Thursday, August 31, 2023

Short Takes – 8-31-23

Microsoft joins a growing chorus of organizations criticizing a UN cybercrime treaty. CyberScoop.com article. Pull quote: ““We need to ensure that ethical hackers who use their skills to identify vulnerabilities, simulate cyberattacks, and test system defenses are protected,” Amy Hogan-Burney, associate general counsel for cybersecurity policy and protection at Microsoft, wrote in a LinkedIn Post. “Key criminalization provisions are too vague and do not include a reference to ‘criminal intent,’ which would ensure activities like penetration testing remain lawful.””

Hicks takes direct oversight of Pentagon’s UAP office; new reporting website to be launched. DefenseScoop.com article. Pull quote: “The Pentagon’s second-in-charge [Deputy Defense Secretary Kathleen Hicks] took action late last month, partly to help speed up AARO’s development and launch of a congressionally mandated public website where the organization will be expected to disclose its unclassified work and findings and offer a secure mechanism via which users can submit their own reports of possible UAP observances.”

US water infrastructure ‘unsustainable’ amid rapidly evolving crisis, report warns. NextGov.com article. Pull quote: “The report attributes inadequate conditions across the water and wastewater industries to "decades of chronic underfunding and underinvestment" in the U.S. and makes several recommendations to increase water supply sustainability, from aquifer recharges to developing highly integrated water management systems.”

Ensuring safe transportation of anhydrous ammonia: A shared responsibility. Agri-Pulse.com commentary. Pull quote: “The [2019] Beach Park incident serves as a reminder of the dangers of transporting anhydrous ammonia. It proves that failure with even small equipment can have major consequences. To address these safety concerns, PHMSA has undertaken comprehensive, data-driven research on nurse tank fatigue to identify risks and reduce nurse tank failures. In addition, PHMSA has conducted extensive outreach with farmers and the agricultural industry to inform about the safety regulations for transporting anhydrous ammonia.”

CISA Warns of Hurricane-Related Scams. CISA.gov alert. Pull quote: “Social engineering TTPs include phishing, in which threat actors pose as trustworthy persons/organizations—such as disaster-relief charities—to solicit personal information via email or malicious websites. CISA recommends exercising caution in handling emails with disaster-related subject lines, attachments, or hyperlinks. In addition, be wary of social media pleas and text messages related to severe weather events.”

CISA faces ‘significant concerns’ over losing chemical security staff during reauthorization stalemate. FederalNewsNetwork.com article. Pull quote: ““If we have the same level of appropriations, but no authorization, or if our appropriations did go down, I do have significant concerns that we will lose team members during this uncertainty as this lapse continues and certainly if it continues past the fiscal year,” Murray said during the summit. “But until we see what the numbers are for appropriations or authorizations, I couldn’t answer any specifics.””

Review – 4 Advisories Published – 8-31-23

Today, CISA’s NCCIC-ICS published four control system security advisories for products from Digi International, PTC, GE Digital, and ARDEREG.

Advisories

Digi Advisory - This advisory describes a use of password hash instead of password for authentication vulnerability in the Digi RealPort Protocol.

PTC Advisory - This advisory describes four vulnerabilities in the PTC Kepware KepServerEX.

GE Advisory - This advisory describes a process control vulnerability in the GE CIMPLICITY 2023 product.

ARDEREG Advisory - This advisory describes an SQL injection vulnerability in the ARDEREG Sistemas SCADA.


For more details on these advisories, including links to researcher reports and a down-the-rabbit-hole look at the Digi advisory, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-published-8-31-23 - subscription required.

Review - NTSB Publishes 2 ANPRMs for Transportation Investigations

Today the National Transportation Safety Board (NTSB) published two advance notices of proposed rulemaking (ANPRM) in the Federal Register (88 FR 60164-60165 and 88 FR 60166-60167) for “Authority of NTSB in Railroad, Pipeline, and Hazardous Materials Investigations”. The two rulemakings would provide definitions for two key terms used in existing NTSB regulations at 49 CFR 831.40(a) that are not defined in the US Code (49 USC 1131):

• ‘Substantial property damage’, and

• ‘Significant injury to the environment’

Public Comments

The NTSB is soliciting comments on both rulemakings. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov) using the docket numbers listed below:

• Railroad rulemaking - NTSB-2023-0007, and

• Pipeline rulemaking - NTSB-2023-0008

Comments on both should be submitted by October 30th, 2023.


For more information on both rulemakings, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/ntsb-publishes-2-anprms-for-transportation - subscription required.

2023 Chemical Sector Security Summit – 8-31-23 – Morning Session

The third and last day of the 2023 Chemical Sector Security Summit opened this morning in Arlington, VA. The morning keynote from CISA by Kelly Murray, Associate Director, CISA Chemical Security, gave her an additional chance to mention CFATS reauthorization along with highlighting today’s presentations.

The first presentation of the morning was a panel discussion by the Chemical Sector Coordinating Council (abbreviated as SCC, but all of the sector coordinating councils typically use the same abbreviation). While there were the now obligatory comments about the termination and hope for reauthorization of the Chemical Facility Anti-Terrorism Standards (CFATS) program, the focus of this discussion was the operation of the SCC and the importance of the information coordination and sharing capabilities of the SCC.

The second presentation covered drone security at chemical facilities. Katie Ricks, from Dow Chemical, talked briefly about an incident in February, but more importantly she stressed the value of having close, cooperative relationships with local law enforcement. There was an interesting discussion about the FBI investigation of drone overflights of critical infrastructure (mainly petrochemical facilities) in Louisiana, where there is a State law prohibiting flying drones over critical infrastructure.

Two more online presentations will be made today before the CSSS closes for this year:

• Cybersecurity as a Shared Responsibility, and

• UAS Threats Facing the Chemical Sector

Review - OMB Approves TSA Surface Transportation Cybersecurity ICR – 8-29-23

On Tuesday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved the three-year extension of the TSA’s information collection request for “Cybersecurity Measures for Surface Modes”. This ICR extension was mandated when OIRA approved an emergency revision to the ICR to support the latest version of TSA’s security directives for certain surface transportation organizations. This ICR extension was submitted to OIRA on March 10th, 2023.

Commentary

As I have noted on a number of occasions, the TSA does a poor job of providing detailed information in their ICR notices. The whole point of the ICR program is to keep the regulated public involved in the process of approving the collection of information. Public comments provide the necessary feedback for agencies to understand the impacts their regulatory actions have beyond achieving their regulatory goals. It does not seem to me that TSA understands this purpose and, unfortunately, OIRA does a poor job of ensuring that agencies fulfill the spirit of the ICR process.


For more information on this ICR, including burden estimate details and additional commentary on TSA’s ICR performance, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/omb-approves-tsa-surface-transportation - subscription required.

Wednesday, August 30, 2023

Short Takes – 8-30-23

U.S. Hacks QakBot, Quietly Removes Botnet Infections. KrebsOnSecurity.com article. Pull quote: “Documents published by the DOJ in support of today’s takedown state that beginning on Aug. 25, 2023, law enforcement gained access to the Qakbot botnet, redirected botnet traffic to and through servers controlled by law enforcement, and instructed Qakbot-infected computers to download a Qakbot Uninstall file that uninstalled Qakbot malware from the infected computer.”

