Monday, October 28, 2024

Short Takes – 10-28-24 – Space Geek Edition

AST SpaceMobile Successfully Completes Unfolding of First Five Commercial Satellites in Low Earth Orbit. BusinessWire.com press release. Pull quote: “AST SpaceMobile’s technology features large, phased array antennas supported by over 3,450 patent and patent-pending claims. This innovative design aims to extend cellular coverage globally, eliminating dead zones and delivering space-based cellular broadband connectivity to underserved regions. These advanced phased arrays, the largest ever deployed commercially in low Earth orbit, connect directly to standard smartphones at broadband speeds. This eliminates the need for specialized equipment, enabling seamless use with existing mobile phones while enhancing and complementing mobile operator networks.”

Starship Super Heavy booster came within one second of aborting first “catch” landing. SpaceNews.com article. Pull quote: ““We’re not taking as much time as we might ideally want to have a very luxurious, like really study everything,” one person said. “But given that that is the first launch in a long time — well, really, ever — that we’ve not been FAA driven, we’re trying to go do a reasonable balance of speed and risk mitigation on the booster, specifically.””

NASA Astronaut Leaves Hospital After ‘Medical Issue’ That Followed Return From Space. NYTimes.com article (free). Still no information about what constituted the ‘medical issue’. Pull quote: “Later in the day, NASA issued an update saying that all four astronauts had been taken to a Pensacola hospital as a precaution. Another update in the afternoon said three of the astronauts had returned to Houston.”

SpaceX has caught a massive rocket. So what’s next? ArsTechnica.com article. A look at what a successful Starship timeline would look like. Pull quote: “Critics of the Starship architecture say it is inefficient because of the mass refueling that must occur in low-Earth orbit for the spacecraft to travel anywhere. For example, fully topping off a Starship that can land humans on the Moon and return them to lunar orbit may take a dozen or more tanker flights. But this only seems stupidly impractical under the old space paradigm, in which launch is expensive, scarce, and unreliable. Such criticism seems less salient if we imagine SpaceX reaching the point of launching a dozen Starships a week or more in a few years.”

Review – PHMSA Publishes Modal Hazmat Update NPRM

Today, DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) published a notice of proposed rulemaking (NPRM) in the Federal Register (89 FR 85590-85683) on “Hazardous Materials: Advancing Safety of Highway, Rail, and Vessel Transportation”. This NPRM proposes the revision of the Hazardous Materials Regulations to adopt several modal-specific amendments that would enhance the safe transportation of hazardous materials in commerce. It is based, in part, on industry rulemaking petitions.

PHMSA is soliciting public comments on these proposed rule changes. Comments may be submitted via the Federal eRulemaking Portal {www.Regulations.gov; Docket # PHMSA-2018-0080 (HM-265)}. Comments should be submitted by January 27th, 2025.


For more information about the proposed changes that would be made in this NPRM, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/phmsa-publishes-modal-hazmat-update - subscription required.

Saturday, October 26, 2024

Short Takes – 10-26-24

Proportional Representation Could Reduce the Risk of Political Violence in the U.S. JustSecurity.org article. Interesting viewpoint, but it does not address the lack of governmental stability in many proportional-representation States. Pull quote: “Where winner-take-all systems tend to ossify political conflict into repeated contests between the same two dominant “camps,” multiparty coalitions shift over time. Critically, a group of scholars recently determined—based on data from 77 elections across 19 Western democracies between 1996 and 2017—that governing coalitions formed in proportional systems can help defuse partisan hostility in a way not possible with disproportional systems like the one in the United States.”

US Copyright Office “frees the McFlurry,” allowing repair of ice cream machines. ArsTechnica.com article. New DMCA 3-year exemption. Pull quote: “"The Register [of Copyrights] recommends adopting a new exemption covering diagnosis, maintenance, and repair of retail-level commercial food preparation equipment because proponents sufficiently showed, by a preponderance of the evidence, adverse effects on the proposed noninfringing uses of such equipment," the Register's findings said.”

NASA’s SpaceX Crew-8 Astronaut Returns to Houston. Blogs.NASA.gov blog post. Returning astronaut released from hospital. Pull quote: “As part of NASA’s SpaceX Crew-8 mission, the astronaut was one of four crewmates who safely splashed down aboard their SpaceX Dragon spacecraft near Pensacola on Oct. 25. The crew members completed a 235-day mission, 232 days of which were spent aboard the International Space Station conducting scientific research.”

Space shots: A tangled web of speculation surrounds Boeing, Blue Origin and Bezos. GeekWire.com article. Pull quote: “Any of those strategies would be a big step for Bezos’ space venture, which already has its hands full with New Glenn, Orbital Reef, the New Shepard suborbital space program and the Blue Moon lunar lander that’s being built for NASA’s use. But as Boeing’s executives consider how it might pare down its unprofitable lines of business, it’s worth watching what Blue Origin is doing as well.”

CRS Reports – Week of 10-19-24 – Typhoon Hacks

This week the Congressional Research Service (CRS) published a report on “Salt Typhoon Hacks of Telecommunications Companies and Federal Response Implications”. This report does not address the tools, techniques and tactics used by the apparently Chinese hacking groups behind the Volt, Flax, and Salt Typhoon attacks on communications sector targets. Rather, it briefly looks at the federal response to those attacks and then provides a discussion of activities that Congress might wish to consider to address the recent/current attacks and make future such attacks more difficult.

Specifically, it looks at issues related to:

• The Cyber Unified Coordination Group (Cyber UCG) that is (apparently) currently looking at the attacks,

• The Cyber Safety Review Board that has looked at similar large-scale attacks, and

• The cyber preparedness activities that CISA is supposed to undertake to prevent, protect, respond, and recover from such threats.

The first two activities are not specifically authorized (or funded) by Congress, but the report notes that Congress may wish to take actions to rectify that lack of official status.

Chemical Incident Reporting – Week of 10-19-24

NOTE: See here for series background.

DONALDSONVILLE, La – 9-18-24

Local News Reports: Here, here, and here.

A railroad derailment resulted in a spill of cyanuric acid, a non-hazardous, white chemical solid. No injuries were reported. No damage estimates have been provided.

Not CSB reportable – this is a transportation related accident which would be investigated (if necessary) by the NTSB.

Excelsior Springs, MO – 10-16-24

Local News Reports: Here, here, and here.

One person died after an explosion and fire at an auto repair facility. The explosion occurred when a cutting torch was used to open a chemical drum.

CSB reportable.

Waller County, TX – 10-16-24

Local News Reports: Here, here, and here.

A fire at a propane packaging facility led to multiple explosions and a 30-acre grass fire around the facility. One person was transported to hospital.

Possible CSB reportable.

Auburn, ME – 10-18-24

Local News Reports: Here, here, and here.

A hose broke at a metal manufacturing facility splashing nitric acid (or ‘nitrogen oxide’ in one story) on two workers. Both were transported to the hospital, treated and released. A small fire also occurred in the area of the release.

Not CSB Reportable.

Highland Lakes, TX – 10-21-24

Local News Reports: Here, here, and here.

Aluminum sulfate was mistakenly loaded into a sodium hypochlorite storage tank at a water treatment facility. Chlorine gas was released from the tank as a result. Facility neighbors were ordered to shelter in place. No injuries or damages were reported.

