Friday, March 31, 2023

Short Takes – 3-31-23

Do You Really Need Remote Access? SCADAmag.Infracritical.com blog post. Pull quote: “This is why, if you must use remote access, you have to convey strict policies and technical measures to ensure that there is some coordination. If there are operators on duty, you must call them and discuss what you’re going to do before and after you access the system. If anything doesn’t go as expected, STOP and then call them to coordinate. The operator on duty is responsible for everything that happens. Did you let the operator know that you’re there? Did you discuss what you were going to do and ensure that nothing you were going to do would cause excessive problems if it doesn’t go according to plan? Probably not.”

Contracts Identify Cyber Operations Projects from Russian Company NTC Vulkan. Mandiant.com article. Interesting, but limited, behind the scenes look at Russian state level hacking enterprise. Pull quote: “NTC Vulkan is a Russian IT contractor based in Moscow, which publicly advertises working on contracts with large companies and government agencies within Russia. The company’s website cites compliance with Russian government standards but does not publicly state working with Russian state contractors, such as research institutes or Russian intelligence services. Based on our analysis of the leaked documentation, NTC Vulkan has held contracts with Russian intelligence services on projects to enable cyber and IO operations, potentially in tandem with cyber operations against OT targets.”

Egad! 7 key British PCs of the 1980s Americans might have missed. ArsTechnica.com article. I owned one of the Timex Sinclair machines. Pull quote: “In 1982, after a brief stint under its original name in the 'States, the ZX81 re-emerged in the US as the Timex-Sinclair 1000, which the company marketed as "the first personal computer under $100."”

20-Years of S&T. DHS.gov retrospective. Pull quote: “The White House appoints Dr. Penrose (Parney) C. Albright to help develop the founding legislation for the Department and establish the Science and Technology Directorate (S&T). Dr. Albright and a cadre of scientists set up shop at the Transition Planning Office for the Department of Homeland Security at 8th & G Streets in Washington, DC, to stand up S&T with support from the Office of Management & Budget.”

‘Hurry Up and Get It Done’: Norfolk Southern Set Railcar Safety Checks at One Minute. WSJ.com article. An unusually pro-labor slant. Pull quote: “Whether PSR [precision-scheduled railroading] was a factor in the Ohio derailment hasn’t been determined. Current and former employees say that the changes haven’t improved safety and in some cases have been harmful. Broadly, industry executives and employees are divided on whether PSR contributes to accidents.”

Antarctic ocean currents heading for collapse – report. BBC.com article. Pull quote: “"The other larger implication that it could have is a feedback on how much of Antarctica melts in the future. It opens a pathway for warmer waters which could cause increased melt, which would be a further feedback, putting more meltwater into the ocean and slowing down circulation even more," she [Dr Adele Morrison] added.”

A president has faced arrest before Trump — for carriage speeding, 150 years ago. NPR.org article. Pull quote: “Grant was released on a $20 bond, which equates to just under $500 in 2023. He didn't contest the fine or arrest and expressed respect for West's decision to arrest him. The Memorial Fund reported that former MPD Chief Cathy Lanier said Grant had been issued three citations for speeding in his carriage during his time as president.”

Republicans want to cut $1 trillion in spending — and instead of introducing 1 bill, they've introduced 500 to do just that. BusinessInsider.com article. Should read “Republican extremists….” Pull quote: “The bill names included in the drop encompass everything from limiting funding for wildland fire management to the Kennedy Center. One bill says it would put a "limitation on availability of funds for Independent Agencies, Office of Government Ethics," while another similarly limits funds for "Allowances and Office Staff for Former Presidents." Similarly, yet another bill seems poised to limit funds for the "Supreme Court, Salaries and Expenses."” Still no text on any of the bills.

OMB Approves TSA Top 100 Pipeline ICR Revision

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved the revision to the TSA’s information collection request (ICR) for “Critical Facility Information of the Top 100 Most Critical Pipelines”. The revision request had been submitted by the TSA on October 14th, 2021. The revision was a follow-up to the emergency change made to the ICR in May 2021 for the first TSA pipeline security directive and included adding the pipeline cybersecurity self-assessment document.

The reason for the delay was that OIRA required TSA to resubmit their supporting document after making clarification changes.

Bills Introduced – 3-30-23

With the House leaving Washington, and the Senate preparing to leave, for their two-week Easter Recess, there were 190 bills introduced. There were no further bills introduced providing for limitation on availability of funds by Rep Biggs (R,AZ). There were two bills that may receive additional attention in this blog:

S 1099 A bill to support research, development, and other activities to develop innovative vehicle technologies, and for other purposes. Peters, Gary C. [Sen.-D-MI]

S 1123 A bill to ensure computer programming, coding, and artificial intelligence capabilities in the Armed Forces, and for other purposes. Duckworth, Tammy [Sen.-D-IL]

I will be watching S 1099 for language and definitions that would specifically include vehicle cybersecurity research and development in the scope of the coverage to the bill.

I will be watching S 1123 for language and definitions that would specifically include cybersecurity capabilities in the scope of the coverage of the bill.

A further note on Wednesday’s ‘limitation on availability of funds’ bills. The Congressional Record for Wednesday contains the usual “Constitutional Authority and Single Subject Statements” section that provides a listing by the sponsor for each bill introduced. The ‘Single Subject Statement’ for HR 1844 (the first of 521 ‘limitation’ bills) reports that: “The single subject of this bill is providing for a limitation on funding for a discretionary spending item.” These 521 bills do not address all of the discretionary spending in the annual budget (missing at least items from DOT, DOE, DHS and DOD), so I still suspect that further bills might be offered after the Easter break (or in the pro forma sessions during the break).

I am still waiting for the GPO to get around to printing the language of these bills to see what is actually going on here. We may see them during the Easter break, but I suspect that there are planned vacations at the GPO scheduled for these well-known congressional breaks, so maybe not. 

Thursday, March 30, 2023

Short Takes – 3-30-23

New wind, solar are cheaper than costs to operate all but one US coal plant. ArsTechnica.com article. Pull quote: “One of the key points when comparing coal and renewables, she said, is that coal plants need to pay for fuel, which includes paying to transport it. The fact that solar and wind plants don’t need to pay for fuel gives them an edge in terms of not only having lower costs but also having more predictable costs as plant operators look ahead to decades of operation.”

The Graveyard of Command Posts. ArmyUpress.Army.mil (Military Review) article. Pull quote: “Specifically, command posts are targeted because they have become easily targetable. Contemporary tented command posts—with their radio frequency emitting antennas, dozens of generators and vehicles, and extensive support requirements—are easily targetable to even the untrained eye. During large-scale combat operations, these command posts can be easily seen by an ever-expanding array of sensors and just as easily struck by complementary effects throughout the depth and breadth of the battlefield. For anything as ostentatious as a modern command post, no true sanctuary exists.”

