Wednesday, January 31, 2024

Short Takes – 1-31-24

Here’s why COVID-19 isn’t seasonal so far. Sciencenews.org article. Pull quote: “For now, though, the coronavirus is on its own ever-changing timetable. Whether it eventually settles into a seasonal virus may depend on us. The strength of our collective immune systems and our willingness to take precautions to not spread any illness to others may eventually wrestle it into seasonal submission.”

What is the New NFPA 660 Combustible Dust Standard About? BakerRisk.com article. Contains some advertorial content. Pull quote: “By consolidating legacy information, NFPA 660 will ensure that relevant and effective guidelines, recommendations, and best practices are all in the same location for easier access to this information. In doing this, facilities and worksites will be able to browse one standard to learn how to handle combustible dusts instead of looking through several. The hope is that this will reduce confusion and eliminate conflicting information found in existing standalone standards.”

The Past, Present, and Future of Inflatable Space Habitats. Hackaday.com article. Includes a nice review of earlier technology. Pull quote: “As for the first practical application of the technology, Sierra Space and Blue Origin are working together to develop the Orbital Reef commercial space station, which is slated to have at least one LIFE module as part of its baseline configuration. NASA awarded the Orbital Reef project $130 million in December of 2021, with the goal of having it operational by the time the International Space Station is retired, which is currently scheduled for sometime in 2030.”

House Republicans poised to add controversial riders to annual spending bills. TheHill.com article. Pull quote: “At the same time, some House GOP appropriators also say they’ve begun to identify potential changes that could find bipartisan support in spending talks. That includes what Fleischmann described to reporters this week as a “bipartisan and bicameral coalescing” around electric transformers.”

ESA launches first metal 3D printer to ISS. ESA.int article. Pull quote: “One of ESA’s goals for future development is to create a circular space economy and recycle materials in orbit to allow for a better use of resources. One way would be to repurpose bits from old satellites into new tools or structures. The 3D printer would eliminate the need to send a tool up with a rocket and allow the astronauts to print the needed parts in orbit.”

Drones are changing emergency response in this Pacific Northwest city. SmartCitiesDive.com article. Pull quote: “Cities like Bellevue, Washington, are working toward that ideal with the use of unmanned aerial systems, or UAS. For the last few years, the city has piloted emergency drone services using devices from BRINC Drones that provide aerial night and day vision, thermal sensors and live video streaming.” I wonder how/if they handle cybersecurity for those UAS systems?

Senate HSGAC Approved 2 Cybersecurity Bills – 1-31-24

Today, the Senate Homeland Security and Governmental Affairs Committee held a business meeting (as I discussed on Monday). In addition to other actions, the Committee took up two cybersecurity related bills; S 3635, the Industrial Control Systems Cybersecurity Competition Act, and S 3594, the Source code Harmonization and Reuse in Information Technology (SHARE IT) Act.

According to the Committee Record for the meeting, both bills were amended with substitute language from Sen Peters (D,MI), the sponsor for both bills, which in both cases was further amended. The Committee does not include links to the substitute language or amendments in its Committee Record. We may have to wait until the Committee reports are published before we know what changes were made.

Both bills were approved to be reported favorably, S 3635 by a vote of 9 to 1 and S 3594 by a vote of 10 to 0. Sen Paul (R,KY) voted against S 3635, as did Sen Johnson (R,WI), whose nay vote was by proxy and so does not officially count. Both senators are well known for using their right to object to unanimous consent consideration of bills which they oppose. As I noted in my commentary on S 3635, this probably means that there is little chance of S 3635 being taken up by the full Senate. Both Paul and Johnson supported S 3594 (Johnson again by proxy).

Review - HR 6607 Introduced – Federal Drug Manufacturing

Last month, Rep Schakowsky (D,IL) introduced HR 6607, the Affordable Drug Manufacturing Act of 2023. The bill would establish within HHS a new Office of Drug Manufacturing which would work “to increase competition, lower prices, and address shortages in the market for prescription drugs, including insulin, asthma and chronic obstructive pulmonary disease (COPD) inhalers, naloxone, epinephrine auto-injectors, and antibiotics”. The legislation would authorize “such sums as may be necessary to carry out this section”.

Moving Forward

Schakowsky is a member of the House Energy and Commerce Committee to which this bill was assigned for consideration. This means that there could be sufficient influence to see this bill considered in Committee. Unfortunately for Schakowsky and her ten Democratic cosponsors, there would be unanimous opposition to the bill from the Committee’s Republicans. This bill will not be going anywhere in this session of Congress.

Commentary

When this bill was introduced, I noted that:

“I will be watching this bill for language and definitions that would include chemical manufacturing safety and security issues within the scope of responsibility of the proposed Office. I really do not expect to see either.”

I was right: this bill has nothing to do with chemical safety or security. In fact, having a government agency as the manufacturer of record would likely negate the coverage of many OSHA and EPA regulations, as those regulations for the most part do not apply to government agencies.

While Republicans will have a kneejerk reaction to this ‘socialist medical manufacturing’ proposal, something has to be done about bringing down the cost of critical medications. Medicinal manufacturers have to recover their costs of development and that is certainly contributing to the costs. Unfortunately, this bill would probably have little effect on reducing or eliminating those costs, as the developers would recoup those costs when they sold the government the rights to manufacture the medications.

I think that the crafters of this bill made a serious political mistake when they included language that implied that the ODM would own the means of production (i.e., “manufacture [emphasis added], or enter into contracts with entities” to manufacture). That idea would never fly with any Republican congresscritter, or even with many moderate Democrats. Paying manufacturers to make specific drugs for use by government agencies sounds a lot less ‘socialist’ and may have at least been considered for discussion.

In any case, this bill is not going anywhere, and it is really outside of the scope of things that I intend to cover here, so this will be my last word on the legislation.

 

For more information on the details of the proposed legislation, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-6607-introduced - subscription required.

OMB Approves BIS Camera Export Controls Final Rule

Yesterday, the OMB’s Office of Information and Regulatory Affairs announced that it had approved a final rule from the DOC’s Bureau of Industry and Security (BIS) on “Revision of Licensing Requirements of Certain Cameras, Systems, or Related Components”. This direct final rule was submitted to the OIRA on October 31st, 2023.

According to the Fall 2023 Unified Agenda entry for this rulemaking:

“This rule amends the Export Administration Regulations by revising licensing requirements for certain cameras, systems, or related components. These revisions will better align controls with technological and commercial developments.”

I expect that we will see this final rule published in the Federal Register next week.

Tuesday, January 30, 2024

Short Takes – 1-30-24

OSHA Issues Major Chemical Safety Enforcement Guide Changes. BloombergLaw.com article. Pull quote: “The new guidance removes instructions from the 1994 directive that guided inspectors on how to conduct inspections. Instead, it tells inspectors to follow a separate directive, the 2017 national emphasis program for process safety released during the final week of the Obama administration.” Guidance document link.

Mix-Up Preceded Deadly Drone Strike in Jordan, U.S. Officials Say. NYTimes.com article. Pull quote: “One theory military officials are examining is that the militants studied the patterns of U.S. drone flights and deliberately positioned their attack drone near the returning American drone to make it harder to spot. Militia planners could have used Google Earth images of the base to guide the explosives-laden drone to the center of a mass target like the living quarters.”

It turns out NASA’s Mars helicopter was much more revolutionary than we knew. ArsTechnica.com article. Pull quote: “The miracle of Ingenuity is that all of these commercially bought, off-the-shelf components worked. Radiation didn't fry the Qualcomm computer. The brutal thermal cycles didn't destroy the battery's storage capacity. Likewise, the avionics, sensors, and cameras all survived despite not being procured with spaceflight-rated mandates.”

CFATS Expiration: Leaving Open an Opportunity for Disaster. HSToday.us article. Pull quote: “We know the threat of chemical terrorism did not go away simply because the CFATS program expired. We know the best practices to protect dangerous chemicals against terrorist exploitation still work, and we continue to strive to share that knowledge with the chemical industry via the ChemLock program on a voluntary basis. We must face the fact that the absence of the CFATS program is a national security gap too great to ignore. As we call on the American people to examine the resiliency plans for the critical infrastructure that supports our everyday lives, we at CISA also call on Congress to reauthorize CFATS as a pillar of security and resilience for the nation’s chemical sector.” Associate Director Kelly continues her PR campaign.

U.S. Oil Drillers Are Going Electric—if They Can Get the Electricity. WSJ.com article. Pull quote: “The oil field is both growing and trying to electrify while oil-field communities and other industries like data centers are also growing, said Adrian Rodriguez, Southwestern Public Service’s president. Across both states, the utility estimates it needs to build 5 to 10 gigawatts of new power generation in the coming years to meet growing demand and replace some older power plants.”

E. coli rewired to shift carbon flow towards C4 chemicals. ChemistryWorld.com article. More than a little chem-geeky. Pull quote: “Chang and her team used techniques including natural adaptive evolution, gene knockout, enzyme screening, metabolomics and genetic selection to improve the yields of n-butanol, 1,3-butanediol, and 4-hydroxy-2-butanone from 11–20% to near quantitative yields in E. coli. These three industrially relevant C4 chemicals can be further dehydrated to produce 1-butene, 1,3-butadiene and methyl vinyl ketone, respectively.”

Review - S 3594 Introduced – Federal Code Sharing

Earlier this month, Sen Cruz (R,TX) introduced S 3594, the Source code Harmonization and Reuse in Information Technology (SHARE IT) Act. The bill would require the federal government to “maximize efficiency, minimize duplication, and enhance security and innovation across Federal agencies by requiring the sharing of custom-developed code between agencies”. The bill specifically prohibits the authorization of new funding to support the program.

Moving Forward

As I mentioned yesterday, this bill will be considered by the Senate Homeland Security and Governmental Affairs Committee tomorrow. There is one aspect of the bill that could engender opposition (see my Commentary below), but it could easily be revised in tomorrow’s markup. With that change, I suspect that there would be substantial bipartisan support for the bill. Since the bill is not politically important enough to be considered under the Senate’s time-consuming regular order, it will be important to watch tomorrow’s markup to see if Sen Paul (R,KY) supports the bill. If he opposes the bill, he would be likely to oppose consideration of the bill in the full Senate under the unanimous consent process. With his position as Ranking Member, he could effectively veto adding the provisions of the bill to other bills via the floor amendment process. Even if he supports the bill in Committee, he could still object to consideration of the bill under that process for unrelated political leverage.

Commentary

The biggest problem this bill is going to face moving forward is industry objections to the provisions of §4(a)(2):

“(2) all software and other key technical components, including documentation, data models, schemas, metadata, and architecture designs, are owned by the agency.”

This paragraph would require that all contracts for software (not restricted to ‘custom code’) going forward provide for government ownership of the software, rather than a license for its use granted by the vendor. This would be a major change that would be resisted by most (if not all) major software companies. I suspect that if it were accepted by vendors (the federal government is a big customer, after all) it would come with increased costs and a whole series of legal caveats that are currently covered by licensing agreements and ‘terms of use’ restrictions.

This problem could be solved by substituting ‘custom-developed code’, the phrase used multiple times elsewhere in this bill, for the opening ‘all software’ in the paragraph. That is, after all, the overall intent of the bill. While there are arguments to be made for changing the ownership structure of software, that is a much larger issue than the relatively minor sharing of custom code in the federal government.

 

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-3594-introduced - subscription required.

Review – 7 Advisories and 1 Update Published – 1-30-24

Today, CISA’s NCCIC-ICS published seven control system security advisories for products from Rockwell Automation (3), Hitron, Mitsubishi Electric (2) and Emerson. They also updated an advisory for products from Mitsubishi.

Advisories

Rockwell Advisory #1 - This advisory discusses 15 vulnerabilities in multiple Rockwell Operator Panels.

Rockwell Advisory #2 - This advisory describes an improper verification of cryptographic signatures in the Rockwell FactoryTalk Service Platform.

Rockwell Advisory #3 - This advisory describes an improper restriction of operations within the bounds of a memory buffer in the Rockwell ControlLogix and GuardLogix products.

Hitron Advisory - This advisory describes six improper input validation vulnerabilities in the Hitron HGR and LGUVR series DVRs.

Mitsubishi Advisory #1 - This advisory describes an authentication bypass by capture-replay vulnerability in the Mitsubishi MELSEC WS Series Ethernet Interface Modules.

Mitsubishi Advisory #2 - This advisory describes two vulnerabilities in the Mitsubishi FA Engineering Software Products.

Emerson Advisory - This advisory describes four vulnerabilities in the Emerson Rosemount GC370XA, GC700XA, and GC1500XA gas chromatographs.

Updates

Mitsubishi Update - This update provides additional information on an advisory that was originally published on July 27th, 2023 and most recently updated on December 5th, 2023.

 

For more information on these advisories, including links to 3rd party vulnerabilities and researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/7-advisories-and-1-update-published-c5e - subscription required. 

HHS and Ag Dept Publish Select Agents and Toxins NPRMs

Today the Department of Health and Human Services (CDC) as well as the Department of Agriculture (APHIS) issued separate notices of proposed rulemaking in the Federal Register updating their respective regulations regarding select biological agents and toxins (CDC: 89 FR 5823-5842; APHIS: 89 FR 5795-5819). Both departments deleted agents from their respective lists and made other modifications to their regulations. The advance notices of proposed rulemaking (ANPRMs) were published in 2015.

There are two separate select agent/toxins lists maintained by these agencies based on separate congressional mandates. The CDC list is specifically for targeting agents and toxins that affect humans while the APHIS list is for those targeting plants and animals. There is some overlap between the two lists.

Both agencies are soliciting public comments on the proposed rules. Comments are due on April 1st, 2024. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov):

• HHS Docket: CDC-2020-0024, or

• USDA Docket: APHIS-2019-0018


Monday, January 29, 2024

Short Takes – 1-29-24

National Security Telecommunications Advisory Committee. Federal Register DHS meeting notice. Agenda: “The NSTAC will hold a conference call on Thursday, March 7, 2024, from 2:00 to 3:00 p.m. EST to discuss current NSTAC activities and the government's ongoing cybersecurity and NS/EP communications initiatives. This meeting is open to the public and will include: (1) remarks from the administration and CISA leadership on salient NS/EP and cybersecurity efforts; (2) a deliberation and vote on the NSTAC Report to the President on Measuring and Incentivizing the Adoption of Cybersecurity Best Practices; (3) a deliberation and vote on the NSTAC Letter to the President on Dynamic Spectrum Sharing; and (4) a status update on the Principles for Baseline Security Offerings from Cloud Service Providers Study.”

U.S. Secret Service “Cyber Investigations Advisory Board”. Federal Register Secret Service FAC reestablishment notice. Summary: “The United States Secret Service (USSS) has reestablished a “Cyber Investigations Advisory Board (CIAB),” a Federal Advisory Committee, in order to “prevent and disrupt criminal use of cyberspace,” as directed in the 2018 Department of Homeland Security Cybersecurity Strategy (Pillar #3, Goal #4) and as identified by the Secretary of Homeland Security in 2021. This notice is not a solicitation for membership. The goal of CIAB is to provide the USSS with insights from industry, the public sector, academia, and non-profit organizations on emerging cybersecurity and cybercrime issues, and to provide outside strategic direction for the USSS investigative mission. The CIAB will serve as a principal mechanism through which senior industry and other experts can engage, collaborate, and advise the USSS regarding cybersecurity and cybercrime issues.”

The Great Freight-Train Heists of the 21st Century. NYTimes.com article. Pull quote: “At the time, Union Pacific claimed that about 90 containers were being opened per day and that theft on their freight trains in the area was up some 160 percent from the previous year. About 80 guns were stolen from trains. In early 2022, Gov. Gavin Newsom donned a pair of work gloves and picked up scattered boxes on the tracks himself. “What the hell is going on?” he asked the assembled television news crews.”

Since Ohio Train Derailment, Accidents Have Gone Up, Not Down. NYTimes.com article. Pull quote: “Despite that scrutiny, the five Class 1 freight railroads operating in the United States — Union Pacific, BNSF, CSX, Norfolk Southern and Canadian National — reported 256 accidents on their main lines last year through October, an 11 percent increase over the same period in 2022, according to data compiled by the Federal Railroad Administration. The five railroads had reported an aggregate decline in accidents in 2021 and 2022.”

Who is Alleged Medibank Hacker Aleksandr Ermakov? KrebsOnSecurity.com article. Pull quote: ““I’ve seen a few people poo-poohing the sanctions…but the sanctions component is actually less important than the doxing component,” Gray said. “Because this guy’s life just got a lot more complicated. He’s probably going to have to pay some bribes to stay out of trouble. Every single criminal in Russia now knows he is a vulnerable 33 year old with an absolute ton of bitcoin. So this is not a happy time for him.””

Dozen funding totals struck as Congress races to avert another shutdown cliff. Politico.com article. Pull quote: “Senate Appropriations Chair Patty Murray (D-Wash.) and House Appropriations Chair Kay Granger (R-Texas) reached the deal late Friday night, according to two sources familiar with talks. Both sides aren’t releasing the numbers for the 12 funding bills, which will provide federal agencies with updated budgets for the current fiscal year.”

Ingenuity, the NASA Helicopter Flying Over Mars, Ends Its Mission. NYTimes.com article. Pull quote: ““They can rely on what we’ve accomplished,” Theodore Tzanetos, the Ingenuity project manager, said in a news conference on Thursday evening. “They can point to the fact that a cellphone processor from 2015 can survive the radiation environment on Mars for two and a half years. Lithium-ion battery cells that are commercial, off the shelf, can survive for two and a half years. Those are massive victories for engineers around NASA.””

Hybrid energy harvesters that harness heat and vibration simultaneously. NewsWise.com article. Pull quote: “"This study confirms that the hybrid energy harvesting system can be reliably applied to our real life," said Dr. Sunghoon Hur of KIST, who led the research. "We have confirmed its effectiveness in places where heat and vibration exist together, such as automobile engines, and are currently planning to build a system that can be applied to factory facilities or construction machinery engines that are difficult to supply power and diagnose their condition wirelessly."”

The United States Needs a New Way to Think About Cyber. Lawfaremedia.org article. Pull quote: “Defense is still quite important. The Iranian attack happened less than a month after the Environmental Protection Agency rescinded a rule requiring water systems to conduct additional cyber health checks. The patchwork U.S. system of water and other utilities may be a strength in some ways, but these entities absolutely must be more responsible about cyber hygiene. Utility companies are suddenly on the front lines, whether they are in Hawaii, Guam, Pennsylvania, or Iowa.”

Energy giant Schneider Electric hit by Cactus ransomware attack. BleepingComputer.com article. Pull quote: “The stolen data could contain sensitive information about customers' power utilization, industrial control and automation systems, and compliance with environmental and energy regulations.” No word on whether any product development (programming) information was accessed.

Water Cybersecurity Hearing Added – 1-31-24

This afternoon, the House Energy and Commerce Committee announced that its Subcommittee on Environment, Manufacturing, and Critical Materials would hold a hearing on Wednesday on “Ensuring the Cybersecurity of America’s Drinking Water Systems”. The witness list includes:

• Scott Dewhirst, Tacoma Water (testimony),

• Kevin Morley, American Water Works Association (testimony), and

• Cathy Tucker-Vogel, Kansas Department of Health and Environment (testimony)

It is unusual for witness testimony to be published this far in advance of the scheduled hearing, but I hope that the Subcommittee staff and members’ staffs are taking advantage of the early publication to prepare some intelligent questions for these three industry representatives.

What is clear from a quick review of the testimony is that these three witnesses are experienced in managing cybersecurity issues, and that is a valuable point of view for hearings like this. But there is a difference between ‘managing cybersecurity issues’ and working on the application of cybersecurity measures to drinking water control systems. It would have been instructive to add at least one witness with hands-on cybersecurity application experience. Oh well, this still should be an interesting hearing.

Review - S 3635 Introduced – President’s Cup Update

Last month, Sen Peters (D,MI) introduced S 3635, the Industrial Control Systems Cybersecurity Competition Act. The bill would amend 6 USC 665m(d), President’s Cup Cybersecurity Competition, to expand the competition to specifically include operational technology and industrial control systems. No new funding is authorized by the legislation.

Moving Forward

As I noted this morning, the Senate Homeland Security and Governmental Affairs Committee is scheduled to take up this bill on Wednesday. I suspect that there will be significant bipartisan support for this bill. Since this bill is not politically important enough to be considered by the Senate under regular order, the key person to watch in this hearing will be Ranking Member Paul (R,KY). Opposition will effectively kill further consideration of the bill as he would be expected to object to any unanimous consent motion to consider the bill. Unfortunately, his support would not be a guarantee that he would not object to future unanimous consent motions for other political reasons.

Commentary

While high profile competitions are a good way of publicizing cybersecurity vulnerabilities and threats and encouraging attention to proactive cybersecurity measures, in the great scheme of things they actually do little to stop cyberattacks. Politically, it would allow Congress to look like it is doing something, without spending any money or making any difficult political decisions. I guess we cannot expect much more out of the 118th Congress.

 

For more information about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-3635-introduced - subscription required.

Committee Hearings – Week of 1-28-24

This week, with both the House and Senate in Washington, there will be a nearly normal load of committee hearings. There will be two hearings of interest here; a markup hearing in the Senate and a cyber threat hearing in the House.

Markup Hearing

On Wednesday, the Senate Homeland Security and Governmental Affairs Committee will hold a business meeting. In addition to seven nominations and 12 postal naming bills being considered, the Committee will markup 12 bills. These will include:

• S 3635, Industrial Control Systems Cybersecurity Competition Act, and

• S 3594, Source code Harmonization and Reuse in Information Technology (SHARE IT) Act

The text of both bills just recently became available; I will try to get reviews up before Wednesday.

Cyber Threats

On Wednesday, the House Select Committee on the CCP will hold a hearing on “The CCP Cyber Threat to the American Homeland and National Security”. The witness list includes:

• Gen Paul Nakasone, United States Cyber Command,

• Jen Easterly, Cybersecurity and Infrastructure Security Agency,

• Christopher Wray, Director, Federal Bureau of Investigation, and

• Harry Coker, Jr., Office of the National Cyber Director

While this is an open hearing, so there will not be much in the way of details discussed, there should be some significant discussion of the cyber threat to energy infrastructure from China.

On the Floor

We may see a bipartisan tax bill, HR 7024, considered in the House this week. While there is nothing of specific interest here, just seeing a significant tax bill being reported out of the House Ways and Means Committee in a bipartisan manner is a newsworthy event in the 118th Congress.

Saturday, January 27, 2024

Short Takes – 1-27-24

Cyberattack downs emergency dispatch system in Bucks County, Pennsylvania. StateScoop.com article. Pull quote: “The Department of Emergency Communications sent out an alert on Monday night through Ready Bucks, its emergency notifications platform, saying the CAD [computer-aided dispatch] system is down. The technology helps public safety officers “prioritize and record incident calls, identify the status and location of responders in the field, and effectively dispatch responder personnel,” according to a publication by the U.S. Department of Homeland Security.”

Pwn2Own Automotive: $1.3M for 49 zero-days, Tesla hacked twice. BleepingComputer.com article. Pull quote: “Throughout the contest organized by Trend Micro's Zero Day Initiative (ZDI) in Tokyo, Japan, during the Automotive World auto conference, hackers targeted fully patched electric vehicle (EV) chargers, infotainment systems, and car operating systems.”

Can private companies carry NASA back to the Moon? TheVerge.com article. Pull quote: “Often derided as the rocket to nowhere, NASA has struggled to convince many in the space industry of SLS’s usefulness, particularly given its exorbitant cost. It has been in development for so long that, arguably, commercial entities like SpaceX will soon be able to provide many of the same facilities, likely for a lower price tag.”

Japan Explains How It Made an Upside-Down Moon Landing. NYTimes.com article. Pull quote: ““It successfully achieved the controlled landing,” Hitoshi Kuninaka, director general of JAXA’s Institute of Space and Astronautical Science, said in Japanese at a news conference. “We confirmed that the landing position was 55 meters away from the initial target. So we concluded that we achieved the 100-meter-accuracy pinpoint landing.””

INSIGHT: No end in sight for lapse of US chemical anti-terrorism program. ICIS.com article. Pull quote: “In January, Nebraska State Senator Eliot Bostar introduced LB1048, which would require certain chemical facilities to comply with the federal chemical security program.”

Chemical Safety Board plots new course. CEN.ACS.org article. Pull quote: “Owens won’t predict how many incidents the CSB will investigate in the future. To speed the process, he says, the agency will rely on teams of four to five investigators per incident and supplement with contractors who have expertise in analyzing areas such as blasts, explosives, and strength of materials. Previously, he says, the CSB too often relied on a single investigator per incident, which slowed the process.”

Emergency Escape Breathing Apparatus Standards. Federal Register FRA Final Rule. Summary: “FRA is amending its regulations related to occupational noise exposure in three ways. First, in response to a congressional mandate, FRA is expanding those regulations to require that railroads provide an appropriate atmosphere-supplying emergency escape breathing apparatus to every train crew member and certain other employees while they are occupying a locomotive cab of a freight train transporting a hazardous material that would pose an inhalation hazard in the event of release during an accident. Second, FRA is changing the name of this part of its regulations from “Occupational Noise Exposure” to “Occupational Safety and Health in the Locomotive Cab” to reflect the additional subject matter of this final rule and to make other conforming amendments. Third, FRA is removing the provision stating the preemptive effect of this part of FRA's regulations because it is unnecessary.” Effective date March 26th, 2024.

Offshore wind farms are vulnerable to cyberattacks, new Concordia study shows. NewsWise.com article. Pull quote: “In turn, these disturbances could trigger poorly dampened power oscillations from the offshore wind farms when all the offshore wind farms are generating their maximum output. If these cyber-induced electrical disturbances are repetitive and match the frequency of the poorly dampened power oscillations, the oscillations could be amplified. These amplified oscillations might then be transmitted through the HVDC system, potentially reaching and affecting the stability of the main power grid. While existing systems usually have redundancies built in to protect them against physical contingencies, such protection is rare against cyber security breaches.”

Chemical Incident Reporting – Week of 1-20-24

NOTE: See here for series background.

Tapps Island, WA – 1-22-24

Local News Reports: Here, here and here.

‘Liquid chlorine’ (typically means sodium hypochlorite) spill in ‘pump house’. No injuries or damage reported. One house evacuated.

Not CSB reportable.

Elk Mountain, WY – 1-22-24

Local News Reports: Here.

Single-vehicle tanker truck accident released anhydrous ammonia in a slow leak. Truck driver injured, but probably from accident not the chemical release.

Not CSB reportable because it is a transportation incident rather than a fixed-site incident.

Review - CSB Updates Accidental Release Reporting Data – 1-25-24

Yesterday, in conjunction with its quarterly business meeting, the CSB updated its published list of reported chemical release incidents, adding 37 new incidents that occurred since the previous version was published in October. These are not incidents that the CSB is investigating; they are incidents that were reported to the CSB under its Accidental Release Reporting rule (40 CFR 1604).

The table below shows the top four states based upon the number of reported incidents since the October update was published.


For more details about the reported incident data, and a listing of incidents that probably should have been reported, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-updates-accidental-release-reporting-65d - subscription required. 

Transportation Chemical Incidents – Week of 1-18-24

Reporting Background – See this post for explanation.

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

Incidents Summary

Number of incidents – 57 (55 highway, 2 air)

Serious incidents – 1 (1 Bulk release, 0 injuries, 0 deaths, 0 major artery closed)

Largest container involved – 520-gallon IBC (piperidine, about 1 cup leaked).

Largest amount spilled – 250-gallons (sulfuric acid with more than 51 percent acid)

Most interesting chemical - Organic Peroxide Type D, Liquid, Temperature Controlled (UN 3115). Only one shipment, with some minor damage during loading (.00715-gal spilled). This is a generic listing for a class of chemicals known for self-accelerating decomposition reactions that can start at low temperatures and release oxygen. The exothermic reaction produces heat, which increases the reaction rate, until a critical temperature is reached at which the remaining material decomposes explosively.
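The self-accelerating behaviour described above can be shown with a simple heat-balance (Semenov-type) model. This is an added illustration, not code from the blog or from PHMSA, and its parameters (activation energy, rate prefactor, heat-loss coefficient) are assumed round numbers chosen to make the threshold visible, not the properties of any real UN 3115 product. Heat release follows an Arrhenius law and so grows exponentially with temperature, while heat loss to the surroundings grows only linearly; the two curves cross at an unstable point, and above it every degree of self-heating speeds the reaction further. The model stops at a large excess temperature and reports a runaway; it does not model the final explosive decomposition.

```python
"""Self-accelerating decomposition as a heat-balance (Semenov-type) model.

Added illustration, not code from the blog, from PHMSA or from any peroxide
supplier. All parameters below are assumed for illustration only.
"""
import math

R_GAS = 8.314     # J/(mol K)
EA = 100e3        # J/mol, assumed activation energy
A_HEAT = 1e15     # K/s, assumed lumped prefactor (rate x heat of reaction / heat capacity)
H_LOSS = 0.01     # 1/s, assumed heat-loss coefficient to the surroundings


def heat_rates(temp_k, ambient_k):
    """Return (self-heating rate, heat-loss rate) in K/s at temperature temp_k.

    Generation is Arrhenius (exponential in 1/T); loss is Newtonian cooling
    (linear in the excess over ambient).
    """
    generation = A_HEAT * math.exp(-EA / (R_GAS * temp_k))
    loss = H_LOSS * (temp_k - ambient_k)
    return generation, loss


def simulate(start_k, ambient_k, dt=1.0, t_end=36000.0, runaway_margin=200.0):
    """Integrate dT/dt = generation - loss with explicit Euler.

    Returns (ran_away, final_temp_k, elapsed_s). The run stops early and
    reports a runaway once the material is runaway_margin kelvin above
    ambient; by then the rate is climbing so steeply that the exact number
    no longer matters.
    """
    temp = start_k
    t = 0.0
    while t < t_end:
        gen, loss = heat_rates(temp, ambient_k)
        temp += (gen - loss) * dt
        t += dt
        if temp - ambient_k > runaway_margin:
            return True, temp, t
    return False, temp, t


def critical_start_temperature(ambient_k, lo=None, hi=None, tol=0.5):
    """Bisect for the lowest starting temperature that runs away at ambient_k.

    This is the unstable crossing of the generation and loss curves: below
    it a hot spot cools back toward ambient, above it the reaction feeds itself.
    """
    lo = ambient_k if lo is None else lo
    hi = ambient_k + 150.0 if hi is None else hi
    if simulate(lo, ambient_k)[0] or not simulate(hi, ambient_k)[0]:
        raise ValueError("bracket does not straddle the runaway threshold")
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if simulate(mid, ambient_k)[0]:
            hi = mid
        else:
            lo = mid
    return hi


def runs_away_from_ambient(ambient_k):
    """True if storage at ambient_k alone, with no initial hot spot, ends in
    runaway; this is the behaviour a temperature-controlled listing exists
    to prevent."""
    return simulate(ambient_k, ambient_k)[0]


if __name__ == "__main__":
    for start in (320.0, 345.0):
        ran, final_t, elapsed = simulate(start, 300.0)
        print(f"start {start:.0f} K at 300 K ambient: "
              f"{'RUNAWAY' if ran else 'settled'} at {final_t:.1f} K after {elapsed:.0f} s")
    print(f"runaway threshold at 300 K ambient: about {critical_start_temperature(300.0):.1f} K")
    for amb in (300.0, 320.0):
        print(f"held at {amb:.0f} K ambient: runaway = {runs_away_from_ambient(amb)}")
```

With these assumed parameters a sample started at 320 K in 300 K surroundings settles a fraction of a degree above ambient, a sample started at 345 K runs away within minutes, the threshold for a 300 K ambient comes out near 339 K, and at a 320 K ambient the material runs away from ambient alone with no hot spot at all, which is why the UN listing carries the "Temperature Controlled" qualifier.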


Review – Public ICS Disclosures – Week of 1-20-24

This week we have 16 vendor disclosures from HP (4), HPE (2), Philips, Splunk (5), TRUMPF (3), and WAGO, along with a vendor update from HPE and two researcher reports for vulnerabilities in products from Zyxel and TianoCore.

Advisories

HP Advisory #1 - HP published an advisory that discusses 81 vulnerabilities in their ThinPro products.

HP Advisory #2 - HP published an advisory that discusses three vulnerabilities in multiple HP products.

HP Advisory #3 - HP published an advisory that discusses 26 vulnerabilities in their Device Manager product.

HP Advisory #4 - HP published an advisory that discusses three vulnerabilities in their business notebook PCs and thin client PCs.

HPE Advisory #1 - HPE published an advisory that discusses nine vulnerabilities in their Superdome Flex, Superdome Flex 280 and Compute Scale-up Server 3200 Servers.

HPE Advisory #2 - HPE published an advisory that discusses 23 vulnerabilities in their Unified Mediation Bus (UMB) product.

Philips Advisory - Philips published an advisory that discusses two Citrix NetScaler vulnerabilities.

Splunk Advisory #1 - Splunk published an advisory that describes an improper access control vulnerability in their Enterprise product.

Splunk Advisory #2 - Splunk published an advisory that describes an improper input validation vulnerability in their Enterprise and Cloud Platform products.

Splunk Advisory #3 - Splunk published an advisory that describes an insertion of sensitive information into log files vulnerability in their Enterprise product.

Splunk Advisory #4 - Splunk published an advisory that describes an improper input validation vulnerability in their Enterprise for Windows product.

Splunk Advisory #5 - Splunk published an advisory that discusses multiple vulnerabilities in their Enterprise product.

TRUMPF Advisory #1 - CERT-VDE published an advisory that discusses an integer overflow or wraparound vulnerability in multiple TRUMPF products.

TRUMPF Advisory #2 - CERT-VDE published an advisory that discusses four vulnerabilities in the TRUMPF Oseon and True Tops Fab products.

TRUMPF Advisory #3 - CERT-VDE published an advisory that discusses three vulnerabilities in the TRUMPF Oseon product.

WAGO Advisory - CERT-VDE published an advisory that discusses two vulnerabilities in the WAGO e!COCKPIT and WAGO-I/O-Pro products.

Updates

HPE Update - HPE published an update for their OneView advisory that was originally published on January 9th, 2024.

Researcher Reports

Zyxel Report - SSD Secure Disclosure published a report describing three remote command execution vulnerabilities in earlier versions of the Zyxel VPN firewall.

TianoCore Report - Quarkslab published a report describing nine vulnerabilities in the IPv6 network protocol stack of TianoCore EDK II.


For more details about these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-1-189 - subscription required.

Friday, January 26, 2024

OMB Issues ICR Number for BIS Malicious Cyber-Enabled Activities Rule

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had issued an information collection request (ICR) control number (0694-0144) and filed comments with the notice of proposed rulemaking from the DOC’s Bureau of Industry and Security (BIS) on “Taking Additional Steps To Address the National Emergency With Respect To Significant Malicious Cyber-Enabled Activities”.

Sharp-eyed readers will recall that a similarly titled emergency ICR request was rejected by OIRA earlier this week. It appears that OIRA initiated this ICR file based upon its review of the NPRM approved by the Office last week. That NPRM has not yet been published in the Federal Register.

According to the ‘PRA ICR Documents’ page for this ICR notice, no new documents were submitted to OIRA by BIS. The ‘abstract’ information listed on the ICR notice from OIRA is a duplicate from that shown on that earlier, rejected ICR notice.

OMB Approves EPA TSCA Fees Final Rule

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rule from the EPA on “Fees for the Administration of the Toxic Substances Control Act (TSCA)”. The final rule was submitted to OIRA on November 14th, 2023. The notice of proposed rulemaking for this action was published on January 21st, 2021 and a supplemental NPRM was published on November 16th, 2022.

According to the Fall 2023 Unified Agenda entry for this rulemaking:

“EPA is considering comments on the 2022 supplemental proposal to its 2021 proposed updates and adjustments to the 2018 fees rule established under the Toxic Substances Control Act (TSCA) to inform the development of a final rule. TSCA requires EPA to review and, if necessary, adjust the fees every three years, after consultation with parties potentially subject to fees. With over five years of experience administering the TSCA amendments of 2016, EPA is taking this action to ensure that the fees charged accurately reflect the level of effort and resources needed to implement TSCA in the manner envisioned by Congress when it reformed the law. The supplemental proposal narrowed certain proposed exemptions for entities subject to the EPA-initiated risk evaluation fees and proposed exemptions for the test rule fee activities; proposed modifications to the self-identification and reporting requirements for EPA-initiated risk evaluation and test rule fees; proposed a partial refund of fees for premanufacture notices withdrawn at any time after the first 10 business days during the assessment period of the chemical; proposed modifications to EPA's proposed methodology for the production volume-based fee allocation for EPA-initiated risk evaluation fees in any scenario where a consortium is not formed; proposed expanding the fee requirements to companies required to submit information for test orders; proposed modifying the fee payment obligations to require payment by processors subject to test orders and enforceable consent agreements (ECA); proposed extending the timeframe for test order and test rule payments; and proposed changes to the fee amounts and the estimate of EPA's total costs for administering TSCA. During development of this rulemaking, EPA consulted and met with stakeholders that were potentially subject to fees, including public webinars in February 2021 and December 2022. This engagement will inform the final rule.”

We should see the publication of this final rule next week in the Federal Register. 

OMB Approves CG Marine Cybersecurity NPRM

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a notice of proposed rulemaking (NPRM) from the Coast Guard on “Cybersecurity in the Marine Transportation System”. The NPRM was submitted to the OIRA on November 13th, 2023.

According to the Fall 2023 Unified Agenda entry for this rulemaking:

“The Coast Guard proposes to update its maritime security regulations by adding cybersecurity requirements to existing Maritime Security regulations in 33 CFR part 101 et seq. This proposed rulemaking is part of an ongoing effort to address emerging cybersecurity risks and threats to maritime security by including additional security requirements to safeguard the marine transportation system.”

We will probably see this rule published in the Federal Register next week.

EPA Sends Methylene Chloride Final Rule to OMB

On Wednesday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a final rule from the EPA on “Methylene Chloride (MC); Regulation Under the Toxic Substances Control Act (TSCA)”. The notice of proposed rulemaking was published on May 3rd, 2023.

According to the Fall 2023 Unified Agenda entry for this rulemaking:

“On May 5, 2023, EPA proposed a rule under the Toxic Substances Control Act (TSCA)  to address the unreasonable risk of injury to human health from methylene chloride. TSCA requires that EPA address by rule any unreasonable risk of injury to health or the environment identified in a TSCA risk evaluation and apply requirements to the extent necessary so that the chemical no longer presents unreasonable risk. Methylene chloride, also known as dichloromethane, is acutely lethal, a neurotoxicant, a likely human carcinogen, and presents cancer and non-cancer risks following chronic exposures as well as acute risks. Central nervous system depressant effects can result in loss of consciousness and respiratory depression, resulting in irreversible coma, hypoxia, and eventual death, including 85 documented fatalities from 1980 to 2018, a majority of which were occupational fatalities. Nevertheless, methylene chloride is still a widely used solvent in a variety of consumer and commercial applications including adhesives and sealants, automotive products, and paint and coating removers. To address the identified unreasonable risk, EPA proposed to: prohibit the manufacture, processing, and distribution in commerce of methylene chloride for consumer use; prohibit most industrial and commercial uses of methylene chloride; require a workplace chemical protection program (WCPP), which would include a requirement to meet inhalation exposure concentration limits and exposure monitoring for certain continued conditions of use of methylene chloride; require recordkeeping and downstream notification requirements for several conditions of use of methylene chloride; and provide certain time-limited exemptions from requirements for uses of methylene chloride that would otherwise significantly disrupt national security and critical infrastructure. 
The Agency’s development of this rule incorporated significant stakeholder outreach and public participation, including public webinars and over 40 external meetings as well as required Federalism, Tribal, and Environmental Justice consultations and a Small Businesses Advocacy Review Panel. EPA's risk evaluation, describing the conditions of use is in docket EPA-HQ-OPPT-2019-0437, with the 2022 unreasonable risk determination and additional materials in docket EPA-HQ-OPPT-2016-0742.”

The EPA maintains a methylene chloride risk management web site.

Bills Introduced – 1-25-24

Yesterday, with just the Senate in session (and preparing to leave for the weekend) and the House meeting in pro forma session, there were 52 bills introduced. One of the bills will receive additional coverage in this blog:

S 3661 A bill to direct the Secretary of Agriculture to periodically assess cybersecurity threats to, and vulnerabilities in, the agriculture and food critical infrastructure sector and to provide recommendations to enhance their security and resilience, to require the Secretary of Agriculture to conduct an annual cross-sector simulation exercise relating to a food-related emergency or disruption, and for other purposes. Cotton, Tom [Sen.-R-AR]

Thursday, January 25, 2024

Short Takes – 1-25-24

A Viral Solution to Farming’s Antibiotic Addiction. Ambrook.com article. Pull quote: “However, he believes phages can scale, given the right investment. Making phages is relatively easy — you can create 10,000 gallons of them in just a few days. That said, infrastructure for storage and transport remains a barrier. While antibiotics have had 100 years of application, phages are still in their early days, at least when it comes to widespread use. “We haven’t brought down the cost to have it [widely] adopted,” Roach added. “But the price will come down, it’s inevitable.””

Recent Postings of Broadly Applicable Alternative Test Methods. Federal Register EPA notice. Summary: “This notice announces the broadly applicable alternative test method approval decisions that the Environmental Protection Agency (EPA) made under and in support of New Source Performance Standards (NSPS) and the National Emission Standards for Hazardous Air Pollutants (NESHAP) between January 1, 2023, and December 31, 2023.” List of test methods here.

The amazing helicopter on Mars, Ingenuity, will fly no more. ArsTechnica.com article. Broken rotor blade. Pull quote: “But it turns out that Ingenuity had other ideas. Since its deployment from the Perseverance rover in April 2021, the helicopter has flown a staggering 72 flights. It has spent more than two hours—128.3 minutes, to be precise—flying through the thin Martian air. Over that time, it flew 11 miles, or 17 km, performing invaluable scouting and scientific investigations. It has been a huge win for NASA and the Jet Propulsion Laboratory, one of the greatest spaceflight stories of this decade.”

News Release: DHS S&T Announces Track 3 of the Remote Identity Validation Tech Demo Challenge. DHS.gov press release. Pull quote: “RIVTD challenges industry to deliver secure, accurate, and easy-to-use remote identity validation technologies to address identity fraud. While millions of people apply for government services or open bank accounts by submitting identity information online, independent or objective data characterizing the performance of these verification technologies, and the degree to which they may reduce fraud is still limited. In an age of widespread increasingly believable phony media, the RIVTD fills a critical gap.” Applications for Track 3 are due by February 29, 2024.

NASA System Predicts Impact of a Very Small Asteroid Over Germany. NASA.gov article. Pull quote: “A small asteroid about 3 feet (1 meter) in size disintegrated harmlessly over Germany on Sunday, Jan. 21, at 1:32 a.m. local time (CET). At 95 minutes before it impacted Earth’s atmosphere, NASA’s Scout impact hazard assessment system, which monitors data on potential asteroid discoveries, gave advance warning as to where and when the asteroid would impact. This is the eighth time in history that a small Earth-bound asteroid has been detected while still in space, before entering and disintegrating in our atmosphere.”

A fiber inspired by polar bears traps heat as well as down feathers do. ScienceNews.org article. Pull quote: “The Arctic’s extreme cold is no match for a polar bear’s super-insulating fur. Humans could one day benefit from a similar material, thanks to a new fiber that mimics the bears’ porous hairs. A sweater knit from the fiber is about one-fifth the thickness of a down coat but similarly warm, researchers report in the Dec. 22 Science.”

Review – 2 Advisories Published – 1-25-24

Today, CISA’s NCCIC-ICS published two control system security advisories for products from SystemK and MachineSense.

Advisories

SystemK Advisory - This advisory describes a command injection vulnerability in the SystemK network video recorders.

MachineSense Advisory - This advisory describes six vulnerabilities in the MachineSense FeverWarn products.


For more information on these advisories, including a link to exploit code and a discussion of possible expansion of the list of affected products, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-published-1-25-24 - subscription required.

Wednesday, January 24, 2024

Short Takes – 1-24-24

The phases of lunar lander success. SpaceReview.com article. Pull quote: “One guide [to claims for success] comes from the press kit JAXA distributed for SLIM, which set out “success criteria” for the mission. What it calls “minimum” success is to “realize a soft landing on the Moon” and verifying the navigation system as well as performance of the spacecraft in orbit before landing. Unless there were problems with the navigation system, SLIM appears to have achieved minimum success despite the orientation problem (akin to the line about any airplane landing you can walk away from being a good landing.)”

Toxic Substances Control Act Review of CBI Claims for the Identity of Chemicals in the TSCA Inventory; Extension of Review Period. Federal Register EPA extension notice. Summary: “This document announces the extension of the review period for Confidential Business Information (CBI) claims for specific identity of all active chemical substances listed on the confidential portion of the Toxic Substances Control Act (TSCA) Inventory submitted to the EPA under TSCA. EPA has determined that an extension of the statutory review period for the review of CBI claims under TSCA is necessary to allow the Agency to complete the required reviews under TSCA.” Extended review period ends February 19th, 2025.

Agency Information Collection Activities; Proposed eCollection eComments Requested; Report of Theft or Loss-Explosive Materials. Federal Register ATF 30-day ICR notice. Abstract: “Any licensee or permittee who has knowledge of the theft or loss of any explosive materials from his stock shall, within 24 hours of discovery, report the theft or loss by telephoning 1–800–800–3855 (nationwide toll free number) and on the Report of Theft or Loss—Explosives—ATF Form 5400.5, in accordance with the instructions on the form. The information collection (IC) OMB #1140–0026 is being revised to include material changes to the form, such as added categories that include checkboxes (with a description and example scenarios), instruction clarification, and header revision (to include reference to voluntary reporting of explosives recovered or located).” Comments due February 23rd, 2024.

Review - STB Publishes Expedited Relief for Service Emergencies Final Rule

Today, the Surface Transportation Board published a final rule in the Federal Register (89 FR 4564-4579) for: “Revisions to Regulations for Expedited Relief for Service Emergencies”. The notice of proposed rulemaking for this rule was published on May 2nd, 2022. This final rule amends 49 CFR 1146, Expedited Relief for Service Emergencies.

This rule changes the process by which “affected shippers or railroads may seek accelerated temporary interim relief under 49 U.S.C. 11123(a) for substantial, measurable deterioration or other demonstrated inadequacy in rail service provided by the incumbent carrier that presents potential imminent significant harm and threatens potentially severe adverse consequences to the petitioner, its customers, or the public.”

The effective date for the rule is February 23rd, 2024.


For more details on this final rule, including links to STB response to comments on NPRM, and a brief listing of changes made as a result of those comments, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/stb-publishes-expedited-relief-for - subscription required.

OMB Disapproves New BIS Cyber Enabled Activities ICR

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that the DOC’s Bureau of Industry and Security (BIS) improperly submitted an emergency information collection request (ICR) for “Taking Additional Steps To Address the National Emergency With Respect To Significant Malicious Cyber-Enabled Activities”. While there is nothing in yesterday's notice that explains why the emergency ICR was disapproved, it looks like OIRA objected to the use of an emergency request instead of the normal publish-and-public-comment process required for ICRs.

The supporting document that BIS submitted to OIRA mentions a notice of proposed rulemaking on the same topic as the justification for the ICR. This is the notice of proposed rulemaking that OMB approved last week. And the letter requesting emergency approval of the ICR notes that BIS intends to publish that NPRM on Friday, noting that there will be a 90-day comment period on that NPRM. Typically, NPRMs contain the initial 60-day ICR notice required for any new or revised ICRs needed to support agency actions under that proposed rule. It looks like OIRA is expecting BIS to follow that procedure instead of using the emergency ICR approval process.

Tuesday, January 23, 2024

Short Takes – 1-23-24

Cyber Provisions in the FY2024 NDAA. LawfareMedia.org article. Pull quote: “The NDAA includes at least one new express grant of authority for military cyber operations. Section 1505 authorizes the secretary of defense to “conduct detection, monitoring, and other operations in cyberspace to counter Mexican transnational criminal organizations” engaged in illegal activities “that cross the southern border of the United States,” including drug smuggling, human trafficking, and weapons sales. The military may act in coordination with other federal agencies—likely the Drug Enforcement Administration and the Department of Homeland Security—and should do so “in consultation with the Government of Mexico as appropriate.” This new authorization builds on a long-standing law tapping the Defense Department to be the lead agency in monitoring and detecting aerial and maritime transit of illegal drugs into the United States and a much more recent grant of authority to conduct military cyber activities “when appropriately authorized to do so.””

What the Navy is learning from its fight in the Red Sea. MilitaryTimes.com article. Pull quote: ““[I have] no idea what specific doctrine our ships are using in the Red Sea, but you generally train to use multiple missiles per engagement,” Holmes said. “If it’s an SM-2 engagement … the latest variant of the SM-2 seems to run about $2.4 million per round, so you’re talking just under $5 million to bring down what is probably an inexpensive threat. And again, weapons expended in the Red Sea are weapons not available in the primary theater, East Asia, and are not quickly replaced.””

Zeno Power teams up with Westinghouse on radioisotopes for nuclear power system. GeekWire.com article. Pull quote: “Radioisotope power systems that convert heat into electricity for off-grid power have been used for decades — for example, for space missions ranging from the Apollo moonshots to the Curiosity rover mission to Mars and the New Horizons mission to Pluto. Those systems have typically used plutonium-238, but Zeno is working on systems that make use of other radioisotopes such as strontium-90.”

Sierra Space tests full-scale inflatable module. SpaceNews.com article. Pull quote: “[Large Integrated Flexible Environment] LIFE is designed to fit within a five-meter payload fairing at launch and then inflate once in orbit. When fully expanded, the module will have a volume of 300 cubic meters, about one third the habitable volume of the International Space Station. Sierra Space has proposed a larger version of LIFE, designed to fit into a seven-meter payload fairing, with a volume of 1,400 cubic meters.”

Red Sea shipping attacks are impacting the chemical industry. ChemistryWorld.com article. Pull quote: “Tom Brown, a chemicals expert and chief news correspondent for the energy and chemicals consulting firm ICIS, tells Chemistry World that pricing for some chemicals and products are starting to increase, especially in markets like Europe that are very reliant on imports of feedstocks or on the material itself.”

President's Cup Cybersecurity Competition. PresidentsCup.CISA.gov announcement. Pull quote: “Established in response to Executive Order 13870 [link added], the President's Cup Cybersecurity Competition is a national cyber competition aiming to identify, recognize, and reward the best cybersecurity talent in the federal executive workforce. Hosting challenges from across the National Initiative for Cybersecurity Education (NICE) Cybersecurity Framework, competitors will face a diverse array of challenges and will require an extensive skill set to succeed.”

Towards Achieving a Better Understanding of the Nation’s Defenses. RealClearDefense.com commentary. Pull quote: “Senators and Representatives in turn must forgo the temptation to focus on issues that impact only their states and districts and instead relentlessly probe DoD witnesses for answers about military preparedness writ large. They must be prepared to relentlessly follow-up on answers which are often vague or incomplete. Questioning like this requires extraordinary preparation [emphasis added].”

Scientists are finding signals of long covid in blood. They could lead to new treatments. Pull quote: “The researchers began by looking at levels of more than 6,500 proteins in the blood of 113 people who tested positive for SARS-CoV-2 and 39 people who had never been infected. Six months later, they took new blood samples. By that time, 73 people who had been infected had recovered, and 40 had gone on to develop long covid. Many of the proteins elevated in people with long covid were also elevated in people who had recovered from severe covid. But the markers that were unique to the long covid groups pointed to abnormal activation of the complement system.”

Review – 6 Advisories Published – 1-23-24

Today, CISA’s NCCIC-ICS published five control system security advisories for products from Lantronix, Westermo, Voltronic Power, Crestron, and APsystems, and one medical device security advisory for products from Orthanc.

Advisories

Lantronix Advisory - This advisory describes a weak encoding for passwords vulnerability in the Lantronix XPort Device Server Configuration Manager.

Westermo Advisory - This advisory describes eight vulnerabilities in the Westermo Lynx 206-F2G layer-three industrial Ethernet switch.

Voltronic Advisory - This advisory describes four vulnerabilities in the Voltronic ViewPower Pro Uninterruptible Power Supply (UPS) management software.

APsystems Advisory - This advisory describes an improper access control vulnerability in the APsystems Energy Communication Unit (ECU-C) Power Control Software.

Orthanc Advisory - This advisory describes a cross-site scripting vulnerability in the Orthanc Osimis Web Viewer.


For more details about these advisories, including links to researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/6-advisories-published-1-23-24 - subscription required.

Reader Comment – Continuing Broadcom Conversation

This morning an anonymous reader left a comment on my BIS Cyber-Enabled Activities post that was actually a reply to my last Reader Comment post about 3rd party KEV problems. The commenter makes some good points about advisories and 3rd party vulnerabilities; well worth the effort to read.

Vendors need to realize that people using their software/devices look to their advisories for both information about the scope of the vulnerabilities to use in their risk management processes, as well as information about how to mitigate (short term risk minimization) or fix the vulnerability. In my opinion, Broadcom does not do a good job in either department, but they are hardly the worst of those that I look at in my reporting on ICS vulnerabilities.

Interestingly, some of the most informative ‘advisories’ I have seen are open source software discussions on github sites that frequently include discussions about how the vulnerabilities could be exploited. That may be a tad bit overbroad in the information sharing department, but it is probably helpful to developers using the software to mitigate the problem in their own usages.

Review - CFATS and Chemical Plant Expansions

I was reading an article last week about the expansion of a hydrogen peroxide manufacturing facility in Texas, and I thought about the security implications of such expansions, the need for an updated security plan and security planning for the construction process. That inevitably brought me back to thinking about the problems the Senate imposed on chemical manufacturers by not reauthorizing the Chemical Facility Anti-Terrorism Standards (CFATS) program last July. If the CFATS program were still up and functioning, CISA would be a partner in the security planning process for the expanding facility.

These are just some of the chemical security issues that the Senate caused by their failure to take up and approve HR 4470, the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2023, that was passed in the House by a vote of 409 to 1. The Senate can solve these problems by passing HR 4470. The longer they wait, the longer it is going to take CISA to get the program back into smooth operation.


For a more detailed look at the security issues involved in plant expansions, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cfats-and-chemical-plant-expansions - subscription required.

Short Takes – 1-23-24 – Geek Edition

Self-powered sensor automatically harvests magnetic energy. News.MIT.edu article. Pull quote: “The versatile design framework is not limited to sensors that harvest magnetic field energy, and can be applied to those that use other power sources, like vibrations or sunlight. It could be used to build networks of sensors for factories, warehouses, and commercial spaces that cost less to install and maintain.”

Salad in space? New research says it's not a healthy choice. Phys.org article. Really needs confirmation study on ISS. Pull quote: “It wasn't true microgravity, Totsline said, but it did the job to help plants lose their sense of directionality. Ultimately, the researchers discovered that it appears Salmonella can invade leaf tissue more easily under simulated microgravity conditions than it can under typical conditions on Earth.”

Japan hopes sunlight can save stricken Slim Moon lander. BBC.com article. Pull quote: “It's currently "morning" at Slim's landing location on the slopes of Shioli Crater. If, as suspected, the spacecraft's solar cells are pointing westward, then it may have to wait until the "lunar afternoon" before those cells catch enough light to start charging the battery system.”

At last: NASA's complete sample of the 'potentially hazardous' asteroid Bennu is finally freed from its canister. LiveScience.com article. Pull quote: “After landing in the Utah desert on Sept. 24, the OSIRIS-REx capsule was taken to NASA's Johnson Space Center in Houston, where scientists began working on its disassembly. Yet two out of the capsule's 35 fasteners got stuck, meaning that NASA engineers had to design and manufacture two bespoke clamp-like tools from scratch. Made from surgical steel, the tools were used to remove the clasps and crack open the capsule on Jan. 11.”

Turnover and retention: an unspoken cost center affecting space companies. TheSpaceReview.com article. Pull quote: “This is compounded by the fact that most companies are searching for “unicorns”: people with levels of skill and experience that rarely exist, causing them to focus on a tiny pool of candidates. That is a wonderful position for seasoned space professionals who are open to being poached back and forth across the community, but not a model that can be sustained, or one that adds talent to the industry. The cost in time and resources spent chasing the “perfect hire” is significant. There is a better way.” This seems to be a typical tech industry problem.

Here’s What I Learned as the U.S. Government’s UFO Hunter. ScientificAmerican.com article. Pull quote: “AARO thoroughly investigated these claims as part of its congressionally mandated mission to not only technically evaluate contemporary UAP observations but also review historical accounts going back to the 1940s. One of my last acts before retiring was to sign AARO’s Historical Record Report Volume 1, which is currently being prepared for delivery to Congress and the public. The report demonstrates that many of the circulating allegations described above derive from inadvertent or unauthorized disclosures of legitimate U.S. programs or related R&D that have nothing to do with extraterrestrial issues or technology. Some are misrepresentations, and some derive from pure, unsupported beliefs. In many respects, the narrative is a textbook example of circular reporting, with each person relaying what they heard, but the information often ultimately being sourced to the same small group of individuals.”

Bills Introduced – 1-22-24

Yesterday, with the Senate in Washington and the House meeting in pro forma session, there were 25 bills introduced. Three of those bills will receive additional attention in this blog:

HR 7062 To direct the Secretary of Agriculture to periodically assess cybersecurity threats to, and vulnerabilities in, the agriculture and food critical infrastructure sector and to provide recommendations to enhance their security and resilience, to require the Secretary of Agriculture to conduct an annual cross-sector simulation exercise relating to a food-related emergency or disruption, and for other purposes. Finstad, Brad [Rep.-R-MN-1] 

HR 7073 To improve public-private partnerships and increase Federal research, development, and demonstration related to the evolution of next generation pipeline systems, and for other purposes. Weber, Randy K., Sr. [Rep.-R-TX-14]

S 3635 A bill to improve the President's Cup Cybersecurity Competitions. Peters, Gary C. [Sen.-D-MI]

Monday, January 22, 2024

Short Takes – 1-22-24

NASA regains contact with mini-helicopter on Mars. Phys.org article. Pull quote: “The mini rotorcraft, which weighs just four pounds (1.8 kilograms), has far exceeded its original goal of undertaking five flights over 30 days on the red planet. In all, it has covered just over 10 miles (17 kilometers) and reached altitudes of up to 79 feet (24 meters).”

Billions of cicadas will buzz this spring as two broods emerge at the same time. NPR.org article. Pull quote: “While the two broods this spring will mostly be separated by time and place, "they will overlap for several weeks," in Illinois, says Shockley. This overlap could result in some Illinois residents hearing all seven species of the two broods singing their cacophonous mating calls together, he says. Additionally, Shockley says the overlap could result in "an extremely rare opportunity for genetic crossing between 13-year cicadas and 17-year cicadas that could lead to the emergence of a new brood."”

Blue Origin and SpaceX start work on cargo versions of crewed lunar landers. SpaceNews.com article. Pull quote: ““In the last few months, we’ve asked both of our Human Landing System providers, SpaceX and Blue Origin, to begin applying the work they’re doing on the human-rated versions of the landing vehicles to develop a cargo variant that can land large cargo on the surface,” said Amit Kshatriya, deputy associate administrator for the Moon to Mars Program in NASA’s Exploration Systems Mission Development, in a Jan. 9 media call. However, NASA provided no other details about that work at the time, with the briefing focused on the delays to the upcoming Artemis missions.”

Reader Comment – 3rd Party KEVs

Earlier today, an anonymous reader left a comment on Saturday’s Public ICS Disclosure post. The reader questioned my note that the Broadcom advisory contained “vulnerabilities that is listed in the CISA Known Exploited Vulnerabilities Catalog in multiple”. The reader noted that the advisory “states that "No Brocade Fibre Channel Products from Broadcom Products are known to be affected by this vulnerability." so it is also unlikely to be in the CISA KEV list.”

First, the advisory reports that Brocade Fabric OS, Brocade SANnav, and Brocade Support Link products are affected by the vulnerability; the ‘Brocade Fibre Channel’ note is confusing a lot of people. Second, the vulnerability (CVE-2023-4911) is a third-party vulnerability, found in the GNU C Library. As shown below (a clip from the NVD.NIST.gov site for the vulnerability), that vulnerability is listed in CISA’s Known Exploited Vulnerabilities Catalog.

We are starting to see a number of these KEV vulnerabilities being reported as third-party vulnerabilities in vendor advisories. How exposed the downstream product is to a KEV-listed vulnerability depends a great deal on how the original program is utilized and implemented in that product. Even where the product is susceptible to the vulnerability, existing exploits will in most cases need to be revised to work against it.
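As an added example (mine, not the post's and not CISA's code), here is a small Python check that cross-references the CVE IDs in a vendor advisory against a KEV catalog feed, keying on the CVE ID because KEV names the upstream vendor and product (GNU glibc) rather than the downstream product (Brocade Fabric OS). The field names follow the layout of CISA's public KEV JSON feed, but the catalog excerpt, the advisory list, the CVE-2099-* IDs and all dates are constructed sample data.

```python
import json
from datetime import date

# CONSTRUCTED excerpt in the layout of CISA's KEV JSON feed (a practitioner would
# download the real feed and json.load() it). Dates and CVE-2099-* IDs are placeholders;
# only CVE-2023-4911 is a real ID, the glibc vulnerability discussed above.
KEV_SAMPLE = json.dumps({
    "title": "KEV catalog (constructed excerpt)",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2023-4911", "vendorProject": "GNU", "product": "glibc",
         "vulnerabilityName": "GNU C Library Buffer Overflow Vulnerability",
         "dateAdded": "2024-01-01", "dueDate": "2024-01-15"},
        {"cveID": "CVE-2099-00001", "vendorProject": "ExampleCo", "product": "ExampleLib",
         "vulnerabilityName": "Placeholder entry",
         "dateAdded": "2024-01-15", "dueDate": "2024-02-05"},
    ],
})


def load_kev(feed_text: str) -> dict[str, dict]:
    """Index KEV entries by CVE ID, upper-cased so lookups are case-insensitive."""
    catalog = json.loads(feed_text)
    return {entry["cveID"].upper(): entry for entry in catalog["vulnerabilities"]}


def kev_hits(advisory_cves: list[str], kev_index: dict[str, dict], as_of: str) -> list[dict]:
    """Return the advisory's CVEs that are in KEV, earliest due date first.
    KEV records the upstream vendor/product, not the downstream product named in
    the advisory, so the match is on CVE ID alone. `as_of` is an ISO date.
    """
    today = date.fromisoformat(as_of)
    hits = []
    for cve in advisory_cves:
        entry = kev_index.get(cve.strip().upper())
        if entry is None:
            continue  # not in KEV; normal patch cadence applies
        hits.append({
            "cveID": entry["cveID"],
            "upstream": f'{entry["vendorProject"]} {entry["product"]}',
            "dateAdded": entry["dateAdded"],
            "dueDate": entry["dueDate"],
            # KEV due dates bind federal civilian agencies (BOD 22-01); for others they are a priority signal
            "overdue": date.fromisoformat(entry["dueDate"]) < today,
        })
    return sorted(hits, key=lambda h: h["dueDate"])


if __name__ == "__main__":
    # Constructed advisory CVE list modelled on a third-party glibc advisory.
    advisory = ["CVE-2023-4911", "cve-2099-00001", "CVE-2099-00002"]
    for hit in kev_hits(advisory, load_kev(KEV_SAMPLE), "2024-01-22"):
        print(hit)
```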
