Tuesday, February 28, 2023

Short Takes – 2-28-23

CDC warns of drug-resistant stomach bug amid rise in cases. TheHill.com article. Pull quote: ““If your diarrhea lasts longer than usual or if it’s bloody or accompanied with severe stomach cramping, get to the doctor to determine whether it’s a run-of-the-mill norovirus or if it’s shigellosis,” Hill explained.”

Fighting toxic air pollution. TheHill.com article. Look at activists taking on ethylene oxide facilities. Pull quote: “Asked why these plants were still in operation, an EPA spokesperson said that its authority to shut down facilities is limited. But, the spokesperson said, the agency is working with state authorities to reduce emissions while developing a new regulation.”

Quieter Senate gives Fetterman recovery room. TheHill.com article. Pull quote: “With Fetterman out, Democrats still have a 50-49 majority that allows unilateral confirmation of nominees — without a vice presidential tie-breaker. The chamber has no immediate plans to consider legislation that would require 60 votes to break a filibuster.”

12 exotic bacteria found to passively collect rare earth elements from wastewater. NewsWise.com article. Pull quote: “In Frontiers in Bioengineering and Biotechnology, German scientists showed that the answer is yes: the biomass of some exotic photosynthetic cyanobacteria can efficiently absorb REEs [Rare earth elements] from wastewater, for example derived from mining, metallurgy, or the recycling of e-waste. The absorbed REEs can afterwards be washed from the biomass and collected for reuse.”

One is bad enough: climate change raises the threat of back-to-back hurricanes. NewsWise.com article. Pull quote: “The researchers said it is important for community planners and regional emergency officials to recognize this emerging threat. Improvements in both resilience and response are required to meet the increasing hazard. For resilience, communities will need to deal with increased flooding threats and harden systems that remove floodwater and protect critical infrastructure such as transportation, water systems and power grids. Emergency response teams will have to be prepared to handle multiple storms in relatively quick succession. On the state and federal level, this could mean being ready to dispatch resources to many stricken communities at the same time.” An emergency planning nightmare.

Telling time on the Moon. ESA.int article. Pull quote: “The international team working on the subject will face considerable technical issues. For example, clocks on the Moon run faster than their terrestrial equivalents – gaining around 56 microseconds or millionths of a second per day. Their exact rate depends on their position on the Moon, ticking differently on the lunar surface than from orbit.” SciFi missed this as a plot driver.

A new economic engine for culture. On.Substack.com article. Substack explained. Pull quote: “In the months ahead, we will work with writers to explore how we can give them more power to publish in whatever formats they want and to find new audiences on their own terms. We will also work with readers to help them be part of conversations that add to, rather than subtract from, their lives, and to reclaim control of their attention.”

Shortly before liftoff, SpaceX cancels a crew launch due to igniter issues. ArsTechnica.com article. Pull quote: “This is useful for igniting rocket engines, which turns out to be a rather tricky thing to do, at least when it comes to precisely starting engines at a certain time, in a carefully controlled manner. For the Merlin 1D engines inside the Falcon 9, oxygen is pumped into the engines' combustion chambers to meet up with TEA-TEB. After combustion begins, kerosene is injected into the chamber, and the flow of the TEA-TEB igniter fuel is turned off. Then, to increase thrust, the flow of oxygen and kerosene is increased.”

The Dream of Mini Nuclear Plants Hangs in the Balance. Wired.com article. Pull quote: “The price jump was not rooted in the arcana of nuclear physics, but the mundane details of big construction projects: copper wire up 32 percent, steel piping up 106 percent. Higher interest rates made everything more expensive over the course of construction, which is scheduled to wrap up in 2030. Without extra subsidies from the new Inflation Reduction Act—on top of $1.4 billion already committed to the project by the US Department of Energy—the price to energy users in places like Los Alamos would have doubled.”

Democrats unveil bill to tighten regulations for trains with hazardous materials. TheHill.com article. Pull quote: “The Decreasing Emergency Railroad Accident Instances Locally (DERAIL) Act — introduced by Reps. Ro Khanna (D-Calif.) and Chris Deluzio (D-Pa.) — would direct the Transportation secretary to amend the definition of a “high-hazard flammable train” to increase the number of trains subject to stricter regulations. Those regulations include slower speeds, newer cars, better breaking equipment and required reporting.”

DHS Oversight Plan Hearing – 2-28-23

Today the House Homeland Security Committee held a business meeting to approve their Oversight Plan for the 118th Congress. After considering and adopting two amendments, the Committee approved the amended Oversight Plan.

Rep Thompson (D,MS) offered an amendment that would have added a Domestic Terrorism section to the portion of the Plan dealing with the Subcommittee on Counterterrorism, Law Enforcement, and Intelligence. A subsequent amendment was offered by Rep Guest (R,MS) that proposed modifications to Thompson’s amendment. The Guest amendment was approved by a vote of 17 to 14. The modified Thompson amendment was then approved by a vote of 16 to 15. The amended Oversight Plan was approved by a vote of 17 to 14.

No further action needs to be taken on the approved Plan.

OCS Publishes Updated FAQ Responses – 2-28-23

Today, CISA’s Office of Chemical Security (OCS) published an updated response to an FAQ on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. The revised FAQ response was for FAQ #1275.

FAQ #1275 What needs to be done with the facility ID in the Chemical Security Assessment Tool (CSAT) when a covered chemical facility is bought or sold?

NOTE: The links provided for the FAQs in this post were copied from the CFATS Knowledge Center but may not work when followed from your machine. This is an artifact of that web site. If the links do not take you to the referenced FAQ, you will have to use the ‘Advanced Search’ function on the page to link to the FAQ or download the ‘All FAQs’ document at the bottom of the ‘Advanced Search’ page.

I cannot find any difference between this new version and the version that was updated on February 17th, 2023.

NOTE: Corrected date in Title, 06:26 EST 3-1-23

NOTE: Corrected cut/paste errors in first paragraph, 22:07 EST 3-1-23

Review - FHWA Publishes Electric Vehicle Infrastructure Final Rule

Today, the DOT’s Federal Highway Administration (FHWA) published a final rule in the Federal Register (88 FR 12724-12757) for the “National Electric Vehicle Infrastructure Standards and Requirements”. The rule “establishes regulations setting minimum standards and requirements for projects funded under the National Electric Vehicle Infrastructure (NEVI) Formula Program”. This rule establishes physical security and cybersecurity standards for NEVI funded projects as one of the six major areas of the new regulations.

Cybersecurity Overview

The executive summary of today’s rule notes that:

“This final rule outlines network connectivity requirements for charger-to-charger network communication, charging network-to-charging network communication, and charging network-to-grid communication. These requirements address standards meant to allow for secure remote monitoring, diagnostics, control, and updates. These requirements will help address cybersecurity concerns while mitigating against stranded assets (whereby any provider abandons operations at any particular charging station).”

