Saturday, March 30, 2024

Short Takes – 3-30-24

Water systems short on cyber expertise, state and local officials tell EPA. StateScoop.com article. Pull quote: “At the meeting, Neuberger asked states to share by May 20 cybersecurity plans that include information about how they are working with drinking water and wastewater systems to determine vulnerabilities.”

CISA Community Bulletin April 2024. GovDelivery.com bulletin. ChemLock program notes: “CISA’s ChemLock program recently released several new products: three customizable templates that facilities and organizations can use as part of developing and implementing a facility security plan and two new resource flyers.”

Half of senior staffers in Congress are so fed up that they may quit. WashingtonPost.com article (free). Pull quote: “Slightly more senior Democratic staff members said they were considering leaving because of the GOP’s “heated rhetoric” than did Republican aides when considering Democratic rhetoric. But almost 6 in 10 senior Republican staffers said they were thinking about leaving their jobs because of the actions of “my party.””

NOAA gets dire warning about solar geoengineering. Politico.com article. Pull quote: “If something like that were to happen in the real world, “suppose then the monsoon fails over India and China has a disastrous drought or heat wave,” Bookbinder said. “Who do you think they’re gonna blame? The geopolitical problems that can come if people start doing this on a national scale are beyond imagining.””

Baltimore port crisis: World’s largest container ship company, MSC, dumps diverted cargo problem on U.S. companies. CNBC.com article.  Pull quote: “In an email to customers obtained by CNBC on Thursday, MSC explained that for customer containers already on the water bound for the Port of Baltimore, cargo will be rerouted and discharged at an alternate port where it will be made available for pick-up.”

Industry’s water sustainability crisis. ChemistryWorld.com article. Pull quote: “Today’s energy sector consumes vast amounts of water. Avner Vengosh’s research group at Duke University in North Carolina, US, has worked on the energy–water nexus for some years, exploring a vicious cycle of growing demand. ‘The more modern the society, the more water consumption and withdrawal. And then you need more energy, and more water [and] then you pollute more water.’ Treating wastewater and moving treated water again requires more energy.”

Review – Public ICS Disclosures – Week of 3-23-24 – Part 2

For Part 2 we have eight additional vendor disclosures from SEL, SonicDICOM, Splunk (4), Watchguard, and Wireshark. There are also five vendor updates from ELECOM, Hitachi Energy (3), and HP. We also have three researcher reports for vulnerabilities in products from Hikvision, Kunbus, and Uniview. Finally, we have two exploits for products from Dell and Watchguard.

Advisories

SEL Advisory - SEL published a notification of a new version of their SEL-5813 Backup and Recovery Tool (BaRT) which includes a cybersecurity enhancement.

SonicDICOM Advisory - JP Cert published an advisory that discusses a use after free vulnerability in the SonicDICOM Media Viewer.

Splunk Advisory #1 - Splunk published an advisory that describes an insertion of sensitive information into log files vulnerability in the Debug Log in their Enterprise product.

Splunk Advisory #2 - Splunk published an advisory that describes an improper input validation vulnerability in the Dashboard Examples Hub of their Enterprise product.

Splunk Advisory #3 - Splunk published an advisory that discusses four vulnerabilities in their Enterprise product.

Splunk Advisory #4 - Splunk published an advisory that discusses two vulnerabilities in their Universal Forwarder product.

Watchguard Advisory - Watchguard published an advisory that describes a code injection vulnerability in their AuthPoint Password Manager extension for MacOS Safari.

Wireshark Advisory - Wireshark published an advisory that describes a mismatched memory management routines vulnerability in their T.38 dissector.

Updates

ELECOM Update - ELECOM published an update for their Wireless LAN routers advisory that was originally published on February 20th, 2024.

Hitachi Energy Update #1 - Hitachi Energy published an update for their RTU500 series products advisory that was originally published on December 19th, 2023 and most recently updated on February 27th, 2024.

Hitachi Energy Update #2 - Hitachi Energy published an update for their RTU500 series products advisory that was originally published on November 28th, 2023 and most recently updated on February 27th, 2024.

Hitachi Energy Update #3 - Hitachi Energy published an update for their RTU500 series products advisory that was originally published on April 25th, 2023 and most recently updated on February 27th, 2024.

HP Update - HP published an update for their HP Trusted Platform Module advisory that was originally published on June 8th, 2018.

Researcher Reports

Hikvision Report - IOActive published a report for a classic buffer overflow vulnerability in the Hikvision DS-7732NI-I4(B) network video recorder.

Kunbus Report - IOActive published a report of an off-by-one error vulnerability {that is listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog} in the Kunbus Revolution PI industrial PC.

Uniview Report - SSD-Disclosure published a report for an authentication bypass vulnerability in selected Uniview IP Cameras.

Exploits

Dell Exploit - Amirhossein Bahramizadeh published an exploit for an improper access control vulnerability in the Dell Security Management Server.

WatchGuard Exploit - Charles FOL published a Metasploit module for a buffer overflow vulnerability (that is on CISA’s KEV catalog) in the WatchGuard Firebox and XTM appliances.

 

For more information on these disclosures, including links to 3rd party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-3-ede - subscription required.

CRS Reports – Week of 3-23-24 – Key Bridge Collapse

This week the Congressional Research Service (CRS) published a report on “Baltimore Bridge Collapse: Frequently Asked Questions (FAQ)”. The report provides a brief factual look at the circumstances that surround the incident and its aftermath, but it does not directly address issues related to the cause of the accident.

The FAQ questions addressed include:

Who Owns and Controls the Ship?

How Do Ships Navigate Through Harbors?

How Will Port Traffic Be Affected?

How Will Road Traffic Be Affected?

Has Anything Like This Happened Before?

What Immediate Actions Can the Federal Government Take?

What Is the Federal Government’s Role in Rebuilding the Bridge?

Interestingly, there is no ‘Issues for Congress’ section in this report.


Review – Public ICS Disclosures – Week of 3-23-24 – Part 1

This week we have 14 vendor disclosures from Aruba Networks, Dell, ELECOM (2), Hitachi (2), Hitachi Energy (3), HP, HPE (2), and Keyence (2).

Advisories

Aruba Advisory - Aruba published an advisory that describes a denial-of-service vulnerability in their wired switching products.

Dell Advisory - Dell published an advisory that discusses nine vulnerabilities (including one on CISA’s Known Exploited Vulnerabilities Catalog) in their Cyber Sense security product.

ELECOM Advisory #1 - JP-CERT published an advisory that describes three vulnerabilities in the ELECOM WRC-X3200GST3-B and WRC-G01-W wireless routers.

ELECOM Advisory #2 - JP-CERT published an advisory that describes two vulnerabilities in multiple ELECOM wireless routers.

Hitachi Advisories #1 - Hitachi published an advisory that discusses 39 vulnerabilities in their Disk Array Systems.

Hitachi Advisory #2 - Hitachi published an advisory that describes an insertion of sensitive information in log files vulnerability in their Disk Array Systems.

Hitachi Energy Advisory #1 - Hitachi Energy published an advisory that describes two vulnerabilities in their MACH SCM product.

Hitachi Energy Advisory #2 - Hitachi Energy published an advisory that describes two unrestricted upload of file with dangerous type vulnerabilities in their RTU500 series products.

Hitachi Energy Advisory #3 - Hitachi Energy published an advisory that describes an improper authentication vulnerability in their Asset Suite 9 product.

HP Advisory - HPE published an advisory that describes an arbitrary code execution vulnerability in multiple Desk Jet Printers.

