OMB Approves FAR Software Supply Chain Security NPRM

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a notice of proposed rulemaking for the Federal Acquisition Regulation on “Federal Acquisition Regulation (FAR); FAR Case 2023-002, Supply Chain Software Security”. This NPRM was sent to OIRA on March 9^th, 2024.

According to the Fall 2023 Unified Agenda entry for this rulemaking:

“This rule will require suppliers of software available for purchase by Federal agencies to comply with, and attest to complying with, applicable secure software development practices.  This rule is being issued in accordance with section 4(n) and 4(k) of the Executive Order 14028 [link added] titled "Improving the Nation's Cybersecurity” and Office of Management and Budget Memorandum 22-18 and 23-16 [links added].”

Sounds like another use for CISA’s Software Attestation form….

EPA Sends PCE TSCA Final Rule to OMB

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a final rule form the EPA on Perchloroethylene (PCE); Regulation under the Toxic Substances Control Act (TSCA). The notice of proposed rulemaking for this action was published on June 16^th, 2023.

According to the Fall 2023 Unified Agenda entry for this rulemaking:

“On June 16, 2023, EPA proposed a rule under the Toxic Substances Control Act (TSCA) to address the unreasonable risk of injury to health from perchloroethylene (PCE). TSCA requires that EPA address by rule any unreasonable risk identified in a TSCA risk evaluation and apply requirements to the extent necessary so the chemical no longer presents unreasonable risk. PCE is a widely used solvent in a variety of occupational and consumer applications including fluorinated compound production, petroleum manufacturing, dry cleaning, and aerosol degreasing. EPA determined that PCE presents an unreasonable risk of injury to health due to the significant adverse health effects associated with exposure to PCE, including neurotoxicity effects from acute and chronic inhalation exposures and dermal exposures, and cancer from chronic inhalation exposures to PCE. TSCA requires that EPA address by rule any unreasonable risk of injury to health or the environment identified in a TSCA risk evaluation and apply requirements to the extent necessary so the chemical no longer presents unreasonable risk. PCE, also known as perc and tetrachloroethylene, is a neurotoxicant and a likely human carcinogen. Neurotoxicity, in particular impaired visual and cognitive function and diminished color discrimination, are the most sensitive adverse effects driving the unreasonable risk of PCE, and other adverse effects associated with exposure include central nervous system depression, kidney and liver effects, immune system toxicity, developmental toxicity, and cancer. To address the identified unreasonable risk, EPA proposed to prohibit most industrial and commercial uses of PCE; the manufacture (including import), processing, and distribution in commerce of PCE for the prohibited industrial and commercial uses; the manufacture (including import), processing, and distribution in commerce of PCE for all consumer use; and, the manufacture (including import), processing, distribution in commerce, and use of PCE in dry cleaning and related spot cleaning through a 10-year phaseout. For certain conditions of use that would not be subject to a prohibition, EPA also proposed to require a PCE workplace chemical protection program that includes requirements to meet an inhalation exposure concentration limit and prevent direct dermal contact. EPA also proposed to require prescriptive workplace controls for laboratory use, and to establish recordkeeping and downstream notification requirements. Additionally, EPA proposed to provide certain time-limited exemptions from requirements for certain critical or essential emergency uses of PCE for which no technically and economically feasible safer alternative is available. The Agency’s development of this rule incorporated significant stakeholder outreach and public participation, including public webinars and over 40 external meetings as well as required Federalism, Tribal, and Environmental Justice consultations and a Small Businesses Advocacy Review Panel. EPA's risk evaluation for PCE, describing the conditions of use is in docket EPA-HQ-OPPT-2019-0502, with the 2022 unreasonable risk determination and additional materials in docket EPA-HQ-OPPT-2016-0732.”

I am unlikely to cover this rulemaking in any detail. It’s publication, however, will be noted in the appropriate ‘Short Takes’ post. 

Transportation Chemical Incidents – Week of 4-27-24

Reporting Background

See this post for explanation, with the most recent update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

Incidents Summary

• Number of incidents – 471 (403 highway, 66 air, 2 rail, water 0)

• Serious incidents – 1 (1 Bulk release, 0 evacuation, 2 injury, 0 death, 0 major artery closed, 1 fire/explosion). The ‘fire’ incident was for a damaged cell phone on an aircraft that was treated as a fire risk because it was ‘bulging’, there was no actual fire. NOTE: There were actually two ‘fire’ incident entries in the database this week, but they were for the same incident.

• Largest container involved – 31,770-gal DOT 111A100W railcar {Heptanes} Damaged manway gasket. 1-gal leaked.

• Largest amount spilled – 6,000-gal (Other Regulated Substances, Liquid, N.O.S.) Valve damaged. Very limited data available.

NOTE: Links above are to the Form 5800.1 for the described incidents.

Most Interesting Chemical: Tetraethyl Silicate: A clear colorless liquid with a faint odor. Flash point 99°F. Less dense than water. Vapors are heavier than air. Inhalation of vapor causes eye and nose irritation, unsteadiness, tremors, salivation, respiratory difficulty, and unconsciousness. In confined spaces this could become an asphyxiation risk.

NOTE: This reporting is being moved from Saturday to Friday so that I can provide incident report links.

 

Short Takes – 5-30-24

Researchers in Pittsburgh discover large source of lithium in Pennsylvania. CBSNews.com article. Dissolved lithium in waste water from fracking operations. Pull quote: “"This is lithium concentrations that already exist at the surface in some capacity in Pennsylvania, and we found that there was sufficient lithium in the waters to supply somewhere between 30 and 40 percent of the current U.S. national demand," said Justin Mackey, research scientist the National Energy Technology Laboratory and PhD student at Pitt.” See journal article here for details.

Exxon Mobil Entering Lithium Market. ChemicalProcessing.com article. Pull quote: “To help meet demand for electric vehicles and the lithium required to power them, ExxonMobil plans to become a leading supplier of lithium using a modern process that has less environmental impact than traditional mining. Exxon's lithium extraction process is expected to have up to two-thirds less carbon intensity than hard-rock mining.”

Successful engine test boosts Vega-C toward return-to-flight. Phys.org article. Pull quote: “A second firing-test will be conducted after the summer to confirm the data collected today. Avio engineers will review the data from the first test to prepare for a second test in October that will then qualify the second stage Zefiro-40 solid rocket motor for a return-to-flight by the end of 2024 from Europe's Spaceport in French Guiana.”

Iceland volcano eruption throws spectacular 160-foot-high wall of lava toward Grindavík. LiveScience.com article. Pull quote: “This is the eighth eruption on the peninsula since March 2021 and the fifth since December 2023. The last eruption continued for 54 days, from March 16 to May 8, 2024. That eruption produced lava flows that narrowly missed Grindavík and a giant plume of toxic gas that traveled hundreds of miles across northern Europe.”

