Tuesday, August 13, 2024

Short Takes – 8-13-24

Scientists find oceans of water on Mars. It's just too deep to tap. Phys.org article. Pull quote: “The new paper [link added] analyzed the deeper crust and concluded that the "available data are best explained by a water-saturated mid-crust" below Insight's location. Assuming the crust is similar throughout the planet, the team argued, there should be more water in this mid-crust zone than the "volumes proposed to have filled hypothesized ancient Martian oceans."”

Methylene Chloride Standard; Extension of the Office of Management and Budget's (OMB) Approval of Information Collection (Paperwork) Requirements. Federal Register OSHA 60-day ICR Notice. Summary: “OSHA is requesting that OMB extend the approval of the information collection requirements contained in the Methylene Chloride Standard. The agency is requesting an adjustment increase in the burden hours amount from 61,813 hours to 65,555 hours, a difference of 3,742 hours. This increase is due to an increase in the number of establishments from 84,595 to 89,760.” Does not take into account chemical use changes that will result from EPA’s new methylene chloride TSCA rule.

Invasive Joro Spiders Keep Their Cool Even when Stressed. ScientificAmerican.com article. I have seen two of these in my West-Central Georgia yard. Pull quote: ““We see some spiders that are more urban-tolerant [and] some spiders that are less urban-tolerant, so if you can start to uncover the physiological or behavioral differences, that can start to help us understand more about the species ecology,” says Erin Grabarczyk, a biologist at Valdosta State University in Georgia, who was not involved in the study but has researched Joro spider ecology. It would be interesting to study differences within the species, Grabarczyk adds, noting that individual spiders in Davis’s study seemed to have varying stress responses.”

Virginia Tech food scientist dispels the myths behind cast iron pan use. D.NewsWise.com article. Pull quote: “Proper seasoning is where many of the myths surrounding the classic cookware arise. Seasoning involves adding a small amount of oil or fat to the pan and allowing it to polymerize. During this process, the oil molecules react to heat and combine to form larger molecules. This creates a thin protective layer in the pan that prevents rust and gives it its nonstick properties.”

Review – 10 Advisories Published – 8-13-24

Today, CISA’s NCCIC-ICS published ten control system security advisories for products from Rockwell Automation (8), Ocean Data Systems, and AVEVA.

NOTE: The Ocean advisory also applies to an AVEVA product.

Advisories

ControlLogix Advisory #1 - This advisory describes an improper input validation vulnerability in the Rockwell ControlLogix, CompactLogix and GuardLogix products.

ControlLogix Advisory #2 - This advisory describes an improper input validation vulnerability in the Rockwell ControlLogix, CompactLogix and GuardLogix products.

ControlLogix Advisory #3 - This advisory describes an improper check for unusual or exceptional conditions vulnerability in the Rockwell ControlLogix 5580 and GuardLogix 5580 products.

Micro850/870 Advisory - This advisory describes an uncontrolled resource consumption vulnerability in the Rockwell Micro850/870 PLCs.

FactoryTalk Advisory - This advisory describes an incorrect permission for critical function vulnerability in the Rockwell FactoryTalk View Site Edition.

DataMosaix Advisory - This advisory describes an improper authentication vulnerability in the Rockwell DataMosaix Private Cloud.

Pavilion8 Advisory - This advisory describes a missing encryption of sensitive data vulnerability in the Rockwell Pavilion8 model predictive control software.

AADvance Advisory - This advisory discusses two vulnerabilities in the Rockwell AADvance Standalone OPC-DA Server.

Ocean Advisory - This advisory describes two vulnerabilities in the Ocean Dream Report, a report generating and delivery software, and the AVEVA Reports for Operations 2023 software.

AVEVA Advisory - This advisory describes an allocation of resources without limits or throttling vulnerability in the AVEVA SuiteLink Server.


For more information on these advisories, including links to 3rd party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/10-advisories-published-8-13-24 - subscription required.

Review - HR 8741 Introduced – Vehicle ICTS National Security Review

Back in June, Rep Slotkin (D,MI) introduced HR 8741, the Connected Vehicle National Security Review Act. The bill would codify the establishment of the current Office of Information and Communications Technology and Services (OICTS) within the Department of Commerce’s Bureau of Industry and Security (BIS). It would provide specific authority to monitor and mitigate risks associated with ICTS related to connected vehicles. No new funding is authorized by this legislation.

Moving Forward

Slotkin is not a member of the House Foreign Affairs Committee to which this bill was assigned for consideration. This means that there would not be enough influence to see this bill considered by the Committee. I expect that there would be some level of bipartisan support for this bill were it considered. I suspect that there would be sufficient support for it to be considered under the suspension of the rules process.

Commentary

The OICTS is currently operating under the broad authority of the International Emergency Economic Powers Act (50 USC 1701 et seq) and four executive orders (EO 13873, EO 13984, EO 14034, and EO 14110). This means that its continued existence could be terminated by a new administration by a relatively simple administrative order. Codifying its existence in statute would make it much more difficult to disband.


For more information on the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-8741-introduced - subscription required.

Monday, August 12, 2024

Short Takes – 8-12-24

Seven people have been taken to hospital with breathing difficulties following a major fish tank leak in east London. LBC.co.uk article. Pull quote: “It's believed that halide lights, commonly used to sustain coral in domestic fish tanks, can spark what's known as heat stress in corals not submerged in water. The process leads to the release of palytoxin, the toxin involved in the leak.” Palytoxin geeky reference.

Weapons: Red Sea Rebels Switch to Bomb Boats. StrategyPage.com article. Pull quote: “Because the USVs explode at the waterline, the damaged ship portions quickly fill with water and the ship often sinks. Since November 2023 the Yemeni rebels have launched more than 70 attacks with missiles and USVs. The attacks are uncoordinated and often inept but quantity has a quality all its own and, so far, two cargo ships have been sunk and two ships captured and held for ransom by the rebels. One captured ship was released while the other remains in rebel custody.”

Blue Origin tests out New Glenn rocket recovery crane at Port Canaveral. Phys.org article. Pull quote: “The 375-foot-tall crane arrived to the port from Germany last October and will be used when New Glenn's booster returns to the port on its "sea-based landing platform," similar to how SpaceX lands its Falcon 9 boosters on droneships.”

Can Dirt Clean the Climate? NYTimes.com article (free). Pull quote: “To Alan Richardson, a soil biologist at the Commonwealth Scientific and Industrial Research Organization, a government agency in Australia, the concept of using fungi to store carbon underground makes sense. But it would work only if farmers applied the fungi year after year, allowing the soil to build carbon over many years.”

Nights in Las Vegas Are Becoming Dangerously Hot. NYTimes.com article. Pull quote: “That growth has translated to more roads, more cars, more houses — across a sprawling area — creating one of the most intense urban heat island effects in the United States. At night, the heat trapped inside asphalt and buildings exhales back into neighborhoods, making the city 20 to 25 degrees hotter than the surrounding desert.”

Review - S 4802 Introduced – FY 2025 IER Spending

Last month, Sen Merkley (D,OR) introduced S 4802, the Department of the Interior, Environment, and Related Agencies Appropriations Act, 2025. The Senate Appropriations Committee published their Report on the bill. The bill contains one minor cybersecurity mention. It also includes funding for the Chemical Safety Board. The Committee Report includes two cybersecurity discussions, a discussion about the CSB, and three chemical safety issues.

