicken prices.


Reader Comment – Fail Open Valves

A long-time reader, and former CSB insider, Rosearray posted a comment to my blog post about the publication of the CSB report on the PES fire and explosions. He was kind enough to post my discussion to the AIChE Engage Discussion Central (not a site to which I have direct access), and he noted that it received an interesting comment (Rosearray quoted it in his comment here). The comment from a PE addressed my suggestion that the control valves for the HF deluge system should have been designed to ‘fail open’. He noted (in part) that:

“The preference for making the deluge valves fail open may seem obvious when viewed through the lens of one particular scenario. But one must also consider the consequences in other circumstances, such as during normal operation in cold weather. If the deluge valve failed open for any reason, the entire area could be coated in a thick layer of ice, and that may also create conditions adverse to process and personal safety.”

And he is absolutely correct. That is one of the reasons that process safety reviews of any sort always (hopefully anyway) include more than one person, with multiple backgrounds. This way, problems with a ‘perfectly good’ solution can be identified and corrected before someone has to figure out how to chip ice away from a manual valve that just has to be closed right now.

Needless to say, I recommend that readers interested in process safety read the entire comment.


Mastodon Coverage

With the potential changes being made to TWITTER, I have decided to set up a presence on an alternative site for advertising my blog posts and tracking various news feeds. You can now follow me @Pjcoyle on Mastodon. I will continue posting on TWITTER pending further evaluation of changes on that site.


CSB Update on Toledo Refinery Fire

This morning, the Chemical Safety Board published an update on their ongoing investigation of a September 20th, 2022, chemical release and fire at the BP-Husky Refining LLC (BPHR) Toledo refinery in Ohio. While access to the incident scene is still restricted because of the presence of asbestos fibers in the area, the CSB is conducting interviews and records reviews. BP, OSHA and local union officials are all cooperatively investigating the incident with the CSB.


Saturday, October 29, 2022

Review – Public ICS Disclosures – Week of 10-22-22

This week we have six vendor disclosures from Aruba Networks, HP, InHand Networks, Sick, and Wireshark (2). We also have a vendor update from VMware. Then there are two researcher reports for products from Delta Electronics. Finally, we have an exploit for products from Siemens.


Aruba Advisory - Aruba published an advisory describing sixteen vulnerabilities in their ArubaOS.

HP Advisory - HP published an advisory that describes a denial-of-service vulnerability in a number of their printers.

InHand Advisory - InHand published an advisory that describes six vulnerabilities (with proof-of-concept code available) in their Industrial Router IR302.

Sick Advisory - Sick reportedly published an advisory that describes a password recovery vulnerability in the SIMs products, but a problem with their PSIRT web page does not allow access to the link to the advisory.

VMware Advisory - VMware published an advisory that discusses two vulnerabilities (one with known exploit) in the Cloud Foundation product.

Wireshark Advisory #1 - Wireshark published an advisory that describes a code injection vulnerability in their OPUS dissector.

Wireshark Advisory #2 - Wireshark published an advisory that describes a code injection vulnerability in their USB-HID dissector.

Delta Report #1 - Tenable published a report (with proof of concept code) describing two SQL injection vulnerabilities in the Delta DIAEnergie product.

NOTE: These appear to be separate from the three SQL injection vulnerabilities reported by NCCIC-ICS earlier this week.

Delta Report #2 - AWESEC published a report describing an SQL injection vulnerability in the Delta DIAEnergie product.

NOTE: This appears to be separate from the three SQL injection vulnerabilities reported by NCCIC-ICS earlier this week.

Siemens Exploit - RoseSecurity published a Metasploit module for an authentication bypass vulnerability in the Siemens APOGEE PXC BACnet Automation Controllers and TALON TC BACnet Automation Controllers.


For more details on these disclosures, including links to 3rd party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-10-89e - subscription required.

Bills Introduced – 10-28-22


Yesterday, with the House meeting in pro forma session, there were 20 bills introduced. One of those bills will receive additional consideration in this blog:

HR 9245 To amend the Federal Fire Prevention and Control Act of 1974 to authorize appropriations for the United States Fire Administration and firefighter assistance grant programs. Golden, Jared F. [Rep.-D-ME-2]


Friday, October 28, 2022

Short Takes – 10-28-22

Governments bought Chinese telecom gear despite warnings. Axios.com article. And how many private companies? Pull quote: “Chinese telecom equipment is generally less expensive than gear from non-Chinese companies, making it an appealing procurement option for cash-strapped local U.S. agencies.”

Better Regulating Drone Use Requires Communication, Not Surveillance. EFF.org article. A contrarian look at counter-UAS rules. Pull quote: “In some circumstances, the government may have legitimate reasons for engaging drones that pose an actual, imminent, and narrowly defined “threat.” But what the Administration is asking for is beyond reasonable. Whatever threat private drones may pose to public safety does not require handing the government, as well as contractors and private businesses, unfettered authority to destroy, commandeer, or eavesdrop on private drones.”

Readout of Cybersecurity Executive Forum on Electric Vehicles and Electric Vehicle Charging Infrastructure Hosted by the Office of the National Cyber Director. WhiteHouse.gov statement. Pull quote: “All participants emphasized the need to accelerate construction and deployment of this critical [electric vehicle charging] infrastructure while ensuring that, as Americans increasingly rely on it, we are confident in its security and resilience. There was also discussion about how the Administration’s implementation of the Build America, Buy America Act could improve the supply chain security of components that all of the companies rely on.”

Updated Report Release Schedule. CSB.gov notice. Three more reports due this year: Kuraray EVAL, TX (5-9-18), TPC Group, TX (11-27-19), and Husky Energy Refinery, WI (4-26-18).

Shanghai district orders mass COVID-19 testing, lockdown. TheHill.com article. More disruptions to occur. Pull quote: “China has shown no sign of backing away from its hardline “zero-COVID” policy since a major congress of the ruling Communist Party that concluded this week by awarding authoritarian leader Xi Jinping a third five-year term in power and packed top bodies with his loyalists.”

Cyber officials prioritizing securing critical sectors, foreign partnerships amid rising threats. TheHill.com article. Pull quote: “Neuberger said that over the past year there’s been a “relentless focus” on securing critical sectors and helping them improve their security systems and cyber hygiene. She said the focus is on services and sectors that could bring hazard if disrupted, such as hospitals, the oil and gas industry, and companies that transport chemicals.”


CSB Releases PES Incident Safety Video

Yesterday, the Chemical Safety Board released a new safety video covering the fire and explosions at the PES refinery in Philadelphia in 2019. This new video provides an audio-visual look at the CSB findings recently published about the incident. Another very well done and thorough review of the incident.