HPE Advisory #1 - HPE published an advisory that describes a denial of service vulnerability in their IceWall products.

HPE Advisory #2 - HPE published an advisory that discusses a privilege escalation vulnerability in their StoreEasy Servers.

Keyence Advisory #1 - Keyence published an advisory that describes two vulnerabilities in their R REPLAY KV and STUDIO KV products.

Keyence Advisory #2 - Keyence published an advisory that describes a DLL search path vulnerability in their VT STUDIO product.

 

For more information on these advisories, including links to 3rd party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-3-2c5 - subscription required. 

Bills Introduced – 3-29-24

Yesterday, with the House meeting in pro forma session, there were 25 bills introduced. One of those bills will receive additional attention in this blog:

HJ Res 123 Providing for congressional disapproval under chapter 8 of title 5, United States Code, of the rule submitted by the Environmental Protection Agency relating to "Accidental Release Prevention Requirements: Risk Management Programs Under the Clean Air Act; Safer Communities by Chemical Accident Prevention". Crenshaw, Dan [Rep.-R-TX-2]

While this bill may have a chance of passage in the House, it is unlikely to do so in the Senate. In any case there would not be enough votes in either house to overcome the expected presidential veto.

Mention in Passing

I would like to mention one bill in passing:

H.R.7846 To prohibit Federal personnel charged with certain criminal offenses from receiving classified information, and for other purposes. Sherrill, Mikie [Rep.-D-NJ-11]

According to a press release from Rep Sherrill’s office:

The GUARD Act would prohibit access to classified information to individuals charged or convicted of a covered criminal offense, including: obstructing an official proceeding, unlawful retention of national defense information, the unlawful disclosure or improper handling of classified information, acting as a foreign agent [emphasis added], or compromising the national security of the United States. 

While the press release makes it clear that the legislation is targeted at former President Trump, the inclusion of the ‘acting as a foreign agent’ language would also include Sen Menendez (D,NJ) within the scope of the prohibition.

Needless to say, this bill will not be going anywhere in the Republican “controlled” House. Even if that control were to slip for a couple of weeks with additional Republican resignations, the ‘foreign agent language’ would make it difficult to pass in the Senate.

Friday, March 29, 2024

Short Takes – 3-29-24

Homeland Security’s CWMD unit loses 10% of staff, faces continued attrition concerns. FederalNewsNetwork.com article. Pull quote: ““The end of CFATS authorization has, in my opinion, affected our chemical readiness with regard to identifying threats that would be in chemical facilities,” Callahan said. “CFATS and CWMD are siblings. And they work together closely and we are missing them in this whole of government thread.””

Plan to resuscitate beleaguered vulnerability database draws criticism. CyberScoop.com article. Pull quote: ““They weren’t able to analyze all CVEs before the slowdown, so I hope the consortium can help them get to 100% coverage,” he said via email. “We don’t have new data we can share, but what we are seeing essentially maps to public reporting about the number of CVEs left unanalyzed. We understand that NIST is aware of the problem and the concerns — and is working diligently to modernize NVD.” 

Armor: New American M10 Tank. StrategyPage.com article. Pull quote: “Before the M10 was developed, M1 tanks would supply artillery support for the infantry using their limited number of high-explosive shells. The M1 normally carries some 120mm armor piercing anti-tank shells plus a variable number of 120mm high-explosive shells for infantry support. The main function of the M1 is destruction of enemy tanks and other vehicles. The M10 is designed to supply infantry support more effectively than the M1 and allow the M1s to concentrate on their anti-tank and anti-vehicle role.”

Rare meningitis and bloodstream infections on the rise in the US, CDC warns. LiveScience.com article. Pull quote: “Meningococcal disease most often manifests as meningitis, an infection of the membranes over the brain and spinal cord. However, 64% of people infected with ST-1466 instead had bloodstream infections, and about 4% had septic arthritis, an infection of the joints and surrounding fluid. Doctors should be aware that individuals with these manifestations might not show any telltale signs of meningitis — like headache, stiff neck or altered mental status — but may show other symptoms, such as a purple rash, fever and rapid breathing, in the case of bloodstream infection.”

NASA’s New Asteroid Sample Is Already Rewriting Solar System History. ScientificAmerican.com article. Pull quote: “Mathis wants to use Bennu to explore the boundary between chemistry and biology. “There are some molecules that are so complex that only life could have made them,” he says, offering vitamin B12 as an example. He isn’t expecting anyone to find anything like that in the sample. But he wants to find out which molecules can be made by both life and abiotic chemistry and which can only be made by life. “Where should that transition be?””

Ever Larger Cargo Ships Threaten Bridges, Ports and Other Structures. ScientificAmerican.com article. Pull quote: “Barriers called fenders and dolphins are commonly placed in port channels to protect bridges and other infrastructure from ship strikes. Dolphins, depending on their design, can reduce the force of a ship strike on a bridge very little or by as much as 60 percent, says structural engineer Bassem Andrawes of the University of Illinois at Urbana-Champaign. But powerful, sufficiently large ships “can climb over” dolphins, he says, or plow through them. It is not always economically or physically feasible to build barriers large enough to protect port bridges from the biggest ships.”

Reader Question – CIRCIA Comments

Yesterday, a long-time reader asked me if I would be posting about CISA’s Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) notice of proposed rulemaking (NPRM). The question was asked because the Federal Register had ‘published’ the NPRM the day before on their ‘Public Inspection’ page. While normally this page lists the next day’s Federal Register publications, documents published in the ‘Special Filing’ section are published further in advance. In this case the CIRCIA NPRM will be officially published in the Federal Register on April 4th, 2024

I replied to the question: “I am planning to discuss it on April 4th when it is published in the Federal Register because of the link capabilities.” I thought a little more detail might be appreciated.

First off, the early publication on the Public Inspection page does not contain the same information as provided in the Federal Register publication. Regulatory dates are typically calculated from the date of the FR publication and are noted in the PI documents as, for example, “[INSERT DATE 60 DAYS AFTER DATE OF PUBLICATION IN THE FEDERAL REGISTER]”. Additionally, some included tables may not be complete in the PI publication. Finally, there are provisions for agencies to make post PI publication changes before the official publication of the documents.

My personal reason, though, for not typically using the PI version for my blog comments is that there are no provisions in the PI version for links to paragraphs within the document. That is very important in a 417 page document like the CIRCIA NPRM. I really do like providing my readers with direct access to the regulatory language so they can see for themselves whether they agree with my interpretation of what is being said. I can do that with the FR version of the document, I cannot with the PI version.

There are also mechanical (as in writing mechanics) reasons for waiting for the Federal Register version of the NPRM to be published. There are tools available on the Federal Register Documents pages that make it easier to navigate lengthy documents and find supporting information (actual proposed regulatory code, for instance) that makes it less time consuming to prepare my analyses of regulations.

So, yes this is an important rulemaking, and an unofficial 417-page version is available for public perusal. I just do not intend to write an analysis of the NPRM based on that document. I will wait for the April 4th publication of the official version. By the way, the 60-day comment clock starts from that publication.

BTW: That reader also commented that they did not always see my advertorial posts on LinkedIn. I reminded the reader that my Substack newsletter includes an almost daily post citing my recent publications here and other places and that post is available to free subscribers. So if you want to keep up with what I am writing go to CFSN Detailed Analysis and sign up today. You can also follow me on LinkedIn, Mastodon, and TWITTER.com.