Norfolk Southern says outage impact could last weeks. FreightWaves.com article. Pull quote: “In a statement, the company said there’s no indication the disruption was related to cybersecurity, noting it was a “hardware-related technology outage.” It impacted freight, commuter and passenger service.”

Hackers shut down 2 of the world's most advanced telescopes. Space.com article. Pull quote: “The National Science Foundation's National Optical-Infrared Astronomy Research Laboratory, or NOIRLab, reported that a cybersecurity incident that occurred on Aug. 1 has prompted the lab to temporarily halt operations at its Gemini North Telescope in Hawaii and Gemini South Telescope in Chile. Other, smaller telescopes on Cerro Tololo in Chile were also affected.”

House conservatives flirt with shutdown: ‘So be it’. TheHill.com article. Pull quote: “While the Republicans flirting with a shutdown are a tiny minority within the GOP conference, they add another layer of complication for McCarthy as he works to keep the lights on in Washington without angering his right flank, who are pushing for steeper spending cuts and policy additions as part of the appropriations process.”

A sesame allergy law has made it harder to avoid the seed. Here's why. NPR.org article. Pull quote: “He said the FDA typically expects recalls for products containing traces of allergens, even when there's a "may contain" warning on the label, so some bakers determined that intentionally adding sesame was the only way to comply with the FASTER Act. He says it's not feasible for all bakeries to establish separate facilities to produce sesame-free products.”

Availability of Five Draft Toxicological Profiles and One Draft Interaction Profile. Federal Register ATSDR notice. Summary: “The Agency for Toxic Substances and Disease Registry (ATSDR), within the Department of Health and Human Services (HHS), announces the opening of a docket to obtain comments on drafts of five updated toxicological profiles, and one draft interaction profile: Creosote, Nickel, 1,2-Dichloroethene, Vinyl acetate, Acrylonitrile, and the Interaction Profile for Selected Metallic Ions. This action is necessary as this is the opportunity for members of the public and organizations to submit comments on drafts of the profiles. The intended effect of this action is to ensure that the public can note any pertinent additional information or reports on studies about the health effects of these six profiles for review.” Comments due November 28th, 2023.

Homeland Security Advisory Council. Federal Register DHS meeting notice. Summary: “The Homeland Security Advisory Council (HSAC) will hold a public in-person meeting on Thursday, September 14, 2023. The meeting will be open to the public via teleconference.”

Worker Walkaround Representative Designation Process. Federal Register OSHA NPRM. Summary: “OSHA is proposing to amend its Representatives of Employers and Employees regulation to clarify that the representative(s) authorized by employees may be an employee of the employer or a third party; such third-party employee representative(s) may accompany the OSHA Compliance Safety and Health Officer (CSHO) when they are reasonably necessary to aid in the inspection. OSHA is also proposing clarifications of the relevant knowledge, skills, or experience with hazards or conditions in the workplace or similar workplaces, or language skills of third-party representative(s) authorized by employees who may be reasonably necessary to the conduct of a CSHO's physical inspection of the workplace.” Comments due October 30th, 2023.


Reminder – One Day Left – CFSN Subscription Sale through August 31st - https://chemical-facility-security-news.blogspot.com/2023/08/cfsn-detailed-analysis-subscription.html - See article for links to reduced rate subscriptions.

2023 Chemical Sector Security Summit – 8-30-23 – Morning Sessions

The second day of the 2023 Chemical Sector Security Summit opened this morning in Arlington, VA. The morning keynote continued the CFATS reauthorization mantra from CISA by Dr. David Mussington, Executive Assistant Director, Infrastructure Security, CISA. The keynote was followed by a session closed to the press (myself included) for a presentation by the FBI on Unmanned System Threat Overview.

There was an interesting set of presentations on “Extreme Weather Threats to Chemical Security”. Sunny Wescott, CISA’s [corrected 9-8-23 23:03 EDT] lead meteorologist, had a fact-filled presentation on how recent increases in extreme weather events across the country have impacted facility safety and security. She included a little-noted impact on cyber issues, heat and cooling at data centers. She blew through this presentation pretty quickly, but it was a lot of information to get through in a short period of time.

Remaining online presentations for today:

• Academic Perspective: Terrorist Organizations and Tactics,

• A Community-Oriented Approach to Security Management,

• Artificial Intelligence and Advancing Technology, and

• Mass Attacks in Public Spaces.

I do want to mention a presentation late this afternoon that will not be presented online: Cyber Threats Facing the Chemical Sector. The presenters include Carole Kelliher the Deputy Program Manager for CISA’s CyberSentry program. CyberSentry is a CISA-managed threat detection and monitoring capability, governed by an agreement between CISA and voluntarily-participating critical infrastructure partners who operate significant systems supporting National Critical Functions.

Sponsor Added for HR 1623 – CFATS Propane Exception

Yesterday, a new sponsor was added for HR 1623, a bill to amend the Homeland Security Act of 2002 to exclude certain propane storage facilities from certain chemical security standards under the Department of Homeland Security, and for other purposes. Rep Pfluger (R,TX) was added as a cosponsor. Pfluger is a member of the House Homeland Security Committee to which this bill was assigned for primary consideration. This means that there may now be sufficient influence to see this bill considered in Committee.

With the CFATS program currently being terminated, there is little incentive for the Committee to consider this bill, but that would change if Congress actually gets around to reinstating the program.

OMB Approves FAR NPRM on Cyber Incident Reporting

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a Federal Acquisition Regulation (FAR) notice of proposed rulemaking (NPRM) for “FAR Case 2021-017, Cyber Threat and Incident Reporting and Information Sharing”. The NPRM was sent to OIRA for review on May 11th, 2023.

According to the Spring Unified Agenda entry for this rulemaking:

“DoD, GSA, and NASA are proposing to amend the Federal Acquisition Regulation (FAR) to increase the sharing of information about cyber threats and incident information between the Government and certain providers, pursuant to Office of Management and Budget recommendations, in accordance with section 2 (b)-(c), and Department of Homeland Security (DHS) recommendations, in accordance with section 8(b), of Executive Order (E.O.) 14028, Improving the Nation’s Cybersecurity. In addition, the rule will propose requiring certain contractors to report cyber incidents to the Federal Government to facilitate effective cyber incident response and remediation, pursuant to DHS recommendations in accordance with sections 2(g)(i) of E.O. 14028.”

This NPRM will likely be published in the Federal Register sometime next week.

Bills Introduced – 8-29-23

Yesterday, with the House and Senate meeting in pro forma sessions, there were 26 bills introduced. One of those bills may receive additional coverage in this blog:

HR 5310 To amend title 41, United States Code, to require information technology contractors to maintain a vulnerability disclosure policy and program, and for other purposes. Lieu, Ted [Rep.-D-CA-36]

I will be watching this bill for language or definitions that would apply the provisions of the bill to industrial control systems operated, installed or serviced by federal contractors.

Mention in Passing

Rep Lieu (D,CA) introduced two other bills that may be of interest to readers, but are outside of the coverage limits of this blog:

HR 5309 To amend title 18, United States Code, to require a warrant for the disclosure of records from a provider of electronic communication service or remote computing service, and for other purposes. Lieu, Ted [Rep.-D-CA-36]

HR 5311 To preempt State data security vulnerability mandates and decryption requirements. Lieu, Ted [Rep.-D-CA-36]

Tuesday, August 29, 2023

Short Takes – 8-29-23

Stop it. Mark Meadows Actually Took the Stand? StatusKuo.Substack.com commentary. Pull quote: “And Meadows, should he succeed here, would have a pretty good shot at getting dismissed under a Supremacy Clause argument. After all, the judge would have already ruled that Meadows was in fact acting in the course of his official duties—the very kind of thing the Supremacy Clause exists to protect defendants against when it comes to state level prosecutions.”