ISRO Conducts 'Extremely Challenging' Controlled Re-Entry Experiment of Aged MT-1 Satellite. Gadgets360.com article. A little geeky. Pull quote: “Furthermore, the on-board constraints of the aged satellite, where several systems had lost redundancy and showed degraded performance, and maintaining sub-systems under harsher environmental conditions at much lower than originally designed orbital altitude added to the operational complexities, it said.”

Train carrying ethanol derails, forcing evacuations in Minnesota. TheHill.com article. Pull quote: “Lawmakers have started to punt around ideas for rail safety reforms in response to the events [recent high-profile derailments], but a compromise on a package still proves elusive.”

GOP downplays importance of budget with debt ceiling looming. TheHill.com article. GOP troubles brewing. Pull quote: ““The budget — that thing is aspirational. Like, nobody ever sticks to the budget. What matters is the appropriations process,” said Rep. Thomas Massie (R-Ky.).”

GigaGalactic Rockets: Revolutionizing Space Travel and Making the Galaxy Accessible. GigaGalacticRockets.com corporate website. Pulling your leg quote: “Welcome to GigaGalactic Rockets! We are an innovative space exploration company that is dedicated to revolutionizing space travel and making the galaxy accessible to everyone. Our commitment to pushing the boundaries of innovation, combined with a healthy dose of humor, positions GigaGalactic Rockets as the leading name in space exploration and interstellar hitchhiking.”

Enforcement of Cybersecurity Regulations: Part 2. LawfareBlog.com article. Third-party assessments. Pull quote: “Many have offered suggestions to improve the integrity of third-party monitoring. Law professor Lesley McAllister, who wrote the study for the Administrative Conference on third-party enforcement, emphasized that the government must actively oversee any third-party verification system, starting with creating and running a process to select and approve the third-party auditors. Moreover, she warned that, in the absence of objective standards, the risk of unreliability and inconsistency in the determinations of third parties becomes higher—a point especially relevant in the context of cybersecurity performance-based regulation where there may be no measurable standards.”

Review - FDA Publishes ‘Refuse to Accept’ Policy Guidance Document

The Food and Drug Administration (FDA) published a notice of availability in the Federal Register (88 FR 19148-19150) for “Cybersecurity in Medical Devices: Refuse To Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act; Guidance for Industry and Food and Drug Administration Staff”. The actual guidance document is available here. This guidance document was sent to the OMB’s Office of Information and Regulatory Affairs (OIRA) on March 22nd, 2023, and approved by OIRA on March 27th.

The effective date of this new guidance document is March 29th, 2023.

 

For more details about this guidance document, including a commentary on its current deficiencies, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/fda-publishes-refuse-to-accept-policy - subscription required.

Review – 1 Advisory Published – 3-30-23

Today, CISA’s NCCIC-ICS published a control system security advisory for products from Hitachi Energy.

Advisories

Hitachi Advisory - This advisory describes an improper resource shutdown or release vulnerability in a large number of Hitachi products.

NOTE: I briefly discussed this vulnerability on February 18th, 2023.

 

For more details on this advisory, including a commentary on common stack-vulnerabilities, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-published-3-30-23 - subscription required.


Bills Introduced – 3-29-23

Yesterday, with both the House and Senate in session, there were 612 bills introduced. That is not a typo or misprint: 612 bills were introduced, and 521 of them [HR 1844 thru HR 2364] were introduced by Rep Biggs (R,AZ) and five of his fellow Republican bomb-throwers. It looks like they are targeting every major spending category; if that is the case, more bills are coming, as a lot of agencies have not yet been mentioned. DHS, DOE and DOD have not yet been targeted, but I do not think that they will be exempted from this attack.

It will be a while before we see the text of these bills, but I suspect that they are another attempt to gum up the works of the House. It is certainly going to be a problem for the Government Publishing Office and the Clerk of the House. I currently only plan on ‘following’ one of these bills, HR 1844, just to see what is going on, but I will mention any future additions to the list.

Of the remaining 91 bills introduced yesterday, there are two that will see additional coverage in this blog:

S 1044 A bill to improve rail safety practices and for other purposes. Fetterman, John [Sen.-D-PA]

S 1050 A bill to secure the bulk-power system in the United States. Scott, Rick [Sen.-R-FL]

OMB Approves DOD DIB Cybersecurity NPRM

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a DOD notice of proposed rulemaking (NPRM) for “Department of Defense (DoD)-Defense Industrial Base (DIB) Cybersecurity (CS) Activities”. The NPRM was submitted to OIRA on December 7th, 2022.

According to the Fall 2022 Unified Agenda entry for this rulemaking:

“The DIB CS Program currently provides cyber threat information to cleared defense contractors. Proposed revisions would allow all defense contractors who process, store, develop, or transit DoD controlled unclassified information to be eligible for the program and to receive cyber threat information. Expanding participation will allow a broader community of defense contractors to participate in the DIB CS Program and is in alignment with the National Defense Strategy.”

That entry further notes:

“Participation in the voluntary DIB CS Program enables DoD contractors to access Government Furnished Information and collaborate with the DoD Cyber Crime Center (DC3) to better respond to and mitigate cyber threats. In order to join the DIB CS Program, there is an initial labor burden to apply to the program and provide point of contact information which is estimated to take 20 minutes per company. In addition, there is a cost for defense contractors to voluntarily share cyber indicator information. DoD estimates that each response will take a respondent two hours to complete. The costs are under review as part of 0704-0489 and 0704-0490. For DIB participants, this program provides cyber threat information and technical assistance through analyst-to-analyst exchanges, mitigation and remediation strategies, and cybersecurity best practices in a collaborative environment for participating companies.”

This NPRM will probably be printed in the Federal Register next week.

BIS Sends Protein Synthesizer NPRM to OMB

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking from the DOC’s Bureau of Industry and Security (BIS) for “Section 1758 Technology Export Controls on Instruments for the Automated Chemical Synthesis of Peptides”. The advance notice of proposed rulemaking (ANPRM) for this action was published on September 13th, 2022.

The Fall 2022 Unified Agenda entry for this rulemaking notes:

“The Bureau of Industry and Security (BIS) has identified instruments for the automated synthesis of peptides (automated peptide synthesizers) for evaluation according to the criteria in section 1758 of the Export Control Reform Act of 2018 (ECRA) pertaining to emerging and foundational technologies. On September 13, 2022, BIS published an advance notice of proposed rulemaking (87 FR 55930) that requested public comments on the potential uses of this technology, particularly with respect to its impact on U.S. national security (e.g., whether such technology could provide the United States, or any of its adversaries, with a qualitative military or intelligence advantage). Taking into consideration the public comments on BIS's September 2022 ANPRM, this rule proposes to implement export controls on certain automated peptide synthesizers, consistent with the criteria in section 1758 of ECRA.”