Not CSB reportable.

OMB Approves EPA Final Rule on PBTC

Yesterday, OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rule from the EPA on “Decabromodiphenyl Ether and Phenol, Isopropylated Phosphate (3:1); Revision to the Regulations of Persistent, Bioaccumulative, and Toxic Chemicals Under the Toxic Substances Control Act (TSCA)”. The final rule was sent to OIRA on July 26th, 2024. The notice of proposed rulemaking was published on November 24th, 2023.

According to the Spring 2024 Unified Agenda entry for this rulemaking:

“The Environmental Protection Agency (EPA) is proposing revisions to the regulations for decabromodiphenyl ether (decaBDE) and phenol, isopropylated phosphate (3:1) (PIP (3:1)), two of the five persistent, bioaccumulative, and toxic (PBT) chemicals addressed in final rules issued under the Toxic Substances Control Act (TSCA) in January 2021. After receiving additional comments following the issuance of the 2021 PBT final rules, the Agency has determined that revisions to the decaBDE and PIP (3:1) regulations are necessary to address implementation issues and to reduce further exposures. As required under TSCA, these proposed requirements would, if finalized, reduce the potential for exposures to humans and the environment to decaBDE and PIP (3:1) to the extent practicable. The Agency is not proposing to revise the existing regulations for the other three PBT chemicals (2,4,6-TTBP, HCBD, and PCTP) at this time.”

I will not be covering this final rule in any detail, but at the very least I will be announcing the publication in the appropriate ‘Short Takes’ post when it is published.

Review – Public ICS Disclosures – Week of 10-19-24

This week we have 11 vendor disclosures from ABB, Endress+Hauser, HP (2), HPE (5), Rockwell, and Xerox. We also have eight vendor updates from FortiGuard (2), HP (2), HPE (2), Moxa, and VMware. There are eight researcher reports for vulnerabilities in products from ABB (4), EmbedThis (3), and LAWO. Finally, we have an exploit for products from Rittal.

Advisories

ABB Advisory - ABB published an advisory that describes an improper verification of cryptographic signature vulnerability in multiple ABB products.

Endress+Hauser Advisory - CERT-VDE published an advisory that discusses five vulnerabilities in the Endress+Hauser Netilion Network Insights products.

HP Advisory #1 - HP published an advisory that discusses six vulnerabilities in their Intel 2024.3 IPU – Chipset Firmware used in multiple HP product lines.

HP Advisory #2 - HP published an advisory that discusses the PixieFail vulnerabilities in the EDK2 NetworkPkg in multiple HP product lines.

HPE Advisory #1 - HPE published an advisory that discusses 19 vulnerabilities in their HP-UX Common Internet File System.

HPE Advisory #2 - HPE published an advisory that discusses an incorrect behavior order vulnerability in their Superdome Flex and Superdome Flex 280 Servers.

HPE Advisory #3 - HPE published an advisory that discusses a mirrored regions with different values vulnerability in their Superdome Flex 280 Servers.

HPE Advisory #4 - HPE published an advisory that discusses an observable discrepancy vulnerability in their Superdome Flex 280 Servers.

HPE Advisory #5 - HPE published an advisory that discusses two improper input validation vulnerabilities in their HPE Superdome Flex and Superdome Flex 280 servers.

Rockwell Advisory - Rockwell published an advisory that describes two vulnerabilities in their ThinManager product.

Xerox Advisory - Xerox published an advisory that describes an improper input validation vulnerability in multiple Xerox printers.

Updates

FortiGuard Update #1 - FortiGuard published an update for their SMTP password ciphertext advisory that was originally published on June 12th, 2024.

FortiGuard Update #2 - FortiGuard published an update for their missing authentication in fgfmsd advisory that was originally published on October 23rd, 2024.

HP Update #1 - HP published an update for their PC BIOS Security Updates advisory that was originally published on August 13th, 2024.

HP Update #2 - HP published an update for their HP LaserJet Printers advisory that was originally published on October 2nd, 2024.

HPE Update #1 - HPE published an update for their Aruba Networking Controller advisory that was originally published on April 30th, 2024, and most recently updated on June 7th, 2024.

HPE Update #2 - HPE published an update for their Aruba Networking Controller advisory that was originally published on February 28th, 2024, and most recently updated on June 7th, 2024.

Moxa Update - Moxa published an update for their Cellular Routers, Secure Routers, and Network Security Appliances advisory that was originally published on October 14th, 2024.

VMware Update - Broadcom published an update for their VMware vCenter Server advisory that was originally published on September 17th, 2024, and most recently updated on September 20th, 2024.

Researcher Reports

ABB Reports - Zero Science Labs published four reports describing individual vulnerabilities (with publicly available exploits) in the ABB Cylon Aspect building energy management product.

EmbedThis Reports - Nozomi Networks published three reports describing vulnerabilities in the EmbedThis GoAhead Web Server.

LAWO Report - SEC Consult published a report that describes a path traversal vulnerability in the LAWO LTC Time Sync device.

Exploits

Rittal Exploit - Johannes Kruchem published an exploit for improper signature verification and predictable session identifier vulnerabilities in the Rittal IoT Interface and CMC III Processing Unit.


For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-10-dae - subscription required.

Friday, October 25, 2024

Short Takes – 10-25-24

Boeing is still bleeding money on the Starliner commercial crew program. ArsTechnica.com article. Pull quote: “NASA is making moves while assuming Boeing will stay in the game. Astronauts are still assigned to train for the first operational Starliner mission, although it's not likely to happen until the end of next year or in 2026. Earlier this month, NASA announced SpaceX will launch a four-person crew to the International Space Station no earlier than July of next year, taking a slot that the agency once hoped Boeing would use.”

National Security Telecommunications Advisory Committee. Federal Register DHS meeting notice. Agenda: “The NSTAC will meet in an open session on Thursday, November 14, 2024, from 3 p.m. to 4:30 p.m. EST to discuss current NSTAC activities and the government's ongoing cybersecurity and NS/EP communications initiatives. This open session will include: (1) an update on the administration's cybersecurity initiatives; (2) a status update on the NSTAC Principles for Baseline Security Offerings from Cloud Service Providers Study; and (3) a status update on the National Preparedness for Post-Quantum Cryptography Study.”

International Space Station Advisory Committee. Federal Register NASA meeting notice. Meeting date: November 13th, 2024. Summary: “In accordance with the Federal Advisory Committee Act, the National Aeronautics and Space Administration (NASA) announces a meeting of the NASA International Space Station Advisory Committee. The purpose of the meeting is to review aspects related to the safety and operational readiness of the International Space Station.”

Review – HR 9689 Introduced – DHS Cybersecurity Interns

Last month, Rep Clarke (D,NY) introduced HR 9689, the DHS Cybersecurity Internship Program Act. The bill would amend the Homeland Security Act of 2002 by adding a new §1334, Cybersecurity internship program. It would require DHS to establish a paid cybersecurity internship program. No new funding is authorized by this legislation.