NIAC reports cybersecurity compromises in water sector will require a more specialized workforce. IndustrialCyber.co article. Pull quote: “The [National Infrastructure Advisory Council] report also laid down that the [proposed Department of Water] DOW must work with public water system owners to identify necessary infrastructure upgrades and determine funding plans that include local investments, national subsidies, and water rate increases, when necessary. It will also institute policies and budgets necessary to ensure equitable access to water, wastewater, and the benefits of stormwater, and collaborate with related agencies and programs to ensure cross-government alignment.” Draft report approved this week.

CISA Director Jen Easterly Remarks at 2023 Chemical Security Summit. C-Span.org video. Long discussion about the importance of the Chemical Facility Anti-Terrorism Standards from today’s opening of the Chemical Sector Security Summit.

Virgin Galactic’s president explains how VSS Unity is now flying frequently. ArsTechnica.com interview. Pull quote: “To understand why there was such a long downtime after Sir Richard Branson's flight on Virgin Galactic in 2021 and to learn how the company has reached a monthly flight cadence, I recently had a long interview with Mike Moses, the company's chief of operations and president. Moses came to Virgin Galactic in 2011 from NASA, where he worked as a flight director and then as a senior leader of the Space Shuttle program.”

National Cybersecurity Center of Excellence (NCCoE) Accelerate Adoption of Digital Identities on Mobile Devices. Federal Register NIST notice. Summary: “The National Institute of Standards and Technology (NIST) invites organizations to provide letters of interest describing technical expertise and products to support and demonstrate International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 18013–5 and ISO/IEC 18013–7 standards capabilities for the Accelerate Adoption of Digital Identities on Mobile Devices project. This notice is the initial step for the National Cybersecurity Center of Excellence (NCCoE) in collaborating with technology companies to address cybersecurity challenges identified under the Accelerate Adoption of Digital Identities on Mobile Devices project. Participation in the project is open to all interested organizations.”

Hazardous Materials: Information Collection Activities. Federal Register PHMSA 30-day ICR notice. Summary: “In accordance with the Paperwork Reduction Act of 1995, PHMSA invites comments on information collections pertaining to hazardous materials transportation for which PHMSA intends to request renewal and extension from the Office of Management and Budget. PHMSA published a 60-day comment period soliciting comments on these information collections in the Federal Register on March 22, 2023, and did not receive any comments.” Comments due September 28th, 2023.

Reminder – 2 Days Left – CFSN Subscription Sale through August 31st - https://chemical-facility-security-news.blogspot.com/2023/08/cfsn-detailed-analysis-subscription.html - See article for links to reduced rate subscriptions.

CISA Announces NIAC Meeting – September 13th, 2023

Today CISA published a meeting notice in the Federal Register (88 FR 59533-59534) for a public meeting of the President's National Infrastructure Advisory Council (NIAC) on September 13th, 2023 in Washington, DC. The NIAC provides the President, through the Secretary of Homeland Security, advice on the security and resilience of the Nation's critical infrastructure sectors.

The agenda for the September meeting includes:

• A keynote address on critical infrastructure security and resilience,

• An overview on the National Cybersecurity Implementation Plan and cyber regulatory harmonization,

• A report to the Council from the NIAC's Electrification Subcommittee,

• Deliberation and vote on Electrification Subcommittee recommendations, and

• Additional topics discussion.

Personnel wishing to attend the in-person meeting need to register by email (NIAC@cisa.dhs.gov). Written comments on the agenda topics may be submitted for consideration by NIAC via the Federal eRulemaking Portal (www.Regulations.gov; Docket #CISA–2023–0012).

Review – 1 Advisory Published – 8-29-23

Today, CISA’s NCCIC-ICS published a control system security advisory for products from PTC.

Advisories

PTC Advisory - This advisory describes a cross-site scripting vulnerability in the PTC Codebeamer.


For more information on this advisory, including a link to the researcher report, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-published-8-29-23 - subscription required.

2023 Chemical Sector Security Summit – 8-29-23 – Morning Session

The 2023 Chemical Sector Security Summit opened this morning in Arlington, VA. All of this morning’s sessions were shared online. Jen Easterly (Director CISA) and Kelly Murray (Associate Director for Chemical Security) had an interesting chat about the status of the Chemical Facility Anti-Terrorism Standards (CFATS) program (currently terminated) along with a discussion about the importance of reinstating the program. Kelly continued that discussion with her presentation on “State of Chemical Security”.

There was a great deal of information about CFATS and what the termination has meant for CISA, the regulated community, and their surrounding neighbors. Both of these presentations emphasized (repeated a number of times) a couple of statistics about the effects that the termination has had in the thirty days since the Program ceased to exist:

• 160 inspections did not take place (historically 35% of inspections discovered program shortcomings),

• 40 Top Screens were not submitted and evaluated, and

• 300 personnel surety vettings per day were not submitted for checks against the Terrorist Screening Database.

As I noted on LinkedIn: “I hope that CISA recorded her presentation and shared it with Congress. She laid out the case for a quick reauthorization of CFATS in great detail.” Kelly did note that the Legislative Liaison folks at CISA were actively in discussions with Congress, but refused to try to forecast what the legislators would do.

This afternoon’s sessions will include:

• Secretary of Homeland Security Remarks,

• Federal and Industry Discussion on the Future of Chemical Security,

• Federal and Industry Response to Supply Chain Disturbances,

• “Wicked Problems” in Chemical Security.

Review - OMB Approves TSA ICR Revision for HME Vetting Program – 8-28-23

Yesterday, OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an information collection request (ICR) revision/update from the TSA for the “Security Threat Assessment for Individuals Applying for a Hazardous Materials Endorsement for a Commercial Driver's License”. The revision was needed because the introduction of an on-line renewal program reduced the time necessary to collect the information and the cost of renewing the HME vetting.

Commentary

I do not know why I am so prone to digging into the TSA’s ICR Notices. I ignored the 60-day and 30-day notices for this ICR when they were published in the Federal Register. From a quick review of the data presented in those documents, it did not seem that there was going to be anything of interest beyond the decrease in the reported burden estimates due to the online renewal process. But, as has almost always been the case, digging into the approved ICR provides some interesting information.


For more details about the information presented in the ICR data, including a reported decline in the number of HMEs and an explanation for the increase in the number of estimated responses, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/omb-approves-tsa-icr-revision-for - subscription required.

Monday, August 28, 2023

Short Takes – 8-28-23

GOP tensions between Senate, House raise shutdown odds. TheHill.com article. Pull quote: “Senate GOP aides point out that Sen. Susan Collins (Maine), the senior Republican on the Senate Appropriations Committee, has worked well with Sen. Patty Murray (Wash.), the Democratic chairwoman, to pass all 12 spending bills out of the committee with overwhelming bipartisan votes.”

