Tuesday, July 2, 2024

Review – 3 Advisories and 4 Updates Published

Today, CISA’s NCCIC-ICS published three control system security advisories for products from ICONICS, mySCADA, and Johnson Controls. They also updated advisories for products from Johnson Controls.

Advisories

ICONICS Advisory - This advisory discusses five vulnerabilities (one with known exploit) in the ICONICS product suite.

mySCADA Advisory - This advisory describes a use of hard-coded credentials vulnerability in the mySCADA myPRO product.

Johnson Controls Advisory - This advisory describes an exposure of sensitive information to an unauthorized actor vulnerability in the Johnson Controls Kantech KT series door controllers.

Updates

Johnson Controls Update #1 - This update provides additional information on the Johnson Controls Illustra Essentials Gen 4 advisory that was originally published on June 27th, 2024.

Johnson Controls Update #2 - This update provides additional information on the Johnson Controls Illustra Essentials Gen 4 advisory that was originally published on June 27th, 2024.

Johnson Controls Update #3 - This update provides additional information on the Johnson Controls Illustra Essentials Gen 4 advisory that was originally published on June 27th, 2024.

Johnson Controls Update #4 - This update provides additional information on the Johnson Controls Illustra Essentials Gen 4 advisory that was originally published on June 27th, 2024.

For more information on these advisories, including links to 3rd party advisories, exploits, and a brief look at the timing of the Johnson Controls updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-and-4-updates-published-026 - subscription required.

Short Takes – 7-2-24 – Space Geek Edition

Astronauts Are Not Stuck on the I.S.S., NASA and Boeing Officials Say. NYTimes.com article. Pull quote: ““I think they’re doing their due diligence,” Wayne Hale, a retired NASA flight director, said in an interview. “Being in no hurry to come home, it makes a great deal of sense to take the time to gather as much information as possible so that they can make sure that the problems are all fixed. That makes a great deal of sense, to take your time.””

If alien life exists on Europa, we may find it in hydrothermal vents. LiveScience.com article. Pull quote: “They found that not only could moderately warm vents be maintained over a wide range of conditions on these moons, but that the low gravity allowed for warmer temperatures emanating from the vents. In addition, the low efficiency of heat extraction from the core of the moons (which are thought to be pretty cool in the first place) in the low gravity would allow such moderate- to low-temperature vents to be maintained for possibly billions of years.”

NASA's ISS Spacesuit Situation Turns Grim. Gizmodo.com article. Pull quote: “In a report released in January 2019, NASA’s Aerospace Safety Advisory Panel reviewed the increasing challenges of the spacesuits. “It is an undeniable fact that the 40-year-old EMUs used in ISS operations are reaching the end of their useful life,” the report read. “NASA cannot maintain the necessary, ongoing low-Earth orbit operations without fully functional EVA suits.””

Turion wins Space Force contract for debris-capture technology. SpaceNews.com article. Pull quote: “While Turion’s long-term goal is to provide a debris removal service, the company is currently focused on hosting space domain awareness payloads to generate steady revenue. Turion plans to offer three payload hosting options: Droid Alpha Mini, Droid Alpha, and Droid Alpha Enhanced Mobility with ion thrusters.”

Technical failures leave Starliner crew 'not stranded' on ISS indefinitely. NewAtlas.com article. Pull quote: “Boeing says that there is a "parallel path" for the next Starliner flight in February 2025, though how this will happen without certification hasn't been explained. That means that the only choices are a Russian Soyuz or a SpaceX Dragon. The former would be a major international embarrassment that the United States would rather avoid, especially in an election year, while the latter would see Boeing dining out on crow for the foreseeable future.”

Orbit Fab completes ground test of satellite fueling payload. SpaceNews.com article. Pull quote: “Speaking at the recent “State of the Space Industrial Base” conference in Albuquerque, Roth emphasized the importance of on-orbit refueling. “We want to get those technologies on orbit, test them out in an operational environment, and hedge our bets because we don’t know which one will work, and which one will work better than the other,” Roth said, referring to Orbit Fab’s and Northrop Grumman’s refueling hardware.”

Monday, July 1, 2024

Short Takes – 7-1-24

Honeywell sees space opportunity with $1.9 billion CAES acquisition. SpaceNews.com article. Pull quote: “Honeywell, which is helping qualify satellite laser communications terminals for the Pentagon’s Space Development Agency, is present in multiple markets, including aviation and energy. The group reported $36.7 billion in revenue for 2023.”

NASA and SpaceX misjudged the risks from reentering space junk. ArsTechnica.com article. Pull quote: “"During its initial design, the Dragon spacecraft trunk was evaluated for reentry breakup and was predicted to burn up fully," NASA said in a statement. "The information from the debris recovery provides an opportunity for teams to improve debris modeling. NASA and SpaceX will continue exploring additional solutions as we learn from the discovered debris."”

DISA grapples with mounting ‘technology debt’ amid evolving cyber threats. BreakingDefense.com article. Pull quote: ““Let’s continue to still have clear resources on legacy [systems] to make sure that they’re secure and defending our DODIN [DoD Information Network], but in the meantime, also rushing to the horizon to say now, ‘How do we move off of this so we can do better?’ So we can free up capacity and resources to be able to do the things that our warfighters need.””

Chinese Rocket Accidentally Launches During Test, Then Crashes. NYTimes.com article. Pull quote: ““Multiple things probably would have had to go wrong for this failure to happen the way it did,” Dr. Tucker said, adding that although China’s national space program was advanced, its commercial space industry is fairly young.”

Review - S 4045 Reported in Senate – E Palestine Health Study

Last month, the Senate Health, Education, Labor and Pensions Committee ordered S 4045, the East Palestine Health Impact Monitoring Act of 2024, reported favorably without a report. The Committee met on May 23rd, 2024 and adopted substitute language for the bill. The reported version of the bill is a significant rewrite of the legislation, changing study responsibility requirements, timelines, and funding. The bill is now cleared for potential action by the full Senate.

Moving Forward

This bill is now cleared for potential action by the full Senate. Normally, I would say that this bill is not politically important enough to take up the time of the Senate, but I suspect that this bill could be considered as a stand-in for taking action on hazmat rail shipment issues that were highlighted by the E. Palestine train derailment. Railroads are fighting those rail safety bills hard but would have little objection to this bill. Still, I would expect that the leadership would try to pass this by unanimous consent.

For more details about the changes made in the reported version of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-4045-reported-in-senate - subscription required.

Review - S 4443 Report Published – FY 2025 Intel Authorization

After initially ordering S 4443, the Intelligence Authorization Act for Fiscal Year 2025, reported without a written report, the Senate Intelligence Committee published their report on the bill. In addition to providing summaries of the requirements of various sections of the bill, the report provides two additional discussions about cybersecurity related topics.

Moving Forward

As with most authorization bills, the Senate is not expected to take up S 4111; rather, they will take up the House bill (HR 8512), which was just recently reported. The Senate will take up the House-passed language of that bill and immediately offer the language from S 4111 as substitute language for the purpose of the debate in the Senate. A conference committee will subsequently iron out the differences between the two versions of the legislation.

For more details about the two new cybersecurity discussions, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-4443-report-published - subscription required.

 