Friday, June 30, 2023

Short Takes – 6-30-23

Congressional AI proponent Ted Lieu pushes back on ChatGPT restrictions placed by House administrative office. FedScoop.com article. Pull quote: “FedScoop first reported in April that the House of Representatives’ digital service had obtained 40 licenses of ChatGPT Plus, the first publicized congressional use of the popular AI tool. House offices said they were using ChatGPT for generating constituent response drafts and press documents, summarizing large amounts of text in speeches, and drafting policy papers or, in some cases, bill language.”

Irrigation may be shifting Earth’s rotational axis. ScienceNews.org article. Pull quote: “When all sources of water movement are considered — including the runoff of meltwater from the Greenland and Antarctic ice sheets — the North Pole drifted about 1.6 meters toward the east coast of Greenland in that time [1993-2010]. The impact of irrigation was mostly to nudge the pole generally east of where it would have gone otherwise, the team found. Without irrigation, the pole would have drifted nearly the same amount, but toward the center of Greenland instead.”

Comment Request; Chemical Data Reporting Under the Toxic Substances Control Act (TSCA) (Renewal). Federal Register EPA 30-day ICR Notice. Changes in Burden Estimate: “Changes in the estimates: There is an increase of 10,194 hours in the total estimated burden compared with that currently approved by OMB. This increase reflects a combination of reporting requirement changes including changes to the information reported (+35,611 hours) and changes to the number of reporters (−25,417 hours) due to byproducts exemptions and a new small manufacturer definition, which were included in two ICR addendums approved by OMB in 2020 (one associated with the 2020 CDR Revisions Rule and the other with the 2020 8(a) SMD Update Rule).” Comments due July 31st 2023.

Pipeline Safety: Gas Pipeline Leak Detection and Repair. Federal Register PHMSA NPRM Comment Extension. Summary: “On May 18, 2023, PHMSA published a Notice of Proposed Rulemaking (NPRM) in the Federal Register titled: “Pipeline Safety: Gas Pipeline Leak Detection and Repair.” PHMSA received requests to extend the comment period for stakeholders to have more time to evaluate the NPRM. PHMSA is therefore extending the comment period to August 16, 2023.” New comment deadline date: August 16th, 2023.

Review - CSB Issues Report on Watson Grinding Explosion

Yesterday, the Chemical Safety Board (CSB) published their investigation report on the 2020 Fatal Propylene Release and Explosion at Watson Grinding in Houston, TX. The report identifies two safety issues that led to the accidental release of propylene and the subsequent explosion that killed three and damaged nearby residences. The report includes two safety recommendations for the Compressed Gas Association and Matheson Tri-Gas Inc.

The CSB has three additional incident reports that it had intended to release by today as part of their effort to reduce their backlog of incident reports.

Commentary

The pictures of the destruction caused by this incident (pg 31) and the diagram showing the extent of the collateral damage (pg 30) should help to remind people why facilities with flammable chemical storage on site are considered to be potential terrorist targets. Propylene is a DHS chemical of interest (COI), and an inventory of 10,000 pounds or more triggers the Top Screen reporting requirements of the Chemical Facility Anti-Terrorism Standards (CFATS) program.

The 2,000-gallon tank at Watson Grinding looks like it was designed to keep the local propylene inventory of the facility just under the 10,000-lb screening quantity threshold for the CFATS program. This is a frequently used tactic to avoid regulatory costs.


For more details about the Report, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-issues-report-on-watson-grinding - subscription required.

EPA Sends TSCA Risk Evaluation NPRM to OMB


Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking from the EPA on “Procedures for Chemical Risk Evaluation Under the Toxic Substances Control Act (TSCA)”. According to the Spring 2023 Unified Agenda entry for this rulemaking:

“As required under section 6(b)(4) of the Toxic Substances Control Act (TSCA), EPA published a final rule on July 20, 2017, that established a process for conducting risk evaluations to determine whether a chemical substance presents an unreasonable risk of injury to health or the environment, without consideration of costs or other non-risk factors, including an unreasonable risk to a potentially exposed or susceptible subpopulation, under the conditions of use. This process incorporates the science requirements of the amended statute, including best available science and weight of the scientific evidence. The final rule established the steps of a risk evaluation process including: scope, hazard assessment, exposure assessment, risk characterization, and risk determination. The Agency is now considering revisions to that final rule and will solicit public comment through a notice of proposed rulemaking.”

Thursday, June 29, 2023

Short Takes – 6-29-23

GOP divided on first impeachment target. TheHill.com article. Pull quote: “In May and June alone, lawmakers introduced 11 different impeachment resolutions for top Biden officials, five of them sponsored by Rep. Marjorie Taylor Greene (R-Ga.). Aside from Biden, Garland and Mayorkas, Greene also has her sights on FBI Director Christopher Wray and Matthew Graves, the U.S. attorney for the District of Columbia.”

Expect a hot, smoky summer in much of America. Here’s why you’d better get used to it. TheHill.com article. Pull quote: ““We have this carousel of air cruising around the Midwest, and every once in a while is bringing the smoke directly onto whatever city you live in,” said University of Chicago atmospheric scientist Liz Moyer. “And while the fires are ongoing, you can expect to see these periodic bad air days and the only relief is either when the fires go out or when the weather pattern dies.””

Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the US. JAMANetwork.com journal article. Pull quote: “This study found that hospitals adjacent to health care delivery organizations affected by ransomware attacks may see increases in patient census and may experience resource constraints affecting time-sensitive care for conditions such as acute stroke. These findings suggest that targeted hospital cyberattacks may be associated with disruptions of health care delivery at nontargeted hospitals within a community and should be considered a regional disaster.”

Through Pandemics and Wildfires, Can Air Sensors Keep Offices Safe? NYTimes.com article. Pull quote: “Moreover, they added, in many buildings, the underlying air-handling infrastructure — the fans and filters, dampers and ductwork — is poorly maintained, and improving indoor air quality will require investing in these basic technologies. Sensors are a “screening tool” for flagging when there might be a problem with indoor air, Dr. Eykelbosh said. “And then you do something else to improve the space.””

Russian General Arrested Following Wagner Mutiny. TheMoscowTimes.com article. Pull quote: “Kremlin spokesman Dmitry Peskov on Wednesday dismissed the report as “speculation” and “gossip,” suggesting that Putin had not given in to Prigozhin’s demands for an imminent reshuffle of the Russian military's top brass.” The crumble rumble.

Wagner’s Prigozhin Planned to Capture Russian Military Leaders. WSJ.com article. Pull quote: “Among the likely complications for Western spy agencies—former intelligence officials and Russia analysts said—would be discerning the meaning of intercepted conversations before, during and after the rebellion. While some messages might look like idle venting of frustrations about the Russian military to one set of eyes, they could appear to another as awareness of or even involvement in planning operations, they said.”

Where are Russian generals Gerasimov and Surovikin after Wagner rebellion? Reuters.com article. Pull quote: “Lawrence Freedman, Emeritus Professor of War Studies at King's College London, said Surovikin's removal, if true, could be more destabilising to Russia's war effort than Saturday's mutiny, “especially if other associates of Prigozhin/Surovikin start to get purged.””

