Saturday, September 7, 2024

Short Takes – 9-7-24

Boeing's Starliner capsule just landed with no crew aboard. What's next for this astronaut taxi? Space.com article. Pull quote: “"What we need to do now is go take a thruster at White Sands [Test Facility in New Mexico] and make sure we understand the exact pulse sequences that cause the heating," Stich said. "And then, at the same time, in parallel, look at software changes to reduce the number of demands on the thrusters."”

After another Boeing letdown, NASA isn’t ready to buy more Starliner missions. ArsTechnica.com article. Pull quote: “No one knows how long that will take, and NASA hasn't decided if it will require Boeing to launch another test flight before formally certifying Starliner for operational missions. If Starliner performs flawlessly after undocking and successfully lands this weekend, perhaps NASA engineers can convince themselves Starliner is good to go for crew rotation flights once Boeing resolves the thruster problems and helium leaks.”

Person in Missouri caught H5 bird flu without animal contact. ArsTechnica.com article. Pull quote: “"I am encouraged that this case was detected through existing surveillance systems, which bodes well for our ability to identify any additional cases in the future," she added. "Federal, state, and local health officials maintained flu surveillance through the summer months in response to the H5 situation, and that was definitely the right move."”

Gateway’s Propulsion System Testing Throttles Up. NASA.gov article. Pull quote: “The Power and Propulsion Element (PPE), being manufactured by Maxar Technologies, provides Gateway with power, high-rate communications, and propulsion for maneuvers around the Moon and to transit between different orbits. The PPE will be combined with the Habitation and Logistic Outpost (HALO) before the integrated spacecraft’s launch. Together, these elements will serve as the hub for early Gateway crewed operations and various science and technology demonstrations as the full Gateway station is assembled around it in the coming years.”

Super-fast setting sticky polymers can suture tricky internal wounds. ChemistryWorld.com article. Pull quote: “The researchers tested this material as a tissue adhesive. The current medical adhesive of choice is usually cyanoacrylate, better known as superglue, but this is unsuitable for closing internal surgical cuts as it is slightly cytotoxic, brittle and slow to decompose. The researchers tested their material for preventing rupture of the amniotic sac of mice when punctured, as is sometimes required for repairing foetal abnormalities. The researchers found that, when they punctured amniotic sacs through patches in their polymer, the patches self-healed around the puncture site and all the foetuses survived to term. Foetuses whose sacs were simply punctured all died. ‘We are actively pursuing other uses for this polymer as a surgical adhesive in my academic lab and in a startup company we have formed to move this towards commercial use,’ says Messersmith.”

OMB Approves CG Final Rule on 2nd Delay of TWIC Reader Implementation

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved the Coast Guard’s final rule on “TWIC--Reader Requirements; Second Delay of Effective Date”. The rule was sent to OIRA on July 10th, 2024. The notice of proposed rulemaking for this action was published on December 6th, 2022. 

According to the Spring 2024 Unified Agenda entry for this rulemaking:

“On August 23, 2016, the Coast Guard issued a final rule, requiring owners and operators of certain vessels and facilities regulated by the Coast Guard to conduct electronic inspections of Transportation Worker Identification Credentials (TWICs) as an access control measure (81 FR 57652).  On August 2, 2018, the TWIC Credential Accountability Act of 2018 was enacted.  It prohibited implementation of the 2016 rule until after the Coast Guard submitted a report reviewing the security value of the TWIC program.  On March 9, 2020, the Coast Guard published its first TWIC delay rule (85 FR 13493).  On December 6, 2022, the Coast Guard proposed to further delay portions of the 2016 final rule for three categories of facilities until May 8, 2026, or later depending on the outcome of the Homeland Security Operational Analysis Center (HSOAC) study and consideration of public comments.  On December 23, 2022, Congress enacted the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023, which directs the Secretary not to implement the 2016 final rule for covered facilities before May 8, 2026.  On April 17, 2023, the Coast Guard published a conforming amendment rule that removed from the CFR earlier implementation dates for facilities covered by this legislation (88 FR 23349).  The Coast Guard plans to issue a final rule to respond to comments from the NPRM and address whether the implementation date should be set beyond May 8, 2026.”

