Thursday, November 30, 2023

Short Takes – 11-30-23

2 municipal water facilities report falling to hackers in separate breaches. ArsTechnica.com article. Pull quote: “The North Texas Municipal Water District (NTMWD) recently detected a cybersecurity incident affecting our business computer network,” an official wrote in an email. “Most of our business network has been restored. Our core water, wastewater, and solid waste services to our Member Cities and Customers have not been impacted by this incident, and we continue to provide those services as usual.” The official went on to say that phone systems remained offline. The district has engaged third-party forensic investigators to probe the extent of the breach.

CISA again prioritizes resilience in times of uncertainty for national chemical security following CFATS lapse. IndustrialCyber.co article. Pull quote: “Looking ahead, Murray said that while the CFATS program has lapsed, “we continue to offer expertise to chemical facilities on a voluntary basis through the ChemLock program, which is available to any facility with dangerous chemicals regardless of whether they were previously tiered under CFATS. Inspectors nationwide continue to offer on-site assessments and assistance, which chemical facilities may request via the ChemLock Services Request Form on the ChemLock homepage.””

Defense bill, passed 62 years in a row, faces partisan minefields in Senate, House. TheHill.com article. Pull quote: ““Increasingly, the NDAA has become the non-appropriations vehicle, Christmas tree vehicle of choice. Like, other than the [appropriations] bill, that’s the catch-all,” he said. “We talked about this a little bit at lunch today. We need to actually have the NDAA be about Defense authorization and not whatever somebody wants to dream up.””

Hazardous Materials: Streamlining Requirements for the Approval of Certain Energetic Materials [fireworks]. Federal Register PHMSA NPRM. Summary: “PHMSA proposes to amend the Hazardous Materials Regulations to revise the classification and approval process for certain low-hazard fireworks; to revise classification criteria for small arms cartridges to include tracer ammunition; to include the PHMSA portal as the method to submit applications for all explosives approvals; and to allow for voluntary termination of an explosive approval by the approval holder.”

To catch an error. ChemistryWorld.com article. The chemical version of measure twice, cut once. “Finally, when it is time to actually run the reaction, there is one more layer of checking. Prior to the drums being charged to the reactor, there is an identity check to make sure that the labels on the drums match what is called for in the batch record. In addition, we have a second person agree that the correct material is being charged to the reactor.”

Review – 4 Advisories Published – 11-30-23

Today, CISA’s NCCIC-ICS published four control system security advisories for products from Mitsubishi Electric, PTC, Yokogawa, and Delta Electronics.

Advisories

Mitsubishi Advisory - This advisory describes an external control of file name or path vulnerability in multiple Mitsubishi FA Engineering Software products.

PTC Advisory - This advisory describes two vulnerabilities in multiple PTC Kepware products.

Yokogawa Advisory - This advisory describes an uncontrolled resource consumption vulnerability in the Yokogawa STARDOM FCN/FCJ controller.

Delta Advisory - This advisory describes a stack-based buffer overflow vulnerability in the Delta DOPSoft product.

 

For more details about these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-published-11-30-23 - subscription required. 

Bills Introduced – 11-29-23

Yesterday, with both the House and Senate in session, there were 35 bills introduced. Four of those bills will receive additional attention in this blog:

HR 6494 To amend title 49, United States Code, to provide enhanced safety in pipeline transportation, and for other purposes. Graves, Sam [Rep.-R-MO-6] 

HR 6496 To require the Administrator of the Pipeline and Hazardous Materials Safety Administration to apply the final rule relating to valve installation and minimum rupture detection standards to Type A gas gathering lines, and for other purposes. Carbajal, Salud O. [Rep.-D-CA-24]

HR 6509 To amend title 49, United States Code, to require the Secretary of Transportation to establish a confidential voluntary information-sharing system to encourage the sharing of pipeline safety data, and for other purposes. Molinaro, Marcus J. [Rep.-R-NY-19]

HR 6510 To direct the Secretary of Transportation to study certain composite material pipelines, and for other purposes. Molinaro, Marcus J. [Rep.-R-NY-19]

It looks like Graves, Chair of the House Transportation and Infrastructure Committee, has introduced the latest PHMSA pipeline safety reauthorization bill and two committee members had concerns that were not addressed in that bill.

Wednesday, November 29, 2023

Short Takes – 11-29-23

Biden Administration’s New Supply Chain Resilience Council to Oversee 30 Interagency Missions; Alejandro Mayorkas Quoted. ExecutiveGov.com article. Pull quote: “The Department of Homeland Security also has its own supply chain resilience facility. “Conflict, political instability, and climate change could challenge our supply chains in the years ahead,” DHS Secretary Alejandro Mayorkas said. “The Supply Chain Resilience Center will help American businesses and the federal government anticipate these disruptions and play a key role in the Biden-Harris Administration’s work to prevent them,” the Wash100 awardee added.”

GPS Spoofing Signals Traced To Tehran. AVWeb.com article. Pull quote: “Since late September, the website Ops Group has been collecting reports from pilots flying in the Middle East reporting satellite-based navigation equipment giving them false position reports. In some cases, their panels have told them they’re as much as 120 miles from their actual location, prompting the FMS to react. Some crews have had to ask ATC for vectors to keep them on course. Humphreys said the alarming development is the spoofing affects both the GPS-dependent equipment and the Inertial Reference System (IRS).”

Army boot camp will soon include counter-drone training. ArmyTimes.com article. Pull quote: ““We don’t have enough air defense capacity relative to demand, and we never will. Look at the way in which Ukraine has been expending air and missile defense interceptors and translate that over to what we would need in a China conflict. We are going to need to increase capacity a lot more.””

For the first time, we’re seeing views of China’s entire space station. ArsTechnica.com article. Pull quote: “This means the Tiangong space station will continue operating at least until the mid-2030s, several years after the planned decommissioning of the International Space Station in 2030, more than 30 years after the launch of the oldest ISS module. NASA's strategy is to partner with commercial industry to develop a smaller space station to replace the ISS in low-Earth orbit. The idea is that a commercial space station would be cheaper to operate than the ISS, and NASA and other government space agencies could buy access to the privately owned outpost for astronauts and scientific experiments.”

US Coast Guard Issues Safety Alert for Wood Pellet Fires. GCaptain.com article. Pull quote: “Both fires resulted in significant damage, costing approximately $355,000 each, including total loss of cargo and extensive damage to the vessels. The cause of these fires was determined to be spontaneous combustion, a phenomenon that is not necessarily common but has been observed before. According to the International Maritime Solid Bulk Cargoes Code, wood pellets containing additives or binders can ferment over time if their moisture content exceeds 15%, leading to the generation of flammable and asphyxiating gases that can cause spontaneous combustion.”