As expected, the video does specifically address the issue of inherently safer technology as related to the use of hydrofluoric acid as a refinery alkylation catalyst. As did the CSB’s incident report, the video suggests that refineries using HF Alkylation units be required to periodically conduct a feasibility study about conversion to less hazardous alkylation processes. The EPA is considering including such a requirement in their proposed revisions to the Risk Management Plan regulations.

Partially in response to the EPA’s RMP revision NPRM, and potentially in pre-sponse to the expected release of the CSB video, the American Fuel & Petrochemical Manufacturers (AFPM) released their own video about the use of HF alkylation units and current best practices employed by industry to protect those units.


Thursday, October 27, 2022

Review - Cybersecurity Performance Goals for CI

Today, CISA announced the publication of “New Cybersecurity Performance Goals for Critical Infrastructure” which include “voluntary practices that outline the highest-priority baseline measures businesses and critical infrastructure owners of all sizes can take to protect themselves against cyber threats.” While this document {Cross-Sector Cybersecurity Performance Goals (CPG)} was produced by CISA, they have been working with a variety of private sector organizations and individuals (an impressive list on the last page of the document) in developing these voluntary practices.

Commentary

CISA is continuing to try to treat cybersecurity as something that they can convince critical infrastructure to accomplish if they just provide enough guidance. This continues the admittedly good work that NIST did with developing the Cybersecurity Framework. Where the CSF was at heart a cyber threat management document, these CPG attempt to provide more emphasis on the cybersecurity activities that would help organizations reduce the cyber threat currently facing critical infrastructure.

The problem remains that, of necessity, the recommended actions are broadly enough written that it may not be clear to non-technical managers whether or not they have actually been adequately applied. Nor is it going to be easy for even technical managers to ensure that they have been even inadequately applied to all of the potentially affected devices in an organization.

Of course, the same problems would apply if this were a cybersecurity mandate instead of a voluntary program. CISA certainly does not have enough personnel (forget trained personnel) to field an adequate compliance inspection team. Even requiring third-party compliance verification would require a workforce that would cut into the personnel necessary to implement the requirements. So much for easy answers.

The problem could be made more manageable if CISA were able to designate a small set of especially critical infrastructure organizations who would, in turn, identify mission critical resources that would be subject to mandatory cybersecurity controls.


For more details about the CPG and supporting documentation see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cybersecurity-performance-goals-for - subscription required.


Review – 4 Advisories Published – 10-27-22

Today, CISA’s NCCIC-ICS published four control system security advisories for products from Trihedral, Rockwell Automation (2), and SAUTER.

Trihedral Advisory - This advisory describes an improper input validation vulnerability in the Trihedral VTScada.

Rockwell Advisory #1 - This advisory discusses nine vulnerabilities (one with a known exploit) in the Rockwell Stratix Devices.

Rockwell Advisory #2 - This advisory describes an improper access control vulnerability in the Rockwell FactoryTalk Alarm and Events Server.

SAUTER Advisory - This advisory describes a cross-site scripting vulnerability in the SAUTER moduWeb.


For more details about these advisories, including links to 3rd party advisories and exploits, see my article in CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-published-10-27-22 - subscription required.

OMB Approves Update for FAA ICR for Drone Operations in Restricted Airspace

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a revision to the DOT’s Federal Aviation Administration’s information collection request (ICR) for “Airspace Authorizations in Controlled Airspace under 49 U.S.C. 44809(a)(5) [link added]”. This supports the FAA’s requirement for unmanned aircraft system operators to request permission to fly UAS in certain controlled airspaces. Changes were made to the burden estimate based upon actual usage during the first three years of operations under this ICR.

Commentary

Dramatic changes in burden estimates are not unusual for the first update of an ICR. The agency has to guess how many folks will be using the new system and may not have a strong basis for making that guess. So, a radical decrease based upon three years of actual data makes a certain amount of sense. But…

There is no indication here that the FAA has gone back and done a study to see if the actual data reflects full compliance with the coordination requirements of the regulation, or if there are substantial instances of non-compliance. To be fair, ICR notices are not really the place to discuss compliance investigations in any sort of detail, but it would be nice to see some notification that the FAA was investigating potential non-compliance issues, since a response to those instances of non-compliance may have an impact on future burden estimates.


For more details about the ICR revision, including new burden estimates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/omb-approves-update-for-faa-icr-for - subscription required.


Review - OMB Approves Emergency Revision of TSA Surface Cybersecurity ICR

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an emergency revision for the Transportation Security Agency’s information collection request (ICR) for “Cybersecurity Measures for Surface Modes”. The update for that ICR was just approved by OIRA the day before yesterday. The emergency approval document shows an increased burden estimate and the addition of three new information collections in the ICR. This emergency ICR approval is in support of TSA’s updated “Enhancing Rail Cybersecurity” security directive (SD 1580-2021-01A).

OIRA provides these emergency approvals for only six months. TSA will be required to go through the 60-day and 30-day notification process to formalize these changes. Only then will we (and OIRA) be able to determine the true scope of the changes involved.


For more details about the ICR revision, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/omb-approves-emergency-revision-of - subscription required.


OMB Approves 2nd TWIC Reader Delay NPRM

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a Coast Guard notice of proposed rulemaking (NPRM) on “TWIC--Reader Requirements; Second Delay of Effective Date”. This rule would extend the implementation delay of the TWIC reader requirements for facilities handling or receiving vessels carrying Certain Dangerous Cargo that was set in place in the 2020 TWIC reader rulemaking.

There are three categories of facilities related to CDC issues for the purposes of the TWIC reader requirements outlined in 33 CFR 105.253(a). These facilities are currently slated to be required to implement the TWIC reader requirements on May 8th, 2023. The Coast Guard is still waiting for the congressionally mandated review of those requirements. That study by the Homeland Security Operational Analysis Center (HSOAC), once published, will have to be subject to public review and comments before the TWIC reader requirement can be implemented at these facilities. This new rulemaking would extend the current exemption through 2026 to allow that process to continue.

The Coast Guard will probably publish this rulemaking later this week.


Car Safety – Gun Safety – Cybersecurity?

An interesting TWEET this morning from Director Easterly pointing at an article over on 99PercentInvisible.org. That article starts out as a look at automotive safety and the importance of collecting data on auto accidents to improve the safety of automobiles, then it morphs into an article about how gun safety issues are actively ignored. Kind of an odd article for the CISA Director to be pointing at, right? But read her TWEET:

“READ THIS & consider today’s tech ecosystem. As much of critical infra is underpinned by networked technologies, ensuring products & software are #SecureByDesign & “cybersafe at ALL speeds” is imperative for national security & the safety of every user.”

The article points out the importance of the accident reporting Fatality Analysis Reporting System. Cybersecurity has its CVE database that records cyber vulnerabilities, but it seems that few researchers are scouring that database for information to make IT and OT technology more secure. Part of the reason may be that the database is incomplete; even agencies like CISA rarely provide updates to CVEs and frequently do not provide information to populate the database once a CVE number is reserved.