OPM reminds agencies of burrowing rules ahead of election season. GovExec.com article. Pull quote: “A GAO audit of political appointee burrowing between 2016 and January 2021—covering the end of the Obama administration and the entirety of the Trump administration—found that OPM denied roughly 20% of burrowing requests. But 23% of conversions—37 in total—were implemented prior to asking OPM’s permission, in contravention of government policy, of which 10 hires were ultimately deemed improper, requiring agencies to take steps to address OPM’s concerns.”

Biden secretly gave Ukraine permission to strike inside Russia with US weapons. Politico.com article. Pull quote: ““The president recently directed his team to ensure that Ukraine is able to use U.S. weapons for counter-fire purposes in Kharkiv so Ukraine can hit back at Russian forces hitting them or preparing to hit them,” one of the U.S. officials said, adding that the policy of not allowing long-range strikes inside Russia “has not changed.””

Bird flu confirmed in third farmworker: CDC. TheHill.com article. Pull quote: ““The respiratory symptoms we’re seeing in this individual are what we expected. This is after all, a respiratory virus that is known to cause respiratory systems, symptoms that are well known and symptoms that we are on the lookout for,” Nirav Shah, CDC’s principal deputy director told reporters Thursday.”

ACC Worried about Lapse in CFATS Protection. PowderBulkSolids.com article. Continued industry support for expired CFATS program. Pull quote: “American Chemistry Council President & CEO Chris Jahn believes that US chemical facilities are vulnerable to attack and that Congress must act to secure them before terrorists strike, due to the lapse in the Chemical Facility Anti-Terrorism Standards program as of last July. Below, Jahn writes on why CFATS is necessary — and why the US cannot survive without it.”

Rocket ‘Sandblasts’ Could Pose Major Risk on Moon, New Studies Warn. ScientificAmerican.com article. Pull quote: “Although this may seem like a minor technical revision, it has huge implications for how lunar blast radii are calculated. In one of the new studies, Metzger tested his new theory against footage of the Apollo 16 moon landing that was filmed out of one of the lander’s windows. He found that his theory nicely explained how the dust flung out by the lander’s rocket exhaustduring descent blocked the crew’s view of nearby craters. But his calculations also imply that the Apollo 16 lander flung out between 11 and 26 metric tons of lunar soil—an amount at least four times larger than previous estimates, with much of the remaining uncertainty tied to the soil’s poorly constrained properties.”

Review – 6 Advisories and 1 Update Published – 5-30-24

Today, CISA’s NCCIC-ICS published four control system security advisories for products from Westermo, Inosoft, Fuji Electric, and Carrier. They also updated an advisory for products from Mitsubishi Electric. Finally, they published two medical devices security advisories for products from Baxter.

NIST published a brief update on the status of the problems with the National Vulnerability Database (NVD).

Advisories

Westermo Advisory - This advisory describes two vulnerabilities in the Westermo EDW-100 Serial to Ethernet converter.

Inosoft Advisory - This advisory describes an incorrect default permissions vulnerability with known exploit in the Inosoft VisiWin HMI.

Fuji Advisory - This advisory describes two vulnerabilities in the Fuji Monitouch V-SFT screen configuration software.

Carrier Advisory - This advisory describes three vulnerabilities in the Carrier LenelS2 NetBox access control and event monitoring system.

Baxter Advisory #1 - This advisory describes a use of default cryptographic key vulnerability in the Baxter Welch Allyn Connex Spot Monitor.

Baxter Advisory #2 - This advisory describes an insufficiently protected credentials vulnerability in the Baxter Welch Allyn Configuration Tool.

Updates

Mitsubishi Update - This advisory provides additional information on the MELSEC iQ-R advisory that was originally published on December 22^nd, 2022 and most recently updated on December 12^th, 2023.

NVD Update

NVD Database Problem Update - Yesterday NIST updated the status of the problem with NVD maintenance issues.

For more information no these advisories, including links to exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/6-advisories-and-1-update-published-fa6 - subscription required.

Short Takes – 5-29-24

Nerve agent powder discovered in passenger's bag at Incheon Airport. KoreaJoongAngDaily.com article. ‘Nerve Agent’ implies weaponized material, should have been described as ‘Organophospate’, still potentially dangerous, but not an attack. Pull quote: “She found unknown materials inside a black pouch in her bag and reported it to police. She told authorities that there were “powdery materials that look like ground coffee.””

Boeing’s Starliner set to launch first crewed flight into space Saturday. TheHill.com article. Pull quote: ““We can handle this particular [helium] leak if that leak rate were to grow even up to 100 times,” said Steve Stich, manager of NASA’s Commercial Crew Program, according to Agence France-Presse (AFP).”

How the pandemic gave power to superbugs. NPR.org article. Pull quote: “Researchers from the National Institutes of Health found that, during the pandemic, hospital-acquired antibiotic-resistant infections jumped 32% when compared with data from just before the pandemic – they leapt from 28 cases out of 10,000 hospitalizations to 38 cases out of 10,000 hospitalizations.”

Pentagon Opens Ammunition Factory to Keep Arms Flowing to Ukraine. NYTimes.com article (free). Pull quote: ““The steady increase of artillery ammunition production is significant for long-term U.S. and Ukrainian needs,” said Michael Kofman, an expert on the Russian military and a senior fellow at the Carnegie Endowment for International Peace, “but even in the best case scenario, I would say those late-2025 output targets will arrive late in this war, and it is likely that Russian artillery output will still be higher than the U.S. and Europe combined at that point.””

NASA's OSIRIS-APEX unscathed after searing pass of sun. Phys.org article. Pull quote: “The spacecraft is in an elliptical orbit around the sun that brings it to a point closest to the sun, called a perihelion, about every nine months. To get on a path that will allow it to meet up with its new target Apophis in 2029, the spacecraft's trajectory includes several perihelions that are closer to the sun than the spacecraft's components were originally designed to withstand.”

Russian experts were guiding North Korea's space program ahead of Pyongyang blowing up its latest satellite: South Korean report. BusinessInsider.com article. Pull quote: “North Korean state media cited a space official saying that preliminary investigations showed the rocket's new liquid oxygen and petroleum engine was to blame. However, he also said there may have been other reasons for the launch failure.”

Review - CSB Updates 6 Recommendations – 5-21-24

Yesterday, the Chemical Safety Board updated their Recent Recommendation Status Updates page to reflect changes that the Board made to the status of various accident investigation recommendations made on May 21^st, 2024. The changes include closing four recommendations.

2019-04-I-PA-R1 Philadelphia Energy Solutions (PES) Refinery Fire and Explosions - EPA,

2017-04-I-MO-R2 Loy Lange Box Company Pressure Vessel Explosion – Loy-Lange Box Co,

 2017-04-I-MO-R3 Loy-Lange Box Company Pressure Vessel Explosion – Loy-Lange Box Co,

2018-02-I-WI-R12 Husky Energy Superior Refinery Explosion and Fire – EPA,

2020-04-I-TX-R1 Wendland 1H Well Fatal Explosion – Chesapeake Operating LLC, and

2011-H-1-R3 Public Safety at Oil and Gas Storage Facilities – OK Corporation Commission.