Tropical Storm Idalia threatens Florida, may strengthen. TheHill.com article. Potentially a major hurricane before landfall. Pull quote: “Idalia is expected to become a hurricane over the eastern Gulf of Mexico and then turn northeast toward the west coast of Florida, the National Hurricane Center said. In an advisory Sunday, forecasters said this could bring an increased risk of storm surges and hurricane-force winds along portions of Florida’s west coast and the Florida Panhandle starting as early as Tuesday.”

AAR explains 'impasse' over Class Is joining FRA's safety reporting system. ProgressiveRailroading.com article. Pull quote: “"The crux of the current dispute centers on a significant nuance: situations where the employer is aware of a safety rule violation without any employee report — referred to as a 'known event' — but the employee reports the event anyway and therefore avoids discipline," the letter states. "If an employee repeatedly uses the system in this way simply to avoid discipline, the basic objective of the C3RS concept is thwarted. The focus of the program shifts from prevention of accidents to employment protection."”

Ukraine claims liberation of key southeastern town. TheHill.com article. Pull quote: ““As Ukraine continues to gradually gain ground in the south, Russia’s doctrine suggests that it will attempt to regain the initiative by pivoting back to an operational level offensive,” the U.K. Defense Ministry said in an intelligence update over the weekend. “Kupiansk-Lyman is one potential area for this.””

America’s fight against chemical terrorism is at risk. WashingtonPost.com commentary (Jen Easterly). Pull quote: “Since CFATS’s inception in 2006, CISA has maintained a regular presence at chemical facilities, conducting 160 inspections a month. More than 1 in 3 inspections identified chemical security gaps, including the inability to detect intruders, insufficient access controls, incomplete cyber system patching and vulnerability scanning, inadequate security training and missing background investigations. The inspections have led to an improved security posture by an average of nearly 60 percent, based on the identification of risk and subsequent implementation of new security measures.”

Canada's TSB warns of safety risks from locomotive, trackside fires. ProgressiveRailroading.com article. Pull quote: “The incident that prompted the warning was a 2021 fire on a Canadian Pacific (now Canadian Pacific Kansas City) freight train in Elko, British Columbia. On July 8, 2021, the train was traveling east on the Cranbrook Subdivision near Caithness, British Columbia, when its mid-train locomotive experienced a mechanical failure that resulted in flames and embers emanating from the exhaust stack, likely causing a trackside fire.”

Reminder – CFSN Subscription Sale through August 31st - https://chemical-facility-security-news.blogspot.com/2023/08/cfsn-detailed-analysis-subscription.html - See article for links to reduced rate subscriptions.

BIS Sends 2 Final Rules to OMB – 8-25-23

On Friday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received two final rules from the DOC’s Bureau of Industry and Security (BIS) for changes to export control regulations. The two rules cover:

• Revisions to Certain Australia Group Controls and Reasons for Control, and

• Revisions to the Export Administration Regulations Based on 2018, 2019, 2021, and 2022 Missile Technology Control Regime Plenary Agreements; and Revisions to License Exception Eligibility

The first rule was not listed in the Spring 2023 Unified Agenda. The entry for the second rule states that:

“This final rule makes revisions to the Export Administration Regulations based on 2021 and 2022 Missile Technology Control Regime Plenary Agreements; and Revisions to License Exception Eligibility”

Unless you closely follow these international arms control discussions (and I do not), there is no reasonable way to determine what BIS may include in these rules. Since cybersecurity issues have been covered in the past, I mention these now.

Review - HR 3932 Reported in House – FY 2024 Intel Authorization Act

Earlier this month, the House Intelligence Committee published their Report on HR 3932, the Intelligence Authorization Act for Fiscal Year 2024. They also published the reported version of the bill. There is one section in the bill that addresses cybersecurity for intelligence agencies and the sole mention in the report explicates that section. This legislation would also exempt the intelligence community from rules covering controlled unclassified information. The bill also briefly addresses the chemicals used to manufacture illicit drugs in Mexico.

NOTE: The introduced version of this bill was a very bare bones bill that would act as a skeleton for the work by the Committee to flesh out the language. Thus, there is no point in trying to explain the differences between the two versions of the bill.

Moving Forward

With the publication of this report, the bill is now cleared for consideration by the House. This is one of the annual ‘must pass’ bills and in recent years it has been included in the massive year end spending bill. With Congress being ‘prohibited’ from passing a consolidated spending bill, there is a strong likelihood that this bill will be considered by the House before the end of the year.

There are a number of provisions in the bill (not covered here, but see §418 for example) that will draw almost automatic opposition from Democrats in the House, so this will require a united Republican front to pass the bill. Depending on amendments offered by the Republican 11 and rejected by the more moderate Republicans, this bill may not be able to pass without the removal of some of the provisions objected to by the Democrats.

 

For more details about the provisions of this bill, including commentary on some of them, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-3932-reported-in-house - subscription required.

Saturday, August 26, 2023

Short Takes – 8-26-23

New Report Warns U.S., Allies of Two Front War with China, North Korea. USNI.org article. Pull quote: “For that two-front war to happen doesn’t require coordination between Beijing and Pyongyang if tensions over Taiwan escalate or North Korea launches an attack on Seoul, he said. The report emphasizes, “U.S. and allied capabilities, command-and-control arrangements, and posture (including forces, bases, and agreements with allies) are unsuited to prevent simultaneous conflict with the PRC and North Korea and/or a limited nuclear attack or provide robust military response options if they occur.””

NERC assessment identifies new risk to grid reliability: energy policy. UtilityDive.com article. Pull quote: “With increased legislative focus on decarbonization, decentralization, and electrification, energy policy is expected to drive rapid change, NERC’s report concludes. “There is an undeniable need to increase coordination and collaboration among all policy makers and regulators as well as on the owners and operators” of the bulk power system, it said.”

How chemists are tackling the plastics problem. TechnologyReview.com article. Pull quote: “Still, achieving that vision will take some tweaks. Polyethylene and polypropylene are simple chains of carbon and hydrogen, while some other plastics contain other elements, like oxygen and chlorine, that could pose a challenge to chemical recycling methods.”

As fires and floods rage, Facebook and Twitter are missing in action. WashingtonPost.com article. Pull quote: “Facebook and Twitter spent years making themselves essential conduits for news. Now that government agencies, the media and hundreds of millions of people have come to rely on them for critical information in times of crisis, the social media giants have decided they’re not so invested in the news after all.”

How Schools Can Survive (and Maybe Even Thrive) With A.I. This Fall. NYTimes.com article. Pull quote: “Last year, many schools tried to scare students away from using A.I. by telling them that tools like ChatGPT are unreliable, prone to spitting out nonsensical answers and generic-sounding prose. These criticisms, while true of early A.I. chatbots, are less true of today’s upgraded models, and clever students are figuring out how to get better results by giving the models more sophisticated prompts.”

The Wrong People Just Got Their Hands on an Elite Drone Unit. TheDailyBeast.com article. Pull quote: “Explosive drones have been some of the most lethal weapons used by cartels against Mexican authorities. That was made all too clear in November 2022, when a convoy from the Mexican military was attacked with explosive drones by henchmen from the Jalisco New Generation Cartel as they approached the small town of Tepalcatepec in Michoacán. Four were killed and six others were injured in the incident, according to news reports.”

 

Reminder – CFSN Subscription Sale through August 31st - https://chemical-facility-security-news.blogspot.com/2023/08/cfsn-detailed-analysis-subscription.html. See article for links to reduced rate subscriptions.

