Tuesday, April 30, 2024

Short Takes – 4-30-24

Killer Asteroid Hunters Spot 27,500 Overlooked Space Rocks. NYTimes.com article. Pull quote: “The algorithm could increase the number of asteroids that Rubin can find, perhaps enough to meet a mandate passed by Congress in 2005 to locate 90 percent of near-Earth asteroids that are 460 feet in diameter or larger.”

TSA Conducts Comprehensive Security Exercise with Brenntag in Orlando. HSToday.us article. Pull quote: “This exercise highlighted the importance of neighborhood and customer stewardship, with Brenntag’s facility serving as a prime example of how businesses can work alongside government agencies to enhance security and preparedness. The involvement of such a diverse group of [30] observers and [25] participants underscored the shared responsibility and collective effort required to protect public spaces and critical infrastructure from potential threats.”

U.S. Needs to Better Track Bird Flu Spread in Farm Animals, Farm Workers, Epidemiologist Says. ScientificAmerican.com article. Pull quote: “On the ground, we really need to get a handle on where H5N1 is spreading and how. That comes through asymptomatic testing of animals and people, sharing genomic surveillance data with the global community and understanding wastewater trends. So certainly, a lot more work needs to be done.” Interesting ‘lessons learned’ comments from COVID pandemic.

Review – 1 Advisory and 2 Updates Published – 4-30-24

Today, CISA’s NCCIC-ICS published a control system security advisory for products from Delta Electronics. They also updated two advisories for products from SEW-EURODRIVE and Unitronics.

Advisories

Delta Advisory - This advisory describes a stack-based buffer overflow vulnerability in the Delta CNCSoft-G2 DOPSoft.

Updates

SEW-EURODRIVE Update - This update provides additional information on an advisory that was originally published on January 16th, 2024.

Unitronics Update - This update provides additional information on an advisory that was originally published on April 18th, 2024.

 

For more information on these advisories, including summaries for changes made in updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-and-2-updates-published-504 - subscription required. 

Monday, April 29, 2024

Short Takes – 4-29-24

Establishment of the Artificial Intelligence Safety and Security Board. Federal Register DHS notice. Summary: “Pursuant to Executive Order (E.O.) 14110 [link added], Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, dated October 30, 2023, the Department of Homeland Security, through the Office of Partnership and Engagement, has established the Artificial Intelligence Safety and Security Board (the Board). The Board will provide the Secretary of Homeland Security (hereinafter referred to as “the Secretary”) information, advice, and recommendations to advance the security and resilience of our nation's critical infrastructure in its use of artificial intelligence (AI). This Notice is not a solicitation for membership.”

Pipeline Safety: Periodic Updates of Regulatory References to Technical Standards and Miscellaneous Amendments. Federal Register PHMSA final rule. Summary: “PHMSA is amending the Federal pipeline safety regulations (PSRs) to incorporate by reference all or parts of more than 20 new or updated voluntary, consensus industry technical standards. This action allows pipeline operators to use current technologies, improved materials, and updated industry and management practices. Additionally, PHMSA is clarifying certain regulatory provisions and making several editorial corrections.” Effective date June 28th, 2024.

Bird flu in US cows: is the milk supply safe? Nature.com article. Pull quote: “When Nature asked when to expect more evidence on whether pasteurization kills H5N1, Janell Goodwin, public-affairs specialist at the FDA in Silver Spring, Maryland, said that the agency and the US Department of Agriculture (USDA) “are working closely to collect and evaluate additional data and information specific to” H5N1.”

With U.S. aid resumed, Ukraine will try to dig itself out of trouble. WashingtonPost.com article. Pull quote: “Defense Secretary Lloyd Austin on Friday announced the administration’s intent to contract $6 billion in arms for Ukraine, including Patriot air-defense missiles and counter-drone systems — a tranche of vitally needed arms, he said, but one that could take months if not years to produce. The administration has employed a two-tiered approach to helping Ukraine: one entails the immediate drawdown and transfer of existing U.S. military stockpiles; the other is aimed at long-term sustainment through purchase orders for weapons and ammunition.”

Opinion: America’s small-town water systems are global cyber targets. Is your city next? CNN.com commentary. Pull quote: “If we really want to help water utilities defend against cyber threats, we have to close the resource gap. Protecting your personal information in your water bill is important, but so is protecting your actual water. That means cybersecurity must protect operational technology and not just data systems. And costs for cybersecurity investment need to be recoverable through local government budget setting processes.”


Review - S 4054 Introduced -Health Care Cybersecurity

Earlier this month, Sen Warner (D,VA) introduced S 4054, the Health Care Cybersecurity Improvement Act of 2024. The bill would prohibit accelerated Medicare payments to hospitals and medical service providers with significant cashflow problems due to cyber-attacks unless they meet ‘minimum cybersecurity standards’. There is no new funding provided in this legislation.

Moving Forward

Warner is a member of the Senate Finance Committee to which this bill was assigned for consideration. This means that there may be sufficient influence to see the bill considered in Committee. I suspect that there would be Republican opposition to this bill because it would effectively add cybersecurity regulations for the medical sector. I am not sure that there would be sufficient support to see this bill favorably considered. Regardless, this bill would have no chance of being considered by the full Senate under regular order.

Commentary

While there is no mention of cybersecurity regulations in this bill, nor any mandate to develop such regulations, the phrase “meets minimum cybersecurity standards, as determined by the Secretary” effectively means that HHS would need to have regulations in place that define ‘minimum cybersecurity standards’ that the Secretary would use to restrict accelerated payments under these provisions. If the bill had specifically required HHS to promulgate such regulations, the bill would have come under the purview of the Homeland Security and Governmental Affairs Committee where Warner is not a member.

 

For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-4054-introduced - subscription required.

Committee Hearings – Week of 4-29-24

This week, with both the House and Senate back in Washington, there is a moderately heavy hearing schedule in both bodies. Budget hearings continue, moving into the final stages in the respective appropriations subcommittees. There is also a hearing on CISA’s notice of proposed rulemaking for the implementation of the cybersecurity reporting requirements of Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).

FY 2025 Budget Hearings

 

House

Senate

EPA

Approp Subcommittee

Approp Subcommittee

DOT

Approp Subcommittee

Approp Subcommittee

CISA

Approp Subcommittee

 

Coast Guard

Approp Subcommittee

 

CIRCIA Hearing

On Wednesday, the Subcommittee on Cybersecurity and Infrastructure Protection of the House Homeland Security Committee will hold a hearing on “Surveying CIRCIA: Sector Perspectives On The Notice Of Proposed Rulemaking”. The witness list includes:

Heather Hogsett, Bank Policy Institute,

Scott Aaronson, Edison Electric Institute,

Robert Mayer, The Broadband Association, and

Amit Elazari, OpenPolicy Group

Short Takes – 4-29-24 – Space Geek Edition

Gravitics plans to leverage space station architecture for $1.7M Space Force project. Geekwire.com article. Pull quote: ““Developing and manufacturing commercial space station modules will continue to be at the core of our company mission,” Doughan said. “Gravitics is thrilled to have the opportunity to offer these commercial capabilities to the Department of Defense.””