Congressional Reports – Week of 8-31-24 – DOD Counter UAS & NDAA

This week the Congressional Research Service (CRS) published a report on “FY2025 NDAA: Countering Uncrewed Aircraft Systems”. The report provides a brief overview of provisions in the House and Senate versions of the National Defense Authorization Act (NDAA) for FY 2025 and their related Committee Report requirements. With some very specific exceptions, DOD’s counter UAS (cUAS) authority is mainly restricted to combat zones outside of the United States.

Chemical Incident Reporting – Week of 8-31-24

NOTE: See here for series background.

Pittsburg, CA – 9-2-24

Local News Reports: Here, here, and here.

A small apparent chlorine leak from a railcar resulted in a local advisory. No injuries or damage reported.

Not a CSB reportable incident.

Laguna Beach – 9-2-24

Local News Reports: Here.

Oil spill from a trash truck engine caused closure of a city road for a couple of hours to allow for cleanup. No injuries or damage were reported.

Not a CSB reportable incident.

Sutter County, CA – 9-2-24

Local News Reports: Here, here, and here.

Two railcars containing consumer items that included lithium-ion batteries caught fire. No injuries were reported. Two intermodal containers were destroyed.

Not CSB reportable – transportation incident.

Akron, OH – 9-5-24

Local News Reports: Here, here, here, and here.

A fire at a local chemical manufacturing plant which involved methanol, xylene, and propane resulted in at least one explosion, a collapsed building, and one firefighter admitted to the hospital.

CSB Reportable.

Bills Introduced – 9-6-24

Yesterday, with the House meeting in pro forma session, there were 43 bills introduced. Five of those bills may receive additional attention in this blog:

HR 9458 To amend the Homeland Security Act of 2002 to enhance outreach for the Urban Area Security Initiative and the State Homeland Security Grant Program of the Department of Homeland Security, and for other purposes. Goldman, Daniel S. [Rep.-D-NY-10]

HR 9459 To amend the Homeland Security Act of 2002 to enable secure and trustworthy technology through other transaction contracting authority, and for other purposes. Guest, Michael [Rep.-R-MS-3] 

HR 9466 To direct the National Institute of Standards and Technology to catalog and evaluate emerging practices and norms for communicating certain characteristics of artificial intelligence systems, including relating to transparency, robustness, resilience, security, safety, and usability, and for other purposes. Baird, James R. [Rep.-R-IN-4] 

HR 9468 Making supplemental appropriations for the fiscal year ending September 30, 2024, and for other purposes. Garcia, Mike [Rep.-R-CA-27]

HR 9469 To amend the Homeland Security Act of 2002 to codify the Transportation Security Administration's responsibility relating to securing pipeline transportation and pipeline facilities against cybersecurity threats, acts of terrorism, and other nefarious acts that jeopardize the physical security or cybersecurity of pipelines, and for other purposes. Garcia, Robert [Rep.-D-CA-42]

I will be covering HR 9458, HR 9459, HR 9468, and HR 9469.

I will be watching HR 9466 for language and definitions that would specifically include AI applications designed to be used with operational technology systems.

Review – Public ICS Disclosure – 8-31-24 – Part 1

This week we have 29 vendor disclosures from Carrier, Dassault Systèmes (4), Eaton, HPE (2), Lenze, Moxa, Palo Alto Networks, QNAP (12), SEL (2), VMware, and Zyxel (2).

Advisories

Carrier Advisory - Carrier published an advisory that describes an unspecified ‘supply chain’ attack in their LenelS2 products.

Dassault Systèmes Advisory #1 - Dassault Systèmes published an advisory that describes a cross-site scripting vulnerability in their 3DExperience product.

Dassault Systèmes Advisory #2 - Dassault Systèmes published an advisory that describes a cross-site scripting vulnerability in their 3DExperience product.

Dassault Systèmes Advisory #3 - Dassault Systèmes published an advisory that describes a cross-site scripting vulnerability in their 3DExperience product.

Dassault Systèmes Advisory #4 - Dassault Systèmes published an advisory that describes a cross-site scripting vulnerability in their 3DExperience product.

Eaton Advisory - Eaton published an advisory that discusses the regreSSHion vulnerability.

