Monday, December 23, 2024

Short Takes – 12-23-24 – Federal Register Edition

Wireless Telecommunications Bureau Seeks Comment on Licensing and Coordination Procedures for the Space Launch Service. Federal Register notice. Summary: “In this Public Notice, the Wireless Telecommunications Bureau (Bureau) makes proposals and seeks comment on issues related to the Federal Communications Commission's (Commission) Space Launch Service. In particular, it proposes licensing and frequency coordination procedures and data requirements for Space Launch Service licensees seeking Commission authorization to perform non-Federal space launch operations in the 2025-2110 MHz, 2200-2290 MHz, and 2360-2395 MHz bands. Filers responding to this Public Notice should submit comments in ET Docket No. 13-115.” Public comments due: January 22nd, 2025.

Private Sector Participation in Domestic and International Events on Spaceflight Safety, Sustainability, and Emerging Markets in Outer Space. Federal Register State Department notice. Summary: “The U.S. Department of State seeks private sector participation in a series of domestic and international events promoting the safe and responsible exploration and use of outer space…. Solicitations for private sector participation in specific events, including event dates and locations, will be posted at least 30 days prior to the event on https://www.state.gov/remarks-and-releases-bureau-of-oceans-and-international-environmental-and-scientific-affairs/.”

Positive Train Control Systems. Federal Register FRA comment period extension. Summary: “On October 28, 2024, FRA published an NPRM proposing to amend certain regulations governing positive train control (PTC) systems. Through oversight and continued engagement with the industry, FRA has found that its existing PTC regulations do not adequately address temporary situations during which PTC technology is not enabled, including after certain initialization failures or in cases where a PTC system needs to be temporarily disabled to facilitate repair, maintenance, infrastructure upgrades, or capital projects. FRA expects PTC systems to be reliable and robust, further reducing the occurrence of initialization failures and outages. The NPRM proposes to establish strict parameters and operating restrictions under which railroads may continue to operate safely in certain necessary scenarios when PTC technology is temporarily not governing rail operations. By this notice, FRA is extending the NPRM's comment period, which will close on December 27, 2024, by 15 days.” New comment due date: January 11th, 2025.

Implementation of Certain Australia Group Decisions. BIS final rule. Summary: “The Bureau of Industry and Security (BIS) is amending the Export Administration Regulations (EAR) to implement changes agreed to by Australia Group (AG) member countries at recent meetings. These include controlling: instruments for the automated chemical synthesis of peptides (automated peptide synthesizers), dipropylamine, and neosaxitoxin; and revising the controls for botulinum toxins, toxic gas monitors, and centrifugal separators. This rule also makes minor conforming changes for the new controls and revisions to existing controls.”

Sunday, December 22, 2024

End of Session Housekeeping – 118th Congress – 12-22-24

With the end of the 118th Congress fast approaching, nothing but pro forma sessions until they adjourn sine die on January 3rd, it is time to catch up on legislation files that are dying with the session's end. Committees are busy publishing reports that no one will read and the GPO is catching up on publishing bills that will have no effect. Instead of trying to complete writeups on each of these housekeeping items, I am simply going to provide a list of each of the bills that I would normally expect to cover in this blog with the appropriate links. If anyone wants me to cover one of these bills in detail in my blog, just drop me a comment on this post; I will see if I can work them into the schedule.

Reports Filed:

HR 3208 Reported in Senate – DHS Cybersecurity OJT

S Rept 118-161 .pdf – not yet published

HR 3208 RFS .pdf - https://www.congress.gov/118/bills/hr3208/BILLS-118hr3208rfs.pdf

HR 5840 Reported in House – TSA Screening Modernization

H Rept 118-888 .pdf – not yet published

HR 5840 IH .pdf - https://www.congress.gov/118/bills/hr5840/BILLS-118hr5840rh.pdf

HR 6494 Reported in House – PIPES Act of 2023

H Rept 118-884 .pdf – not yet published

HR 6494 RH .pdf - https://www.congress.gov/118/bills/hr6494/BILLS-118hr6494rh.pdf

HR 9689 Reported in House – DHS Cybersecurity Internships

H Rept 118-858 .pdf – not yet published

HR 9689 RH .pdf - https://www.congress.gov/118/bills/hr9689/BILLS-118hr9689rh.pdf

HR 9769 Reported in House – Cyber Resilience

H Rept 118-859 .pdf – not yet published

HR 9769 RH .pdf - https://www.congress.gov/118/bills/hr9769/BILLS-118hr9769rfs.pdf

Text of Bills Published:

S 5639 Introduced – cUAS Authority

S 5639 ES .pdf - https://www.congress.gov/118/bills/s5639/BILLS-118s5639es.pdf

NOTE: S 5639 was passed in the Senate by unanimous consent.

Saturday, December 21, 2024

Short Takes – 12-21-24

ICS Threat Analysis: New, Experimental Malware Can Kill Engineering Processes. Forescout.com blog post. Pull quote: “The artifact clusters we identified may primarily act as nuisances in real OT environments. Yet, the fact that this type of malware can infiltrate critical networks is alarming, including a 14-year-old sample observed thousands of times. Even more concerning is the ability of hacking groups to create malware targeting engineering processes with assistance from generative AI while using legitimate services for C2. This reliance on legitimate services makes detecting these threats more challenging. The gap between a relatively simple example like Chaya_003 and more sophisticated OT-specific malware is narrowing, especially as generative AI empowers less skilled attackers to craft OT-specific code.”

Current State of SonicWall Exposure: Firmware Decryption Unlocks New Insights. BishopFox.com blog post. Pull quote: “Our scan identified a total of 430,363 unique targets (IP address and port combinations) with SonicOS/X login pages exposed on the public internet. Of these, the majority had both the management and SSL VPN interfaces accessible, while the rest only exposed one interface.”

The Top Cybersecurity Agency in the US Is Bracing for Donald Trump. Wired.com article. Pull quote: “Under Biden, CISA gained broader authority and new funding to monitor other agencies’ networks for suspicious activity, turning it into the centralized defender of federal networks that many experts always hoped it would become. That could change under Trump, especially if senior officials close to Trump bristle at CISA’s oversight.” Too much guessing in the article, not much information from the Trump transition team yet.

White House charges Pentagon to develop cislunar monitoring tech, including for ‘planetary defense’. BreakingDefense.com article. Pull quote: “This includes taking the lead in the development of new, and/or improvement of current, ground- and space-based sensors for monitoring the cislunar region. In particular, the plan notes that the Pentagon should assess the value of putting new satellites in “novel orbits” to monitor satellites and space debris near the Moon.” Priorities will probably be different in Trump DOD.

New supersonic ramjet detonation engine takes to the sky. NewAtlas.com article. Pull quote: “The JinDou400, however, uses detonation combustion instead of a regular, steady burning flame. It creates controlled explosions (detonations) in the combustion chamber which are far more powerful and efficient than regular combustion (at high speeds), allowing the engine to produce more thrust with less fuel and work effectively, but only at much higher speeds.”

Bills Introduced – 12-20-24

Yesterday, with both the House and Senate in session, there were 31 bills introduced. Three of those bills would have been expected to receive additional attention in this blog were there any time left in the session:

HR 10545 American Relief Act, 2025 Cole, Tom [Rep.-R-OK-4]

HR 10555 To create mechanisms by which state law enforcement can coordinate with the federal government to detect and stop drones involved in unlawful activities, and for other purposes. Smith, Christopher H. [Rep.-R-NJ-4]

S 5639 Counter-UAS Authority Extension Act Peters, Gary C. [Sen.-D-MI]

HR 10545 passed in both the House (366 to 34 to 1) and Senate (85 to 11) and was signed by President Biden (PL number has not yet been assigned).

S 5639 was passed in the Senate by unanimous consent.

Chemical Incident Reporting – Week of 12-14-24

NOTE: See here for series background.

Mukilteo, WA– 12-13-24

Local News Report: Here, here, and here.

There was an anhydrous ammonia leak at a seafood processing facility. A shelter-in-place warning was issued for neighboring businesses. One firefighter with a minor exposure injury was treated on the scene. No damages reported.

Not CSB reportable.

Orlando, FL – 12-19-24

Local News Report: Here, here, and here.

There was a lithium powder fire at an aerospace manufacturing facility. Three people were transported to a local hospital; two are reportedly in critical condition. There are no reports about the extent of the damages.

Probable CSB reportable. 

Review – Public ICS Disclosures – Week of 12-14-24

This week we have 13 vendor disclosures from Dassault Systèmes (4), FortiGuard Labs, GE Vernova (3), Hitachi (3), HPE (2), Meinberg, and Western Digital. We have 11 vendor updates from FortiGuard, Hitachi Energy (8), and Palo Alto Networks. There are also five researcher reports describing vulnerabilities in products from ABB, Delta Electronics (3), and Rockwell Automation. Finally, we have an exploit report for products from FLIR.

Advisories

Dassault Advisory #1 - Dassault published an advisory that describes a cross-site scripting vulnerability in their ENOVIA Collaborative Industry Innovator.

Dassault Advisory #2 - Dassault published an advisory that describes a cross-site scripting vulnerability in their ENOVIA Collaborative Industry Innovator.

Dassault Advisory #3 - Dassault published an advisory that describes a cross-site scripting vulnerability in their ENOVIA Collaborative Industry Innovator.

Dassault Advisory #4 - Dassault published an advisory that describes a cross-site scripting vulnerability in their ENOVIA Collaborative Industry Innovator.

FortiGuard Advisory - FortiGuard published an advisory that describes an OS command injection vulnerability in their FortiManager product.

GE Vernova Advisory #1 - GE published an advisory that discusses two vulnerabilities (both listed in CISA’s Known Exploited Vulnerability catalog) in their Control Server installations utilizing VMware vCenter Server.

GE Vernova Advisory #2 - GE published an advisory that discusses two vulnerabilities (both listed in CISA’s KEV catalog) in their engineering workstations with Veeam Backup & Replication 9.5, 10, or 11 installed.

GE Vernova Advisory #3 - GE published an advisory that discusses six vulnerabilities (one with publicly available exploit) in their UCSE, UCSC, and UCSB controllers utilized in the Mark* VIe Platform.

Hitachi Advisory #1 - Hitachi published an advisory that discusses 19 vulnerabilities in their Ops Center Common Services.

Hitachi Advisory #2 - Hitachi published an advisory that describes a missing authentication for critical function vulnerability in their Infrastructure Analytics Advisor and Ops Center Analyzer products.

Hitachi Advisory #3 - Hitachi published an advisory that discusses 56 vulnerabilities in multiple Hitachi products.

HPE Advisory #1 - HPE published an advisory that discusses an improper authentication vulnerability in their SANnav Management Portal.

HPE Advisory #2 - HPE published an advisory that describes an exposure of sensitive information to unauthorized actor vulnerability in their Alletra MP OS.

Meinberg Advisory - Meinberg published an advisory that discusses four vulnerabilities (one with publicly available exploit) in their Lantime product.

Western Digital Advisory - Western Digital published an advisory that discusses three vulnerabilities in their My Cloud Home & Duo products.

Updates

FortiGuard Update - FortiGuard published an update for their regreSSHion advisory that was originally published on July 9th, 2024, and most recently updated on December 4th, 2024.

Hitachi Energy Update #1 - Hitachi Energy published an update for their Modbus TCP Packet advisory that was originally published on April 19th, 2022, and most recently updated on September 24th, 2024.

Hitachi Energy Update #2 - Hitachi Energy published an update for their RTU500 Series Product advisory that was originally published on March 25th, 2023, and most recently updated on October 1st, 2024.

Hitachi Energy Update #3 - Hitachi Energy published an update for their RTU500 series products advisory that was originally published on December 19th, 2023, and most recently updated on September 24th, 2024.

Hitachi Energy Update #4 - Hitachi Energy published an update for their RTU500 series Product advisory that was originally published on March 26th, 2024, and most recently updated on October 1st, 2024.

Hitachi Energy Update #5 - Hitachi Energy published an update for their RTU500 series Product advisory that was originally published on April 25th, 2024, and most recently updated on October 1st, 2024.

Hitachi Energy Update #6 - Hitachi Energy published an update for their RTU500 series Product advisory that was originally published on June 28th, 2022, and most recently updated on September 24th, 2024.

Hitachi Energy Update #7 - Hitachi Energy published an update for their RTU500 series Product advisory that was originally published on November 28th, 2023, and most recently updated on October 1st, 2024.

Hitachi Energy Update #8 - Hitachi Energy published an update for their RTU500 series Product advisory that was originally published on February 14th, 2023, and most recently updated on October 1st, 2024.

Palo Alto Networks Update - Palo Alto Networks published an update for their GlobalProtect App advisory that was originally published on November 25th, 2024, and most recently updated on December 13th, 2024.

Researcher Reports

ABB Report - Zero Science published a report that describes an authentication bypass vulnerability (with a publicly available exploit) in the ABB Cylon Aspect building energy management product.

Delta Reports - The Zero Day Initiative published three reports for vulnerabilities in the Delta Electronics DRASimuCAD.

Rockwell Report - ZDI published a report that describes an out-of-bounds write vulnerability in the Rockwell Arena Simulation product.

Exploit

FLIR Exploit - YZS17 published an exploit for a command injection vulnerability in the FLIR AX8 thermal imaging camera.


For more information about these notifications, to include links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-12-3dd - subscription required.

Friday, December 20, 2024

Short Takes – 12-20-24

We need to address APT threats. Oh, by the way what is an APT? SCADAMAG.Infracritical.com article. Pull quote: “After this non-exhaustive search for a comprehensive definition of APT is it acceptable to conclude that in terms of addressing the malicious activities of states we still have a dangerously limited definition of APT? That the kinds of non cybercrime related threats to the critical infrastructure of states that can disrupt the economy, affect national security, and degrade the well-being of society are off some of our radar screens?”

‘Bird flu symptoms’: Online searches spike after first severe case in US. TheHill.com article. Pull quote: “Flu experts said the trajectory of the virus in people remains unclear, but they urged people who have contact with sick or dead birds to take precautions, including wearing respiratory and eye protection and gloves when handling poultry.”

Johnson says plan C reached to avert shutdown, vote expected. TheHill.com article. Pull quote: “Members on Thursday night were unsure how they would solve the funding impasse after the plan B failed. They will have to not only get a bill that can appease Trump and pass in the narrow House GOP majority, but get approval from the Democratic-controlled Senate and White House.” NOTE: Passed in House, pending in Senate as of midnight.

HR 10545 Passed in House – American Relief Act, 2025

With less than six hours remaining before the current government funding authorization ended, the House took up yet another version of a continuing resolution, HR 10545, the American Relief Act, 2025. Similar to yesterday’s HR 10515, the bill continues the current spending (FY 2024 levels) authorization through March 14th, 2025, provides a relatively clean 1-year extension of the Ag bill, and provides additional funding for disaster relief (specifically including agricultural relief for weather-related Ag losses). Missing is any mention of the debt limit that President-Elect Trump demanded be included in yesterday’s bill. After a little more than one hour of debate, the House passed the bill by a bipartisan vote of 366 to 34 to 1 {Rep Crockett (D,TX) voted ‘Present’}. Not surprisingly, all 34 nay votes came from Republicans.

TheHill.com is reporting that the Senate intends to take up HR 10545 before midnight so that there will be no need to ‘shut down’ the federal government. If they are late by even a couple of hours, it will make no practical difference.

Program Extensions

Beyond the healthcare program extensions in Division C, and the agricultural program extensions in Division D, there are five other stand-alone program extensions found in Division E (links are provided for programs of interest here):

• Commodity futures trading commission whistleblower program,

• Protection of certain facilities and assets from unmanned aircraft {6 USC 124n(i)},

• Additional special assessment,

• National cybersecurity protection system authorization {6 USC 1525(a)}, and

• Extension of temporary order for fentanyl-related substances.

Notice that the Chemical Facility Anti-Terrorism Standards (CFATS) program was not included. I think that we can finally declare the program to be dead. Any attempt to revive the program in the 119th Congress will have to deal with Sen Paul (R,KY) as Chair of the Senate Homeland Security and Governmental Affairs Committee. Paul can be expected to block any such legislation. Perhaps the focus should be on getting the voluntary ChemLock program authorized and expanded.

Bills Introduced – 12-19-24

Yesterday, with both the House and Senate in session, there were 77 bills introduced. Two of those bills would receive additional coverage in this blog:

HR 10515 Making further continuing appropriations for the fiscal year ending September 30, 2025, and for other purposes. Cole, Tom [Rep.-R-OK-4].

S 5610 A bill to provide grants to support continuing education in election administration or cybersecurity for election officials and employees. Klobuchar, Amy [Sen.-D-MN] 

NOTE: HR 10515 was voted down by the House last night. See my post here. Interestingly the bill still has not been officially printed by the GPO. Probably a waste of time and money at this point.

Transportation Chemical Incidents – Week of 11-16-24

Reporting Background

See this post for explanation, with the most recent update here (removed from paywall).

The data below are from PHMSA’s online database of transportation-related chemical incidents that have been reported to the agency.

Incidents Summary

• Number of incidents – 410 (374 highway, 31 air, 5 rail, 0 water)

• Serious incidents – 3 (3 Bulk release, 0 evacuation, 0 injury, 0 death, 0 major artery closed, 0 fire/explosion, 24 no release)

• Largest container involved – 33,600-gal DOT112A340W Railcar {Petroleum Gases, Liquefied Or Liquefied Petroleum Gas} Leaking pressure relief device on ‘empty’ railcar.

• Largest amount spilled – 504-gal A1A steel drum {Resin Solution, Flammable} One 5-gallon metal pail leaked due to improper loading. NOTE: There is a definite mis-match between the reported amount of spill and the description of the event.

NOTE: Links above are to Form 5800.1 for the described incidents.

Most Interesting Chemical: Disodium Trioxosilicate – A white, odorless solid. Corrosive to skin, eyes, mouth, throat, esophagus and digestive tract. Water-Reactive. (Source: CameoChemicals.NOAA.gov).


OMB Approves NHTSA Automated Driving System NPRM

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a notice of proposed rulemaking (NPRM) from the DOT’s National Highway Transportation Safety Administration (NHTSA) on “Exemption and Demonstration Framework for Automated Driving Systems”. The NPRM was submitted to OIRA on October 21st, 2024. NHTSA published an advanced notice of proposed rulemaking (ANPRM) on this topic on December 3rd, 2020.

According to the Fall 2024 Unified Agenda entry for this rulemaking:

“This notice would propose a framework for the review and assessment of Automated Driving System (ADS)-equipped vehicles, in order to evaluate operations or requests for exemptions involving such technologies while also informing the agency's approach to future rulemaking and oversight.”

Thursday, December 19, 2024

Short Takes – 12-19-24

Johnson spending deal throws Speakership into question as floor vote approaches. TheHill.com article. Pull quote: “Even if Johnson survives this roadblock, the mutiny he faced over the spending deal is foreshadowing what the next Congress could bring — when Republicans will have an even slimmer majority and, after a number of members depart for the Trump administration, will not be able to afford to lose any lawmakers on party-line votes.”

Johnson has 3 main options to avert a shutdown. None of them are looking good. Politico.com article. Pull quote: “Stopgap with a debt limit hike: This is the preferred option of Trump and others — but it requires rank-and-file to walk what has been the third rail of modern GOP politics: Lifting the nation’s borrowing limits. Republicans have twisted themselves into all sorts of pretzels to avoid precisely these sorts of votes over the last decade, preferring to leave it to Democrats.”

Shutdown chances rise as Johnson defers to Trump on a spending plan. Politico.com article. Pull quote: “There’s no final plan yet, as the Louisiana Republican continues to huddle in his office on Thursday with a rotating cross-section of his conference, including members of his leadership team, House Freedom Caucus lawmakers and others. The speaker is assessing various options and running them by Trump world to ensure he has the incoming president’s buy-in before moving forward on another plan, after Trump publicly trashed the spending bill Wednesday and suddenly demanded that lawmakers raise the debt ceiling as well.”

GOP strikes a new spending deal that includes disaster aid and raising the debt limit. Politico.com article. Pull quote: “The plan Johnson is expected to put on the House floor would fund the government through March 14, just like the spending patch he agreed to with Democrats, and also includes the $110 billion disaster aid package mirroring that bipartisan negotiation. But the measure contains a straightforward extension of current "farm bill" policy for food and agriculture programs, along with a simple renewal of expiring health care policy, rather than making changes to those programs and adding new policy like overhauling rules for pharmacy benefit managers.”

Vast Announces Deal with SpaceX to Launch Two Human Spaceflight Missions to the International Space Station. VastSpace.com update. Pull quote: “"Enabling payload and crewed missions to the ISS is a key part of Vast’s strategy, allowing us to further our collaboration with NASA and global space agencies. These missions not only strengthen our expertise in human spaceflight operations and collaboration with NASA, but also position Vast as a leading contender to deliver the next-generation successor to the ISS, advancing the future of human space exploration," said Max Haot, Chief Executive Officer of Vast.”

Freight Car Safety Standards Implementing the Infrastructure Investment and Jobs Act. Federal Register FRA final rule. Summary: “FRA is amending the Freight Car Safety Standards (FCSS) to implement section 22425 of the Infrastructure Investment and Jobs Act (Act). The Act places certain restrictions on newly built freight cars placed into service in the United States (U.S.) including limiting content that originates from a country of concern (COC) or is sourced from a state-owned enterprise (SOE) and prohibiting sensitive technology that originates from a COC or is sourced from a SOE. The Act mandates that FRA issue a regulation to monitor and enforce industry's compliance with the Act's standards.”

US temporarily bans drones in parts of NJ, may use “deadly force” against aircraft. ArsTechnica.com article. Pull quote: “The New Jersey Office of Homeland Security and Preparedness recently released a "drone incidents FAQ" to answer residents' concerns. One question in the FAQ was, "Why can't authorities or the military shoot down or capture a drone midflight?" It answered that "state and local authorities do not have the legal ability to mitigate threatening drone activity at this time" and that "federal agencies and the US military have different legal abilities and technical capabilities."”

Intel Officials Warned Police That US Cities Aren’t Ready for Hostile Drones. Wired.com article. Pull quote: “In the memo obtained by WIRED, DHS displays less confidence in its ability to detect menacing drones. The document, which authorities were instructed not to make public, states that “tactics and technology to evade counter-UAS capabilities are circulated and sold online with little to no regulation.” In reality, the ability of police to track errant drones is hindered by a range of evolving technologies, the memo says, including “autonomous flight, 5G command and control, jamming protection technology, swarming technology, and software that disables geofencing restrictions.””

NASA, Axiom Space Change Assembly Order of Commercial Space Station. NASA.gov article. Pull quote: “Under the company’s new assembly sequence, the Payload, Power, and Thermal Module will launch to the orbiting laboratory first, allowing it to depart as early as 2028 and become a free-flying destination known as Axiom Station. In free-flight, Axiom Space will continue assembly of the commercial destination, adding the Habitat 1 module, an airlock, Habitat 2 module, and the Research and Manufacturing Facility.”

Perchloroethylene (PCE); Regulation Under the Toxic Substances Control Act (TSCA). Federal Register EPA final rule. Summary: “The Environmental Protection Agency (EPA or Agency) is finalizing a rule to address the unreasonable risk of injury to health presented by perchloroethylene (PCE) under its conditions of use. TSCA requires that EPA address by rule any unreasonable risk of injury to health or the environment identified in a TSCA risk evaluation and apply requirements to the extent necessary so that the chemical no longer presents unreasonable risk. EPA's final rule will, among other things, prevent serious illness associated with uncontrolled exposures to the chemical by preventing consumer access to the chemical, restricting the industrial and commercial use of the chemical while also allowing for a reasonable transition period where the industrial and commercial use of the chemical is being prohibited, providing a time-limited exemption for a critical or essential use of PCE for which no technically and economically feasible safer alternative is available, and protecting workers from the unreasonable risk of PCE while on the job.” Effective date: January 17th, 2025.

Updates to New Chemicals Regulations Under the Toxic Substances Control Act (TSCA). Federal Register EPA final rule. Summary: “The Environmental Protection Agency (EPA or the Agency) is amending the new chemicals procedural regulations under the Toxic Substances Control Act (TSCA). These amendments align the regulatory text with the amendments to TSCA's new chemicals review provisions contained in the Frank R. Lautenberg Chemical Safety for the 21st Century Act, enacted on June 22, 2016, will improve the efficiency of EPA's review processes, and update the regulations based on existing policies and experience implementing the New Chemicals Program. This final rule includes amendments that will increase the quality of information initially submitted in new chemicals notices and improve the Agency's processes for timely, effective completion of individual risk assessments and the new chemicals review process overall. EPA is also finalizing several amendments to the regulations for low volume exemptions (LVEs) and low release and exposure exemptions (LoREXs), which will require EPA approval of an exemption notice prior to commencement of manufacture, make per- and polyfluoroalkyl substances (PFAS) categorically ineligible for these exemptions, and provide that certain persistent, bioaccumulative, toxic (PBT) chemical substances are ineligible for these exemptions.”  Effective date: January 17th, 2025.

Boeing Starliner astronauts will return to Earth in March 2025 after new NASA, SpaceX delay. Space.com article. Pull quote: “Adding a fifth Crew Dragon to its fleet will allow SpaceX more versatility in its commercial offerings and NASA some extra flexibility in its mission manifests as well. For instance, had a fifth Dragon been available to launch without disruption to the Crew-9 and Crew-10 missions, it's possible NASA could have utilized such a vehicle to bring Starliner's Wilmore and Williams home at an earlier date.”

HR 10515 Failed in House – Trump Revised CR

After President-Elect Trump objected to the language of HR 10445, Speaker Johnson came up with a new version of the CR that met Trump's requirement, HR 10515 (draft version), the American Relief Act, 2025. The House took up that bill this evening and rejected the revised CR by a vote of 174 to 235. Thirty-five Republicans rejected the leadership's bill along with all but two Democrats. Politico.com is reporting that Democrats rejected the bill because they were left out of the negotiations today.

There were two reasons for the Republican opposition to the bill. First, it was another continuing resolution and there is a hard-core faction that will never support anything but the 12 standard spending bills. The second item was the addition demanded by Trump, the temporary extension of the debt limit (§5106). There are many in the Republican party that would not support such an extension without the inclusion of spending limits.

There is an outside chance that Johnson will bite the bullet and bring HR 10445 to the floor for a vote. There will be fewer Republican votes, but there will be a large number of Democrats that would support that bill, perhaps enough to reach the supermajority required for passage under suspension of the rules. The number of Republican votes will depend on individuals weighing the Trump/Musk threats versus being held responsible for a holiday government shutdown.

Regardless of what happens with the spending deadline, the Republicans have a real problem facing them on January 3rd when the House convenes for the 119th Congress. It is now obvious to even the most hopeful observer that Johnson will not be able to get 217 votes for Speaker in the opening vote. Too many people are upset with the way this CR issue was dealt with. And it does not look like Johnson is a good enough horse trader to get the requisite votes even further down the line. A bigger problem is the Party has no realistic backup candidate that can do any better. There are just too many bitter feelings and divergent views of where the Party should be going. January 2025 is going to be interesting, even before the 20th.

Review – 8 Advisories Published – 12-19-24

Today CISA’s NCCIC-ICS published seven control system security advisories for products from Schneider Electric (2), Tibbo, Siemens, Delta Electronics, and Hitachi Energy (2). They also published a medical device security advisory for products from Ossur.

Advisories

Schneider Advisory #1 - This advisory describes a cross-site scripting vulnerability in multiple Schneider Modicon Controllers.

Schneider Advisory #2 - This advisory describes a classic buffer overflow vulnerability in the Schneider Accutech Manager product.

Tibbo Advisory - This advisory describes an unrestricted upload of file with dangerous type vulnerability in the Tibbo AggreGate Network Manager.

Siemens Advisory - This advisory describes a heap-based buffer overflow vulnerability in the Siemens User Management Component.

Delta Advisory - This advisory describes a deserialization of untrusted data vulnerability in the Delta DTM Soft product.

Hitachi Energy Advisory #1 - This advisory describes two vulnerabilities in the Hitachi Energy SDM600 product.

Hitachi Energy Advisory #2 - This advisory describes a classic buffer overflow vulnerability in the Hitachi Energy RTU500 series CMU.

Ossur Advisory - This advisory describes three vulnerabilities in the Ossur Logic Mobile Application.

 

For more information about these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/8-advisories-published-12-19-24 - subscription required.

Bills Introduced – 12-18-24

Yesterday, with both the House and Senate in session, there were 82 bills introduced. Two of those bills would be expected to receive additional coverage in this blog if there were time left in the session for actions to be taken on the bills:

 

HR 10483 To amend the Safe Drinking Water Act to provide grants under the Drinking Water Infrastructure Risk and Resilience Program for training programs relating to protecting public water systems from and responding to cyberattacks, and for other purposes. Gallego, Ruben [Rep.-D-AZ-3]

S 5600 A bill to authorize programs for the National Aeronautics and Space Administration for fiscal year 2025, and for other purposes. Cantwell, Maria [Sen.-D-WA]

OMB Approves HIPAA Security NPRM

Yesterday OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a notice of proposed rulemaking from HHS’s Office for Civil Rights (OCR) on “Proposed Modifications to the HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information”. This NPRM was sent to OIRA on October 18th, 2024.

According to the Fall 2024 Unified Agenda entry for this rulemaking:

“This rule will propose modifications to the Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). These modifications will improve cybersecurity in the health care sector by strengthening requirements for HIPAA regulated entities to safeguard electronic protected health information to prevent, detect, contain, mitigate, and recover from cybersecurity threats.”

The Fall 2024 Unified Agenda has included expanded supporting information on rulemakings, including entries for ‘Statement of Need’, ‘Summary of the Legal Basis’, and ‘Alternatives’. The ‘Statement of Need’ comment for this rulemaking is of potential interest:

“In February 2003, the HIPAA Security Rule established standards for the security of electronic protected health information (ePHI) to be implemented by HIPAA covered entities and, by amendment of the HITECH Act, their business associates (collectively, "regulated entities"). Prior to the HIPAA Security Rule, standard security measures did not exist in the health care industry to address the security of ePHI while stored and exchanged between entities. Since 2003, the Department has received recommendations from the National Committee on Vital and Health Statistics (NCVHS), an advisory committee to the Secretary of HHS, and the public to update and strengthen security standards to protect ePHI, especially in light of newer threats not previously contemplated in 2003 such as ransomware. Additionally, the Department has reviewed media reports advocating the strengthening of protections provided by the HIPAA Security Rule as well as a report from a U.S. Senator advocating for modernizing HIPAA to increase protections of ePHI in the face of current cyber threats.”

It will be interesting to see if this NPRM specifically addresses security requirements for medical devices that store or transmit ePHI.

CISA Sends EO 14117 Restricted Transactions Notice to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice from CISA on “Security Requirements for Restricted Transactions Under Executive Order 14117”.

This action was not listed in the Fall 2024 Unified Agenda. Looking at EO 14117, however, this notice is almost certainly that required by §2(d):

“(d) The Secretary of Homeland Security, acting through the Director of the Cybersecurity and Infrastructure Security Agency, shall, in coordination with the Attorney General and in consultation with the heads of relevant agencies, propose, seek public comment on, and publish security requirements that address the unacceptable risk posed by restricted transactions, as identified by the Attorney General pursuant to this section. These requirements shall be based on the Cybersecurity and Privacy Frameworks developed by the National Institute of Standards and Technology.”

Wednesday, December 18, 2024

Short Takes – 12-18-24

FBI Warns of HiatusRAT Attacks on Cameras, DVR Systems. SecurityWeek.com article. Pull quote: “They used the Ingram scanning tool to mainly target Xiongmai and Hikvision devices with telnet access in the Five Eyes intelligence alliance countries, looking for those impacted by vulnerabilities such as CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, and CVE-2021-36260.”
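The activity described in that quote (scanning for camera and DVR hosts that answer on telnet) is something a defender can look for on their own perimeter before worrying about the individual CVEs. The following is an added example, not code from the SecurityWeek article or the FBI notice: it walks a handful of constructed firewall log lines, counts how many distinct hosts in a camera/DVR subnet each external source has probed on TCP/23, and separately lists any camera host whose telnet port actually accepted a connection. The key=value log format, the camera subnet (10.20.30.0/24), the internal address ranges, and the scan threshold are all assumptions for the demo.

```python
"""Flag telnet (TCP/23) scanning against a camera/DVR subnet in firewall logs.

Added example; not from the article or the FBI notice. The log format,
subnet, internal ranges and threshold are assumptions, and the sample
log lines below are constructed for the demonstration.
"""
import ipaddress
import re
from collections import defaultdict

# Assumption: cameras and DVRs live in this management subnet.
CAMERA_NET = ipaddress.ip_network("10.20.30.0/24")
# Assumption: anything from these ranges is our own management traffic.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
TELNET_PORT = 23
# Assumption: one external source touching this many distinct camera hosts
# on TCP/23 within the log window is treated as a scan.
SCAN_THRESHOLD = 3

# Assumed key=value line format (iptables/ufw-style fields); adjust to taste.
LINE_RE = re.compile(
    r"action=(?P<action>ACCEPT|DROP)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict of the fields we care about, or None for non-matching lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "action": m.group("action"),
        "proto": m.group("proto"),
        "src": ipaddress.ip_address(m.group("src")),
        "dst": ipaddress.ip_address(m.group("dst")),
        "dport": int(m.group("dport")),
    }


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def analyze(lines):
    """Return (scanners, exposed).

    scanners: {external src -> sorted camera hosts it probed on TCP/23},
              only for sources at or above SCAN_THRESHOLD distinct targets.
    exposed:  sorted camera hosts where an external TCP/23 connection was ACCEPTed,
              i.e. telnet is reachable from outside regardless of who scanned.
    """
    targets_by_src = defaultdict(set)
    exposed = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != TELNET_PORT:
            continue                      # not a TCP/23 event
        if rec["dst"] not in CAMERA_NET:
            continue                      # not aimed at the camera subnet
        if is_internal(rec["src"]):
            continue                      # our own management traffic
        targets_by_src[rec["src"]].add(rec["dst"])
        if rec["action"] == "ACCEPT":
            exposed.add(rec["dst"])
    scanners = {
        str(src): sorted(str(d) for d in dsts)
        for src, dsts in targets_by_src.items()
        if len(dsts) >= SCAN_THRESHOLD
    }
    return scanners, sorted(str(d) for d in exposed)


# Constructed sample log (not real traffic): one source sweeps four camera
# hosts on TCP/23, one of which accepts; a second source hits only one host.
SAMPLE_LOG = [
    "Dec 18 03:14:01 fw kernel: action=DROP proto=TCP src=203.0.113.45 dst=10.20.30.11 dport=23",
    "Dec 18 03:14:01 fw kernel: action=DROP proto=TCP src=203.0.113.45 dst=10.20.30.12 dport=23",
    "Dec 18 03:14:02 fw kernel: action=ACCEPT proto=TCP src=203.0.113.45 dst=10.20.30.13 dport=23",
    "Dec 18 03:14:02 fw kernel: action=DROP proto=TCP src=203.0.113.45 dst=10.20.30.14 dport=23",
    "Dec 18 03:14:03 fw kernel: action=DROP proto=TCP src=203.0.113.45 dst=10.20.30.50 dport=80",
    "Dec 18 03:14:03 fw kernel: action=DROP proto=TCP src=203.0.113.45 dst=10.99.0.3 dport=23",
    "Dec 18 03:20:10 fw kernel: action=ACCEPT proto=TCP src=198.51.100.7 dst=10.20.30.13 dport=23",
    "Dec 18 03:21:00 fw kernel: action=ACCEPT proto=TCP src=10.20.1.5 dst=10.20.30.11 dport=23",
    "Dec 18 03:22:00 fw kernel: action=ACCEPT proto=UDP src=203.0.113.45 dst=10.20.30.15 dport=23",
]

if __name__ == "__main__":
    scanners, exposed = analyze(SAMPLE_LOG)
    for src, hosts in scanners.items():
        print(f"telnet scan from {src}: {len(hosts)} camera hosts probed: {', '.join(hosts)}")
    for host in exposed:
        print(f"telnet reachable from outside on {host}; disable it or firewall it")
```

The exposure list is the actionable part: a camera that answers telnet to the Internet is a target whether or not its firmware carries one of the CVEs named in the quote, and turning telnet off (or blocking TCP/23 at the edge) removes the foothold the scan is looking for. The CVE list is the separate, patch-level check.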

NASA astronauts stuck in space after Boeing spaceship hit new delay. TheHill.com article. Pull quote: ““NASA’s SpaceX Crew-10 now is targeting no earlier than late March 2025 to launch four crew members to the International Space Station,” NASA said in a release.”

Congress strikes deal to avert government shutdown. TheHill.com article. Pull quote: “Johnson said the goal was for “a very simple, very clean” stopgap funding plan “to get us into next year when we have a unified government.” But he added that “acts of God,” such as hurricanes, required disaster aid and other additions to the package.” Morning story.

Trump, Vance call for streamlined CR and debt ceiling debate. Politico.com article. Pull quote: “Trump said later in a post on Truth Social that he would primary any Republican who supported the original temporary funding bill that included the Democrat requests. He said it would “bring the mess of the Debt Limit" to his administration.” Evening story.

Johnson considers plan B amid Trump World opposition to spending deal. TheHill.com article. Pull quote: “The back-up option Johnson is examining is a “clean” continuing resolution, two sources familiar with the matter told The Hill. That would entail dropping the additional provisions that were included in the initial 1,500-page spending package negotiated by congressional leaders, including disaster aid and economic assistance for farmers.”

Axiom Space Accelerates Axiom Station Assembly. AxiomSpace.com press release. Pull quote: ““The result – free-flight capability after the launch and berthing of PPTM,” Greeley explained, “allowing us to add modules while on orbit once we have separated from station. Our goal is to ensure a smooth transition from a government to a commercial platform, maintaining a continuous human presence on orbit to serve a community of global customers and partners, to include NASA.””

S 3959 Passed in House – TWIC-HME Applications

This afternoon the House took up S 3959 [removed from paywall], the Transportation Security Screening Modernization Act, under the suspension of the rules process. After nine minutes of debate, the House passed the bill by a voice vote. The legislation now goes to the President; Biden is expected to sign the bill, almost certainly before Christmas.

The bill would require the TSA to take actions (potentially including issuing an interim final rule) to streamline the procedures for individuals applying for or renewing enrollment in more than one TSA security threat assessment program, in particular, the TWIC and HAZMAT Endorsement programs. No new funding is authorized by the legislation.

Bills Introduced – 12-17-24

Yesterday, with both the House and Senate in session (and looking forward to the fast approaching end of the 118th Congress), there were 64 bills introduced. Five of those bills will (or would, if sufficient time remained to take any action) receive additional coverage in this blog:

HR 10445 Further Continuing Appropriations and Disaster Relief Supplemental Appropriations Act, 2025 Cole, Tom [Rep.-R-OK-4]

HR 10446 Disaster Offset and Government Efficiency Act Roy, Chip [Rep.-R-TX-21] 

HR 10455 To direct the Secretary of Health and Human Services to establish the Health Sector Cybersecurity Coordination Center, and for other purposes. Kelly, Robin L. [Rep.-D-IL-2] 

HR 10464 To amend chapter 511 of title 51, United States Code, to modify the authority for space transportation infrastructure modernization grants, and for other purposes. Strong, Dale W. [Rep.-R-AL-5]

S 5556 A bill to require a solid rocket motor industrial base strategy. Cornyn, John [Sen.-R-TX]

HR 10464 and S 5556 are being added as part of my Space Geek coverage.

Short Takes – 12-18-24 – Drone-gate Issue

Too much stuff here for pull quotes on all of the articles from just TheHill.com this week:

 

Rep. Carlos Giménez: ‘Drones pose a threat,’ feds don’t know anything. TheHill.com article.

Nancy Mace says mysterious drones could be from ‘outer space’. TheHill.com article.

Biden says there’s ‘no sense of danger’ from drones. TheHill.com article.

John Kirby drone statement ‘very misleading at best’: New Jersey rep. TheHill.com article.

Drone sightings a combination of ‘lawful’ drones, other aircraft and stars, officials say. TheHill.com article.

WH: Drones not national security risk, argues administration has made ‘good faith effort’ to be transparent. TheHill.com article.

Evening Report — Washington presses for answers on drone sightings. TheHill.com article.

NJ governor asks Biden for more federal resources on drone sightings. TheHill.com article.

‘Patience is getting very thin’: New Jersey rep releases drone action plan. TheHill.com article.

Why shooting down mystery drones carries big risks. TheHill.com article.

 

But it isn’t just lawmakers getting up in arms, industry has concerns as well:

 

Congress Must Act Now on Drone Security. AmericanChemistry.com press release.

BIS Sends ICTS Final Rule for Connected Vehicles to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a final rule from the DOC’s Bureau of Industry and Security (BIS) on “Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles”. The advance notice of proposed rulemaking (ANPRM) was published on March 1st, 2024.

According to the Fall 2024 Unified Agenda entry for this rulemaking:

“The Department of Commerce’s Bureau of Industry and Security (BIS) published an advance notice of proposed rulemaking (ANPRM) on March 1, 2024, to seek public comment on questions related to transactions involving information and communications technology and services integral to connected vehicles that are designed, developed, manufactured, or supplied by persons owned, controlled, or subject to the jurisdiction or direction of foreign governments or foreign non-government persons identified at 15 CFR 7.4, pursuant to Executive Order (E.O.) 13873. BIS is reviewing comments and working to implement a proposed rule to assist BIS in better determining the technologies and market participants most appropriate for regulation pursuant to E.O. 13873 regarding connected vehicles.”

Records show that a notice of proposed rulemaking on this topic was submitted to OIRA on August 20th, 2024 and approved by that agency on September 19th, 2024, but no such NPRM has been published in the Federal Register. I suspect that the documents submitted to OIRA were supposed to be for a revised NPRM not a final rule.

Tuesday, December 17, 2024

Short Takes – 12-17-24

Democrats divided over Biden administration response to reported drone sightings. TheHill.com article. Pull quote: “Such assurances have done little to assuage public concerns that something more nefarious is afoot. Those fears have been fueled by allegations from some Capitol Hill lawmakers that foreign adversaries are sending armies of drones over U.S. airspace to collect intelligence — or worse.”

Mountains of unused coal causing financial headaches for US power sector: Report. TheHill.com article. Pull quote: “Given the buildup in coal stockpiles, the authors warned that at a certain point, power providers will buy a lot less of the resource from coal producers.”

Japanese company ispace plans to land helium-3 mining missions on the moon. Space.com article. Pull quote: “Magna Petra, meanwhile, says this type of technology demonstration will allow the company to proceed on a "rapid timeline to validate, capture and return" the large quantities of helium-3 it hopes to eventually deliver back to Earth.”

Trichloroethylene (TCE); Regulation Under the Toxic Substances Control Act (TSCA). Federal Register EPA final rule. Summary: “The Environmental Protection Agency (EPA or Agency) is finalizing a rule to address the unreasonable risk of injury to health presented by trichloroethylene (TCE) under its conditions of use. TSCA requires that EPA address by rule any unreasonable risk of injury to health or the environment identified in a TSCA risk evaluation and apply requirements to the extent necessary so that the chemical no longer presents unreasonable risk. EPA's final rule will, among other things, prevent serious illness associated with uncontrolled exposures to the chemical by preventing consumer access to the chemical, restricting the industrial and commercial use of the chemical while also allowing for a reasonable transition period with interim worker protections in place where an industrial and commercial use of the chemical is being prohibited, and provide time-limited exemptions for critical or essential uses of TCE for which no technically and economically feasible safer alternatives are available.” Effective date: January 16th, 2025.

Implementing the Whistleblower Provisions of the Vehicle Safety Act. Federal Register NHTSA final rule. Summary: “This final rule addresses an important source of motor vehicle safety information and fulfills a requirement in the Motor Vehicle Safety Whistleblower Act (Whistleblower Act) that NHTSA promulgate regulations on the requirements of the Act, in complement to NHTSA's existing whistleblower program. The Whistleblower Act authorizes the Secretary of Transportation to pay an award, subject to certain limitations, to eligible whistleblowers who voluntarily provide original information relating to any motor vehicle defect, noncompliance, or any violation or alleged violation of any notification or reporting requirement, which is likely to cause unreasonable risk of death or serious physical injury, if the information provided leads to the successful resolution of a covered action. This final rule defines certain terms important to the operation of the whistleblower program, outlines the procedures for submitting original information to NHTSA and applying for awards, discusses NHTSA's procedures for making decisions on award applications, and generally explains the scope of the whistleblower program to the public and potential whistleblowers.”

Extension of Agency Information Collection Activity Under OMB Review: Sensitive Security Information Threat Assessment Application. Federal Register TSA 30-day ICR renewal notice. Summary: “Pursuant to the requirements in Section 525(d) of the DHS Appropriations Act, 2007, Public Law 109-295 (120 Stat 1355, 1382, Oct. 4, 2006), as reenacted, TSA must establish a process by which a party seeking access to SSI in a civil proceeding in federal district court can make a request to receive a record designated as SSI. TSA's process applies to parties who demonstrate a substantial need for relevant SSI in preparation of the party's case and not having the record would create an undue hardship to obtain the substantial equivalent of the information by other means. Under this process, the party's representative may request and be granted conditional access to the SSI at issue in the case. TSA may grant court reporters and experts access to the SSI under similar terms and conditions.”

ESCAPADE looking at 2025 and 2026 launch options. SpaceNews.com article. Pull quote: “Those new launch opportunities involve complex trajectories compared to the direct flight to Mars available during traditional launch windows. He showed several options for launch opportunities in late 2025 and early 2026 that involved what he described as a “kidney bean-shaped dance” around the Earth-sun L-2 Lagrange point before doing an Earth gravity assist to head off to Mars.”

Congress strikes deal on $100B in disaster aid and punting funding into March, House GOP leaders say. Politico.com article. Pull quote: “The inclusion of a policy that would approve increased ethanol sales is a major win for Republicans in corn states, and a large group of GOP senators strongly backed the move, helping Midwest Republicans in the House push the measure into the package. But many House conservatives, who had urged Johnson to forgo the policy and overwhelmingly oppose ethanol subsidies, are livid about its inclusion.”

FY 2025 December CR and Offset

This evening two bills were added to the Congress.gov Bills This Week web page:

Further Continuing Appropriations and Disaster Relief Supplemental Appropriations Act, 2025, and

Disaster Offset and Government Efficiency Act

They will be included in the list of bills introduced today (to be published tomorrow morning).

The first bill, offered by Rep Cole (R,OK), could fairly be called the Omnibus Continuing Resolution. In addition to amending The Continuing Appropriations Act, 2025 (PL 118-47) and extending current spending until March 14, 2025 {§101(2)}, the bill provides additional spending for specific programs and includes a number of policy changes, updates, and reauthorizations. Unfortunately, it does not provide a reauthorization for the CFATS program. More details later.

The second bill, offered by Rep Roy (R,TX) would partially offset some of the new spending provided in the CR by amending 2 USC 901(c)(10)(B), changing the non-security discretionary spending limit for FY 2025 from $710,688,000,000 to $597,000,000,000 (a $113,688,000,000, or 16%, reduction). It would also remove an unspecified dollar amount of ‘unobligated funds made available by section 101(e) of the Fiscal Responsibility Act of 2023 (Public Law 118–5 [link added]) for the Department of Commerce Nonrecurring Expenses Fund’.

There is nothing in tomorrow’s House Schedule concerning these two bills beyond the vague “Additional legislative items are possible.” House rules require 72 hours between publication of the bill and a vote, but rules can be waived. Ideally (from the perspective of a Friday midnight shutdown deadline) the House would take up this bill under the suspension of the rules process tomorrow and the Senate would take it up with a final vote on Friday.

There is no way that this CR would pass with strictly Republican votes, so consideration under a rule is not possible. There is enough stuff added to get the necessary super majority under the suspension of the rules process. But, all of those additions, especially (but not limited to) the new spending, are enough to really upset ('piss off' in cruder terms) Roy and the Republican fringe (and some not-so-fringe Republicans), possibly enough to endanger Rep Johnson’s election as Speaker next month. That is the reason for the offset bill; Johnson will give Roy a vote on that bill (again under the suspension process), but there is no way that vote will get sufficient Democratic votes (and it might lose some moderate Republican votes) to pass. So, it is not clear that the vote will be sufficient to ease the anger of the fringe. The first week in January 2025 could make 2023 look simple.

Review – 5 Advisories Published – 12-17-24

Today CISA’s NCCIC-ICS published four control system security advisories for products from Schneider Electric, Rockwell Automation, Hitachi Energy, and ThreatQuotient. They also published a medical device security advisory for products from BD.

Advisories

Schneider Advisory - This advisory describes an improper input validation vulnerability in the Schneider Modicon PLCs.

Hitachi Energy Advisory - This advisory describes an improper input validation vulnerability in the Hitachi Energy TropOS devices.

Rockwell Advisory - This advisory describes three vulnerabilities in the Rockwell PowerMonitor 1000 Remote products.

ThreatQuotient Advisory - This advisory describes a command injection vulnerability in the ThreatQuotient ThreatQ Platform.

BD Advisory - This advisory describes a use of default credentials vulnerability in multiple BD Diagnostic Solutions products.

 

For more information on these vulnerabilities, including links to 3rd party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-advisories-published-12-17-24 - subscription required.

Review - Fall 2024 Unified Agenda – PHMSA HAZMAT

This is part of a continuing look at the Fall 2024 Unified Agenda that was published last week by the Biden Administration.

Fall 2024 Unified Agenda – DHS Rulemakings

Fall 2024 Unified Agenda – FAA and UAS

The DOT portion of the Unified Agenda lists 222 rulemakings for the Department. Of those, 28 rulemakings are associated with the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA). Hazardous Materials (HAZMAT) rules account for 15 of those rulemakings. There is one additional HAZMAT rulemaking listed in the DOT’s Long Range Actions portion of the Agenda.

Commentary

Trump’s nominee for DOT Secretary (still way too early for a PHMSA Administrator to be named), Sean Duffy (former congressman from Wisconsin), has some familiarity with the legislative and regulatory process, so I suspect that we will see DOT continue the rulemaking processes, especially those associated with updating regulatory requirements. People who work in government have a tendency to believe that the government has a duty to protect industry and/or the people; they would not be in government if that were not true.

The rules in the next four years will be more careful in their application of new costly mandates on industry. But, when necessary, regulators will be able to convince the political appointees to go along with necessary regulatory requirements.

 

For more information on these rulemakings, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/fall-2024-unified-agenda-e9f - subscription required.

Monday, December 16, 2024

Short Takes – 12-16-24

Lawmakers struggle to reach deal to avert government shutdown. TheHill.com article. Pull quote: “Key players had indicated this week that the forthcoming CR, which keeps the government funded at current levels, would also include another one-year extension of the 2018 farm bill, as both sides have struggled to agree on a longer-term plan. But lawmakers had also ramped up talks of potential add-ons to provide economic assistance for farmers as part of the broader funding plan.” (Morning’s story)

Funding meltdown foreshadows Johnson’s tough year ahead. Politico.com article. Pull quote: “Congressional leaders on Monday were circling a final funding deal with $10 billion in economic aid for farmers as part of the agreement, possibly up to $12 billion depending on what Republicans agree to on Democratic demands in return. House Majority Leader Steve Scalise (R-La.) told reporters Monday morning that leaders may be able to release the text of the massive bill in the coming hours, but he stressed that nothing was final yet.” (This evening’s story)

Request for Comment on the National Cyber Incident Response Plan Update. Federal Register CISA request for comments. NCIRP Update: “The NCIRP Update is being led by CISA through the Joint Cyber Defense Collaborative (JCDC), a public-private cybersecurity collaborative established by CISA to unite the global cyber community in the collective defense of cyberspace. The JCDC leverages joint cyber planning authorities granted to the agency by Congress in the 2021 National Defense Authorization Act (codified at 6 U.S.C. 665b). The update addresses changes in the cyber threat and operations landscape by incorporating feedback and lessons learned from stakeholders to make the updated NCIRP more fully inclusive across non-federal stakeholders—further establishing a foundation for continued improvement of the nation's response to significant cyber incidents.” Comments due January 15th, 2025. This is a short comment period given the holidays.

Italy kicks off project to develop small nuclear reactors to power moon settlements. InterestingEngineering.com article. Pull quote: “The key objective of the ASI’s project is the study of innovative technological solutions for the creation and management of an energy infrastructure Moon Energy Hub (MEnH), which gravitates around the use of SNRs, a solution that promises to overcome the limits of traditional energy technologies, such as radio-isotope systems and solar panels. The latter, although used until now, have shown inefficiencies, poor scalability, short operational life, and weakness (as per cosmic radiation).”

ULA pitches ‘space interceptor’ role for Vulcan rocket’s upper stage. SpaceNews.com article. Pull quote: “Bruno has long advocated expanded capabilities for the Centaur upper stage. In 2020, he outlined plans for an enhanced Centaur V featuring increased energy, thrust, and duration capabilities to enable complex trajectories and ambitious future missions. More recently, he has promoted a “high-performance, long-duration” version that could operate for days or weeks in support of U.S. military operations.”

Review - Siemens Publishes Out-of-Zone Advisory – 12-16-24

Today, Siemens published a control system security advisory, almost a week after their regularly scheduled, monthly release of security advisories and updates. This is the third out-of-zone publication in that week.

UMC Advisory - This advisory describes a heap-based buffer overflow vulnerability in the User Management Component (UMC) used by multiple Siemens products.

 

For more information on this advisory, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/siemens-publishes-out-of-zone-advisory-197 - subscription required.

Review - Fall 2024 Unified Agenda – FAA and UAS

Last week the Biden Administration published their Fall 2024 Unified Agenda. The Department of Transportation portion of that Agenda lists 35 rulemakings being considered by the Federal Aviation Administration. Four of those rulemakings address the operations of uncrewed aircraft systems. One additional rulemaking is listed under the FAA listings on the DOT long term agenda. The Pipeline and Hazardous Materials Safety Administration (PHMSA) also has one UAS related rulemaking listed in the Unified Agenda.


Each individual rulemaking listed in the Unified Agenda has a link to a file about that proposed rule. That file includes such information as:

An abstract describing rulemaking,

CFR and USC citations for the proposed regulations,

Legal deadlines (which are seldom if ever enforced),

The aspirational timeline for the next step in the regulatory process, and

Point of contact information at the agency.

Commentary

I do not see anything in any of these rulemakings that would specifically run afoul of the anti-regulatory aspirations of the incoming Trump Administration. I would expect that there would be some minor differences in some of the details from what we would have seen if Harris had been elected. The big difference will be the timing; I would not expect a big push to quickly move any of these regulations across the finish line even though various industrial partners (especially the chemical process industry) will be pushing for the facility registration rulemaking. Still, the people surrounding Trump have a natural mistrust of government regulations, so quick movement is not to be expected.

 

For more information on the Fall 2024 Unified Agenda and the UAS, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/fall-2023-unified-agenda-faa-and-e3c - subscription required.


 