OSHA vs CSB Chemical Incident Investigations

OSHA recently issued citations (here and here) for serious chemical incidents (news reports here and here) at two separate manufacturing facilities. The citations are for regulatory violations that may or may not have directly contributed to the initiation or consequences of the incidents. These regulatory investigations are necessary (and would be more productive if they were conducted before incidents, not after), but they provide little real information about how to prevent incidents.

While both incidents were reported to the Chemical Safety Board (CSB), the Board did not investigate either incident. If it had, their reports would have focused on the processes involved, the proximate cause of the incident, and steps that could have been taken to prevent the incidents. No fines would have been levied, but specific recommendations would have been made to ensure that across the industry (and in associated industries) preventive measures would be available to prevent the reoccurrence of these types of incidents.

Both types of investigations and reports are necessary to help the chemical industry remain a safe work environment and help protect the surrounding communities from the effects of such events. While the CSB provides detailed information about the prevention of such events, OSHA provides the incentives for companies to apply that information to their processes.

Unfortunately, because of the continued backlog of incident reports caused by the inept leadership of previous Boards, the CSB has not initiated a new investigation since September of last year, and it had been over a year since the previous investigation was initiated when CSB personnel arrived at the scene of their latest investigation. While clearance of the remaining five 2021 and earlier investigations should be a priority, the CSB needs to start actively looking at newer incidents and shift their focus back to the present.

Review - CSB Updates Status on 6 Incident Recommendations – 11-28-23

Yesterday, the Chemical Safety Board updated their Recent Recommendation Status Updates page to reflect changes made on November 24th, 2023 to the status of recommendations made on four separate accident investigations. There were changes made to six separate recommendation statuses; one was changed to “Closed – Acceptable Response” and five were changed to “Open - Acceptable Response or Alternate Response”.

The closed response was for:

2020-03-I-TX-R2 - Watson Grinding Fatal Explosion and Fire - Matheson Tri-Gas Inc.

The CSB is currently reporting 144 open recommendations and 810 closed.

 

For more details about these status changes, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-updates-status-on-6-incident - subscription required.

Tuesday, November 28, 2023

Short Takes – 11-28-23

Hackers Hijack Industrial Control System at US Water Utility. SecurityWeek.com article. Pull quote: “An image posted by KDKA-TV suggests that the hackers took control of an Unitronics Vision system, which is a programmable logic controller (PLC) with an integrated human-machine interface (HMI). Unitronics Vision products have been known to be affected by critical vulnerabilities that could expose devices to attacks.”

GOP faces ominous signs in effort to avoid January shutdown. TheHill.com article. Pull quote: “After this week, the House is set to be in session for just 16 legislative days before the first of a two-part deadline to fund the government on Jan. 19 — with the rest expiring two weeks later, on Feb. 2. This week’s appropriations stall [no spending bills being considered in House] only exacerbates the time crunch.”

Russia: Sabotage, Incompetence and Corruption in Russia. StrategyPage.com article. Pull quote: “Ukrainian sabotage teams in Russian territory disrupt railroad movement by damaging key elements of the railroad signals and communications systems. This makes the railroads less reliable and often leads to accidents that derail supply trains and block further use of that line until the wreckage is removed and the rails repaired. Ukraine has even been able to get operatives deep inside Russia to damage the Trans-Siberian Railroad, which is currently used to move weapons and munitions from North Korea to Ukraine.” Not clear if these are physical or cyber-physical attacks.

Post-Thanksgiving leftovers crowd Congress' December plate. Politico.com article. Pull quote: “Lawmakers have punted on funding the government until after the holidays, but there's still plenty of issues they'll have to confront before bolting from Washington later in December.” Missing from this discussion are a number of authorization bills, including farm bill as well as FAA, Intel, and Intelligence reauthorizations.

Mars Needs Insects. NYTimes.com article. Pull quote: “Either way, humans will have to take — and live with — squirming companions, along with some that are too small to see, anywhere they would like to go beyond Earth — because the only way to survive out there is to make it more like down here, a planet that teems with nutrient-rich beasts.”

The T-shirt chewing enzyme ready to tackle plastic waste. BBC.com article. Pull quote: “Since it produces the same chemical monomers that plastic producers are already using, minimal change is needed. But the familiarity of its product is also a challenge - since these indistinguishable chemicals will cost about 60% more than those derived from petrochemicals.”

Area Maritime Security Advisory Committee (AMSC) Sector Puget Sound. Federal Register CG notice. Summary: “The Coast Guard requests individuals interested in serving on the Area Maritime Security Advisory Committee (AMSC), Sector Puget Sound submit their applications for membership to the U.S. Coast Guard Captain of the Port Sector Puget Sound (COTP). The Advisory Committee assists the COTP as the Federal Maritime Security Coordinator, Sector Puget Sound, in developing, reviewing, and updating the Area Maritime Security Plan for their area of responsibility.”

A Controversial US Surveillance Program May Get Slipped Into a ‘Must-Pass’ Defense Bill. Wired.com article. Pull quote: “By week’s end, top congressional leaders are expected to present the final text of the National Defense Authorization Act (NDAA), a massive bill that directs the Pentagon’s annual funding and one of only a few bills that lawmakers cannot afford to let die. Amending the bill to extend the Section 702 program would force members into an up-or-down vote with limited debate and no opportunity to omit any unwanted, last-minute changes.”

Most school shootings in U.S. aren’t mass killings, study finds, and they’re often driven by community violence. OCRegister.com article. Pull quote: “It found that these adolescents were responsible for only a handful of mass casualty shootings, defined as those involving four or more gunshot fatalities. About half of the shootings analyzed — 119 — involved at least one death. Among the events, seven killed four or more people.”

Chlorine is a highly useful chemical that's also extremely dangerous − here's what to know about staying safe around it. TheConversation.com article. Pull quote: “Chlorine gas exposure, even for short periods of time and at low levels, leads to eye, throat and nose irritation and causes coughing and breathing problems and burning in the eyes. Higher exposure levels can cause chest pain, severe breathing difficulties, pneumonia, vomiting and fluid in the lungs. Very high levels can cause death. Chlorine also can be absorbed through the skin, resulting in pain, swelling, inflammation and blistering.” Very informative, well-balanced article.