The House version of this bill is HR 8998 [removed from paywall]. That bill passed in the House on July 24th, by a straight party-line vote of 210 to 202.

Moving Forward

As noted above, the House passed HR 8998 last month. If the Senate takes up that bill (and the chances are rather slim), the language from this bill will be substituted for the House language as the starting point for the debate. While there will be sufficient bipartisan support for this language in the Senate for passage, there will be some Republicans that will attempt to stall debate.

Ultimately, the chances of any individual spending bill getting to the President’s desk this session are vanishingly small. We are most likely going to see a continuing resolution by the end of next month. With Republicans less confident in Trump's election we are likely to see an end date for that CR early in December. A positive (for the Republicans) election result will likely see a second CR pushing the final date of an omnibus (or two minibus) spending bill until next Spring. A negative result will likely see a spending bill on Biden’s desk in December.


For more details about the provisions in this bill and the discussions in the Committee Report, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-4802-introduced - subscription required.

Saturday, August 10, 2024

Short Takes – 8-10-24

NASA Explores Industry, Partner Interest in Using VIPER Moon Rover. Science.NASA.gov article. Pull quote: ““NASA thanks everyone who provided expressions of interest in using VIPER and looks forward to learning more about how potential partners envision accomplishing NASA’s science and exploration goals with the rover,” said Nicola Fox, associate administrator, Science Mission Directorate at NASA Headquarters in Washington. “We want to make the best use possible of the engineering, technology, and expertise that have been developed by this project to advance scientific knowledge of the Moon. Partnership opportunities on VIPER would allow us to do this without impacting our future cadence of commercial deliveries to the Moon, to continue lunar science and exploration for everyone’s benefit.” SAM.gov notice - https://sam.gov/opp/31284effc2ba4da4978a6dde931b6250/view

Phasedown of Hydrofluorocarbons: Restrictions on the Use of HFCs Under the AIM Act in Variable Refrigerant Flow Air Conditioning Subsector; Reopening the Comment Period. Federal Register EPA comment period extension. Summary: “On June 26, 2024, EPA published a proposed rule titled, Phasedown of Hydrofluorocarbons: Restrictions on the Use of Hydrofluorocarbons under the American Innovation and Manufacturing Act in Variable Refrigerant Flow Air Conditioning Subsector, to allow one additional year for the installation of certain residential and light commercial air conditioning and heat pump variable refrigerant flow systems. The proposed rule did not include notice that the Agency would hold a public hearing if one were requested. This notice reopens the comment period specifically to provide an opportunity to request a public hearing on this rulemaking if one is desired.” New comment deadline: August 19th, 2024.

Task Force for Reviewing the Connectivity and Technology Needs of Precision Agriculture in the United States. Federal Register FCC meeting notice. Summary: “In accordance with the Federal Advisory Committee Act, this notice advises interested persons that the Federal Communications Commission's (FCC or Commission) Task Force for Reviewing the Connectivity and Technology Needs of Precision Agriculture in the United States (Task Force) [link added] will hold its next meeting via live internet link.” Teleconference date: September 18th, 2024. No mention of potential cybersecurity issues on the Task Force web site.

National Security Telecommunications Advisory Committee. Federal Register DHS meeting notice. Agenda: “The NSTAC will hold a meeting via teleconference on Tuesday, August 27, 2024, from 2:00 to 3:00 p.m. EDT to discuss current NSTAC activities and the government's ongoing cybersecurity and NS/EP communications initiatives. This meeting is open to the public and will include: (1) remarks from the administration and CISA leadership on salient NS/EP and cybersecurity efforts; (2) discuss and provide background on potential study topics; and (3) a status update on the Principles for Baseline Security Offerings from Cloud Service Providers Study.”

The AI scams infiltrating the knitting and crochet world - and why it matters for everyone. ZDNet.com article. This one is for my wife. Pull quote: “Rose also points out that beginners might not realize the pattern is flawed. They might get discouraged when their hard work doesn't pan out, thinking they're not good at crocheting or knitting, and give up on the craft -- when the real culprit is an inaccurate AI-generated pattern.” Includes 8 tips for spotting AI-generated patterns.

NASA Investigation Finds Boeing Hindering Americans’ Return to Moon. FlyingMag.com article. Pull quote: ““According to NASA officials, the welding issues arose due to Boeing’s inexperienced technicians and inadequate work order planning and supervision,” the OIG says. “The lack of a trained and qualified workforce increases the risk that Boeing will continue to manufacture parts and components that do not adhere to NASA requirements and industry standards.””

Chemical Incident Reporting – Week of 8-3-24

NOTE: See here for series background.

Denver, CO – 8-3-24

Local news reports: Here.

Sodium hypochlorite spill at water treatment facility. Minor eye irritation, but no serious injuries. No reported damages.

Not CSB reportable.

Webster, TX – 8-7-24

Local news reports: Here, here, here, and here.

Chlorine gas release due to mixing sodium hypochlorite and sulfuric acid (possibly in a storage tank). The heat of reaction probably also produced a water vapor cloud which aggravated exposure issues. Sixteen employees and contractors were transported to hospital.

Possible CSB reportable depending on if any of the people transported to the hospital were admitted.

Commentary

With an 8-hour reporting standard {40 CFR 1604.3(c)}, should facilities consider initiating a report when they know that at least one individual has been transported to the hospital, rather than waiting to find out if they have been admitted? The effort to complete the CSB’s reporting form is relatively small, and there is no legal downside (the CSB is not a regulatory agency) to reporting an incident that ends up not meeting the covered incident standard set out in §1604.3(a). On the other hand, while the 8-hour reporting standard is a legally enforceable standard, and the clock starts at the time of the release, the CSB has shown no inclination to aggressively enforce this rule.

The whole point of this regulation is to ensure that the CSB has sufficient information to determine if they should conduct an investigation of the incident. The earlier they receive the incident information, the sooner they can get to the site (if deemed necessary) to begin the process of securing and processing the scene. Thus, I would argue that early reporting is to be recommended, even if it means that incidents that end up not being covered by the standard periodically get reported.

CRS Reports – Week of 8-3-24 – Small Business Cybersecurity

This week the Congressional Research Service published a report on “The Cybersecurity for Small Business Pilot Program”. This program was started in 2022 and was designed to provide grants to States to help deliver cybersecurity assistance to nascent and start-up business owners. It has distributed $9 million in grant funds to date. An additional $3 million in grants is slated to be issued later this year.

This report looks at the history of the program and briefly lists other federal programs to help small businesses with cybersecurity issues. It concludes with an ‘issues for Congress’ section that looks at options available to Congress to continue, modify, or redirect the program.

Review – Public ICS Disclosures – Week of 8-3-24

This week we have 18 vendor disclosures from Bosch, Broadcom, B&R, Carrier, Hitachi (11), HPE (2), and SEL. There are also seven vendor updates from Broadcom (3), Cisco (2), HPE, and VMware. Finally, we have four researcher reports about vulnerabilities in products from Johnson Controls, Korenix, PLANET Technology, and Unitronics.

Advisories

Bosch Advisory - Bosch published an advisory that discusses four vulnerabilities (all with available exploits) in their DIVAR IP all-in-one Devices.