Regulation of Commercial Human Spaceflight Safety: Overview and Issues for Congress. CRS report. Pull quote: “Congress may consider whether to extend the learning period again, for a fixed amount of time or indefinitely, or to allow the learning period to lapse. The FAA and some other stakeholders have suggested that, given the growth of the commercial human spaceflight industry, the learning period should be allowed to lapse and the FAA should begin the process of developing regulations.”

SpaceX making progress on Starship in-space refueling technologies. SpaceNews.com article. Pull quote: “The in-space propellant transfer test will be followed by an uncrewed demonstration mission of the HLS Starship, including fueling the vehicle and sending it to the moon for a landing. That mission will also feature an “ascent demo” not originally included in the plan, he said, to prove Starship can lift off the lunar surface.”

Spacecraft approaches metal object zooming around Earth, snaps footage. Mashable.com article. Pull quote: “The experimental spacecraft will now continue to closely approach the rocket, which Japan launched in 2009, gathering more data on the rocket's condition and motion. The following mission, with this information in hand, will "then remove and deorbit the rocket body using in-house robotic arm technologies," the company said in a statement.”

Saturday, April 27, 2024

Review – Public ICS Disclosures – Week of 4-20-24 – Part 2

For Part 2 we have nine additional vendor disclosures from Panasonic, QNAP (6), WatchGuard, and Welotec. We also have eight vendor updates from Broadcom (6), Mitsubishi, and Palo Alto Networks. There are four researcher reports for products from Mathieu Malaterre (3) and Offis. Finally, we have three exploits for products from FortiGuard and Palo Alto Networks (2).

Advisories

Panasonic Advisory - Panasonic published an advisory that describes an improper restriction of operations within the bounds of a memory buffer.

QNAP Advisory #1 - QNAP published an advisory that describes four vulnerabilities in their QTS and QuTS hero products.

QNAP Advisory #2 - QNAP published an advisory that discusses four vulnerabilities in their utility Proxy Server.

QNAP Advisory #3 - QNAP published an advisory that describes two vulnerabilities in their QuFirewall.

QNAP Advisory #4 - QNAP published an advisory that describes an integer overflow or wraparound vulnerability in their QTS, QuTS hero, and QuTScloud product.

QNAP Advisory #5 - QNAP published an advisory that describes an improper authentication vulnerability in their Media Streaming Add-on.

QNAP Advisory #6 - QNAP published an advisory that describes two path traversal vulnerabilities in their QTS, QuTS hero, and QuTScloud products.

WatchGuard Advisory - WatchGuard published an advisory that discusses the Diffie-Hellman Key Agreement Protocol Weaknesses.

Welotec Advisory - CERT-VDE published an advisory that describes an improper restriction of rendered UI layers or frames vulnerability in their SMART EMS and VPN Security Suite products.

Updates

Broadcom Update #1 - Broadcom published an update for their EZServer module advisory that was originally published on November 8th, 2022.

Broadcom Update #2 - Broadcom published an update for their Identical SSH keys advisory that was originally published on April 10th, 2024.

Broadcom Update #3 - Broadcom published an update for their Hardcoded TLS keys advisory that was originally published on April 11th, 2024.

Broadcom Update #4 - Broadcom published an update for their SANnav OVA advisory that was originally published on April 11th, 2024.

Broadcom Update #5 - Broadcom published an update for their Insecure file permission advisory that was originally published on April 11th, 2024.

Broadcom Update #6 - Broadcom published an update for their Docker instances advisory that was originally published on April 11th, 2024.

Mitsubishi Update - Mitsubishi published an update for their Microsoft Message Queuing advisory that was originally published on February 20th, 2024.

Reports

Palo Alto Networks Update - Palo Alto Networks published an update for their Arbitrary File Creation advisory that was originally published on April 12th, 2024 and most recently updated on April 20th, 2024.

Offis Report - Cisco Talos published a report describing an incorrect type conversion or cast vulnerability in the Offis DCMTK, a collection of DICOM libraries.

Exploits

FortiGuard Exploit - Spencer McIntyre published a Metasploit module for an SQL injection vulnerability in the FortiClient EMS (this vulnerability is listed in CISA’s Known Exploit Vulnerability Catalog).

Palo Alto Networks Exploit #1 - Sfewer-r7 published a Metasploit module for a command injection vulnerability in the Palo Alto Networks PAN-OS (this vulnerability is listed in CISA’s KEV Catalog).

Palo Alto Networks Exploit #2 - Kr0ff published an exploit for a command injection vulnerability in the Palo Alto Networks PAN-OS (this vulnerability is listed in CISA’s KEV Catalog).

 

For more information about these disclosures, including links to 3rd party advisories and researcher reports, as well as summaries of changes made in updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-4-6e6 - subscription required.

CRS Reports – Week of 4-20-24 – Change Healthcare Attack

This week, the Congressional Research Service (CRS) published a report on “The Change Healthcare Cyberattack and Response Considerations for Policymakers”. After providing a brief overview of the ransomware attack on Change Healthcare and a discussion about the consequences and federal response to the incident, the report identifies three ‘information parity issues’:

• Coordination of offensive and defensive actions,

• Knowledge of conditions in decision making, and

• Information Sharing Reach.

Presumably, given the mission of the CRS, these issues were identified to aid Congress in any response development efforts that members may be interested in initiating.

Transportation Chemical Incidents – Week of 3-23-24

Reporting Background

See this post for explanation, with an update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

Incidents Summary

• Number of incidents – 478 (451 highway, 20 air, 7 rail)

• Serious incidents – 3 (3 Bulk release, 0 injuries, 0 deaths, 0 major arteries closed)

• Largest container involved – 30,049-gal DOT DOT111A100W1 railcar (Acetone) Loose top closure. 20-gal spilled.

• Largest amount spilled – 1323-lbs (Calcium Hypochlorite, Hydrated or Calcium Hypochlorite, Hydrated Mixtures, With Not Less Than 5.5% But Not More Than 16% Water) plastic container damaged in material handling.

Most Interesting Chemical: Trichloroisocyanuric Acid, Dry. A white slightly hygroscopic crystalline powder or lump solid with a mild chlorine-like odor. Said to have 85 percent available chlorine. Decomposes at 225°C, producing chlorine gas and oxygen. Moderately toxic by ingestion. May irritate skin and eyes. Active ingredient in household dry bleaches. Used in swimming pools as a disinfectant. Strong oxidizing agent.