Even so, vulnerability reports are not the same as accident reports. They do not point at what is killing systems in actual practice. For that kind of information, we would need to have a reporting system that provides data on actual cyberattacks and attempted attacks. But wait, CISA was finally given authority to begin to collect just such data, and in a year or two (or three, or four) we will be seeing such a database being populated with useful data, right?

That remains to be seen. Go back and read the article again. It makes the point that what made the accident data valuable is that lots of folks were able to look at it and analyze it: car manufacturers, designers, government agencies, lawyers, and activists. Each of those had a part to play in bringing about the changes to automobiles and their supporting infrastructure that so drastically improved vehicle safety. Will there be that level of access to the data in CISA’s cyberattack database? Probably not, security you know.

Now go back and re-read the article one last time: it was not the database that improved automobile safety. It certainly helped, but it was a government agency (the National Highway Transportation Safety Administration) that was given the power to set minimum standards for safety performance for all automobiles that paved the way. Yes, in many cases manufacturers have gone beyond the minimum standards, but it was arguably those standards that paved the way for car companies to begin to brag about safety innovation.

Perhaps it is time for us to pressure Congress to provide some new government agency with the authority to set cybersecurity standards, standards not guidelines, standards not frameworks, standards that say to be able to sell a computer or piece of automated machinery, or piece of communications gear in the United States it must meet these minimum cybersecurity requirements.

Is that what you were saying Ms Easterly? If so, I am right there with you.


Wednesday, October 26, 2022

Short Takes – 10-26-22

Commercial building owners fretting over cyber risk should check the fine print on their insurance. SCMagazine.com article. Interesting look at building control systems and cyber insurance. Pull quote: “Earlier this year, Intelligent Buildings, an advisory and managed service for real estate owners, said a Chinese-speaking threat actor was targeting building automation systems across several Asian countries using the Microsoft Exchange ProxyLogon vulnerabilities. In 2019, researchers at ForeScout developed proof of concept malware code exploiting 10 different vulnerabilities capable of worming through different building automation systems.”

Biden-⁠Harris Administration Expands Public-Private Cybersecurity Partnership to Chemical Sector. WhiteHouse.gov statement. Brief. Pull quote: “The majority of chemical companies are privately owned, so we need a collaborative approach between the private sector and government. The nation’s leading chemical companies and the government’s lead agency for the chemical sector – the Cybersecurity and Infrastructure Agency (CISA) – have agreed on a plan to promote a higher standard of cybersecurity across the sector, including capabilities that enable visibility and threat detection for industrial control systems.”

The 5 D's of Cyber Sabotage. LinkedIn.com article by Tony Turner. 5 D’s: Deny, Disrupt, Deceive, Degrade and Destroy. Pull quote: “These kinetic consequences are not new, but through the connection of technology, become far more accessible to our adversaries. Vulnerability advisories will not talk about them and will paint a picture of bits and bytes affected, with no real-world consequence. It is extremely important that we start connecting the consequences of failure to the esoteric scenarios that keep security folks up at night but are largely lost on the operator and the business. It’s time we start thinking about cyber sabotage as part of a robust safety culture. It’s time we take cyber security seriously.”

Fatal Blender Explosion: It does not have to be this way. StoneHouseSafety.com blog post. Metal dust explosions, special problems. Pull quote: “Dust fires and explosions in blending operations do happen. Performing a Dust Hazards Analysis (DHA) is the starting point to establish a basis of safety for your blending operations, as per NFPA 652 (Standard on Fundamentals of Combustible Dust), NFPA 484 (for metal dusts) and other industry-specific NFPA standards.”

A second railroad union votes down Biden's tentative agreement. NPR.org article. Pull quote: “"It is the responsibility of the parties involved to resolve this issue and any idea that kicking this to Congress will result in a quick or favorable outcome is deeply misguided," Jean-Pierre said. "These unions' rejection of the current proposed contract does not mean we face an immediate rail shut down, that's not how we view it. But it does mean the unions and their employers have additional work to do."”


Review - OMB Approves TSA Surface Cybersecurity ICR – 10-26-22

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an extension without change for an information collection request in support of the TSA’s “Cybersecurity Measures for Surface Modes” program. This is the required six-month update for the emergency approval of a new ICR for this program. There is no change from the original burden estimate, but the TSA provides additional details about the information being collected, the collection process, and the basis for the burden estimate.

Interestingly, the TSA does not include the cybersecurity-incident reporting mandated by the Security Directive in this ICR. Instead, since they are using the CISA cybersecurity-incident reporting mechanism, they would have that reporting included in the CISA ICR (1670-0037) which was last updated in October of last year. They do estimate (pg 12) that the burden for that reporting requirement will be 96,163 hours in the first year and 50 hours in each subsequent year. It will be interesting to see if CISA modifies their burden estimate to include this new requirement when they next update that ICR.

For more details about the information that TSA provided to OIRA to support this ICR update, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/omb-approves-tsa-surface-cybersecurity - subscription required.


OMB Approves Rail Security ICR Revision

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an ‘Extension without change’ for the Transportation Security Administration’s information collection request (ICR) for “Rail Transportation Security” (this ICR does not include the new cybersecurity reporting requirements). While OIRA calls this an extension without change, they report that there is a minor decrease in the number of responses and hour burden estimates. TSA does not address this minor change in their supporting documentation.

TSA does report one minor process change in this ICR. On page 4 of the Supporting Document, TSA reports that they are now providing “an additional electronic option for reporting significant security concern information” to supplement the telephonic reporting of incidents. They do not provide any specific information on that process other than noting that: “TSA does not require that a specific form be used for submitting information electronically as long as the information provided is consistent with the requirements of the information collection.” TSA reports that: “In general, electronic reports were found to be more detailed when compared to telephonic reporting; improved ease of use and accuracy of reported data; and reduced the need for subsequent calls to address transcription errors and collect additional information, leading to expedited analysis of security concerns.”

Bills Introduced – 10-25-22

Yesterday, with the House meeting in pro forma session (Senate met on Monday), there were seventeen bills introduced. Three of those bills may receive additional coverage in this blog:

HR 9228 To amend the Public Health Service Act with respect to the information security policies and practices of the National Institutes of Health, and for other purposes. Griffith, H. Morgan [Rep.-R-VA-9]

HR 9229 To amend the Public Health Service Act to codify certain recommendations made by the Government Accountability Office with respect to the Department of Health and Human Services and cybersecurity, and for other purposes. Guthrie, Brett [Rep.-R-KY-2]

HR 9234 To direct the Secretary of Energy to promulgate regulations to facilitate the timely submission of notifications regarding cybersecurity incidents and potential cybersecurity incidents with respect to critical electric infrastructure, and for other purposes. McMorris Rodgers, Cathy [Rep.-R-WA-5]

I will be watching HR 9228 and HR 9229 for language and definitions that would include medical device cybersecurity within the scope of the legislation.

