Tuesday, April 16, 2024

Review - CIRCIA NPRM – Cyber Incident Definitions

Earlier this month, CISA published the official version of their Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) (Division Y, PL 117-103) notice of proposed rulemaking (NPRM). This is part of a continuing series of posts looking at the proposed rulemaking. In this post I will be looking at how CISA is proposing to deal with the problem of implementing the CIRCIA-mandated definitions relating to cyber incidents as they apply to these reporting requirements.

Previous posts in this series include:

CISA Publishes CIRCIA Support NPRM (non-subscription version), and

CIRCIA NPRM – Covered Entity (non-subscription version)

Statutory Definitions

CIRCIA provides legal definitions (6 USC 681) for the following cyber incident related terms:

• Cyber incident, 

• Significant cyber incident, and

• Ransom payment

NPRM Definitions

The NPRM includes in the new Part 226, a section (§226.1) dealing with definitions used in the proposed regulation. Terms of importance leading to the definition of the term ‘covered incident’ include:

Information system,

Cyber incident, and

Substantial cyber incident

This leads to the rather simple definition of the term ‘covered cyber incident’ as any substantial cyber incident experienced by a covered entity.

 

For a more detailed look at these definitions, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/circia-nprm-8dd - subscription required.

Monday, April 15, 2024

Short Takes – 4-15-24

Thermoset plastic made from wood waste catalyzes its own degradation. CEN.ACS.org article. Pull quote: “Plenty of researchers have tried making degradable thermoset plastics by incorporating functional groups whose bonds can be severed by a catalyst or other external trigger. Barta and coworkers designed their new biobased epoxy-amine polymer similarly, with easily cleaved ester groups in the polymer backbone. But the polymer turned out not to need an external catalyst to break it down. “The fact that it catalyzes its own degradation was definitely serendipity,” Barta says. “We didn’t hope for such a wonderful effect.””

Ukrainian Hackers Hijacked 87,000 Sensors to Shut down Sewage System. A tad bit of click-bait in the headline. CybersecurityNews.com article. Pull quote: “The malware has begun to flood communication protocols such as RS485/MBus, sending random commands [emphasis added] to the compromised control and sensory systems.” ‘Random commands’ rather than commands based on knowledge of the target system: not as effective, but easier to pull off.

Open Meeting of the Internet of Things Advisory Board. Federal Register NIST meeting notice. Pull quote: “The agenda for the May 14-15, 2024 meeting is expected to focus on finalizing the IoT Advisory Board's report for the IoT Federal Working Group and the recommendations and findings in that report.”

The Space Force Is About to Play Space Wars in Earth Orbit. Gizmodo.com article. Pull quote: “Rocket Lab will build and launch its own spacecraft using the company’s Electron rocket, while True Anomaly will build a rendezvous and proximity operation-capable spacecraft, as well as provide a command and control center. The mission is scheduled for launch in 2025, and each company will be given its own launch and mission profiles at the time.”

Rocket Lab Wins Space Force Contract -- at Twice the Usual Price. Fool.com article. Unusual look at Space Force contract. Pull quote: “For the record, when SpaceX began reusing rockets in 2017, the company calculated the cost savings at approximately 40% -- 40 full percentage points of additional gross margin on its launches. Assuming Rocket Lab succeeds in this endeavor, it could be enough to turn Rocket Lab's launch business profitable when combined with more lucrative U.S. government launch contracts.”

A Glimpse Into the CISA KEV. Jericho.blog blog post. Pull quote: “Before this talk, I certainly had some criticism of the KEV, but this talk really opened my eyes to some of the details on how they operate and why the KEV seemingly fell short. I think after the talk and thinking on it more, the big thing that stands out to me is the KEV is one thing while the industry thinks it is another thing. This talk bridged that gap for me. Now, my criticism is leveled more at organizations and vendors that have evidence of exploitation and don’t share it with CISA, so that the KEV can be updated more rapidly, and be more thorough.”

Cybersecurity and FISA §702 Reauthorization

Last Friday, during the consideration of HR 7888, the Reforming Intelligence and Securing America Act, the House took up Amendment #1 offered under H Rept 118-456 (pg 5). That amendment would have provided for a warrant requirement for reviewing/using information on US persons obtained under §702 of the Foreign Intelligence Surveillance Act. One of the provisions of that amendment was an exemption from the added warrant requirement for cybersecurity purposes. Amendment #1 was defeated by a vote of 212 to 212 (tie votes in the House do not pass) with significant vote splits in both parties.

The amendment would revise the proposed language for §702(f)(2) {original language at 50 USC 1881a(f)(2)} found in §3(a) (pgs 14-15) of the version of HR 7888 being considered. The Amendment #1 language included a subparagraph (B) that provided for exceptions to the need for a warrant. Clause (IV) of that subparagraph provides for an exemption if “the query uses a known cybersecurity threat signature as a query term”. The exemption would also require that:

• The query is conducted, and the results of the query are used, for the sole purpose of identifying targeted recipients of malicious software and preventing or mitigating harm from such malicious software,

• No additional contents of communications acquired as a result of the query are accessed or reviewed, and

• Each such query is reported to the Foreign Intelligence Surveillance Court.

Obviously, the House was evenly divided about the need to add a warrant requirement to the FISA §702 reauthorization, so there continue to be significant concerns about how the §702 data is being used in practice. It seems to me that the proposed cybersecurity exemption to the warrant requirement was an honest attempt to mitigate some legitimate anti-warrant concerns. Because this was buried in a nine-page amendment, I am not sure that the exception was specifically considered by any member voting on the amendment. Perhaps with more time to consider and debate such provisions, this could have swayed one or more votes to accept the general warrant requirement.

Sunday, April 14, 2024

Review – Public ICS Disclosures – Week of 4-6-24 – Part 2

For part two we have three additional vendor disclosures from B&R, Schneider and Welotec. We also have 13 vendor updates from HP (2) and Siemens (11). Finally, there are four researcher reports for vulnerabilities in products from TP-Link.

Advisories

B&R Advisory - B&R published an advisory that discusses four vulnerabilities (one with known exploit) in their APC4100, APC910, and PPC900 products.