Review – Public ICS Disclosures – Week of 4-20-24 – Part 1

This week for Part 1 we have 16 vendor disclosures from Belden, Broadcom (7), Hitachi (2), HP, HPE, Meinberg, Moxa, Omron (2), and Palo Alto Networks.

NVD.NIST.gov updated their ‘Program Announcement’ page this week. This page is designed to keep folks up-to-date on the problems that NIST is having with keeping up with the analysis of CVE’s. No real new information has been added.

Advisories

Belden Advisory - Belden published an advisory that describes an improper authentication vulnerability in their Hirchsmann HiEOS devices.

Broadcom Advisory #1 - Broadcom published an advisory that describes an insertion of sensitive data into log file vulnerability in their Brocade SANnav products.

Broadcom Advisory #2 - Broadcom published an advisory that describes an exposure of sensitive information to an unauthorized actor vulnerability in their Brocade SANnav products.

Broadcom Advisory #3 - Broadcom published an advisory that describes an insecure HTTPS configuration vulnerability in their Brocade Fabric OS and Brocade SANnav products.

Broadcom Advisory #4 - Broadcom published an advisory that describes a clear-text transmission of sensitive information vulnerability in their Brocade Fabric OS and Brocade SANnav products.

Broadcom Advisory #5 - Broadcom published an advisory that describes an exposure of sensitive information to an unauthorized actor vulnerability in their Brocade Fabric OS and Brocade SANnav products.

Broadcom Advisory #6 - Broadcom published an advisory that describes an exposure of sensitive information to an unauthorized actor vulnerability in their Brocade SANnav product.

Broadcom Advisory #7 - Broadcom published an advisory that describes an exposure of sensitive information to an unauthorized actor vulnerability in their Brocade SANnav product.

Hitachi Advisory #1 - Hitachi published an advisory that describes an insertion of sensitive information into log file vulnerability in their Ops Center Administrator product.

Hitachi Advisory #2 - Hitachi published an advisory that describes a sensitive cookie in HTTPS session without ‘secure’ attribute vulnerability in their Ops Center Analyzer product.

HP Advisory - HP published an advisory that describes an escalation of privilege vulnerability in their Software Packages (SoftPaqs).

HPE Advisory - HPE published an advisory that discusses six vulnerabilities in their SAN Switches.

Meinberg Advisory - Meinberg published an advisory that discusses eleven vulnerabilities (three with known exploits) in their Lantime product. These are third-party vulnerabilities.

Moxa Advisory - Moxa published an advisory that discusses three vulnerabilities in their AIG-301 series products.

Omron Advisory #1 - Omron published an advisory that describes a free of pointer not at start of buffer vulnerability in their CX-One and Sysmac Studio products.

Omron Advisory #2 - Omron published an advisory that describes an out-of-bounds read vulnerability in their CS-Programmer product.

Palo Alto Networks Advisory - Palo Alto Networks published an advisory that describes an endpoint protection bypass vulnerability in their Cortex XDR agent.

 

For more information on these disclosures, including links to 3rd party advisories, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-4-534 - subscription required.

Friday, April 26, 2024

Short Takes – 4-26-24

China's Shenzhou-18 mission docks with space station. Phys.org article. Pull quote: “They will also try and create an aquarium onboard and seek to raise fish in zero gravity, according to Xinhua.”

Operational Adjustments Resulting From Workforce Shortages. Federal Register Coast Guard request for comments. Summary: “We are requesting your comments on planned actions that will allow the Coast Guard to prioritize lifesaving missions and protection of the Marine Transportation System in light of current personnel shortages. Like other military services, the Coast Guard is facing an unprecedented workforce shortage that is impacting Service readiness. The current and forecasted extent of the shortage is prompting significant actions to best protect the American public and maintain Service readiness. If actions are not taken to adjust operations, we can anticipate longer-term impacts to mission effectiveness and increased risk to our service members, as well as to commercial mariners and private boaters. In addition to leveraging technology and enhancing recruitment and retention efforts, operational adjustments must be executed within the existing response system while maintaining standards and an adherence to core mission execution. These adjustments fall into two categories: First, in regions where multiple units could respond if they were resourced appropriately, boats and people will be consolidated at one or more units to ensure a robust response. Secondly, in areas where the Coast Guard operates limited, or seasonal units that do not have sufficient personnel to respond, operations will be temporarily paused as resources are moved to higher priority areas. These adjustments will remain in effect until the Coast Guard has sufficient personnel to reconstitute these units.” Comments due May 24th, 2024.

A new U.S. tool maps where heat will be dangerous for your health. ScienceNews.org article. Pull quote: ““You can put in your zip code and see current heat risk and air quality levels and a seven-day heat risk forecast for your area,” Mandy Cohen, director of the Centers for Disease Control and Prevention said April 22 at a news conference unveiling the tool, called HeatRisk. “So, you can plan your day and you can plan your week with your health in mind.”” NWS HeatRisk Tool: https://www.wpc.ncep.noaa.gov/heatrisk/

Colombia becomes first country to restrict US beef due to bird flu in dairy cows. Reuters.com article. Pull quote: “To date, no U.S. beef cattle have tested positive for bird flu, government officials said.” The big question is has anyone been testing beef cattle?

Traces of bird flu are showing up in cow milk. Here’s what to know. ScienceNews.org article. Pull quote: “Because H5N1 has only recently been found in cattle, no studies have directly tested milk pasteurization’s ability to kill the virus, the FDA said in a statement April 23. But studies have shown that egg pasteurization, which is done at lower temperatures than milk pasteurization, inactivates the virus.”

Freight train derails, catches fire near US-Mexico border causing road closures. TheHill.com article. Pull quote: “The train was carrying gasoline and odorless propane at the time of the derailment near Houck, Ariz. No injuries were reported as a result of the incident, according to New Mexico State Police.”

Forecasters predict record number of hurricanes. TheHill.com article. Pull quote: “The Penn forecast predicts between 27 and 39 named tropical storms, with the best estimate at 33 storms — the most of any forecast in the 15-year history of the project. An average season usually has about half that number.” Article also quotes CSU forecast for 24 named storms. 

Review - HR 7922 Introduced – Water Risk and Resilience Organization

Earlier this month, Rep Crawford (R,AR) introduced HR 7922 (no fancy name). The bill would require the EPA to craft regulations providing for the certification of an independent Water Risk and Resilience Organization (WRRO) seemingly similar to NERC in the electric sector. The bill would authorize $5 million per year through 2025 to establish the WRRO.

Moving Forward

Crawford is a member, as is his sole cosponsor {Rep Duarte (R,CA)}, of the House Transportation and Infrastructure Committee to which this bill was assigned for primary consideration. This means that there may be sufficient influence to see it considered in Committee. I expect that any number of small communities are going to pressure their representatives to oppose this legislation as it would end up increasing the costs of maintaining their water systems. Many mid to large size water systems will also object, again because of funding issues. I suspect that there will be significant bipartisan opposition to this bill based upon those objections. I do not expect this bill to move forward, especially since there is no cosponsor on the House Energy and Commerce Committee, to which this bill has been assigned for secondary consideration. That Committee is well known for guarding their prerogatives when they have even limited oversight responsibilities.

