Wednesday, November 30, 2022

Bills Introduced – 11-29-22

Yesterday, with both the lame-duck House and Senate in session, there were 27 bills introduced. Three of those bills may receive future coverage in this blog:

HR 9361 To establish criminal penalties for failing to inform and warn of serious dangers. Scanlon, Mary Gay [Rep.-D-PA-5].

HJ Res 100 To provide for a resolution with respect to the unresolved disputes between certain railroads represented by the National Carriers' Conference Committee of the National Railway Labor Conference and certain of their employees. Payne, Donald M., Jr. [Rep.-D-NJ-10]

H Con Res 119 Providing for a correction in the enrollment of H.J. Res. 100. DeFazio, Peter A. [Rep.-D-OR-4]

Okay, I am not sure what “serious dangers” will trigger my coverage of HR 9361, but I will be watching the language for this bill.

I have been covering HJ Res 100 and H Con Res 119.


House to Consider Two Rail Strike Resolutions

The House is scheduled to take up two resolutions today concerning the potentially impending railroad strike: HJ Res 100 and H Con Res 119. The first would make binding the agreements reached by railroad managements and labor union leaders earlier this year, whether or not the union membership approved those deals. The second would amend the first, effectively adding seven days of paid sick leave to those agreements. A vote on that amendment is believed to be necessary to placate a large number of Democrats who are loath to force union membership to accept labor deals.

If HJ Res 100 passes the House, the Senate would be expected to take it up next week.


EPA Publishes Final Rule Adding 12 Chemicals to TRI List

Today, the EPA published a final rule in the Federal Register (87 FR 73475-73488) for “Addition of Certain Chemicals; Community Right-to-Know Toxic Chemical Release Reporting”. The Toxics Release Inventory (TRI) list change is the result of a petition from the Massachusetts Toxics Use Reduction Institute (TURI) to add 25 chemicals to the list.

The chemicals added to the TRI include:

• Dibutyltin dichloride; 683-18-1,

• 1,3-Dichloro-2-propanol; 96-23-1,

• Formamide; 75-12-7,

• 1,3,4,6,7,8-Hexahydro-4,6,6,7,8,8-hexamethylcyclopenta[g]-2-benzopyran; 1222-05-5,

• N-Hydroxyethylethylenediamine; 111-41-1,

• Nitrilotriacetic acid trisodium salt; 5064-31-3,

• p-(1,1,3,3-Tetramethylbutyl)phenol; 140-66-9,

• 1,2,3-Trichlorobenzene; 87-61-6,

• Triglycidyl isocyanurate; 2451-62-9,

• Tris(2-chloroethyl) phosphate; 115-96-8,

• Tris(1,3-dichloro-2-propyl) phosphate; 13674-87-8, and

• Tris(dimethylphenol) phosphate; 25155-23-1.

 

The effective date for this new rule is November 30th, 2022. It will apply to the reporting year beginning January 1, 2023 (reports are due July 1, 2024).


Review - TSA Publishes Surface Transportation Cybersecurity ANPRM

Today the TSA published an advance notice of proposed rulemaking (ANPRM) in the Federal Register (87 FR ) for “Enhancing Surface Cyber Risk Management”. In this rulemaking the TSA “is seeking input regarding ways to strengthen cybersecurity and resiliency in the pipeline and rail (including freight, passenger, and transit rail) sectors.”

ANPRM Questions

TSA has listed a series of specific questions on which it is seeking input from industry and the public in this ANPRM. These questions cover the following topics (with the number of questions in each topic in parentheses):

• Identifying current baseline of operational resilience and incident response (6),

• Identifying how cyber risk management (CRM) is implemented (6),

• Maximizing the ability for owner/operators to meet evolving threats and technologies (25),

• Identifying opportunities for third-party experts to support compliance (3),

• Cybersecurity maturity considerations (3), and

• Incentivizing cybersecurity adoption and compliance (3).

Public Comments Solicited

TSA is soliciting public comments on this ANPRM. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # TSA-2022-0001). Comments should be submitted by January 17th, 2023 (I expect that there will be several requests for an extension of this deadline due to the holidays).

 

For more details on the ANPRM, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/tsa-publishes-surface-transportation - subscription required.


Tuesday, November 29, 2022

Short Takes – 11-29-22

Russia Firing Old and Empty Missiles as Putin Runs out of Weapons: U.K. MSN.com article. Pull quote: “Former British military intelligence officer Philip Ingram told Newsweek said Russia's defense industrial base will have difficulty replenishing their Kaliber and other native missiles "through poor manufacturing capability made worse by years of corrupt practices and western sanctions."”

McConnell holds the cards in spending fight. TheHill.com article. Pull quote: ““If you go back to 2013, we had a Republican House — with a larger margin — and a Democratic Senate and a Democratic president and we employed the [government] shutdown as the leverage and we got absolutely nothing out of that,” said Grover Norquist, a prominent conservative activist and president of Americans for Tax Reform.”

How close were House races? A few thousand votes could have swung control. TheHill.com article. Shows the importance of actually voting. Pull quote: “TargetSmart’s Tom Bonier calculated Sunday that Democrats could have held the House if just 3,340 Republican voters instead cast their ballots for Democrats in the five closest House races won by Republicans.”

EXPLAINER: What hazards are posed by Hawaii's Mauna Loa? ABCNews.go.com article. Pull quote: “Mauna Loa is spewing sulfur dioxide and other volcanic gases. They form volcanic smog, or vog, when they mix with vapor, oxygen and dust in sunlight. As a result, state health officials are urging people to cut back on outdoor exercise and other activities that cause heavy breathing.” And, of course, small rivers of lava are the most visible problem.

Cyber Insurers Turn Attention to Catastrophic Hacks. WSJ.com article. Pull quote: “Still, the biggest risk hasn’t yet materialized: a cyberattack against a company or information services system so important to an economy, or to society as a whole, that it reaches systemic levels. One so big, perhaps, it might take down carriers.” No mention of attacks on OT systems that caused catastrophic physical damage.

Inspectors general from Commerce and Treasury present a tale of two testing regimes. NextGov.com article. Pull quote: “The Commerce IG conducted the test in reaction to a January 2020 attack on the Census Bureau in which outside malicious hackers successfully exploited security holes. During the more recent exercise, the Commerce IG’s “red team” was able to avoid detection while gaining access to personally identifiable information, or PII, stored by the Census Bureau.”