Chinese Balloon Used American Tech to Spy on Americans. WSJ.com article. When only the best will do, buy American (GRIN). Pull quote: “The Pentagon has said the balloon was part of a global surveillance program by China, with balloons being detected over Europe, Asia and Latin America, as well as the U.S. One official called the program sophisticated for conducting surveillance in airspace above 60,000 feet. Airspace just above that height and below 330,000 feet—the boundary of outer space, where satellites operate—is sometimes described as “near space,” and activities in that band aren’t governed by international law.”

Satellites and Robot Dogs Tackle Fugitive Emissions. ChemicalProcessing.com article. Pull quote: “"Energy Robotics' autonomous inspection solution has convinced us that mobile robots are able to perform inspection tasks consistently and to reliably provide accurate information. We are now testing this technology," says Uwe Piechottka, with process technology and engineering/digital process technologies at Evonik. Piechottka adds that the goal is to use autonomous robots to keep people out of dangerous or health-threatening work environments while increasing the quality and frequency of inspections.”

Open Meetings of the Internet of Things Advisory Board. Federal Register NIST Meeting Notice. Summary: “The Internet of Things (IoT) Advisory Board will meet August 22–23, 2023, and September 26–27, 2023, from 11 a.m. until 5 p.m., eastern time. All sessions will be open to the public.” IoT Advisory Board site.

CISA Community Bulletin – June 2023

Yesterday, I received the most recent version of the mostly monthly CISA Community Bulletin email (available on-line). The lengthy email contains brief discussions (with links to longer form information) about topics of interest to those interested in cybersecurity or critical infrastructure protection. Topics of potential interest include:

• Are You Subscribed to the Homeland Security Information Network for Critical Infrastructure Security,

• Interactive Tools on the National Initiative for Cybersecurity Careers and Studies (NICCS) Website,

• Congratulations 2023 Graduates! Welcome to the Cybersecurity Workforce,

• Launch of National Survey on Emergency Communications,

• CISA and Partners Release Joint Guide to Securing Remote Access Software,

• Secure by Design, Secure by Default,

• 2023 Chemical Security Summit,

• Cyber Defense Education and Training (lots of courses here).

Note: I have discussed the HSIN system here on a number of occasions (most recently here in discussing the Baker Hughes advisory). Critical infrastructure facilities should certainly be signed up for this information resource.

Review – 5 Advisories and 4 Updates Published – 6-29-23

Today, CISA’s NCCIC-ICS published four control system security advisories for products from Mitsubishi Electric, Ovarro, Schneider, and Delta Electronics. They published a medical device security advisory for products from Medtronic. They also updated four advisories for products from Enphase, Mitsubishi (2), and Rockwell Automation.

Advisories

Mitsubishi Advisory - This advisory describes an authentication bypass by capture replay vulnerability in the Mitsubishi MELSEC-F Series products if they are used with ethernet communication special adapter FX3U-ENET-ADP or ethernet communication block FX3U-ENET(-L).

Ovarro Advisory - This advisory describes six vulnerabilities for the Ovarro TBox RTUs.

Schneider Advisory - This advisory describes a control injection vulnerability in the Schneider EcoStruxure Operator Terminal Expert.

Delta Advisory - This advisory describes three vulnerabilities in the Delta InfraSuite Device Master product.

Medtronic Advisory - This advisory describes a deserialization of untrusted data vulnerability in the Medtronic Paceart Optima System.

Updates

Enphase Update - This update provides additional information on an advisory that was originally published on June 20th, 2023 (Not June 22nd).

Mitsubishi Update #1 - This update provides additional information on an advisory that was originally published on December 6th, 2022 and most recently updated on June 1st, 2023.

Mitsubishi Update #2 - This update provides additional information on an advisory that was originally published on September 1st, 2020 and most recently updated on September 22nd, 2022 (Not September 30th).

Rockwell Update - This update provides additional information on an advisory that was originally published on April 30th, 2019.


For additional information on these advisories, including a down-the-rabbit-hole look at the Enphase vulnerability response – see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-advisories-and-4-updates-published - subscription required.

Review - HR 4367 Introduced – FY 2024 DHS Spending

Earlier this week, Rep Joyce (R,OH) introduced HR 4367, the Department of Homeland Security Appropriations Act, 2024. The House Appropriations Committee also published their Report on the bill. The bill includes a relatively modest ($19 million) increase in spending for the Cybersecurity and Infrastructure Security Agency (CISA). While chemical security is not mentioned in the bill, there are a number of chemical security, cybersecurity, cyber workforce, and counter-UAS provisions outlined in the Committee Report.

Chemical Security

There are no discussions about chemical security issues in the bill or the report. There is a single line entry in the funding tables on page 170 of the report under Infrastructure Security. It shows that the Committee is funding ‘Chemical Security’ (including the CFATS program) at $37.949 million for FY 2024. That is $3.26 million less than FY 2023 and $3.3 million less than the President requested. The Appropriations Committee clearly expects the CFATS program to continue through FY 2024.

CISA Spending

Starting on page 41, the bill outlines the FY 2024 spending for CISA. The bill would provide $2.37 billion for the Agency. According to the Report (pg 4) this is $19.2 million above the FY 2023 spending. The Committee noted that:

“Recognizing that the Cybersecurity and Infrastructure Security Agency (CISA) budget has grown 44 percent over the last three fiscal years, the bill provides $2,926,291,000 to sustain investments in securing federal civilian cyber networks and helping state and local governments and the private sector secure both cyber and physical infrastructure. The amount is $19,153,000 above the fiscal year 2023 enacted level. This strategic pause in significant budget growth provides CISA the opportunity to mature its operations commensurate with the enacted level.”

Moving Forward

This, as with all spending bills, is a bill that has not been passed in the House for some time. In recent years disagreements over immigration and border issues have even stopped the Committee from attempting to publish/report a DHS spending bill. The Republican leadership has included their solutions this year over the opposition of the minority. The Minority Views section (pg 190) of the report outlines their problems with those solutions. What this means for the bill is that it may pass in the House, but it will be strictly on a party-line vote. That is, of course, if the Republican 11 are satisfied with the level of spending cuts included in the bill.

There is little in this bill that will pass muster with the Democrats in the Senate. Their version of the bill will look a lot different. When the Senate takes up HR 4367 (if, a really big ‘if’, the House actually passes it) they will substitute language from the version being developed by the Senate Appropriations Committee. That version (much amended to appease at least 10 Republicans) may pass on a slightly bipartisan basis. Then a conference committee will work out the differences and maybe McCarthy will work a deal with Democrats to pass the bill in opposition to the right wing of his Party.

There are way too many ‘if’s’, ‘maybe’s’, and ‘may’s’ and other qualifiers in that description. I will not be surprised if this bill never makes it to the President’s desk.


For more details about the provisions of the bill, including funding changes and policy discussions, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-4367-introduced - subscription required.

Wednesday, June 28, 2023

Short Takes – 6-28-23

John Roberts Has Wrested Back Control of the Supreme Court. Slate.com commentary. Pull quote: “This reasoning is ridiculous. What Republican legislators really want is the freedom to craft gerrymandered congressional districts without judicial intervention. The North Carolina Supreme Court already gave them that freedom. They won! There is no remaining injury for the court to redress. So Roberts made one up, invoking the specter of a “judgment” that the North Carolina Supreme Court has disavowed. Why? He wanted to reach the merits so he could stomp out the independent state legislature theory well in advance of the 2024 election. Which is ultimately good! It is important to get clarity on this issue before 2024. But to accomplish these noble aims, the chief justice had to pretzel the law of mootness. Kavanaugh and Barrett went right along with him, suggesting that they, too, were eager to get to the meat of the case, and coming around to finding the merits of the Roberts style.”