DHS Awarded Patent for Homeland Explosive Consequence Assessment Tool. DHS.gov press release. Pull quote: “HExCAT provides emergency managers with capabilities to streamline decision making and emergency response planning, by, among others, identifying vulnerabilities at large venues, devising effective evacuation procedures for facilities, and planning routes for relocating large groups of people to medical facilities. Additionally, HExCAT houses a library of 28 different types of military and homemade explosives, including various fuel and oxidizer combinations that amplify explosive effects, and provides unique insight into potential worst-case outcomes. The tool can also model different scenarios in diverse indoor and outdoor public spaces to more accurately predict how these scenarios will play out and how to adapt in real life situations.”

CISA Urges Congress to Reauthorize Key Chemical Security Program. SecurityBoulevard.com article. “Murray called on Congress to reauthorize CFATS, saying it “provides essential resilience for the chemical industry by enabling chemical facility owners and operators to understand the risks associated with their chemical security holdings, develop site security plans and programs, conduct site inspections, coordinate with local law enforcement and first responders, and continue to reevaluate each facility’s security posture based on changes in its chemical holdings and threat nexus.””

Review – 4 Advisories Published – 11-28-23

Today, CISA’s NCCIC-ICS published three control system security advisories for products from Mitsubishi Electric, Franklin Electric Fueling Systems, and Delta Electronics. They also published a medical device security advisory for products from BD.

Advisories

Mitsubishi Advisory - This advisory describes two improper input validation vulnerabilities in the Mitsubishi GX Works2.

Franklin Advisory - This advisory describes a path traversal vulnerability in the Franklin FFS Colibri fuel inventory monitoring system.

Delta Advisory - This advisory describes four vulnerabilities in the Delta InfraSuite Device Master product.

BD Advisory - This advisory describes seven vulnerabilities in the BD FACSChorus workstations.

 

For more details about these advisories, including corrected link for vendor advisory, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-published-11-28-23 - subscription required.

Committee Hearings – Week of 11-27-23

This week the House and Senate return from their Thanksgiving recess. There is a relatively light hearing schedule, with only two hearings of potential interest here: first, an NDAA conference committee hearing, and second, a cybersecurity hearing.

NDAA Hearing

Listed on the Senate hearing schedule page, the conference committee on HR 2670 will meet on Wednesday. No official listing of what is scheduled, but Wired.com is reporting:

“The House and Senate passed their own versions [HR 2670 and S 2226, both removed from paywall] of the NDAA this summer, and a conference of top lawmakers had been tasked with consolidating the two bills. Currently, however, only a few top lawmakers know what the bill’s final text will say. The remaining conferees expect to receive a copy of the NDAA as early as Wednesday, but may have less than a day to parse what is typically over 1,000 pages of text. Party leaders will expect at least half of the conference to sign off on the bill quickly and send it to the House and Senate floor for a vote.”

Cybersecurity

On Wednesday the Cybersecurity, Information Technology, and Government Innovation Subcommittee of the House Oversight and Accountability Committee will hold a hearing on “Safeguarding the Federal Software Supply Chain”. The witness list includes:

• Jamil Jaffer, George Mason University,

• James Lewis, Center for Strategic & International Studies, and

• Roger Waldron, The Coalition for Government Procurement

According to the Committee memo on the hearing, this will focus solely on IT cybersecurity supply chain issues.


BIS Sends Semiconductor Final Rule to OMB

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a final rule from the DOC’s Bureau of Industry and Security (BIS) on “Implementation of Additional Export Controls: Certain Advanced Computing Items and Semiconductor Manufacturing Items; Supercomputer and Semiconductor End Use; Updates to the Controls and Corrections”. This rulemaking responds to comments received by BIS on an interim final rule on the topic published on October 13th, 2022.

According to the entry for this rulemaking in the Spring 2023 Unified Agenda:

“In this rule, the Bureau of Industry and Security (BIS) is finalizing the changes to the Export Administration Regulations (EAR) in response to an interim final rule published on October 13, 2022, that implemented necessary controls on advanced computing integrated circuits (ICs), computer commodities that contain such ICs, and certain semiconductor manufacturing items.  In addition, BIS expanded controls on transactions involving items for supercomputer and semiconductor manufacturing end uses, for example, the rule expanded the scope of foreign-produced items subject to license requirements for twenty-eight existing entities on the Entity List that are located in China. BIS also informed the public that specific activities of U.S. "persons" that ‘support’ the "development" or "production" of certain ICs in the PRC require a license.  Lastly, to minimize short term impact on the semiconductor supply chain from this rule, BIS established a Temporary General License to permit specific, limited manufacturing activities in China related to items destined for use outside China and is identifying a model certificate that may be used in compliance programs to assist, along with other measures, in conducting due diligence. BIS received forty-three comments in response to the interim final rule.  In this rule, BIS makes additional changes in response to the comments received on the interim final rule and additional changes identified by BIS that are needed in order to achieve the objectives of the October 13 rule.”

This rulemaking probably does not include any cybersecurity provisions that would engender specific coverage in this blog. I am including this procedural coverage because of the potential impact any regulation of the import/export of semiconductors could have on the control system community.

Monday, November 27, 2023

Short Takes – 11-27-23

Life beyond the leak for ESA’s CryoSat. ESA.int article. Pull quote: ““Since 2010, CryoSat has used its Synthetic Radar Altimeter (SAR) to monitor land and sea ice everywhere on Earth to help scientists demonstrate the important role ice plays in regulating climate and being affected by global warming,” says Tommaso Parrinello, CryoSat Mission Manager.” For space geeks.

Georgia case over railroad's use of eminent domain could have property law implications. ABCNews.go.com article. Pull quote: “The case matters because private entities need to condemn private land not only to build railroads, but also to build other facilities such as pipelines and electric transmission lines. There’s a particular need to build additional electric transmission lines in Georgia and other states to transmit electricity from new solar and wind generation.”

In 2024, Republican EV attacks may fall short as swing states reap investment. Reuters.com article. Pull quote: “Of that investment [from the Inflation Reduction Act], $48 billion - or one third - has taken place in Georgia, Arizona, Nevada and Michigan, according to an analysis done by advocacy group Climate Power at Reuters' request. Those four states, along with Wisconsin, Pennsylvania and North Carolina, are arguably the most competitive in the country.”

Indian drug manufacturers benefit from Big Pharma interest beyond China. Reuters.com article. Pull quote: “"Today you're probably not sending an RFP (request for proposal) to a Chinese company," said Tommy Erdei, global co-head of healthcare investment banking at Jefferies. "It's like, 'I don't want to know, it doesn't matter if they can do it for cheaper, I'm not going to start putting my product into China'."”