I will be covering HR 9234.


Tuesday, October 25, 2022

Short Takes – 10-25-22

Microgrid Program Strategy. Federal Register notice. Pull quote: “These deliberations led to the development of seven strategic white papers, one for each of the six strategic R&D areas identified and one additional white paper on the overarching program vision, objectives, and targets. Each white paper was developed by a team of national laboratory and university members, and then reviewed by an industry advisory panel. These seven white papers constitute the DOE Microgrid Program Strategy [link added].” Public comments due by 11-25-22.

How scientists want to make you young again. TechnologyReview.com article. Pull quote: “But all the unknowns are part of what makes the reprogramming phenomenon so attractive. Klausner admits that the details of why reprogramming works remain a “complete mystery,” but that too helps explain the sudden rush to invest in the idea. If there is a fountain of youth in the genome, the first to locate it could reinvent medicine and revolutionize how we treat the myriad of diseases that plague our old age.”

Sen. Wyden urges FTC to access classified info to combat foreign hacks. TheHill.com article. FTC cannot talk with intelligence community because no one has a clearance. Pull quote: ““Most troubling, the FTC confirmed to my office that no staff in the agency’s Division of Privacy and Identity Protection, who conduct investigations into data security and privacy cases, have even a Secret clearance, which is effectively the lowest level of federal clearance,” Wyden added.”

Natural gas ban threats spark fear for restaurants. TheHill.com article. Unintended consequences. Pull quote: “The majority of implemented policies do not immediately ban the use of natural gas in commercial buildings. Instead, they’re aimed at transitioning new constructions or renovations away from using the fuel, by mandating future structures don’t include gas hookups or infrastructure. Some laws carve out exceptions for commercial restaurants.”


Review – 8 Advisories Published – 10-25-22

Today, CISA’s NCCIC-ICS published seven control system security advisories for products from Delta Electronics (2), Johnson Controls, Hitachi Energy, Siemens, HEIDENHAIN, and Haas Automation. They also published a medical device security advisory for products from AliveCor.

Delta Advisory #1 - This advisory describes ten vulnerabilities in the Delta InfraSuite Device Master.

Delta Advisory #2 - This advisory describes eight vulnerabilities in the Delta DIAEnergie.

Johnson Controls Advisory - This advisory describes a cross-site scripting vulnerability in the Johnson Controls (CKS subsidiary) CEVAS deployment management and billing system.

Hitachi Energy Advisory - This advisory describes two reliance on uncontrolled component vulnerabilities in the Hitachi Energy DMS600 integrated with MicroSCADA X.

NOTE: I briefly reported on these vulnerabilities on October 15th, 2022.

Siemens Advisory - This advisory describes a weak authentication vulnerability in the Siemens Siveillance Video Mobile Server.

NOTE: I briefly reported on this vulnerability this last weekend.

HEIDENHAIN Advisory - This advisory describes an improper authentication vulnerability in the HEIDENHAIN TNC 640 controlling a HARTFORD 5A-65E CNC machine.

Haas Advisory - This advisory describes three vulnerabilities in the Haas Controller.

AliveCor Advisory - This advisory describes two vulnerabilities in the AliveCor KardiaMobile smartphone-based personal electrocardiogram (EKG) device.


For more details about these advisories, including links to third-party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/8-advisories-published-10-25-22 - subscription required.


PHMSA Announces LNG R&D Meeting – 11-15-22

Today, the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) published a meeting notice in the Federal Register (87 FR 64539-64540) for a virtual 2-day meeting on “Liquefied Natural Gas (LNG) Research and Development (R&D) Public Meeting and Forum”. The meeting will be held on November 15th and 16th. The PHMSA LNG research program will address LNG facility safety issues.

The agenda includes:

• LNG facility design and construction, including process, piping, and control system design; process hazard analysis; vapor handling; structural members; and construction testing requirements,

• LNG facility siting, including passive and active protection and potential safety gaps in 49 CFR 193 and industry technical standards,

• LNG facility fire protection system design, including firewater system design, fire and gas detection technology, emergency shutdown systems, and hazard controls, and

• LNG operation and maintenance, including plans and procedures (best practices), safe work practices, human factors, incident investigation and reporting, reporting requirements, inspection and testing, maintenance and repairs—including fugitive and vented methane emissions mitigation, corrosion protection, and personnel protection.

Public participation in the meeting is being solicited. Personnel wishing to participate need to sign up on the meeting web site by November 9th, 2022. Personnel wishing to sign up to participate in a work group discussion on day 2 of the meeting need to do so by November 7th.

Monday, October 24, 2022

Short Takes – 10-24-22

U.S. Chemical Safety Board Urges Schools to Follow Safety Guidance. CSB.gov warning. Another school chemical demonstration [well written article] injures students. Pull quote: “While the CSB is not investigating this incident, it is similar to other serious classroom fires that have been investigated by the agency where students and teachers were injured. Those fires occurred during lab or classroom demonstrations of flames produced by burning a flammable liquid, usually methanol. In the previous cases, methanol from bulk containers was poured directly onto flames. There was a flash back to the methanol bulk containers, and the resulting fires injured students and others in the area.” Back to School Safety Alert

The main COVID symptoms have changed, research shows. TheHill.com article. More like cold and flu symptoms. Pull quote: “Researchers have found that for participants in all three groups — fully vaccinated, those who received just one dose, and unvaccinated — four of the five most commonly reported symptoms are the same: sore throat, runny nose, persistent cough, and headache.”

CNC Machines Vulnerable to Hijacking, Data Theft, Damaging Cyberattacks. SecurityWeek.com article. Trend Micro analyzed CNC products from Haas, Okuma, Heidenhain and Fanuc. Pull quote: “The cybersecurity firm started notifying impacted CNC vendors last year and says they have all taken steps to reduce the risk of malicious attacks, including through patches and new security features.”


Review - HR 8970 Introduced – Junior College Cybersecurity Education

Last month, Rep McClain (R,MI) introduced HR 8970, the National Community College Cybersecurity Challenge Act. The bill would provide for a challenge grant program for States to increase the number of cybersecurity programs run by Community Colleges within the State. The bill would authorize $250 million per year for the program through 2027. The bill would also authorize a workforce innovation fund with a one-time spending authorization of $150 million.

Moving Forward

McClain is a member of the House Education and Labor Committee to which this bill was assigned for consideration. This means that there may be sufficient influence to see this bill considered in Committee. There may be some Democratic opposition to this bill because of the rescission of funds provision in the bill, though it may attract Republican support. I suspect that this bill would pass in Committee with some level of bipartisan support.