Supreme Court rejects theory that would have meant radical changes to election rules. WashingtonPost.com article. Pull quote: ““Although we conclude that the Elections Clause does not exempt state legislatures from the ordinary constraints imposed by state law, state courts do not have free rein,” he wrote. State courts, he added, “may not transgress the ordinary bounds of judicial review such that they arrogate to themselves the power vested in state legislatures to regulate federal elections.””

McCarthy feels the heat as frustrated conservatives grow more aggressive. TheHill.com article. Pull quote: “But frustrated conservatives are getting more aggressive, threatening to tank federal funding bills and risk a government shutdown while pushing harder to force the impeachment votes GOP leaders have sought to avoid.”

Intelligence and Russia’s Pseudo-Coup. TopSecretUmbra.com post. Pull quote: “As of today, Minsk reports that Prigozhin is their guest, while how many Wagner fighters have taken sanctuary with him in Belarus is unclear. Illustrating just how strange this whole operation was, Wagner fighters deployed abroad, serving as semi-deniable cut-outs for Russian military intelligence or GRU, particularly in Africa, the Middle East, and Latin America, remain in action and loyal to Moscow, asserts the Kremlin. It’s difficult to see how mercenaries attempting a coup against the state can be deemed fully loyal to that state just one day later, but Russia has never been a normal country...”

Review - CSB Updates Recommendation Status – 6-27-23

Yesterday, the Chemical Safety Board (CSB) updated their ‘Recent Recommendation Status Updates’ page. They increased the number of ‘Open Recommendations’ from 135 to 155 (no new investigation reports have been published yet). They also changed the status on four existing recommendations from ‘Open’ to ‘Superseded’. Finally, they reported that two currently ‘open’ investigations have zero recommendations.

It really looks like the CSB is getting ready to publish two new reports (Intercontinental Terminals Company investigation and Optima Belle Explosion and Fire investigation), probably today. This would still leave the Watson Manufacturing and Grinding and LyondellBasell investigations to be completed by their self-reported deadline of June 30th.


For more details about the changes made, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-updates-recommendation-status - subscription required.

Bills Introduced – 6-27-23

Yesterday, with the House meeting in pro forma session, there were 37 bills introduced. Six of those bills may receive additional coverage in this blog:

HR 4364 Making appropriations for the Legislative Branch for the fiscal year ending September 30, 2024, and for other purposes. Amodei, Mark E. [Rep.-R-NV-2]

HR 4365 Department of Defense Appropriations Act, 2024 Calvert, Ken [Rep.-R-CA-41]

HR 4366 Military Construction, Veterans Affairs, and Related Agencies Appropriations Act, 2024 Carter, John R. [Rep.-R-TX-31]

HR 4367 Making appropriations for the Department of Homeland Security for the fiscal year ending September 30, 2024, and for other purposes. Joyce, David P. [Rep.-R-OH-14]

HR 4368 Making appropriations for Agriculture, Rural Development, Food and Drug Administration, and Related Agencies programs for the fiscal year ending September 30, 2024, and for other purposes. Harris, Andy [Rep.-R-MD-1]

HR 4387 To amend the National Agricultural Research, Extension, and Teaching Policy Act of 1977 to direct the Secretary of Agriculture to establish a program providing for the establishment of Agriculture Cybersecurity Centers, and for other purposes. Nunn, Zachary [Rep.-R-IA-3]

I will be covering HR 4365, HR 4367 and HR 4387.

I will be watching the remaining spending bills for language that specifically cover cybersecurity provisions not dealing with internal agency cybersecurity.

Tuesday, June 27, 2023

Short Takes – 6-27-23

A New Kill Chain Approach to Disrupting Online Threats. LawfareBlog.com post. Pull quote: “To help break down those siloes between investigators in different fields, companies, and institutions, we have developed a framework to analyze, map, and disrupt many different sorts of online threats: a kill chain for online operations. This is by no means the first time the “kill chain” concept—which identifies the sequence of activities attackers go through in their operations and looks for ways to disrupt them—has been applied to the study of internet threats.”

An upcoming 5G deadline could cause airline delays starting July 1st. TheVerge.com article. Pull quote: “Though airlines aren’t actually required to get the new equipment in place until February 2024, those passenger jets that haven’t been certified for operation around C-band 5G signals by the first of July will not be allowed to land in certain low-visibility situations.”

Armor: Perspectives and Realities. StrategyPage.com article. Pull quote: “Russia has used a lot of anti-personnel and anti-tank mines in Ukraine and the Ukrainian forces have been supplied with equipment and training to find and destroy or disable them. Russia has deployed thousands of these mines in southeast Ukraine to disrupt a Ukrainian offensive. Russia has mapped these minefields in case they are no longer needed and the mines can be removed. If Russia is defeated, those minefield maps are unlikely to be given to the Ukrainians and the mines will be a public hazard for years to come. Ukraine will have to maintain mine-clearing teams and await reports from local civilians about minefield discoveries. Russia and Ukraine have both been using anti-tank mines against each other since 2015.”

Honeywell Forum Tackles Cybersecurity in Process Industries. ChemicalProcessing.com article. Pull quote: “OT organizations don’t necessarily need to add protection solutions that utilize advanced technologies, such as artificial intelligence, to secure their systems, Griswold said. In many cases, OT environments need to begin with basic protections.”

One-Time Informational Reports on Extreme Weather Vulnerability Assessments Climate Change, Extreme Weather, and Electric System Reliability. Federal Register FERC Final Rule. Summary: “The Federal Energy Regulatory Commission (Commission) is adopting a reporting requirement to direct transmission providers to file one-time informational reports describing their current or planned policies and processes for conducting extreme weather vulnerability assessments. The Commission defines an extreme weather vulnerability assessment as any analysis that identifies where and under what conditions jurisdictional transmission assets and operations are at risk from the impacts of extreme weather events, how those risks will manifest themselves, and what the consequences will be for system operations.” Effective date: September 25th, 2023.

Notice of the Renewal of the CISA Cybersecurity Advisory Committee Charter. Federal Register CISA Notice. Summary: “The Secretary, Department of Homeland Security has determined that the renewal of the Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Advisory Committee (CSAC) is necessary and in the public interest in connection with DHS's performance of its duties. Through this notice, the Department is announcing the charter renewal of the CSAC, a Federal Advisory Committee, for public awareness.”

US gathered detailed intelligence on Wagner chief’s rebellion plans but kept it secret from most allies. CNN.com article. Pull quote: “The secrecy surrounding the intelligence was why some senior European officials and even senior officials across the US government were caught off guard by Prigozhin’s attack on Friday, and the speed with which Wagner forces marched into Rostov-on-Don and up toward Moscow into Saturday morning, the sources said.”

The emergent industrial metaverse. TechnologyReview.com article. Pull quote: “Existing and developing technologies, including digital twins, artificial intelligence and machine learning, extended reality, blockchain, and cloud and edge computing, will be the building blocks of the industrial metaverse. These will converge to create a powerful interface between the real and digital worlds that is greater than the sum of its individual parts.” Report.

Review – 1 Advisory Published – 6-27-23

Today, CISA’s NCCIC-ICS published one control system security advisory for products from Hitachi Energy.

