Saturday, April 29, 2023

Review – S 1044 Introduced – Railway Accountability Act

Last month, Sen Fetterman (D,PA) introduced S 1044, the Railway Accountability Act. The bill would address seven different rail safety issues. No spending is authorized by the legislation. The seven covered safety issues are:

Broken rim derailments,

Train consist,

Brake inspections,

Safety waivers,

Proper functioning of emergency brake signals,

Confidential close call reporting system,

Required warning equipment and lookouts.

Moving Forward

Fetterman is not a member (nor are his two cosponsors) of the Senate Commerce, Science, and Transportation Committee to which this bill was assigned for consideration. This means that there is probably not enough influence to see this bill considered in Committee. While this is probably the least burdensome bill introduced after the East Palestine derailment, there are still provisions to which the railroads would probably object. This means that there would be some level of opposition to the bill were it to be considered in Committee. I suspect the bill would receive some level of bipartisan support, maybe even enough to pass in Committee, but probably not enough to allow for sixty votes on a cloture motion.

 

For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-1044-introduced - subscription required.

CSB Publishes Release Reporting 30-day ICR Renewal Notice

The Chemical Safety Board published a 30-day information collection request renewal notice in Monday’s (available online today) Federal Register (88 FR 26520-26521) for “Accidental Release Reporting Form”. The 60-day ICR notice was published on March 2nd, 2023. No comments were received, allowing this quick turnaround for the follow-up notice.

In this first revision of the ICR, CSB is reducing the burden estimate based upon the data from the first two years of operation of the reporting program.

The CSB is soliciting comments on this ICR notice. Comments may be submitted to OMB’s Office of Information and Regulatory Affairs via email (OIRA_submission@omb.eop.gov). Comments should be submitted by May 30th, 2023.


Chemical Incident Reporting – Week of 4-22-23

NOTE: See here for series background.

Hackberry, LA – 4-16-23

News reports here, here, and here.

Crude oil collection tank fire, apparently caused by a lightning strike; no injuries reported.

Probably not a CSB reportable.

 

Lemont, IL – 4-25-23

News reports here, here, and here.

Refinery explosion in an asphalt storage tank, 1 contractor dead, several injured

CSB reportable

Review – Public ICS Disclosures – Week of 4-22-23

This week we have eighteen vendor disclosures from BD, Belden (2), Bosch (2), GE Gas Power (2), Genetec, Hitachi Energy (4), HPE, Mitsubishi, Moxa, Omron, Schneider, and VMware. There are two vendor updates, from HPE and Mitsubishi. Finally, we have an FDA report on the Illumina vulnerabilities.

Advisories

BD Advisory - BD published an advisory that describes a credential sharing incident that could affect their BD Kiestra product.

Belden Advisory #1 - Belden published an advisory that discusses an integer overflow or wraparound vulnerability in their HiSecOS and Cellular Router products.

Belden Advisory #2 - Belden published an advisory that discusses two vulnerabilities in their Hirschmann product line.

Bosch Advisory #1 - Bosch published an advisory that describes an incorrect authorization vulnerability in their B420 Ethernet communication module.

Bosch Advisory #2 - Bosch published an advisory that discusses a use of obsolete function vulnerability in their SLC-0-GPNT00300 interface module.

GE Gas Power Advisory #1 - GE published an advisory that discusses a path traversal vulnerability in multiple products.

GE Gas Power Advisory #2 - GE published an advisory that discusses a buffer underflow vulnerability in multiple products.

Genetec Advisory - Genetec published an advisory that discusses three vulnerabilities in the Security Center product.

Hitachi Energy Advisory #1 - Hitachi Energy published an advisory that discusses eight vulnerabilities in their Modular Switchgear Monitoring product.

Hitachi Energy Advisory #2 - Hitachi Energy published an advisory that discusses four vulnerabilities in their RTU500 series product.

Hitachi Energy Advisory #3 - Hitachi Energy published an advisory that discusses two vulnerabilities in their RTU500 series product.

Hitachi Energy Advisory #4 - Hitachi Energy published an advisory that discusses two vulnerabilities in their AFS65x, AFS67x, AFR67x and AFF66x series Products.

HPE Advisory - HPE published an advisory that describes an arbitrary code execution vulnerability in their ProLiant RL300 Gen11 Server.

Mitsubishi Advisory - Mitsubishi published an advisory that discusses nine vulnerabilities in their FA product line.

Moxa Advisory - Moxa published an advisory that discusses two Trusted Computing Group TPM2.0 implementation vulnerabilities.

Omron Advisory - Omron published an advisory that describes a heap-based buffer overflow vulnerability in their CX-drive support tool.

Schneider Advisory - Schneider published an advisory that discusses a recently published exploit for vulnerabilities in their KNX building automation systems.

VMware Advisory - VMware published an advisory that describes four vulnerabilities in their Workstation and Fusion products.

Updates

HPE Update - HPE published an update for their IceWall advisory that was originally published on March 9th, 2018 and most recently updated on January 27th, 2023.

Mitsubishi Update - Mitsubishi published an update for their Ethernet port of MELSEC and MELIPC Series advisory that was originally published on November 30th, 2021 and most recently updated on November 24th, 2022.

Reports

Illumina Report - The Food and Drug Administration (FDA) published a letter to healthcare providers on the Illumina vulnerabilities reported this week by CISA.

 

For more details on these disclosures, including links to 3rd party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-4-b33 - subscription required.

Bills Introduced – 4-28-23

Yesterday, with just the House in session, there were 58 bills introduced. One of those bills will receive additional attention in this blog: 

HR 2999 To authorize the declaration of a hazardous train event, and for other purposes. Deluzio, Christopher R. [Rep.-D-PA-17]


Friday, April 28, 2023

Short Takes – 4-28-23

Railroads warned about the problems long trains can cause. TheHill.com article. Pull quote: ““All stakeholders – the FRA, railroads, and elected officials – share the same goal of continuously enhancing rail safety, minimizing adverse impacts to surrounding communities and keeping the goods that power our economy flowing,” AAR spokeswoman Jessica Kahanek said. “The recommendations within this advisory align closely with the prudent steps railroads already take to do just that.”” As I said yesterday, minimal effect on operational safety.

Lawmakers demand accountability for DC Health Link breach. TheHill.com article. Pull quote: ““We’re going to have a lot of information on when the server was misconfigured, why it was misconfigured, why it wasn’t caught and all of the steps that led to this event,” Kofman said, referring to the ongoing investigation.” Unusual congressional attention on this breach, but what about all the other healthcare breaches that do not affect congresscritters directly?

Denied a Gun License Over School Threat, Accused Leaker Jack Teixeira Later Got Top-Secret Clearance. WSJ.com article. Pull quote: “The Defense Counterintelligence and Security Agency, which approves clearances for the U.S. military, said its vetting regularly “cleared individuals’ background to ensure they continue to meet security clearance requirements.” The process “does not include automated checks of social media or chat rooms.””

NSF Federal Cyber Scholarship-for-Service Program (CyberCorps® SFS). Federal Register NSF 30-day ICR notice. Would support new NSF rule that is pending review at OMB.