Depending on the level of support in Committee, this bill may be able to move to the House floor under the suspension of the rules process. The bill is unlikely to be considered in the Senate due to time constraints in the remainder of the session and the relative unimportance of the bill.


For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-8970-introduced - subscription required.


Saturday, October 22, 2022

Short Takes – 10-22-22

Hurricane Ian damage leads to spontaneous combustion of EVs in Florida. TheHill.com article. And it has become a political issue. Pull quote: “The saltwater flooding of a fully charged electric battery can create a dangerous “salt bridge” between the positive anode and negative cathode. This can create the ingredients for a sudden, uncontrolled transfer of energy — creating a short circuit and, sometimes, a persistent fire.”

Biden-Harris Administration Announces $28 Million to Advance and Deploy Hydropower Technology. GovDelivery.com notice. Three hydropower grant programs. Pull quote: ““Hydropower has long provided Americans with significant, reliable energy, which will now play a crucial role in achieving energy independence and protecting the climate,” said U.S. Secretary of Energy Jennifer M. Granholm. “President Biden’s Agenda is funding critical innovations to capitalize on the promise of hydropower and ensure communities have a say in building America’s clean energy future.””

The Intelligence Community Doesn’t Warn About All Attacks Against the US Homeland. Why Not? DefenseOne.com opinion piece. Glosses over means and sources problem. Pull quote: “The duty-to-warn policy and its implementation mechanisms are governed by Intelligence Community Directive 191. The Director of National Intelligence, or DNI, has the authority to modify ICD 191. Expanding it to nonviolent threats could create a policy environment for providing intelligence as a service to the American public. This policy change could allow the DNI to signal that the IC is attempting to address the plight of the commercial and nongovernmental sectors as the targets of persistent attacks from foreign actors. The DNI could then tell intelligence analysts to nominate intelligence warning products for release to specific entities or the public at large.” Details in Rand Study.

The Promise and Peril of Guyana’s Oil Boom. HomelandSecurityNewsWire.com article. Pull quote: “He notes that for the last seven years, oil companies have discovered oil reserves off the Guyana coast which are estimated to be in the range of 11.2 billion barrels. This is almost a third of all new oil discoveries in the world since 2015.” Looks at internal political issues but ignores external sources of conflict.

Starlink signals can be reverse-engineered to work like GPS—whether SpaceX likes it or not. TechnologyReview.com article. Alternative PNT network? Pull quote: “Each [synchronization] sequence also contains clues to the satellite’s distance and velocity. With the Starlink satellites transmitting about four sequences every millisecond “that’s just wonderful for dual use of their system for positioning,” says Humphreys.” No specific discussion about timing accuracy.

Preparations for the 43rd Session of the UN Sub-Committee of Experts on the Globally Harmonized System of Classification and Labelling of Chemicals. Federal Register meeting notice.

The Emerging Cyber Threat to the American Rail Industry. LawfareBlog.com article. Pull quote: “While the elimination of these accidents will be a great leap forward in rail safety, the technology behind PTC increases the danger of a fairly new vulnerability for the rail industry: cyber threats. The first major events have already occurred—in Iran in 2021 and Belarus in 2022—both carried out by non-state actors.”


TSA Announces STSAC Meeting – 11-17-22

The Transportation Security Administration published a meeting notice in Monday’s (available online today) Federal Register (87 FR 64243-64244) for an in-person meeting (with virtual participation) of the Surface Transportation Security Advisory Committee (STSAC) on November 17th, 2022 in Springfield, VA.

The agenda includes committee and subcommittee briefings on FY 2023 activities, including:

Cybersecurity Information Sharing,

Emergency Management and Resiliency,

Insider Threat, and

Security Risk and Intelligence

The public may participate via a WebEx link. Registration for participation (including the presentation of oral or written comments) should be done by contacting STSAC@tsa.dhs.gov by November 14, 2022.

Review – Public ICS Disclosures – Week of 10-15-22

This week we have fourteen vendor disclosures from Bosch (2), Broadcom, GE Grid Solutions, HP, Meinberg, Milestone, Siemens, SonicWall, Tanzu, TRUMPF, WAGO (2), and Yokogawa Test and Measurement. We also have a vendor update from HPE. Finally, we have an exploit for products from Tanzu.

Bosch Advisory #1 - Bosch published an advisory that discusses an improper validation of integrity check value vulnerability in their Bosch DSA E2800 products.

Bosch Advisory #2 - Bosch published an advisory that describes two cross-site scripting vulnerabilities in their VIDEOJET multi 4000.

Broadcom Advisory - Broadcom published an advisory that discusses the Text4Shell vulnerability.

GE Grid Solutions Advisory - GE Grid Solutions published an advisory that describes vulnerabilities in their MS 3000 Transformers monitoring system.

HP Advisory - HP published an advisory that discusses a PCR measurement vulnerability in multiple HP products.

Meinberg Advisory - Meinberg published an advisory that discusses two vulnerabilities (both with publicly available exploits) in their LANTIME firmware.

Milestone Advisory - Milestone published an advisory that discusses an authentication bypass vulnerability in their Mobile Server.

Siemens Advisory - Siemens published an advisory that describes an authentication bypass vulnerability in their Siveillance Video Mobile Server.

SonicWall Advisory - SonicWall published an advisory that discusses the Text4Shell vulnerability.

Tanzu Advisory #1 - Tanzu published an advisory that describes an HTTP request forgery vulnerability in their Spring Data REST.

Tanzu Advisory #2 - Tanzu published an advisory that describes an information disclosure vulnerability in their Reactor Netty HTTP Server.

TRUMPF Advisory - CERT-VDE published an advisory that describes an improper access control vulnerability in multiple TRUMPF products.

WAGO Advisory #1 - CERT-VDE published an advisory that discusses fourteen vulnerabilities in the WAGO 750 series controllers and WAGO-I/O-PRO.

WAGO Advisory #2 - CERT-VDE published an advisory that describes an expected behavior violation vulnerability in multiple WAGO products.

Yokogawa Advisory - Yokogawa Test and Measurement published an advisory that describes a buffer overflow vulnerability in their WTViewerE.

HPE Update - HPE published an update for their ProLiant Servers advisory that was originally published on May 18th, 2022.

Tanzu Exploit - Ayan Saha published a Metasploit module for a code injection vulnerability in the Tanzu Spring Cloud Gateway.


For more details on these disclosures, including links to third-party advisories, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-10-1b0 - subscription required.


Friday, October 21, 2022

Short Takes – 10-21-22

NCCoE rolls out draft LNG Cybersecurity Framework Profile to supplement existing directives, calls for comments. IndustrialCyber.co article. “The LNG Cybersecurity Framework Profile has been created in collaboration with the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER). It comes as part of an inter-agency agreement with NIST’s NCCoE to research and develops tools and practices that will strengthen the cybersecurity of the systems that handle energy resources within the nation’s marine transportation system (MTS). The profile focuses on the LNG energy resource.”

