Short Takes – 5-31-23

Discord Admins Hacked by Malicious Bookmarks. KrebsOnSecurity.com post.  Pull quote: “While bookmarklets can be useful and harmless, malicious Javascript that is executed in the browser by the user is especially dangerous. So please avoid adding (or dragging) any bookmarks or bookmarklets to your browser unless it was your idea in the first place.”

Axiom crew splashes down in a SpaceX capsule after doing space station science. GeekWire.com article. Pull quote: “Axiom Space’s next commercial crew is due to launch as soon as November, and could include the first Turkish astronaut to go to space. Among others have been mentioned as potential future fliers are Hollywood actor Tom Cruise and the winner of a TV contest called “Space Hero.””

Webb maps surprisingly large plume jetting from Saturn’s moon Enceladus. ESA.int article. Pull quote: “The length of the plume was not the only characteristic that intrigued researchers. The rate at which the water vapour is gushing out, about 300 litres per second, is also particularly impressive. At this rate, you could fill an Olympic-sized swimming pool in just a couple of hours. In comparison, doing so with a garden hose on Earth would take more than 2 weeks.”

New Nontoxic Powder Uses Sunlight to Disinfect Contaminated Drinking Water. Stanford.edu article. Pull quote: “The study focused on E. coli, which can cause severe gastrointestinal illness and can even be life-threatening. The U.S. Environmental Protection Agency has set the maximum contaminant-level goal for E. coli in drinking water at zero. The Stanford and SLAC team plans to test the new powder on other waterborne pathogens, including viruses, protozoa and parasites that also cause serious diseases and death.” In college I did similar research with TiO2.

Review – HR 3169 Introduced – Foreign Crane Inspections

Earlier this month, Rep Gimenez (R,FL) introduced HR 3169, the Port Crane Security and Inspection Act of 2023. The bill would require new port cranes to be inspected by DHS for potential security risks before they were placed into operation. It would also prohibit new foreign (read Chinese) cranes and require existing foreign cranes to switch to non-foreign software within five years. No new funding is authorized by this bill.

Moving Forward

Gimenez and one of his six cosponsors {Rep Higgins (R,LA)} are members of the House Homeland Security Committee to which this bill was assigned for consideration. This means that there could be sufficient influence to see the bill considered in Committee. While there will be some bipartisan support for this bill based on the China bashing provisions inferred in the bill, I do not expect that it will pass in its current form in Committee. That is because the sharp line drawn in prohibiting the future installation of foreign (read Chinese) cranes section 3 of the bill does not reflect the reality on the ground. That flat prohibition will draw opposition of many port operators, shippers, and (less important to be sure) the Chinese government. If the bill is considered in Committee it will almost certainly involve substitute language crafted by the Committee staff.

Commentary

Section 2 of the bill probably needs to be rewritten to better clarify how DHS/CISA is supposed make the decision about what constitutes a security threat. For example, does the presence of programmable logic controllers (PLCs) that can be reprogrammed by anyone with access to the network constitute a security threat. If so, CISA can probably determine that all foreign cranes pose a security threat, but then again so would most domestic cranes. The question that needs to be answered before CISA can really make these decisions is when is something a security threat for Chinese cranes but not for US (or South Korean, or German) cranes? This needs to be spelled out before Chinese manufacturers sue CISA in US Courts.

 

For more details about the provisions of this bill, including an expanded commentary, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-3169-introduced - subscription required.

HR 3746 Rule Published – Debt Limit Bill

Yesterday, the House Rules Committee met to craft the rule for the consideration of HR 3746, the Fiscal Responsibility Act of 2023. As expected, the Committee crafted a closed rule, with limited debate (1 hour) and no amendments to be offered on the floor. The Committee did approve (and incorporated into the version of the bill to considered on the floor) one amendment that made a variety of technical changes to the bill.

There were 81 amendments submitted to the Committee, while would have made relatively minor changes to the language of the bill, most would have made significant changes to the deal crafted over the weekend. If almost any of the 80 other amendments had been incorporated into the final bill, they would have essentially killed the deal that brought the bill to the floor of the House today.

The Committee vote on the bill yesterday was unusual, a 9 to 7 vote in favor of adoptions. Typically votes in this Committee are 9 to 4, reflecting the party composition of the Committee. Yesterday two Republicans {Rep Norman (R,SC) and Rep Roy (R,TX)} voted against the bill. These two, along with Rep Massie (R,TX) were appointed to the Committee as part of the deal through which Rep McCarthy (R,CA) was finally elected to Speaker of the House. I suspect that there was a great deal of arm twisting applied to Massie to get his yeah vote. If his vote had gone the other way, I suspect that the Democrats would have provided a single yeah vote to move the bill to the floor.

According to reporting by the NY Times, it does not look like Chip Roy, the prima facia leader of the Republican opposition, will resort to the use of a vacate motion to slow consideration of the bill. But, as I noted yesterday, he does not really control the bomb throwers on the right. A motion to vacate may still come if/when the bill is approved in the House. Even if (as I expect that he would) McCarthy survives such a vote, it will almost certainly fatally damage his tenuous control of the Republican fringe in the House and will force him to work more often with Democrats to move legislation (especially spending bills) through the House during the remainder of the session.

On a side note, there were only 21 bills introduced yesterday. That was not surprising given that both the House was originally scheduled to working in their districts (read fund raising) this week. One bill that is worth mentioning here is HR 3750 introduced by Rep Mills (R,FL), it would provide a one-week extension of the debt limit. If HR 3746 fails in either the House or Senate (still a possibility, however remote), this bill may become an important vehicle extending the deadline for a new deal.

Short Takes – 5-30-23

4 Mind-Boggling Technology Advances In Store For 2023. Forbes.com article. Pull quote: “While there are many impactful tech topics such as the Internet of Things, 5G, Space, Genomics, Synthetic Biology, Automation, Augmented Reality, and others, there are four tech areas to keep a keen watch on this coming year as they have promising and near-term capabilities to transform lives. They include: 1) artificial intelligence, 2) computing technologies, 3) robotics, and 4) materials science.”

Lawmakers Want DHS to Assess National Security Risks of Doxing. NextGov.com article. Pull quote: ““This legislation would direct the development and dissemination of a threat assessment of cyber harassment tactics, to both inform future policymaking and law enforcement, as well as prevent targeted attacks on community institutions and persecuted groups,” the lawmakers said in a press release.”

McCarthy rallies support for debt deal amid hints of mutiny. Politico.com article. Pull quote: “The White House scored some good news over the weekend after the leadership team for the New Democratic Coalition — a 98-member voting bloc of centrists who are among the most likely to back the bill — released a statement announcing the group’s support for the bipartisan agreement. The Congressional Black Caucus was also doing its own whip Monday afternoon, according to a Democratic aide who asked to remain anonymous to speak freely about the discussions.”

Spin Cycle. StatusKuo.Substack.com blog post. Pull quote: “But things in Washington are almost never as they seem. The gleeful jabs and boasts from Republican leadership were actually a huge tell, as was the relatively muted response from top Democrats. Let’s walk through what they initially said, and then examine what’s really going on. Bear with me, because it will exemplify why average citizens are both bewildered and highly frustrated by political leaders on both sides, but this is just how politics has always worked.”

First Republican publicly supports ousting McCarthy as Speaker. TheHill.com article. Pull quote: “At a House Freedom Caucus press conference Tuesday, members vented their frustration with the agreement and urged their colleagues to vote against it, but Bishop [(R,NC)] was the sole Republican to raise his hand signifying he would support a motion to oust McCarthy over the bill.”