Schneider Advisory - Schneider published an advisory that discusses an improper privilege management vulnerability in their Easergy Studio product.

Welotec Advisory - CERT-VDE published an advisory that describes two vulnerabilities in the Welotec TK500v1 router series.

Updates

HP Update #1 - HP published an update for their PC BIOS advisory that was originally published on March 12th, 2024.

HP Update #2 - HP published an update for their March 2024 BIOS security advisory that was originally published on March 13th, 2024.

Siemens Update #1 - Siemens published an update for their FortiGate NGFW advisory that was originally published on March 12th, 2024.

Siemens Update #2 - Siemens published an update for their SIMATIC S7-1500 BIOS advisory that was originally published on June 16th, 2023 and most recently updated on December 12th, 2023.

Siemens Update #3 - Siemens published an update for their GNU/Linux subsystem advisory that was originally published on June 13th, 2023 and most recently updated on February 13th, 2024.

Siemens Update #4 - Siemens published an update for their SIMATIC WinCC advisory that was originally published on February 13th, 2024.

Siemens Update #5 - Siemens published an update for their Scalance W1750D advisory that was originally published on February 13th, 2024.

Siemens Update #6 - Siemens published an update for their OpenSSL advisory that was originally published on June 14th, 2022 and most recently updated on January 9th, 2024.

Siemens Update #7 - Siemens published an update for their OPC UA Implementation advisory that was originally published on September 12th, 2023 and most recently updated on February 13th, 2024.

Siemens Update #8 – Siemens published an update for their OPC Foundation advisory that was originally published on April 11th, 2023 and most recently updated on November 14th, 2023.

Siemens Update #9 - Siemens published an update for their SCALANCE W700 advisory that was originally published on November 14th, 2023.

Siemens Update #10 - Siemens published an update for their SIMATIC S7-1500 advisory that was originally published on December 12th, 2023 and most recently updated on March 12th, 2024.

Siemens Update #11 - Siemens published an update for their OpenSSL Vulnerabilities advisory that was originally published on March 14th, 2023 and most recently updated on October 10th, 2023.

Researcher Reports

TP-Link Reports - Talos published four reports describing twelve vulnerabilities in the TP-Link AC1350 Wireless MU-MIMO Gigabit Access Point.

 

For more information on these disclosures, including links to third-party advisories and summaries of changes made in updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-4-fd8 - subscription required.

Saturday, April 13, 2024

State Actions on CFATS – 4-11-24

I do not normally cover State-level legislative efforts, as each State legislature has its own peculiar ways of dealing with legislation, but today I was pointed at an article on NebraskaExaminer.com that includes a discussion about an unusual legislative effort to deal with the fallout from Senate inaction on HR 4470, the CFATS reauthorization bill. Back in January, Nebraska State Legislator Bostar introduced LB1048. The bill would require a CFATS covered facility to participate in CISA’s ChemLock program until such time as the CFATS program is reauthorized.

The ChemLock program is a voluntary program that CISA developed to provide chemical security assistance to chemical facilities that were not covered by the CFATS program. While there are a number of important features to that program, it is by no means a substitute for CISA’s oversight of the CFATS program. Still, I can understand Bostar’s concern about the Senate’s inaction on the CFATS reauthorization.

OMB Approves EPA PFOA/PFOS CERCLA Final Rule

Yesterday, OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rule from the Environmental Protection Agency on “Designating PFOA and PFOS as CERCLA Hazardous Substances”. The notice of proposed rulemaking for this action was published on September 6th, 2022.

According to the Fall 2023 Unified Agenda entry for this rulemaking:

“Under the Comprehensive Environmental Response, Compensation, and Liability Act of 1980, as amended (“CERCLA” or “Superfund”), the Environmental Protection Agency (EPA or the Agency) is moving to finalize the designation of perfluorooctanoic acid (PFOA) and perfluoro octane sulfonic acid (PFOS), including their salts and structural isomers, as hazardous substances. CERCLA authorizes the Administrator to promulgate regulations designating as hazardous substances such elements, compounds, mixtures, solutions, and substances which, when released into the environment, may present substantial danger to the public health or welfare or the environment. Such a designation would ultimately facilitate cleanup of contaminated sites and reduce human exposure to these “forever” chemicals.”

We could see this final rule published in the Federal Register in the next week or two. I do not expect that I will cover this rulemaking beyond announcing it in the appropriate Short Takes post when it is published.

Chemical Incident Reporting – Week of 4-6-24

NOTE: See here for series background.

San Mateo, CA – 4-4-24

Local News Reports: Here, here, and here.

Pool supply pickup truck overturned, spilling 24 gallons of chlorine bleach. No injuries.

Not CSB reportable; a transportation incident, not a fixed site issue. 

Review - Public ICS Disclosures – Week of 4-6-24 – Part 1

This week for Part 1 we have 20 vendor disclosures from B&R, Broadcom, FortiGuard (3), HP, HPE (3), Insyde, Palo Alto Networks (8), Pepperl+Fuchs, Philips, and Rockwell.

Advisories

B&R Advisory - B&R published an advisory that discusses five vulnerabilities (one with known exploit) in their APROL product.

Broadcom Advisory - Broadcom published an advisory that discusses the XZ Utils Data vulnerability.

FortiGuard Advisory #1 - FortiGuard published an advisory that describes an exposure of sensitive information to an unauthorized actor vulnerability in their FortiOS product.

FortiGuard Advisory #2 - FortiGuard published an advisory that describes a use of externally controlled format string vulnerability in their FortiOS product.

FortiGuard Advisory #3 - FortiGuard published an advisory that describes an insufficiently protected credentials vulnerability in their FortiOS and FortiProxy products.

HP Advisory - HP published an advisory that discusses 84 vulnerabilities in their ThinPro products. These are third-party vulnerabilities.

HPE Advisory #1 - HPE published an advisory that describes a cross-site request forgery in their OfficeConnect switches.

HPE Advisory #2 - HPE published an advisory that describes an authentication bypass vulnerability in their FlexFabric and FlexNetwork switches.

