Thursday, November 7, 2024

Review – 3 Advisories Published – 11-7-24

Today, CISA’s NCCIC-ICS published three control system security advisories for products from Bosch, Delta Electronics, and Beckhoff Automation.

Advisories

Bosch Advisory - This advisory describes an uncontrolled resource consumption vulnerability in the Bosch Rexroth AG IndraDrive.

Delta Advisory - This advisory describes three stack-based buffer overflow vulnerabilities in the Delta DIAScreen.

Beckhoff Advisory - This advisory describes an OS command injection vulnerability in the Beckhoff TwinCAT Package Manager.


For more information on these advisories, including a look at additional Delta vulnerabilities – see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-published-11-7-24 - subscription required.

CISA Adds Palo Alto Networks Vulnerability to KEV Catalog – 11-7-24

Today, CISA added four vulnerabilities to their Known Exploited Vulnerabilities catalog. Included in that number is a missing authentication for critical function vulnerability in the Palo Alto Networks Expedition Migration Tool. Palo Alto Networks published their advisory for this vulnerability on July 10th, 2024, reporting that a new version was available to mitigate the vulnerability. On October 9th, Horizon3.ai published a report looking at the vulnerability; the report included proof-of-concept code.

CISA has ordered federal agencies using Expedition to apply “mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable” by November 28th, 2024.

NOTE: On June 14th, 2024 Palo Alto Networks announced that Expedition would move into end-of-life status in January 2025. Palo Alto Networks has new products available for Expedition customers to move into.

Review – NHTSA Publishes Crash Avoidance HMI 60-day ICR Notice

Today, DOT’s National Highway Traffic Safety Administration (NHTSA) published a 60-day information collection request (ICR) notice in the Federal Register (89 FR 88342-88346) for a new ICR for “Crash Avoidance Warning System Human-Machine Interface (HMI) Research”. This ICR will support a one-time research study of drivers' interactions with crash avoidance technology with different human-machine interface (HMI) characteristics. NHTSA proposes the following burden estimate for this new ICR:


Public Comments

NHTSA is soliciting public comments on this ICR notice. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # NHTSA-2024-0070). Comments should be submitted by January 6th, 2025.


For more details about the information collection, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/nhtsa-publishes-crash-avoidance-hmi - subscription required.

119th Congress

While the Presidential race has been decided, a number of congressional races are still having ballots counted. The Republicans will have at least 52 Senators with three as-yet-undecided contests. The House is not as clear, with the Republicans currently ‘holding’ 212 seats to the Democrats’ 197. According to projections by TheHill.com, we should end up with 222 Republicans to 213 Democrats. It currently looks like the Republicans will ‘control’ both the House and the Senate, as well as the White House.

‘Control’ of the Senate is iffy at best. Under the current rules it still takes 60 votes to pass legislation in the Senate, so 53 votes is short of control. Admittedly, those rules could change. It would only take a majority vote (and Vice President Vance would get to break any tie votes in the 119th session of the Senate) to remove or further limit the cloture rule (that rule to limit debate is what currently sets the 60-vote threshold for legislation). The Democrats were not able to garner the 50 votes in the 118th to modify that rule. It remains to be seen if the Republicans will try (depends on their frustration threshold, and we know President Trump is likely to have a very low frustration threshold) to modify that rule and if there will be sufficient moderate restraint to prevent such changes. I would not be surprised to see modifications to allow a lower threshold on specific issues (immigration probably being the first to be changed).

The composition of the House will not be significantly different than the 118th House. I suspect that the Republican fringe that caused so many problems for the Speakers in the 118th will not cause quite so many in the 119th, as they are more closely aligned with the new President, but they will certainly not be under the control of their Speaker (probably Rep Johnson, but that vote next week is not necessarily secure yet). There will almost certainly be some defections from moderate Republicans on some of the more radical proposals that may come to the floor, but that will not be as organized as was the fringe in the 118th.

One thing is clear, though: the 119th Congress will cut spending. Where, and how much, remains to be seen, but the House will have a much greater say in spending decisions than they did in the 118th. The cuts will almost certainly not be as severe as some of the hardliners (including Trump) will want (Congresscritters still need to bring home the bacon to keep being re-elected), but they will be painful in many (maybe most) places. There will be some internal fights over defense and space spending; those two areas will not face significant reductions, but most of the remainder of the Federal bureaucracy will be affected.

Two programs of interest here are going to be severely affected. The CFATS program will not be renewed, and the Trump budget will disassemble any remnants of that program that remain. The Chemical Safety Board will very likely face severe budget cuts, maybe even be formally disbanded (which would require congressional action).

CAVEAT – please read my earlier post about political predictions, those comments apply here as well.

Rafael and Trump

If you have been following the National Hurricane Center’s coverage of Rafael for the last couple of days, you can see how difficult it is to predict the future. A storm that was originally ‘predicted’ to possibly hit the Southeast coast of Louisiana this weekend now looks to be headed to the Bay of Campeche. This morning, the NHC noted:

“This steering evolution would cause Rafael to turn more southward, and this is shown by the dynamical model consensus track prediction.  The new official forecast is adjusted to the left of the previous NHC track but is not as far south as the consensus.  The motion is likely to be quite slow during the latter part of the forecast period.  There remains significant uncertainty [emphasis added] in the future track of Rafael over the Gulf of Mexico and additional adjustments to subsequent official track forecasts are likely.”

The National Hurricane Center has gotten much better with its forecasts over the last couple of years, but forecasting is still less than an exact science. They look at a complex mix of atmospheric and oceanic forces, try to determine what interactions are going to have what effect, and then make a seven-day prediction of the future. The important thing, however, is that once the prediction is published, they start all over working on the next one.

The people on the central Gulf Coast have been watching Rafael with trepidation, but as the track has shifted, they have become less concerned about the possible future effects of the storm. But the more experienced know that hurricane prediction is fraught with complexities, and know that they will have to keep an eye on Rafael until it dissipates. And meanwhile watch out for the potential storm that may be forming further to the East.

Political forecasting has many of the same problems. There are a wide variety of elements that go into political forecasting, and the interaction of those elements changes daily, and frequently more often. To make matters worse, most of those elements track changes in their environment and make decisions that further change over time. Anyone who tells you that they know what is going to happen in the future is fooling themselves. The most any of us can do is look at the past and present and make some level of educated guess about what people are going to do tomorrow. And watch what changes on a daily (sometimes hourly) basis and make revisions as necessary.

A lot of people are disappointed, and even fearful about what happened on November 5th. There are a lot of dire predictions about what the political future will bring. All of those predictions are based on past statements and actions, all of which have probative value. But the future is more complex than the past. People are going to react in different ways based upon their judgements of past and present actions. All of that is going to have an effect (positive and negative) on the future. And those effects are going to have further effects down the line.

Take a deep breath, hold, and exhale through your mouth. Make the best judgments that you can but be prepared to revise as the situation changes over time. Remember, nothing is constant except change.

