Saturday, December 30, 2023

Short Takes – 12-30-23

Logistics: Agema UGV in Ukraine. StrategyPage.com article. Pull quote: “The demand is out there for UGVs that can reliably carry payloads autonomously. For Israel such vehicles are a matter of life and death, and need is constant and continuous. That’s why even the less successful UGVs found work in Israel. American UGV developers followed Israeli progress in this area and developed smaller UGVs that met an urgent need for Western armies that have overloaded their infantry with useful new gear that has the troops, and their commander, desperately seeking a solution to carrying all that useful stuff into the combat zone without exhausting the infantry. Rook and MUTT are not the final word in UGVs that do their job, but demonstrate the worth of continuous improvement of the tech.”

Studying combustion and fire safety. Phys.org article. Pull quote: “Microgravity dramatically influences flames and provides a unique environment for studying combustion. For example, on Earth, hot gases from a flame rise and gravity pulls cooler, denser air to the bottom of a flame, creating the classic shape and flickering effect. In microgravity, this flow doesn't occur and on the space station, low-momentum flames tend to be rounded or even spherical. By removing the effects of buoyancy, microgravity provides researchers a better understanding of specific flame behaviors.”

The Secret Foreign Roots of Tech Titans’ New California City. WSJ.com article. Pull quote: “That pressure dissipated in August when the project’s backers unveiled the plan for a new city. A New York Times article reported the venture’s ambitions and noted its A-list investors, including LinkedIn co-founder Reid Hoffman, former Sequoia Capital partner Michael Moritz and philanthropist Laurene Powell Jobs.”

Nebraskans Are Sitting on Strategic Metals. Is Mining a Patriotic Duty? NYTimes.com article. Pull quote: “As the hunt for more materials used in batteries continues, energy officials predict more scenes across America like the one in Nebraska, a state with abundant cornfields and cattle but no operating mines. In Utah, a mine has begun producing tellurium. A new cobalt mine in Idaho is expected to be operational this year. New lithium mining is planned for North Carolina, and in California companies are trying out new technology to extract lithium from geothermal brines.”

2022 Liquid Chemical Categorization Updates. Federal Register CG rule correction. Technical corrections to rule published on November 21st, 2023.

Schools and Libraries Cybersecurity Pilot Program. Federal Register FCC NPRM. Summary: “In this document, the Federal Communications Commission (Commission) proposes a three-year pilot program within the Universal Service Fund (USF or Fund) to provide up to $200 million available to support cybersecurity and advanced firewall services for eligible schools and libraries.”

Marjorie Taylor Greene creates multiple headaches for new Speaker. TheHill.com article. Pull quote: ““Mike Johnson comes in and first thing he starts talking about is passing another CR, and I’m like, wait a minute, what? You just voted against it. That was the whole reason why Kevin McCarthy got ousted, was working with Democrats and passing a clean CR. And you know, for me I was like, what a hypocrisy,” Greene told The Hill.”

Review - CSB Updates Recommendations Response Status – 12-20-23

Yesterday, the Chemical Safety Board updated their Recent Recommendation Status Updates page, closing one recommendation and updating the ‘open’ status of six other recommendations. These recommendations were made in the final reports for three separate incidents:

Optima Belle Explosion and Fire,

Loy Lange Box Company Pressure Vessel Explosion, and

Kuraray Pasadena Release and Fire

Commentary

Presumably, the board members of the CSB met, had a discussion about these changes and then voted (formally or otherwise) to approve these changes. In the distant past, the Board would have conducted this meeting in public and announced the changes in a press release. Now we have to wait a week or more to see these changes reflected on a back page of the web site. While this is ‘open governance’ for some levels of open, it does little to inspire public confidence or further public awareness of chemical safety issues.

 

For more details about the changes made to the recommendation statuses, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-updates-recommendations-response - subscription required.

CRS Reports – Week of 12-23-23 - Agency Nonacquiescence

This week the Congressional Research Service (CRS) published a report on “Agency Nonacquiescence: An Overview of Constitutional and Practical Considerations”. The report looks at the various ways that federal agencies have responded, or may respond, to adverse judgments in Federal Courts. The report provides (pg 4) a hypothetical situation that gives a broad look at the scope of the issue:

“Imagine that a federal agency promulgates a new regulation that establishes a uniform process for adjudicating certain federal benefits. The U.S. Court of Appeals for the Eleventh Circuit, which has jurisdiction over three U.S. states, invalidates a benefits decision under that regulation, holding that the agency must use a different process. Now, the agency faces some choices: Should it avoid using its new adjudication process altogether, even in the other 47 states? Should it continue to use its new process in other states and defend that process in different courts? Can it apply that process to other benefits claimants in the Eleventh Circuit who may not have been a party to the original case?”

As always with a CRS report, it is important to remember that these reports are targeted at members of Congress with a view to informing potential congressional action. This report notes (pg 25):

“Congress has the authority to limit or bar agencies from engaging in nonacquiescence of any kind. Under its constitutional power to define the powers and authority of administrative agencies, Congress can define in what situations (if any) nonacquiescence is permissible. Agencies are “creatures of statutes,” and, accordingly, Congress retains the power to limit or prohibit agencies engaging in nonacquiescence regardless of the inapplicability of collateral estoppel [prevents a party from re-litigating an issue that was already decided in another legal action] to the federal government and regardless of the lack of intercircuit stare decisis [a legal principle that requires courts to follow previous judgments when resolving cases with similar facts] across the federal court system.”

Chemical Incident Reporting – Week of 12-23-23

NOTE: See here for series background.

Disneyland, CA – 12-28-23

Local news reports: Here, here, and here.

Mixing cleaning chemicals results in small chlorine cloud. 2 injured, 1 transported to hospital.

Possible CSB reportable, if individual was admitted to hospital.

Review – Public ICS Disclosure – Week of 12-23-23

This week we have two vendor disclosures from Moxa and SEL.

Advisories

Moxa Advisory - Moxa published an advisory that discusses five vulnerabilities in the web application of their OnCell G3150A-LTE Series products.

SEL Advisory - SEL announced that they have a new version of their SEL-5030 acSELerator QuickSet Software which fixes a security vulnerability.


For more details about these disclosures, including links to third party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosure-week-of-12-505 - subscription required.

Thursday, December 28, 2023

Short Takes – 12-28-23

Speaker Johnson enters 2024 with warring GOP factions. TheHill.com article. Pull quote: ““He’s also challenged by a House majority that hasn’t shown a concerted commitment to do the things we ran on — to force border security upon the Senate and the White House, to force spending reductions upon the Senate and the White House, and just stand with him in fighting for those by being willing to withstand a potential partial government shutdown to try to force the Democrats to negotiate,” Good [R,VA] said.”

The First Secret Asteroid Mission Won’t Be the Last. NYTimes.com article. Pull quote: “So far AstroForge has raised $13 million from investors. A full mining mission would require a much larger investment. But there are riches to be made if the company is successful. On Earth, the metals that may be on M-type asteroids can be difficult and expensive to mine. Iridium, for example, sells for thousands of dollars per ounce.”

Russia, NASA agree to continue joint ISS flights until 2025. Phys.org article. Pull quote: “ISS partners—the United States, Russia, Europe, Canada and Japan—are for the moment only committed to operate the orbiting laboratory until 2024, though US officials have stated they want to continue until 2030.”