HPE Advisory #3 - HPE published an advisory that discusses eleven vulnerabilities {one listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog} in their Unified Correlation Analyzer.

Insyde Advisory - Insyde published an advisory that describes an out-of-bounds write vulnerability in their PnpSmm application.

Palo Alto Networks Advisory #1 - Palo Alto Networks published an advisory that discusses eleven vulnerabilities (one with known exploit) in their PAN-OS product.

Palo Alto Networks Advisory #2 - Palo Alto Networks published an advisory that describes an incorrect authorization vulnerability in their GlobalProtect SSL VPN.

Palo Alto Networks Advisory #3 - Palo Alto Networks published an advisory that describes an inadequate encryption strength vulnerability in their PAN-OS product.

Palo Alto Networks Advisory #4 - Palo Alto Networks published an advisory that describes an interpretation conflict vulnerability in their PAN-OS product.

Palo Alto Networks Advisory #5 - Palo Alto Networks published an advisory that describes an interpretation conflict vulnerability in their PAN-OS product.

Palo Alto Networks Advisory #6 - Palo Alto Networks published an advisory that describes an allocation of resources without limit or throttling vulnerability in their PAN-OS product.

Palo Alto Networks Advisory #7 - Palo Alto Networks published an advisory that describes a NULL pointer dereference vulnerability in their PAN-OS product.

Palo Alto Networks Advisory #8 - Palo Alto Networks published an advisory that describes an improper ownership management vulnerability in their PAN-OS product.

Pepperl+Fuchs Advisory - CERT-VDE published an advisory that discusses eight vulnerabilities (including three with known exploits) in the Pepperl+Fuchs ICES2 and ICES3 products.

Philips Advisory - Philips published an advisory that discusses the Terrapin Attack vulnerability.

Rockwell Advisory - Rockwell published an advisory that describes an invalid header value vulnerability in their ControlLogix and GuardLogix products.

 

For more information on these disclosures, including links to third-party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-4-3bc - subscription required.

Transportation Chemical Incidents – Week of 3-9-24

Reporting Background

See this post for explanation, with an update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

Incidents Summary (links are to accident report)

• Number of incidents – 484 (455 highway, 28 air, 1 rail)

• Serious incidents – 3 (3 Bulk release, 0 injuries, 0 deaths, 1 major artery closed)

• Largest container involved – 7,500-gal (Diesel Fuel), car accident damaged loading lines stored on trailer. 25-gal spilled.

• Largest amount spilled – 400-lbs (Calcium Hypochlorite, Hydrated or Calcium Hypochlorite, Hydrated Mixtures, With Not Less Than 5.5% But Not More Than 16% Water) plastic container damaged in material handling.

NOTE: There was an incident involving a DOT 105J400W railcar (Petroleum Gases, Liquefied or Liquefied Petroleum Gas), but the database contains no size entry for that incident, so it does not make the list as the 'largest container'. 

Most Interesting Chemical: Furfuryl Alcohol – Used as a monomer in the manufacture of furan resins, will polymerize rapidly and at times with explosive force in the presence of strong mineral acids. A clear colorless liquid. Flash point 167°F. Boiling point 171°F. Denser than water. Contact may irritate skin, eyes and mucous membranes. May be toxic by ingestion and skin contact and moderately toxic by inhalation.



Friday, April 12, 2024

Short Takes – 4-12-24

Japanese astronaut to be first non-American to set foot on moon. Phys.org article. Pull quote: “"Two Japanese astronauts will join future American missions, and one will become the first non-American ever to land on the moon," Biden said in a press conference with Kishida.”

More states are finding bird flu in cattle. This is what scientists are watching for. NPR.org article. Pull quote: “There are still big questions about exactly how bird flu plays out in cattle, since it's only now being followed closely. "There certainly are many mutations that occurred with this jump from wild birds into cattle and we don't necessarily understand what they mean," says Hill.”

SpaceX all set for a record-breaking rocket launch on Friday. DigitalTrends.com article. Pull quote: “Those tuning in will witness the Falcon 9 rocket climb into the sky for a record 20th time, along with stage separation and the deployment of SpaceX’s internet satellites. The webcast will also show the first-stage booster landing upright on the A Shortfall of Gravitas droneship in the Atlantic Ocean about eight minutes after launch, a feat that will pave the way for the rocket’s 21st flight.” NOTE: This did happen today.

The Islamic State in Khorasan Province: Exploiting a Counterterrorism Gap. CSIS.org article. Pull quote: “ISKP is a wholly rejectionist group, meaning that it opposes all the governments in the region as well as the major powers allied with them. This stance is an anomaly in South Asia where most militant groups benefit from at least one government backer. Instigating so many enemies at the same time should be a losing strategy; it certainly was for the Islamic State core in Iraq and Syria. But there has not been such cooperation against ISKP. Instead, it has exploited three counterterrorism gaps to plot and conduct attacks in Afghanistan, the broader region, and beyond.”

Scientists discover first algae that can fix nitrogen — thanks to a tiny cell structure. Nature.com article. Pull quote: “Understanding how the nitroplast interacts with its host cell could support efforts to engineer crops that can fix their own nitrogen, says Zehr. This would reduce the need for nitrogen-based fertilizers and avoid some of the environmental damage they cause. “The tricks that are involved in making this system work could be used in engineering land plants,” he says.”

CISA Adds PanOS KEV – 4-12-24

Today, CISA published a notice that it had added a command injection vulnerability (CVE-2024-3400) in the Palo Alto Networks PAN-OS product used in Palo Alto Networks (PAN) firewall devices to their Known Exploited Vulnerabilities (KEV) Catalog. The vulnerability was discovered by Volexity on April 10th while it was being actively exploited in multiple organizations. Volexity reported the vulnerability to Palo Alto Networks on April 11th, and PAN published their advisory today. Palo Alto Networks Unit42 has a detailed description of exploits of this vulnerability with indicators of compromise, and a discussion about tools that can be used to limit lateral movement post-exploitation.