Moving Forward

Clarke is a member of the House Homeland Security Committee to which this bill was assigned for consideration. This means that there may be sufficient influence to see the bill considered in Committee. There is nothing in this bill that would engender organized opposition. I suspect that there would be some level of bipartisan support for the legislation, but I am not sure that it would be enough to allow the bill to move to the floor of the House under the suspension of the rules process.

This bill is coming too late in the session to have much of a chance to move forward. I would expect to see this bill reintroduced next session.

Commentary

One of the problems any intern program in DHS will have to deal with is that potential incidental exposure to classified information will limit the number of offices in which interns could be employed. The relatively brief period of internship would make obtaining a security clearance difficult, so DHS will have to carefully select the positions where these interns could serve. This should be addressed in the annual report to Congress.


For more information on the provisions of the program, including suggested changes to the bill to deal with the security clearance issue, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-9689-introduced - subscription required.

Transportation Chemical Incidents – Week of 9-21-24

Reporting Background

See this post for explanation, with the most recent update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

Incidents Summary

• Number of incidents – 598 (553 highway, 43 air, 2 rail, 0 water)

• Serious incidents – 5 (4 Bulk release, 1 evacuation, 1 injury, 0 death, 0 major artery closed, 2 fire/explosion, 55 no release)

• Largest container involved – 31,780-gal DOT 111S100W1 Railcar {Diesel Fuel} Loose manway bolts.

• Largest amount spilled – 900-gal DOT 407 tank truck {Corrosive Liquid, Acidic, Inorganic, N.O.S.} corroded valve leaked.

NOTE: Links above are to Form 5800.1 for the described incidents.

Most Interesting Chemical: Methylal - A clear colorless liquid with a chloroform-like odor. Flash point 0°F. Boiling point 42.3°C (108.1°F). Density 0.864 g / cm3 at 68°F (20°C). Vapors heavier than air. Water soluble. (Source: CameoChemicals.NOAA.gov). Remember: flammable liquids dissolved in water may make water ‘flammable’ depending on concentration.

CSB Adds 2 Investigations to Current List – 10-24-24

Yesterday, in conjunction with their first quarterly business meeting of FY 2025, the Chemical Safety Board added two investigations to their ‘Current Investigations’ list. This brings the total number of open investigations to seven.

The two new investigations are:

Bio-Lab Inc. Conyers Fire and Chemical Release (team sent September 30th, 2024), and

PEMEX Deer Park Chemical Release (team sent October 11th, 2024)

No new information on either investigation has yet been made public.

Thursday, October 24, 2024

Short Takes – 10-24-24

Tech companies want small nuclear reactors. Here’s how they’d work. ScienceNews.org article. Pull quote: “With smaller reactors, Huff says, it’s easier to build components offsite in a factory and ship them where they need to go, rather than custom building them from raw materials on site. “The more you can build these reactors like airplanes rather than airports, the cheaper it’s generally going to be.””

A Route Toward the Island of Stability. Physics.APS.org article. Okay, a review article that is just a tad bit geeky. Pull quote: “As well as enabling the discovery of new elements, reactions with nonmagic projectiles offer the chance to discover many new isotopes of known elements with atomic numbers ranging from 104 to 118. About 110 different superheavy isotopes are known to date. About 50 further isotopes are expected to exist but are not reachable by conventional fusion reactions using 208Pb targets or 48Ca beams. Reactions with nonmagic systems would allow this gap to be filled. It is worth noting that the FLNR has also announced results on the production of element 116 through collisions involving a non-doubly-magic nucleus heavier than 48Ca [10]. Using fusion reactions of 54Cr and 238U, the FLNR claims the discovery of a new isotope of element 116 (288Lv), but the result has yet to appear in a peer-reviewed publication.” The real-deal article.

Chinese company to sell tickets for space tourism flights in 2027. Phys.org article. Pull quote: “Deep Blue Aerospace is a leader in China's burgeoning commercial space sector, which Beijing is hoping will catch up to rivals such as Elon Musk's SpaceX.”

Bird flu hit a dead end in Missouri, but it’s running rampant in California. ArsTechnica.com article. Pull quote: “With the spread of bird flu in dairies and the fall bird migration underway, the virus will continue to have opportunities to jump to mammals and gain access to people. Officials have also expressed anxiety as seasonal flu ramps up, given influenza's penchant for swapping genetic fragments to generate new viral combinations. The reassortment and exposure to humans increases the risk of the virus adapting to spread from human to human and spark an outbreak.”

How Your Brain Processes Zero (It’s Not Exactly ‘Nothing’). ScientificAmerican.com article. Pull quote: “The notion that zero is somehow distinct comes from studies of brain injury as well. About 14 percent of people who have had a stroke may be unable to read or process numbers that include a zero digit, points out Barnett. In August he and Stephen Fleming, a fellow cognitive neuroscientist at University College London, published findings that showed the brain situates zero along a mental number line, regardless of whether a person is considering zero as a numeral or empty set. Nieder and Mormann’s team demonstrated the same—albeit with different methods and an emphasis on different brain areas.”

S&T Continues Counter-Unmanned Aerial System Technologies Testing. DHS.gov/Science-and-Technology/ article. Pull quote: “Over the course of the week, participants were given a common set of conditions and scenarios in which to test their technologies against drones that are representative of what is available on the market to purchase or build. This enabled the S&T team to not only gauge the effectiveness of each of these technologies in intercepting drones but also the collateral effects of downing them. Testing wrapped up before dusk to enable the team to inspect and map out the drone debris field.”

Review - Siemens Publishes Out-of-Zone Advisory – 10-23-24

Yesterday, Siemens published an out-of-zone advisory for vulnerabilities in their InterMesh Subscriber Devices. Siemens typically publishes a monthly set of advisories on Cyber Tuesday (2nd Tuesday of each month). This month Siemens published 13 new advisories on October 8th, 2024. Siemens does not generally explain why they publish these out-of-zone advisories, but in this case, it looks like the CVSS score of 10.0 is probably the reason.

InterMesh Advisory - Siemens published an advisory that discusses four vulnerabilities in their InterMesh Subscriber devices.


For more information on this advisory, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/siemens-publishes-out-of-zone-advisory - subscription required.

Review – 3 Advisories and 1 Update Published – 10-24-24

Today, CISA’s NCCIC-ICS published three control system security advisories for products from Deep Sea Electronics, iniNet Solutions and VIMESA. They also updated an advisory for products from OMNTEC.

Advisories

Deep Sea Advisory - This advisory describes a missing authentication for critical function vulnerability in the Deep Sea DSE855 Ethernet communications device.

iniNet Advisory - This advisory describes a path traversal vulnerability in the iniNet SpiderControl SCADA PC HMI Editor software management platform.

VIMESA Advisory - This advisory describes an improper access control vulnerability in the VIMESA VHF/FM Transmitter Blue Plus.

Updates

OMNTEC Update - This update provides additional information on the Proteus Tank Monitoring advisory that was originally published on September 24th, 2024.


For more details about these advisories, including a down-the-rabbit-hole look at additional Deep Sea vulnerabilities, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-and-1-update-published-81e - subscription required.

Review - CSB Updates Accidental Release Reporting Data – 10-24-24

Yesterday, in preparation for their quarterly business meeting today, the CSB updated their published list of reported chemical release incidents. They added 28 new incidents that occurred since the previous version was published [removed from paywall] in July. They also removed one incident that occurred before July. These are not incidents that the CSB is investigating; these are incidents that were reported to the CSB under their Accidental Release Reporting rules (40 CFR 1604).