Could New Chemistries, Retooled Production Strategies Prevent the Next East Palestine Spill? ChemicalProcessing.com article. Interesting perspectives on inherently safer technologies. Pull quote: “I was chair of the Green Chemistry Institute Advisory Board at ACS for three years, and our mantra, like the OECD (Organization for Economic Co-operation and Development) mantra, was efficient, effective, safe and benign. And if you're talking about making substitutions that don't touch those four things, then your substitute chemistry isn't going to get used. If it costs way more — and I’m not saying it has to cost less — if it doesn't do the job, if it's not markedly safer than what you're using and, also relatively safe in the environment, then it's just not going to succeed.”

Notice of Availability of Software and Documentation for Licensing. Federal Register USAF notice. Summary: “Pursuant to the provisions of section 801 of Public Law 113–66 (2014 National Defense Authorization Act); the Department of the Air Force announces the availability of WIFI Distinct Native Attribute (DNA) Fingerprinting Demonstration Code, V23, dated 15 Nov 2023, to include source code (MATLAB m-files), experimentally collected WIFI data (MATLAB mat-files), and operation checking (Ops Check) documentation software and related documentation to illustrate some basic elements of Distinct Native Attribute (DNA) fingerprinting. DNA fingerprints are extracted from radio frequency device emissions and used to discriminate (uniquely identify) specific hardware devices using machine learning (ML) techniques.”

Promoting Public Engagement in OIRA’s Regulatory Review Process. WhiteHouse.gov press release. Pull quote: “Today, the Office of Information and Regulatory Affairs (OIRA) is issuing guidance to promote greater public engagement in OIRA’s regulatory review process. The guidance is being issued after receiving input from members of the public through a comment process and listening session. In Executive Order 14094, Modernizing Regulatory Review, President Biden called on OIRA to consider changes to its process for meeting with members of the public regarding regulatory actions under OIRA’s review—known as “E.O. 12866 meetings” after the Executive Order that sets forth the process for regulatory review—with the goals of expanding the range of stakeholders OIRA hears from, including those from underserved communities, while also increasing the effectiveness and transparency of those meetings. This guidance is part of a broader effort by OIRA to encourage public engagement from those that have not historically engaged with the regulatory process.”

DOT Publishes Civil Penalty Increase Rule – 2024

Today, the Department of Transportation published a direct final rule in the Federal Register (88 FR 89551-89568) on “Revisions to Civil Penalty Amounts, 2024”. This rule makes adjustments to the civil penalties that DOT and its modal agencies may levy for violations of various and sundry transportation regulations. These annual updates are required by the Federal Civil Penalties Inflation Adjustment Act of 1990 (PL 101-41). The adjustments were made using a multiplicative factor of 1.03241.

Agencies of potential interest here include:

Office of the Secretary,

FAA,

NHTSA,

FMCSA,

FRA, and

PHMSA

The effective date of the regulation is December 28th, 2023. The preamble notes that:

“The Department emphasizes that this rule adjusts penalties prospectively, and therefore the penalty adjustments made by this rule will apply only to violations that take place after this rule becomes effective. This rule also does not change previously assessed or enforced penalties that DOT is actively collecting or has collected.”

Reader Comment – New CSB Investigation

Earlier (shortly before yesterday’s post) Rosearray posted a comment to last week’s post on the KMCO CSB report. He noted that the CSB had published their gas well blowout report and then went on to say:

“Now there are still two current investigations: https://www.csb.gov/investigations/current-investigations/?Type=1. I was not aware of one of these, at the Martinez, CA refinery, which was opened in November 2023.”

Now, if you have read yesterday’s post, I commented that there was one open investigation. When I opened the Current Investigations (same link) page that morning, it only showed the BP investigation. And I have been watching the CSB web site daily for some time and I have seen no mention of the Board sending investigators to the California incident. In fact, I just finished looking at the CSB News Releases page and the latest announcement of a team deployment is to the BP incident.

So, a quick news search, and sure enough, I found two news reports about the CSB investigation of the incident:

Federal Agency Probes Marathon’s Martinez Refinery After Two Large Fires Last Month, December 5th, 2023, and

Chemical Safety Board Investigates Martinez Renewables Fire; Burn Victim Needs Our Support, November 26th, 2023.

The first article reported:

““The CSB is sending investigators to Martinez,” Hillary Cohen, a spokesperson for the federal agency charged with investigating industrial chemical accidents, said in an email to KQED.”

The two articles provide brief descriptions of the incidents, and it certainly sounds like this is a worthwhile target of the CSB’s efforts. Looking forward to hearing more about this incident.

Wednesday, December 27, 2023

Review - CSB Publishes Well Blowout Incident Report

Yesterday, the Chemical Safety Board published their final report on an oil well blowout incident that occurred in Burleson County, Texas, on January 29th, 2020. The flash fire that occurred as a result of that blowout killed three workers and injured another. The report identified four key safety issues that contributed to the severity of the incident and made four recommendations that would help prevent the recurrence of this type of incident.

The four identified safety issues were:

• Well planning,

• Well control for completed wells in underpressured reservoirs,

• Ignition source management, and

• Federal safety regulatory requirements

Recommendations

The CSB included four recommendations in this report:

• 2020-04-I-TX-1 - Chesapeake Operating, LLC - Develop or revise policies incorporating the recommendations of API RP 59 regarding well planning, specifically the inclusion of well history review in conjunction with workover well control planning,

• 2020-04-I-TX-2 - American Petroleum Institute (API) - Publish specified information in an appropriate document such as API RP 59 Recommended Practice for Well Control Operations,

• 2020-04-I-TX-3 - Occupational Safety and Health Administration (OSHA) – Remove the exemption for oil and gas drilling and well servicing from the Control of Hazardous Energy standard (29 CFR 1910.147) and expand its applicability to cover oil and gas production and workover operations, and

• 2020-04-I-TX-4 - Occupational Safety and Health Administration (OSHA) - Promulgate a new standard with prescriptive requirements, similar to the Control of Hazardous Energy Standard, as well as a performance-based safety management system framework, similar to the OSHA Process Safety Management (PSM) Standard, that applies to the drilling, production, and servicing/workover activities surrounding onshore oil and gas wells.

As a result of this investigation, the CSB is closing 2018-01-I-OK-1 as it is now being superseded by 2020-04-I-TX-3. This now leaves the CSB with 177 open recommendations.

Commentary

With the publication of this report, the CSB has cleared their backlog of investigations. This has been a long road and it has impeded the ability of the Board to initiate new investigations. There is only one active investigation on the books (BP - Husky Oregon Chemical Release and Fire). It dates back to 2022, so this investigation should be close to done (we hope). It will be interesting to see how aggressive the CSB is in initiating new investigations.

 

For more details about the investigation report, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-publishes-well-blowout-incident - subscription required.

Tuesday, December 26, 2023

Short Takes – 12-26-23

Doctors found a way to 3D print inside the human body. BGR.com article. Pull quote: “It’s an amazing breakthrough that could allow for a ton of medical applications, including mending broken bones, stopping leaky organs, and more. The development of this new option builds off the past creation of photosensitive ink that hardens when exposed to light.”

Turning plastic trash into chemistry treasure. Newswise.com article. Pull quote: “The reuse of waste plastic was demonstrated by adding plastic shreds of a common grocery bag to the ball mill jar and successfully carrying out the reaction. The team also showed their method could be applied to the treatment of highly toxic polyhalogenated compounds, which are widely used in industry. Polyethylene was employed to initiate a radical reaction that removed multiple halogen atoms from a compound commonly used as a flame retardant, thus reducing its toxicity.”