Biden, Congress race to avert economy-shaking railroad strike. TheHill.com article. Update on potential congressional action. Pull quote: “The proposal has been panned both by liberals, who said it doesn’t go far enough to help rail workers, particularly when it comes to sick leave benefits, and by conservatives, who are attacking the very notion that the federal government would “meddle” in a private sector dispute. And Hoyer stopped short of saying it has the votes to pass.”


Review – 5 Advisories and 2 Updates Published – 11-29-22

Today, CISA’s NCCIC-ICS published five control system security advisories for products from Mitsubishi (2), Moxa, and Hitachi Energy (2). They also updated advisories for products from Omron and Mitsubishi.

Mitsubishi Advisory #1 - This advisory describes ten vulnerabilities in the Mitsubishi FA Engineering software.

NOTE: I briefly discussed these vulnerabilities on Saturday.

Mitsubishi Advisory #2 - This advisory describes an improper input validation vulnerability in the GOT2000 series. The vulnerability was self-reported. Mitsubishi has new versions that mitigate the vulnerability.

NOTE: I briefly discussed this vulnerability on Saturday.

Moxa Advisory - This advisory describes an improper physical access control vulnerability in the Moxa UC Series industrial internet-of-things (IIoT) gateway devices.

Hitachi Energy Advisory #1 - This advisory describes an improper input validation vulnerability in the Hitachi Energy MicroSCADA Pro/X SYS600 products.

NOTE: I briefly discussed this vulnerability on November 19th.

Hitachi Energy Advisory #2 - This advisory discusses a cleartext storage of sensitive information vulnerability in the Hitachi Energy IED Connectivity Packages and PCM600 products.

NOTE: I briefly discussed this vulnerability on November 19th.

Omron Update - This update provides additional information on an advisory that was originally published on December 12th, 2019.

Mitsubishi Update - This update provides additional information on an advisory that was originally published on November 30th, 2021 and most recently updated on July 26th, 2022.

NOTE: I briefly discussed this vulnerability on November 19th.

 

For more information on these advisories and updates, including links to 3rd party advisories and summaries of changes in updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-advisories-and-2-updates-published-dfb - subscription required.


PHMSA Announces 3-day Pipeline Safety Meeting – 12-13-22

Today, DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) published a meeting notice in the Federal Register for a pipeline safety informational meeting on December 13th, 14th and 15th, 2022 in Houston, TX. The meeting is open to the public and it will be webcast.

The meeting agenda includes:

• Recent and Potential Safety Advisories (Geohazard/Land Movement, Maritime Issues, Hard Spots, Flow Reversals),

• The Future: Technology and New Regulatory Requirements (Technology Transfer: Innovative Tools That Can Be Used by Industry and PHMSA's New Regulation Implementation Process),

• Failure Investigation Forum (Overview of Recent Accidents/Incidents and Common Enforcement Items Found During Incidents),

• Potential Impact Radius (Discussion of Incident and NTSB Recommendation), and

• The Future: Climate and Energy Transformation (Reducing Methane Emissions, Hydrogen and Hydrogen Blending, Carbon Dioxide/Carbon Capture, Utilization, and Storage.)

Personnel wishing to attend the meeting need to register by December 7th. Registration instructions are available here. The meeting information page reports that written comments on the agenda topics may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket #PHMSA-2022-0161).


Monday, November 28, 2022

Short Takes – 11-28-22

Bird flu outbreak drives Nebraska to cull 1.8 million more chickens. NPR.org article. No human illness threat. Pull quote: “The bird flu outbreak has also contributed to the rise in consumer prices for eggs and poultry meat, on top of hiked-up costs from inflation.”

China rocket taking 3 to space station to blast off Tuesday. Phys.org article. Pull quote: “After the Shenzhou-15 spaceship makes an automated docking with the Tianhe core modules' front port, the station will be expanded to its maximum size, with three modules and three spaceships for a total mass of nearly 100 tons, Ji said.”

Biden calls on Congress to intervene to avert rail shutdown. TheHill.com article. Pull quote: “In response to Biden’s call, Speaker Nancy Pelosi (D-Calif.) said in a statement, “This week, the House will take up a bill adopting the Tentative Agreement — with no poison pills or changes to the negotiated terms — and send it to the Senate.””

Workplace killers: people kill their colleagues for different reasons than other shooters. TheConversation.com article. New terminology – “Workplace mass shootings (WMS) are undertaken by attackers who either work or worked for an organisation where the attack occurs.” Pull quote: “Workplace attacks are quite homogeneous in motive. They are mostly attributed to revenge and often derived from attackers’ perceptions of being denied “organisational justice” and being treated unfairly. Figures show that more than half of WMS are perpetrated by current employees with less than 25% of attackers having been in post less than a year. In almost 50% of cases, attackers left employment but returned months later to “settle scores”.”

Probable Maximum Flood Events Will Significantly Increase Over Next Decades. HomelandSecurityNewswire.com article. Pull quote: “University of Melbourne lead collaborator Professor Rory Nathan said: “No country in the world has yet updated the operational procedures used to estimate PMPs to account for climate change, and this research provides the first evidence that these procedures need to be reviewed.””

Giant Wind Farms Arise Off Scotland, Easing the Pain of Oil’s Decline. NYTimes.com article. Pull quote: “Many people who honed their skills on the offshore oil platforms that dot the waters off Scotland find it relatively easily to switch to the wind industry. “What we have got is a very ambidextrous community that will turn their hand to anything that needs doing,” said Willie Watt, a retired oil services executive and former chairman of the Wick Harbour Authority board.”


Review - HR 9349 Introduced – NextGen Pipelines

Earlier this month, Rep Weber (R,TX) introduced HR 9349, the Next Generation Pipelines Research and Development Act. The bill would require the Department of Energy to establish a new grant program to “carry out demonstration projects on low- to mid-technology readiness level subjects to achieve deployment of technologies”. It would also require DOE and DOT to conduct a joint R&D program to carry out basic research projects. Finally, the bill would require DOE to establish the National Pipeline Modernization Center. The bill would authorize $50 million, $30 million, and $15 million through 2027 for the three new programs.

Moving Forward

Weber, and all six of his cosponsors (Rep Lucas (R,OK), Rep LaTurner (R,KS), Rep Carey (R,OH), Rep Obernolte (R,CA), Rep Kim (R,CA), and Rep Babin (R,TX)), are members of the House Science, Space, and Technology Committee to which this bill was assigned for consideration. Even without any Democratic sponsors, this bill could have been considered in Committee earlier in the session, but it is certainly too late for this bill to be considered in this session. It will probably be re-introduced next session.