G.O.P. Revolts Over Debt Limit Deal as Bill Moves Toward a House Vote. NYTimes.com article. Pull quote: “In the legislation’s first test, the House Rules Committee voted to clear the way for debate on the plan to be held Wednesday. Seven Republicans voted to send the measure on, while two others joined with Democrats to oppose doing so.”

Attrition: Inmun Gun is Wasting Away. StrategyPage.com article. Pull quote: “The North Korean Army currently has about 800,000 troops, over 3,000 tanks, 3,000 other AFV and nearly 8,000 artillery pieces, including 2,000 rocket launchers. Most of these weapons are pointed south and stationed on or near the DMZ. North Korea has the means to be dangerous, for a little while anyway. Fuel shortages, elderly equipment and lack of maintenance means that a lot of this gear would not stay operational for long. As an example, the past 25 years or so of deferred maintenance (as in none) on tube artillery pieces, including the guns on tanks, means almost all of those can only fire one round because their recuperator seals have deteriorated so much.”

The United Arab Emirates Is Heading for the Asteroid Belt. NYTimes.com article. Pull quote: “But much more will be manufactured in the Emirates this time. Fifty percent of the money spent on the mission must be spent within the country.” Expanding Emirati space program.

Elon Musk Shares Starship Flight Test 2 Timeline. WCCFTech.com article. Pull quote: “The extent of the damage and the chunks of concrete blasted off from the pad created speculation that perhaps SpaceX would take a considerable amount of time to rebuild it. However, Mr. Musk was quick to state that the next launch attempt would take place in just a couple of months. He seems to be standing by his words, as the current timeline for the Starship test 2 will see SpaceX build the launch pad in a month and then test its rockets on the pad for a similar time period before attempting to reach orbit.”

NASA, Boeing Provide Update on Starliner Flight Test Readiness. NASA.gov article. Pull quote: “As part of the ongoing effort, 95% of the Crew Flight Test certification products are complete. This includes approval of Starliner’s crew module batteries, based on additional testing and analysis, along with post-certification flight mitigations and a proposed battery upgrade for future missions. Teams are conducting final spacecraft closeouts and preparing for upcoming hardware milestones, including spacecraft fueling, spacecraft rollout to the launch site, and integration with the United Launch Alliance Atlas V rocket.”

Surprise mass drone strike spells trouble in the air for Vladimir Putin. The Telegraph via News.Yahoo.com article. Pull quote: “For the Ukrainians, any redeployment of Russian air defence systems away from the front line brings obvious benefits for the Ukrainian air force at a potentially crucial time in the war, just before the launch of their long-awaited counteroffensive.”

Review - HR 3208 Introduced – DHS Cybersecurity OJT

Earlier this month, Rep Jackson-Lee (D,TX) introduced HR 3208, the DHS Cybersecurity On-the-Job Training Program Act. The bill would establish in CISA “the ‘DHS Cybersecurity On-the-Job Training Program’ to voluntarily train Department employees who are not currently in a cybersecurity position for work in matters relating to cybersecurity at the Department.” No funding would be authorized by this legislation.

Moving Forward

Jackson-Lee and three of her six cosponsors {Rep Payne (D,NJ), Rep Thompson (D,MS), and Rep Clarke (D,NY)}, are members of the House Homeland Security Committee, to which this bill was assigned for consideration. This means that there could be sufficient influence to see this bill considered in Committee. While I see nothing in this bill that should engender any organized opposition, it seems odd that there are no Republican cosponsors for the bill. While this is a divided House, I still expect to see bipartisan support for bills like this which seem to be inherently non-partisan. That there are no Republican sponsors makes me suspect that there are issues here that I cannot see.

 

For more information about the provisions of this bill, as well as a discussion about differences from a similar bill introduced last session, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-3208-introduced - subscription required.

Review - 1 Advisory Published – 5-30-23

Today, CISA’s NCCIC-ICS published a new control system security advisory for products from Advantech.

Advisories

Advantech Advisory - This advisory describes an insufficient type-distinction vulnerability in the Advantech WebAccess/SCADA product.

Bills Introduced – 5-29-23

Yesterday, in a rare Memorial Day session, the House met in pro forma session to introduce one bill, HR 3746, the Fiscal Responsibility Act of 2023, Rep. McHenry, Patrick T. [R-NC-10]. This is the debt ceiling bill that was finalized in negotiations earlier over the weekend. The full text of the bill is available.

The House Rules Committee is scheduled to hold a hearing on the rule for consideration of HR 3745 later today. This will almost certainly be a ‘closed rule’ with limited debate (not too limited, there will be time for venting and posturing), and no amendments will be accepted. A vote on the bill will almost certainly be held in the House tomorrow

Extremists on both sides of the political spectrum in Congress will find much in this bill with which to object. Some measures will go too far, while others will not go far enough. The political middle will find those measures to be more palatable. I suspect that there will be sufficient votes in both the House and Senate to pass the bill when it comes to a vote.

The big question now is what will the bomb throwers do in either house. In general, the right-wing extremists got what they wanted, they forced Biden to negotiate on the debt limit and forced spending cuts. They did not get all that they wanted, but after some pointed and loud complaints they will vote against the bill to establish their credentials (and aid fundraising). They, as a group, will not give Speaker McCarthy too much of a hard time on the bill. McCarthy did as they wanted and was largely successful.

But, and this is a LARGE BUT, there are members of this group who have made their reputation by (and receive their funding for) disrupting the operations of the House. This is where a single bomb thrower could offer a privileged motion to vacate the Office of the Speaker, and the House would be required to stop what it was doing and vote on that motion. Now it would take 217 votes to actually remove the Speaker, and that is not going to happen over this bill (the moderate Democrats will 'save' McCarthy). But it would slow down operations a small amount and it would make McCarthy’s future more difficult. But, even with a motion to vacate, the House will vote on this bill and almost certainly pass it on Wednesday.

The Senate is a different story. There are not ‘bomb throwers’ in the Senate, it is much too dignified and proper to allow such members. It does, however, have rules in place for the slow and measured consideration of legislation. And it takes (maybe several) unanimous consent motions to work around those rules to pass legislation quickly. And the Senate has any number of members on the left and right who would insist on following the rules and object to such unanimous consent motions. It is very likely that the Senate will go through the prolonged debate process to pass this bill, but it will pass.

Short Takes – 5-27-23

Biden says debt deal ‘very close’ with default deadline now set at June 5. APNews.com article. Pull quote: “The later “X-date,” laid out in a letter from Treasury Secretary Janet Yellen, set the risk of a devastating default four days beyond an earlier estimate. It came as Americans and the world uneasily watched the negotiating brinkmanship that could throw the U.S. economy into chaos and sap world confidence in the nation’s leadership.”

Biden Administration Dusts Off Contingency Plan if Debt-Ceiling Deadline Passes. WSJ.com article. Pull quote: “Under the backup plan created for a debt-limit breach, federal agencies would submit payments to the Treasury Department no sooner than the day before they are due, the people familiar with the talks said. That would represent a change from the current system, in which agencies may submit payment files well before their due dates. The Treasury Department processes them on a rolling basis, often ahead of the deadlines. Some payments are already sent to the department one day early, one person said.”

Sinema joins debt ceiling negotiations: Axios. TheHill.com article. Pull quote: “Sen. Kyrsten Sinema (I-Ariz.) has joined debt ceiling negotiations to try to help the sides reach an agreement on permitting reform, people familiar with the matter told Axios Saturday.”