Commentary

This attempt to move cybersecurity oversight of water systems out from under the direct control of the EPA is fraught with problems. The first is funding; the two-year $5 million authorization under the bill is a pittance compared to what it is going to need to establish and operate an organization with this level of oversight. Again, based upon the NERC model, the crafters expect the WRRO to be funded from dues and fees from the covered water systems. Those fees will come on top of the costs of implementing the new cybersecurity requirements established by the WRRO. Since the vast majority of these systems are small, municipal-controlled systems, they are going to have a hard time funding required cybersecurity upgrades, much less the dues and fees assessed by the WRRO.

On a side note, this idea has some support in the water sector. In fact, the idea traces back at least as far as the American Water Works Association. You can see a brief look at their interpretation of the idea in an article on ACSH.org from May of last year. Needless to say, the AWWA will almost certainly support this bill.

 

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-7922-introduced - subscription required.

Thursday, April 25, 2024

Short Takes – 4-25-24

Dairy Cows Transported Between States Must Now Be Tested for Bird Flu. NYTimes.com article (free link). Pull quote: “While testing more cows is critical, so is reducing the risk of infection among dairy workers regularly exposed to fresh milk now thought to contain extensive virus, said Seema Lakdawala, a virologist at Emory University.”

GPT-4 Can Exploit Most Vulns Just by Reading Threat Advisories. DarkReading.com article. Pull quote: “With only their security advisories to go on, the AI agent was tasked with exploiting each bug in turn. The results of this experiment painted a stark picture. Of the 10 models evaluated — including GPT-3.5, Meta's Llama 2 Chat, and more — nine could not hack even a single vulnerability. GPT-4, however, successfully exploited 13, or 87% of the total.”

Boeing and NASA decide to move forward with historic crewed launch of new spacecraft. CNN.com article. Pull quote: ““This is an important capability for NASA. We signed up to go do this, and we’re gonna go do it and be successful at it,” Nappi said Thursday. “I don’t think of it in terms of what’s important for Boeing as much as I think of it as in terms of what’s important for this program.””

Macron’s Olympics terror nightmare. Politico.eu article. Pull quote: “The worst-case scenario, according to Regul, would be a coordinated cyber and terror attack, with the digital attack taking out crucial security or surveillance systems.”

CG Report for 2023 Cyber Trends in Maritime Environment

I ran into an interesting article over on IndustrialCyber.co looking at the recently released report from the Coast Guard Cyber Command. That report, “2023 Cyber Trends and Insights in the Marine Environment Report”, takes a look at last years trends in maritime cybersecurity. It is a 60-page report with lots of detail, so it is well worth reading. And Anna Ribeiro’s article provides a good overview.

The report includes a fairly detailed discussion (pgs 16-20) about the techniques that Cyber Protection Team (CPT) members used to gain entry to systems during their cybersecurity assessments. Nothing really fancy, certainly no 0-day exploits; just solid application of cybersecurity knowledge.

The discussion about strengthening OT networks (pgs 24-28), while short is illuminative. The Cyber Command authors identify the “three common vulnerabilities present in almost every OT network” the CPT assessors looked at:

• Improperly segmented networks,

• End-of-life software, and

• Use of legacy protocols.

The OT hardening discussion then focuses on how to fix those issues first. Not a bad idea for any OT system.

The final thing I want to point out in the report is Appendix C, “Known Exploitable Vulnerabilities Detected on Cpt Missions”. This appendix lists the vulnerabilities found during CPT missions that are listed in CISA’s Known Exploited Vulnerability (KEV) Catalog. The number of KEV’s found is remarkably small, but that is more than made up for how old some of them are. The oldest KEV reported by the CPT’s in the wild is an “Apache HTTP Server-Side Request Forgery (SSRF)” - CVE-2012-1823. Even being over a decade old, the CG cyber personnel found two incidences of this vulnerability available for attack.

This is a unique look at cybersecurity in the wild, well worth the read even if you have nothing to do with the maritime domain. 

Review – 4 Advisories and 4 Updates Published

Today, CISA’s NCCIC-ICS published four control system security advisories for products from Honeywell, Siemens and Hitachi Energy (2). They also updated advisories for products from Mitsubishi (2), Rockwell and Chirp Systems.

Advisories

Honeywell Advisory - This advisory describes 16 vulnerabilities in multiple Honeywell products.

Siemens Advisory - This advisory discusses a command injection vulnerability {that is listed on CISA’s Known Exploit Vulnerabilities (KEV) Catalog} in the Siemens RUGGEDCOM APE1808 application hosting platform.

Hitachi Energy Advisory #1 - This advisory describes two vulnerabilities in the Hitachi Energy MACH SCM product.

Hitachi Energy Advisory #2 - This advisory describes two unrestricted upload of files with dangerous type vulnerabilities in the Hitachi Energy RTU500 Series.

Updates

Mitsubishi Update #1 - This update provides additional information on the MELSEC Series CPU Module advisory that was originally published on May 23rd, 2023 and most recently updated on March 14th, 2024.

Mitsubishi Update #2 - This update provides additional information on the MELSEC iQ-R Series/iQ-F Series advisory that was originally published on June 6th, 2023.

Rockwell Update - This update provides additional information on the 5015-AENFTXT advisory that was originally published on April 11th, 2024.

Chirp Systems Update - This update provides additional information on the Chirp Access advisory that was originally published on March 7th, 2024 and most recently updated on April 23rd, 2024.

 

For more information on the these advisories, including a brief commentary on the Chirp Systems update, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-and-4-updates-published - subscription required. 

Review - S 4045 Introduced – East Palestine Health Monitoring

Last month, Sen Vance (R,OH) introduced S 4045, the East Palestine Health Impact Monitoring Act of 2024. The bill would require HHS to conduct a study on the health effects of the 2023 East Palestine, OH train derailment. The bill would authorize $2 million per year through 2028 for the study.

Moving Forward

While Vance is not a member of the Senate Health, Education, Labor, and Pensions Committee to which this bill was assigned for consideration, one of his three cosponsors {Sen Casey (D,PA)} is a member. This means that there may be sufficient influence to see this bill considered in Committee. I would expect to see some Republican opposition to this bill because the results of such a study would likely be used to justify additional lawsuits against Norfolk Southern, the railroad involved in the incident. Still I expect that the bill would have sufficient bipartisan support to pass in Committee. I do not expect to see this bill reach the floor of the Senate, though its language could be expected to be offered as an amendment to the DOT spending bill or transportation authorization bill.