Wednesday, November 6, 2024

Short Takes – 11-6-24

Requests for Comments; Clearance of a Renewed Approval of Information Collection: Small Unmanned Aircraft Systems (sUAS) Safety Event Reporting. Federal Register FAA 30-day ICR notice. Summary: “The Federal Register Notice with a 60-day comment period soliciting comments on the following collection of information was published on July 31, 2024 (89 FR 61575) [corrected link]. The title of this information collection is being changed from “Small Unmanned Aircraft Systems (sUAS) Accident Reporting” to “Small Unmanned Aircraft Systems (sUAS) Safety Event Reporting” to reflect the change made to the title of the applicable regulation (14 CFR 107.9) in 2022. The regulations at 14 CFR 107.9 requires that a small unmanned aircraft system safety event be reported if it causes: (1) serious injury to any person or any loss of consciousness; or (2) damage to any property, other than the small unmanned aircraft, unless the cost of repair or fair market value in the event of total loss does not exceed $500.” Comments due: December 6th, 2024.

California scientists unlock new key to mosquito-borne disease spread. TheHill.com article. Pull quote: “Using a CRISPR gene editing technique, the scientists knocked out the trpVa gene and thereby caused the males mosquitoes to stop reacting to sound. And when they placed the deaf males in chambers with females, they found that nothing happened.” How you spread a gene that limits breeding in a large population remains to be demonstrated.

Here’s How to Use Dreams for Creative Inspiration. ScientificAmerican.com article. Pull quote: “An objective, automated creativity measure called “semantic distance” indicated that brief napping helped spur inventiveness but that there was no additional benefit when a tree [dream] prompt was added. In this measure, a computer assessed the similarity of pairs of words produced in each creativity task, with less similarity linked to higher creativity. Still, the measure hints at a mechanism for the creativity boost during N1. “It suggests people are capable of making more distant associations and thereby finding [conceptual] bridges that they might not otherwise discover,” Schooler says.”

The Virus That Causes Mpox Keeps Getting Better at Spreading in People. ScientificAmerican.com article. Pull quote: “Meanwhile, clade I viruses have caused sporadic infections in people for more than 50 years — largely in rural regions of Central Africa. But in late 2023, researchers identified a rapidly growing outbreak in more densely populated, urban areas in eastern regions of the DRC that disproportionately affected sex workers, suggesting that this strain of the virus could, like IIb, spread readily between people.”

Harris concession opens agencies to Trump—if he opts in. GovExec.com article. Pull quote: “There remains a significant hurdle to that process, however: Trump has still not signed an agreement with the Biden White House, nor the General Services Administration, the federal agency that manages the presidential transition, that would allow those landing teams to deploy. Under federal transition statute, Trump must have the memoranda of understanding in place and detail the individuals who will serve on the transition before sending them to agencies.”

CISA deepens coordination with agencies on ‘systemic’ risks. FederalNewsNetwork.com article. Pull quote: “An entity can be designated an SIE “based on the potential for its disruption or malfunction to cause nationally significant and cascading negative impacts to national security (including national defense and continuity of government), national economic security, or national public health or safety.””

Who could Trump pick for his new cabinet? Here are top contenders. Reuters.com article. There will be a lot of these articles over the next couple of weeks. Pull quote: “Here are the top contenders for some of the key posts overseeing defense, intelligence, diplomacy, trade, immigration and economic policymaking. Some are in contention for a range of posts.”

Tuesday, November 5, 2024

Short Takes – 11-5-24

Latest space station science reveals news for astronaut health and telescope longevity. Phys.org article. Pull quote: “The day they return from space flight, astronauts demonstrate significant impairments in fine motor control and the ability to multitask in simulated flying and driving challenges. This finding could help develop countermeasures so crew members can safely land and conduct early operations on the moon and Mars.”

Bacteria discovery could accelerate mosquito control schemes. Phys.org article. Pull quote: “The mechanism for this is unclear, but it does not appear that these bacteria provide direct nutritional benefits. Instead, they changed the wider bacterial community, reducing the abundance of certain bacteria—including some species that may be slightly parasitic.”

NASA’s infrastructure crossroads. TheSpaceReview.com article. Pull quote: “In a webinar held by the National Academies to roll out the report [“NASA at a Crossroads”], Augustine and other committee members said that NASA has underinvested in facilities because of budget pressures. The amount of the agency’s budget that went to “mission support,” a line that includes facility maintenance, fell from 20% of NASA’s overall budget in 2013 to 14% in 2023. “In an opportunity-rich environment, such as NASA has confronted over the years, the choice has too frequently been to pursue near-term missions at the expense of investing in the ostensibly invisible foundational assets of the organization,” the report stated.”

How the Election Could Unfold: Four Scenarios. NYTimes.com article. Pull quote: “If the final result resembles the polls, all strengths and weaknesses will more or less cancel out, yielding yet another close election. There are reasons to think, however, that the race might break one way or another. The polls may show a tight race now, but they could err either way. Even if the polls are better this cycle, voters still might summarily decide that one side’s liabilities are more important as they head to the polls.”

Agencies have completed their pre-election transition briefings. Trump may still not get them on time. GovExec.com article. Pull quote: “A former federal transition official told Government Executive that GSA is currently having discussions over how to handle access to buildings and classified materials for his landing team members who have not been cleared. Under law, the official said, those individuals must be publicly disclosed and their ethics agreements posted in order to participate. Harris has already released her team’s ethics agreement as part of its White House memorandum of understanding.”

Public Briefing on Revisions to Space-Related Export Controls Under Export Administration Regulations and International Traffic in Arms Regulations. Federal Register BIS meeting notice. Summary: “On October 23, 2024, the Bureau of Industry and Security (BIS) published in the Federal Register related rules: a final rule, “Export Administration Regulations: Removal of License Requirements for Certain Spacecraft and Related Items for Australia, Canada, and the United Kingdom,” and an interim final rule, “Export Administration Regulations: Revisions to Space-Related Export Controls.” This document announces that, on November 6, 2024, BIS will host a public briefing on these rules. This document also provides details on the procedures for participating in the public briefing. Elsewhere in this issue of the Federal Register, BIS is publishing notification of the public briefing on related proposed rulemaking.”

Monday, November 4, 2024

Short Takes – 11-4-24

How the Brain Summons Deep Sleep to Speed Healing. ScientificAmerican.com article. Pull quote: “To understand the purpose of the extra sleep, the researchers repeatedly interrupted slow-wave sleep in mice that had had a heart attack. The team found that these mice had more inflammation in both the brain and the heart, and had a much worse prognosis than mice that were allowed to sleep undisturbed after a heart attack.”

People Overestimate Political Opponents’ Immorality. ScientificAmerican.com article. Pull quote: “Although this solution clearly cannot resolve all of our political divisions, it can still have powerful effects. Sometimes we need a reminder that they are like us. We may disagree on many issues, but underneath those disagreements lies a common moral sense: we all care deeply about protecting our friends, family and communities from harm. Talking about our core principles and values—many of which we have in common—before talking about issues that can easily turn contentious can help those conversations go better.”