The table below shows the top five states based upon the number of reported incidents since the July update was published.

For more information on the information added to the CSB database, including a list of possibly missing incident reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-updates-accidental-release-reporting-4fb - subscription required.

OMB Approves FAR IFR on Covered UAS Prohibitions

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an interim final rule (IFR) from the Federal Acquisition Regulation (FAR) on “FAR Case 2024-002, Prohibition on Covered Unmanned Aircraft Systems by Covered Foreign Entities”. The IFR was sent to OIRA on June 6th, 2024.

According to the Spring 2024 Unified Agenda entry for this rulemaking:

“This rule prohibits agencies from procuring covered unmanned aircraft systems (UAS), or products or services in connection with the operation thereof, for systems manufactured or assembled by a covered foreign entity, unless an exemption or waiver applies. This rule is issued pursuant to Subtitle B (American Security Drone Act of 2023), Title XVIII, of the National Defense Authorization Act for Fiscal Year 2024.”

I will probably not be covering this rulemaking in any detail, but I will certainly announce its publication in the appropriate ‘Short Takes’ blog post when it is published.

CISA Adds FortiManager Vulnerability to KEV Catalog – 10-23-24

Yesterday, CISA announced that it had added a missing authentication for critical function vulnerability (CVE-2024-47575) in the Fortinet FortiManager product to their Known Exploited Vulnerabilities (KEV) catalog. CISA requires federal agencies employing this product to “apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable” by November 13th, 2024. CISA describes the vulnerability:

“Fortinet FortiManager Missing Authentication Vulnerability: Fortinet FortiManager contains a missing authentication vulnerability in the fgfmd daemon that allows a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.”

FortiGuard published their advisory for this vulnerability yesterday. The advisory provides a list of affected products and fixed versions for most of those products. It also notes that certain older versions of FortiAnalyzer with specific features enabled are also affected by this vulnerability. The advisory also provides indicators of compromise. It also reports that:

“The identified actions of this attack in the wild have been to automate via a script the exfiltration of various files from the FortiManager which contained the IPs, credentials [emphasis added] and configurations of the managed devices.”

Wednesday, October 23, 2024

Short Takes – 10-23-24

Task force unveils cyber recommendations for the next president. CyberScoop.com article. Pull quote: “The victor of the 2024 presidential election must resolve conflicting cybersecurity regulations, better deter cyberattacks, address the cyber workforce shortage, develop plans with the private sector on critical infrastructure protection and review how to keep the economy going in the event of major hacks, a task force of cyber experts said in a report released Tuesday.” Recommendations include: “Establishing security standards for operational technology and information technology systems in each sector.”

Bird flu infects four in Washington state; CDC deploys team. TheHill.com article. Pull quote: “In a press release Sunday, the Washington State Department of Health said the “workers tested presumptively positive for avian influenza after working with infected poultry at a commercial egg farm in Franklin County.” Franklin County is in the eastern half of the Evergreen State, which is known for its agriculture.”

Special Operations: Sabotaging Railroads. StrategyPage.com article. Pull quote: “Ukrainian sabotage teams in Russian territory disrupt railroad movement by damaging key elements of the railroad signals and communications systems. This makes the railroads less reliable and often leads to accidents that derail supply trains and block further use of that line until the wreckage is removed and the rails are repaired. Ukraine has even been able to get operatives deep inside Russia to damage the Trans-Siberian Railroad, which is currently used to move weapons and munitions and North Korean soldiers from North Korea to Ukraine.”

Agency Information Collection Activities; Notice and Request for Comment; Automated Driving Systems 2.0: A Vision for Safety. Federal Register NHTSA 60-day ICR extension notice. Summary: “This document describes a collection of information for which NHTSA intends to seek OMB extension approval titled “Automated Driving Systems 2.0: A Vision for Safety” and is identified by OMB Control Number 2127-0723, currently approved through February 28, 2025. The burden hour calculations have been adjusted to reflect a reduction in annual respondents resulting in a reduction in burden hours from 12,000 annually to 2,400 annually.” Includes detailed explanation of burden estimate. Comments due December 23rd, 2024.

Surface Transportation Security Advisory Committee; Meeting. Federal Register TSA meeting notice. Summary: “The Transportation Security Administration (TSA) will hold a meeting of the Surface Transportation Security Advisory Committee (STSAC) on November 21, 2024. Members of the public will be able to participate virtually via Microsoft Teams. The meeting agenda and information on public participation [links added] is provided below under the SUPPLEMENTARY INFORMATION section.”

Review - HR 9768 Introduced – Cyber Defense Collaborative

Last month, Rep Swalwell (D,CA) introduced HR 9768, the Joint Cyber Defense Collaborative Act. The bill would amend 6 USC 665b to replace the existing CISA Joint Cyber Planning Office with a new ‘Joint Cyber Defense Collaborative’ program designed to “support enhanced public-private partnerships across critical infrastructure sectors for collective cyber defense operations, information sharing, and operational collaboration”. No new funding would be authorized by this legislation.

Moving Forward

Swalwell and his sole cosponsor {Rep Thompson (D,MS)} are both members of the House Homeland Security Committee, and Thompson is the ranking member. This means that there may be sufficient influence to see the bill considered in Committee. While I see no single provision that would engender specific opposition to this bill, I suspect that many Republicans will be uncomfortable with this level of interaction between businesses and CISA. I think that this may be too late in the session for compromises to be worked out that would ease those concerns.


For more information on the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-9768-introduced - subscription required.

Short Takes – 10-23-24 – Space Geek Edition

The moon, Mars, asteroids and Jupiter: China reveals ambitious space exploration plans. Space.com article. Pull quote: “China's next two lunar missions will follow in 2026 and 2028, Li said. These will be Chang'e 7 and Chang'e 8, respectively. Both will attempt to land near the lunar south pole. The first will hunt for water ice in permanently shadowed craters, while the second will carry in-situ resource utilization (ISRU) and terrestrial ecosystem experiments.”

NASA’s SpaceX 31st Resupply Mission to Launch Experiments to Station. NASA.gov article. Pull quote: “Mosses grow on every continent on Earth and have the highest radiation tolerance of any plant. Their small size, low maintenance, ability to absorb water from the air, and tolerance of harsh conditions make them suitable for spaceflight. NASA chose the Antarctic moss because that continent receives high levels of radiation from the Sun.”

Notice of Availability for a Written Re-Evaluation of the Final Programmatic Environmental Assessment for the SpaceX Starship/Super Heavy Launch Vehicle Program at the SpaceX Boca Chica Launch Site in Cameron County, Texas. Federal Register FAA notice. Summary: “In accordance with the National Environmental Policy Act of 1969, as amended, Council on Environmental Quality NEPA-implementing regulations, and FAA Order 1050.1F, Environmental Impacts: Policies and Procedures, the FAA is announcing the availability of the Written Re-Evaluation for the Final Programmatic Environmental Assessment for the SpaceX Starship/Super Heavy Launch Vehicle Program regarding updates to the forward heat shield interstage, sonic boom coverage, use of the deluge system during return to launch site landings, and use of US Coast Guard Safety Zones at the SpaceX Boca Chica Launch Site in Cameron County, Texas.”