Soaring Drone Use Requires Policymakers to Act. AmericanChemistry.com opinion piece. Pull quote: “First, the FAA must publish its Congressionally mandated drone security rule. The agency must allow facility operators to apply for airspace restrictions or drone prohibitions to help protect their site. These critical tools are needed to help prevent using drones for industrial espionage and potential terrorist attacks. As it stands now, the rule is long overdue, which is forcing the country to rely on a patchwork of state laws to address the threat and leaving a major gap in national security.”

Short Takes – 4-28-23 – Geeky Stuff Edition

Chemists think outside the box to craft tricky cubanes. CEN.ACS.org article. For chemistry geeks. Pull quote: “A cubane contains eight carbon atoms, one at each corner of the structure. It is almost the same size as benzene, and although the molecules are chemically quite different, both can bear substituents oriented at similar angles. This means that replacing a benzene group in a drug molecule with a cubane can sometimes improve the drug’s solubility or metabolic stability without affecting its biological activity.”

Out of gas in orbit? This US space company is here to help. Phys.org article. For space geeks. Pull quote: “"Our first contract with the US government is to deliver them fuel in 2025" to Space Force satellites, Faber says.” Space commerce is expanding and services like this will expand to support it.

The U.S. Military Relies on One Louisiana Factory. It Blew Up. WSJ.com article. For military geeks. Pull quote: “Sales volume is limited and that means profits can be too thin to support more than a single production facility. This type of vulnerability is so common, the Pentagon describes it as the “single source” problem. Only one foundry in the U.S. makes the titanium castings used in howitzers, and only one company makes the rocket motor used in the Javelin antitank weapon widely used in Ukraine.”

Partners Extend International Space Station for Benefit of Humanity. NASA.gov blog post. For space geeks. It’s official ISS operations extended to 2030 (2028 with Russian participation). Pull quote: ““The International Space Station is an incredible partnership with a common goal to advance science and exploration,” said Robyn Gatens, director of the International Space Station Division at NASA Headquarters in Washington. “Extending our time aboard this amazing platform allows us to reap the benefits of more than two decades of experiments and technology demonstrations, as well as continue to materialize even greater discovery to come.””

Batteries depleted. ChemistryWorld.com opinion piece. For chemistry geeks. Pull quote: “New processes could reclaim more materials ­– particularly lithium, but also graphite, electrolytes and packaging materials. Methods that reduce the number of processing steps between dismantling a battery and arriving at the materials required to make a new one should also help. But to be successful, those processes will also need to be cheap enough to provide viable returns for recyclers, as well as being compatible with diverse and evolving cell compositions as producers continue to drive for batteries that can provide superior performance.”

OFSP Aircraft Bomblet. Cat-UXO.com article. Site for EOD geeks. Pull quote: “The A133 fuze consists of a body, a pressure plate, a remote cocking mechanism, a detonator capsule safety check and a locking bolt similar to the VOG-17 VMG-M fuze mechanism.”

Second ‘Impossible’ Ring Found Around Distant Dwarf Planet. NYTimes.com article. For astronomy geeks. Pull quote: “A potential explanation for Quaoar’s distant rings is the presence of a moon, Weywot. The moon may have created gravitational disturbances that prevented the ring’s particles from accreting into additional moons. Both rings occur in locations near what are known as resonances with Weywot, and the resonances may turn out to be more important than the Roche limit for determining whether rings turn into moons or remain as rings.”

How a hypoxic environment is conducive to organic carbon storage in the coastal ecosystem. Phys.org article. For environmental geeks. Pull quote: “The researchers predict that more labile organic matter will be stored in coastal waters or buried in sediments when hypoxic regions expand due to global warming and eutrophication. The responses of microbial communities to low oxygen concentration and the effects of hypoxia on DOM composition may provide important negative feedback regulation in marine carbon cycle and global climate change.”

CSB Updates Investigation Backlog Clearance Plan – 4-27-23

Yesterday, in conjunction with their quarterly business meeting, the Chemical Safety Board updated their plan for the clearance of backlogged investigation reports. The schedule covers ten incidents dating back to May 2017, leaving just one ‘current’ investigation: BP - Husky Oregon Chemical Release and Fire which occurred in September 2022. The CSB expects to have the 10 backlogged investigations published by the end of the year.

Bills Introduced – 4-27-23

Yesterday, with both the House and Senate in session, there were 139 bills introduced. One of those bills will receive additional attention in this blog:

HR 2944 To prevent the misuse of drones, and for other purposes. Gallagher, Mike [Rep.-R-WI-8] 

Thursday, April 27, 2023

Short Takes – 4-27-23

There Are Too Many Generals and Admirals, a Senator Stalling Military Promotions Argues. Military.com article. Pull quote: “"I had not been aware that it was a controversial view that our military needs officers in charge of the 5th Fleet or the 7th Fleet," Warren said, alluding to two of the nominees caught in Tuberville's hold. "If the senator from Alabama thinks there should be fewer high-level leaders in the armed forces, he can advance legislation to reform our leadership structures. But blocking leaders from taking the jobs to which they've been assigned is reckless."” NOTE: Promotions passed in Senate today in single voice vote.

Prosecutors tell judge information Teixeira took ‘far exceeds’ what has been reported. CNN.com article. Pull quote: ““Not only does the Defendant stand charged with having betrayed his oath and his country but—when those actions began to surface—he appears to have taken a series of obstructive steps intended to thwart the government’s ability to ascertain the full scope of what he has obtained and the universe of unauthorized users with whom he shared these materials,” prosecutors wrote.” This all sounds just a bit over the top, making Teixeira sound like an experienced and active spook.

Powerful new obesity drug poised to upend weight loss care. TheHill.com article. Pull quote: “There are other downsides: Versions of semaglutide have been on the market for several years, but the long-term effects of taking drugs that override human metabolism are not yet clear. Early evidence suggests that when people stop taking the medications, they gain the weight back.” Major cost issues also discussed.

Reimagining Gunshot Detection for Enhanced Community Safety. DHS.gov S&T article. Pull quote: “Although gunshot detection technology is currently in use, it can only be installed at fixed locations. For outdoor public events, portable gunshot detection technology can add another layer of security to already installed security systems like cameras.”

The War on Passwords Enters a Chaotic New Phase. Wired.com article. Pull quote: ““What I want to highlight is how far we’ve come, but which problems still remain unsolved,” Brand says. “Passwords are everywhere, and they are bad, but everyone is accustomed to them. Users don’t want to be surprised, and they don’t like change. So it’s very important to think about passkeys as an augmentation. We need to kind of push users toward the thing that will be easier and more secure."”

Rightwing Edgelords Are the Real Threat to National Security. Vice.com article. Pull quote: “While it isn’t exactly clear what Teixeira’s beliefs or motivations were, the behavior on the Discord certainly bears the hallmarks of an edgelord; usually very online, young men posting mock-shocking memes and comments for lols and kudos among each other. Someone allegedly taking classified information to impress their chaos-loving online friends is yet another security threat to a defense force that military sources say has yet to even properly handle individuals with anti-government or extremist beliefs.” More than a little politically slanted to the left, but some interesting points.

Hackers Take Control of Government-Owned Satellite in Alarming Experiment. Gizmodo.com article. Pull quote: “The intrusion was a controlled hack as part of ESA’s ongoing CYSAT conference. According to a Tuesday release, a cybersecurity team from the multinational tech company Thales took up ESA’s Hack CYSAT challenge and found a way to seize control of an OPS-SAT nanosatellite originally sent up into low Earth orbit back in 2019. The intrusion allowed the hackers access to the satellite’s global positioning system, attitude control system, and even its onboard camera.”