BREAKING White House and G.O.P. Strike Debt Limit Deal to Avert Default. NYTimes.com article. Pull quote: “The tentative deal also claws back some unspent money from a previous pandemic relief bill, and reduces by $10 billion — to $70 billion from $80 billion — new enforcement funding for the I.R.S. to crack down on tax cheats. It includes measures meant to speed environmental reviews of certain energy projects.” Bill text due late Sunday for House vote on Wednesday.

The Last Big Weapon on Ukraine’s Wish List. ForeignPolicy.com article. Pull quote: “Some members of Congress and U.S. officials think the deliveries of ATACMS [Army Tactical Missile System] to Ukraine could be decisive in putting Russian troops, ships, and bases on occupied Ukrainian soil at risk. After Ukraine first began raking Russian lines with High Mobility Artillery Rocket Systems, or HIMARS, it received from the United States last year, cutting supply lines, knocking out command posts, and crashing weapons depots, enemy troops began to move out of range and hunker down.”

Why the 2023 Atlantic hurricane season is especially hard to predict. ScienceNews.org article. Pull quote: “There’s little consensus among other groups’ predictions, in part due to the uncertainty of what role El Niño will play. On April 13, Colorado State University, in Fort Collins, announced that it anticipated a below-average season, with just 13 named storms, including six hurricanes. On May 26, the U.K. Meteorological Office announced that it predicts an extremely busy hurricane season in the Atlantic, with 20 named storms, including 11 hurricanes, of which five could be category 3 or greater. The long-term average from 1991 to 2020 is 14 named storms.”

El Nino seen posing larger risk for robusta coffee, less to arabica. Reuters.com article. A real weather issue. Pull quote: “The weather phenomenon, which disrupts rainfall and temperature patterns, could further tighten supplies and raise prices of robusta, which has a higher caffeine content than arabica and is largely used to make instant coffee.”

Review - PHMSA Publishes Hazmat Harmonization NPRM – 5-29-23

The DOT’s Pipeline and Hazardous Materials Safety Administration is publishing a notice of proposed rulemaking in Monday’s (available on line today) Federal Register (88 FR 34568-34622) for “Hazardous Materials: Harmonization With International Standards”. This is a recurring rulemaking that PHMSA uses to maintain alignment with international regulations and standards by adopting various amendments, including changes to proper shipping names, hazard classes, packing groups, special provisions, packaging authorizations, air transport quantity limitations, and vessel stowage requirements.

Noteworthy Changes

The preamble provides a brief description of what PHMSA calls “noteworthy proposals set forth in this NPRM”. They include:

Incorporation by reference,

Hazardous Materials Table,

Polymerizing substances,

Cobalt dihydroxide powder, and

Lithium battery exceptions.

Public Comments

PHMSA is soliciting public comments on this rulemaking. Comments may be submitted via the Federal eRulemaking Portal {www.Regulations.gov; Docket # PHMSA-2021-0092 (HM-215Q)}. Comments should be submitted by July 31^st, 2023.

 

For a more detailed discussion of the proposed changes to the HMR, including links to the discussion of changes to section-by-section analysis, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/phmsa-publishes-hazmat-harmonization - subscription required.

Chemical Incident Reporting – Week of 5-13-23

NOTE: See here for series background.

WYNNEWOOD, OK – 5-23-23

Local news reports: Here, here, and here.

Explosion and fire at refinery. Two taken to hospital, no information on extent of injuries.

Probable CSB reportable, depending on if one or more were admitted.

 

NOTE: The CSB is over a month late on publishing their quarterly update on the CSB's Accidental Release Reporting Rule Data. The last update was published on January 25^th, 2023. To be fair, the CSB has not established a predictable pattern or publishing these updates.

Review – Public ICS Disclosures – Week of 5-20-23

This week we have 62 vendor disclosures for products from ABB, Aruba Networks, Bosch (3), Eaton, HPE (2), Meinberg, Tanzu (42), VMware, Western Digital, and Wireshark (9). There are two researcher reports for products from Broadcom and Mitsubishi. Finally, we have two exploits for products from TEM and PnPSCADA.

Advisories

ABB Advisory - ABB published an advisory that describes an insertion of sensitive information into log files vulnerability in their QCS and Platform Engineering Tools products.

Aruba Advisory - Aruba published an advisory that describes ten vulnerabilities in their EdgeConnect Enterprise product.

Bosch Advisory #1 - Bosch published an advisory that describes an exposure of sensitive information to an unauthorized actor vulnerability in their Video Management System (BVMS).

Bosch Advisory #2 - Bosch published an advisory that describes a misinterpretation of input vulnerability in their AMC2-4WCF and AMC2-2WCF access control products.

Bosch Advisory #3 - Bosch published an advisory that discusses a remote code execution vulnerability in their Bosch Video Management System (BVMS), the Bosch Access Management System (AMS), and the Bosch Building Integration System (BIS) products.

Eaton Advisory - Eaton published an advisory that discusses 16 vulnerabilities in multiple products.

HPE Advisory #1 - HPE published an advisory that discusses two vulnerabilities in their SimpliVity Servers.

HPE Advisory #2 - HPE published an advisory that discusses a double free vulnerability in their IceWall products.

Meinberg Advisory - Meinberg published an advisory that discusses 16 vulnerabilities in their Lantime product.

TANZU Advisories - Tanzu published 42 advisories, each discussing individual third-party vulnerabilities in various Tanzu products.

VMware Advisory - VMware has published an advisory that describes a cross-site scripting vulnerability in their NSX-T product.

Western Digital Advisory - Western Digital has published an advisory that describes a server-side request forgery vulnerability in their My Cloud Home, My Cloud Home Duo and SanDisk ibi firmware.

Wireshark Advisories - Wireshark published 9 advisories, each describing individual vulnerabilities in various components of their product.

Reports

Broadcom Report - BugProve published a report that describes an out-of-bounds write vulnerability in the Broadcom BCM47xx SDK.

Mitsubishi Report - Talos Intelligence has published a report describing a memory corruption vulnerability in the Mitsubishi MELSEC iQ-F FX5U.

Exploits

TEM Exploit - Mr. Empy published an exploit for an improper resource shutdown or release vulnerability in the TEM FLEX-1085 alarm central.

PnPSCADA Exploit - Momen Eldawakhly published an exploit for an SQL injection vulnerability in the SDG PnPSCADA product.

 

For more details about these disclosures, including links to 3^rd party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-5-58b - subscription required.

Short Takes – 5-26-23

Chemical Engineer (Recent Graduate). USAJobs.gov CSB job listing. Summary: “This position is part of the Chemical Safety and Hazard Investigation Board. The incumbent will be responsible for chemical engineer/investigator, providing technical and analytical assistance in chemical investigations. You will serve in a trainee capacity, performing routine and recurring developmental assignments to acquire knowledge and an understanding of functions, principles, practices, and methods used in the area of Chemical Engineering.” Closing date: June 20^th, 2023.

GOP conservatives fume over debt ceiling compromises. TheHill.com article. Pull quote: ““I will use every procedural tool at my disposal to impede a debt-ceiling deal that doesn’t contain substantial spending and budgetary reforms. I fear things are moving in that direction. If they do, that proposal will not face smooth sailing in the Senate,” Lee tweeted.”

What happens to Social Security checks if the government defaults? TheHill.com article. Pull quote: “William Howell, a political science professor at the University of Chicago Harris School of Public Policy, said the notion of older people and recipients of government benefits doomsday prepping for disruptions every time budget season comes around is symptomatic of a “dysfunctional” democracy.”