Sharing CUI – An Example

A lot of valuable security information is gathered and published as Controlled Unclassified Information (CUI). While not subject to the same controls as classified information, the government still tries to restrict the sharing of such information for a variety of reasons, most of them justifiable. Even when such information is leaked and shared in the press, current government regulations limit the ability of government employees and contractors to use such information.

There are a number of ways that agencies can get around the information sharing limitations associated with CUI. I ran across a time-honored CUI bypass (redaction) in a recent online article found at DomesticPreparedness.com. The actual article is very short, but it provides a link to a presumably officially redacted copy of a report by the DHS Office of the Inspector General on “CBP Outbound Inspections Disrupt Transnational Criminal Organization Illicit Operations”. The original version of the report was marked as “Law Enforcement Sensitive”. While the redaction markings on the document are not annotated as to the authority responsible for the redaction, the redacted report is maintained on the OIG web site, so I think we can safely assume that the rules about sharing CUI are not being violated in this case.

The amount of redacted information included in this non-CUI version of the report is actually relatively small. The example below shows the redactions on page 8 of the report, the first place where data is redacted in this report. Even without knowing what is redacted, it is relatively easy to contextually understand why the blanked out text has been removed.

Paragraph with redacted material on page 8

The most important thing about the redaction efforts in this document is the fact that the redacted material does not materially detract from the information being shared in the report.

Redacting information in an existing CUI labeled report should be less difficult and time consuming than writing an unclassified version from scratch. It should also be easier to review the document for the approval process.

Chemical Incident Reporting – Week of 8-19-23

NOTE: See here for series background.

Warrenville, IL – 8-17-23

Local news reports: Here, here, and here.

A typical pool chemical accident in an apartment storage room: chemicals spilled, mixed, and produced a chlorine gas cloud. The building was evacuated; only minor injuries were reported.

Probably not a CSB reportable.

Nashua, NH – 8-21-23

Local news reports: Here, here, and here.

Six bug bombs activated in an apartment. One person taken to the hospital.

Possible CSB reportable, depending on whether the patient was admitted. Again, this is a technical violation because an apartment could be considered a stationary source. While the owner/renter may be liable under other statutes, there is no way CSB is going to refer a failure to report to the EPA for this violation.

Bartlett, TX – 8-21-23

Local news reports: Here, here, and here.

Fertilizer (not ammonium nitrate) plant fire, no explosions. No injuries, facility destroyed.

Probable CSB reportable based upon damages.

Garyville, LA – 8-25-23

Local news reports: Here, here, and here.

Chemical (naphtha) release and storage tank fire at refinery. No injuries, no explosions.

Probable CSB reportable based upon damages. If facilities were required to include off-site costs of evacuations, business and school closures in cost of damages, this would certainly exceed the $1 million minimum for reporting.

Review – Public ICS Disclosures – Week of 8-19-23

This week we have 13 vendor disclosures from Aruba Networks, CBC, Hitachi, Moxa, Ormazabal, QNAP (3), Sick, and Wireshark (4).

Advisories

Aruba Advisory - Aruba published an advisory that describes 20 vulnerabilities in their EdgeConnect SD-WAN Orchestrator.

CBC Advisory - JP-CERT published an advisory that describes three vulnerabilities in the CBC digital video recorders.

Hitachi Advisory - Hitachi published an advisory that describes four vulnerabilities in their EH-VIEW product.

Moxa Advisory - Moxa published an advisory that describes four vulnerabilities in their ioLogik 4000 Series products.

Ormazabal Advisory - Incibe-CERT published an advisory that describes 10 vulnerabilities in the Ormazabal ekorCCP and ekorRCI industrial devices.

QNAP Advisory #1 - QNAP published an advisory that describes an inadequate encryption strength vulnerability in their QTS and QuTS hero products.

QNAP Advisory #2 - QNAP published an advisory that describes an insufficient entropy vulnerability in their QTS and QuTS hero products.

QNAP Advisory #3 - QNAP published an advisory that describes a cleartext transmission of sensitive information vulnerability in their QTS and QuTS hero products.

Sick Advisory - Sick published an advisory that describes four vulnerabilities in their LMS5xx products.

Wireshark Advisory #1 - Wireshark published an advisory that describes a dissector crash vulnerability in their CP2179 dissector.

Wireshark Advisory #2 - Wireshark published an advisory that describes a memory leak vulnerability in their BT SDP dissector.

Wireshark Advisory #3 - Wireshark published an advisory that describes an infinite loop vulnerability in their BT SDP dissector.

Wireshark Advisory #4 - Wireshark published an advisory that describes a dissector crash vulnerability in their CBOR dissector.

 

For more details about these disclosures, including links to researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-8-922 - subscription required.

Friday, August 25, 2023

Short Takes – 8-25-23

CHEMTREC® Announces Additional US$ 10,000 Funds For Hazmat Preparedness. TheBigRedGuide.com article. Pull quote: “The CHEMTREC® Hazmat Emergencies Local Preparedness (HELP) Award is designed to help volunteer fire departments increase local preparedness and response capabilities for hazardous materials incidents. Thanks to Dow, a total of five recipients will be selected to receive US$ 10,000 each in 2023.”

Physical Security Technical Conference; Notice Inviting Post-Technical Conference Comments. Federal Register FERC request for comments. Summary: “We are seeking comments on the topics discussed during the technical conference [video link added] held on August 10, 2023, including responses to the questions listed in the Final Notice issued in this proceeding on August 3, 2023, as well as supplemental questions developed by Commission staff post-conference. The questions from the agenda and the supplemental questions are included below.” Comment submission deadline September 25th, 2023.

Proposed National Guidance for Industry on Responding to Munitions and Explosives of Concern in U.S. Federal Waters. Federal Register Committee on the Marine Transportation System guidance notice. Summary: “This notice announces the availability of a draft guidance document, the National Guidance for Industry on Responding to Munitions and Explosives of Concern in U.S. Federal Waters. The U.S. Committee on the Marine Transportation System invites public comment on the draft guidance.” Comment submission deadline: September 25th, 2023.

 

Reminder – CFSN Subscription Sale through August 31st - https://chemical-facility-security-news.blogspot.com/2023/08/cfsn-detailed-analysis-subscription.html. See article for links to reduced rate subscriptions.

Review - FCC Publishes IoT Device Labeling NPRM

Today the Federal Communications Commission published a notice of proposed rulemaking (NPRM) in the Federal Register (88 FR 58211-58229) for “Cybersecurity Labeling for Internet of Things”. Today’s NPRM notice is a summary of the Commission's Notice of Proposed Rulemaking (NPRM), FCC 23–65, adopted August 6, 2023, and released August 10, 2023.

Public Comments

The FCC is soliciting public comments on this proposed rulemaking. Comments may be submitted via the Commission’s website (https://www.apps.fcc.gov/ecfs/; PS Docket No. 23-239). Comments should be submitted by September 25th, 2023, with replies to comments submitted by October 24th, 2023.

Commentary

The FCC rulemaking process is slightly different than what is normally covered in this blog. Today’s NPRM sounds more like what other agencies call an advanced notice of proposed rulemaking, with the FCC outlining the scope of a potential rule and providing an outline of the information that the Commission is looking to receive from the public and regulated community.