Commentary

This is a little bit late (but better late than never) to be starting this sort of post-accident health effects study. To be most effective, this should start within hours or days of the incident. That cannot, of course, happen if we need to rely on the local congressional delegation to put together study legislation and attempt to push it through Congress each time such accidents happen. There should be statutes in place to require the EPA, DOT, and HHS to conduct such studies any time there a significant chemical release occurs. DOT should fund studies for transportation related incidents and the EPA for fixed site accidents.

 

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-4045-introduced - subscription required.

Review - S 3773 Introduced – HHS Cybersecurity Testing

In February, Sen Rubio (R,FL) introduced S 3773, the Strengthening Cybersecurity in Health Care Act. The bill would require the Health and Human Service Department Inspector General to conduct penetration tests and other testing procedures to determine how systems processing, transmitting, or storing mission critical or sensitive data by, for, or on behalf of the Department is currently, or could be compromised. No new funding is provided by the bill.

Moving Forward

While Rubio is not a member of the Senate Health, Education, Labor, and Pensions Committee to which this bill was assigned for consideration, one of his three cosponsors {Sen Hassan (D,NH)} is a member. This means that there may be sufficient influence to see the bill considered in Committee. I do not see anything that would engender any organized opposition to the bill. I suspect that there would be some level of bipartisan support for the legislation if it were considered.

This bill is not politically important enough to consume the time necessary for consideration in the Senate under regular order. This bill might be able to pass under the Senate’s unanimous consent process, but that process always faces the potential for opposition unrelated to the provisions of the bill. This bill is well suited to being included in the annual HHS spending bill and Rubio, a member of the Senate Appropriations Committee, is well placed to see that happen.

Commentary

HHS has little in the way of internal clinics that might be affected by such testing, so it is unlikely that there will be any medical devices covered by the requirements of this bill. I really mention it here because of the unique requirement for IG cybersecurity testing. This is well within the scope of operations of inspectors general, if probably outside of the existing skill sets for those organizations. While not wishing to CISA’s prominence in government cybersecurity efforts diminished, I think that this might be a good requirement for each inspector general office in the federal government. And it might provide an interesting internal skill set that could be used in other IG investigations.

 

For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-3773-introduced - subscription required.

Short Takes – 4-25-24 – Space Geek Edition

A NASA rover has reached a promising place to search for fossilized life on Mars. Phys.org article. Pull quote: “Mars sample return remains NASA's highest planetary science priority and is strongly supported by the planetary science community around the world. The samples from Perseverance may revolutionize our view of life in the universe. Even if they don't contain fossils or biomolecules, they will fuel decades of research and give future generations a completely new view of Mars. Let's hope NASA and the US government can live up to the name of their rover, and persevere.”

SpaceX’s Special Starship Cargo Lander Capacity Revealed By NASA Ahead Of Fourth Starship Test. WCCFTech.com article. Pull quote: “In a press release, NASA outlined that the cargo landers, part of the original HLS award will land on the Moon starting from the Artemis 7 mission. The Artemis 7 was slated to land on the Moon in 2030 according to a NASA manifest from 2022 - before the space agency moved its timeline for the Artemis 2 mission forward by a year. Artemis 2 will be the first time humans will venture to the Moon since the Apollo program, and the mission was initially slated to launch this year.”

China's Tiangong space station damaged by debris strike. Space.com article. Pull quote: “"The space station's core module Tianhe had suffered a partial loss of power supply due to the impact of the space debris on the solar wing's power cables," Xinhua reported, paraphrasing CMSA deputy director Lin Xiqiang.”

China on track for crewed moon landing by 2030, space official says. SpaceNews.com article. Pull quote: “Lin added that astronaut training for the mission includes mastering operation of the Mengzhou and Lanyue spacecraft, including in normal and emergency flight conditions. Rendezvous and docking and manually avoiding obstacles during the lander’s descent were noted as part of the training. Other activities include entering and exiting the lander, working in one-sixth of Earth’s gravity, long-range lunar roving, drilling, sampling and other scientific work on the lunar surface.”

Companies offer proposals for Apophis asteroid missions. SpaceNews.com article. Pull quote: “Scientists, though, are interested in sending additional missions to Apophis, particularly those that would fly by or orbit the asteroid before the flyby so that researchers can better the understand what impact tidal forces from the flyby might have on the asteroid. Several such mission concepts were discussed during an April 22–23 workshop at a European Space Agency center in The Netherlands.”

Major changes approved for ClearSpace-1 mission. SpaceNews.com article. Pull quote: ““On 10 August, 2023, a collision involving our original target increased the risk of capture and induced the spinning of the object,” ClearSpace CEO Luc Piguet told SpaceNews by email. “This made it more difficult to capture and added complexity to the mission as the goal is to remove debris completely.””

Wednesday, April 24, 2024

Short Takes – 4-24-24

E. coli engineered to become methanol addict to make industry feedstocks. ChemistryWorld.com article. A little biochem geeky stuff. Pull quote: “Lead author Julia Vorholt at ETH Zurich says the first step was to get E. coli ‘addicted’ to methanol. ‘If you make a mutation in a certain gene then [E. coli] needs to make a little bit of biomass for some specific compounds from methanol,’ she explains. Leaving the bacteria to grow in a bioreactor with just enough carbon to survive and an abundance of methanol favours those that can use alcohol. Natural selection takes over and bacteria which thrive using methanol outcompete the others until eventually E. coli has evolved the same fixation cycle seen in other methylotrophs.”

America’s crisis of repetition is hurting national security. BreakingDefense.com article. Pull quote: “Finally, the challenge of identifying obstacles to implementation is hard — and frankly, not necessarily interesting. It involves detective work: asking questions, knowing processes across government, and understanding funding streams. It requires persistence and takes time. It’s a lot less exciting than coming up with purportedly “new” ideas.”

Artemis Mission: Making NASA’s New Moon Suits. Makezine.com article. Pull quote: “This carefulness is evident when you walk into their sewing labs. The labs are filled with single needle, double needle, off-arm, post, bar-tack, serger, and zig-zag sewing machines, all used for the creation of the suits. In typical clothing factories, the buzz of machines is constant and fast. Axiom’s sewing lab is almost dead silent. Some of the sewers even turn the machines by hand to achieve the level of precision needed.”

Agency Information Collection Activities: CISA Gateway User Registration. Federal Register CISA 60-day ICR renewal/change notice. Changes: “The collection was initially approved on October 9, 2007, and the most recent approval was on December 19, 2023, with an expiration date of June 30, 2024. The changes to the collection since the previous OMB approval include; updating the title of the collection, decrease in burden estimates and decrease in costs The total annual burden cost for this collection has changed by $3,096.40, from $4,128 to $7,224.40 due to the removal of the utilization survey, and the addition of PCIIMS respondents. For the CISA Gateway, the total number of responses has increased from 350 to 700 due to the updated metrics resulting from the awareness campaign and due to the registration process changing which does not include the training registration. The annual government cost for this collection has changed by $8,340.92 from $5,723 to $14,063.92 due to the removal of the utilization survey, and the addition of PCIIMS respondents. The This is a renewal with changes of an information collection.” Comments due June 24th, 2024.