Wednesday, March 29, 2023

Short Takes – 3-29-23

New insights into an old drug: Scientists discover why aspirin works so well. Phys.org article. Pull quote: “New research has revealed important information about how aspirin works. Even though this drug has been available commercially since the late 1800s, scientists have not yet fully elucidated its detailed mechanism of action and cellular targets. The new findings could pave the way to safer aspirin alternatives and might also have implications for improving cancer immunotherapies.”

A new flu is spilling over from cows to people in the U.S. How worried should we be? NPR.org article. Pull quote: “For example, if you have a respiratory infection in the U.S., doctors can identify the pathogen causing the infection only about 40% of the time. There's growing evidence that the other 60% of infections could be caused by animal viruses such as a dog coronavirus found in Malaysia, Haiti and Arkansas, or even possibly the same virus Hause and his colleagues found in those pigs. Recent studies have made clear that this virus floats in the air at farms and is likely infecting people who work there.”

NASA delays flight of Boeing’s Starliner again, this time for parachutes. ArsTechnica.com article. Pull quote: “Boeing has conducted more than 20 tests of its parachute system, including dropping the vehicle from different altitudes to test their deployment sequence and how the parachutes perform in different environments to simulate returning from space. Stich said there are no issues with the parachutes, which are installed on Starliner already. Mostly, it is about reviewing all the tests Boeing has done to ensure the parachutes performed as intended.”

What can we learn from East Palestine? ChemistryWorld.com article. Pull quote: “Again, I have no good answers for the problem of ‘how do you ameliorate the spill of tonnes of vinyl chloride?’ ‘Don’t be in that situation’ is my overly facile answer. But leaks and spills happen to chemists all the time, and we can be better prepared for far more common situations. We can learn to prevent those situations, and to solve them when they happen.”

Review - S 647 Introduced – Hydrogen for Ports

Earlier this month, Sen Cornyn (R,TX) introduced S 647, the Hydrogen for Ports Act of 2023. The bill would require the Department of Transportation to establish a grant program “to demonstrate hydrogen, ammonia, or fuel cell technologies in maritime and associated logistics application.” The bill would authorize $100 million per year through FY 2028 for the program.

Moving Forward

While Cornyn is not a member of the Senate Commerce, Science, and Transportation Committee, two of his seven cosponsors {Sen Hickenlooper (D,CO), Sen Lujan (D,NM)} are members of the Committee. This means that there may be enough influence to see the bill considered. I see nothing in this bill that would engender any organized opposition to the legislation. The problem comes down to money. While spending reduction is not as important in the Senate as it is in the House this session, it will still be on the minds of the Senate leadership, knowing that a Senate passed bill must still successfully traverse the House to get to the White House.

 

For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-647-introduced - subscription required.

Review - HR 1389 Introduced – GRID Act

Earlier this month, Rep Crow (D,CO) introduced HR 1389, the Guaranteeing Resilient Installations for Defense (GRID) Act. The bill would amend 16 USC 824o–1 to specifically allow DOE to “enter into contracts and cooperative agreements to improve the resilience of defense critical electric infrastructure”. No funding is authorized in the bill. This bill is identical to HR 8053 from the last session; no action was taken on that bill.

Moving Forward

As with HR 8053, Crow is not a member of the House Energy and Commerce Committee to which this bill was assigned for consideration, though one of his two cosponsors {Rep Peters (D,CA)} is. This may mean that there is sufficient influence for this bill to be considered in Committee. There is nothing in this bill that would engender any organized opposition. If it were considered, I would suspect that it would receive at least some level of bipartisan support.

Commentary

There was no action taken last session on HR 8053. While its late introduction was at least partially responsible for that inaction, the major reason is that the assigned committee just has no real interest in defense facility electrical power reliability. This is one (out of a multitude) of the problems with the committee system in Congress. The committee (House Armed Services Committee) which would have the most interest in solving the problems dealt with in this bill, does not have the jurisdictional oversight to write bills affecting the agency (DOE in this case) that can solve those problems. And the committee which does have jurisdiction is too busy with their own political priorities to have time to deal with this relatively minor bill.

 

For more information on the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-1389-introduced - subscription required.

Tuesday, March 28, 2023

Short Takes – 3-28-23

Russian gamers race to prevent nuclear ‘war’. CNN.com article. A small dose of FUD. Pull quote: “It’s complete fantasy; just an interactive game hosted in a building in a former industrial area of the city, harking back to the fears of the Cold War.

“But amid the current tensions with Russia, in which potential nuclear confrontation with the West has again been raised, it feels a little unsettling.”

Republicans’ best hope for Wisconsin Senate is a Trump critic. Politico.com article. Pull quote: “Wisconsin Republicans close to the congressman describe him as “whip smart,” but also “incredibly risk averse” and “extremely deliberative,” sometimes to a point where he’s slow to make decisions. They expect him, however, to likely leave the House after his current or following term in Congress, given his push early in his congressional career to limit House members to six terms in office.”

Presidential Cybersecurity Education Award. Federal Register Education 30-Day ICR Notice. Summary: “The Executive Order on America's Cybersecurity Workforce (Executive Order 13870), signed on May 2, 2019, included a directive for the Secretary of Education, in consultation with the DAPHSCT and the National Science Foundation, to develop and implement an annual Presidential Cybersecurity Education Award to be presented to one elementary and one secondary school educator per year who best instill skills, knowledge, and passion with respect to cybersecurity and cybersecurity-related subjects.” Comments due April 27th, 2023.

Increasing Public Access to the Results of USDOT-Funded Transportation Research. Federal Register, DOT request for information. Background: “On August 25, 2022, the White House Office of Science and Technology Policy (OSTP) released a memorandum entitled “Ensuring Free, Immediate, and Equitable Access to Federally Funded Research” << https://www.whitehouse.gov/wp-content/uploads/2022/08/08-2022-OSTP-Public-Access-Memo.pdf >> which establishes new guidance for improving public access to scholarly publications and data resulting from Federally supported research. This second OSTP memorandum calls on all Federal Departments and Agencies to prepare new or updated Public Access plans to ensure the Public's immediate access to the results of Federally funded research, which will further advance research transparency and advance U.S. economic competitiveness by raising awareness of new research discoveries and innovations.”