NASA asteroid sampling mission renamed OSIRIS-APEX for new journey. “OSIRIS-APEX will arrive at the asteroid [Apophis] on April 13, 2029 [just before the asteroid’s closest approach to Earth], and operate in its proximity for about the next 18 months. In addition to studying changes to Apophis caused by its Earth encounter, the spacecraft will conduct many of the same investigations OSIRIS-REx did at Bennu, including using its instrument suite of imagers, spectrometers, and a laser altimeter to closely map the surface and analyze its chemical makeup.”

New Nuclear Deflection Simulations Advance Planetary Defense Against Asteroid Threats. HomelandSecurityNewswire.com article. Pull quote: “This model will allow researchers to build upon the insights gained from NASA’s recent Double Asteroid Redirection Test (DART) mission, where, in September 2022, a kinetic impactor was deliberately crashed into an asteroid to alter its trajectory. However, with limitations in the mass that can be lifted to space, scientists continue to explore nuclear deflection as a viable alternative to kinetic impact missions.”

4,4′-Methylene bis(2-chloroaniline); Request Under the Toxic Substances Control Act (TSCA) for Records and Reports of Significant Adverse Reactions to Health or the Environment. Federal Register EPA adverse reaction notice. Summary: “Through this notice, the Environmental Protection Agency (EPA) is requiring manufacturers (including importers) and processors of the chemical substance 4,4′-methylene bis(2-chloroaniline) to submit the records and reports of allegations that this chemical substance causes significant adverse reactions to health or the environment that they are required to maintain and submit to EPA when requested under the Toxic Substances Control Act (TSCA). Information submitted to the Agency in response to this notice will help inform future EPA activities regarding this chemical, including aiding EPA activities related to this chemical substance having been identified as a candidate for designation as a High-Priority Substance for TSCA risk evaluation.”

Finally, a good reason to travel to space. WashingtonPost.com article. Pull quote: “Instruments themselves might also be adapted for space. In recent years, a few people have experimented with bringing music-makers on parabolic flights — where astronauts train for missions and scientists carry out experiments in spurts of zero gravity that last about 20 to 25 seconds. DJ and music producer Marc Marzenit found it tiring to play a keyboard in this environment and said he could imagine wanting a vertical piano for low gravity.”

GOP seeks upper hand as prospect of automatic budget cuts stirs fears. TheHill.com article. Pull quote: “Experts and congressional aides are now warning that nondefense funding could wind up seeing a harder hit from the threat of the automatic 1 percent cut. This is because the new scoring by the Congressional Budget Office (CBO) shows funding for nondefense is over $30 billion higher than its recorded levels initially set by lawmakers for fiscal 2023.” Spending bills just get more confusing.

NASA Issues New Space Security Best Practices Guide. NASA.gov article. Pull quote: “As space missions and technologies grow increasingly interconnected, NASA has released the first iteration of its Space Security Best Practices Guide to bolster mission cybersecurity efforts for both public sector and private sector space activities.”

Review – DOD Publishes CMMC NPRM and Guidance

Today, the Department of Defense published a notice of proposed rulemaking (NPRM) in the Federal Register (88 FR 89058-89138) for the “Cybersecurity Maturity Model Certification (CMMC) Program”. This rulemaking would “establish requirements for a comprehensive and scalable assessment mechanism to ensure defense contractors and subcontractors have, as part of the Cybersecurity Maturity Model Certification (CMMC) Program, implemented required security measures to expand application of existing security requirements for Federal Contract Information (FCI) and add new Controlled Unclassified Information (CUI) security requirements for certain priority programs”. Separately, the DOD published a notice in the Federal Register (88 FR 89139-89140) that provides links to a series of guidance documents that would support the CMMC.

This rulemaking would modify the current CMMC program established by an interim final rule in September 2020. This new version (CMMC 2.0) would have three key features:

• Tiered model,

• Assessment requirement, and

• Implementation through contracts.

Public Comments

The DOD is soliciting public comments on this NPRM. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # DoD-2023-OS-0063). Comments should be submitted by February 26th, 2024. I suspect that efforts will be made to get DOD to extend the comment period because of the holidays.

 

For more details about this proposed rule, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/dod-publishes-cmmc-nprm-and-guidance - subscription required.

Saturday, December 23, 2023

GAO Reports – Week of 12-16-23 – Medical Device Cybersecurity Oversight

This week the Government Accountability Office (GAO) published a report on “Medical Device Cybersecurity”. The report was required by last year’s consolidated spending bill (§3305 of PL 117-328, 136 STAT. 5832). That section added §524B, Ensuring Cybersecurity of Devices, to the Federal Food, Drug, and Cosmetic Act. Subsection (g) of that new section required the GAO to examine:

Challenges for device manufacturers, health care providers, health systems, and patients in accessing Federal support to address vulnerabilities across Federal agencies,

How Federal agencies can strengthen coordination to better support cybersecurity for devices, and

Statutory limitations and opportunities for improving cybersecurity for devices.

The report identifies the agencies of the Federal government that share some level of responsibility for oversight of medical device cybersecurity with the Food and Drug Administration. In addition to various HHS agencies, these include CISA and the FBI.

While a number of agencies are named in this report, the GAO is only making recommendations to two agencies in this report. While there are two recommendations, they are actually two sides of the same one, for the FDA and CISA “to update the agencies’ agreement to reflect organizational and procedural changes that have occurred” since the current agreement was signed in 2018. 

Chemical Incident Reporting – Week of 12-16-23

NOTE: See here for series background.

Rockford, IL – 12-19-23

Local News Reports: Here and here.

Pool chemical leak at school. No injuries, no damage. Not clear from the reporting if this was a chlorine gas leak or a spill of chlorine analogs like sodium hypochlorite.

Not CSB reportable.

Greenville, TN – 12-20-23

Local News Reports: Here, here, and here.

Two separate anhydrous ammonia refrigerant leaks at food factory. 29 people hospitalized. The second leak was discovered after the first was fixed and the lines reopened. Most of the injuries were associated with the second leak. Not clear if the problem was people failing to respond quickly to the second leak, if the leak was in a different location, or if the amount of the second leak was larger.

CSB Reportable.

Review – Public ICS Disclosures – Week of 9-16-23

This week we have 18 vendor disclosures from Broadcom (3), Eaton (2), GE Gas Power, Hitachi, Hitachi Energy (2), Honeywell, HPE (4), Mitsubishi, Moxa, and SEL (2). There are five vendor updates from Cisco (2) and Hitachi Energy (3). Finally, we have 29 researcher reports for vulnerabilities in products from Honeywell (7), Inductive Automation, and Voltronic Power (21).

Advisories

Broadcom Advisory #1 - Broadcom published an advisory that discusses a path traversal vulnerability in their Brocade Fabric OS.

Broadcom Advisory #2 - Broadcom published an advisory that discusses a path traversal vulnerability in their Brocade Fabric OS.

Broadcom Advisory #3 - Broadcom published an advisory that discusses a missing authentication vulnerability in their Brocade Fabric OS.

Eaton Advisory #1 - Eaton published an advisory that describes an access control vulnerability in their User Management System.