First-of-its-kind Cybersecurity Grant Program Invests $1 Billion to Combat Cyber Threats. ThomasNet.com article. SLTT IT security grant program. Pull quote: “The agency officially opened the application process on Sept. 16; states and local governments have 60 days after that date to apply for a grant, which could be used to pay for either new or existing cybersecurity programs.”

Children’s hospitals, overflowing with respiratory patients, consider calling National Guard. TheHill.com article. Respiratory Syncytial Virus (RSV) not the flu (not yet). Pull quote: “Salazar said they already have two children hospitalized with the flu, which he says is very unusual for October. He expected flu cases would increase significantly in the coming weeks and over the holidays.”

Tapping hidden visual information: An all-in-one detector for thousands of colors. Phys.org article. Potential use for chemical leak detectors in small UAS or low cost fenceline detectors. Pull quote: “With our spectrometer, we can measure light intensity at each wavelength beyond the visible spectrum using a device at our fingertips. The device is entirely electrically controllable, so it has enormous potential for scalability and integration. Integrating it directly into portable devices such as smartphones and drones could advance our daily lives.”

TSA issues cybersecurity directive for freight, passenger railroads. ProgressiveRailroading.com article. New TSA security directive. Pull quote: “The regulation was developed with "extensive input" from industry stakeholders and federal agencies, including the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Railroad Administration.”

National Maritime Security Advisory Committee; Vacancies. Federal Register notice. Looking for personnel in the following industry groups: State, local, and tribal governments; relevant public safety and emergency response agencies; relevant law enforcement and security organizations; maritime industry; port owners and operators; and terminal owners and operators.

Oops, we forgot to fix the supply chain. Vox.com article. Pull quote: “Still, the structural problems that enabled many of the delays, price hikes, and shortages over the past few years haven’t gone away. Shipping prices have not quite returned to their pre-pandemic levels, truck drivers are still in short supply, and some in the logistics industry are already predicting that there will be problems during the upcoming holiday season.”


OMB Approves BIS Final Rule for 2021 Wassenaar Agreement

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rule (likely an interim final rule) by the DOC’s Bureau of Industry and Security for Implementation of 2021 Wassenaar Arrangement Decisions. An earlier IFR covered four ‘emerging and foundational’ technologies that were addressed in the 2021 Wassenaar agreement; this rulemaking covers the remainder. As such it may include additional cybersecurity controls.

These Wassenaar rules are implementations of international agreements reached under the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. BIS publishes these rules as interim final rules as they are technically exempt from the ‘publish and comment’ requirements faced by most rulemakings. The rules typically have a delayed effective date to allow for public comments and, if enough objections are raised, BIS may further delay the effective dates to make appropriate changes to the rule.

The IFR will likely be published next week in the Federal Register.


Thursday, October 20, 2022

Short Takes – 10-20-22

How Card Skimming Disproportionally Affects Those Most in Need. KrebsOnSecurity.com article. Pull quote: “More critical, however, is the second way SNAP cards differ from regular debit cards: Recipients of SNAP benefits have little to no hope of recovering their funds when their EBT cards are copied by card-skimming devices and used for fraud.”

International Space Station experiments reveal risks for future human space flights. Phys.org article. Pull quote: “In their study, the team performed a direct quantitative measurement of the biological effect of space radiation by launching frozen mouse embryonic stem cells from the ground to the International Space Station, exposing them to space radiation for over four years, and quantifying the biological effect by examining chromosome aberrations. Their experiment results show, for the first time, that the actual biological effect of space radiation is in close agreement with earlier predictions based on the physical measurement of space radiation.”

Sen. Rosen requests info on cyber threats targeting aviation sector. TheHill.com article. Pull quote: “In the letter, Rosen listed several questions addressed to the agencies [DOT and CISA], including how they’re coordinating with potentially impacted companies, whether they’re mitigating cyber risks and providing technical assistance to airports and airlines and if they’re aware of additional and immediate cyber threats targeting the country’s aviation sector.”

Scientists rush to create vaccine for world’s biggest animal disease outbreak. TheGuardian.com article. Pull quote: “Researchers have received a sharp reminder of the potent virus [African swine fever] they are facing off against in this pandemic: more resilient, more complex and less understood than the coronavirus, he adds. “Covid is a really simple virus. Not like ASF.””

Researchers find 633% increase in cyber-attacks aimed at open source repositories. PortSwigger.net article. I suspect that “633%” is click-bait as no numbers are offered. Pull quote: “Risky behavior is not necessarily anyone’s fault. Developers tasked with managing dependencies face more complexity in their roles than ever, with the average Java application containing 148 dependencies – 20 more than 2021’s average – and going through an average ten updates a year.”

America's new nuclear power industry has a Russian problem. Reuters.com article. Chicken vs egg problem with Russia as the only current source for high assay low enriched uranium (HALEU). Pull quote: “"Nobody wants to order 10 reactors without a fuel source, and nobody wants to invest in a fuel source without 10 reactor orders," said Daniel Poneman, chief executive of U.S. nuclear fuel supplier Centrus Energy Corp (LEU.A).”

XBB, BQ.1.1, BA.2.75.2 — a variant swarm could fuel a winter surge. SeattleTimes.com article. Pull quote: “To focus too much on any one possible variant is, many experts argue, missing the point. What matters is that all these new threats are accumulating mutations in similar spots in what’s called the receptor binding domain — a key spot in the spike protein where virus-blocking antibodies dock. If those antibodies can’t dock, they can’t block. Each new mutation gives the virus a leg up in avoiding this primary line of immune defense.”


CISA Publishes Initial ICAR 60-day ICR Notice

Today, CISA published a 60-day information collection request (ICR) in the Federal Register (87 FR 63792-63793) for the initial issue of an OMB control number for “Incident Communications Activity Report (ICAR)”. This ICR will support operations of CISA’s Emergency Communications Division (ECD) to fulfill the institutional requirements of paragraphs (9) and (10) of 6 USC 571(c). The information will be provided voluntarily by State, local, territorial and Tribal public safety communications personnel.

The Information Collection

ECD will provide an electronically submittable PDF form for the report submission (no link to the form is provided; it typically becomes available when the agency submits the ICR to OMB after the publication of the 30-day notice). The Notice reports that: “Participants will be able to input free form information in addition to a couple drop down type questions which will be asked.” ECD estimates that it will take 5 minutes to fill out the form.

The information collected will be used to help CISA “to identify lessons learned to drive strategy and improve existing or offer new technical assistance within the scope of emergency communications activity for Incidents, Planned Events, or Exercises.”