 

For more details about the NPRM, including additional commentary on the limited focus, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/fcc-publishes-iot-device-labeling - subscription required.

Thursday, August 24, 2023

Short Takes – 8-24-23

Mask mandates reemerge amid upturn in COVID-19 cases. TheHill.com article. Pull quote: ““When you take flu and RSV and, you know, if we had a little bit of a surge in COVID … the biggest concern right now is hospitals becoming overwhelmed. And we had a little bit of that last year that is very much in everybody’s minds and concerns right now.””

US intelligence says an intentional explosion brought down Wagner chief Prigozhin’s plane. APNews.com article. Pull quote: “Videos shared by the pro-Wagner Telegram channel Grey Zone showed a plane dropping like a stone from a large cloud of smoke, twisting wildly as it fell, one of its wings apparently missing. A free fall like that typically occurs when an aircraft sustains severe damage. A frame-by-frame AP analysis of two videos was consistent with some sort of explosion mid-flight.”

Chandrayaan-3 spacecraft lands on the moon in 'victory cry of a new India'. Reuters.com article. Pull quote: “"Landing on the south pole would actually allow India to explore if there is water ice on the moon. And this is very important for cumulative data and science on the geology of the moon," said Carla Filotico, a partner and managing director at consultancy SpaceTec Partners.”

What should we expect from the coronavirus this fall? ScienceNews.org article. Pull quote: “Levels of detectable coronavirus in wastewater samples and the proportion of tests that come back positive have certainly been ticking up since June, data from the U.S. Centers for Disease Control and Prevention show. Both metrics indicate rising cases at the national level, albeit indirectly. It’s hard to get a good grasp of the start of new surges or know what’s happening within communities, in part because states are no longer required to report new cases, a result of the U.S. public health emergency ending in May (SN: 5/4/23).”

Reminder – CFSN Subscription Sale through August 31st - https://chemical-facility-security-news.blogspot.com/2023/08/cfsn-detailed-analysis-subscription.html. See article for links to reduced rate subscriptions.

Reader Comment – Software Supply Chain

Earlier this afternoon, Chris, a reader of my Substack blog, CFSN Detailed Analysis, left a comment on my post there on Six Advisories Published – 8-24-23, a more detailed version of my post here, Review – Six Advisories Published – 8-24-23. Chris commented: “Thanks for noting the software supply chain aspect on the Rockwell Automation advisory. It was a good reminder that this vulnerability is still out there and is gradually being patched in drivers.”

He was commenting on my note at the end of the discussion about the Rockwell input/output devices advisory. I noted that:

“NCCIC-ICS published an advisory for this vulnerability in the Pyramid products. That advisory also listed another vendor (Weidmueller) that was experiencing this vulnerability as a third-party vulnerability. Interestingly, the NVD.NIST.gov listing for this vulnerability does not list the Weidmueller advisory.”

CISA’s advisory today did not mention the earlier discussion, so most readers of today’s advisory would not understand the larger significance of the vulnerability. This is one of the areas where NCCIC-ICS (and its predecessor, ICS-CERT) have a mixed history in their information sharing efforts.

 

CISA could have published today’s information as an update to the earlier Pyramid advisory, adding a reference to the Rockwell advisory where they addressed the earlier Weidmueller advisory. Unfortunately, that would not have drawn the same amount of attention as a new advisory for the Rockwell derivative vulnerability.

And this is the problem with 3rd party vulnerabilities. The vulnerability in a piece of relatively little-known software just does not capture much attention, even in the community. It isn’t until the derivative problem in a better-known product becomes public that there is much attention paid to the issue. But failing to clearly identify the source of the problem does not help.

But the larger issue that Chris identified in his comment is that there are almost inevitably other products from other vendors that are affected by the Pyramid vulnerability. Some of them are being fixed, without notice, and others remain vulnerable. None of the advisories discussed here address that issue.

Review – Six Advisories Published – 8-24-23

Today, CISA’s NCCIC-ICS published six control system security advisories for products from Rockwell Automation, CODESYS (3), Opto 22, and KNX Association.

Advisories

Rockwell Advisory - This advisory discusses an out-of-bounds write vulnerability in select Input/Output Modules from Rockwell.

CODESYS Advisory #1 - This advisory describes an insufficient verification of data authenticity vulnerability in the CODESYS Development System.

CODESYS Advisory #2 - This advisory describes an insufficient verification of data authenticity vulnerability in the CODESYS Development System.

CODESYS Advisory #3 - This advisory describes an uncontrolled search path element vulnerability in the CODESYS Development System.

Opto 22 Advisory - This advisory describes five vulnerabilities in the Opto 22 SNAP PAC S1 product.

KNX Protocol Advisory - This advisory describes an overly restrictive account lockout mechanism vulnerability in the KNX Protocol.

 

For more details about these advisories, including links to researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/six-advisories-published-8-24-23 - subscription required.

HR 1674 Cosponsor Added – Railway Safety Act

On Tuesday, there were two new cosponsors added for HR 1674, Railway Safety Act of 2023. One of those cosponsors [Rep Ryan (D,NY)] is a member of the House Transportation and Infrastructure Committee to which this bill was assigned for consideration. This now means that there may be sufficient influence to see the bill considered in Committee.

The bill provides a variety of potential improvements for the shipment of hazardous materials by rail. Various funds are authorized to support some of the programs proposed.

There are now eight Republican co-sponsors, so there is an increased likelihood that there would be sufficient bipartisan support for the bill to move forward in Committee.

Review - NIST Publishes Update from IoT Federal Working Group – 8-24-23

Today, DOC’s National Institute of Standards and Technology (NIST) published a notice in the Federal Register (88 FR 57937-57938) on “A Preliminary Update From the Internet of Things Federal Working Group”. The Preliminary Update is available on the NIST website. A final report to Congress is expected to be submitted in June 2024.

Public Comments

NIST is soliciting public comments on the Preliminary Update. Comments should be emailed to NIST (iotfwg@nist.gov). Comments should be submitted by September 25th, 2023.

Commentary

This is a decent, non-technical summary of the work to date, which is mainly just a definition of the problem space. I hope the working group fleshes this document out before preparing their report to Congress, soliciting additional public input along the way.

 

For more details about the Working Group and its Preliminary Update, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/nist-publishes-update-from-iot-federal - subscription required.

Wednesday, August 23, 2023

Short Takes – 8-23-23

Trump infighting risks rise as allies face legal bills, cash crunch. TheHill.com article. Pull quote: ““But it’s a good idea because here’s what DOJ does. DOJ obviously they have, I hesitate to say the word limitless resources, but pretty close. And one of their standard tactics is to bleed the defendant and witnesses dry,” he [Tim Parlatore, who represented Trump in the Mar-a-Lago case] added. “And once they can bleed you dry to where all of your life savings have been sucked up by somebody like me [emphasis added]… then you’re far more pliable and willing to plead guilty to just about anything to stop the bleeding.”

Annual Reporting of Explosive Materials Storage Facilities to the Local Fire Authority. Federal Register ATF NPRM. Summary: “The Department of Justice is proposing to amend Bureau of Alcohol, Tobacco, Firearms, and Explosives (“ATF”) regulations to require that any person who stores explosive materials notify on an annual basis the authority having jurisdiction for fire safety in the locality in which the explosive materials are being stored of the type of explosives, magazine capacity, and location of each site where such materials are stored. In addition, the proposed rule requires any person who stores explosive materials to notify the authority having jurisdiction for fire safety in the locality in which the explosive materials were stored whenever storage is discontinued. These changes are intended to increase public safety.” Public comments due November 21st, 2023.