Eaton Advisory #2 - Eaton published an advisory that discusses a deserialization of untrusted data vulnerability in multiple Eaton products that is listed in the CISA Known Exploited Vulnerability Catalog.

GE Gas Power Advisory - GE published an advisory that discusses an authentication bypass vulnerability in the Triangle Microworks SCADA Data Gateway.

Hitachi Advisory - Hitachi published an advisory that discusses two vulnerabilities in the JP1/VERITAS product.

Hitachi Energy Advisory #1 - Hitachi Energy published an advisory that describes an improper input validation vulnerability in their RTU500 series products.

Hitachi Energy Advisory #2 - Hitachi Energy published an advisory that describes an improper certificate validation vulnerability in their RTU500 scripting interface.

Honeywell Support Notice - Honeywell published a support notice for their Vindicator line of access control systems. Honeywell notes that their systems using Windows 7 and Windows XP operating systems will receive only limited support.

HPE Advisory #1 - HPE published an advisory that discusses three vulnerabilities in their Unified OSS Console.

HPE Advisory #2 - HPE published an advisory that describes a cross-site scripting vulnerability in their Unified OSS Console.

HPE Advisory #3 - HPE published an advisory that discusses a code corruption vulnerability in their IceWall Gen11 certd module.

HPE Advisory #4 - HPE published an advisory that describes an authentication bypass vulnerability in their Integrated Lights-Out 5 and 6 products.

Mitsubishi Advisory - Mitsubishi published an advisory that discusses three vulnerabilities in multiple FA products.

Moxa Advisory - Moxa published an advisory that describes two vulnerabilities in their ioLogik E1200 Series Web Server.

SEL Advisory - SEL published two software revision notices that included fixes for cybersecurity vulnerabilities.

Updates

Cisco Update #1 - Cisco published an update for their HTTP/2 Rapid Reset Attack advisory that was originally published on October 16th, 2023 and most recently updated on December 5th, 2023.

Cisco Update #2 - Cisco published an update for their Apache Struts Vulnerability advisory that was originally published on December 12th, 2023 and most recently updated on December 15th, 2023.

Hitachi Energy Update #1 - Hitachi Energy published an update for their AFS65x, AFS67x, AFR67x and AFF66x series products advisory that was originally published on September 26th, 2023.

Hitachi Energy Update #2 - Hitachi Energy published an update for their AFF66x products advisory that was originally published on July 25th, 2023.

Hitachi Energy Update #3 - Hitachi Energy published an update for their Apache ActiveMQ advisory that was originally published on November 14th, 2023.

Researcher Reports

Honeywell Reports - ZDI published 7 advisories for individual vulnerabilities in the Honeywell Saia PG5 Controls Suite.

Inductive Automation Report - ZDI published a report that describes a deserialization of untrusted data vulnerability in the Inductive Automation Ignition product.

Voltronic Reports - The Zero Day Initiative published 21 advisories for individual vulnerabilities in the Voltronic Power ViewPower Pro.

 

For more details about these disclosures, including links to researcher reports and 3rd party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-9-552 - subscription required.

Friday, December 22, 2023

Short Takes – 12-22-23

New Speaker Johnson’s budget strategy stretches US response in Middle East. TheHill.com article. Pull quote: “That leaves the Pentagon staring down a government shutdown should no deal get reached, or a full-year CR, with top officials in the building said to be preparing by sending out guidance to the military services to slow spending dramatically come Jan. 1, 2024, according to Eaglen.”

NASA astronauts test SpaceX elevator concept for Artemis lunar lander. Phys.org article. Pull quote: “The suited crew provided feedback on elevator controls, such as gate latches, ramp deployment interfaces for moving into and out of the elevator basket, available space for cargo, and dynamic operations while the basket moved along a vertical rail system.”

Extremely rare 'rainbow clouds' light up Arctic skies for 3 days in a row. LiveScience.com article. Pull quote: “Stratospheric temperatures in the Arctic rarely drop below the threshold needed for PSCs to form, so they are normally only spotted a handful of times every year during winter months. The extreme cold snap that led to the recent appearance of PSCs may have been triggered in part by the current El Niño event, which can impact temperatures around the poles. However, human-caused climate change could also be to blame, according to Spaceweather.com.”

Commerce in Explosives; 2023 Annual List of Explosive Materials. Federal Register ATFEB notice. Summary: “This notice publishes the 2023 List of Explosive Materials, as required by law. The 2023 list is the same as the 2022 list published by ATF, except the 2023 list adds “pyrotechnic stars.” These materials are “pyrotechnic compositions” and have long been covered under that term. ATF is adding “pyrotechnic stars” for clarity.”

Hydrogen Safety Resources Take Center Stage. Newswise.com article. Pull quote: “Now in its twentieth year, the [Hydrogen Safety] panel is led by Pacific Northwest National Laboratory (PNNL) and includes more than two dozen experts with over 700 years of accumulated experience. Together, these experts—including engineers, scientists, code officials, safety professionals, equipment providers, and others—have developed a trusted resource for best practices for hydrogen energy.”

Our ranking of top US launch companies finds a familiar name on top. ArsTechnica.com article. Pull quote: “Please note that this is a subjective list, although hard metrics such as total launches, tonnage to orbit, success rate, and more were all important factors in the decision. And our focus remains on what each company accomplished in 2023, not on what they might do in the future. Certainly there will be more reshuffling next year.”

Review - CSB Publishes KMCO Explosion and Fire Report

Yesterday, the Chemical Safety Board published its report on the 2019 incident at the KMCO facility in Crosby, TX. The report describes the release of isobutylene from a process line and the subsequent fire and explosion that killed one employee and severely burned two others. The proximate cause of the release was a brittle fracture of a carbon steel y-strainer, driven by the pressure generated when liquid trapped in the blocked-in line expanded thermally with no relief path.

The report outlined three safety issues identified during the investigation:

• Emergency response,

• Remote isolation, and

• Hazard evaluation

Recommendations

This report made no formal recommendations. The facility went into bankruptcy as a result of the incident and the new owners did not reinstate the isobutylene process unit. The report did, however, note (pg 70):

“Nevertheless, the CSB urges Altivia to read this report closely and understand the factors that led to the incident at the KMCO facility and the lessons stemming from it. Moreover, if hereafter Altivia reinitiates the process or any equipment involved in this incident, the company should ensure that the facts, conditions, and circumstances that caused the incident—and contributed to its severity—are not repeated.”

The report did document the numerous instances where existing safety and industry standards adequately (and in some instances exhaustively) addressed the issues leading to the incident and its outcome.

 

NOTE: There is one incident left on the CSB’s backlog of incident reports, Wendland 1H Well – Burleson County, TX – 1/29/2020. I fully expect that the CSB will publish this report before year end.

 

For more information about this report, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-publishes-kmco-explosion-and - subscription required.

Reader Comment – LEPCs and CFATS

Yesterday, David Sahm published a comment on my ‘Hydrogen and CFATS’ post. He noted, in part, that: “Hopefully, Local Emergency Planning Committees will take note and sound alarm to their reps in Congress.” LEPCs were established under the EPA’s Emergency Planning and Community Right-to-Know Act regulations and are supposed to be the local body that oversees emergency planning activities for chemical facilities in a locality (typically at the county/parish/borough level).