National Security Telecommunications Advisory Committee. Federal Register DHS meeting notice. Agenda: “The NSTAC will meet in an open session on Thursday, May 23, 2024, from 3:15 p.m. to 4:30 p.m. EDT to discuss current NSTAC activities and the government's ongoing cybersecurity and NS/EP communications initiatives. This open session will include: (1) an update on the administration's cybersecurity initiatives; (2) a keynote address;(3) an update on current NSTAC activities; and (4) a status update on the NSTAC Principles for Baseline Security Offerings from Cloud Service Providers Study.”

Sorry, Little Green Men: Alien Life Might Actually Be Purple. ScientificAmerican.com article. Pull quote: “Prior to that, microorganisms generated metabolic energy by harnessing sunlight using a purple-pigmented molecule called retinal, whose origin may have predated chlorophyll. If retinal exists on other faraway worlds, scientists think the molecule's unique fingerprint would be discernible by upcoming ground- and space-based telescopes.”

Monkeypox virus: dangerous strain gains ability to spread through sex, new data suggest. Nature.com article. Pull quote: “Although mpox infections have waned globally since 2022, they have been trending upwards in the DRC: in 2023 alone, the country reported more than 14,600 suspected infections and more than 650 deaths. In September, 2023, a new cluster of suspected cases arose in the DRC’s South Kivu province. This cluster especially concerns researchers, as it has been spreading largely among sex workers, suggesting that the virus has adapted to transmit readily through sexual contact.

Remnants of bird flu virus found in pasteurized milk, FDA says. OCRegister.com article. Pull quote: “Because the detection of the bird flu virus known as Type A H5N1 in dairy cattle is new and the situation is evolving, no studies on the effects of pasteurization on the virus have been completed, FDA officials said. But past research shows that pasteurization is “very likely” to inactivate heat-sensitive viruses like H5N1, the agency added.” While I agree with the theory, I am not a big fan of ‘very likely’ as a scientific statement. And what happens if A H5N1 fragments get into someone with an active flu infection; would we see recombination?

Consideration HR 3935 – FAA Reauthorization –

Yesterday, the Senate resumed consideration of the motion to proceed to consideration of H.R. 3935. Sen Schumer (D,NY) entered a motion to close further debate on the motion to proceed to consideration of the bill. The vote on that cloture motion will take place when the Senate returns on March 30th, 2024, after the vote on the Georgia N. Alexakis nomination.

The Senate actually started this process back in September, but it lead nowhere. At the time there were suggestions that Schumer was going to use the bill as a vessel for consideration of a clean continuing resolution while the House was trying to sort out how to proceed on the spending bills under Rep McCarthy (R,CA). At that time there had been one anti-Ukraine amendment submitted by Sen Vance (R,OH).

No new amendments have been submitted yet for consideration during the actual debate on HR 3935. The first amendment will almost certainly come from Sen Cantwell (D,WA) offering the reported version of S 1939 as substitute language for HR 3935. Additional amendments will be submitted, and some will be considered.

As I noted in a post on S 1939 there is an interesting counter-UAS provision in the Senate bill:

Section 811 would amend 49 USC Chapter 448 by adding a new § 44813 Unmanned aircraft system detection and mitigation enforcement. The new section would prohibit anyone (other than certain government agencies and employees) from operating “a system or technology to detect, identify, monitor, track, or mitigate an unmanned aircraft or unmanned aircraft system in a manner that adversely impacts or interferes with safe airport operations, navigation, or air traffic services, or the safe and efficient operation of the national airspace system.” The term “adversely impacts or interferes with’ is not defined. Violators would be subject to a civil penalty of not more than $25,000 per violation. This prohibition would terminate on September 30, 2028.”

Review - CSB Updates Accidental Release Reporting Data – 4-19-24

Yesterday in preparation for their quarterly business meeting tomorrow, the CSB updated their published list of reported chemical release incidents. They added 26 new incidents that occurred since the previous version was published in January and inserted eight ‘new’ incidents that occurred before January. These are not incidents that the CSB is investigating, these are incidents that were reported to the CSB under their Accidental Release Reporting rules (40 CFR 1604).

The table below shows the top four states based upon the number of reported incidents since the January update was published.

 

For more details on the new information in the database, including a new top ten chemical incident States list, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-updates-accidental-release-reporting-fae - subscription required.

Tuesday, April 23, 2024

Short Takes – 4-23-24

Russia-linked hacking group claims to have targeted Indiana water plant. CNN.com article. Pull quote: ““While the video is sensational, the actions taken by the threat actor are amateur and would amount to a minor annoyance for plant operators,” Fabela, who is CEO of Infinity Squared Group, a consulting firm, told CNN.”

A powerful volcano is erupting. Here’s what that could mean for weather and climate. CNN.com article. Pull quote: “In comparison, satellite instruments have estimated Mount Ruang has released an around 300,000 tons of sulfur dioxide so far [compared to 17 million tons in 1991 Mount Pinatubo eruption] , though it’s unclear how much of that plume made it into the stratosphere. While that amount is quite massive in its own right, it falls well short of the most extreme case, according to Huey.”

Could Trump Go to Prison? If He Does, the Secret Service Goes, Too.  Pull quote: “Former corrections officials said there were several New York state prisons and city jails that have been closed or partly closed, leaving wings or large sections of their facilities empty and available. One of those buildings could serve to incarcerate the former president and accommodate his Secret Service protective detail.”

FEMA is making an example of this Florida boomtown. Locals call it ‘revenge politics’. GovExec.com article. Pull quote: “Even if Lee County manages to contest the decision, homeowners in Southwest Florida are almost guaranteed to suffer more financial pain as a result of this enforcement effort. If FEMA stays the course and removes the discount, it will raise flood insurance costs for homeowners in unincorporated parts of the county between $14 and $17 million per year, equating to a $300 annual hit for each flood insurance customer in the area. But if Lee County cracks down on the 50% rule and FEMA restores the discount, homeowners who rebuilt in flood zones may have to spend hundreds of thousands of dollars to elevate their homes.”

Stars and Stripes Media Organization. Federal Register DOD proposed rule. Summary: “This rulemaking proposes to update authorities and responsibilities for the Stars and Stripes Media Organization (often abbreviated as Stripes) to reaffirm its editorial independence in providing media products not only to military service members and DoD civilian employees, but to U.S. veterans, families of veterans and current service members, and contractor personnel, particularly those serving overseas, based on changes in the consumption of news and information in a digital age. It additionally proposes to remove internal operational procedures of the Stars and Stripes Media Organization that do not require rulemaking under the Administrative Procedure Act.” Comments due June 24th, 2024.