FRA Publishes Another Train Operations Safety Advisory – 4-27-23

Today, the DOT’s Federal Railroad Administration (FRA) published on their website a new safety advisory dealing with the operation of long trains. The instructions to railroad operators will not become official until they are published in the Federal Register, probably next week but, since these are non-regulatory instructions, that delay is not material.

Reacting to three recent long-train derailments (not including the East Palestine derailment), the advisory provides eight recommendations pending completion of two formal studies about safety issues related to the operation of long trains. None of the recommendations is going to have an immediate impact on operational safety.

I’ll have more details when the official version is published and I can provide paragraph links in the discussion.

CISA Publishes Software Attestation 60-day ICR Notice

Today, CISA published a 60-day information collection request (ICR) notice in the Federal Register (88 FR 25670-25672) for “Request for Comment on Secure Software Development Attestation Common Form”. This is supporting requirements outlined in OMB Memorandum M-22-18 for suppliers of software for the federal agencies to “attest to conformity with secure software development practices” outlined in NIST Secure Software Development Framework (SSDF), SP 800-218, and the NIST Software Supply Chain Security Guidance.

CISA is acting as the sponsor for this new governmentwide form (not yet published), but the ICR burden data is being based solely upon DHS contracting data. Other agencies will be required to prepare separate burden estimates and publish their own associated ICR notices. CISA will provide a copy of the actual attestation form when it submits the ICR to OIRA. I suspect that it will be published in the ICR docket (see below) before the end of the comment period on this ICR Notice.

Based upon data from the DHS Federal Procurement Data System, CISA estimates that there will be 2,689 initial submissions and 1,345 resubmissions of the newly required attestation forms. Initial submissions would have a 3-hour 20-minute burden associated with each submission (8,963 total hours) and a 1-hour 50-minute burden associated with the resubmissions (2,466 total hours) for a total of $923,623.

CISA is soliciting public comments on this ICR. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # CISA-2023-0001). Comments should be submitted by June 26th, 2023.

Review – 1 Advisory Published 4-27-23

Today, CISA’s NCCIC-ICS published a medical device security advisory for products from Illumina.

Advisories

Illumina Advisory - This advisory describes two vulnerabilities in the Illumina Universal Copy Service.

 

For more details about the advisory, including a down-the-rabbit-hole look at research networks, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-published-4-27-23 - subscription required.

Co-Sponsor Added to HR 1623 – CFATS Propane Exception

Yesterday, Rep Latta (R,OH) was added as a cosponsor to HR 1623, a bill that would add certain commercial propane storage facilities to the list of facilities excluded from the reporting requirements of the Chemical Facility Anti-Terrorism Standards (CFATS) program. Latta is a member of the House Energy and Commerce Committee to which this bill was assigned for secondary consideration. Latta is the first cosponsor of the bill to be assigned to that Committee, so there may now be sufficient influence to see the bill considered there. I still do not believe that the bill would be favorably considered by the Committee, though it is more probable in this Committee because it is less closely tied to the CFATS program.

There is still no cosponsor on the House Homeland Security Committee which has primary consideration responsibility. The Homeland Security Committee would be least likely to pass the bill because of its adverse effect on the CFATS program.

NSF Sends CyberCorps Final Rule to OMB

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a final rule from the National Science Foundation on “NSF CyberCorps Scholarship for Service Program”. According to the listing for this rulemaking in the Fall 2022 Unified Agenda:

“NSF is finalizing amendments to the CyberCorps Scholarship for Service (SFS) Program which provides scholarships for cybersecurity undergraduate and graduate (MS or PhD) education. In return for the financial support, recipients must agree to work for the U.S. Government or a State, local, or Tribal government after graduation in a cybersecurity-related position, for a period equal to the length of the scholarship. NSF, in consultation with the Secretary of Education, is finalizing regulations governing the process of converting scholarships to student loans when the scholarship recipients fail to meet their required service obligations.”

Bills Introduced – 4-26-23

Yesterday, with both the House and Senate in session, there were 102 bills introduced. One of those bills may receive additional attention in this blog:

HR 2875 To direct the North American Electric Reliability Corporation, in consultation with the Secretary of Energy, the Federal Energy Regulatory Commission, Regional Transmission Organizations, and Independent System Operators, to submit a report to Congress on the reliability of the electric grid. Balderson, Troy [Rep.-R-OH-12]

I will be watching this bill for language and definitions that specifically include cybersecurity elements in the reporting requirements outlined in the legislation.

Wednesday, April 26, 2023

Short Takes – 4-26-23

Used Routers Often Come Loaded With Corporate Secrets. Wired.com article. Pull quote: ““One of the big concerns I have is that, if somebody evil isn’t doing this, it's almost hacker malpractice, because it would be so easy and obvious,” Camp says.” Unfortunately, this research needs to be re-done and republished periodically because this is too easy to exploit.

GOP leaders blink, makes last-minute changes to debt bill. TheHill.com article. Pull quote: “In an apparent deal with midwestern Republicans concerned about the bill’s elimination of ethanol tax credits, a manager’s amendment released during a House Rules Committee hearing that lasted into the wee hours eliminated provisions that would have eliminated tax credits for biofuels. Those tax credits were part of Democrats’ Inflation Reduction Act, the climate, energy and health-care package that Republicans opposed last year.” Still no floor amendments.

FACT FOCUS: COVID vaccines are not in the food supply. ABCNews.go.com article. Pull quote: “In widespread posts online in recent weeks, misinformation purveyors have spread an erroneous narrative that COVID-19 mRNA vaccines are being quietly added to the food supply, threatening staunch vaccine holdouts.” Did someone think that an article like this would actually have any effect on anti-vaxxer conspiracy nuts???

Hazardous Materials: Adoption of Miscellaneous Petitions and Updating Regulatory Requirements. Federal Register PHMSA comment period extension. Summary: “On March 3, 2023, PHMSA published a notice of proposed rulemaking (NPRM), entitled “Hazardous Materials: Adoption of Miscellaneous Petitions and Updating Regulatory Requirements (HM–219D),” proposing changes to update, clarify, improve the safety of, or streamline various regulatory requirements. In response to a request for an extension of the comment period submitted by Worthington Industries, PHMSA is extending the comment period for the HM–219D NPRM for an additional 45 days. Comments to the HM–219D NPRM will now be due by June 16, 2023.” New deadline – June 16th, 2023.

DHS Sends Mobile Driver’s License NPRM to OMB

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced, that it had received a notice of proposed rulemaking from DHS on “Minimum Standards for Driver's Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes; Waiver for Mobile Driver's Licenses”. According to the Fall 2022 Unified Agenda listing for this rulemaking:

“This proposal is the first rulemaking in a multi-phased project to enable Federal agencies, at their discretion, to continue accepting mobile driver’s licenses and mobile identification cards (collectively referred to as mDLs), while the Department of Homeland Security (DHS) develops comprehensive regulatory requirements for REAL ID-compliant mDLs.  This rule is proposing to add new mDL definitions to 6 CFR part 37 (REALID regulations), and to establish a process that States must follow to apply for a mDL waiver from the REAL ID regulations.  This initial rulemaking would also enable Federal agencies to accept State mDLs for official purposes from States who are issued such a waiver.  After multiple industry technical standards are finalized and published, DHS would repeal the waiver provisions and issue regulations setting the minimum technical requirements and security standards for mDLs to enable Federal agencies to accept mDLs for official purposes.”