Export Administration Regulations: Removal of License Requirements for Certain Spacecraft and Related Items for Australia, Canada, and the United Kingdom. Federal Register BIS final rule. Summary: “In this final rule, the Bureau of Industry and Security (BIS) amends the Export Administration Regulations (EAR) by removing controls for certain spacecraft and related items for exports and reexports to Australia, Canada, and the United Kingdom. These spacecraft and related items involve remote sensing or space-based logistics, assembly, or servicing. Taking into account the close relations with these three allied countries, including in space collaboration, as well as their inclusion in the National Technology and Industrial Base (NTIB), this final rule removes the license requirement for these countries for these spacecraft and related items.”

Export Administration Regulations: Revisions to Space-Related Export Controls. Federal Register BIS interim final rule. Summary: “In this interim final rule (IFR), the Bureau of Industry and Security (BIS) makes changes to controls for spacecraft and related items under the Export Administration Regulations (EAR). This IFR reduces license requirements on less sensitive items to reflect the close relations with certain countries to better facilitate space collaboration; and makes refinements and clarifications to existing controls. These changes will better enable a globally competitive U.S. space industrial base while continuing to protect U.S. national security and foreign policy interests.” Comments due November 22nd, 2024.

Export Administration Regulations: Revisions to Space-Related Export Controls, Including Addition of License Exception Commercial Space Activities (CSA). Federal Register BIS notice of proposed rulemaking. Summary: “In this proposed rule, the Bureau of Industry and Security (BIS) proposes changes to controls for spacecraft and related items under the Export Administration Regulations (EAR) that would conform to proposed changes to the International Traffic in Arms Regulations (ITAR) related to U.S. Munitions List (USML) Categories IV and XV. This rule also proposes the addition of a new license exception for certain Commercial Space Activities (CSA). This proposed rule is published alongside the Department of State proposed rule, “International Traffic in Arms Regulations (ITAR): U.S. Munitions List Categories IV and XV” (1400-AE73), which includes proposed changes for certain space-related defense articles and related controls. These proposed rules are intended to better enable a globally competitive U.S. space industrial base while continuing to protect U.S. national security and foreign policy interests.” Comments due November 22nd, 2024.

Argotec inaugurates new satellite factory. SpaceNews.com article. Pull quote: “The company has set aside 1,200 square meters of the building for SpacePark HUB, which Avino described as an accelerator for startups developing technologies that Argotec could use for its spacecraft.”

Libre Space Foundation Aims To Improve Satellite Tech. Hackaday.com article. Pull quote: “The LSF maintains a huge database of their open source space projects, including this one, on their GitLab page. Although it might seem like small potatoes now, the adoption of open source software and hardware by space-fairing entities can help further the democratization of low Earth orbit.”

Giant catapult defies gravity by launching satellites into orbit without the need of rocket fuel. TheBrighterSideNews.com article. Pull quote: “SpinLaunch has already conducted multiple successful tests with this technology. "This is not a rocket, and clearly our ability to perform in just 11 months this many tests and have them all function as planned, really is a testament to the nature of our technology," said Jonathan Yaney, founder and CEO of SpinLaunch, in a 2022 Space.com report after their 10th successful launch. The company plans to launch constellations of satellites into orbits below 600 miles by 2026.” For potential downsides about throwing rocks, see Heinlein’s ‘The Moon is a Harsh Mistress’.

Scientists Studying “Trickster” Asteroid Make a Surprise Discovery Pointing to Elusive Fifth Force in Physics. TheDebrief.com article. Pull quote: ““The tight constraints we’ve achieved translate readily to some of the tightest-ever limits on Yukawa-type fifth forces,” said Sunny Vagnozzi, assistant professor at the University of Trento in Italy and co-author on the paper. “These results highlight the potential for asteroid tracking as a valuable tool in the search for ultralight bosons, dark matter, and several well-motivated extensions of the Standard Model.”” Journal article here.

Tuesday, October 22, 2024

Short Takes – 10-22-24

Inside the Bungled Bird Flu Response, Where Profits Collide With Public Health. VanityFair.com article. Lots of links. Pull quote: “It is unclear whether the [bird flu] virus, as it continues to spread and evolve, will ultimately pose a serious threat to human health. But if it does, there could be a battle no less intense than the one still being fought over who should be held responsible for COVID-19. Looking back at the events of 2019, one thing almost everyone agrees on is that China should have been much more transparent about what it knew and when it knew it.”

‘More serious than we had hoped’: Bird flu deaths mount among California dairy cows. LATimes.com article. Pull quote: ““As I’ve said since we first learned of the outbreak in dairy cows, nothing we’ve learned about this virus is new or unexpected,” said Rick Bright, a virologist and former head of the U.S. Biomedical Advanced Research and Development Authority. “It’s behaving exactly as we’ve come to know of this virus over the past 25 years. It’s spreading very efficiently now among mammals, and it’s mutating and adapting to mammals as it does.””

Russian group’s hack of Texas water system underscores critical OT cyber threats. CSOOnline.com article. Interesting discussion about unprofessional threats. Pull quote: “The possible geopolitical connection to these hacks contradicts the notion that the Cyber Army of Russia and other Russian threat groups are merely amusing themselves. Erlin thinks the hackers may be showing off their skills to get jobs as official Russian state hackers. “If you want to get hired for a job, you might want to demonstrate that you’re capable of doing that job,” he says.”

INVESTING IN AMERICA: Biden-Harris Administration Announces Nearly $200 Million to Replace Aging Gas Pipes, Lower Household Energy Bills and Cut Methane Emissions. Transportation.gov press release. Pull quote: ““For the first time, thanks to the Bipartisan Infrastructure Law, we are empowering communities to expedite these critical safety improvements while helping families save money on their energy bills,” said PHMSA Deputy Administrator Tristan Brown. “On average, businesses, families, and everyday Americans can expect to save hundreds of dollars on their energy bills thanks to these necessary safety improvements funded through this new grant.””

Fatal hydrogen sulfide leak at US Pemex refinery under investigation. ChemistryWorld.com article. Pull quote: “The incident discharged almost 20 tonnes of hydrogen sulfide and nearly 14 tonnes of sulfur dioxide over several hours. Two neighbouring cities were subject to shelter-in-place orders, and a section of state highway was temporarily closed.”

Fire at US pool chemical plant releases huge chlorine plume. ChemistryWorld.com article. Includes quotes from me. Pull quote: “Georgia Institute of Technology’s Sally Ng, the leader of a new effort to characterise aerosol chemical composition and physical properties across the US in real time called the Atmospheric Science and Chemistry Measurement Network (Ascent), confirms to Chemistry World that the morning after the fire, the number of chlorine-containing particles detected in the air at Ascent’s Decatur, Georgia site, around 28km from the BioLab plant, had increased by about 1400 times. Bromine-containing particles in the air increases by about 170 times, she said.”

Review – 1 Advisory Published – 10-22-24

Today, CISA’s NCCIC-ICS published a control system security advisory for products from Mitsubishi (and ICONICS).