In recent years, CISA, through its Chemical Facility Anti-Terrorism Standards (CFATS) inspectors, has been reaching out to local LEPCs as part of the inspection process to ensure that covered facilities have been coordinating with those organizations on emergency response matters. Such coordination between emergency response planners and high-risk chemical facilities should be a cornerstone of both the safety and the security programs at such facilities.

To the best of my knowledge, this is the only government effort that is trying to ensure that chemical facilities are participating in the LEPC process. This is yet another reason that Congress should re-instate the CFATS program as quickly as possible.

Thursday, December 21, 2023

Short Takes – 12-21-23

Millions across Southern California are under flood threat that could snarl travel ahead of the holiday weekend. CNN.com article. Pull quote: “A moderate risk for excessive rainfall, a Level 3 of 4, is also in effect Thursday for parts of Southern California, including the Los Angeles area. Rainfall totals across higher elevations northwest of the Los Angeles metro area could reach 10 inches through Thursday evening before the storm exits the region.”

NASA, Partners Continue to Advance Space Tech on Suborbital Flights. NASA.gov article. Pull quote: “Sometimes, everyday products can be the key to advancing space objectives. For example, paraffin and beeswax aren’t just for cosmetics and candles. Researchers are using this flight to evaluate these common materials to determine if they might be keys to safer and cheaper fuel for spacecraft. Researchers from the Massachusetts Institute of Technology are evaluating in-space manufacturing techniques to turn these wax-based products into alternative options for propelling small spacecraft.”

These exclusive satellite images show that Saudi Arabia’s sci-fi megacity is well underway. TechnologyReview.com article. Pull quote: “The strange gap in imagery raises questions about who gets to access high-res satellite technology. And if the largest urban construction site on the planet doesn’t appear on Google Maps, what else can’t we see?”

America has a McGonigal problem. BusinessInsider.com article. Pull quote: “Nevertheless, foreign oligarchs remain among the core clientele of otherwise respectable lawyers, lobbyists, and former US officials. McGonigal is not the end of this story, but rather, a warning. The US should be most worried about those who are still getting away with it.”

An Electrifying Improvement in Copper Conductivity. Newswise.com article. Pull quote: “For example, coiled copper wire forms are used in the core of electric motors and generators. Motors today are designed to operate within a limited temperature range because when they get too hot, the electrical conductivity drops dramatically. With the new copper-graphene composite, motors could potentially be operated at higher temperatures without losing conductivity.”

A quiet cybersecurity revolution is touching every corner of the economy as U.S., allies ‘pull all the levers’ to face new threats. Fortune.com article. Pull quote: “Every sector of the economy is under a transformative directive to fortify its digital defenses. Security posture has evolved from a superlative to a crucial factor that affects the bottom line. This isn’t just a policy change–it’s a paradigm shift, making cybersecurity compliance a legal imperative because its implications are more far-reaching than ever before.”

Review – 2 Advisories Published – 12-21-23

Today, CISA’s NCCIC-ICS published two control system security advisories for products from FXC and QNAP. The two reported vulnerabilities were also added to the CISA Known Exploited Vulnerabilities Catalog.

Advisories

QNAP Advisory - This advisory describes an OS command injection vulnerability in the QNAP VioStor NVR QVR firmware.

FXC Advisory - This advisory describes an OS command injection vulnerability in the FXC AE1021 and AE1021PE LAN routers.

Commentary

CISA needs to be more proactive about sharing credit for vulnerability discoveries. While reporting the researcher names in their advisories is important, it would be more appropriate to include links to the researcher reports that provide additional details about the vulnerabilities being reported. Links to publicly available exploits would also be helpful.

 

For more details about these advisories, including links to researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-published-12-21-23 - subscription required. 

Short Takes – 12-21-23 – Federal Register Edition

Some items of interest from yesterday’s Federal Register.

Area Maritime Security Advisory Committee (AMSC), Eastern Great Lakes, Western New York Sub-Committee Vacancy. Federal Register CG AMSC notice. Summary: “The Coast Guard requests individuals interested in serving on the Area Maritime Security Committee, Eastern Great Lakes, Western New York Region sub-committee submit their applications for membership to the U.S. Coast Guard Captain of the Port, Buffalo. The Committee assists the Captain of the Port as the Federal Maritime Security Coordinator, Buffalo, in developing, reviewing, and updating the Area Maritime Security Plan for their area of responsibility.” Filing deadline: January 15th, 2024.

Request for Information on “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software”. Federal Register CISA RFI notice. Summary: “CISA requests input from all interested parties on the white paper “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software.”” Comment deadline: February 20th, 2024.

Impact of the Implementation of the Chemical Weapons Convention (CWC) on Legitimate Commercial Chemical, Biotechnology, and Pharmaceutical Activities Involving “Schedule 1” Chemicals (Including “Schedule 1” Chemicals Produced as Intermediates) During Calendar Year 2023. Federal Register BIS RFI notice. Annual notice. Summary: “The Bureau of Industry and Security is seeking public comments on the impact that the implementation of the Chemical Weapons Convention, through the Chemical Weapons Convention Implementation Act of 1998 and the Chemical Weapons Convention Regulations, has had on commercial activities involving “Schedule 1” chemicals during calendar year 2023. The purpose of this notice of inquiry is to collect information to assist BIS in its preparation of the annual certification to the Congress on whether the legitimate commercial activities and interests of chemical, biotechnology, and pharmaceutical firms are harmed by such implementation. This certification is required under Condition 9 of Senate Resolution 75 (April 24, 1997), in which the Senate gave its advice and consent to the ratification of the Chemical Weapons Convention.” Comment due date: January 19th, 2024. 

Wednesday, December 20, 2023

Short Takes – 12-20-23

BlackCat Ransomware Raises Ante After FBI Disruption. KrebsOnSecurity.com article. Pull quote: “The DOJ says anyone with information about BlackCat affiliates or their activities may be eligible for up to a $10 million reward through the State Department’s “Rewards for Justice” program, which accepts submissions through a Tor-based tip line (visiting the site is only possible using the Tor browser).”

Photonic crystals could be exactly what Breakthrough Starshot is looking for. Phys.org article. Pull quote: “A paper recently published on the arXiv preprint server by a team led by Jin Chang explores the possibility of a new material for light sails known as nano manufactured photonic crystals. These crystals are optical nanostructures (between microscopic and molecular scales) where the refractive index changes periodically. These occur in nature in the animal kingdom for example in the reflective nature of cat and dog eyes.”

Competition: developing Europe's space cargo return service. ESA.int article. Pull quote: “With this new initiative, European industry will develop a way to bring cargo to and from space stations in low-Earth orbit before the end of this decade, providing Europe with access to space, further bartering prospects, and the opportunity for European industry to develop commercial services for cargo transportation to low-Earth orbit on the global market. This cargo service could also become a stepping stone to develop one day a crew transportation to low-Earth orbit and possibly a cargo return capability from the Gateway. This opportunity is a first step in ESA’s renewed ambitious space exploration programme supporting Europe's continued journey to low-Earth orbit and beyond to the Moon and Mars.”

Pinhole propulsion for satellites. ESA.int article. Pull quote: “The micro-fabricated ATHENA system has the advantage of highly customisable thrust, using non-toxic ‘green’ propellants with no need for pressurised tanks. And the thrusters can be clustered together freely as needed – a total of six would fit onto the 10 cm face of a single CubeSat unit. These units can then be further clustered to deliver thrust for satellites of up to 50kg in mass.”