OMB Approves EPA’s Final Rule for SOCMI NESHAP Update

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rule from the Environmental Protection Agency for “NSPS for the Synthetic Organic Chemical Manufacturing Industry and NESHAP for the Synthetic Organic Chemical Manufacturing Industry and Group I & II Polymers and Resins Industry”. The final rule was sent to OMB on January 22nd, 2024 and has a court ordered publication date of today (the EPA will miss this deadline). The notice of proposed rulemaking was published on April 25th, 2023.

According to the Fall 2023 Unified Agenda entry for this rulemaking:

“This action will address the agency's technology review under Clean Air Act (CAA) section 112(d)(6) of the National Emission Standards for Hazardous Air Pollutants (NESHAP) for four subparts in 40 CFR part 63 (subparts F, G, H, and I) which are commonly referred to together as the Hazardous Organic NESHAP (HON) and that apply to the Synthetic Organic Chemical Manufacturing Industry (SOCMI) and to equipment leaks from certain non-SOCMI processes. This action will also address the agency's technology review of the NESHAP for two subparts in 40 CFR part 63 (subparts U and W) that apply to the Group I and Group II Polymers and Resins industries. The HON standards were most recently updated when the agency conducted a residual risk and technology review (RTR) on December 21, 2006. Similarly, the Group I and II Polymers and Resins NESHAP were most recently updated when the agency conducted its RTR on December 16, 2008, and April 21, 2011. The HON and Group I and II Polymers and Resins NESHAP contain maximum achievable control technology (MACT) standards for controlling emissions of hazardous air pollutants (HAP) from process vents, storage vessels, transfer operations, heat exchange systems, wastewater streams, and equipment leaks. The HAP emitted from these emission sources include, but are not limited to, ethylene oxide, benzene, 1,3-butadiene, vinyl chloride, ethylene dichloride, methanol, hexane, toluene, xylenes, and chloroprene. The agency also plans to consider risks from the SOCMI source category and from the Neoprene Production source category in the Group I Polymers and Resins NESHAP during its technology review and to ensure the standards continue to provide an ample margin of safety to protect public health. Lastly, this action will also address the agency's review, under CAA section 111(b)(1)(B), of four New Source Performance Standards (NSPS) in 40 CFR part 60 (subparts III, NNN, RRR, and VVa) for emissions of Volatile Organic Compound (VOC) from SOCMI air oxidation unit processes, SOCMI distillation operations, SOCMI reactor processes, and equipment leaks located at SOCMI sources. These subparts were originally promulgated pursuant to section 111(b) of the CAA on June 29,1990 (subparts III and NNN), August 31, 1993 (subpart RRR), and November 16, 2007 (subpart VVa). On April 25, 2023, the EPA published a proposed rulemaking in the Federal Register (see 88 FR 25080) for this action. In addition, the EPA has conducted public outreach activities, including hosting an informational webinar on April 13, 2023, and holding a public hearing on the proposed rulemaking on May 16, 2023.”

This is potentially an important EPA regulatory update for the specialty chemical industry. I do not plan a detailed examination of the rule in this blog, but I do plan to publicize its publication in a Short Takes post.

Thursday, March 28, 2024

Short Takes – 3-28-24

Requests for Comments; Clearance of a Renewed Approval of Information Collection: Unmanned Aircraft Remote Identification Message Elements. Federal Register FAA 30-day ICR renewal notice. Summary: “The collection involves electronic information that is broadcast directly from certain unmanned aircraft, specifically standard remote identification unmanned aircraft and unmanned aircraft equipped with a remote identification broadcast module. The collection of this information in the remote identification message elements is necessary to comply with the FAA's statutory requirement to develop and implement standards for remotely identifying operators and owners of unmanned aircraft. The collection of this information will also provide airspace awareness to enable the FAA, national security agencies, and law enforcement entities to distinguish compliant airspace users from those potentially posing a safety or security risk.” Comment deadline: April 26th, 2024.

Water isn’t normal. ChemistryWorld.com article. Pull quote: “We have worked out innumerable uses (and occasional abuses) of water’s unique properties, but it’s an irony of the universe that one of the most familiar substances in our world is simultaneously such a bizarre chemical outlier. Science shows us that our normal experience is only a tiny slice of reality: we’ve lived our entire lives at the bottom of a gravity well, to the point that it defines our notions of direction – ‘up’ and ‘down’ have no meaning in most of the universe. But thinking of water as the usual sort of liquid is one of our bigger misconceptions.”

HOW DOES TIME WORK ON THE MOON? HackADay.com article. Interesting article, but misses phases of Earth as a lunar time construct. Pull quote: “It’s easy to imagine overlaying local Moon time and a home Earth time zone on a calendar or planning app of some kind. Thus, if you know you’re heading to a given region at Moon midday, local Moon time, you know you’ve got at least 8.125 Earth days of sunlight before you get to the local dark time. Converting between this and the astronaut’s chosen 24-hour home time zone would become a perennial bugbear, but a necessary part of living and working on the Moon.”

Key Bridge Was Also Hit by a Ship in 1980, With Limited Damage. NYTimes.com article (free). Much larger ships provide much larger threat. Pull quote: “Benjamin W. Schafer, a professor of civil and systems engineering at Johns Hopkins University in Baltimore, told Scientific American this week that the accident would most likely hold lessons for protecting bridge support structures from shipping traffic.”

Reestablishment of the Homeland Security Science and Technology Advisory Committee. Federal Register DHS committee charter notice. Summary: “The Secretary of Homeland Security has determined that the reestablishment of the Homeland Security Science and Technology Advisory Committee (HSSTAC) is necessary and in the public interest to support the Department of Homeland Security (DHS) Science and Technology Directorate (S&T) in the performance of its duties.” New charter expires March 3rd, 2026.

Emergency Response Standard. Federal Register OSHA comment extension notice. Summary: “OSHA is extending the period for submitting comments by 45 days to allow stakeholders interested in the NPRM on Emergency Response additional time to review the NPRM and collect information and data necessary for comment.”

Cyber gangs stealing loads from US truckers, double brokering. NewsNationNow.com article. Pull quote: “If a shipper needs a load delivered to a warehouse or store, a scammer intervenes as the middleman and either holds the load for ransom or doesn’t deliver it. It’s significantly impacting the supply chain, trickling down to consumers as they may face price hikes or shortages of essential items such as food, electronics, building supplies and cars.”

Review - EPA Publishes Worst Case Discharge Final Rule

Today the EPA published a final rule in the Federal Register (89 FR 21924-21967) on “Clean Water Act Hazardous Substance Facility Response Plans”. The final rule was approved by OMB’s Office of Information and Regulatory Affairs (OIRA) on February 21st, 2024. The notice of proposed rulemaking was published on March 28th, 2022 (with additional coverage here and here). This rule establishes facility response plan requirements for worst case discharges of Clean Water Act (CWA) hazardous substances for onshore non-transportation-related facilities that could reasonably be expected to cause substantial harm to the environment by discharging a CWA hazardous substance into or on the navigable waters, adjoining shorelines, or exclusive economic zone.

The effective date for the final rule is May 28th, 2024.

 

For more information about this final rule, including a look at the differences between it and it predecessor notice of proposed rulemaking, see my article a CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/epa-publishes-worst-case-discharge-b1f - subscription required.

Wednesday, March 27, 2024

Review - HR 7447 Introduced – Election System Pentests

Last month, Rep Spanberger (D,VA) introduced HR 7447, the Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing (SECURE IT) Act. The bill would amend the Help America Vote Act of 2002, by adding to the existing election system certification system a requirement to conduct 3rd party penetration testing of such systems. It would also establish a voluntary vulnerability disclosure program. No new funding is authorized by the legislation.