DC3 and DCSA Partner to Announce Vulnerability Disclosure Program for Defense Industrial Base. GovDelivery.com press release. Pull quote: “Through operational agreements and strategic partnerships, DC3 and the DCSA routinely collaborate on ways to share information security data. DoD VDP vulnerability reporting is shared with DoD system owners on the Joint Force Headquarters-DoD Information Networks via the Vulnerability Report Management Network (VRMN). A parallel system, DIB VRMN, employs the same efficient and automated approach while ensuring that DIB data is tracked and held separately from DoD data. Implementation of a DIB-VDP is the most effective means of sharing DIB-sourced vulnerabilities with DIB companies. It promotes timely mitigation of identified vulnerabilities on DIB company internet-facing information systems. This enables vulnerability remediation in DIB companies at a much earlier point than in traditional vulnerability management efforts.”

Green Roofs Are Great. Blue-Green Roofs Are Even Better. Wired.com article. Pull quote: “The water levels in the blue-green roof are managed by a smart valve. If the weather forecast says a storm is coming, the system will release stored water from the roof ahead of time. That way, when a downpour comes, the roof refills, meaning there’s less rainwater entering the gutters and sewers in the surrounding area. In other words, the roof becomes a sponge that the operator can wring out as needed. “In the ‘squeezable’ sponge city, you make the whole city malleable,” says Spaan.”

Rooftop solar panels are flooding California’s grid. That’s a problem. WashingtonPost.com article. Pull quote: “But a year ago, the state changed this system, known as “net-metering,” and now only compensates new solar panel owners for how much their power is worth to the grid. In the spring, when the duck curve is deepest, that number can dip close to zero. Customers can get more money back if they install batteries and provide power to the grid in the early evening or morning.”

A rapid shift in ocean currents could imperil the world’s largest ice shelf. ScienceNews.org article. Pull quote: “These findings come at an ominous time. Even as sea ice shrank in the Arctic, it remained stable around Antarctica for decades. But Antarctic sea ice has declined steeply since 2017, especially near the Ross Ice Shelf. Scientists recently reported that the cold, salty waterfall to the Antarctic seafloor is already starting to slow. This is “alarming,” Lowry says. We now know that the ice shelf can easily switch from cold to warm. “The question is, are we observing the switch?””

Review – 2 Updates Published – 4-23-24

Today, CISA’s NCCIC-ICS published updates for two control system security advisories for products from Chirp Systems and Mitsubishi Electric.

Updates

Chirp Systems Update - This update includes additional information on an advisory that was originally published on March 7th, 2024.

Mitsubishi Update - This update includes additional information on an advisory that was originally published on February 20th, 2024.

 

For more information on these updates, including a summary of the changes made, and a brief look at the Chirp Systems negative response to the advisory, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-updates-published-4-23-24 - subscription required.

Monday, April 22, 2024

Short Takes – 4-22-24

Syphilis case increase sparks Colorado public health order. TheHill.com article. Pull quote: ““People should know that this is a treatable disease for adults. A course of penicillin generally does the trick. Some adults have very mild symptoms, there’s a lack of diagnosis, others who were symptomatic and treated with penicillin,” Polis said. “But the real danger here is for newborns.””

Suddenly micro-factories are real ... with prices starting at $300,000. NewAtlas.com article. Pull quote: ““There is an urgent need for affordable low-energy homes, but building high-quality, sustainable timber homes is hard to scale, and AUAR intends to change that. Robots and AI allow us to deliver high-quality housing at significantly lower costs, increasing margins and productivity while lowering the cost for the end users. By using our solution, construction companies can hit their sustainability targets at a cost they are comfortable with.””

Trial attention: don’t let a pecker distract from more important stories. EmptyWheel.net post. Pull quote: “All of which is my way of saying: beware of letting this trial drown out more important events. Yes, it is unprecedented to see Trump subjected to discipline. But this trial is sucking up far, far too much attention that might better be directed elsewhere — and all that attention is one of the reasons why jury and witness tampering are such a risk.”

Biomanufacturing isn’t cleaning up chemicals. CEN.ACS.org article. Shooting for the Moon too early in the technology development process. Pull quote: “But will this renewed enthusiasm for synthetic biology yield a different result? While biomanufacturing companies have already found niches for some expensive products, doubters say it might take decades before fermentation-derived molecules are cheap enough to replace oil-derived commodities. And they warn that without policies forcing the petrochemical industry to account for the health and environmental costs of its carbon emissions, fermentation may never displace fossil fuels.”

NASA's Voyager 1 spacecraft finally phones home after 5 months of no contact. Space.com article. Pull quote: “By Saturday (April 20), however, the team confirmed their modification had worked. For the first time in five months, the scientists were able to communicate with Voyager 1 and check its health. Over the next few weeks, the team will work on adjusting the rest of the FDS software and aim to recover the regions of the system that are responsible for packaging and returning vital science data from beyond the limits of the solar system.”

Astronomers Find Evidence Of A Massive Object Beyond The Orbit Of Neptune. IFLScience.com article. Pull quote: “Carrying out simulations to try and discover what best explains the orbits of these objects, the team found that a model that includes a massive planet beyond the region of Neptune explained the steady state of these objects much better than in simulations where planet 9 was not included. In the model, the team included other variables, such as the galactic tide and the gravitational influence of passing stars.”

Bird Flu Is Infecting More Mammals. What Does That Mean for Us? NYTimes.com article. Pull quote: “Government leaders are typically cautious, wanting to see more data. But “given the rapid speed at which this can spread and the devastating illness that it can cause if our leaders are hesitant and don’t pull the right triggers at the right time, we will be caught flat-footed once again,” Dr. Bright said.”

Review - S 3943 Introduced – ANCHOR Act

Last month, Sen Padilla (D,CA) introduced S 3943, the Accelerating Networking, Cyberinfrastructure, and Hardware for Oceanic Research (ANCHOR) Act. The bill would require the National Science Foundation (NSF) to submit a plan to improve the cybersecurity and telecommunications of the Academic Research Fleet. No new funding is authorized by the legislation. The bill is very similar to HR 7630. That bill was adopted without amendment by the House Science, Space, and Technology Committee on March 20th, 2024.

Differences From HR 7630

The major difference from the House bill is that Section 4 of the earlier bill is absent in the Senate version. That section authorized NSF to support cybersecurity upgrades described in the plan required in §3. Section 4 would have also required a report to Congress on progress made on the implementation of the plan.