Advisories

Mitsubishi Advisory - This advisory describes an incorrect default permissions vulnerability in the Mitsubishi ICONICS Suite and MC Works64 products.


For more information on this advisory, including a down-the-rabbit-hole look at the ICONICS GENESIS64 advisory, see my article at CFSN Detailed Analysis.

OMB Approves FAR CUI NPRM

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a notice of proposed rulemaking (NPRM) for the Federal Acquisition Regulations (FAR) on “FAR Case 2017-016, Controlled Unclassified Information (CUI)”. This NPRM was sent to OMB on May 21st, 2024. This rulemaking has been under consideration since 2017.

According to the Spring 2024 Unified Agenda entry for this rulemaking:

“This rule will apply the controlled unclassified information (CUI) program requirements in Federal contracts in a uniform manner to protect CUI. This rule is one element of a larger strategy to improve the Government’s efforts to identify, deter, protect against, detect, and respond to increasing sophisticated threat actions targeting Federal contractors. This rule is being issued in accordance with the National Archives and Records Administration (NARA) regulations implementing the CUI program per Executive Order 13556 [link added] issued November 4, 2010, as implemented in NARA’s implementing regulations [link added].”

I will probably not be covering this regulation in any depth, but I will at least mention the publication of the NPRM in the appropriate ‘Short Takes’ post.

PHMSA Sends Pipeline Leak Detection Final Rule to OMB

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a final rule from the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) on “Pipeline Safety: Gas Pipeline Leak Detection and Repair”. The notice of proposed rulemaking for this action was published [removed from paywall] on May 18th, 2024.

According to the Spring 2024 Unified Agenda Entry for this rulemaking:

“This rulemaking would amend the pipeline safety regulations to enhance requirements for detecting and repairing leaks on new and existing natural gas distribution, gas transmission, and gas gathering pipelines. The proposed rule is necessary to respond to a mandate from Section 113 of the Protecting our Infrastructure of Pipelines and Enhancing Safety Act of 2020 [PL 116-260, 134 STAT 2228].”

This final rule should be published in the Federal Register in the next week or two.

NHTSA Sends Automated Driving System NPRM to OMB

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking (NPRM) from the DOT’s National Highway Traffic Safety Administration (NHTSA) on “Exemption and Demonstration Framework for Automated Driving Systems”.

According to the entry in the Spring 2024 Unified Agenda for this rulemaking:

“This notice would propose a framework for the review and assessment of Automated Driving System (ADS)-equipped vehicles, in order to evaluate operations or requests for exemptions involving such technologies while also informing the agency's approach to future rulemaking and oversight.”

I will be watching this rulemaking for cybersecurity provisions.

Monday, October 21, 2024

Short Takes – 10-21-24

Congress’ to-do list grows while on the campaign trail. TheHill.com article. Pull quote: “Conservatives bullish of former President Trump’s chances of winning back the White House had been pushing for Congress to punt the next funding deadline into early 2025. Proponents of the strategy say it would allow Trump more input over government funding, while also decreasing the likelihood of Congress squeezing through another massive, end-of-year omnibus funding package.”

Intelligence: Balloon Based Electronic Surveillance. StrategyPage.com article. Pull quote: “Modern aerostat systems have been around since the 1980s and have proliferated as more compact, lightweight and powerful sensors became available. The larger of these blimps are more than twice the size as the more familiar advertising blimps. An aerostat is designed to always turn into the wind and stay in the same place. An aerostat is unpowered, and secured by a cable that can keep the aerostat in position at its maximum altitude of 4,700 meters. At that altitude, a large aerostat can carry a two-ton payload. The cable also supplies power, which means the blimp can stay up for about 30 days at a time before it has to be brought down for maintenance on its radars. Often, two radars are carried. One is for surveillance; the other is a precision track and illumination radar (PTIR). The surveillance radar provides long-range coverage (400 kilometers or more), while the PTIR, which is a steerable system capable of tracking multiple targets, can focus on items of interest. Current aerostats carry a larger array of more capable sensors.”

Study Reveals Potential Top Cyber Threats Facing Health Care XR Technology. NewsWise.com article. Pull quote: ““The specific cybersecurity and privacy risks presented by XR [extended reality] technology should be considered as a part of system-wide digital risk management frameworks by health organizations, within their proposed context of use, intended purpose, and perceived benefits to health care delivery and individuals”, says Nilufar Baghaei, one of the authors of the article.” Referenced article.

ESA moves forward with Apophis mission preparations. ESA.int article. Pull quote: “The funds will be used to begin the procurement process for certain time-critical or long-lead equipment, as well as to finalise the overall design of the spacecraft while considering the opportunities for international cooperation currently under discussion.”

Agency Information Collection Activities: Incident Reporting Form and Associated Submission Tools (ICR 1670-0037). Federal Register CISA 30-day ICR notice. Includes changes to forms but no burden change. ICR summary: “CISA's website (at https://www.cisa.gov/) is a primary tool used by constituents to report incident information, access information sharing products and services, and interact with CISA. Constituents, which may include anyone or any entity in the public, use forms located on the website to complete these activities. Incident reports are primarily submitted using CISA's internet reporting system, available at https://www.cisa.gov/forms/report. CISA collects cyber threat indicators and defensive measures in accordance with the requirements of the Cybersecurity Information Sharing Act of 2015 through CISA's Cyber Threat Indicator and Defensive Measure Submission System, https://www.cisa.gov/forms/share-indicators. CISA shares cyber threat indicators and defensive measures it receives with certain federal entities in an automated and real-time manner. 6 U.S.C. 1504(c).” Comments due November 20th, 2024.

Hazardous Materials: Information Collection Activities. Federal Register PHMSA 30-day ICR notice. Three ICR renewals with no burden changes: Flammable Cryogenic Liquids, Response Plans for Shipments of Oil, and Requirements for United Nations (UN) Cylinders. Comments due November 20th, 2024. The 60-day ICR notice was published on May 10th, 2024.

Ground systems could delay Artemis 2 launch. SpaceNews.com article. Pull quote: ““While EGS [Exploration Ground Systems] elements are close to completion, the program has no schedule margin for these remaining activities,” the GAO report stated. While issues with Orion led NASA in January to delay the Artemis 2 launch by nearly a year, to September 2025, that slip provided only three months of schedule margin to EGS. That schedule margin was consumed by June, the report stated, because of issues with testing the mobile launcher at Launch Complex 39B.”

Review - FCC Publishes Final Rule for Cybersecurity Labeling Administrator (CLA) Applications

Today, the Federal Communications Commission (FCC) published a final rule in the Federal Register (89 FR 84086-84096) announcing “a 15-business day filing window for applications from entities seeking designation as a Cybersecurity Labeling Administrator (CLA) and Lead Administrator and also adopt additional requirements for CLA and Lead Administrator applications as well as responsibilities that must be met by the selected Lead Administrator and CLAs.” This includes a 30-day ICR notice for the associated information collection requirements of this final rule.

Applications

Today’s final rule is a summary of the Commission's document in PS Docket No. 23-239. That document, dated September 10th, 2024, announced the 15-day window for applications for LAs and CLAs. That window closed on October 1st, 2024.