When Kevin McCarthy’s spending cuts get spelled out, even Republicans balk. LATimes.com article. Pull quote: “We got evidence of the squeeze this week, even as McCarthy, in his on-again, off-again debt ceiling negotiations with President Biden, was full of budget-cutting bravado to reporters. Just before midnight on Monday — midnight! — the House Appropriations Committee canceled its Tuesday and Wednesday meetings when voting was scheduled on the first of the dozen bills that annually fund the federal government’s operations. Those bills have to fill in the gory details of the spending cuts that Republicans left unidentified when they passed McCarthy’s debt limit bill last month.”

Updates to New Chemicals Regulations Under the Toxic Substances Control Act (TSCA). Federal Register EPA NPRM. Summary: “The United States Environmental Protection Agency (EPA) is proposing amendments to the new chemicals procedural regulations under the Toxic Substances Control Act (TSCA). These amendments are intended to align the regulatory text with the amendments to TSCA's new chemicals review provisions contained in the Frank R. Lautenberg Chemical Safety for the 21st Century Act, enacted on June 22, 2016, improve the efficiency of EPA's review processes, and update the regulations based on existing policies and experience implementing the New Chemicals Program.” Comment deadline: July 25^th, 2023.

Hazardous Materials: Adjusting Registration and Fee Assessment Program. Federal Register PHMSA meeting notice. Summary: “PHMSA's Office of Hazardous Materials Safety will hold a public meeting to solicit input on potential adjustments to the statutorily mandated hazardous materials registration and fee assessment program. The potential adjustment of fees may be necessary to fund PHMSA's national emergency preparedness grant programs at the newly authorized level in accordance with the Infrastructure Investment and Jobs Act of 2021.” Meeting date: June 28^th, 2023.

Review - S 1500 Introduced – Election System Cybersecurity Testing

Earlier this month Sen Warner (D,VA) introduced S 1500, the Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing (SECURE IT) Act. The bill would require the Election Assistance Commission (EAC) “to provide for the conduct of penetration testing as part of the testing and certification of voting systems and to provide for the establishment of an independent security testing and coordinated vulnerability disclosure pilot program for election systems. No funding is authorized in this legislation.

Moving Forward

Warner is a member of the Senate Rules and Administration Committee to which this bill is assigned for consideration. This means that there may be sufficient influence to see the bill considered in Committee. I do not see anything in the bill that would engender any organized opposition. I suspect that the bill would receive some level of bipartisan support. But again, as with most bills introduced in the Senate, this bill is not ‘important’ enough to be considered in the Senate under regular order. I also believe that there would be enough opposition to this bill to prevent it from being considered under the Senate’s unanimous consent process.

Commentary

One major item missing from this bill is the definition of the term ‘penetration testing’. NIST has a full page of potential definitions of the term. I think the most appropriate for this context would be the definition taken from NIST SP 800-137 under Penetration Testing. I would modify that definition slightly and add it in a new paragraph §231(e)(3):

“(3) In this section the term ‘penetration testing’ means a test methodology in which the researcher, using all available documentation (e.g., system design, source code, manuals) and working under specific constraints, attempt to circumvent the security features of an election system as that term is defined in §297.”

 

For more details about the provisions of this bill, including additional commentary about the penetration testing requirements – see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-1500-introduced - subscription required.

CSB Publishes Report on Acetic Acid Release in 2021 La Porte, TX Incident

Yesterday, the US Chemical Safety and Hazard Investigation Board (CSB) posted a link to their report on the investigation of a 2021 acetic acid release [removed from paywall] at the LyondellBasell La Porte Complex in LaPorte, TX. The CSB reports that the inadvertent removal of pressure retaining components of a plug valve caused the release of 164,000 pounds of high temperature (238˚F) acetic acid mixture, killing two contract workers and injuring several others. The Board identified two major safety issues and made six recommendations to industry and technical organizations.

According to the CSB, contractor employees were working to fix a leak on an in-service line in the acetic acid unit at the facility. During that work they needed to remove the actuator from a plug valve on a pressurized line. Instead of removing the bolts retaining the actuator unit, they loosened the bolts holding the pressure-retaining valve components.

Citing similar incidents with plug valves, the CSB notes that recurrence of these types of incidents points to the need to further re-design plug valves so that it is more difficult to remove pressure-retaining components while attempting to remove actuating equipment.  Additionally, the CSB reported that both the company and the contractor considered the removal of the actuator a simple task and did not provide the work crew with any sort of procedure or training and did not adequately assess the potential risk of the operation prior to commencing work.

The CSB made six recommendations to help prevent similar incidents in the future:

2021-05-I-TX-1 LyondellBasell La Porte Complex - Update LyondellBasell policy documents to require that procedures are developed for properly removing actuating equipment from plug valves,

2021-05-I-TX-2 LyondellBasell La Porte Complex - Update LyondellBasell policy documents to require that LyondellBasell competent employee(s) verify that contractors are competent, adequately trained, and qualified to perform the required work,

2021-05-I-TX-3 Turn 2 Specialty Companies - Update Turn2 policy documents to require that Turn2 employees are provided with written, detailed procedures for safely conducting work on process equipment and are trained on the procedures before the work is authorized to be performed,

2021-05-I-TX-4 American Society of Mechanical Engineers – Revise ASME Standard B16.34 Valves—Flanged, Threaded, and Welding End,

2021-05-I-TX-5 American Petroleum Institute - Revise API Standard 599 Metal Plug Valves—Flanged, Threaded, and Welding Ends, and

2021-05-I-TX-6 Valve Manufactures Association of America - Work with ASME and API and develop a white paper to the Valve Manufacturers Association of America addressing the issue of plug valve design.

Short Takes – 5-25-23

Mysterious malware designed to cripple industrial systems linked to Russia. Cyerscoop.com article. Pull quote: “The discovery of the malware dubbed “CosmicEnergy” is somewhat unusual since it was uploaded to VirusTotal — a service that Google owns that scans URLs and files for malware — in December 2021 by a user with a Russian IP address and was found through threat hunting and not following an attack on a critical infrastructure system.”

Joe Public, Class I, Division 2, and Gas Stations. StonehouseSafety.com blog post. Pull quote: “Self-service gasoline pumping operations require the public, usually unknowingly, to perform activities within a Class I, Division 2/ Zone 2 hazardous location. If you put gas in your car, vapors will be displaced and may end up in precisely the location where you stand. Around the fuel dispenser there is always a Class I, Division 2 area.” Good discussion about cell phone use at gas stations.

NOAA predicts a near-normal 2023 Atlantic hurricane season. NOAA.gov press release. Pull quote: “NOAA is forecasting a range of 12 to 17 total named storms (winds of 39 mph or higher). Of those, 5 to 9 could become hurricanes (winds of 74 mph or higher), including 1 to 4 major hurricanes (category 3, 4 or 5; with winds of 111 mph or higher). NOAA has a 70% confidence in these ranges.”

The Rise of Open-Source Drones. DroneAnalyst.com article. Pull quote: “It’s fascinating to see the US military move quickly on open-source technologies, and speaks to the influence of the Defense Innovation Unit in changing US DoD procurement culture. It also speaks to the benefits of Open-Source projects for large enterprise users. With strict enforcement of standards, large enterprises can test or deploy multiple systems nearly interchangeably. Vetting of cybersecurity risks can similarly be streamlined, as code is published and commonly tested before procurement.”

NACD Members Call on Congress to Reauthorize Critical CFATS Program: Program Set to Expire in July Without Congressional Action. NACD.com press release. Pull quote: ““As one of the most successful chemical security programs in existence, the CFATS program serves a critical role to our industry by protecting our nation’s high-risk chemical facilities from acts of terror and providing the industry with the stability needed to make important investments. This important program, however, is set to expire on July 27, 2023, without Congressional action. We applaud the dedicated work of Mr. Fridley and Mr. Erstad as they continue to demonstrate how this program allows the industry to partner with the U.S. Department of Homeland Security (DHS) to manage these ever-evolving risks while upholding the highest security standards. NACD will continue to closely work with Members of Congress to secure a clean, long-term reauthorization to continue to protect against potential threats to these critical facilities.””

