Thursday, May 16, 2024

Short Takes – 5-16-24

Board Affairs Specialist. USAJobs.gov CSB job announcement. Summary: “This position is part of the Chemical Safety and Hazard Investigation Board, Chemical Safety and Hazard Investigation Board. The incumbent will be responsible for supporting the programmatic and administrative activities of the Chairperson and the Board as a whole.” Job closing date: May 16th, 2024 (it was only open two days).

Private mission to save the Hubble Space Telescope raises concerns, NASA emails show. NPR.org article. Pull quote: “"The other issue is the need for reboost now versus later," Grunsfeld wrote. "Perhaps the opportunity with Polaris won't be there, but NASA can work with Congress and the Administration to request funds for a Hubble reboost or enhancement mission, using a commercial partner where NASA is in the drivers [sic] seat, and the maturity of the space systems is higher and lower risk."”

Genetic analyses of the bird flu virus unveil its evolution and potential. ScienceNews.org article. Pull quote: “Since getting into cattle, the virus has jumped into other species including cats in Kansas and Texas that drank infected raw milk. More than half of infected cats from one north Texas dairy died within a few days of having the milk, probably because the virus went to the cats’ brains and nervous systems, researchers reported April 29 in Emerging Infectious Diseases.”

Passenger with measles passes through LAX, those close on plane will be notified. OCRegister.com article. Pull quote: ““Measles is spread by air and by direct contact even before you know you have it and can lead to severe disease,” Dr. Muntu Davis, Los Angeles County health officer, said in a statement. “Measles is highly contagious for those who are not immune to it. Initially causing fever, cough, red, watery eyes, and followed by a rash, it can result in serious complications for young children and vulnerable adults.””

Notice of Meeting; Cybersecurity Advisory Committee. Federal Register CISA meeting notice. Open Agenda: “The CISA Cybersecurity Advisory Committee will hold an in-person meeting on Wednesday, June 5, 2024, to discuss current CISA Cybersecurity Advisory Committee activities. The open session will include: public comment, briefings from all five CSAC subcommittees, and CSAC member deliberation and vote on several recommendations for the Director.” Meeting date: June 3rd, 2024.

Drone Security Testimony – 5-16-24

Today, there was a joint hearing by two subcommittees of the House Homeland Security Committee on “Unmanned Aerial Systems: An Examination of The Use of Drones in Emergency Response”. As I predicted on Monday, the prepared testimony from Michael Robbins from the Association for Uncrewed Vehicle Systems International (AUVSI), did briefly address cybersecurity issues associated with the use of uncrewed aircraft systems (I am glad to see that AUVSI is using the gender neutral terminology of ‘uncrewed’).

On page 12 of his testimony, Robbins provides four paragraphs under the heading of ‘Drone Security’ that address ways that the industry can deal with that issue. He briefly discusses the DOD’s Defense Innovation Unit’s Blue UAS program. Their web site notes that: “This effort also proves out a repeatable administrative onboarding process called “Blue UAS On-Ramp” designed to reduce barriers to entry for commercial sUAS and create a more permissive acquisition process for DoD customers. More systems will be added to the roster soon.”

This is a DOD-centric program and is not designed to serve civilian first responder needs. AUVSI has come up with a voluntary industry certification program patterned after the DOD’s program, called the Green UAS program. I am not technically qualified to comment on their validation program, but it would seem that commercial UAS purchasers might want to consider something like Green UAS as a short-cut to validating ‘cybersecurity and NDAA supply chain compliance’ before making substantial UAS purchases.

Review – 14 Advisories and 3 Updates Published – 5-16-24

Today, CISA’s NCCIC-ICS published 14 control system security advisories for products from Rockwell Automation and Siemens (13). They also updated three advisories for products from GE Healthcare and Mitsubishi (2).

Siemens published two other advisories and 23 updates on Tuesday that were not addressed here. I will cover them this weekend.

Advisories

Rockwell Advisory - This advisory describes an improper input validation vulnerability in the Rockwell FactoryTalk View SE monitoring software.

Industrial Product Advisory - This advisory describes an out-of-bounds read vulnerability in the Siemens Industrial Products.

Desigo Advisory - This advisory describes three vulnerabilities in the Siemens Cerberus PRO UL and Desigo Fire Safety UL products.

RUGGEDCOM Advisory #1 - This advisory discusses two vulnerabilities in the Siemens RUGGEDCOM APE1808 products.

RUGGEDCOM Advisory #2 - This advisory describes nine vulnerabilities in the Siemens RUGGEDCOM CROSSBOW product.

Solid Edge Advisory - This advisory describes eight vulnerabilities in the Siemens Solid Edge products.

PS/IGES Advisory - This advisory describes 11 vulnerabilities in the Siemens PS/IGES Parasolid Translator Component.

SIMATIC Advisory #1 - This advisory discusses 21 vulnerabilities (three with known exploits) in the Siemens SIMATIC RTLS Locating Manager.

SIMATIC Advisory #2 - This advisory describes three vulnerabilities in the Siemens SIMATIC CN 4100.

SIMCENTER Advisory - This advisory describes a stack-based buffer overflow vulnerability in the Siemens Simcenter Nastran finite element analysis program.

Polarion Advisory - This advisory describes an improper access control vulnerability in the Siemens Polarion ALM application lifecycle management software.

Teamcenter Advisory - This advisory describes two vulnerabilities in the Siemens JT2Go and Teamcenter Visualization products.

SICAM Advisory - This advisory describes three vulnerabilities in multiple Siemens SICAM products.

Parasolid Advisory - This advisory describes three vulnerabilities in the Siemens Parasolid design and simulation product.

Updates

GE Healthcare Update - This update provides additional information on the Ultrasound Products advisory that was originally published on February 18th, 2020.

Mitsubishi Update #1 - This update provides additional information on the MELSEC-Q/L Series advisory that was originally published on March 14th, 2024.

Mitsubishi Update #2 - This update provides additional information on the MELSEC iQ-R Series Safety CPU that was originally published on February 13th, 2024.


For more information on these advisories, including links to 3rd party advisories, vendor advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/14-advisories-and-3-updates-published - subscription required.

Review - HR 7655 Introduced – Pipeline Safety

Back in March, Rep Duncan (R,SC) introduced HR 7655, the Pipeline Safety, Modernization, and Expansion Act of 2024. This bill provides for the reauthorization of the Pipeline and Hazardous Materials Safety Administration’s (PHMSA) Pipeline Safety Regulations (PSR). This bill is similar to HR 6494, the PIPES Act, which was introduced by Rep Graves (R,MO) and reported favorably by the House Transportation and Infrastructure Committee.

Topics of potential interest here include:

§10. Strengthening penalties for pipeline safety violations.

§12. Maximum allowable operating pressure.

§14. Pipeline safety voluntary information-sharing system.

§18. Regulatory updates.

§19. Class location changes.

Committee Action

On March 20th, 2024, the House Energy and Commerce Committee held a markup hearing that included consideration of this bill. The bill was amended (the current record does not show which amendments were approved) and then approved by a vote of 27 to 18 (which sounds like a party-line vote, but again no data is available).

Moving Forward

Typically, once a committee orders a bill reported, the publication of that report enables the bill to be considered by the full House. With split committee support like the 27 to 18 vote indicates, the bill would not be eligible for consideration under the suspension of the rules process because such bills require a supermajority for passage. So, this bill would have to be considered under regular order. While ‘regular order’ in the House is less complicated than in the Senate, it still requires a level of political importance that probably cannot be ascribed to this bill.

But this is not a typical situation. The Transportation and Infrastructure Committee is the committee to which this bill was assigned for primary consideration. Until that Committee takes action on this bill, it will not proceed to the floor (okay, the Chair of the TI Committee could give permission for it to proceed without that Committee’s action, but that ain’t gonna happen, Chair prerogatives are too important).

Commentary

This bill was crafted by the Energy and Commerce Committee staff because the committee leadership was not satisfied with one or more provisions of HR 6494, the PIPES Act, which was offered by the Chair of the Transportation and Infrastructure Committee. That bill was ordered reported back in December of 2023. Energy and Commerce was assigned secondary consideration on the PIPES Act bill, so that bill is also tied up waiting for EC’s consent to move it to the floor.

Bills Introduced – 5-15-24

Yesterday, with both the House and Senate in session, there were 56 bills introduced. One of those bills will receive additional attention in this blog:

HR 8415 To require the Inspector General of the Department of Health and Human Services to evaluate the cybersecurity practices and protocols of the Department, and for other purposes. Steel, Michelle [Rep.-R-CA-45]

This bill seems to be similar in intent to S 3773, the Strengthening Cybersecurity in Health Care Act, which was introduced last month by Sen Rubio (R,FL). That bill has seen no action in the Senate.

DOD Sends CMMC DFARS NPRM to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking from the DOD’s Defense Acquisition Regulatory Council (DARC) on “Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)”. An interim final rule on this issue was published on September 29th, 2020.

According to the Fall 2023 Unified Agenda entry for this rulemaking:

“DoD is amending an interim rule to implement the CMMC framework 2.0 in order to protect against the theft of intellectual property and sensitive information from the Defense Industrial Base (DIB) sector. The CMMC framework, as defined in Title 32 of the Code of Federal Regulations (CFR), assesses compliance with applicable information security requirements. This rule provides the Department with assurances that a DIB contractor can adequately protect sensitive unclassified information at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.”

That Agenda entry also notes that:

“The theft of intellectual property and sensitive information from all U.S. industrial sectors due to malicious cyber activity threatens economic security and national security.  Malicious cyber actors have and continue to target the DIB sector and the supply chain of the Department of Defense. These attacks not only focus on the large prime contractors, but also target subcontractors that make up the lower tiers of the DoD supply chain. Many of these subcontractors are small entities that provide critical support and innovation. The aggregate loss of intellectual property and certain unclassified information from the DoD supply chain can undercut U.S. technical advantages and innovation, as well as significantly increase risk to national security.”

Wednesday, May 15, 2024

Short Takes – 5-15-24

How fast is bird flu spreading in US cows? ‘We have no idea’. TheHill.com article. Pull quote: ““This is new for them [dairy industry]; they’re more edgy and concerned,” Schaffner said. “All these diplomatic overtures and discussions are going on and are being led at the local level, because that’s where personnel are more comfortable. COVID developed a political veneer, and that impeded public health. That legacy still exists, and that may influence some of the caution in the dairy industry.””

Spaceplanes: why we need them, why they have failed, and how they can succeed. TheSpaceReview.com article. Pull quote: “In practical terms the ultimate problem is that, because space has no oxygen, rockets have to carry up about 2.4 tons of it for every ton of fuel they carry. Not surprisingly, given this constraint, rockets which reduce their mass to orbit by dropping off empty sections on the way up—staging—is the system that has been universally adopted to maximise the non-propellant mass (another Tsiolkovsky insight). A further drawback of SSTO’s [Single Stage to Orbit] is that they must haul along a pair of wings that are useful only for a very small part of the flight path, which further limits the thin weight margin available for the payload.”

Cooperative Research and Development Agreement (CRADA)-“Shoreside and Shipboard Open-Source Software Defined Radio (SDR) Technology”. Federal Register CG notice. Summary: “The Coast Guard is announcing its intent to enter into a Cooperative Research and Development Agreement (CRADA) with General Dynamics Mission Systems (GDMS) to evaluate the suitability of implementing open-source-based SDR technologies on shore-side and shipboard environments. The effort would include evaluating the utility of a P25 Telecommunications Industry Association (TIA)-compliant interface for software defined radios (SDRs). This CRADA would leverage Coast Guard network infrastructure and shipboard IT communications systems to evaluate open-source SDR technologies and determine how they can be implemented to support multiple Coast Guard core mission areas for shore-side and shipboard use under a variety of scenarios. Technology researched, tested, and prototyped will adhere to all active Coast Guard, Federal Communications Commission (FCC), and National Telecommunications and Information Administration (NTIA) standards and regulations. While the Coast Guard is currently considering partnering with GDMS, we are soliciting public comment on the possible nature of and participation of other parties in the proposed CRADA.” Comments due June 14th, 2024. No mention of SDR cybersecurity concerns.

House Agreed to Senate Amendment to HR 3935 – FAA Reauthorization

The House began considering the Senate Amendment to HR 3935, the Securing Growth and Robust Leadership in American Aviation Act, under the suspension of the rules process. After nine minutes of debate, a recorded vote was demanded. That vote was held this afternoon. The House accepted the Senate Amendment by a vote of 387 to 26. The bill now goes to the President for signature, with plenty of time to meet the Friday midnight deadline to enact the legislation.

House Passes HR 4510 – NTIA Reauthorization

Yesterday, the House began consideration of HR 4510, the National Telecommunications and Information Administration Reauthorization Act of 2023, under the suspension of the rules process. After about 14 minutes of debate, a recorded vote was demanded. That vote took place this evening. The House passed the bill by a vote of 374 to 36. The legislation now goes to the Senate.

The Senate is unlikely to take up HR 4510 under regular order. With 32 of the 36 nay votes coming from conservative fringe elements of the House, it would seem to be very likely that one of their compatriots in the Senate would object to the bill if it were offered under the Senate’s unanimous consent process. This would mean that the bill would have to be added to some other piece of major legislation as an amendment for this to move forward.

Short Takes – 5-15-24 – Space Geek Edition

Commercial Space Stations Approach Launch Phase – Blue Origin’s Orbital Reef aces milestones while Europe and China aim high. Spectrum.IEEE.org article. Pull quote: “Orbital Reef will be relying on some technologies developed for and spun off from the ISS project, which was completed in 2011 at a cost of US $100 billion. The new station will be operating on fractions of such budgets, with Blue Origin awarded $130 million of a total $415.6 million given to three companies in 2021.”

Intuitive Machines making upgrades to second lunar lander. SpaceNews.com article. Pull quote: “With a gap in CLPS missions after IM-3, Altemus said that the company is planning to fly a fully commercial mission after IM-3. “We have signed contracts with multiple payloads that we have been aggregating and holding,” he said, with enough in place to allow the company to proceed with a commercial mission as it continues to sign up additional customers for it.”

World-first aerospike rocket flight test ends in disaster. NewAtlas.com article. Pull quote: “In lab tests, the aerospike engine design can get around this [bell/altitude efficiency] issue. Effectively, aerospike designs use the ambient atmospheric pressure around the rocket as the external wall of their nozzles. The changing pressure at different altitudes combines with aerodynamic effects to change the size and shape of the envelope of air pressure around the engine, pushing the fiery goodness of the expanding gases back against the cross section of the half-bell to create more pressure, speed up the exhaust and focus the thrust.”

NASA’s Boeing Crew Flight Test Eyes Next Launch Opportunity. Blogs.NASA.gov blog post. Pull quote: “NASA and Boeing are developing spacecraft testing and operational solutions to address the issue. As a part of the testing, Boeing will bring the propulsion system up to flight pressurization just as it does prior to launch, and then allow the helium system to vent naturally to validate existing data and strengthen flight rationale. Mission teams also completed a thorough review of the data from the May 6 launch attempt and are not tracking any other issues.”

NASA’s Artemis Astronauts Will Help Grow Crops on the Moon—And Much More. ScientificAmerican.com article. Pull quote: “After considering myriad proposals, NASA has now announced three gadgets chosen to accompany the Artemis III crew members on their voyage: The Lunar Environment Monitoring Station (LEMS) package is a remarkably precise seismometer that is designed to listen out for moonquakes and survey the lunar geological underworld. The Lunar Effects on Agricultural Flora (LEAF) instrument will attempt to grow three crops on the moon and study how they respond to the mercurial, extreme environment. And the Lunar Dielectric Analyzer (LDA) will use the flow of electric currents through the lunar soil to detect the presence of volatiles, most notably water ice.”

Bills Introduced – 5-14-24

Yesterday, with both the House and Senate in session, there were 54 bills introduced. None of those bills will receive additional coverage in this blog.

I would like to mention one bill in passing:

HR 8374 To prohibit Federal interference with the interstate traffic of unpasteurized milk and milk products that are packaged for direct human consumption. Massie, Thomas [Rep.-R-KY-4]

With the recent discovery of viral fragments of the H5N1 virus in pasteurized cow’s milk from a variety of milk sources, the need for the pasteurization of whole milk as a public health measure has become even more apparent. Pasteurization destroys the ability of the H5N1 virus to replicate; that is how we ended up with ‘viral fragments’ of the virus in pasteurized milk. Bills of this type pander to the anti-science, anti-vaccination crowd and their paranoia about government health measures. Fortunately, this bill has little chance of being considered, much less passed, even in this House.

Tuesday, May 14, 2024

Short Takes – 5-14-24

Welcome to the Laser Wars. Wired.com article. Pull quote: “Beyond functional issues, there’s also the question of teaching service members to operate a laser effectively in a combat setting. The CRS report notes that “thermal blooming”—where a sustained laser beam heats up the air it’s passing through, which in turn defocuses the beam—makes head-on (or “down-the-throat”) shots against incoming targets less effective, a problem that will require a training and doctrinal fix in order to compensate. And while many of the US military laser weapons in development require minimal training to use (the BlueHalo Locust on which the P-HEL is based runs on an Xbox controller), the 2023 GAO assessment indicated that the US military will need to develop brand new “tactics, techniques, and procedures” for operating the novel systems in complex combat environments. The laser may work, but it’s up to service members to get the most out of it.”

Covert Connections. MediaDefense.gov technical article. Pull quote: “A 2023 report by the Defense Counterintelligence and Security Agency reveals that social networking ranks among the most common contact methods for adversary intelligence services, particularly those originating from East Asia and the Pacific. A consulting offer serves merely as the initial enticement, paving the way for further exploitation. In the digital age, the acquisition, storage, and analysis of personal information far surpass “any secret police files” compiled by the Soviets during the Cold War. Moreover, advancements in algorithms and artificial intelligence (AI) make analysis even more accessible.”

Supervisory Compliance Investigator. USAJobs.gov PHMSA job opening. Summary: “The incumbent serves as Chief Investigator within the Office of Hazardous Materials Safety (OHMS), Field Operations. The incumbent serves as the first line supervisor for the Pipeline and Hazardous Materials Safety Administration's (PHMSA) hazardous materials accident investigation staff.”

Strange, red-glowing planet may be 'melting from within,' scientists report. LiveScience.com article. Pull quote: “"This teaches us a lot about the extremes of how much energy can be pumped into a terrestrial planet, and the consequences of that," Kane said in the statement. "There have been several cases of terrestrial planets that are close to their star and heated by the energy from the star, but very few cases where the tidal energy is melting the planet from within," he told Universe Today.”

Cows might host both human and bird flus. ScienceNews.org article. Pull quote: “In the new study, Kristensen and colleagues tested whether cows have receptors that bird flu viruses can use to infect their cells. Not only did the team find such entry portals but also found that the receptors, especially the duck version, were abundant in the mammary glands, at low levels in the respiratory tract and at very low levels in the brain. That fits with the description of the illness in cows, Kristensen says, which affects milk production but doesn’t seem to make most cows very sick.”

Solar storms made GPS tractors miss their mark at the worst time for farmers. TheVerge.com article. Pull quote: “LandMark Implement, which owns John Deere dealerships in Kansas and Nebraska, warned farmers on Friday to turn off a feature that uses a fixed receiver to correct tractors’ paths. LandMark updated its post Saturday, saying it expects that when farmers tend crops later, “rows won’t be where the AutoPath lines think they are” and that it would be “difficult - if not impossible” for the self-driving tractor feature to work in fields planted while the GPS systems were hampered.”

How to Check If You’re Immune to Measles. ScientificAmerican.com article. Pull quote: “People born before 1957 are presumed to be immune to measles because they had it in childhood. Those born in 1957 or later, however, are likely protected only if they have been vaccinated. Initially, U.S. children received just one dose of the measles, mumps and rubella (MMR) vaccine, but that changed after a big measles outbreak that occurred from 1989 to 1991 and resulted in a reported 55,622 cases in the country. The outbreak killed 123 people and led to a congressional hearing.”

HR 7659 Passed in House – 2024 CG Authorization

This evening the House considered HR 7659, the Coast Guard Authorization Act of 2024, under the suspension of the rules process. After about 27 minutes of debate (and a 30 minute recess) the House voted to pass the bill by a strong bipartisan vote of 376 to 16. The bill now moves to the Senate for consideration.

Moving Forward

This is one of those bills that, in recent years, has typically been pasted onto one of the omnibus spending bills that have so enraged conservatives. Part of the reason is that while this bill is important, it is probably not politically important enough to take up the time of the Senate to consider it under regular order, especially with the approaching election. The 15 radical republican votes against the bill in the House probably mean that the Senate would not be able to consider the bill under the unanimous consent process; one or more of their Senate compatriots would object.

I have not yet seen a CG authorization bill for 2024 introduced in the Senate, but I am relatively certain that Sen Cantwell (D,WA), Chair of the Senate Commerce, Science and Transportation Committee, would propose substitute language if the bill were considered in the Senate. They would go through the three-cloture motion process that that body went through with the recent FAA bill. And it would be slowed down by the same wrangling over adding non-germane amendments that in recent years has slowed down progress so much in the Senate.

While the FAA is more intertwined with the commerce of this country (almost every county has an airport, there are many fewer ports or Coast Guard Stations), the CG is still an important part of the economy, and it needs to be reauthorized. So, the Senate leadership will probably find a way to get this bill considered, and hopefully before the August recess.

UAS Use Hearing – 5-16-24

Earlier today, in reporting on Congressional Hearings, I noted that without “a witness list it is hard to tell, but there is a possibility that UAS cybersecurity issues could be part of this topic.” Well, a witness list has since been published for Thursday’s hearing. It includes:

• John M. Chell, New York City Police Department,

• Kaz Daughtry, New York City Police Department,

• Kevin Fetterman, Orange County Fire Authority,

• Michael Robbins, Association for Uncrewed Vehicle Systems International, and

• Rahul Sidhu, Aerodome

It looks like Robbins and Sidhu were selected as witnesses for the technical background their organizations bring to the UAS as first responders topic. Robbins, in particular, has been working on UAS cybersecurity issues with CISA. It will be interesting to see if his testimony addresses the topic.

The controlling factor for this hearing is whether the committee staff has prepped any of the Members to ask cybersecurity related questions. If so, this could be an interesting hearing, but do not hold your breath.

Some questions that I would like to see asked:

• How much will GPS spoofing or jamming affect UAS use beyond visual line of sight?

• How often will RF signal dead spaces in urban areas interfere with UAS response?

• Will UAS vendors be proactive in notifying emergency response organizations about UAS cybersecurity vulnerabilities?

• How will emergency response teams respond to counter UAS technology used against friendly drones?



Review – 4 Advisories Published – 5-14-24

Today, CISA’s NCCIC-ICS published four control system security advisories for products from Mitsubishi Electric, Johnson Controls, SUBNET, and Rockwell Automation.

Advisories

Mitsubishi Advisory - This advisory describes 12 vulnerabilities in multiple Mitsubishi FA Engineering software products.

Johnson Controls Advisory - This advisory describes an insertion of sensitive information into log file vulnerability in the Johnson Controls Software House C●CURE 9000 security management system.

SUBNET Advisory - This advisory describes a reliance on insufficiently trustworthy components vulnerability in the SUBNET PowerSYSTEM Center product.

Rockwell Advisory - This advisory describes an unquoted search path vulnerability in the Rockwell Factory Talk Remote Access (FTRA) product.


For more details about these advisories, and a brief down-the-rabbit-hole look at simple OPSEC problems, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-published-5-14-24 - subscription required.

Committee Hearings – Week of 5-13-24

This week, with both the House and Senate in session, there is a relatively busy hearing schedule. FY 2025 budget hearings continue in the oversight committees. There is one markup hearing of note, a Chinese security risk hearing and a UAS use hearing.

Budget Hearings

Agency              House              Senate
EPA                 EC Subcommittee
TSA                 HS Subcommittee
NTIA                EC Subcommittee
DOD Acquisitions                       APP Subcommittee

Note: There is a problem with the links to the Senate Appropriations Committee this morning.

Markup Hearing

On Wednesday, the House Oversight and Accountability Committee will hold a markup hearing to consider six bills and three postal naming bills. The one bill of specific interest here is:

HR 5255: "To require covered contractors implement a vulnerability disclosure policy consistent with NIST guidelines, and for other purposes."

Chinese Threat Hearing

On Wednesday, the Cybersecurity, Information Technology, and Government Innovation Subcommittee of the House Oversight and Accountability Committee will hold a hearing on “Red Alert: Countering the Cyberthreat from China”. The witness list includes:

• Charles Carmakal, Mandiant,

• William Evanina, Former Director of the National Counterintelligence and Security Center,

• Rob Joyce, Former Special Assistant to the President and White House Cyber Security Coordinator,

• Steven M. Kelly, Institute for Security and Technology

Expect some FUD pointing by committee members.

UAS Uses

On Thursday, the Subcommittee on Emergency Management and Technology and the Subcommittee on Counterterrorism, Law Enforcement, and Intelligence, both of the House Homeland Security Committee, will hold a joint hearing on “Unmanned Aerial Systems: An Examination of the Use of Drones in Emergency Response”. No witness list is currently available.

Without a witness list it is hard to tell, but there is a possibility that UAS cybersecurity issues could be part of this topic.

On the Floor

The House will consider a relatively large number of bills on Tuesday (votes lasting through Wednesday) under their suspension of the rules process this week. Of interest here, this will include:

HR 4510 – NTIA Reauthorization Act of 2024, as amended,

HR 7659 – Coast Guard Authorization Act of 2024, as amended, and

Senate Amendment to HR 3935 – FAA Reauthorization Act of 2024.


Monday, May 13, 2024

Short Takes – 5-13-24

Agency Information Collection Activities: Safety Act Collection of Qualitative Feedback. Federal Register DHS/S&T 30-day ICR notice. Summary: “The Department of Homeland Security Science and Technology Directorate (S&T), DHS will submit the following information collection request (ICR) to the Office of Management and Budget (OMB) for review and clearance in accordance with the Paperwork Reduction Act of 1995. DHS previously published this information collection request (ICR) in the Federal Register on September 14, 2023, for a 60-day public comment period. Two comments were received by DHS. The purpose of this notice is to allow additional 30-days for public comments.” Comment due date: June 12th, 2024.

Mean Time Between Cyber Failures. SELINC.com article. Pull quote: “Figure 2 illustrates this revised state behavior for cybersecurity. A system is securely commissioned at Time t0. Then a security incident happens somewhere in the system at Time t1, resulting in the system becoming insecure. Security mitigations are applied, and the system is once again secure at Time t2. The system is secure until another security incident occurs at Time t3. The mean time between security failures (MTBSF) is the population average of (t2 – t3). The mean time to security repair (MTTSR) is the population average of (t1 – t2).” It is becoming increasingly apparent that this discussion should include a measure for the time between when a security incident occurs and the time it is discovered.
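As an added illustration (not from the SEL article or this post), the Python below computes MTBSF and MTTSR over a constructed incident timeline and adds the metric the comment above asks for: mean time to detection, the gap between an incident occurring and being discovered. Intervals are taken as later timestamp minus earlier timestamp; the incident dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, List


@dataclass(frozen=True)
class SecurityIncident:
    """One excursion from the secure state, in the terms of the SEL figure."""
    occurred: datetime    # t1: system becomes insecure
    detected: datetime    # when someone actually noticed (not in the SEL model)
    remediated: datetime  # t2: mitigations applied, system secure again

    def __post_init__(self) -> None:
        # A timeline that is not ordered is a data-entry error, not a metric.
        if not (self.occurred <= self.detected <= self.remediated):
            raise ValueError("incident must satisfy occurred <= detected <= remediated")


def _hours(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 3600.0


def mean_time_to_security_repair(incidents: List[SecurityIncident]) -> float:
    """MTTSR: average hours from incident (t1) to secure again (t2)."""
    return mean(_hours(i.remediated, i.occurred) for i in incidents)


def mean_time_to_detection(incidents: List[SecurityIncident]) -> float:
    """MTTD: average hours an incident went unnoticed before discovery."""
    return mean(_hours(i.detected, i.occurred) for i in incidents)


def mean_time_between_security_failures(incidents: List[SecurityIncident]) -> float:
    """MTBSF: average hours the system stays secure between one repair (t2)
    and the next incident (t3). Needs at least two incidents to define a gap."""
    ordered = sorted(incidents, key=lambda i: i.occurred)
    if len(ordered) < 2:
        raise ValueError("MTBSF needs at least two incidents")
    gaps = [_hours(nxt.occurred, prev.remediated) for prev, nxt in zip(ordered, ordered[1:])]
    if any(g < 0 for g in gaps):
        raise ValueError("overlapping incidents: next incident began before prior repair")
    return mean(gaps)


def security_availability_summary(incidents: List[SecurityIncident]) -> Dict[str, float]:
    """All three metrics in hours; 'undetected_share' is the fraction of insecure
    time spent before anyone knew, which is what the extra metric exposes."""
    insecure = sum(_hours(i.remediated, i.occurred) for i in incidents)
    undetected = sum(_hours(i.detected, i.occurred) for i in incidents)
    return {
        "mtbsf_hours": mean_time_between_security_failures(incidents),
        "mttsr_hours": mean_time_to_security_repair(incidents),
        "mttd_hours": mean_time_to_detection(incidents),
        "undetected_share": undetected / insecure if insecure else 0.0,
    }


# Constructed sample timeline (not real incident data).
SAMPLE_TIMELINE = [
    SecurityIncident(datetime(2024, 1, 10, 8), datetime(2024, 1, 25, 9), datetime(2024, 1, 27, 17)),
    SecurityIncident(datetime(2024, 3, 1, 12), datetime(2024, 3, 1, 14), datetime(2024, 3, 2, 12)),
    SecurityIncident(datetime(2024, 4, 15, 0), datetime(2024, 4, 20, 0), datetime(2024, 4, 22, 0)),
]

if __name__ == "__main__":
    for name, value in security_availability_summary(SAMPLE_TIMELINE).items():
        print(f"{name}: {value:.1f}")
```

In the sample data most of the insecure time is spent undetected, which is the point: MTTSR alone would credit the responders with a fast repair once the clock was visible to them.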

Pipedream ICS malware toolkit is a nightmare. PentestPartners.com blog post. Pull quote: “For administrators and controllers of OT networks, staying ahead of potential cyber threats is paramount. One proactive measure they can take is to conduct off-network compromise assessments. These take periodic forensic reviews of the estate, rather than in response to a known compromise, providing early warnings of Indicators of Compromise, without the need for continuous monitoring solutions.”

In the race for space metals, companies hope to cash in. ArsTechnica.com article. Pull quote: “Regardless of environmental pros and cons, making the leap to cosmic extraction will likely require further constraints on Earth—for example, stricter environmental regulations—that make space mining more appealing than digging another hole in the ground at home.”

Review – HR 7659 Introduced – CG Authorization

Back in March, Rep Graves introduced HR 7659, the Coast Guard Authorization Act of 2024. On March 20th, the House Transportation and Infrastructure Committee held a markup hearing that included HR 7659. Graves proposed substitute language for the bill in that hearing, which the Committee adopted by a vote of 53 to 3. On May 8th, 2024 the Committee published their report (not yet available from the GPO) on the bill. The House is scheduled to take up HR 7659 tomorrow under the suspension of the rules process.

Bill Overview

This review will use the reported version of the bill for simplicity's sake.

Sections of potential interest here:

§ 207 Report on establishment of unmanned systems capabilities office.

§ 401 Vessel response plans.

§ 404 Online incident reporting system.

Moving Forward

As mentioned above, the House is scheduled to take up the bill tomorrow. With 14 bills on the calendar, it is very likely that a final vote will not be held until sometime Wednesday. The leadership expects bipartisan support for the legislation, with sufficient support to receive the super majority required for passage under the suspension of the rules process.


For more details about the sections of interest, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-7659-introduced - subscription required.

Review - New HPE Security Information Products

Last week HPE issued a series of new security publications looking at past security vulnerabilities that may have affected customers using HPE products. These publications are called “Hewlett Packard Enterprise Critical Product Security Vulnerability Alerts”. While this program appears to have started in August of 2023, on May 6th, 2024, HPE published 43 specific alerts under this category. These reports do not appear to replace their standard security bulletins, but rather collect information from potentially multiple security bulletins and usually include a product impact assessment for each vulnerability (restricted access to registered customers).


For more information on these new security information products, including a list of current advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/new-hpe-security-information-products - subscription required. 

Saturday, May 11, 2024

Chemical Incident Reporting – Week of 5-4-24

NOTE: See here for series background.

Old Bridge, NJ – 5-1-24

Local news reports: Here, here, and here.

Explosion and fire at a smoke generator manufacturing facility. One dead and four transported to hospital. No report on damage sustained. The cause is currently unknown.

CSB reportable.

Chambersburg, PA – 5-5-24

Local news reports: Here, and here.

A material handling incident at a farm supply store resulted in a spill of ‘liquid chlorinator’. Minor health concerns were treated on scene. Interesting photo of scene.

Not CSB reportable.

Naples, FL – 5-8-24

Local news report: Here.

There was a traffic accident involving a pool supply company truck that was carrying 44 2.5-gallon containers of chlorine (probably sodium hypochlorite solution). No injuries were reported. Interesting photo of impact.

Not CSB reportable, it was a transportation accident, not a fixed site release.

CRS Reports – Week of 5-4-24 – H5N1 in Cattle

This week the Congressional Research Service published a report on “Highly Pathogenic Avian Influenza in Dairy Herds”. The report provides an overview of the recent detection of H5N1, or ‘Highly Pathogenic Avian Influenza’ (HPAI) in dairy cattle. It discusses the authorities and responsibilities for USDA’s Animal and Plant Health Inspection Service (APHIS), and the FDA in dealing with such disease outbreaks. It also describes the testing that has been done to date to establish the limits of the outbreak and its potential impact on the food supply. The report notes that no infections have been reported to date in beef cattle, only dairy cattle.

Commentary

If you have been following my Short Takes posts, you will be aware that I am watching this outbreak relatively closely. It is not a chemical security issue (duh), but after watching how well this country reacted to and responded to the COVID epidemic, I am interested in seeing how well the government responds to future potential epidemics. At this point, this is a low-threat disease for humans, which is a good thing. But…, this is influenza, a disease that is well known for its adaptability and mutagenicity. It deserves further watch and study.

This report is fairly straightforward reporting on the current status of the outbreak. What is missing is one of the mainstays of CRS reports, a look forward to the issues with which Congress might expect to have to deal. APHIS has a budget for animal testing activities. As the agency expands its support of H5N1 testing in dairy and beef cattle, this will inevitably take away funds from other animal testing activities. The report notes that (pg 2):

“In the case of dairy herd infections with H5N1, APHIS announced that the [National Animal Health Laboratory Network] NAHLN laboratories will be reimbursed for (1) testing suspect dairy cattle, (2) pre-movement testing, (3) tests requested by producers of asymptomatic cattle, and (4) testing of samples from other animals on dairies with HPAI infections.”

If APHIS is going to try to get an idea of how widespread this outbreak really is, numbers 3 and 4 above are going to be very important. Perhaps it would be reasonable for Congress to begin to consider setting aside additional monies for not just the reimbursement for the actual sample testing, but also support for organized sample collection efforts.

Transportation Chemical Incidents – Week of 4-6-24

Reporting Background

See this post for explanation, with an update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

Incidents Summary

• Number of incidents – 457 (430 highway, 24 air, 3 rail, 1 water)

• Serious incidents – 0 (0 Bulk release, 0 injuries, 0 deaths, 0 major arteries closed)

• Largest container involved – 25,000-gal DOT 117R100W railcar (Hydrocarbons, Liquid, N.O.S.) Loose manway bolts leaking. 5-gal leaked.

• Largest amount spilled – 400-lbs (Flammable Solids, Organic, N.O.S.) Improper blocking/bracing of load, plastic bags crushed.

Most Interesting Chemical: Tetrachloroethylene (PCE) - A toxic, clear colorless volatile liquid having an ether-like odor. Noncombustible. Insoluble in water. Vapors heavier than air. Boiling point 250°F. Still used in dry cleaning and metal cleaning operations. The EPA is in the rulemaking process to greatly reduce PCE uses, but it expects a 10-year phase out for dry cleaning.


Review – Public ICS Disclosures – Week of 5-4-24

This week we have 12 vendor disclosures from Aruba Networks, CODESYS, Honeywell, HP, Moxa, SEL (4), Socomec, and Westermo (2). There are also two vendor updates from Broadcom and HP. Eleven researcher reports are available for vulnerabilities in products from Dassault Systèmes (11). Finally, we have six exploits for products from Elber.

Advisories

Aruba Advisory - Aruba published an advisory that discusses the Terrapin-Attack vulnerability.

CODESYS Advisory - CODESYS published an advisory that describes two vulnerabilities in their Development System V2.3 products.

Honeywell Advisory - Honeywell published an end-of-life notice for their Pro-Watch 5.0 product.

HP Advisory - HP published an advisory that discusses an uncontrolled resource consumption vulnerability in their Teradici PCoIP Management Console.

Moxa Advisory - Moxa published an advisory that describes a cross-site scripting vulnerability in their NPort 5100A series products.

SEL Advisory #1 - SEL published an advisory that announced that the latest version of their Blueframe OS fixed three cybersecurity issues.

SEL Advisory #2 - SEL published an advisory that announced that the most recent SEL-3350-1 BIOS update fixed 10 vulnerabilities (nine of which have available exploits).

SEL Advisory #3 - SEL published an advisory that announced that the latest update for their SEL-3355-2/SEL-3360-2 Intel Management Engine included fixes for two vulnerabilities.

SEL Advisory #4 - SEL published an advisory that announced that the most recent SEL-3355-2/SEL-3360-2 BIOS update fixed 10 vulnerabilities (nine of which have available exploits).

Socomec Advisory - INCIBE-CERT published an advisory that describes two vulnerabilities in the Socomec NET VISION 7, UPS WEB/SNMP Ethernet Card.

Westermo Advisory #1 - Westermo published an advisory that describes four vulnerabilities in their EDW-100 serial to Ethernet converter.

Westermo Advisory #2 - Westermo published an advisory that describes a cleartext transmission of sensitive information vulnerability in their WeOS.

Updates

Broadcom Update - Broadcom published an update for their SANnav exposes Kafka advisory that was originally published on April 25th, 2024 and most recently updated on April 30th, 2024.

HP Update - HP published an update for their Plantronics Hub advisory that was originally published on December 20th, 2023.

Researcher Reports

Dassault Reports - The Zero Day Initiative published eleven reports for individual vulnerabilities in the Dassault Systèmes eDrawings Viewer.

Exploits

Elber Exploits - LiquidWorm published six exploits for vulnerabilities in three products from Elber.


For more details about these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-5-89b - subscription required.

Friday, May 10, 2024

HR 8289 Published – Short Term FAA Extension

The Congress.gov web site has now published the version of HR 8289, the Airport and Airway Extension Act of 2024, Part II, that was passed in the House on Wednesday. This is the same version (no amendments were made) that subsequently passed in the Senate.

This is a clean, short-term extension. It adds seven days to the existing expiration dates for a wide variety (see §102 for example) of FAA related programs. Provisions that were scheduled to expire today will now expire on May 17th; those that were set to expire on Saturday will now expire on May 18th, 2024.

The House is currently scheduled to take up the Senate’s amendment to HR 3935, the Securing Growth and Robust Leadership in American Aviation Act, on Tuesday under the suspension of the rules process. There are 13 other bills also scheduled to be considered on Tuesday, so it may end up being Wednesday before an actual vote is held on the Senate version of the legislation. Still, this should provide more than enough time for the bill to make its way to the White House for signature while keeping the FAA operating.

PHMSA Publishes 60-Day ICR Notice for 3 Hazmat ICR’s – 5-10-24

Today, DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) published a 60-day information collection request (ICR) notice in the Federal Register (89 FR 40535-40537) for renewals of three hazardous materials program information collections. The three covered collections are:

2137-0542 – Flammable Cryogenic Liquids,

2137-0591 – Response Plans for Shipments of Oil, and

2137-0621 – Requirements for United Nations (UN) Cylinders

The table below shows the proposed and current annual burden estimates for these three ICR’s:

ICR Burden            Proposed    Current
2137-0542
    Responses         36,400      36,400
    Hours             1,214       1,214
2137-0591
    Responses         8,000       8,000
    Hours             10,560      10,560
2137-0621
    Responses         210         210
    Hours             818         818


PHMSA is soliciting public comments on these ICR renewals. Comments may be provided through the Federal eRulemaking Portal (www.Regulations.gov; Docket # PHMSA-2024-0056). Comments should be submitted by July 9th, 2024.

Short Takes – 5-10-24 – Space Geek Edition

NASA watchdog report: 100+ cracks on heat shield biggest threat to human moon mission. Phys.org article. Pull quote: “NASA leaders say they are committed to fixing the heat shield but have admitted they might not be able to nail down the root cause for the damage. The report warned that NASA's plan to consider modifying Orion's reentry trajectory or redesigning the heat shield can also introduce unknown risks.”

Office of Commercial Space Transportation; Notice of Intent To Prepare an Environmental Impact Statement (EIS), Open a Public Scoping Period, and Hold Public Scoping Meetings. Federal Register FAA EIS notice. Summary: “This Notice provides information to Federal, State, and local agencies; Native American tribes; and other interested persons regarding the FAA's intent to prepare an EIS to evaluate the potential environmental impacts of issuing a commercial launch Vehicle Operator License to SpaceX for the Starship-Super Heavy launch vehicle at Launch Complex 39A (LC-39A) at Kennedy Space Center (KSC), Florida. SpaceX proposes to construct launch, landing, and other associated infrastructure at and in proximity to LC-39A. The proposal would also include Starship-Super Heavy launches at LC-39A; recoverable Super Heavy booster and Starship landings at LC-39A or on a droneship; and expendable Super Heavy booster and Starship landings in the ocean. The FAA will prepare the EIS in accordance with the National Environmental Policy Act of 1969, the Council on Environmental Quality Regulations for Implementing the Procedural Provisions of NEPA, and FAA Order 1050.1F, Environmental Impacts: Policies and Procedures, as part of its licensing process.” Comments due June 24th, 2024.

Sierra Space prepares to ship Dream Chaser to Florida. SpaceNews.com article. Pull quote: “The mission is the first of seven currently under contract to Sierra Space for NASA cargo missions to the ISS. The company is building a second Dream Chaser vehicle, called Reverence, that will be used with Tenacity on those missions and potential other applications. The company has also announced its intent to develop a crewed version of Dream Chaser.”

POLARIS Spaceplanes Moves Ahead with New MIRA Prototypes. EuropeanSpaceFlight.com article. Pull quote: “The demonstrators’ fiber-reinforced fuselage shells are currently being manufactured for POLARIS by Aachen-based company Up2-Tec. The company expects the shells to be delivered by June. Polaris teams will then complete a four-week assembly and integration period before preparing for a maiden flight.”

Aiming for Apophis. SpaceNews.com article. Pull quote: “Such [multiple agency] efforts need to come together quickly to get a spacecraft built and launched in time to reach Apophis before its 2029 flyby. “Decisions have to be made here in the next six months as to what we are going to do,” Johnson said, “because we are out of time.””

Redwire announces second VLEO satellite platform. SpaceNews.com article. Pull quote: “The Phantom bus is designed for missions at orbits below 300 kilometers, where atmospheric drag plays a much larger role, requiring more aerodynamic designs and propulsion to maintain orbit. Phantom can accommodate payloads weighing up to 50 kilograms, with a total spacecraft mass of up to 300 kilograms, according to company documents. The spacecraft uses electric propulsion to maintain its orbit for missions lasting as long as five years.”

Axiom Space eyes the moon while continuing to dream big in Earth orbit. Space.com article. Pull quote: “Axiom Space could contribute to Artemis missions in additional ways as well; the company is partnering with Astrolab and Odyssey Space Research on the FLEX lunar rover project, one of three private efforts that just received NASA funding for development work. One of these three private designs is expected to become the Lunar Terrain Vehicle (LTV), which Artemis astronauts will use to drive around on the moon.”

Senate Passes HR 3935 – FAA Reauthorization

Yesterday, the Senate concluded action on HR 3935, the Securing Growth and Robust Leadership in American Aviation Act, passing the bill by a vote of 88 to 4 (all nay votes were from Democrats). Earlier the substitute language (modified SA 1911) was adopted by unanimous consent. No other amendments were adopted. The bill will now go back to the House for action on the Senate’s amendment. That consideration will take place next week.

I reported yesterday that the House could take up the bill as early as today, but they are only meeting in pro forma session this morning, so consideration of the Senate version is not possible.

Just before adjourning yesterday, the Senate passed HR 8289, a bill to extend authorizations for the airport improvement program, to extend the funding and expenditure authority of the Airport and Airway Trust Fund, and for other purposes. That legislation passed by unanimous consent. While an official copy of that bill is still not available, the bill will, when signed by the President, extend the FAA’s authority through next week. This will allow time for the House to take up the Senate’s version of HR 3935. 

Thursday, May 9, 2024

Short Takes – 5-9-24

What you need to know about the historic cicada emergence. TheHill.com article. Pull quote: “That’s the conclusion of a paper published last October in Science, which found that more than 80 bird species switched from hunting their general prey to focus on cicadas — a nutrient pulse that boosts their offspring that year.”

Billionaire's 2nd SpaceX trip featuring spacewalk aims for early summer launch. Phys.org article. Pull quote: “While two will venture out, having all four exposed to the vacuum of space has never been done before. SpaceX is replacing the cupola window feature that Resilience flew with on Inspiration4 with an exit hatch instead. After the spacewalk, the crew will have to repressurize the capsule.”

Hazardous Materials: Harmonization With International Standards; Correction. Federal Register PHMSA final rule correction. Summary: “The Pipeline and Hazardous Materials Safety Administration is correcting a final rule that was published in the Federal Register on April 10, 2024. The final rule was published to maintain alignment with international regulations and standards by adopting various amendments, including changes to proper shipping names, hazard classes, packing groups, special provisions, packaging authorizations, air transport quantity limitations, and vessel stowage requirements. The corrections address several errors to the hazardous material entries in the hazardous materials table.” Effective date: May 10th, 2024.

China’s Chang’e-6 launched successfully — what happens next? Nature.com article. Pull quote: “In early June, the spacecraft will drop a lander, which aims to drill and scoop up two kilograms of soil and rocks. After that, an ascender will blast off from the lander and ferry the samples back to the orbiter for the trip back home. Thanks to Queqiao-2, the spacecraft and Earth will remain in contact during the mission’s crucial moments, such as the 15-minute descent and touchdown, the two-day sampling period and the 6-minute ascent.”

Interstellar cloud conditions yield ‘impossible molecule’. ChemistryWorld.com article. Methanetriol duplicated in lab. Pull quote: “‘Interstellar space has a lot of weird molecules that are not stable on Earth,’ comments Wilkins. ‘This makes the field [of astrochemistry] exciting, but also presents a challenge,’ she adds. Predicting the presence of ‘impossible molecules’ in space and the upper atmosphere requires an impressive imagination. For Kaiser, the importance of this discovery is also deeply symbolic. ‘The chemistry of the interstellar medium is more exotic and a continual source of new discoveries in chemistry,’ he says.”

New COVID ‘FLiRT’ variants show virus isn’t going away. TheHill.com article. Pull quote: “But fewer than 1 in 4 U.S. adults received the shots last fall, and there’s concern that low vaccination rates combined with mutating variants could be a recipe for a summer surge.”

TSA announces appointment of members to the Surface Transportation Security Advisory Committee. TSA.gov press release. Pull quote: “The STSAC members represent each mode of surface transportation, such as freight rail, highways, mass transit, over-the-road bus, passenger rail, pipelines, school bus industry and trucking among others. For a complete list, please see the STSAC Charter. The Committee also has 14 non-voting members who serve in an advisory capacity for two-year terms from the Departments of Defense, Energy, Homeland Security, and Transportation, as well as the Federal Bureau of Investigation.”

Survey: Chemical shippers still face rail-service issues. ProgressiveRailroading.com article. Pull quote: “"Moving goods through rail is critical to chemical distribution as it is the safest form of transportation for certain materials," said ACD President and CEO Eric Byer in a press release. "Unfortunately, freight-rail service has significantly deteriorated in recent years and the most recent ACD freight-rail survey shows members continue to struggle to receive consistent, on-time rail service."”

How Bird Flu Caught the Dairy Industry Off Guard. ScientificAmerican.com article. Pull quote: “Wild mammals that have been infected with avian influenza display serious respiratory and even neurological symptoms such as seizures. In contrast, infected cows are tricky to spot. “You need to look for it; it’s not something very apparent,” says Zelmar Rodriguez, a dairy veterinarian at Michigan State University, who has visited farms with H5N1-infected cows.”

Review – 3 Advisories and 1 Update Published – 5-9-24

Today, CISA’s NCCIC-ICS published three control system security advisories for products from Delta Electronics, alpitronic, and Rockwell Automation. They also updated an advisory for products from Rockwell.

Advisories

Delta Advisory - This advisory discusses a deserialization of untrusted data vulnerability (that is listed in CISA’s Known Exploited Vulnerabilities Catalog) in the Delta InfraSuite Device Master.

Alpitronic Advisory - This advisory describes a use of default credential vulnerability in the alpitronic Hypercharger EV charger high power charging station.

Rockwell Advisory - This advisory discusses two vulnerabilities in the Rockwell FactoryTalk Historian SE data management application.

Updates

Rockwell Update - This update provides additional information on the ControlLogix and GuardLogix advisory that was originally published on April 16th, 2024.


For more information on these advisories, including functioning links to vendor advisories and a down-the-rabbit-hole look at remote fixes, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-and-1-update-published-107 - subscription required.

Review - Senate Debate on HR 3935 – FAA Reauthorization – 5-9-24

Yesterday, the Senate continued their deliberations on HR 3935, the Securing Growth and Robust Leadership in American Aviation Act. There was one recorded vote on a motion to table the consideration of SA 2027, a placeholding amendment made by Sen Schumer (D,NY) that would send the bill back to Committee to change the effective date. The motion failed by a vote of 12 to 85. A unanimous consent motion was adopted to resume consideration of the bill today.

Moving Forward

Cloture votes for SA 1911 (the modified Senate substitute language) and the full bill are scheduled for today. If the bill passes, the House is scheduled to be in session tomorrow (it is not in session today), so it could potentially consider the Senate language under the suspension of the rules process and make it to the President’s desk before the FAA’s current authority expires at midnight. Lacking that, the House approved HR 8289 yesterday. The Senate could take up that short-term extension of the FAA authorities today or tomorrow.


For more information on yesterday’s consideration, including a look at a CFATS related amendment that was offered, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/senate-debate-on-hr-3935 - subscription required.