Comentary

The Board’s action to close 2011-H-1-R3 as Unacceptable Action/No Response Received reflects the legal limitations under which the Board operates. The Board has no regulatory authority and has limited influence to see their recommendations implemented. To be fair, that influence is most effective with facilities who have to convince insurance companies that they are operating in a safe manner; an open CSB recommendation (or even worse, a rejected recommendation) is not going to make that an easy story to sell.

 

For more information on the Board’s actions, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-updates-6-recommendations-5-21 - subscription required.

OMB Approves EPA’s N-Methylpyrrolidone NPRM

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a notice of proposed rulemaking from the EPA on “N-Methylpyrrolidone (NMP); Regulation under the Toxic Substances Control Act (TSCA)”. The NPRM was submitted to OIRA on November 2^nd, 2023.

According to the Fall 2023 Unified Agenda entry for this rulemaking:

“This proposed rulemaking will address the unreasonable risk of injury to health presented by n-methylpyrrolidone (NMP). Section 6(a) of the Toxic Substances Control Act (TSCA) requires EPA to address by rule any unreasonable risk identified in a TSCA section 6(b) risk evaluation by applying requirements to the extent necessary so the chemical no longer presents unreasonable risk. The Agency’s development of this rule incorporates significant stakeholder outreach and public participation, including over 40 external meetings as well as required Federalism, Tribal, and Environmental Justice consultations and a Small Businesses Advocacy Review Panel. EPA's 2020 risk evaluation for NMP, describing its conditions of use is in docket EPA-HQ-OPPT-2019-0236, with the 2022 revised unreasonable risk determination and additional materials in docket EPA-HQ-OPPT-2016-0743.6”

That entry also reports on the 2020 Risk Evaluation for NMP:

“The 2020 Risk Evaluation for NMP identified potential health effects for NMP including non-cancer adverse health effects such as liver toxicity, kidney toxicity, immunotoxicity, reproductive toxicity, developmental toxicity, neurotoxicity, and irritation and sensitization. In the 2022 Final Unreasonable Risk Determination, EPA determined that NMP presents an unreasonable risk of injury to health. The unreasonable risk determination is driven by risks to workers due to occupational exposures to NMP (i.e., during manufacture, processing, industrial and commercial uses, and disposal); and to consumers due to exposures from consumer use of NMP and NMP-containing products. For more information, visit: https://www.epa.gov/assessing-and-managing-chemicals-under-tsca/risk-management-existing-chemicals-under-tsca.”

I will probably not cover this rulemaking in any depth, but it’s publication will almost certainly be announced in the appropriate ‘Short Takes’ post.

OMB Deprecates Use of IE

Today, the first time I have been on the Regulations.gov web site in a week or so, I saw the following notice on the top of the page:

“As of May 22^nd 2024, Microsoft Internet Explorer (IE) will no longer be supported by this application. For best system operations, please use Google Chrome or Microsoft Edge browsers.”

As a practical matter, I am not sure what ‘will no longer be supported’ means in this context, but since Microsoft stopped supporting IE almost a year ago, I do not expect that many people are still using it. Odd, though, that only the two biggest browsers are mentioned as reasonable options. I would have expected Firefox to be included as well.

Bills Introduced – 5-28-24

Yesterday, with the House and Senate meeting in pro forma session, there were 12 bills introduced. One of those bills will receive additional coverage in this blog:

HR 8580 Military Construction, Veterans Affairs, and Related Agencies Appropriations Act, 2025 Carter, John R. [Rep.-R-TX-31]

I do not expect that there will be provisions of specific interest here in this bill. I will be following this bill for procedural interests in how the House will be (or will not be) handling spending bills this year. If the Republicans cannot manage to pass this bill with at least some level of bipartisan support (this bill, after all sends money to almost every congressional district in the US), then there will be no hope for passage of any standalone spending bills for FY 2025.

Short Takes – 5-28-24

Our Chemical Facilities Are Vulnerable To Attack. RealClearDefense.com article. Pull quote: “The chemical industry hasn’t been shy about opposing excessive federal regulations, but this is one program that has proven effective. In fact, a recent survey of American Chemistry Council members found that 96 percent support restoring the program, and 85 percent are concerned that failure to do so will compromise security. And this strong support for the program extends beyond industry. Law enforcement organizations, emergency responders, and labor unions have also called on Congress to restore CFATS.”

GOP tempers expectations on appropriations bills. TheHill.com article. Pull quote: ““The floor poses some very interesting dynamics,” he said. “You got to be able to pass a rule. If you can’t pass a rule, and you’ve got to do it on suspension, and you’re not going to get Democratic votes. Inherently, there were some challenges there that we’re going to have to overcome.””

US, European nations consider vaccinating workers exposed to bird flu. Reuters.com article. Pull quote: “The decision on how and when to use the vaccine will hinge on evidence of increased transmission, severity of disease, cases in people with no link to a dairy farm and mutations in the virus, U.S. Centers for Disease Control and Prevention Principal Deputy Director Nirav Shah said.”

DIU Taps the Spaceport Company to Demonstrate Novel Sea-Based Space Launch Infrastructure. ExecutiveGov.com article. Pull quote: “TSC said Tuesday the first leg of the Novel Responsive Space Delivery project calls for a capability to rapidly send satellites to space from a unique, sea-going mobile space launch complex on a regular, commercial basis.”

Review – 1 Advisory Published – 5-28-24

Today, CISA’s NCCIC-ICS published a control system security advisory for products from Campbell Scientific.

Advisory

Cambell Scientific Advisory

This advisory describes two vulnerabilities in the Cambell Scientific CSI Web Server and RTMC Pro products.

 

For more information on this advisory and a brief look at other potential vulnerabilities in the reported systems, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-published-5-28-24 - subscription required.

Short Takes – 5-28-24 – Space Geek Edition -

Dyson spheres: Astronomers report potential candidates for alien structures, and evidence against their existence. Phys.org article. Pull quote: “What Dyson realized is that these megastructures would have an observable signature. Dyson's signature (which the team searched for in the recent study) is a significant excess of infrared radiation. That's because megastructures would absorb visible light given off by the star, but they wouldn't be able to harness it all. Instead, they'd have to "dump" excess energy as infrared light with a much longer wavelength.”

Sweden's Arctic spaceport moves one step closer to orbital launches. Space.com article. Pull quote: “"By bringing our Blue Whale 1 rocket, soon ready for orbital missions, we will partner with SSC to create a state-of-the-art orbital launch service, including further delivery through SSC's ground service offering. After a successful orbital launch from South Korea next year, we look forward to beginning this historic journey at Esrange."”

Mars' moon may not be what we think, scientists claim. Fururism.com article. Pull quote: “In order to find out more about the origins of these moons, Japan is planning on launching sometime this decade the Martian Moons eXploration (MMX) mission, a spacecraft dedicated to studying the two lumpy Martian moons.”