Comments in Aid of Analyses of the Terrorism Risk Insurance Program. Federal Register, Treasury request for information. Summary: “The Terrorism Risk Insurance Act of 2002 (TRIA) created the Terrorism Risk Insurance Program (Program) to address disruptions in the market for terrorism risk insurance, to help ensure the continued availability and affordability of commercial property and casualty insurance for terrorism risk, and to allow for the private markets to stabilize and build insurance capacity to absorb any future losses for terrorism events. The Secretary of the Treasury (Secretary) administers the Program, with the assistance of the Federal Insurance Office (FIO). Treasury requests comments from interested parties regarding some of the issues that FIO will be analyzing in connection with its next report related to the participation of small insurers in the Program, including any competitive challenges such insurers face in the terrorism risk insurance marketplace.”

What’s next in cybersecurity. TechnologyReview.com article. Lots of interesting stuff. Pull quote: “Moreover, Ukraine, under the leadership of Zhora and his cybersecurity agency, has been working on its cyber defenses for years, and it has received support from the international community since the war started, according to experts. Finally, an interesting twist in the conflict on the internet between Russia and Ukraine was the rise of the decentralized, international cyber coalition known as the IT Army, which scored some significant hacks, showing that war in the future can also be fought by hacktivists.”

War on cow gas is stinky but necessary job in climate-change struggle. Reuters.com article. Pull quote: “The current regulatory push could also have some negative consequences. ‘Cow fart’ taxes will make New Zealand’s milk exports more expensive, driving consumer goods companies and retailers to seek cheaper supplies from countries like Saudi Arabia, which emits even more methane. Closing down farms will also kick small players out of a fragmented farming market.”

Did a Norfolk Southern Train Take a ‘Spill’? ChemicalProcessing.com article. Pull quote: ““Might I point out that for all the attention paid to vinyl chloride in this accident, none of those cars breached in the derailment?  There was only an issue when the decision was made to empty them and burn the material in the open air, a decision that others might have made differently.””

Review - S 646 Introduced – Hydrogen Technologies

Earlier this month, Sen Coons (D,DE) introduced S 646, the Hydrogen for Industry Act of 2023. The bill would require DOE to establish the ‘Hydrogen Technologies for Heavy Industry Demonstration Program’ to provide grants or cooperative agreements to demonstrate industrial end-use applications of hydrogen. The bill would authorize $1.2 billion for the period of fiscal years 2024 through 2028.

Moving Forward

While Coons is not a member of the Senate Energy and Natural Resources Committee to which this bill was assigned for consideration, three of his cosponsors {Sen Hickenlooper (D,CO), Sen Cassidy (R,LA), Sen Heinrich (D,NM)} are members. This means that there should be sufficient influence to see this bill considered by the Committee. Beyond the cost of the program, I see nothing that would engender any organized opposition to this bill. I suspect that the bill would receive some level of bipartisan support if ways could be found to fund this new grant program.

 

For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-646-introduced - subscription required.

Review - S 885 Introduced – Civilian Cyber Reserve

Earlier this week, Sen Rosen (D,NV) introduced S 885, the Department of Homeland Security Civilian Cybersecurity Reserve Act. The bill would authorize DHS to establish a pilot program for a civilian cybersecurity reserve. No additional funding would be authorized by the bill.

This bill is nearly identical to the version of S 1324, the Civilian Cybersecurity Reserve Act, that was also introduced by Rosen and passed in the Senate under the unanimous consent process during the last session. No action was taken on the bill in the House.

Moving Forward

As I noted yesterday, the Senate Homeland Security and Governmental Affairs Committee is scheduled to take up this bill tomorrow along with 27 other bills. Typically, this means that there is broad support within the Committee for this bill, though there may be amendments that the Committee will consider. I suspect that there will be substantial bipartisan support for the bill. Last session, this version of the bill was able to pass the full Senate under the unanimous consent process, so it may be able to do so again.

Commentary

S 1324 passed late in the last session and never really had a chance to be taken up in the House. I suspect that if it were to make it to the floor for a vote that it would probably pass. The problem is going to be getting it to the floor because this is another unfunded program that is going to run afoul of the budgeting and spending restrictions planned for this session in the Republican controlled House. This would be another program where the spending hawks would be competing with the cybersecurity hawks in the Party and there will only be so many of those fights that either side wants to get into in the lead up to the 2024 elections. I am not sure that this would be a hill the cybersecurity hawks would want to die on.

 

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-885-introduced - subscription required.

Short Takes – 3-28-23 – Geeky Science Edition

One of the Luckiest Lightning Strikes Ever Recorded. NYTimes.com article. Great high-speed video. Pull quote: “It was not only lightning rods producing these discharges, but also various corners of the buildings and other high spots. In fact, “Any person standing in an open area can similarly launch an upward connecting discharge from their head or shoulders and be injured by lightning even when not directly struck by it,” said Marcelo M.F. Saba, a senior researcher at the National Institute for Space Research in Brazil and an author of the study.”

Periodic Graphics: Making molecular sandwiches. CEN.ACS.org graphic article. Pull quote: “The discovery of ferrocene revolutionized the field of organometallic chemistry. Here we look at the molecule’s origins, the other sandwich compounds that followed, and their applications.”

Study reveals map of moon's water near its south pole. Phys.org article. Pull quote: “This current finding, along with two previous SOFIA results about the amount and distribution of water on the moon's sunlit surface, tracks a unique light signature of water. Other missions observing wide areas of the lunar surface have studied different wavelengths of light, which can't distinguish water from similar molecules, such as hydroxyl. The moon's water is present in the soil and might be found as ice crystals, or as water molecules chemically bound to other materials.”

Mysterious aurora-like phenomenon 'STEVE' appears during strongest solar storm for more than half a decade. LiveScience.com article. Pull quote: “Instead, STEVE is caused by a river of hot plasma, or ionized gas, that breaks through Earth's magnetosphere and into the ionosphere thanks to magnetic disturbances during solar storms. This plasma travels at around 13,300 mph (21,400 km/h), which creates friction with the surrounding air and excites molecules to glow in the same way as an aurora. But the constant flow of plasma causes an unmoving visual phenomenon for an observer compared with the dancing lights of auroras.”

Climate change: trees grow for extra month as planet warms – study. BBC.com article. Pull quote: “"When we're thinking about a relatively low-cost mitigation strategy, planting a whole bunch of trees that suck CO2 out of the air is a really good strategy, but to promote those activities you also have to have evidence of the level of benefit you'd derive from it," she said.”

OMB Approves Medical Device ‘Refusal’ Rule

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a notice from the Food and Drug Administration on “Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act”. This notice was not listed in the Fall 2022 Unified Agenda. It was submitted to OMB on March 22nd, 2023.