Effective Date

March 30th, 2023 is the effective date for this regulation.


For more details about the security provisions (physical and cyber) of this final rule, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/fhwa-publishes-electric-vehicle-infrastructure - subscription required.

Review – 2 Advisories and 1 Update Published – 2-28-23

Today, CISA’s NCCIC-ICS published two control system security advisories for products from Hitachi. They also updated an advisory for products from Mitsubishi.

Advisories

Hitachi Advisory #1 - This advisory describes three vulnerabilities in the Hitachi Gateway Station (GWS).

NOTE: I briefly reported on these vulnerabilities on February 18th, 2023.

Hitachi Advisory #2 - This advisory describes two vulnerabilities in the Hitachi Gateway Station (GWS).

NOTE: I briefly reported on these vulnerabilities on February 18th, 2023.

Updates

Mitsubishi Update - This update provides additional details on an advisory that was originally published on May 19th, 2022 and most recently updated on May 31st, 2022.

NOTE: NCCIC-ICS published an ‘Update A’ for this advisory back on May 31st, 2022, making most of the same corrections marked in today’s ‘Update A’.


For more details on these advisories, including discussions about other vendor advisories from the same vendors, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-and-1-update-published-879 - subscription required.

Review – DHS Congressional Oversight

As I noted yesterday, the House Homeland Security Committee is holding a hearing this afternoon looking at their oversight plan for the Department of Homeland Security. DHS covers a wide range of activities, but three are of particular interest here: chemical security, cybersecurity, and surface transportation security. All are covered in the Oversight Plan draft published by the Committee.

The chemical security portion of the Plan includes (pg 9):

“An act to extend the Chemical Facility Anti-Terrorism Standards Program of the Department of Homeland Security, and for other purposes, (Pub. L. 116-150), conveys CFATS statutory authority until July 27, 2023, at which point the Committee will rely on these oversight activities and findings to consider improvements or modifications to the CFATS program which can be achieved through reauthorization.”

The wide-ranging cybersecurity discussion includes an interesting congressional initiative (pg 8):

“The Committee will lead quarterly meetings of relevant House Committees to conduct oversight, coordinate, and recommend changes to facilitate a whole of government approach to cybersecurity.”

The surface transportation provisions include (pg 15):

“The Committee will also review the extent to which TSA effectively coordinates with its federal, state, local, and private sector partners to secure the Nation’s transportation systems and to help prevent conflicting or unnecessarily redundant regulations. Finally, the Committee will assess the effectiveness of TSA’s efforts to secure the Nation’s pipeline systems through TSA’s oversight and inspection activities.”

Commentary

With just under five months left until the current CFATS authorization runs out, there is not much time for oversight hearings, formulating reauthorization legislation and passing it through the legislative process before July 27th. Compounding the problem is that the Committee shares oversight of the CFATS program with the Energy and Commerce Committee. Thus, legislation needs to be coordinated before it can come to the floor of the House. The Republican leadership of the ECC is concentrating on energy matters and will have little time for CFATS oversight, which will complicate the reauthorization process.

I suspect that these problems will require Congress to kick the problem down the road by authorizing a short-term (one to two years) extension of the program. CISA would probably push to see that such an extension would include specific authorization for the ChemLock program to avoid funding problems.


For more details about the Oversight Plan, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/dhs-congressional-oversight - subscription required.

Monday, February 27, 2023

Short Takes – 2-27-23

Last-minute problem keeps SpaceX rocket, astronauts grounded. TheHill.com article. Pull quote: “Officials said the problem involved ground equipment used for loading the engine ignition fluid. The launch team could not be sure there was a full load. A SpaceX engineer likened this critical system to spark plugs for a car.”

Periodic Graphics: Mucus, tears, and saliva. CEN.ACS.org article. A look at natural chemistry.

'Brain-eating' amoeba case in Florida potentially tied to unfiltered water in sinus rinse. LiveScience.com article. Pull quote: “The organism, an amoeba called Naegleria fowleri, typically lives in soil and warm fresh water and can sometimes grow in water tanks, heaters and pipes, according to the Centers for Disease Control and Prevention (CDC). In rare instances, it can infiltrate the human body and cause a disease of the brain and spinal cord called primary amebic meningoencephalitis (PAM), the CDC says. People can't develop PAM by swallowing N. fowleri or by interacting with an already-infected person; rather, the amoeba enters the brain through the nose, by traveling through the nerve that relays information about smells from the nose to the brain.”

Digital Twin-Based Cyber-Attack Detection Framework for Cyber-Physical Manufacturing Systems. IEEEExplore.IEEE.org paper. Abstract pull quote: “Digital twin (DT) technology emerges as a promising solution for providing additional insights into the physical process (twin) by leveraging run-time data, models, and analytics. In this work, we propose a DT framework for detecting cyber-attacks in CPMS during controlled transient behavior as well as expected anomalies of the physical process. We present a DT framework and provide details on structuring the architecture to support cyber-attack detection. Additionally, we present an experimental case study on off-the-shelf 3D printers to detect cyber-attacks utilizing the proposed DT framework to illustrate the effectiveness of our proposed approach.” Paywall protected.

Can You Tell Whether a “Bomb Train” Is Coming to Your Town? It’s Complicated. Pull quote: “The troika of hazard communications, according to the agency [PHMSA], contains the following: There is a listing of all cars with hazardous material on each train; signage detailing which car is carrying what material; and the use of AskRail, an electronic application used by first responders that gives up-to-the-minute details on a train’s location and contents.”

Review - HR 1160 Introduced – DOE Cybersecurity Reporting

Last week Rep Walberg (R,MI) introduced HR 1160, the Critical Electric Infrastructure Cybersecurity Incident Reporting Act. The bill would make DOE the designated agency to receive cybersecurity incident reports from critical electric infrastructure. It would also require DOE to publish regulations covering those reporting requirements. No spending is authorized in the bill.

The bill amends 16 USC 824o–1, Critical electric infrastructure security.

Moving Forward

As I reported earlier today, the Subcommittee on Energy, Climate, and Grid Security of the House Energy and Commerce Committee will hold a markup hearing that includes this bill. This indicates that the Committee leadership considers this an important bill. It is likely that there will be at least some level of bipartisan support for this bill. Moving this bill to the floor of the full House may be difficult because these reporting requirements conflict with the requirements of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (Division Y of PL 117-103), which designate CISA as the agency to receive cybersecurity incident reports and set a 72-hour reporting standard.


For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-1160-introduced - subscription required.