Prigozhin plane crash shrouded in mystery. TheHill.com article. Lots of rumors. Pull quote: “Independent Russian sources claim two explosions were heard before the plane descended, which may indicate air defenses shot it out of the sky.”

Some Surprising Places Are at Risk of Devastating Urban Wildfires like Maui’s. ScientificAmerican.com article. Pull quote: “Even the dense boreal forests of Wisconsin and Minnesota are candidates for unexpected wildfire. This summer National Oceanic and Atmospheric Administration meteorologists reported that drought had reached the “exceptional” category—the highest drought designation—in Wisconsin for the first time ever. June is normally the wettest month in Wisconsin, but this past June was one of the driest on record. Wisconsin is in a flash drought, says Steve Vavrus, the state’s  interim climatologist.”

Reminder – CFSN Subscription Sale through August 31st - https://chemical-facility-security-news.blogspot.com/2023/08/cfsn-detailed-analysis-subscription.html. See article for links to reduced rate subscriptions.

Review - HR 4623 Introduced – Cybersecurity Standards

Last month, Rep Lieu (D,CA) introduced HR 4623, the Cyber Shield Act of 2023. The bill would require the Department of Commerce to establish the Cyber Shield Program, a program for the voluntary certification and labeling of products that meet industry-leading cybersecurity and data security benchmarks to enhance cybersecurity and protect data.

This bill is identical to HR 2236, introduced by Lieu last session. No action was taken on that bill.

Moving Forward

Lieu is not a member of the House Energy and Commerce Committee to which this bill is assigned for consideration. This means that it is unlikely that he has enough influence with that Committee to see this bill considered. Lieu will need to get a member of that Committee to cosponsor the bill for it to move forward.

 

For more details about the provisions of the program, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-4623-introduced - subscription required.

OMB Approves PHMSA Suspension of LNG by Rail Final Rule

Yesterday, OMB’s Office of Information and Regulatory Affairs announced that it had approved a final rule from DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) on “Hazardous Materials: Suspension of HMR Amendments Authorizing Transportation of Liquefied Natural Gas by Rail”. This final rule was sent to OIRA for review on July 14th, 2023, a fairly rapid turnaround for OIRA.

According to the entry in the Spring 2023 Unified Agenda for this rulemaking:

“This rulemaking action would amend the Hazardous Materials Regulations to suspend authorization of liquefied natural gas (LNG) transportation by rail tank car pending completion of the companion rulemaking under RIN 2137-AF54 [link added], or June 30, 2024.”

We will probably see this final rule published in the Federal Register next week. That publication will not be the final word on LNG by rail. The notice of proposed rulemaking for the ‘other’ rulemaking has yet to be published, and the Republican energy advocates in the House will almost certainly introduce legislation to counter this rulemaking. This continuing controversy will ensure that few people will be interested in ordering the DOT-113C120W9 railcars necessary to transport LNG by rail under the existing rules that are being suspended by this rulemaking.

NOTE: This web site reports that Chart has constructed a single DOT-113C120W9 for testing purposes at the Transportation Technology Center, Inc.

Bills Introduced – 8-22-23

Yesterday, with the House and Senate meeting in pro forma session, there were 24 bills introduced. One of those bills will receive additional attention in this blog:

HR 5255 – To require covered contractors implement a vulnerability disclosure policy consistent with NIST guidelines, and for other purposes. Mace, Nancy [Rep.-R-SC-1]

Tuesday, August 22, 2023

Short Takes – 8-22-23

5 ‘surprising’ areas where wildfire risk is rising. TheHill.com article. Pull quote: “He [Philip Higuera, a fire ecologist at the University of Montana] offered a simple rule of thumb for those officials: “If there’s vegetation, and it’s warm and dry, and there’s an ignition, and there is flammable vegetation, then it can happen in your community — whether or not that was the case for our parents or our grandparents.””

House Freedom Caucus rolls out demands to avoid shutdown. Politico.com article. Pull quote: “In addition to vowing to oppose a so-called clean short-term funding bill, the Freedom Caucus is also planning to vote against any spending legislation that doesn’t meet certain priorities of the party’s right flank. That would mean including, according to the announcement, a sweeping GOP border bill that has stalled in the Senate; addressing “the unprecedented weaponization” of the Justice Department and FBI and ending “woke” Defense Department policies.”

Vetting of Certain Surface Transportation Employees. Federal Register TSA comment extension notice. Pull quote: “On May 23, 2023, the Transportation Security Administration (TSA) published a notice of proposed rulemaking (NPRM) proposing security vetting of certain public transportation, railroad, and over-the-road-bus (OTRB) employees. Through this notice, TSA is extending the comment period to October 1, 2023, to provide additional time for the public to submit comments.”

Ukraine’s Forces and Firepower Are Misallocated, U.S. Officials Say. NYTimes.com article. Pull quote: “Even if the counteroffensive fails to reach the coast, officials and analysts say if it can make it far enough to put the coastal road within range of Ukrainian artillery and other strikes, it could cause even more problems for Russian forces in the south who depend on that route for supplies.”

British defense ministry says drone attacks in Russia may come from within. PolskieRadio.pl article. Pull quote: “The emerging evidence, if accurate, strengthens the notion that certain UAV strikes against Russian military targets could be originating from within Russia's own territory. The British Defense Ministry noted that the range of UAVs might not be sufficient to reach Solcy-2 from locations outside Russia.”

Republican says threat to McCarthy’s Speakership ‘inevitable’ if he doesn’t meet conservative demands. TheHill.com article. Pull quote: ““McCarthy is going to have to listen to the people on the right or else he’s going to have to rely on the Democrats to pass this,” Jackson [Rep Jackson, (R,TX)] said.”

 

Reminder – CFSN Subscription Sale through August 31st - https://chemical-facility-security-news.blogspot.com/2023/08/cfsn-detailed-analysis-subscription.html. See article for links to reduced rate subscriptions.

HR 3224 Reported in House – CWMD Reauthorization

Last month, the House Homeland Security Committee published their Report on HR 3224 [removed from paywall], the Countering Weapons of Mass Destruction Extension Act of 2023. The Committee considered the bill during a business meeting on May 17th, 2023. The legislation was ordered reported favorably without amendment by a voice vote.

The bill would extend the current authorization of the DHS Countering Weapons of Mass Destruction (CWMD) Office for seven years. The legislation would also require the Government Accountability Office to compile a report on the CWMD efforts. The current authorization expires on December 21st, 2023.

There is no specific spending authorization in HR 3224, but the Congressional Budget Office section of the report (pgs 3-4) notes that Congress appropriated $433 million for the Office in 2023. Expanding on that base, the CBO expects this extension to cost $1.5 billion through 2028.

There are no alternative views included in the Committee’s Report.

Moving Forward

With the publication of this report, the bill is cleared for consideration by the whole House at the pleasure of the leadership. The voice vote approval by the Homeland Security Committee and the lack of alternate views in the Report are indicative of broad, bipartisan support for the bill. This means that it would likely be considered under the House’s suspension of the rules process: limited debate, no floor amendments, and a super majority required for passage. This bill would almost certainly pass.