Moving Forward

Neither Spanberger nor her two cosponsors {Rep Deluzio (D,PA) and Rep Valadao (R,CA)} are members of the House Administration Committee to which this bill was assigned for primary consideration, nor the House Science, Space, and Technology Committee to which the bill was assigned for secondary consideration. This means that there is practically no chance that the bill will be considered by either committee. I see nothing in the bill that would engender any organized opposition. I suspect that it would receive some level of bipartisan support were it considered.

Commentary

While the term ‘penetration testing’ is used in the legislation, it is never defined. I would suggest using the definition of that term found in NIST 800-95 (pg C-3):

“A method of testing where testers target individual binary components or the application as a whole to determine whether intra or intercomponent vulnerabilities can be exploited to compromise the application, its data, or its environment resources.”

 

For more details about the provisions of this legislation, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-7447-introduced - subscription required.

Tuesday, March 26, 2024

Short Takes – 3-26-24

NY Republican says House could ‘end up having a Speaker Hakeem Jeffries’ as GOP majority narrows. TheHill.com article. Pull quote: “Former Rep. Brian Higgins’ (D-N.Y.) seat is also vacant and will be filled by a special election on April 30. With that seat likely going to a Democrat, the GOP could be left with just a two-seat margin during the month of May.”

Bird flu detected in milk from dairy cows in Texas and Kansas. WashingtonPost.com article. Pull quote: “The infections among cattle pose minimal risk to human food safety or milk supply and prices, officials said. Milk from sick cattle is being diverted or destroyed. Pasteurization — a heating treatment that kills pathogens — is required for milk involved in interstate commerce, greatly reducing the possibility that infected milk enters the food supply, they added.”

National Maritime Security Advisory Committee; Vacancies. Federal Register CG NMSAC notice. Summary: “The U.S. Coast Guard is accepting applications to fill seven vacancies on the National Maritime Security Advisory Committee (Committee). This Committee advises the Secretary of Homeland Security, via the Commandant of the U.S. Coast Guard on matters relating to national maritime security, including on enhancing the sharing of information related to cybersecurity risks that may cause a transportation security incident, between relevant Federal agencies and State, local, and tribal governments; relevant public safety and emergency response agencies; relevant law enforcement and security organizations; maritime industry; port owners and operators; and terminal owners and operators.” Applications to be submitted by May 28th, 2024.

2024 hurricane season conditions 'concerning,' hurricane expert says. WRAL.com article. Pull quote: “Brennan said while NOAA can’t release an official hurricane season forecast yet, the National Hurricane Center is integrating new tools to measure hurricane strength, including a new, unmanned aircraft.”

Starliner’s first commander: Don’t expect perfection on crew test flight. ArsTechnica.com article. Pull quote: “"The expectation from the media should not be perfection," Wilmore said. "This is a test flight. Flying and operating in space is hard. It’s really hard, and we’re going to find some stuff. That’s expected. It’s the first flight where we are integrating the full capabilities of this spacecraft."”

Review - EPA Publishes TSCA Health Data Request NPRM – 3-26-24

Today, the Environmental Protection Agency (EPA) published a notice of proposed rulemaking in the Federal Register (89 FR 20918-20924) on “Certain Existing Chemicals; Request To Submit Unpublished Health and Safety Data Under the Toxic Substances Control Act (TSCA)”. The NPRM would amend 40 CFR 716.21(a), by adding a new paragraph (11) containing 16 new chemicals that would be subject to the health and safety data reporting requirements of §716.

The new chemicals include:

4,4-Methylene bis(2-chloraniline) (CASRN 101–14–4),

4-tert-octylphenol(4-(1,1,3,3-Tetramethylbutyl)-phenol) (CASRN140–66–9),

Acetaldehyde (CASRN75–07–0),

Acrylonitrile (CASRN 107–13–1),

Benzenamine (CASRN 62–53–3),-

Benzene (CASRN 71–43–2),

Bisphenol A (CASRN 80–05–7);

Ethylbenzene (CASRN 100–41–4),

Naphthalene (CASRN 91–20–3),

Vinyl Chloride (CASRN 75–01–4),

Styrene (CASRN 100–42–5),

Tribomomethane (Bromoform) (CASRN 75–25–2),

Triglycidyl isocyanurate; (CASRN 2451–62–9),

Hydrogen fluoride (CARN 7664–39–3),

N-(1,3-Dimethylbutyl)-N′-phenyl-p-phenylenediamine (6PPD) (CASRN 793–24–8), and

2-anilino-5-[(4-methylpentan-2-yl) amino]cyclohexa-2,5-diene-1,4-dione (6PPD-quinone) (CASRN 2754428–18–5).

Public Comments

The EPA is soliciting public comments on the proposed rule. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket No EPA-HQ-OPPT-2023-0360). Comments should be submitted by May 28th, 2024.

 

For more details about the provisions of this NPRM, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/epa-publishes-tsca-health-data-request - subscription required.

Review – 4 Advisories Published – 3-26-24

Today, CISA’s NCCIC-ICS published four control system security advisories for products from Rockwell Automation (3) and AutomationDirect.

Advisories

Rockwell Advisory #1 - This advisory describes a cross-site scripting vulnerability in the Rockwell FactoryTalk View ME HMI software application.

Rockwell Advisory #2 - This advisory describes six vulnerabilities in the Rockwell Arena Simulation Software.

Rockwell Advisory #3 - This advisory describes three vulnerabilities in the Rockwell PowerFlex 527 adjustable frequency AC drives.

AutomationDirect Advisory - This advisory describes three vulnerabilities in the AutomationDirect C-MORE EA9 HMI.

 

For more information about these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-published-3-26-24 - subscription required.

Review - Siemens Publishes Out-of-Band Advisory – 3-26-24

Today, Siemens published an out-of-band advisory for a missing write protection for parametric data values vulnerability in PROFINET products.

For more information about this newly reported vulnerability, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/siemens-publishes-out-of-band-advisory - subscription required.

Monday, March 25, 2024

Short Takes – 3-25-24

Water Utility Cybersecurity, EPA & CISA, and You. SCADAMag.Infracritical.com article. Another important piece of cybersecurity commentary by Jake Brodsky. Pull quote: “In addition, most small water utilities are well-water, not surface water. Well water quality is very consistent and does not usually change much. Surface water utilities, such as from a river or a lake can change more often, but even so, it rarely involves more than a couple changes per shift. Most of the automated systems were run manually just 10 years ago. We automate them to improve consistency and perhaps save chemicals by slowly adjusting dosages as needed over a relatively narrow range.”

Geomagnetic storm from a solar flare could disrupt radio communications and create a striking aurora.  Pull quote: “Satellite operators might have trouble tracking their spacecraft, and power grids could also see some "induced current" in their lines, though nothing they can't handle, he said.”

Cybersecurity Labeling for Internet of Things. Federal Register FCC further notice of proposed rulemaking (FNPRM). Pull quote: “In this FNPRM, we seek comment on additional declarations intended to provide consumers with assurances that the products bearing the FCC IoT Label do not contain hidden vulnerabilities from high-risk countries, that the data collected by the products does not sit within or transit high-risk countries, and that the products cannot be remotely controlled by servers located within high-risk countries. Specifically, we seek comment on whether we should require manufacturers to disclose to the Commission whether firmware and/or software were developed and manufactured in a “high-risk country,” as well as where firmware and software updates will be developed and deployed from. We also seek comment on whether to require manufacturers to disclose to consumers in the registry whether firmware and/or software were developed and manufactured in a “high-risk country,” as well as where firmware and software updates will be developed and deployed from.” Comments due April 24th, 2024.