Advisories

Hitachi Energy Advisory - This advisory describes an improper output neutralization for logs vulnerability in the Hitachi Energy FOXMAN-UN and UNEM network management system toolsets.


For more details about this advisory, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-published-6-27-23 - subscription required.

Review - PHMSA Publishes Railroad Incident Notification NPRM

Today, DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) published a notice of proposed rulemaking in the Federal Register (88 FR 41541-41560) for “Hazardous Materials: FAST Act Requirements for Real-Time Train Consist Information”. The rule would require all railroads to generate in electronic form, maintain, and provide to first responders, emergency response officials, and law enforcement personnel, certain information regarding hazardous materials in rail transportation to enhance emergency response and investigative efforts.

Public Comments

PHMSA is soliciting public comments on this NPRM. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket PHMSA-2016-0015). Comments should be submitted by August 28th, 2023.


For more details about the provisions of this rulemaking, including a discussion about the security of information disclosed to response personnel, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/phmsa-publishes-railroad-incident - subscription required.


Bioterrorism Rule Updates Sent to OMB

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received two notices of proposed rulemaking (NPRMs) supporting the biennial updates required by the bioterrorism acts. NPRMs were received from the Agriculture Department’s Animal and Plant Health Inspection Service (APHIS) and the CDC.

According to the Spring 2023 Unified Agenda entry for the APHIS rulemaking:

“In accordance with the Agricultural Bioterrorism Protection Act of 2002, we are proposing to amend and republish the select agent and toxin lists that have the potential to pose a severe threat to animal or plant health, or to animal or plant products. The Act requires the biennial review and republication of the list of select agents and toxins and the revision of the list as necessary. This action would implement findings of biennial review of the lists. In addition, we are proposing to codify operational procedures and policies necessary to enforce the regulations.”

According to the Spring 2023 Unified Agenda entry for the CDC rulemaking:

“The Bioterrorism Preparedness Act requires that the Department of Health and Human Services (HHS) Secretary review and republish the list of select agents and toxins on at least a biennial basis. This document begins the biennial review and republication of the list of biological agents and toxins regulated by HHS.”

Monday, June 26, 2023

Short Takes – 6-26-23

Why your flood risk could be a lot worse than you think. TheHill.com article. Pull quote: “The nonprofit found that 51 percent of Americans live in areas where their risks of going through a “1-in-100 year” flood are twice the official estimate, while 21 percent can expect to see such a severe storm every 25 years. (To see the climate risk to 2050 for any freestanding home, click here.)” A bit of an adverticle, see the third paragraph from the end.

Cranky Congress: House GOP hopes a holiday can ease its factional warfare. Politico.com article. Pull quote: “Republicans are eager for a fresh start when they return. The House will be tackling the biggest items on its annual to-do list, from that Pentagon policy bill to its annual spending bills. But those debates threaten to bring only more chaos unless McCarthy and his team can mollify much of the GOP’s right flank, which remains livid over the spending levels set out in the recent debt deal.”

Scammers Target Stores With Bomb Threats, Seeking Bitcoin and Gift Cards. WSJ.com article. Pull quote: “Businesses, entertainment venues and schools for years have dealt with bomb threats and phone scams, and hacking groups have tried to obtain information or money through cybersecurity attacks. Bomb threats demanding ransoms are unusual and appear to be a newer avenue of extortion targeting retailers that started earlier this year, security and industry experts said.”

“Forest bathing” might work in virtual reality too. TechnologyReview.com article. Pull quote: “Science is still divided on the mechanisms behind forest bathing itself. Some lend credence to the “biophilia” theory, popularized by Edward O. Wilson in the 1980s, which suggests that humans require interaction with nature because we are part of it ourselves. Another, called “attention restoration theory,” suggests that natural environments like forests offer people opportunities to recover from the tiring tasks of everyday life. Both theories might also apply in virtual forests.”

HOW TO BUILD A POWER GRID ON THE MOON. Spectrum.IEEE.org article. Pull quote: “The system we intend to build on the moon, dubbed LunaGrid, will consist of a network of solar-power generating stations, or nodes, connected by transmission cables. This grid is designed to deliver power where it’s needed via a fleet of robotic rovers. Astrobotic plans to demonstrate the first-generation system as early as 2026, with the first full LunaGrid becoming operational by 2028 at the lunar south pole.”

Short Takes – 6-26-23 – Russian Coup, Mutiny, Insurrection Issue

Rebel Wagner Forces, Threatening March to Moscow, Abruptly Stand Down. NYTimes.com article. Pull quote: ““There was a higher goal — to avoid bloodshed, to avoid an internal confrontation, to avoid clashes with unpredictable consequences,” Mr. Peskov said. “It was in the name of these goals that Lukashenko’s mediation efforts were realized, and President Putin made the corresponding decisions.””

Prigozhin's Mutiny. SAMF.Substack.com article. Pull quote: “Now we have a candidate. This coup is being led by the boss of the Wagner mercenaries, Yevgeny Prigozhin. At first the smart money was on his failure because the full weight of the Russian state is against him. Before he made his moves, he was declared a traitor, his offices were raided, and his bases shelled. But the Russian state is inept and decrepit. If the aim was to catch Prigozhin unawares and shut him up it failed, because he appears to have had some notice of what was being prepared for him and so took his own initiatives. If you are going to move against your opponents you need to be decisive. Prigozhin got away (like Zelensky in February 2022).”

Revolt Raises Searing Question: Could Putin Lose Power? NYTimes.com article. Pull quote: “One of the more confounding aspects of the crisis was why Mr. Putin allowed Mr. Prigozhin’s very public conflict with Russia’s Defense Ministry to escalate for months without addressing it. Mr. Prigozhin had been brazenly outspoken in assailing and belittling the Russian military’s leadership.”

Russia is still on the verge of disintegration, even if Prigozhin turned his men back. Telegraph.co.uk article. via News. Pull quote: “He has spoken of the courage and honour of Ukrainian troops, and contrasted the efficient way in which Kyiv evacuated civilians from the war zone with Moscow’s haplessness. Indeed, his verbal ire has been aimed, not at enemy soldiers, but at Russian regulars, and his last broadcast before the rising was a denunciation of Russia’s pretext for the invasion.”

Russia Coup: Pop Goes the Weasel. SpyTalk.co blog post. Pull quote: “The Ukrainians can help that along. One infowar weapon: ridicule over Russia’s unrest. Kyiv put out a video Saturday of a drone operator eating popcorn, which instantly went viral. Another was posted of Ukraine military intelligence chief Kyrylo Budanov supposedly issuing a “certificate of appreciation” to Prigozhin for his “efforts and collaboration.” Ha, ha, ha. But just getting the truth to Russian audiences about Prigozhin and Ukraine is a powerful weapon. As Polymeropoulos put it, “What you promulgate is exactly the truth because there is confusion and chaos.””

Why doubling down on Ukraine would be the worst outcome for Vladimir Putin. SMH.com.au commentary. Pull quote: “Prigozhin’s uprising has also made clear the brittleness of the Russian system. While the corrupt, overly-centralised nature of the Russian state is hardly a new revelation, the past 48 hours have demonstrated how weak and incapable the Russian institutions of state are. That many security services simply “stayed home” during this mutiny, with other military units joining Wagner, indicates Russia has become a fragile state and that there is a deep unhappiness at Putin’s rule.”