Burden Estimate

Appendix D of PS Docket No. 23-239 provides the burden estimate for the LA and CLA application process, OMB control number 3060-1328. It reports that the FCC expects that each LA application will take 10 hours and each CLA application will take 20 hours. There is no estimate provided for the number of applications that the Commission expects to receive, so a full burden estimate is not provided.

The FCC is soliciting comments on the new information collection request supporting these applications. Comments may be emailed to the FCC at PRA@fcc.gov. Comments should be submitted by November 20th, 2024.


For more information on this rulemaking, including a background look at the roles of LA and CLAs in the FCC IoT Label Program, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/fcc-publishes-final-rule-for-cybersecurity - subscription required.

Sunday, October 20, 2024

Review – Public ICS Disclosures – Week of 10-12-24 – Part 2

For Part 2 we have 18 additional vendor disclosures from Moxa, SEL (2), Splunk (13), TAI Smart Factory, and VMware. There are also four vendor updates from FortiGuard (2), Mitsubishi Electric, and Palo Alto Networks. There are also two researcher reports for vulnerabilities in products from ABB and Rittal. Finally, we have an exploit for products from WatchGuard.

Advisories

Moxa Advisory - Moxa published an advisory that describes two vulnerabilities in their Cellular Routers, Secure Routers, and Network Security Appliances.

SEL Advisory #1 - SEL published a new version notice that describes cybersecurity enhancements for their SEL-5703 Synchrowave Monitoring product.

SEL Advisory #2 - SEL published a new version notice that describes cybersecurity enhancements for their SEL-5702 Synchrowave Operations product.

Splunk Advisory #1 - Splunk published an advisory that describes an arbitrary file write vulnerability in their Enterprise for Windows product.

Splunk Advisory #2 - Splunk published an advisory that describes a missing authorization vulnerability in their SplunkDeploymentServerConfig app.

Splunk Advisory #3 - Splunk published an advisory that describes a deserialization of untrusted data vulnerability in their Enterprise on Windows product.

Splunk Advisory #4 - Splunk published an advisory that describes an improper access control vulnerability in their Classic Dashboard product.

Splunk Advisory #5 - Splunk published an advisory that describes an improper access control vulnerability in their Secure Gateway App.

Splunk Advisory #6 - Splunk published an advisory that describes an uncontrolled resource consumption vulnerability in their Daemon product.

Splunk Advisory #7 - Splunk published an advisory that describes a cross-site request forgery vulnerability in their Enterprise and Cloud Platform products.

Splunk Advisory #8 - Splunk published an advisory that describes an insertion of sensitive information into a log file vulnerability in their Enterprise product.

Splunk Advisory #9 - Splunk published an advisory that describes an insertion of sensitive information into a log file vulnerability in their Enterprise product.

Splunk Advisory #10 - Splunk published an advisory that describes a cross-site scripting vulnerability in their Enterprise product.

Splunk Advisory #11 - Splunk published an advisory that describes a cross-site scripting vulnerability in their Enterprise product.

Splunk Advisory #12 - Splunk published an advisory that discusses 68 vulnerabilities in their Enterprise product.

Splunk Advisory #13 - Splunk published an advisory that discusses four vulnerabilities (one with publicly available exploit) in their Add-on for Office 365 product.

TAI Advisory - Incibe-CERT published an advisory that describes an SQL injection vulnerability in the TAI Smart Factory's QPLANT plant data management product.

VMware Advisory - Broadcom published an advisory that describes an SQL injection vulnerability in their HCX product.

UPDATES

FortiGuard Update #1 - FortiGuard published an update for their regreSSHion advisory that was originally published on July 9th, 2024, and most recently updated on September 11th, 2024.

FortiGuard Update #2 - FortiGuard published an update for their Format String Bug that was originally published on February 8th, 2024, and most recently updated on October 11th, 2024.

Mitsubishi Update - Mitsubishi published an update for their GENESIS64 advisory that was originally published on June 27th, 2024.

Palo Alto Networks Update - Palo Alto Networks published an update for their Firewall Denial of Service advisory that was originally published on October 9th, 2024.

Researcher Reports

ABB Reports - Zero Science published five reports about individual vulnerabilities (with publicly available exploits) in the ABB Cylon Aspect building management product.

Rittal Report - SEC Consult published a report that describes three vulnerabilities in the Rittal IoT Interface & CMC III Processing Unit.

Exploits

WatchGuard Exploit - Indoushka published an exploit for a buffer overflow vulnerability in the WatchGuard XTM Firebox.


For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-10-7cf - subscription required.

Saturday, October 19, 2024

Short Takes – 10-19-24

Mechanochemistry can extract edible proteins from moor grass. ChemistryWorld.com article. Pull quote: “With a growing global population and dietary intake changes, there is a need to source edible proteins using alternative and sustainable methods. Previous studies report edible protein extraction from grasses however ‘a lot of the conventional methods use very harsh solvents or chemicals to break down the cell walls’ explains Castro-Dominguez. While these methods are often effective, ‘once you put vitamins and proteins under these harsh conditions, they tend to degrade’ he says. ‘We want to have proteins that are completely in good shape for human consumption.’”

Trelleborg adds elastomer manway nozzle gaskets. BulkTransporter.com article. Pull quote: “The manway nozzle gaskets are made from high-grade fluoroelastomer (FKM) materials offering enhanced chemical resistance, robust mechanical strength, and a wide temperature range. Their single-piece design with a chevron profile ensures excellent sealing and simplified manufacturing. Leveraging material science and fully integrated engineering, they are developed with advanced materials and in-house manufacturing, helping to prevent non-accident releases (NARs). Produced in ISO 9001 and ISO 14001 certified facilities, they ensure consistent quality and full traceability from formulation to final product.” No endorsement implied.

The Orionids Meteor Shower Is Peaking. Here’s How to Watch. NYTimes.com article. Pull quote: “The Orionids are well-loved by meteor shower aficionados because of the bright, speedy streaks they make near the group of stars known as Orion’s Belt. Like the Eta Aquarid meteor shower, which peaked in early May, the Orionids result when Earth passes through debris from Halley’s comet.”

DHS Warns Law Enforcement Election Deniers May Attempt to Bomb Drop Boxes. Wired.com article. Pull quote: “The documents show that DHS alerted dozens of agencies this summer to online chatter indicating potential attacks on election drop boxes—secured receptacles used in more than 30 states to collect mail-in voter ballots. The text highlights the efforts of an unnamed group to crowdsource information about “incendiary and explosive materials” capable of destroying the boxes and ballots. An extensive list of household mixtures and solvents, which are said to render voter ballots “impossible to process,” was also compiled by members of the group, the report says, and openly shared online.”

OMB Approves CISA’s Notice on Cybersecurity of Bulk Personal Information Transfers

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a ‘notice’ from CISA on “Security Requirements for Restricted Transactions Under Executive Order 14117”. The notice was sent to OIRA on July 8th, 2024.

This rulemaking was not published in the Spring 2024 Unified Agenda. This could be because this is a ‘notice’ and not an actual proposed rulemaking.

As I noted in my earlier post:

“Executive Order 14117 outlines the Administration’s intent “to restrict access by countries of concern to Americans' bulk sensitive personal data and United States Government-related data when such access would pose an unacceptable risk to the national security of the United States.” Section 2(d) of that EO requires CISA to “propose, seek public comment on, and publish security requirements that address the unacceptable risk posed by restricted transactions”. Those ‘restricted transactions’ are outlined in §2(a) and are to be further defined by regulations issued by the Attorney General.”