Broadcom Advisory - Broadcom published an advisory that discusses 22 vulnerabilities (11 with publicly available exploits) in their Brocade ASCG.

B&R Advisory - B&R published an advisory that discusses six vulnerabilities in their Automation Runtime product.

Carrier Advisory - Carrier published an advisory that discusses a supply chain attack that affected their LenelS2 NetBox products.

Hitachi Advisory #1 - Hitachi published an advisory that discusses an HTTP request/response smuggling vulnerability in their Cosminexus product.

Hitachi Advisory #2 - Hitachi published an advisory that discusses an incomplete cleanup vulnerability in their Automation Director, Infrastructure Analytics Advisor and Ops Center products.

Hitachi Advisory #3 - Hitachi published an advisory that describes an unquoted search path vulnerability in their Device Manager.

Hitachi Advisory #4 - Hitachi published an advisory that discusses six vulnerabilities (including three with publicly available exploits) in their Ops Center Analyzer viewpoint and Ops Center Viewpoint products.

Hitachi Advisory #5 - Hitachi published an advisory that discusses two vulnerabilities (one with publicly available exploits) in their Configuration Manager and Ops Center API Configuration Manager products.

Hitachi Advisory #6 - Hitachi published an advisory that discusses an XMM register corruption vulnerability in their Configuration Manager and Ops Center API Configuration Manager products.

Hitachi Advisory #7 - Hitachi published an advisory that discusses the Terrapin Attack vulnerability.

Hitachi Advisory #8 - Hitachi published an advisory that describes an EL injection vulnerability in their Tuning Manager product.

Hitachi Advisory #9 - Hitachi published an advisory that discusses six vulnerabilities in their Cosminexus Developer's Kit for Java and Hitachi Developer's Kit for Java products.

Hitachi Advisory #10 - Hitachi published an advisory that discusses six vulnerabilities in multiple products.

Hitachi Advisory #11 - Hitachi published an advisory that discusses 71 vulnerabilities in their Disk Array Systems.

HPE Advisory #1 - HPE published an advisory that describes an SMM lock bypass vulnerability in their ProLiant AMD Servers.

HPE Advisory #2 - HPE published an advisory that discusses the regreSSHion vulnerability. HPE reports that their Athonet products are affected.

SEL Advisory - SEL published a version update notice for their Compass product that reports that the new version includes cybersecurity enhancements.

Updates

Broadcom Update #1 - Broadcom published an update for their Privilege escalation using switch commands advisory that was originally published on September 13th, 2022 and most recently updated on September 20th, 2022.

Broadcom Update #2 - Broadcom published an update for their libxml2 advisory that was originally published on July 30th, 2024.

Cisco Update #1 - Cisco published an update for their Blast-Radius advisory that was originally published on July 10th, 2024 and most recently updated on August 2nd, 2024.

Cisco Update #2 - Cisco published an update for their regreSSHion advisory that was originally published on July 2nd, 2024 and most recently updated on July 26th, 2024.

HPE Update - HPE published an update for their Fiber Channel and SAN Switches advisory that was originally published on August 1st, 2024.

VMware Update - Broadcom published an update for their VMware Workspace ONE advisory that was originally published on April 6th, 2024.

Researcher Reports

Johnson Controls Report - Nozomi Networks published a report describing five vulnerabilities in the Johnson Controls’ exacqVision Web Service.

Korenix Report - CyberDanube published a report that describes three vulnerabilities in the Korenix JetPort Ethernet switch. An exploit was also published for the three vulnerabilities.

Planet Technology Report - IOActive published a report that describes three vulnerabilities in the PLANET IGS-4215-16T2S switch.

Unitronics Report - Claroty published a report that describes two vulnerabilities in Unitronics PLCs/HMI that have been exploited in the wild.


For more details about these disclosures, including links to 3rd party advisories and exploits, see my article at CFSN Detailed Analysis – https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-8-bbf - subscription required.

Friday, August 9, 2024

Short Takes – 8-9-24

Logistics: Russian Army Transport Disaster. StrategyPage.com article. Interesting look at anti-truck warfare. Pull quote: “Since 2022 Ukraine has continued its war on Russian truck transport. Recently long-range Ukrainian UAV attacks into Russia hit three Russian truck manufacturing plants. Without trucks Russian forces cannot move, and if enough trucks are destroyed, Russian troops can’t survive in Ukraine and must withdraw.”

Ship Brings Rocky Clues to Life’s Origins Up From Ocean’s ‘Lost City’. NYTimes.com article. Pull quote: “Its [Lost City] discovery, however, marked the scientific debut of a new class of deep spring very different from those previously studied, in which rock chimneys spew extraordinarily hot water black with minerals, nicknamed black smokers. In contrast, Lost City was located not atop the Mid-Atlantic rift but off to one side, its fluids cooler and spires taller.”

Powering Enzymes with Light to Make Ammonia. NewsWise.com article. Pull quote: “This biohybrid approach uses sunlight to drive the energy-demanding conversion reactions that can mitigate the co-production of greenhouse gases. The standard approach to making ammonia is the Haber-Bosch process. This process produces about 150 million metric tons (MmT) of ammonia per year but requires large amounts of energy and also produces about 280 MmT of carbon dioxide (CO2). The new process uses sunlight to catalyze NH3 production without generating CO2. It is also an attractive way to produce NH3 fertilizers close to where they will be used, minimizing CO2 emissions from shipping to farms. Making this process a reality requires understanding how to couple sunlight to drive the reaction.”

US Space Force will make history when SpaceX's Crew-9 mission launches in September. Space.com article. Fluff piece. Pull quote: “It will be only the second time astronauts have launched from a Space Force installation, and the first time the service sends an active Guardian to space from any facility. It will also be the first-ever crewed launch from SLC 40, and the first SpaceX mission to splash down in the Pacific Ocean when it concludes.”

Review - HR 8775 Introduced – CI Contingency Plan

Back in June, Rep Crenshaw (R,TX) introduced HR 8775, the Contingency Plan for Critical Infrastructure Act. The bill would require CISA to submit to Congress a “joint sector-by-sector assessment on the ability of critical infrastructure owners and operators to operate critical systems in a manual operating mode during cyber incidents.” It would also require FEMA to update their “Planning Considerations for Cyber Incidents” last published November 7th, 2023. No new funding is authorized by this legislation.

Moving Forward

While Crenshaw is not a member of the House Homeland Security Committee to which this bill was assigned for primary consideration, his sole cosponsor {Rep Magaziner (D,RI)} is a member. This means that there may be sufficient influence to see the bill considered in Committee. I suspect that a number of process manufacturing and distribution organizations would object to the government suggesting that they should be able to switch to manual operation in the event of a cyberattack. That opposition will ultimately result in pressure on members to oppose the bill. While this is not a partisan issue, I do not expect to see sufficient support in Committee to move this bill forward.

Commentary

With the increase in attacks on operational control systems, and a larger increase in the number of instances where cyberattacks on business assets result in preventative shutdowns of those control systems, it would seem obvious that organizations should want to be able to switch to some sort of system control that does not rely on vulnerable automated control systems. Unfortunately, the more complex the manufacturing/distribution system is, the wider the gap between ‘want to’ and ‘able to’ switch to ‘manual operation’. In the most complex systems (petrochemical refineries, for instance), there are certainly not enough trained personnel on site to go back to the old, pre-automation control processes.