Short Takes – 8-22-23 – Geek Edition

A new approach to reduce the risk of losing solar-powered rovers on the moon. Phys.org article. Pull quote: “A key objective of the recent work by Lamarre and his colleagues was to quantify the probability of losing solar-powered rovers as they are exploring these shadowed areas on the moon. In addition, the team wished to devise an approach that could help to maximize the probability that the solar-powered rovers will safely complete their missions.”

We could soon be getting energy from solar power harvested in space. TheConversation.com article. Pull quote: “In SBSP, the energy is converted several times (light to electricity to microwaves to electricity), and some of it is lost as heat. In order to inject 2 gigawatts (GW) of power into the grid, about 10 GW of power will need to be collected by the satellite.”

Pyrolysed plastic waste converted into valuable chemical feedstocks. ChemistryWorld.com article. Pull quote: “Pyrolysis is currently the most common way to recover hydrocarbons from plastic and involves heating the waste to high temperatures. The long polymer chains thermally decompose through a radical mechanism, forming an olefin-rich mixture known as pyrolysis oil which can then be used as a fuel for other industrial processes. However, George Huber from the University of Wisconsin–Madison believes we could extract greater value from this hydrocarbon mixture by exploiting the high proportion of alkenes present in the oil. ‘The whole chemical industry is based on first making an olefin from crude oil and then using that to access all these different chemistries,’ he explains. ‘So why not take advantage of the olefin functionality in pyrolysis oil and use it to make higher-value chemicals rather than just making fuels from it, or feeding it back to a steam cracker?’”

How Hilary Turned Into a Monster Storm. Wired.com article. Pull quote: “This topology helps explain why hurricanes behave differently on different sides of the US. The East Coast and gulf region are relatively flat, allowing storms to travel more easily, while the mountainous west coasts of Mexico and California tend to break them up quicker. That’s partly why Southern California has been getting such intense rainfall; Hilary is fragmenting and dumping its moisture much faster than a more cohesive hurricane would while lumbering along the East Coast. Think of the East Coast scenario as similar to letting air out of a tire until it’s flat. On the West Coast, with Hilary, it’s more like popping that tire.”

Reminder – CFSN Subscription Sale through August 31st - https://chemical-facility-security-news.blogspot.com/2023/08/cfsn-detailed-analysis-subscription.html - See article for links to reduced rate subscriptions.

Review – 3 Advisories and 1 Update Published – 8-22-23

Today, CISA’s NCCIC-ICS published three control system security advisories for products from Rockwell Automation, Trane, and Hitachi Energy. They also updated an advisory for products from Mitsubishi.

Advisories

Rockwell Advisory - This advisory describes three improper input validation vulnerabilities in the Rockwell ThinManager ThinServer.

Trane Advisory - This advisory describes a command injection vulnerability in the Trane and Pivot thermostats.

Hitachi Energy Advisory - This advisory discusses six vulnerabilities in the Hitachi Energy AFF66x Products.

Updates

Mitsubishi Update - This update provides additional information on an advisory that was originally published on May 18th, 2023.


For more details about these advisories, including links to 3rd party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-and-1-update-published-cce - subscription required.

CSB and Hurricane Season

Yesterday, the CSB published a press release that urges “the chemical industry to act now to prepare for potentially more frequent and more powerful hurricanes and other extreme wind events in the months ahead.” This is the second effort this year that the CSB has made related to hurricane safety; the first was a letter to the Federal Energy Regulatory Commission (FERC) urging the inclusion of hurricanes and flooding in a weather-related protection order.

Commentary

This is more than a little late in the hurricane season (which started on June 1st) for this press release, but better late than never is a long-standing government measure of success. I understand that they were responding to a change in the storm frequency projection from the National Oceanic and Atmospheric Administration, but even a relatively mild season could still see one or more major hurricanes making landfall in the United States.

Monday, August 21, 2023

Short Takes – 8-21-23

Magnitude-5.1 earthquake in Ventura County shakes parts of Southern California. NBCLosAngeles.com article. Pull quote: “The magnitude-5.1 earthquake at 2:41 p.m. startled Southern Californians who were already braced for the remnant of Hurricane Hilary, which had already brought hours of steady rain during the region's driest month of the year. There were at least a dozen aftershocks of magnitude-3.0 or greater.”

Russia’s Lunar Lander Crashes Into the Moon. NYTimes.com article. Pull quote: “That is part of the Kremlin’s narrative — a compelling one for many Russians — that Russia is a great nation held back by an American-led West that is jealous of and threatened by Russia’s capabilities. The country’s state-run space industry in particular has been a valuable tool as Russia works to remake its geopolitical relationships.”

Rains slow as Hilary moves north and leaves Southern California underwater. NPR.org article. Pull quote: “The National Weather Service cautioned that heavy rain had passed in some areas, such as Ventura County, but lighter rain still posed potentially deadly threats. Just after midnight, it reported that rain was falling at a rate of 0.5 to 1 inch of rain per hour in the San Gabriel Mountains in Los Angeles, and that rock and mudslides were occurring.”


Reminder – CFSN Subscription Sale through August 31st - https://chemical-facility-security-news.blogspot.com/2023/08/cfsn-detailed-analysis-subscription.html - See article for links to reduced rate subscriptions.

Review - S 2388 Introduced – Cyber Circuit Rider Program

Last month, Sen Cortez-Masto (D,NV) introduced S 2388, the Cybersecurity for Rural Water Systems Act. The bill would require USDA to establish a “rural water and wastewater cybersecurity circuit rider program” similar to the one established in 7 USC 1926(a)(22), but focused on cybersecurity. The bill would authorize $10-million per year through 2028 to support the program.

This bill is similar in intent to HR 3809, the Cybersecurity for Rural Water Systems Act of 2023. That bill would add cybersecurity to the existing circuit rider program. This bill would establish a separate, standalone entity.

Moving Forward

Neither Cortez-Masto nor her sole co-sponsor (Sen Rounds (R,ND)) is a member of the Senate Agriculture, Nutrition, and Forestry Committee to which this bill was assigned for consideration. This means that it is unlikely that there is sufficient influence to see the bill considered in Committee. Adding $10-million in spending is sure to draw opposition from many Republicans, but there may still be sufficient bipartisan support in the Committee to see the bill approved if it were considered.

As with most bills, there would not be sufficient interest in this legislation to see the Senate leadership tie up the Senate for the time necessary to consider this bill under regular order. Because of the added spending involved, it would not be possible to pass this bill under the Senate’s unanimous consent process; it would take just a single Senator objecting to passage of the bill to kill consideration.

Commentary

While a cybersecurity add-on to the current circuit rider program would benefit from the existing administrative functions of the program, it could suffer from internal conflicts over resources. A stand-alone program would avoid those potential problems. The $2.5 million in additional funding in this bill would presumably go to pay for the administrative support.


The current circuit rider program has about 147 personnel periodically helping small water systems and small wastewater treatment systems. CISA reports about 153,000 water treatment facilities in the US, with the vast majority (93% by one estimate, pg 3) being small systems that would be covered by the circuit rider program. That means that each circuit rider would have to cover about 1,000 systems. They do not get around very often.


For more details about the provisions of this bill, including a slightly expanded commentary, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2388-introduced - subscription required.