Committee Hearings – Week of 2-26-23

This week, with the House and Senate back in Washington (House just for three days), we are starting to see a ‘normal’ committee schedule with fewer ‘organizational’ hearings. This includes a markup hearing and an oversight planning hearing in the House of potential interest here.

Energy Markup

On Tuesday, the Subcommittee on Energy, Climate, and Grid Security of the House Energy and Commerce Committee will hold a markup hearing. There is one bill of potential interest here:

• HR 1160, Critical Electric Infrastructure Cybersecurity Incident Reporting Act

This bill was introduced last week and the GPO has not yet published an official copy of the bill’s language. The Committee does have a committee print available. The bill would make DOE the “designated agency within the Federal Government to receive notifications regarding cybersecurity incidents and potential cybersecurity incidents with respect to critical electric infrastructure from other Federal agencies and owners, operators, and users of critical electric infrastructure” {new 16 USC 824o–1(e)(1)}. It would also require DOE to “promulgate regulations to facilitate the submission of timely, secure, and confidential notifications regarding cybersecurity incidents and potential cybersecurity incidents” {new 16 USC 824o–1(e)(2)(A)} in support of that requirement.

I will try to have a more complete assessment of this bill completed before the hearing.

Homeland Security Oversight

On Tuesday, the House Homeland Security Committee will hold a business meeting to “Consider the Committee's Oversight Plan for the 118th Congress”. A draft of their oversight plan is available. It includes specific references to both cybersecurity and the CFATS program. The cybersecurity provisions are complex (as is to be expected), but the CFATS comments are contained in a single paragraph on page 9:

“During the 118th Congress the Committee will continue to oversee the Department’s implementation of the Chemical Facility Anti-Terrorism Standard (CFATS) program, which requires high risk chemical facility owners and operators to report chemical holdings, perform vulnerability assessments, and adopt risk-based security measures to protect against the threat of a terrorist attack. An act to extend the Chemical Facility Anti-Terrorism Standards Program of the Department of Homeland Security, and for other purposes, (Pub. L. 116-150), conveys CFATS statutory authority until July 27, 2023, at which point the Committee will rely on these oversight activities and findings to consider improvements or modifications to the CFATS program which can be achieved through reauthorization.”

I’ll discuss both topics in more depth in a subsequent post.

Saturday, February 25, 2023

Short Takes – 2-25-23

Ammonia Body to Host Webinar Examining Marine Ecosystem Impact. ShipAndBunker.com article. Pull quote: “Ammonia is widely expected to take up a significant share of the marine energy mix in future decades as the shipping industry works to eliminate its GHG emissions. But for now shipowners remain wary of its toxicity and the potential impact on shipping crews' health and the marine environment in the event of spills, and further research and development work will be needed into its safe handling as a bunker fuel.”

There are emergency plans. Hazardous materials move by train through the area. DailyStandard.com article. At another Ohio town. Pull quote: “"Mercer County response and government agencies have shown, though many situations, great cooperation and communications with each other for the good of the citizens of Mercer County," Robbins said.” Will they adjust their plans based on recent derailment?

Echoes of Alberton: '96 chlorine spill holds lessons for Ohio. Missoulian.com article. Pull quote: “Starting about a year after the Alberton [Montana] spill, Scholl began documenting Alberton residents' efforts to draw more attention to what they felt were mostly overlooked, or outright denied, long-term health effects that persisted among some people exposed to chlorine. What started as an introduction to the issue from a classmate who filmed the protests became a decades-long obsession for Scholl, who feels there's much more to the story — including lessons learned — than anyone knew. And almost no one outside the Missoula area has even heard of the Alberton spill at all, he said.”

Review - Chemical Security Quarterly - Winter 2023

Yesterday, CISA sent out an email to registered recipients (register here) on the latest version of the Chemical Security Quarterly. These periodic (mostly quarterly) updates look at chemical security issues, including the CFATS and ChemLock programs, as well as cybersecurity issues related to the same. The CFATS Knowledge Center used to post these CSQs, but stopped in 2021. Hopefully the new web site organization will include returning to the practice of publicly posting them.

Included in this issue are discussions about:

CISA Chemical Security Conducts 10,000th Compliance Inspection,

End of Windows 8.1 Support,

2023 Cyber Hygiene Reminders and Best Practices,

1993 Bombing of the World Trade Center Commemoration Presentation,

Updated CISA.gov Website,

ChemLock Service Spotlight: Assessments,

Upcoming ChemLock Trainings,

CFATS Program Statistics, and

Chemical Security Resources


For more details about what is included here, see my article on CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/chemical-security-quarterly-winter - subscription required.

Bills Introduced – 2-24-23

Yesterday, with the House meeting in pro forma session, there were 57 bills introduced. Two of those bills may receive additional attention in this blog:

HR 1160 To direct the Secretary of Energy to promulgate regulations to facilitate the timely submission of notifications regarding cybersecurity incidents and potential cybersecurity incidents with respect to critical electric infrastructure, and for other purposes. Walberg, Tim [Rep.-R-MI-5]

HR 1187 To modify the requirements for the registration of certain aircraft, and for other purposes. Lynch, Stephen F. [Rep.-D-MA-8]

I will be covering HR 1160.

I will be watching HR 1187 for language and definitions that would specifically apply to unmanned aircraft systems. This could have nothing to do with UAS, but you cannot tell from this description.

CRS Reports – Week of 2-18-23 – Derailment FAQs

This week the Congressional Research Service published a report on “East Palestine, OH, Train Derailment and Hazardous Materials Shipment by Rail: Frequently Asked Questions”. This report “focuses on the federal safety standards, voluntary industry guidelines, railroad operating practices that may be considered in understanding how and why this derailment occurred, and how to prevent similar derailments in the future. It also provides a brief summary of past legislative responses to railroad safety issues.”

This report briefly answers the following questions:

• What caused the East Palestine derailment?

• What federal requirements apply to rail shipments of hazardous materials?

• Why was the derailed train not regulated as a High-Hazard Flammable Train?

• What safety measures does the industry recommend for Key Trains?

• What are Electronically Controlled Pneumatic Brakes?

• Could the derailment be related to Precision Scheduled Railroading?

• What actions can Congress and the Department of Transportation take in response to the derailment?

Recalling that the purpose of the CRS is to provide members of Congress with information needed to inform the legislative process, the last section of the report is probably the most important.

Review – Public ICS Disclosure – Week of 2-18-23

This week we have 30 vendor disclosures from Aruba Networks, Cisco, GE Grid Solutions (19), Generex, GigaVUE, HP, HPE, Prosys OPC, Sick, VMware (2), and Zyxel. We have four vendor updates from HPE (3) and Software Toolbox. We also have six researcher reports for products from EIP Stack Group (3), Fortinet, Netmodule, and ODA. Finally, we have an exploit for products from Kardex.