OMB Approves CISA’s ICAR ICR

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an information collection request from CISA’s Emergency Communications Division (ECD) for their Incident Communications Activity Report (ICAR). This approval allows ECD to send incident commanders a form requesting information about the communications processes used in responding to the incident. Completion of the form is voluntary. The 60-day ICR notice was published on October 20th, 2022.

While CISA admits in the Supporting Document (pg 6) provided to OIRA that it really does not know how many respondents there will be for this ICR, it uses the number of 450 for the purposes of the burden calculation. The Supporting Document provides an interesting breakdown of the types of people that ECD expects to complete their form. With an expected 5 minutes to complete the form (understated by almost an order of magnitude, I am pretty sure) this provides CISA with an annual burden estimate of 38 hours.

One comment was received in response to the ICR notices published in the Federal Register. The commenter wanted to make sure that CISA was not duplicating the FCC reporting requirements on cell phone companies and the like.

This is one of those new ICRs where it is really hard to find fault with the estimates because of a lack of prior history. It will be interesting to see how these estimates change when the ICR is renewed in three years.

Hydrogen and CFATS

Yesterday, two additional bills were introduced in the House dealing with attempts to encourage the expansion of the use of hydrogen and anhydrous ammonia as ‘green’ fuels. Similar types of bills were introduced in the Senate back in the Spring. At that time, I wrote a piece about how the CFATS program would address the security of the new hydrogen fuel facilities. Today, with the CFATS program dead since July, and apparently beyond resurrection, there are no federal programs that would help ensure that these new fuel facilities meet some minimum standards for protecting the facilities against a terrorist attack.

From today’s entry on Congress.gov for HR 6872, it would seem that Rep Porter (D,CA) might understand the problem because the description of the bill (the actual bill language is not yet available) notes that DHS would be involved in a report on the “feasibility and safety of using hydrogen-derived fuels”. Presumably, DHS would be providing expertise on the security side of safety as DHS is not really a safety agency.

Is this what we are going to be forced to endure as a country, ad hoc security measures for each different type of hazardous chemical used in commerce? If so, who will provide the Hydrogen security inspectors? Who will provide the mechanism for vetting hydrogen fuel system employees against the terrorist screening database? Who will write the hydrogen security regulations that interpret the will of Congress on protecting these facilities? Certainly not Congress, it seems.

It appears increasingly likely that Congress will not complete action on HR 4470, a relatively short-term extension of the Chemical Facility Anti-Terrorism Standards (CFATS) program. It looks like we are going to have to start looking at what a post-CFATS chemical security world is going to look like. Perhaps it is time for the GAO to produce a report that looks at how well the ‘overlapping’ security programs that Sen Paul used to justify his opposition to passing HR 4470 are actually going about protecting the citizens of this country from terrorist attacks on the Homeland. How they are ensuring that chemical facilities have security measures in place. How they are helping chemical facilities vet their employees against the TSDB. How they are providing Congress and the people information about the security of chemical facilities. And who is ensuring that facilities are not evading their security responsibilities because some (many) DHS chemicals of interest are not covered by those programs.

Bills Introduced – 12-19-23

Yesterday, with the Senate in Washington and the House meeting in pro forma session, there were 43 bills introduced. Two of those bills will receive additional attention in this blog:

HR 6871 To require the Secretary of Transportation, in consultation with the Secretary of Energy, to establish a grant program to demonstrate the performance and reliability of heavy-duty fuel cell vehicles that use hydrogen as a fuel source, and for other purposes. Porter, Katie [Rep.-D-CA-47]

HR 6872 To require the Secretary of Energy to establish a grant program to support hydrogen-fueled equipment at ports and to conduct a study with the Secretary of Transportation and the Secretary of Homeland Security on the feasibility and safety of using hydrogen-derived fuels, including ammonia, as a shipping fuel. Porter, Katie [Rep.-D-CA-47]


Tuesday, December 19, 2023

Short Takes – 12-19-23

After years of decline, the Biden administration says environmental enforcement is on the upswing. ABCNews.go.com article. Pull quote: “The agency has set climate change and environmental justice as top priorities for enforcement, along with dangerous chemicals known as PFAS that are linked to a broad range of health issues, coal ash contamination, safe drinking water, prevention of toxic air pollution and chemical accident prevention, Uhlmann said.”

DOD Kicks Off CDAO Continuous Bounty; Jennifer Hay Quoted. ExecutiveGov.gov article. Pull quote: ““We hope to set an example in DoD that running continuous bounties strengthens our assets and sets a precedent that continuous checks on vulnerabilities is achievable and scalable to support obtaining quality data,” said Jennifer Hay, director of Defense Digital Service within CDAO.”

A Major Ransomware Takedown Suffers a Strange Setback. Wired.com article. Pull quote: “In a twist Tuesday afternoon, the gang's dark-web site roared back to life with an image of a cartoon black cat in silhouette and a banner proclaiming, “THIS WEBSITE HAS BEEN UNSEIZED.” The message remained for roughly two hours before law enforcement seemed to get control of the situation and the takedown message returned.”

Trump Is Disqualified From 2024 Ballot, Colorado Court Says in Explosive Ruling. NYTimes.com article. Pull quote: “In the Colorado court’s lengthy ruling on Tuesday ordering the Colorado secretary of state to exclude Mr. Trump from the state’s Republican primary ballot, the justices there reversed a Denver district judge’s finding last month that Section 3 did not apply to the presidency. They affirmed the district judge’s other key conclusions: that Mr. Trump’s actions before and on Jan. 6, 2021, constituted engaging in insurrection, and that courts had the authority to enforce Section 3 against a person whom Congress had not specifically designated.” Supreme Court next, but serious time to start thinking about what will happen if this stands.

Review – 5 Advisories and 2 Updates Published – 12-19-23

Today, CISA’s NCCIC-ICS published five control system security advisories for products from EuroTel, Open Design Alliance, EFACEC (2), and Subnet Solutions. They also updated two advisories for products from Mitsubishi and Johnson Controls.

Advisories

EuroTel Advisory - This advisory describes three vulnerabilities in the EuroTel ETL3100 radio transmitter.

ODA Advisory - This advisory describes three vulnerabilities in the ODA Drawing SDK tool.

EFACEC Advisory #1 - This advisory describes four vulnerabilities in the EFACEC UC 500E HMI.

EFACEC Advisory #2 - This advisory describes two vulnerabilities in the EFACEC BCU 500 automation and control IED.

Subnet Advisory - This advisory describes an unquoted search path or element vulnerability in the Subnet PowerSYSTEM Center multi-function management platform.

Updates

Mitsubishi Update - This update provides additional information on the MELSEC iQ-R, Q and L Series advisory that was originally published on October 29th, 2020 and most recently updated on April 4th, 2022.

Johnson Controls Update - This update provides additional information on the Johnson Controls Metasys and Facility Explorer advisory that was originally published on December 7th, 2023.

 

For more details about these advisories, including links to researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-advisories-and-2-updates-published-2c9 - subscription required. 

OMB Approves OSHA Emergency Response NPRM

Yesterday, OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a notice of proposed rulemaking from DOL’s Occupational Safety and Health Administration (OSHA) for “Emergency Response”. The rule was submitted to OIRA on October 30th, 2023.