Things are finally looking up for the Voyager 1 interstellar spacecraft. LiveScience.com article. Pull quote: “And then, on May 22, Voyager scientists released the welcome announcement that the spacecraft has successfully resumed returning science data from two of its four instruments, the plasma wave subsystem and magnetometer instrument. They're now working on getting the other two, the cosmic ray subsystem and low energy charged particle instrument, back online as well. Though there technically are six other instruments onboard Voyager, those had been out of commission for some time.”

Fish are Adapting to Weightlessness on the Chinese Space Station. UniverseToday.com article. Pull quote: “As a test subject, zebrafish have several advantages. Their short reproductive and development cycle, and transparent eggs, allow scientists to study their growth quickly and effectively, and their genetic makeup shares similarities with humans, potentially offering insights that are relevant to human health. The zebrafish genome has been fully sequenced, and for these reasons zebrafish are commonly used in scientific experiments on Earth. Seeing how these well-studied creatures behave in such an extreme environment may have a lot to tell us about the life and development of vertebrates across species while exposed to microgravity.”

It might be time for NASA to bail on Boeing’s Starliner. BGR.com commentary. Pull quote: “Mistakes happen, especially when you’re creating something that has to be designed to survive the harshness of space. But with NASA still holding off the launch due to an ongoing helium leak they can’t figure out how to fix, I can’t help but wonder why NASA and Boeing continue to pour money into Starliner when all the cards seemed stacked against it.”

Straight Out of Sci-Fi: NASA Advances Six Pioneering Space Technologies for Tomorrow. SciTechDaily.com article. Pull quote: “Pulsed Plasma Rocket: Shielded, Fast Transits for Humans to Mars is an innovative propulsion system that relies on using fission-generated packets of plasma for thrust. This innovative system could significantly reduce travel times between Earth and any destination in the solar system. This study is led by Brianna Clements with Howe Industries in Scottsdale, Arizona.

Review - PHMSA Transportation Incident Database Reporting - Week of 3-29-24

Since January 13^th, I have been trying to report on chemical transportation incident as reported to PHMSA on their Form 5800.1. Back in April I noted problems with the data sets I was using for my reporting, it did not seem that they were complete. In my reporting then, I noted that I was changing the elapsed time that I was using for selecting the week for which I would be reporting. But I still noted that I did not have solid data to support that selection. Since that time, I have been collecting the necessary data.

Background Information

My earlier post I provided detailed background information on the FORM 5800.1. The regulatory basis for the report is found at 49 CFR 171.16, Detailed hazardous materials incident reports. It requires anyone that is in the possession of a hazardous material at the time of a covered incident {see §171.16(a) for what constitutes a covered incident} is responsible for submitting the form within 30-days of the incident being discovered. This 30-day reporting period causes the majority of the problems that I ran across in my earlier reporting.

There is a more immediate incident reporting requirement at §171.15, Immediate notice of certain hazardous materials incidents. That section requires telephonic notification to the National Response Center (NRC) at 800–424–8802 within 12-hours of a covered incident. The definition of a covered incident {§171.15(b)} from this section is included as a subset of the §171.16(a) definition. As should be expected, the reporting data requirements are much less detailed for the telephonic reporting.

New Data Collection

Starting on April 5^th, I began to collect data from the PHMSA database for the week of March 29^th thru April 4^th. I accessed the database and downloaded that week’s data every Friday morning between 8:00 and 10:00 am EDT. The graph below shows the number of incidents per day of the week for each of the eight weeks that data was collected.

 

There is no change in any of the data between weeks 7 and 8. For the purposes of this analysis I am going to assume that no other incidents will be reported for this week. There is no real expectation that no other incidents will be reported, but the numbers should be minimal and inconsequential for my reporting on transportation hazmat incidents.

Potential Problem with 5-Week Reporting

Analyzing the changes in the various reporting elements of potential interest over the eight weeks seemed to confirm the reasonableness of my recent change to reporting on the PHMSA database data five weeks out from the week of incidents. There is, however, one exception: the data for the size of container involved in the incidents. The graph below shows the number of incidents reported for various size shipping containers for the week of March 29^th, 2024, for eight weeks.

For Week #5 only 66.67% of the bulk container incidents were reported. Since incidents involving bulk containers are potentially the most dangerous, it would seem that reporting on the PHMSA database five weeks out may be missing critical information. Of course, the data here is looking at just a single, random week. It looks like I am going to have to collect additional data…

 

For more information no the PHMSA database reporting, including additional data point analysis, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/phmsa-transportation-incident-database - subscription required.

Short Takes – 5-25-24 – Space Geek Edition

Space Innovation; Mitigation of Orbital Debris in the New Space Age. Federal Register FCC Further Notice of Proposed Rulemaking. Summary: “In this document, the Space Bureau of the Federal Communications Commission (Commission) seeks to refresh the record concerning the rules proposed in a 2020 Further Notice of Proposed Rulemaking (FNPRM) adopted in the Mitigation of Orbital Debris in the New Space Age rulemaking that sought comment on additional amendments to the Commission's rules related to satellite orbital debris mitigation.” Comments due June 27^th, 2024. Full document here.

Boeing, NASA say Starliner astronaut launch will move forward despite spacecraft helium leak. CNBC.com article. Pull quote: “But after calling off the launch attempt, a “small” helium leak with Starliner was identified, causing Boeing and NASA to begin new assessments of the capsule and its safety for the mission. NASA Associate Administrator Ken Bowersox, one of the agency’s most senior officials, explained to the press on Friday that “it’s taken a while for us to be ready to discuss” the helium leak problem.”

SpaceX sets date for next Starship flight, explains what went wrong the last time. ArsTechnica.com article. Pull quote: “For the next flight, SpaceX is focused on solving the technical issues observed on Flight 3: the filter blockages observed during Super Heavy's boostback and landing burns, Starship's attitude control during its coast phase, and managing reentry of that vehicle from orbital velocity.”

Northrop Grumman successfully tests first fully digital rocket motor. InterestingEngineering.com article. Pull quote: “Northrop Grumman states that these missions will include space travel beyond Earth’s atmosphere and other final propulsion stages. C50HP is the company’s inaugural large solid rocket motor system, developed digitally using model-based systems engineering.”

New warp drive concept does twist space, doesn’t move us very fast. ArsTechnica.com article. Pull quote: “The researchers did indeed discover a warp drive solution: a method of manipulating space so that travelers can move without accelerating. There is no such thing as a free lunch, however, and the physicality of this warp drive does come with a major caveat: the vessel and passengers can never travel faster than light. Also disappointing: the fact that the researchers behind the new work don’t seem to bother with figuring out what configurations of matter would allow the warping to happen.” Actual journal article here.