Review - HR 7630 Introduced – ANCHOR Act

Last month, Rep Garcia (R,CA) introduced HR 7630, the Accelerating Networking, Cyberinfrastructure, and Hardware for Oceanic Research (ANCHOR) Act. The bill would require the National Science Foundation (NSF) to submit a plan to improve the cybersecurity and telecommunications of the Academic Research Fleet. No new funding is authorized by the legislation.

Moving Forward

Both Garcia and his sole cosponsor {Rep Stevens (D,MI)} are members of the House Science, Space, and Technology Committee to which this bill was assigned for consideration. This means that there may be sufficient influence to see the bill considered in Committee. I see nothing in this bill, especially since it contains no new funding or regulatory requirements, that would engender any organized opposition to the legislation. I suspect that there would be bipartisan support for the bill. That support should be large enough to allow consideration of the bill under the suspension of the rules process.

 

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-7630-introduced - subscription required.

Thursday, April 11, 2024

Short Takes – 4-11-24

Holes in the ‘holey graphyne’ story. ChemistryWorld.com commentary. Pull quote: “This metric-driven enterprise generates a torrent of problematic papers, which leave an indelible mark on the global body of knowledge and create serious consequences for science and society. Peer-reviewed studies, regarded as credible and authoritative, inform clinical treatments, policy decisions and funding allocation. Despite the common belief that science self-corrects, most flawed papers evade retraction, as even senior academics often hesitate to criticise their potential reviewers. For the same reason, open discussions of questionable research practices are a very recent development.”

5.25-inch floppy disks expected to help run San Francisco trains until 2030. ArsTechnica.com article. Pull quote: “However, budget challenges put the project's timeline into question. The SFMTA's train upgrade project isn't just a migration off of floppy disks but also a "complete overhaul of the current train control system and all its components, including the onboard computers, central and local servers, and communications infrastructure," Roccaforte said.” The ultimate ‘legacy’ control system….

‘We are out of time’: Air Force secretary warns China’s military catching up as US bungles budgets. Stripes.com article. Pull quote: “Several of the subcommittee’s senators said Tuesday that they shared Kendall’s frustrations with the slow budget approval processes in recent years. The Pentagon has operated about five of the last 15 years under continuing resolutions — the stopgap funding procedures that force the Pentagon to operate at the previous year’s spending levels and halt work on new weapons programs and construction. The Defense Department operated roughly the first six months of fiscal 2024 under continuing resolutions.”

Through astronaut eyes, virtual reality propels gateway forward. Phys.org article. Pull quote: “During VR testing, astronauts engage in a variety of tasks that they expect to encounter in their day-to-day life on Gateway during real Artemis missions, including performing science experiments, retrieving supplies, and preparing warm meals. By combining VR models with real-world astronaut experience, NASA designers can make tweaks to Gateway's interior design for a safer and comfier space station.”

CISA Adds 2 NAS Vulnerabilities to KEV Catalog

Today, CISA added two new vulnerabilities to their Known Exploited Vulnerabilities Catalog, both for multiple NAS devices from D-Link. The two vulnerabilities are:

• Use of hard-coded credentials - CVE-2024-3272, and

• Command injection - CVE-2024-3273

NOTE: Both of the links above apply to both vulnerabilities.

While not included in the KEV addition notice, the CVE record for -3273 includes the following in its KEV notice for the CVE:

“This vulnerability affects legacy D-Link products. All associated hardware revisions have reached their end-of-life (EOL) or end-of-service (EOS) life cycle and should be retired and replaced per vendor instructions.”

On an odd note (and a brief commentary on the continuing NVD.NIST.gov problems) only the -3273 CVE entry notes that the CVE has been listed in the KEV Catalog. The -3272 entry currently (2113 EDT, 4-11-24) does not mention that the CVE has been so listed.

Review – 9 Advisories Published – 4-11-24

Today, CISA’s NCCIC-ICS published nine control system security advisories for products from Rockwell Automation and Siemens (8).

Advisories

Rockwell Advisory - This advisory describes an improper input validation vulnerability in the Rockwell 5015-AENFTXT EtherNet/IP adapter.

Telecontrol Advisory - This advisory discusses 47 vulnerabilities in the Siemens Telecontrol Server Basic.

SINEC Advisory - This advisory discusses two vulnerabilities in the Siemens SINEC NMS product.

Parasolid Advisory - This advisory describes three vulnerabilities in the Siemens Parasolid product.

SCALANCE Advisory - This advisory discusses three classic buffer overflow vulnerabilities in the Siemens SCALANCE W1750D direct access point.

RUGGEDCOM Advisory #1 - This advisory discusses five vulnerabilities (two with known exploits) in the Siemens RUGGEDCOM APE1808 application hosting platform.

RUGGEDCOM Advisory #2 - This advisory discusses six vulnerabilities (one listed in CISA’s KEV catalog) in the Siemens RUGGEDCOM APE1808 application hosting platform.

SIMATIC Advisory #1 - This advisory describes a classic buffer overflow vulnerability in the Siemens SIMATIC PCS 7 and SIMATIC WinCC.

SIMATIC Advisory #2 - This advisory discusses eight vulnerabilities in the Siemens SIMATIC S7-1500.

 

For more information on these advisories, including links to third-party advisories and exploits, as well as a down-the-rabbit-hole look at duplicate CVEs in one of the advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/9-advisories-published-4-11-24 - subscription required.

Review - CSB Updates Status for 7 Recommendations – 4-9-24

Yesterday, the Chemical Safety Board updated their Recent Recommendation Status Updates page to reflect changes to seven recommendations for actions that were taken on April 9th, 2024. Two of the recommendations were changes to the ‘Open’ status of the recommendations; the other five recommendations were closed.

The recommendations were from the following CSB investigations:

Optima Belle LLC Explosion and Fire,

Pryor Trust Fatal Gas Well Blowout and Fire, and

Motiva Enterprises Sulfuric Acid Tank Explosion

For more information on the actions taken that drove the CSB status changes, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-updates-status-for-7-recommendations - subscription required.

Bills Introduced – 4-10-24

Yesterday, with both the House and the Senate in session, there were 48 bills introduced. One of those bills may receive additional coverage in this blog:

HR 7922 To establish a Water Risk and Resilience Organization to develop risk and resilience requirements for the water sector. Crawford, Eric A. "Rick" [Rep.-R-AR-1]

I will be watching this bill for language and definitions that specifically include cybersecurity risk in the scope of the coverage of the bill.