I am not really interested (here in this blog) in covering the REAL ID mess, but it will be interesting to see if this NPRM includes any cybersecurity requirements for these mobile driver’s license waivers.

Bills Introduced – 4-25-23

Yesterday, with both the Senate and House in session, there were 106 bills introduced. One of those bills may receive additional attention in this blog:

HR 2866 To amend the Homeland Security Act of 2002 to establish Critical Technology Security Centers in the Department of Homeland Security to evaluate and test the security of critical technology, and for other purposes. Torres, Ritchie [Rep.-D-NY-15]

I will be watching this bill for definitions and language that would specifically include control systems in the ‘critical technology’ coverage of the legislation.

Tuesday, April 25, 2023

Short Takes – 4-25-23

'High bio-hazard risk' in Sudan after laboratory seized, WHO says. MSN.com article. Pull quote: “There is a "high risk of biological hazard" in the Sudanese capital Khartoum after one of the warring parties seized a laboratory holding measles and cholera pathogens and other hazardous materials, the World Health Organization said on Tuesday.” Patient samples? Cultured strains? Bio-engineered? No word.

Nurse Call Systems, Infusion Pumps Riskiest Connected Medical Devices. InfoSecurity-Magazine.com article. Pull quote: “Based on the tracking of over three billion Internet of Things (IoT) and medical devices in clinical environments, the research document shows that 39% of all nurse calling systems – devices used by patients to alert caregivers when they need assistance – have critical severity unpatched Common Vulnerabilities and Exposures (CVEs). Almost half (48%) of them have unpatched CVEs.” No link to research report.

House GOP leaders hit snags as members harden ‘no’ votes on debt limit bill. TheHill.com article. Pull quote: “The critics’ opposition appears to be enough to sink the bill [HR 2811, the Limit, Save, Grow Act of 2023], which would be an embarrassing defeat for McCarthy in the first big legislative test of his young Speakership, while also weakening the Republicans’ hand in the coming fight with President Biden over how to raise the debt ceiling and prevent a government default this summer.”

HR 2741 Markup – CG Authorization Act of 2023

Today, the House Transportation and Infrastructure Committee announced a markup hearing for HR 2741, the Coast Guard Authorization Act of 2023. The Committee will consider substitute language for the bill that adds a number of new sections. The hearing web page currently lists twenty amendments that will be considered during the markup.

I have not done a detailed review of the introduced version of HR 2741, but there is nothing listed in the bill’s Table of Contents that appears to be of specific interest in this blog. The substitute language adds a new §210 that would require the Coast Guard to establish an on-line application that would be used for “notification of an oil discharge or release of a hazardous substance”. It would also add a new TITLE IV -Oil Pollution Incident Liability, that modifies existing requirements for oil spill liability.

Of the twenty proposed amendments listed, three are potentially of interest here:

Offered by Rep Rouzer (R,NC) Amends 46 USC 70011(b). Would prohibit “a representative of a government of country that the Secretary of State has determined has repeatedly provided support for acts of international terrorism under section 620A of the Foreign Assistance Act of 1961 (22 U.S.C. 2371) from visiting a facility for which a facility [MTSA] security plan is required under section 70103(c).”

Offered by Rep Webster (R,FL) Section 337. Report on establishment of an unmanned systems capabilities office. Includes interesting language authorizing counter UAS operations.

Offered by Rep Perry (R,PA) 104 Adds: Section 337. Exemption from coastwise laws for vessels transporting liquefied natural gas.

There are some interesting ‘culture wars’ amendments, including one that would prohibit the Coast Guard from purchasing or supporting electric vehicles.

Review – 2 Advisories Published – 4-25-23

Today, CISA’s NCCIC-ICS published two control system security advisories for products from SCADA-LTS and Keysight.

Advisories

SCADA-LTS Advisory - This advisory discusses a cross-site scripting vulnerability in the SCADA-LTS open-source HMI.

Keysight Advisory - This advisory describes a deserialization of untrusted data vulnerability in the Keysight N8844A Data Analytics Web Service.

 

For more details about these advisories, including links to exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-published-4-25-23 - subscription required.

Review - CSB Publishes Louisiana Bio-Lab Investigation Report

Yesterday, the Chemical Safety Board announced the publication of their final report on the investigation of the fire and chlorine gas release at the Bio-Lab manufacturing facility in Westlake, LA immediately following the passage of Hurricane Laura in August 2020. The incident was initiated when the roof was blown off of a portion of the plant in which over 70,000 pounds of trichloroisocyanuric acid (TCCA) was stored. Subsequent water contamination of the TCCA resulted in an exothermic reaction which caused a facility fire and the release of a toxic cloud that included copious amounts of chlorine gas. An additional portion of the facility, a warehouse containing additional amounts of TCCA, was subsequently involved in the incident.

Recommendations

The CSB identified five major safety issues in their investigation:

• Extreme weather preparation,

• Process hazard analyses implementation,

• Emergency preparedness and response,

• Adherence to applicable hazardous materials codes, and

• Regulatory coverage of reactive chemical hazards.

Based upon the results of the investigation, the CSB published six new recommendations:

• 2020-05-I-LA-1 – Bio-Lab - Evaluate the hazards to the Bio-Lab Lake Charles facility from hurricanes and accompanying wind, rainwater, floodwater, or storm surge forces,

• 2020-05-I-LA-2 – Bio-Lab - Develop and implement an improved Process Hazard Analysis (PHA) action item management system,

• 2020-05-I-LA-3 – Bio-Lab - Perform process hazard analyses (PHAs) on all buildings and units processing or storing trichloroisocyanuric acid,

• 2020-05-I-LA-4 – Bio-Lab - Revise the Bio-Lab Lake Charles emergency response plan,

• 2020-05-I-LA-5 – State of Louisiana - Require the facility operators to evaluate the hazards to their facilities from hurricanes and accompanying wind, rainwater, floodwater, or storm surge forces, and

• 2020-05-I-LA-6 – EPA - Implement the five open recommendations issued in the 2022 U.S. Government Accountability Office Report titled Chemical Accident Prevention: EPA Should Ensure Regulated Facilities Consider Risks from Climate Change.

The Board also reiterated two long-standing and still open recommendations:

• 2001-01-H-R1 – OSHA - Amend the Process Safety Management Standard (PSM), 29 CFR 1910.119, to achieve more comprehensive control of reactive hazards that could have catastrophic consequences, and

• 2001-01-H-R3 – EPA - Revise the Accidental Release Prevention Requirements, 40 CFR 68, to explicitly cover catastrophic reactive hazards that have the potential to seriously impact the public, including those resulting from self-reactive chemicals and combinations of chemicals and process-specific conditions.

 

For more details about the incident, including the chemicals involved, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-publishes-louisiana-bio-lab-investigation - subscription required.