Commentary

There is a cybersecurity focus outlined in §4 of the bill, but some additional language could have been added to some of the technical focus areas outlined in the Demonstration Initiative to make it clear that cybersecurity should be an integrated part of any technological solution. For example, §4(b)(5) could have been changed to read:

“(5) Advanced sensor technologies and processes that enable real-time or in situ monitoring of pipeline assets to assess and mitigate leaks, both internal and external to the pipeline, including communications security processes to protect data flowing from sensors to pipeline control systems, which may include the following:”

 

For more details about the provisions of this bill see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-9349-introduced-nextgen-pipelines - subscription required.

Saturday, November 26, 2022

CRS Reports – Small Drinking Water Systems

This week the Congressional Research Service (CRS) published a report on “Small Water Systems: Selected Safe Drinking Water Act (SDWA) Provisions”. The report looks at compliance issues (including cybersecurity) facing small public drinking water systems. There is little discussion of the specific requirements; instead, it focuses on the assistance programs available to help these systems achieve and maintain compliance.

Review – Public ICS Disclosures – Week of 11-19-22

This week we have twenty-one vendor disclosures from ABB, Aruba Networks, Belden (3), Bosch, B&R, HPE (2), Johnson and Johnson, Miele, Mitsubishi (2), Moxa (2), Omron, PcVue, Pilz (3), and Unified Automation. We have two vendor updates from Mitsubishi and Schneider. Finally, we have three researcher reports of vulnerabilities in products from Callback Technologies.

Vendor Advisories

ABB Advisory - ABB published an advisory that discusses seven vulnerabilities (two with known exploits) in their ARM600 M2M Gateway.

Aruba Advisory - Aruba published an advisory that describes thirteen vulnerabilities in their EdgeConnect Enterprise product.

Belden Advisory #1 - Belden published an advisory that describes 23 vulnerabilities in their Hirschmann BAT-C2 product.

Belden Advisory #2 - Belden published an advisory that discusses an infinite loop vulnerability (with known exploit) in their Hirschmann HiLCOS products.

Belden Advisory #3 - Belden published an advisory that describes a command injection vulnerability in their Hirschmann BAT-C2.

Bosch Advisory - Bosch published an advisory that discusses 67 vulnerabilities (some with known exploits) in their PRA-ES8P2S Ethernet-Switch.

B&R Advisory - B&R published an advisory that discusses a link following vulnerability in a variety of their products.

HPE Advisory #1 - HPE published an advisory that discusses an information disclosure vulnerability in their IceWall Products.

HPE Advisory #2 - HPE published an advisory that describes four code execution vulnerabilities in their Cloudline CL2100/CL2200 Gen10 Servers.

J&J Advisory - J&J published an advisory that discusses the PrintNightmare vulnerability in their CARTO® 3 System.

Miele Advisory - CERT-VDE published an advisory that describes an authorization bypass through user-controlled key vulnerability in the Miele.

Mitsubishi Advisory #1 - Mitsubishi published an advisory that describes ten vulnerabilities in multiple FA Engineering Software products.

Mitsubishi Advisory #2 - Mitsubishi published an advisory that describes a denial-of-service vulnerability in their GOT2000 Series.

Moxa Advisory #1 - Moxa published an advisory that describes two vulnerabilities in multiple router products.

Moxa Advisory #2 - Moxa published an advisory that describes a privilege escalation vulnerability in their TN-5916 Series routers.

Omron Advisory - JP Cert published an advisory that describes three vulnerabilities in the Omron CX-Programmer.

PcVue Advisory - PcVue published an advisory that describes a clear-text storage of sensitive information vulnerability in their PcVue product.

Pilz Advisory #1 - Pilz published an advisory that describes a path traversal vulnerability in several Pilz products.

Pilz Advisory #2 - Pilz published an advisory that describes two vulnerabilities (one with known exploit) in their PASvisu HMI solution.

Pilz Advisory #3 - Pilz published an advisory that describes two path traversal vulnerabilities (one with known exploit) in several Pilz products.

Unified Automation - Unified Automation published an advisory that discusses an incorrect permission assignment for critical resource vulnerability in their OPC UA SDK.

Vendor Updates

Mitsubishi Update - Mitsubishi published an update for their Ethernet Port advisory that was originally published on November 30th, 2021 and most recently updated on July 26th, 2022.

NOTE: NCCIC-ICS did not update their advisory (ICSA-21-334-02) for this new information, almost certainly because of the Thanksgiving holiday. I expect we will see that update this coming week.

Schneider Update - Schneider published an update for their APC Smart UPS advisory that was originally published on March 8th, 2022 and most recently updated on August 19th, 2022.

Researcher Reports

Callback Report #1 - Talos published a report describing a NULL pointer dereference vulnerability in the Callback CBFS Filter.

Callback Report #2 - Talos published a report describing a NULL pointer dereference vulnerability in the Callback CBFS Filter.

Callback Report #3 - Talos published a report describing a NULL pointer dereference vulnerability in the Callback CBFS Filter.

 

For more details on these disclosures, including links to third-party reports, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11-6d2 - subscription required.

Friday, November 25, 2022

Short Takes – 11-25-22

Lawmakers fret over another holiday punt on government funding. Politico.com article. Includes interesting look at 118th issues. Pull quote: “The muddle carries serious stakes for a multitude of government programs, not to mention the future of congressional spending debates. Lawmakers fear that any funding bill they can agree on before 2023 might be the last one Congress passes for at least the next two years due to a slew of factors, including a slim incoming House majority that’s already splintered over federal spending and a presidential election that looms in 2024.”

Why Operational Technology Security Cannot Be Avoided. SecurityIntelligence.com article. Interesting overview of OT technology. Pull quote: “A wide variety of crucial industrial sectors utilize OT, including mining, construction, oil and gas transmissions, power and utilities, chemical plants, water treatment, industrial machinery and transportation. Settings for OT include industrial networks, industrial controls systems (ICS) and processes for operation and maintenance.”

Powerful rare-earth free magnet ‘evolved’ and refined by machine learning algorithm. ChemistryWorld.com article. Pull quote: “A rare-earth free magnetic material with similar properties to the rare-earth magnets found in everything from wind turbines to computer hard drives has been discovered by US researchers using a machine learning-guided approach. The material requires further development, but the demonstration constitutes an important step on the road to creating powerful magnets that aren’t dependent on rare earth elements.”

White House resists declaring emergency as flu, viruses surge in children. TheHill.com article. Pull quote: “According to Centers for Disease Control and Prevention data, the hospitalization rate in all kids for the week of Nov. 12 peaked at 17.5 out of every 100,000, a rate that was twice as high as any other season on record.”