This Black Fungus Might Be Healing Chernobyl By Drinking Radiation—A Biologist Explains. Forbes.com article. Pull quote: “This fungus has adapted to a level of radiation that would be lethal for most life forms. Even more fascinating is its ability to “feed” on this radiation, using it as a source of energy, similar to how plants use sunlight for photosynthesis.” There is a difference between using ‘radiation’ as an energy source and remediating the radioactive materials in the environment.

On whose authority? EPA asserts right to regulate DOT-governed activities. BultTransport.com article. Pull quote: “Instead, the violations all relate to Multistar’s “storage” of a hazardous chemical called trimethylamine (TMA) on its rail siding. The TMA was produced by Eastman Chemical Company, sold to Moses Lake Industries, and held in Eastman’s tank cars while awaiting delivery by truck to its final destination. The court mentions Multistar’s previous EPA compliance issues settled in 2005, 2016, 2019, and 2021; the amount of TMA held on Multistar’s rail siding; the length of time it was there; the lack of “motive power” attached to the tank cars; and the absence of shipping papers in justifying its decision. “The court once again rejects Multistar’s claim that the TMA was in transit while it was stored on Multistar’s rail siding,” the decision reads. “No facts support such a conclusion.””

Influential Attorneys Send a Message to Their Peers: No More Frivolous Election Lawsuits. USNews.com article. Pull quote: “The ABA’s letter came together in a manner of days, says Monte Frank, a member of the task force’s advisory commission and past president of the bar associations of Connecticut and New England. He says members were discussing ways that they could remind lawyers that they are “oath-bound protectors of the Constitution and rule of law and to not only uphold their ethical obligations, but to make efforts to ensure free and fair elections, which is a bedrock principle of our democracy.””

CISA Adds 2 IP Camera Vulnerabilities to KEV Catalog

Today, CISA added two new vulnerabilities to their Known Exploited Vulnerabilities (KEV) catalog. Both vulnerabilities are for PT30X-SDI/NDI Cameras from PTZOptics. The vulnerabilities were originally reported by Konstantin Lazarev of GreyNoise. PTZOptics has a new firmware version that mitigates the vulnerabilities. Federal agencies that own or operate these cameras have until November 25th, 2024, to “Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.”

The two newly added vulnerabilities are:

• OS command injection - CVE-2024-8957, and

• Improper authentication - CVE-2024-8956

Note: Links above are for advisories published by VulnCheck.

An interesting side note: PTZOptics made the corrected version of the firmware available on September 17th, 2024. The change log for v6.3.40 does not specifically identify these two vulnerabilities. Instead, it reports: “General Security Fixes.”

One final note: The two VulnCheck advisories report that these vulnerabilities also affect: “Other white-label AV equipment based on ValueHD Corporation PTZ Camera Firmware”. This is not mentioned in the CISA KEV notice.

Short Takes – 11-4-24 – Space Geek Edition

Starship Flight 6 might come faster than previous launches. SpaceExplored.com article. Pull quote: “With both pieces of hardware nearing flight readiness, Flight 6 I would expect will be nearly the same as Flight 5 (with likely some changes to operations while in space) and could be ready for flight in December. All this is based on the fact that the company is already in the flight test campaign; an even sooner date could be possible. It is SpaceX, after all.”

NASA warns SpaceX over safety issues after astronaut hospitalization. PopSci.com article. Pull quote: “NASA is concerned SpaceX is prioritizing its mission schedule over safety after a recent ocean landing resulted in the brief hospitalizations of all four astronauts. Former astronaut Kent Rominger admonished the company during an October 31 meeting of the Aerospace Safety Advisory Panel, citing a list of recent problems involving both SpaceX’s Falcon 9 rocket and Dragon capsule.” Still nothing about why astronauts were taken to hospital.

Launch: The Fundamental Prerequisite for Space Superiority. AirAndSpaceForces.com article. Well thought out discussion. Pull quote: “With so many providers today, the state of U.S. launch appears solid. But the reality is far more complex. Launch is literally “rocket science.” Early failures in development are common, and catastrophic failures are always possible, potentially causing downstream ripple delays across multiple launch systems. Constant attention and investment are required to ensure the necessary levels of confidence, capacity, and cadence for U.S. space launch to deliver the on-orbit architecture the Space Force needs to deter conflict in the future—or win if deterrence fails.”

Watch Rocket Lab launch mystery mission early on Nov. 5. Space.com article. Pull quote: “"Changes in Latitudes, Changes in Attitudes" will be Rocket Lab's 12th launch of 2024 and 54th overall. All of these missions have been performed by the 59-foot-tall (18 meters) Electron, which is designed to give small satellites dedicated rides to Earth orbit or beyond. (An Electron launched NASA's CAPSTONE mission, which sent a cubesat to the moon.)”

Review – HR 8770 Introduced – Cybersecurity Clinic Grants

Back in June, Rep Veasey (D,TX) introduced HR 8770, the Cybersecurity Clinics Grant Program Act. The bill would require CISA to establish a new Cybersecurity Clinics Grant Program to provide “grants to fund university-based cybersecurity clinics”. The program would be administered by FEMA. The legislation would authorize “such sums as may be necessary to carry out the Program.”

Moving Forward

While Veasey is not a member of the House Homeland Security Committee to which this bill was assigned for consideration, one of his cosponsors {Rep Pfluger (R,TX)} is a member. This means that there may be sufficient influence to see the bill considered in Committee. There will be objections from a number of Republicans to the establishment of a new grant program, particularly a program that targets minority institutions. There still should be some level of bipartisan support for the bill, but it is not clear if that support would be sufficient to move the bill to the floor of the House under the suspension of the rules process.


For more details about the provisions of this bill, including a commentary on the scope of the term ‘cybersecurity’ used in the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-8770-introduced - subscription required.

UAVs for CBRN Sampling

There is an interesting article over at I-HLS.com that describes the operation of the US Army’s new Stryker Nuclear Biological Chemical Reconnaissance Vehicle. The article highlights the operational capabilities of the relatively new vehicle system (including the carried CBRN reconnaissance UAV), while neglecting the shortcomings that the Army identified in their testing program. Still, the idea of using a drone for conducting rapid chemical and radiological surveillance is a worthwhile concept.

How many times have we seen news footage of ominous dark clouds from fires at chemical facilities while the same news reports quote regulatory officials claiming that groundside atmospheric monitoring detects ‘no chemicals of concern’? If those officials were able to sample within that very large cloud, they might provide a very different and more complete description of the downwind hazard.

Emergency response managers with a significant number of chemical facilities (or even just one or two with particularly noxious toxic chemicals on hand) might find it worthwhile to invest in such UAVs to be launched from Fire Department chemical response vehicles. This would allow first responders to have real-time data about the location and concentration of airborne chemicals during incidents.