Chemical Security Standards’ Long Lapse Stirs Backlog Concerns. Bgov.com article. Pull quote: ““Each day that passes without a solution from Congress makes it harder to restart CFATS and adds to the backlog of security reviews and inspections that DHS will need to address,” American Chemistry Council spokesperson Scott Jensen said Tuesday.”

The Benefits of Omnibus Spending Bills

While House Republicans are making a major effort to avoid having an Omnibus Spending bill for FY 2024, it is perhaps a good idea to look at why those spending bills have become so important over the last decade or so. The problem is not so much in the House (at least until this year when an unruly majority has problems passing spending bills), but rather an unruly Senate has allowed a small handful of Senators to make the ‘Advise and Consent’ process for approving an increasing number of Presidential nominees a more time-consuming process. This means that the Senate has less time to take up necessary and important legislation.

In more recent years, this process has been further stalled by a few Senators demanding votes on unpopular amendments during the consideration of significant legislation. All in all, the number of pieces of legislation that the Senate is able to pass has been greatly diminished. Unfortunately, the number of bills that fall into the ‘must pass’ category has only increased as the federal government continues to expand.

The year-end omnibus spending bill has become the legislative safety valve. For example, the FY 2023 Consolidated Spending Act included 27 additional Divisions beyond the 12 actual spending bills. While many of the legislative bits added to those divisions were political horse-trading efforts to ensure wider support for the bill, these Divisions included FAA reauthorization and agriculture reauthorization, as well as a number of lesser program reauthorizations. Without an omnibus spending bill, most of these bills never would have made it through the increasingly convoluted legislative process.

While some Republicans in the House are focused on avoiding these large end-of-year spending bills, it is not clear that their efforts will actually work. The Congress has yet to complete the conference committee process on a single piece of legislation (the NDAA for instance). And the House has not yet tried to take up the one spending bill that the Senate completed work on. I suspect that the Republican fringe is trying to stop that consideration because of the possibility that the Senate version of the bill could be passed by Democrats and a relatively small number of Republican moderates voting for approval. Without a House vote to insist on their language, HR 4366 cannot technically start the conference process.

Lacking that vote, the Congress will have to rely upon the backroom process under which Omnibus spending bills have been formulated in the past. We may still see the spending bills stuffed with authorization and miscellaneous legislation.

Saturday, November 25, 2023

Review – Public ICS Disclosures – Week of 11-18-23 – Part 2

For Part 2 we have seven more vendor disclosures from Mitsubishi, Philips, Phoenix Contact, Western Digital, WAGO (2), and Zyxel. There are also three updates from Hitachi Energy, HP, and HPE. Finally, we have seven researcher reports about vulnerabilities in products from Thales (7).

Advisories

Mitsubishi Advisory - Mitsubishi published an advisory that describes two improper input validation vulnerabilities in their GX Works2 product.

Philips Advisory - Philips published an advisory that discusses the F5 BIG-IP Configuration Utility Authentication Bypass Vulnerability that is listed on the CISA Known Exploited Vulnerability Catalog.

Phoenix Contact Advisory - Phoenix Contact published an advisory that discusses two vulnerabilities in products using the WIBU CodeMeter Runtime product.

Western Digital Advisory - Western Digital published an advisory that describes multiple uncontrolled search path element vulnerabilities (single CVE) in their SanDisk Security Installer for Windows product.

WAGO Advisory #1 - CERT-VDE published an advisory that describes an improper privilege management vulnerability in multiple WAGO products.

WAGO Advisory #2 - CERT-VDE published an advisory that describes an OS command injection vulnerability in WAGO managed switches.

Zyxel Advisory - Zyxel published an advisory that describes an out-of-bounds write vulnerability in their SecuExtender SSL VPN Client software.

Updates

Hitachi Energy Update - Hitachi Energy published an update for their Apache ActiveMQ advisory that was originally published on November 14th, 2023.

HP Update - HP published an update for their PROSet/Wireless WiFi and Killer™ WiFi advisory that was originally published on August 8th, 2023, and most recently updated on September 12th, 2023.

HPE Update - HPE published an update for their IceWall products advisory that was originally published on June 20th, 2023 and most recently updated on July 24th, 2023.

Researcher Reports

Thales Reports - Kaspersky published seven reports about individual vulnerabilities in the Thales Telit Cinterion products.

 

For more information on these disclosures, including links to 3rd party advisories and brief descriptions of changes in updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11-cec - subscription required.

Review – Public ICS Disclosures – Week of 11-18-23 – Part 1

This week we have 20 vendor disclosures from Eaton, FortiGuard (3), Hikvision (3), HP (9), HPE (3), and Meinberg.

Advisories

Eaton Advisories - Eaton published an advisory that describes an improper access control vulnerability in multiple Eaton products.

FortiGuard Advisory #1 - FortiGuard published an advisory that discusses two vulnerabilities in their FortiGate products.

FortiGuard Advisory #2 - FortiGuard published an advisory that describes an improper validation of integrity check value vulnerability in their FortiOS and FortiProxy products.

FortiGuard Advisory #3 - FortiGuard published an advisory that describes a numeric truncation error in their FortiOS and FortiProxy SSL VPN.

Hikvision Advisory #1 - Hikvision published an advisory that describes a buffer overflow vulnerability in their NVR/DVR Devices.

Hikvision Advisory #2 - Hikvision published an advisory that describes two vulnerabilities in their LocalServiceComponents application.

Hikvision Advisory #3 - Hikvision published an advisory that describes an authentication bypass vulnerability in multiple Hikvision products.

HP Advisory #1 - HP published an advisory that discusses an incorrect permission assignment for critical resource vulnerability in multiple HP computers.

HP Advisory #2 - HP published an advisory that discusses an uncontrolled search path element vulnerability in multiple HP computers.

HP Advisory #3 - HP published an advisory that discusses five vulnerabilities in multiple HP computers.

HP Advisory #4 - HP published an advisory that discusses an improper access control vulnerability in multiple HP workstations.

HP Advisory #5 - HP published an advisory that discusses seven vulnerabilities in multiple HP computers.

HP Advisory #6 - HP published an advisory that discusses an improper access control vulnerability in multiple HP computers.

HP Advisory #7 - HP published an advisory that discusses an uncontrolled search path element vulnerability in multiple HP computers.

HP Advisory #8 - HP published an advisory that discusses two improper input validation vulnerabilities in multiple HP computers.

HP Advisory #9 - HP published an advisory that discusses four vulnerabilities in multiple HP computers.

HPE Advisory #1 - HPE published an advisory that discusses an improper or unexpected behavior of the INVD instruction vulnerability in their ProLiant DL/DX/XL servers.

HPE Advisory #2 - HPE published an advisory that discusses a sequence of processor instructions leads to unexpected behavior vulnerability in their Edgeline Servers.