Vendor Disclosures

Aruba Advisory - Aruba published an advisory that discusses four vulnerabilities in multiple products.

Cisco Advisory - Cisco published an advisory that describes a cross-site request forgery vulnerability in their Application Policy Infrastructure Controller and Cisco Cloud Network Controller.

GE Grid Solutions Advisories - GE published 19 advisories for vulnerabilities for various products. These advisories are only available to registered customers.

Generex Advisory - Incibe CERT published an advisory that describes seven vulnerabilities in the Generex UPS CS141 adapter.

GigaVUE Advisory - Incibe CERT published an advisory that describes a reflected cross-site scripting vulnerability in the GigaVUE-FM.

HP Advisory - HP published an advisory that describes four time-of-check to time-of-use (TOCTOU) vulnerabilities in their HP BIOS.

HPE Advisory - HPE published an advisory that describes three vulnerabilities in their Serviceguard on Linux products.

OPC UA Advisory - Prosys OPC published an advisory that describes a resource exhaustion vulnerability in their Simulation Server and SDK for Java products.

Sick Advisory - Sick published an advisory that describes two missing authentication for critical function vulnerabilities in their FX0-GPNT and FX0-GENT products.

VMware Advisory #1 - VMware published an advisory that describes an injection vulnerability in their Carbon Black App Control product.

VMware Advisory #2 - VMware published an advisory that describes an XML external entity vulnerability in their vRealize Orchestrator product.

Zyxel Advisory - Zyxel published an advisory that describes a misconfiguration vulnerability in their LTE3202-M437 and LTE3316-M604 4G LTE indoor routers.

Vendor Updates

HPE Update #1 - HPE published an update for their Synergy Servers advisory that was originally published on February 14th.

HPE Update #2 - HPE published an update for their ProLiant DX Servers advisory that was originally published on February 14th, 2023.

Software Toolbox Update - Software Toolbox published an update for their TOP Server DNP3 Client Suite Drivers advisory that was originally published on August 22nd, 2013.

Researcher Reports

EIP Report #1 - Cisco Talos published a report that describes an out-of-bounds write vulnerability in the EIP Stack Group OpENer SetAttributeList.

EIP Report #2 - Cisco Talos published a report that describes an out-of-bounds write vulnerability in the EIP Stack Group OpENer GetAttributeList.

EIP Report #3 - Cisco Talos published a report that describes a use of uninitialized pointer vulnerability in the EIP Stack Group OpENer Forward Open connection_management_entry.

Fortinet Report - Horizon3 published a report that describes an externally controlled reference to a resource in another sphere vulnerability in the Fortinet FortiNAC product.

Netmodule Report - Onekey published a report that describes two vulnerabilities in the Netmodule industrial routers. This is a coordinated disclosure.

ODA Report - The Zero Day Initiative published a report that describes an out-of-bounds write vulnerability in the Open Design Alliance (ODA) Drawing SDK product.

Exploits

Kardex Exploit - Patrick Hener and Nico Viakowski published an exploit for a code injection vulnerability in the Kardex Mlog automated storage system.


For more details about these disclosures, including links to third-party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosure-week-of-2-18 - subscription required.

Friday, February 24, 2023

Short Takes – 2-24-23

Dole production plants crippled by ransomware, stores run short. TheRegister.com article. No mention of control systems being affected. Pull quote: “"The Dole attack is the perfect example of how ransomware can put organizations in a pressure cooker," Miller said. "If they are locked out of their systems, they can't fulfill customer orders, they're losing more money every second that the system stays down."”

White House cybersecurity strategy to force large companies to make systems secure by design. CyberScoop.com article. Document release ‘imminent’ again. Pull quote: “By “shifting the burden back from the smaller players” and toward larger players “that can build in security by design” the strategy aims to deliver broad security gains, Stewart Gloster said. The strategy documents also looks at how to “rearchitect our digital ecosystem” so “that we are creating future resilience,” she said.”

Hacker Uncovers How to Turn Traffic Lights Green With Flipper Zero. TheDrive.com article. Pull quote: “For the record, building and using one of these transmitters as a member of the general public isn't exactly a good idea nor is it legal. It's best treated like something read in The Anarchist's Cookbook unless you want to end up in prison for six months, that is. But for those in a position where they are authorized to use the devices as part of their work, Fairlie's example serves as a low-cost proof of concept for agencies that don't have tons of cash to spend on first-party transmitters.”

Four systemic safety issues the East Palestine crash report may point to. TheHill.com article. Pull quote: “Federal regulators, advocates and safety experts suggest the crashes could point to broad issues with federal regulations and the methods America’s freight railways use to detect and respond to overheating car wheels. Here are four possible problems they’ve raised.”

The Most Advanced Bay Area Earthquake Simulations to Be Publicly Available. HomelandSecurityNewswire.com article. Further advances may allow for facility level earthquake resilience planning. Pull quote: ““Particularly, data is very limited for large magnitude events. In an expected big earthquake near the San Francisco Bay Area or Los Angeles, critical infrastructure, tall buildings, and important bridges will be subjected to high magnitude ground motions, so developing such motions from simulations is essential for community safety and resilience,” said Mosalam. “The upcoming simulation-based dataset will be instrumental for facilitating deeper understanding of the hazard, performance, and overall resiliency of California, allowing officials to identify the infrastructure systems and structures that pose the largest risk in an effective and accurate manner, and properly allocate resources.””

Implementation of 2021 Wassenaar Arrangement Decisions. Federal Register BIS final rule. No new cybersecurity provisions. Summary: “This final rule implements the remaining controls agreed to during the December 2021 WA Plenary meeting by revising the CCL, as well as certain EAR provisions, including License Exception Adjusted Peak Performance (APP). This final rule also makes corrections to align the scope of Significant Item (SI) license requirements throughout the EAR and makes a revision to License Exception Strategic Trade Authorization (STA).” Effective date – today.

Review - New CISA Web Site – ICS Security

As part of the revision of the CISA web site that I briefly discussed yesterday, CISA has revamped, again, the Industrial Control System Security portion of their site. Gone are all mentions of the old US-CERT and ICS-CERT, even from the URLs. This latter change has been in the works for quite some time, with multiple changes in the past leading to yesterday’s apparent final elimination.