Sunday, November 3, 2024

Review – Public ICS Disclosures – Week of 10-25-24 – Part 2

For Part 2 this week we have nine additional vendor disclosures from Moxa, Palo Alto Networks, Philips (3), QNAP (2), Western Digital, and Zyxel. There are six vendor updates from FortiGuard, Hitachi Energy (4), and Moxa. We also have 12 researcher reports for vulnerabilities in products from FortiGuard and ABB (11).

Advisories

Moxa Advisory - Moxa published an advisory that discusses two vulnerabilities (both with publicly available exploits) in their Ethernet Switches.

Palo Alto Networks Advisory - Palo Alto Networks published an advisory that discusses 42 open-source software vulnerabilities.

Philips Advisory #1 - Philips published an advisory that discusses a missing authentication for critical function vulnerability.

Philips Advisory #2 - Philips published an advisory that discusses an SQL injection vulnerability.

Philips Advisory #3 - Philips published an advisory that discusses an improper neutralization of expression/command delimiters vulnerability.

QNAP Advisory #1 - QNAP published an advisory that describes an uncharacterized vulnerability in their HBS 3 Hybrid Backup Sync.

QNAP Advisory #2 - QNAP published an advisory that describes an uncharacterized vulnerability in their SMB Service.

Western Digital Advisory - Western Digital published a security update notice for their My Cloud products.

Zyxel Advisory - Zyxel published an advisory that describes an insufficiently protected credentials vulnerability in their USG FLEX H series firewalls.

Updates

FortiGuard Update - FortiGuard published an update for their Missing authentication in fgfmsd advisory that was originally published on October 23rd, 2024, and most recently updated on October 28th.

Hitachi Energy Update #1 - Hitachi Energy published an update for their FOXMAN-UN advisory that was originally published on June 11th, 2024.

Hitachi Energy Update #2 - Hitachi Energy published an update for their UNEM advisory that was originally published on June 11th, 2024.

Hitachi Energy Update #3 - Hitachi Energy published an update for their MSM product advisory that was originally published on January 30th, 2024.

Hitachi Energy Update #4 - Hitachi Energy published an update for their MicroSCADA advisory that was originally published on August 27th, 2024, and most recently updated on August 30th, 2024.

Moxa Update - Moxa published an update for their Cellular Routers, Secure Routers, and Network Security Appliances advisory that was originally published on October 14th, 2024 and most recently updated on October 15th, 2024.

Researcher Reports

FortiGuard Report - Bishop Fox published a report on the missing authentication for critical function vulnerability (CVE-2024-47575) for FortiGuard’s FortiManager product.

ABB Reports - Zero Science published eleven reports about individual vulnerabilities (with publicly available exploits) in the ABB Cylon Aspect building energy management product.


For more information on these vulnerabilities, including links to 3rd party advisories, researcher reports, and exploits, as well as brief summaries of the changes made in updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-10-a32 - subscription required.

Saturday, November 2, 2024

Short Takes – 11-2-24 – Cybersecurity Edition

Data Normalization Challenges and Mitigations in Software Bill of Materials Processing. Mitre.org report. Pull quote: “The U.S. FDA has recognized the importance of SBOMs in managing postmarket software vulnerabilities in medical devices and providing transparency to the users of these devices since the 2018 Medical Device Safety Action Plan [link added] [10], including considering the need for additional regulatory authorities in this space. These authorities were granted in Section 3305 in the Consolidated Appropriations Act, 2023, which added Section 524B “Ensuring Cybersecurity of Medical Devices” to the Federal Food, Drug, and Cosmetic (FD&C) Act. This provision, among other requirements, requires SBOMs (Section 524B(b)(3)) as part of premarket submissions for cyber devices. The 2023 guidance, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions [link added] (henceforth called “premarket cybersecurity guidance”) [11], provides, among other things, FDA’s recommendations on using SBOMs to manage cybersecurity risks.”

New Research: The Proliferation of Cellular in IoT. Rapid7.com blog post. Pull quote: “They go on to demonstrate the importance of breaking open these IoT devices with the goal of penetration testing (pentesting) the strength of the security — or lack thereof — built into the onboard tech. Absent a Wi-Fi connection, they say, it’s critical these devices are able to leverage cellular as a back-up communications method, particularly in the category of potentially life-saving medical devices.”

Testing the security of CCTV systems. PenTestPartners.com blog post. Pull quote: “Some vendors, particularly those who operate at the ‘higher end’ of the market have excellent security controls and development practices. Mid-market vendors have distinctly variable security issues. Those at the low end, at a price point where it is hard to drive strong investment in cyber security, are where we have found some depressingly simple compromises.”

Unveiling the Persistent Risks of Connected Medical Devices. Forescout.com report. Pull quote: “The most common OS in embedded firmware is Linux, followed by: The real-time operating systems (RTOS) VxWorks, KADAK AMX RTOS, NutOS, ThreadX, and Digi Net+OS.”

NOTE: During my search for Researcher Reports on control system vulnerabilities for my weekly Public ICS Disclosures post I frequently run across more generic articles and blog posts that provide information of potential interest to the community at large. I will try to bring those to my Short Takes posts on Saturdays. As always, pointers to such vulnerability reports and articles are much appreciated.

CRS Reports – Week of 10-26-24 – Supreme Court Jurisdiction

This week the Congressional Research Service (CRS) published a report on: “The Exceptions Clause and Congressional Control over Supreme Court Jurisdiction”. The report looks at the constitutional differences between the different types of cases that the Supreme Court may hear. It describes the cases over which the Court has ‘original jurisdiction’, cases that are brought directly to the Court dealing with Ambassadors, other public Ministers and Consuls, and those in which a State shall be Party. All other cases reach the Court on appeal of judgements of the lesser courts. It takes special pains to discuss the fact that the Constitution limits those appeals under the ‘Exceptions Clause’ (Article III, Section 2, Clause 2) by making those appeals subject to “such Exceptions, and … Regulations as the Congress shall make”.

The ‘Considerations for Congress’ section of the report is much more detailed than typically seen in these CRS reports. Instead of laying out specific actions that Congress could/should consider in respect to this topic, the Report continues the legal discussion about practical limits on the topics Congress could expect to try to address in regulating the topics of potential litigation before the Court.

To anyone that has taken any courses on constitutional law (and I have taken a handful of undergraduate courses when I was a political science major), this discussion is hardly unusual, but for most folks (including the majority of congresscritters) it demonstrates how complicated these matters can get. Still, this relatively short report (20 pages) is well worth reading. 

Chemical Incident Reporting – Week of 10-26-24

NOTE: See here for series background.

Davenport, IA – 10-10-24

Local News Report: Here, here, and here.

There was an anhydrous ammonia leak at a food processing facility. The leak was isolated and the employees evacuated. No injuries were reported.

Not CSB reportable.

Litchfield, CT – 10-23-24

Local News Reports: Here, here, and here.