SpaceX Engine Test Stand Blows Up After Likely Starship Raptor Engine Test. WCCFTech.com article. Pull quote: “However, immediately after the smoke clouds dissipated [after the motor test was stopped], a fire started to blow out from the bottom of the pad where the rocket engine's nozzle emits flame. During the test, this region had seen flames characteristic of a Raptor with the classic Mach diamonds. However, these new flames were orange, and they appeared to travel upwards before a second explosion engulfed the entire structure.”

European Space Agency selects two firms to build ISS cargo vehicle. Phys.org article. Pull quote: “Out of seven proposals, the ESA selected those from French-German The Exploration Company and French-Italian company Thales Alenia Space, each of which will receive 25 million euros, the agency's chief Josef Aschbacher told AFP.”

Chemical Incident Reporting – Week of 5-18-24

NOTE: See here for series background.

Alpharetta, GA – 5-2-24

Local news report: Here.

A warehouse fire at an ink manufacturing company injured one employee who was airlifted to the hospital. No information on any damages.

Probable CSB reportable.

Indiantown, FL – 5-17-24

Local news reports: Here, here, and here.

Fire at power generation facility with a subsequent explosion. One person hospitalized. No reports on the level of damages.

CSB reportable.

Londonderry, NH – 5-22-24

Local news reports: Here and here.

Car wreck where an automotive maintenance van rolled over. Van was carrying hazardous materials. The hazardous materials were petroleum and aerosol-based chemicals used in auto maintenance. One firefighter transported to hospital.

Not CSB reportable as it was a transportation related incident.

Van Nuys, CA – 5-23-24

Local news reports: Here, here, and here.

A car exploded in parking lot. The vehicle contained propane and butane cylinders and the occupant tried to light a cigarette, setting off the explosion.

Not CSB reportable as it was a transportation related incident. 

Review – Public ICS Disclosures – Week of 5-18-24

This week we have 13 vendor disclosures from Broadcom (3), Cisco, Fujitsu, HP (2), HPE, Philips, QNAP, WAGO (2), WithSecure, and Zyxel. We also have two vendor updates from Broadcom and HPE. Finally, we have ten researcher reports for products from FortiGuard, Honeywell, Mitsubishi, Siemens, TP-Link (5), and TVT.

Advisories

Broadcom Advisory #1 - Broadcom published an advisory that discusses a deserialization of untrusted data vulnerability in their Brocade Fabric OS, Brocade SANnav, and Brocade Support Link products.

Broadcom Advisory #2 - Broadcom published an advisory that discusses six inadequate access control vulnerabilities in their Brocade SANnav product.

Broadcom Advisory #3 - Broadcom published an advisory that describes a missing authentication for critical resource vulnerability in their Brocade SANnav product.

Cisco Advisory - Cisco published an advisory that describes an authentication bypass by spoofing vulnerability in their Snort 3 HTTP Intrusion Prevention System.

Fujitsu Advisory - Fujitsu published an advisory that discusses four vulnerabilities in multiple Fujitsu products.

HP Advisory #1 - HP published an advisory that describes a cross-site scripting vulnerability in their LaserJet Pro devices.

HP Advisory #2 - HP published an advisory that describes an SMTP server information disclosure vulnerability in their Laser Jet Pro printers.

NOTE: This link to this advisory is currently leading to a blank page.

HPE Advisories - HPE published 46 Critical Product Security Vulnerability Alerts. See this post for background information on these products.

Philips Advisory - Philips published an advisory that discusses the HPE authorization bypass through user-controlled key vulnerability.

QNAP Advisory - QNAP published an advisory that describes five vulnerabilities in their QTS and QuTS hero products.

WAGO Advisory #1 - CERT-VDE published an advisory that discusses 17 vulnerabilities in multiple WAGO products.

WAGO Advisory #2 - CERT-VDE published an advisory that discusses two vulnerabilities in WAGO Navigator.

WithSecure Advisory - WithSecure published an advisory that describes a link following vulnerability in their Windows endpoint product.

Zyxel Advisory - Zyxel published an advisory that describes two classic buffer overflow vulnerabilities in their 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, and WiFi extender.

Updates

Broadcom Update - Broadcom published an update for their remote code execution advisory that was originally published on April 1^st, 2024.

HPE Update - HPE published an update for their Aruba ArubaOS advisory that was originally published on April 30^th, 2024.

Researcher Reports

FortiGuard Report - Horizon3 published a report describing an OS command injection vulnerability in the Fortinet FortiSIEM product.

Honeywell Report - Claroty published a report describing two vulnerabilities in the Honeywell ControlEdge Virtual Unit Operations Center (UOC).

Mitsubishi Report - Positive Technologies published a report describing five vulnerabilities in the Mitsubishi MELSEC System Q and MELSEC System L series PLC processor modules.

Siemens Report - SEC Consult published a report describing an exposed serial shell vulnerability on multiple Siemens PLCs.

TP-Link Reports - ZDI published five reports of vulnerabilities in the TP-Link TP-Link Omada ER605 PPTP VPN.

TVT Report - SSD-Disclosure published a report that describes an exposure of sensitive information vulnerability in the TVT NVMS9000 surveillance management system.

 

For more information on these disclosures, including links to 3rd party advisories and researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-5-329 - subscription required.

Short Takes – 5-24-24

Unsaflok. Unsaflok.com article. Researchers are withholding details at this time. Pull quote: “Upgrading each hotel is an intensive process. All locks require a software update or have to be replaced. Additionally, all keycards have to be reissued, front desk software and card encoders have to be upgraded, and 3rd party integrations (e.g. elevators, parking garages and payment systems) may require additional upgrades.” dormakaba security advisory.

Space guard, COVID amnesty and other House Defense bill highlights. TheHill.com article. Pull quote: “The bill sticks to spending caps as stipulated in last year’s debt ceiling agreement, with just a 1 percent increase over the fiscal 2024 NDAA. But the House legislation shifts around billions of dollars proposed by the Pentagon, adding funding to submarines, cutting dollars for fighter jets, and delaying the retirement of dozens of aircraft.”

Hazardous Materials: Adjusting Registration and Fee Assessment Program. Federal Register PHMSA NPRM. Summary: “In order to account for increased transport of hazardous materials as well as the burdens such transport places on first responders, PHMSA proposes overdue updates to the registration fees under the statutorily mandated registration and fee assessment program for persons who transport, or offer for transportation, certain categories and quantities of hazardous materials. PHMSA's proposal would increase the annual fee to be paid by those registrants qualifying as a small business or not-for-profit organization by $125 to $375 and by those registrants not qualifying as a small business or not-for-profit organization by $425 to $3,000. Actions such as fee adjustments are necessary to fund PHMSA's Hazardous Materials Emergency Preparedness grants program at newly authorized levels in accordance with the Infrastructure Investment and Jobs Act (Pub. L. 117-58). PHMSA also proposes to implement an electronic-only registration fee payment process. Finally, PHMSA proposes to revise requirements to clarify that a certificate of registration may be carried in either electronic or paper form for both motor carriers and those who transport hazardous materials by vessel.” Comments due by August 22^nd, 2024.