According to the Fall 2023 Unified Agenda entry for this rulemaking:

“OSHA currently regulates aspects of emergency response and preparedness; some of these standards were promulgated decades ago, and none were designed as comprehensive emergency response standards. Consequently, they do not address the full range of hazards or concerns currently facing emergency responders, and other workers providing skilled support, nor do they reflect major changes in performance specifications for protective clothing and equipment. The agency acknowledges that current OSHA standards also do not reflect all the major developments in safety and health practices that have already been accepted by the emergency response community and incorporated into industry consensus standards. OSHA is considering updating these standards with information gathered through an RFI and public meetings.”

The OSHA Emergency Response Rulemaking page has been updated with a link to the Spring 2023 Unified Agenda page for the rulemaking (replacing the Fall 2022 Unified Agenda link). The Fall 2023 Unified Agenda page has been expanded to include sections (which provide little effective information) on:

Summary of legal basis,

Alternatives,

Anticipated costs and benefits, and

Risks

We could possibly see this rulemaking appear in the Federal Register this week, but I suspect that it will come after Christmas.

Monday, December 18, 2023

Short Takes – 12-18-23

Microsoft Seized the US Infrastructure of the Storm-1152 Cybercrime Group. SecurityAffairs.com article. Pull quote: ““As we’ve said before, no disruption is complete in one day. Going after cybercrime requires persistence and ongoing vigilance to disrupt new malicious infrastructure. While today’s legal action will impact Storm-1152’s operations, we expect other threat actors will adapt their techniques as a result.””

Helping Ukraine Is Forcing the United States to Produce More Weapons. Hudson.org article. Pull quote: “Below are several more highlights that show how supporting Ukraine is pushing the American defense industrial base to produce high quantities of weapons in a short amount of time.” Much (most?) of the ‘military aid’ being sent to Ukraine is money spent in facilities in the US.

Voyager 1 In Trouble as Engineers Scramble to Debug Issue with Flight Data System. Hackaday.com article. Pull quote: “This situation is not unlike a similar situation on Voyager 2 back in 2010 when the returned data showed a data pattern shift. Here resetting the memory of the FDS resolved the garbled data issue and the engineers could breathe a sigh of relief. This time the fix does not appear so straightforward, as a reset of the FDS on Voyager 1 did not resolve the issue, forcing the team to consider other causes. What massively complicates the debugging is that each transmission to and from the spacecraft takes approximately 22.5 hours each way, making for an agonizing 45 hour wait to receive the outcome of a command.”

QNAP VioStor NVR vulnerability actively exploited by malware botnet. BleepingComputer.com article. Pull quote: “Since version 5.0.0 was released nearly a decade ago, it is deduced that the Infected Slurs botnet targets legacy VioStor NVR models that never updated their firmware after initial setup.”

Americans abandoning neighborhoods due to rising flood risk, study finds. TheHill.com article. Pull quote: “That report emphasized the spreading danger of doom loops across the country, in particular as insurance companies withdraw from areas facing climate risks, leading to a cycle of declining home values, leading to fewer new loans being made to buy, build or fix up local houses.”

Congress stares down brutal January. TheHill.com article. Pull quote: “As members note, the coming political season has already created issues for lawmakers as it has truncated the 2024 congressional calendar. The Senate is set to only be in session for 29 weeks next year, compared to the 34 weeks that were slated for 2023.”

Bird Flu Is Still Causing Havoc. Here’s the Latest. NYTimes.com article. Pull quote: ““We’re worried about these viruses jumping into mammals and then maybe more specifically into humans,” Dr. Poulson said. “I just always like to point out that wildlife is important for its own sake. And this has proved to be a really devastating virus to mammalian and avian species.””

A top-secret Chinese spy satellite just launched on a supersized rocket. ArsTechnica.com article. Pull quote: “Although Chinese officials did not disclose the exact capabilities of Yaogan-41, it would almost certainly have the sensitivity to continually track US Navy ships and allied vessels across a wide swath of the Indo-Pacific. Aside from its use of the larger payload fairing, the Long March 5 rocket used to launch Yaogan-41 can haul approximately 31,000 pounds (14 metric tons) of payload mass into the orbit it reached on Friday's launch.”

After Weeks of Warnings, Iceland Volcano Erupts in Plumes of Fire. NYTimes.com article. Pull quote: “But after volcanologists had a chance to fly over the site of the eruption in the Reykjanes Peninsula, the immediate situation did not appear as dire as initially feared, though the size of the eruption was larger than anticipated and the direction of the lava’s flow still unpredictable.”

EPA Sends Ethylene Oxide Standard Final Rule to OMB

On Friday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a final rule from the EPA on “National Emission Standards for Hazardous Air Pollutants: Ethylene Oxide Commercial Sterilization and Fumigation Operations”. The notice of proposed rulemaking for this action was published on April 13th, 2023.

According to the Fall 2023 Unified Agenda entry for this rulemaking:

“The National Air Toxics Assessment (NATA) released in August 2018 identified ethylene oxide (EtO) emissions as a potential concern in several areas across the country. The latest NATA estimates that EtO significantly contributes to potential elevated cancer risks in some census tracts. These elevated risks are largely driven by an EPA risk value that was updated in December 2016. Further investigation on NATA inputs and results led to the EPA identifying commercial sterilization using EtO as a source category contributing to some of these risks. Over the past two years, the EPA has been gathering additional information to help evaluate opportunities to reduce EtO emissions in this source category through potential NESHAP revisions. In this rule, EPA will address EtO emissions from commercial sterilizers.”

That rulemaking entry suggests that the following industry sectors could be affected by this final rule:

• 311423 Dried and Dehydrated Food Manufacturing,

• 311942 Spice and Extract Manufacturing,

• 325412 Pharmaceutical Preparation Manufacturing,

• 33911 Medical Equipment and Supplies Manufacturing, and

• 561910 Packaging and Labeling Services

Review – HR 6510 Introduced – Composite Pipes for Hydrogen Pipelines

Last month, Rep Molinaro (R,NY) introduced HR 6510, the Hydrogen Safety and Environmental Responsibility Act. This bill would require DOT to “complete a study assessing the potential and existing use of pipelines constructed with composite materials to safely transport hydrogen and hydrogen blended with natural gas.” No funding is authorized by this legislation.

Moving Forward

Both Molinaro and his sole cosponsor {Rep Allred (D,TX)} are members of the House Transportation and Infrastructure Committee to which this bill was assigned for primary consideration. This typically means that there could be sufficient influence to see this bill considered in Committee. There may be some objections to this bill from pipeline safety advocates, but I do not expect that there would be sufficient opposition to block passage in Committee. I suspect that there would be enough bipartisan support for this bill to move to the floor of the House under the suspension of the rules process.

Because there is similar language in HR 6494, there will be no action on this bill while the larger PIPES Act is pending consideration. This bill will move forward, only if HR 6494 fails (unlikely) or the composite pipe study requirement is removed from the final version of the bill.

Commentary

The interest in composite materials in this bill is due to the fact that hydrogen readily diffuses into most of the metals used in pipeline construction (hydrogen embrittlement). The absorbed hydrogen makes the metal more brittle, lowers its fracture toughness and thus reduces the strength of the pipeline, particularly where the pipe is exposed to the repeated pressure cycling typical of gas transmission. The composite alternative can be either a high-strength plastic pipe or a plastic liner installed inside a conventional metal pipe.

 

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-6510-introduced - subscription required.