Wednesday, April 10, 2024

Short Takes – 4-10-24

First entirely roll-to-roll system points way to cheap printed perovskite solar cells. ChemistryWorld.com article. Pull quote: “‘The roll-to-roll printed perovskite cells exhibit efficiencies of up to 15.5% for small-area [devices] and 11% for large-area modules,’ says Bruno. Both figures improve the previous efficiency record for roll-to-roll perovskites of 10.8%. With these parameters, the predicted cost could come in at 70 cents (55p) per watt. ‘While [still] more expensive than silicon, the roll-to-roll breakthrough signifies a significant step toward cost reduction,’ she adds. Moreover, easier production processes could cut carbon dioxide emissions, especially as the roll-to-roll printing works at room temperature.”

Federal Acquisition Regulation: FAR Part 40, Information Security and Supply Chain Security; Request for Information. Federal Register FAR request for information. Summary: “DoD, GSA, and NASA recently established Federal Acquisition Regulation (FAR) part 40, Information Security and Supply Chain Security. The intent of this RFI is to solicit feedback from the general public on the scope and organization of FAR part 40.” Comment deadline: June 10th, 2024.

SpaceX to Light Up Starlink on Upcoming Private Space Station. PCMag.com article. Pull quote: “US aerospace company Vast announced today that it will bring Starlink to Haven-1, a low-Earth orbiting private space station slated to launch in 2025.”

After a fiery finale, the Delta rocket family now belongs to history. ArsTechnica.com article. Pull quote: “The Delta IV Heavy, one of the world's most powerful rockets, launched for the 16th and final time Tuesday. It was the 45th and last flight of a Delta IV launcher and the final rocket named Delta to ever launch, ending a string of 389 missions dating back to 1960.”

Review - PHMSA Publishes HMR Harmonization Final Rule (HM-215Q)

Today, the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) published a final rule in the Federal Register (89 FR 25434-25490) on “Hazardous Materials: Harmonization With International Standards”. The notice of proposed rulemaking (NPRM) on this action was published on May 30th, 2023. Changes were made from the proposed language in the NPRM based upon public comments.

Significant changes from the NPRM include:

Phase-out dates for ISO Standards,

Gas mixtures containing fluorine, and

IBCs manufactured from recycled plastics

HMR Revisions

This final rule makes significant changes in the Hazardous Materials Regulations (HMR) in the following areas:

Incorporation by reference,

Hazardous Materials Table,

Polymerizing substances,

Cobalt dihydroxide powder, and

Lithium battery exceptions.

Effective Dates

The effective date for this final rule is May 10th, 2024. PHMSA is allowing voluntary compliance as of January 1st, 2023 and a delayed compliance date of April 10th, 2025.

 

For more details about the changes made by this final rule, including changes to incorporation by reference and the Hazardous Materials Table, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/phmsa-publishes-hmr-harmonization - subscription required.

 

Tuesday, April 9, 2024

Short Takes – 4-9-24

There I Was: How to Tell a Good War Story. ClearanceJobs.com article. Pull quote: “We’re a storytelling people. It’s central to our existence, an essential and fundamental part of being human. Storytelling is a part of life: we tell our stories over coffee with a friend, during family gatherings during the holidays, and even in professional settings with our colleagues. They allow us to share information in a memorable way that imparts knowledge in a manner that bonds us across generations. Our stories help us to understand one another, to forge deeper relationships, and to share our experiences with others in a way that spurs sympathetic learning.”

Clarifying Cybersecurity Guidelines for Drones: the DETECT Act. DroneLife.com article. Pull quote: “If passed and designed to supersede previous orders, the legislation could make it easier for drone manufacturers not focused on defense and not included in the Blue sUAS list, even if they meet NDAA compliance standards, to receive government contracts. Currently, government agencies must go through a waiver process to purchase even US manufactured drones not on the Blue sUAS list.” See my post on S 3758.

Max Space announces plans for inflatable space station modules. SpaceNews.com article. Pull quote: “Max Space is pursuing a technology called an ultra-high-performance vessel created by de Jong that distributes loads in one direction, a design that he credited to a “totally accidental discovery” while working on other concepts. That reduces the uncertainty in safety margins, which has been demonstrated in tests where modules burst at pressures within 10% of predicted levels. “The predictability is great and the scalability is great,” he said.”

Cybersecurity in the Marine Transportation System. Federal Register CG comment extension notice. Summary: “The Coast Guard has received multiple requests to extend the comment period. The requesters cited the potentially significant impact of this rulemaking on the operations of affected owners and operators, and the need for additional time to adequately comment as reasons for the requested extension. In response to these requests, we have decided to extend the public comment period by 30 days. The comment period is now open through May 22, 2024.”

Train Crew Size Safety Requirements. Federal Register FRA Final Rule. Summary: “FRA is establishing minimum safety requirements for the size of train crews depending on the type of operation. This final rule requires railroad operations to have a minimum of two crewmembers except for certain identified one-person train crew operations that do not pose significant safety risks to railroad employees, the public, or the environment. This final rule includes requirements for railroads seeking to continue certain existing one-person train crew operations and a special approval process for railroads seeking to initiate certain new one-person train crew operations. This final rule also requires each railroad receiving special approval for a one-person train crew operation to submit to FRA an annual report summarizing the safety of the operation.” Effective Date: June 10, 2024.

Review – 1 Advisory Published – 4-9-24

Today, CISA’s NCCIC-ICS published a control system security advisory for products from SUBNET.

Advisories

SUBNET Advisory - This advisory describes a reliance on insufficiently trustworthy component vulnerability in the Subnet PowerSYSTEM Server and Substation Server 2021.


For more details about this advisory, including a look at the utility of reporting CWEs in advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-published-4-9-24 - subscription required.

Committee Hearings – Week of 4-7-24

With the House and Senate returning from a two-week break, there is a moderately light hearing schedule. Budget hearings continue as the FY 2025 spending cycle gets under way. There is a water system cybersecurity hearing this week in the Senate.