US must establish independent military cyber service to fix ‘alarming’ problems — report. DefenseScoop.com article. Pull quote: “But it [the report] did recommend placing it within the Department of the Army, with Cybercom continuing to be the force employer. Montgomery believes the Army has done the best in cyber, relative to the other services, placing cyber in the hands of general officers. Additionally, the other military departments already have subordinate forces: the Space Force under the Department of the Air Force and the Marine Corps under the Department of the Navy.”

Chinese Tanker Hit with Houthi Missile in the Red Sea. USNI.org article. Pull quote: “The ship is owned by a Chinese company, according to the release. The Houthis previously said they would not attack any Chinese ships. It is possible it was a case of old information, as the South China Morning Post reported that the ship’s registered owner changed in February 2024.”

China launches Queqiao-2 relay satellite to support moon missions. SpaceNews.com article. Pull quote: “The spacecraft will enter a highly elliptical lunar orbit inclined by 55 degrees once it reaches the moon. The orbit is specially designed to support China’s Chang’e-6 lunar far side sample return mission, due to launch in May. The far side of the moon never faces the Earth, as the planet’s gravity has slowed the rotation of the moon over time.”

Review - PHMSA Publishes 60-day ICR Notice for Revisions to Gas Pipeline Reporting

Today, DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) published a 60-day ICR revision notice in the Federal Register (89 FR 20751-20755) for “Mitigation of Ruptures on Onshore Gas Transmission and Gathering, Hazardous Liquid, and Carbon Dioxide Pipeline Segments Using Rupture-Mitigation Valves or Alternative Equivalent Technologies and Blending of Hydrogen Gas and Natural Gas Within Gas Pipelines”. According to the notice summary:

“The proposed information collection changes would provide data necessary to demonstrate an alternative approach to the implementation of Recommendation P–11–11 made by the National Transportation Safety Board (NTSB) and allow PHMSA to identify trends related to the blending of hydrogen gas and natural gas within gas pipelines from operator-submitted data.”

Changes are being proposed to the following existing ICRs:

2137–0627, National Registry of Pipeline and LNG Operators,

2137–0635, Incident Reports for Natural Gas Pipeline Operators,

2137–0629, Annual Report for Gas Distribution Operators,

2137–0522, Annual Reports for Gas Pipeline Operators,

2137–0614, Hazardous Liquid Pipeline Operator Annual Reports, and

2137–0596 National Pipeline Mapping Program

The existing and proposed burden estimates are shown below:


Public Comments

PHMSA is soliciting public comments on the proposed changes to these currently approved information collections. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket #PHMSA-2022-0085). Comments should be submitted by May 24th, 2024.

Commentary

It is interesting that these changes to reporting requirements are, for the most part, reducing (according to the table above) the annual burden. The problem is that those changes are not what is being reported by the ICR notice. In three cases the discrepancy is due to the fact that I used data from a currently pending ICR revisions for the following ICR’s: 2137-0629, 2137-0522, 2137-0596. There is nothing in the discussion in today’s notice that would indicate that those earlier proposed changes have been rescinded. I have no idea what is going on with 2137– 0614. We will have wait to see the Supporting Document that PHMSA provides to OIRA after the 30-day ICR is published.

For more details about the changes being proposed by PHMSA, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/phmsa-publishes-60-day-icr-notice - subscription required.

Saturday, March 23, 2024

Chemical Incident Reporting – Week of 3-16-24

NOTE: See here for series background.

DEFIANCE, Ohio – 3-20-24

Local news reports – Here, here, here, and here.

Explosion and fire at methanol refinery. One person taken to hospital, unquantified damages to facility.

Possible CSB reportable.

OMB Approves CISA’s Cyber Incident Reporting NPRM

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a notice of proposed rulemaking (NPRM) from the Cybersecurity and Infrastructure Security Agency (CISA) on “Cyber Incident Reporting for Critical Infrastructure Act Regulations”. The  NPRM was submitted to OIRA on January 2nd, 2024. CISA published a request for information supporting this rulemaking on September 12th, 2022. This rulemaking implements the requirements of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)

According to the Fall 2023 Unified Agenda entry for this rulemaking:

“The Cybersecurity and Infrastructure Security Agency (CISA) will propose regulations to implement certain aspects of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) [Div Y of PL 117-103].  Specifically, CIRCIA directs CISA to develop and implement regulations requiring covered entities to submit reports to CISA regarding covered cyber incidents and ransom payments.  CIRCIA requires CISA to publish a Notice of Proposed Rulemaking (NPRM) within 24 months of the date of enactment of CIRCIA as part of the process for developing these regulations.  CISA previously issued a Request for Information on September 12, 2022, and held a series of listening sessions seeking public input on potential aspects of the proposed regulation prior to publication of the NPRM.”

We could see this NPRM published in the Federal Register this coming week.

OMB Approves FRA Train Crew Staffing Final Rule

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rule from the DOT’s Federal Railroad Administration (FRA) on “Train Crew Staffing”. The rule was submitted to OIRA on January 2nd, 2024. The notice of proposed rulemaking was published on July 28th, 2022.

According to the Fall 2023 Unified Agenda entry for the rulemaking:

“This rulemaking would address the potential safety impact of one-person train operations, including appropriate measures to mitigate an accident's impact and severity, and the patchwork of State laws concerning minimum crew staffing requirements. This rulemaking would address the issue of minimum requirements for the size of train crews, depending on the type of operations. In an effort to encourage public participation, FRA extended the comment period from 60 to 146 days and held a public hearing on December 14, 2022.”

The final rule may be published in the Federal Register this coming week. As with the NPRM, it is not likely that I will be covering this rulemaking in any detail, but I will almost certainly announce it in my ‘Short Takes’ post on the day it is published.

Review - HR 2882 Passed in Senate – 2nd FY 2024 Minibus

Yesterday, after the House passed H Res 1102, the Senate took up the new House amendment to HR 2882, Udall Foundation Reauthorization Act of 2023. After considering, and rejecting seven amendments and two motions, the Senate voted 74 to 24 to pass the bill. It subsequently passed H Con Res 100 to change the title of the bill, with the short title becoming the Further Consolidated Appropriations Act, 2024. The bill was signed by the President Saturday morning.

 

For more details about the consideration in the Senate, including listing of the amendments and motions, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-2882-passed-in-senate - subscription required.

Transportation Chemical Incidents – Week of 3-13-24

Reporting Background

See this post for explanation.

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

Incidents Summary

Number of incidents – 110 (101 highway, 9 air, 0 rail)

Serious incidents – 1 (1 Bulk release, 0 injuries, 0 deaths, 0 major artery closed)

Largest container involved – 2100-lb pallet (Batteries, Wet, Filled with Acid, Electric Storage) another package fell on pallet – 0.625-lbs leaked.

Largest amount spilled – 400-lbs (Calcium Hypochlorite, Hydrated or Calcium Hypochlorite, Hydrated Mixtures, With Not Less Than 5.5 Percent but Not More Than 16 Percent Water) 1-gal plastic containers in cardboard boxes. Handling equipment accident.