As I noted in that earlier post, it appears that this notice is related to a recent amendment of 21 USC 331(q) making it unlawful for medical device manufacturers to fail to comply with any requirement under §524B(b)(2). That paragraph reads:

‘‘(2) design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to the device and related systems to address—

‘‘(A) on a reasonably justified regular cycle, known unacceptable vulnerabilities; and

‘‘(B) as soon as possible out of cycle, critical vulnerabilities that could cause uncontrolled risks;”

We will probably see this notice published in the Federal Register later this week.

Monday, March 27, 2023

Short Takes – 3-27-23

Unmanned aircraft system innovation is hindered by the current regulatory framework, according to witnesses at a congressional hearing. NextGov.com article. Pull quote: “Small UAS technology development also faces regulatory barriers. For example, the government only has 15 approved platforms from which to purchase. And supply chain vulnerabilities and the inability of counter-UAS technology companies to test and perform R&D in the U.S. [emphasis added] have ultimately created national security concerns. According to the speakers, developing standards will also help, but the standards cannot be so restrictive as to hinder innovation, and it may even be too early to develop such standards.”

They fell in love with an AI chatbot. Now, they’re heartbroken. TheGlobeAndMail.com article. Pull quote: “The speed with which some users bonded with their chatbots shows how easy it would be for someone with ill-intent to manipulate or exploit users, particularly those who are vulnerable. It also raises questions about just how much anthropomorphism should be incorporated into AI applications in the first place.”

11 billion-pound mystery: The chemicals South Dakota trains carry. SDNewsWatch.org article. A periodic complaint from environmental activists, but a good summary of their point of view. Pull quote: ““Neither FRA nor any government agency can provide information that lists specific rail lines that hazardous material shipments traverse, as railroads consider such information to be proprietary, and doing so raises safety and security issues,” the office said. “In addition, as a federal safety regulator, FRA does not monitor train movements or types of cargo transported by private rail companies in real time.””

Balloon Intercepted By U.S. Air Force Over Texas. TheDrive.com article. Pull quote: “"North American Aerospace Defense Command detected an unidentified radar track over south central Texas on Mar. 25 and launched aircraft to visually investigate the situation. NORAD aircraft identified a small airborne object as likely a hobbyist Pico balloon and assessed the object posed no immediate military threat or safety of flight hazard. NORAD will continue to track and monitor the object, and is in close coordination with the U.S. Federal Aviation Administration to ensure continued flight safety."” See what the Chinese started.

Committee Hearings – Week of 3-26-23

This week, with both the House and Senate in Washington, there is a relatively heavy hearing schedule. A major focus remains on budget hearings, but we also have two cybersecurity related hearings, one oversight hearing, a markup hearing, and another look at the East Palestine derailment.

Budget Hearings

Budget Hearing    House                          Senate
NSA               Intel Subcommittee             -
CISA              Appropriations Subcommittee    -
TSA               Appropriations Subcommittee    -
EPA               Appropriations Subcommittee    -
DOD               Armed Services Committee       Armed Services Committee
DHS               HS Committee                   -
FDA               Appropriations Subcommittee    -

Cybersecurity

On Wednesday, the Cybersecurity Subcommittee of the Senate Armed Services Committee will hold a hearing on “To Receive Testimony on Enterprise Cybersecurity to Protect the Department of Defense Information Networks”. The witness list includes:

• John B. Sherman, DOD CIO, and

• LTG Robert J. Skinner, USAF

Probably very little discussion about operational technology issues.

On Thursday, the Cyber, Information Technologies, and Innovation Subcommittee of the House Armed Services Committee will hold a hearing on “Cyberspace Operations: Conflict in the 21st Century”. The witness list includes:

• John F. Plumb, DOD,

• Gen Nakasone, Cyber Command

Again, probably very little discussion about OT issues.

DHS Oversight

On Tuesday, the Senate Judiciary Committee will hold a hearing on “Oversight of the Department of Homeland Security”. No witness list is currently available, so it is hard to tell where the focus will be in this hearing.

Markup Hearing

On Wednesday, the Senate Homeland Security and Governmental Affairs Committee will hold a business meeting that will include markups of 28 bills, five of which have not yet been introduced. Bills of potential interest here include:

S. ___, Securing Open Source Software Act of 2023,

S. ___, Reporting Efficiently to Proper Officials in Response to Terrorism (REPORT) Act, and

S. 885, DHS Civilian Cybersecurity Reserve.

Derailment Hearing

On Tuesday, the Environment, Manufacturing, and Critical Minerals Subcommittee of the House Energy and Commerce Committee will hold a hearing on “Government Response to East Palestine: Ensuring Safety and Transparency for the Community”. The witness list includes:

• Debra Shore, EPA,

• Wesley Vins, Columbiana County General Health District, and

• Anne M. Vogel, Ohio EPA

On the Floor

The House will be considering HR 1 this week, the Republicans’ signature energy bill. While the Republicans criticized large omnibus type bills, this is a typical politically-focused conglomerate of 17 previously introduced bills that we have come to expect from the House of Representatives. 153 amendments have been proposed to the House Rules Committee. The Committee will meet today to decide which amendments will be considered on the floor. Only two of those amendments may be of potential interest here:

#102 Ocasio-Cortez (D,NY) - Prevents oil and gas companies that have been found responsible for chemical spills or environmental disasters in the past 20 years from accessing reduced royalty rates.

#147 Schiff (D,CA) - Directs the Secretary of Energy to create a task force that would work with frontline communities to examine the environmental and public health impacts of petrochemical refineries, including local, global, and cumulative impacts. Requires the task force to research alternative options for energy security and offer recommendations to improve energy security in the United States.


Westlake, LA Chlorine Leak Causes I-10 Diversion

Three local news articles (here, here, and here) about a chlorine gas leak at a pool chemical manufacturing facility in Westlake, LA that led to local shelter-in-place warnings and a diversion of traffic on nearby Interstate 10. No injuries have been reported. The leak apparently occurred in a chlorine gas pipeline coming into the plant. The cause of the leak has not been reported.

A post-hurricane chlorine leak and fire at the facility almost three years ago is still under investigation by the Chemical Safety Board.

While this leak was probably reportable under various EPA regulations (I still have not heard a number for the amount of chlorine released), this incident does not appear to rise to a level that would require reporting to the Chemical Safety Board under 40 CFR 1604. With no serious injuries reported and no reported damage to the facility, this would not be a reportable release from the CSB’s point of view.

This type of incident calls into question the regulation’s reliance on ‘property damage’ as an assessment of the degree of hazard associated with a release. While there may have been some damage to the pipeline (not known yet) that resulted in the release, it is unlikely to have risen to the $1-million standard for ‘substantial property damage’; there were, however, other damages incurred both at the facility and in the surrounding community that could have risen above that target value. According to the news articles, the shelter-in-place order affected production at at least one other chemical facility and impacted homes and businesses within 1-mile of the facility. Additionally, the diversion of traffic on a major interstate (not to mention local roads in the shelter-in-place area) would have imposed some additional costs on those vehicles diverted, a minimal time and fuel cost on an individual basis, but in aggregate that could be a substantial number.