There was an explosion in a sewage treatment sludge tank, reportedly due to flammable gas produced by sludge decomposition reaching an unidentified ignition source. No injuries were reported and there was some damage to the storage tank lid.

Not CSB reportable.

Alcoa, TN – 10-25-24

Local News Report: Here, here, and here.

There was an anhydrous ammonia leak at a food processing facility. The leak was due to a malfunctioning valve. No injuries were reported. There is no mention of damages in the articles.

Not CSB reportable.

Fredericktown, Mo – 10-30-24

Local News Report: Here, here, here, and here.

There was a fire with explosions at a lithium-ion battery recycling facility. Evacuations and shelter-in-place orders have been issued. No injuries have been reported. No damage estimates have yet been published. The local fire department has published a down-wind advisory map.

Probable CSB reportable.

Hayfield, MN – 10-30-24

Local News Report: Here, here, here, and here.

A rural anhydrous ammonia storage tank began leaking, causing a local road to be closed while the leak was fixed. One deputy was taken to a local hospital for exposure related concerns, but was released without being admitted.

Not CSB reportable.

Review – Public ICS Disclosures – Week of 10-25-24 – Part 1

This week, for Part 1, we have 20 vendor disclosures from Broadcom (8), Beckhoff, Bosch, GE Vernova (2), Hikvision, Hitachi Energy (2), HP (3), HPE, and Omron.

Advisories

Broadcom Advisory #1 - Broadcom published an advisory that discusses a function call with incorrect argument type vulnerability in their SANnav product.

Broadcom Advisory #2 - Broadcom published an advisory that discusses an integer overflow or wrap around vulnerability in their SANnav product.

Broadcom Advisory #3 - Broadcom published an advisory that discusses nine vulnerabilities (three with publicly available exploits) in their Fabric OS, SANnav, and ASCG products.

Broadcom Advisory #4 - Broadcom published an advisory that discusses an incorrect resource transfer between spheres vulnerability in their SANnav product.

Broadcom Advisory #5 - Broadcom published an advisory that discusses two vulnerabilities (one with publicly available exploit) in their SANnav product.

Broadcom Advisory #6 - Broadcom published an advisory that discusses an incomplete cleanup vulnerability in their SANnav product.

Broadcom Advisory #7 - Broadcom published an advisory that discusses three inadequately described vulnerabilities in their SANnav product.

Broadcom Advisory #8 - Broadcom published an advisory that discusses six vulnerabilities in their SANnav products.

Beckhoff Advisory - CERT-VDE published an advisory that describes an OS command injection vulnerability in the Beckhoff TwinCAT Package Manager.

Bosch Advisory - Bosch published an advisory that describes an uncontrolled resource consumption vulnerability in the PROFINET stack implementation of the IndraDrive.

GE Vernova Advisory #1 - GE published an advisory that discusses two vulnerabilities in Control Server installations that use VMware vCenter Server.

GE Vernova Advisory #2 - GE published an advisory that describes a side-channel key recovery vulnerability in YubiKeys, affecting customers using Xona devices and those using YubiKey authentication for certain HMI deployments.

Hikvision Advisory - JPCERT published an advisory that announces firmware updates for multiple network cameras as a security enhancement, changing the behavior when communicating with Dynamic DNS services to prevent cleartext transmission.

Hitachi Energy Advisory #1 - Hitachi Energy published an advisory that describes two vulnerabilities in their TRO600 series products.

Hitachi Energy Advisory #2 - Hitachi Energy published an advisory that discusses two vulnerabilities (both with publicly available exploits) in their MSM product web services.

HP Advisory #1 - HP published an advisory that discusses the PixieFail vulnerabilities.

HP Advisory #2 - HP published an advisory that discusses 353 vulnerabilities in their ThinPro product.

HP Advisory #3 - HP published an advisory that describes an out-of-bounds write vulnerability in their Smart Universal Printing Driver.

HPE Advisory - HPE published an advisory that discusses the regreSSHion vulnerability.

Omron Advisory - Omron published an advisory that describes an improper authorization vulnerability in their Sysmac Studio product.

 

For more information about these disclosures, including links to 3rd party advisories, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-10-25a - subscription required.

Friday, November 1, 2024

Short Takes – 11-1-24

WHO sounds pandemic alarm as world's deadliest infection at highest level since records began. GNNews.com article. Pull quote: “Global funding for TB prevention and care decreased further in 2023, falling far short of targets. Low-and middle-income countries, which bear 98 per cent of the TB burden, faced significant funding shortages.”

What is happening with Boeing’s Starliner spacecraft? ArsTechnica.com article. Pull quote: “Does NASA actually need Starliner? Officials with the space agency have been consistently supportive of Boeing, and expressed a preference to work with the company on continuing certification work. Because the spacecraft will now fly a human mission no earlier than 2026, it would only be available for five or fewer years of the space station's remaining lifetime.”

Public Safety and Homeland Security Bureau Announces 15-Business Day Filing Window for Cybersecurity Labeling Administrator and Lead Administrator Applications; Correction. Federal Register FCC final rule correction notice. Corrected effective date: “Effective date: November 20, 2024, except for amendment 3 (47 CFR 8.220(f)(14)) which is delayed indefinitely until the Office of Management and Budget has completed review under the Paperwork Reduction Act. The Commission will publish a document in the Federal Register announcing that effective date.”

Review - S 5276 Introduced – SRM Industrial Base

Last month, Sen Cornyn (R,TX) introduced S 5276, the Solid Propulsion Enhancement and Advancement for Readiness (SPEAR) Act of 2024. The bill would require DOD to submit to Congress a “roadmap for the future desired state for the solid rocket motor (SRM) industrial base.” No new funding would be authorized by this legislation.

Moving Forward

While Cornyn is not a member of the Senate Armed Services Committee to which this bill was assigned for consideration, one of his two cosponsors {Wicker (R,MS)} is the Ranking Member of the Committee. This means that there may be sufficient influence to see the bill considered in Committee. I see nothing in the proposed legislation that would engender any organized opposition. I suspect that the bill would receive significant bipartisan support, but this late in the session, that will probably not be sufficient to see the bill considered before the end of the year.

 

For more information about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-5276-introduced - subscription required.

NOTE: This bill is being covered here as part of the ‘Space Geek’ expansion of the scope of this blog. I am still working on determining how extensive that expansion will be.


Transportation Chemical Incidents – Week of 9-28-24

Reporting Background

See this post for explanation, with the most recent update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

Incidents Summary

• Number of incidents – 588 (561 highway, 21 air, 6 rail, 0 water)

• Serious incidents – 6 (4 Bulk release, 2 evacuation, 2 injury, 0 death, 0 major artery closed, 3 fire/explosion, 24 no release)

• Largest container involved – 30,520-gal DOT 117J100W Railcar {Alcohols, N.O.S.} Six manway bolts loose.