The sixth asteroid impact we saw coming. ESA.int blog post. Two-hour advance warning for a 1-meter asteroid ‘impact’ (it burnt up in the atmosphere). Pull quote: “Small, metre-sized asteroids strike Earth every couple of weeks. They add to our understanding of asteroid populations, of fireballs and their makeup, but they aren’t a big priority when it comes to Planetary Defence because they pose no real danger.”

OMB Approves TSCA ICR Consolidation

On Wednesday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a new information collection request (ICR) from the EPA for “Section 8 of the Toxic Substances Control Act”. This ICR consolidates the reporting requirements of two active and one previous ICR covering reporting requirements under Section 8 of the Toxic Substances Control Act (TSCA). It covers the reporting requirements for:

• Allegations of Significant Adverse Reactions to Human Health or the Environment TSCA section 8(c),

• Chemical Specific Rules TSCA section 8(a),

• Health and Safety Data Reporting, Submission of Lists and Copies of Health and Safety Studies TSCA section 8(d), and

• TSCA 8a Preliminary Assessment Information Rule (PAIR).

The abstract in the announcement makes an interesting point:

“EPA is consolidating ICRs currently approved under control numbers 2070-0004, 2070-0017, and 2070-0054, and formerly approved under 2070-0067 to streamline the presentation of the paperwork burden estimates for these various activities, which will in turn facilitate and reduce the administrative burden for both the public reviewers and the Agency in terms of reviewing and updating the ICR every three (3) years as required by the Paperwork Reduction Act (PRA), 44 U.S.C. 3501 et seq., as well as allow for a better assessment of the paperwork burden and costs associated with reporting and recordkeeping activities established under TSCA section 8 for specific chemical substances.”

Any reduction in either the public or governmental paperwork burden is almost certainly a good thing.

Wednesday, November 23, 2022

Short Takes – 11-23-22

Drones over D.C.: Senators alarmed over potential Chinese spy threat. Politico.com article. Pull quote: “The officials say they do not believe the swarms are directed by the Chinese government. Yet the violations by users mark a new turn in the proliferation of relatively cheap but increasingly sophisticated drones that can be used for recreation and commerce. They also come as Congress debates extending current federal authorities and adopting new ones to track the aerial vehicles as potential security threats.” Main supplier of consumer quadcopters is DJI, a Chinese company. 

Surge in outbreaks tests China's easing of zero-COVID policy. NPR.org article. Pull quote: “"This is the typical policy dilemma that the Chinese leaders face," said Yanzhong Huang, a senior fellow for global health at the Council on Foreign Relations at Seton Hall University in New Jersey. "When you relax and open up, it will lead to chaos, and when you tighten policy, it will be too rigid to allow any flexibility."” 

What will chemists do if Twitter goes down? CEN.ACS.org article. Pull quote: “The platform has democratized the chemistry discourse, some Twitter users tell C&EN; a scientist need not be well established in their career to attract a large following. Users say that visibility on Twitter has led them to new career opportunities. Twitter-based movements like #BlackInChem have challenged the scientific community’s culture, and interactions on the platform have given people a sense of belonging.” Many (survey says 41.1%) moving to Mastodon.

DOC Submits Final Rule on ICT Supply Chain Security to OMB

Yesterday, OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a final rule from the Department of Commerce on “Securing the Information and Communications Technology and Services Supply Chain; Connected Software Applications”. 

The Spring 2022 Unified Agenda listing for this rulemaking describes its purpose as:

“To implement Executive Order 14034, Protecting Americans’ Sensitive Data from Foreign Adversaries (EO 14034), the Department of Commerce is proposing to amend its Interim Final Rule on Securing the Information and Communications Technology and Services Supply Chain (Supply Chain IFR), that was published on January 19, 2021.  Specifically, this proposed rule would update the Supply Chain IFR to clarify that the term information and communications technology and services (ICTS) includes connected software applications. This update also would add the term connected software applications to the definition section of the Supply Chain IFR, as well as to the definition of ICTS and ICTS Transaction.  Additionally, this proposed rule would make other conforming changes to the Supply Chain IFR to explicitly state that ICTS Transactions include transactions that involve connected software applications.”

Bills Introduced – 11-22-22

Yesterday, with both the House and Senate meeting in pro forma session, there were seven bills introduced. One of those bills may receive additional attention in this blog: 

HR 9356 To establish a pilot program for State, local, Tribal, and territorial government officials to be trained by the Cybersecurity and Infrastructure Security Agency regarding carrying out security vulnerability or terrorism risk assessments of critical infrastructure facilities, and for other purposes. Underwood, Lauren [Rep.-D-IL-14]

I will be watching this bill for language and definitions that would include chemical facilities within the scope of its coverage.

Tuesday, November 22, 2022

Short Takes – 11-22-22

McConnell fight with GOP opponent shifts to new battleground. TheHill.com article. Some Republicans want spending bill and NDAA pushed to next year. Pull quote: “Senate GOP critics of the proposal to postpone an omnibus spending package until next year argue that doing so could also delay the National Defense Authorization Act (NDAA), which will likely be included with the spending bills in December because of the shortage of floor time.”

GOP centrists prepare to ‘flex our muscles’. Politico.com article. Political crystal ball gazing continues. Pull quote: “The unexpectedly small majority McCarthy will be working with next year as he seeks the top gavel has undoubtedly bolstered the leverage of his right flank. But the House Freedom Caucus’ vocal criticism is drowning out clear signals from some members of his more moderate wing: They say McCarthy should know that any deal with rebellious conservatives could face resistance from centrists who see themselves as the GOP’s “majority makers.””

US senate discuss Chemical Safety Board with nominees. CEN.ACS.org article. Pull quote: “Senators also criticized Owens for staff attrition, noting staff is half of what it was a decade ago. In response, Owens pointed to a greater push for staffing and new hires that include a new chief information officer, other cybersecurity and information technology experts, an additional investigator, and other specialists. He said more hires are in the works.”

China Records First Covid-19 Deaths Since May as Cases Edge Toward Record High. Wsj.com article. China COVID response is still complicated. Pull quote: “At the same time, the central government has said it has no intention of abandoning its “zero-Covid” policy, only telling local officials to be more precise in its application to minimize damage to the country’s economy. Still, as cases surged, the mixed messaging has sown confusion as many cities order citizens to take frequent Covid tests and more residential buildings are put into sudden and frequent lockdowns.”