Budget Hearings

Budget Hearings        House                      Senate
DHS                    Approp Subcommittee        Approp Subcommittee
Cyber Command          Armed Ser Subcommittee     Armed Services
DHS – Member           Approp Subcommittee
Armed Services                                    Armed Services

Cybersecurity Hearing

On Wednesday the Water and Power Subcommittee of the Senate Energy and Natural Resources Committee will hold a hearing on “Examine the Federal and Non-Federal Role of Assessing Cyber Threats to and Vulnerabilities of Critical Water Infrastructure in our Energy Sector”. The witness list includes:

• Terry Turpin, FERC,

• Virginia Wright, INL,

• Scott Aaronson, EEI

While they are an impressive array of cybersecurity experts, it seems to me that they may have less cogent input on cybersecurity for water systems, as their expertise is focused on the national grid. Wright's leadership of INL's cyber-informed engineering work may be the most important input.

OMB Approves OSHA HAZCOM Update Final Rule

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rule from DOL’s Occupational Safety and Health Administration (OSHA) on “Update to the Hazard Communication Standard”. The rule was submitted to the OIRA on October 11th, 2023.

According to the Fall 2023 Unified Agenda entry for this rulemaking:

“OSHA and other U.S. agencies have been involved in a long-term project to negotiate a globally harmonized approach to classifying chemical hazards, and providing labels and safety data sheets for hazardous chemicals. The result is the Globally Harmonized System of Classification and Labeling of Chemicals (GHS). The GHS was adopted by the United Nations, with an international goal of as many countries as possible adopting it by 2008. OSHA incorporated the GHS into the Hazard Communication Standard (HCS) in March 2012 to specify requirements for hazard classification and to standardize label components and information on safety data sheets, which will improve employee protection and facilitate international trade. However, the GHS is a living document and has been updated several times since OSHA’s rulemaking. While OSHA's HCS 2012 was based on the third edition of the GHS, OSHA’s current rulemaking is to harmonize the HCS to the seventh edition of the GHS, improve harmonization with international trading partners such as Canada, and to codify a number of enforcement policies that have been issued since the 2012 standard.”

We could see this final rule published in the Federal Register in the next week or two.

Commentary

Having worked on the change-over from MSDS to SDS that was a major portion of the 2012 final rule in two different relatively small chemical companies, I know how much of a pain a HAZCOM update can be. Every chemical manufacturer or importer is going to have to review/update the SDS for each chemical in its repertoire to meet the new requirements. If ever there was an area that needed a well-designed artificial intelligence, this is it.

Monday, April 8, 2024

Short Takes – 4-8-24

NASA engineers discover why Voyager 1 is sending a stream of gibberish from outside our solar system. LiveScience.com article. Pull quote: “"The team suspects that a single chip responsible for storing part of the affected portion of the FDS memory isn't working," NASA said in a blog post Wednesday (March 13). "Engineers can't determine with certainty what caused the issue. Two possibilities are that the chip could have been hit by an energetic particle from space or that it simply may have worn out after 46 years."”

Look at what NASA’s Lunar Reconnaissance Orbiter just caught speeding in orbit around the Moon. TheDebrief.com article. Pull quote: “Due to their opposite directional paths and the speed at which each lunar orbiter is traveling in their respective orbits (estimated to be close to 7,200 miles per hour), Danuri appeared elongated, making it look close to ten times its actual size, even despite the short exposure time of just 0.338 milliseconds used by the LRO’s narrow-angle camera.”

Top 10 Universal Practices for Critical Infrastructure Security. ICubedSolutions.com blog post. Pull quote: “The top 10 list is in no particular order because applying all 10 is very crucial to the security and resilience of our critical infrastructures, especially our interdependent industrial infrastructures such as water, oil, gas, electric, transportation (e.g. pipelines, rail, aviation, maritime) and telecommunications.”

NSA releases a repository of signatures and analytics to secure Operational Technology. NSA.gov press release. Pull quote: “Cyber actors have demonstrated their continued willingness to conduct malicious cyber activity against critical infrastructure by exploiting Internet-accessible and vulnerable Operational Technology (OT) assets. To counter this threat, NSA has released a repository for OT Intrusion Detection Signatures and Analytics to the NSA Cyber GitHub. The capability, known as ELITEWOLF, can enable defenders of critical infrastructure, defense industrial base, and national security systems to identify and detect potentially malicious cyber activity in their OT environments.”

Ukraine strikes at Russian oil as battlefield desperation mounts. TheHill.com article. Pull quote: “But experts say the oil refinery attacks would need to ramp up to change the calculus on the battlefield, where Russia has seized the upper hand in recent months, thanks in part to Republicans in U.S. Congress refusing to pass new aid for Ukraine.”

How to fix the military’s software SNAFU. GovExec.com article. Pull quote: “The second is drowning a military software organization with the toil associated with identifying, triaging, and remediating known vulnerabilities to meet compliance and security requirements. When a colleague and I interviewed software professionals at ten organizations, we discovered that it is common for many modern software organizations to spend thousands of staff hours on vulnerability management each year. One U.S. military unit we talked to was likely spending 15,000 hours of staff time per year on vulnerability management. This is an unacknowledged underbelly of the so-called digital transformation.”

Review - CIRCIA NPRM – Covered Entity

Last week, CISA published the official version of their Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) (Division Y, PL 117-103) notice of proposed rulemaking (NPRM). This is part of a continuing series of posts looking at the proposed rulemaking. In this post I will be looking at how CISA is proposing to deal with the problem of implementing the CIRCIA mandated definition of the term ‘covered entity’ as it applies to these reporting requirements.

Covered Entity Definition

CIRCIA (codified at 6 USC 681-681g) defines the term ‘covered entity’ {§681(5)}: “The term ‘covered entity’ means an entity in a critical infrastructure sector, as defined in Presidential Policy Directive 21 [link added], that satisfies the definition established by the Director in the final rule issued pursuant to section 2242(b) (§681b).” Congress had to rely this heavily on CISA’s judgement to define the term because it has never been able to come up with a usable definition of what constitutes a critical infrastructure entity.

