Thursday, February 29, 2024

Short Takes – 2-29-24

Di-isodecyl Phthalate (DIDP) and Di-isononyl Phthalate (DINP); Draft Risk Evaluations; Science Advisory Committee on Chemicals (SACC) Peer Review; Request for Nominations of ad hoc Expert Reviewers. Federal Register EPA notice. Summary: “The Environmental Protection Agency (EPA) is seeking public nominations of scientific and technical experts that EPA can consider for service as ad hoc reviewers assisting the Science Advisory Committee on Chemicals (SACC) with the peer review of the Agency's evaluation of the risks from di-isodecyl phthalate (DIDP) and di-isononyl phthalate (DINP) being conducted to inform risk management decisions under the Toxic Substances Control Act (TSCA). To facilitate nominations, this document provides information about the SACC, the intended topic for the planned peer review, the expertise sought for this peer review, instructions for submitting nominations to EPA, and the Agency's plan for selecting the ad hoc reviewers for this peer review. EPA is planning to convene a virtual public meeting of the SACC in the summer of 2024 to review the draft risk evaluations.”

Winter 2024 CISA SBOM-a-Rama. Federal Register CISA meeting notice. Summary: “CISA will facilitate a public event to build on existing community-led work around Software Bill of Materials (SBOM) on specific SBOM topics. The goal of this meeting is to help the broader software and security community understand the current state of SBOM and what efforts have been made by different parts of the SBOM community, including CISA-facilitated, community-led work and other activity from sectors and governments.” Meeting date February 29th, 2024. Not much advance notice (SIGH).

The era of cheap helium is over—and that’s already causing problems. TechnologyReview.com article. Pull quote: “He also predicted the US would use up much of its known helium reserves by the turn of the century. But the US still has enough helium in natural-gas reservoirs to last 150 more years, according to a recent USGS analysis.”

The Mysterious Case of the Missing Trump Trial Ransomware Leak. Wired.com article. Pull quote: “There remain other theories, however, that Lockbit might still possess the court's data but is seeking to use it in some other way. “They generally don't lie about victims, because they're so worried about their reputation,” says Jon DiMaggio, the ransomware-focused chief security strategist at cybersecurity firm Analyst1. He notes that the decision to take down the leak threat may have been the decision of the “affiliate” hackers who partner with LockBit to penetrate victims like Fulton County and may have different motivations from LockBit itself.”

Why concerns over the sustainability of carbon removal are growing. TechnologyReview.com article. Pull quote: “In a report last summer, the venture capital firm DCVC said that all of the approaches it evaluated faced “multiple feasibility constraints.” It noted that carbon-sucking direct-air-capture factories are particularly expensive, charging customers hundreds of dollars per ton.”

Can non-profits beat antibiotic resistance and soaring drug costs? Nature.com article. Pull quote: “But, by funding the registration and launch of drugs in countries that cannot afford to pay commercial prices for them, both the DNDi and the GARDP are effectively providing pull incentives — which is something that these organizations can afford to do because, as non-profits with external funders, they do not need to earn the level of income that a company would require. That means they are providing a model not only for how much-needed drugs can be rescued in the development process, but also for how companies can be supported when their compounds are released onto the market.”

Private Moon lander is dying — it scored some wins for science. Pull quote: “But during that last-minute manoeuvre, mission controllers forgot to update part of an algorithm — so Odysseus touched down around 1.5 kilometres from its planned landing site and pitched onto its side. The landscape where it ended up was much rougher than anticipated, so “we hit harder and sort of skidded along the way”, says Steve Altemus, chief executive of Intuitive Machines. Odysseus broke at least one of its six legs, causing it to slowly tip over and rest at an angle of about 30 degrees relative to the lunar surface.”

NASA, SpaceX Test Starship Lunar Lander Docking System. NASA.gov article. Pull quote: “This dynamic testing demonstrated that the Starship system could perform a “soft capture” while in the active docking role. When two spacecraft dock, one vehicle assumes an active “chaser” role while the other is in a passive “target” role. To perform a soft capture, the soft capture system (SCS) of the active docking system is extended while the passive system on the other spacecraft remains retracted. Latches and other mechanisms on the active docking system SCS attach to the passive system, allowing the two spacecraft to dock.”

Senate Passes HR 7463 – Short Term CR

This evening the Senate took up HR 7463, the Extension of Continuing Appropriations and Other Matters Act, 2024, that was passed earlier today in the House. The Senate passed the bill by a bipartisan vote of 77 to 13. All but one of the ten Senators who did not vote were Republicans. The bill goes to the President, who is expected to sign it tomorrow, well before the current spending deadline.

TheHill.com is reporting that:

“House GOP leadership confirmed Thursday that bill text for the first package of six bills will come out over the weekend, as top appropriators have indicated negotiators are close to wrapping up loose ends on the forthcoming minibus.”


House Passes HR 7463 – FY 2024 Short Term CR

This afternoon the House took up HR 7463, the Extension of Continuing Appropriations and Other Matters Act, 2024, under the suspension of the rules process. After 35 minutes of debate a recorded vote was demanded. After pausing to take care of other business, the vote was held, and the CR passed by a bipartisan vote of 320 to 99. The Republican vote was 113 to 97. The bill now heads to the Senate. It will have to be signed by the President before midnight Friday, or there will be a partial government shutdown.

Review – 2 Advisories Published – 2-29-24

Today, CISA’s NCCIC-ICS published a control system security advisory for products from Delta Electronics and a medical device security advisory for products from MicroDicom.

Advisories

Delta Advisory - This advisory describes a stack-based buffer overflow vulnerability in the Delta CNCSoft-B product.

MicroDicom Advisory - This advisory describes two vulnerabilities in the MicroDicom DICOM Viewer.

 

For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-published-2-29-24 - subscription required.

Review - CISA Publishes KEV Submission 60-day ICR Notice

Today, CISA published a 60-day information collection request notice in the Federal Register (89 FR 14896-14897) for “Actively Exploited Vulnerability Submission Form”. The dedicated form on the CISA website will allow for external reporting of vulnerabilities that the reporting entity believes to be eligible for listing in the Known Exploited Vulnerabilities (KEV) catalog.

Public Comments

CISA is soliciting public comments on this ICR. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket #CISA-2024-0008). Comments should be submitted by April 29th, 2024.

Commentary

There are two things missing from this ICR notice. First is any reference to Binding Operational Directive 22-01, which establishes the purpose of the KEV catalog. Second, and probably more important for public consideration of the ICR for the purposes of comments, is a listing of the criteria that CISA uses to evaluate a vulnerability for listing in the KEV catalog.

The more important thing that catches my attention, however, is that CISA is expecting to receive 2,725 submissions each year proposing vulnerabilities for listing in the KEV catalog. With only 1,082 vulnerabilities currently listed (since the catalog was started in 2021), CISA looks to be greatly expanding the size of this catalog.

 

For more details about this ICR notice, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cisa-publishes-kev-submission-60 - subscription required.

FDA Sends New Premarket Cybersecurity Guidance Notice to OMB

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice from the Food and Drug Administration (FDA) on “Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the Federal Food, Drug, and Cosmetic Act; Draft Guidance for Industry and Food and Drug Administration Staff; Availability”. Such notices are not normally published in the Unified Agenda, so we have no indication of what this new guidance may contain other than that it almost certainly deals with medical device cybersecurity.

Bills Introduced – 2-28-24

Yesterday, with the House and Senate in session, there were 29 bills introduced. One of those bills will receive additional attention here:

HR 7463 Extension of Continuing Appropriations and Other Matters Act, 2024 Granger, Kay [Rep.-R-TX-12] 

HR 7463 will move tomorrow’s deadline for four spending bills to the following Friday and move the deadline for the remaining spending bills from next Friday to March 22nd, 2024. This is a relatively clean CR in that the only other provision has to do with changes in the Free Application for Federal Student Aid (FAFSA) program.

Mention in Passing

I would like to mention an interesting bill introduced yesterday in the Senate:

S 3819 A bill to direct the Federal Trade Commission to issue regulations to establish shrinkflation as an unfair or deceptive act or practice, and for other purposes. Casey, Robert P., Jr. [Sen.-D-PA]

While I personally find the process of reducing package size as an alternative to price increases to be a dubious business practice, as it readily becomes apparent to most consumers after the first purchase, I do not think that it rises to the level of concern that it should become a federal crime. Its negative effect on brand loyalty should be punishment enough.

Of course, I doubt that either Casey or his staff really intend for this bill to become law, but its introduction sure makes for good publicity. Maybe Congress should make such legislative efforts illegal campaign practices. 

Wednesday, February 28, 2024

Short Takes – 2-28-24

How a Right-Wing Controversy Could Sabotage US Election Security. Wired.com article. Pull quote: “CISA’s relationships with Republican secretaries are “not as strong as they’ve been before,” says John Merrill, who served as Alabama’s secretary of state from 2015 to 2023. In part, Merrill says, that’s because of pressure from the GOP base. “Too many conservative Republican secretaries are not just concerned about how the interaction with those federal agencies is going, but also about how it’s perceived … by their constituents.””

Varda’s drug-cooking Winnebago will be remembered as a space pioneer. ArsTechnica.com article. Pretty comprehensive article about the issues Varda faced. This might be a good mission for an X-37B spaceplane type vehicle. Pull quote: “The FAA's commercial space office is responsible for licensing commercial launch and reentry operations, with a primary interest in ensuring that these activities don't endanger the public. But FAA air traffic controllers had to find a time to clear a broad swath of airspace around the trajectory of Varda's descending space capsule. The FAA's temporary flight restriction for Varda's reentry was unusually large, particularly for such a small spacecraft, stretching more than 400 miles (700 kilometers) long and 60 miles (100 kilometers) wide from southern Montana to western Utah.”

Odysseus Sends Moon Landing Photos Home With Time Running Out. NYTimes.com article (free). Pull quote: “Intuitive Machines said that Odysseus was also able to detect nine safe landing sites within the south pole region, information that could prove useful for future missions as NASA and other space agencies look to explore that region. Frozen water in the shadows of craters there could one day provide crucial resources for astronauts.”

Formaldehyde; Draft Risk Evaluation Peer Review by the Science Advisory Committee on Chemicals (SACC); Request for Comments on Experts Being Considered for Participation as Ad Hoc Peer Reviewers. Federal Register EPA request for comments. Summary: “The Environmental Protection Agency (EPA) is announcing the availability of and soliciting public comments on the list of candidates under consideration for selection as ad hoc peer reviewers assisting the Science Advisory Committee on Chemicals (SACC) with their peer review of the Agency's evaluation of the risks from formaldehyde being conducted to inform risk management decisions under the Toxic Substances Control Act (TSCA). The list of candidates provides the names and biographical sketches of all interested and available candidates identified from the responses to the call for nominations and other sources. Public comments on these candidates will be used to assist the Agency in selecting approximately 10–15 ad hoc peer reviewers to assist the SACC with the identified peer review.”

Congressional leaders strike deal to avert shutdown this week. TheHill.com article. Short term CR. Pull quote: ““I understand that we’re not going to get all the riders, but I’m hoping that there are maybe a couple that we can get some wins out,” Rep. Robert Aderholt (R-Ala.), the spending cardinal for the subcommittee that crafts funding for the departments of Labor and Health and Human Services, said on Wednesday.”

Committee Hearings – Week of 2-25-24

This week, with both the House and Senate back in Washington, there is a very light hearing schedule (only one day of hearings in the House). There is one cybersecurity hearing in the House.

Cybersecurity

On Thursday the Subcommittee on Transportation and Maritime Security of the House Homeland Security Committee will hold a hearing on “Port Cybersecurity: The Insidious Threat to U.S. Maritime Ports”. The witness list includes:

Rear Admiral Wayne R. Arguin Jr., CG,

Rear Admiral John Vann, CG,

Rear Admiral Derek Trinque, CG, and

Christa Brzozowski, DHS

The recent Executive Order on maritime cybersecurity is certain to be a topic.

On the Floor

With the first spending bill deadline approaching at the end of the week, all eyes will be watching the Hill to see if some sort of spending bill actually makes it to the President’s desk before Friday midnight. There has still not been an announcement of a compromise spending bill being ready to come to the floor. It is looking increasingly like another CR will be required if a partial shutdown is to be averted.

OMB Approves PHMSA HM Security Plan ICR Revision

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a revision of an existing information collection request from DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) on “Hazardous Materials Security Plans”. During an otherwise routine renewal request for the ICR, PHMSA reduced the burden estimate to reflect changes in the number of expected security plans caused by the cancellation of approval to ship liquified natural gas by rail. This resulted in a reduction in the number of expected responses by 8 and in the burden estimate by 680 hours.

OMB Approves BIS ANPRM on IT-Communications Services Supply Chain Rule Update

Yesterday, the OMB’s Office of Information and Regulatory Affairs announced that it had approved an advance notice of proposed rulemaking (ANPRM) from the DOC’s Bureau of Industry and Security on “Update for 15 CFR Part 7”. This rulemaking was not listed in the Fall 2023 Unified Agenda.

This Part of the Commerce and Foreign Trade regulations deals with “Securing the Information And Communications Technology and Services Supply Chain”. It will be interesting to see what changes to these regulations BIS is considering. This might not be a topic that will be covered here in this blog.

The ANPRM should be published in the next week or so.

Tuesday, February 27, 2024

Short Takes – 2-27-24

Unmanaged third-party access threatens OT environments. HelpNetSecurity.com article. Pull quote: “73% of organizations permit third-party access to OT environments, with an average of 77 third parties per organization granted such access. Challenges to securing third-party access include preventing unauthorized access (44%), aligning IT and OT security priorities (43%), and giving users too much privileged access (35%).” NOTE: No source given for data.

F-35: The Part-Time Fighter Jet. POGO.org article. Pull quote: “Fortunately, such a yardstick does exist. It is the full mission capable rate, or the percentage of aircraft available to perform all the assigned missions. The testing director said the full mission capable rate standard is “a better evaluation of combat readiness” for the F-35 program. When this higher standard is applied to the F-35 fleet, the magnitude of the program’s failure becomes clear: DOT&E reports the full mission capable rate for the F-35 fleet was 30% in 2023.”

Senate GOP fears Speaker Johnson headed toward shutdown wreck. TheHill.com article. Pull quote: “Lawmakers face another deadline to fund the rest of government on March 8 and don’t appear to be close to reaching a deal on funding the Pentagon and the departments of Homeland Security, Labor and Health and Human Services — which traditionally draw more controversy.”

Congress barrels toward shutdown: 4 scenarios. TheHill.com article. Pull quote: ““If you think over the next week — or two weeks, or a month — that the United States Congress, House and Senate is going to be able to agree on 12 spending bills, you’ve been dipping into your ketamine stash,” he [Sen Kennedy (R,LA)] added.”

How record February heat is priming the US for crop-wrecking ‘whiplash’. TheHill.com article. Pull quote: “But more heat in the southern ocean is creating a windier jet stream, which “is like one of those figure skaters hitting a crack in the ice.” As the skater stumbles, their arms flail out behind them — “and it’s the same thing with the polar vortex. As they are hit by the energy coming from the jet stream down below, their circulation slows down, and you get more outbreaks.”” Caveat: “While it’s impossible to make any predictions more than two weeks out, the risk of this kind of “weather whiplash” is increasing, Cohen said.”

S&T Tests Cutting-Edge Counter-Drone Technology. DHS.gov article. Pull quote: “"The mission of the OSU Counter-UAS Center of Excellence is to work with both government and industry to provide assessments of UAS threats and evaluate the effectiveness of mitigation systems and their capability to detect, identify, and deter drone attacks both at home and abroad,” said Dr. Jamey Jacob, Executive Director of OAIRE. “This test provides a penultimate example of how universities can help both parties to provide the best value for the taxpayer.””

Chlorine is a highly useful chemical that's also extremely dangerous − here's what to know about staying safe around it. AkronLegalNews.com editorial. Pull quote: “A yellow-green gas at room temperature, chlorine is highly reactive, which means that it readily forms compounds with many other chemicals. These reactions often are very intense. Chlorine reacts explosively or forms explosive compounds with many common substances, including hydrogen, turpentine and ammonia.”

China to increase protections against hacking for key industries. Reuters.com article.  Pull quote: “"In response to frequent risk scenarios such as ransomware attacks, vulnerability backdoors, illegal operations by personnel, and uncontrolled remote operation and maintenance, we will strengthen risk self-examination and self-correction, and adopt precise management and protective measures," according to the plan, published on MIIT's [Ministry of Industry and Information Technology] website.”

A bureaucratic printer jam holds up a major Biden climate rule. Politico.com article. Pull quote: “Publication in the government journal — which includes rules, notices and executive orders — triggers when rules take effect. It also kicks off a timeline that allows Congress to unravel rules — a process that environmental advocates worry a second Trump administration could use to torpedo Biden regulations in early 2025.”

Notice of President's National Infrastructure Advisory Council Meeting. Federal Register DHS meeting notice. Agenda: “The National Infrastructure Advisory Council will meet in an open session on Wednesday, March 13, 2024, from 11:00 a.m. to 1:00 p.m. EST to discuss NIAC activities. The open session will include: (1) a period for public comment; (2) a keynote address on critical infrastructure security and resilience; (3) Subcommittee updates and member discussion.”

Review - CG Marine Cybersecurity NPRM – Cybersecurity Plan

Last week, the CG published a notice of proposed rulemaking for “Cybersecurity in the Marine Transportation System”. The proposed regulations would update the maritime security regulations by adding regulations specifically focused on establishing minimum cybersecurity requirements for U.S.-flagged vessels, Outer Continental Shelf facilities, and U.S. facilities subject to the Maritime Transportation Security Act of 2002 regulations. This is part of a continuing series of posts on that rulemaking. The earlier posts included:

NPRM Introduction (short version),

Cybersecurity Officer (short version)

This post looks at the requirements for each vessel/facility to have a Cybersecurity Plan.

Before the Cybersecurity Plan is started, each covered vessel or facility is required to conduct a Cybersecurity Assessment. The Cybersecurity Plan is then required to incorporate the results of that Cybersecurity Assessment as well as the cybersecurity measures outlined in the new Subpart F. The Cybersecurity Plan would be marked (and protected) as Sensitive Security Information. The proposed rule would require each Cybersecurity Plan to include 14 specific sections. Once the plan is completed it would be required to be submitted to the Coast Guard official responsible for approving the facility or vessel security plan under the Maritime Transportation Security Act. That official would then approve the plan, request additional information, or disapprove the plan.

Commentary

I am more than a little disappointed in the lack of detail about the requirements for the Cybersecurity Assessment. I understand that the Coast Guard was trying to write it generally enough that it would apply to everyone without burdening anyone with unnecessary requirements. Unfortunately, there are some requirements that should have been included.

First and foremost is the absence of any requirement to define the systems that are to be covered by the Cybersecurity Plan. Before any assessment can be made, the system must be defined by listing all of the electronic components and defining how they are connected to each other and to external communications systems, including the internet, perhaps to include a software bill of materials (SBOM) where available. Additionally, there needs to be a definition of how external communications to and from the system will be controlled or restricted, especially for personally owned devices. To be sure, the controls on those communications would probably be included in the Cybersecurity Plan, but the communications nodes would have to be identified in the assessment.
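To make the point concrete, here is an added example (mine, not text from the Coast Guard NPRM or from this blog) of the kind of system definition the commentary above is asking for: an inventory of electronic components with their network zone, whether an SBOM is on file, and the directed links between them. The component names, zones and links are constructed for illustration only; the two checks that matter are that every link points at something actually in the inventory (an undefined node is exactly the scoping gap an assessment should close) and that every external or personally owned entry point is traced through to the OT components it can reach.

```python
"""Added example: a minimal system-definition inventory for a Cybersecurity
Assessment. Not from the Coast Guard NPRM or the blog; every asset name, zone
and link below is constructed for illustration."""
from collections import deque

# Constructed inventory: each component lists its zone, whether an SBOM is on
# file (None for devices the operator does not control), and the components
# it can initiate communication with (directed links).
INVENTORY = {
    "internet":    {"zone": "external", "sbom": None,  "links": ["vpn-gw"]},
    "crew-phone":  {"zone": "personal", "sbom": None,  "links": ["bridge-wifi"]},
    "vpn-gw":      {"zone": "dmz",      "sbom": True,  "links": ["eng-ws"]},
    "bridge-wifi": {"zone": "it",       "sbom": False, "links": ["eng-ws"]},
    "eng-ws":      {"zone": "it",       "sbom": True,  "links": ["plc-ballast", "historian"]},
    "historian":   {"zone": "ot",       "sbom": False, "links": []},
    "plc-ballast": {"zone": "ot",       "sbom": False, "links": ["hmi-ballast"]},
    "hmi-ballast": {"zone": "ot",       "sbom": True,  "links": []},
}

# Zones that represent communications nodes outside the operator's control.
EXTERNAL_ZONES = {"external", "personal"}


def validate(inventory):
    """Return (source, target) pairs whose target is not in the inventory.
    An empty list means the system boundary is fully defined."""
    missing = []
    for name, comp in inventory.items():
        for target in comp["links"]:
            if target not in inventory:
                missing.append((name, target))
    return missing


def reachable_from(inventory, start):
    """Breadth-first walk over directed links; returns every component
    reachable from `start` (excluding `start` itself)."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in inventory[node]["links"]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def external_entry_paths(inventory):
    """Map each external/personal node to the sorted OT components it can
    reach. These are the communications nodes an assessment must identify."""
    exposure = {}
    for name, comp in inventory.items():
        if comp["zone"] in EXTERNAL_ZONES:
            ot = sorted(n for n in reachable_from(inventory, name)
                        if inventory[n]["zone"] == "ot")
            if ot:
                exposure[name] = ot
    return exposure


def missing_sboms(inventory):
    """Operator-controlled components with no SBOM on file."""
    return sorted(n for n, c in inventory.items()
                  if c["zone"] not in EXTERNAL_ZONES and not c["sbom"])


if __name__ == "__main__":
    print("undefined link targets:", validate(INVENTORY))
    for src, targets in external_entry_paths(INVENTORY).items():
        print(f"{src} can reach OT: {', '.join(targets)}")
    print("no SBOM on file:", ", ".join(missing_sboms(INVENTORY)))
```

Run as written, the constructed inventory validates cleanly, both the internet (via the VPN gateway) and a crew member's personal phone (via the bridge Wi-Fi) turn out to reach the ballast PLC, and three operator-controlled components have no SBOM on file. The personal-device path is the one the commentary singles out: it only shows up because the phone was listed as a component in the first place.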


For more details about the proposed regulatory requirements for Cybersecurity Plans, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cg-marine-cybersecurity-nprm-9c8 - subscription required.

Review – 2 Advisories Published – 2-27-24

Today, CISA’s NCCIC-ICS published a control system security advisory for products from Mitsubishi Electric and a medical device security advisory for products from Santesoft.

Advisories

Mitsubishi Advisory - This advisory describes an insufficient resource pool vulnerability in the Mitsubishi MELSEC iQ-F Series compact control platform.

Santesoft Advisory - This advisory describes an out-of-bounds read vulnerability in the Santesoft Sante DICOM viewer.

 

For more details about these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-published-2-27-24 - subscription required.

OMB Approves FERC’s CEII Data Request ICR Revision

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a revision request for the Federal Energy Regulatory Commission’s (FERC’s) information collection request (ICR) on “Critical Energy/Electric Infrastructure [CEII] Information Data Request”. The ICR burden was revised downward based upon the recent history of such requests.

The abstract for the announcement notes that:

“In accordance with section 215A(d) of the Federal Power Act and 18 CFR 388.113, this collection of information provides that persons may seek Critical Energy/Electric Infrastructure Information (CEII). To receive CEII, they must show they have a legitimate need for such information, and they must submit a non-disclosure agreement that decreases the likelihood that such information could be used to plan or execute terrorist attacks.”

FERC is one of those agencies that actually periodically updates its ICR requests to reflect recent historical data (which in my opinion all agencies should do for all ICRs). This ICR has been in place since 2002, and the table below is a quick look at the changes in its burden estimates over that time.

 

Year   # of Responses   Burden (hrs)
2002   200              50
2005   182              46
2008   200              60
2020   100              30
2023    50              15

Monday, February 26, 2024

Short Takes – 2-26-24

Japan Moon lander revives after lunar night. Phys.org article. Pull quote: “It [JAXA] said that communications were "terminated after a short time, as it was still lunar midday and the temperature of the communication equipment was very high."”

Guest comment: Deja vu, all over again. ProgressiveRailroading.com commentary. By Robert Primus, STB Boardmember. Pull quote: “They [unnamed activist investors] say they want to move forward but have chosen individuals who have strong ties to PSR. If they succeed in returning the company to the old slash-and-burn strategy, recent history may repeat itself in unfortunate ways. Doing so would also invite additional scrutiny from Congress and federal regulators, who may prefer to increase regulatory intervention rather than watch the same story play out again.”

What the Pentagon has learned from two years of war in Ukraine. WashingtonPost.com article. Pull quote: “The war remains an active and bountiful research opportunity for American military planners as they look to the future, officials say. A classified year-long study on the lessons learned from both sides of the bloody campaign will help inform the next National Defense Strategy, a sweeping document that aligns the Pentagon’s myriad priorities. The 20 officers who led the project examined five areas: ground maneuver, air power, information warfare, sustaining and growing forces and long range fire capability.”

Stunning Comet Could Photobomb This April’s Total Solar Eclipse. ScientificAmerican.com article. Pull quote: “And Comet 12P will make its closest approach to the sun on April 21—less than two weeks after the total solar eclipse. The timing means that the comet will appear about 25 degrees away from the sun during totality. (Your clenched fist held at arm’s length can be used to measure about 10 degrees across in the sky.)”

Science Fiction Meets Reality: New Technique Overcome Obstructed Views. HomelandSecurityNewswire.com article. Pull quote: “As published in Nature Communications, Czajkowski and Murray-Bruce’s research is the first-of-its-kind to successfully reconstruct a hidden scene in 3D using an ordinary digital camera. The algorithm works by using information from the photo of faint shadows cast on nearby surfaces to create a high-quality reconstruction of the scene. While it is more technical for the average person, it could have broad applications.”

Transportation Chemical Incidents – Week of 2-15-24

Reporting Background – See this post for explanation.

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

NOTE: I normally report on this on Saturdays, but the PHMSA database was under maintenance this weekend.

Incidents Summary

Number of incidents – 41 (33 highway, 7 air, 1 rail)

Serious incidents – 1 (1 Bulk release, 0 injuries, 0 deaths, 0 major artery closed)

Largest container involved – Railcar (Fuel Oil) about 1-quart leaked from improperly closed manway.

Largest amount spilled – 330-gallons (Flammable Liquid, N.O.S.) from 330-gallon IBC due to forklift strike.

Most Interesting Chemical: Lithium hydroxide (LiOH). White corrosive powder. Lithium hydroxide is used in the manufacture of alkyd resins and for the production of lithium salts. It is also used as a sorbent for carbon dioxide, especially in spacesuits.



Review - S 3732 Introduced – AI Environmental Impacts

Earlier this month, Sen Markey (D,MA) introduced S 3732, the Artificial Intelligence Environmental Impacts Act of 2024. The bill would require the EPA to conduct a study on the environmental impacts of artificial intelligence. It would then require the National Institute of Standards and Technology (NIST) to convene a consortium “to identify the future measurements, methodologies, standards, and other appropriate needs, in order to measure and report the full range of environmental impacts of artificial intelligence”. No new funding is authorized by this legislation.

Moving Forward

Markey and one of his five cosponsors {Sen Welch (D,VT)} are members of the Senate Commerce, Science, and Transportation Committee to which this bill was assigned for consideration. This means that there may be sufficient influence to see the bill considered in Committee. With no funding and no regulatory requirements, I see nothing in this bill that would engender any organized opposition. I suspect that the bill would receive some level of bipartisan support were it considered. As with most bills introduced in the Senate, this bill is not politically important enough to take up the Senate’s time for consideration under regular order. I doubt that it would be a candidate for consideration under the unanimous consent process, as it would draw the ire of a small number of Republicans who are almost knee-jerk opposed to any environmental legislation.

Commentary

I noted in an earlier blog post on this bill:

“Section 2, Findings, of that draft lays out the type of effects that Markey, et al, expect to find in the reports required in the bill. While those concerns seem to be legitimate and should be substantiated and quantified by the reports, it is clear from the bill’s language that the AI concerns are really more appropriately concerns about the operation of large server farms regardless of the focus of the individual facilities.”

Singling out one type of server farm, one that is already under the political microscope, is political grandstanding. If this is a legitimate effort to look at the environmental effects of large server farms, then it should not matter whether they are in the service of AI, crypto mining, or a social media backbone; they all have an environmental effect that may need to be regulated. The study and measurement system development would go a long way toward determining whether regulation is necessary.

 

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-3732-introduce - subscription required.

Saturday, February 24, 2024

Short Takes – 2-24-24

Odysseus moon lander is tipped over — but sending data. CosmicLog.com article. Pull quote: ““In normal software development for spacecraft, this is the kind of thing that would have taken a month of writing down the math, cross-checking it with your colleagues, doing some simple calculations to prove the theory by putting it into a simulation, running that simulation 10,000 times evaluating performance,” Crain said. “Our team basically did that in an hour and a half. And it worked.””

The New Hot Climate Investment Is Heat Itself. WSJ.com article. Pull quote: “Heat-battery startups say they can cheaply store days worth of renewable energy with a different approach. To charge, Antora’s batteries run renewable electricity through an element comparable to a toaster coil to warm up the blocks. The company settled on the carbon blocks because they can store heat for a long time, and actually get better at storing energy as they get hotter. That allows them to maintain high temperatures for long periods when heat or steam needs to be used.”

Information Collection Requirement; Defense Federal Acquisition Regulation Supplement; Assessing Contractor Implementation of Cybersecurity Requirements. Federal Register DAR 60-day ICR renewal. ICR need statement: “The collection of information is necessary for DoD to assess where vulnerabilities exist in its supply chain and take steps to correct such deficiencies. In addition, the collection of information is necessary to ensure Defense Industrial Base (DIB) contractors that have not fully implemented the National Institute of Standards and Technology (NIST) Special Publication (SP) 800–171 security requirements pursuant to the clause at DFARS 252.204–7012 begin correcting these deficiencies immediately.” ICR comments due by April 26th, 2024.

Dual Use Foundation Artificial Intelligence Models With Widely Available Model Weights. Federal Register NTIA request for comments. Summary: “On October 30, 2023, President Biden issued an Executive order on “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence,” which directed the Secretary of Commerce, acting through the Assistant Secretary of Commerce for Communications and Information, and in consultation with the Secretary of State, to conduct a public consultation process and issue a report on the potential risks, benefits, other implications, and appropriate policy and regulatory approaches to dual-use foundation models for which the model weights are widely available. Pursuant to that Executive order, the National Telecommunications and Information Administration (NTIA) hereby issues this Request for Comment on these issues. Responses received will be used to submit a report to the President on the potential benefits, risks, and implications of dual-use foundation models for which the model weights are widely available, as well as policy and regulatory recommendations pertaining to those models.” Comments due by March 27th, 2024.

Chemical Weapons Watchdog Blames Islamic State for 2015 Syria Attack. USNews.com article. Pull quote: “There were "reasonable grounds to believe that on 1 September 2015, during sustained attacks aimed at capturing the town of Marea, units of ISIL deployed sulfur mustard," the organisation said.”

History repeats? Why Chinese companies are establishing private armies. FirstPost.com article. Pull quote: “The People’s Armed Forces are expected to be available for missions like support during wartime, operations during national disasters and helping maintain social order, according to a report by CNN. Another report by FT says that these private armies carry out civil defence activities and contribute to military recruitment, promotion and training.”

A New Startup Wants to Turn the Sugar You Eat Into Fiber. Wired.com article. Just what we need, an excuse to eat more sugar (SIGH). Pull quote: “The enzyme Zya is developing comes from a family called inulosucrases, and is naturally made by a strain of bacteria found in the human microbiome that’s capable of converting sugar to fiber in the gut environment. This enzyme acts on sugar before it can be broken down and absorbed by the body. It works by rearranging sugar molecules into inulin fiber, a type of soluble fiber found in plants such as chicory root that fosters the growth of beneficial gut bacteria.”

Chemical Incident Reporting – Week of 2-10-24

NOTE: See here for series background.

Port Huron – 2-5-24

Local news reports: Here, here, and here.

Explosion at an oil pumping station killed one and injured another.

CSB Reportable

San Francisco, CA – 2-18-24

Local news reports: Here, here, and here.

Apartment refrigerant leak caused hazmat response. Three people treated on scene.

Pull quote: “Refrigerant chemical leaks, usually from HVAC units or refrigerators, can be poisonous — they can cause headaches, coughing, respiratory trouble, dizziness, nausea, or even mild burns if skin gets direct contact.”

Not CSB reportable; no serious injuries, no serious damage.

Review – Public ICS Disclosures – Week of 2-17-24

This week we have 13 vendor disclosures from ADS-TEC Industrial IT, B&R, Elecom (2), Hitachi, HP, HPE, Palo Alto Networks, Sierra Wireless, VMware (2), WAGO, and Zyxel. There are two vendor updates from Cisco and Elecom. There are also 14 researcher reports for products from Imaging Data Commons, Inductive Automation, Sante, SourceForge (8), and Weston (3). Finally, we have three exploits for products from Mayurik (2) and QNAP.

Advisories

ADS-TEC Advisory - CERT-VDE published an advisory that discusses an exposure of resource to wrong sphere vulnerability in multiple ADS-TEC DVG-IRF industrial routers.

B&R Advisory - B&R published an advisory that describes an insufficient communication encryption vulnerability in their Automation Studio and Technology Guarding products.

Elecom Advisory #1 - JP CERT published an advisory that describes two vulnerabilities in the Elecom wireless LAN routers.

Elecom Advisory #2 - JP CERT published an advisory that describes an OS command injection vulnerability in the Elecom wireless LAN routers.

Hitachi Advisory - Hitachi published an advisory that describes an EL injection vulnerability in their Global Link Manager.

HP Advisory - HP published an advisory that discusses a service location protocol vulnerability (listed in CISA’s Known Exploited Vulnerability (KEV) Catalog) in their Tera2 Zero Client and Remote Workstation Card.

HPE Advisory - HPE published an advisory that discusses the generation of error message containing sensitive information vulnerability in their IceWall products.

Palo Alto Networks Advisory - Palo Alto Networks published an advisory that discusses the Leaky-Vessels vulnerabilities.

Sierra Wireless Advisory - Sierra Wireless published an advisory that discusses three vulnerabilities in their EM919x and EM929x cellular modules.

VMware Advisory #1 - VMware published an advisory that describes a privilege escalation vulnerability in their Aria Operations product.

VMware Advisory #2 - VMware published an advisory that describes two vulnerabilities in their deprecated VMware Enhanced Authentication Plug-in.

WAGO Advisory - CERT-VDE published an advisory that discusses the Terrapin-Attack vulnerability.

Zyxel Advisory - Zyxel published an advisory that describes four vulnerabilities in their firewall and AP products.

Updates

Cisco Update - Cisco published an update for their cURL and libcurl vulnerability advisory that was originally published on October 11th, 2023 and most recently updated on November 8th, 2023.

Elecom Update - JP-CERT published an update for their ELECOM and LOGITEC network devices advisory that was originally published on October 5th, 2020 and most recently updated on January 23rd, 2024.

Researcher Reports

Imaging Data Commons Report - Cisco Talos published a report describing two use-after-free vulnerabilities in the Imaging Data Commons libdicom.

Inductive Automation Report - The Zero Day Initiative published two reports for individual vulnerabilities in the Inductive Automation Ignition product.

Sante Report - ZDI published a report describing an improper input validation vulnerability in the Sante PACS Server.

SourceForge Reports - Cisco Talos published eight reports describing individual vulnerabilities in the SourceForge Biosig Project.

Weston Reports - Cisco Talos published three reports describing four vulnerabilities in the Weston Embedded product.

Exploits

Mayurik Exploit #1 - Nu11secur1ty published an exploit for an SQL injection vulnerability in the Mayurik Best Petrol Pump Management Software.

Mayurik Exploit #2 - SoSPiro published an exploit for a remote shell upload vulnerability in the Mayurik Best Petrol Pump Management Software.

QNAP Exploit - Spencer McIntyre published a Metasploit module for an OS command injection vulnerability in the QNAP QTS and QuTS hero products.

 

For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-1cf - subscription required.

Bills Introduced – 2-23-24

Yesterday, with the House and Senate meeting in pro forma session, there were 27 bills introduced. One of those bills will receive additional coverage in this blog:

HR 7447 To amend the Help America Vote Act of 2002 to require the Election Assistance Commission to provide for the conduct of penetration testing as part of the testing and certification of voting systems and to provide for the establishment of an Independent Security Testing and Coordinated Vulnerability Disclosure Pilot Program for Election Systems. Spanberger, Abigail Davis [Rep.-D-VA-7] 

Mention in Passing

Periodically, it looks like a legislative topic will strike the interest of multiple congressional staffs at the same time, resulting in multiple bills addressing the same topic. Normally, the legislative topic is a partisan issue with members wishing to make a political statement, but periodically an issue comes up that crosses party lines. Yesterday, one such bipartisan issue apparently struck a chord in the House: transnational repression. Three bills were introduced on the topic:

HR 7433 To amend the Homeland Security Act of 2002 to establish a transnational repression hotline and conduct a transnational repression public service announcement campaign, and for other purposes. D'Esposito, Anthony [Rep.-R-NY-4]

HR 7439 To amend the Homeland Security Act of 2002 to require the Secretary of Homeland Security to prioritize strengthening of State and local law enforcement capabilities to combat transnational repression and related terrorism threats, and for other purposes. Magaziner, Seth [Rep.-D-RI-2] 

HR 7443 To authorize a dedicated transnational repression office within the Department of Homeland Security's Homeland Security Investigations to analyze and monitor transnational repression and related terrorism threats and require Homeland Security Investigations to take actions to prevent transnational repression. Pfluger, August [Rep.-R-TX-11]

Friday, February 23, 2024

Short Takes – 2-23-24

GOP shutdown fears grow: ‘We could be in a world of hurt’. TheHill.com article. Pull quote: ““Appropriations bills being the key issue of just basic job performance … It’s like showing up to work on time and passing your drug test. It’s like that basic level. It’s not saying you’re competent or good or anything else,” McHenry told CBS. “But we’ve done a terrible job with that.””

Issuance of Maritime Security (MARSEC) Directive 105-4; Cyber Risk Management Actions for Ship-to-Shore Cranes Manufactured by People's Republic of China Companies. Federal Register CG notice of availability. Summary: “The Coast Guard announces the availability of Maritime Security (MARSEC) Directive 105–4, which provides cyber risk management actions for owners or operators of ship-to-shore (STS) cranes manufactured by People's Republic of China (PRC) companies (PRC-manufactured STS cranes). The directive contains security-sensitive information and, therefore, cannot be made available to the general public [emphasis added]. Owners or operators of PRC-manufactured STS cranes should immediately contact their local Coast Guard Captain of the Port (COTP) or District Commander for a copy of MARSEC Directive 105–4.”

Moon landing: US clinches first touchdown in 50 years. Reuters.com article. Pull quote: “A host of small landers like Odysseus are expected to pave the way under NASA's Commercial Lunar Payload Services (CLPS) program, designed to deliver instruments and hardware to the moon at lower costs than the U.S. space agency's traditional method of building and launching those vehicles itself.”

A little US company makes history by landing on the Moon. Arstechnica.com article. Pull quote: “The space agency believes that private companies will eventually get the hang of flying vehicles to the Moon. And once the service becomes more routine, it will cost NASA a fraction of the price it would pay for traditionally developed lunar services. In essence, then, NASA is taking some short-term risks for some long-term gains. It looks like one of those risks paid off Thursday.”

Seven Sukhois In Five Days. Ukraine’s Patriot Missile Crews Are Shooting Down Russian Jets Faster Than Ever. Forbes.com article. Pull quote: “Losing Avdiivka lit a fire under the Ukrainian air force. Where before, it was more cautious about deploying some of its Patriot quad-launchers—around 26 of which it got as donations from Germany, The Netherlands and the United States—near the front line, today the air force is more aggressive.”

US tracking high altitude balloon over Midwest. TheHill.com article. Pull quote: ““NORAD will continue to track and monitor the balloon. The FAA also determined the balloon posed no hazard to flight safety,” officials said in a statement. “NORAD remains in close coordination with the FAA to ensure flight safety.””

Review - CG Marine Cybersecurity NPRM – Cybersecurity Officer

Yesterday, the CG published a notice of proposed rulemaking for “Cybersecurity in the Marine Transportation System”. The proposed regulations would update the maritime security regulations by adding regulations specifically focused on establishing minimum cybersecurity requirements for U.S.-flagged vessels, Outer Continental Shelf facilities, and U.S. facilities subject to the Maritime Transportation Security Act of 2002 regulations. This is the second in a series of posts about the provisions of that rule.

Owner Responsibilities

Section 106.620 provides that the owner-operator of any covered vessel or facility has primary responsibility for the implementation of the requirements of this new Subpart F. One of the enumerated responsibilities in §106.620(b) is the requirement to designate in writing the Cybersecurity Officer (CySO) for each covered vessel or facility. Subparagraph (b)(3) requires that the CySO be “accessible to the Coast Guard 24 hours a day, 7 days a week”. It also requires that the appointment document specify how the CG can contact the CySO.

Cybersecurity Officer

Section 106.625 spells out the requirements and responsibilities of the Cybersecurity Officer. In the preamble to the rule, the CG notes that there is broad latitude on who may be appointed to this role. Paragraph (d) lists the specific responsibilities of the CySO for ‘each vessel, facility, or OCS facility for which they are designated’. Paragraph (e) outlines the qualifications for Cybersecurity Officers.

 

For more details about the requirements for the Cybersecurity Officer, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cg-marine-cybersecurity-nprm - subscription required.

Thursday, February 22, 2024

Short Takes – 2-22-24

CISA ready to take CDM program into the world of OT. FederalNewsNetwork interview. Pull quote: ““From an asset management perspective, it’s starting to tackle those or continuing to tackle those other asset classes. The path and timeline will vary as you think across those different assets in terms of what that’s going to look like. But our objective is the same for all which is to have parity in terms of visibility,” he said. “Fundamentally, these devices are not radically different than some of our traditional endpoints. But there’s a much greater breadth of implementation and quirkiness, if you will, to some of these devices. We are now evaluating some of those products that have been introduced into the market in the past few years that are a little bit more purpose built and tuned for dealing with sensing on IoT devices. With traditional endpoints, it’s more straightforward where we can do things like deploy an agent, and that agent can run locally on that device to sense all of the needs and report back. With IoT, and with some of these other things that we need to report on and ensure we have visibility to in the network, that’s a little bit more like remote sensing, and so there’s some technical nuance there that we’re trying to isolate through the use of maybe some purpose built tools.””

Freedom Caucus pushes Speaker Johnson for full-year CR in absence of policy concessions. TheHill.com article. Pull quote: ““With the expiration of government funding rapidly approaching, negotiations continue behind closed doors and as a result, we anticipate text for likely omnibus legislation that we fear will be released at the latest moment before being rushed to the floor for a vote,” the caucus stated in the letter. “House Republicans should not be left in the dark on the status of the spending levels and hard-fought policy provisions.””

US lacks long-term sustainment plan for key Ukraine weapons, Pentagon watchdog says. Defenseone.com article. Pull quote: “Another problem: It would be very difficult for the U.S. to replace the Patriot systems it gave to Ukraine, the report said. All the Patriot systems given to Ukraine came from U.S. training grounds, and more requests would be “painful” to fulfill, a Defense Department official said in the report.”

Vast seeks to bid on future ISS private astronaut missions. SpaceNews.com article. Pull quote: “Vast is first developing a human-tended single-module station, called Haven-1, that will launch on a Falcon 9. It will be visited by one or more crews on SpaceX Crew Dragon spacecraft. Haot said that the Haven-1 program is fully funded for launch. “It’s launching at the end of next year,” he said. “The challenge is mostly execution.””

Review - CG Publishes Marine Cybersecurity NPRM

Today, the Coast Guard published a notice of proposed rulemaking in the Federal Register (89 FR 13404-13514) on “Cybersecurity in the Marine Transportation System”. The proposed regulations would update the maritime security regulations by adding regulations specifically focused on establishing minimum cybersecurity requirements for U.S.-flagged vessels, Outer Continental Shelf facilities, and U.S. facilities subject to the Maritime Transportation Security Act of 2002 regulations. The proposed changes would add a new Subpart F, Cybersecurity, to 33 CFR 101, Maritime Security.

Public Comments

The Coast Guard is soliciting public comments on the NPRM. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # USCG-2022-0802). Comments should be submitted by April 22nd, 2024.

 

For more details about the provisions of the proposed rule, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cg-publishes-marine-cybersecurity - subscription required.

Review – 1 Advisory Published – 2-22-24

Today, CISA’s NCCIC-ICS published a control system security advisory for products from Delta Electronics.

Advisories

Delta Advisory - This advisory describes an uncontrolled search path vulnerability in the Delta CNCSoft-B DOPSoft products.

 

For more information about this advisory, as well as a brief look at the latest addition to CISA’s Known Exploited Vulnerabilities Catalog, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-published-2-22-24 - subscription required.

  

Short Takes – 2-22-24 – Space Geek Edition

Varda Space, Rocket Lab nail first-of-its-kind spacecraft landing in Utah. TechCrunch.com article. Pull quote: “The first-of-its-kind reentry and landing is also a major win for Rocket Lab, which partnered with Varda on the mission. Rocket Lab hosted Varda’s manufacturing capsule inside its Photon satellite bus; through the course of the mission, Photon provided power, communications, attitude control and other essential operations. At the mission’s conclusion, the bus executed a series of maneuvers and de-orbit burns that put the miniature drug lab on the proper reentry trajectory. The final engine burn was executed shortly after 4 p.m. EST.”

Intuitive Machines, NASA Science Progress Toward Moon Landing. Blogs.NASA.gov blog post. Pull quote: “All powered NASA science instruments on board have completed their transit checkouts, received data, and are operating as expected, including: LN-1 (Lunar Node 1 Navigation Demonstrator), NDL (Navigation Doppler Lidar for Precise Velocity and Range Sensing), RFMG (Radio Frequency Mass Gauge), ROLSES (Radio-wave Observations at the Lunar Surface of the Photoelectron Sheath), SCALPSS (Stereo Cameras for Lunar Plume-Surface Studies). Since the LRA (Laser Retroreflector Array) instrument is a passive experiment designed for the lunar surface, it cannot conduct any operations in transit.”

U.S. Moon Landing: How to Watch and What to Know. NYTimes.com article. Pull quote: “Although it is a private mission, the main customer is NASA, which paid $118 million for the delivery of six instruments to the moon. NASA TV will stream coverage of the landing beginning at 4 p.m. on Thursday.”

Jeff Bezos’s Big Rocket Moves Into View and Closer to Launch. NYTimes.com article (free). Pull quote: “Mr. Limp is not quite as certain that a second New Glenn launch will get off the ground this year. “It’s hard to look around that corner because you are going to learn so much from the first launch,” he said. “I would just say, I’ll be super happy if we get one launch this year, for sure.””

Capturing a comet's tail to keep Earth safe from the sun. Phys.org article. Pull quote: “Comets are sometimes referred to as cosmic 'windsocks' as they can indicate the direction and strength of the solar wind in space, similar to how a windsock shows the direction and strength of the wind. Images of the comet will enable the research team to record data about solar wind conditions local to the comet. If the tail detaches from the comet or appears to wobble, the team can determine there was an increase in solar wind activity nearby.”

ERS-2 reenters Earth’s atmosphere over Pacific Ocean. ESA.int article. Pull quote: “ERS-2’s reentry was ‘natural’. All of its remaining fuel was depleted during deorbiting to reduce the risk of an internal malfunction causing the satellite to break up into pieces while still at an altitude used by active satellites. As a result, it was not possible to control ERS-2 at any point during its reentry and the only force driving its descent was unpredictable atmospheric drag.”

From Southwest Regional Spaceport to Spaceport America. TheSpaceReview.com article. Pull quote: “Spaceport America began as New Mexico’s dream to integrate and promote its space industry to grow the state’s economy. Instead, it got lost in this detour into suborbital space tourism. The best hope for revitalizing the New Mexico space industry and its search for expansion lies in a return to the original vision, operating the spaceport as the flagship of an integrated New Mexico strategy for space rather than as an isolated facility lost in the vastness of the Jornada del Muerto.”

Under pressure -- space exploration in our time. ScienceDaily.com commentary. Pull quote: “Hanlon explains why protecting historic sites on the Moon and elsewhere in space not only preserves the past, but also provides a vital foundation for the future. Hanlon explores the gaps in space law and, in particular, she asks, "What are the differing obligations space law imposes on scientific and commercial activities, as well as governmental and private actors." Hanlon anticipates that space law, ethics, policy, and treaties will take on an increasingly higher strategic priority as nations seek to avoid potential conflicts.”

CSB Publishes Marathon Renewables Update – 2-21-24

Yesterday, the Chemical Safety Board published an update about their ongoing investigation of a fire that occurred in November during the startup of the Marathon Renewables Facility in Martinez, California. The update provides a description of the events that occurred that night and points at a possible proximate cause of the incident. The investigation is ongoing.

This investigation is one of two that the Board currently has in progress.

OMB Approves EPA Worst Case Discharge Final Rule

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rule for the EPA’s “Clean Water Act Hazardous Substance Facility Response Plans”. The final rule was sent to OMB on October 11th, 2023. The notice of proposed rulemaking was published on March 28th, 2022.

According to the Fall 2023 Unified Agenda entry for this rulemaking:

“The Clean Water Act (CWA) provides that regulations shall be issued "which require an owner or operator of a tank vessel or facility ... to prepare and submit ... a plan for responding, to the maximum extent practicable, to a worst-case discharge, and to a substantial threat of such a discharge, of … a hazardous substance." EPA was sued for failure to fulfill this mandatory duty imposed by Congress. This regulatory action is being conducted under the terms of a consent decree entered into on March 12, 2020, which requires that a proposed action is signed within 24 months of the final agreement and that a final action follow within 30 months of the publication of the proposed rule. Subsequently, the Environmental Protection Agency proposed a regulatory action to require planning for worst case discharges of CWA hazardous substances under section 311(j)(5)(A). EPA plans to promulgate a final rule by Spring 2024 to meet the terms of the Consent Decree.”

The final rule should be published in the Federal Register next week.

FAR Semiconductor ANPRM Sent to OMB

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received an advance notice of proposed rulemaking (ANPRM) for “Federal Acquisition Regulation (FAR); FAR Case 2023-008, Prohibition on Certain Semiconductor Products and Services”.

According to the Fall 2023 Unified Agenda entry for this rulemaking:

“This rule will prohibit agencies from: (1) procuring or obtaining, or extending or renewing a contract to procure or obtain, any electronic parts, products, or services that include covered semiconductor products or services; or (2) entering into a contract, or extending or renewing a contract, with an entity to procure or obtain electronic parts or products that include covered semiconductor products or services.  This rule is issued pursuant to section 5949(a) of the National Defense Authorization Act for Fiscal Year 2023 [PL 117-263].”

Wednesday, February 21, 2024

Short Takes – 2-21-24

Why Bloat Is Still Software’s Biggest Vulnerability. Spectrum.IEEE.com article. Pull quote: “Another problem is that we often don’t know what code we are actually shipping. Software has gotten huge. In 1995 Niklaus Wirth lamented that software had grown to megabytes in size. In his article “A Plea for Lean Software,” he went on to describe his Oberon operating system, which was only 200 kilobytes, including an editor and a compiler. There are now projects that have more than 200 KB for their configuration files alone.”

White House announces new actions to mitigate cybersecurity threats at US ports. TheHill.com article. Pull quote: “First, President Biden will sign an executive order that will bolster the Department of Homeland Security’s authority to address maritime cyber threats, Anne Neuberger, deputy national security adviser for cyber and emerging technology, announced.”

Commercial spaceship set for lunar touchdown, in test for US industry. Phys.org article. Pull quote: “The company plans to run a live stream on its website, with flight controllers expected to confirm landing around 15 seconds after the milestone is achieved, because of the time it takes for radio signals to return.”

Posting of Informational Video: Cybersecurity Maturity Model Certification (CMMC) Program. Federal Register DOD notice of availability. Summary: “The Office of the Department of Defense Chief Information Officer (DoD CIO) has released an informational video to provide the public with an overview of the proposed rule for DoD's updated Cybersecurity Maturity Model Certification (CMMC) Program, which was published in the Federal Register on December 26, 2023 for public comment. The proposed rule establishes requirements for a comprehensive and scalable assessment mechanism to ensure defense contractors and subcontractors have, as part of the CMMC Program, implemented required existing security requirements for Federal Contract Information and Controlled Unclassified Information (CUI) and adds new CUI security requirements for certain priority programs. This document announces that a video file containing an overview briefing of the CMMC proposed rule, presented by leadership and staff from the Office of the DoD Deputy CIO for Cybersecurity, was posted on the internet on February 14, 2024.”

Advisory Committee for Cyberinfrastructure; Notice of Meeting. Federal Register NSF meeting notice. Summary: “The final meeting agenda and instructions to register and attend the meeting will be posted on the ACCI website: https://www.nsf.gov/​cise/​oac/​advisory.jsp.”

NASA’s New Horizons Detects Dusty Hints of an Extended Kuiper Belt. Pluto.JHUAPL.edu article. Pull quote: “These readings come as New Horizons scientists, using observatories like the Japanese Subaru Telescope in Hawaii, have also discovered a number of KBOs far beyond the traditional outer edge of the Kuiper Belt. This outer edge (where the density of objects starts to decline) was thought to be at about 50 AU, but new evidence suggests the belt may extend to 80 AU, or farther.”

Review - EPA Publishes TSCA Fees Final Rule

Today, the EPA published a final rule in the Federal Register (89 FR 12961-12979) for “Fees for the Administration of the Toxic Substances Control Act (TSCA)”. The notice of proposed rulemaking for this action was published on January 11th, 2021. A supplemental NPRM was published on November 16th, 2022. The effective date for today’s rule is April 22nd, 2024. This makes the required periodic adjustment of fees collected to support the EPA’s TSCA program.

 

For more details about the fee changes and the supporting TSCA cost data, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/epa-publishes-tsca-fees-final-rule - subscription required.

Review - CSB Updates Status on 7 Recommendations – 2-21-24

Yesterday, the Chemical Safety Board updated their ‘Recent Recommendation Status Updates’ page to reflect changes in the status of seven accident-investigation recommendations. All seven recommendations were from the Husky Energy Superior Refinery Explosion and Fire investigation and applied to recommendations made to the current owner of the refinery, Cenovus Superior Refinery. The recommendations were updated on February 16th, 2024. After these updates, there are 164 remaining open recommendations.


For more details about the corrective actions that led to these changes, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-updates-status-on-7-recommendations-5ff - subscription required.

Tuesday, February 20, 2024

Short Takes – 2-20-24

Toxic Brucine-Laced Letters Spark Alarm in Brussels Government Offices. BNNBreaking.com article. Purple prose lives. Pull quote: “The day unfolded with an ordinary rhythm until the ordinary turned ominous. Employees at the Palais de Justice, among Brussels' most iconic buildings, were the first to encounter the hazardous letters. Their discovery prompted an immediate response, drawing in specialists to contend with the potential danger. As the news spread, similar findings were reported at the office of Belgium's Justice Minister and the State Security Building. Each letter carried the same deadly cargo: brucine, a white powder known for its toxicity. The substance, dangerous when ingested, became the centerpiece of a mystery that had law enforcement and the public on edge. Despite the alarm, authorities were quick to clarify that skin contact with brucine posed no immediate danger, a small relief amidst the growing concern.”

Giant, invasive Joro spiders with 6-foot webs could be poised to take over US cities, scientists warn. LiveScience.com article. Click-bait title, but interesting. Pull quote: “It is unclear what long-term effects Joro spiders will have on the ecosystems they invade. Last year, researchers revealed that the spiders are unusually shy and non-aggressive toward other spiders. However, without a natural predator seeking them out, their numbers will likely continue to rise, which could help them outcompete other species for resources.”

Can Astronomers Use Radar to Spot a Cataclysmic Asteroid? NewsWise.com article. Pull quote: “How does ground-based astronomical radar expand our understanding of the Universe? By allowing us to study our nearby Solar System, and everything in it, in unprecedented detail. Radar can reveal the surface and ancient geology of planets and their moons, letting us trace their evolution. It can also determine the location, size, and speed of potentially hazardous Near Earth Objects, like comets or asteroids. Advances in astronomical radar are opening new avenues, renewed investment, and interest in joint industry and scientific community collaborations as a multidisciplinary venture.”

Russia Threatens Moldova With ‘Military Scenario’ Over Transnistria. BalkanInsight.com article. Pull quote: “Meanwhile, the Institute for the Study of War, ISW, a US non-profit, has issued an analysis that says the Kremlin is preparing a hybrid operation in Moldova, similar to the one it used before its invasions of Ukraine in 2014 and in 2022, which could justify a possible escalation of the conflict in the region.”

Chemical Plants, Terrorism and Regulations May Be Back on the Agenda. SEJ.org article. Pull quote: ““These companies can reduce their holding or change the concentrations or opt for a safer alternative and get out of the regulatory system,” Murray said. “When CFATS was in operation, we had conversations every day about this, but we left it to the companies to make those decisions.””

Assessing the Need for New Regulatory Standards for Automatic and Remote-Control Shutoff Valves on Existing Liquid and Gas Transmission Pipelines. NationalAcademies.org press release. Pull quote: “The report says the varying conditions and circumstances of existing pipeline systems mean that retroactive installations of rupture mitigation valves can differ greatly in feasibility, complexity, cost, and the benefits they confer. For these reasons, a broad-based requirement for rupture mitigation valves on existing pipelines is not currently advisable. The report offers recommendations for the Pipeline and Hazardous Materials Safety Agency aimed at bolstering the use of quantitative models for evaluating risk, improving integrity management and verification processes, and increasing the body of technical guidance for industry.” Report: Ensuring Timely Pipeline Shutdowns in Emergencies: When to Install Rupture Mitigation Valves.

Starliner’s first crewed test flight a step closer after crucial upgrade. DigitalTrends.com article. Pull quote: ““Data analysis shows the two-parachute test … was a success, and all test objectives were met, clearing the way for the Crew Flight Test,” Boeing Space said in a post on social media, adding that the enhanced parachute design “improves the system’s soft links, reinforces its main parachute suspension, and strengthens its radial line,” compared to the previous iteration.”

The search for extraterrestrial life is targeting Jupiter’s icy moon Europa. TechnologyReview.com article. Pull quote: “Pappalardo has been at the forefront of efforts to send a craft to Europa for more than two decades. Now his hope is finally coming to fruition: later this year, NASA plans to launch Europa Clipper, the largest-­ever craft designed to visit another planet. The $5 billion mission, scheduled to reach Jupiter in 2030, will spend four years analyzing this moon to determine whether it could support life. It will be joined after two years by the European Space Agency’s Juice, which launched last year and is similarly designed to look for habitable conditions, not only on Europa but also on other mysterious Jovian moons.”

FCC Proposes Licensing Framework for In-Space Servicing, Assembly, and Manufacturing Operations. FCC.gov press release. Pull quote: “ISAM refers to a set of capabilities used on-orbit, on the surface of space objects and celestial bodies, and in transit. The “servicing” aspect of ISAM includes activities such as the in-space inspection, life extension, repair, refueling, or alteration of a spacecraft after its initial launch. The term “servicing” is also used to describe transport of a spacecraft from one orbit to another, as well as debris collection and removal. “Assembly” refers to the on-orbit construction of a space system using pre-manufactured components, and “manufacturing” is the transformation of raw or recycled materials into components, products, or infrastructure in space.” FCC NPRM.