Autonomous Vehicles Join the List of US National Security Threats. Wired.com article. Pull quote: “Pfluger highlights in his letter that China could use “autonomous and connected vehicles as a pathway to incorporate their systems and technology into our country's infrastructure.” The United States, like most of its allies, has already banned Chinese corporate giant Huawei from building 5G infrastructure, but these next-generation vehicles would have access to an unprecedented number of emails, messages, and phone calls, and would effectively be moving cameras, capable of photographing an array of critical infrastructure.”

Chemical Sector Coordinating Council advocates for extension of cyber-related security program. InsideCybersecurity.com article. Pull quote: “Leaders of the Chemical Sector Coordinating Council are calling on Congress to swiftly reauthorize the CISA-administered Chemical Facility Anti-Terrorism Standards program, set to expire in 2023, emphasizing its role in government-industry collaboration and preventing cybersecurity incidents.”

New report examines the ecological impact of ammonia as a shipping fuel. Lr.org article. Pull quote: “The results were then compared to previously studied habitat and species sensitivity to conventional oil-based fuels. Overall, an ammonia spill has a relatively smaller dispersion distance and lower persistence within the environment when compared to heavy fuel oil (HFO) and marine gas oil (MGO).”

Review – 5 Advisories and 3 Updates Published – 11-22-22

Today, CISA’s NCCIC-ICS published five control system security advisories for products from Moxa, GE, Phoenix Contact, Digital Alert Systems, and AVEVA. They updated two control system advisories for products from Mitsubishi and one medical device security advisory for products from Hillrom.

Security Advisories

Moxa Advisory - This advisory describes an execution with unnecessary privilege vulnerability in the Moxa ARM-Based Computers.

GE Advisory - This advisory describes five vulnerabilities in the GE CIMPLICITY HMI/SCADA software.

Phoenix Contact Advisory - This advisory describes two vulnerabilities in the Phoenix Contact Automation Worx Software Suite.

NOTE: I briefly discussed these vulnerabilities on November 13th, 2022.

Digital Alert Advisory - This advisory describes two cross-site scripting vulnerabilities (one with known exploit) in the Digital Alert Systems DASDEC emergency messaging devices.

AVEVA Advisory - This advisory describes four vulnerabilities in the AVEVA Edge (InduSoft Web Studio).

Security Updates

Mitsubishi Update #1 - This update provides additional information on an advisory that was originally published on July 30th, 2020 and most recently updated on August 2nd, 2022.

I briefly discussed the Mitsubishi update last weekend.

Mitsubishi Update #2 - This update provides additional information on an advisory that was originally published on February 18th, 2021 and most recently updated on August 2nd, 2022.

I briefly discussed the Mitsubishi update last weekend.

Hillrom Update - This update provides additional information on an advisory that was originally published on June 1st, 2021 and most recently updated on September 8th, 2022.

DHS Announces HSAC Meeting – 12-6-22

Today, DHS published a meeting notice in the Federal Register (87 FR 71348) for a public meeting of the Homeland Security Advisory Council (HSAC) on December 6th, 2022 in Washington, DC. The public may participate via web conference.

The agenda includes:

• Remarks from Senior DHS leaders,

• Introduction and swearing in of new members,

• Updates from new subcommittees, and

• Receipt of and vote on the draft report from the Customer Experience and Service Delivery Subcommittee.

The ‘new subcommittees’ were announced earlier this month. They include new cybersecurity taskings.

Members of the public wishing to participate in the meeting may register via email to HSAC@hq.dhs.gov by December 2nd, 2022. Written comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # DHS-2022-0056).

Monday, November 21, 2022

Short Takes – 11-21-22

Murphy's Law: Russian UAV Failures. StrategyPage.com article. More about Ukraine’s successes. Pull quote: “Compared to Ukraine, Russia has not used its many UAVs much during the current invasion. This is apparently due to the bad experience Russia has had using UAVs in Ukraine since 2014. In contrast Ukraine has developed its own UAV force since 2014 which has proven far superior to what the Russians have.”

Thousands of Experts Hired to Aid Public Health Departments Are Losing Their Jobs. GovExec.com article. Pull quote: “Cayenne Levorse, a CDC Foundation leader who helped organize the foundation’s response in Ohio until her contract ended in October, said her 20 employees had to set down not only COVID projects but also helping local health departments track cancer clusters, rural health disparities, and environmental health problems.”

Orion captures stunning views as it completes closest lunar flyby. TheHill.com article. Pull quote: “Snapping views of Earth and the moon, the capsule completed its flyby and one of its two biggest maneuvers of the mission, setting up for a record-setting milestone: traveling more than 40,000 miles beyond the far side of the moon. When the spacecraft reaches this distance, it will break a record set by the Apollo 13 crew and reach the furthest distance a human-rated spacecraft has ever traveled.”

Rail union rejects Biden deal, sets stage for December strike. TheHill.com article. If an agreement cannot be reached, Congress may have to act. Pull quote: “Eight of the 12 rail unions have now ratified agreements with the railroads. Three others saw their members vote down tentative deals. If just one union fails to ratify an agreement and chooses to strike, all rail workers would be set to walk out.”

Reader Comment – CSB Performance Report

Yesterday, a long-time reader (and former CSB employee), Rosearray, left a comment on last week’s blog post about congressional hearings where he pointed out that “the CSB quietly posted their 2022 Performance and Accountability Report”. The 2022 report was added to the list of 19 previous annual reports on their aptly named “CSB Performance and Accountability Reports” page. Richard provides an interesting look at some of the data, well worth the read.

Ongoing Investigations

In addition to Richard’s comments on the two Bio-Labs’ investigations I would like to note that the CSB divides their investigation status into two categories:

• The investigation team is developing the final investigation report (8), and

• The investigation team is analyzing data collected during the on-scene phase of the investigation (6).

With only three understaffed investigation teams, that is a lot of work remaining to be done. The CSB is currently ‘scheduled’ to release three more investigation reports before year end:

• Manufacturing Facility Explosion (Pasadena, TX),

• Chemical Facility Fire and Explosion (Port Neches, TX), and

• Refinery Fire and Explosion (Superior, WI)

That is a very tight schedule, especially given the holiday season.

Outreach Efforts

In describing their efforts to achieve organizational Goal #2, “Advocate safety and achieve change through recommendations, outreach, and Education”, this report provides three-plus pages (pgs 8-11) of descriptions of activities the Board has undertaken in FY 2022. It is an interesting list, with many of the activities positively contributing to chemical safety.

There is, however, one outreach activity that the Board has stopped doing (I have not gone back to determine when, but it was certainly before the current members were appointed) and that is the community meeting to present the findings of the investigators at the close of an investigation. These community events may not contribute to the more general chemical safety environment, but they did have an impact at the community level. I encourage the Board to resume these community meetings.


