Friday, April 26, 2024

Short Takes – 4-26-24

China's Shenzhou-18 mission docks with space station. Phys.org article. Pull quote: “They will also try and create an aquarium onboard and seek to raise fish in zero gravity, according to Xinhua.”

Operational Adjustments Resulting From Workforce Shortages. Federal Register Coast Guard request for comments. Summary: “We are requesting your comments on planned actions that will allow the Coast Guard to prioritize lifesaving missions and protection of the Marine Transportation System in light of current personnel shortages. Like other military services, the Coast Guard is facing an unprecedented workforce shortage that is impacting Service readiness. The current and forecasted extent of the shortage is prompting significant actions to best protect the American public and maintain Service readiness. If actions are not taken to adjust operations, we can anticipate longer-term impacts to mission effectiveness and increased risk to our service members, as well as to commercial mariners and private boaters. In addition to leveraging technology and enhancing recruitment and retention efforts, operational adjustments must be executed within the existing response system while maintaining standards and an adherence to core mission execution. These adjustments fall into two categories: First, in regions where multiple units could respond if they were resourced appropriately, boats and people will be consolidated at one or more units to ensure a robust response. Secondly, in areas where the Coast Guard operates limited, or seasonal units that do not have sufficient personnel to respond, operations will be temporarily paused as resources are moved to higher priority areas. These adjustments will remain in effect until the Coast Guard has sufficient personnel to reconstitute these units.” Comments due May 24th, 2024.

A new U.S. tool maps where heat will be dangerous for your health. ScienceNews.org article. Pull quote: ““You can put in your zip code and see current heat risk and air quality levels and a seven-day heat risk forecast for your area,” Mandy Cohen, director of the Centers for Disease Control and Prevention said April 22 at a news conference unveiling the tool, called HeatRisk. “So, you can plan your day and you can plan your week with your health in mind.”” NWS HeatRisk Tool: https://www.wpc.ncep.noaa.gov/heatrisk/

Colombia becomes first country to restrict US beef due to bird flu in dairy cows. Reuters.com article. Pull quote: “To date, no U.S. beef cattle have tested positive for bird flu, government officials said.” The big question is: has anyone been testing beef cattle?

Traces of bird flu are showing up in cow milk. Here’s what to know. ScienceNews.org article. Pull quote: “Because H5N1 has only recently been found in cattle, no studies have directly tested milk pasteurization’s ability to kill the virus, the FDA said in a statement April 23. But studies have shown that egg pasteurization, which is done at lower temperatures than milk pasteurization, inactivates the virus.”

Freight train derails, catches fire near US-Mexico border causing road closures. TheHill.com article. Pull quote: “The train was carrying gasoline and odorless propane at the time of the derailment near Houck, Ariz. No injuries were reported as a result of the incident, according to New Mexico State Police.”

Forecasters predict record number of hurricanes. TheHill.com article. Pull quote: “The Penn forecast predicts between 27 and 39 named tropical storms, with the best estimate at 33 storms — the most of any forecast in the 15-year history of the project. An average season usually has about half that number.” Article also quotes CSU forecast for 24 named storms. 

Review - HR 7922 Introduced – Water Risk and Resilience Organization

Earlier this month, Rep Crawford (R,AR) introduced HR 7922 (no fancy name). The bill would require the EPA to craft regulations providing for the certification of an independent Water Risk and Resilience Organization (WRRO) seemingly similar to NERC in the electric sector. The bill would authorize $5 million per year through 2025 to establish the WRRO.

Moving Forward

Crawford is a member, as is his sole cosponsor {Rep Duarte (R,CA)}, of the House Transportation and Infrastructure Committee to which this bill was assigned for primary consideration. This means that there may be sufficient influence to see it considered in Committee. I expect that any number of small communities are going to pressure their representatives to oppose this legislation as it would end up increasing the costs of maintaining their water systems. Many mid to large size water systems will also object, again because of funding issues. I suspect that there will be significant bipartisan opposition to this bill based upon those objections. I do not expect this bill to move forward, especially since there is no cosponsor on the House Energy and Commerce Committee, to which this bill has been assigned for secondary consideration. That Committee is well known for guarding their prerogatives when they have even limited oversight responsibilities.

Commentary

This attempt to move cybersecurity oversight of water systems out from under the direct control of the EPA is fraught with problems. The first is funding; the two-year $5 million authorization under the bill is a pittance compared to what will be needed to establish and operate an organization with this level of oversight. Again, based upon the NERC model, the crafters expect the WRRO to be funded from dues and fees from the covered water systems. Those fees will come on top of the costs of implementing the new cybersecurity requirements established by the WRRO. Since the vast majority of these systems are small, municipal-controlled systems, they are going to have a hard time funding required cybersecurity upgrades, much less the dues and fees assessed by the WRRO.

On a side note, this idea has some support in the water sector. In fact, the idea traces back at least as far as the American Water Works Association. You can see a brief look at their interpretation of the idea in an article on ACSH.org from May of last year. Needless to say, the AWWA will almost certainly support this bill.

 

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-7922-introduced - subscription required.

Thursday, April 25, 2024

Short Takes – 4-25-24

Dairy Cows Transported Between States Must Now Be Tested for Bird Flu. NYTimes.com article (free link). Pull quote: “While testing more cows is critical, so is reducing the risk of infection among dairy workers regularly exposed to fresh milk now thought to contain extensive virus, said Seema Lakdawala, a virologist at Emory University.”

GPT-4 Can Exploit Most Vulns Just by Reading Threat Advisories. DarkReading.com article. Pull quote: “With only their security advisories to go on, the AI agent was tasked with exploiting each bug in turn. The results of this experiment painted a stark picture. Of the 10 models evaluated — including GPT-3.5, Meta's Llama 2 Chat, and more — nine could not hack even a single vulnerability. GPT-4, however, successfully exploited 13, or 87% of the total.”

Boeing and NASA decide to move forward with historic crewed launch of new spacecraft. CNN.com article. Pull quote: ““This is an important capability for NASA. We signed up to go do this, and we’re gonna go do it and be successful at it,” Nappi said Thursday. “I don’t think of it in terms of what’s important for Boeing as much as I think of it as in terms of what’s important for this program.””

Macron’s Olympics terror nightmare. Politico.eu article. Pull quote: “The worst-case scenario, according to Regul, would be a coordinated cyber and terror attack, with the digital attack taking out crucial security or surveillance systems.”

CG Report for 2023 Cyber Trends in Maritime Environment

I ran into an interesting article over on IndustrialCyber.co looking at the recently released report from the Coast Guard Cyber Command. That report, “2023 Cyber Trends and Insights in the Marine Environment Report”, takes a look at last year’s trends in maritime cybersecurity. It is a 60-page report with lots of detail, so it is well worth reading. And Anna Ribeiro’s article provides a good overview.

The report includes a fairly detailed discussion (pgs 16-20) about the techniques that Cyber Protection Team (CPT) members used to gain entry to systems during their cybersecurity assessments. Nothing really fancy, certainly no 0-day exploits; just solid application of cybersecurity knowledge.

The discussion about strengthening OT networks (pgs 24-28), while short, is illuminating. The Cyber Command authors identify the “three common vulnerabilities present in almost every OT network” the CPT assessors looked at:

• Improperly segmented networks,

• End-of-life software, and

• Use of legacy protocols.

The OT hardening discussion then focuses on how to fix those issues first. Not a bad idea for any OT system.

The final thing I want to point out in the report is Appendix C, “Known Exploitable Vulnerabilities Detected on Cpt Missions”. This appendix lists the vulnerabilities found during CPT missions that are listed in CISA’s Known Exploited Vulnerability (KEV) Catalog. The number of KEVs found is remarkably small, but that is more than made up for by how old some of them are. The oldest KEV reported by the CPTs in the wild is an “Apache HTTP Server-Side Request Forgery (SSRF)” - CVE-2012-1823. Even being over a decade old, the CG cyber personnel found two instances of this vulnerability available for attack.
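The comparison Appendix C makes, assessment findings checked against the KEV catalog and ranked by age, is easy to reproduce for your own network. The script below is an added example and is not code from the Coast Guard report or from this post. The KEV entry field names (a “vulnerabilities” list with cveID, vulnerabilityName, dateAdded, dueDate) follow the catalog’s published JSON shape; the catalog subset and the findings list are constructed sample data, the only real identifier being CVE-2012-1823 from the report, and the other CVE IDs, hostnames and dates are placeholders. The age of a CVE is approximated from the year in its identifier, which is the year it was assigned, not necessarily the year the flaw was disclosed.

```python
"""Cross-reference assessment findings against a snapshot of CISA's KEV catalog.

Added example; not code from the Coast Guard report or the blog post.
"""
from datetime import date

# Constructed sample: a tiny subset of the KEV catalog in the JSON shape CISA
# publishes (a "vulnerabilities" list whose entries carry cveID,
# vulnerabilityName, dateAdded and dueDate). Only CVE-2012-1823 comes from the
# report; the other two IDs are placeholders and every date here is made up.
SAMPLE_KEV = {
    "vulnerabilities": [
        {"cveID": "CVE-2012-1823",
         "vulnerabilityName": "Apache HTTP Server-Side Request Forgery (SSRF)",
         "dateAdded": "2022-03-01", "dueDate": "2022-04-01"},
        {"cveID": "CVE-2019-XXXXX",
         "vulnerabilityName": "PLACEHOLDER historian flaw",
         "dateAdded": "2024-01-15", "dueDate": "2024-05-30"},
        {"cveID": "CVE-2023-YYYYY",
         "vulnerabilityName": "PLACEHOLDER firewall flaw",
         "dateAdded": "2024-02-01", "dueDate": "2024-03-01"},
    ]
}

# Constructed sample: findings as a scanner might export them. The host names
# are invented; CVE-2021-NOTKEV stands in for a finding that is not in the KEV.
SAMPLE_FINDINGS = [
    {"host": "hmi-01", "cve": "CVE-2012-1823"},
    {"host": "eng-ws-02", "cve": "CVE-2012-1823"},
    {"host": "hist-01", "cve": "CVE-2019-XXXXX"},
    {"host": "hist-01", "cve": "CVE-2021-NOTKEV"},
    {"host": "fw-01", "cve": "CVE-2023-YYYYY"},
]


def build_kev_index(catalog):
    """Map cveID -> catalog entry so each finding is a single dictionary lookup."""
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def cve_year(cve_id):
    """Year embedded in a CVE identifier (CVE-<year>-<sequence>); a rough age proxy."""
    parts = cve_id.split("-")
    if len(parts) != 3 or parts[0] != "CVE" or not parts[1].isdigit():
        raise ValueError(f"malformed CVE id: {cve_id!r}")
    return int(parts[1])


def match_kev(findings, catalog, as_of):
    """Return the KEV-listed findings, one record per CVE, oldest first.

    Each record carries the affected hosts, the CVE's approximate age in years
    at `as_of`, and whether the catalog's federal remediation due date has passed.
    """
    index = build_kev_index(catalog)
    matches = {}
    for finding in findings:
        entry = index.get(finding["cve"])
        if entry is None:
            continue  # not a known-exploited vulnerability; out of scope here
        match = matches.setdefault(finding["cve"], {
            "cve": finding["cve"],
            "name": entry["vulnerabilityName"],
            "hosts": [],
            "age_years": as_of.year - cve_year(finding["cve"]),
            "due_date": entry["dueDate"],
            "overdue": date.fromisoformat(entry["dueDate"]) < as_of,
        })
        if finding["host"] not in match["hosts"]:
            match["hosts"].append(finding["host"])
    # Oldest CVEs first; ties broken by identifier for a stable report.
    return sorted(matches.values(), key=lambda m: (-m["age_years"], m["cve"]))


def summarize(matches):
    """Headline numbers for a report: KEV hits, how many are past due, oldest age."""
    return {
        "kev_hits": len(matches),
        "overdue": sum(1 for m in matches if m["overdue"]),
        "oldest_age_years": max((m["age_years"] for m in matches), default=0),
    }


if __name__ == "__main__":
    hits = match_kev(SAMPLE_FINDINGS, SAMPLE_KEV, date(2024, 4, 25))
    for hit in hits:
        flag = "OVERDUE" if hit["overdue"] else "on track"
        print(f"{hit['cve']}  age~{hit['age_years']}y  {flag}  hosts={hit['hosts']}")
    print(summarize(hits))
```

With the real catalog, replace SAMPLE_KEV with the parsed contents of CISA’s known_exploited_vulnerabilities.json and feed in your scanner’s export; the output gives you the same two things the appendix highlights, how few findings are on the KEV list and how old the ones that are there turn out to be.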

This is a unique look at cybersecurity in the wild, well worth the read even if you have nothing to do with the maritime domain.

Review – 4 Advisories and 4 Updates Published

Today, CISA’s NCCIC-ICS published four control system security advisories for products from Honeywell, Siemens and Hitachi Energy (2). They also updated advisories for products from Mitsubishi (2), Rockwell and Chirp Systems.

Advisories

Honeywell Advisory - This advisory describes 16 vulnerabilities in multiple Honeywell products.

Siemens Advisory - This advisory discusses a command injection vulnerability {that is listed on CISA’s Known Exploited Vulnerabilities (KEV) Catalog} in the Siemens RUGGEDCOM APE1808 application hosting platform.

Hitachi Energy Advisory #1 - This advisory describes two vulnerabilities in the Hitachi Energy MACH SCM product.

Hitachi Energy Advisory #2 - This advisory describes two unrestricted upload of files with dangerous type vulnerabilities in the Hitachi Energy RTU500 Series.

Updates

Mitsubishi Update #1 - This update provides additional information on the MELSEC Series CPU Module advisory that was originally published on May 23rd, 2023 and most recently updated on March 14th, 2024.

Mitsubishi Update #2 - This update provides additional information on the MELSEC iQ-R Series/iQ-F Series advisory that was originally published on June 6th, 2023.

Rockwell Update - This update provides additional information on the 5015-AENFTXT advisory that was originally published on April 11th, 2024.

Chirp Systems Update - This update provides additional information on the Chirp Access advisory that was originally published on March 7th, 2024 and most recently updated on April 23rd, 2024.

 

For more information on these advisories, including a brief commentary on the Chirp Systems update, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-and-4-updates-published - subscription required.

Review - S 4045 Introduced – East Palestine Health Monitoring

Last month, Sen Vance (R,OH) introduced S 4045, the East Palestine Health Impact Monitoring Act of 2024. The bill would require HHS to conduct a study on the health effects of the 2023 East Palestine, OH train derailment. The bill would authorize $2 million per year through 2028 for the study.

Moving Forward

While Vance is not a member of the Senate Health, Education, Labor, and Pensions Committee to which this bill was assigned for consideration, one of his three cosponsors {Sen Casey (D,PA)} is a member. This means that there may be sufficient influence to see this bill considered in Committee. I would expect to see some Republican opposition to this bill because the results of such a study would likely be used to justify additional lawsuits against Norfolk Southern, the railroad involved in the incident. Still, I expect that the bill would have sufficient bipartisan support to pass in Committee. I do not expect to see this bill reach the floor of the Senate, though its language could be expected to be offered as an amendment to the DOT spending bill or transportation authorization bill.

Commentary

This is a little bit late (but better late than never) to be starting this sort of post-accident health effects study. To be most effective, this should start within hours or days of the incident. That cannot, of course, happen if we need to rely on the local congressional delegation to put together study legislation and attempt to push it through Congress each time such accidents happen. There should be statutes in place to require the EPA, DOT, and HHS to conduct such studies any time a significant chemical release occurs. DOT should fund studies for transportation-related incidents and the EPA for fixed-site accidents.

 

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-4045-introduced - subscription required.

Review - S 3773 Introduced – HHS Cybersecurity Testing

In February, Sen Rubio (R,FL) introduced S 3773, the Strengthening Cybersecurity in Health Care Act. The bill would require the Health and Human Services Department Inspector General to conduct penetration tests and other testing procedures to determine how systems processing, transmitting, or storing mission critical or sensitive data by, for, or on behalf of the Department are currently, or could be, compromised. No new funding is provided by the bill.

Moving Forward

While Rubio is not a member of the Senate Health, Education, Labor, and Pensions Committee to which this bill was assigned for consideration, one of his three cosponsors {Sen Hassan (D,NH)} is a member. This means that there may be sufficient influence to see the bill considered in Committee. I do not see anything that would engender any organized opposition to the bill. I suspect that there would be some level of bipartisan support for the legislation if it were considered.

This bill is not politically important enough to consume the time necessary for consideration in the Senate under regular order. This bill might be able to pass under the Senate’s unanimous consent process, but that process always faces the potential for opposition unrelated to the provisions of the bill. This bill is well suited to being included in the annual HHS spending bill and Rubio, a member of the Senate Appropriations Committee, is well placed to see that happen.

Commentary

HHS has little in the way of internal clinics that might be affected by such testing, so it is unlikely that there will be any medical devices covered by the requirements of this bill. I really mention it here because of the unique requirement for IG cybersecurity testing. This is well within the scope of operations of inspectors general, if probably outside of the existing skill sets for those organizations. While not wishing to see CISA’s prominence in government cybersecurity efforts diminished, I think that this might be a good requirement for each inspector general office in the federal government. And it might provide an interesting internal skill set that could be used in other IG investigations.

 

For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-3773-introduced - subscription required.

Short Takes – 4-25-24 – Space Geek Edition

A NASA rover has reached a promising place to search for fossilized life on Mars. Phys.org article. Pull quote: “Mars sample return remains NASA's highest planetary science priority and is strongly supported by the planetary science community around the world. The samples from Perseverance may revolutionize our view of life in the universe. Even if they don't contain fossils or biomolecules, they will fuel decades of research and give future generations a completely new view of Mars. Let's hope NASA and the US government can live up to the name of their rover, and persevere.”

SpaceX’s Special Starship Cargo Lander Capacity Revealed By NASA Ahead Of Fourth Starship Test. WCCFTech.com article. Pull quote: “In a press release, NASA outlined that the cargo landers, part of the original HLS award will land on the Moon starting from the Artemis 7 mission. The Artemis 7 was slated to land on the Moon in 2030 according to a NASA manifest from 2022 - before the space agency moved its timeline for the Artemis 2 mission forward by a year. Artemis 2 will be the first time humans will venture to the Moon since the Apollo program, and the mission was initially slated to launch this year.”

China's Tiangong space station damaged by debris strike. Space.com article. Pull quote: “"The space station's core module Tianhe had suffered a partial loss of power supply due to the impact of the space debris on the solar wing's power cables," Xinhua reported, paraphrasing CMSA deputy director Lin Xiqiang.”

China on track for crewed moon landing by 2030, space official says. SpaceNews.com article. Pull quote: “Lin added that astronaut training for the mission includes mastering operation of the Mengzhou and Lanyue spacecraft, including in normal and emergency flight conditions. Rendezvous and docking and manually avoiding obstacles during the lander’s descent were noted as part of the training. Other activities include entering and exiting the lander, working in one-sixth of Earth’s gravity, long-range lunar roving, drilling, sampling and other scientific work on the lunar surface.”

Companies offer proposals for Apophis asteroid missions. SpaceNews.com article. Pull quote: “Scientists, though, are interested in sending additional missions to Apophis, particularly those that would fly by or orbit the asteroid before the flyby so that researchers can better the understand what impact tidal forces from the flyby might have on the asteroid. Several such mission concepts were discussed during an April 22–23 workshop at a European Space Agency center in The Netherlands.”

Major changes approved for ClearSpace-1 mission. SpaceNews.com article. Pull quote: ““On 10 August, 2023, a collision involving our original target increased the risk of capture and induced the spinning of the object,” ClearSpace CEO Luc Piguet told SpaceNews by email. “This made it more difficult to capture and added complexity to the mission as the goal is to remove debris completely.””

Wednesday, April 24, 2024

Short Takes – 4-24-24

E. coli engineered to become methanol addict to make industry feedstocks. ChemistryWorld.com article. A little biochem geeky stuff. Pull quote: “Lead author Julia Vorholt at ETH Zurich says the first step was to get E. coli ‘addicted’ to methanol. ‘If you make a mutation in a certain gene then [E. coli] needs to make a little bit of biomass for some specific compounds from methanol,’ she explains. Leaving the bacteria to grow in a bioreactor with just enough carbon to survive and an abundance of methanol favours those that can use alcohol. Natural selection takes over and bacteria which thrive using methanol outcompete the others until eventually E. coli has evolved the same fixation cycle seen in other methylotrophs.”

America’s crisis of repetition is hurting national security. BreakingDefense.com article. Pull quote: “Finally, the challenge of identifying obstacles to implementation is hard — and frankly, not necessarily interesting. It involves detective work: asking questions, knowing processes across government, and understanding funding streams. It requires persistence and takes time. It’s a lot less exciting than coming up with purportedly “new” ideas.”

Artemis Mission: Making NASA’s New Moon Suits. Makezine.com article. Pull quote: “This carefulness is evident when you walk into their sewing labs. The labs are filled with single needle, double needle, off-arm, post, bar-tack, serger, and zig-zag sewing machines, all used for the creation of the suits. In typical clothing factories, the buzz of machines is constant and fast. Axiom’s sewing lab is almost dead silent. Some of the sewers even turn the machines by hand to achieve the level of precision needed.”

Agency Information Collection Activities: CISA Gateway User Registration. Federal Register CISA 60-day ICR renewal/change notice. Changes: “The collection was initially approved on October 9, 2007, and the most recent approval was on December 19, 2023, with an expiration date of June 30, 2024. The changes to the collection since the previous OMB approval include: updating the title of the collection, decrease in burden estimates and decrease in costs. The total annual burden cost for this collection has changed by $3,096.40, from $4,128 to $7,224.40 due to the removal of the utilization survey, and the addition of PCIIMS respondents. For the CISA Gateway, the total number of responses has increased from 350 to 700 due to the updated metrics resulting from the awareness campaign and due to the registration process changing which does not include the training registration. The annual government cost for this collection has changed by $8,340.92 from $5,723 to $14,063.92 due to the removal of the utilization survey, and the addition of PCIIMS respondents. This is a renewal with changes of an information collection.” Comments due June 24th, 2024.

National Security Telecommunications Advisory Committee. Federal Register DHS meeting notice. Agenda: “The NSTAC will meet in an open session on Thursday, May 23, 2024, from 3:15 p.m. to 4:30 p.m. EDT to discuss current NSTAC activities and the government's ongoing cybersecurity and NS/EP communications initiatives. This open session will include: (1) an update on the administration's cybersecurity initiatives; (2) a keynote address; (3) an update on current NSTAC activities; and (4) a status update on the NSTAC Principles for Baseline Security Offerings from Cloud Service Providers Study.”

Sorry, Little Green Men: Alien Life Might Actually Be Purple. ScientificAmerican.com article. Pull quote: “Prior to that, microorganisms generated metabolic energy by harnessing sunlight using a purple-pigmented molecule called retinal, whose origin may have predated chlorophyll. If retinal exists on other faraway worlds, scientists think the molecule's unique fingerprint would be discernible by upcoming ground- and space-based telescopes.”

Monkeypox virus: dangerous strain gains ability to spread through sex, new data suggest. Nature.com article. Pull quote: “Although mpox infections have waned globally since 2022, they have been trending upwards in the DRC: in 2023 alone, the country reported more than 14,600 suspected infections and more than 650 deaths. In September, 2023, a new cluster of suspected cases arose in the DRC’s South Kivu province. This cluster especially concerns researchers, as it has been spreading largely among sex workers, suggesting that the virus has adapted to transmit readily through sexual contact.”

Remnants of bird flu virus found in pasteurized milk, FDA says. OCRegister.com article. Pull quote: “Because the detection of the bird flu virus known as Type A H5N1 in dairy cattle is new and the situation is evolving, no studies on the effects of pasteurization on the virus have been completed, FDA officials said. But past research shows that pasteurization is “very likely” to inactivate heat-sensitive viruses like H5N1, the agency added.” While I agree with the theory, I am not a big fan of ‘very likely’ as a scientific statement. And what happens if H5N1 fragments get into someone with an active flu infection; would we see recombination?

Consideration of HR 3935 – FAA Reauthorization

Yesterday, the Senate resumed consideration of the motion to proceed to consideration of H.R. 3935. Sen Schumer (D,NY) entered a motion to close further debate on the motion to proceed to consideration of the bill. The vote on that cloture motion will take place when the Senate returns on March 30th, 2024, after the vote on the Georgia N. Alexakis nomination.

The Senate actually started this process back in September, but it led nowhere. At the time there were suggestions that Schumer was going to use the bill as a vessel for consideration of a clean continuing resolution while the House was trying to sort out how to proceed on the spending bills under Rep McCarthy (R,CA). At that time there had been one anti-Ukraine amendment submitted by Sen Vance (R,OH).

No new amendments have been submitted yet for consideration during the actual debate on HR 3935. The first amendment will almost certainly come from Sen Cantwell (D,WA) offering the reported version of S 1939 as substitute language for HR 3935. Additional amendments will be submitted, and some will be considered.

As I noted in a post on S 1939, there is an interesting counter-UAS provision in the Senate bill:

Section 811 would amend 49 USC Chapter 448 by adding a new § 44813 Unmanned aircraft system detection and mitigation enforcement. The new section would prohibit anyone (other than certain government agencies and employees) from operating “a system or technology to detect, identify, monitor, track, or mitigate an unmanned aircraft or unmanned aircraft system in a manner that adversely impacts or interferes with safe airport operations, navigation, or air traffic services, or the safe and efficient operation of the national airspace system.” The term “adversely impacts or interferes with” is not defined. Violators would be subject to a civil penalty of not more than $25,000 per violation. This prohibition would terminate on September 30, 2028.

Review - CSB Updates Accidental Release Reporting Data – 4-19-24

Yesterday, in preparation for their quarterly business meeting tomorrow, the CSB updated their published list of reported chemical release incidents. They added 26 new incidents that occurred since the previous version was published in January and inserted eight ‘new’ incidents that occurred before January. These are not incidents that the CSB is investigating; these are incidents that were reported to the CSB under their Accidental Release Reporting rules (40 CFR 1604).

The table below shows the top four states based upon the number of reported incidents since the January update was published.

 

For more details on the new information in the database, including a new top ten chemical incident States list, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-updates-accidental-release-reporting-fae - subscription required.

Tuesday, April 23, 2024

Short Takes – 4-23-24

Russia-linked hacking group claims to have targeted Indiana water plant. CNN.com article. Pull quote: ““While the video is sensational, the actions taken by the threat actor are amateur and would amount to a minor annoyance for plant operators,” Fabela, who is CEO of Infinity Squared Group, a consulting firm, told CNN.”

A powerful volcano is erupting. Here’s what that could mean for weather and climate. CNN.com article. Pull quote: “In comparison, satellite instruments have estimated Mount Ruang has released around 300,000 tons of sulfur dioxide so far [compared to 17 million tons in the 1991 Mount Pinatubo eruption], though it’s unclear how much of that plume made it into the stratosphere. While that amount is quite massive in its own right, it falls well short of the most extreme case, according to Huey.”

Could Trump Go to Prison? If He Does, the Secret Service Goes, Too. Pull quote: “Former corrections officials said there were several New York state prisons and city jails that have been closed or partly closed, leaving wings or large sections of their facilities empty and available. One of those buildings could serve to incarcerate the former president and accommodate his Secret Service protective detail.”

FEMA is making an example of this Florida boomtown. Locals call it ‘revenge politics’. GovExec.com article. Pull quote: “Even if Lee County manages to contest the decision, homeowners in Southwest Florida are almost guaranteed to suffer more financial pain as a result of this enforcement effort. If FEMA stays the course and removes the discount, it will raise flood insurance costs for homeowners in unincorporated parts of the county between $14 and $17 million per year, equating to a $300 annual hit for each flood insurance customer in the area. But if Lee County cracks down on the 50% rule and FEMA restores the discount, homeowners who rebuilt in flood zones may have to spend hundreds of thousands of dollars to elevate their homes.”

Stars and Stripes Media Organization. Federal Register DOD proposed rule. Summary: “This rulemaking proposes to update authorities and responsibilities for the Stars and Stripes Media Organization (often abbreviated as Stripes) to reaffirm its editorial independence in providing media products not only to military service members and DoD civilian employees, but to U.S. veterans, families of veterans and current service members, and contractor personnel, particularly those serving overseas, based on changes in the consumption of news and information in a digital age. It additionally proposes to remove internal operational procedures of the Stars and Stripes Media Organization that do not require rulemaking under the Administrative Procedure Act.” Comments due June 24th, 2024.

DC3 and DCSA Partner to Announce Vulnerability Disclosure Program for Defense Industrial Base. GovDelivery.com press release. Pull quote: “Through operational agreements and strategic partnerships, DC3 and the DCSA routinely collaborate on ways to share information security data. DoD VDP vulnerability reporting is shared with DoD system owners on the Joint Force Headquarters-DoD Information Networks via the Vulnerability Report Management Network (VRMN). A parallel system, DIB VRMN, employs the same efficient and automated approach while ensuring that DIB data is tracked and held separately from DoD data. Implementation of a DIB-VDP is the most effective means of sharing DIB-sourced vulnerabilities with DIB companies. It promotes timely mitigation of identified vulnerabilities on DIB company internet-facing information systems. This enables vulnerability remediation in DIB companies at a much earlier point than in traditional vulnerability management efforts.”

Green Roofs Are Great. Blue-Green Roofs Are Even Better. Wired.com article. Pull quote: “The water levels in the blue-green roof are managed by a smart valve. If the weather forecast says a storm is coming, the system will release stored water from the roof ahead of time. That way, when a downpour comes, the roof refills, meaning there’s less rainwater entering the gutters and sewers in the surrounding area. In other words, the roof becomes a sponge that the operator can wring out as needed. “In the ‘squeezable’ sponge city, you make the whole city malleable,” says Spaan.”

Rooftop solar panels are flooding California’s grid. That’s a problem. WashingtonPost.com article. Pull quote: “But a year ago, the state changed this system, known as “net-metering,” and now only compensates new solar panel owners for how much their power is worth to the grid. In the spring, when the duck curve is deepest, that number can dip close to zero. Customers can get more money back if they install batteries and provide power to the grid in the early evening or morning.”

A rapid shift in ocean currents could imperil the world’s largest ice shelf. ScienceNews.org article. Pull quote: “These findings come at an ominous time. Even as sea ice shrank in the Arctic, it remained stable around Antarctica for decades. But Antarctic sea ice has declined steeply since 2017, especially near the Ross Ice Shelf. Scientists recently reported that the cold, salty waterfall to the Antarctic seafloor is already starting to slow. This is “alarming,” Lowry says. We now know that the ice shelf can easily switch from cold to warm. “The question is, are we observing the switch?””

Review – 2 Updates Published – 4-23-24

Today, CISA’s NCCIC-ICS published updates for two control system security advisories for products from Chirp Systems and Mitsubishi Electric.

Updates

Chirp Systems Update - This update includes additional information on an advisory that was originally published on March 7th, 2024.

Mitsubishi Update - This update includes additional information on an advisory that was originally published on February 20th, 2024.

 

For more information on these updates, including a summary of the changes made, and a brief look at Chirp Systems' negative response to the advisory, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-updates-published-4-23-24 - subscription required.

Monday, April 22, 2024

Short Takes – 4-22-24

Syphilis case increase sparks Colorado public health order. TheHill.com article. Pull quote: ““People should know that this is a treatable disease for adults. A course of penicillin generally does the trick. Some adults have very mild symptoms, there’s a lack of diagnosis, others who were symptomatic and treated with penicillin,” Polis said. “But the real danger here is for newborns.””

Suddenly micro-factories are real ... with prices starting at $300,000. NewAtlas.com article. Pull quote: ““There is an urgent need for affordable low-energy homes, but building high-quality, sustainable timber homes is hard to scale, and AUAR intends to change that. Robots and AI allow us to deliver high-quality housing at significantly lower costs, increasing margins and productivity while lowering the cost for the end users. By using our solution, construction companies can hit their sustainability targets at a cost they are comfortable with.””

Trial attention: don’t let a pecker distract from more important stories. EmptyWheel.net post. Pull quote: “All of which is my way of saying: beware of letting this trial drown out more important events. Yes, it is unprecedented to see Trump subjected to discipline. But this trial is sucking up far, far too much attention that might better be directed elsewhere — and all that attention is one of the reasons why jury and witness tampering are such a risk.”

Biomanufacturing isn’t cleaning up chemicals. CEN.ACS.org article. Shooting for the Moon too early in the technology development process. Pull quote: “But will this renewed enthusiasm for synthetic biology yield a different result? While biomanufacturing companies have already found niches for some expensive products, doubters say it might take decades before fermentation-derived molecules are cheap enough to replace oil-derived commodities. And they warn that without policies forcing the petrochemical industry to account for the health and environmental costs of its carbon emissions, fermentation may never displace fossil fuels.”

NASA's Voyager 1 spacecraft finally phones home after 5 months of no contact. Space.com article. Pull quote: “By Saturday (April 20), however, the team confirmed their modification had worked. For the first time in five months, the scientists were able to communicate with Voyager 1 and check its health. Over the next few weeks, the team will work on adjusting the rest of the FDS software and aim to recover the regions of the system that are responsible for packaging and returning vital science data from beyond the limits of the solar system.”

Astronomers Find Evidence Of A Massive Object Beyond The Orbit Of Neptune. IFLScience.com article. Pull quote: “Carrying out simulations to try and discover what best explains the orbits of these objects, the team found that a model that includes a massive planet beyond the region of Neptune explained the steady state of these objects much better than in simulations where planet 9 was not included. In the model, the team included other variables, such as the galactic tide and the gravitational influence of passing stars.”

Bird Flu Is Infecting More Mammals. What Does That Mean for Us? NYTimes.com article. Pull quote: “Government leaders are typically cautious, wanting to see more data. But “given the rapid speed at which this can spread and the devastating illness that it can cause if our leaders are hesitant and don’t pull the right triggers at the right time, we will be caught flat-footed once again,” Dr. Bright said.”

Review - S 3943 Introduced – ANCHOR Act

Last month, Sen Padilla (D,CA) introduced S 3943, the Accelerating Networking, Cyberinfrastructure, and Hardware for Oceanic Research (ANCHOR) Act. The bill would require the National Science Foundation (NSF) to submit a plan to improve the cybersecurity and telecommunications of the Academic Research Fleet. No new funding is authorized by the legislation. The bill is very similar to HR 7630. That bill was adopted without amendment by the House Science, Space, and Technology Committee on March 20th, 2024.

Differences From HR 7630

The major difference from the House bill is that Section 4 of the earlier bill is absent in the Senate version. That section authorized NSF to support cybersecurity upgrades described in the plan required in §3. Section 4 would have also required a report to Congress on progress made on the implementation of the plan.

Moving Forward

While Padilla is not a member of the Senate Commerce, Science, and Transportation Committee to which this bill was assigned for consideration, two of his three cosponsors are members. This means that there could be sufficient influence to see this bill considered in Committee. I see nothing in this bill, especially since it contains no new funding or regulatory requirements, that would engender any organized opposition to the legislation. I suspect that there would be bipartisan support for the bill. Unfortunately, this is yet another bill that is not politically important enough to take up the time to be considered by the full Senate. If this bill is to move forward, it would need to be considered under the unanimous consent process (a politically fraught process) or be included in some larger, more politically necessary bill.

 

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-3943-introduced - subscription required.

Short Takes – 4-22-24 – Space Geek Edition

Dragonfly: NASA Just Confirmed The Most Exciting Space Mission Of Your Lifetime. Forbes.com article. Pull quote: “Titan is the only other world in the solar system other than Earth that has weather and liquid on its surface. It has an atmosphere, rain, lakes, oceans, shorelines, valleys, mountain ridges, mesas and dunes—and possibly the building blocks of life itself. It’s been described as both a utopia and as deranged because of its weird chemistry.”

NASA reveals 'glass-smooth lake of cooling lava' on surface of Jupiter's moon Io. LiveScience.com article. Pull quote: “The new images show Loki Patera, a 127-mile-long (200 km) lava lake on Io's surface. Scientists have been observing this lava lake for decades. It sits over the magma reservoirs under Io's surface. The cooling lava at the center of the lake is ringed by possibly molten magma around the edges, Scott Bolton, principal investigator for the Juno mission, said during a news conference Wednesday (April 16) at the European Geophysical Union General Assembly in Vienna.”

Starship Faces Performance Shortfall for Lunar Missions. AmericaSpace.com article. Pull quote: “This is likely what happened to Starship. To mitigate the risk that one exploding Raptor engine might cause a cascade of failures, SpaceX installed extra shielding around each of the 33 motors on the Super Heavy booster. In addition, it installed a steel “hot staging” ring between the booster and the ship, which allows the latter to ignite its engines while the two stages are still attached. It is worth noting that this component was supposed to increase the performance of the vehicle by 10%; SpaceX has not disclosed whether those gains were realized. Other additions to the vehicle included components which mitigated the propellant leaks which partially contributed to the failure of the first test flight. Each additional gram of mass ate into Starship’s payload capacity.”

America's Next Great Space Station Gets a Vote of Support from Japan. Fool.com article. Pull quote: “Of the three teams discussed, the most "international" of the teams vying to replace the International Space Station is Voyager's. In addition to American aerospace company Northrop, Voyager's team also includes the European aerospace champion Airbus. As of last week, it will also include an industrial leader from Japan: As the companies announced earlier this month, Japan's Mitsubishi Corporation (MSBHF 1.65%) is taking an equity stake in the Starlab project.”

Senate Began Consideration of HR 3935 – FAA Reauthorization

On Friday, the Senate began debate on the consideration of HR 3935, the Securing Growth and Robust Leadership in American Aviation Act. That debate continued on Saturday. Debate will resume on Tuesday. No amendments have been submitted. No real action will occur until the Senate comes back from their upcoming recess on April 29th.

Saturday, April 20, 2024

CISA Publishes ‘Secure Your Chemicals: Potential Threats’

Recently, CISA added a new infographic to their stable of publications supporting the two agency chemical security programs, the currently inactive Chemical Facility Anti-Terrorism Standards (CFATS) program and the voluntary ChemLock program. The new “SECURE CHEMICALS: POTENTIAL THREATS” page shows a brief overview of the potential threats to chemical facilities. The page notes that:

“By considering the potential avenues of attack and approaching security holistically, facility owners and operators can choose cost-effective, efficient security measures that work best to protect their dangerous chemicals from the threats and hazards most likely to occur at their facility.”

Chemical Incident Reporting – Week of 4-13-24

NOTE: See here for series background.

Moosic, PA – 4-15-24

Local news reports: Here, here, and here.

Ammonia storage tank leak at food processing facility. 14 transported to hospital for ammonia exposure.

Possible CSB reportable if any of the patients were admitted to the hospital.

Naperville, IL – 4-15-24

Local news reports: Here, here, and here.

One-gallon ammonia spill in restaurant basement. 1 person transported to hospital for ammonia exposure.

Possible CSB reportable if the patient was admitted to the hospital.

Walker County, AL – 4-16-24

Local news reports: Here, here, and here.

A tank truck overturned in an apparent single-vehicle accident. It caught fire and exploded. The truck was destroyed and the driver killed. No reports about what the truck was hauling.

Not CSB reportable; transportation-related accident, not a fixed site.

Galena Park, TX – 4-19-24

Local news reports: Here, here, here, and here.

Flash fire at rail loading site of refinery. Three contractors transported to hospital for burns. One report notes that the injured were treated and released from the hospital.

Probably not CSB reportable. Very little damage from the flash fire, and the injured were apparently not admitted to the hospital.

GAO Reports – Week of 4-13-24 – Federal Cybersecurity EO Actions

This week, the Government Accountability Office (GAO) published a report on “Cybersecurity - Implementation of Executive Order Requirements Is Essential to Address Key Actions”. The report looks at the implementation of EO 14028 in CISA, NIST, and OMB.

The table below shows the GAO’s assessment of EO 14028 leadership and oversight requirements (see Appendix III of the report for description of the individual requirements):

Executive Order Section – Number of requirements that are: Fully complete / Partially complete / Not complete / Not applicable

Removing Barriers to Sharing Threat Information – 6 fully complete, 1 partially or not complete

Modernizing Federal Government Cybersecurity – 8 fully complete

Enhancing Software Supply Chain Security – 16 fully complete, 1 partially or not complete

Establishing a Cyber Safety Review Board – 6 fully complete, 1 partially or not complete

Standardizing Playbook for Responding to Cybersecurity Vulnerabilities and Incidents – 4 fully complete, 1 partially or not complete

Improving Detection of Cybersecurity Vulnerabilities and Incidents – 7 fully complete, 1 partially or not complete

Improving the Federal Government's Investigative and Remediation Capabilities – 2 fully complete, 1 partially or not complete

Total – 49 fully complete, 5 partially complete, 1 not complete

The report makes a total of five recommendations (pg 44), two for DHS and three for the OMB:

• The Secretary of Homeland Security should direct the Director of CISA to issue, in a timely manner, its list of software and software product categories that are considered critical software. (Recommendation 1)

• The Secretary of Homeland Security, through the Director of the CISA, should direct the Cyber Safety Review Board to document steps taken or planned to implement the recommendations provided to the President for improving the board’s operations. (Recommendation 2)

• The Director of OMB should demonstrate that the office has conducted, with pertinent federal agencies, cost analyses for the implementation of recommendations related to the sharing of threat information, as defined in the order. (Recommendation 3)

• The Director of OMB should demonstrate that the office has coordinated with pertinent federal agencies regarding resourcing needs for the implementation of an endpoint detection and response capability, as defined in the order. (Recommendation 4)

• The Director of OMB should demonstrate that the office has coordinated with pertinent federal agencies regarding resourcing needs for logging, log retention, and log management capabilities, as defined in the order. (Recommendation 5)

CRS Reports – Week of 4-13-24 – Congressional Disapproval

This week, the Congressional Research Service (CRS) published a report on “The Congressional Review Act: Defining a “Rule” and Overturning a Rule an Agency Did Not Submit to Congress”. The 118th Congress has been fairly active in submitting and passing bills to overturn agency actions. This report outlines the processes under the Congressional Review Act (5 USC 801 thru 808) for overturning agency actions; specifically, it discusses the process for congressional action in the small number of cases where the agency does not pre-submit a copy of a rule to Congress.

Transportation Chemical Incidents – Week of 3-16-24

Reporting Background

See this post for explanation, with an update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

Incidents Summary

• Number of incidents – 470 (460 highway, 9 air, 1 rail)

• Serious incidents – 4 (3 Bulk release, 0 injuries, 0 deaths, 3 major arteries closed)

• Largest container involved – 30,190-gal DOT117R100W railcar (Alcohols, N.O.S.), improperly tightened bolts on manway cover. 5-gal spilled.

• Largest amount spilled – 440-lbs (Calcium Hypochlorite, Hydrated or Calcium Hypochlorite, Hydrated Mixtures, With Not Less Than 5.5% But Not More Than 16% Water) plastic container damaged in material handling.

Most Interesting Chemical: Tetrahydrofuran: Used as a solvent. A clear colorless liquid with an ethereal odor. Less dense than water. Flash point 6°F. Vapors are heavier than air. May form explosive peroxides when exposed to air, may be stabilized with butylated hydroxytoluene (BHT) to prevent the formation of peroxides. Involved in four incidents in the covered week.



Review – Public ICS Disclosures – Week of 4-13-24

This week we have nine vendor disclosures from Hitachi, HPE (4), Peplink, Philips, and Rockwell (2). There are also five vendor updates from B&R (2), Contec, HPE, and Palo Alto Networks. We also have eleven researcher reports about vulnerabilities in products from Elber (10) and Silicon Labs. Finally, we have two exploits for products from Palo Alto Networks.

NOTE: HP reports that they have an update for their NVIDIA GPU Display Driver advisory that was originally published on March 12th, 2024, but the link currently goes to a blank page.

Advisories

Hitachi Advisory - Hitachi published an advisory that discusses an allocation of resources without limit or throttling vulnerability in their JP1 product.

HPE Advisory #1 - HPE published an advisory that discusses an out-of-bounds write vulnerability in their Superdome Flex, Superdome Flex 280 and Compute Scale-up Server 3200 Servers.

HPE Advisory #2 - HPE published an advisory that discusses an improper restriction of operations within the bounds of a memory buffer vulnerability in their Compute Scale-up Server 3200 server.

HPE Advisory #3 - HPE published an advisory that discusses five vulnerabilities (three with exploits available) in their Telco IP Mediation E-Media product.

HPE Advisory #4 - HPE published an advisory that describes an insertion of sensitive information into a logfile vulnerability in their Compute Scale-up Server 3200 Server.

Peplink Advisory - Peplink published an advisory that describes five vulnerabilities in their Smart Reader access control product.

Philips Advisory - Philips published an advisory that discusses a CISA report of a compromise of Sisense Customer Data.

Rockwell Advisory #1 - Rockwell published an advisory that describes an improper input validation vulnerability in their 5015-AENFTXT product.

Rockwell Advisory #2 - Rockwell published an advisory that discusses a deserialization of untrusted data vulnerability {listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog} in their FactoryTalk Production Centre product.

Updates

B&R Update #1 - B&R published an update for their Docker Engine advisory that was originally published on April 10th, 2024.

B&R Update #2 - B&R published an update for their LOGO Fail advisory that was originally published on April 11th, 2024.

Contec Update - JP-CERT published an update for their SolarView Compact advisory that was originally published on June 9th, 2022 and most recently updated on February 10th, 2023.

HPE Update - HPE published an update for their Superdome Flex advisory that was originally published on January 23rd, 2024 and most recently updated on March 8th, 2024.

Palo Alto Networks Update - Palo Alto Networks published an update for their PAN OS command injection advisory that was originally published on March 12th, 2024.

Researcher Reports

Elber Report #1 - Zero Science published two reports of vulnerabilities in the Elber Signum DVB-S/S2 controller for satellite equipment.

Elber Report #2 - Zero Science published two reports of vulnerabilities in the Elber Cleber/3 Broadcast Multi-Purpose Platform.

Elber Report #3 - Zero Science published two reports of vulnerabilities in the Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link.

Elber Report #4 - Zero Science published two reports of vulnerabilities in the Elber DVB-S/S2 Satellite Receiver.

Elber Report #5 - Zero Science published two reports of vulnerabilities in the Elber Wayber Analog/Digital Audio STL.

Silicon Labs Report - Talos published a report about a NULL pointer dereference vulnerability in the Silicon Labs Gecko Platform software design kit.

Exploits

Palo Alto Networks Exploit #1 - H4x0r-dz published an exploit for a command injection vulnerability in the Palo Alto Networks PAN-OS.

Palo Alto Networks Exploit #2 - W01fh4cker published an exploit for a command injection vulnerability in the Palo Alto Networks PAN-OS.

 

For more details about these disclosures, including links to researcher reports, 3rd party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-4-ac1 - subscription required.

Friday, April 19, 2024

Short Takes – 4-19-24

The Trump Jury Has a Doxing Problem. Wired.com article. To be fair, should read ‘… Potential Doxing Problem’. Pull quote: “Armed with basic personal details about jurors and certain tools and databases, “an OSINT researcher could potentially uncover a significant amount of personal information by cross-referencing all this together,” Diachenko says. “That's why it's crucial to consider the implications of publicly revealing jurors' personal information and take steps to protect their privacy during criminal trials.””

The great commercial takeover of low Earth orbit. TechnologyReview.com article. Lengthy article, lots of interesting information. Pull quote: ““Within two to three years, I could send a graduate student to space with Axiom,” Ekblaw says. “It requires a little creative fundraising, but I think that that is opening up a realm of possibility.” In the past, she explains, a doctoral researcher would be unbelievably fortunate to have research fly as part of a single flight mission. Today, however, researchers even in a master’s program can fly experiments repeatedly because of the increased opportunities afforded by commercial spaceflight. In the future, rather than relying on career NASA astronauts—who have myriad responsibilities in orbit and spend a good amount of time as guinea pigs themselves—scientists could go up personally to run their own research projects in greater depth.”

Notice Pesticide Registration Review; Draft Human Health and Ecological Risk Assessments for Formaldehyde and Paraformaldehyde; Notice of Availability. Federal Register EPA notice. Summary: “This notice announces the availability of EPA's draft human health and ecological risk assessments for the registration review of formaldehyde and paraformaldehyde and opens a 60-day public comment period on this document.”

Ratification of Security Directives. Federal Register DHS OSPP notice. Summary: “The Department of Homeland Security (DHS) is publishing official notice that the Transportation Security Oversight Board (TSOB) ratified Transportation Security Administration (TSA) Security Directive Pipeline-2021-01C and Security Directive Pipeline-2021-02D, applicable to owners and operators of critical hazardous liquid and natural gas pipeline infrastructure (owner/operators). Security Directive Pipeline-2021-01C, issued on May 22, 2023, extended the requirements of the Security Directive Pipeline-2021-01 series for an additional year. Security Directive Pipeline-2021-02D, issued on July 26, 2023, extended the requirements of the Security Directive Pipeline-2021-02 series for an additional year and amended them to strengthen their effectiveness and address emerging cyber threats.”

Recommendation Regarding Emergency Action in Aviation. Federal Register DHS OSPP notice. Summary: “DHS is publishing official notice that the Transportation Security Oversight Board (TSOB) has recommended to the Transportation Security Administration (TSA) that a cybersecurity emergency exists that warrants TSA's determination to expedite the implementation of critical cyber mitigation measures through the exercise of emergency regulatory authority.”

Siemens Publishes Out-of-Zone Advisory – 4-19-24

Today, ten days after the publication of their monthly tranche of security advisories and updates, Siemens published a control system security advisory that discusses a command injection vulnerability in their RUGGEDCOM APE1808 devices configured with Palo Alto Networks Virtual NGFW. This is a third-party (Palo Alto Networks) vulnerability that is listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog.

Siemens recommends that users disable the GlobalProtect gateway and GlobalProtect portal. They report that these features are disabled by default in RUGGEDCOM APE1808 deployments. They also recommend that users follow the recommendations in the Palo Alto Networks advisory. There is no mention that the owners of affected Palo Alto Networks products have seen this vulnerability widely exploited.

OMB Approves DOE’s Foreign Entity Final Rule

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rule for the DOE on “U.S. Department of Energy Interpretation of Foreign Entity of Concern”. The rule was submitted to OIRA on March 21st, 2024. This rulemaking was not listed in the Fall 2023 Unified Agenda.

This rulemaking will probably be published next week.

OMB Approves EPA’s Methylene Chloride Final Rule

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rule for the EPA on “Methylene Chloride (MC); Regulation Under the Toxic Substances Control Act (TSCA)”. The final rule was submitted to OIRA on January 24th, 2024. The notice of proposed rulemaking was published on May 3rd, 2023.

According to the Fall 2023 Unified Agenda entry for this rulemaking:

“On May 5, 2023, EPA proposed a rule under the Toxic Substances Control Act (TSCA) to address the unreasonable risk of injury to human health from methylene chloride. TSCA requires that EPA address by rule any unreasonable risk of injury to health or the environment identified in a TSCA risk evaluation and apply requirements to the extent necessary so that the chemical no longer presents unreasonable risk. Methylene chloride, also known as dichloromethane, is acutely lethal, a neurotoxicant, a likely human carcinogen, and presents cancer and non-cancer risks following chronic exposures as well as acute risks. Central nervous system depressant effects can result in loss of consciousness and respiratory depression, resulting in irreversible coma, hypoxia, and eventual death, including 85 documented fatalities from 1980 to 2018, a majority of which were occupational fatalities. Nevertheless, methylene chloride is still a widely used solvent in a variety of consumer and commercial applications including adhesives and sealants, automotive products, and paint and coating removers. To address the identified unreasonable risk, EPA proposed to: prohibit the manufacture, processing, and distribution in commerce of methylene chloride for consumer use; prohibit most industrial and commercial uses of methylene chloride; require a workplace chemical protection program (WCPP), which would include a requirement to meet inhalation exposure concentration limits and exposure monitoring for certain continued conditions of use of methylene chloride; require recordkeeping and downstream notification requirements for several conditions of use of methylene chloride; and provide certain time-limited exemptions from requirements for uses of methylene chloride that would otherwise significantly disrupt national security and critical infrastructure.
The Agency’s development of this rule incorporated significant stakeholder outreach and public participation, including public webinars and over 40 external meetings as well as required Federalism, Tribal, and Environmental Justice consultations and a Small Businesses Advocacy Review Panel. EPA's risk evaluation, describing the conditions of use is in docket EPA-HQ-OPPT-2019-0437, with the 2022 unreasonable risk determination and additional materials in docket EPA-HQ-OPPT-2016-0742.”

The EPA maintains a methylene chloride risk management web site.

We could see the final rule published in the Federal Register in the next couple of weeks. I do not expect to cover the final rule in any depth, but I will announce its publication on the appropriate ‘Short Takes’ post.