Notice of Cybersecurity and Infrastructure Security Agency Cybersecurity Advisory Committee Meeting. Federal Register CISA meeting notice. Agenda to be published here by June 16^th, 2023. Meeting date: June 20^th, 2023.

McCarthy set to send the House home without a debt limit deal. News.Yahoo.com article. Pull quote: “In a meeting earlier this week, McCarthy told members of the Republican conference that they should prepare to return to their districts if a deal isn’t reached by the White House and Republican negotiators by Memorial Day weekend. Members can always be called back, but Republican Study Committee Chairman Kevin Hern, who was in the meeting, told reporters that this is a deal that has to be reached between a few key people.”

Debt Ceiling Furloughs Are Unconstitutional, Union Will Argue Before Court Next Week. GovExec.com article. Pull quote: “The lawsuit is seeking an emergency injunction preventing the Biden administration from no longer borrowing money to pay the government’s debt, as is expected to occur under a default, and to prohibit any related layoffs or furloughs of federal employees. NAGE filed the complaint on behalf of its 75,000 federal employee members.”

Congress Doesn’t Know How to Count the Number of National Security Professionals and That’s a Problem. GovExec.com article. Pull quote “A zero trust framework is good for IT, but unfortunately doesn’t work for people – where the reality is we’re always only in a position to reduce risk, not eliminate it. Proposals by Congress to cut the number of security clearances doesn’t address the true problem, which is how lax security procedures have allowed for the printing and removal of classified documents from cleared facilities – which has been the case for nearly every major leak scenario over the past several years.”

Review – 1 Advisory Published – 5-25-23

Today, CISA’s NCCIC-ICS published a control system security advisory for products from Moxa.

Advisories

Moxa Advisory - This advisory describes two vulnerabilities in the Moxa MXsecurity Series software.

 

For more details about this advisory, including links to researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-published-5-25-23 - subscription required.

Review - FAA Publishes UAS BVLOS Request for Information

Today, the DOT’s Federal Aviation Administration (FAA) published a request for information (RFI) in the Federal Register (88 FR 33855-33857) for “UAS Beyond Visual Line-of-Sight Operations”. The FAA is reviewing the Final Report of the UAS Beyond Visual Line-of-Sight (BVLOS) Operations Aviation Rulemaking Committee and is looking for additional technical input on key concepts and potential approaches that the FAA is contemplating for use in future exemptions for BVLOS operations.

Public Comment

The FAA is soliciting information from the public on the technical topics discussed in the notice. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # FAA-2023-1256). Comments should be submitted by June 14^th, 2023.

 

For more details about the technical issues for which the FAA is seeking comments, including a discussion about UAS BVLOS cybersecurity which the notice does not address, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/faa-publishes-uas-bvlos-request-for - subscription required.

Review - S 917 Reported in Senate – Open-Source Software Security

Earlier this month, the Senate Homeland Security and Governmental Affairs Committee published their report on S 917 [removed from paywall], the Securing Open Source Software Act of 2023. The Committee considered the bill on March 29^th, 2023, and recommended the bill favorably without amendment. Subsequently, with the agreement of the Chair and Ranking Member, several technical corrections were made and included in the reported version of the bill. The bill has been placed on the Senate’s Calendar and could be considered by the Senate at any time.

The bill establishes several areas of responsibility for CISA regarding open-source software security. No funding is authorized in the bill. This bill is very similar to S 4913 that was introduced by Peters last session. That bill was reported by the Senate Homeland Security and Governmental Affairs Committee, but no further action was taken.

Moving Forward

With the publication of this Report, the bill is now cleared for consideration by the full Senate. With the strong, bipartisan support in Committee {only one vote against the bill, Sen Paul (R,KY)}, I would suspect that there would be similar bipartisan support in the full Senate. This means that the bill would have little problem moving through the cloture process. Unfortunately, I do not think that the Senate leadership would feel that this bill is important enough to take up the time it would take to move this bill through regular order. The best prospects for this bill would be for consideration under the unanimous consent process (though there is already one potential vote against it, by a Senator who is well known for his willingness to voice objections to a unanimous consent motion) or inclusion in an authorization or spending bill.

Commentary

While CISA is almost certainly the agency to which the burden of open-source software monitoring should be assigned within the federal government, this bill does little to address the larger societal problem of open-source vulnerabilities. A more appropriate way to deal with the issue would be to place the burden of open-source vulnerability management on the folks that directly benefit from the use of open-source software: the vendors that short-cut their software development process by using open-source software.

This could be accomplished by requiring vendors selling software, or equipment containing software, to publicly disclose on a publicly searchable internet site, for each supported version of software (including firmware, BIOS, or applications) offered or provided to the federal government, a listing of each piece of open-source software (including version number) used in their software, along with a listing of publicly known, uncorrected vulnerabilities found in the open-source software used in that product. This public listing would allow companies and individuals to access vulnerability information about their currently owned products and influence future software purchases.

 

For more details about the content of the Committee Report, including the changes made in the reported version of the bill and a discussion about the CBO cost estimates for implementing the bill’s requirements, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-917-reported-in-senate - subscription required.

Short Takes – 5-24-23

Protecting Our Water Systems In The Age Of Cyber Threats. ACSH.org opinion piece. Pull quote: “The AWWA recommended that a new entity, the Water Risk and Resilience Organization (WRRO), be created to serve and represent the perspectives of water utilities. Congress would explicitly approve the creation of the WRRO and the extension of cybersecurity oversight to the EPA. In collaboration with the EPA, this organization would draft cybersecurity standards, which the EPA would either approve or reject. If the EPA rejects a standard, they would provide specific recommendations for resubmission. The WRRO and EPA would share responsibilities for compliance auditing and enforcement.” NERC for Water?

Winds of change: New wind energy tech developed by European startups. TheNextWeb.com article. Pull quote: “Novel technologies that could make wind energy more accessible, or enable the construction of huge three-bladed turbines, are emerging from a raft of new European startups. Their innovations hint at a future where electricity generation from wind is much more eclectic than it has been up till now.”

Chicago mpox outbreak raises alarm over summer spread. TheHill.com article. Pull quote: “During the early parts of the mpox outbreak, many health departments’ supplies of Jynneos were stretched thin, with some resorting to administering all the doses they had on hand before knowing when they would have enough supplies to provide the second dose.”

Foreign exports, not domestic demand, to drive controversial gas expansion, agency finds. TheHill.com article. Pull quote: “Anne Rolfes, director of the Louisiana Bucket Brigade, a group opposed to the LNG expansion, told The Hill the EIA’s projections may “underestimate how gas prices might spike because they don’t take two important factors into consideration: storms and the spot market.””

White House believes massive Dem bailout may be needed to pass debt ceiling compromise. Politico.com article. Pull quote: “The speaker has operated by the so-called Hastert rule, which says that only legislation with support from the majority will see the floor. With Republicans owning 222 votes, that means he can afford to lose 110 members.”

Notice of President's National Infrastructure Advisory Council Meeting. Federal Register DHS meeting notice. Agenda: “(1) a period for public comment; (2) a keynote address on critical infrastructure security and resilience; (3) a report to the Council from the Water Security Subcommittee; (4) deliberation and vote on Water Security Study recommendations; and (5) an update on the Electrification Study.”