Saturday, November 19, 2022

Short Takes – 11-19-22

Democrats’ first leadership shakeup in decades takes shape with no drama — almost. TheHill.com article. Pull quote: “Reps. Hakeem Jeffries (N.Y.), Katherine Clark (Mass.) and Pete Aguilar (Calif.) all declared their candidacies for the top three Democratic seats in the next Congress, respectively — a widely anticipated development that was delayed only by the long, slow counting of ballots from the Nov. 8. All three are expected to glide to power.” 

Revision of a Currently Approved Information Collection for the State, Local Tribal and Private Sector (SLTPS) Clearance Program. Federal Register 60-day ICR notice. CISA is reducing the expected number of security clearance requests from 660 per year to 550 based upon recent program request history. Public comments requested by January 20th, 2023.

The Earth now weighs 6 ronnagrams. What does that mean? WashingtonPost.com article. New scientific prefixes for 10^30, 10^27, 10^-30, and 10^-27. As our views expand so does our counting. Pull quote: “Regular use of the most recent additions to the measurement system is likely to be limited to scientists and data professionals. But the conference’s participants said that the prefixes needed to be introduced preemptively, to prevent the adoption of unofficial prefixes.”

OMB Approves MARAD Tanker Security Program

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an interim final rule for the DOT’s Maritime Administration (MARAD) on the “Tanker Security Program”. The program is being established under authority of §3511 of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (PL 116-283) codified at 46 USC Chapter 534. The rule was submitted to OIRA on September 26th, 2022.

The rule will support DOT requirements under Chapter 534 to establish a ‘Tanker Security Fleet’ somewhat akin to the air reserve fleet that DOD can call upon in the event of a national emergency for airlift support. The TSP would provide for a fleet of tanker vessels that DOD could call upon for emergency fuel transport. It will be interesting to see if MARAD includes any vessel cybersecurity requirements in the regulations.

Because of the holiday this week, this rule will likely be published during the first week in December.

GAO Reports – Cybersecurity Oversight Week of 11-12-22

This week the Government Accountability Office (GAO) published two reports on agency oversight of private sector cybersecurity. The reports covered DOD oversight of contractor cybersecurity and DOI’s Bureau of Safety and Environmental Enforcement (BSEE) oversight of offshore oil facility cybersecurity. The two reports are:

DOD Cybersecurity: Enhanced Attention Needed to Ensure Cyber Incidents Are Appropriately Reported and Shared

Full Report .pdf

Highlights .pdf

Offshore Oil and Gas: Strategy Urgently Needed to Address Cybersecurity Risks to Infrastructure

Full Report .pdf

Highlights .pdf

CRS Reports – Electric Power Transformers

This week the Congressional Research Service (CRS) published a report on “Electric Power Transformers: Supply Issues”. The report provides a relatively non-technical look at the use of electrical transformers in the bulk electric and electric distribution systems. It identifies potential shortages of both large power transformers used in the bulk power transmission system and smaller transformers used in distribution systems.

The report provides a discussion about recently passed bills that were supposed to reduce those supply impacts as well as a listing of legislation that has been introduced (but not yet passed) in the 117th Congress.

Review - FDA Publishes Medical Device Cybersecurity Response Playbook

This week the Food and Drug Administration published the updated version of their Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook. Produced under contract by Mitre, the playbook presents target capabilities for medical device cyber incident preparedness and response. There are actually two parts to this playbook, the 54-page Regional Incident Preparedness and Response Playbook and the 10-page supplemental Quick Start Companion Guide.

According to the Mitre web site for the publication:

“The playbook outlines how hospitals and other HDOs [Healthcare Delivery Organizations] can develop a cybersecurity preparedness and response framework. It supplements existing HDO emergency management and/or incident response capabilities with regional preparedness and response recommendations for medical device cybersecurity incidents. The revised version includes more explicit alignment with the Hospital Incident Command System for managing complex incidents, considerations for the widespread impacts and extended downtimes that are common during cyber incidents, and an appendix of resources.”

Commentary

Almost daily, the news reports a new healthcare delivery organization that has been impacted by some form of cybersecurity breach. It is clear that HDOs need assistance to help them avoid the worst consequences of such attacks. Unfortunately, it does not look like either of these two documents is going to provide any timely assistance. To be fair, I do not think that any guidance document is going to be much help, as much of the problem is the lack of cybersecurity talent to support these organizations. Even if grant monies were thrown at HDOs to improve their cybersecurity profiles, I do not think that there is a sufficient base of cybersecurity personnel to implement even minimal controls on all of the potential targets.


For more information about these two documents, including a discussion of their shortcomings, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/fda-publishes-medical-device-cybersecurity - subscription required.

Review – Public ICS Disclosures – Week of 11-12-22

This week we have two new OpenSSL 3.0 vendor disclosures from Eurotech and Ruckus Wireless. There are 24 other vendor disclosures from ABB, BD (2), Genetec, Hitachi Energy (2), HPE (2), Inductive Automation, Insyde (8), Mitsubishi, Moxa, OPC Foundation, Phoenix Contact, Sick (2), and Siemens Healthineers. There are three vendor updates from HPE, Mitsubishi (2), and Palo Alto Networks. Finally, we have an exploit for products from Siemens.

OpenSSL 3.0 Vendor Disclosures

Eurotech published an OpenSSL 3.0 advisory. Eurotech reports that none of their products are affected.

Ruckus Wireless published an OpenSSL 3.0 advisory. Ruckus reports that none of their products are affected.

Vendor Disclosures

ABB Advisory - ABB published an advisory that describes a clear-text storage of credentials vulnerability in their PCM600 tool.

BD Advisory #1 - BD published an advisory that discusses an authentication bypass vulnerability with known exploit in their Kiestra products.

BD Advisory #2 - BD published a Third-Party Software Component End of Support notice for their Alaris products (products available in US are not affected).

Genetec Advisory - Genetec published an advisory that discusses an improper authentication vulnerability in their Sipelia and Mission Control products (and various plugins).

Hitachi Energy Advisory #1 - Hitachi Energy published an advisory that discusses a clear-text storage of credentials vulnerability in their IED Connectivity Packages (IED ConnPacks) and PCM600 Products.

Hitachi Energy Advisory #2 - Hitachi Energy published an advisory that describes an input validation vulnerability in their MicroSCADA Pro/X SYS600 products.

HPE Advisory #1 - HPE published an advisory that describes an unauthorized access vulnerability in their NetBatch-Plus software.