The new landing page retains the ‘four core priorities’ and three Goals that premiered on the previous revision of the page. Following those entries, the page provides links for:

Report a Vulnerability,

ICS Advisories,

ICS Training, and

ICSJWG

The page then provides listings for ‘CISA’s ICS Offerings’ with category headings of:

• Assessment Services,

• Threat Hunting and Incident Response,

• Partnerships and Engagement,

• Technical Products and Services,

• Information Exchange,

• Vulnerability Coordination and Disclosure

Similar headings were provided on the previous landing page. Interestingly, under the heading ‘Partnership and Engagement’ the page lists ‘Follow CISA ICS on Twitter’. Since CISA consolidated their Twitter accounts, this takes you to https://twitter.com/CISACyber, not any dedicated ICS account.


For more on the information available on the new ICS Security web site, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/new-cisa-web-site - subscription required.


Thursday, February 23, 2023

Short Takes – 2-23-23

Most young men are single. Most young women are not. TheHill.com article. Pull quote: “Social circles have been shrinking for men and women, especially since the pandemic, but men struggle more. Thirty years ago, 55 percent of men reported having six or more close friends. By 2021, that share had slipped to 27 percent.”

A Norfolk Southern Policy Lets Officials Order Crews to Ignore Safety Alerts. ProPublica.org article. Pull quote: “While some employees and outside experts say there are times in which such policies safely benefit business operations, union officials believe they are emblematic of Precision Scheduled Railroading, the most controversial — and profitable — innovation that’s come out of the country’s seven biggest railroads, the so-called Class 1s, in the last decade. It prioritizes keeping rail cars and locomotives in constant motion.”

Railroad pushback to safety regulations scrutinized amid East Palestine disaster. TheHill.com article. Pull quote: ““The NTSB’s independent investigators continue their work to identify the accident’s root cause and contributing factors,” Association of American Railroads CEO Ian Jefferies said in a statement. “That investigation must continue unimpeded by politics and speculation so NTSB’s findings can guide what additional measures may have prevented this accident.””

U-2 Spy Planes Snooped On Chinese Surveillance Balloon. TheDrive.com article. Interesting details. Pull quote: “On top of that, each U-2S can be configured to collect multiple types of intelligence simultaneously, as you can read more about here. One common sensor loadout for the Dragon Lady consists of the Senior Glass signals intelligence suite, components of which are spread between bays in the fuselage and two underwing 'Super Pods' when it is installed, together with either the Senior Year Electro Optical Reconnaissance System-2 (SYERS-2) or Advanced Synthetic Aperture Radar System-2 (ASARS-2) in the nose. SYERS-2 is a multi-spectral camera system that can produce high-resolution imagery of a target, even at night. ASARS-2 also produces images, but by using a radar operating in a synthetic aperture mode, giving it an all-weather capability.”

Homeland Security Exercise and Evaluation Program (HSEEP) Documentation. Federal Register FEMA 30-day ICR Notice. Summary: “The Federal Emergency Management Agency (FEMA) will submit the information collection abstracted below to the Office of Management and Budget for review and clearance in accordance with the requirements of the Paperwork Reduction Act of 1995. The submission will describe the nature of the information collection, the categories of the respondents, the estimated burden (i.e. the time, effort and resources used by respondents to respond) and cost, and the actual data collection instruments FEMA will use.” Comment deadline March 4th, 2023.

Notice of Public Meetings in 2023 for International Standards on the Transport of Dangerous Goods. Federal Register PHMSA meeting notice. Summary: “This notice announces that PHMSA's Office of Hazardous Materials Safety will host four public meetings during 2023 in advance of certain international meetings. For each of these meetings, PHMSA will solicit public input on current proposals.” Dates will be available on PHMSA website.

Georgia on My Mind, Once More. StatusKuo.Substack.com article. Interesting take on recent GA grand-jury foreperson comments. Pull quote: “All that said, when and if indictments do come down from the regular grand jury, these recommendations and the forewoman’s behavior will likely be forgotten as Trump and his followers direct their ire at District Attorney Fani Willis. After all, she holds the ultimate decision making authority and responsibility. In all likelihood, we will remember only that the jury forewoman gave us a pretty good heads up.”

Our Best Look Yet At The Chinese Spy Balloon’s Massive Payload. TheDrive.com article. Pull quote: “Altogether, the detail visible in this picture is remarkable for just a selfie taken with a wide-angle camera. The U-2S pilots should have been able to collect far better imagery with more capable cameras with telephoto lenses, as well as potentially the aircraft's very powerful electro-optical suite. The planes could have been able to collect valuable signals intelligence on the balloon, as well — that is if it was radiating any electromagnetic emissions at all.”

Norfolk Southern Railway Train Derailment with Subsequent Hazardous Material Release and Fires. NTSB.gov report. Preliminary data report – no findings. Pull quote: “The NTSB’s investigation is ongoing. Future investigative activity will focus on the wheelset and bearing; tank car design and derailment damage; a review of the accident response, including the venting and burning of the vinyl chloride; railcar design and maintenance procedures and practices; NS use of wayside defect detectors; and NS railcar inspection practices.”

New CISA Web Site – 2-23-23

CISA has done an extensive update of their web site. There are new web site links, changes in format, and almost certainly changes in information. Major changes of interest to this web site include the following new pages:

Industrial Control Systems,

Coordinated Vulnerability Disclosure Program,

Chemical Facility Anti-Terrorism Standards (CFATS),

Ammonium Nitrate Security Program,

Bomb-Making Materials Awareness Program (BMAP), and

ChemLock

There are a large number of other CISA programs that have new web sites as well. They are listed on six separate pages at Programs. Oh, and much to my dismay, there are no dates on any of the web pages that I have seen.

Most old links still work, but they take one to the newer sites. As I get down in the weeds more, I am sure that I will find links that still go to old sites, or no longer work. This is going to be a major source of posts on this blog for quite some time.


Review - 1 Advisory and 2 Updates Published – 2-23-23

Today, CISA’s NCCIC-ICS published a control system security advisory for products from PTC. They also updated advisories for products from Moxa and BD.

Advisories

PTC Advisory - This advisory describes two vulnerabilities in the PTC ThingWorx Edge.

NOTE: NCCIC-ICS reports that products from Rockwell Automation and GE Digital are affected by these vulnerabilities.

Updates

Moxa Update - This update provides additional information on an advisory that was originally published on November 29th, 2022.

BD Update - This update provides additional information on an advisory that was originally published on February 16th, 2023.


For more on these advisories and updates, including a list of other vendors affected and a summary of changes in the updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-and-2-updates-published-c38 - subscription required.

Wednesday, February 22, 2023

Review - HR 275 Introduced in House – First Responder Readiness

Last month, Rep Jackson-Lee (D,TX) introduced HR 275, the First Responder Identification of Emergency Needs in Disaster Situations (FRIENDS) Act. The bill would require GAO to conduct a study on the circumstances which may impact the effectiveness and availability of first responders before, during, or after a terrorist threat or event. No funds are authorized by this bill. A similar bill, HR 2795, was introduced in the 114th Congress where it passed in the House but was not taken up in the Senate.