• Largest amount spilled – 412.6-gal Plastic drums {Sodium Bisulfite, Solution} Drum punctured by exposed nail in pallet. (Note: with just one drum affected, the reported amount “3301” lbs should have been something on the order of 300)

NOTE: Links above are to Form 5800.1 for the described incidents.

Most Interesting Chemical: N-Aminoethylpiperazine – A colorless liquid with a faint fishlike odor. Flash point 199°F. Corrosive to tissue. Toxic oxides of nitrogen are produced by combustion. (Source: CameoChemicals.NOAA.gov). It is used as an epoxy curing agent, and is used in the manufacture of pharmaceuticals and synthetic fibers.



Review - CSB Updates Recommendation Response Status – 10-23-24

Yesterday, the Chemical Safety Board updated their Recent Recommendation Status Updates page to reflect changes to ten open recommendations that were made as a result of four separate closed investigations. Eight of those recommendations were closed. The changes were approved at the recent public meeting of the Board. The updated recommendations included:

• Loy-Lange Box Company Pressure Vessel Explosion – 2017-04-I-MO-R8 - Open – Acceptable Response

• Evergreen Packaging Paper Mill – Fire During Hot Work – 2020-07-I-NC-R3 - Closed – No Longer Applicable

• Evergreen Packaging Paper Mill – Fire During Hot Work – 2020-07-I-NC-R4 - Closed – No Longer Applicable

• Evergreen Packaging Paper Mill – Fire During Hot Work – 2020-07-I-NC-R7 - Closed – Acceptable Action

• Evergreen Packaging Paper Mill – Fire During Hot Work – 2020-07-I-NC-R8 - Closed – Acceptable Action

• Caribbean Petroleum Refining Tank Explosion and Fire – 2010-02-I-PR-R3 - Closed – Acceptable Action

• Husky Energy Superior Refinery Explosion and Fire – 2018-02-I-WI-R8 - Closed – Acceptable Action

• Husky Energy Superior Refinery Explosion and Fire – 2018-02-I-WI-R9 - Closed – Acceptable Action

• Husky Energy Superior Refinery Explosion and Fire – 2018-02-I-WI-R10 - Open – Acceptable Response

 

For more information about these incident response actions, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-updates-recommendation-response - subscription required.

Thursday, October 31, 2024

Short Takes – 10-31-24

New guidance published for hydrogen pipelines. HazardExOnTheNet.net article. Pull quote: ““This change will result in a more efficient application of clear, consensus-based hydrogen rules for piping systems by consolidating these rules into the standards that are most often used by our industry partners,” said Chris Cantrell, ASME’s senior managing director of standards and engineering services. “ASME would like to thank our volunteers, our staff, and PRCI staff and volunteers for working with us to meet pipeline industry needs and to advance the use of hydrogen to promote a clean energy future.”” Final report here.

Three-person crew enters China's Tiangong space station. Phys.org article. Pull quote: “The new Tiangong team will carry out experiments with an eye to the space program's goal of placing astronauts on the Moon by 2030 and eventually constructing a lunar base.” Includes diagram of Tiangong station.

Bird flu has been found in a pig for the first time in the U.S. NPR.org article. Pull quote: “The USDA has conducted genetic tests on the farm's poultry and has not seen any mutations that suggest the virus is gaining an increased ability to spread to people. That indicates the current risk to the public remains low, officials said.”

Bird flu could become deadlier if it mixes with seasonal flu viruses, experts warn. LiveScience.com article. Pull quote: “These mutations may change the shape of the hemagglutinin and, thus, the antibodies that bind to it. This difference might render the CDC's standard tests unsuitable, so the agency spent three weeks developing new antibody tests based on the mutant protein.”

Voyager 1 loses contact with NASA, turns on retro transmitter not used since 1981. LiveScience.com article. Pull quote: “On Oct. 22, engineers sent a command to confirm that the spacecraft was indeed using its backup S-band transmitter. The team successfully reestablished contact with Voyager 1 two days later. NASA engineers are now working to diagnose the issue that triggered Voyager 1's fault protection system and to restore it to normal operations.”

China wants to make its Tiangong space station bigger and better. Space.com article. Pull quote: “Also named Xuntian, the CSST is a Hubble-class space telescope that will share an orbit with Tiangong. It will be able to dock with the space station for maintenance, repairs and even upgrades.”

Empowering Chemical Technical Professionals. CEN.ACS.org discovery report. Pull quote: “These obstacles are particularly concerning for diversity in chemistry. If the only way to join the chemical workforce is to go directly to university and graduate school, the scientific community of tomorrow will not be inclusive. Skilled technical positions allow people to start their careers in science earlier and with less student debt. Some may become motivated to pursue advanced degrees later in life, while others will be successful in technical roles. Supporting these pathways means that careers in chemistry will be more accessible to more people.”

I Voted Today – 10-31-24


I voted this morning, the next to last day of early voting in Georgia. No line, no problems; I like it when duties are this easy to perform. I have voted in every Presidential election since 1972 (and lots of others as well). I was raised in a politically active family and would not be able to face my parents in the hereafter if I missed even one.

I have been a registered Republican that whole time. I worked my first campaign in 1964 (yes, I was much less than 18 in that year) in California. I worked in the local Republican Headquarters that first year, helping to make the ‘get-out-the-vote’ lists. In 68 and 72 I was one of the people going to Republican voters on election day, reminding them to get out and vote. Once I joined the Army later in 72, I left active political life behind.

Last Saturday, I was visited by a couple of Trump campaign workers who came to the house to remind me to vote. Now anyone that knows me, knows how little use I have for Trump as a candidate or a person. I was tempted to let these two know about my feelings, but I remembered making similar calls on people in 68 and 72. They were polite and non-political (beyond their Trump and MAGA buttons), so I responded with the same level of civility and assured them that I was voting early.

Please, let us all try to return civility to political discourse. Yelling and screaming has never changed anyone’s mind. It just encourages yelling and screaming in return.

Review – 1 Advisory and 3 Updates Published – 10-31-24

Today, CISA’s NCCIC-ICS published a control system security advisory for products from Rockwell. They also updated three advisories for products from Mitsubishi.

Advisories

Rockwell Advisory - This advisory describes two vulnerabilities in the Rockwell ThinManager product.

Updates

Mitsubishi Update #1 - This update provides additional information on the MELSEC iQ-R Series advisory that was originally published on June 6th, 2023, and most recently updated on April 25th, 2024.

Mitsubishi Update #2 - This update provides additional information on the FA Engineering Software advisory that was originally published on May 14th, 2024.

Mitsubishi Update #3 - This update provides additional information on the FA Engineering Software advisory that was originally published on January 30th, 2024.

 

For more information on these advisories, including brief summary of changes made in updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-and-3-updates-published-7c3 - subscription required.