For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-8775-introduced - subscription required.

Transportation Chemical Incidents – Week of 7-6-24

Reporting Background

See this post for explanation, with the most recent update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

Incidents Summary

• Number of incidents – 695 (581 highway, 109 air, 5 rail, 0 water)

• Serious incidents – 4 (6 Bulk release, 0 evacuation, 0 injury, 0 death, 1 major artery closed, 0 fire/explosion, 28 no release)

• Largest container involved – 30,290-gal DOT117R100W railcar {Hydrocarbons, Liquid, N.O.S.} Leaking bottom outlet valve.

• Largest amount spilled – 41,250-gal Tank truck {Sodium Hydroxide, Solid} Tank truck roll-over accident damaged 50-lb sacks of product.

NOTE: Links above are to Form 5800.1 for the described incidents.

Most Interesting Chemical: Hexachlorobutadiene - A colorless liquid with a mild odor. Insoluble in water and denser than water. Nonflammable. May be toxic by ingestion or inhalation. Used as a solvent and heat transfer fluid. Rapidly decomposes rubber on contact (Source: CameoChemicals.NOAA.gov).


Short Takes – 8-9-24 – Space Geek Edition

NASA Says Boeing Starliner Astronauts May Fly Home on SpaceX in 2025. NYTimes.com article. Pull quote: “Under the contingency plan, the next SpaceX Crew Dragon capsule would travel to the space station with only two astronauts instead of four. Ms. Williams and Mr. Wilmore would then join as full-fledged members of the space station crew for a half-year stay and return on the Crew Dragon around next February.”

NASA says chances are growing that astronauts may switch from Boeing to a SpaceX ride back to Earth. Phys.org article. Pull quote: “The next crew flight will be SpaceX's 10th for NASA. On Tuesday, it was delayed for a month until late September to allow for extra time to figure out how best to handle Starliner's return. Three NASA astronauts and one Russian are assigned to the flight, and managers on Wednesday declined to say who might be bumped.”

Drop it like it’s hot: Space Rider model falls gracefully. ESA.int article. Pull quote: “The Space Rider project is an uncrewed laboratory about the size of two minivans that will be able to stay in orbit for up to two months. The spacecraft comes in two parts, an orbital module that supplies everything it needs to fly around our planet and a reentry module that brings Space Rider and its experiments back to Earth.”

SpaceX targeting Aug. 26 for historic Polaris Dawn astronaut mission. Space.com article. Pull quote: “The news [August 26th projected launch date], which the Polaris Dawn team announced today (Aug. 7) via a post on X, firms up a previously vague window; the most recent target for the groundbreaking mission was mid-August.”

Terraforming Mars could be easier than scientists thought. Science.org article. Pull quote: “Mars could warm by about 10°C within a matter of months, the team found, despite requiring 5000 times less material than other proposed greenhouse gas schemes. The 2 million tons of [9-micrometer-long rods] particles still represent about six Empire State Buildings, and roughly 0.1% of the industrial metals mined on Earth each year. But because the rods’ raw materials exist on Mars, people could mine them on the Red Planet, the team says, eliminating the need for transport from Earth.”

This futuristic space habitat is designed to self-assemble in orbit. TechnologyReview.com article. Pull quote: “Following a successful launch, the tiles would be thrown into space in a balloon-like structure or net to stop them from drifting away. The net would keep the tiles, which have strong magnets in their edges, close enough for magnetic attraction. The hope is that the tiles would then snap together on their own into the correct configuration the first time. If they don’t, the team can pulse a current through the magnets to break apart the incorrectly configured tiles and try again. Following assembly, electrical and plumbing systems can be mounted by hand.”

Thursday, August 8, 2024

Short Takes – 8-8-24

CDC issues new guidelines for RSV vaccines, citing side-effect concerns. LiveScience.com article. Pull quote: “For a vaccine with no associated risk of [Guillain-Barré syndrome] GBS, you'd expect to see about 2 cases per 1 million doses administered, whereas the Pfizer vaccine was tied to about 5 cases per 1 million, Live Science previously reported.”

Massive Criminal Online Platform Disrupted. CourtWatch.news article. Pull quote: “The FBI was able to determine the IP addresses of the WWH Club site’s administrators after obtaining a search warrant for the US-based Cloud company Digital Ocean. From there, according to the complaint, computer scientists working for the FBI coded the WWH site’s data to give agents administrative privileges and the ability to see tens of thousands of emails, passwords, and activity registered to accounts. Agents noted that the administrative view of the website was in Russian, requiring them to use Google to translate much of the data.” What, the FBI does not have Russian speaking programmers?

Swiss cow and calf dead after ransomware attack on milking robot. CyberNews.com article. Pull quote: “Due to the inability to monitor pregnant animals, the farmer was unable to identify the emergency situation in time. One calf died in the womb. The farmer tried to save the cow, but, unfortunately, it was too late, and the cow had to be put down.”

Your AC habits aren’t unique. Here’s why that’s a problem. TechnologyReview.com article. Pull quote: “A growing number of technologies do just this [cooling systems that can act as their own batteries] - the goal is to charge up the systems using electricity during times when demand is low, or when renewables are readily available. Then they can provide cooling during these peak-demand hours without adding stress to the grid. Check out my full story for more on how they work, and how far along they are.”

WHO may declare new, deadlier mpox outbreak an international emergency. LiveScience.com article. Pull quote: “The ongoing outbreak in Africa features a new branch of the clade 1 family tree, dubbed clade 1b. Genetic analyses suggest that this new branch emerged in September 2023 in the DRC. The virus has been spreading through households and within sexual networks, and its fatality rate has been estimated between 3% and 6%, according to CIDRAP News, which is published by the University of Minnesota.”

Congress limps toward the end of a disappointing session, with just 78 laws to show. GovExec.com article. Pull quote: ““There’s enough work for individual senators to do seven days a week if you want to work,” Grassley said. “But you can’t solve this country’s problems until you get 100 people together, and they’ve got to be together for more than two-and-a-half days a week.””

Review - HR 8787 Introduced – Orbital Sustainability

Back in June, Rep Neguse (D,CO) introduced HR 8787, the Orbital Sustainability (ORBITS) Act of 2024. The bill would require the Department of Commerce to “publish a list of select identified orbital debris that may be remediated to improve the safety and sustainability of orbiting satellites and on-orbit activities.” It would also require NASA to “establish a demonstration project to make competitive awards for the research, development, and demonstration of technologies leading to the remediation of selected orbital debris”. The legislation would authorize $150 million per year through 2023 to carry out these activities.

Moving Forward

While Neguse is not a member of the House Science, Space, and Technology Committee to which this bill was assigned for consideration, one of his six cosponsors {Rep Caraveo (D,CO)} is a member. That means that there may be sufficient influence to see the bill considered in Committee. While the Committee is more likely to be willing to spend money on worthwhile projects, there will certainly be some in the Republican leadership that would object to spending an additional $150 million per year on space projects. I do not expect this bill to move forward in this session.

Commentary

This is another area of space operations where the United States is beginning to fall behind its foreign competitors. The Japanese equivalent of NASA is already funding a debris removal pilot program, and there is a demonstration flight in progress by the Japanese satellite technology company Astroscale.

 

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-8787-introduced - subscription required.