In this NPRM, CISA defined the term ‘covered entity’ (§226.1) this way: “Covered entity means an entity that meets the criteria set forth in § 226.2 of this part.” In turn, §226.2, Applicability, provides a two-part requirement. First, the entity must be larger than the ‘small business size standard’ set forth in 13 CFR part 121. Second, the entity must meet “one or more of the sector-based criteria provided below, regardless of the specific critical infrastructure sector of which the entity considers itself to be part”. Then §226.2 goes on to list those ‘sector-based criteria’:

Owns or operates a covered chemical facility,

Provides wire or radio communications service,

Owns or operates critical manufacturing sector infrastructure,

Provides operationally critical support to the Department of Defense or processes, stores, or transmits covered defense information,

Performs an emergency service or function,

Bulk electric and distribution system entities,

Owns or operates financial services sector infrastructure,

Qualifies as a State, local, Tribal, or territorial government entity,

Qualifies as an education facility,

Involved with information and communications technology to support elections processes,

Provides essential public health-related services,

Information technology entities,

Owns or operates a commercial nuclear power reactor or fuel cycle Facility,

Transportation system entities,

Subject to regulation under the Maritime Transportation Security Act, or

Owns or operates a qualifying community water system or publicly owned treatment works.

Each of the links above takes you to a paragraph under §226.2(b) that provides a brief description of what types of facilities (frequently with reference to a controlling regulatory structure) under that general description would be classified as a ‘covered entity’. There are lengthier discussions in the preamble that provide additional information on how CISA reached each of these definitions. Those discussions, from an enforcement perspective, will be very important for courts deciding whether a facility should be covered by this regulation.


For a more detailed look at how this definition specifically applies to chemical facilities, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/circia-nprm - subscription required.

OMB Approves STB Expedited Relief ICR

Friday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an information collection request (ICR) from the Surface Transportation Board (STB) on “Expedited Relief for Service Emergencies”. The 60-day ICR notice was published [removed from paywall] on May 2nd, 2022. The 30-day ICR notice was published [removed from paywall] as part of the final rule on January 4th, 2024.

Burden Estimate

                      Initial
# of Responses        32
Time Burden (hrs)     2,710
Cost Burden ($)       0

Saturday, April 6, 2024

Chemical Incident Reporting – Week of 3-30-24

NOTE: See here for series background.

Borger, TX – 4-1-24

Local News Reports: Here, here, and here.

Refinery fire. Two employees were airlifted to hospital. No information on damages.

Probable CSB reportable, depending on if employees were admitted to the hospital (most likely after being airlifted).

GAO Reports – Week of 3-3-24 – Gas Pipeline Safety Regulatory Scheme

This week the Government Accountability Office (GAO) published a report on “Gas Pipeline Safety: Better Data and Planning Would Improve Implementation of Regulatory Changes”. The report looks at two recent major changes to the pipeline safety regulations (2019 final rule and 2022 final rule) and PHMSA’s implementation efforts. Based upon their review of the problems that PHMSA and the gas pipeline industry had with the implementation of the 2019 rule, GAO is making the following recommendations for the 2022 rule implementation and for planned future rules.

• The Administrator of PHMSA should, as PHMSA considers possible changes to the potential impact radius calculation, evaluate what additional data are needed from operators to better understand the actual impact of pipeline incidents. (Recommendation 1)

• The Administrator of PHMSA should develop an implementation plan for the remaining activities for the 2022 final rule that includes clear objectives, timelines, and an outreach strategy. (Recommendation 2)

• The Administrator of PHMSA should update the 2019 and 2022 Gas Transmission Final Rule Implementation web pages to increase accessibility to rule implementation information. (Recommendation 3)

Transportation Chemical Incidents – Week of 3-2-24

Reporting Background

See this post for explanation, with an update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

Incidents Summary (links are to accident report)

• Number of incidents – 535 (500 highway, 20 air, 15 rail)

• Serious incidents – 5 (5 Bulk release, 0 injuries, 0 deaths, 1 major artery closed)

• Largest container involved – 29,925-gal DOT 111A100W1 railcar (Gasoline Includes Gasoline Mixed With Ethyl Alcohol, With Not More Than 10% Alcohol). Car was found leaking from the top. Liquid valve opened and secondary closure plug missing. 15-gal leaked.

• Largest amount spilled – 6,000-gal (Gasoline Includes Gasoline Mixed With Ethyl Alcohol, With Not More Than 10% Alcohol), tank truck roll-over accident punctured tank shell.

Most Interesting Chemical: Hexaldehyde - alkyl aldehyde used in the flavor industry to produce fruity flavors. A clear colorless liquid with a pungent odor. Flash point 90°F. Less dense than water and insoluble in water. Vapors heavier than air.


Review – Public ICS Disclosures – Week of 3-30-24

This week we have five vendor disclosures about the XZ Utils vulnerability from Broadcom, Palo Alto Networks, Philips, QNAP, and WatchGuard. We have fourteen additional vendor disclosures from ABB, BD, Broadcom (2), Cisco, Hikvision, HP, HPE (4), Palo Alto Networks, Philips, and VMware. There are four vendor updates from Eaton, HP (2), and HPE. We have five researcher reports for vulnerabilities in products from Open Automation Software (4) and Positron. Finally, we have an exploit for products from Petrol Pump.

XZ Utils Advisories

Broadcom published an advisory that discussed the XZ Utils vulnerability.

Palo Alto Networks published an advisory that discussed the XZ Utils vulnerability.

Philips published an advisory that discussed the XZ Utils vulnerability.

QNAP published an advisory that discussed the XZ Utils vulnerability.

WatchGuard published an advisory that discussed the XZ Utils vulnerability.

Advisories

ABB Advisory - ABB published an advisory that describes an improper input validation vulnerability in the Virtual PNI API in their S+ Engineering product.

BD Advisory - BD published an advisory that discusses an improper privilege management vulnerability in a number of their products.

Broadcom Advisory #1 - Broadcom published an advisory that describes an OS command injection vulnerability in their Brocade Fabric OS product.