Transportation Chemical Incidents – Week of 4-20-24

Reporting Background

See this post for explanation, with an update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

Incidents Summary

• Number of incidents – 507 (384 highway, 56 air, 4 rail, water 0)

• Serious incidents – 2 (2 Bulk release, 0 evacuation, 0 injury, 0 death, 0 major artery closed, 1 fire/explosion). Note: The fire/explosion incident was an exploding vape pen on an aircraft. A small fire resulted, but it was put out with onboard fire extinguisher.

• Largest container involved – 30,067-gal DOT 111A100W railcar {Fuel Oil (NO. 1, 2, 4, 5, OR 6)} Derailed railcar in railyard was on its side, leaking from vacuum relief valve. 75-gal leaked.

• Largest amount spilled – 550-gal (Gasoline Includes Gasoline Mixed with Ethyl Alcohol, with Not More Than 10% Alcohol) Tank truck rollover accident and the shell was punctured, spilled 5649-gal of gasoline, no fire. Note: there is a discrepancy between the amount spilled column and the description of the accident.

Most Interesting Chemical: Toluene Diisocyanate: A clear colorless to pale yellow liquid with a pungent odor. Denser than water. Burns, but may be difficult to ignite (Flash point 250°F). Vapors are heavier than air. This chemical is highly toxic by inhalation and ingestion. It is also highly toxic by skin contact. It is an irritant of the skin, eyes, mucous membranes and respiratory tract. 

Bills Introduced – 5-23-24

Yesterday, with the House and Senate preparing to depart for their Memorial Day recess, there were 125 bills introduced. Five of those bills may receive additional coverage in this blog:

HR 8522 To improve connections between the Department of Agriculture and national and homeland security agencies, and for other purposes. Bice, Stephanie I. [Rep.-R-OK-5]

HR 8537 To require a study on public health impacts as a consequence of the February 3, 2023, train derailment in East Palestine, Ohio. Joyce, David P. [Rep.-R-OH-14]

HR 8544 To require original equipment manufacturers of digital electronic equipment to make available certain documentation, diagnostic, and repair information to independent repair providers, and for other purposes.

S 4420 A bill to improve connections between the Department of Agriculture and national and homeland security agencies, and for other purposes. Padilla, Alex [Sen.-D-CA]

S 4422 A bill to require original equipment manufacturers of digital electronic equipment to make available certain documentation, diagnostic, and repair information to independent repair providers, and for other purposes. Lujan, Ben Ray [Sen.-D-NM]

I will be watching HR 8522 and S 4420 for language and definitions that would specifically address chemical security and cybersecurity issues in the improved connections sought by the bills.

I will be covering HR 8537. I suspect that this bill will be similar to S 4045.

I will be covering HR 8544 and S 4422.

First FY 2025 Spending Bill Teed Up in House

Yesterday, the House Rules Committee announced the deadline for submitting amendments to be considered during the consideration of the Military Construction, Veterans Affairs, and Related Agencies Appropriations Act, 2025. That deadline is next Wednesday while the House is out on their Memorial Day recess. This means that the bill is likely to be considered the following week when they return on June 3^rd (Rules Committee hearing likely on June 3^rd, rule vote in the House possible on June 4^th).

A quick review of the Committee Print of the bill reveals nothing of specific interest here (not unusual). Last year’s Consolidated Appropriations Act (HR 4366) provided $2,022,775,000 overall military construction spending under DIVISION A, Military Construction, Veterans Affairs, and Related Agencies Appropriations Act, 2024. The Committee draft proposes $2,217,757,000, a 9.6% increase over last year. This bill affects spending in almost every congressional district in the country. It is easy to see why the Leadership is stepping up with this bill first.

On the other hand, veterans’ compensation spending drops from $15.1 billion to $9.8 billion (pg 26), a 35.1% decrease.

Short Takes – 5-23-24

House GOP eyes ambitious plans to pass all 12 government funding bills. TheHill.com article. Pull quote: “He [Rep Harris (R,MD)] added that he thinks the party’s goal of passing all 12 bills across the floor “won’t be any easier” than last year — when intraparty divides over spending and policy areas like abortion dominated public attention as the conference struggled to unify behind its appropriations bills.”

Air Weapons: UAV Use Evolves in Ukraine. Strategypage.com article. Pull quote: “The Drone Force can also supply units with specialized UAV units containing trained operators and commanded by officers who were trained to get the most out of these units. That means knowing how to handle larger UAVs that can search areas up to a hundred kilometers distant to find targets or just enemy activity in general. The Drone Force will collect data on recent UAV usage and modify UAV design and combat procedures to improve effectiveness in combat. The side that innovates and reorganizes the fastest in response to new situations has an edge in combat. This is what the Ukrainian Drone Force was created for and, along with the million UAVs Ukraine seeks to obtain in 2024, may prove to be decisive this year.”

Finland's wizards making food out of thin air. Phys.org article. Pull quote: “By feeding a microbe with carbon dioxide, hydrogen and some minerals, and powering the process with electricity from renewable sources, the company has managed to create a protein-rich powder that can be used as a milk and egg substitute.”

The Pentagon Isn’t Buying Enough Ammo. ForeignPolicy.com article. Pull quote: “In response, munitions procurement followed boom and bust cycles. The military bought weapons when they were being used during a conflict and stores ran low, but then quickly deprioritized weapons purchases once the immediate need subsided. Inconsistent buys led the armaments industry to atrophy and lose its ability to surge, a result of increasingly fragile supply chains and a proliferation of sole-source suppliers. For example, there are currently only two American companies that produce the solid rocket motors that propel the majority of U.S. missile systems.”

Could Putting Neosporin in Your Nose Fend Off COVID? ScientificAmerican.com article. Pull quote: “While much of the work was conducted on rodents, the researchers did ask a dozen healthy people to apply Neosporin—which contains a much lower dose of neomycin than the experiments in rodents used—in their nose twice a day for one week and compared them with seven people who used Vaseline—a topical ointment with no neomycin in it. The researchers measured the activity, or expression, of five different interferon-stimulated genes (and one immunoregulatory gene affected by interferon-stimulated gene activity) in each person. They found that even several days after Neosporin administration ended, the people who used it showed higher levels of gene expression, suggesting a stronger immune response. The results were intriguing enough that Iwasaki hopes to conduct more tests on the approach—including testing higher doses of neomycin than are present in Neosporin—in the future.”

Open Meeting of the Internet of Things Advisory Board. Federal Register NIST meeting notice. Agenda: “The purpose of this meeting is to finalize the IoT Advisory Board's report for the IoT Federal Working Group. The recommendations documented in the report were accepted as final at the May 2024 meeting. This meeting's agenda will focus on finalizing the initial sections of the report, primarily the Executive Summary, Introduction, Future of IOT and Findings. Note that agenda items may change without notice. The final agendas will be posted on the IoT Advisory Board web page: https://www.nist.gov/​itl/​applied-cybersecurity/​nist-cybersecurity-iot-program/​internet-things-advisory-board.” Meeting date: June 14^th, 2024.