Moving Forward

Jackson-Lee is not a member of the House Transportation and Infrastructure Committee to which this bill was assigned for primary consideration. She is, however, a member of the House Homeland Security Committee to which the bill was also assigned for consideration. She probably has the influence to see the bill considered in the latter, but not the former. The bill cannot, generally speaking, move forward without the approval of the T&I Committee. There is nothing in this bill that would engender any organized opposition and I suspect that the bill would garner broad, bipartisan support if it were considered.


For more details on this legislation, including an additional look at its prospects in Committee, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-275-introduced-in-house - subscription required.


Bills Introduced – 2-21-23

Yesterday, with both the House and Senate meeting in pro forma session, there were 55 bills introduced. Three of those bills may receive additional coverage in this blog:

HR 1123 To direct the Assistant Secretary of Commerce for Communications and Information to submit to Congress a report examining the cybersecurity of mobile service networks, and for other purposes. Eshoo, Anna G. [Rep.-D-CA-16]

HR 1127 To allow for cooperate research activities between the Department of Homeland Security and Taiwan to strengthen preparedness against cyber threats and enhance capabilities in cybersecurity, and for other purposes. Gonzales, Tony [Rep.-R-TX-23]

HR 1148 To direct the Secretary of Energy to promulgate regulations to facilitate the timely submission of notifications regarding cybersecurity incidents and potential cybersecurity incidents with respect to critical electric infrastructure, and for other purposes. Walberg, Tim [Rep.-R-MI-5]

I will be covering HR 1148.

I will be watching HR 1123 and HR 1127 for language and definitions that specifically include control system security within the scope of the legislation.

Tuesday, February 21, 2023

Short Takes – 2-21-23

Florida's climate exodus has already begun — and it's only going to get worse. BusinessInsider.com article. Pull quote: “The storm [Hurricane Irma] had scared many people off, but it had also destroyed a quarter of the Keys's housing stock, which drove up prices for the homes that survived. In the meantime, the Faasts saw their friends start to leave as well: one moved to Sarasota, another to Orlando, and a third friend, who had been the first-ever mayor of Marathon, talked about moving to central Florida.”

Russia is launching a mission to give stranded space station crew members a ride home. NPR.org article. Pull quote: “The spacecraft will carry roughly 948 pounds of cargo to the space station, including food and equipment for experiments. Rubio, Prokopyev and Petelin will then fly home in the MS-23 in several months. They were originally scheduled to leave by late March but NASA said in January that their missions would now last until September.”

Researchers watch and worry as balloons are blasted from the sky. NPR.org article. Pull quote: “In the past, it hasn't been a big deal if a balloon drifts near — they simply notify White Sands, and the balloon bobs by, at an altitude far above airplanes and other flying projectiles that might cause concern. But Guzik worries that fears about spying could change the rules, making it harder for peaceful balloons to fly. He can imagine airports, military bases, and many other facilities trying to restrict balloon overflights, something that can be difficult to do, since balloons tend to blow with the wind.”

Power-Grid Attacks Surge and Are Likely to Continue, Study Finds. WSJ.com article. Pull quote: ““No utility has the ability to prevent this from happening,” she [Duke Power CIO] said. “You can have all the cameras in the world, but that doesn’t necessarily mean you’re going to be able to deliver reliable power because of that.””

Short Takes – 2-21-23 – Ohio Derailment Aftermath Issue – Part 2

Ohio train derailment raises more questions. CEN.ACS.org article. Pull quote: “Some have chosen to stay at a distance, at least until they have proper testing done on their homes. “If it were me, I would want to have the proper tests done,” Johns Hopkins’s DeCarlo says. “I have seen that EPA is screening houses. But from what I’m reading, the language being used, it sounds like they are using those handheld devices, which, again, are not chemically specific and don’t necessarily give an appropriate understanding of what risks may be there.””

Four rail-borne risks moving through American communities. TheHill.com article. Pull quote: ““Local communities don’t know what’s in these trains,” said Kristen Boyle, an attorney with public interest law firm Earthjustice. “Local communities can’t find out. They can’t stop the trains from going through, and they have been unable to get safety regulations.””

U.S. urges rail industry, Congress to boost safety measures after toxic derailment. Yahoo.com article. Pull quote: “Some rail safety requirements were withdrawn under President Donald Trump. Some Republican critics of the East Palestine response who previously opposed rail regulations have now expressed openness to new rules.”

EPA to require Norfolk Southern to clean up chemicals after Ohio train derailment. TheHill.com article. Pull quote: “Under the newly announced EPA order, the agency will approve a work plan outlining the steps needed to clean up the environmental damage that the derailment caused. If Norfolk Southern doesn’t abide by the plan, the EPA will do the work and charge the company triple the cost.”

Buttigieg unveils freight rail reforms in wake of East Palestine derailment. TheHill.com article. Pull quote: “The Department of Transportation will also begin a series of inspections of routes over which trains with large amount of hazardous material travel and advance a new rule requiring that at least two railroad staff be present for most operations.”

Buttigieg pushes Norfolk Southern to support higher rail safety standards. TheHill.com article. Pull quote: “He added that Norfolk Southern and other railroad companies have spent millions of dollars in the courts and lobbying lawmakers to oppose increased safety regulation, noting several other train derailments that happened under Norfolk Southern’s watch.”

Review – One advisory and One Update Published – 2-21-23

Today, CISA’s NCCIC-ICS published a control system security advisory for products from Mitsubishi Electric. They also updated an advisory for products from Philips.

Advisories

Mitsubishi Advisory - This advisory discusses two vulnerabilities in the Mitsubishi MELSOFT iQ AppPortal.

Updates

Philips Update - This update provides new information for an advisory that was originally published on July 6th, 2021 and most recently updated on January 20th, 2022.


For more details on these advisories, including links to 3rd party advisories and a look at problems today with the CISA website, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/one-advisory-and-one-update-published-27b - subscription required.

Explosions and CSB Chemical Incident Reporting

An explosion and fire at a manufacturing facility in Oakwood Village, OH yesterday raises some interesting questions about chemical release reporting requirements under Chemical Safety Board regulations, 40 CFR 1604. Current news reporting (see here, here, and here for example) all state that the cause of the initial explosion, which caused the resulting large scale fire at the facility and resulted in one death and 13 serious injuries, is unknown at this time. Since it is not known at this time if hazardous chemicals were involved in the incident, does this mean the facility does not have to report this incident to the CSB?