S 2103 Introduced – FY 2024 Intel Authorization

Review - Last week, Sen Warner (D,VA) introduced S 2103, the Intelligence Authorization Act for Fiscal Year 2024. This annual, must-pass legislation provides continuing authorization for the activities of the intelligence community. In the unclassified portions of the bill there are two cybersecurity-related provisions (a workforce measure and an election security act) and one cybersecurity mention-in-passing.

Moving Forward

This bill is one of the must-pass bills that Congress needs to deal with each year. Warner is the Chair of the Senate Intelligence Committee and the Committee will take up this legislation when they come back from their two-week 4th of July recess next month. I do not review this bill in enough detail (nor do I follow intelligence politics closely enough) to offer an opinion on the prospects for passage of this bill, nor on the level of opposition to its many provisions. We will be better able to evaluate those matters when we see how the Committee votes on amendments and on its final recommendation on the bill.

 

For more details about the cybersecurity provisions of this bill, and a longer discussion about the recent politics of passing the intel authorization bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2103-introduced - subscription required.

Saturday, June 24, 2023

Short Takes – 6-24-23

Mercenary group launches armed rebellion in Russia: How we got here. TheHill.com article. Pull quote: “The tensions began over the Russian military performance, Wagner’s recruitment of convicts and the amount of supplies and ammunition that the Wagner Group received to help the Russian military in Ukraine. Now, the strained relations have expanded to Prigozhin’s accusations that the Russian military is attacking his forces. He’s also denounced Russia’s justification for the war.”

McCarthy seeks to mollify conservatives ahead of federal spending fight. TheHill.com article. Pull quote: ““I think that what makes the most sense for us strategically is to be able to get these bills, get the numbers as low as we possibly can, and get them out of the House as quick as we can for negotiating purposes,” Rep. Garret Graves (R-La.), a close McCarthy ally who was central to debt ceiling negotiations, told reporters after the meeting. “I think that’s what’s most strategic and in our interest.””

Senate remains divided along party lines as it kicks off the fiscal 2024 funding process. GovExec.com article. Pull quote: “The Senate Appropriations Committee took a vote Thursday on the allocations for each of the 12 funding bills Congress must pass annually to keep agencies operational, but only Democrats supported it. The Fiscal Responsibility Act that President Biden signed into law earlier this month after tense negotiations with House Republicans set the top-line funding level for defense at $886 billion and non-defense discretionary spending at $704 billion—though pre-agreed to adjustments will grow the latter number—but lawmakers must still determine how that money will be divided among the 12 bills and for each federal agency.”

A submersible expert who rode Titan in 2019 says he raised safety concerns to operator CEO after trip. CNN.com article. Pull quote: ““As much as I appreciate entrepreneurship and innovation, you are potentially putting an entire industry at risk,” McCallum wrote in March 2018. “I implore you to take every care in your testing and sea trials and to be very, very conservative.””

Hurricanes push heat deeper into the ocean than scientists realized, boosting long-term ocean warming. Phys.org article. Pull quote: “Scientists have long thought of hurricanes as extreme events fueled by ocean heat and shaped by the Earth's climate. Our findings, published in the Proceedings of the National Academy of Sciences, add a new dimension to this problem by showing that the interactions go both ways—hurricanes themselves have the ability to heat up the ocean and shape the Earth's climate.”

Organizational Changes in Certain Department of Energy Health, Safety, and Security Regulations. Federal Register DOE Final Rule (technical correction). Summary: “The U.S. Department of Energy (DOE) has updated its organizational structure and changed certain titles and reporting duties within the Office of Environment, Health, Safety and Security. This final rule updates certain DOE health, safety and security regulations to reflect the new titles and organizational names. Additionally, the final rule makes further minor updates to these regulations to improve clarity and delete obsolete references.”

A cheap fix to global warming is finally gaining support. Phys.org article. Pull quote: “If all the [methane] gas that's leaked or vented by Turkmenistan's energy sector was salvaged and burned instead and the EU rules take effect, the combined measures would have roughly the same short-term climate effect as wiping out roughly 290 million tons of CO2 each year, according to calculations by Bloomberg and energy think tank Ember. That's like canceling the emissions of Taiwan—the world's leading chip-maker and its 21st worst polluter. In the U.S., the Environmental Protection Agency also is expected to outline its plan in coming weeks for implementing a new fee on methane emissions mandated by the sweeping climate law enacted last year.”

S 2178 – Support for CFATS Program

With just 34 days left until the Chemical Facility Anti-Terrorism Standards (CFATS) program reaches its legislative termination, I admit that I was very happy to see S 2178 introduced earlier this week. I will be happier still when I can see the bill’s language, hopefully early next week. In the meantime, I am going to take a look at two Senate press releases and an industry press release to see what we can figure out about what the bill is going to do.

Industry Press Release

On Friday afternoon, I was notified that the American Chemistry Council had come out in support of the new legislation (that was no surprise). Their web site contains a press release supporting the new bill. The ACC is an industry organization supporting a wide swath of the chemical manufacturers in the United States. They have been long-time supporters of the CFATS program, pushing for reauthorization for quite some time.

Unfortunately, there is nothing in their press release that gives any clue to the contents of S 2178.

Senate Press Releases

The first congressional press release that I saw this week on the topic was the one published by Sen Capito’s (R,WV) Office. It provides a brief background on the program and a clear statement about Capito’s support for the program:

““Over the past several years, I have worked so that this program is both authorized and funded at levels to ensure the safety of chemical facilities across this country. By coming together in a bipartisan way, we are demonstrating the importance of our nation’s efforts to support a regulatory framework that strengthens our ability to prevent these facilities from being vulnerable to terrorists,” Senator Capito said.”

There is one piece of actual information about the bill in the press release, the title: Protecting and Securing Chemical Facilities from Terrorist Attacks Act. Not much of a surprise here; this is the same name as the 2014 legislation that last reauthorized the program.

The second senatorial press release came from the office of Sen Peters (D,MI), who is the sponsor of the bill. The release contains brief statements of support from the three cosponsors {Capito, Sen Carper (D,DE) and Sen Lankford (R,OK)}. Lots of good vibes and support, but not much in the way of information about the provisions of the bill. That is, until you get down to the part of the release that provides “statements in support of the senators’ bipartisan legislation”. This portion of the press release provides brief statements made by representatives from a wide selection of chemical manufacturers and industry groups:

• Dow North America,

• U.S. Chamber of Commerce,

• BASF Corporation,

• Lubrizol Corporation,

• Brenntag North America,

• American Chemistry Council (slightly different than the one discussed above),

• National Association of Chemical Distributors,

• American Fuel and Petrochemical Manufacturers,

• Agriculture Retailers Association, and

• The Fertilizer Institute

Comment Analysis

Some interesting phrases pop up in some of those comments:

• Long-term reauthorization,

• 5-year reauthorization,

• Clean reauthorization,

• 5-year clean extension.

Long-term reauthorization has long been a goal of industry. It provides industry with a certain amount of certainty that the long-term investments that they continue to make in security measures will continue to support the program requirements. Unfortunately, politicians often prefer a shorter extension, because it allows them to meddle with the program, which they can generally only do during reauthorization. The regulators also prefer longer-term reauthorization, since it allows them to refine their processes without having the politicians foisting major changes on them.

The term ‘clean reauthorization’ is a vaguely defined technical term. In its purest sense ‘clean’ means no changes to the program. It takes no great insight to see why industry would like that: no legislative changes means no regulatory changes, which of course means no new spending by industry to make changes. In practice the term means that no significant changes are made to the program; it is hard to keep politicians from tweaking.