HPE Advisory #3 - HPE published an advisory that discusses an improper certificate validation vulnerability in their UX OpenSSL product.

Meinberg Advisory - Meinberg published an advisory that discusses seven vulnerabilities in their Lantime product.

 

For more details about these disclosures, including links to third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11-dda - subscription required.

Friday, November 24, 2023

Short Takes – 11-24-23

Why the House GOP is having a hard time passing its remaining funding bills. TheHill.com article. Pull quote: “But leadership is having trouble locking down support for the five remaining bills as some conservatives press for a harder line on reducing spending, while moderates are wary of what could end up on the cutting room floor.”

Employee data hit in Idaho National Lab cyberattack. GovExec.com article. Pull quote: “Officials from the laboratory confirmed to Nextgov/FCW that its digital network was targeted by a cyberattack on Monday. The attack affected servers that support the Human Resources department within the lab that use Oracle software. The impacted data included employee information.” Interesting that there is no mention of the Lab’s OT-cybersecurity work in the blurb about the lab.

Why cheap drones pose a significant chemical terrorism threat. TheBulletin.org article. Pull quote: “Relatively cheap drones are becoming a mainstay of conflicts, from the war in Ukraine to the Israel-Hamas conflict in Gaza. Though drones were once the purview of rich and powerful militaries, it’s now possible to use cheap consumer drones in battle. With a few tweaks, they can whistle past even sophisticated air defenses. As Al-Bared’s case [link added] highlights, they may also present a significant chemical terrorism threat. Drones can be equipped with sprayers to deliver chemical weapons, or they could be used in an attack on a chemical plant. They could also provide critical attack support, helping with reconnaissance to plan out and conduct an attack, monitor law enforcement response, and create propaganda to highlight terrorist activities.”

The Old-School Artillery Shell Is Becoming High Tech. WSJ.com article (free). Pull quote: “The technological advances, giving some shells capabilities similar to missiles but with a lower cost and quicker production time, promise a dramatic change for artillery as it plays its biggest role since the Vietnam War.”

Decabromodiphenyl Ether and Phenol, Isopropylated Phosphate (3:1); Revision to the Regulation of Persistent, Bioaccumulative, and Toxic Chemicals Under the Toxic Substances Control Act (TSCA). Federal Register EPA NPRM. Summary: “The Environmental Protection Agency (EPA) is proposing revisions to the regulations for decabromodiphenyl ether (decaBDE) and phenol, isopropylated phosphate (3:1) (PIP (3:1)), two of the five persistent, bioaccumulative, and toxic (PBT) chemicals addressed in final rules issued under the Toxic Substances Control Act (TSCA) in January 2021. After receiving additional comments following the issuance of the 2021 PBT final rules, the Agency has determined that revisions to the decaBDE and PIP (3:1) regulations are necessary to address implementation issues and to reduce further exposures.”

Safety Advisory 2023-07; Review and Implement New Predictive Weather Modeling and Proactive Safety Processes Across the National Rail Network To Prevent Weather-Related Accidents and Incidents. Federal Register FRA Safety Advisory. Summary: “To reduce weather-related accidents/incidents and improve the efficiency of the national rail network during severe weather events, FRA is issuing this Safety Advisory to recommend that railroads review existing policies, procedures, and operating rules related to predicting, monitoring, communicating, and operating during severe weather conditions or subsequent to extreme weather events. FRA also recommends that railroads collaborate to develop best practices for utilizing weather forecasting technologies, predictive weather models, and weather-related action plans throughout the industry.”


Review - HR 5840 Introduced – Streamlining TSA Threat Assessments

Last month, Rep Graves (R,LA) introduced HR 5840, the Transportation Security Screening Modernization Act. The bill would require the TSA to take actions (potentially including issuing an interim final rule) to streamline the procedures for individuals applying for or renewing enrollment in more than one TSA security threat assessment program, in particular, the TWIC and HAZMAT Endorsement programs. No new funding is authorized by the legislation.

Moving Forward

Graves and two of his cosponsors {Rep Titus (D,NV) and Rep Green (R,TN)} are members of the House Homeland Security Committee to which this bill was assigned for consideration. This means that there may be sufficient influence to see the bill considered in Committee. I see nothing in this bill that would engender any organized opposition. I suspect that there would be sufficient bipartisan support for the bill for it to be considered on the floor of the House under the suspension of the rules process.

Commentary

TSA has already implemented some of the streamlining actions. If a TWIC applicant already has an HME (or a Free and Secure Trade card) they are eligible for a reduced fee TWIC ($93 vs $125.25) and the expiration of the two will be the same (the date for the earlier assessment).

 

For more information about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-5840-introduced - subscription required.

Wednesday, November 22, 2023

Short Takes – 11-22-23

Mucus-Covered Jellyfish Hint at Dangers of Deep-Sea Mining. NYTimes.com article. Pull quote: “Dr. Drazen noted that the species the researchers chose for the study was hardier than many of its relatives. “This is a really robust jellyfish. You can catch this thing in a net and it doesn’t turn into goo,” he said, and its stress response to the sediment indicates that other soft-bodied sea creatures exposed to sediment for longer periods of time might fare even worse.”

In 2024, Space Coast gears up for most astronaut launches since '09. Phys.org article. Pull quote: “But 2024 could see three more crewed vehicles flying from the Space Coast on SpaceX commercial crew and private flights. Also, the first crewed flight of NASA's Artemis program and its Orion spacecraft and the long-delayed first crewed test flight of Boeing's CST-100 Starliner could happen.”

KERI's metamaterial, stretchable and efficient wearable thermoelectric energy harvester! Newswise.com article. Pull quote: “This achievement is expected to receive great attention in the field of IoT and AI-based wearable devices. Existing wearable devices had the disadvantage as it had to have a separate power supply such as a battery, but with KERI thermal energy harvesting technology, they can simply be attached to the body to produce electricity using body heat, and even supply power directly through the module. It can also be applied to the next-generation medical field.” Journal article here.

Virginia Tech opens world’s first fully automated AI and cyberbiosecurity water lab. Newswise.com article. Pull quote: ““ACWA lab is aimed at creating a test bed for water supply systems, water distribution systems, and water treatment plants in the United States to test potential incidents, like cyberattacks, and protect against them,” Batarseh said. “The lab is able to provide data sets that are not easily created anywhere else in the world by combining the cyber components and computational components with water quality and quantity aspects, such as water flow, pH and nitrogen rates, and so on.” Article starts off with the Oldsmar attack myth… Hope the lab has better info.