These outside costs incidental to the release would be hard for the facility owner to know in advance or calculate on the fly. If I were crafting the authority for the CSB rule today, I would require them to include a standard for off-site effects from a release, beyond serious injuries or substantial property damage, that takes into account the size of a shelter-in-place or evacuation order, or the number of people affected by such orders.

New Explosive with New Precursor Chemicals

A short article on CEN.ACS.org talks about an ‘easy synthesis’ of a powerful new explosive, DTAT-K, that could replace current lead azide explosives. It references a geekier article on ACS Cent. Sci. 2023 which provides more details about the process for those interested in the detail. But for purposes of this discussion two things stand out. The chemical synthesis (manufacturing) process is relatively straightforward and it uses a commercially available chemical as the precursor. This means that there are potential impacts to the Chemical Facility Anti-Terrorism Standards (CFATS) regulations.

A quick refresher. The CFATS regulations established a list of DHS chemicals of interest (COI) that trigger initial Top Screen reporting requirements for facilities. Facilities that have minimum amount of any of the 300+ listed chemicals on site have to report that information to CISA and then CISA will determine if they are to be covered under the CFATS program.

Crafters of the COI list relied on various regulatory lists of chemicals that may be of use in a terrorist attack, either at the facility where the chemical is held, or off-site as a weapon or in the manufacture of improvised chemical or explosive weapons. For that off-site use the COI lists all major commercial explosives. If that list were to be compiled anew today, it would probably include DTAT-K, and the commercially available precursor would probably be included as well.

CISA is currently working on an update for that regulation. It will be interesting to see if they include updates to the COI list, adding new chemicals like DTAT-K and its precursors.

Saturday, March 25, 2023

50,000 Weaponized Drones

I ran across an interesting article today over on Forbes.com, “Russia Braces For Attack By 50,000 Ukrainian Kamikaze Drones, Seeks Shotguns”. With a title like that, it had to show up on my daily ‘Short Takes’ post and it did (see below). But, I have read the article twice, and it still worries me more than a little and I am forced to write a late night post to explain my concerns.

I have been writing about drones and chemical plants for a number of years now in this blog. To the best of my knowledge, it has all been theoretical to this point, just pointing out how dangerous drones could actually be at a chemical facility if someone was intent on causing harm. And weaponized drones have been high on my list of concerns.

But, if I am pressed to talk about real threats, drones have been kind of low on my list of real weapons of concern. Most available drones are small enough that they just cannot deliver a large enough payload to really do significant damage to process equipment. Most chemical processing equipment is rather robust since it has to deal daily with heat extremes, pressure, and employee mistreatment. There are weak points to be sure, but they would require the nemesis of security threats, process knowledge, to identify and exploit.

But seeing the picture today of an RPG-7 warhead suspended from a quadcopter literally struck fear into my heart. These projectiles are designed to pierce 11 inches of armor plate. A storage tank is not going to stand a chance. The projectile does not enter the target, a jet of high-intensity flame does. That jet of flame would immediately vaporize almost any liquid that it came into contact with inside the tank. The sudden rise in pressure may be enough to make the tank catastrophically fail and spew its contents all over the tank farm. A high-pressure storage tank may be able to withstand that sudden increase, but the pressure would still be sufficient to blow the liquid contents of the tank back out of the small hole the penetrator left. That hole would be edged with molten metal that would be hot enough to ignite most hydrocarbons, even those with relatively high (safe) flashpoints. The potential for cascading effects at that point would be enough to ruin any chemical engineer’s dreams.

The Forbes article makes it clear that these weaponized drones are relatively cheap to make. It notes how easy it is to master the technique of flying the drones, even encumbered by the relatively massive warhead. If, as expected, the Ukrainians have success with these expected drone swarms, it would serve as a clear advertisement for their effectiveness as a weapon of war or terror.

Short Takes – 3-25-23

CHIPS for America Incentives Program Webinar on Notice of Proposed Rulemaking for National Security Guardrails. Federal Register NIST Webinar notice. Webinar March 30th, 2023. Summary: “The CHIPS Program Office will host a public webinar in connection with the Notice of Proposed Rulemaking for national security guardrails included in the CHIPS for America Incentives Program. In this webinar, the CHIPS Program Office will review the national security measures included in the CHIPS and Science Act and the additional details and definitions outlined in the Notice of Proposed Rulemaking. The webinar will also cover how the public can submit comments on the Notice of Proposed Rulemaking.” Registration required.

Russia Braces For Attack By 50,000 Ukrainian Kamikaze Drones, Seeks Shotguns. Forbes.com article. Pull quote: ““Recently, it has become known that, in terms of drones, buyers of the Armed Forces of Ukraine have bought up almost the entire market of FPV drone components in China, according to indirect estimates, by 50-100 thousand units,” writes Russian Engineer. “They have already trained more than a thousand operators of these models. They make them into kamikaze with a shaped charge warhead from RPG-7, or with a fragmentation grenade. And they have accumulated all this before the offensive.””

Cape Congestion: World’s busiest spaceport stretched to its limits. SpaceNews.com article. Pull quote: “He noted on a SpaceCom panel that the center was already trying to juggle growing power demands at the center. That included “carving out” part of the grid that serves Exploration Park, the commercial development just outside the center’s gates, so that a local utility could set up a substation to meet the needs of Blue Origin’s New Glenn manufacturing facility there.”

Bacteria from meat may cause more than a half-million UTIs, study says. WashingtonPost.com article. Pull quote: ““We have identified the really risky strains of E. coli in animals,” Price said. “And now we can vaccinate them against these specific bacteria, resulting in a win-win for public health as well as the animal industry.””

In case involving whiskey and a dog toy, Supreme Court misses the joke. WashingtonPost.com article. Pull quote: “From there it was a blizzard of hypotheticals and assertions: references to pornography and sex toys, stirring defenses of fine photography and First Amendment rights, a dig at a famed law school and one justice’s admission that — if recasting the whiskey’s famous square bottle as a rubbery, squeaky chew toy was satirical, as its maker, VIP Products, claims — she was missing the joke.”

GAO Reports – Week of 3-18-23 – Critical Infrastructure Protection

This week the Government Accountability Office (GAO) published a report on “Critical Infrastructure Protection: Time Frames to Complete CISA Efforts Would Help Sector Risk Management Agencies Implement Statutory Responsibilities”. This report was presented as the prepared testimony of Tina Won Sherman, GAO, before a hearing of the Subcommittee on Cybersecurity and Infrastructure Protection of the House Homeland Security Committee on March 23rd, 2023. This is essentially a follow-up to a February GAO report on the same topic.