The weapon behind Russia’s creeping battlefield advances. CounterOffensive.news article. Pull quote: ““Missiles are basically critical. These are one of the defining capabilities of this type of conflict,” said Federico Borsari, a fellow at the Center for European Policy Analysis. “Russia had to resort to the use of gliding bombs because its stock of missiles is not sufficient to deliver good effects on the battlefield.””

Hijack of monitoring devices highlights cyber threat to solar power infrastructure. CSOOnline.com article. Pull quote: “In what might be the first publicly confirmed cyberattack on the solar power grid infrastructure, Japanese media recently reported that malicious actors hijacked 800 SolarView Compact remote monitoring devices made by industrial control electronics manufacturer Contec at solar power generation facilities to engage in bank account thefts.”

Davidsmeyer Hazmat Tanker Placard Info Bill Passes. WLDS.com article. Pull quote: “Davidsmeyer says the bill requires the Secretary of State to include more information in the Illinois Rules of the Road book pertaining to the transportation of hazardous material for everyday drivers: “This bill just says in the Rules of the Road book that all kids have to go through before they get their driver’s license, we have to include hazardous material placards so that they know when they get around larger trucks or larger vehicles that have these hazardous material placards that they should be a little bit more careful as they decide to pass or how they drive around those vehicles.””

What is wind shear? An atmospheric scientist explains how it can tear apart hurricanes. TheConversation.com article. Pull quote: “Too much vertical wind shear, however, can offset the top of the storm. This weakens the wind circulation, as well as the transport of heat and moisture needed to fuel the storm. The result can tear a hurricane apart.” 

Review - Reader Comment: Wither CFATS?

I had an interesting telephone conversation today with a long-time reader (and CISA employee, so they cannot be named here) about the future of the Chemical Facility Anti-Terrorism Standards program. While CISA is officially certain that Congress will get its act together and reauthorize the program, they are bit by bit taking the still existing FY 2024 CFATS funding and parceling it out to other under-funded or un-funded programs. The reader wanted my take on the future of CFATS.

At this point, I do not hold out a lot of hope that the Congress will get its act together and pass HR 4470. It appears that it is hard to get congress critters excited about preventing terrorist attacks using industrial chemicals. Part of the reason for that is the success of the CFATS program in making it difficult for terrorists to get their hands on weaponizable chemicals. There has been no terrorist attack in the United States using an industrial sized improvised weapon since the Oklahoma City bombing in 1995. Maybe there will never be another.

But, if there is, people will be demanding to know why the federal government failed to prevent the attack. And we will be able to point the finger at the 118^th Congress. The Congress that found it too hard to overcome the objections of a single Senator.

 

For more details about how I reached this conclusion, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/reader-comment-wither-cfats - subscription required.

Review - 1 Advisory Published – 5-23-24

Today, CISA’s NCCIC-ICS published a control system security advisory for products from Automation Direct.

Advisories

AutomationDirect Advisory - The advisory describes 15 vulnerabilities in the AutomationDirect Productivity PLCs.

 

For more information on this advisory, including a listing of the 15 vulnerabilities, see my article at CFSN Detailed Analysis - - subscription required.

Bills Introduced – 5-22-24

Yesterday, with both the House and Senate in session, there were 42 bills introduced. Two of those bills may receive additional attention here:

HR 8497 To provide the Secretary of Homeland Security certain direct hiring authorities. Gallego, Ruben [Rep.-D-AZ-3]

 

HR 8512 To authorize appropriations for fiscal year 2025 for intelligence and intelligence-related activities of the United States Government, the Community Management Account, and the Central Intelligence Agency Retirement and Disability System, and for other purposes. Turner, Michael R. [Rep.-R-OH-10]

I will be watching HR 8497 for language and definitions that would specifically apply to cybersecurity related positions.

I will be covering HR 8512.

Short Takes – 5-22-24

Eventbrite Promoted Illegal Opioid Sales to People Searching for Addiction Recovery Help. Wired.com article. Pull quote: “Pugh, from Intelligence for Good, says those uploading the posts to multiple platforms may be using automated tools to do so, and they are not manually entering all their details time and time again. “You definitely can see a difference in some of the more sophisticated actors who have clearly used some SEO-manipulation tools,” Pugh says. Some, she says, will use emoji or slang terms to avoid automatic content moderation that platforms put in place.”

Electronic cooling device is part fridge, part muscle. ChemistryWorld.com article. Pull quote: “Qian, however, stresses that the material is not ready for commercialisation. The material is too fragile, he admits. The voltage required to achieve the effect, 2000V, is also too high. ‘When you provide a device that can pump heat at the 100V level, then I think this can really move from a paper to industry,’ Qian says.”

Glitch on BepiColombo: work ongoing to restore spacecraft to full thrust. ESA.int blog post. Pull quote: “A combined team from ESA and the mission’s industrial partners set to work the moment the issue was identified. By 7 May, they had restored BepiColombo’s thrust to approximately 90% of its previous level. However, the Transfer Module’s available power is still lower than it should be, and so full thrust cannot yet be restored.”

Architecting lunar infrastructure. SpaceReview.com article. Pull quote: “He said Interlune focused on helium-3 because of its high price: $20 million per kilogram. “It is the only resource that is priced high enough to warrant going to the Moon and bringing it back. We needed something like that to anchor the business case.””

There Is Too Much Trash in Space. ScientificAmerican.com commentary. Pull quote: “As long as doing the right thing is voluntary, it may not happen, concluded a 2018 Air Force Association report. The limited action since then tells us the world is way overdue for an agreement on mandatory standards. Few countries or companies currently design rockets for their complete life cycle. They must be forced to store enough fuel and retain the capability for spacecraft to steer safely out of space when their useful life is over. Painful financial and regulatory penalties should afflict spacefaring industries and nations that fail to play by the new rules.”

Slow Response to Bird Flu in Cows Worries Scientists. ScientificAmerican.com article. Pull quote: “Information about how and where the virus has spread is important for informing the response. If the outbreak is not widespread and is moving slowly, public-health officials could decide to cull affected herds and eradicate the virus in cattle, says Eckerle. But if it is too widespread or fast-moving, they might have to resign themselves to a new reality in which cattle are a reservoir of H5N1, and focus on restricting its jump to people. “I would not say it’s too late” to decide between these two pathways, says Eckerle — but “we need data.””

Second case of bird flu in humans confirmed in a Michigan farmer. TheHill.com article. Pull quote: “According to the Centers for Disease Control and Prevention (CDC), a nasal swab from the person tested negative for influenza in a state lab, but an eye swab from the patient was shipped to CDC and tested positive for influenza A virus, indicating an eye infection.”

