Tuesday, October 31, 2023

Short Takes – 10-31-23

Tank cleaning company fined £328,000 for failing to protect workers from toxic gas. HazardExOnTheNet.com article. Pull quote: “The OSHA investigation revealed further lapses on the part of National Tank Services, including failure to assess the workplace for potential respiratory dangers, neglect in monitoring employees for possible exposure to hazardous substances, and inadequate provision of suitable respirators for employees. OSHA proposed penalties of $399,349 (£328,000) to the company after citing nine health violations, including two wilful, three repeat and four serious.”

Johnson’s Israel proposal runs into stiff Senate opposition. TheHill.com article. Pull quote: “Other GOP senators warn that getting into a food fight with Democrats over offsets is guaranteed to slow down any emergency military aid, leaving Israeli and Ukrainian forces without weapons at a critical time.”

National Chemical Transportation Safety Advisory Committee Meeting; November 2023 Meeting. Federal Register CG Meeting Cancellation Notice. Summary: “The meeting of the National Chemical Transportation Safety Advisory Committee scheduled for November 28 through 30, 2023, from 9 a.m. until 5 p.m. Central Standard Time (CST) is cancelled.”

Changes to Reporting Requirements for Per- and Polyfluoroalkyl Substances and to Supplier Notifications for Chemicals of Special Concern. Federal Register EPA Final Rule. Summary: “The Environmental Protection Agency (EPA) is adding per- and polyfluoroalkyl substances (PFAS) subject to reporting under the Emergency Planning and Community Right-to-Know Act (EPCRA) and the Pollution Prevention Act (PPA) pursuant to the National Defense Authorization Act for Fiscal Year 2020 (NDAA) to the list of Lower Thresholds for Chemicals of Special Concern (chemicals of special concern). These PFAS already have a lower reporting activity threshold of 100 pounds. The addition of these PFAS to the list of chemicals of special concern means such PFAS are subject to the same reporting requirements as other chemicals of special concern (i.e., it eliminates the use of the de minimis exemption and the option to use Form A and would limit the use of range reporting for PFAS). Removing the availability of these burden-reduction reporting options will result in a more complete picture of the releases and waste management quantities for these PFAS. EPA is removing the availability of the de minimis exemption for purposes of the Supplier Notification Requirements for all chemicals on the list of chemicals of special concern.”

Trichloroethylene (TCE); Regulation Under the Toxic Substances Control Act (TSCA). Federal Register EPA Notice of Proposed Regulation. Pull quote: “The Environmental Protection Agency (EPA) is proposing to address the unreasonable risk of injury to human health presented by trichloroethylene (TCE) under its conditions of use as documented in EPA's November 2020 Risk Evaluation for TCE and January 2023 revised risk determination for TCE pursuant to the Toxic Substances Control Act (TSCA). TCE is widely used as a solvent in a variety of industrial, commercial and consumer applications including for hydrofluorocarbon (HFC) production, vapor and aerosol degreasing, and in lubricants, greases, adhesives, and sealants…. EPA determined that TCE presents an unreasonable risk of injury to health due to the significant adverse health effects associated with exposure to TCE, including non-cancer effects (liver toxicity, kidney toxicity, neurotoxicity, immunotoxicity, reproductive toxicity, and developmental toxicity) as well as cancer (liver, kidney, and non-Hodgkin lymphoma) from chronic inhalation and dermal exposures to TCE. TCE is a neurotoxicant and is carcinogenic to humans by all routes of exposure.”

FAA wraps up safety review of SpaceX's huge Starship rocket. Space.com article. Pull quote: “"The FAA is continuing to work on the environmental review," the agency wrote today in an emailed statement. "As part of its environmental review, the FAA is consulting with the U.S. Fish and Wildlife Service (USFWS) on an updated Biological Assessment under the Endangered Species Act. The FAA and the USFWS must complete this consultation before the environmental review portion of the license evaluation is completed."”

Review – 2 Advisories and 1 Update Published – 10-31-23

Today, CISA’s NCCIC-ICS published two control system security advisories for products from Zavio and INEA. They also updated an advisory for products from Mitsubishi Electric.

There is a discrepancy in the advisory numbers published today: the two advisories end in -03 and -02, and CISA apparently skipped -01. While this could be an editorial mistake, it could also mean that CISA published the ‘-01’ advisory to limited distribution on the Homeland Security Information Network (HSIN). This happens when CISA or the vendor wants to give critical infrastructure facilities a chance to mitigate a vulnerability before it is publicly disclosed. See the Baker Hughes advisory publicly published on February 24th, 2022.
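The numbering gap noted above is the kind of thing a monitoring script can flag automatically. The short check below is an added example, not code from this blog or from CISA; it assumes CISA’s ICS advisory identifiers follow the ICSA-YY-DDD-NN pattern (two-digit year, day of year, two-digit daily sequence number) and uses a constructed, hypothetical list of identifiers as input. It groups identifiers by publication day and reports any sequence numbers missing below the highest one seen, which is exactly the ‘-01 is missing’ condition discussed above.

```python
import re
from collections import defaultdict

# Constructed sample input (hypothetical identifiers, not real advisories).
# Assumed format: ICSA-YY-DDD-NN; medical advisories use the ICSMA prefix
# and their own sequence, so they are grouped separately.
SAMPLE_IDS = [
    "ICSA-23-304-02",
    "ICSA-23-304-03",      # -01 for this day is absent
    "ICSA-23-299-01",
    "ICSA-23-299-02",
    "ICSA-23-299-03",
    "ICSMA-23-194-01",
]

ID_RE = re.compile(
    r"^(?P<prefix>ICS[A-Z]*)-(?P<yy>\d{2})-(?P<doy>\d{3})-(?P<seq>\d{2})$"
)


def parse_id(advisory_id):
    """Split an advisory identifier into (prefix, year, day_of_year, sequence)."""
    m = ID_RE.match(advisory_id.strip())
    if not m:
        raise ValueError(f"unrecognised advisory id: {advisory_id!r}")
    return m["prefix"], int(m["yy"]), int(m["doy"]), int(m["seq"])


def find_sequence_gaps(ids):
    """Return {(prefix, yy, doy): [missing sequence numbers]} for every
    publication day whose sequence numbers are not contiguous from 01."""
    seen = defaultdict(set)
    for aid in ids:
        prefix, yy, doy, seq = parse_id(aid)
        seen[(prefix, yy, doy)].add(seq)

    gaps = {}
    for key, seqs in seen.items():
        missing = [n for n in range(1, max(seqs)) if n not in seqs]
        if missing:
            gaps[key] = missing
    return gaps


if __name__ == "__main__":
    for (prefix, yy, doy), missing in sorted(find_sequence_gaps(SAMPLE_IDS).items()):
        nums = ", ".join(f"-{n:02d}" for n in missing)
        print(f"{prefix}-{yy:02d}-{doy:03d}: missing {nums} (possibly HSIN-restricted)")
```

A gap only tells you that a number was skipped; whether the missing advisory was HSIN-restricted or simply renumbered can only be confirmed if it later appears publicly, so the output is a prompt to check back, not a conclusion.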

Advisories

Zavio Advisory - This advisory describes five vulnerabilities in a number of Zavio IP Cameras.

INEA Advisory - This advisory describes two vulnerabilities in the INEA ME RTU.

Updates

Mitsubishi Update - This update provides additional information on an advisory that was originally published on July 27th, 2023 and most recently updated on August 3rd, 2023.


For more details about these advisories, including links to researcher reports with POC and a down-the-rabbit-hole look at CISA coordination efforts, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-and-1-update-published-7b1 - subscription required.

OSHA Sends Emergency Response NPRM to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking from DOL’s Occupational Safety and Health Administration (OSHA) on “Emergency Response”. This new standard would replace in its entirety the existing 29 CFR 1910.156, Fire brigades.

According to the entry in the Spring 2023 Unified Agenda for this rulemaking:

“OSHA currently regulates aspects of emergency response and preparedness; some of these standards were promulgated decades ago, and none were designed as comprehensive emergency response standards.  Consequently, they do not address the full range of hazards or concerns currently facing emergency responders, and other workers providing skilled support, nor do they reflect major changes in performance specifications for protective clothing and equipment. The agency acknowledges that current OSHA standards also do not reflect all the major developments in safety and health practices that have already been accepted by the emergency response community and incorporated into industry consensus standards. OSHA is considering updating these standards with information gathered through an RFI and public meetings.”

According to the OSHA website’s slightly dated page for this rulemaking:

“The primary focus of the Emergency Response rule would be to protect workers who respond to emergencies as part of their regularly assigned duties. Examples include: fire brigades/workplace emergency response teams, industrial and municipal fire fighters, technical rescuers, emergency medical service providers, etc. OSHA does not intend to regulate those first responders solely engaged in law enforcement, crime prevention, or security.”

Amendment Announcement for HR 5893 and HR 5894 – FY 2024 CJS and LHH Spending

Yesterday, the House Rules Committee announced the amendment deadlines for two additional spending bills:

• HR 5893, the Commerce, Justice, Science, and Related Agencies Appropriations (CJS) Act, 2024, and

• HR 5894, the Labor, Health and Human Services, Education, and Related Agencies Appropriations (LHH) Act, 2024

The amendment deadline for HR 5893 is Monday, November 6th and the deadline for HR 5894 is Friday, November 3rd.

These were the last two appropriations bills introduced in the House (on October 6th). Neither bill has been marked up in Committee, so no report is available. Technically, the two bills were just referred to the Appropriations Committee for consideration last week. Typically, appropriations bills are ‘written’ by the Committee with hearings by the appropriate subcommittee and the full Appropriations Committee. They are usually first published as reported versions of the bill with the committee report published at the same time. That process was not followed in the case of these two bills.

I will have brief reports on the two pieces of legislation later this week.

The Rules Committee also published a meeting notice for tomorrow to formulate the rule for the consideration of three other spending bills, HR 4820 – THUD, HR 4821 – IER spending, and an as-yet-unnumbered spending supplemental for Israeli security.

Bills Introduced – 10-30-23

Yesterday, with the Senate in Washington and the House meeting in pro forma session, there were 31 bills introduced. One of those bills will receive additional attention in this blog:

HR 6124 To direct the Secretary of Education to establish a pilot program to award competitive grants for the integration of cybersecurity education, and for other purposes. Thompson, Glenn [Rep.-R-PA-15]

Mention in Passing

There is one piece of legislation introduced yesterday that I would like to mention in passing:

H Res 826 Amending the Rules of the House of Representatives to limit the privileged status of a motion causing a vacancy in the Office of Speaker to motions offered by direction of not fewer than 112 Members from the majority party or 112 Members from the minority party. Miller, Max L. [Rep.-R-OH-7]

This rule change resolution is certainly part of the fallout from the Speaker Fiasco earlier this month. Everyone knew that the one-person rule adopted in January was fraught with political peril, but McCarthy was forced into acquiescence by the slim majority the Republicans held, and the pressure applied by a small number of radicals. The number required by this proposed change, 112 or almost 26% of the number of members of the House, seems at first glance to be excessive. 

The interesting thing though is that it specifically allows for the minority party to initiate a move to vacate. I can see that being used in an out-of-majority Republican congress (probably the 119th) as another tool to obfuscate and impede the operation of Congress like we saw the fringe of the Republican Party do in the 117th congress.

Monday, October 30, 2023

Short Takes – 10-30-23

Blue Origin’s chief architect lifts the veil on stealthy moon startup at Pathfinder Awards. GeekWire.com article. Pull quote: ““We aim to be the first company that harvests natural resources from the moon to use here on Earth,” Lai told an audience of about 400 banquet-goers on Saturday night. “We’re building a completely novel approach to extract those resources, efficiently, cost-effectively and also responsibly. The goal is really to create a sustainable in-space economy.””

Sci-fi inspired tractor beams are real, and could solve a major space junk problem. LiveScience.com article. Pull quote: “The electrostatic tractor "should be able to produce the forces necessary to move a defunct satellite" and "certainly has a high potential to work in practice," Carolin Frueh, an associate professor of aeronautics and astronautics at Purdue University in Indiana, told Live Science in an email. "But there are still several engineering challenges to be solved along the way to make it real-world-ready."”

They went hunting for fossil fuels. What they found could help save the world. CNN.com article. Pull quote: “This was surprising, Pironon said. It indicated the presence of a large reservoir of hydrogen beneath. They ran calculations and estimated the deposit could contain between 6 million and 250 million metric tons of hydrogen.”

Kicking the LNG tank car down the road. LinkedIn.com article. Pull quote: “The most recent letter does, however, acknowledge an important and fundamental truth about PHMSA: It is by design a safety agency, not an environmental agency. During my time as PHMSA Administrator, I was privileged to observe first-hand as a genuinely gifted team of federal employees, engineers, and regulatory specialists, worked tirelessly to improve transportation safety with a relentless laser-like focus to develop a superior tank car with significant and proven safety enhancements. As they went about their work, the team, with their many years of experience in tank car design and engineering, and characteristics of LNG transportation, was concentrated on one thing, and one thing only – public safety.”

Review - S 2443 Introduced – FY 2024 EWR Spending

Back in July, the late Sen Feinstein introduced S 2443, the Energy and Water Development and Related Agencies (EWR) Appropriations Act, 2024. The Senate Appropriations Committee published their Report on the bill. The bill contains two entries related to cybersecurity and the Report includes a number of discussions about cybersecurity related matters.

Moving Forward

While the House passed HR 4394 with significantly different language (and mostly different spending numbers), the Senate does not typically try to amend the House language piecemeal. Instead, the Appropriations Committee offers the language from their version of the bill as substitute language for the bill, and the Senate amends it from there. Once (if) the revised bill is passed in the Senate, it goes to a conference committee to work out the differences. The final version of the bill goes back to the House and Senate for an up-or-down vote, and then to the President for signature.

That is what is supposed to happen. The Republican-led House has been much more partisan in their crafting of spending bills, making no pretense of looking for bipartisan support. The Democratic-led Senate has attempted to craft their versions with more focus on bipartisanship, but so far, moving spending bills through the process in the Senate has been much more difficult than normal, with a handful of Republicans trying to force votes on extremely partisan amendments.

With HR 4366 still wending its way through the legislative process in the Senate, it is not yet clear that the body can pass a spending bill. To make matters worse, the House representatives on any conference committee have little incentive to try to work out a bipartisan version of the bill with their Senate counterparts, as any such compromise will be seen as an abject surrender by a significant portion of the Republican conference.

At this point, I am not sure that there is a way for funding bills to make it through the process to reach the President’s desk.


For more details about the cybersecurity provisions of the legislation – see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2443-introduced - subscription required.

Committee Hearings – Week of 10-29-23

This week, with both the House and Senate in Washington, there is a very light hearing schedule. There is one hearing in the Senate of potential interest on threats to the Homeland.

Homeland Security

On Tuesday, the Senate Homeland Security and Governmental Affairs Committee will hold a hearing on “Threats to the Homeland”. The witness list includes:

• Alejandro N. Mayorkas, DHS,

• Christopher A. Wray, FBI, and

• Christine Abizaid, National Counterterrorism Center

With these witnesses, this will be a high-level overview of the potential threats facing the US. There will be some level of discussion about cybersecurity issues. I would not be surprised to hear at least one question from Committee members about the effects of the termination of the CFATS program.

On the Floor

This is going to be a busy week for spending bills. The Senate will continue to work on amendments to HR 4366, the MilCon spending bill. The House is currently scheduled to take up three spending bills this week:

HR 4364 – Legislative Branch Appropriations Act, 2024,

HR 4821 – Department of the Interior, Environment, and Related Agencies (IER) Appropriations Act, and

HR 4820 – Transportation, Housing and Urban Development, and Related Agencies (THUD) Appropriations Act, 2024

With a short work week (just three days: Wednesday, Thursday, and Friday) the House will have to fly through these bills, probably with a number of en bloc amendment considerations. Friday sessions tend to end early so that members can catch flights home. It will be interesting to see what happens this coming Friday.

It was an interesting move by the leadership to take up HR 4820. The Senate is already considering the THUD spending in their substitute language for HR 4366. While they could have let this one slide in order to get spending bills complete (a priority for Republicans this year), passing this bill will provide a list of provisions that could be included in the conference report on HR 4366.

Saturday, October 28, 2023

Short Takes – 10-28-23

‘Technology surprise’: Are China, Russia ahead of us in UFO retrieval, research? TheHill.com article. Bit of a click-bait headline. Pull quote: “While the exact details of foreign UFO retrieval and reverse engineering efforts remain murky, Grusch has described a “publicly unknown Cold War over recovered and exploited physical material — a competition with near-peer adversaries over the years to identify UAP crashes/landings and retrieve the material for exploitation/reverse engineering to garner asymmetric national defense advantages.””

Putin says first segment of ISS replacement to orbit by 2027. Phys.org article. Pull quote: “The president also asked those overseeing the sector to resolve problems with salaries that are too low in Russia's space industry and to try to attract foreign specialists as well as increase private business involvement.”

Johnson’s speakership win fails to end House GOP infighting. Politico.com article. Pull quote: “And on the policy front, it’s not just the stopgap spending bill that could serve to deepen animosity. Republicans are predicting intraparty headaches on passing some of the full-year funding bills, including legislation to fund the Department of Justice and FBI. Johnson will also face an early test on abortion as Republicans try to revive a funding bill that includes provisions on the topic.”

With the House back to legislating, several floor votes showed the limits of a tactic to single out individual federal employees. Politico.com article. Pull quote: “But, the caution here: None of these House measures will become law as written — and must still be meshed together with Senate versions. The failure of some of these amendment votes, however, suggests broader GOP discomfort with singling out particular federal officials, even those with whom they have significant policy agreements.”

Long COVID brain fog may originate in a surprising place, say scientists. NPR.org article. Pull quote: “Because much of this work was done on mice, there are limitations to what conclusions can be drawn about humans. Levy points out that their data can't prove a viral reservoir is causing these events in humans and that a lack of good mouse models of long COVID still hampers research.”

Scientists develop new method to create stable, efficient next-gen solar cells. Phys.org article. Pull quote: “The researchers said the dual deposition technique could pave the way for the development of additional solar cells based on all inorganic perovskites or other halide perovskite compositions. In addition to extending the technique to different compositions, future work will involve making the current phase-heterojunction cells more durable in real-world conditions and scaling them to the size of traditional solar panels, the researchers said.”

Chemical Incident Reporting – Week of 10-21-23

NOTE: See here for series background.

Lutz, FL – 10-25-23

Local news report: Here

Chemical spill at pool supply company. No injuries, minimal damage

Not CSB reportable.

Certainly not ‘liquid chlorine’, as chlorine is only liquid under pressure or at low temperature (below about -34° C / -29° F at atmospheric pressure); it was probably sodium hypochlorite (bleach), a typical chlorinating agent for swimming pools (hence ‘liquid chlorine’ in the vernacular). Still dangerous, because it reacts with lots of different stuff (including other pool treatment chemicals, such as muriatic acid) to release chlorine gas.

Review – Public ICS Disclosures – Week of 10-21-23

This week we have nine vendor disclosures from Aruba Networks, Bosch, Festo, Genetec, HPE, Omron, Sick, and VMware (2). There are eight vendor updates from BD (2), Cisco (3), HP, and HPE (2). There are two researcher reports for vulnerabilities in products from TEM. Finally, we have two exploits for products from Splunk and VMware.

Advisories

Aruba Advisory - Aruba published an advisory that describes five vulnerabilities in their ClearPass Policy Manager.

Bosch Advisory - Bosch published an advisory that discusses an authentication bypass by capture replay vulnerability in their Rexroth SLC-0-GPNT00300 product.

Festo Advisory - CERT-VDE published an advisory that discusses an improper input validation vulnerability in the Festo TP 260 and MES PC products.

Genetec Advisory - Genetec published an advisory that discusses a command injection vulnerability in their Genetec A1610 and A1210 network door controllers.

HPE Advisory - HPE published an advisory that describes a remote code execution vulnerability in their OneView product.

Omron Advisory - Omron published an advisory that describes an improper restriction of XML external entity reference vulnerability in their CX Designer product.

Sick Advisory - Sick published an advisory that describes an authentication bypass by capture-replay vulnerability in their Flexi Soft Gateways.

VMware Advisory #1 - VMware published an advisory that describes two vulnerabilities in their vCenter Server.

VMware Advisory #2 - VMware published an advisory that describes two vulnerabilities in their Tools product.

Updates

BD Update #1 - BD published an update for their Busy Box advisory.

BD Update #2 - BD published an update for their Linux Kernel Vulnerability within Wi-Fi Module in Alaris PCU advisory.

Cisco Update #1 - Cisco published an update for their IOS XE Software Web UI Command Injection advisory that was originally published on March 24th, 2021.

Cisco Update #2 - Cisco published an update for their HTTP/2 Rapid Reset Attack advisory that was originally published on October 16th, 2023.

Cisco Update #3 - Cisco published an update for their IOS XE Software Web UI Feature Attack advisory that was originally published on October 16th, 2023.

HP Update - HP published an update for their NVIDIA GPU Display Driver advisory that was originally published on September 11th, 2023.

HPE Update #1 - HPE published an update for their Aruba AirWave Management Platform advisory that was originally published on October 17th, 2023.

HPE Update #2 - HPE published an update for their NonStop advisory that was originally published on July 18th, 2022 and most recently updated on March 30th, 2023.

Researcher Reports

TEM Reports - Zero Science published two reports of individual vulnerabilities in the TEM Opera Plus FM Family Transmitter.

Exploits

Splunk Exploit - Heyder Andrade published a Metasploit module for a privilege escalation vulnerability in Splunk.

VMware Exploit - SinSinology published an exploit for a use of broken or risky cryptographic algorithm vulnerability in the VMware Aria Operations for Networks program.


For more details about these disclosures, including links to 3rd party advisories and researcher reports as well as brief update summaries, see my article at CFSN Detailed analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-10-19b - subscription required. 

Friday, October 27, 2023

House Passes HR 4394 – FY 2024 EWR Spending

Yesterday, the House completed consideration of HR 4394, the Energy and Water Development and Related Agencies [EWR] Appropriations Act, 2024. After adopting an additional 15 amendments and rejecting 24 amendments (none of specific interest here), the House passed the amended legislation by a nearly party-line vote of 210 to 199. One Republican, Rep Buck (R,CO), voted against the bill.

When the Senate gets around to taking up this bill, they will substitute language from S 2443 and begin their amendment process there.

Senate Continues Consideration of HR 4366 Amendments – FY 2024 MilCon Spending – 10-26-23

Yesterday, the Senate continued consideration of amendments to HR 4366, the Military Construction, Veterans Affairs, and Related Agencies Appropriations Act, 2024. Only one amendment was considered, SA 1182, which would have added a new §4, Prohibition on Earmarks. There was no debate, and the amendment failed by a recorded vote of 35 to 62.

The Senate returns to Washington on Monday and may resume consideration of HR 4366 after dealing with a cloture vote on a judicial nomination.

Review - CSB Updates Accidental Release Reporting Data – 10-1-23

Yesterday in conjunction with their quarterly business meeting, the CSB updated their published list of reported chemical release incidents. They added 36 new incidents that occurred since the previous version was published in July. These are not incidents that the CSB is investigating, these are incidents that were reported to the CSB under their Accidental Release Reporting rules (40 CFR 1604).


For more details about the reported incident data, and a listing of incidents that probably should have been reported, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-updates-accidental-release-reporting - subscription required.

Bills Introduced – 10-26-23

Yesterday, with both the House and Senate in session, there were 86 bills introduced. None of those bills are likely to receive additional coverage in this blog, but I would like to mention one bill in passing:

HR 6075 To establish a program to make grants to institutions of higher education to provide courses relating to critical legacy computer languages, and for other purposes. Cartwright, Matt [Rep.-D-PA-8]

In the 90’s, when I got my BSc degree in Chemistry, one of the required classes for that program was an introduction to Fortran, because many lab instruments were programmed in that ‘legacy’ language.

Thursday, October 26, 2023

Short Takes – 10-26-23

Cargo Tank Combination Vehicle Roadway Departure Crash and Subsequent Release of Anhydrous Ammonia. NTSB.gov Investigation Details. Pull quote: “The driver of the combination vehicle stated that to prevent a collision between the westbound passenger vehicle and the oncoming eastbound vehicle, he took evasive action by steering to the right. The combination vehicle departed the roadway and traveled into a shallow roadside drainage ditch. The truck-tractor struck the end of a 12-inch-diameter corrugated metal pipe culvert installed beneath a field entrance, and the combination vehicle jackknifed and rolled onto its right side with its cargo tank sliding forward. The exposed front end of the cargo tank struck the tow ring of a utility trailer that had been parked adjacent to the roadway on private property. The tow ring punctured the front of the cargo tank, which led to the release of anhydrous ammonia into the atmosphere as a toxic gas in the form of a white cloud.”

Pharmaceutical Production: Lessons Learned from a serious Flash Fire Incident and its Investigation. StoneHouseSafety.com article. Pull quote: “So, it was convincingly demonstrated that the sieving operation in question does generate substantial static electricity in practice, exactly as predicted by the laboratory testing. We also know that in a scenario in which the bin is not grounded, charge will rapidly build up, and within a minute or so the bin would acquire sufficient charge to generate the 15mJ electrostatic spark required to ignite the dispersed dust. We also know that part way through sieving, the bin could rock towards the grounded sieve body and close a gap in which, given the ad-hoc draped plastic dust sheet, there is likely to be a dense airborne dust cloud.”

Can we Afford the Risk? Measuring the cost of the Expiration of the Chemical Facilities Anti-Terrorism Standards Program. CISA.gov blog post. Pull quote: “High-risk chemical facilities are not evenly distributed across the country. Nor are they distributed uniformly across a state, or even within a single county. And far from what you might expect, they are not always isolated to the outskirts of well-populated areas. Of the over 3,200 facilities that CISA had determined to be at high risk of chemical terrorism, twenty-eight percent of them are located in the largest urban areas in the country. Over 7,000 schools, colleges, or universities stand within one mile of a high-risk facility. The same is true for over 300 hospitals. A terrorist incident at any one of these facilities could impact our most vulnerable citizens, along with their families, coworkers, and the surrounding community.”

Speaker Johnson’s paradoxical job security. TheHill.com article. Pull quote: “The health and lifespan of his Speakership may vary inversely with his own outspokenness on the issues. As we’ve see time and time again, Republican intransigence in dealing with Democrats has bled into their own intramural policy disputes. If and when Johnson comes down forcefully on either side of a current policy battle among Republicans — be it arming Ukraine, raising the debt ceiling or supporting a particular candidate for the GOP presidential nomination — he will engender more and more resentment from colleagues on his side of the aisle.”

Senate Begins Consideration of HR 4366 Amendments – FY 2024 MilCon Spending – 10-26-23

After reaching an agreement Tuesday on what amendments would be considered on HR 4366, the Military Construction, Veterans Affairs, and Related Agencies Appropriations Act, 2024, the Senate began consideration of those amendments yesterday. There were 29 amendments considered; two amendments were rejected (by recorded votes), two amendments were passed by recorded votes, and 25 amendments were passed by voice votes.

None of the amendments considered were of specific interest here. There were two amendments, however, that were part of the political deal that allowed the Senate to resume consideration of the bill:

• Kennedy Amendment No. 1354 (to Amendment No. 1092), to prohibit the availability of funds for the Secretary of Veterans Affairs to report certain information to the Department of Justice for use by the National Instant Criminal Background Check System. Passed by a vote of 53 to 45.

• Lankford Amendment No. 1232 (to Amendment No. 1092), to provide for a period of continuing appropriations in the event of a lapse in appropriations under the normal appropriations process, and establish procedures and consequences in the event of a failure to enact appropriations. Failed by a vote of 56 to 42 (60 votes required for adoption).

The Senate began the process to consider HR 4366 on September 7th, 2023. A reminder, while this is the Military Construction spending bill, the substitute language being considered in the Senate includes language from the following Senate bills:

• Division A, S 2127, Military Construction-Veterans Affairs,

• Division B, S 2131 (removed from paywall), Agriculture, Rural Development, Food and Drug Administration, and Related Agencies Appropriations Act, 2024 (ARD), and

• Division C, S 2437 (removed from paywall), Transportation, Housing and Urban Development, and Related Agencies Appropriations Act, 2024 (THUD).

The House has not yet considered their versions of the ARD and THUD spending bills.


Review – 8 Advisories and 1 Update Published – 10-26-23

Today, CISA’s NCCIC-ICS published eight control system security advisories for products from Sielco, Rockwell Automation, Ashlar-Vellum, Centralite, and Dingtian. They also updated a medical device security advisory for products from BD Alaris.

Advisories

Sielco Advisory #1 - This advisory describes four vulnerabilities in the Sielco Analog FM Transmitters and Radio Link.

Sielco Advisory #2 - This advisory describes seven vulnerabilities in the Sielco PolyEco FM transmitters.

Rockwell Advisory #1 - This advisory describes an improper authentication vulnerability in the Rockwell FactoryTalk Services Platform web service.

Rockwell Advisory #2 - This advisory describes an improper input validation vulnerability in the Rockwell FactoryTalk View Site Edition.

Rockwell Advisory #3 - This advisory describes two vulnerabilities in the Rockwell Arena simulation software.

Ashlar-Vellum Advisory - This advisory describes two vulnerabilities in the Ashlar-Vellum Cobalt, Graphite, Xenon, Argon, Lithium, and Cobalt Share modeling programs.

Centralite Advisory - This advisory describes an allocation of resources without limits or throttling vulnerability in the Centralite Pearl Thermostat.

Dingtian Advisory - This advisory describes an authentication bypass by capture relay vulnerability in the Dingtian DT-R002 relay.

Updates

BD Alaris Update - This update provides additional information on an advisory that was originally published on July 13th, 2023.


For more information on these advisories, including links to researcher advisories, and a down-the-rabbit-hole look at one of the Rockwell advisories - https://patrickcoyle.substack.com/p/8-advisories-and-1-update-published - subscription required.


Review - House Takes Up HR 4394 – FY 2024 EWR Spending

Yesterday, with the Speaker Logjam at least temporarily broken, the House resumed consideration of HR 4394, the Energy and Water Development and Related Agencies [EWR] Appropriations Act, 2024, under a structured rule, picking up where it left off on October 3rd, 2023. Nineteen amendments were considered yesterday, with four being approved by voice votes.

Moving Forward

The House is scheduled to finish consideration of HR 4394 today. This bill will likely be an interesting gauge of how some of the moderate Republicans are going to respond to the fallout of the Speaker Chaos of the last three weeks. I suspect that there will be more Republican no votes on some of these spending reduction amendments. How the more radical elements of the party respond to that repudiation will be a measure of how much they have learned about the need for compromise in the House.


For more details about what amendments were considered yesterday, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/house-takes-up-hr-4394 - subscription required.

Bills Introduced – 10-24-23

Yesterday, with both the House and Senate in session, there were 48 bills introduced. One of those bills will receive additional coverage in this blog:

HR 6022 To direct the Secretary of Homeland Security to exempt from CFATS regulations certain propane tanks, and for other purposes. Burlison, Eric [Rep.-R-MO-7]

It is interesting to see that at least one congress critter thinks that the CFATS program is still, or will soon be, in operation. I suspect that this bill will be similar to HR 1623 (removed from paywall) that was introduced in April. No action has been taken on that bill.

NOTE: Computer died yesterday when I started writing this post. Dealing with new computer startup issues so things are getting backed up.

Tuesday, October 24, 2023

1 Advisory Published – 10-24-23

Today, CISA’s NCCIC-ICS published a control system security advisory for products from Rockwell Automation.

Rockwell Advisory

This advisory discusses the Cisco IOS XE Software Web UI privilege escalation vulnerability in the Rockwell Stratix 5200 and 5800 products. The vulnerability is listed in the CISA Known Exploited Vulnerability Catalog. Rockwell provides generic mitigation measures, pending development of a fix.

NCCIC-ICS reports that a relatively low-skilled attacker could use an existing exploit for this vulnerability to take control of the affected system without authentication.

NOTE: I briefly discussed the Rockwell report on this vulnerability on Saturday.


Short Takes – 10-24-23 – Geek Edition

An unusual crater on Pluto might be a supervolcano. Phys.org article. Pull quote: “The team suggests strongly that Kiladze is a super cryovolcano. Cryovolcanism is the process that sends ice "lava" to the surface of Pluto. We've seen it across the outer solar system, in some of the moons of Jupiter, Saturn, Uranus, and Neptune. Like its "sister" form of volcanism here on Earth, some kind of heating melts mantle materials, which can eventually escape to the surface. We're used to seeing rocky lavas. However, ice and water act as "lava," too, if conditions are just right.”

California's supervolcano has a massive lid that causes swarms of earthquakes — and that's a good thing, scientists say. LiveScience.com article. Pull quote: “A new study published Oct. 18 in the journal Science Advances, however, finds that the volcano's piping-hot reservoir is covered with a layer of cooled, crystallized magma-turned-rock. The researchers found that as the upper layer of the reservoir cools, it releases volatile gasses in bubbles and burps that cause earthquakes and the ground to inflate — which suggests the seismic activity in the area is not caused by an impending massive eruption.”

Researchers probe how a piece of the moon became a near-Earth asteroid. ScienceDaily.com article. Pull quote: “The other peculiar aspect of Kamo`oalewa is its longevity, said Jose Daniel Castro-Cisneros, the study's lead author and a graduate student in the Department of Physics. Kamo`oalewa is expected to remain as a companion of the Earth for millions of years, which is its remarkable feature, Castro-Cisneros said, unlike other known objects that stay in these very Earth-like orbits only for a few decades.”

NASA's Artemis moon astronauts may wear electric field spacesuits to fight pesky lunar dust. Space.com article. Pull quote: “The new technology is called LiqMEST (Liquid Metal Electrostatic Protective Textile) and aims to overcome the dusty problems NASA's Apollo astronauts struggled with in the 1960s and 1970s. The sharp dust quickly corroded surfaces like rover dust shields, caked the spacesuits of astronauts and generally clung to everything, making even three-day sorties a challenge.”

OMB Approves FACA NPRM

Yesterday, OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a notice of proposed rulemaking (NPRM) from the General Services Administration (GSA) on “Federal Management Regulation (FMR); FMR Case 2022-01, Federal Advisory Committee Management”. The NPRM was sent to OIRA on July 27th, 2023.

According to the Spring 2023 Unified Agenda entry for this rulemaking:

“FACA is a transparency statute designed to provide Congress, interested stakeholders, and the public with information on, and access to the activities, membership, meetings, costs, etc. of federal advisory committees established by the Executive Branch. Under section 7 of the Act, GSA is responsible for preparing regulations for implementing FACA. The proposed rule revisions will provide updates and clarification to federal advisory committee management policies and processes. The proposed rule revisions will also encourage diversity and inclusivity in federal advisory committee activities, which is an Administration priority.”

A lot of the nitty-gritty work of developing technical regulations and policy guidance is done by FACAs. So, this regulation could have some interesting unintended consequences for those development processes over the years.

This NPRM could show up in the Federal Register later this week, but more likely next week.


BIS Sends Error Correction Final Rule to OMB

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a final rule from the DOC’s Bureau of Industry and Security (BIS) on “Corrections to the EAR [Export Administration Regulations]”. According to the Spring 2023 Unified Agenda entry for this rulemaking:

“The Bureau of Industry and Security (BIS) publishes this final rule to correct inadvertent errors to two recent BIS Federal Register publications. These changes are merely technical corrections.”

To err is human, to correct regulations is tedious.

Monday, October 23, 2023

Short Takes – 10-23-23

Three leading space companies agree: No new regulations on human spaceflight. TechCrunch.com article. Pull quote: ““Congress and the FAA helped accelerate the development of the spaceflight industry, and now the FAA is struggling to keep pace,” he said. “Streamlined processes will help, but the FAA needs more funding to deal with the increase in launches.””

Matt Gaetz blasts the House GOP secret ballot process that knocked off Jim Jordan as the party's speaker nominee: 'It's as swampy as swamp gets'. BusinessInsider.com article. Pull quote: “"The most popular Republican in the United States Congress was just knifed by a secret ballot, in a private meeting, in the basement of the Capitol," the Florida Republican said. "It's as swampy as swamp gets, and Jim Jordan deserved better than that."”

GOP senators pressure House to solve Speaker drama. TheHill.com article. Pull quote: “They also worry the leadership vacuum in the House has paralyzed the annual appropriations process so long that it appears increasingly inevitable the spending bills will have to be crammed into a massive year-end omnibus package, something GOP senators vowed they would try to avoid.”

Gingrich says House GOP poses ‘very real danger’ of electing Speaker, then going ‘back into the same mess’. TheHill.com article. Pull quote: “The House is now back at square one, with nine Republicans who have thrown their name into the Speakership race. A candidate forum is expected to take place Monday at 6:30 p.m., and the House will move to an internal nomination election Tuesday at 9 a.m.”

Illinois first responders learn about anhydrous ammonia safety. MyWabashValley.com article. Pull quote: “One of the reasons situations like this can spiral out of control is because a lot of first responders aren’t in the agriculture industry. This means that many of them have rarely dealt with chemicals of this magnitude.”

CFATS Lapse Impacts

CISA has recently changed the Chemical Facility Anti-Terrorism Standards (CFATS) program landing page, providing additional information about the impact of the termination of the program. Below the box added on July 28th, CISA has inserted a new box titled ‘CFATS Lapse Impacts’ that outlines the problems that CISA faces trying to help protect high-risk chemical facilities since the program ended because of inaction on the part of the Senate.

The addition notes that:

  • CISA cannot inspect high-risk sites—on average, that's 160 inspections per month going unscheduled.
  • CISA cannot conduct terrorist vetting on personnel who have access to dangerous chemicals—that's 9,000 names each month going unvetted.
  • CISA cannot require the implementation of cyber and physical security measures or assess the risk to these facilities and the communities that surround them—on average, facilities improve their security posture by nearly 60% to comply with CFATS.
  • CISA cannot identify new facilities that possess high-risk chemicals—meaning the locations of dangerous chemicals are unknown to CISA and local first responders.
  • More than one third of inspections turn up security gaps—CISA can no longer address these gaps with facilities.
  • More than 90% of CFATS visits result in confirmed outreach with law enforcement and the local fire department—CISA can no longer confirm these important relationships and ensure critical information sharing and preparedness.

Readers who attended (live or online) the Chemical Security Summit in August heard all of this on Day 1 of the Summit in the opening presentations by Director Jen Easterly and Associate Director Kelly Murray. Further details were provided in the State of Chemical Security presentation by Murray. Still, since Congress has not yet acted, it bears repeating often and loudly.

Review - H 4664 Introduced – FY 2024 FinServ Spending

Back in July, Rep Womack (R,AR) introduced HR 4664, the Financial Services and General Government Appropriations Act, 2024. The House Appropriations Committee also published their Report on the bill. There are actually three cybersecurity spending mentions included in the bill. There are multiple discussions about cybersecurity (mostly information technology related) issues in the Committee Report.

Moving Forward

To understand how politically polarized this spending bill is, one only has to look to the ‘Dissenting Views’ portion of the Committee Report on pages 289 thru 291. It is unlikely that there will be any Democratic votes for this bill if/when it comes to the House floor, but it is unclear whether the spending cuts have been sufficient to see the radical wing of the Republican Party vote for the bill.

Commentary

See my ‘Coming FY 2024 Spending Bill Logjams’ for my discussion about the problems passing spending bills this session. Those problems have been further compounded by the removal of Speaker McCarthy over the passage of the continuing resolution with Democratic support and the ongoing problem with electing a new speaker. Even if a new Speaker is elected in enough time to take action on the pending spending bills, it is now very unlikely that there is enough time before November 17th to get those bills through a conference Committee.

And a reminder, anything that comes out of conference in a form that could pass in the Senate will require Democratic votes to pass in the House. There is a very real possibility that the passage of the first such bill would again trigger the removal of whomever is Speaker and initiate Speaker Chaos 3. Perhaps the new Speaker should just go for an omnibus spending bill out of the gate and lose their job over that. Then at least, the executive branch could continue to function.


For more details about the cybersecurity mentions in the bill and Report, see my article at CFSN Detailed Analysis - https://open.substack.com/pub/patrickcoyle/p/h-4664-introduced - subscription required.

S 1443 Reported in Senate – Border cUAS Strategy

Earlier this month, the Senate Homeland Security and Governmental Affairs Committee published their report on S 1443 [removed from paywall], the Protecting the Border from Unmanned Aircraft Systems Act. The bill was considered in a Committee Business Meeting (pgs 11-12) on May 17th, 2023 and recommended favorably without amendment by a vote of 9 to 1. Sen Paul (R,TN) was the dissenting vote.

The bill would require an interagency strategy for creating a unified posture on counter-unmanned aircraft systems (C–UAS) capabilities and protections at international borders of the United States. It would also require a report to Congress on the resources needed to place that strategy into effect.

Moving Forward

While this bill received strong bipartisan support in Committee, it is not politically important enough to justify the floor time the Senate would need to consider it under regular order. The most likely way that it could be considered would be under the unanimous consent process, but Paul’s opposition in Committee makes that unlikely, as he would likely object, and it only takes one objection to stop the unanimous consent process. Similarly, Paul’s position as Ranking Member of the Committee makes it unlikely that the bill would be allowed to be considered as an amendment to some must-pass legislation.

Saturday, October 21, 2023

Short Takes – 10-21-23

Owner of California biolab that fueled bio-weapons rumors charged with mislabeling, lacking permits. ABCNews.go.com article. Pull quote: “The criminal case alleges that the two companies involved, Universal Meditech Inc. and Prestige Biotech Inc., did not obtain authorizations to manufacture and distribute the kits and mislabeled some of them. It also alleges that Zhu made false statements to the FDA about his identity, ownership and control of the companies and their activities.”

The TSA is found to have some serious cybersecurity deficiencies. FederalNewsNetwork.com article. Pull quote: “Supply chain risk management, access controls, planning awareness and training, assessment authorization and monitoring, and contingency planning all had deficiencies.”

Gaza Tunnels Give Hamas an Advantage in Fight Against Israel. SSPIStategist.org article. Pull quote: “She [Daphne Richemond-Barak at Reichman University] noted: ‘The tunnels inside Gaza are different because Hamas is using them on a regular basis. They are probably more comfortable to be in for longer periods of time. They are definitely equipped for a longer, sustained presence. The leaders are hiding there, they have command-and-control centres, they use them for transport and lines of communication. They are equipped with electricity, lighting and rail tracks.’”

SpaceX fires up Starship prototype in deorbit burn test (video). Space.com article. Pull quote: “SpaceX is gearing up for the second-ever Starship test flight, which will involve a Super Heavy known as Booster 9 and the Ship 25 upper stage. The company has conducted static fires with both of these vehicles and says the duo are ready to fly from a technical standpoint.”

Could Neptune's largest moon swing a spacecraft into the planet's orbit? Space.com article. Pull quote: “The researchers proposed to aim a future Neptune orbiter at Triton and use a LOFTID-like apparatus, known as an aeroshell, to slow the spacecraft. They found that the atmosphere of Triton, despite having less than 1/70,000 the air pressure of Earth's atmosphere, could sufficiently slow a spacecraft and allow it to enter into a captured orbit around Neptune. Additionally, they could change the angle of the aeroshell to tweak the orbiter's alignment and fine-tune the course to get it into the perfect orbit.”

Review – Public ICS Disclosures – Week of 10-14-23 – Part 2

For Part 2 we have 43 more vendor disclosures from Moxa, NI, Philips, QNAP, Rockwell Automation, Ruckus Wireless, Synology, Tanzu (31), VMware (2), WAGO, and Yokogawa. We have three vendor updates for products from Broadcom, HPE, and Moxa. Finally, we have two researcher reports for vulnerabilities in products from Synology and Tideworks.

Advisories

Moxa Advisory #1 - Moxa published an advisory that describes eight vulnerabilities in their TN-5900 and TN-4900 Series Web Server.

NI Advisory - NI published an advisory that describes a stack-based buffer overflow vulnerability in their NI System Configuration product.

Philips Advisory - Philips published an advisory that discusses the Cisco IOS XE Software Web UI privilege escalation vulnerability that was recently added to CISA’s Known Exploited Vulnerabilities Catalog.

QNAP Advisory - QNAP published an advisory that describes an OS command injection vulnerability in their QUSBCam2.

Rockwell Advisory - Rockwell published an advisory that discusses the Cisco IOS XE Software Web UI privilege escalation vulnerability.

Ruckus Advisory - Ruckus published an advisory that describes a cross-site scripting vulnerability in their Cloudpath product.

Synology Advisory - Synology published an advisory that discusses the HTTP2-Rapid-Reset vulnerability.

Tanzu Advisories - Tanzu published 31 advisories that discuss various third-party vulnerabilities.

VMware Advisory #1 - VMware published an advisory that describes two vulnerabilities in their Aria Operations for Logs product.

VMware Advisory #2 - VMware published an advisory that describes three vulnerabilities in their Workstation Pro/Player.

WAGO Advisory - CERT-VDE published an advisory that describes an externally controlled reference to a resource in another sphere vulnerability in WAGO products.

Updates

Broadcom Update - Broadcom published an update for their Product Security Incident Response Team Contact Information advisory that was originally published on February 7th, 2023.

HPE Update - HPE published an update for their OneView advisory that was originally published on September 14th, 2023.

Moxa Update - Moxa published an update for their TN-5900 and TN-5400 advisory that was originally published August 16th, 2023, and most recently updated on September 4th, 2023.

Reports

Synology Report - Claroty published a report that describes a use of insufficiently random values vulnerability in the Synology DiskStation Manager (DSM).

Tideworks Report - Black Lantern Security published a report that describes two vulnerabilities in the Tideworks Forecast product.


For more information about these disclosures, including links to 3rd party advisories, and researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-10-22c - subscription required.

Reader Comment: Criminal Malfeasance and CSB Investigations

A long-time reader and commenter here, Richard Rosera, pointed me at an article on the Progressive Farmer (dtnpf.com) on “Didion Milling Employees Found Guilty”. It discusses recent convictions of two managers at Didion Milling on charges of falsifying documents and conspiracy to obstruct and mislead OSHA investigators in their investigation of the 2017 deadly dust explosion at Didion Milling. An earlier article from the same source noted that two other supervisors pled guilty to falsification of cleaning logs in relation to the explosion.

That dust explosion is still under investigation by the Chemical Safety Board. This investigation is the oldest incident still on the backlog closure plan. Interestingly, it appears that none of the CSB investigators that actually worked on the investigation are still with the agency.

Presumably, the same false statements made to OSHA investigators were made to the CSB investigation team. Since the CSB is not a regulatory agency, false statements to CSB investigators are not legally as serious as identical false statements made to OSHA investigators. This would be the reason that there is no mention of the CSB in the article.

I suspect that this criminal investigation into Didion Milling is part of the reason for the delay in CSB’s issuing of an investigation report on the incident. If CSB had issued a report that provided technical information supporting the claim of failure to perform the required cleaning and the falsification of records, that information would likely have been used by the prosecution in the case. Such testimony would have a chilling effect on the open sharing of information with the CSB accident investigators in future incidents.

Review – Public ICS Disclosures – Week of 10-14-23 – Part 1

This week we have 18 vendor disclosures from Advantech, Aruba Networks, Bosch, Broadcom (3), Cisco (2), Eaton (2), Festo, GE Gas Power, Helmholz, HP (2), HPE, JTEKT, and mb Connect.

Advisories

Advantech Advisory - Advantech published an advisory that describes an exposure of sensitive information to an unauthorized actor vulnerability in their R-SeeNet v2 products.

Aruba Advisory - Aruba published an advisory that describes an information disclosure vulnerability in their AirWave Management Platform’s web-based management interface.

Bosch Advisory - Bosch published an advisory that describes ‘several vulnerabilities’ in their ctrlX WR21 HMI.

Broadcom Advisory #1 - Broadcom published an advisory that discusses the SOCKS5 heap buffer overflow vulnerability.

Broadcom Advisory #2 - Broadcom published an advisory that discusses an insufficient control flow management vulnerability in their Brocade Extension Switches.

Broadcom Advisory #3 - Broadcom published an advisory that discusses the HTTP2 Rapid Reset vulnerability.

Cisco Advisory #1 - Cisco published an advisory that discusses the SOCKS5 heap buffer overflow vulnerability.

Cisco Advisory #2 - Cisco published an advisory that discusses the HTTP2 Rapid Reset vulnerability.

Eaton Advisory #1 - Eaton published an advisory that describes a weak encoding of passwords vulnerability in their easyE4 product.

Eaton Advisory #2 - Eaton published an advisory that describes a plaintext storage of password vulnerability in their easySoft software.

Festo Advisory - CERT-VDE published an advisory that discusses a path traversal vulnerability in Festo’s TP 260 and MES PC products.

GE Gas Power Advisory - GE Gas Power published an advisory that discusses eight vulnerabilities in their NetworkST4, Remote Operations Offering, and M&D Lockbox products.

Helmholz Advisory - CERT-VDE published an advisory that discusses an improper privilege management vulnerability in the Helmholz REX24 products.

HP Advisory #1 - HP published an advisory that describes a privilege escalation vulnerability in multiple products.

HP Advisory #2 - HP published an advisory that discusses 83 vulnerabilities in their HP Device Manager product.

HPE Advisory - HPE published an advisory that describes a denial of service vulnerability in their Integrated Lights-Out product.

JTEKT Advisory - JTEKT published an advisory that describes two vulnerabilities in their OnSinView2 product.

MB Connect Advisory - MB Connect published an advisory that describes an improper privilege management vulnerability in their mymbCONNECT24 and mbCONNECT24 software.


For more details about these disclosures, including links to researcher reports and 3rd party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-10-f0f - subscription required.

Friday, October 20, 2023

Short Takes – 10-20-23

ISA MLM-38A “Identifying Control System Cyber Incidents” has been issued. ScadaMag.Infracritical.com article. Pull quote: “Those people that can identify control system cyber incidents are not under the purview of the CISO. Cyber security requirements, technologies, monitoring, testing, and incident response planning are based on lessons learned from IP network cyber vulnerabilities and incidents. This ISA work product can help organizations meet their cyber incident reporting requirements. By identifying control system cyber incidents, OT, IT, and engineers could become more aware of risk and be better enabled to take appropriate prevention measures leading to a more holistic approach to cyber security.” And not one mention of sensors.

House cybersecurity subcommittee chairman says GOP speaker drama is impacting cyber legislation. CyberScoop.com article. Pull quote: “Speaking on the sidelines of a panel hosted by Punchbowl News, Rep. Andrew Garbarino, R-N.Y., told CyberScoop that “the lack of a speaker is going to keep us from doing legislation right now.” Once Republicans settle on a successor to Rep. Kevin McCarthy, R-Calif., “the next step, which I think is the most important thing, is to make sure that CISA is protected in the appropriations process. We made sure they were properly funded in our House bill — just making sure that happens through committee.””

Kennedy cuts deal with Schumer on veterans’ gun rights amendment. TheHill.com article. Pull quote: “Now, the Louisiana senator said he expects to get a vote on his proposal after he agreed to modify the language. As a result, Kennedy said he will let the long-delayed appropriations bill advance.”

Republican congressman says labor crunch biggest threat to US cybersecurity. TheHill.com article. Pull quote: “The lawmaker also said that Congress could contribute to solving the workforce deficit by incentivizing [K-12] schools, through additional funds, to adjust the curriculum that offer cyber-related classes.”

Biden administration pleads for WMD office’s salvation. GovExec.com article. Pull quote: “CWMD officials have hosted or had conversations with members of the House Homeland Security Committee, the Senate Homeland Security and Governmental Affairs Committee and appropriations committees in both chambers to try to move legislation that would keep the office open. Both homeland security panels have without much resistance approved bills [HR 3224 and S 1798] to do so, but neither has received a floor vote. With the House still without a speaker, it remains paralyzed in its capacity to pass any legislation.” Sen Paul opposes the reauthorization, just like he did for the CFATS program.

PHMSA Job Posting – Through 10-30-23

A reader pointed me at this PHMSA job posting, asking me to spread the word about these Compliance Investigator positions. This is actually three entry-level positions in PHMSA’s Office of Hazardous Materials Safety Field Operations, with openings in Ontario, CA, Atlanta, GA, and Kansas City, MO.

I do not have any recent experience with USAJobs.gov, but it has long had a reputation as a bureaucratic job portal. If you are interested in this position, get started early and prepare to be persistent. And best of luck, these are important chemical safety jobs.

Bills Introduced – 10-19-23

Yesterday, with both the House (kinda) and Senate in session, there were 52 bills introduced. One of those bills may receive additional attention in this blog:

S 3082 A bill to amend the Federal Water Pollution Control Act to make changes with respect to water quality certification, and for other purposes. Barrasso, John [Sen.-R-WY]

I will be watching this bill for language and definitions that would have potential impact on the decision by the EPA [removed from paywall] this spring to add cybersecurity to ‘sanitary survey’ certification requirements.

Mention in Passing

Yesterday, Sen Coons (D,DE) introduced S Res 421, A resolution designating the week of October 15 through 21, 2023, as "National Chemistry Week". The resolution was passed in the Senate and no further action is required. It has been unusual for one of these designation resolutions to actually be passed before the designated week has completely passed. Oh, and no, this resolution has no practical effect. National Chemistry Week is an annual activity of the American Chemical Society.

Thursday, October 19, 2023

Short Takes – 10-19-23

Lone senator stymies cyber legislation in Senate. WashingtonPost.com article. Pull quote: “Paul has also blocked other avenues for them to get full Senate consideration, such as amendments to the annual defense policy bill, said a Senate source who spoke on the condition of anonymity to discuss internal procedures. Senate procedures usually require clearances from both parties’ leaders before amendments can proceed on subject matter under the committee’s guidance.”

Prioritize safety during post-harvest Anhydrous Ammonia applications. M.Farms.com article. Pull quote: “Safety should always come first during post-harvest anhydrous ammonia (NH3) applications. Accidents involving NH3 have demonstrated the severe risks associated with mishandling this fertilizer. Safety experts offer the following essential tips for farmers, fertilizer dealers, and custom applicators to ensure safe NH3 field applications.”

Non-Hazardous Secondary Material Standards; Response to Petition. Federal Register EPA Final Rule. Summary: “The Environmental Protection Agency is finalizing its denial of a rulemaking petition from American Forest and Paper Association et al. requesting amendments to the Non-Hazardous Secondary Materials regulations, initially promulgated on March 21, 2011, and amended on February 7, 2013, February 8, 2016, and February 7, 2018, under the Resource Conservation and Recovery Act. These regulations establish standards and procedures for identifying whether non-hazardous secondary materials are solid wastes when legitimately used as fuels or ingredients in combustion units.”

National Maritime Security Advisory Committee; December 2023 Virtual Meeting. Federal Register CG NMSAC Meeting Notice. Summary: “The National Maritime Security Advisory Committee (Committee) will conduct a virtual meeting to discuss the Committee's final recommendations concerning ways to enhance cyber security information sharing between the U. S. Coast Guard and Marine Transportation System (MTS) stakeholders. The virtual meeting will be open to the public.” Meeting date: December 5th, 2023.

NASA’s first look at a sample from asteroid Bennu reveals life’s building blocks. ScienceNews.org article. Pull quote: “The mission returned some bonus material as well, in the form of loose debris that was inadvertently kicked up into the capsule in the area around the collection container, prior to the capsule sealing up for the trip home. The science team has delayed opening the main sample canister, instead taking time to collect and analyze the bonus sample.”

Republican Tempers Flare as Speaker Fight Continues, Paralyzing the House. NYTimes.com article. Pull quote: “The roadblock Mr. Jordan has encountered is a rare instance of the party’s more mainstream wing — normally those who seek compromise and conciliation — breaking with their Republican colleagues in defiance of the ultraconservative faction led by Mr. Jordan. They have been the targets of savage threats from right-wing activists allied with Mr. Jordan, who have embarked on an intense pressure campaign to try to install him as speaker.”

Review - 1 Update Published – 10-19-23

Today, CISA’s NCCIC-ICS published an update for a control system security advisory for products from Hitachi Energy.

Hitachi Energy Update - This update provides updated information on an advisory that was originally published on May 23rd, 2023 (not May 5th) and most recently updated on September 28th, 2023.


For more details about this advisory, including a down-the-rabbit-hole look at what information has been updated in the advisory and a commentary on the underlying problem, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-update-published-10-19-23 - subscription required.

Short Takes – 10-19-23 – Speaker Chaos Edition

Speaker saga sparks revolution among mainstream Republicans. TheHill.com article. Pull quote: ““The January 20 [against McCarthy] were all trying to extract something. it was transactional,” Womack said. “The October 20 — I’ve talked to these people. There’s not an ask. There is nothing that the candidate can offer that can move these members from their positions.””

As Speaker Chaos Grows, so Does Talk of Empowering McHenry. NYTimes.com article (free). Pull quote: “Representative Mike Kelly, Republican of Pennsylvania, introduced a resolution [H Res 787, no text available] on Monday that would force a vote on keeping Mr. McHenry in an empowered role until Nov. 17. That’s when the current stopgap spending measure expires, which would trigger a government shutdown unless Congress acts to extend it.”

Jordan Endorses Temporary Speaker Plan, Holding Off on Third Vote. NYTimes.com article. Pull quote: ““It’s a giant mistake to give the Democrats control of a Republican majority,” said Representative Jim Banks of Indiana, who backs Mr. Jordan. He added: “What they’re doing right now is walking the Republicans off the plank. We don’t deserve the majority if we go along with a plan to give the Democrats control over the House of Representatives. It’s a giant betrayal to Republicans.””

Dems bide their time before deciding to help House GOP out of latest jam. Politico.com article. Pull quote: ““We're just waiting to see what they come up with … So let's see what really comes out of [GOP conference]. I hope it's that Mr. Jordan has decided to do lesser and smaller things. And there's room to talk,” Rep. Mike Quigley (D-Ill.) said.”

McHenry is Mum. Politico.com mini-article. Pull quote: “Acting Speaker Patrick McHenry (R-N.C.) opened the House floor on Thursday and immediately recessed it — offering no hint as to when the chamber will vote on a proposal to empower him to run the show temporarily amid the GOP's speakership mess.”

Review - S 2980 Introduced – PIPE Act

Last month, Sen Markey (D,MA) introduced S 2980, the Penalizing and Improving Prevention of Emergencies (PIPE) Act of 2023 (not to be confused with the annual PIPES Act). The bill would make several changes to existing US Code pipeline safety requirements, including removing the requirement for the consideration of cost-benefit analysis in new pipeline regulations, making existing pipelines subject to new standards, and specifically making a pipeline release a US Code violation. No new funding is included in this legislation.

Moving Forward

Markey is a member of the Senate Commerce, Science, and Technology Committee to which this bill was assigned for consideration. This means that there could be sufficient influence to see this bill considered in Committee. While changes like these have long been sought by environmental activists, they have been strongly resisted by pipeline operators. That conflict would play out in the Committee’s consideration of this bill, and it probably means that the bill will not be considered without significant changes. Even if the bill were approved in Committee, there is no way that it would survive the cloture motion necessary to move it to the floor of the Senate.


For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2980-introduced - subscription required.

Wednesday, October 18, 2023

Short Takes – 10-18-23

Israeli tanks add drone protection cages, a lesson from Ukraine war. WashingtonPost.com article. Pull quote: ““An interesting question is whether these structures will become standard for armored vehicles in conflict,” Cancian said. “The United States has not equipped its tanks with cages, but this may be a lesson armies need to learn the hard way.””

India plans manned Moon mission, space station. PhysOrg.com article. Pull quote: “The three-day mission, expected to take place next year, aims to send a three-member crew into Earth's orbit at a cost of about $1.08 billion, according to ISRO.”

SpaceX launch today would equal Space Coast record for the year. Phys.org article. Pull quote: “The pace between launches has picked up as well, with only an eight hour and 42 minute gap between the Psyche launch that happened Friday morning and a Starlink launch on Friday evening.” Commercial space launches are becoming routine.