I will probably not be covering these regulations in any depth in this blog, but I will certainly be announcing the relevant publications in the appropriate ‘Short Takes’ post.

FDA Sends HIPAA Cybersecurity NPRM to OMB

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking from the Food and Drug Administration (FDA) on “Proposed Modifications to the HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information”.

According to the Spring 2024 Unified Agenda Entry for this rulemaking:

“This rule will propose modifications to the Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). These modifications will improve cybersecurity in the health care sector by strengthening requirements for HIPAA regulated entities to safeguard electronic protected health information to prevent, detect, contain, mitigate, and recover from cybersecurity threats.”

I will probably not cover this rulemaking in any detail on this blog, unless it specifically addresses cybersecurity issues of medical devices that may contain, process, or transmit protected health information (PHI). Otherwise, there will just be a notification published in the appropriate ‘Short Takes’ post when this rulemaking is published in the Federal Register.

Chemical Incident Reporting – Week of 10-12-24

NOTE: See here for series background.

Washington, NC – 9-18-24

Local News Reports: Here, here, and here.

Chlorine gas was released from a storage tank at a water treatment facility when an ammonium sulfate solution was inadvertently unloaded into a sodium hypochlorite storage tank by a delivery driver. The driver was taken to a local hospital for treatment. The remaining contents of the storage tank were hauled away for disposal as hazardous waste.

Possibly CSB reportable if the driver was admitted to hospital. It could also possibly be treated as a hazmat transportation incident.

A similar incident with unrelated water treatment chemicals occurred in May at a nearby water treatment plant in North Carolina.

These incidents are more common than most people realize. A gas cloud exiting a storage tank is an absolute signal that a mixing incident is occurring. Fast action shutting down the feed will minimize the potential damage and the size of the gas cloud. The problem is that the steam-driven cloud (these reactions are often exothermic) frequently interferes with the driver (it is almost always a non-facility driver that is ‘responsible’ for such incidents) reaching the controls on the discharge line. This means that the cloud is larger and there is a danger of the storage tank physically failing due to the combination of overfilling and gas production.

NOTE: I missed this particular incident last month, but was pointed at it by a report at ISSSource.com.

Bills Introduced – 10-18-24

Yesterday, with the House and Senate meeting in pro forma session, there were 30 bills introduced. None of those bills are likely to receive additional coverage in this blog. There are, however, two items of interest. The first is that HR 10000 was introduced, the first time that Congress has had to resort to a 5-digit bill number. That, combined with the really small number of bills passed to date (106 bills), shows just how ineffective Congress has become. It would be really interesting for someone to compile a report on the legislative efficiency of the members of Congress.

The second item of interest is a bill that I would like to mention in passing:

HR 9999 To amend the Congressional Budget and Impoundment Control Act of 1974 to include timely completion of budgetary actions as an essential purpose of such Act and to establish limitations on the official travel of Members of Congress upon failure to timely adopt a concurrent resolution on the budget, and for other purposes. Arrington, Jodey C. [Rep.-R-TX-19]

There have been any number of bills introduced this session (and in sessions past, to be sure) that have purported to try to hold congresscritters to account for passing a federal budget. This is the first that I recall having used congressional travel monies as the incentive to get our elected officials to do their job.

Section 301 of the Congressional Budget and Impoundment Control Act of 1974 already requires that: “On or before April 15 of each year, the Congress shall complete action on a concurrent resolution on the budget for the fiscal year beginning on October 1 of such year.”

There is, of course, no current enforcement of that ‘shall complete’ requirement, as the Supreme Court (and not just the current packed Court) would never allow any legal action to enforce that requirement under the separation of powers standard. The only ones that could enforce that are the voters, who for the most part do not really care about the budget or most of the activities of Congress.

This bill does not have much chance of actually being considered, much less enacted into law. Even if it were, there would be any number of legislative or administrative workarounds that would still allow for official travel payments in the ‘unlikely’ (sigh) event that Congress failed to do its duty. As with most of these bills, there is little chance that they will be considered, much less voted upon, or sent to the President. This is political posturing, nothing more, and just weeks before the election.

Review – Public ICS Disclosures – Week of 10-12-24 – Part 1

This week we have vendor disclosures from Belden, Bosch, Dassault Systèmes (2), Helmholtz (2), Hikvision, HP (3), HPE (3), MB Connect (2), Meinberg, Moxa, Philips (2), and Sick.

Advisories

Belden Advisory - Belden published an advisory that describes a heap overflow vulnerability (with publicly available exploit) in their Hirschmann HiLCOS product line.

Bosch Advisory - Bosch published an advisory that describes an unrestricted resource consumption vulnerability in their VMS Central Server.

Dassault Systèmes Advisory #1 - Dassault Systèmes published an advisory that describes an authorization bypass through user-controlled keys vulnerability in their 3DSwymer.

Dassault Systèmes Advisory #2 - Dassault Systèmes published an advisory that describes a cross-site scripting vulnerability in their ENOVIA product.

Helmholtz Advisory #1 - CERT-VDE published an advisory that describes two vulnerabilities in multiple Helmholtz products.

Helmholtz Advisory #2 - CERT-VDE published an advisory that describes five vulnerabilities in the Helmholtz REX100 industrial router.

Hikvision Advisory - Hikvision published an advisory that describes three vulnerabilities in their HikCentral product series.

HP Advisory #1 - HP published an advisory that describes a missing authentication for critical function vulnerability in their DesignJet products.

HP Advisory #2 - HP published an advisory that discusses an incorrect behavior order vulnerability in their SMI Transfer Monitor.

HP Advisory #3 - HP published an advisory that discusses 12 vulnerabilities in multiple HP products.

HPE Advisory #1 - HPE published an advisory that discusses a code injection vulnerability in their Cray and ProLiant XL Servers.

HPE Advisory #2 - HPE published an advisory that discusses an incomplete filtering of special elements vulnerability in their ProLiant DX Servers.

HPE Advisory #3 - HPE published an advisory that discusses an insufficient control flow management vulnerability in their ProLiant DX Servers.

MB Connect Advisory #1 - CERT-VDE published an advisory that describes two vulnerabilities in multiple MB Connect products.

MB Connect Advisory #2 - CERT-VDE published an advisory that describes five vulnerabilities in the mbNET.mini product.

Meinberg Advisory - Meinberg published an advisory that discusses five vulnerabilities in their LANTIME product.

Moxa Advisory - Moxa published an advisory that describes two vulnerabilities in their MXsecurity Series products.

Philips Advisory #1 - Philips published an advisory that discusses two recent MS Windows vulnerabilities (CVE-2024-43572 and CVE-2024-43573) listed on CISA’s Known Exploited Vulnerabilities catalog.

Philips Advisory #2 - Philips published an advisory that discusses two recent Cisco vulnerabilities (CVE-2024-20393 and CVE-2024-20470).

Sick Advisory - Sick published an advisory that describes a use of hard-coded credentials vulnerability in multiple Sick products.

For more information about these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-10-4a8 - subscription required.