Monday, April 24, 2023

Short Takes – 4-24-23

The Supreme Court is about to hear a landmark online threats case. TheVerge.com article. Pull quote: “But in part because of the internet’s ubiquity and its norms of communication, the case has broad implications that make many civil liberties advocates uneasy. The case has drawn supporting briefs from the American Civil Liberties Union, the Electronic Frontier Foundation, and the Reporters Committee for Freedom of the Press, among others. They argue that threats should require a level of intent — not rely on determining whether the message is “objectively” threatening.”

SpaceX’s Starship Kicked Up a Dust Cloud, Leaving Texans With a Mess. NYTimes.com article. Pull quote: “Mr. Roesch, who runs the environmental policy blog ESG Hound, said he believed the dust and debris came largely from a giant crater formed during the rocket’s liftoff. Normally, major launch sites are engineered with a trench or water system that helps to divert the rocket’s flame away from the ground and to dampen the impact, he said.”

China’s Space Dream Is a Legal Nightmare. ForeignPolicy.com opinion piece. China is building launch facilities in Djibouti, which is not a signatory to the Outer Space Treaty. Pull quote: “As a party to most of the major space-relevant international legal instruments, China must abide by certain limitations on its behavior. For example, it is barred from stationing nuclear weapons in space, may not claim sovereignty over celestial bodies like the Moon, and must provide aid to astronauts in distress, among many other obligations. China fulfils these obligations through domestic regulation of private sector space entities, but it is not clear how these rules would apply to or be enforced on Chinese commercial operators overseas. Djibouti’s lack of experience with any form of space law does little to raise hopes for effective oversight of activities originating from its soil.”

China discovers strange glass beads on moon that may contain billions of tons of water. LiveScience.com article. Pull quote: “The tiny glass spherules, collected in lunar soil samples and brought to Earth by China's Chang'e-5 mission in December 2020, could be so abundant that they store up to 330 billion tons (300 billion metric tons) of water across the moon's surface, the new analysis, published March 28 in the journal Nature Geoscience, shows.” How many tons of soil would have to be processed to obtain one ton of water?

Review - S 1050 Introduced – Bulk Power System Protection

Last month, Sen Scott (R,FL) introduced S 1050, the Protect American Power Infrastructure Act. The bill would prohibit owners of defense critical electrical infrastructure from buying covered electrical power supply equipment from companies owned or controlled by foreign adversaries. No funding is authorized by this legislation.

Moving Forward

Scott is not a member of the Senate Energy and Natural Resources Committee to which this bill was assigned for consideration, nor are his three cosponsors. This means that it is unlikely that there will be sufficient influence to see the bill considered in Committee. I suspect that there would be some industry opposition to this broadly written rule, so if the bill were considered in Committee it is unclear at this point if there would be sufficient support for the bill to be favorably reported. I do not think that there would be enough support to see the bill considered under regular order by the full Senate.

 

For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-1050-introduced - subscription required.

Committee Hearings – Week of 4-23-23

With both the House and Senate in Washington this week, we have a relatively normal hearing schedule, with budget issues predominating. There is one cybersecurity hearing of note.

BTW: Fourteen weeks left before the current authorization for the Chemical Security Anti-Terrorism Standards (CFATS) program runs out on July 27th, 2023. No congressional hearings have been conducted or scheduled.

Cybersecurity

On Thursday, the Subcommittee on Cybersecurity and Infrastructure Protection of the House Homeland Security Committee will hold a hearing on: “CISA 2025: The State of American Cybersecurity from CISA’s Perspective”. The sole witness will be Jen Easterly, the CISA Director.

An interesting note from the Chair of that subcommittee, Rep Garbarino (R,NY): “However, as over 80 percent of critical infrastructure is privately owned and operated, it is crucial that CISA empowers and strengthens information sharing without becoming a bureaucratic regulatory agency [emphasis added] that undermines its vital relationship with the private sector. This Subcommittee looks forward to speaking with Director Easterly on ways we can increase our cyber resiliency and strengthen our nation’s risk advisor as it faces an increasingly complex cyber threat landscape.”

Commentary: The Homeland Security Committee web site continues to run on press releases rather than web pages. The “Committee Activity” web page does not list any committee hearings, past or future; the ‘Issues’ subpage provides listings of press releases on various topics. Under the ‘Cybersecurity’ topic is a link to the ‘Media Advisory’ about this week’s hearing. Granted, congressional committees are at heart political animals, but they usually play the game and make a show of providing the public with a view of their deliberative process. The Homeland Security Committee has completely given up on that aspect of ‘information sharing’.

On the Floor

The House schedule for this week does not include anything of particular interest here in this blog. Having said that, I have to comment on one of the two bills that will be considered under a rule this week, HR____, the Limit, Save, Grow Act of 2023. This is the ‘debt limit’ bill that was being discussed over the weekend on most of the weekly political talk shows. It is the Republicans’ official solution to the pending debt limit crisis. Actually, it is a 320-page political agenda bill that only addresses the debt limit in the last three pages.

Okay, the Republicans legitimately campaigned in 2022 on cutting federal spending, and this bill certainly addresses their issues. Good for them. They added their energy initiatives from HR 1 that was passed in the House last month, but will never be considered in the Senate. Again, this type of topic piling on in legislative ‘must pass’ bills has become a common ploy used by both parties. But the Republicans did promise to stop that practice….

Looking at the House Rules Committee web page for the consideration of this measure, there was no attempt to solicit amendments to this bill when its consideration was announced on Friday. And there are no amendments listed as having been submitted. So, the Republicans are going to bring their premier spending limitation bill to the floor of the House for consideration without allowing amendments to be offered or considered. So much for their vaunted efforts to make the legislative process more open for individual members.

The Republican leadership can talk the talk, but they cannot walk the walk. Granted McCarthy had to do some serious political tight walking and finger-crossed bargaining to get the Speakership. And he is going to have problems holding his very loose coalition together to get this passed. Adding an amendment process to the consideration of this bill would probably make that more difficult. But, if he is going to take the easy way out for reasons of political expediency, is he really changing the political process? Of course not. He and his ‘team’ are just continuing the decline of cooperative House politics that we have been watching over the last two decades.

And the House Republicans wonder why Biden is not willing to negotiate with them.

Saturday, April 22, 2023

Short Takes – 4-22-23

Discussion about reliability of fewer big engines vs more smaller engines. Twitter.com thread. Pull quote: “It's arguably true--and James Oberg wrote about this years ago--that the success of Apollo was at least in part due to the reliability of the 5 huge Saturn V engines, as opposed to the Soviet Union's necessity to use 15-20 separate, smaller engines that had to fire simultaneously.”

FBI leak investigators home in on members of private Discord server. WashingtonPost.com article. Pull quote: “The Justice Department is unlikely to charge members of the server for viewing or sharing the classified information, based on past cases. Historically, the government has almost always charged only individuals with security clearances, which legally obligate them not to share classified information with people who aren’t authorized to see it.”

The Army Is Readying Armored Vehicles That Spy, Jam, and Hack Enemy Drones. PopularMechanics.com article. A bit of a clickbait title, but much more than counter-drone operations is included in the new EW vehicles. Pull quote: “By late 2022, sixteen brigades had stood up the new EW platoons, which are nested in the brigade’s Military Intelligence company. Until TLS is fielded, Army electronic warfare units will use Stryker and Flyer72 trucks equipped with Tactical Electronic Warfare System (TEWS). Longer-range signal intelligence is also performed by the General Dynamics AN/MLQ-44A Prophet system mounted on an M1165 up-armored Humvee. The National Guard units will receive these EW systems as they are replaced with TLS.”