Most Interesting Chemical: Hydrobromic Acid, UN 1788. Used in chemical synthesis and metal cleaning. TOXIC; inhalation, ingestion or skin contact with material may cause severe injury or death. Contact with molten substance may cause severe burns to skin and eyes. Avoid any skin contact. Effects of contact or inhalation may be delayed. Fire may produce irritating, corrosive and/or toxic gases. Runoff from fire control or dilution water may be corrosive and/or toxic and cause environmental contamination.


Review – Public ICS Disclosures – Week of 3-16-24

This week we have eight vendor disclosures from Belden, Bosch, Buffalo Tech, Honeywell, HP, Planet Technology, and Rockwell (2). There are five vendor updates from Eaton, HP (2), Palo Alto Networks, and QNAP. We have two researcher reports for vulnerabilities in products from FortiGuard and Unitronics. Finally, we have four exploits for products from APC and TELSAT (3).

Advisories

Belden Advisory - Belden published an advisory that discusses five vulnerabilities in multiple Hirschmann products.

Bosch Advisory - Bosch published an advisory that describes a command injection vulnerability in their Network Synchronizer.

Buffalo Advisory - JP-CERT published an advisory that describes an insufficient data validation vulnerability in the Buffalo LinkStation 200 series NAS.

Honeywell Advisory - Honeywell published an advisory that describes a cross-site scripting vulnerability in their MPA2 Web Application.

HP Advisory - HP published an advisory that describes a denial of service vulnerability in their OfficeJet Pro printers.

Planet Advisory - Incibe-CERT published an advisory that describes three vulnerabilities in the Planet IGS-4215-16T2S industrial ethernet switch.

Rockwell Advisory #1 - Rockwell published an advisory that describes an improper security protection for remote restart action vulnerability in their FactoryTalk® View ME on PanelView.

Rockwell Advisory #2 - Rockwell published an advisory that describes three vulnerabilities in their PowerFlex® 527 product.

UPDATES

Eaton Update - Eaton published an update for their User Management System advisory that was originally published on November 24th, 2023 and most recently updated on December 20th, 2023.

HP Update #1 - HP published an update for their Intel 2023.4 IPU advisory that was originally published on December 11th, 2023 and most recently updated January 9th, 2024.

HP Update #2 - HP published an update for their AMD Client UEFI firmware advisory that was originally published on December 7th, 2023 and most recently updated on January 5th, 2024.

Researcher Reports

FortiGuard Report - Horizon3 published a report describing an SQL injection vulnerability in the FortiGuard FortiClient EMS product.

Unitronics Report - Claroty published a report describing eight vulnerabilities in the Unitronics UniStream integrated PLC/HMI products.

Exploits

APC Exploit - Victor Garcia published an exploit for a path traversal vulnerability in the APC UPS Network Management Card.

TELSAT Exploits - LIQUIDWORM published exploits for three vulnerabilities in the TELSAT marKoni FM Transmitter.

 

For more information on these disclosures, including links to 3rd party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-3-051 - subscription required.

Bills Introduced – 3-22-24

Yesterday, with both the House and Senate in session and preparing to leave Washington for their two-week Easter recess, 65 bills were introduced. Three of those bills will receive additional attention in this blog:

H Res 1102 Providing for the concurrence by the House in the Senate amendment to H.R. 2882, with an amendment. Granger, Kay [Rep.-R-TX-12]

H Res 1103 Declaring the office of Speaker of the House of Representatives to be vacant. Greene, Marjorie Taylor [Rep.-R-GA-14]

S 4054 A bill to require entities to meet minimum cybersecurity standards to be eligible for Medicare accelerated and advance payment programs if the reason for the need for such payments is due to a cybersecurity incident. Warner, Mark R. [Sen.-D-VA]

As I reported last night, the House adopted H Res 1102 yesterday afternoon, which sent HR 2882 back to the Senate with an amendment consisting of the text of H Res 1102. The Senate subsequently took up that amendment and adopted it early this morning, providing for funding of the remaining portions of the Federal Government through the end of the fiscal year (more on those deliberations in a subsequent post).

H Res 1103 was not offered as a ‘privileged resolution’ so immediate (2 legislative days) action by the House is not required. There is an interesting article over on Politico.com about this resolution.

Mention in Passing

I would like to mention in passing S 4064, a bill to amend section 50905 of title 51, United States Code, to extend and modify provisions relating to license applications and requirements for commercial space launch activities, and for other purposes. This will have some sort of effect on the current exception from FAA general flight safety regulations for commercial space flight. I would expect that this bill would require some sort of transition to ‘normal’ space flight safety requirements.

Friday, March 22, 2024

Short Takes – 3-22-24

Exploiting remote access – the ultimate living off the land attack. ScadaMag.Infracritical.com blog post. Very concise description of the need for remote access leading to living-off-the-land attacks in OT systems.

Apple Chip Flaw Lets Hackers Steal Encryption Keys. Zetter-ZeroDay.com article. Pull quote: “The site includes an instruction to developers of cryptographic applications to include code in their program that causes the processor to implement data-independent timing, or DIT, that effectively disables the prefetcher when the computer is performing cryptographic functions for their application. It’s not clear how long this instruction has been on Apple’s developers site; there’s no date on the page, but it’s part of Apple’s core documentation for developers, so presumably it’s been there for years.”

Truck-to-truck worm could infect – and disrupt – entire US commercial fleet. TheRegister.com article. Pull quote: “Finally, in what the authors described as the "most concerning" scenario, they uploaded a truck-to-truck worm. The worm uses the compromised device's Wi-Fi capabilities to search for other vulnerable ELDs nearby.”

Commercial Vehicle Electronic Logging Device Security: Unmasking the Risk of Truck-to-Truck Cyber Worms.  NDSS-Symposium.org paper. Actual paper described above. Pull quote: “These findings highlight an urgent need to improve the security posture in ELD systems. Following some existing best practices and adhering to known requirements can greatly improve the security of these systems. The process of discovering the vulnerabilities and exploiting them is explained in detail. Product designers, programmers, engineers, and consumers should use this information to raise awareness of these vulnerabilities and encourage the development of safer devices that connect to vehicular networks.”

Four questions about the new effort to oust Mike Johnson, answered. Politico.com article. Rep Greene (R,GA) introduced vacate resolution. Pull quote: “There’s no guarantee of that [voting on the resolution when the House returns from Easter break]. Greene had the option to speed up consideration of her proposal, but instead chose a slow path that will loom over House Republicans as they head home for recess.”

House Passes H Res 1102 – FY 2024 2nd Minibus

Today the House took up H Res 1102, House Passes H Res 1102 – FY 2024 2nd Minibus. The resolution was considered under the suspension of the rules process. After 44 minutes of debate the House voted 286 to 134 to pass the resolution.

While an official copy of the language of the resolution is not currently available, the resolution should contain the same wording as was published by the House Appropriations Committee on Thursday night. Passage of the resolution has the effect of substituting that language for the Senate version of HR 2882 and sending that bill back to the Senate for consideration.

The Senate began the process of the consideration of the House amendment to HR 2282 this afternoon, voting 78 to 18 on the motion to proceed to the consideration of the updated language.

OMB Approves BIS Advanced Computing Final Rule

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rule from the DOC’s Bureau of Industry and Security (BIS) on “Implementation of Additional Export Controls: Certain Advanced Computing Items and Semiconductor Manufacturing Items; Supercomputer and Semiconductor End Use; Updates to the Controls and Corrections”. The final rule was sent to OIRA on November 27th, 2023.