Requests for Comments; Clearance of a Renewed Approval of Information Collection: Unmanned Aircraft Remote Identification Message Elements. Federal Register FAA 60-day ICR notice. Annual Burden Estimate: “The collection of information through the broadcasting of the remote identification message elements is entirely automatic, therefore there is no annual burden associated with the broadcast of the remote identification message elements.”

OMB Approves DOD CMMC NPRM

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a notice of proposed rulemaking (NPRM) for the DOD’s “Cybersecurity Maturity Model Certification (CMMC) Program”. The NPRM was sent to OIRA on July 24th, 2023. Guidance documents for the program were approved last week.

According to the Spring 2023 Unified Agenda entry for this rulemaking:

“DOD is proposing to implement the Cybersecurity Maturity Model Certification (CMMC) Framework, to help assess a Defense Industrial Base (DIB) contractor’s compliance with and implementation of cybersecurity requirements to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) transiting non-federal systems and mitigate the threats posed by Advanced Persistent Threats--adversaries with sophisticated levels of expertise and significant resources.”

Tuesday, November 21, 2023

Short Takes – 11-21-23

A mysterious illness is sickening dogs in several states. Some are dying. WashingtonPost.com article. Pull quote: ““I would strongly recommend that people avoid boarding facilities, doggy day care, anything that’s going to be a high volume of dogs in a space,” Ganzer said. “I know it’s going to be hard with the holidays coming up, but trying to find somebody that will come to your house and take care of your dog is a better option.”” According to the article the currently affected States are: Colorado, Rhode Island, Oregon, New Hampshire and Massachusetts.

NASA's 'flawless' heat shield demo passes the test. Phys.org article. Pull quote: “Also known as a Hypersonic Inflatable Aerodynamic Decelerator (HIAD) aeroshell, this technology could allow larger spacecraft to safely descend through the atmospheres of celestial bodies like Mars, Venus, and even Saturn's moon, Titan.”

The Biden administration announces its new acting cyber director, as nominee awaits Senate vote. GovExec.com article. Pull quote: “In her current role, Dudley sets strategy and budget priorities for the office, working with partners including the Office of Management and Budget. She has worked at ONCD since August 2022, when the White House announced her as the assistant national cyber director for budget review and assessment in a round of hires for the then-new cyber office.” Admin background, not cyber.

2022 Liquid Chemical Categorization Updates. Federal Register CG final rule. Summary: “The Coast Guard is issuing this final rule to align liquid chemical categorization tables in its tank vessels and bulk dangerous cargo regulations with the 2020 Edition of the International Code for the Construction and Equipment of Ships Carrying Dangerous Chemicals in Bulk. The updated tables provide a list of the liquid hazardous materials, liquefied gases, and compressed gases approved for international and domestic maritime transportation and indicate how each substance is categorized by its pollution potential, safe carriage requirements, chemical flammability, combustibility, and compatibility with other substances. This rule imposes no additional costs to chemical shippers or vessel owners.” Effective Date: December 21, 2023.

New Source Performance Standards Review for Volatile Organic Liquid Storage Vessels (Including Petroleum Liquid Storage Vessels); Extension of Comment Period. Federal Register EPA comment extension. Summary: “On October 4, 2023, the U.S. Environmental Protection Agency (EPA) proposed amendments to the “Standards of Performance for Volatile Organic Liquid Storage Vessels (Including Petroleum Liquid Storage Vessels).” The EPA is extending the comment period on this proposed rule that currently closes on November 20, 2023, by 18 days. The comment period will now remain open until December 8, 2023, to allow additional time for stakeholders to review and comment on the proposal.”

Canadian police warn crypto investors on growing home robbery trend. CoinTelegraph.com article. Pull quote: ““The suspects gain access to a victim’s home by posing as delivery people or persons of authority. Once let inside the home, the suspects rob the victims of information that gives access to their cryptocurrency accounts.””

Worker Hurt In Platform Decommissioning Fire. ISSSource.com article. Pull quote: “This happened because an oxygen bottle regulator suddenly burst, starting a flash fire while the crew member was turning the valve to supply oxygen for welding, according to a report from the Bureau of Safety and Environmental Enforcement (BSEE). The crew member’s wounds ended up treated with burn gel.”

Hackers are taking over planes’ GPS — experts are lost on how to fix it. NYPost.com article. Pull quote: “But the tactic has now become so sophisticated that nefarious hackers, still at large, have recently learned how to override an airplane’s critical Inertial Reference Systems (IRS). That crucial piece of technology is commonly called the “brains” of a craft by manufacturers.” Okay, it is the NY Post, but…

Electronic Warfare Confounds Civilian Pilots, Far From Any Battlefield. NYTimes.com article. Pull quote: “Spoofing is harder to handle because the signal appears legitimate. Only the European navigation satellite system, Galileo, incorporates an authentication system that can provide confidence that a signal is from its satellites. Galileo, which currently is the most accurate and precise navigation satellite system, plans to introduce an even stronger level of authentication, according to a spokesperson for the European Commission.”

Review – 2 Advisories and 3 Updates Published – 11-21-23

Today, CISA’s NCCIC-ICS published two control system security advisories for products from Fuji Electric and WAGO. They also updated advisories for products from Rockwell Automation, Keysight, and Mitsubishi Electric.

Advisories

Fuji Advisory - This advisory describes three vulnerabilities in the Fuji Tellus Lite V-Simulator.

WAGO Advisory - This advisory describes an externally controlled reference to a resource in another sphere vulnerability in the WAGO PFC200 Series products.

Updates

Rockwell Update - This update provides additional information on the Stratix 5800 and Stratix 5200 advisory that was originally published on October 24th, 2023.

Keysight Update - This update provides additional information on the N8844A Data Analytics advisory that was originally published on April 25th, 2023.

Mitsubishi Update - This update provides additional information on the CNC Series advisory that was originally published on July 27th, 2023 and most recently updated on October 31st, 2023.

 

For more details about these advisories, including notes about the vendor advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-and-3-updates-published-132 - subscription required.

Review - FAA Publishes UAS Identification Compliance 60-day ICR Notice

Today the DOT’s Federal Aviation Administration (FAA) published a 60-day information collection request (ICR) renewal notice in the Federal Register (88 FR 81174-81175) for “Means of Compliance, Declarations of Compliance, and Labeling Requirements for Unmanned Aircraft Systems with Remote Identification”. The current version of the ICR was approved on March 8th, 2021. The table below shows the burden estimate for this renewal with a comparison to the existing version.

Public Comments

The FAA is soliciting public comments on this ICR notice. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; docket #FAA-2023-2246). Comments should be submitted by January 22nd, 2024.