Two Men Sentenced for Conspiring to Provide Material Support to Plot to Attack Power Grids in the United States. Justice.gov press release. Pull quote: “Upon arriving in Columbus, Sawall and Cook purchased spray paint and painted a swastika flag under a bridge at a park with the caption, “Join the Front.” The defendants had additional propaganda plans for their time in Ohio, but they were derailed during a traffic stop, during which Sawall swallowed his suicide pill but ultimately survived.” Another plot by ‘serious’ terrorists.

Pipeline Safety: Safety of Gas Transmission Pipelines: Repair Criteria, Integrity Management Improvements, Cathodic Protection, Management of Change, and Other Related Amendments: Technical Corrections; Response to Petitions for Reconsideration. Federal Register PHMSA technical corrections. Summary: “PHMSA is making necessary technical corrections to ensure consistency within, and the intended effect of, a recently issued final rule titled “Safety of Gas Transmission Pipelines: Repair Criteria, Integrity Management Improvements, Cathodic Protection, Management of Change, and Other Related Amendments.” PHMSA also alerts the public to its November 18, 2022, and April 19, 2023, responses to petitions for reconsideration of this final rule.”

Airman Shared Sensitive Intelligence More Widely and for Longer Than Previously Known. NYTimes.com article. Pull quote: “In February 2022, soon after the invasion of Ukraine, a user profile matching that of Airman Jack Teixeira began posting secret intelligence on the Russian war effort on a previously undisclosed chat group on Discord, a social media platform popular among gamers. The chat group contained about 600 members.”

A Life Lost in the Maw of Counterterrorism. SpyTalk.co book review. Pull quote: “In the headlong style of a deadline journalist, [Brett] Forrest presents a tragedy of naïveté and deceit, a tale that he first published as a story in the Journal. Here, after more than a year of research, he adds context—novelistic touches of scenery, atmosphere and backstory. He explores histories of the suburbs of Detroit (sometimes called “the Arab capital of North America”), the Islamic terrorism that changed the mission of the FBI, and the unusual independence and curiosity of Billy’s family.”

Review - S 896 Introduced – SHIELD U Act

Last month, Sen Lee (R,UT) introduced S 896, the Stopping Harmful Incidents to Enforce Lawful Drone Use (SHIELD U) Act. The bill would give airport operators the authority to conduct counter-drone activities at commercial airports. It would also allow State and local law enforcement personnel broad authority to conduct counter-drone operations with few federal restrictions. No additional funding is authorized by this legislation.

The wording of the bill is identical to S 4801 that was introduced in the last session. No action was taken on that bill.

Moving Forward

Lee is not a member (this session) of the Senate Commerce, Science and Technology Committee to which this bill is assigned for consideration. This means that there is not enough influence to see the bill considered in Committee. I suspect that the relatively unrestricted authorization for State and local law enforcement officials to conduct counter-drone operations will draw at least some organized opposition; whether it would be enough to stall consideration of the bill remains to be seen.

Commentary

Counter-UAS operations would seem to violate a number of current federal laws, including:

49 USC 46502 (air piracy),

18 USC 32 (destruction of aircraft),

18 USC 1030 (computer fraud),

18 USC 1367 (operation of a satellite),

18 USC Chapter 119 (communications interception), and

18 USC Chapter 206 (trap and trace).

Instead of specifically exempting counter-drone operations from concerns about those statutory provisions, this bill uses two broad phrases: ‘Notwithstanding any other provision of law’, and ‘in a manner consistent with the Fourth Amendment to the Constitution of the United States’. The first is so broad as to remove any legal restrictions against counter-drone operations, technically even allowing operations against military drones transiting non-military airspace. To counter that, the second requirement would seem to require the use of a search warrant to be allowed to seize a drone, but it is not clear that the language is specific enough to require a search warrant to be obtained before any counter-UAS operations are undertaken, short of seizing the drone once it is forced to land.

 

For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-896-introduced - subscription required.

CRS Reports – Week of 4-15-23 – Counter UAS

This last week, the Congressional Research Service (CRS) published a report on “Department of Defense Counter-Unmanned Aircraft Systems”. It provides a brief look at detection and interdiction tools available to the military for engaging unmanned aircraft systems. Interestingly, the report fails to provide any mention of the tactical use of UAS in Ukraine as a driver for the need for counter-UAS (c-UAS) operations. The three-page report concludes with a list of possible questions for Congress:

• Is DOD funding of C-UAS systems appropriately balanced between research and development and procurement programs?

• To what extent, if at all, has the designation of a DOD executive agent for C-UAS reduced redundancies and increased efficiencies in C-UAS procurement?

• To what extent, if at all, is DOD coordinating with other departments and organizations, such as the Department of Homeland Security, the Department of Justice, and the Department of Energy, on C-UAS development and procurement? NOTE: These are the only other agencies that are currently authorized (to a very limited extent) to conduct c-UAS operations.

• Are any changes to airspace management, operational concepts, rules of engagement, or tactics required in order to optimize the use of C-UAS systems and/or deconflict with other U.S. military operations?

• To what extent, if at all, is DOD coordinating with the Federal Aviation Administration and international civil aviation authorities to identify and mitigate C-UAS operational risks to civil aircraft?

Chemical Incident Reporting – Week of 4-15-23

NOTE: See here for series background.

SW Oklahoma City, OK 4-10-23

News articles here, here, and here. 100 lb of anhydrous ammonia was released during maintenance activities at an ice making facility. No injuries reported. Probably not a CSB reportable.

Kansas City, KS 4-11-23

News article here and here. CO and CO2 leak at meat processing plant, 26 transported to hospital with no word if any were admitted. Possible CSB reportable.

Wood River, NE 4-17-23

News article here, here, here, and here. Storage tank explosion during maintenance work at ethanol plant, 1 dead, 1 hospitalized. CSB reportable.

Commentary

I mentioned the ammonia leak even though it is almost certainly not a CSB reportable because of its contrast with the CO/CO2 leak and the lack of injuries. Anhydrous ammonia is a ‘good’ toxic gas. The odor threshold is well below the dangerous level, so people are aware of the presence of the leak and tend to exit the area before they are in danger. Odorless toxic chemicals like carbon monoxide require alarms, and people are frequently slow to react to alarms, especially if alarms go off frequently at the facility.

Public ICS Disclosures – Week of 4-15-23

This week we have six vendor disclosures from Cisco, Draeger, Omron (2), Philips, and VMware. There are seven vendor updates from Palo Alto Networks, QNAP (5), and Schneider. Finally, we have two exploits for products from VMware.

Advisories

Cisco Advisory - Cisco published an advisory that describes two vulnerabilities in their Industrial Network Director (IND).

Draeger Advisory - Draeger published an advisory that discusses the status of TLS 1.0, which has been deprecated by the Internet Engineering Task Force.

Omron Advisory #1 - Omron published an advisory that describes a missing authentication for critical function vulnerability in their CS/CJ series Programmable Controllers.