HR 2944 Introduced – Misuse of Drones

Rep Gallagher (R,WI) introduced HR 2944, the Drone Act of 2023. The bill would revise 18 USC to expand the coverage of the criminal code for misuse of unmanned aircraft. No funding is provided in this bill. The bill is almost identical to S 157 [removed from paywall], that was introduced in February. No action has been taken on the Senate bill to date.

There is one significant difference between the two bills. The House bill does not include the subclause that was added to the language from S 3542 (117^th session) that would specifically make a drone attack on critical infrastructure an offense under the new 18 USC 40B proposed in the bill.

Moving Forward

While Gallagher is not a member of the Senate Judiciary Committee to which the bill was assigned for consideration, one of cosponsors {Rep Gooding (R,TX)} is a member. This means that there may be sufficient influence to see the bill considered in Committee. There will be some level of bipartisan support for the bill, but it is not clear that it would be sufficient to overcome the objections of the UAV industry. I do not believe that the bill would receive enough support to pass a cloture vote in the full Senate.

HR 2999 Introduced – Hazardous Train Event

Last month, Rep Deluzio (D,PA) introduced HR 2999, the Assistance for Local Heroes During Train Crises Act. The bill would establish the Hazardous Train Event Emergency Reimbursement Fund which would provide funds to emergency response personnel in the event of a newly defined ‘Hazardous Train Event’ declared by FRA. The monies for the fund would come from a levy on hazardous materials rail shippers and railroads. No other funding is authorized.

This is a companion bill (identical language) to S 844 [removed from paywall] that was introduced earlier last month by Sen Casey (D,PA). No action has been taken in the Senate on that bill.

Moving Forward

Neither Deluzio, nor his sole cosponsor {Rep Fitzpatrick (R,PA)} are members of the House Transportation and Infrastructure Committee to which this bill was assigned for consideration. This means that there is probably not enough influence to see this bill considered in Committee. The shipper and railroad fees to support the Fund will ensure that railroads and chemical manufacturers will oppose this bill. If the bill were considered in Committee, it may pass along partisan lines, but it will not have enough support to be considered by the full Senate.

Short Takes – 5-23-23

Supreme Court punts Section 230 debate back to Congress. TheHill.com article. Pull quote: “But the court resolved the cases against Twitter and Google on other grounds Thursday, leaving Section 230 unscathed until Congress acts or the high court takes up another case. And despite bipartisan criticism that the provision makes the tech industry unaccountable, lawmakers face a stalemate on how to reform it.”

Anti-Putin group claims it has ‘liberated’ town inside Russia’s Belgorod region. TheHill.com article. Pull quote: “The rebel faction, the Freedom of Russia Legion, said it had liberated the town of Kozinka in the Belgorod region and its forces were now entering the town of Grayvoron along with another resistance group called the Russian Volunteer Corps.” How much is anti-Russian propaganda and how much is ground truth is not clear.

Ukrainian-Backed Troops Stage Cross-Border Incursion Into Russia. WSJ.com article. Pull quote: “The events on Monday echoed Russia’s covert invasion of Ukraine in 2014 when Russian troops without insignia appeared on Ukraine’s Crimean Peninsula. Putin denied they were Russians and said at the time that all the equipment they had could easily be bought in a military hardware store.” A slightly different take on ‘on Anti-Putin rebels’.

McCarthy: A debt deal could still pass by June 1. Politico.com article. Pull quote: “And while McCarthy has signaled the House could postpone its weeklong Memorial Day recess — which is slated to begin Friday — lawmakers in both parties will be eager to hit the exits on time. The Senate, while currently on recess, is set to return when it’s time to vote.”

Bolstering Cybersecurity in Navigation Systems. HomelandSecurityNewswire.com article. Pull quote: “With a broad coalition of university collaborators and industry advisers, Pervan and his team plan to approach the problem from several angles, including developing sophisticated algorithms that can tell the difference between authentic or spoofed GPS signals and improving GPS receivers by combining them with other types of sensors that are immune to jamming and spoofing.”

Russia’s Latest Sanctions on U.S. Officials Turn to Trump Enemies. NYTimes.com article. Pull quote: “None of them has anything to do with Russia policy, and the only evident reason they would have come to Moscow’s attention is because Mr. Trump has publicly assailed them. The Russian Foreign Ministry offered no specific explanation for why they would be included on the list but did say that among its targets were “those in government and law enforcement agencies who are directly involved in the persecution of dissidents in the wake of the so-called storming of the Capitol.”” Once again, sowing discord, just to keep things stirred-up.

Biden nominates Lt. Gen. Timothy Haugh to lead NSA, Cyber Command. Politico.com article. Pull quote: “The notice, obtained by POLITICO, was sent out on Monday and is titled “General Officer Nomination.” It announces that the president has nominated Haugh to the Senate for promotion to four-star general and assignment in the dual-hatted role.” Another military promotion to be blocked by Sen Tuberville (R,AL).

DOE pilots information-sharing effort with private industry to bolster energy sector cybersecurity. UtilityDive.com article. Pull quote: “The program has already helped to take threats developed from the Russia-Ukraine conflict and convert those into cyber advisories that were sent out to the entire energy sector, Kumar testified. However, Congress will ultimately need to step in to fully stand up the program, and the current plan calls for a 2027 launch.”

Review – 4 Advisories Published – 5-23-23

Today, CISA’s NCCIC-ICS published four control system security advisories for products from Horner Automation, Mitsubishi Electric, and Hitachi Energy (2).

Advisories

Horner Advisory - This advisory describes ten vulnerabilities in the Horner Cscape product.

Mitsubishi Advisory - This advisory describes a classic buffer overflow vulnerability in the Mitsubishi MELSEC Series CPU module.

Hitachi Energy Advisory #1 - This advisory discusses six vulnerabilities in the Hitachi Energy RTU500 Series.

Hitachi Energy Advisory #2 - This advisory discusses two use after free vulnerabilities in the Hitachi Energy AFS65x, AFS67x, AFR67x and AFF66x series products.

 

For more information on these advisories, including links to 3^rd party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-published-5-23-23 - subscription required.

Review - TSA Publishes Surface Transportation Employee Vetting NPRM

Today, the Transportation Security Administration (TSA) published a notice of proposed rulemaking (NPRM) in the Federal Register (88 FR 33472-33522) for “Vetting of Certain Surface Transportation Employees”. The proposed regulations would implement provisions of the Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Act) that require security vetting of certain public transportation, railroad, and over-the-road-bus (OTRB) employees. A vetting fee schedule is included in the proposal.

Public Comments

The TSA is soliciting public comments on the proposed rule. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov: Docket # TSA-2023-0001). Comments should be submitted by August 21^st, 2023.

Commentary

Interestingly, the TSA did not appear to consider the option of using the current Transportation Workers Identification Credential as the mode for carrying out the vetting requirement for frontline employees, as was suggested in the Congressional mandate. I am sure that this will be mentioned in industry comments.

 

For more details about the provisions of this rulemaking, including a lengthier commentary, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/tsa-publishes-surface-transportation-aa8 - subscription required.

Short Takes – 5-22-23

The northern lights are heating up: Could they come to all 50 states? TheHill.com article.  A little geeky. Pull quote: “As Steenburgh previously explained to Nexstar, mild or moderate geomagnetic storms can cause weak fluctuations in the power grid and impact satellite operations on spacecraft. Stronger storms can lead to power blackouts, radio issues, and problems with navigation systems, including those on aircraft. Thankfully, the SWPC is able to communicate with infrastructure officials to ensure everything continues running smoothly and doesn’t interrupt your aurora viewing.”