Unfortunately, it is hard to know whether these commenters have actually seen the language in the proposed legislation, whether they are describing what they want to see, or something in between. The best I can do is to note that industry appears to expect a 5-year clean extension of the CFATS program. We will have to see when the bill is published.

Review - S 2131 Introduced – FY 2024 ARD Spending

This week Sen Heinrich (D,NM) introduced S 2131, the Agriculture, Rural Development, Food and Drug Administration, and Related Agencies [ARD] Appropriations Act, 2024. The Senate Appropriations Committee also published their Report to accompany the bill. As expected, the only mention of cybersecurity in the bill deals with the cybersecurity spending by the USDA Chief Information Officer on pages 5 and 6 of the legislation. There are no chemical safety mentions in the bill. There are minor mentions of both in the Committee Report. On Thursday, the Committee ordered the bill to be reported favorably by a unanimous vote (pg 140 of the Report).

Moving Forward

Since, by long-standing practice (the Constitution actually requires it only for revenue bills), spending bills originate in the House, the Senate does not usually take action on spending bills until the House version is passed. Typically, once the House passes their bill, the Senate will take up that bill and Heinrich will offer this Senate version as substitute language for the bill. The Senate will make their amendments to this language and then pass the bill (well, they have not actually passed individual spending bills in quite some time). A conference committee will then be appointed to negotiate a version of the bill that (hopefully) can be passed in both chambers.

The House Appropriations Committee marked up their version of the bill on June 14th, 2023, and voted to report the resulting bill favorably in a party-line vote. That bill has not yet been published. This, considering the recent leadership disputes in the Republican majority, would seem to indicate that there are still problems that have to be worked out, probably dealing with spending levels. The ‘Republican 11’ almost certainly want to see even lower spending levels than were adopted in Committee.

 

For more details about the provisions in the bill and directions in the Report, including a longer discussion about spending bill politics in the 118th Congress, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2131-introduced - subscription required.

CRS Reports – Week of 6-17-23 - ICTS Rule and Review Process

This week the Congressional Research Service (CRS) published a report on “The Information and Communications Technology and Services (ICTS) Rule and Review Process”. The report provides an overview of the ‘Supply Chain Rule’ which implements Executive Order 13873, Securing the Information and Communications Technology and Services Supply Chain.

The report looks at the following topics:

• What Is ICTS?

• Executive Order 13873,

• What Is a Foreign Adversary?

• Determining Foreign Adversary Involvement,

• What Transactions Will Be Reviewed?

• Connected Software Applications,

• Exclusions,

• The ICTS Review Process,

• Comparisons to CFIUS, and

• Licensing and Pre-Approval

The report concludes with the typical ‘congressional interest’ section:

“Members of Congress may have an interest in the Supply Chain Rule’s impact on U.S. national security and economic interests. Because the ICTS sector is integrated into many aspects of the economy, the Supply Chain Rule could have a wide-ranging effect on U.S. industry. Some business and trade groups contend the rule is overbroad, lacks transparency, and results in costly compliance. Others view the rule as essential to protect U.S. national security and supply chains.”

While control systems themselves are not covered under the ICTS definition, the communications technologies that allow control systems to work could be considered ICTS. Thus, operational control systems could still be affected by rulings under the Supply Chain Rule.

Chemical Incident Reporting – Week of 6-17-23

NOTE: See here for series background.

New Braunfels, TX – 6-19-23

News reports: Here, here, and here.

Anhydrous ammonia leak at a meat processing plant. No injuries reported, no damage reported. It is not clear from the reporting whether the facility evacuation was self-initiated or whether it was triggered by chemical alarms. One of the ‘good’ things about anhydrous ammonia is that people can smell it at concentrations well below dangerous levels. With minimal safety training, self-initiated evacuations can be very effective when leaks are not immediately at dangerous levels.

Probably not CSB reportable.

Alachua County, FL – 6-20-23

News reports: Here, here, and here.

A multi-vehicle accident included a styrene tanker that overturned and leaked. No injuries reported.

Transportation related, not CSB reportable.

CSB Incident Reporting Database

The CSB still has not published a quarterly update of its Accidental Release Database since January 25th, 2023.


Review – Public ICS Disclosures – Week of 6-17-23

This week we have twelve vendor disclosures from FortiGuard (2), GE Gas Power, HP, HPE, Sick, Schweitzer Engineering Labs (2), Sierra Wireless, VMware, Western Digital, and Zyxel. There is also an update from GE Gas Power. We also have three researcher reports for products from Dell and an update of the OT:ICEFALL report. Finally, we have an exploit for the HiSecOS from Belden.

Advisories

FortiGuard Advisory #1 - FortiGuard published an advisory that describes a deserialization of untrusted data vulnerability in their FortiNAC.

FortiGuard Advisory #2 - FortiGuard published an advisory that describes a command injection vulnerability in their FortiNAC product.

GE Gas Power Advisory - GE published an advisory that discusses five vulnerabilities in their Proficy Historian product.

HP Advisory - HP published an advisory that discusses a Time-of-Check to Time-of-Use (TOCTOU) vulnerability in their PC products using AMI UEFI Firmware.

HPE Advisory - HPE published an advisory that discusses a remote code execution vulnerability in their IceWall product modules.

Sick Advisory - Sick published an advisory that describes vulnerabilities in their SICK EventCam App.

SEL Advisory #1 - SEL announced that a new version of their SEL-5037 SEL Grid Configurator is available that mitigates undescribed cybersecurity vulnerabilities.

SEL Advisory #2 - SEL announced that a new version of their SEL-5030 acSELerator QuickSet Software is available that mitigates undescribed cybersecurity vulnerabilities.

Sierra Wireless Advisory - Sierra Wireless published an advisory that provides additional guidance on a previously disclosed improper authentication vulnerability for their routers using the AirLink Management Service (ALMS).

VMware Advisory - VMware published an advisory that describes five vulnerabilities in their vCenter Server and Cloud Foundation products.

Western Digital Advisory - Western Digital published an advisory that describes two command injection vulnerabilities in their My Cloud OS 5 Firmware.

Zyxel Advisory - Zyxel published an advisory that describes a command injection vulnerability in their NAS products. This vulnerability is listed in the CISA Known Exploited Vulnerabilities Catalog.

Updates

GE Gas Power Update - GE published an update for their Proficy Historian advisory that was originally published on February 3rd, 2023.

Researcher Reports

Dell Reports - Binarly published three reports describing individual vulnerabilities in the Dell Edge Gateway BIOS.

OT:ICEFALL Report - Forescout published an update of their OT:ICEFALL report.

Exploits

Belden Exploit - Dreizehnutters published an exploit for a privilege escalation vulnerability in Belden’s HiSecOS Web Server.

 

For more details on these disclosures, including links to researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-6-7c8 - subscription required.