Burden Estimate

CISA estimates that it will receive 450 reports per year. At 5 minutes per form that comes out to an annual hourly burden of 37.5 hours. There will be no respondent sunk costs and CISA expects the annual operational cost to respondents to be $2,131.15. The annual cost to CISA for supporting this reporting and subsequent analysis will be $25,563.

Public Comments

CISA is soliciting public comments on this ICR. Comments may be submitted via the Federal eRulemaking Portal (www.regulations.gov; Docket # CISA-2022-0012). Comments should be submitted by December 19th, 2022.

Commentary

Initial ICR submissions are a problem. Generally the submitting agency does not have a strong data background upon which to base their estimates. Especially where the agency is relying on voluntary reporting, the guesstimate for the annual number of responses has to be generally accepted as a guess that the agency can update when requesting their first update/renewal for the ICR. All subsequent burden estimates are based upon that number and remain guesses.

The one area that the agency should be held accountable for, however, is the estimate for the amount of time it takes to complete the report. In this case, since we do not have a copy of the submittable form, it is hard to determine how accurate the agency estimate is of the time to complete the form. Having said that, I find it hard to believe that any form that is relying mainly on ‘free form information’ inputs to provide information that will lead the agency to “identify lessons learned to drive strategy and improve existing or offer new technical assistance” will be able to be completed in 5 minutes.

Furthermore, if an agency is going to be providing post-incident analysis designed to inform such agency actions, the reporting personnel are going to have to do some sort of post-incident analysis of what went right and what went wrong. This ICR should include that analysis in the burden estimate along with a more realistic time frame for filling out the form.

Review – 1 Advisory and 2 Updates Published – 10-20-22

Today CISA’s NCCIC-ICS published a control system security advisory for products from Bentley Systems. They also updated two medical device security advisories for products from Braun.

Bentley Advisory - This advisory describes two vulnerabilities in the Bentley MicroStation Connect.

Braun Update #1 - This update provides additional information on an advisory that was originally published on October 22nd, 2020.

Braun Update #2 - This update provides additional information on an advisory that was originally published on October 21st, 2021.


For more details about these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-and-2-updates-published-e54 - subscription required.


OMB Approves BIS 2021 Wassenaar Final Rule

Yesterday the OMB’s Office of Information and Regulatory Affairs announced that it had approved a final rule from the DOC’s Bureau of Industry and Security (BIS) for “Implementation of 2021 Wassenaar Arrangement Decisions”. The rule will revise the Commerce Control List (CCL) to implement the remaining changes made to the Wassenaar Arrangement List of Dual-Use Goods and Technologies. In August, BIS published their Emerging and Foundational Technologies rule that addressed some of the areas of the 2021 Wassenaar agreement.

The August rule did not address any cybersecurity issues. There is no current information on whether or not this current final rule will address those issues.


Tuesday, October 18, 2022

Short Takes – 10-18-22

In Ukraine, trend lines point to escalation, not an endgame. NPR.org article. Pull quote: “Alperovitch says the likelihood of Putin using nuclear weapon is still low. But it can't be dismissed. He paints this possible scenario: "If he does use it, I think he's going to do a demonstration strike in a remote area, perhaps over the Black Sea, in the hopes that the West would somehow pressure Kyiv to come to the negotiations."”

Florida Coastal Living Reshaped by Hurricane Housing Codes. WSJ.com article. Interesting cover video of Ian damage. Pull quote: “Strong hurricanes and stricter building codes, arriving in succession, are changing the economic and demographic makeup of Florida’s coastal communities. Inexpensive cottages vulnerable to harsh weather are giving way to pricier homes that are more resilient—a transition that is fortifying the housing stock, but limiting who can afford to live on the coast.”

The U.S. Military’s Growing Weakness. WSJ.com opinion piece. A somewhat conventional look at military power. Pull quote: “Heritage [Foundation] rates the U.S. military as “weak” and “at growing risk of not being able to meet the demands of defending America’s vital national interests.” The weak rating, down from “marginal” a year earlier, is the first in the index’s nine-year history.”

Labor Group Highlights Conflict of Interest Issues in Cyber Workforce Legislation. NextGov.com article. Pull quote: ““This bill punts on the ethical conflict-of-interest reporting concerns, where at least the corresponding House version minimally addresses this issue by requiring private sector ‘reservists’ to be appointed as ‘special government employees,’ who have disclosure requirements,” the union wrote. “However, it is our view that non-public disclosure requirements are insufficient to ensure full compliance. Before proceeding with this ill-defined concept, Congress should consider defining the actual scope and cost of these requirements.””

Green Syngas Production Beckons. ChemicalProcessing.com article. Syngas is a precursor for ammonia or methane production; both have potential as fuels and feedstocks. Pull quote: ““For future development or large-scale implementation, further studies are needed to improve the efficiency and evaluate long-term stability. Moreover, the effect of CO2 impurity levels, light intensity, reaction temperature and pressure, etc., need to be thoroughly studied, evaluated, and optimized. We do not anticipate any fundamental challenge for the scalability at the materials/systems level,” Mi explains.”

Improving Recovery of Critical Systems after Cyberattacks. HomelandSecurityNewsWire.com article. Way early in the process. Pull quote: “Panda’s goal is to develop fast, accurate and efficient recovery mechanisms that, when coupled with the expeditious damage assessment techniques he has already developed, will offer an “integrated suite solution.” This will allow affected CI systems to continue running while providing as many critical functionalities as possible.”

Designer catalyst with enzyme-like cavity splits water almost as fast as plants. ChemistryWorld.com article. May be more valuable in industrial processes other than hydrogen production. Pull quote: “Extensive mechanistic analysis revealed that the macrocycle acts like a pH-controlled door, closing to form a small molecular cleft under acidic conditions. At low pH, the basic groups on the backbone of the macrocycle become protonated, resulting in the slight rotation of the axial ligands. This creates an enclosed enzyme-like cavity in which hydrogen bonds preorganise molecules of water in front of the reactive ruthenium centre, enabling rapid oxidation.”


Chemical Incident Misreporting Reporting – 10-18-22

I frequently have problems with reporting about chemical incidents, and more than a little of that is my fault for expecting various folks in the reporting process to be trained chemists. Looking at news reports, it is frequently difficult to tell if the misunderstanding is due to incorrect terminology being used by first responders or to reporters trying to read between the lines, but usually I can figure out what was probably happening. Today, however, I came across a truly bizarre description of a chemical incident that occurred this weekend at a medical lab in Vancouver, WA.

The following description is one-third of an article I found today on Columbian.com:

“After a chlorine gas spill at the company, bleach was used in an attempt to clean up the mess. The chemical reaction between the two led to off-gassing. The building was evacuated, but four employees showed symptoms of exposure, including red eyes.”