Omron Advisory #2 - Omron published an advisory that describes seven vulnerabilities in their Factory Interface Network Service message communications protocol.

Philips Advisory - Philips published an advisory that discusses a Windows privilege escalation vulnerability that has been exploited in the wild.

VMware Advisory - VMware has published an advisory that describes two vulnerabilities in their Aria Operations for Logs product.

Updates

Palo Alto Networks Update - Palo Alto Networks published an update for their PAN-OS advisory that was originally published on April 12th, 2023.

QNAP Update #1 - QNAP published an update for their sudo advisory that was originally published on March 30th, 2023.

QNAP Update #2 - QNAP published an update for their QTS, QuTS hero, QuTScloud, QVP, and QVR advisory that was originally published on March 30th, 2023.

QNAP Update #3 - QNAP published an update for their QTS, QuTS hero, QuTScloud, and QVP advisory that was originally published on March 30th, 2023.

QNAP Update #4 - QNAP published an update for their Buffer Overflow Vulnerability in Samba advisory that was originally published on March 30th, 2023.

QNAP Update #5 - QNAP published an update for their Buffer Overflow Vulnerabilities in Samba advisory that was originally published on March 30th, 2023.

Schneider Update - Schneider published an update for their Easy UPS Online Monitoring Software that was originally published on April 11th, 2023.

Exploits

VMware Exploit #1 - Mr_me published a Metasploit module for an improper privilege management vulnerability in the VMware Workspace One product.

VMware Exploit #2 - Mr_me published a Metasploit module for three vulnerabilities in the VMware Workspace One product.

 

For more details about these disclosures, including links to 3rd party advisories and brief description of changes made in updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-4-c16 - subscription required.

Friday, April 21, 2023

Short Takes – 4-21-23

How Citizen is trying to remake itself by recruiting elderly Asians. TechnologyReview – article. Pull quote: “He says he has Citizen on his own phone and has been taken aback by how biased some user-generated comments submitted around certain incidents were. “What kind of impact does that really have on the psyche of our community?” he asks. “And it’s clear that this can get out of hand really quickly.””

What’s Perfectly Round, Made Of Metal, And Keeping Russia From Replacing the 2,000 Tanks It’s Lost In Ukraine? Forbes.com article. Pull quote: “So maybe Russia eventually ramps up tank-production by swapping good bearings for bad bearings. Having also traded modern digital optics for inferior analog optics, these tanks no longer are state-of-the-art.” For want of a nail….

DRONES4SEC files simultaneous complaints with The Dutch Data Protection Authority and the Bavarian Data Protection Authority against DJI for lack of GDPR compliance. sUASNews.com article. Pull quote: “DJI’s apps contain hidden dangerous features that do not comply with the data protection principles of the GDPR, in particular, the principle of fairness and transparency and the principle of data protection by design and default. As an example, several mobile apps from DJI have been sending for months private data from tens to hundreds of thousands of users to a Chinese intelligence data platform, MobTech (mob.com), whose goal is to collect as much personal data as possible. This feature was hidden to final users and DJI used obfuscation techniques to prevent cybersecurity researchers to identify such collection of personal data.”

FAR App Prohibition Interim Final Rule Sent to OMB

OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a FAR regulation on “FAR Case 2023-010, Prohibition on Using a Covered Application”. This rulemaking was not listed in the Fall 2020 Unified Agenda, so there is no official listing of its purpose, but I suspect that this may just have something to do with the Tik Tok application.

Bills Introduced – 4-20-23

Yesterday, with both the House and Senate preparing to leave Washington for a long weekend, there were 108 bills introduced. Three of those bills will receive additional coverage in this blog:

HR 2741 Coast Guard Authorization Act of 2023 Graves, Sam [Rep.-R-MO-6]

HR 2745 To amend title 28, United States Code, to allow claims against foreign states for unlawful computer intrusion, and for other purposes. Bergman, Jack [Rep.-R-MI-1]

HR 2756 To direct the Secretary of Defense to seek to engage the Government of Taiwan regarding expanded cooperation with respect to military cybersecurity activities, and for other purposes. Gallagher, Mike [Rep.-R-WI-8]

The initial text of HR 2741 is available. Amendments will be made in Committee that will expand the bill substantially. It will be interesting to see if the Republican leadership brings this bill to the floor or ends up including it as part of a spending bill, as has frequently been done in recent history.

Thursday, April 20, 2023

Short Takes – 4-20-23

New data show that an old model of the brain's motor cortex is incomplete. NPR.org article. Pull quote: “In other words, these areas integrate information from all over the body and brain in order to carry out a movement. Dosenbach says the finding, which appears in the journal Nature, contradicts a central belief about motor cortex.”

Russia Seeks to Deplete Ukraine’s Air Defenses Ahead of Kyiv’s Expected Offensive. WSJ.com article. Pull quote: “Still, a shortage of air defenses could jeopardize Ukraine’s planned offensive to drive Russia out of some occupied territories in the coming weeks, using several new reserve brigades trained and equipped by the U.S. and North Atlantic Treaty Organization partners.”

Enterprises Exposed to Hacker Attacks Due to Failure to Wipe Discarded Routers. SecurityWeek.com article. Pull quote: ““We also noted, significantly, that multiple devices were acquired following decommissioning from managed IT providers who operate networks for much larger organizations, so often the affected organizations would have no idea that they may now be vulnerable to attacks due to data leaks by some third party,” ESET said.”

Republican attorneys general ask court to overturn Biden admin’s water facility cybersecurity regulations. CNN.com article. Not an unexpected development. Pull quote: “But in their petition to the US Court of Appeals for the Eight Circuit, the Arkansas, Iowa and Missouri attorneys general argue that the new regulations circumvent state authorities and reinterpret federal statute that does not apply to cybersecurity.”

Notice of the Renewal of the Critical Infrastructure Partnership Advisory Council Charter. Federal Register DHS notice. Summary: “On November 29, 2022, the Secretary of the Department of Homeland Security (DHS) approved the renewal of the Critical Infrastructure Partnership Advisory Council (CIPAC) Charter. Through this notice, the Department is making the renewed CIPAC Charter publicly available and highlighting updated information and guidelines that have been included in the renewed charter.”

Pipeline Safety: Carbon Dioxide Pipeline Safety Public Meeting. Federal Register PHMSA meeting notice. May 31st and June 1st, 2023. Summary: “The public meeting will serve as an opportunity for pipeline stakeholders to help inform pipeline safety-related rulemaking decisions and share information surrounding CO2 pipeline safety. Key stakeholders include the public, states, tribal governments, other federal agencies, industry, and international regulators and/or organizations.”

HR 1127 Introduced – Cybersecurity Partnership

Back in February (finally published by GPO today), Rep Gonzales (R,TX) introduced HR 1127, the United States-Taiwan Advanced Research Partnership Act of 2023. The bill would specifically authorize DHS Science and Technology Directorate to enter into “cooperative research activities with Taiwan to strengthen preparedness against cyber threats and enhance capabilities in cybersecurity.” No additional funding is authorized by this bill.