Bills Introduced – 6-23-23

Yesterday, with just the House in session (and preparing to join the Senate in their 2-week 4th of July recess), there were 58 bills introduced. One of those bills will be covered in this blog:

HR 4333 To enhance the authority granted to the Department of Homeland Security and Department of Justice with respect to unmanned aircraft systems and unmanned aircraft, and for other purposes. Houlahan, Chrissy [Rep.-D-PA-6]

Friday, June 23, 2023

Short Takes – 6-23-23

Boebert’s ‘frankly stupid’ impeachment push leads to GOP groans, Dem glee. TheHill.com article. Pull quote: “But that doesn’t mean there will be an end to impeachment efforts, given that Rep. Marjorie Taylor Greene (R-Ga) has her own efforts to impeach not only Biden, but Attorney General Merrick Garland, Homeland Security Secretary Alejandro Mayorkas, FBI director Christopher Wray and Matthew Graves, the U.S. district attorney for the District of Columbia.”

Titan’s experimental design drew concern even before its doomed dive. WashingtonPost.com article. Pull quote: “Within a debris field about 1,600 feet from the bow of the Titanic, the search team found the front and back portions of the pressurized hull, said Paul Hankins, who leads salvage operations for the U.S. Navy. Carl Hartsfield of Woods Hole Oceanographic Institution said the debris indicates that the submersible probably imploded before reaching the ocean floor.”

East Palestine fire chief tells NTSB hearing he had 13 minutes to make key decision. WashingtonPost.com article. Pull quote: “The on-scene hearing is the first since the NTSB sent representatives to Alaska as part of a plane crash investigation six years ago and is a rare chance for the public to observe the NTSB’s investigators at work. It marks a milestone in the East Palestine investigation, which is likely to continue into 2024, at which point the board will formally determine the cause of the derailment and issue safety recommendations for how such incidents can be avoided.”

Review - S 1939 Introduced – FAA Reauthorization

Earlier this month, Sen Cantwell (D,WA) introduced S 1939, the FAA Reauthorization Act of 2023. In addition to the periodic reauthorization of various FAA programs, the bill includes aircraft cybersecurity provisions and unmanned aircraft system (UAS) requirements that are of interest here. UAS provisions include:

• Beyond visual line of sight flight rules,

• Prevention of tracking or interfering with unmanned aircraft,

• Extend DOJ and DHS counter UAS authority, and

• Allow UAS to transport hazardous materials.

Moving Forward

Cantwell is the Chair of the Senate Commerce, Science, and Transportation Committee. This means that she certainly has the influence to see this bill considered in Committee. Given that Sen Cruz (R,TX), the Ranking Member of the Committee, is a cosponsor of the bill, there should be bipartisan support for this bill. We will have to see if the amendment process in Committee changes that support. This is one of the periodic ‘must pass’ bills that the Senate has to deal with.

Typically, we would expect the House to pass their FAA reauthorization bill (HR 3935). Then the Senate would take up the bill and the first amendment (offered by Cantwell) would be to offer the language from this bill as substitute language. Then the amendment process would start. Once the amended House bill is passed, the bill would normally go to a conference committee to work out the differences between the two versions of the bill. With the current leadership upheaval in the House, it will be interesting to see if the ‘standard process’ is followed this year.

 

For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-1939-introduced - subscription required.

Bills Introduced – 6-22-23

Yesterday, with both the House and Senate in session, there were 191 bills introduced. Six of those bills may receive additional coverage in this blog:

S 2103 An original bill to authorize appropriations for fiscal year 2024 for intelligence and intelligence-related activities of the United States Government, the Intelligence Community Management Account, and the Central Intelligence Agency Retirement and Disability System, and for other purposes. Warner, Mark R. [Sen.-D-VA] 

S 2127 An original bill making appropriations for military construction, the Department of Veterans Affairs, and related agencies for the fiscal year ending September 30, 2024, and for other purposes. Murray, Patty [Sen.-D-WA]

S 2131 An original bill making appropriations for Agriculture, Rural Development, Food and Drug Administration, and Related Agencies for the fiscal year ending September 30, 2024, and for other purposes. Heinrich, Martin [Sen.-D-NM] 

S 2153 A bill to provide for the use of members of the Selected Reserve and Individual Ready Reserve to respond to significant cyber events. Peters, Gary C. [Sen.-D-MI]

S 2178 A bill to extend the Chemical Facility Anti-Terrorism Standards Program of the Department of Homeland Security, and for other purposes. Peters, Gary C. [Sen.-D-MI] 

S 2201 A bill to increase knowledge and awareness of best practices to reduce cybersecurity risks in the United States. Klobuchar, Amy [Sen.-D-MN] 

I will be covering S 2103, S 2153, and S 2178. A special note on S 2178, the Chemical Facility Anti-Terrorism Standards (CFATS) program will terminate on July 27th, 2023, unless it is reauthorized by Congress. S 2178 is the first bill introduced in either the 117th or 118th Congress that would reauthorize the program.

I will be watching the two spending bills, S 2127 and S 2131, for language addressing cybersecurity issues, particularly those addressing control system issues.

I will be watching S 2201 for language and definitions that include control system cybersecurity risks within the scope of the legislation’s requirements.

Mentioned in Passing

There are three bills that I would like to mention in passing:

HR 4310 To ban the sale of products with a high concentration of sodium nitrite to individuals, and for other purposes. Rep. Trahan, Lori [D-MA-3]

H Res 537 Amending the Rules of the House of Representatives to clarify that the payment of a bail bond constitutes a gift for purposes of the Rules. Rep. Cohen, Steve [D-TN-9]

S 2168 A bill to rescind discretionary appropriations in the event of a debt ceiling crisis period and to honor the full faith and credit of the debts of the United States in the event of a debt ceiling crisis. Braun, Mike [Sen.-R-IN]

RE HR 4310 - Trying to figure out why Trahan would want to see sodium nitrite sales banned leads to two possibilities: sodium nitrite capsules are being used as a poison for feral hogs (there is a certain level of appropriateness in that), and there has apparently been an increase in the number of individuals using sodium nitrite as a poison for suicide.

RE H Res 537 – This is a further attempt to deal with the ‘Santos’ problem in Congress. Making bail bond payments gifts would require a congress critter to report them to the Ethics Committee.

RE S 2168 – This is a radical ‘solution’ to the debt ceiling problem. It would (really?) keep the financial community happy because debt service payments could continue to be made while Congress dithered. It would also protect military pay, Social Security checks, and other mandatory spending.

Thursday, June 22, 2023

Short Takes – 6-22-23

Enphase Ignores CISA Request to Fix Remotely Exploitable Flaws. SecurityWeek.com article. Pull quote: ““Enphase Energy is in direct contact with CISA and committed to quickly addressing any potential vulnerabilities,” a company spokesperson told SecurityWeek. “Enphase maintains a strong focus on cybersecurity to protect our customers in an increasingly interconnected, data-driven, and modern energy landscape. With positive customer experience at the center, we aim to create and provide high-quality products and services that meet the highest security standards.””

Ex-FBI analyst who kept classified info in bathroom like Trump going to prison in KC case. KansasCity.com article. Pull quote: “The sentencing for willful retention of national defense information was the first since a federal grand jury indicted Trump earlier this month, accusing him of hoarding classified documents at his Mar-a-Lago estate in Florida, keeping boxes of documents not only in a storage room but in a ballroom and bathroom as well.” No political slant to this news story….

Have Chemical Weapons been Used in Ukraine? RUSI.ORG commentary. Pull quote: “It is a reasonably logical step to go from initial assumptions in early 2022 that the Russian military would take rapid control of the country, to the need to disperse civilian protests and therefore to have ready access to RCA [riot control agents similar to tear gas]. Although this rapid occupation did not take place, it is also logical that local commanders – who would still have had access to these grenades – would have seen them as a possible game changer in flushing out Ukrainian defenders, adopting the same mentality as in the First World War in an attempt to break a stalemate in entrenched positions. It is quite conceivable that at the time, this use was a local decision, made without local commanders even being aware that use of these weapons was not permitted by the CWC [Chemical Weapons Convention].” Interesting discussion.