HPE Advisory #2 - HPE published an advisory that describes an authentication bypass vulnerability in their OfficeConnect network switches.

Inductive Automation Advisory - Inductive Automation published an advisory that discusses the Text4Shell vulnerability.

Insyde Advisory #1 - Insyde published an advisory that describes an untrusted pointer vulnerability in their UsbCoreDxe file.

Insyde Advisory #2 - Insyde published an advisory that describes an untrusted input vulnerability in their AhciBusDxe file.

Insyde Advisory #3 - Insyde published an advisory that describes an incorrect pointer check vulnerability in their FwBlockServiceSmm driver.

Insyde Advisory #4 - Insyde published an advisory that describes an incorrect pointer check vulnerability in their NvmExpressDxe driver.

Insyde Advisory #5 - Insyde published an advisory that describes an untrusted pointer vulnerability in their SdHostDriver and SdMmcDevice.

Insyde Advisory #6 - Insyde published an advisory that describes a race condition vulnerability in their UsbCoreDxe.

Insyde Advisory #7 - Insyde published an advisory that describes an initialization function vulnerability in their PnpSmm file.

Insyde Advisory #8 - Insyde published an advisory that describes an input address manipulation vulnerability in their PnpSmm function 0x52 file.

Mitsubishi Advisory - Mitsubishi published an advisory that discusses a denial-of-service vulnerability in multiple consumer products.

Moxa Advisory - Moxa published an advisory that describes an improper authentication vulnerability in their NE-4100T Series.

OPC Foundation Advisory - The OPC Foundation published an advisory that describes a privilege escalation vulnerability in their local discovery server.

Phoenix Contact Advisory - Phoenix Contact published an advisory that describes a denial-of-service vulnerability in their FL MGUARD and TC MGUARD devices.

Sick Advisory #1 - Sick published an advisory that describes an improper authorization vulnerability in their FlexiCompact products.

Sick Advisory #2 - Sick published an advisory that describes six missing authentication for critical function vulnerabilities in their SIM products.

Siemens Healthineers Advisory - Siemens Healthineers published an advisory that describes seven vulnerabilities in their syngo Dynamics servers.

Vendor Updates

HPE Update - HPE published an update for their B-series SAN Switches advisory that was originally published on November 11th, 2022.

Mitsubishi Update #1 - Mitsubishi published an update for their Multiple FA Engineering Software Products advisory that was originally published on July 30th, 2020 and most recently updated on July 28th, 2022.

Mitsubishi Update #2 - Mitsubishi published an update for their Multiple FA Engineering Software Products advisory that was originally published on February 18th, 2021 and most recently updated on July 28th, 2021.

Palo Alto Networks Update - Palo Alto Networks published an update for their Cortex XSOAR advisory that was originally published on November 9th, 2022.

Exploits

Siemens Exploit - Mr me published a Metasploit module for a remote code execution vulnerability in the VMware NSX Manager XStream.


For more information on these disclosures, including links to researcher reports, 3rd party advisories, exploits, and one Russian commentary, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11-f60 - subscription required.


Friday, November 18, 2022

Short Takes – 11-18-22

TSA administrator says new cyber requirements in the works for aviation industry. FCW.com article. Pull quote: “Speaking at the Aspen Cyber Summit, TSA chief David Pekoske said that the administration is following a similar method of developing the forthcoming cybersecurity rules as it did for the oil and gas pipeline sector, when it released a series of security guidelines in 2021 following the Colonial Pipeline ransomware attack.”

NASA launches website to keep track of Artemis I. TheHill.com article. Pull quote: “The Artemis I mission lifted off in the early morning when the Space Launch System (SLS) rocket and the Orion capsule took to the skies. In the wake of the launch, NASA has set up the Artemis Real-time Orbit Website or AROW for people to keep track of the spacecraft.” Site not working as of 0721 EST.

The End of Vaccines at ‘Warp Speed’. NYTimes.com article. Pull quote: “But as a third pandemic winter begins in the United States, its vaccine-making effort has lost steam. Efforts to test and produce next-generation Covid vaccines are bogged down by bureaucratic problems and funding shortfalls. Foreign rivals have raced ahead in approving long-awaited nasal-spray vaccines, including one invented in St. Louis, creating a scenario in which Americans would have to travel abroad for the latest in American vaccine technology.”

Contractors’ Reluctance to Work With Pentagon on Cybersecurity Is Leaving Vulnerabilities, DOD Official Says. GovExec.com article. Voluntary cybersecurity compliance still not happening. Pull quote: “McKeown listed various ways the Defense Department’s cyber experts can help its vendors, free of charge: on-site network assessments, sharing threat intelligence, shoring up email security, providing protective DNS, and more. But vanishingly few companies take advantage of the offerings: around 1 percent of DOD’s hundreds of thousands of contractors, he said.”

Offshore Oil and Gas: Strategy Urgently Needed to Address Cybersecurity Risks to Infrastructure. GAO report. Pull quote: “The Department of the Interior—which is responsible for overseeing the infrastructure—has taken few steps to address cybersecurity risks. We recommended that Interior immediately develop and implement a cybersecurity strategy.”

The US military is scrambling to build more ammo for itself and for Ukraine, but old Army paperwork could get in the way. BusinessInsider.com article. Pull quote: “"The Army faces challenges in managing the procurement and production of conventional ammunition," the Government Accountability Office warned in a study published in October.”

UConn Researcher’s Work Will Feature in International Space Station Mission. Uconn.edu article. Pull quote: “Associate Professor Yupeng Chen and his team of six graduate and eight undergraduate students will work with astronauts aboard the ISS doing experiments aimed at advancing in-space manufacturing concepts for the production of potentially marketable biomaterials for use in therapeutic and regenerative treatments here on earth for arthritis, cancer, and neurological diseases. The $1.86 million contract is one of eight winning proposals submitted in response to a NASA Research Announcement seeking space production applications for three low-Earth orbit (LEO) missions scheduled over 27 months.”

Senior Chemical Security Inspector. USAJobs.gov job listing. 4 GS-14 CFATS vacancies (Chicago, Boston, Dallas, and Seattle). Positions close 11-24-22.