HPE Advisory #1 - HPE published an advisory that discusses ten vulnerabilities (five with publicly available exploits) in their UX Secure Shell product.

HPE Advisory #2 - HPE published an advisory that discusses nine vulnerabilities (four with publicly available exploits) in their Unified OSS Console Assurance Monitoring (UOCAM) product.

Lenze Advisory - CERT-VDE published an advisory that discusses an incorrect default permissions vulnerability (with a publicly available exploit) in the Lenze VisiWin 7 Install Directory application.

Moxa Advisory - Moxa published an advisory that discusses four vulnerabilities (three with publicly available exploits) in their OnCell 3120-LTE-1 Series products.

QNAP Advisory #1 - QNAP published an advisory that describes a cross-site scripting vulnerability in their Download Station product.

QNAP Advisory #2 - QNAP published an advisory that describes an improper certificate validation vulnerability in their QuMagie product.

QNAP Advisory #3 - QNAP published an advisory that describes three vulnerabilities in their QTS and QuTS hero products.

QNAP Advisory #4 - QNAP published an advisory that describes two OS command injection vulnerabilities in their QTS and QuTS hero products.

QNAP Advisory #5 - QNAP published an advisory that describes a cross-site scripting vulnerability in their QuLog Center product.

QNAP Advisory #6 - QNAP published an advisory that describes a cross-site scripting vulnerability in their Helpdesk product.

QNAP Advisory #7 - QNAP published an advisory that describes two vulnerabilities in their QTS and QuTS hero products.

QNAP Advisory #8 - QNAP published an advisory that discusses an out-of-bounds write vulnerability in their QTS and QuTS hero products.

QNAP Advisory #9 - QNAP published an advisory that describes an OS command injection vulnerability in legacy versions of their QTS product.

QNAP Advisory #10 - QNAP published an advisory that describes two vulnerabilities in their Video Station product.

QNAP Advisory #11 - QNAP published an advisory that describes an unquoted search path vulnerability in their QVR Smart Client product.

QNAP Advisory #12 - QNAP published an advisory that describes two cross-site scripting vulnerabilities in their Notes Station 3 product.

SEL Advisory #1 - SEL published a new version announcement that reported three cybersecurity enhancements in their SEL-5037 SEL Grid Configurator.

SEL Advisory #2 - SEL published a new version announcement that reported two cybersecurity enhancements in their SEL-5030 acSELerator QuickSet Software.

VMware Advisory - Broadcom published an advisory that describes an improper input validation vulnerability in the VMware Fusion product.

Zyxel Advisory #1 - Zyxel published an advisory that describes seven vulnerabilities in their firewall products.

Zyxel Advisory #2 - Zyxel published an advisory that describes an OS command injection vulnerability in their APs and security router devices.


For more information about these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/publish/posts/detail/148616972/share-center - subscription required.

Friday, September 6, 2024

Short Takes – 9-6-24

Summer-like heat is scorching the Southern Hemisphere — in winter. ScienceNews.org article. Pull quote: “These are some of the most extreme numbers in a month of extremes for the land down under, which has sweltered under a prolonged winter heat wave that threatens to break the country’s record for average winter temperatures — a record set just last year. In 2023, Australia’s average winter temperature was 1.53 degrees C above the long-term average of 14.96° C from 1961 to 1990, and the highest since recordkeeping began in 1910.”

Tiny asteroid on path to hit Earth burned up in atmosphere. TheHill.com article. Pull quote: “The small asteroid was only the ninth to be spotted before impact. It was found through a NASA-funded observatory near Tucson, Ariz., that tracks and catalogs near-Earth objects.”

The Emergency Alert System and Wireless Emergency Alerts. Federal Register FCC final rule. Summary: “In this document, the Federal Communications Commission (FCC or Commission) amends its regulations governing the Emergency Alert System (EAS) and Wireless Emergency Alerts (WEA) to add a new event code, MEP, to allow alert originators to issue an alert to the public about missing and endangered persons (MEP) whose circumstances do not meet the criteria of “America's Missing: Broadcast Emergency Response” (AMBER) alerts.” Effective Date: September 8th, 2024.