Section 9002 of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (PL 116-238, 134 STAT. 4768) changed many of the duties of the Sector Risk Management Agencies (SRMAs) when it added §2215 to the Homeland Security Act of 2002 (6 USC 665d). This report looks at actions that CISA could be (and is planning on) taking to support those additional SRMA duties.

Chocolate Plant Explosion

Ran across this article on ABC7.com about an explosion at a West Reading, PA chocolate factory. The page includes a nearby surveillance video of the actual explosion. One building was completely leveled, surrounding buildings were damaged, one reportedly moved 4-ft. Two people have been confirmed killed, others were injured, and they are still looking through the rubble for survivors. There is no information on the cause of the explosion, but it was noted that there was an active natural gas distribution line into the building.

Again, according to the Chemical Safety Board, an explosion that kills people, severely injures people, or causes significant property damage is a reportable chemical release under 40 CFR 1604. And, once again, this being a chocolate factory and not a quintessential chemical manufacturing facility, the owner may not be aware of their CSB reporting responsibilities, so I would not be surprised to hear that the incident was not reported when the next CSB report summary is published.

CRS Reports – Week of 3-18-23 – DHS Overview

This week the Congressional Research Service (CRS) published a report on “The Department of Homeland Security: A Primer”. The report provides an overview of the structure and history of DHS. As noted in the introduction: “This report is intended to brief congressional staff on the mission, structure, staffing, and funding of DHS.”

At the program level, this report is not very deep. It does not, for instance, break out the various authorized and not authorized programs within CISA; there is no mention of the Chemical Facility Anti-Terrorism Standards (CFATS) or ChemLock programs. To be fair, at 32 pages, that may be a bit more information than space would allow.

Review – Public ICS Disclosures – Week of 3-18-23

This week we have nine vendor disclosures from Aruba Networks, GE Gas Power (3), HP, Meinberg, Moxa, Philips, and WatchGuard. We also have eight vendor updates from Broadcom (2), Eaton, and HPE (5). Finally, we have five researcher reports for vulnerabilities in products from Insyde (3) and WellinTech (2).

Advisories

Aruba Advisory - Aruba published an advisory that describes a remote code execution vulnerability in their CX Switches.

GE Advisory #1 - GE published an advisory that discusses unnamed security issues with the Woodward MicroNet Plus 5200 CPU.

GE Advisory #2 - GE published an advisory that describes a deserialization vulnerability in their ToolboxST product.

GE Advisory #3 - GE published an advisory that discusses a buffer underwrite vulnerability in the FortiGuard FortiOS that affects the GE NetworkST4, Remote Operations Offering, and M&D Lockbox and S3C Firewall (60F) products.

HP Advisory - HP published an advisory that discusses 16 time-of-check to time-of-use vulnerabilities in a variety of their products.

Meinberg Advisory - Meinberg published an advisory that discusses eleven vulnerabilities in their LANTIME product.

Moxa Advisory - Moxa published an advisory that discusses two TCG TPM2.0 implementation vulnerabilities.

Philips Advisory - Philips published an advisory that discusses two remote code execution vulnerabilities.

WatchGuard Advisory - WatchGuard published an advisory that discusses an OpenSSH double free vulnerability.

Updates

Broadcom Update #1 - Broadcom published an update for their AMI MegaRAC Baseboard Management Controller that was originally published on December 9th, 2022.

Broadcom Update #2 - Broadcom published an update for their ksmb module in the Linux kernel advisory that was originally published on December 24th, 2022.

Eaton Update - Eaton published an update for their Ripple20 advisory that was originally published on June 23rd, 2020 and most recently updated on November 11th, 2020.

HPE Update #1 - HPE published an update for their ProLiant BL/DL/ML Servers advisory that was originally published on February 14th, 2023.

HPE Update #2 - HPE published an update for their Aruba ClearPass Policy Manager advisory that was originally published on March 15th, 2023.

HPE Update #3 - HPE published an update for their StoreEasy Servers advisory that was originally published on February 14th, 2023.

HPE Update #4 - HPE published an update for their Synergy Servers advisory that was originally published on February 14th, 2023.

HPE Update #5 - HPE published an update for their Proliant DX Servers advisory that was originally published on February 14th, 2023.

Researcher Reports

Insyde Reports - BINARLY published three reports about vulnerabilities in the InsydeH2O products.

WellinTech Reports - Cisco Talos published two reports about vulnerabilities in the WellinTech KingHistorian.

 

For more details about these disclosures, including links to researcher reports, 3rd party advisories, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-3-434 - subscription required. 

Friday, March 24, 2023

Short Takes – 3-24-23

Lawmakers raised concerns that sensitive data could leak to adversaries through foreign-owned consumer technology. NextGov.com article. Pull quote: ““The widespread use of DJI drones to inspect critical infrastructure allows the CCP to develop a richly detailed, regularly updated picture of our nation’s pipelines, railways, power generation facilities and waterways,” the letter states. “This sensitive information on the layout, operation and maintenance of U.S. critical infrastructure could better enable targeting efforts in the event of conflict.””

Enforcement of Cybersecurity Regulations: Part 1. LawfareBlog.com post. Lengthy, detailed look at potential cybersecurity enforcement modes. Pull quote: “In considering what should be next for cybersecurity enforcement, I want to put aside the two approaches that so far have dominated with regard to the protection of consumer data (other than financial data held by banks): post hoc case-by-case investigations by regulators and private litigation in class actions. While both should remain part of the mix, neither one is systematic or forward-looking. Taking place after a breach, they can single out the one mistake the attackers exploited and in doing so often lose sight of the overall reasonableness of the victim’s security program. In many cases, remedial action does not come until years after the incident. And because administrative enforcement actions and private litigation almost always settle with no admission of wrongdoing, they fail to offer industry any generalizable certainty on what is required.”

Space: Roscosmos Dies In Ukraine. StategyPage.com article. Pull quote: “The current Russian government wants to eliminate all cooperation with Western nations (the United States and Europe). Roscosmos officials point out that is not economically possible or technically preferable. Cooperation with the West has increased the capabilities of the Russian space program and provided economic opportunities for Russia. A much larger space program budget would be required and the loss of Western tech and markets for satellite launch services and satellite manufacturing would hurt Russia more than the West.”

House GOP infighting is threatening their ability to get bills out the door. Politico.com article. Pull quote: “Days before that floor debate, McCarthy and his leadership team privately fielded concerns from multiple conference members about possible “poison pill” amendments, such as those relating to LGBTQ students or banning books. Some of those Republicans were under pressure from groups like the National Education Association, the nation’s largest teachers union, which opposes the “parents’ bill of rights” proposal and supports some centrist GOP lawmakers.”