Three different versions of an interim final rule have been published:

October 25th, 2023,

January 18th, 2023, and

October 13th, 2022

It is not clear from yesterday’s notice whether this will be an actual final rule or just another interim final rule. Typically, these rules have not had direct cybersecurity implications, so it may not be covered in the blog beyond a mention of the publication in a daily ‘Short Takes’ post.

DOE Sends Foreign Entity Final Rule to OMB

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a final rule (direct final rule?) from the Department of Energy on “U.S. Department of Energy Interpretation of Foreign Entity of Concern”. This rulemaking was not listed in the Fall 2023 Unified Agenda.

Bills Introduced – 3-21-24

Yesterday, with both the House and Senate in session, there were 82 bills introduced. Three of those bills may receive additional attention in this blog:

HR 7781 To require a report on the economic and national security risks posed by the use of artificial intelligence in the commission of financial crimes, including fraud and the dissemination of misinformation, and for other purposes. Nunn, Zachary [Rep.-R-IA-3]

S 4024 A bill to amend the Homeland Security Act of 2002 to enable secure and trustworthy technology through other transaction contracting authority. Peters, Gary C. [Sen.-D-MI] 

S 4045 A bill to require a study on public health impacts as a consequence of the February 3, 2023, train derailment in East Palestine, Ohio.

All three of these bills appear to address issues that are tangentially similar to topics that I routinely cover in this blog. While I am normally able to point to specific issues that I would be looking for in such bills, all three of these bills address issues that may be more complex than I would be able to put into a routine ‘looking for’ statement. I suspect that S 4045 will be the most likely bill to receive further consideration here.

The Missing Bill

I had expected to see the House resolution that I discussed yesterday that forms the basis for the consideration of the 2nd FY 2024 spending minibus. I have no idea why it was not introduced, but it is still on the list of legislation scheduled for consideration in the House today. It will almost certainly be one of the first things considered today so that there will be some time available for the Senate to take up the HR 2882, the bill that would be amended to be the spending bill. With any kind of luck, Sen Schumer (D,NY) has come to some sort of agreement about a list of amendments that will get floor votes before the final vote on the amended HR 2882. If that final vote does not happen by midnight, a technical shutdown will occur, but the effects would be somewhat limited because it is the weekend. If the Senate must adjourn, before the final vote on the bill (or the bill fails in a final vote), the partial government shutdown becomes more than technical.

Thursday, March 21, 2024

Short Takes – 3-21-24

National Guard ready to assist states with cyber response, say officials. StateScoop.com article. If this story were about a private cybersecurity company I would label it an advertorial. Pull quote: ““We want them to make a lot of money in the cyber field Monday through Friday and then I tell them they can come work for us on the weekend,” Jarrard said. “I think we have a good pool to pull from and those individuals one, they like to do exciting things on the keyboard but two, they like serving their country, serving their community and helping out.””

Key test drive of Orion on NASA's Artemis II to aid future missions. Phys.org article. Pull quote: “Because the Artemis II Orion is not docking with another spacecraft, it is not equipped with a docking module containing lights and therefore is reliant on the ICPS to be lit enough by the sun to allow the crew to see the targets.”

NASA sees progress on Blue Origin's Orbital Reef Life Support System. Phys.org article. Pull quote: “The trace contaminant control test screened materials to remove harmful impurities from the air. The water containment oxidation test, urine water recovery test, and water tank test all focused on potential cleaning, reclaiming, and storing technologies.”

1,1-Dichloroethane (1,1-DCA); Draft Risk Evaluation Under the Toxic Substances Control Act (TSCA); Letter Peer Review; Request for Nominations of Expert Reviewers. Federal Register EPA notice. Summary: “The Environmental Protection Agency (EPA or the Agency) is seeking nominations of scientific and technical experts to review the draft risk evaluation for 1,1-dichloroethane (1,1-DCA) conducted under the Toxic Substances Control Act (TSCA). The Agency will release the draft risk evaluation for public review and comment in spring of 2024 through a separate Federal Register document and subsequently will provide the selected peer reviewers with the draft risk evaluation for letter peer review in the summer of 2024.” Nomination deadline – April 11th, 2024.

Spy agency ready to launch new vehicle-tracking satellites. DefenseOne.com article. Pull quote: “However, Space Force officials have said that the GMTI program can’t move forward until Congress passes a fiscal 2024 budget because the effort is a new start in last year’s budget request.”

NASA Analysis Sees Spike in 2023 Global Sea Level Due to El NiƱo. JPL.NASA.gov article. Pull quote: ““Current rates of acceleration mean that we are on track to add another 20 centimeters of global mean sea level by 2050, doubling the amount of change in the next three decades compared to the previous 100 years and increasing the frequency and impacts of floods across the world,” said Nadya Vinogradova Shiffer, director for the NASA sea level change team and the ocean physics program in Washington.”

Review – 1 Advisory Published – 3-21-24

Today, CISA’s NCCIC-ICS published a control system security advisory for products from Advantech.

Advisories

Advantech Advisory - This advisory describes an SQL injection vulnerability in the Advantech WebAccess/SCADA.

 

For more details about this advisory, including a down-the-rabbit-hole search for the researcher that discovered the vulnerability, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-published-3-21-24 - subscription required.

OMB Approves OSHA Walk Around Final Rule

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rule from the DOL’s Occupational Safety and Health Administration (OSHA) on “Worker Walkaround Representative Designation Process”. The rule was submitted to OIRA on February 9th, 2024, a fairly rapid turnaround for OIRA. The notice of proposed rulemaking (NPRM) was published on August 30th, 2023

According to the Fall 2023 Unified Agenda entry for this rulemaking:

“This rulemaking will clarify the right of workers and certified bargaining units to specify a worker or union representative to accompany an OSHA inspector during the inspection process/facility walkaround, regardless of whether the representative is an employee of the employer, if in the judgment of the Compliance Safety and Health Officer such person is reasonably necessary to an effective and thorough physical inspection.”

While I did not describe the NPRM, I did note a chemical security issue that had been raised by the Alliance for Chemical Distribution. It will be interesting to see how OSHA addresses this issue in their final rule.

We could see the final rule published in the Federal Register next week.

2nd FY 2024 Spending Minibus Published – 3-20-24

Late last night the House Appropriations Committee published the 2nd FY 2024 spending minibus. As with the earlier spending bill, this takes the form of a House Resolution (not yet numbered as it will be introduced today) providing a House amendment to the Senate amendment to a previously passed House bill (HR 2882, the Udall Foundation Reauthorization Act of 2023). A committee print of the resolution is available.

There is no mention of an extension/reinstatement of the Chemical Facility Anti-Terrorism Standards (CFATS) program in the text of the bill. There is, however, an odd comment about the program in the Division C (DHS) Joint Explanatory Statement (pg 38):

“The agreement includes $15,077,000 below the request for Chemical Facility Anti-Terrorism Standards (CFATS) due to cost savings within the program.”

Since the Appropriations Committee Report (H Rept 118-123) provided $41 million for ‘Chemical Security’ (table on page 170), it looks like this bill will continue some level of funding for the program through the end of September. So the program may yet be resurrectable.

It is unlikely that the resolution will be brought to the floor of the House today (it is not listed on the Majority Leader’s schedule for today) and only slightly more likely for tomorrow. This means that another short-term continuing resolution will be required to stop a government shutdown on Saturday.