Commerce Control List Additions and Revisions; Implementation of Controls on Advanced Technologies Consistent With Controls Implemented by International Partners. Federal Register BIS interim final rule (IFR). Summary: “The Bureau of Industry and Security (BIS) is implementing export controls on several semiconductor, quantum, and additive manufacturing items for national security and foreign policy reasons. This rule adds new Export Control Classification Numbers (ECCNs) to the Commerce Control List, revises existing ECCNs, adds a new license exception to authorize exports and reexports to and by countries that have implemented equivalent technical controls for these newly added items, and adds two new worldwide license requirements to the national security and regional stability controls in the Export Administration Regulations (EAR). These controls are the product of extensive discussions with international partners.” Comments due November 5th, 2024.

House GOP unveils stopgap plan to avert government shutdown. TheHill.com article. Pull quote: “But critics of the idea, including those in GOP circles, have downplayed the impact such a strategy will have on funding talks. They also acknowledge the Democratic-controlled Senate is certain to reject the measure in its current form, due both to the timing and the addition of the SAVE Act.”

Transportation Chemical Incidents – Week of 8-3-24

Reporting Background

See this post for explanation, with the most recent update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

Incidents Summary

• Number of incidents – 642 (540 highway, 98 air, 4 rail, 0 water)

• Serious incidents – 4 (3 Bulk release, 2 evacuation, 2 injury, 0 death, 0 major artery closed, 3 fire/explosion, 25 no release)

• Largest container involved – 30,420-gal DOT 117J100W Railcar {Alcohols, N.O.S.} Bottom overflow valve leaking.

• Largest amount spilled – 1,700-gal IBC {Corrosive Liquid, Acidic, Organic, N.O.S.} IBCs damaged in roll-over truck accident.

NOTE: Links above are to Form 5800.1 for the described incidents.

Most Interesting Chemical: Trichloro-S-Triazinetrione - A white slightly hygroscopic crystalline powder or lump solid with a mild chlorine-like odor. Said to have 85 percent available chlorine. Decomposes at 225°C. Moderately toxic by ingestion. May irritate skin and eyes. Active ingredient in household dry bleaches. Used in swimming pools as a disinfectant. May react with water releasing gaseous chlorine. If mixed with a small amount of water, the concentrated solution (with pH at about 2.0) may explode due to the evolution of unstable nitrogen trichloride. (Source: CameoChemicals.NOAA.gov).


Review - HR 9182 Introduced – Dairy H5N1 Biosecurity

Back in July, Rep Slotkin (D,MI) introduced HR 9182, the Avian Influenza Research and Response Act. The bill would require USDA to establish a dairy biosecurity education and training program, expand appropriations for research on national or regional problems, and add highly pathogenic avian influenza (HPAI) to the list of zoonotic diseases qualifying for the Agriculture and Food Research Initiative. The bill would authorize $5 million per year through 2029 for the biosecurity education and training program.

Moving Forward

Slotkin and her two cosponsors {Rep Valadao (R,CA) and Rep Caraveo (D,CO)} are members of the House Agriculture Committee to which this bill was assigned for consideration. This means that there may be sufficient influence to see the bill considered in Committee. Other than the one relatively minor authorization increase, I see nothing in the bill that would engender any organized opposition. I suspect that the bill would have some level of bipartisan support, but whether that support would be sufficient to see the bill considered by the Full House under the suspension of the rules process remains to be seen. In the waning days of the 118th Congress, a better move may be to have the bill’s language included in the 2025 Farm Bill which has yet to be considered by the House.

Commentary

It is somewhat disappointing to not see supplemental funding for the Animal and Plant Health Inspection Service (APHIS) to allow that agency to further expand dairy herd testing for the presence of H5N1 infections and dairy worker surveillance testing. Unfortunately, given the general Republican resistance to mandatory medical testing of any sort, such supplemental funding probably would have provided a focus for organized opposition to the bill.


For more information on the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/publish/posts/detail/148571067/share-center - subscription required.

OMB Approves BIS AI Reporting Requirements NPRM

Yesterday, OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a notice of proposed rulemaking (NPRM) from the DOC’s Bureau of Industry and Security (BIS) on “Establishment of Reporting Requirement for the Development of Advanced Artificial Intelligence Models and Computing Clusters”. This NPRM was sent to OIRA on June 5th, 2024.

This rulemaking was not listed in the Spring 2024 Unified Agenda.