Editorial Note:

Sharp-eyed readers will have noticed that I have expanded this blog to include some coverage of ‘Space Geek’ issues in my ‘Short Takes’ posts. With this post, I suppose that I am extending that expansion to include some legislative analysis. I have long been something of a space geek myself, partly as a result of my Dad’s influence. When I was growing up, he was working at Lockheed Missile and Space in Sunnyvale, CA and he enjoyed talking about his work at the dinner table. I watched a lot of NASA TV during the building of the ISS and a lot of my early blogs on MySpace and AOL were about those Space Shuttle missions. Anyway, I will be looking at some space related legislation in this blog.

Short Takes – 8-8-24 – Federal Register Edition

1-Bromopropane (1-BP); Regulation Under the Toxic Substances Control Act (TSCA). Federal Register EPA notice of proposed rule. Summary: “EPA determined that 1-BP presents an unreasonable risk of injury to health due to the significant adverse health effects associated with exposure to 1-BP, including neurotoxicity, developmental toxicity from acute and chronic inhalation exposures and dermal exposures, and cancer from chronic inhalation exposures. TSCA requires that EPA address by rule any unreasonable risk of injury to health or the environment identified in a TSCA risk evaluation and apply requirements to the extent necessary so the chemical no longer presents unreasonable risk. To address the identified unreasonable risk, EPA is proposing requirements to, among other things, prevent consumer access to the chemical, restrict the industrial and commercial use of the chemical while also allowing for a reasonable transition period where an industrial and commercial use of the chemical is being prohibited, and protect workers from the unreasonable risk of 1-BP while on the job.”

Hazardous Materials: Notice of Public Meeting on the Transportation of Hazardous Materials by Unmanned Aircraft Systems. Federal Register PHMSA meeting notice. Summary: “On May 16, 2024, President Biden signed the Federal Aviation Administration (FAA) Reauthorization Act of 2024 into law. Section 933 of the FAA Reauthorization Act of 2024, titled “Special Authority for Transport of Hazardous Materials by Commercial Package Delivery Unmanned Aircraft Systems” directs the Secretary of Transportation to use a risk-based approach to establish the operational requirements, standards, or special permits necessary to approve or authorize an air carrier to transport hazardous materials by UAS providing common carriage under 14 Code of Federal Regulations (CFR) part 135, or under successor authorities, as applicable, based on the weight, amount, and type of hazardous material being transported and the characteristics of the operations subject to such requirements, standards, or special purposes (see § 933, subsection (a)). Section 933, subsection (e)(1) requires the Secretary to hold a public meeting within 180 days of the enactment of the FAA Reauthorization Act of 2024 to obtain input on the changes necessary to implement § 933.”

Review – 1 Advisory Published – 8-8-24

Today, CISA’s NCCIC-ICS published a control system security advisory for products from Dorsett Controls.

Advisories

Dorsett Advisory - This advisory describes three vulnerabilities in the Dorsett InfoScan HMI.

 

For more information on this advisory, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-published-8-8-24 - subscription required.

OMB Approves DOD/DARC Cybersecurity Assessment NPRM

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a notice of proposed rulemaking on “Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)”. The NPRM was sent to OIRA on May 15th, 2024. This rulemaking would amend an interim final rule that was published on September 29th, 2020.

According to the Spring 2024 Unified Agenda entry for this rulemaking:

“DoD is amending an interim rule to implement the CMMC framework 2.0 in order to protect against the theft of intellectual property and sensitive information from the Defense Industrial Base (DIB) sector. The CMMC framework, as defined in Title 32 of the Code of Federal Regulations (CFR), assesses compliance with applicable information security requirements. This rule provides the Department with assurances that a DIB contractor can adequately protect sensitive unclassified information at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.”

I am not likely to fully cover this rulemaking in this blog. I will, however, include a link to its publication in the appropriate ‘Short Takes’ post.

Wednesday, August 7, 2024

Review - S 4690 Introduced – FY 2025 ARD Spending

Last month, Sen Heinrich (D,NM) introduced S 4690, the Agriculture, Rural Development, Food and Drug Administration, and Related Agencies spending bill. The Senate Appropriations Committee published their Report for the legislation. The bill includes one cybersecurity mention, and the Report includes one cybersecurity discussion.

The House version of this bill is HR 9027. The House Appropriations Committee ordered the bill reported favorably, but no other action has been taken in the House.

Moving Forward

Because of constitutional issues, the Senate waits for the House to pass spending bills. When the bill is subsequently considered by the Senate, one of the first actions taken is the offering of an amendment in the form of a substitute which substitutes the language from the related Senate bill for the language of the House bill. From there, the Senate amends and votes on the revised Senate language.

Unfortunately, it looks like the House is not going to consider HR 9027 this year. That means that this bill is effectively dead on arrival through no fault or design of the Senate.

 

For more information on the cybersecurity provision in the bill and in the report, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-4690-introduced - subscription required.

Short Takes – 8-7-24 – Space Geek Edition

Commerce Department to Roll Out Traffic Coordination System for Space Phase 1.0 in September. ExecutiveGov.com article. Pull quote: “The National Oceanic and Atmospheric Administration’s Office of Space Commerce is developing TraCSS as a cloud-based information technology system that will provide space situational awareness and space traffic coordination support services for private and civil space operators.”

SpaceX warns of ‘sonic booms’ ahead of fifth Starship test flight at Boca Chica. ValleyCentral.com article. Pull quote: “The space company stated the booster will slow down from supersonic speeds, resulting in audible sonic booms in the area around the return location. The booms are expected to be heard between seven and nine minutes after the launch.”

Benchmark adds Starlight thruster to partner network. SpaceNews.com article. Pull quote: “Under the agreement announced at the Small Satellite Conference here, Benchmark will offer hybrid propulsion systems that pair Starlight Crucible Hall-effect thrusters with Benchmark non-toxic chemical thrusters. The hybrid propulsion system is designed for high-endurance or high-specific-impulse missions and spacecraft with a mass of 1,000 kilograms or less.”

NASA chief will make the final decision on how Starliner crew flies home. ArsTechnica.com article. Pull quote: “Well-placed sources said the current flight software on board Starliner, as configured, cannot perform an automated undocking from the space station and entry into Earth’s atmosphere. It will take about four weeks to update and validate the software for an autonomous return, should NASA decide it would be safer to bring Wilmore and Williams back to Earth inside a Crew Dragon spacecraft.”

World's First True Spaceliner Inching Closer to Launch, ISS Is Its First Target. AutoEvolution.com article. Pull quote: “The thing is 30-foot (nine-meter) long and 15-foot (4.5-meter) wide and it will be capable of carrying up to 11,500 pounds (5,200 kg) of cargo. Cargo won't be carried in a single space, but divided between the spaceplane's own payload bays and an attached cargo module the company is calling the Shooting Star.”

Review - HR 9027 Introduced – FY 2025 ARD Spending

Last month, Rep Harris (R,MD) introduced HR 9027, the Agriculture, Rural Development, Food and Drug Administration, and Related Agencies Appropriations Act, 2025. The House Appropriations Committee published their Report on the bill. The bill contains one cybersecurity related provision. The Report contains two cybersecurity related discussions. There are no chemical safety issues mentioned in either document.