Moving Forward

Gonzales is a member of the House Homeland Security Committee to which this bill was assigned for consideration. This means that there may be enough influence to see this bill considered in Committee. There will be some opposition to this bill because it violates the long-standing one China policy initiated by President Nixon. There is increasing support for Taiwan standing up to China, so that opposition would probably not be sufficient to stop approval of the bill if it is considered, but it will at least delay consideration of the bill. I suspect that there may be sufficient bipartisan support for the bill to be considered by the full House under the suspension of the rules process.

Commentary

The crafters of the bill use 6 USC 195c as the authority for conducting these cooperative research programs. Unfortunately, that section deals with international cooperation activities for anti-terrorism research. There is an exception for cybersecurity research activities authorized under subsection (g), but that only applies to research with Israel. The crafters of the bill could have solved this problem by adding an amendment to §195c by inserting a new subsection 2(c) to the bill:

(c) Section 317(g) of the Homeland Security Act of 2002 (6 U.S.C. 195c) is amended by, after the word “Israel” inserting “, Taiwan, or other nations identified by the Secretary in consultation with the Secretary of State,”.

Short Takes – 4-20-23 – SpaceX Geek Edition

Starship Flight Test. SpaceX.com article. Pull quote: “At 8:33 a.m. CT, Starship successfully lifted off from the orbital launch pad for the first time. The vehicle cleared the pad and beach as Starship climbed to an apogee of ~39 km over the Gulf of Mexico – the highest of any Starship to-date. The vehicle experienced multiple engines out during the flight test, lost altitude, and began to tumble. The flight termination system was commanded on both the booster and ship. As is standard procedure, the pad and surrounding area was cleared well in advance of the test, and we expect the road and beach near the pad to remain closed until tomorrow.”

So what was that? Was Starship’s launch a failure or a success? ArsTechnica.com article. Pull quote: “Fortunately for SpaceX, the company can afford to "fail." It can do so because it has already built three more Super Heavy rockets that are nearly ready to fly. In fact, SpaceX can build 10 Super Heavy first stages in the time it takes NASA to build a single SLS rocket. If the first five fail but the next five succeed, which is a better outcome? How about in two or three years, when SpaceX is launching and landing a dozen or more Super Heavy rockets while NASA's method allows it a single launch a year?”

Highlights From SpaceX’s Explosive Starship Rocket Test Launch. NYTimes.com article. Pull quote: “Starship didn’t reach its goal of mastering the going-up portion of spaceflight on Thursday, but assuming its builders achieve that goal on the next try, they will still have to sort out the other part of its revolutionary approach: Getting all parts of the spacecraft on the ground safely so they can be reused. It is not clear when SpaceX will schedule its next test flight — Elon Musk, founder of SpaceX suggested it will be several months — but if it follows the same plan as Thursday’s test, it will not include an attempt to land the Super Heavy booster or the Starship vehicle.”

SpaceX giant rocket explodes minutes after launch from Texas. SeattleTimes.com article. Pull quote: “The Federal Aviation Administration said it would oversee the accident investigation, noting that no injuries or public property damage were reported. The agency also said that until it determines that there is no threat to public safety, Starships are grounded.”

Powerful Blast from SpaceX’s Starship Damages Launch Pad and Wrecks Nearby Minivan. Gizmodo.com article. Pull quote: “SpaceX was forced to destroy Starship at the 3:59 mark of the mission, the result of the rocket entering into a hopeless tumble. The Elon Musk-led company said that, at a bare minimum, it wanted to see the rocket take flight and not cause too much damage to the launch site. It’s still too early to tell, but the acquired footage does point to some harm at the site—such as a gigantic crater that formed directly beneath the Orbital Launch Mount.”

SpaceX’s Starship lifts off successfully, but explodes in first flight. WashingtonPost.com article. Pull quote: “Before the test, SpaceX warned that an explosion — or what it calls a “rapid unscheduled disassembly” — was a likely outcome, given the size and complexity of the vehicle and the fact that it had never flown before. The vehicle is outfitted with an “automated flight termination system” that is designed to blow up the vehicle if it starts going off course.”

Review - BIS Publishes Peptide Synthesis Export Controls NPRM

Today, the DOC’s Bureau of Industry and Security (BIS) published a notice of proposed rulemaking (NPRM) in the Federal Register (88 FR 24341-24346) for “Section 1758 Technology Export Controls on Instruments for the Automated Chemical Synthesis of Peptides”. The advance notice of proposed rulemaking was published (this post is now open to the public without subscription) on September 13th, 2022.

Public Comments

BIS is soliciting public comments on this proposed rulemaking. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # BIS–2022–0023). Comments should be submitted by May 22nd, 2023. This short, 30-day response time is probably going to be challenged by commenters as inadequate for many organizations.


For more details about the provisions of the NPRM, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bis-publishes-peptide-synthesis-export - subscription required.

Review - 1 Advisory Published – 4-20-23

Today, CISA’s NCCIC-ICS published a control system security advisory for products from INEA.

Advisories

INEA Advisory - This advisory describes an OS command injection vulnerability in the INEA ME RTU.


For more details about this advisory, including a down-the-rabbit-hole look at a possible connection to the Mitsubishi smartRTU, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-published-4-20-23 - subscription required.

CISA Publishes CFATS CSAT 30-day ICR Revision/Renewal Notice

Today, CISA published a 30-day information collection request (ICR) revision and renewal notice in the Federal Register (88 FR 24435-24437) for the “Request To Revise and Extend the Chemical Security Assessment Tool (CSAT) Information Collection Under the Paperwork Reduction Act”. The 60-day ICR notice was published (post is now public instead of subscription only) on December 27th, 2022.

The ‘revisions’ portion of this ICR notice updates burden estimates based on recent program history. There are no notices of significant programmatic changes. Having said that, today’s notice does not include the level of explanatory detail that was provided in the 60-day notice. Specifically, it does not provide any information on the possible change to the SSP/SVA collection tool that would require facilities to report “internet Protocol (IP) address(es) and Domain Name System (DNS) information”.

CISA is soliciting public comments on this ICR notice. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # CISA-2022-0018). Comments should be submitted by May 22nd, 2023.

Wednesday, April 19, 2023

Short Takes – 4-19-23

Enforcement of Cybersecurity Regulations: Part 3. LawFareBlog.com post. Pull quote: “As cybersecurity assumes the role in economic stability that integrity of the banking system or the reliability of the stock exchanges have long had, regulators will need to expand their inspections or examinations capability. The TSA and other sector-specific regulators will be hard pressed to find personnel capable of performing meaningful cybersecurity inspections. But that is no reason not to start…. In all those sectors, the government has built up extensive inspections or monitoring capabilities, with undeniable benefits to reliability, safety, and economic development. So too it can—and must—for critical infrastructure cybersecurity.”

As counterspace weapons ‘proliferate,’ the new cold war for space races forward: studies. BreakingDefense.com article. Pull quote: “‘If you’ve got a constellation of a couple thousand satellites or you’ve got hundreds of commercial imaging satellites, destructive weapons are not all that useful in countering those because if you take out one or two, it doesn’t really have an effect,’ he said.”

China readies supersonic spy drone unit, leaked document says. WashingtonPost.com article. Pull quote: “A secret document from the National Geospatial-Intelligence Agency, which has not previously been reported, shows the Chinese military is making technological advances that could help it target American warships around Taiwan and military bases in the region.” So, maybe the US Air Force needs to re-field the YF-12.