I will probably not be covering this rulemaking in any detail, but I will, at a minimum, be listing the publication in the appropriate Short Takes post.

Thursday, September 5, 2024

Short Takes – 9-5-24

Procurement: A Modest Proposal. StrategyPage.com article. Summary of the state of military jet-propelled UAVs. Pull quote: “Meanwhile Chinese manufacturers developed cheaper clones of Predator and Reaper and sold them, with or without weapons, to anyone who could pay. That destroyed much of the export market for Predators and Reapers. China and Russia are also developing jet-powered UAVs, with the same lack of success, so far, as the United States.”

Nearly undetectable card skimmer found at Southern California gas station. KTLA.com article. Pull quote: “The skimmer was attached to a gas pump card reader and PIN pad at an ARCO station in the 13500 block of Euclid Street in Garden Grove, that city’s police department shared on social media. The device was nearly identical to the real card reader behind it, and even included a sticker warning of a 35 cents “fee” that would be added to each transaction.” Includes photo of device.

Railroad Safety Advisory Committee; Notice of Meeting. Federal Register FRA RSAC meeting notice. Summary: “FRA announces the sixty-seventh meeting of the Railroad Safety Advisory Committee (RSAC or Committee), a Federal Advisory Committee that provides advice and recommendations to FRA on railroad safety matters through a consensus process. This meeting of the RSAC will focus on efforts critical to railroad safety including safety improvements in the wake of the February 3, 2023, East Palestine, Ohio, derailment, electronic devices, remote control operations, and roadway worker protection.”

Medical Devices; Dental Devices; Classification of the Radiofrequency Toothbrush. Federal Register FDA final order. Summary: “The Food and Drug Administration (FDA or we) is classifying the radiofrequency toothbrush into class II (special controls). The special controls that apply to the device type are identified in this order and will be part of the codified language for the radiofrequency toothbrush's classification. We are taking this action because we have determined that classifying the device into class II (special controls) will provide a reasonable assurance of safety and effectiveness of the device. We believe this action will also enhance patients' access to beneficial innovative devices.” Special controls include software risk analysis.

Nicotine analogues emerging in e-cigarettes to evade regulations. ChemistryWorld.com article. Pull quote: “However, Jabba points out that regulating such chemicals on an individual basis is unlikely to be effective. ‘If we regulate one chemical, then a similar chemical with similar function is being added, then we are chasing down that for another couple of decades,’ he says. ‘By the time the regulatory things catch up, we are kind of playing a whack-a-mole.’”

Review – 2 Advisories and 2 Updates Published – 9-5-24

Today, CISA’s NCCIC-ICS published a control system security advisory for products from Hughes, and a medical device security advisory for products from Baxter. They also updated two advisories for products from Mitsubishi.

Advisories

Hughes Advisory - This advisory describes two vulnerabilities in the Hughes WL3000 Fusion Software.

Baxter Advisory - This advisory describes two vulnerabilities in the Baxter Connex Health Portal.

Updates

Mitsubishi Update #1 - This update provides additional information on an advisory that was originally published on October 29th, 2020, and most recently updated on December 19th, 2023.

Mitsubishi Update #2 - This update provides additional information on an advisory that was originally published on December 22nd, 2022, and most recently updated on July 9th, 2024.


For more information on these advisories, including brief summaries of changes made in the updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-and-2-updates-published-371 - subscription required.

Short Takes – 9-5-24 – Space Geek Edition

Boeing Starliner Set to Leave Space Station Without Its Crew. NYTimes.com article. Pull quote: “However, that would come at considerable cost for Boeing. The $4.2 billion contract that Boeing signed with NASA in 2014 set fixed amounts for meeting milestones like certification, and the company does not receive payment until it meets those benchmarks. Unlike many traditional so-called cost-plus contracts, Boeing is responsible for picking up the cost of overruns and delays under the agreement with the agency.”

NASA's newly unfurled solar sail has started 'tumbling' end-over-end in orbit, surprising observations show. LiveScience.com article. Pull quote: “On Sunday (Sept. 1), Langbroek, who is currently a lecturer in space situational awareness at the Delft University of Technology in the Netherlands, shared video footage of ACS3 repeatedly dimming and brightening as it passed over a satellite tracking station near Leiden. In an associated blog post, the researcher explained that the object went from being as bright as some of the brightest stars in the sky to being barely visible.”