Moving Forward

The Republican leadership failed to bring this bill to the floor before their early departure on the Summer Recess. There was never much chance that this bill would pass in the House because of its extremely partisan nature (see pages 234-6 of the Report for the Democrats’ concerns about the bill). The only question would be how many Nay votes would be cast by Republican moderates.

 

For more details about the cybersecurity provisions in the bill and discussions in the Report, and a longer ‘Moving Forward’ commentary, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-9027-introduced - subscription required.

Tuesday, August 6, 2024

Short Takes – 8-6-24

Drinking Too Much Water Can Actually Be Dangerous. WSJ.com article (free). Pull quote: “Drinking too much water essentially makes it difficult for the body to keep up healthy levels of sodium, an electrolyte that helps balance the fluid in cells. A person’s kidneys can typically manage about one liter of water per hour, said Thunder Jalili, a professor of nutrition and integrative physiology at the University of Utah.”

Alarmism about Terrorism Is Risky and Unjustified. HomelandSecurityNewswire.com article. Pull quote: “Unfortunately, government security analysts see no downside in making wrong predictions. Congress doesn’t rake you over the coals if you predicted something that didn’t happen, only if you fail to predict something that did. In the intelligence community, it is considered a failure if something bad happens and you miss the call. But if you make a call and nothing happens, then the mistake will be forgotten. But as every warning analyst knows, “crying wolf” too often reduces trust in predictions—and that makes sense.”

NASA Adjusts Crew-9 Launch Date for Operational Flexibility. Blogs.NASA.gov article. Pull quote: “This adjustment [no earlier than September 24th, 2024] allows more time for mission managers to finalize return planning for the agency’s Boeing Crew Flight Test currently docked to the orbiting laboratory. Starliner ground teams are taking their time to analyze the results of recent docked hot-fire testing, finalize flight rationale for the spacecraft’s integrated propulsion system, and confirm system reliability ahead of Starliner’s return to Earth. NASA and Boeing continue to evaluate the spacecraft’s readiness, and no decisions have been made regarding Starliner’s return.”

CISA Releases Secure by Demand Guidance. CISA.gov news release. Pull quote: “This guide [link added] provides organizations with questions to ask when buying software, considerations to integrate product security into various stages of the procurement lifecycle, and resources to assess product security maturity in line with secure by design principles.”

These Pathogens Could Spark the Next Pandemic, Scientists Warn. ScientificAmerican.com article. Pull quote: “Forrester-Soto says that the list of pathogens is reasonable given what researchers know about the viruses. But “some pathogens from the list may never cause an epidemic, and one we have not thought of may be important in the future,” she says. “We have almost never predicted the next pathogen to emerge”.”

Review - Siemens Published Out-of-Zone Security Advisory – 8-6-24

Today, Siemens published an out-of-zone control system security advisory for multiple vulnerabilities in Omnivise T3000.

Omnivise Advisory - This advisory describes four vulnerabilities in the Siemens Omnivise T3000.

 

For more information on this advisory, including a commentary on its out-of-zone nature, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/siemens-published-out-of-zone-security - subscription required.

Review - 1 Advisory Published – 8-6-24

Today, CISA’s NCCIC-ICS published a control system security advisory for products from Delta.

Advisories

Delta Advisory - This advisory describes a stack-based buffer overflow vulnerability in the Delta DIAScreen visualization software.

 

For more information on this advisory, including a DTRH look at the underlying Zero Day Initiative reporting (not yet available), see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-published-8-6-24 - subscription required.

Short Takes – 8-6-24 – Space Geek Edition

Freighter bound for the ISS suffers engine abort. TheRegister.com article. Pull quote: “The freighter is carrying some extras for the Starliner crew, currently having an extended stay on board the ISS while engineers continue to evaluate the performance of Boeing's spacecraft. This includes clothing removed from the Starliner in favor of ISS spare parts.”

Station Awaits Cygnus Cargo Delivery During Science, Hardware Duties. Blogs.NASA.gov post. Some glitches are easier to fix than others. Pull quote: “Shortly after launch on Sunday, the spacecraft performed as designed by cancelling a scheduled engine burn due to a slightly low initial pressure reading flagged by the Cygnus onboard detection system. Engineers at Northrop Grumman’s mission control center in Dulles, Virginia evaluated the pressure reading, confirmed it was acceptable and re-worked the burn plan to arrive at the space station on the originally planned schedule.”

A big asteroid is coming close to Earth. Be excited, not afraid. WashingtonPost.com article. Space missions in search of funding. Pull quote: ““Apophis is an opportunity to practice what kinds of characterization efforts could be done to better understand a particular object. Lessons from that can be applied in the future when we find an asteroid coming our way,” said Terik Daly, a planetary scientist on the DART and OSIRIS-APEX missions.”

Pentagon advisory panel urges integration of commercial space tech for military use. SpaceNews.com article. Pull quote: “The study, conducted by the Defense Science Board (DSB), a committee of civilian experts that advises senior Defense Department leadership, recommends a comprehensive approach to integrating commercial space capabilities into national security architectures. The report was commissioned in November 2022 by Undersecretary of Defense for Research and Engineering Heidi Shyu and publicly released last month.”

Review – S 4515 Introduced – Combating Foreign Terrorist Drones

Back in June, Sen Romney (R,UT) introduced S 4515, the Combating Foreign Terrorist Drones Act of 2024. The bill would require DOD to provide to Congress an “intelligence assessment of foreign terrorist organization acquisition of unmanned aerial systems.” No new funding is authorized by this legislation.

Moving Forward

While Romney is not a member of the Senate Armed Forces Committee to which this bill was assigned for consideration, his sole cosponsor {Sen Rosen (D,NV)} is a member. This means that there may be sufficient influence to see the bill considered in the Committee. I suspect that there will be substantial bipartisan support for the bill. Unfortunately, this bill is not politically important enough to be considered by the full Senate. This bill, however, would be well suited for consideration as an amendment to the National Defense Authorization Act which the Senate should take up in September.

Commentary

This bill is primarily aimed at drones that would be likely to be encountered by DOD personnel overseas. Part of the reason for that is the political restrictions on DOD operations in CONUS. In many ways this makes the assessment much more difficult because of the lack of authority (even to gather information) the Federal government has over overseas vendors and manufacturers of drones. While this bill cannot target terrorist drone attacks in this country, the efforts by DOD (and the intelligence community) to prevent foreign terrorists from using UAS on troops stationed overseas will have a potential beneficial effect on countering drone attacks here.

 

For more details about the provisions of this bill, including suggested added language to include UAS control system intelligence in the assessment report, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-4515-introduced - subscription required.

Monday, August 5, 2024

Short Takes – 8-5-24

Request for Information on Collaboration and Data Sharing for Railroad Operations Analysis. Federal Register FRA request for information. Summary: “FRA seeks to ensure that the creative and problem-solving process at the core of OA is as effective and collaborative as possible. As such, with the questions below, FRA is requesting public comment to gain a better understanding of the potential challenges involved in the development of OA and the review of OA results to assess what improvements can be made for Federally funded railroad projects.” Question list here.

