Monday, September 30, 2024

Short Takes – 9-30-24

Helene deadliest hurricane in years. LinkedIn.com news summary. Pull quote: “Helene, now a post-tropical cyclone hovering over the Tennessee Valley, has left more than 50 dead across five states, making it the deadliest hurricane to strike the continental U.S. since 2022’s Ian, Bloomberg reports. Helene made landfall as a Category 4 in Florida’s Big Bend region late Thursday, the third hurricane to pummel the area in 13 months. It brought some of the worst flooding the South has seen in 100 years, and has cut off power to millions, strained dams and isolated mountain communities during its push along the Southeast and into Appalachia.”

Chemical Data Reporting; Extension of the 2024 Submission Period. Federal Register EPA direct final rule. Summary: “The Environmental Protection Agency (EPA or Agency) is amending the Toxic Substances Control Act (TSCA) Chemical Data Reporting (CDR) regulations to extend the submission deadline for 2024 reports to November 22, 2024. This extension is for the 2024 submission period only. The TSCA CDR regulations require manufacturers (including importers) of certain chemical substances included on the TSCA Chemical Substance Inventory (TSCA Inventory) to report data on the manufacturing, processing, and use of the chemical substances.”

Warplanes: Where Have All the Maintainers Gone. StrategyPage.com article. Pull quote: “The current surge in retirements of experienced maintainers and a dearth of new air force recruits has left military aviation units with a growing shortage of both veteran and recently trained maintainers. The shortage meant lots of overtime for these maintainers. There is no time and a half pay for military personnel. That means no financial incentive to put up with extended periods of overtime. That led to more maintainers not re-enlisting or, if they were career maintainers, they retired early and went to work for commercial aviation. As civilian maintainers the working conditions are better, the pay higher, and you can stay in one place as long as you like. You also get 50 percent more per hour when you work over 40 hours a week.”

As storms strengthen, fears about chemical plant spills rise. WBUR.com article. Pull quote: “While EPA records for the three New Bedford plants reported that the loss of “cooling, heating, electricity [or] instrument air” would be a major hazard, none of them listed having “emergency power” in their safety plans.”

Certain Per- and Polyfluoroalkyl Substances (PFAS) Risk Management Under the Toxic Substances Control Act (TSCA); Request for Comment. Federal Register EPA notice. Summary: “The Environmental Protection Agency (EPA or Agency) is seeking public comment on the manufacture of certain per- and polyfluoroalkyl substances (PFAS), including perfluorooctanoic acid (PFOA), perfluorononanoic acid (PFNA), and perfluorodecanoic acid (PFDA), during the fluorination of high-density polyethylene (HDPE) and other plastic containers to inform regulations as appropriate under the Toxic Substances Control Act (TSCA). This request for public comment follows the Agency's grant on July 10, 2024, of a TSCA petition received on April 11, 2024, which requested that EPA address via TSCA the regulation of PFOA, PFNA, and PFDA formed during the fluorination of plastic containers used for a variety of household consumer, pesticide, fuel, automotive, and other industrial products.”

Review - HR 9520 Introduced – Federal Cyber Workforce Training

Earlier this month, Rep Fallon (R,TX) introduced HR 9520, the Federal Cyber Workforce Training Act of 2024. The bill would require the National Cyber Director to formulate a plan for the establishment of a federal cyber training institute. It does not authorize the actual establishment of the institute; that would require subsequent legislation. The bill specifically does not authorize new spending. This is a companion measure to S 4715 [removed from paywall], which was introduced in July and was ordered reported favorably with substitute language. That report (and the revised version) has not yet been printed.

Moving Forward

Fallon is a member of the House Oversight and Accountability Committee to which this bill was assigned for consideration. This means that there may be sufficient influence to see the bill considered in Committee. With new spending being prohibited, I see nothing in this bill that would engender any organized opposition. I suspect that the bill would receive some level of bipartisan support, perhaps enough that it could be considered under the suspension of the rules process.

Commentary

While the proposed institute is not a cybersecurity institute, all cyber work roles should include some level of cybersecurity responsibilities. I think it would be helpful to delineate a responsibility for the institute to establish a minimum level of cybersecurity training for all cyber personnel. To that end, I would like to suggest the insertion of a new §2(b)(2)(C):

“(C) establish a common skill level cybersecurity curriculum for all entry level positions and a more advanced cybersecurity training program for personnel transitioning to mid-career level positions;”


For more information about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-9520-introduced - subscription required. 

Short Takes – 9-30-24 – Space Geek Edition

China’s astronauts are aiming to land on the moon by 2030. They now have a new spacesuit to do it. CNN.com article. Pull quote: “The moon-landing suit is equipped with a built-in long and short-range camera, an operations console, and a glare-proof helmet visor, according to a video shared by state broadcaster CCTV, which featured well-known Chinese astronauts Zhai Zhigang and Wang Yaping demonstrating how astronauts wearing the suit can bend and climb a ladder.”

NASA Inspector Issues Warning About Growing Cracks Leaking Air From Space Station. Futurism.com article. Pull quote: “If the leaks continue, NASA and Roscosmos may be forced to permanently close the hatch to the affected tunnel, which would cut astronauts off from using one of the station's four docking ports.” NASA IG report here.

SpaceX pausing launches to study Falcon 9 issue on Crew-9 astronaut mission. Space.com article. Pull quote: “"After today’s successful launch of Crew-9, Falcon 9's second stage was disposed in the ocean as planned, but experienced an off-nominal deorbit burn. As a result, the second stage safely landed in the ocean, but outside of the targeted area. We will resume launching after we better understand root cause," SpaceX wrote in a post on X.” 

Sunday, September 29, 2024

Chemical Incident Reporting – Week of 9-21-24


NOTE: See here for series background.

Cleves, OH – 9-24-24

Local News Reports: Here, here, and here.

Styrene was leaking from the pressure relief valve on a railcar. Evacuations were ordered. No injuries or damages were reported.

Some news reports called it an ‘open valve’, which would imply that someone left a valve open, either by mistake or deliberately. One video (here) clearly shows venting through the pressure relief valve. Styrene is a monomer and is capable of self-polymerization initiated by heat. As the chemical polymerizes it releases heat, increasing the rate of polymerization. The increasing heat in the car raises the internal pressure. The PRV is a safety device that relieves that pressure by venting to the atmosphere. While the chemical is toxic, the risk from a catastrophic failure of the railcar due to overpressurization is higher.

Not CSB reportable, this is a transportation incident.

Suffield, CT – 9-25-24

Local News Reports: Here, here, here, and here.

An anhydrous ammonia leak at a dairy supply facility led to evacuations and road closures. No injuries were reported and no damage estimates were provided.

Not CSB reportable. 

Saturday, September 28, 2024

Short Takes – 9-28-24

Periodic Graphics: The chemistry of cat and dog kibble. CEN.ACS.org infographic. Just to prove again, chemistry is everywhere.

Intent To Request Extension From OMB of One Current Public Collection of Information: Sensitive Security Information Threat Assessment Application. Federal Register TSA 60-day information collection request. Summary: “OMB Control Number 1652-0042; Sensitive Security Information Threat Assessment. Section 525(d) of the Department of Homeland Security Appropriations Act of 2007 (DHS Appropriations Act, Public Law 109-295, 120 Stat 1382), as reenacted, requires TSA to establish a process by which a party seeking access to SSI in a civil proceeding in federal district court can make a request to receive a record designated as SSI. TSA's process applies to parties who demonstrate a substantial need for relevant SSI in the preparation of the party's case and without the record, it would create an undue hardship to obtain the substantial equivalent of the information in the records by other means. Under this process, the party's representative may request and be granted conditional access to the SSI at issue in the case.” Comments due November 25th, 2024.

Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles. Federal Register BIS notice of proposed rulemaking. Summary: “In this notice of proposed rulemaking (NPRM), the Department of Commerce's (Department) Bureau of Industry and Security (BIS) proposes a rule to address undue or unacceptable risks to national security and U.S. persons posed by classes of transactions involving information and communications technology and services (ICTS) that are designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of certain foreign adversaries, and which are integral to connected vehicles, as defined herein. BIS is soliciting comment on this proposed rule, which builds on the advance notice of proposed rulemaking (ANPRM) [link added] issued by BIS on March 1, 2024.” Comments due October 28th, 2024.

NRC Implementation of the Accelerating Deployment of Versatile, Advanced Nuclear for Clean Energy Act of 2024. Federal Register NRC public meeting notice. Summary: “The U.S. Nuclear Regulatory Commission (NRC) is implementing the requirements in the Accelerating Deployment of Versatile, Advanced Nuclear for Clean Energy Act of 2024 (the ADVANCE Act, or the Act). The NRC plans to hold public meetings periodically to support the NRC's implementation of the ADVANCE Act.” Meeting dates will be publicized on the NRC's Public Meeting Notice System.

OMB Approves TSA’s Surface Cyber Risk Management NPRM

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a notice of proposed rulemaking (NPRM) for TSA on “Enhancing Surface Cyber Risk Management”. The NPRM was sent to OIRA on February 16th, 2024. The advance notice of proposed rulemaking for this rule was published on November 30th, 2022.

According to the Spring 2024 Unified Agenda entry for this rulemaking:

“On July 28, 2021, the President issued the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. In response to the ongoing threat to pipeline systems, TSA used its authority under 49 U.S.C. 114 to issue emergency security directives to owners and operators of TSA-designated critical pipelines that transport hazardous liquids and natural gas to implement a number of urgently needed protections against cyber intrusions. TSA also issued security directives in the freight, passenger, and transit-rail sectors under the same statutory authority. TSA is committed to enhancing and sustaining industry’s resilience to cybersecurity attacks. TSA intends to issue a rulemaking that will permanently codify critical cybersecurity requirements for pipeline and rail modes. Through this rulemaking, TSA will also address certain requirements in the Implementing Recommendations of the 9/11 Commission Act of 2007 related to information and operational technology systems. TSA is committed to enhancing and sustaining cybersecurity for all modes of transportation and intends to issue a rulemaking that may codify these and other requirements following an opportunity for notice and comment. In addition to holding numerous technical roundtables with the industry regarding cybersecurity requirements, TSA also solicited public input in the development of this rulemaking through publication of an advance notice of proposed rulemaking in November 2022.”

This should be published in the Federal Register in the next couple of weeks.

Review – Public ICS Disclosures – Week of 9-21-24

This week we have 17 vendor disclosures from Broadcom (2), Cisco, GE Vernova, HPE (5), Palo Alto Networks, SEL, SICK, WatchGuard (3), Western Digital, and Zyxel. There are also 3 updates from CODESYS, ELECOM, and HPE. We also have 6 researcher reports for products from ABB (4), Blackberry, and Linear Solutions. Finally, we have 3 exploits for products from BlackNET, Positron, and Texas Instruments.

Advisories

Broadcom Advisory #1 - Broadcom published an advisory that discusses the Blast-Radius vulnerability.

Broadcom Advisory #2 - Broadcom published version release notice for their Brocade Fabric OS that lists the previously disclosed vulnerabilities that are corrected in the latest version.

Cisco Advisory - Cisco published an advisory that describes an improper access control vulnerability in their Industrial Ethernet 4000, 4010, and 5000 Series Switches.

GE Vernova Advisory - GE published an advisory that describes two vulnerabilities in their WorkstationST products.

HPE Advisory #1 - HPE published an advisory that discusses the regreSSHion vulnerability in their HPE Superdome Flex and Superdome Flex 280 servers.

HPE Advisory #2 - HPE published an advisory that describes three command injection vulnerabilities in their Aruba Access Points products.

HPE Advisory #3 - HPE published an advisory that describes a cross-site request forgery vulnerability in their IceWall Agent products.

HPE Advisory #4 - HPE published an advisory that discusses a protection mechanism failure vulnerability in their SimpliVity Servers.

HPE Advisory #5 - HPE published an advisory that discusses an inconsistent flow control management vulnerability in their SimpliVity Servers.

Palo Alto Networks Advisory - Palo Alto Networks published an advisory that discusses the CUPS vulnerabilities.

SEL Advisory - SEL published a new version notice for their SEL-5033 acSELerator RTAC software that describes a cybersecurity enhancement.

SICK Advisory - SICK published an advisory that describes a missing authentication for critical function vulnerability in their MSC800 track and trace controller.

WatchGuard Advisory #1 - WatchGuard published an advisory that describes an incorrect authorization vulnerability (with publicly available exploit) in their Authentication Gateway.

WatchGuard Advisory #2 - WatchGuard published an advisory that describes an incorrect authorization vulnerability (with publicly available exploit) in their Authentication Gateway.

WatchGuard Advisory #3 - WatchGuard published an advisory that describes an improper handling of exceptional or unusual conditions vulnerability (with publicly available exploit) in their Single Sign-On Client.

Western Digital Advisory - Western Digital published an advisory that describes an improper restriction of operations within the bounds of a memory buffer vulnerability in their My Cloud firmware.

Zyxel Advisory - Zyxel published an advisory that describes four improper restriction of operations within the bounds of a memory buffer vulnerabilities in multiple Zyxel products.

Updates

CODESYS Update - CODESYS published an update for their Control V3 web server advisory that was originally published on August 29th, 2024.

ELECOM Update - JP-CERT published an update for their ELECOM wireless LAN advisory that was originally published on August 27th, 2024.

HPE Update - HPE published an update for their ProLiant DL/ML/XL, Edgeline, MicroServer and Synergy Servers advisory that was originally published on September 16th, 2024 and most recently updated on September 19th, 2024.

Researcher Reports

ABB Report #1 - Zero Science published a report that describes a files or directories accessible to external parties vulnerability (with an associated exploit) in the ABB ASPECT building management software.

ABB Report #2 - Zero Science published a report that describes an improper input validation vulnerability (with an associated exploit) in the ABB ASPECT building management software.

ABB Report #3 - Zero Science published a report that describes a command injection vulnerability (with an associated exploit) in the ABB ASPECT Control Engines.

ABB Report #4 - Zero Science published a report that describes a use of default credentials vulnerability (with an associated exploit) in the ABB ASPECT system.

Blackberry Report - SEC Consult published a report that describes an authentication bypass by alternate path or channel vulnerability in the Blackberry CylanceOPTICS Windows Installer Package.

Linear Solutions Report - SSD published a report that describes a remote code execution vulnerability in the Linear eMerge E3 access control product.

Exploits

BlackNET Exploit - bRpsd published an exploit for a missing authentication for critical operation vulnerability in the BlackNET secure transport layer.

Positron Exploit - Indoushka published an exploit for a cross-site request forgery in the Positron Broadcast Signal Processor TRA7005.

TI Exploit - crypt0d1v3r published a proof-of-concept toolkit for a denial of service vulnerability in the TI bluetooth stack.


For more information on these disclosures, including links to 3rd party advisories, researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-9-2c2 - subscription required.

Friday, September 27, 2024

Review - S 4895 Introduced – Grid Assistants

Last month Sen Wyden (D,OR) introduced S 4895, the Grid Resilience Improvement through Dedicated (GRID) Assistance Act (PL 117-158). The bill would amend the Infrastructure Investment and Jobs Act, adding a new §40114, Grid Assistance Program. It would require DOE to establish a grant program to provide funding for the hiring, training, and retention of Grid Assistants to help implement transmission capacity expansion and resiliency efforts. The bill would authorize the spending of $25-million per year through 2029 to fund the new program.

Moving Forward

Wyden is a subcommittee chair in the Senate Energy and Natural Resources Committee to which this bill was assigned for consideration. This means that there is probably sufficient influence to see the bill considered in Committee. Other than the increased funding (which some Republicans would reject without considering the program for which the funding is intended), I see nothing that would engender any organized opposition. I would expect to see some level of bipartisan support for the bill if it were considered.

Due to how little time is left in the session, this bill is not likely to be brought to the floor.


For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-4895-introduced - subscription required.

Transportation Chemical Incidents – Week of 8-24-24

Reporting Background

See this post for explanation, with the most recent update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

Incidents Summary

• Number of incidents – 636 (601 highway, 29 air, 6 rail, 0 water)

• Serious incidents – 3 (2 Bulk release, 0 evacuation, 1 injury, 0 death, 2 major artery closed, 0 fire/explosion, 32 no release)

• Largest container involved – 31,750-gal DOT 111A100W1 Railcar {Diesel Fuel} Damaged manway seal.

• Largest amount spilled – 380.6-gal IBC (link not available) {Organic Peroxide Type F, Liquid} Trailer overturned in vehicle accident.

NOTE: Links above are to Form 5800.1 for the described incidents.

Most Interesting Chemical: Sodium Nitrite - A yellowish white crystalline solid. Noncombustible but will accelerate the burning of combustible material. If large quantities are involved in a fire or if the combustible material is finely divided, an explosion may result. If contaminated by ammonium compounds, spontaneous decomposition can occur and the resulting heat may ignite surrounding combustible material. Prolonged exposure to heat may result in an explosion. Toxic oxides of nitrogen are produced in fires involving this material. Used as a food preservative, and to make other chemicals. (Source: CameoChemicals.NOAA.gov).


CSB Publishes Update on TS USA Investigation – 9-26-24

Yesterday, the Chemical Safety Board (CSB) published a brief update for their investigation of the fatal May 30th, 2024 chemical incident at the TS USA facility in Chattanooga, TN. The update provides a summary of the incident and the following description of the scope of the continuing investigation:

• The cause of the molten salt eruption

• Hazard Analyses of Liquid Nitriding Processes

• TS USA’s Hazard Identification Program

• TS USA’s Safety Management Systems

• HEF and TS USA’s Corporate Governance of Safety Programs

• Regulatory and Industry Guidance for Liquid Nitriding Facilities


Thursday, September 26, 2024

Short Takes – 9-26-24

Threat Actors Continue to Exploit OT/ICS through Unsophisticated Means. CISA.gov alert. No new information. Pull quote: “CISA continues to respond to active exploitation of internet-accessible operational technology (OT) and industrial control systems (ICS) devices, including those in the Water and Wastewater Systems (WWS) Sector. Exposed and vulnerable OT/ICS systems may allow cyber threat actors to use default credentials, conduct brute force attacks, or use other unsophisticated methods to access these devices and cause harm.”

Public health put at risk by mooted EU classification of ethanol as reprotoxic. ChemistryWorld.com article. Pull quote: “The problem is that the classification system is a crude instrument, he adds. ‘Usually, classification is based on animal experiments at high doses that might be unrealistic in real life. The hazard classification is an intrinsic property of the chemical and does not reflect a ‘risk assessment’ of the way the chemical is used. Developmental effects from alcohol are seen in animal studies and humans. So, the effects are real and the classification is justified. [But] this causes problems with respect to marketing a specific biocidal product.”

Car software patches are over 20% of recalls, study finds. ArsTechnica.com article. Pull quote: “So, it's highly likely the trend of fixing product flaws with software will only escalate, particularly with the introduction of software-defined vehicles. This represents a clean-sheet approach to designing a car, with a handful of powerful computers replacing tens of dozens of black boxes, each with a single function. Which is great when it all works, but it's a headache when there are problems.”

A huge Hurricane Helene is expected to hit Florida as a major storm and strike far inland. TheHill.com article. See NHC Inland Warnings here. Pull quote: “State meteorologist Will Lanxton said tropical storm-force winds are expected throughout Georgia. Lanxton said metro Atlanta hasn’t seen sustained tropical storm winds since Hurricane Irma in 2017.”

Experts predicted way more hurricanes this year — here's the weird reason we're 'missing' storms. LiveScience.com article. Pull quote: “However, things may soon be back to normal as the monsoon retreats southward and the sea surface keeps heating up (ocean temperatures typically peak in October), providing the necessary moisture and heat. While the typical season for easterly waves is nearing its end, storms could continue to form from disturbances in the Caribbean. Researchers at Colorado State University, widely considered some of the most accurate hurricane forecasters, have estimated a 50% chance of a return to normal hurricane activity in the next two weeks.”

Robotic moving 'crew' preps for work on moon. Phys.org article. Pull quote: “Now that the team has determined how the system should function, Cline believes the next natural step would be to develop and test an engineering design unit on one of the landers going to the moon as part of NASA's Commercial Lunar Payload Services (CLPS) initiative. The team is actively looking for industry partners who want to commercialize the capability.”

“Pending regulatory approval”: launch companies struggle with licensing. TheSpaceReview.com article. Pull quote: “Industry is not so sure about that conclusion. At the House hearing, Mike French, vice-chair of the Commercial Space Transportation Advisory Committee, said his committee had provided recommendations to the FAA on ways to improve Part 450. That included expanding the 180-day time period the FAA has to evaluate a completed license application to include some parts of the pre-application process as well as allowing companies to use existing legacy regulations for cases where there are no advisory circulars for the new regulations. However, it was not clear when, or if, those recommendations would be taken up by the FAA.”

Space Force taps four companies to design ‘Resilient GPS’ satellites. SpaceNews.com article. Pull quote: “Despite high-level support, the program faces scrutiny from the House Appropriations’ defense subcommittee, which has questioned the effectiveness of adding more satellites to counter jamming threats and denied a $77 million funding request for R-GPS.”

Chemical Industry Counters Terror Threats with Boundary Protection. ChemicalProcessing.com article. Pull quote: ““The sensitivity of products handled by chemical companies and the potential harm that they can cause makes perimeter security a high-level priority,” he says. “Understanding the traffic flow in and out of the facility is important. This helps to provide direction on what the needs are, the products that can be used to meet those needs while still allowing the facility to function productively.””

Neo-Nazi Telegram Users Panic Amid Crackdown and Arrest of Alleged Leaders of Online Extremist Group. ProPublica.org article. Pull quote: ““Every time we have a success against one of them, they learn, they adapt, they modify,” said Don Robinson, who as an FBI agent conducted infiltration operations against white supremacists. “Extremists can simply pick up and move to a new platform once they are de-platformed for content abuses. This leaves law enforcement and intelligence agencies playing an endless game of Whac-a-Mole to identify where the next threat may be coming from.””

Tris(2-chloroethyl) Phosphate (TCEP); Risk Evaluation Under the Toxic Substances Control Act (TSCA); Notice of Availability. Federal Register EPA notice. Summary: “The Environmental Protection Agency (EPA or Agency) is announcing the availability of the final risk evaluation under the Toxic Substances Control Act (TSCA) for tris(2-chloroethyl) phosphate (TCEP). The purpose of risk evaluations under TSCA is to determine whether a chemical substance presents an unreasonable risk of injury to health or the environment, without consideration of costs or non-risk factors, including unreasonable risk to potentially exposed or susceptible subpopulations identified as relevant to the risk evaluation by EPA, under the conditions of use. The Agency used the best available science to prepare this final risk evaluation and determined, based on the weight of scientific evidence, that TCEP poses unreasonable risk to human health and the environment. Under TSCA, EPA must initiate risk management actions to address the unreasonable risk.”

Review – NSF Publishes RFI for Cyber-Physical Resilience Research

Today, the National Science Foundation (NSF) published a request for information in the Federal Register (89 FR 78915-78916) for “Networking and Information Technology Research and Development Request for Information on a National Plan for Cyber-Physical Systems Resilience”. The notice reports that: “The goal of the plan is to shape a whole-of-government research and development (R&D) plan related to cyber-physical resilience across systems that may be local, regional, or national in scope.”

The proposed research plan would be based, at least in part, on the following documents:

• PCAST Releases Report on Strategy for Cyber-Physical Resilience,

• Strategy for Cyber-Physical Resilience: Fortifying Our Critical Infrastructure for a Digital World, and

• Cyber-Physical Systems Resilience—The Networking and Information Technology Research and Development (NITRD) Program.

The NSF is soliciting comments that “address the topics of this RFI clearly and concisely”. Comments should be emailed to CPSR-ftacRFI@nitrd.gov. Comments should be submitted by October 26th, 2024.


For more information about the RFI, including a brief description of the scope of the information requested, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/nsf-publishes-rfi-for-cyber-physical - subscription required.

Bills Introduced – 9-26-24

Yesterday, with both the House and Senate leaving Washington for electioneering, there were 260 bills introduced. Two of those bills may receive additional coverage in this blog:

HR 9851 To amend the Energy Policy Act of 2005 to establish a Hydrogen Technologies for Heavy Industry Demonstration Program, and for other purposes. Sorensen, Eric [Rep.-D-IL-17]

S 5276 A bill to require a roadmap for the future desired state for the solid rocket motor (SRM) industrial base, and for other purposes. Cornyn, John [Sen.-R-TX] 

I will be watching HR 9851 for language and definitions that would specifically include chemical safety requirements in the program.

I will be watching S 5276 as part of my expanding ‘space geek’ coverage. I will be watching for language and definitions that would include support for commercial space operations in the purview of the legislation.

Review – 5 Advisories Published – 9-26-24

Today, CISA’s NCCIC-ICS published five control system security advisories for products from goTenna (2), Atelmo Atemio, and Advantech (2).

Advisories

goTenna Advisory #1 - This advisory describes nine vulnerabilities in the goTenna Pro ATAK Plugin mesh networking device.

goTenna Advisory #2 - This advisory describes 10 vulnerabilities in the goTenna Pro series mesh networking devices.

Atelmo Advisory - This advisory describes an OS command injection vulnerability (with a publicly available exploit) in the Atelmo Atemio AM 520 HD satellite receiver.

Advantech Advisory #1 - This advisory describes four vulnerabilities in the Advantech ADAM-5630 edge intelligent DAQ controller.

Advantech Advisory #2 - This advisory describes two vulnerabilities in the Advantech ADAM 5550.


For more information on these advisories, including links to researcher reports and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-advisories-published-9-26-24 - subscription required.

OMB Approves FDA Electronics Record Guidance

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an FDA guidance document on “Electronic Systems, Electronic Records, and Electronic Signatures in Clinical Investigations: Questions and Answers; Guidance for Industry”. The guidance document was sent to OIRA on September 16th, 2024. This is a very fast turnaround for OIRA, indicating a high priority within the Administration.

As is the case with most guidance documents, this was not listed in the Spring 2024 Unified Agenda. The FDA did, however, publish a draft of this document in March of 2023. That draft did include one question (question #11 on page 15): “What are FDA’s requirements and recommendations regarding the use of security safeguards?”

Such cybersecurity ‘requirements’ may be covered in this blog when the guidance document is published. 

OMB Approves EPA NRPM Adding PFAS to TRI

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a notice of proposed rulemaking (NPRM) on “Addition of Certain Per- and Polyfluoroalkyl Substances (PFAS) to the Toxics Release Inventory (TRI)”. The NPRM was sent to OIRA on January 16th, 2024.

According to the Spring 2024 Unified Agenda entry for this rulemaking:

“The Environmental Protection Agency (EPA) is developing a proposal to add individually listed per- and polyfluoroalkyl substances (PFAS) and PFAS categories to the Toxics Release Inventory (TRI) list of toxic chemicals subject to reporting under the Emergency Planning and Community Right-to-Know Act (EPCRA) and the Pollution Prevention Act (PPA). EPA also intends to address how PFAS compound categories should be treated and discuss what events may trigger the automatic addition of a PFAS to the TRI. These actions are being proposed to comply with the National Defense Authorization Act for Fiscal Year 2020 (NDAA) [15 USC 8921].”

This NPRM should have been published by December 20th, 2022 according to the UA entry.

I will not be covering this rulemaking in any depth in this blog, but its publication will be reported in the appropriate ‘Short Takes’ post.

Wednesday, September 25, 2024

Short Takes – 9-25-24

LunaRecycle Challenge Phase 1. Federal Register NASA notice. Summary: “NASA seeks to stimulate research and technology solutions to support future missions and inspire new national aerospace capabilities through public prize competitions called Centennial Challenges. The LunaRecycle Challenge is one such competition. Centennial Challenges are managed at NASA's Marshall Space Flight Center in Huntsville, Alabama and are part of the Prizes, Challenges, and Crowdsourcing program within NASA's Space Technology Mission Directorate (STMD) at the agency's Headquarters in Washington.”

Cyberthreats to railroads loom as industry and TSA grow an uneasy partnership. TheRecord.media article. There is a difference between a ‘security directive’ and a regulation. Pull quote: “Rail infrastructure — from tracks to switches to substations — spreads across vast distances, making security upgrades difficult and time-consuming. Some equipment can’t be upgraded and requires extensive planning to replace. And rail operators allow a wide variety of computer engineers to access their networks, often without strict controls.”

Congress poised to pass short-term funding bill ahead of campaign’s final stretch. Politico.com article. Pull quote: “The Senate: Earlier this week, weekend work was on the table. But that has been set aside: The Senate is set to move swiftly Wednesday night on the spending measure after House passage. On Tuesday night, the upper chamber locked in a time agreement to expedite debate time and speed towards a final vote. Once they receive the House-passed bill, the Senate will debate for up to two hours and then vote.”

Radian Aerospace completes its first round of ground testing for prototype space plane. GeekWire.com article. Pull quote: ““Let’s just put it this way,” Holder said. “The interest in the program is global, and that’s really, really good. The interest in UAE is very high, and I would say that spans from government to private concerns. There’s benefit to being in this space, so people who are interested in maybe being potential users or investors can see some of the work firsthand.””

How Likely Is That To Kill Anyone? LinkedIn.com commentary. An interesting look at why patching control systems can be so difficult. Pull quote: “This is in sharp contrast with some aspects of enterprise cybersecurity programs that in some domains apply constant, aggressive change to stay ahead of the adversary: the latest security updates, as quickly as practical, the latest anti-virus signatures, and the latest software versions and keys and cryptosystems. These “constant change” practices fly in the face of the ECC discipline. There is simply no way to keep industrial equipment patched as aggressively as we patch enterprise networks. One consequence of this limitation is that most industrial equipment is vulnerable to known exploits for much longer periods of time than is typical of enterprise equipment.”

House and Senate Pass HR 9747 – FY 2025 Continuing Resolution

Today the House and Senate both took up HR 9747, the Continuing Appropriations and Extensions Act, 2025, both passing the bill with bipartisan support. With all of the drama that we have seen this year around spending measures, the relatively smooth passage today on both sides of the Capitol seemed almost painless. That apparent painlessness is misleading; all the players did today was kick the can down the road until after the election.

The House took up the bill early this afternoon. After just a little over 30 minutes of debate (40 minutes were authorized), a recorded vote was demanded. An hour and a half later, a roll call vote was held and the bill passed by a vote of 341 to 82. All of the nay votes were from Republicans. That vote was completed at 4:33 EDT.

The legislation then moved to the Senate where it was considered under a unanimous consent agreement that was reached on Tuesday to allow the bill to be debated for 2 hours and then immediately move to a vote on the bill with a 60-vote threshold for passage. At 5:18 EDT the vote was held and the measure passed by a bipartisan vote of 78 to 18. As was the case in the House, all the Nay votes were from Republicans.

President Biden is expected to sign the bill, probably before the weekend. The fiscal year deadline is Monday night at midnight.

The spending bill drama will resume when Congress returns from its October recess on November 11th, 2024.

Bills Introduced – 9-24-24

Yesterday, with both the House and Senate in session, there were 67 bills introduced. Three of those bills will receive additional attention in this blog:

HR 9768 Joint Cyber Defense Collaborative Act Swalwell, Eric [Rep.-D-CA-14]

HR 9769 Strengthening Cyber Resilience Against State-Sponsored Threats Act Lee, Laurel M. [Rep.-R-FL-15]

HR 9770 Cyber PIVOTT Act Green, Mark E. [Rep.-R-TN-7] 

As I reported on Monday (subscription required), these three bills are scheduled to be included in a House Homeland Security markup hearing today.

Review - CSB Updates Status on 4 Recommendations – 9-23-25

Yesterday, the Chemical Safety Board updated the status of four accident investigation recommendations. Three were changed to “Closed – Acceptable Action” and one was changed to "Open - Unacceptable Response”. The recommendations updated include:

• Evergreen Packaging Paper Mill - 2020-07-I-NC-R7 - Universal Blastco - Closed,

• Evergreen Packaging Paper Mill - 2020-07-I-NC-R8 - Universal Blastco - Closed,

• Arkema Inc. Chemical Plant Fire - 2017-08-I-TX-R5 - Harris County, Texas - Closed, and

• Wacker Polysilicon Chemical Release - 2021-01-I-TN-R7 - Tennessee Division of Occupational Safety & Health - Open


For more information about the responses, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-updates-status-on-4-recommendations - subscription required.

Tuesday, September 24, 2024

Short Takes – 9-24-24

Scientists explore how indoor vertical farming could help future-proof food demand. Phys.org article. Pull quote: “"However, the technical possibility of keeping them constant does not mean that keeping them constant is the best solution. Once dynamic environmental control has become established, both the energy use and costs of the used energy can be substantially reduced, increasing the profitability and sustainability of vertical farms."”

NASA reveals images of enormous, snowman-shaped asteroid 2024 ON after its ultra-close approach to Earth. LiveScience.com article. Pull quote: “The new images were captured by the Goldstone Solar System Radar near Barstow, California on Sept. 16. They showed that the skyscraper-size asteroid resembles something like a peanut. That's because 2024 ON is actually two asteroids that became locked by their own gravity into a formation known as a contact binary after they came too close to each other. Other famous contact binaries include Selam, a double-lobed 'moonlet' orbiting the asteroid Dinkinesh in the main belt between Mars and Jupiter, and Arrokoth, a frigid object beyond the orbit of Pluto that was studied by NASA's New Horizons probe in 2015.”

Why Do So Many Tiny Asteroids Have Moons? ScientificAmerican.com article. Includes a number of quirky parenthetical comments. Pull quote: “Clearly there’s a lot left to learn about space rocks. Given that they could still impact our planet and cause widespread havoc, finding out as much as we can about them doesn’t just satisfy our need to gain knowledge for the love of science—it could increase humanity’s ability to stick around, too.”

Why Is It So Hard to Go Back to the Moon? ScientificAmerican.com article. Pull quote: “The new way of going deep into space ultimately results in a safer, better-understood system that might meet with more public approval—at home and abroad. And besides, it’s always been true that we choose to do it because it’s hard—so what if it’s harder? And what’s the rush? It’s not a race.”

Speaker Johnson says House will not approve ‘Christmas omnibus’. TheHill.com article. Pull quote: “Johnson is also ruling out other large packages of funding legislation, such as “minibuses” — bills that combine funding for some, but not all, areas of government. Government funding is theoretically divided up among 12 appropriations bills.”

Senate GOP wants no part of spending showdown in election year. TheHill.com article. Pull quote: “Senate Republican Whip John Thune (S.D.) said the Senate could pass the government funding stopgap as soon as Thursday, several days before the Sept. 30 deadline, because Republican lawmakers don’t want to risk a politically damaging government shutdown next week.”

CDC widens mpox vaccine recommendations. TheHill.com article. Pull quote: “The CDC guidance advised that travelers should speak to their providers about immunization if they are travelling to a country where clade I mpox is endemic and they anticipate sex with a new partner; sex at a commercial venue; sex in exchange for money or goods; and sex associated with a large public event.”

Pipeline Safety: 2024 Risk Modeling Public Workshop. Federal Register PHMSA notice of meeting change. Summary: “This notice provides amendments to the time, website information, dates, and other details of a notice published July 25, 2024, announcing a public workshop on risk modeling methodologies and tools for the evaluation of gas, carbon dioxide (CO2), and hazardous liquid pipelines.”

HR 3208 Passed in House – DHS Cybersecurity OJT

After debating HR 3208, the DHS Cybersecurity On-the-Job Training Program Act, yesterday for almost six minutes, the House completed consideration today, passing the bill in a somewhat bipartisan vote of 377 to 43; all the nay votes were Republicans. The bill would establish in CISA “the ‘DHS Cybersecurity On-the-Job Training Program’ to voluntarily train Department employees who are not currently in a cybersecurity position for work in matters relating to cybersecurity at the Department.”

The bill now heads to the Senate. It is not likely to be considered under regular order. While the bill could be brought up under the suspension of the rules process, the level of opposition from Republicans in the House would likely mean that Sen Paul (R,KY), Sen Johnson (R,WI), or Sen Tuberville (R,AL) would object to such action. Since Paul is the Ranking Member of the Senate Homeland Security and Governmental Affairs Committee, he would have virtual veto authority to prevent the bill being added to an omnibus spending bill later in the session.

HR 7073 Passed in House – NextGen Pipeline Systems

After debating HR 7073, the Next Generation Pipelines Research, [removed from paywall] for about 14 minutes yesterday under the suspension of the rules process, the House completed consideration of the bill this afternoon, passing it by a largely bipartisan vote of 373 to 41, with Democrats and Republicans splitting the Nay votes almost evenly. The bill, which would require the Department of Energy to establish a new grant program to “carry out demonstration projects on low- to mid-technology readiness level subjects to achieve deployment of technologies”, now moves to the Senate for consideration.

This late in the session it would be very surprising to see the Senate take up this bill; it is just not politically important enough to take up the time needed for consideration under regular order. The regular alternative for a bipartisan bill would be for it to be considered under the Senate’s unanimous consent rule, but that is not likely to work with this bill given the opposition of radical Republicans in the House. Their Senate counterparts are well known for objecting to consideration of bills under the unanimous consent process, thus killing the movement towards passage.

This bill might be suited for addition to the end-of-year omnibus spending bill. Since the Ranking Member of the Senate Commerce, Science, and Transportation Committee {Sen Cruz (R,TX)} may be disinclined to block a pipeline research bill, there would not be an automatic veto preventing this bill from being added, as we have seen with many homeland security related bills and Sen Paul (R,KY).

Review – 6 Advisories and 2 Updates Published – 9-24-24

Today, CISA’s NCCIC-ICS published six control system security advisories for products from Moxa, OMNTEC, Dover Fueling Solutions, Franklin Fueling Solutions, Alisonic, and OPW Fuel Management Solutions. They also updated advisories for products from Interpeak and Uniview.

Advisories

Moxa Advisory - This advisory describes three vulnerabilities in the Moxa MXview One products.

OMNTEC Advisory - This advisory describes a missing authentication for critical function vulnerability in the OMNTEC Proteus Tank Monitoring product.

Dover Advisory - This advisory describes six vulnerabilities in the DFS ProGauge MAGLINK LX Consoles.

Franklin Advisory - This advisory describes an absolute path traversal vulnerability in the Franklin TS-550 EVO automatic tank gauge.

Alisonic Advisory - This advisory describes an SQL injection vulnerability in the Alisonic Sibylla automated tank gauge.

OPW Advisory - This advisory describes a missing authentication for critical function vulnerability in the OPW SiteSentinel product.

NOTE: The vulnerabilities for the five fuel handling equipment advisories were reported to CISA by Pedro Umbelino of BitSight; that report is worth reading.

Updates

Interpeak Update - This update provides additional information on the Interpeak TCP/IP Stack advisory that was originally published on October 1st, 2019 and most recently updated on May 12th, 2020.

Uniview Update - This update provides additional information on the Uniview NVR301-04S2-P4 advisory that was originally published on June 4th, 2024.


For more information on these advisories, including links to a researcher report and a down-the-rabbit-hole look at relay rapid cycling attacks, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/6-advisories-and-2-updates-published - subscription required.

Bills Introduced – 9-23-24

Yesterday, with both the House and Senate in session, there were 47 bills introduced. Two of those bills will receive additional coverage in this blog:

HR 9747 Continuing Appropriations and Extensions Act, 2025 Cole, Tom [Rep.-R-OK-4]

HR 9762 To amend the Homeland Security Act of 2002 to provide explicit authority for the Secretary of Homeland Security and the Director of the Cybersecurity and Infrastructure Security Agency to work with international partners on cybersecurity, and for other purposes. Menendez, Robert [Rep.-D-NJ-8]

HR 9747 was supposed to be included in yesterday’s House Rules Committee hearing to set up the rule for consideration of bills under regular order this week. The rule adopted last night, H Res 1486, did not include the CR. Apparently there were not enough votes in the Rules Committee to include the spending bill (as I discussed yesterday). Politico.com is reporting that the bill will be considered under the suspension of the rules process. HR 9747 is not listed on today’s schedule for the House, so it will likely come to the floor on Wednesday. Congress has until midnight Monday to get a spending bill to the President’s desk to avoid a potential shutdown of the federal government.

NOTE: Two bills of interest here that were considered under the suspension of the rules process yesterday (HR 3208 and HR 7073) were debated, but recorded votes were demanded. Further action was postponed; votes will probably take place today. I discussed this briefly yesterday in my CFSN Detailed Analysis committee hearing post (subscription required).

CSB Adds Cuisine Ammonia Release Investigation

Yesterday the Chemical Safety Board added a fifth investigation to its ‘Current Investigations’ web page, the Cuisine Solutions Ammonia Release. The CSB reported initiating the investigation on August 1st, 2024. The newly published report page describes the incident:

“A July 31, 2024 ammonia release at Cuisine Solutions, Inc., a food processing facility in Loudon County, VA led to the hospitalization of 33 workers, with some in serious condition. The facility is a commercial food preparation plant with approximately 350 employees located about 30 miles from Washington D.C.”

The Washington Post has a pretty good article describing the incident, with a follow up article here.

There have been no updates to the investigation status since the original announcement.

There have been two other recently ‘announced’ investigations (here and here); neither has yet made it to the ‘Current Investigations’ page.

Monday, September 23, 2024

Short Takes – 9-23-24

As elections loom, key US cyber policy goals still unfinished, Cyber Solarium report says. NextGov.com article. Pull quote: “One area that’s yet to be fulfilled is the creation of House and Senate select committees on cybersecurity, the report says. It’s been an inconsistent miss each year the CSC’s findings have been produced, and Montgomery said that it likely won’t move anywhere soon because there’s no motivation in either chamber or political party to do so.”

Johnson’s government funding plan B disappoints conservatives. TheHill.com article. Pull quote: “Now, House Republicans are set to face the deadline that hardliners wanted to avoid, jammed up against the Christmas holiday at the end of the 118th Congress. House GOP leadership aides, though, said the December stopgap date “does not necessarily mean we will be doing an omnibus in December,” forecasting another funding battle.”

Florida company's space balloon takes big step toward 1st human flight. Phys.org article. Note: That should be “not quite space balloon”; it only reaches about 100,000 feet (18.9 miles). Pull quote: “Space Perspective, though, taps into a market that doesn't require training and can fly much more frequently. Plus, the company touts the carbon-neutral aspect of the trips that only need hydrogen gas for the balloon to take flight.”

Electronic Warfare Spooks Airlines, Pilots and Air-Safety Officials. WSJ.com article (free). Pull quote: “GPS spoofing has disrupted operations in Europe but hasn’t endangered flights, said Florian Guillermet, executive director of the European Union Aviation Safety Agency. Pilots have had to divert to airports they weren’t intending to land at, and earlier this year an airline temporarily halted operations to an Estonian airport that wasn’t equipped with ground-based navigation as a backup for GPS.”

Explainer: The chemistry of autumn. ChemistryWorld.com article. Pull quote: “Ethylene, the simplest alkene, is a gas that accelerates fruit maturation, but decreases leaf growth and promotes abscission. Ethylene is produced from the amino acid methionine via a long chain of biochemical reactions. As darkness stimulates the biosynthesis of this gas, plants increase their ethylene production in autumn and winter, causing their leaves to drop.”

‘One pistol clip can change the balance of power’: Congress is wholly unprepared for a mass casualty event. Politico.com article. Pull quote: “Despite the lack of real progress over the years, there is some movement. The House Administration Committee’s subpanel on modernization held a hearing on continuity of Congress in mid-September.”

HR 7630 Passed in House – ANCHOR Act

Today, the House took up HR 7630 [removed from paywall], the Accelerating Networking, Cyberinfrastructure, and Hardware for Oceanic Research (ANCHOR) Act, under the suspension of the rules process. After less than ten minutes of debate, the bill was passed by a voice vote. The bill would require the National Science Foundation (NSF) to submit a plan to improve the cybersecurity and telecommunications of the Academic Research Fleet. No new funding is authorized by the legislation.

The bill now moves to the Senate for consideration. The legislation is not politically important enough to be considered under regular order, but it does appear to be a good candidate for consideration under the Senate’s unanimous consent process. A slightly different version of the bill, S 3943 [removed from paywall], was introduced in the Senate and subsequently was ordered reported favorably (without a written report) on August 1st by the Senate Commerce, Science, and Transportation Committee.

Review - Committee Hearings – Week of 9-22-24

With both the House and Senate in Washington (probably for the last time before the election) we have a moderately busy hearing schedule. In the House there are two markup hearings (here and here) with cybersecurity legislation and a CrowdStrike hearing. In the Senate we will see a cybersecurity threat hearing. The House will be considering 38 bills under the suspension of the rules process as well as three bills under rules (the CR is not included in either list at this point).


For more details about these hearings and legislation, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/committee-hearings-week-of-9-22-24 - subscription required.

Next CR Dropped 9-22-24

Yesterday, the House Rules Committee published a copy of the next version of the FY 2025 continuing resolution that the House will try to pass this week. The Committee will meet this afternoon to craft the rule (almost certainly a closed rule; 1 hour debate, and no floor amendments) for the consideration of the bill (which will be formally introduced today). This is a relatively clean CR through December 20th, 2024 {§106(3)}.

Division A is a mainly formulaic continuation of current (FY 2024) spending through that date. It does include some additional funding for a variety of relatively non-controversial programs. The one that may draw some attention is §136, this provides additional funding for the Secret Service “for operations necessary to carry out protective operations including the 2024 Presidential Campaign and National Special Security Events”. Access to this additional funding is predicated on the delivery to Congress of the Secret Service’s “Mission Assurance Report” on the first Trump assassination attempt. A summary of that report was made public on Friday.

Division B provides extensions of various authorities that expire with the fiscal year. This list keeps growing larger every year. No, the CFATS program is not included in this list.

There are three votes on the House Rules Committee that are ‘controlled’ by the House Freedom Caucus. In general, members of that Caucus object to the use of continuing resolutions and omnibus spending bills. It is not clear that these three members will vote with their fellow Republicans on this Rule. If they vote with the Democrats (as they have done on similar measures), that would kill the Rule. Then Speaker Johnson would be forced to bring the CR to the floor under the suspension of the rules process. Sufficient Democrats (most, actually) would be expected to support this ‘clean’ CR for the bill to pass, but Johnson would pay a political price for that move. How severe that price would be remains to be seen.

I would not be surprised to see one or more of the Caucus members abstain from (or be physically absent for) this afternoon’s vote on the rule. This would allow them to claim that they opposed the CR, but would not derail its consideration under a rule. Even if all three abstained, the Republicans would have a one vote majority for the consideration of the rule.

Saturday, September 21, 2024

Short Takes – 9-21-24

Trump’s shutdown push falls flat with Republicans. TheHill.com article. Pull quote: ““Everybody knows that I’m certainly comfortable with fighting and having a shutdown to force the question on whether or not we’re gonna fund government at the right levels, which means cutting spending, and make sure that we ensure that only citizens vote,” said Roy, a member of the conservative House Freedom Caucus. “I’d be happy to do that. But you got to have the votes to go do it.””

The radical intervention that might save the “doomsday” glacier. TechnologyReview.com article. Pull quote: “But Moore readily acknowledges that such efforts will face vast challenges. Much more work needs to be done to closely evaluate how the flow of warm water will be affected, how well the curtains will hold up over time, what sorts of environmental side effects could occur, and how the public will respond. And installing the curtains under the frigid, turbulent conditions near Antarctica would likely require high-powered icebreakers and the sorts of submersible equipment used for deep-sea oil and gas platforms.”

First Israel’s Exploding Pagers Maimed and Killed. Now Comes the Paranoia. Wired.com article. Pull quote: “Creating distrust of communication devices within Hezbollah may well be Israel's purposeful tactic of “preparing the battle space” ahead of impending Israeli military operations against Lebanon, says Thomas Rid, a professor of strategic studies at Johns Hopkins University and author of Active Measures, who specializes in disinformation and influence operations. He compares the operation to cyberattacks or physical attacks on “command-and-control” infrastructure at the beginning of a conflict, such as the United States' efforts, documented in former NSA chief Michael Hayden's book Playing to the Edge, to destroy the Iraqi military's fiber-optics-based communications in 2003 in order to “herd” the enemy's military toward more easily intercepted radio-based communications.”

Strange Visual Auras Could Hold the Key to Better Migraine Treatments. Wired.com article. Pull quote: “Nouchine Hadjikhani, a Harvard neuroscientist who has been researching auras for three decades, says the research is “probably the biggest advance” in 10 to 20 years about how migraines happen. Around the turn of the millennium, we learned that auras occur during a temporary shutdown of neuron activity, known as a cortical spreading depression (CSD). Hadjikhani’s team was the first to show this in humans on fMRI scans, as a slow-moving wave of cells activating anomalously, rippling across the cerebral cortex. “Imagine you throw a stone in water and you see the waves going out,” she says. Most aura symptoms are visual because more than a third of the brain is dedicated to visual processing.”

Short Takes – 9-21-24 – Federal Register Edition

Quarterly Reports of Positive Train Control System Performance. Federal Register FRA notice. Summary: “The purpose of this notice is to inform the public that FRA has determined it is in the public interest for railroads to continue submitting reports of their positive train control (PTC) systems' performance to FRA on a quarterly basis as the Infrastructure Investment and Jobs Act currently requires, and as the Office of Management and Budget (OMB) has approved through March 31, 2027.”

New Agency Information Collection Activity Under OMB Review: Minimum Standards for Driver's Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes. Federal Register TSA 30-day information collection notice. Summary: “This notice announces that the Transportation Security Administration (TSA) has forwarded the new Information Collection Request (ICR) abstracted below to the Office of Management and Budget (OMB) for review and approval under the Paperwork Reduction Act (PRA). The ICR describes the nature of the information collection and its expected burden. The collection involves the requirement that States who seek a temporary waiver of the prohibition on Federal acceptance, for official purposes, of mobile driver's licenses (mDLs) that do not comply with the REAL ID Act and regulations, must submit an application for such waiver to TSA.”

National Chemical Transportation Safety Advisory Committee; October 2024 Meeting. Federal Register Coast Guard meeting notice. Summary: “The National Chemical Transportation Safety Advisory Committee (Committee) and its three subcommittees will meet in public in Washington, DC to discuss matters relating to the safe and secure marine transportation of hazardous materials. The Committee will be held in person only. The three subcommittee meetings will be virtual. For more detailed information regarding the subcommittee meetings, see Agenda Day 1 and Day 2 below.”

Notice of Partially Closed Federal Advisory Committee Meeting. Federal Register CISA Cybersecurity Advisory Committee Quarterly Meeting notice. Agenda: “The CISA Cybersecurity Advisory Committee will hold a virtual meeting on Friday, October 11, 2024, to discuss current CISA Cybersecurity Advisory Committee activities. The open session will be held from 2:30 p.m. to 4:00 p.m. EDT and will include: public comment, briefings from four CSAC subcommittees, and CSAC member deliberation and vote on recommendations for the Director.”

Review - Reader Comment – Advisory Mistakes

Yesterday, an anonymous reader left a comment about my Thursday blog post on CISA advisories published that day. The reader notes:

“About the Rockwell advisory: on that vendor's publication for that vulnerability there is a reference to a JSON to help you automate the vulnerability handling, but the JSON refers to another vulnerability. Looks like the webpage is copy/pasted.”

If you look at the bottom of the Rockwell Advisory you will find the following:

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.

• JSON CVE-2024-7847

To be clear, that CVE is for the vulnerability discussed in the advisory. On the advisory, that last line ‘JSON CVE-2024-7847’ has an active link to https://cveawg.mitre.org/api/cve/CVE-2024-45825. Obviously, that is the wrong CVE number. Interestingly, Rockwell is using the Mitre JSON document instead of developing their own tool to produce JSON pages.

Now, as to how this happened, the cut and paste suggestion by the anonymous reader who noted the problem could easily be right. As I well know, there are numerous ways that errors in links can creep into documents. That is where good editors provide an invaluable service to writers. Unfortunately, blog writers do not usually have editors, and I suspect that the corporate writers of advisories are similarly lacking that type of support. We have to rely on readers like my anonymous friend here to catch the mistakes that we miss.
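Anyone automating vulnerability handling from advisory links is exactly who this kind of mismatch bites, because the link text says one CVE and the fetched document says another. The following is an added example (not the blog’s code and not anything Rockwell or CISA publishes) of the consistency check a tracking tool should run before trusting such a link: it compares the CVE the advisory claims, the CVE in the visible link text, the CVE embedded in the link URL, and the `cveMetadata.cveId` field inside the fetched record. It assumes the linked document is a CVE Record in the CVE JSON 5.x format served by the CVE Services API (which is what the cveawg.mitre.org URL above returns); the record body below is constructed for the example, while the link text, URL and CVE numbers are the ones from the advisory discussed above. It does no network access; feed it whatever your fetcher downloaded.

```python
"""Consistency check for machine-readable CVE links in a vendor advisory.

Added example, not code from the blog or from any vendor.  Assumes the linked
document is a CVE JSON 5.x record whose top-level cveMetadata.cveId names the
record, and that the advisory shows a link whose text names the intended CVE.
"""
import json
import re
from dataclasses import dataclass, field
from typing import Optional

# CVE identifiers: CVE-<year>-<4 or more digits>, matched case-insensitively.
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)


@dataclass
class LinkCheck:
    """Result of comparing the four places a CVE id can appear."""
    advisory_cve: str
    link_text_cve: Optional[str]
    link_url_cve: Optional[str]
    record_cve: Optional[str]
    problems: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def extract_cve(text: str) -> Optional[str]:
    """Return the first CVE identifier found in text, upper-cased, or None."""
    m = CVE_ID.search(text)
    return m.group(0).upper() if m else None


def check_cve_link(advisory_cve: str, link_text: str, link_url: str,
                   record_json: str) -> LinkCheck:
    """Compare the CVE the advisory is about with the link text, the link URL
    and the id inside the fetched record.  The record is parsed, not trusted
    by its file name or URL, so a copy/paste error in either is caught."""
    advisory_cve = advisory_cve.upper()
    text_cve = extract_cve(link_text)
    url_cve = extract_cve(link_url)
    record_cve = None
    problems = []

    try:
        record = json.loads(record_json)
        record_cve = record.get("cveMetadata", {}).get("cveId")
        if record_cve:
            record_cve = record_cve.upper()
        else:
            problems.append("fetched record has no cveMetadata.cveId")
    except json.JSONDecodeError as exc:
        problems.append(f"fetched record is not valid JSON: {exc}")

    if text_cve is None:
        problems.append("link text names no CVE")
    elif text_cve != advisory_cve:
        problems.append(f"link text names {text_cve}, advisory is about {advisory_cve}")
    if url_cve is not None and url_cve != advisory_cve:
        problems.append(f"link URL points at {url_cve}, advisory is about {advisory_cve}")
    if record_cve is not None and record_cve != advisory_cve:
        problems.append(f"fetched record is {record_cve}, advisory is about {advisory_cve}")

    return LinkCheck(advisory_cve, text_cve, url_cve, record_cve, problems)


# Values from the advisory discussed above: the link text says CVE-2024-7847,
# the href goes to the CVE-2024-45825 record.
SAMPLE_LINK_TEXT = "JSON CVE-2024-7847"
SAMPLE_LINK_URL = "https://cveawg.mitre.org/api/cve/CVE-2024-45825"

# Constructed stand-in for what that URL returns (CVE JSON 5.x shape); the
# description text is a placeholder, only the cveId matters to the check.
SAMPLE_RECORD = json.dumps({
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "cveMetadata": {"cveId": "CVE-2024-45825", "state": "PUBLISHED"},
    "containers": {"cna": {"descriptions": [
        {"lang": "en", "value": "constructed placeholder description"}]}},
})


def demo() -> LinkCheck:
    """Run the check on the advisory's values; returns two problems."""
    result = check_cve_link("CVE-2024-7847", SAMPLE_LINK_TEXT, SAMPLE_LINK_URL, SAMPLE_RECORD)
    for p in result.problems:
        print("MISMATCH:", p)
    return result


if __name__ == "__main__":
    demo()
```

Running `demo()` flags both the URL and the record as naming CVE-2024-45825 while the advisory (and the link text) name CVE-2024-7847. The point of parsing `cveMetadata.cveId` rather than only the URL is that a correctly named link can still serve the wrong record, and a tracking pipeline that keys on the link text alone would silently file the wrong vulnerability data under the advisory’s CVE.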


For more information about the machine readable alternatives, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/reader-comment-advisory-mistakes - subscription required. 

Chemical Incident Reporting – Week of 9-14-24

NOTE: See here for series background.

Deer Park, TX – 9-16-24

Local News Reports: Here, here, and here.

An LNG pipeline explosion and fire were apparently caused by a vehicle striking an above ground pipeline valve. Multiple homes were damaged by fire. No injuries were initially reported, but the body of the driver of the vehicle was recovered from the vehicle.

Not CSB reportable – transportation related incident.

Cardiff, ID – 9-12-24

Local News Reports: Here, here, and here.

An explosion and fire at a gas station killed two people and required the hospitalization of two others. The gas station was destroyed. Reports include pictures of damage to the above-ground tank farm behind the station building and to a fuel tanker that was apparently unloading in front of the building.

CSB reportable.