The CSB has actually addressed this type of situation in their “CSB Guidance on 40 C.F.R. Part 1604” that was issued last summer. In response to FAQ 2.2.1 on page 15, the CSB notes that:

“An accidental release of water or air could meet the criteria of an extremely hazardous substance. The Accidental Release Reporting Rule states that the owner or operator of a stationary source must report any accidental release resulting in a fatality, serious injury, or substantial property damage. The rule’s definition of “extremely hazardous substance” includes any substance that alone, or in combination with other substances or factors, causes death, serious injury, or substantial property damages. The manner in which a substance inflicts such consequences may vary broadly (fire, explosion, effects of toxicity, asphyxiation, etc.) but what defines the substance as “extremely hazardous” is its demonstrated impact on people and the environment upon being accidentally released from a stationary source into the ambient air, as those terms are defined.”

This means that even if the explosion was a boiler explosion that only released steam (water being a chemical, H2O), if the results of that explosion include a death or deaths, serious injuries, or extensive property damage, then the facility would have to report the incident. So it would seem that the facility in Oakwood Village yesterday would have been required to report this incident to the CSB within eight hours of its occurrence. I suspect, however, that the timely reporting of this incident to the CSB was probably the furthest thing from the concerns of the facility management.

An interesting hypothetical question: would a terrorist bombing of a facility trigger reporting requirements under §1604? This is not specifically addressed in the CSB guidance document, but I suspect that the CSB would probably pass on requiring reporting of a terrorist bombing incident, unless the incident resulted in the release of other chemicals that caused reportable consequences under the rule.

Sunday, February 19, 2023

Review – Public ICS Disclosures – Week of 2-11-23 – Part 2

For part two this week we have five additional vendor advisories from Beijer Electronics, Schneider (3) and Siemens. There are also sixteen vendor updates from Schneider (7) and Siemens (9).

Vendor Advisories

Beijer Advisory - Beijer published an advisory that describes two vulnerabilities in their Korenix JetWave products.

NOTE: Added link 1347 hrs on April 6th, 2023

Schneider Advisory #1 - Schneider published an advisory that describes an improper output neutralization for logs vulnerability in their EcoStruxure Geo SCADA Expert software.

Schneider Advisory #2 - Schneider published an advisory that describes nine vulnerabilities in their StruxureWare Data Center Expert.

Schneider Advisory #3 - Schneider published an advisory that describes an improper authentication vulnerability in their Merten KNX devices.

Siemens Advisory - Siemens published an advisory that describes 19 vulnerabilities.

Vendor Updates

Schneider Update #1 - Schneider published an update for their NetBotz 4 advisory that was originally published on November 8th, 2022.

Schneider Update #2 - Schneider published an update for their Modicon M340 Controller and Communication Modules advisory that was originally published on April 12th, 2022 and most recently updated on September 13th, 2022.

Schneider Update #3 - Schneider published an update for their BadAlloc advisory that was originally published on November 9th, 2021 and most recently updated on January 10th, 2023.

Schneider Update #4 - Schneider published an update for their Web Server on Modicon M340 advisory that was originally published on September 14th, 2021 and most recently updated on September 13th, 2022.

Schneider Update #5 - Schneider published an update for their NicheStack TCP/IP Vulnerabilities advisory that was originally published on August 5th, 2021 and most recently updated on September 13th, 2022.

Schneider Update #6 - Schneider published an update for their Web Server on Modicon M340 advisory that was originally published on November 10th, 2020 and most recently updated on September 13th, 2022.

Schneider Update #7 - Schneider published an update for their Embedded FTP Servers for Modicon PAC Controllers that was originally published on March 22nd, 2018 and most recently updated on December 13th, 2022.

Siemens Update #1 - Siemens published an update for their Denial of Service Vulnerability in OpenSSL advisory that was originally published on June 16th, 2022 and most recently updated on January 10th, 2023.

Siemens Update #2 - Siemens published an update for their SegmentSmack advisory that was originally published on April 14th, 2020 and most recently updated on January 10th, 2023.

Siemens Update #3 - Siemens published an update for their SINUMERIK ONE and SINUMERIK MC advisory that was originally published on November 8th, 2022.

Siemens Update #4 - Siemens published an update for their SCALANCE W1750D advisory that was originally published on November 8th, 2022.

Siemens Update #5 - Siemens published an update for their S7-1500 CPU devices advisory that was originally published on January 10th, 2023.

Siemens Update #6 - Siemens published an update for their PROFINET Stack Integrated on Interniche Stack advisory that was originally published on April 14th, 2022 and most recently updated on January 10th, 2023.

Siemens Update #7 - Siemens published an update for their GNU/Linux subsystem advisory that was originally published in 2018 and most recently updated on December 13th, 2022.

Siemens Update #8 - Siemens published an update for their FTP Server of Nucleus RTOS advisory that was originally published on October 13th, 2022 and most recently updated on December 13th, 2022.

Siemens Update #9 - Siemens published an update for their Insyde BIOS vulnerabilities advisory that was originally published on February 22nd, 2022 and most recently updated on October 11th, 2022.


For additional information on these disclosures, including links to vendor reports and exploits as well as a brief summary of changes in the updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-0a7 - subscription required.

Saturday, February 18, 2023

Short Takes – 2-18-23

Trump-Era Officials Were Aware of Suspected Balloons in U.S. Airspace. WSJ.com article. Pull quote: “Now it appears some intelligence officials at the Pentagon were aware of the incidents and harbored concerns that they were related to China, believing Beijing was using them to test radar-jamming systems over sensitive U.S. military sites. The data collected about the Trump-era incidents was limited to a basic assessment and therefore wasn’t shared more broadly within the government at the time.”

NIST charts proposed updates to SP 800-171 for covering controlled unclassified information. IndustrialCyber.co article. Pull quote: “There was broader stakeholder concern regarding implementation challenges for non-federal systems such as the SP 800-53 controls originally developed for federal systems. It assesses that some controls/elements of controls should not apply outside the US government (federal-centric); some controls are overly granular when applied to an ‘as-built’ contractor system; and many baseline controls are unnecessary for the protection of CUI.”

Who’s Responsible for the Toxic Train Disaster in East Palestine, Ohio? StatusKuo.substack.com blog post. Pull quote: “The scale of the disaster raises important questions about what caused the accident, who is responsible for it, and what should be done to prevent similar or even worse incidents in the future. Republicans are seeking to lay the blame on the new infrastructure bill and the Biden administration, but that’s all a smokescreen for what likely led to the accident. The real answers have big implications for how government ought to respond and act to prevent future tragedies.”