Simple synthesis produces environmentally friendly energetic material. CEN.ACS.org article. Pull quote: “Guangbin Cheng and Hongwei Yang at Nanjing University of Science and Technology and Chuan Xiao at Norinco led the researchers who discovered DTAT-K. The chemists were simply trying to substitute azides for the chlorides on 4,6-dichloro-5-nitropyrimidine—an inexpensive and commercially available starting material. But they were surprised to find that after the substitution occurred, the molecule spontaneously cyclized to form the [5,6,5]-tricyclic bistetrazole-fused motif and appended an additional azide group.” So we have a new explosive precursor chemical to worry about: 4,6-dichloro-5-nitropyrimidine.

ORNL malware ‘vaccine’ generator licensed for Evasive.ai platform. NewsWise.com article. Pull quote: “Drawing on more than 35 million malware samples — some publicly available and others never before seen — AMIGO generates optimally evasive malware in tandem with the training information needed for a security system to detect it in the future.”

S 660 Introduced – Water System Threats

Earlier this month, Sen Markey (D,MA) introduced S 660, the Water System Threat Preparedness and Resilience Act of 2023. This is a companion bill (identical wording) to HR 1367 that was introduced earlier this month in the House. The legislation would require the EPA to carry out a program to support, and encourage participation in, the Water Information Sharing and Analysis Center (W-ISAC). The legislation would authorize $10-million for FY 2024 and FY 2025 to support this initiative.

Moving Forward

Markey is a member of the Senate Environment and Public Works Committee to which this bill was assigned for consideration. This means that there should be sufficient influence to see the bill considered in committee. I see nothing in this bill that would engender any organized opposition, and the spending issue is less of a problem in the Senate than in the House. At this point, this bill is more likely to move forward in committee than is the House bill.

Commentary

While the undefined term ‘malevolent acts’ used in §2(b)(4)(B) would certainly seem to include cyber incursions or attacks, I would prefer to see cybersecurity specifically addressed. To that end, I would suggest changing subparagraph (B) to read:

“(B) enhancing the preparedness of community water systems and publicly owned treatment works to identify, protect against, detect, respond to, and recover from cybersecurity threats (as defined in 6 USC 1501), malevolent acts (within the meaning of section 1433 of the Safe Drinking Water Act (42 U.S.C. 300i–2)) or natural hazards.”

 

For more information about the provisions of this bill, see my article on HR 1367 at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-1367-introduced - subscription required.


OMB Approves TSA Surface Transportation Employee Vetting NPRM

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a TSA notice of proposed rulemaking for the “Vetting of Certain Surface Transportation Employees”. This rulemaking was mandated by the 9/11 Act (PL 110-53, Sections 1411, 1414, 1512, 1520, 1522, and 1531) and was supposed to have been completed by August 3rd, 2008.

The Fall 2022 Unified Agenda entry for this rulemaking notes:

“The 9/11 Act requires vetting of certain railroad, public transportation, and over-the-road bus employees. Also, 6 U.S.C. 469 requires TSA to collect fees to recover the costs of the vetting services. Through this rulemaking, the Transportation Security Administration (TSA) intends to propose the standards and procedures to conduct the required vetting and recover costs. This regulation is related to 1652-AA55, Security Training for Surface Transportation Employees.”

There will be industry (and probably labor) opposition to this rulemaking as there was when MTSA and CFATS programs implemented their employee vetting programs. I suspect that TSA will take the easy route here and require/allow an expansion of the Transportation Workers Identification Credential (TWIC) program to cover these surface transportation workers.

Thursday, March 23, 2023

Short Takes – 3-23-23

Remote hacking of Samsung, Google and Vivo smartphones: the problem and the solution. Kaspersky.com blog post. Pull quote: “Since the BRP handles all communication with the cellular network, malicious code can be used for a whole range of spying purposes: from tracking the victim’s geolocation to listening in on calls or stealing data from the smartphone memory. At the same time, because it’s a black box, the BRP is virtually impossible to diagnose or disinfect, except by reflashing.”

The pressing threat of Chinese-made drones flying above U.S. critical infrastructure. CyberScoop.com article. Pull quote: “The urgency around this threat could not be greater given the mission-critical roles of infrastructure owners and operators and public safety organizations. We therefore ask lawmakers and policymakers not only to revisit the issue, as Sens. Mark Warner, D. Va., Marsha Blackburn, R. Tenn., and a bi-partisan group of their colleagues urged in a letter to CISA last week, but also to work with industry, as well as state, local, tribal and territorial governments, to outline and implement a comprehensive approach to enable the elimination of all drones manufactured by companies with ties to the Chinese Communist Party from critical infrastructure and public safety inventories and supply chains.”

Preventing the Improper Use of CHIPS Act Funding. Federal Register NIST NPRM. Pull quote: “To protect national security and the resiliency of supply chains, CHIPS Incentives Program funds may not be provided to a foreign entity of concern, such as an entity that is owned by, controlled by, or subject to the jurisdiction or direction of a country that is engaged in conduct that is detrimental to the national security of the United States. This proposed rule includes a detailed explanation of what is meant by foreign entities of concern, as well as a definition of “owned by, controlled by, or subject to the jurisdiction or direction of.”” Comments to be submitted by May 22nd, 2023.

Advisory Committee for Cyberinfrastructure; Notice of Meeting. Federal Register NSF meeting notice. 2-day meeting April 17th/18th, 2023. Purpose of Meeting: “To advise NSF on the impact of its policies, programs and activities in the OAC [Office of Advanced Cyberinfrastructure] community. To provide advice to the Director/NSF on issues related to long-range planning.”

Getting Ahead of the Ransomware Epidemic: CISA’s Pre-Ransomware Notifications Help Organizations Stop Attacks Before Damage Occurs. CISA.gov blog post. Neat new term – ‘Pre-Ransomware Notification’. Pull quote: “Although we’re in the early days, we’re already seeing material results: since the start of 2023, we’ve notified over 60 entities across the energy, healthcare, water/wastewater, education, and other sectors about potential pre-ransomware intrusions, and we’ve confirmed that many of them identified and remediated the intrusion before encryption or exfiltration occurred.”

Chinese firm invents lockdown-inspired kissing machine for remote lovers. Reuters.com article. Okay, this is just gross. Pull quote: “The MUA - named after the sound people commonly make when blowing a kiss - also captures and replays sound and warms up slightly during kissing, making the experience more authentic, said Beijing-based Siweifushe.”

Periodic Graphics: The chemistry of plant flowering. CEN.ACS.org graphic. A look at the chemicals of spring.