Axiom Mission 4 to ISS will include India, Poland, Hungary. AxiomSpace.com press release. Pull quote: ““Ax-4 represents Axiom Space’s continued efforts to build opportunity for countries to research, innovate, test, and engage with people around the world while in low-Earth orbit,” said Michael Suffredini, CEO of Axiom Space. “This mission broadens horizons for nations with ambitious goals of advancing scientific, technological, and economic pursuits. Our collaboration with ESA for a second time and the inclusion of Hungary and India underscores Axiom Space’s ability to cultivate global partners, expand the scope of exploration, and open up new avenues to grow a global space economy.””

Tech contractor exposes data of 4.6 million US voters. CSOOnline.com article. Pull quote: ““The databases were publicly accessible for an unknown duration, raising concerns about potential unauthorized access,” Fowler said. “Only an internal forensic audit can determine if there was any suspicious activity.”” QUESTION: Is it unauthorized access if you access an unprotected database?

Hurricane Debby makes landfall along Florida coast. AOL.com article. Live updates. Pull quote: “Now, less than a year later, Hurricane Debby came ashore near Steinhatchee, about 10 [miles] southeast of Keaton Beach. While it’s a less powerful storm, Debby was capable of unleashing life-threatening storm surge across much of the same region that was walloped by Idalia.”

Bird Flu Cases in People Are Being Undercounted. ScientificAmerican.com article. Pull quote: “Gray’s team detected signs of prior bird flu infections in workers from two dairy farms that had outbreaks in Texas earlier this year. They analyzed blood samples from 14 farmworkers who had not been tested for the virus and found antibodies against it in two. This is a nearly 15% hit rate from only two dairy farms out of more than 170 with bird flu outbreaks in 13 states this year.”

Is the Paris Olympics’ Swimming Pool ‘Slow’? Let’s Dive into the Math. ScientificAmerican.com article. Pull quote: “What is surprising, however, is the depth of this year’s pool, which is unusually shallow at 2.15 meters. There is no standardized regulation as to what dimensions an Olympic pool should have. Until a few years ago, it had to be at least two meters deep, but now the minimum depth is 2.5 meters. A depth of three meters, however, is recommended. When construction of the Olympic pool started in 2017, the two-meter rule still applied. The pool in Nanterre is therefore permitted despite its comparatively shallow depth. And this, many are convinced, means that it is “slow.””

DART Forward: Five Papers Shed New Light on Asteroids From World’s First Planetary Defense Test. D.NewsWise.com article. Pull quote: “In recently published papers in Nature Communications, the team explored the geology of the asteroid system encountered in 2022 to characterize its origin and evolution, and constrain its physical characteristics. Researchers from the Johns Hopkins Applied Physics Laboratory (APL) in Laurel, Maryland, with team members from several international partner institutions led five papers that provided a detailed overview and interpretation of the geological findings.”

How the rising earth in Antarctica will impact future sea level rise. D.NewsWise.com article. Pull quote: “Surprisingly, according to some of the team’s GPS observations processed by researchers at Ohio State, Wilson said, the Antarctic Ice Sheet is currently experiencing a solid earth uplift of about 5 centimeters per year, about 5 times the rate that North America experiences.”

Short Takes – 8-5-24 – Space Geek Edition

NASA’s science mission spacecraft are at risk from hackers, but a new law could help protect them. TheConversation.com article. Pull quote: “One significant challenge is the burden on smaller operators and contractors. The legislation must provide support and guidance to help these companies comply with cybersecurity requirements without stifling innovation. This support could include financial incentives, technical assistance, and a phased implementation approach to allow smaller companies time to adapt to new standards.”

Allocation of Spectrum for Non-Federal Space Launch Operations; Federal Earth Stations Communicating With Non-Federal Fixed Satellite Service Space Stations; and Federal Space Station Use of the 399.9-400.05 MHz Band. Federal Register FCC final rule. Summary: “In this document, the Federal Communications Commission (Commission) adopts a new secondary allocation in the 2025-2110 MHz band for non-Federal space operations, removes the restriction on use of the 2200-2290 MHz secondary non-Federal space operation allocation to four specific sub-channels to make the entire 2200-2290 MHz band available, adds a non-Federal secondary mobile allocation to the 2200-2290 MHz band, and adopts licensing and technical rules for space launch operations. Additionally, the Commission amends the allocation for the 399.9-400.05 MHz band to permit the deployment of Federal space stations.”

SDA is set to award satellite servicing contracts. SpaceNews.com article. Pull quote: ““That’s what we’re prepared to spend,” Tournear said. “As the technology matures, we’ll increase the capability and keep the price constant over time. What that means is any dollar that I don’t have to spend to over-engineer or provide redundancy on my propulsion and deorbit systems is funding that can be put back into the capabilities of the payload. That’s the cost trade that we’re looking at.””

Space: Russia Makes War In Orbital Space. StrategyPage.com article. Click-bait headline, actually about competing GPS systems. Pull quote: “Use of multiple global positioning satellite systems can also increase the accuracy and reliability of the signals, as well as provide redundancy and interoperability in case of failures or attacks. Having too many systems can also pose challenges, such as spectrum congestion, signal interference, and coordination difficulties. Moreover, some countries may use their systems for strategic or political purposes, such as denying access to rivals or asserting territorial claims. Therefore, it is important to establish international norms and regulations for the peaceful and responsible use of global positioning satellite systems.”

Scientists pin down the origins of the moon's tenuous atmosphere. ScienceDaily.com article. Pull quote: “"With impact vaporization, most of the atoms would stay in the lunar atmosphere, whereas with ion sputtering, a lot of atoms would be ejected into space," Nie says. "From our study, we now can quantify the role of both processes, to say that the relative contribution of impact vaporization versus ion sputtering is about 70:30 or larger." In other words, 70 percent or more of the moon's atmosphere is a product of meteorite impacts, whereas the remaining 30 percent is a consequence of the solar wind.”

Review - S 4678 Introduced – FY 2025 Legislative Spending

Last month, Sen Reed (D,RI) introduced S 4678, the FY 2025 Agriculture, Rural Development, Food and Drug Administration, and Related Agencies bill. The Senate Appropriations Committee published their report on the bill. The bill contains no mention of cybersecurity or chemical safety issues. The Report includes multiple cybersecurity discussions.

Moving Forward

The House version of this spending bill, HR 8772 [removed from paywall], was rejected by the House on a ‘bipartisan’ vote of 205 to 213 (ten Republicans voted Nay, three Democrats voted Yea, so the vote was somewhat bipartisan). Technically, this means that the Senate cannot take up this bill, because all spending bills must originate in the House. That makes consideration of this bill low priority in the Senate.

 

For more details about the cybersecurity provisions within the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-4678-introduced - subscription required.

Saturday, August 3, 2024

Chemical Incident Reporting – Week of 7-27-24

NOTE: See here for series background.

Baker, CA  7-26-24

Local news reports: Here, here and here.

A tractor-trailer accident caused the lithium batteries being transported to catch fire. Interstate 15 was shut down for two days. No injuries reported, no damage estimates provided. Pull quote on the problem:

“The primary concern is the air quality due to the hazardous materials and chemicals involved,” officials said. “These chemicals pose significant health risks at elevated levels, with hydrogen cyanide and chlorine being particularly dangerous even at low concentrations. We apologize for this inconvenience, but everything that is being done is in the interest of public safety,” the San Bernardino County Fire Department said. “Due to the location of this incident, alternate routes are slim to none.”

Not CSB reportable, transportation related incident.