Request for Public Comment on Two Draft Immediately Dangerous to Life or Health (IDLH) Values, for Hydrogen Bromide and Hydrogen Iodide. Federal Register CDC request for comment. Summary: “The National Institute for Occupational Safety and Health (NIOSH) in the Centers for Disease Control and Prevention (CDC), an Operating Division of the Department of Health and Human Services (HHS), requests public comment and technical review on two (2) draft Immediately Dangerous to Life or Health (IDLH) Value Profiles regarding the chemicals hydrogen bromide (CAS# 10035–10–6) and hydrogen iodide (CAS# 10034–85–2).” Comment deadline: August 21st, 2023.

The Invasive Giant African Land Snail Has Been Spotted in Florida. NYTimes.com article. Pull quote: “The species, the giant African land snail, was detected earlier this month in Miramar, Fla., north of Miami. On Tuesday, after completing a survey of the area, state agriculture officials decided to place a 3.5-square-mile section of Broward County under quarantine.”

U.S. Navy Heard What It Believed Was Titan Implosion Days Ago. WSJ.com article. Pull quote: “The Navy began listening for the Titan almost as soon as the sub lost communications, according to a U.S. defense official. Shortly after the submersible’s disappearance Sunday, the U.S. system detected what it suspected was the sound of an implosion near the debris site discovered Thursday and reported its findings to the Coast Guard commander on site, U.S. defense officials said.”

Review - S 1798 Introduced – Countering WMD Office

Earlier this month, Sen Peters (D,MI) introduced S 1798, the Offices of Countering Weapons of Mass Destruction and Health Security Act of 2023. The bill would reauthorize both the Office of Countering Weapons of Mass Destruction and the Office of Health Security (name changed) in DHS. Unlike HR 3224, S 1798 does a major rewrite of the authorizing statutes for both offices. It also removes the automatic termination language (which requires periodic reauthorization) for the CWMD Office. No new funding is authorized in this bill.

Moving Forward

Earlier this month, the Senate Homeland Security and Governmental Affairs Committee held a business meeting that included a markup of this bill. According to the Committee record of the meeting, the bill was ordered favorably reported by a vote of 12 to 2 (Sen Marshall (R,KS) and Sen Paul (R,KY) voted no) after the Committee amended and adopted substitute language. Senate committees do not typically provide copies of substitute language or amendments on their website, so we will have to wait for the Committee Report to be published to see what changes were made.

The current termination date {6 USC 591(e)} for the CWMD authorization is December 31st, 2023. This means that this bill or the House version (HR 3224) needs to pass this summer for the other body to have time to take up the bill. The Senate is unlikely to consider S 1798 under regular order, and Paul’s opposition to the bill means that he will almost certainly object if the bill were considered under the suspension of the Rules process. It is not clear whether Paul would similarly oppose the less extensive changes to the CWMD authorization found in the House bill.

Commentary

In researching this bill, I went back and looked at the referenced definition of the term ‘weapons of mass destruction’ in 50 USC 1801. That definition dates back to 1978, so it completely misses the deadliest weapon of mass destruction employed in an attack on US soil, the airliners used on 9/11. Those airliners were not the ‘explosive, incendiary, or poison gas’ devices envisioned in paragraph (1) of that definition, though they certainly released jet fuel into their targets, and the resulting fires were the proximate cause of the collapse of the Twin Towers.

The wording of the other three paragraphs of the definition could lead us to a better, more inclusive wording for §1801(p)(1):

(1) Any weapon that is designed, intended, or has the capability to cause death or serious bodily injury to a significant number of persons through the release of chemical, kinetic or electrical energy;

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-1798-introduced - subscription required. 

Review – 2 Advisories and 2 Updates Published – 6-22-23

Today, CISA’s NCCIC-ICS published two control system security advisories for products from SpiderControl and Advantech. They also updated two advisories for products from Mitsubishi and Econolite.

Advisories

SpiderControl Advisory - This advisory describes a path traversal vulnerability in the SpiderControl SCADA Webserver.

Advantech Advisory - This advisory describes two vulnerabilities in the Advantech R-SeeNet server monitors.

Updates

Mitsubishi Update - This update provides additional information on an advisory that was originally published on March 2nd, 2023.

Econolite Update - This update provides additional information on an advisory that was originally published on January 26th, 2023.


For more details on these advisories, including a discussion about a missing advisory number, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-and-2-updates-published-c3d - subscription required.

Bills Introduced – 6-21-23

Yesterday, with both the House and Senate in session, there were 101 bills introduced. One of those bills may receive additional coverage in this blog:

S 2071 A bill to amend section 11101 of title 49, United States Code, to ensure that rail carriers provide transportation or service in a manner that fulfills the shipper's reasonable service requirements. Baldwin, Tammy [Sen.-D-WI]

I will be watching S 2071 for language and definitions that would specifically include chemical shipments in the scope of the proposed changes.

Mention in Passing

I would like to mention two bills introduced yesterday, HR 4250 and S 2074. They are both described as bills “to maintain the free flow of information to the public by establishing appropriate limits on the federally compelled disclosure of information obtained as part of engaging in journalism, and for other purposes.” Whether blogs such as this one are considered ‘journalism’ is open to interpretation and debate, but I have something of a personal stake in legislation like this. Both bills have significant bipartisan sponsorship, but I doubt that in this Congress they will actually get considered.

Wednesday, June 21, 2023

Short Takes – 6-21-23

Physicists split bits of sound using quantum mechanics. ScienceNews.org article. Geeky stuff. Pull quote: “Cleland and his team managed the feat with an acoustic beam splitter, a device that allows about half of an impinging torrent of phonons to pass through while the rest get reflected back. But when just one phonon at a time meets the beam splitter, that phonon enters a special quantum state where it goes both ways at once. The simultaneously reflected and transmitted phonon interacts with itself, in a process known as interference, to change where it ultimately ends up.”

Hazardous Materials: Information Collection Activities. Federal Register PHMSA 30-day ICR Notice. Comment deadline – July 21st, 2023. Renewing the following ICRs (internal document links):

Hazardous Materials Incident Reports (2137–0039),

Cargo Tank Motor Vehicles in Liquefied Compressed Gas Service (2137–0595), and

Inspection and Testing of Meter Provers (2137–0620).

Teamsters strike with UPS could snarl commerce as labor flexes muscle. TheHill.com article. Pull quote: ““If it was just one union rattling its saber and trying to make demands, that’s one thing. But if you’re having Starbucks, Amazon, Apple and all these major companies starting to unionize now, a lot of these pretty substantial bargaining demands become more realistic, especially with all these logistical dilemmas people are having,” he said.”

Proposed rule requires railroads to notify first responders in 10-mile radius of derailments. TheHill.com article. Draft NPRM (HM-263). Pull quote: “Large railroads already have an app, AskRail, so firefighters could look up what the cargo of each train carries — but the smaller railroads do not have an app like that. This new rule would apply to nearly 600 railroads across the country.” May be in Federal Register next week, but it has not yet been sent to OMB (maybe not necessary).