Biden says he thinks he has authority to use 14th Amendment on debt ceiling. TheHill.com article. Pull quote: ““I’m looking at the 14th Amendment as to whether or not we have the authority — I think we have the authority,” Biden told reporters at a press conference in Hiroshima, Japan. “The question is, could it be done and invoked in time that it would not be appealed, and as a consequence past the date in question and still default on the debt. That is a question that I think is unresolved.””

New NASA mission will help improve extreme weather forecasts. TheHill.com article. Pull quote: “This position will also allow them to pass over potential storms once an hour, providing a wealth of data not possible with traditional weather satellites, which make passes about once every six hours. The extra data collected is expected to help scientists understand the processes that place within the storms that determine how they intensify.”

Review - S 1458 Introduced – SECURE Small Business Act

NOTE: Corrected bill number in title 0642 EST 5-28-23

Earlier this month, Sen Cortez-Masto introduced S 1458, the Strengthening and Enhancing Cybersecurity Usage to Reach Every (SECURE) Small Business Act. The bill would require the Small Business Administration to establish a program to assist small business concerns with purchasing cybersecurity products and services. No funding authorization is included in this legislation.

Moving Forward

While Cortez-Masto is not a member of the Senate Small Business and Entrepreneurship Committee to which this bill was assigned for consideration, her sole co-sponsor {Sen Risch (R,ID)} is a member. This means that there may be sufficient influence to see the bill considered in Committee. I see nothing in this bill that would engender any organized opposition. I suspect that there will be substantial bipartisan support for the bill if it were considered.

As with most bills in the Senate, this legislation is not important enough to be considered under regular order. If it were to be considered by the full Senate, it would most likely be as an amendment to an authorization or spending bill.

Commentary

The wording for the sunset provision in the bill is more than a little odd. Even if the bill were enacted next month (extremely unlikely) the SBA is given six months to establish the marketplace, which means some time in December (and few programs get established in the congressionally mandated timeframe). This means that in an unrealistic world, the program would be in existence for little more than nine months, hardly enough time to see if the program were effective, and certainly not time enough for congress to reauthorize if it were even overwhelmingly effective. These sunset provisions are not usually tied to a date certain, but rather they are typically expressed in a period of 2 to 5 years from the date of enactment.

 

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-1459-introduced - subscription required.

Committee Hearings – Week of 5-21-23

This week, with just the House in Washington, there is a full slate of hearings scheduled. In this space, an oversight hearing on the NTIA and a markup of the DHS spending bill are of potential interest.

NTIA Oversight

On Tuesday, the Communications and Technology Subcommittee of the House Energy and Commerce Committee will hold a hearing on “Oversight and Reauthorization of the National Telecommunications and Information Administration”. No witness list is currently available, but it will almost certainly include the NTIA Director. The hearing notice lists 18 pieces of legislation (only two of which have been introduced to date) upon which the hearing will focus. Legislation of potential interest here (links to committee drafts) are:

HR___, the National Telecommunication and Information Administration Reauthorization Act

of 2023,

H Res___, To express the sense of Congress with respect to WHOIS information accessibility, and for other purposes,

HR___, the Digital Economy Cybersecurity Advisory Act of 2023, and

HR___, the Artificial Intelligence Accountability Act.

DHS Spending Bill

On Wednesday, the House Appropriations Committee will hold a markup hearing on “Fiscal Year 2024 Homeland Security and Agriculture, Rural Development, Food and Drug Administration, and Related Agencies Bills”. No word is publicly available on what changes may have been made last week by the DHS Subcommittee to the Committee Draft.

On the Floor

The House has a fairly lite schedule this week, with nothing of particular note here. Interesting that there is not a note on the bottom of the schedule about a potential vote on a budget ceiling bill. With a June 1^st deadline for action, the House would need to complete action this week since they are not scheduled to be in Washington next week.

30 Tons of Missing Ammonium Nitrate

On Saturday, I briefly mentioned an article from CowboyStateDaily.com (and a similar article from KQED.org) about 30-tons of ammonium nitrate pellets that got lost somewhere between Wyoming and Southern California. The hopper railcar in which the material was switched has bottom off-loading valves, and it is currently thought that one or more of those valves leaked the material onto the railroad right-of-way somewhere in transit.

If this is part of a terrorist plot (unlikely according to both news stories) this would provide enough explosive precursor to make six truck bombs the size of the one that blew up the Murrah Building in Oklahoma city in 1995. This would definitely make a splash in the news and could better serve McVeigh’s intent of igniting a civil war. But, stealing this amount from a railcar in transit would require an organized plot to rival any IMF movie plot. It would be much easier to divert truck loads of the material destined for field fertilization across much of the American Midwest.

Having said that, this situation points out security issues with the transport of ammonium nitrate. If this had been a railcar of chlorine gas (or most other toxic inhalation hazard chemicals) rail crews would have been required to inspect the car for potential explosive devices at each location where responsibility for the railcar changed hands. During such an inspection, a leaking unloading valve would have certainly been noticed. Perhaps it is time to increase the security of other hazardous material rail shipments.

BTW: The overdue ammonium nitrate regulations mentioned in the articles would not have had any practical effect on this incident. The missing ammonium nitrate was apparently promptly reported (as a chemical spill, not a theft/diversion). I do not think that the response would be much different if it had been reported as a potential theft/diversion. But it is a solid reminder that CISA really needs to complete this rulemaking.

Software Compliance Tools and CFATS

Last week, I briefly mentioned an article over on FCW.com that discussed plans in DOD to make available free software tools for small contractors to better enable them to meet DOD’s contractor cyber maturity requirements. This is a concept that should spread through out the government, but is especially applicable to the Chemical Security Anti-Terrorism Standards (CFATS) program.

To be fair, the CFATS program is practically run on software applications in its Chemical Security Assessment Tool (CSAT). This collection of compliance tools was innovative in its day (and still should be looked at by other security and safety agencies), but it is time to further modernize the program and start moving some tools to the facility devices. One obvious possibility is cyber incident reporting.

Back in September of 2021, CISA clarified (removed from paywall) the cyber incident reporting requirements for CFATS covered facilities. While CISA does have an online cyber incident reporting form, it would make far more sense for regulated facilities to have an app available for such reporting. It would make reporting easier and could automatically include information about the regulated status of the facility (including facility identification).

Such an application could also provide CISA with a secure mechanism to share cyber threat information with regulated facilities.

Short Takes – 5-20-23

30 Tons of Explosive Chemicals Disappeared Somewhere Between Cheyenne and California. CowboyStateDail.y.com article. Pull quote: “A railcar carrying 60,000 pounds of ammonium nitrate, a chemical used in explosives at Wyoming coal mines, left Cheyenne for California on April 12. Two weeks later, the chemical was discovered missing from the railcar and no one is entirely certain what happened to it.” Leak or terrorist theft?

Multiple Interstellar Objects Have Entered Our Solar System, Study Finds. ScienceAlert.com article. A little geeky. Pull quote: “This study takes a closer look at ISO [interstellar object] capture and tests the idea that some ISOs could be captured in near-Earth orbits rather than solar orbits. The researchers behind the work say that there could be a steady population of ISOs in near-Earth orbit.”

‘In a lot of the world, the clock has hit midnight’: China is calling in loans to dozens of countries from Pakistan to Kenya. Fortune.com article. Pull quote: “An Associated Press analysis of a dozen countries most indebted to China — including Pakistan, Kenya, Zambia, Laos and Mongolia — found paying back that debt is consuming an ever-greater amount of the tax revenue needed to keep schools open, provide electricity and pay for food and fuel. And it’s draining foreign currency reserves these countries use to pay interest on those loans, leaving some with just months before that money is gone.”