Moving Forward

While Padilla is not a member of the Senate Commerce, Science, and Transportation Committee to which this bill was assigned for consideration, two of his three cosponsors are members. This means that there could be sufficient influence to see this bill considered in Committee. I see nothing in this bill, especially since it contains no new funding or regulatory requirements, that would engender any organized opposition to the legislation. I suspect that there would be bipartisan support for the bill. Unfortunately, this is yet another bill that is not politically important enough to take up the time to considered by the full Senate. If this bill is to move forward, it would need to be considered under the unanimous consent process (a politically fraught process) or be included in some larger, more politically necessary bill.

 

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-3943-introduced - subscription required.

Short Takes – 4-22-24 – Space Geek Edition

Dragonfly: NASA Just Confirmed The Most Exciting Space Mission Of Your Lifetime. Forbes.com article. Pull quote: “Titan is the only other world in the solar system other than Earth that has weather and liquid on its surface. It has an atmosphere, rain, lakes, oceans, shorelines, valleys, mountain ridges, mesas and dunes—and possibly the building blocks of life itself. It’s been described as both a utopia and as deranged because of its weird chemistry.”

NASA reveals 'glass-smooth lake of cooling lava' on surface of Jupiter's moon Io. LiveScience.com article. Pull quote: “The new images show Loki Patera, a 127-mile-long (200 km) lava lake on Io's surface. Scientists have been observing this lava lake for decades. It sits over the magma reservoirs under Io's surface. The cooling lava at the center of the lake is ringed by possibly molten magma around the edges, Scott Bolton, principal investigator  for the Juno mission, said during a news conference Wednesday (April 16) at the European Geophysical Union General Assembly in Vienna.”

Starship Faces Performance Shortfall for Lunar Missions. AmericaSpace.com article. Pull quote: “This is likely what happened to Starship.  To mitigate the risk that one exploding Raptor engine might cause a cascade of failures, SpaceX installed extra shielding around each of the 33 motors on the Super Heavy booster.  In addition, it installed a steel “hot staging” ring between the booster and the ship, which allows the latter to ignite its engines while the two stages are still attached.  It is worth noting that this component was supposed to increase the performance of the vehicle by 10%; SpaceX has not disclosed whether those gains were realized.  Other additions to the vehicle included components which mitigated the propellant leaks which partially contributed to the failure of the first test flight.  Each additional gram of mass ate into Starship’s payload capacity.”

America's Next Great Space Station Gets a Vote of Support from Japan. Fool.com article. Pull quote: “Of the three teams discussed, the most "international" of the teams vying to replace the International Space Station is Voyager's. In addition to American aerospace company Northrop, Voyager's team also includes the European aerospace champion Airbus. As of last week, it will also include an industrial leader from Japan: As the companies announced earlier this month, Japan's Mitsubishi Corporation (MSBHF 1.65%) is taking an equity stake in the Starlab project.”

Senate Began Consideration HR 3935 – FAA Reauthorization

On Friday, the Senate began debate on the consideration of HR 3935, the Securing Growth and Robust Leadership in American Aviation Act. That debate continued on Saturday. Debate will resume on Tuesday. No amendments have been submitted. No real action will occur until the Senate comes back from their upcoming recess on April 29th.

Saturday, April 20, 2024

CISA Publishes ‘Secure Your Chemicals: Potential Threats’

Recently, CISA added a new infographic to their stable of publications supporting the two agency chemical security programs, the currently inactive Chemical Facility Anti-Terrorism Standards (CFATS) program and the voluntary ChemLock program. The new “SECURE CHEMICALS: POTENTIAL THREATS” page shows a brief overview of the potential threats to chemical facilities. The page notes that:

“By considering the potential avenues of attack and approaching security holistically, facility owners and operators can choose cost-effective, efficient security measures that work best to protect their dangerous chemicals from the threats and hazards most likely to occur at their facility.”

Chemical Incident Reporting – Week of 4-13-24

NOTE: See here for series background.

Moosic, PA – 4-15-24

Local news reports: Here, here, and here.

Ammonia storage tank leak at food processing facility. 14 transported to hospital for ammonia exposure.

Possible CSB reportable if any of the patients were admitted to the hospital.

Naperville, IL – 4-15-24

Local news reports: Here, here, and here.

One-gallon ammonia spill in restaurant basement. 1 person transported to hospital for ammonia exposure.

Possible CSB reportable if the patient was admitted to the hospital.

Walker County, AL – 4-16-24

Local news reports: Here, here, and here.

A tank truck overturned in an apparent single-vehicle accident. It caught fire and exploded. The truck was destroyed and the driver killed. No reports about what the truck was hauling.

Not CSB reportable, transportation related accident not fixed site.

Galena Park, TX – 4-19-24

Local news reports: Here, here, here, and here.

Flash fire at rail loading site of refinery. Three contractors transported to hospital for burns. One report notes that injured were treated and released from hospital.

Probably not CSB reportable. Very little damage from flash fire and injured were apparently not admitted to hospital.

GAO Reports – Week of 4-13-24 – Federal Cybersecurity EO Actions

This week, the Government Accountability Office (GAO) published a report on “Cybersecurity - Implementation of Executive Order Requirements Is Essential to Address Key Actions”. The report looks at the implementation of EO 14028 in CISA, NIST, and OMB.

The table below shows the GAO’s assessment of EO 14028 leadership and oversight requirements (see Appendix III of the report for description of the individual requirements):

Executive Order Section

Number of requirements that are:

Fully complete

Partially complete

Not complete

Not applicable

Removing Barriers to Sharing Threat Information

6

1

Modernizing Federal Government Cybersecurity

8

Enhancing Software Supply Chain Security

16

1

Establishing a Cyber Safety Review Board

6

1

Standardizing Playbook for Responding to Cybersecurity Vulnerabilities and Incidents

4

1

Improving Detection of Cybersecurity Vulnerabilities and Incidents

7

1

Improving the Federal Government's Investigative and Remediation Capabilities

2

1

Total

49

5

1

The report makes a total of five recommendations (pg 44), two for DHS and three for the OMB:

• The Secretary of Homeland Security should direct the Director of CISA to issue, in a timely manner, its list of software and software product categories that are considered critical software. (Recommendation 1)

• The Secretary of Homeland Security, through the Director of the CISA, should direct the Cyber Safety Review Board to document steps taken or planned to implement the recommendations provided to the President for improving the board’s operations. (Recommendation 2)

• The Director of OMB should demonstrate that the office has conducted, with pertinent federal agencies, cost analyses for the implementation of recommendations related to the sharing of threat information, as defined in the order. (Recommendation 3)

• The Director of OMB should demonstrate that the office has coordinated with pertinent federal agencies regarding resourcing needs for the implementation of an endpoint detection and response capability, as defined in the order. (Recommendation 4)

• The Director of OMB should demonstrate that the office has coordinated with pertinent federal agencies regarding resourcing needs for logging, log retention, and log management capabilities, as defined in the order. (Recommendation 5)

 
/* Use this with templates/template-twocol.html */