Broadcom Advisory #2 - Broadcom published an advisory that describes an origin validation error vulnerability in their Brocade Fabric OS product.

Cisco Advisory - Cisco published an advisory that describes two vulnerabilities in their Emergency Responder product.

Hikvision Advisory - Hikvision published an advisory that describes three vulnerabilities in their NVR devices.

HP Advisory - HP published an advisory that describes an improper access control vulnerability in their CCX devices.

HPE Advisory #1 - HPE published an advisory that discusses eight vulnerabilities (three with known exploits) in their Unified OSS Console Assurance Monitoring product.

HPE Advisory #2 - HPE published an advisory that discusses ten vulnerabilities in their ProLiant DL/ML/SY/RL/XL/Edgeline Servers.

HPE Advisory #3 - HPE published an advisory that describes a privilege escalation vulnerability in their MSA SAN Storage VSS Provider and CAPI Proxy Software.

HPE Advisory #4 - HPE published an advisory that describes an unauthorized access to files vulnerability in their NonStop Web ViewPoint Enterprise software.

Palo Alto Networks Advisory - Palo Alto Networks published an advisory that discusses eight third-party vulnerabilities that could be associated with their Prisma SD-WAN ION product.

Philips Advisory - Philips published an advisory that discusses a use-after-free vulnerability in multiple Philips products.

VMware Advisory - VMware published an advisory that describes three vulnerabilities in their SD-WAN Edge and SD-WAN Orchestrator products.

Updates

Eaton Update - Eaton published an update for their Apache Log4j advisory that was originally published on December 14th, 2021 and most recently updated on January 31st, 2022.

HP Update #1 - HP published an update for their OfficeJet Pro advisory that was originally published on March 20th, 2024.

HP Update #2 - HP published an update for their AMD Graphics Driver advisory that was originally published on November 21st, 2023.

HPE Update - HPE published an update for their SimpliVity Servers advisory that was originally published on February 15th, 2024.

Researcher Reports

Open Automation Software Reports - Talos published four reports for individual vulnerabilities in the OAS Platform product.

Positron Report - Zero Science published a report about an authentication bypass vulnerability in the Positron TRA7005 series broadcast signal processor.

Exploits

Petrol Pump Exploit - Sandeep Vishwakarma published an exploit for a file upload vulnerability in the Petrol Pump Management software.


For more information on these disclosures, including links to third-party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-3-671 - subscription required.

Friday, April 5, 2024

Short Takes – 4-5-24

Forecasters warn of ‘extremely active’ hurricane season. TheHill.com article. Pull quote: “In the forecast, the group said it also “anticipate a well above-average probability for major hurricanes making landfall along the continental United States coastline and in the Caribbean.””

‘Alarming’ Ocean Temperatures Suggest This Hurricane Season Will Be a Daunting One. NYTimes.com article (free). Pull quote: “Sea surface temperatures also affect the hurricane season. Over the past century, those temperatures have increased gradually. But last year, with an intensity that unnerved climate scientists, the warming ratcheted up more rapidly. And in the main area where hurricanes form, 2024 is already the warmest in a decade.”

Boulders flung from NASA's DART mission could crash into Mars, study predicts. LiveScience.com article. Pull quote: “But the mission had an unexpected consequence: When the craft collided with Dimorphos, it sent a swarm of 37 boulders measuring up to 22 feet (6.7 meters) flying into the cosmos.”

National Emission Standards for Hazardous Air Pollutants: Ethylene Oxide Emissions Standards for Sterilization Facilities Residual Risk and Technology Review. Federal Register EPA final rule. Summary: “This action finalizes the residual risk and technology review (RTR) conducted for the Commercial Sterilization Facilities source category regulated under national emission standards for hazardous air pollutants (NESHAP) under the Clean Air Act. The EPA is finalizing decisions concerning the RTR, including definitions for affected sources, emission standards for previously unregulated sources, amendments pursuant to the risk review to address ethylene oxide (EtO) emissions from certain sterilization chamber vents (SCVs), aeration room vents (ARVs), chamber exhaust vents (CEVs), and room air emissions, and amendments pursuant to the technology review for certain SCVs and ARVs.”

Review - HR 7556 Introduced – LNG Oversight Coordination

Last month Rep Webber (R,TX) introduced HR 7556, the LNG Coordination Act of 2024. The bill would require the DOT to establish the Liquefied Natural Gas Regulatory Safety Working Group (LNGRSWG). The Working Group would “clarify the authority of covered agencies in the authorizing and oversight of LNG facilities, other than peak shaving facilities, and improve coordination of the authority of such agencies”. No new funding is authorized by this legislation.

Moving Forward

Both Webber and his sole cosponsor {Rep Fletcher (D,TX)} are members of the House Energy and Commerce Committee, to which this bill was assigned for secondary consideration. Neither is a member of the House Transportation and Infrastructure Committee, to which the bill was assigned for primary consideration. This means that while there may be sufficient influence to see the bill considered in the E&C Committee, there is probably not sufficient influence in the T&I Committee. Bills generally do not move to the floor of the House without the acquiescence of the committee assigned primary consideration.

There will be some opposition to this bill from environmentalists who would object to just about anything that makes it easier to expand petrochemical operations. While that opposition would have almost no effect on committee consideration, it could make it difficult to have the bill considered under suspension of the rules, where a supermajority is necessary for passage. Without an influential cosponsor on the Transportation and Infrastructure Committee, there is no way that this bill would move to the floor for consideration.

Commentary

There are two major actors missing from the Working Group membership. The EPA has some oversight responsibilities for LNG facilities through its RMP program and various chemical release regulations. Admittedly this is not as big an influence on LNG facility operations as the other members of the Working Group have, but adding the EPA would alleviate some potential concerns of more mainstream environmentalists. DHS is the other agency that should be on the Working Group list, even though security is not mentioned anywhere in the bill. DHS has a direct impact on LNG facilities through the TSA (pipeline security issues), CISA (the Chemical Facility Anti-Terrorism Standards, if/when it is reinstated), and the Coast Guard (through MTSA facility oversight and LNG shipping regulations).


For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-7556-introduced - subscription required.