Bills Introduced – 11-17-22

Yesterday, with both the House and Senate in session (and preparing to leave Washington for their Thanksgiving weekend) there were 80 bills introduced. Three of those bills may receive additional attention in this blog:

HR 9330 To improve the visibility, accountability, and oversight of agency software asset management practices, and for other purposes. Cartwright, Matt [Rep.-D-PA-8]

HR 9337 To amend the USA PATRIOT Act to designate critical infrastructures, and for other purposes. Jackson, Ronny [Rep.-R-TX-13]

HR 9349 To improve public-private partnerships and increase Federal research, development, and demonstration related to the evolution of next generation pipeline systems, and for other purposes. Weber, Randy K., Sr. [Rep.-R-TX-14] 

I will be watching HR 9330 for language and definitions that specifically include operational technology software (control systems, security systems, and/or building control systems) within the scope of the coverage of the bill.

I will be covering HR 9337.

I will be watching HR 9349 for language and definitions that would include cybersecurity requirements in the next generation pipeline system development supported in the bill.

CISA Announces Cybersecurity Advisory Committee Meeting – 12-6-22

Today, CISA published a meeting notice in the Federal Register (87 FR 69283-69284) for an in-person meeting of their Cybersecurity Advisory Committee on December 16th, 2022 in Cupertino, California. The public will have access to portions of the meeting by teleconference.

The agenda includes:

• A discussion on the status of previous CISA Cybersecurity Advisory Committee recommendations,

• A member roundtable on the CISA Cybersecurity Advisory Committee strategic focus for 2023, and

• A discussion on the CISA Cybersecurity Advisory Committee annual report.

Members of the public that wish to participate via the teleconference need to register (via email to CISA_CybersecurityAdvisoryCommittee@cisa.dhs.gov) by December 4th. Written comments may be submitted to the Committee by the same date via the Federal eRulemaking Portal (www.Regulations.gov; Docket # CISA-2022-0008).

Thursday, November 17, 2022

Short Takes – 11-17-22

CISA Highlights Space, Bioeconomy as Possible New Critical Infrastructure Sectors. NextGov.com article. Pull quote: “The report, obtained by Nextgov, was referenced in a Nov. 7 letter President Biden addressed to Congress, noting his intention of implementing its recommendations. The secretary of the Department of Homeland Security was required to deliver the report under the 2021 National Defense Authorization Act. The NDAA provision nudged DHS’ standing obligation under the Homeland Security Act and a 2013 presidential policy directive—PPD 21—to produce and update a national plan to secure key resources and protect critical infrastructure.”

Ukrainian Analysis Identifies Western Supply Chain Behind Iran’s Drones. WSJ.com article. Pull quote: “Ukrainian intelligence estimates that three-quarters of the components of the Iranian drones downed in Ukraine are American-made, according to documents reviewed by the Journal. The findings were made after the Ukrainian military downed several drones, including an Iranian Mohajer-6 drone that agents hacked midflight and landed intact, according to Ukrainian investigators.”

Enel to Build Massive Solar Panel Factory in U.S. WSJ.com article. Pull quote: “Enel’s plan is the latest in a rush of deals being announced after the U.S. passed legislation offering generous incentives to build up a domestic supply chain for renewables. That law, the Inflation Reduction Act, offers tax credits to companies that make everything from wind turbines to electric-vehicle batteries in the U.S., as well as bonus tax credits for power-plant developers that use domestically made components.”

Press conference of President Duda and Prime Minister Morawiecki. "Nothing indicates that it was an intentional attack on Poland". Fakt.pl article. Pull quote (translated by Google): “Ukraine defended itself - which is obvious and understandable - also firing rockets whose task was to knock down Russian missiles. In connection with the above, we were dealing with a very serious clash caused by the Russian side, as well as the entire conflict. In fact, therefore, the Russian side is certainly to blame for yesterday's clash, said Andrzej Duda.”

US FTC Delays Safeguards Rule Deadlines by 6 Months. GovInfoSecurity.com article. Lack of infosec personnel makes implementation impracticable. Pull quote: “A clutch of industry lobbyists including the National Automobile Dealers Association and ACA International, which represents debt collectors, asked the agency in July for a 12-month delay. "With every organization (not just financial institutions) vying for the same scarce talent, it is extremely difficult to fill open requisitions for positions that are crucial to an effective information security program," the associations wrote.”

Covid deaths and hospitalizations are falling in the U.S. NBCNews.com article. Pull quote: “Dr. Vin Gupta, a pulmonologist and an affiliate faculty member at the University of Washington in Seattle, attributes the decline in deaths and severe Covid cases to a level of "baked-in immunity," including vaccination, prior infection or a combination of the two. While Covid-related hospitalizations are not currently increasing, Gupta warns that they could during the winter as immunity, especially from previous infection, diminishes.”

Wray tells lawmakers that FBI conducts cyber offensive operations. TheHill.com article. Pull quote: “Although Wray did not provide specifics into the type of cyber offensive operations the agency has conducted, he did say that the department engages in other types of activities, including conducting counterintelligence operations, targeting adversaries’ infrastructure, disrupting malicious cryptocurrency schemes, and indicting cyber criminals.”

Russia supply shock forces rethink for chemicals and fertiliser groups. FT.com article. Pull quote: “Russia is the world’s principal supplier of fertilisers and their core components. It accounts for roughly 45 per cent of the global ammonia nitrate market, 18 per cent of the potash market, and 14 per cent of global phosphate fertiliser exports.”

DHS blocked vital research on domestic threats, say terrorism experts. WashingtonPost.com article. Privacy concerns stop open-source research. Pull quote: “The lack of reliable data on violent-extremist threats has persisted for years despite demands from Congress and advocacy groups for improvement. Under the Trump administration, Homeland Security released a counterterrorism report that acknowledged a growing threat, but could not offer hard numbers on attacks because “current national-level statistics on terrorism and targeted violence in all its forms are not comprehensive.””

A new tick-borne disease is killing cattle in the US. TechnologyReview.com article. Asian disease spreading in US cattle. Pull quote: “Theileria can cause cows to abort their fetuses. It can also cause anemia so severe that a cow will die. In Australia, where the disease has been spreading since 2012 and now affects a quarter of the cattle, theileria costs the beef industry an estimated $19.6 million a year in reduced milk and meat yields, according to a 2021 paper. In Japan and Korea, the combined loss is an estimated $100 million annually.”

Review - 2 Advisories Published – 11-17-22

Today CISA’s NCCIC-ICS published two control system security advisories for products from Cradlepoint and Red Lion.

Cradlepoint Advisory - This advisory describes a command injection vulnerability in the Cradlepoint NetCloud OS.

Red Lion Advisory - This advisory describes a path traversal vulnerability in the Red Lion Controls Crimson programming software.


For more details about these advisories, including a down-the-rabbit hole look at the Cradlepoint advisory, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-published-11-17-22 - subscription required.