Polaris’s dawn. TheSpaceReview.com article. Pull quote: “SpaceX has not announced a new launch date, with this Friday [September 6th] now the earliest it could fly. (The launch time remains the same each day, with opportunities between about 3:30 and 7 am EDT.) Isaacman posted over the Labor Day weekend that the crew remains in quarantine in Florida, doing training like proficiency flights to stay ready when the weather cooperates.”

To guard against cyberattacks in space, researchers ask “what if?” TheSpaceReview.com article. High-level overview of cybersecurity issues. Pull quote: “Because space is so remote and hard to access, if someone wanted to attack a space system, they would likely need to do it through a cyberattack. Space systems are particularly attractive targets because their hardware cannot be easily upgraded once launched, and this insecurity worsens over time. As complex systems, they can have long supply chains, and more links in the chain increase the chance of vulnerabilities. Major space projects are also challenged to keep up with best practices over the decade or more needed to build them.”

Huge SpaceX rocket explosion shredded the upper atmosphere. Nature.com article. Pull quote: “The team examined publicly available data from more than 2,500 ground stations across North America and the Caribbean that receive satellite navigation signals. They found that the Starship explosions produced shock waves that travelled faster than the speed of sound, turning the ionosphere into a region of neutral atmosphere — a “hole” — for nearly an hour over a region stretching from Mexico’s Yucatán peninsula to the southeastern United States. Rocket exhaust can trigger chemical reactions that produce temporary holes in the ionosphere even in the absence of an explosion, but in this case the shockwaves themselves had by far the larger effect, Yasyukevich says.” Journal article.

FrankenVega Confirmed for Sentinel 2C Launch. EuropeanSpaceFlight.com article. Pull quote: “While the stage will incorporate elements of an AVUM+ upper stage, it must retain a significant portion of its original design to avoid the need for requalification by ESA. However, given the unique situation and the untested nature of these components being combined into a single stage, ESA appears to be accepting additional risk for the launch of an important payload.”

Wednesday, September 4, 2024

Short Takes – 9-4-24

Ukraine lessons in many domains: What US military intel officials are learning. BreakingDefense.com article. Pull quote: ““So listen, it’s easy to sit at the Pentagon thinking you have great ideas for innovation,” Andrew Evans, the director of the Army’s ISR (Intelligence, Surveillance and Reconnaissance) Task Force said. “But you know who the best innovators are? The people who have to innovate or they’re going to die the next day.””

Could bird flu spread at state fairs? Here’s why health experts advise caution. NPR.org article.  Pull quote: ““One of the things that people bring up so much about COVID-19 are the animal markets in China, where you have multiple different animals and different species interacting with each other,” Adalja said. “Similar things happen at state fairs in the United States. That's not really any different.”” Latest State to add Bovine H5N1 infection reports: California.

Elevating precision farming with innovative plant e-skin coupled with digital-twin monitoring system. NewsWise.com article. Pull quote: “To resolve these limitations, the NUS research team designed the innovative plant e-skin to be biocompatible, transparent and stretchable using commercially available organic materials. The ultrathin plant e-skin has a thickness of 4.5 micrometres, which is about 10 times thinner than the diameter of a strand of human hair which is around 50 micrometres. The e-skin comprises an electrically conductive layer, sandwiched between two transparent substrate layers. The incorporation of these layers renders the plant e-skin remarkably transparent, allowing over 85 per cent of light to pass through within the wavelength range of 400 to 700 nanometres, perfectly aligning with the light absorbance wavelength needed for plants to produce energy.” Journal article

Review - NTIA Publishes Data Center Growth, Resilience, and Security RFI

Today the DOC’s National Telecommunications and Information Administration (NTIA) published a request for information (RFI) notice in the Federal Register (89 FR 71890-71893) on “Request for Comments on Bolstering Data Center Growth, Resilience, and Security”.  The Summary notes that:

“The National Telecommunications and Information Administration (NTIA) hereby requests comments on the challenges surrounding data center growth, resilience and security in the United States amidst a surge of computing power demand due to the development of critical and emerging technologies. This request focuses on identifying opportunities for the U.S. government to improve data centers' market development, supply chain resilience, and data security. NTIA will rely on these comments, along with other public engagements on this topic, to draft and issue a public report capturing economic and security policy considerations and policy recommendations for fostering safe, secure, and sustainable data center growth.”