Here’s what the derailed Ohio train was carrying — and what was burned. WashingtonPost.com article (with photos and videos). Pull quote: “A security camera captured the Norfolk Southern train near Salem, Ohio, 20 miles west of the site where it later derailed. What appears to be sparks and flames can be seen underneath one of the cars. The National Transportation Safety Board (NTSB) has since said that the derailment appears to have been caused by a mechanical problem on one car, saying a wheel bearing on that car appeared to have overheated.”

DHS Announces HSAC Meeting – March 16th, 2023

DHS published a meeting notice in Tuesday’s (available online today) Federal Register (88 FR 10529) for a meeting of the Homeland Security Advisory Council on March 16th, 2023. The meeting will be open to the public via a web conference.

Agenda

The agenda for the meeting includes receipt, discussion and votes on four draft reports:

• Intelligence and Information Sharing Subcommittee,

• Openness and Transparency Subcommittee,

• Homeland Security Technology and Innovation Network Subcommittee, and

• Supply Chain Security Subcommittee

Public Participation

Members of the public wishing to participate in the meeting via web cast need to contact Rebecca Sternhell of the Council via email to HSAC@hq.dhs.gov by March 15th, 2023. Persons wishing to submit written comments on the agenda items may submit them via the Federal eRulemaking Portal (www.Regulations.gov; DHS-2023-0008) by March 14th, 2023.

Review – Public ICS Disclosures – Week of 2-11-23 – Part 1

While the Saturday after the 2nd Tuesday is typically a heavy day for reporting control system security advisories, this particular Saturday is the worst that I have seen. To be able to get through all of the reporting I am going to have to resort to bulk listing of advisories for some vendors instead of my normal digest. I hope this will still be helpful.

This week we have 125 vendor disclosures from B&R (2), FortiGuard (40), Fujitsu, GE Gas Power, Hitachi Energy (12), HP (2), HPE (50), Insyde (12), Moxa, Phoenix Contact, Splunk (2), and WAGO.

In Part 2 I will look at this week’s Schneider and Siemens advisories that were published on Tuesday as well as two exploits that were published this week.

Vendor Advisories

B&R Advisory #1 - B&R published an advisory that describes a cross-site scripting vulnerability in their Automation Runtime product.

B&R Advisory #2 - B&R published an advisory that discusses 22 vulnerabilities in their APC, PPC, and MPC product lines.

FortiGuard Advisories - FortiGuard published 40 advisories for multiple vulnerabilities in multiple products.

Fujitsu Advisory - Fujitsu published an advisory that discusses 12 vulnerabilities in multiple Fujitsu products.

GE Advisory - GE Gas Power published an advisory that discusses an out-of-bounds write vulnerability in their NetworkST4 and M&D Lockbox products.

Hitachi Advisory #1 - Hitachi Energy published an advisory that discusses two vulnerabilities in their Gateway Station (GWS) product.

Hitachi Advisory #2 - Hitachi published an advisory that discusses four improper input validation vulnerabilities in their Gateway Station (GWS) product.

Hitachi Advisories #3-12 - Hitachi Energy published ten advisories that describe an IEC 61850 MMS-Server vulnerability in multiple Hitachi product lines.

HP Advisory #1 - HP published an advisory that discusses an out-of-bounds read vulnerability in multiple product lines.

HP Advisory #2 - HP published an advisory that discusses five vulnerabilities in multiple product lines.

HPE Advisories - HPE published 50 advisories for multiple vulnerabilities in multiple product lines. Most of the reported vulnerabilities are third-party vulnerabilities.

Insyde Advisories - Insyde published 12 advisories for separate vulnerabilities in various libraries and services provided by Insyde.

Moxa Advisory - Moxa published an advisory that discusses a DNS cache poisoning vulnerability in the uClibc-ng libraries.

Phoenix Contact Advisory - Phoenix Contact published an advisory that discusses 64 vulnerabilities in their PLCnext Firmware.

Splunk Advisory #1 - Splunk published an advisory that discusses the Text4Shell vulnerability.

Splunk Advisory #2 - Splunk published an advisory that discusses nine vulnerabilities in their Enterprise Package.

WAGO Advisory - CERT VDE published an advisory that describes a hidden functionality vulnerability in the WAGO Unmanaged Switch.


For more details on these disclosures, including a list of affected products, links to researcher reports, 3rd party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-47f - subscription required.

Friday, February 17, 2023

Short Takes – 2-17-23

Availability of the Protocol for the Ethylbenzene IRIS Assessment. Federal Register EPA notice. Summary: “The Environmental Protection Agency (EPA) is announcing a 30-day public comment period associated with release of the document, Protocol for the Ethylbenzene IRIS Assessment. This document communicates the rationale for conducting the Integrated Risk Information System (IRIS) assessment of ethylbenzene, describes screening criteria to identify relevant literature, outlines the approach for evaluating study quality, and describes the methods for dose-response analysis.” Comment deadline: March 20, 2023.

Periodic Graphics: Baking soda versus baking powder. CEN.ACS.org ‘periodic graphic’. For the cooking geek. “Chemical educator and Compound Interest blogger Andy Brunning explains how chemical leavening agents make cookies and other baked goods rise.”

Request for Information-Foundation for Energy Security and Innovation (FESI). Federal Register DOE Notice. Summary: “The U.S. Department of Energy (DOE) publishes the following questions regarding potential engagement with the Foundation for Energy Security and Innovation (FESI), directed to be established under the CHIPS and Science Act. The purpose of this RFI is to seek input on how DOE stakeholders may engage with the FESI directly, and how DOE may engage with the FESI and the communities it will serve. Interested parties are requested to answer some or all of the questions at their discretion.” Comment deadline: March 27th, 2023.

New Protections for Food Benefits Stolen by Skimmers. KrebsOnSecurity.com article. Pull quote: “On December 29, 2022, President Biden signed into law the Consolidated Appropriations Act of 2023, which — for the first time ever — includes provisions for the replacement of stolen EBT benefits. This is a big deal because in 2022, organized crime groups began massively targeting EBT accounts — often emptying affected accounts at ATMs immediately after the states disperse funds each month.”

OCS Publishes 2 New FAQs and 3 Updated FAQ Responses – 2-17-23

Today, CISA’s Office of Chemical Security (OCS) published two new frequently asked questions (FAQs) and updated the responses to three other FAQs on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. The three revised FAQ responses were for FAQs #1275, #1557 and #1756; the first deals with facility ID changes, the second addresses Tier assignment appeals, and the third is about owner name changes. In all three cases, the change to each of the responses was to reverse the recent change in mailing addresses. The current address for all three FAQs is:

Chemical Security, Associate Director

CISA – CHR STOP 0609

Cybersecurity and Infrastructure Security Agency

1310 N. Courthouse Rd.

Arlington, VA 20598-0609


NOTE: Corrected the date in the title at 10:02 pm EST 2-17-23