Saturday, December 16, 2023

Short Takes – 12-16-23

Hazardous Materials: Information Collection Activities. Federal Register PHMSA 30-day ICR notice. Summary: “The information collection activity will garner qualitative customer and stakeholder feedback in an efficient, timely manner and in accordance with the Department's commitment to improving service delivery. Qualitative feedback is information that provides useful insights on perceptions and opinions, not statistical surveys that yield quantitative results that can be generalized to the population of study. This feedback will provide insight into customer or stakeholder perceptions, opinions, experiences and expectations, as well as an early warning of issues with service, or focus attention on areas where communication, training or changes in operations might improve delivery of products or services.” Comment deadline: January 17th, 2024.

Intelligence Researchers to Study Computer Code for Clues to Hackers’ Identities. WSJ.com article. Pull quote: ““The number of attacks is increasing far more than the number of forensic experts that are available to go after these attacks,” said Kristopher Reese, who is managing the research program at IARPA and holds a doctorate in computer science and engineering. The lack of forensic resources means hackers who target small organizations or companies that don’t fall under critical infrastructure sectors often escape identification, he said.”

US Approves New Kind of Nuclear Reactor for First Time in 50 Years. Bloomberg.com article. Pull quote: “Kairos plans to begin construction next year on its $100 million project and expects the system to be complete by the end of 2026. The goal is to demonstrate the viability of its design and the molten salt technology. Molten salts remain liquid at high temperatures and low pressure, a potential safety advantage over water-cooled systems. Laufer said the last time a design that wasn’t water-cooled was approved in the US was in 1968.”

The FAA is developing an air traffic tool built for the space age. It may need help. FedScoop.com article. Pull quote: “The language described as “Space Launch and Reentry Airspace Integration Technology” in proposed congressional reauthorization language would allow for the FAA to appropriate up to $10 million a year to speed up the development of SDI, a Transportation committee source confirmed. That’s a significant bump from its current annual budget of $4.5 million, which, the agency told FedScoop, is meant to cover maintenance, including personnel, software, licenses, hardware and security support.” 

Review – Public ICS Disclosures – Week of 12-9-23 – Part 2

For Part 2 we have nine additional vendor disclosures for products from Phoenix Contact (6), Schneider (2), and VMware. There are 18 vendor updates from Mitsubishi, Schneider, Siemens (15), and Sierra Wireless. We also have seven researcher reports for vulnerabilities in products from EisBaer. Finally, we have two exploits for products from Atos and Splunk.

Advisories

Phoenix Contact Advisory #1 - Phoenix Contact published an advisory that describes an incorrect permissions assignment for a critical resource vulnerability in their MULTIPROG Engineering tool and ProConOS eCLR SDK.

Phoenix Contact Advisory #2 - Phoenix Contact published an advisory that describes an incorrect permissions assignment for a critical resource vulnerability in their Automation Worx Software Suite and classic line industrial controllers.

Phoenix Contact Advisory #3 - Phoenix Contact published an advisory that describes an incorrect permissions assignment for a critical resource vulnerability in their PLCnext Control.

Phoenix Contact Advisory #4 - Phoenix Contact published an advisory that describes a download of code without integrity check vulnerability in their MULTIPROG Engineering tool and ProConOS eCLR SDK.

Phoenix Contact Advisory #5 - Phoenix Contact published an advisory that describes a download of code without integrity check vulnerability in their Automation Worx Software Suite and classic line industrial controllers.

Phoenix Contact Advisory #6 - Phoenix Contact published an advisory that describes a download of code without integrity check vulnerability in their PLCnext Control.

Schneider Advisory #1 - Schneider published an advisory that discusses a missing authorization vulnerability (that is listed in CISA’s Known Exploited Vulnerabilities Catalog) in their Plant iT/Brewmaxx product.

Schneider Advisory #2 - Schneider published an advisory that describes two vulnerabilities in their Trio License-Free Radio products.

VMware Advisory - VMware published an advisory that describes a privilege escalation vulnerability in their Workspace ONE Launcher.

Updates

Mitsubishi Update - Mitsubishi published an update for their FA Engineering Software advisory that was originally published on November 24th, 2022 and most recently updated on June 29th, 2023.

Schneider Update - Schneider published an update for their PowerLogic advisory that was originally published on November 14th, 2023.

Siemens Update #1 - Siemens published an update for their TIA Portal advisory that was originally published on June 13th, 2023.

Siemens Update #2 - Siemens published an update for their LOGO! Soft Comfort advisory that was originally published on April 13th, 2023.

Siemens Update #3 - Siemens published an update for their LOGO! 8 BM Devices advisory that was originally published on October 11th, 2023.

Siemens Update #4 - Siemens published an update for their SIMATIC S7-1500 TM MFP V1.0 advisory that was originally published on June 13th, 2023 and most recently updated on November 14th, 2023.

Siemens Update #5 - Siemens published an update for their SIMATIC S7-1500 TM MFP V1.0 advisory that was originally published on June 13th, 2023 and most recently updated on November 14th, 2023.

Siemens Update #6 - Siemens published an update for their LOGO! 8 BM advisory that was originally published on March 9th, 2021.

Siemens Update #7 - Siemens published an update for their OPC UA Implementations of SIMATIC Products advisory that was originally published on September 12th, 2023 and most recently updated on October 10th, 2023.

Siemens Update #8 - Siemens published an update for their SCALANCE XB-200 advisory that was originally published on November 14th, 2023.

Siemens Update #9 - Siemens published an update for their Boot Loader of RUGGEDCOM ROS Devices advisory that was originally published on December 10th, 2019 and most recently updated on September 13th, 2022.

Siemens Update #10 - Siemens published an update for their S7-1500 CPU devices advisory that was originally published on January 10th, 2023 and most recently updated on March 14th, 2023.

Siemens Update #11 - Siemens published an update for their GNU/Linux subsystem of the SIMATIC S7-1500 advisory that was originally published on November 27th, 2018, and most recently updated on November 14th, 2023.

Siemens Update #12 - Siemens published an update for their OpenSSL X.400 Address Processing in SIMATIC Products advisory that was originally published on August 8th, 2023 and most recently updated on September 12th, 2023.

Siemens Update #13 - Siemens published an update for their OpenSSL RSA Decryption in SIMATIC Products advisory that was originally published on August 8th, 2023 and most recently updated on November 14th, 2023.

Siemens Update #14 - Siemens published an update for their RUGGEDCOM ROS advisory that was originally published on March 8th, 2022 and most recently updated on April 11th, 2023.

Siemens Update #15 - Siemens published an update for their WIBU Vulnerability in Industrial Products advisory that was originally published on September 12th, 2023 and most recently updated on October 10th, 2023.

Sierra Wireless Update - Sierra Wireless published an update to their ALEOS Security Advisory that was originally published on November 28th, 2023 and most recently updated on December 7th, 2023.

Researcher Reports

EisBaer Researcher Report - Claroty Team82 published seven reports on individual vulnerabilities in the EisBaer SCADA.

Exploits

Atos Exploit - Armin Weihbold published an exploit for an argument injection vulnerability in the Atos Unify OpenScape Session Border Controller.

Splunk Exploit - Valentin Lobstein published a Metasploit module for an XML injection vulnerability in the Splunk Enterprise product.


For more details about these disclosures, including a brief description of changes made in updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-12-5a1 - subscription required. 