Public Comments

NTIA is soliciting public comments on these questions. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # NTIA-2024-0002). Comments should be submitted by November 4th, 2024.


For more information on this RFI, including a list of supply chain security and cybersecurity related questions, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/ntia-publishes-data-center-growth - subscription required.


OMB Approves FHWA RFI on Medium and Heavy-Duty Charging Stations

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a request for information from the DOT’s Federal Highway Administration (FHWA) on “Notice of Request for Information (RFI) on Medium and Heavy-Duty Electric Charging Technologies and Infrastructure Needs”. The RFI was sent to OMB on June 25th, 2024.

This rulemaking was not listed in the Spring 2024 Unified Agenda, but that is not too unusual at this stage of the rulemaking process.

I suspect that the RFI will include a selection of cybersecurity related questions. If there are no such questions, the only coverage for the publication of this RFI will be a mention in the appropriate Short Takes post.

Tuesday, September 3, 2024

Short Takes – 9-3-24

America Must Free Itself from the Tyranny of the Penny. NYTimes.com article. Pull quote: “Most pennies produced by the U.S. Mint are given out as change but never spent; this creates an incessant demand for new pennies to replace them, so that cash transactions that necessitate pennies (i.e., any concluding with a sum whose final digit is 1, 2, 3, 4, 6, 7, 8 or 9) can be settled. Because these replacement pennies will themselves not be spent, they will need to be replaced with new pennies that will also not be spent, and so will have to be replaced with new pennies that will not be spent, which will have to be replaced by new pennies (that will not be spent, and so will have to be replaced). In other words, we keep minting pennies because no one uses the pennies we mint.”

What to Know about Eastern Equine Encephalitis Virus Spread by Mosquitoes. ScientificAmerican.com article. Pull quote: “Even in extreme years, however, the number of mosquitoes that are infected [with these viruses] is relatively low—so low that detecting virus in a single mosquito is very unlikely. And when someone is bitten by an infected mosquito, they may or may not be infected. Among those people who are infected, only 4 to 5 percent will develop any kind of disease. Among the 4 to 5 percent who have some kind of disease, about one third are the serious, life-threatening encephalitis version.”

How Deadly Is Mpox, What Vaccines are Effective, and Other Questions Answered. ScientificAmerican.com article. Pull quote: “But Liesenborghs says that the mutations and clades might not be the most important factor in understanding how the monkeypox virus spreads. Although distinguishing Ia from Ib is useful in tracking the disease, he says, severity and transmissibility of disease could be more affected by the region where the virus is circulating and the people there. Clade Ia, for instance, seems to be more common in sparsely populated rural regions where it is less likely to spread far. Clade Ib is cropping up in densely populated areas and spreading more readily.”

How the 14th Amendment prevents state legislatures from subverting popular presidential elections. TheConversation.com commentary. Pull quote: “If all of a state’s voters have their right to vote taken away, Section 2 requires that the state’s House representation immediately and automatically be reduced to zero. The Constitution elsewhere specifies that each state’s representation in the Electoral College is the sum of the state’s House and Senate delegations.”

Logistics: Russian Railroads Ruined. StrategyPage.com article. Pull quote: “Ukraine plans to build some European Gauge rail lines to major transportation centers in several Ukrainian cities. Eventually Ukraine wants to convert all its major rail lines to Standard gauge. This will make it easier to handle trade with Europe and, if there’s another war with Russia, the Russians will not have all those Russian gauge rail lines available to quickly move troops and supplies into Ukraine on Russian gauge railroads. Instead, the Russians will have to use roads or capture Ukrainian railroad engines along with passenger, cargo, and flatcars so they can use Ukrainian European Standard gauge railroads.”