NASA, Mission Partners Assessing Launch Opportunities for Crew Flight Test. Blogs.NASA.gov blog post. Pull quote: “Work continues to assess Starliner performance and redundancy following the discovery of a small helium leak in the spacecraft’s service module. As part of this work, and unrelated to the current leak which remains stable, teams are in the process of completing a follow-on propulsion system assessment to understand potential helium system impacts on some Starliner return scenarios. NASA also will conduct a Delta-Agency Flight Test Readiness Review to discuss the work that was performed since the last CFT launch attempt on May 6, and to evaluate issue closure and flight rationale ahead of the next attempt, as part of NASA’s process for assessing readiness. The date of the upcoming Flight Test Readiness Review is under consideration and will be announced once selected.”

Review - CISA Publishes New 60-day ICR Notice for Infrastructure Visualization Platform

Yesterday, CISA published a new 60-day information collection request (ICR) in the Federal Register (89 FR 44695-44696) for Infrastructure Visualization Platform (IVP) Pre-Collection Questionnaire. This new ICR will support critical infrastructure security assessment efforts by CISA’s Protective Security Advisors (PSA). The collection would be for the facility questionnaire that would have to be filled out before the on-sight data collection would take place.

CISA provides the following burden estimates to support this ICR.

NOTE: The annualized respondent cost appears to be the standard calculation for personnel costs for the time to fill out the questionnaire.

A copy of the questionnaire that is covered by this ICR notice will not be publicly available until CISA submits the ICR to OIRA after the 30-day ICR notice is published.

Public Comments

CISA is soliciting public comment on this ICR notice. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # CISA-2024-0012). Comments should be submitted by July 22^nd, 2024.

 

For more information on this ICR notice, including background information on the IVP program, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cisa-publishes-new-60-day-icr-notice - subscription required.

Bills Introduced – 5-21-24

Yesterday, with both the House and Senate in session, there were 46 bills introduced. One of those bills will receive additional attention in this blog:

HR 8469 Introduced - To establish in the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security a program to promote the cybersecurity field to disadvantaged communities, including older individuals, racial and ethnic minorities, people with disabilities, geographically diverse communities, socioeconomically diverse communities, women, individuals from nontraditional educational paths, individuals who are veterans, and individuals who were formerly incarcerated, and for other purposes. Brown, Shontel M. [Rep.-D-OH-11] 

That description covers such a wide base of potential individual to be the focus of the program, I will be interested in seeing how the crafters of this bill expect a single program to adequately address each of the varying constituencies.

FAR Sends CUI NPRM to OMB

Yesterday, the OMB’s Office of Information and Regulatory Affairs announced that it had received a notice of proposed rulemaking from FAR on “Federal Acquisition Regulation (FAR); FAR Case 2017-016, Controlled Unclassified Information (CUI)”. This rulemaking has been under consideration since 2017.

According to the Fall 2023 Unified Agenda entry for this rulemaking:

“This rule will apply the controlled unclassified information (CUI) program requirements in Federal contracts in a uniform manner to protect CUI. This rule is one element of a larger strategy to improve the Government’s efforts to identify, deter, protect against, detect, and respond to increasing sophisticated threat actions targeting Federal contractors. This rule is being issued in accordance with the National Archives and Records Administration (NARA) regulations implementing the CUI program per Executive Order 13556 issued November 4, 2010, as implemented in NARA’s implementing regulations.”

Short Takes – 5-21-24

Space Force and Starfish Space lay out their roadmap for satellite docking mission. GeekWire.com article. Pull quote: “The Otter project will draw upon the $37.5 million in funding from the Space Force as well as $30 million in past and future venture capital investment, Starfish said. The aim of the demonstration mission will be to send an Otter spacecraft to geostationary Earth orbit, or GEO, to dock with and maneuver national security assets. The specific assets to be maneuvered and the detailed plan for operations have not yet been made public.”

"Securable" by Design. WHMurray.blogspot.com post. Pull quote: “By habit and culture, engineers use a complete specification for a system. By contrast, IT developers often work from a specification that is less than complete. A complete specification includes an expression or description:”

IT Cybersecurity Specialist. USAJobs.gov CSB job announcement. Summary: “This position is part of the Chemical Safety and Hazard Investigation Board. The incumbent is the Deputy CIO and will be responsible for serving as the agency's senior expert and consultant on the design, development, and integration of information technology (IT) systems.”  Job closes May 24^th, 2024.

Periodic Graphics: The chemistry of hydrangea color changes. CEN.ACS.org chemistry graphic. Pull quote: “Hydrangeas change colors depending on soil acidity. Here we take a look at the science behind their varying colors and how you can fine tune their hues with soil additives.”

Taking Down Big Laundry. SlugSec.UCSC.edu blog post. An interesting hacker report. Pull quote: “Injecting more realistic amounts such as $50 or $100, however, seems to fly under their radar. Our test transactions with smaller denominations are still present 5 months later.”

Why Your Wi-Fi Router Doubles as an Apple AirTag. KrebsOnSecurity.com article. This may have interesting positional security implications. Pull quote: “Plotting the locations returned by Apple’s WPS between November 2022 and November 2023, Levin and Rye saw they had a near global view of the locations tied to more than two billion Wi-Fi access points. The map showed geolocated access points in nearly every corner of the globe, apart from almost the entirety of China, vast stretches of desert wilderness in central Australia and Africa, and deep in the rainforests of South America.”

Hazard Communication Standard. Federal Register OSHA final rule. Way too complex to be summarized in even a series of blog posts. Summary: “The agency has determined that the revisions in this final rule will enhance the effectiveness of the HCS by ensuring employees are appropriately apprised of the chemical hazards to which they may be exposed, thus reducing the incidence of chemical-related occupational illnesses and injuries. The modifications to the standard include revised criteria for classification of certain health and physical hazards, revised provisions for updating labels, new labeling provisions for small containers, new provisions related to trade secrets, technical amendments related to the contents of safety data sheets (SDSs), and related revisions to definitions of terms used in the standard.”

ARPA-H announces program to automate cybersecurity for health care facilities. ARPA-H.gov press release. Pull quote: “Filling this gap in digital health security will take expertise from IT staff, medical device manufacturers and vendors, health care providers, human factors engineers, and cybersecurity experts to create a tailored and scalable software suite for hospital cyber-resilience. The UPGRADE platform will enable proactive evaluation of potential vulnerabilities by probing models of digital hospital environments for weaknesses in software. Once a threat is detected, a remediation (e.g., patch) can be automatically procured or developed, tested in the model environment, and deployed with minimum interruption to the devices in use in a hospital.” Hospitals are nearly as cyber complex as modern manufacturing facilities, it will be interesting to see how this works out.

Mars rover mission will use pioneering nuclear power source. Nature.com article. Pull quote: “ESA’s heater units will not only be a first for Europe, but the first anywhere to use americium-241, a by-product of plutonium decay that packs less power per gram than its predecessor. But americium-241 is more abundant and cheaper, meaning that even if the RHUs require more of the isotope to run, they might be less expensive overall. “Developing and launching a European RHU will be a first for ESA and a major achievement,” says Sutherland.”