Wednesday, March 20, 2024

Short Takes – 3-20-24

Pentagon Received Over 50,000 Vulnerability Reports Since 2016. SecurityWeek.com article. Pull quote: ““The success of the DC3 VDP is a powerful example of how a strong relationship with the global ethical hacker community translates to the consistent strengthening of cyber defenses. As proud partners, we look forward to continued collaboration as ethical hackers work to further strengthen national security,” HackerOne founder and CTO Alex Rice said.” I wonder how many of these were control system vulnerabilities and how many of those were shared with CISA?

Researchers develop tantalizing method to study cyberdeterrence. Sandia.gov article. Pull quote: “At Sandia, the name Tantalus is associated with an experimental multiplayer online war game used to study different conditions within cyberdeterrence strategy. More importantly, the game is a human research study to gather data about how people’s decisions during threatening situations can impact national security.”

SpaceX planning rapid turnaround for next Starship flight. SpaceNews.com article. Pull quote: “The FAA has updated SpaceX’s Starship launch license after every flight to date to reflect changes in the mission, such as the different suborbital trajectory used on the most recent flight. However, Coleman said the agency wants to move to a process where the license is valid for “portfolio of launches” rather than individual ones. That is particularly important, he added, because SpaceX is planning six to nine more Starship launches this year.”

DARPA picks Northrop Grumman to develop 'lunar raiload' concept. Space.com article. Pull quote: “"To get to a turning point faster, LunA-10 uniquely aims to identify solutions that can enable multi-mission lunar systems — imagine a wireless power station that can also provide comms and navigation in its beam," Nayak said. Such work, he added, will accelerate "key technologies that may be used by government and the commercial space industry, and ultimately to catalyze economic vibrancy on the moon."”

Benchmark Space Systems flies first electric thruster. SpaceNews.com article. Pull quote: “On EWS, a 12U cubesat, the millinewton-class Xantus thruster will be used for end-to-end spacecraft operations, including deorbiting at the end of its mission. Benchmark, though, sees the biggest demand for the thruster on larger spacecraft.”

Review - HR 7589 Introduced – ROUTERS Act

Earlier this month, Rep Latta (R,OH) introduced HR 7589, the Removing Our Unsecure Technologies to Ensure Reliability and Security (ROUTERS) Act. The bill would require the Department of Commerce to conduct a study on the national security risks of routers and modems manufactured in China. No new funding is authorized by the legislation.

Moving Forward

The House Energy and Commerce Committee took up this bill (along with 27 others) this morning. There are no results posted to the hearing web site and it does not look like any amendments were offered. I suspect that the bill was ordered reported favorably by a significantly bipartisan vote.

 

For more details about the provisions of this legislation, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-7589-introduced - subscription required.

HR 3404 Sponsor Added – Gas Cylinder Safety

Yesterday, Rep Orden (R,OH) was added as a cosponsor to HR 3404 [removed from paywall], the Compressed Gas Cylinder Safety and Oversight Improvements Act of 2023. Orden is a member of the House Transportation and Infrastructure Committee, to which this was assigned for consideration, the first sponsor that is a member. This means that there may now be sufficient influence to see the bill considered in Committee.

Unfortunately, this late in an election year session, there may not be time for this bill to move forward. The sooner it is considered in Committee (preferably without amendments) the better chances for it to move forward. There has been no action in the Senate on the nearly identical S 1632.

Tuesday, March 19, 2024

Short Takes – 3-19-24

Drones and the US Air Force. Schneier.com blog post. Pull quote: “He estimated that a single Chinese Sunflower suicide drone costs about $30,000—so you could purchase 16,000 Sunflowers for the cost of one F-35A. And since the full mission capable rate of the F-35A has hovered around 50 percent in recent years, you need two to ensure that all missions can be completed—for an opportunity cost of 32,000 Sunflowers. As Hammes concluded, “Which do you think creates more problems for air defense?””

2024 Terrorism Risk Insurance Program Data Call. Federal Register Treasury data collection – Summary: “Pursuant to the Terrorism Risk Insurance Act of 2002, as amended (TRIA), insurers that participate in the Terrorism Risk Insurance Program (TRIP or Program) are directed to submit information for the 2024 TRIP Data Call, which covers the reporting period from January 1, 2023 to December 31, 2023. Participating insurers are required to register and report information in a series of forms approved by the Office of Management and Budget (OMB). All insurers writing commercial property and casualty insurance in lines subject to TRIP, subject to certain exceptions identified in this notice, must respond to this data call no later than May 15, 2024.”  Comment due date: May 15th, 2024.

Snake Steak Could Be a Climate-Friendly Source of Protein. ScientificAmerican.com article. Pull quote: “In particular, the researchers were struck by the pythons’ resilience during long fasts: the animals sometimes went months without eating but also without losing much weight. “Observing the ability of relatively young snakes to go many months without food and remain in a healthy state with minimal loss of body condition was really astounding,” Natusch says. Notably, he and his colleagues think that such resilience could be valuable during a major disruption to the food system, such as what occurred during the early days of the COVID pandemic, when some farmers couldn’t afford to keep feeding their livestock but also couldn’t get them to processors.”

Blue Origin plans to test Blue Ring space platform on Pentagon’s DarkSky-1 mission. GeekWire.com article. Pull quote: “Blue Ring is a multi-mission, multi-orbit vehicle that’s being developed to facilitate logistical services in orbit. The Pentagon-backed mission, known as DarkSky-1, will demonstrate Blue Origin’s flight system, including space-based data processing and storage capabilities, ground-based radiometric tracking and Blue Ring’s telemetry, tracking and command hardware, also known as TT&C.”

Committee Hearings – Week of 3-17-24

This week, with the House and Senate both in session, there is a relatively heavy hearing schedule. Budget hearings are starting the FY 2025 spending cycle. And there are a lot of markup hearings with three of particular interest here. There will also be an oversight hearing on the DHS cWMD office.

Budget Hearings:

The FY 2025 spending process starts this week with budget hearings. I do not cover these much anymore since Presidential Budgets have been ‘dead on arrival’ for almost a decade now, but they do deserve, at least, mention in passing.

Budget Hearings

House

Senate

DOE

3-20-24 E&C

 

SBA

 

3-20-24 SBC

Markup Hearings

Energy and Commerce Committee markup hearing – 3-20-24 – 28 bills:

HR 7655, Pipeline Safety, Modernization, and Expansion Act of 2024, and

HR 7589, Removing Our Unsecure Technologies to Ensure Reliability and Security (ROUTERS) Act

Transportation and Infrastructure Committee markup hearing – 3-20-24 – 2 bills:

HR 7659, the Coast Guard Authorization Act of 2024

Science, Space, and Technology Committee markup hearing – 3-20-24  - 8 bills:

HR 7073, Next Generation Pipelines Research and Development Act

WMD Hearing

On Wednesday, the Subcommittee on Emergency Management and Technology of the House Homeland Security Committee will hold a hearing on “Securing our Nation from WMDs: A Review of the Department of Homeland Security's Countering Weapons of Mass Destruction Office”. The witness list includes:

• Mary Ellen Callahan, DHS,

• Tina Won Sherman, GAO, and

• Herbert Wolfe, DHS

On the Floor

With an overall agreement reportedly reached on the 2nd Minibus spending bill (including DHS and DOD), there is a good chance that the bill will come to the floor of the House this week, but it seems unlikely that it will be able to clear both houses before the midnight Friday deadline to keep the government funded. Politicians may risk a technical shutdown over some of the weekend if they think that the House and Senate can finish the bill by Sunday, but it is more likely that there will be yet again a short-term continuing resolution to allow the political posturing in both the House and Senate to run its course.

 
/* Use this with templates/template-twocol.html */