CG Publishes TWIC Reader Delay Final Rule – 10-31-24

Today, the Coast Guard published a final rule in the Federal Register (89 FR 86723-86739) on “TWIC--Reader Requirements; Second Delay of Effective Date”. This rulemaking extends the enforcement date for the TWIC Reader requirements for the three categories of facilities related to Certain Dangerous Cargo listed in 33 CFR §105.253(a) until May 8th, 2029. The notice of proposed rulemaking was published on December 6th, 2022. The effective date of this rule is December 2nd, 2024.

The TWIC Reader rule was controversial from its first proposal. The preamble for this rule provides a lengthy review of the regulatory convolutions that the Coast Guard has gone through on the TWIC Reader requirements. One of the developments that has had the most impact on the two ‘delay rules’ is the Congressional mandate for the Coast Guard to commission an independent study reviewing the security value of the TWIC program. The Homeland Security Operational Analysis Center (HSOAC) delivered that analysis in July, 2022; a copy of that report will be posted in the docket for this rule. The CG continues to review that report.

Wednesday, October 30, 2024

Review - CISA Publishes Coordinated Vulnerability Disclosure 60-day ICR Notice

Today, CISA published a 60-day information collection request (ICR) notice in the Federal Register (89 FR 86352) for a new ICR on the Vulnerability Reporting Submission Form. According to the discussion in this notice:

“CISA is responsible for performing Coordinated Vulnerability Disclosure, which may originate outside the United States Government (USG) network/community and affect users within the USG and/or broader community, or originate within the USG community and affect users both within and outside of it. Often, therefore, the effective handling of security incidents relies on information sharing among individual users, industry, and the USG, which may be facilitated by and through CISA. A dedicated form on the CISA website will allow for reporting of vulnerabilities that the reporting entity believes to be CISA Coordinated Vulnerability Disclosure (CVD) eligible. Upon submission, CISA will evaluate the information provided, and then will triage through the CVD process, if all CISA scoped CVD requirements are met.”

CISA provides the following initial estimate of the annual burden that will be imposed by this collection:


Public Comments

CISA is soliciting public comments on this information collection request. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket #CISA-2024-0027). Comments should be submitted by December 30th, 2024.

Commentary

What is not clear in this relatively brief ICR notice is whether CISA is owning up to the ‘sponsorship’ of Carnegie Mellon’s reporting process (see the ‘sponsored by’ notice on the bottom of the KB.CERT.org reporting page) or if CISA is going to be standing up a vulnerability coordination process separate from the MITRE system. From the perspective of a response to this ICR, this is an important distinction. If CISA is simply taking ownership of the MITRE process, then we have public access to the data collection documentation and can appropriately comment on that collection effort and the burden estimate based upon that system.

On the other hand, if CISA is starting a new program from scratch, there is no way that we can comment on the appropriateness of, for instance, the estimate of 10 minutes per response upon which the burden estimate is predicated. We would need to see a copy of the reporting format to be able to judge the accuracy of the estimate. 

 

For more information on this ICR notice, including additional commentary about missing burden elements, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cisa-publishes-coordinated-vulnerability - subscription required.


Tuesday, October 29, 2024

Short Takes – 10-29-24

New Metal 3D Printing Technology for Ultra-Strong Materials used in Space! NewsWise.com article. Pull quote: “The technology allows the maximization of the strengthening effect of carbon addition to the alloy via finely distributed nano-carbides at the boundaries of nano-sized cell structure. As a result, the team achieved a combination of tensile strength (the ability to resist forces) and ductility (the ability to endure deformation before failure) that was over 140% better than carbon-free alloys in cryogenic environments. In particular, the elongation of the alloy is twice as high at 77 K compared to 298 K. This technology also offers a potential guideline for alloying design in additive manufacturing to produce high-performance products with excellent load-bearing capacity for use in cryogenic applications. Another key distinction of this technology is its ability to fine-controlling microstructure through additive manufacturing.” Journal article here.

UAH Researcher Wins $300k NSF Award to Characterize Vulnerability of Intelligent Controllers for Cyber-Physical Systems to Safeguard Smart Grids, Robotic Swarms, Autonomous Vehicles. Newswise.com article. Pull quote: ““In reinforcement learning, an agent or controller interacts with an environment by taking actions and receiving feedback in the form of rewards,” Sahoo says. “The goal is to learn an optimal policy that maximizes cumulative rewards. For example, in a microgrid – a cyber-physical system comprising generators, controllers and loads – a controller regulates parameters like voltage or frequency. The generator (acting as the environment) evaluates the controller's action and provides a reward based on how well the regulation goal was achieved.”

Long COVID Is Harming Too Many Kids. ScientificAmerican.com commentary. Pull quote: “The JAMA study comparing infected and uninfected children found that trouble with memory or focusing is the most common long COVID symptom in kids aged six to 11. Back, neck, stomach and head pain were the next most common symptoms. Other behavioral impacts included “fear about specific things” and refusal to go to school.”

Plans to Trash the Space Station Preview a Bigger Problem. ScientificAmerican.com article. Pull quote: “Experts are beginning to be concerned that that effect might actually be substantial and that it will grow more so. In samples of the rarefied air, “there’s all of this sort of metallic crap there that didn’t used to be there that looks like it’s from vaporized spacecraft,” McDowell says. He’s currently working on a paper estimating how much of that foreign material remains in the atmosphere. “We just don’t know yet what the effects are,” he says. “But that doesn’t mean you go, ‘Oh, well, no worries,’ right?””

Lumma/Amadey: fake CAPTCHAs want to know if you’re human. SecureList.com article. Really complex CAPTCHAs. Pull quote: “To avoid falling for the attackers’ tricks, it’s important to understand how they and their distribution network operate. The ad network pushing pages with the malicious CAPTCHA also includes legitimate, non-malicious offers. It functions as follows: clicking anywhere on a page using the ad module redirects the user to other resources. Most redirects lead to websites promoting security software, ad blockers, and the like – standard practice for adware. However, in some cases, the victim lands on a page with the malicious CAPTCHA.”

Starship Next Gen Upper Stage Rocket Pops Up – Is Nothing Short Of A Work Of Art. WCCFTech.com article. Pull quote: “While the new Starship upper stage will not fly on Flight 6, true to form, SpaceX has kept up with its pace of rapid iteration development and rolled the rocket out of its assembly facility in Boca Chica, Texas. Fresh images of the ship from local media show the fins pointing away from the heat shield. This is the biggest upgrade to the Starship second stage's exterior since SpaceX started its integrated flight test campaign. It also follows Musk's comments where he had confirmed that Starship fins would be "shifted leeward" to avoid damage.”

Satellite servicing industry faces uncertain military demand. SpaceNews.com article. Pull quote: “The ability to refuel satellites in orbit is particularly appealing to the U.S. military, which operates some of the most expensive spacecraft in geosynchronous orbit. Keeping these critical assets functional for as long as possible is a top priority. However, beyond basic refueling, the military remains uncertain about adopting other ISAM (in-space servicing, assembly and manufacturing) services.”

Review – 3 Advisories Published – 10-29-24

Today, CISA’s NCCIC-ICS published three control system security advisories for products from Delta Electronics, Solar-Log, and Siemens.