World's biggest battery coming to Maine — and it could store 130 million times more energy than your laptop. LiveScience.com article. Pull quote: “But there's no chance of iron-air batteries replacing Li-ion batteries in consumer electronics, according to the Environmental and Energy Study Institute (EESI). Although iron-air batteries are useful for large-scale storage, they charge and discharge energy much slower than Li-ion cells, which isn't ideal for smartphones or electric cars. It's also tough for researchers to shrink the batteries down small enough to fit inside these everyday devices.”

CISA Adds 2 DrayTek Network Management Vulnerabilities to KEV Catalog

Today, CISA added three new vulnerabilities to their Known Exploited Vulnerabilities Catalog, including two vulnerabilities for the DrayTek VigorConnect local network management product. The two DrayTek vulnerabilities are:

Path Traversal - CVE-2021-20123 and CVE-2021-20124

The vulnerabilities were discovered by Tenable, who published their report (including proof-of-concept code) on October 12th, 2021. DrayTek acknowledged these vulnerabilities on October 15th, 2021, reporting that they had a new version that mitigated the vulnerabilities.

CISA is requiring government agencies possessing the affected versions of these products to update to the new version (or discontinue the use of those products) by September 24th, 2024.


Review – 1 Advisory Published – 9-3-24

Today, CISA’s NCCIC-ICS published a control system security advisory for products from LOYTEC.

Advisories

LOYTEC Advisory - This advisory describes ten vulnerabilities (with publicly available exploits) in the Loytec building automation products.


For more information on the advisory, including links to researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-advisory-published-9-3-24 - subscription required.

Cyber Retribution

There is an interesting article over at Lawfaremedia.org on preventing election related cyberattacks. An excellent article, well worth reading. What struck me though was the last paragraph:

“The Biden administration should make clear that interference in the election is a true red line—no matter which campaign is targeted or who benefits. The Biden administration should threaten real consequences and then restore the credibility of U.S. red lines through action. The response to the Iran hack could be a true tit-for-tat: Iran just had an election, and surely the U.S. government collected sensitive information about the candidates. Declassify and release it, ensuring it lands inside Iran’s borders. Embarrassment is a far greater threat to Tehran’s closed authoritarian society than it is to Washington. Some observers may argue that now is the wrong time to push back on Iran, given the tense situation with Israel. They would be wrong. Iran must realize that the United States will not coddle and cajole it into a more responsible posture on the world stage. Especially when it comes to core national values, like a free and fair election—something Iran knows little about—U.S. resolve must be unbending and its tolerance for this sort of meddling gone.”

I am not sure that I agree with the premise of the central sentence: “Embarrassment is a far greater threat to Tehran’s closed authoritarian society than it is to Washington.” One thing is certain though, our current responses to international cyberattacks have been significantly less than effective. This would be a low-cost (financially and politically) solution, and it could not be any less successful than the sanction regimes that have been the “most successful” retaliation to date. Perhaps it is worth a try. In any case, creative thinking like this is going to be needed to deal with state-sponsored or state-encouraged cyberattacks.

Review - HR 9083 Introduced – Energy Security Plans

Last month, Rep Latta (R,OH) introduced HR 9083, the Securing Community Upgrades for a Resilient (SECURE) Grid Act. The bill would amend 42 USC 6326 to require States to include local distribution systems in their State Energy Security Plans described in §6326. No new funding is authorized by this legislation.

Moving Forward

Both Latta and his sole cosponsor {Rep Matsui (D,CA)} are members of the House Energy and Commerce Committee to which this bill was assigned for consideration. This means that there could be sufficient influence to see this bill considered in Committee. While I see nothing in this bill that would engender any organized opposition, I do suspect that there would be some interest in seeing some changes to the wording of the new §6326(c)(3) language, in particular subparagraph (B); “(B) risks and liabilities posed by human error or mismanagement;”. At the end of the day, I suspect that there will be some level of bipartisan support for this bill in Committee. Whether that support would be sufficient to see the bill considered in the Full House under the suspension of the rules remains to be seen.

Commentary

While the addition of the “attacks on the physical security of local distribution systems” language is certainly important given the increasing number of such attacks in the last couple of years, it comes at the cost of removing the existing reference to the “physical threats and vulnerabilities” for the bulk power system within the State. I would like to see that language added back in by inserting a new §6326(c)(3)(E):

“(E) physical threats and vulnerabilities;”


For more information on the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-9083-introduced - subscription required.