 

For more details about the ICR Notice, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/faa-publishes-uas-identification - subscription required.

Monday, November 20, 2023

Short Takes – 11-20-23

Speaker Mike Johnson Faces Hard-Right Discontent, Risking Disarray Ahead. Finance.Yahoo.com article. Pull quote: “The party’s assertive hard-liners, a few of whom toppled then-speaker Kevin McCarthy just last month, are warning they won’t yield on their expectations for steep cuts in government spending and conservative policy changes, despite the limited leverage possessed by a slim and fractious Republican House majority.”

Winning: Tunnel Warfare Troops and Techniques. StrategyPage.com article. An interesting look at tunnel warfare tech. Pull quote: “The purpose of the ATE vehicle is to quickly, carefully and precisely explore these tunnels using a number of sensors to detect and identify what is down there while creating a 3D map of the tunnel or larger tunnel system. The prototype ATE was recently tested on a 1,500-meter South Korean test tunnel containing many of the characteristics of North Korean and Hamas tunnels. ATE did well and tests continue.”

Federal Motor Vehicle Safety Standards; V2V Communications. Federal Register NHTSA NPRM withdrawal notice. Summary: “The National Highway Traffic Safety Administration withdraws a previous proposal to create a new Federal Motor Vehicle Safety Standard requiring vehicle-to-vehicle (V2V) communications in new light vehicles. After the advent of new V2V communications protocol, and after a recent Federal Communications Commission (FCC) decision regarding the regulations governing the 5.850–5.895 gigahertz (5.9 GHz) band, the agency has decided to withdraw its V2V proposed rule.”

Review - HR 6124 Introduced – Cybersecurity Skills

Last month, Rep Thompson (R,PA) introduced HR 6124, the Cybersecurity Skills Integration Act. The bill would require the Department of Education to start a pilot grant program to develop a “postsecondary career and technical education programs that integrate cybersecurity education”. The legislation would authorize $10-million to support the pilot program.

This bill is identical to HR 9259 that was introduced by Rep Langevin (D,RI) in the 117th Congress. Thompson was a cosponsor of the earlier version. It was introduced much too late in the session for any actions to be taken. It is interesting that Langevin did not re-introduce this legislation, nor is he listed as a cosponsor, though three other Democrats are.

Moving Forward

Thompson is a member of the House Education and Labor Committee to which this bill was assigned for consideration. This means that there should be sufficient influence to see this bill considered in Committee. I would expect to see some Republican opposition to the bill because of the $10 million price tag, but that opposition would be off-set by Democratic support.

I am not sure that it would receive sufficient bipartisan support to be considered in the House under the suspension of the rules process if it were to make it that far.

Commentary

This is the first piece of cybersecurity legislation that I have seen where it appears that the crafters of the bill really have a basic understanding of the unique dangers related to attacks on industrial control systems in process industries. In each of the first two parts of the definition of ‘cybersecurity education’ references are made to ‘control systems and operational technology’. It is in the third part of the definition, however, where those potential dangers are really addressed:

“(C) training to ensure the continuous physical and environmental safety of the operations of critical infrastructure systems.”

 

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-9259-introduced-1bf - subscription required.

Short Takes – 11-20-23 – Geek Edition

SpaceX’s Starship gets farther on its second test flight. CosmicLog.com article. Pull quote: “SpaceX took the day as a win — based not only on a successful liftoff from its South Texas launch pad a little after 8 a.m. CT (5 a.m. PT), but also on the successful execution of a hot-stage separation maneuver two and a half minutes after launch.”

SpaceX Makes Progress in 2nd Launch of Giant Moon and Mars Rocket. NYTimes.com article (free). Pull quote: “Daniel L. Dumbacher, the executive director of the American Institute of Aeronautics and Astronautics, agreed. “This is a large launch system,” he said. “It’s going to take some work to get it to where it needs to go. I have no doubt that the SpaceX team will be able to figure out how to get the launch vehicle working.””

New cooling mechanism set to revolutionize conventional environmentally harmful refrigeration technologies. Newswise.com article. Scale-up work is ongoing. Pull quote: “In this particular case, the electrocaloric effect involves applying an electric field to ceramic capacitors, inducing temperature changes, and creating a cooling effect. “Our proposed solution involves an assembly of multilayer capacitors stacked within an electrically connected fluid-filled pipe,” explains Dr Emmanuel Defay, who leads the Nanotechnology unit within the Materials Research and Technology (MRT) department at LIST. Defay and his team have been working on electrocaloric materials for several years. “The fluid flows back and forth between the capacitors, creating a temperature gradient,” he adds.”

NASA is pausing all Mars missions, effective immediately. Here's why. LiveScience.com article. Pull quote: “"NASA will hold off sending commands to its Mars fleet for two weeks, from Nov. 11 to 25, while Earth and the Red Planet are on opposite sides of the sun. Called Mars solar conjunction, this phenomenon happens every two years," NASA said in a statement. "The missions pause because hot, ionized gas expelled from the sun's corona could potentially corrupt radio signals sent from Earth to NASA's Mars spacecraft, leading to unexpected behaviors."”

Removing Cesium: Solutions to a Chemically Complex Problem. Newswise.com article. Pull quote: “Cesium-137 is mostly human-made. It is found in large quantities in nuclear waste because it’s a byproduct of making plutonium, a necessary step in nuclear weapons production. Scientists have discovered how to safely store this radioactive waste in glass, but before that can happen a portion of the liquid tank waste needs to be treated to remove most of the cesium-137. That’s because the type of gamma radiation it emits—energy higher than X-rays—can penetrate through the human body and even through steel, making it too dangerous for workers to operate and maintain the processing technology used to make low-activity waste glass.”

SpaceX founding employee successfully moves from rockets to in-space propulsion. ArsTechnica.com article. Pull quote: “Fully fueled, the Mira spacecraft masses about 650 pounds (300 kg) and is the size of a dishwasher. The vehicle is designed to maximize its delta-V capability, so it is mostly propellant and fuel tanks, and powered by Saiph thrusters that operate at a specific impulse (ISP) of 290. "It's a pretty whiz-bang little machine," Mueller said.”

Saturday, November 18, 2023

Review – Public ICS Disclosures – Week of 11-11-23 – Part 2

For Part 2 we have eight additional vendor disclosures from Schneider (3), Siemens (2), VMware, and Wireshark (2). There are 21 updates from Broadcom, Cisco, Mitsubishi, and Siemens (18). There are four researcher reports for products from Ashlar-Vellum.