National Chemical Transportation Safety Advisory Committee; June 2023 Meetings. Federal Register CG meeting notice. Summary: “The National Chemical Transportation Safety Advisory Committee (Committee) will conduct a series of meetings over 2 days in Washington DC, to discuss matters relating to the safe and secure marine transportation of hazardous materials. The subcommittee meetings will also be available by videoconference for those unable to attend in person, however the full committee meeting will be held in person only. All meetings will be open to the public.”

2023 CISA SBOM-a-Rama. Federal Register CISA meeting notice. Summary: “The Cybersecurity and Infrastructure Security Agency will facilitate a public event to build on existing community-led work around Software Bill of Materials (“SBOM”) on specific SBOM topics.”

Hazardous Materials: Information Collection Activities. Federal Register PHMSA 60-day ICR notice. Renewal requests for:

• Inspection and Testing of Portable Tanks and Intermediate Bulk Containers (2137–0018),

• Hazardous Materials Shipping Papers & Emergency Response Information (2137–0034),

• Approval for Hazardous Materials (2137–0557),

• Rail Carrier and Tank Car Tanks Requirements, Rail Tank Car Tanks—Transportation of Hazardous Materials by Rail (2137–0559),

• Testing Requirements for Non-Bulk Packaging (2137–0572),

• Hazardous Materials Public Sector Training and Planning Grants (2137–0586),

Politicians Need to Learn How AI Works—Fast. Wired.com article. Pull quote: “Cummings also says that politicians and regulators badly need to get up to speed on developments in AI and become more familiar with the technology and how it works. To that end she says she is looking at ways to train people to investigate accidents involving AI, and is creating a course at George Mason aimed at policymakers and regulators who want to be better informed about the technology.”

There’s no final debt ceiling deal. But already, lawmakers don’t like it. WashingtonPost.com article. Pull quote: “Sens. John Fetterman (D-Pa.) and Elizabeth Warren (D-Mass.) have also threatened to vote against a deal that includes work requirements, potentially imperiling Democratic support in a narrowly divided Senate. In a statement this past week, Fetterman said that he “cannot in good conscience support a debt ceiling proposal that pushes people into poverty.””

China, Birthplace of the Covid Pandemic, Is Laying Tracks for Another Global Health Crisis. Reuters.com article. Pull quote: “Animals that may not have had much contact in the forest now live in close quarters, near humans. For that reason, rural areas such as this are where most deadly new pathogens spill over. “There is a higher circulation of viruses in these places,” said Frutos, director of research at the Agricultural Research Center for International Development, a French governmental institute.”

CRS Reports – Week of 5-20-23 – Cybercrime

This week, the Congressional Research Service (CRS) published a report on “Cybercrime and the Law: Primer on the Computer Fraud and Abuse Act and Related Statutes”. This longer than normal (53 pages) report provides a detailed look at the CFAA, its definitions and seven categories of actions prohibited under the statue. It concludes with a discussion of potential issues of concern for Congress.

The latter discussion should be of interest to anyone working in or on the fringes of the cybersecurity community. Topics include:

• Botnet trafficking,

• “Hacking back”,

• Critical infrastructure,

• Doxing and swatting, and

• The insider threat.

 

Chemical Incident Reporting – Week of 5-13-23

NOTE: See here for series background.

Willmar, MN – 5-5-23

Local news reports: Here, here, and here.

Two 150-lb chlorine gas cylinders leaking at very small water treatment facility, no injuries. Good use of leak detection equipment. Not clear from the articles, but this facility is probably not covered by EPA’s security regulations (two small), and is completely exempt (water treatment exemption) from the CFATS regulations, thus the three chlorine cylinders typically found in the small building, could be targeted by terrorists seeking access to chemical weapons.

Not CSB reportable.

Texas City, TX – 5-15-23

Local news reports: Here, here, and here.

Refinery fire. 1 dead and two sent to hospital.

CSB reportable.

Review – Public ICS Disclosures – Week of 5-13-23

This week we have 19 vendor disclosures from ABB, Broadcom (6), Flexera, Helmholz, HPE (3), MB Connect, OPC Foundation, SICK, TandD, Western Digital, WAGO, and Zyxel. There are also two updates from BD and HPE. Finally, we have two exploits for products from Ivanti and Siemens.

Advisories

ABB Advisory - ABB published an advisory that describes two vulnerabilities in their Terra AC wallbox.

Broadcom Advisory #1 - Broadcom published an advisory that discusses an out-of-bounds read vulnerability in their Brocade Directors, Brocade Fabric OS, and Brocade Switches.

Broadcom Advisory #2 - Broadcom published an advisory that discusses an SQL injection vulnerability in their Brocade Fabric OS, Brocade SANnav, and Brocade Support Link.

Broadcom Advisory #3 - Broadcom published an advisory that discusses an incorrect permission assignment for critical resource vulnerability in their Brocade SANnav.

Broadcom Advisory #4 - Broadcom published an advisory that discusses an SQL injection vulnerability in their Brocade Fabric OS, Brocade SANnav, and Brocade Support Link.

Broadcom Advisory #5 - Broadcom published an advisory that discusses an SQL injection vulnerability in their Brocade Fabric OS, Brocade SANnav, and Brocade Support Link.

Broadcom Advisory #6 - Broadcom published an advisory that discusses an abuse of service location protocol vulnerability in their Brocade Fabric OS, Brocade SANnav, Brocade Support Link.

Flexera Advisory - Flexera published an advisory that discusses four vulnerabilities in their FlexNet Publisher.

Helmholz Advisory - CERT-VDE published an advisory that discusses two unnamed vulnerabilities in their myREX24 and myREX24.virtual products.

HPE Advisory #1 - HPE published an advisory that discusses four vulnerabilities in their HP-UX products.

HPE Advisory #2 - HPE published an advisory that discusses two vulnerabilities in their Edgeline servers.

HPE Advisory #3 - HPE published an advisory that discusses 11 vulnerabilities in their Cray EX235a Accelerator Blade.

MB Connect Advisory – MB Connect published an advisory that describes an incorrectly implemented object cache vulnerability in their mbCONNECT24 and mymbCONNECT24 products.

OPC Foundation - The OPC Foundation published an advisory that describes an uncontrolled resource consumption vulnerability in their OPC UA Legacy Java Stack.

SICK Advisory - The SICK product security page lists a new advisory for “Vulnerabilities in SICK FTMg”.

TandD Advisory - TandD published an advisory that describes four vulnerabilities in four end-of-life TandD products.

Western Digital Advisory - Western Digital published an advisory that describes four vulnerabilities in their My Cloud OS 5 Firmware.

WAGO Advisory - CERT-VDE published an advisory that describes an OS command injection vulnerability in multiple products from WAGO.

Zyxel Advisory #1 - Zyxel published an advisory that describes four vulnerabilities in their NBG-418N v2 router.

Zyxel Advisory #2 - Zyxel published an advisory that describes a command injection vulnerability in their NBG6604 router.

Updates

BD Update - BD published an update for their BD Totalys™ MultiProcessor that was originally published on October 4^th, 2022.

HPE Update - HPE published an update for their PE Servers using certain Intel Chipset Firmware advisory that was originally published on February 8^th, 2022 an most recently updated on March 3^rd, 2022.

Exploits

Ivanti Exploit - Shelby Pace, Piotr Bazydlo published a Metasploit module for an unrestricted upload of file with dangerous type vulnerability in the Ivanti Avalanche.

Siemens Exploit - RoseSecurity published an exploit for a cross-site request forgery vulnerability in the SIMATIC S7-1200 CPU.

 

For more details on these disclosures, including links to 3^rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-5-978 - subscription required.