Review – Public ICS Disclosures – Week of 8-27-24

This week we have six vendor disclosures for the regreSSHion vulnerability from Cisco, Eaton, Helmholtz, HPE, Moxa, and Red Lion. We have nine additional vendor disclosures from ABB, Broadcom (4), HP, HPE (2), and Western Digital. There are also four vendor updates from Broadcom, Cisco, Hitachi Energy, and HPE. We also have two researcher reports for products from FortiGuard and Pioneer. Finally, we have an exploit for products from mySCADA.

RegreSSHion Advisories

Cisco published an update for their regreSSHion advisory that was originally published on July 2nd, 2024 and most recently updated on July 26th, 2024.

Eaton published an advisory that announces that Eaton is investigating the vulnerability, but notes that for most Eaton products, the SSH service is disabled by default.

Helmholtz – CERT-VDE published an advisory that provides a list of affected products and fixed versions.

HPE published an update for their regreSSHion advisory that was originally published on July 10th, 2024.

Moxa published an advisory that provides a list of affected and fixed products.

Red Lion Europe – CERT-VDE published an advisory that provides a list of affected products and fixed versions.

Advisories

ABB Advisory - ABB published an advisory that discusses an insufficiently protected credentials vulnerability in their Automation Builder product.

Broadcom Advisory #1 - Broadcom published an advisory that discusses five vulnerabilities (3 with exploits available) in their Brocade Fabric OS.

Broadcom Advisory #2 - Broadcom published an advisory that discusses nine vulnerabilities (2 with exploit code available) in multiple Broadcom products.

Broadcom Advisory #3 - Broadcom published an advisory that describes a command injection vulnerability in their Brocade 6547 (FC5022) embedded switches.

Broadcom Advisory #4 - Broadcom published an advisory that describes a plain-text storage of passwords vulnerability in their Brocade FabricOS.

HMS Advisory - HMS published an advisory that describes six vulnerabilities in their Cosy+ product line.

HP Advisory - HP published an advisory that discusses 214 vulnerabilities in their ThinPro products.

HPE Advisory #1 - HPE published an advisory that discusses 16 vulnerabilities (5 with publicly available exploits) in their Fiber Channel and SAN Switches.

HPE Advisory #2 - HPE published an advisory that discusses four vulnerabilities (one with publicly available exploits) in their Aruba ClearPass Policy Manager product.

Western Digital Advisory - Western Digital published an advisory that describes a code injection vulnerability in their Discovery Desktop App.

Updates

Broadcom Update - Broadcom published an update for their Azul Zulu advisory that was originally published on July 26th, 2024.

Cisco Update - Cisco published an update for their RADIUS Protocol Spoofing advisory that was originally published on July 10th, 2024 and most recently updated on July 29th, 2024.

Hitachi Energy Update - Hitachi Energy published an update for their IED ConnPacks advisory that was originally published on November 15th, 2022 and most recently updated on June 25th, 2024.

HPE Update - HPE published an update for their Telecommunication Management Information Platform advisory that was originally published on December 12th, 2024.

Researcher Reports

FortiGuard Report - IOActive published a report describing a cross-site scripting vulnerability in the FortiGuard SSL VPN web UI.

Pioneer Report - ZDI published three reports of individual vulnerabilities in the Pioneer DMH-WT7600NEX automotive media center.

Exploits

MySCADA Exploit - Michael Heinzl published a Metasploit module for an OS command injection vulnerability in the mySCADA MyPro product.

 

For more details about these disclosures, including links to 3rd party vendors, see my article at CFSN Detailed analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-8-dae - subscription required.

Friday, August 2, 2024

Short Takes – 8-2-24

Scientists uncover microbes that destroy 'forever chemical' pollutants. LiveScience.com article. Pull quote: “The microbes highlighted in the new study break down carbon-fluorine bonds in some unsaturated PFAS. This process, known as defluorination, is driven by enzymes that split the chemical bonds, thus releasing fluoride atoms. These atoms would usually kill bacteria. But the researchers found that the Acetobacterium species have specialized channels that pump fluoride out of their cells and into the environment, enabling the bacteria to survive.”

A moon of Uranus could have a hidden ocean, James Webb Space Telescope finds. LiveScience.com article. Pull quote: “Comparing this to simulated spectra from a chemical mix in the lab here on Earth revealed to the team that Ariel has some of the most carbon dioxide-rich deposits in the solar system. Not only did this add an extra 10 millimeters (0.4 inches) of thickness to the ice on the side of the tidally locked Ariel that permanently faces away from Uranus, but it also revealed clear deposits of carbon monoxide for the first time.”

Space propulsion-as-a-service gets a Boost! ESA.int article. Pull quote: ““We are very impressed with what is being developed by the three partners that make up Omega, with their fresh take on the space propulsion business,” says ESA’s Jorgen Bru. “The service-based model that Omega is advancing foresees a future where satellite integrators can focus on their core business and Omega takes care of everything related to propulsion and transportation.””

NASA says it is “evaluating all options” for the safe return of Starliner crew. ArsTechnica.com article. Pull quote: “So what will the space agency do? Starliner probably could make it back to Earth safely. But there appears to be some reasonable doubt that Starliner will come back safely. If NASA defers to its fallback plan, flying on Dragon, it may spell the end of the Starliner program. During the development and testing of Starliner, the company has already lost $1.6 billion. Reflying a crew test flight mission, which likely would be necessary should Starliner return autonomously, would cost much more. Boeing might opt to cancel Starliner and leave NASA with just a single provider of crew transportation. That would be painful for both NASA and Boeing.”

Notice of Rail Energy Transportation Advisory Committee Vacancies. Federal Register STB RETAC vacancies notice. Pull quote: “The Surface Transportation Board (Board) hereby gives notice of five vacancies on its Rail Energy Transportation Advisory Committee (RETAC) for three representatives from electric utilities; one representative from biofuel feedstock growers or providers and biofuel refiners, processors, and distributors; and one representative from the petroleum shipping industry. The Board is soliciting nominations from the public for candidates to fill these vacancies.”

Bills Introduced – 8-1-24

Yesterday, with just the Senate in Washington, there were 86 bills introduced. Four of those bills will receive additional coverage in this blog:

S 4921 A bill making appropriations for the Department of Defense for the fiscal year ending September 30, 2025, and for other purposes. Tester, Jon [Sen.-D-MT]

S 4927 A bill making appropriations for energy and water development and related agencies for the fiscal year ending September 30, 2025, and for other purposes. Murray, Patty [Sen.-D-WA]

S 4928 A bill making appropriations for financial services and general government for the fiscal year ending September 30, 2025, and for other purposes. Van Hollen, Chris [Sen.-D-MD] 

S 4942 A bill making appropriations for the Departments of Labor, Health and Human Services, and Education, and related agencies for the fiscal year ending September 30, 2025, and for other purposes. Baldwin, Tammy [Sen.-D-WI]

Mention in Passing

There is one additional bill that I would like to mention in passing:

SJ Res 107 A joint resolution to authorize the use of military force against the Islamic Republic of Iran if the President determines that the Islamic Republic of Iran is planning or conducts an attack against any former, current, or incoming United States Government official or senior military personnel. Graham, Lindsey [Sen.-R-SC]

As with yesterday’s use-of-force resolution, also from Graham, this looks like another what-would-donald-do bit of campaign literature.