First problem, if there had been a chlorine gas spill, there would be no one in the building until someone verified that there were no chlorine gas fumes in the building. So, there would be no chlorine remaining to react with the bleach. Second, since this is a medical lab facility, it would not be unusual for facility cleanup to include the use of bleach, but the personnel would be familiar with the chlorine odor associated with that cleaning technique. Third, if there had been serious outgassing from the use of bleach (and that could occur if the bleach came in contact with any number of chemicals, including many cleaning materials) there would have been much more serious problems than just red eyes. Finally, I am having problems figuring out what a medical testing lab would be doing with chlorine gas cylinders on site.

What I suspect happened was that there was an incident at the lab while cleaning was taking place. Either there was an unexpected reaction between a chlorine bleach cleaner and some other chemical at the lab that outgassed a small amount of chlorine gas, or there was a large amount of bleach spilled (probably the latter) which includes some minor chlorine outgassing as a matter of course (bleach slowly decomposes to chlorine gas and water at room temperature). In any case, a bleach incident occurred that was significant enough that the emergency services were involved. The spill was cleaned up, the building aired out, and four people were taken to the hospital for burning in the eyes (a common exposure symptom for very low levels of chlorine gas exposure).

To be fair to the reporter who prepared this article (and all local news reporters covering the police/fire beat) the reporter almost certainly was never given access to the scene and probably never talked to a representative from the facility (facility owners are trained to give prepared statements and not talk to the press). So, the information probably came from the fire person in charge at the scene while incident cleanup was taking place. Bleach (sodium hypochlorite) is commonly referred to as ‘chlorine bleach’ and even ‘chlorine’ and this causes no end of confusion. If we could just get everyone to take a first-year chemistry course….

One final note, if any of the four treated individuals was admitted to the hospital for observation, this would have been a reportable accident under the CSB's Accidental Release Reporting Rule.


Review - HR 8625 Reported in Senate – Nonprofit Security Grant Program

Last month, the Senate Homeland Security and Governmental Affairs Committee published their report on HR 8625, the Nonprofit Security Grant Program Improvement Act of 2022. The Committee considered the bill in a business meeting on August 3rd, 2022, and after amending and adopting substitute language, ordered the bill reported favorably. The revised language modifies the administrative requirement changes made in the House language. The Senate language reduces the House approved funding from $500 million to $360 million per year through 2028.

Moving Forward

With the publication of the Report, this bill is now cleared for consideration by the full Senate. There is a remote possibility that the bill could be considered under the Senate’s unanimous consent process. The bill is not important enough to take up the time necessary for consideration under regular order, particularly in the closing two months of the session. There is a possibility that the bill could be included in the year end spending bill, but that could end up being either the House passed or Senate committee version.


For more details about the revisions made in the Senate version of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-8625-reported-in-senate - subscription required.

Review – One Advisory and One Update Published – 10-18-22

Today, CISA’s NCCIC-ICS published a control system security advisory for products from Advantech and updated an advisory for products from Hitachi Energy.

Advantech Advisory - This advisory describes three vulnerabilities in the Advantech R-SeeNet software management platform.

Hitachi Update - This update provides additional information on an advisory that was originally published on December 2nd, 2021.


For more details about these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/one-advisory-and-one-update-published - subscription required.


Monday, October 17, 2022

Short Takes – 10-17-22

Utah emerges as wildcard in battle for the Senate. TheHill.com article. Can a Republican lose in Utah? Pull quote: “If McMullin manages to pull off an upset, his pledge to not caucus with either Democrats or Republicans could throw the battle for control of the Senate into turmoil.”

Faster, wetter hurricanes are on the way, say Department of Energy scientists. TheHill.com article. Pull quote: “The rates at which hurricanes have strengthened near the Atlantic Coast have surged since 1979 — a trend that is poised to continue in a future marked by continued fossil fuel dependence, according to the study.”

US warned to get ready as Europe deals with new COVID-19 rise. TheHill.com article. Pull quote: “COVID-19 cases, deaths and hospitalizations in the U.S. will likely begin going up in three to four weeks, Mokdad said, though they won’t reach the same levels seen during the omicron wave last winter. He emphasized that this projection is contingent on a situation in which new coronavirus variants that are better at escaping immunity don’t rise in dominance.”

Sup Chemical Incident Investigator. USAJobs.gov job listing. Pull quote: “The incumbent serves as the supervisor of experts in industrial chemical safety and nationwide incident investigation and analysis of major incidents involving the accidental release of regulated substances and other extremely hazardous substance and, developing and presenting reports with safety recommendations for adopting by the Board.” Opening closes on 10-31-22 or when 75 applications are received.

Cybercriminals use Hurricane Ian as lure for scams, theft of FEMA funds. TheRecord.media article. Pull quote: “But as [Hurricane Ian] recovery efforts coalesce, Cofense principal threat advisor Ronnie Tokazowski said he has seen evidence showing scammers are going after relief funds available to those in need from the Federal Emergency Management Agency (FEMA).” Online applications for government funds are an obvious target.


Review - HR 8949 Introduced – C-UAS Authority Extension

Last month, Rep Nadler (D,NY) introduced HR 8949, the Counter-UAS Authority Extension and Transparency Enhancement Act of 2022. The bill would extend the limited authority of DHS and DOJ to undertake counter-drone operations through October 1st, 2023; that authority expired earlier this month. The bill would make other changes to the C-UAS authority provided under 6 USC 124n.

Moving Forward

Nadler is a member of the House Judiciary Committee; two of his cosponsors {Rep Thompson (D,MS) and Rep Katko (R,NY)} are members of the House Homeland Security Committee; and three of his cosponsors {Rep DeFazio (D,OR), Rep Graves (R,MO), and Katko} are members of the House Transportation and Infrastructure Committee, the three committees to which this bill was assigned for consideration. This means that there should certainly be sufficient influence to see the bill considered in the committees.

While this is a complicated bill, I do not see anything that would cause any organized opposition in committee. There is, however, one minor provision that could cause problems in moving this bill to the floor of the House, a change in the definition of ‘appropriate congressional committee’ in §124n(k). Section 2(9)(A) of the bill would remove “the Committee on Energy and Commerce” from that definition. This would adversely affect the prerogatives of the Chair of that Committee and could cause problems for the Leadership. If the fix is already in, then it will not be a problem.

Commentary

I am a little bit concerned about the changes made to the ‘notwithstanding’ clause. It seems to me that removing those protective references would leave DHS and DOJ open to lawsuits by any drone operator whose UAS was interfered with by either agency using signal intercept techniques. On the other hand, I cannot believe that the legal staffs associated with the three Committees would have signed off on this bill if it would put the government at legal jeopardy.

A warrant to intercept (and interfere) with those communications would get the agencies around those legal difficulties but getting such a warrant would require some level of advanced knowledge of the UAS attack. That will likely only be possible in a limited number of cases.


For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-8949-introduced - subscription required.