Advisories

Schneider Advisory #1 - Schneider published an advisory that describes two vulnerabilities in their PowerLogic ION8650 and ION8800 products.

Schneider Advisory #2 - Schneider published an advisory that describes two vulnerabilities in their EcoStruxure™ Power products.

Schneider Advisory #3 - Schneider published an advisory that describes a path traversal vulnerability in their Galaxy VS and VL.

Siemens Advisory #1 - Siemens published an advisory that describes two vulnerabilities in their Simcenter Femap product.

Siemens Advisory #2 - Siemens published an advisory that describes seven vulnerabilities in their Tecnomatix Plant Simulation product.

VMware Advisory - VMware published an advisory that describes an authentication bypass vulnerability in their Cloud Director Appliance.

Wireshark Advisory #1 - Wireshark published an advisory that describes an SSH dissector crash vulnerability.

Wireshark Advisory #2 - Wireshark published an advisory that describes an SSH dissector crash vulnerability.

Updates

Broadcom Update - Broadcom published an update for their GNU Coreutils advisory that was originally published on November 14th, 2023 and most recently updated on November 10th, 2023.

Cisco Update - Cisco published an update for their HTTP/2 Rapid Reset Attack advisory that was originally published on October 16th, 2023 and most recently updated on November 9th, 2023.

Mitsubishi Update - Mitsubishi published an update for their GENESIS64 advisory that was originally published on December 13th, 2022 and most recently updated on August 3rd, 2023.

Siemens Update #1 - Siemens published an update for their SIMATIC IPCs advisory that was originally published on September 12th, 2023.

Siemens Update #2 - Siemens published an update for their Open Design Alliance Drawings SDK advisory that was originally published on June 13th, 2023.

Siemens Update #3 - Siemens published an update for their RUGGEDCOM ROS devices advisory that was originally published on August 8th, 2023.

Siemens Update #4 - Siemens published an update for their RUGGEDCOM ROS advisory that was originally published on July 12th, 2022 and most recently updated on April 11th, 2023.

Siemens Update #5 - Siemens published an update for their SIMATIC S7-1500 TM MFP V1.0 advisory that was originally published on June 13th, 2023 and most recently updated on September 12th, 2023.

Siemens Update #6 - Siemens published an update for their SIMATIC S7-1500 TM MFP V1.0 advisory that was originally published on June 13th, 2023 and most recently updated on September 12th, 2023.

Siemens Update #7 - Siemens published an update for their RUGGEDCOM ROS devices advisory that was originally published on November 8th, 2022 and most recently updated on September 12th, 2023.

Siemens Update #8 - Siemens published an update for their RUGGEDCOM ROS Devices advisory that was originally published on August 8th, 2023.

Siemens Update #9 - Siemens published an update for their RUGGEDCOM ROS Devices advisory that was originally published on March 8th, 2022 and most recently updated on March 14th, 2023.

Siemens Update #10 - Siemens published an update for their OPC UA Implementations of SIMATIC Products advisory that was originally published on September 12th, 2023 and most recently updated on October 10th, 2023.

Siemens Update #11 - Siemens published an update for their OPC Foundation advisory that was originally published on April 11th, 2023 and most recently updated on August 8th, 2023.

Siemens Update #12 - Siemens published an update for their RUGGEDCOM APE1808 devices advisory that was originally published on October 10th, 2023.

Siemens Update #13 - Siemens published an update for their SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP advisory that was originally published on November 27th, 2018 and most recently updated on October 10th, 2023.

Siemens Update #14 - Siemens published an update for their Parasolid and Teamcenter Visualization advisory that was originally published on August 8th, 2023.

Siemens Update #15 - Siemens published an update for their SIMATIC WinCC Kiosk Mode advisory that was originally published on May 10th, 2022 and most recently updated on October 10th, 2023.

Siemens Update #16 - Siemens published an update for their Industrial Products using Intel CPUs advisory that was originally published on August 10th, 2021 and most recently updated on May 9th, 2023.

Siemens Update #17 - Siemens published an update for their Insyde BIOS Vulnerabilities advisory that was originally published on February 22nd, 2022 and most recently updated on August 8th, 2023.

Research Reports

Ashlar-Vellum Reports - The Zero Day Initiative published four reports about vulnerabilities in the Ashlar-Vellum Lithium products.

 

For more details about these disclosures, including summaries of changes made in updates and links to researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11-66a - subscription required.

OMB Approves BIS STA Enhancement NPRM

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a notice of proposed rulemaking (NPRM) from the DOC’s Bureau of Industry and Security (BIS) for “Proposed Enhancements and Simplification of License Exception Strategic Trade Authorization (STA)” [link added]. This rulemaking was not published in the Spring 2023 Unified Agenda.

This NPRM could appear in the Federal Register this coming week. I do not expect to see anything in the way of cybersecurity language in this rulemaking.

OMB Approves CMMC Guidance Documents

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved eight guidance documents for the DOD’s Cybersecurity Maturity Model Certification program. All of the documents were approved “Consistent with Change”.

0790-ZA23: CMMC Scoping Guide - Level 3 (Concluded)

0790-ZA22: CMMC Scoping Guide - Level 2 (Concluded)

0790-ZA21: CMMC Scoping Guide - Level 1 (Concluded)

0790-ZA24: CMMC Hashing Guide (Concluded)

0790-ZA20: CMMC Assessment Guide - Level 3 (Concluded)

0790-ZA19: CMMC Assessment Guide - Level 2 (Concluded)

0790-ZA18: CMMC Assessment Guide - Level 1 (Concluded)

0790-ZA17: CMMC Model Overview (Concluded)

These guides could be published in the Federal Register this week, but with the Holiday, I expect to see them the following week.


Chemical Incident Reporting – Week of 11-11-23

NOTE: See here for series background.

Los Angeles, CA – 11-10-23

Local News Reports: Here, here, and here.

Leaking 55-gal drum of ‘non-hazardous’ cleaning chemical. 11 people evaluated after breathing fumes, one hospitalized.

CSB reportable incident.

Whitestown, NY – 11-17-23

Local News Reports: Here, here, and here.

Uncontrolled chemical reaction in metal cleaning operation, out-gassing caused 1 person to be taken to hospital according to one report.

An interesting set of conflicting news reports: one reports one person hospitalized, the other two cite no injuries. One reports that a cleaning tank containing “nitric and hydrofluoric acids” was involved, another says “hydrochloric acid, nitric acid and a water solution”. I suspect that it was the latter; aqua regia is a common metal-cleaning solution and would be consistent with the reported yellow cloud.

Possible CSB reportable depending on whether someone was admitted to the hospital.