Advisories

Delta Advisory - This advisory describes a deserialization of untrusted data vulnerability in the Delta InfraSuite Device Master real-time device monitoring software.

Solar-Log Advisory - This advisory describes a cross-site scripting vulnerability in the Solar-Log Base 15 solar monitoring device.

Siemens Advisory - This advisory discusses four vulnerabilities in the Siemens InterMesh products.

 

For more information on these advisories, including a down-the-rabbit-hole look at the affected Solar-Log products, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-published-10-29-24 - subscription required.

Review - HR 9851 Introduced – Heavy Industry Hydrogen

Last month, Rep Sorensen (D,IL) introduced HR 9851, the Hydrogen for Industry Act of 2024. The bill would require DOE to establish the ‘Hydrogen Technologies for Heavy Industry Demonstration Program’ to provide grants or cooperative agreements to demonstrate industrial end-use applications of hydrogen. The bill would authorize $1.2 billion for the period of fiscal years 2025 through 2029.

The bill would amend the Energy Policy Act of 2005 by adding a new §969E, Hydrogen Technologies for Heavy Industry Demonstration Program.

HR 9851 is virtually identical to S 646 that was introduced in March of 2023. There has been no action in the Senate on that bill to date. The sole difference between the two bills is the funding authorization dates; 2025-2029 in the House bill and 2024-2028 in the Senate bill.

Moving Forward

Sorensen is a member of the House Science, Space, and Technology Committee to which the bill was assigned for consideration. This means that there may be sufficient influence to see the bill considered in Committee. Unfortunately, the new large-spending authorization on an unconventional energy source is probably a non-starter with most Republican members of the Committee. Some lower level of funding may provide an acceptable compromise, but it is unlikely that any work will proceed on this legislation in the short time remaining in the session. A Democratically controlled House in the 119th Congress (a possibility) would make such a compromise less necessary.

 

For more information on the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-9851-introduced - subscription required.

Short Takes – 10-29-24 – Federal Register Edition

Federal Railroad Administration's Procedures for Waivers and Safety-Related Proceedings. Federal Register FRA notice of proposed rulemaking. Summary: “This proposed rule would update FRA's procedures for waivers and safety-related proceedings to define the two components of the statutory waiver and suspension standard, “in the public interest” and “consistent with railroad safety.” By defining these terms, FRA intends to clarify the standard the agency will apply when evaluating petitions for regulatory relief. FRA also proposes to require petitions for relief to include evidence of meaningful consultation with appropriate stakeholders. Additionally, FRA proposes to make minor updates to agency rules of practice.” Comments required by December 30th, 2024.

Request for Comment on Product Security Bad Practices Guidance. Federal Register CISA comment extension notice. Summary: “On October 16, 2024, the Cybersecurity Division (CSD) within the Cybersecurity and Infrastructure Security Agency (CISA) published a request for comment [link added] in the Federal Register on the voluntary, draft Product Security Bad Practices guidance, which requests feedback on the draft guidance. CISA is extending the comment period for the draft guidance for an additional fourteen days through December 16, 2024.”

Request for Comment on Security Requirements for Restricted Transactions Under Executive Order 14117. Federal Register DHS request for comments notice. Summary: “CISA seeks public input on the development of security requirements for restricted transactions as directed by Executive Order (E.O.) 14117, “Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” E.O. 14117 addresses national-security and foreign-policy threats that arise when countries of concern and covered persons can access bulk U.S. sensitive personal data or government-related data. The proposed CISA security requirements for restricted transactions would apply to classes of restricted transactions identified in regulations issued by the Department of Justice (DOJ).” Comments due November 29th, 2024.

Provisions Pertaining to Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons. Federal Register DOJ notice of proposed rulemaking. Summary: “The Department of Justice proposes a rule to implement Executive Order 14117 of February 28, 2024 (Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern), by prohibiting and restricting certain data transactions with certain countries or persons.” Comments due November 29th, 2024.

Monday, October 28, 2024

Short Takes – 10-28-24

Atmospheric Rivers Have Shifted Towards Earth's Poles, Bringing Big Changes To Weather.  IFLScience.com article. Pull quote: “For a region like southern California, the northward movement of atmospheric rivers could reduce rainfall even further, leading to more problems with water scarcity, droughts, and wildfires. Meanwhile, regions like the Pacific Northwest might see even wetter weather, unleashing issues like flooding.”

Positive Train Control Systems. Federal Register FRA notice of proposed rulemaking. Summary: “FRA is proposing to amend certain regulations governing positive train control (PTC) systems. Since December 31, 2020, by law, PTC systems have generally governed rail operations on PTC-mandated main lines, which encompass nearly 59,000 route miles today. Through FRA's oversight and continued engagement with the industry, FRA has found that its existing PTC regulations do not adequately address temporary situations during which PTC technology is not enabled, including after certain initialization failures or in cases where a PTC system needs to be temporarily disabled to facilitate repair, maintenance, infrastructure upgrades, or capital projects. FRA expects PTC systems to be reliable and robust, further reducing the occurrence of initialization failures and outages. This NPRM proposes to establish strict parameters and operating restrictions under which railroads may continue to operate safely in certain necessary scenarios when PTC technology is temporarily not governing rail operations. The purpose of this NPRM is to enable continued, safe operations and improve rail safety by facilitating prompt repairs, upgrades, and restoration of PTC system service.” Comments due December 27th, 2024.

Male mosquitoes sometimes suck, too. ScienceNews.org article. Pull quote: “In nature, A. aegypti is the main carrier of yellow fever, but can also spread Zika, chikungunya and dengue, while female C. tarsalis can spread West Nile, St. Louis encephalitis and related diseases (SN: 8/26/24; SN: 6/2/15). Male C. tarsalis mosquitoes can be infected with West Nile virus and produce infectious virus in their saliva just like females can, the researchers found.”

Rwanda identifies index case for current Marburg virus outbreak. CEN.ACS.org article. Pull quote: “In an earlier meeting, on Oct. 20, Nsanzimana had revealed that it's very likely the first human Marburg virus disease case in the current outbreak was in a 27-year-old man who had been exposed to fruit bats in a cave where mining occurs. The individual had sought treatment at Kigali’s King Faisal Hospital, where he was first diagnosed with and treated for malaria, and Marburg was detected only later. By then, the infection had spread to his close contacts and several health-care staff.”

One year in, TSA’s cybersecurity directive lays groundwork for railroad sector amid rising digital threats. IndustrialCyber.co article. Pull quote: ““These are the ABCs of OT cybersecurity management – fundamental practices that must be implemented correctly,” Geyer said. “It is critical to refine how these processes can be operationalized, especially given the number of vulnerabilities. Although the directive doesn’t outline an exact order of steps, organizations can look to CISA’s Known Exploited Vulnerabilities (KEV) catalog for guidance on addressing the most pressing risks.””

 
/* Use this with templates/template-twocol.html */